Enterprise Data Governance for Financial Institutions


Published on

Published in: Business, Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • In this presentation series we will discuss;

    1) What Data Governance is, and what the Visions & Objective of EDM are.

    2) Identify how we use Master Data Management to analyze Data Quality in our business terms and metrics used in standard management reports.

    3) Establish a Stewardship model to ensure Data Ownership & eliminate Risks of Data Miss-Management.

    4) And finally, discuss how we use Data Loss Prevention Technology to ensure data privacy and security controls are being met.
  • Data Governance refers to the overall management of the availability, usability, integrity, and security of the data within any enterprise. A sound data governance program includes a governing body, a defined set of procedures, and a plan to execute those procedures over time.

    Data Governance consists of the following FOUR main pillars of excellence;

    Metadata Management – It involves deciding what information about your data to track and storing the information about your data by means of a metadata repository.

    Master Data Management (MDM) – It is a process of collecting and aggregating all the data within the organization into a single source of truth.

    Data Quality Management – It involves defining the governing business rules for your data quality and then formally training the Business and IT together with a focus on that quality.

    Data Privacy & Security – Utilizes data protection technology and MDM tools to manage data classifications and uses those standards to enhance the organizations level of protection from unauthorized users and other data related threats.
  • How is Data Governance different from IT Governance?
    Data Governance complements IT Governance. Data Governance focuses on creating a structure that will enable the organization to align data management efforts to business objectives, support regulatory compliance and manage the risks associated with managing data.

    To borrow an analogy commonly used by the data management community: IT Governance focuses on the pipelines in the organization’s IT infrastructure, Data Governance focuses on the water that flows through those pipelines.

    How does Data Governance relate to data retention?
    Data Retention is the practice of keeping records of data and metadata that are generated by an organization while conducting regular business operations. Knowing our records retention policies by department and where the data is stored allows us to manage records retention and destruction.
  • Data Governance Initiatives take Investments in Resources & Technology over Time with constant improvement to meet evolving regulations.

    Although it can take a considerable amount of time and effort to set up good Data Governance initiatives there is no doubt that it is going to improve the overall process of meeting objectives and resolving conflicts.

    We are approaching standardized processes today. We have training and awareness programs for security, and we have expanded our policies and procedures to include more collaboration and communication of responsibilities around data quality.

    For us to move toward Rationalized Maturity Level, we would need to establish Metadata standards and create Master Data Management process and procedures that will be delivered as training to employees of the process.
  • Improve decision-making of management
    Ensure data consistency and common understanding across the organization
    Build trust of data among everyone involved in the process
    Re-use of standardized data components over time, space, and applications, and passes saving to all future project budgets
    Eliminate risks related to data privacy and security
    Adhere to compliance requirements
  • The following table lists some of the attributes of a classification system that may be recorded in an MDR.
  • When we talk about investing in Technology, we often talk about ROI. This is easily done with simple value mapping.

    Master Data Management tools can;
    Help IT meet the organization’s strategic objectives for data privacy and data quality by providing a single source of reference.
    MDM tools provide a way to measure, track and report progress of data quality tasks performed.
    MDM tools provide a way to track and manage data classification at the column, table and database layer.

    New Definitions for ROI, could be Risk of NO Investment

    Risk of Internal Control Deficiency
    Risk of Inefficiencies
    Risk of Ineffectual Data Quality Practices
    Risk of Impossible Odds of Succeeding With Planned Data-Related Projects

  • Some organizations are setting up new teams, others are re-fashioning existing teams. Either way, new roles, responsibilities and structures are still required. Identifying key resources, aligning them to a strategy, and evolving critical roles over time will enable long-term success with MDM.
    Why do people-related issues become the biggest challenges in MDM?
    What key roles must be formalized and how do they inter-relate?
    Which stakeholder management tactics are most effective?

