Standards Frameworks and Information Quality
Extracted from Chapter 3 of Defining and Executing an Effective Data Quality Strategy
Daragh O Brien
This extract from my 2008 Industry Report Defining and Executing an Effective Data Quality Strategy
(published by Ark Group) examines the role of Information Quality in relation to a number of, at first
glance, competing strategic governance standards – specifically ISO27002 and COBIT.
Another key driver of Information Quality is the emergence of standards frameworks for a
variety of IT related functions in your Business which either expressly or implicitly require
the quality of information in your organisation to be managed. While Information Quality
may not be the expressed objective of many of these standards, the only effective way to
ensure and assure compliance is to effectively manage Information Quality in your
organisation, if only for a defined information group.
It is also important to remember that while certain standards may be implemented by the IT
function in the organisation, the challenge of managing the quality of the information that
evidences how the organisation meets those standards requires both Business and IT to work
together to ensure that the information meets or exceeds the expectations of the standards and
to ensure compliance with those standards.
ISO 27002:2005
The main sections of ISO 27002:2005 are summarised below.
1. Risk Assessment
2. Security policy - management direction
3. Organization of information security - governance of information security
4. Asset management - inventory and classification of information assets
5. Human resources security - security aspects for employees joining, moving and leaving an organization
6. Physical and environmental security - protection of the computer facilities
7. Communications and operations management - management of technical security controls in systems and networks
8. Access control - restriction of access rights to networks, systems, applications, functions and data
9. Information systems acquisition, development and maintenance - building security into applications
10. Information security incident management - anticipating and responding appropriately to information security breaches
11. Business continuity management - protecting, maintaining and recovering business-critical processes and systems
12. Compliance - ensuring conformance with information security policies, standards, laws and regulations
There are distinct overlaps between Information Quality objectives and the guidelines in ISO
27002:2005, particularly with regard to the requirements in Sections 3, 4, 5, 8, 9 and 12.
In order to achieve many of the objectives of the Information Security standard, organisations
inevitably need to address the completeness, consistency, timeliness and accuracy of
information about their information assets, systems, users, system access rights etc. In
addition, adequate governance and controls need to be in place to ensure Information
Security. Many of these Governance objectives are complementary to or directly parallel the
Governance requirements for Information Quality.
We will now examine in more detail some of the more salient points of overlap between the
Information Quality Agenda and ISO27002:2005.
If approached from a pure "IT" perspective, the inventories of Information Assets called for
under Asset Management (Section 4 above) risk becoming focused purely on the question of what
servers and systems you have in your organisation and who uses them. This may not adequately
address the questions of what information is held on those systems, where it comes from, what
it is used for and who uses it.
As we will see later in this paper when we look in detail at some methodologies for
Information Quality, understanding the important Information 'groups' that your organisation
manages, the key Information Assets in your organisation, is an important first step in
Information Quality improvement.
From an Information Quality perspective, the same information can be used to identify which
information groups (e.g. 'Customer Information', 'Product Information', 'Order-to-Cash
Process Information') your organisation is managing, where that information is held and
which information groups are likely to carry the greatest cost and risk of non-quality
information.
Likewise, employees are entitled to expect that their system access rights will not be
curtailed because the HR department spelled their name incorrectly and it did not match the
name associated with the system login. For example, suppose you have a team member called
Rachael (please note the spelling), and you submitted her system access requests using the
correct spelling of her name. Would it impact your team's productivity if her access to a key
system required for her job was curtailed because HR had misspelled her name as "Rachel",
so that a straight character-for-character comparison between the system access list and the
HR 'Active employees' list found no match? Would it be particularly irksome if it transpired
that Rachael had been trying to get the spelling of her name corrected on the HR system but
the change had not been actioned?
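The Rachael scenario above, as an added example that is not part of the original report: a small Python reconciliation of a system access list against an HR extract, first using the straight character-for-character name match the text describes, then keyed on a stable employee ID so that a name discrepancy becomes a data quality issue to review rather than a reason to revoke. The HR records, employee IDs, logins and names are constructed sample data and are assumptions, not anything taken from the report.

```python
"""Reconciling a system access list against the HR 'active employees' list.

Added example, not code from the report. All records below are constructed
sample data; the employee IDs, logins and names are assumptions chosen to
exercise the failure mode described in the text.
"""
from dataclasses import dataclass
import unicodedata


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    status: str  # "active" or "leaver"


@dataclass(frozen=True)
class AccessEntry:
    login: str
    employee_id: str  # empty when the account was never linked to a person
    name: str


# Constructed HR extract: Rachael's name is misspelled, Seán carries a diacritic.
HR_RECORDS = [
    HrRecord("E1001", "Rachel Murphy", "active"),
    HrRecord("E1002", "Seán O'Brien", "active"),
    HrRecord("E1003", "Priya Shah", "leaver"),
]

# Constructed access list for one business-critical system.
ACCESS_LIST = [
    AccessEntry("rachael.murphy", "E1001", "Rachael Murphy"),
    AccessEntry("sean.obrien", "E1002", "Sean O'Brien"),
    AccessEntry("pshah", "E1003", "Priya Shah"),
    AccessEntry("svc_backup", "", "Backup Service"),
]


def naive_reconcile(access, hr):
    """Straight character-for-character name match against active HR names.

    This is the approach the text warns about: any spelling, case or
    diacritic difference between the two lists looks like a leaver.
    """
    active_names = {h.name for h in hr if h.status == "active"}
    return {a.login: ("keep" if a.name in active_names else "revoke") for a in access}


def normalise_name(name):
    """Case-fold, strip diacritics and collapse whitespace before comparing."""
    decomposed = unicodedata.normalize("NFKD", name)
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(base.casefold().split())


def reconcile_by_id(access, hr):
    """Key the reconciliation on employee ID; a name mismatch is a data quality issue.

    Outcomes:
      keep   - ID is active in HR and the normalised names agree
      review - ID is active in HR but the names differ: keep access, raise a correction
      revoke - HR records the person as a leaver
      orphan - no employee ID, or an ID HR has never heard of: investigate
               (service account? ghost account?) rather than silently keep or revoke
    """
    by_id = {h.employee_id: h for h in hr}
    decisions = {}
    for a in access:
        rec = by_id.get(a.employee_id) if a.employee_id else None
        if rec is None:
            decisions[a.login] = "orphan"
        elif rec.status != "active":
            decisions[a.login] = "revoke"
        elif normalise_name(rec.name) == normalise_name(a.name):
            decisions[a.login] = "keep"
        else:
            decisions[a.login] = "review"
    return decisions


if __name__ == "__main__":
    print("name match:", naive_reconcile(ACCESS_LIST, HR_RECORDS))
    print("id match:  ", reconcile_by_id(ACCESS_LIST, HR_RECORDS))
```

With the constructed data the name match revokes every account, including Rachael's and Seán's, because nothing in the two lists agrees byte for byte; the ID-keyed pass keeps Seán, revokes the genuine leaver, sends Rachael's record to a review queue and flags the unlinked service account as an orphan for investigation. The control being illustrated is that the reconciliation key should be a stable identifier shared by both lists, with free-text attributes such as names treated as quality signals rather than as the join condition.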
Conclusion
There are clear overlaps and parallels between the drivers for Quality Information and the
practices necessary to meet the standards required by ISO 27002:2005, formerly known as
ISO 17799.
While some organisations may view their Information Security objectives as being distinct
from their Information Quality requirements, in reality there are sufficiently strong inter-
dependencies between the two sets of objectives to suggest that they are at worst parallel
programmes which could benefit from sharing tools, techniques and experiences. Application
of Information Quality Management principles and methodologies to ISO 27002:2005
compliance initiatives will improve the quality of the deliverables and will help to better
ensure and assure the security of your information. Conversely, approaching Information
Quality strategy with an understanding and awareness of the role of Information Security as a
stakeholder and potential ally will benefit the execution of the Information Quality
strategy, not least because it will not appear to be yet another 'fad' programme to distract
people from their 'real' jobs.
COBIT Framework
The COBIT Framework (Control Objectives for Information and related Technology) is a set
of best practices for information technology management created by the Information Systems
Audit and Control Association (ISACA), and the IT Governance Institute (ITGI). COBIT
provides managers, auditors, and IT users with a set of generally accepted measures,
indicators, processes and best practices to assist them in maximizing the benefits derived
through the use of information technology and developing appropriate IT governance and
control in a company.
COBIT groups its processes into four domains (Plan & Organise, Acquire & Implement, Deliver &
Support, and Monitor & Evaluate). Within each of these domains there is a set of high level
control objectives to be addressed. Each control objective addresses a specific component of
Information or Information Technology management which needs to be addressed in some form to
ensure adequate and effective control of Information and its related Technologies. The high
level control objectives for the Plan & Organise domain are illustrated below.
Table 1: COBIT Framework High Level Control Objectives
Plan & Organise
PO1 Define a Strategic IT Plan and direction
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects
Much like ISO 27002:2005, the COBIT Framework is not a standard per se but is a defined
set of recommended best practices to achieve high standards in the control and operation of
Information and Information Technology. Also, COBIT and ISO 27002:2005 are not
incompatible; rather they are complementary Best Practice frameworks, with the ISO
standard focussing on the specific challenges of securing information, which maps directly
to the COBIT control objective DS5 (Ensure Systems Security).
The Information Quality Perspective
From the perspective of Information Quality, it is interesting to note that within the name of
the framework there is a clear distinction between Information (the 'asset' being managed)
and "related Technology" (the tools used to manage the Asset). A number of commentators
have highlighted that, while COBIT only explicitly mentions information quality as one item
in the midst of a number of Data Management recommendations published with the
Framework, the implication is that if you do not address data quality then you will not
achieve your control objectives. In the words of Cass Brewer of the ITCi:
"CobiT's pert reference to data quality at level 0 in its maturity model essentially says that
without data quality you're nowhere, whatever your other data management controls." [1]
Looking at the various control objectives within COBIT, it is clear that a number of them are
dependent on good quality information (or at least an understanding of the poor quality of
your information) in order for your organisation to achieve them. I have selected some of the
High Level Control objectives and have mapped the Information Quality component of each
of them in Table 2 below. This mapping is not exhaustive and further correlations can be
found between the COBIT Framework and Information Quality Management.
Conclusion
While the COBIT framework does not expressly mandate the management of Information
Quality, the reality is that to achieve many of the High Level Control Objectives set out by the
Framework, organisations do need to address their management of the quality of their
information.
[1] Brewer, Cass, Dissociative Disorder: Compliance, Data Quality, and Cognitive Dissonance,
http://www.tdwi.org/Publications/display.aspx?id=8125, 2007/09/29, last accessed 2007/12/29 @13:46 GMT.
As we will see when we look at some of the methodologies for Information Quality
Management, there are also overlaps between many of the Control objectives and key steps
that are recommended by some 'gurus' to develop a robust Information Quality Management
capability in your organisation.
Work is continuing on this standard and readers should check the ISO website (www.iso.org)
for further information.
Conclusion
Many of the standards selected for discussion in this paper are primarily IT focussed.
However, this should not be taken to mean that Information Quality is an IT issue. This is far
from the case. Indeed, one of the leading thinkers in the field, Tom Redman, has this
advice for IT professionals tasked with improving Information Quality:
"If you are in IT and you are tasked with fixing data quality in your organisation, get out. Get
out of IT and go to work in the Business because that is where you can make the necessary
changes." [2]
What this highlights is that for the Enterprise, the organisation as a whole, to achieve its
objectives of Compliance through the pursuit of various standards or frameworks,
Business and IT need to work together to address the issues raised by poor quality
Information and poor Information Quality Management. This requires more than just
recognition within the Information Technology strategic plan that Information Quality is an
important element of achieving these high standards and high level Control objectives. It
requires an acceptance within the Business that to achieve these improvements they must lead
the change.
While there are a number of different standards frameworks and objectives that might be met,
ultimately there is a common 'foundation' that links them, and that is the need to ensure good
quality information in the operation of Business (and IT) processes.
[2] Response given in answer to a question about the ability of IT to lead Information Quality change at the 2007
IDQ Conference in Las Vegas.
Figure 1: Information Quality as a key Foundation discipline
Organisations that recognise the significant foundational role of good quality Information in
the context of other Best Practice frameworks or regulatory requirements that they are
seeking to meet will inevitably achieve improved synergy between the requirements of each
standard and framework. Furthermore, compliance with these frameworks and standards will
be seen as a value-adding function as the quality of information in the organisation improves,
reducing costs associated with process failure, rework and compliance risks, and improving
profitability in the organisation.