    As MDM shifts from an abstract discipline to a tangible program, governance has to appropriately expand. This broader scope still encompasses data stewardship aspects, but it also has to entail additional decision areas that ensure the value and sustainability of the MDM program.
    What should the scope of MDM program governance cover?
    What are the different implementation options of master data governance?
    What are the barriers to effective master data governance and how can they be overcome?
  • Integrating business strategy and vision is critical for driving business and technology change and investment. One vehicle for communicating and uniting IT and business efforts is a high-level business capability map, as well as the ability to drill down to deeper levels of analysis.
  • A company’s Master Data Management program should be an enterprise-wide initiative. However, it is often difficult to start the initiative across the entire enterprise. The key is to embark upon tactical projects that are aligned with an overall enterprise vision for MDM. Pick a starting point with limited scope that proves the technical approach and delivers faster business benefits.

    An important thing to note is “There is no such thing as an MDM project, just business projects requiring MDM. MDM must be treated as a program and therefore funded as one. Business realities make this very difficult to achieve — specifically, political, organizational, and cultural barriers stand in the way.” – Gartner MDM
  • Why is Data Quality Mgmt necessary?
  • A naming convention specifies how names shall be formulated. An effective naming convention can enforce the exclusion of irrelevant facts about the administered item from the name, such as the input source of a data element or its field position in a file.
  • Another example: Definitions should not use the term to define the term.  Ie: past due should not be defined as loans past due. 
  • There are various roles involved in this process and all of them have to be accountable to ensure data quality. Its vital that the roles are clearly defined upfront. The following are some of the commonly recognized roles and a link to the specific responsibilities of each role.

    FCBT is working diligently to implement Data Privacy and Security Management solutions across the District to protect all our sensitive data from loss using the guidance of regulatory requirements outlined by FFIEC for securing, transmitting and disposing of data.

    The OBJECTIVE is to assign a data classification such as (Public, Private, Confidential) to each data element and then use a protection profile to describe the types of protection that should be applied to data in each classification.

    The profile is used to develop and asses controls within the institution and to develop contractual controls and requirements for those outside the institution who may process, store, or otherwise use that data.

    FFIEC offers guidance on;

    1) Theory and Tools

    2) Practical Application
    Handling and Storage

    Average record cost per file = $194-$214 according to Poneman research http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-us.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2012Mar_worldwide__CODB_US

    Negligent insiders and malicious attacks are the main causes of data breach. 39 % of organizations say that negligence was the root cause of the data breaches. For the first time, malicious or criminal attacks account for more than a third of the total breaches reported in this study. Since 2007, they also have been the most costly breaches. Accordingly, organizations need to focus on processes, policies and technologies that address threats from the malicious insider or hacker.

    Detection and escalation costs declined but notification costs increased. Detection and escalation costs declined from approximately in $460,000 in 2010 to $433,000 in 2011. These costs refer to activities that enable a company to detect the breach and whether it occurred in storage or in motion. This suggests that organizations in the 2011 study had the appropriate processes and technologies to execute these activities.

    Notification refers to the steps taken to report the breach of protected information to appropriate personnel within a specified time period. The costs to notify victims of the breach increased in this year’s study from approximately $510,000 to $560,000. A key factor is the increase in laws and regulations governing data breach notification.
  • Maintaining the privacy and confidentiality of data, as well as meeting the requirements of a growing list of related compliance obligations, are top concerns for government organizations and enterprises alike.

    Addressing these challenges requires a cross-disciplinary effort involving a varied list of players human resources, information technology, legal, business units, finance, and others—to jointly devise solutions that address privacy and confidentiality in a holistic way.

    Data governance is one such approach that addresses many aspects of data management, including information privacy and security as well as compliance.
  • People: The people make up the steering committee, data stewards and information security officers. They are the subject matter experts from different areas of the organization that will collaborate to develop a comprehensive set of process and technical controls that support approved policies, standards, and procedures.

    Process: The process consists of;
    Adhering to data privacy and confidentiality principles
    Applying continuous process improvement methods; (Plan-Do-Check-Act-Repeat)
    Keep each process structured, manageable, and repeatable

    Technology: Represents the tools for evaluating risks (DLP) and enables the technical and manual controls for mitigating those risks.
  • Data Stewardship Policy – define who is responsible for ensuring effective control and use of data assets according to data security and privacy requirements.

    Data Classification Policy - is the enterprise-wide classification scheme that defines appropriate security levels and protection controls, data retention policies, and criticality and sensitivity of enterprise data (e.g., public, confidential, top secret). Tagging confidential information covered by statutes and regulations with the associated authority document is also a good idea. The classification scheme should apply to both structured and unstructured data.

    Each policy should clarify the following basic elements:
     Purpose of the policy.
     Policy statement.
     Whom the policy affects and their associated role and responsibilities.
     How the policy will be monitored for compliance (metrics and related key performance indicators).
     What enforcement actions will be taken against policy violators.
  • Diagramming
    Multiple techniques can be used for diagramming. Microsoft product teams and our consulting services organization typically use data flow diagrams (DFDs) with the addition of “trust boundaries.” A trust boundary is a border that separates business entities and/or IT infrastructure realms, such as networks or administrative domains. Every time confidential data crosses a trust boundary, basic assumptions about security, policies, processes, and practices—or all of these combined—might change, and with them the threats that will be identified in the next step.

    Threat Enumeration
    Once the diagram is ready and all trust boundaries have been identified, the next step is enumerating potential threats against privacy and confidentiality using the four data privacy and confidentiality principles and identifying threats that might affect the integrity of each one. Here are the four principles, each followed by examples of threat types

    Principle 1: Honor policies throughout the confidential data lifespan

    Choice and consent (collection, use, and disclosure)
    o Inadequate notice of data collection, use, disclosure, and redress policies.
    o Unclear or misleading language or processes for the user to follow in choosing and providing consent for the collection and use of personal information.

    Individual access and correction
    o Limited or nonexistent means for users to verify the correctness of their personal information.

    o Lack of necessary controls to enforce customer choice and consent, as well as other relevant policies, laws, and regulations, including data classification.

    Principle 2: Minimize risk of unauthorized access or misuse of confidential data

    Information protection
    o Lack of reasonable administrative, technical, and physical safeguards to ensure confidentiality, integrity, and availability of data.
    o Unauthorized or inappropriate access to data.

    Data quality
    o Lack of means to verify accuracy, timeliness, and relevance of data.
    o Lack of means for users to make corrections as appropriate.

    Principle 3: Minimize impact of confidential data loss

    Information protection
    o Insufficient safeguards (i.e., strong encryption) to ensure confidentiality of data if it is lost or stolen.

    o Lack of a data breach response plan and an escalation path.
    o System does not encrypt all confidential data.
    o Adherence to data protection principles cannot be verified through appropriate monitoring, auditing, and use of controls.

    Principle 4: Document applicable controls and demonstrate their effectiveness

    o Plans, controls, processes, or system configurations are not properly documented.

    o Compliance cannot be verified or demonstrated through existing logs, reports, and controls.
    o Lack of a clear noncompliance escalation path and process.
    o Lack of a breach notification plan. Lack of other response plans that are required by law.

    Intro to DLP and what we are protecting by using this technology with a security in depth model.
    * How often do we send out information that is not encrypted and that should be?
    * Do employees have access to post on social network sites, linkedin, wordpress, twitter or facebook?
    * Have you ever been tempted to send files to your personal account to be able to catch up on work while at home?
    * How do you currently prevent these kinds of situations from spilling or losing data that could be considered a compliance breach?
  • Secure Infrastructure
    Safeguarding confidential information depends fundamentally on a secure technology infrastructure—one that protects computers, storage devices, operating systems, applications, and the network against malicious software and hacker intrusions as well as rogue insiders.

    Identity and Access Control
    Identity and access management (IAM or IdM) technologies help protect personal information from unauthorized access while facilitating its availability to legitimate users. They include authentication mechanisms to verify identity and to ensure that only valid users can connect to an organization’s systems; access controls that determine which resources and data a user is allowed to use and in what ways; and provisioning systems and management technologies that help organizations manage user accounts across multiple systems and with partners they trust.

    Information Protection
    As confidential data is shared within and across organizations, it requires persistent protection from interception and viewing by unauthorized parties. Organizations must ensure that their databases, document management systems, and practices correctly classify and safeguard confidential data throughout the lifecycle.
    Classifying data and files
    Protecting information through encryption
    Protecting data through the information lifecycle

    Auditing and Reporting
    Organizations can use technologies for systems monitoring and compliance controls. Such technologies verify that system and data access controls are operating effectively and assist in identifying suspicious or noncompliant activity. They can also help ease the systems administration burden and reduce troubleshooting planning. Capabilities include:
     Harmonizing compliance requirements across IT processes
     Selecting activities that enable automation of data governance compliance and produce proof of that compliance
     Detecting and reporting on misplaced data by performing routine sweeps using automatic file classification
  • Enterprise Data Governance for Financial Institutions

    1. 1. Data Governance starts with planning; • Metadata Management • Master Data Management • Data Quality Management • Data Privacy & Security Enterprise Data Governance for Financial Institutions
    2. 2. What is Data Governance? Ref. http://searchdatamanagement.techtarget.com/definition/data-governance Is what FIs tracks in spreadsheets today. Uses MDM technology to enhance FI data quality and provide metrics on data governance programs. Defines FI standards for data and who will be accountable. Assigns a security classification type to all structured and unstructured data within the Financial Institution (FI).
    3. 3. Benefits of Data Governance • Adopting a Data Governance strategy can help Financial Institutions protect sensitive information from attack or misuse and also helps the organization use its data more effectively. • Good Data Governance practices and data security classification help to protect against and limit the risks of a data breach, data leakage or human misuse of data. • By having a Data Governance program, organizations can establish data storage lives and destroy old data to reduce data storage and maintenance costs. Providing a small boost in ROI of Data Warehousing & Business Intelligence Programs.
    4. 4. Basic Immature policies and procedures Lack of training and awareness Limited technology Standardized Established policies and procedures Formal training and awareness Minimal technology Rationalized Process and procedure Improvement Formal training and compliance metrics Reduced reliance on manual controls Dynamic Process transformation and more integrated compliance efforts Formal training and compliance metrics Fully automated and integrated controls managed by IT Data Governance Maturity Model Resource & Technology Investments Time
    5. 5. Data Governance Strategic Objectives •Produces information that is easily accessible, standardized, and sourced from a single place. •Produces information that can be used to make and support operational and strategic business decisions. •Ensures data is captured, mapped, stored, managed, retained and archived in accordance to FFIEC compliance regulations. INFORMATION DELIVERY Information Management of Enterprise Reporting Content •Assists in dismantling business systems that are designed or built with architectural dependencies on other applications. •Consolidation of business application and reporting systems. SIMPLIFY SYSTEMS Deprecation of Ad-hoc Legacy Business Systems •Supports the deployment of new applications by standardizing key business terms to enable data conversion and configuration of application integration points. ENABLING CAPABILITY Enabling the Deployment of New Business Applications •Provide quality support services that add value to FI reporting data stakeholders and business users. •Maintains safety and soundness of all the data used and shared by the Financial Institution. ONGOING OPERATIONS Maintaining business functions that maximize daily operations
    6. 6. Metadata Management Specifies the basic components of data into information that can be re-used to improve business operations and processes, including: • Design & control of Data Dictionary • Identifying Data Stewards & Data Owners • Retrieval of data from databases • Design of information processing systems • Design of EDI-messages • Maintenance of items in a metadata repository
    7. 7. Metadata Repository (MDR) • A Metadata Repository is designed to capture the “basic components” or the semantics of data, independent of any application or subject matter area. • MDR’s can reduce the time and costs of defining and approving the semantics of data by re-using basic components that have already been approved by our data stewards.
    8. 8. MDR Registration Model 2 6 3 4 1 5 7 1) Project submits a term to MDR for registration 2) Project team notifies Registrar submitted item is ready for certification 3) The submitted item is routed to Data Stewards 4) Data Stewards work with the project teams to define terms and definitions 5) Term is pending approval 6) Term is approved by the EDM voting members 7) Term is certified for use in the MDR registry and updated in the FCBT WIKI. A Registration Process Model can be viewed here. MDR Registration Process
    9. 9. Classification of Metadata Attributes Attribute Definition Occurrence Required Metadata Term Name The MDM approved term name. One per data element Yes Business Definition The MDM approved definition One per data element Yes Valid Values Examples of data element, amount, date, selection list or other If applicable Yes, If applicable Standardized Formula Calculation used to derive a data element metric or amount One per data element Yes, If applicable Source Reference The system the data element originates from Can be multiple systems of origin Yes, used to determine ownership Data Owner The decision contact for data quality and data privacy Could be more than one per data element Yes Data Steward Definition contact. Appointee of the business owner. Could be more than one per data element Yes Submission Contact Appointee of the project team One per data element Yes Creation Date Date a data element was submitted One per data element Yes Last Change Date Shows when a data element was last updated One per data element Yes The complete Metadata Classification Schema can be viewed here.
    10. 10. Master Data Management Brings together the: • Business Rules for Data Quality • Procedures for Metadata Management • IT Roles & Responsibilities • Progress Tracking & Reporting • Data Privacy Classifications for all the data within the organization • Auditable Time Stamps & User IDs
    11. 11. Benefits of MDM Master Data Management (MDM) is a methodology for researching and implementing controls and business rules around your data. The many benefits to implementing Master Data Management include; - Preventing critical errors in data quality - Preventing data loss, breach and negligence - Improve efficiency and availability of information needed for business decision making
    12. 12. Challenges of Implementing MDM • Lack of centralization • Data misunderstandings • Lack of defined metadata attributes • Poor data quality rules and guidelines • Other priorities • Lack of training and awareness • No clear definition of success
    13. 13. Master Data Management Maturity No MDM Metadata Schema and Mgmt. Plan Stewardship and Project Team Mgmt. Model Centralized Hub Processing of all application database data Business Rules for Data Quality & Policy Support Data Privacy & Security Processing Maturity Time INVEST
    14. 14. MDM Capabilities and Enablers Key Business Capabilities • Well defined, documented, and enforced policies and processes for governing master data and data quality • Cross-functional teams of business stakeholders • Well documented, regularly reviewed and updated operational procedures Key Technology Enablers • Established metadata schema and metadata repository • Data or information consistency, migration, quality, and transformation tools (ETL) • IT enabled access controls, process management, and security solutions
    15. 15. Solutions for MDM Life Cycle Strategy • MDM Roadmap • Program Development • Readiness Assessment • Data Quality / Stewardship Programs Planning • Project Planning • Tool Assessment • Architecture Design • Success Metrics & Reporting Implementation • Requirements Workshops • MDM Design • MDM Process • Stewardship Process • Data Quality Support • Policies & Procedures • SLA Management • MDM Training • Change Management MDM Maturity Accelerators • MDM Methodology • Project Plans • Architecture Frameworks • Best Practice Techniques • Training Curriculum • New Technology Tools
    16. 16. Data Quality Management Data Quality Management is the process of establishing roles & responsibilities and the business rules that govern data by bringing the Business and IT to work together. Their task is two-fold:- to address the problems that already exist and to prevent the potential ones from occurring. Ref. http://blogs.perficient.com/businessintelligence/tag/data-governance/
    17. 17. Data Quality and Data Governance: The Basics • Business Rules – Enterprise Architecture – Naming and Identification Principles – Formulation of Data Definitions – Data Definition Process • (see Data Registration Model) • Roles & Responsibilities – Business & IT Subject Matter Experts (SMEs)
    18. 18. Business Rules Naming and Identification Principles Each administered item shall have a unique data identifier within the metadata register. (ex: ID_KEY) A naming convention shall cover all the following aspects; a) the scope of the naming convention, e.g. established industry name b) the authority that establishes names c) semantic rules governing the source and content of terms used in a name d) syntactic rules covering required term order
    19. 19. Business Rules Formulation of Data Definitions A data definition should: a) be stated in the singular b) state the concept as a descriptive phrase or sentence(s) c) contain only commonly understood abbreviations d) be expressed without embedding rationale, functional usage, or procedural information e) use the same terminology and consistent logical structure for related definitions
    20. 20. Roles & Responsibilities Data Governance Council – comprises of an Information Management Head and Data Stewards from various units. Information Management Head – is the one who is accountable to the Governance Council on all aspects of data quality. This role would typically be fulfilled by the CIO. Data Stewards - are the unit heads who lay down the rules & policies to be adhered to by rest of the team. This role would usually be fulfilled by a Program Manager. Ref. http://blogs.perficient.com/businessintelligence/tag/data-governance/ Data Custodians – are responsible for the safe storage & maintenance of data within the technical environment. DBA’s would normally be the data custodians in a firm. Business Analysts – are the ones who convey the data quality requirements to the data analysts. Data Analysts – are those who would reflect the requirements into the model before handing it over to the development team. Internal Audit – reviews procedures to determine how well we did.
    21. 21. Data Privacy & Security Management Financial institutions should control and protect access to paper, film and computer-based media to avoid loss or damage. Institutions should; • Establish and ensure compliance with policies for handling and storing information, • Ensure safe and secure disposal of sensitive media, and • Secure information in transit or transmission to third parties. http://ithandbook.ffiec.gov/it-booklets/information-security/security-controls-implementation/data-security.aspx FFIEC Action Summary
    22. 22. Data Privacy and Security Threats
    23. 23. Data Privacy & Security Challenges • Information Security – Organizations need to worry about evolving criminal enterprises, but they also need to worry about small storage media devices that can easily be lost or stolen. – The financial and reputational costs that data breaches can have on an organization is significant. • Information Privacy – The sensitive information involved in data breaches, and the potential for an increase in identity theft cases has consumers thinking twice about their personal information being held by organizations. • A Complex Regulatory Landscape – Stop security threats and protect consumers’ personal information – Spread awareness of best practices and promote self-regulation Ref.http://tfs.sharepoint.nterprise.net/sites/Enterprise%20Data%20Mgmt/Project%20Management/EDM%20Presentations/Data%20Governance%20Research%20Files/Guide_to_Data_Governance_Part4_A_Capability_Maturity_Model_whitepaper.pdf
    24. 24. Data Governance Privacy & Compliance Framework People • Committed and engaged executive leadership • Trained, aware and accountable employees Process • Structured, repeatable, and adaptable process • Data Classification & Data Stewardship Technology • Secure infrastructure that protects information • Auditing and Reporting of access controls
    25. 25. Data Governance, Risk Management, and Policy Compliance • Governance ensures that the business focuses on core activities, clarifies who has the authority to make decisions, and addresses how performance will be evaluated. • Risk Management is a systematic process for identifying, analyzing, evaluating, remedying, and monitoring risk. • Compliance refers to actions that ensure behavior that complies with established rules as well as the provision of tools to verify that compliance.
    26. 26. Data Governance Policies • Data Stewardship (authority) Policy • Data Classification Policy – Public Information – Internal Use Only – Restricted Data – Confidential Data
    27. 27. Data Privacy Risk Management Process Establish goals Identify (model) threats Analyze risks Determine treatment Evaluate compliance Diagramming Threat Enumeration 1
    28. 28. Data loss/leak prevention solutions are designed to detect potential data breach incidents in a timely manner and prevent them by monitoring data while in-use, in-motion and at-rest. A data leakage incident is when, sensitive data is disclosed to unauthorized personnel by malicious intent or human mistake. DLP (Data Loss Prevention) Software INTERNET DLP Suite
    29. 29. DLP Technology Domains • Safeguard against malware and intrusions • Protect systems from evolving threats Secure Information •Protect sensitive data from unauthorized access or use •Provide management controls for identity, access , and provisioning Identity and Access Control •Protect sensitive data in structured databases •Protect sensitive data in unstructured documents, messages, and records •Automate data classification •Protect data in motion Information Protection •Monitor to verify integrity of systems and data •Monitor to verify compliance with policies Auditing and Reporting
    30. 30. Click logos to view References