Privacy and protection of personal information is a hot topic in data governance. The compliance challenge, however, is creating audit defensibility: ensuring that practices are compliant and performed in a way that is scalable, transparent, and defensible, thus creating “Audit Resilience.” Data practitioners often struggle to view the world from the auditor’s perspective. This presentation focuses on how to create the foundational governance framework supporting the data control model required to produce clean audit findings. These capabilities are critical in a world where due diligence and compliance with best practices are essential in addressing the impacts of security and privacy breaches. The companies in the news recently drive home these points.
2. Jonathan Adams
• Director of Research that supports customers in building governance discipline around analytics and regulatory compliance
• Certified CMMI Enterprise Data Management Expert (EDME)
• 20+ years of experience in leading requirements, design and implementation efforts for retailers, financial organizations and federal agencies
3. Risk
“the Federal Reserve barred the bank from future asset … until it improves corporate governance”
https://www.thestreet.com/story/14508322/1/wells-fargo-directors-retire-after-federal-reserve-slams-governance.html
“the company not only suffered a breach in late 2016 … hiding it from the General Counsel and Board.”
https://www.forbes.com/sites/forrester/2017/12/05/ubers-uber-breach-a-stunning-failure-in-corporate-governance-and-culture/#ec10cf459fc5
“Ex-CEO Blames One Employee For Patch Failures … how it was possible that a business of this size, with an information security team that reportedly comprised 225 personnel, could have screwed up in such spectacular fashion.”
https://www.bankinfosecurity.com/blogs/equifax-ex-ceo-blames-one-employee-for-patch-failures-p-2551
“It's important to understand that what happened … was not just a technological failure but more important a failure of management and corporate governance.”
https://www.bloomberg.com/gadfly/articles/2017-10-03/equifax-can-t-protect-data-but-it-can-keep-a-secret
“We have spent tens of millions on governance – why are we receiving MRIA’s?!” Data Practitioner at major bank
The system of controls lacks linkage to data
Controls must be observable and measurable in the data!
If footprints of good practices are not observable in data – did they happen?
4. The Compliance Challenge
Creating Audit Defensibility that ensures practices are compliant and performed in a way that is transparent and defensible at the data level
Building a robust and comprehensive Control Model
5. Compliance
a: The act or process of complying to a desire, demand, proposal, or regimen or to coercion
b: conformity in fulfilling official requirements
Merriam-Webster
In data management and governance, Compliance is about defining the Data Control Model that reduces risk and creates “Audit Defensibility”
6. Audit Defensibility
The degree to which the organization is ready to address the demands of an auditor:
• Observable
• Measurable
• Repeatable
• Robust
• Transparent
• Defensible
Operationalized in a Data Control Model
7. Data Control Model sits within the Control System
Control Environment
• Sets the tone for the organization
Risk Assessment
• Identification and analysis of relevant risks to the achievement of objectives
Information and Communication
• Systems or processes that support the identification, capture, and exchange of information
Control Activities
• Policies and procedures that help ensure management directives are carried out
Monitoring processes
• Assess the quality of internal control performance over time.
Figure: the original COSO Cube (COSO Internal Control Integrated Framework; AICPA: System and Organization Controls)
8. The Data Control Model connects data to the overarching Control System
The configuration of a Data Control Model to align impacted data with compliance requirements and best practices
Diagram: Data Control Model components: Objectives; Policies / SOP; Rules; Standards; Metrics; Data; Processes
9. Best Practice Frameworks define “good” and are critical input to Control Systems
Diagram: Best Practices feed the Control System alongside Organizational Mission / Culture and the Operating Model
Frameworks can be:
Regulatory
• BCBS 239; GDPR; CCAR; …
Industry
• APQC – Petroleum; FIBO; …
Functional
• COBIT; CMMI DMM; ISO 27001; NIST 800; SCOR; …
Internal
• Policy / Management Driven
10. The Challenge is that Control Systems and Frameworks rarely identify the data!
What does this mean to a data manager?
• What data?
• What systems?
• Who owns it?
• What processes?
• What Controls?
Figure: APQC Process Classification Framework, https://www.apqc.org/
11. Creating Alignment
Alignment maps regulatory requirements to:
• Best Practices: those activities that one would expect to see high-maturity companies executing in order to be compliant
• Governance Artifacts & Work Products: those elements of the Data Control Model that support the Practices detailed above.
• Alignment to regulatory requirements is often formalized in a matrix that cross-walks regulation to best practices and work products
13. Steps to Setting up a Data Control Model
1. Configure Data Control Model
2. Configure Operating Model
3. Identify Control Points
4. Getting the Data Labelled
5. Automation & Scaling
14. Set up Data Control Model
Steps and implementation notes:
Identify Compliance Objectives: Policies and guidance from risk and compliance teams
Identify relevant best practices framework: Multiple sources will provide guidance: Industry Associations; Regulators; Publications; Internal Documentation
Extend best practices framework as needed: Match the detail to your capabilities! Additional detail only makes sense if you have the use case and capabilities to leverage it
Compliance objectives alignment: Remember – auditors need observable and measurable artifacts or work products to support findings. The regulatory alignment matrix discussed above is used here.
Identify Processes and Control Points: Where will you look for evidence of compliance?
Build Control Rules: How will you know that you are compliant? What questions must be asked of the data to validate compliance?
Align / Assign Controls to data and to RACI: Accountability – who is doing what, when and where?
Identify Testing Method for Control Rules: This may impact your Operating Model. Control Rules may be tested as part of an annual audit, during ETL, or using a data quality tool.
15. Create / Update the Operating Model for Accountability
What is a Governance Operating Model? The alignment of organizational roles, functions, and decision processes to the Governance Framework
Operating Model Components: Data governance roles; Functions aligned to Roles and Teams; Decision Making Processes
Steps and implementation notes:
If a Model exists: Are required Functions and Roles supported? What new roles must be created? Are Roles and Functions resourced for the new activity?
Capability Analysis: Does the team have the right capabilities? Tools? Training?
Assign roles to Control Points: Assign Roles to those places where compliance will be enforced: Rules and Processes
16. Identify Control Points
Example: Breach Remediation Process
“Control Points” are activities / tasks that are linked to compliance-related Rules, Standards and Data
1. Control Points are where the auditor will look to validate compliance / assess risk
2. Control Points are applied to tasks within each process identified in the Data Control Model.
3. You cannot “control” all data all the time! Apply resources commensurate with compliance needs.
4. How many and where the control points are placed will depend on:
• Business model
• Risk posture
• Risk mitigation assessment
• Complexity of process
18. Control Point Tasks
Steps and implementation notes:
Identify in-scope business processes: This should be available in the Governance Framework. Examples might be product procurement; loan origination; Order to Cash, etc.
Identify how data in the business processes will be controlled: This must align with your Governance Operating Model. All data cannot be controlled in all places (generally speaking). Pick process gates or milestones that create a natural measurement point. Be practical: whatever is selected must work today, AND will evolve over time as capabilities evolve.
Build Control Rules: Control Rules must rely on observable and measurable data or work products, and must have roles assigned. Rules must be supported by a Standard and/or a Policy
19. Curate your Data – The Data Control Model relies on well-labeled data
Data Classification / Labeling
1. Important data is data that feeds key performance or compliance metrics
2. Data is labelled to show where it is in the lifecycle
3. Data is linked to a Data Asset
4. Data has a Security Classification
5. A Personal Information “Type” label flags this data as falling under privacy regulations
Do we know enough about the data to know it is being managed correctly?
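As an added illustration (not part of the original deck), the Python below evaluates control rules of the kind slides 14 and 18 call for against the labels listed above, producing both observable findings and measurable pass rates; the record fields, rule ids and sample catalogue are constructed assumptions.

```python
"""Evaluate data control rules over a labelled data catalogue.
Records carry the labels from the classification list above (lifecycle,
data asset, security classification, PI type) plus a RACI accountable role.
Field names, rule ids and the catalogue are constructed for illustration."""

# Constructed sample catalogue: one record per data element.
CATALOGUE = [
    {"element": "customer.ssn", "important": True, "lifecycle": "active",
     "asset": "CRM", "security": "confidential", "pi_type": "national_id",
     "accountable": "Privacy Officer"},
    {"element": "customer.email", "important": True, "lifecycle": "active",
     "asset": "CRM", "security": None, "pi_type": "contact",
     "accountable": "Privacy Officer"},
    {"element": "order.total", "important": True, "lifecycle": None,
     "asset": None, "security": "internal", "pi_type": None,
     "accountable": None},
    {"element": "log.debug_msg", "important": False, "lifecycle": None,
     "asset": None, "security": None, "pi_type": None, "accountable": None},
]

def in_scope(rec):
    """Control points only where needed: important data or data with PI."""
    return bool(rec["important"] or rec["pi_type"] is not None)

# Control rules: (rule id, question asked of the data, predicate that must hold).
RULES = [
    ("CR-01", "PI-labelled data carries a security classification",
     lambda r: r["pi_type"] is None or r["security"] is not None),
    ("CR-02", "In-scope data is linked to a data asset",
     lambda r: r["asset"] is not None),
    ("CR-03", "In-scope data has a lifecycle stage label",
     lambda r: r["lifecycle"] is not None),
    ("CR-04", "In-scope data has an accountable (RACI) role",
     lambda r: r["accountable"] is not None),
]

def evaluate(catalogue, rules=RULES):
    """Observable evidence: one finding per (element, rule) that fails."""
    return [{"element": rec["element"], "rule": rule_id, "description": desc}
            for rec in catalogue if in_scope(rec)
            for rule_id, desc, check in rules if not check(rec)]

def pass_rates(catalogue, rules=RULES):
    """Measurable evidence: (passed, tested) per rule over in-scope elements."""
    scoped = [rec for rec in catalogue if in_scope(rec)]
    failed = evaluate(scoped, rules)
    return {rule_id: (len(scoped) - sum(f["rule"] == rule_id for f in failed), len(scoped))
            for rule_id, _, _ in rules}
```

The findings list is the artifact an auditor can inspect, and the per-rule pass rates are the metric that makes the control measurable over time.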
20. Three approaches to labeling your data
a. Steward Led Curation:
• People driven
• Source knowledge drives classification
b. Systemic Curation:
• Glossary Driven
• Data structures / location drives classification
c. Semantic Curation:
• Machine Learning driven
• Data meaning drives classification
Figure: approaches a, b and c plotted against Governance Maturity, applied to Source Files and Transaction Systems. At the steward-led end, scaling is a challenge: Costs ↑; Quality ↓; Inflexible / Brittle. At the semantic end, at scale: Costs ↓; Quality ↑; Flexibility Maintained.
21. Enable automation & scaling through Machine Learning
ML Techniques perform the following functions:
Identify: Identification of instance data in order to classify the data
Classify: Classify the data
Resolve: Perform entity resolution
Link: Identify and resolve relationships and specify relationship type / strength
22. Architecting for Compliance & Risk Management
Diagram of the five steps: 1. Data Control Model; 2. Update Operating Model; 3. Define & Configure Control Points; 4. Label Data; 5. Architect, Automate, Scale
• Links data to Control System
• Aligns Business Objectives
• Builds Defensibility
• Ensures Accountability
• Creates Transparency
• Basis for Governed Data
• Addresses issues of “completeness”
23. Thank you for your time.
• Any questions?
• Visit us at www.datumstrategy.com for more information
• For the latest news follow us on Twitter at @datumstrategy
Editor's Notes
The data exists, but no one is looking at it
The policies exist, but enforcement mechanism does not
Enforcement mechanism exists, but does not map to the data level
Robustness refers to the ability of the model to produce valid output across the complete range of inputs. A robust model has no use case where the observed behavior (inputs) does not get captured and evaluated correctly (desired outputs).
Good Deloitte deck https://www.slideshare.net/IrfanAhmedACACICA/coso-internal-control-integrated-framework-58951959
Control System guides executive management and governance entities on relevant aspects of organizational governance
Est 1992
Acceptance following the financial control failures of the early 2000s
Most widely used framework in the States
Widely used around the world
“Machine Learning is the science of getting computers to learn and act like humans do, and improve their learning over time in autonomous fashion, by feeding them data and information in the form of observations and real-world interactions.”
Identify: Is this personal Information? Does it look like a financial #? Does it reside in a financial statement?
Classify: Once data is identified, ML approaches support classifying the data within the data dictionary: data is in the finance domain; it is in the “Deliver” phase of the SCOR lifecycle; it is a vendor; etc.
Resolve: The completed data dictionary will support entity resolution by providing a richer feature set against which Master Data or analytical algorithms can be run. If I know data represents a vendor, do I know which vendor?
Link: The resolved entity is linked to internal and external reference sources. ML Techniques may be used to identify and resolve link candidates and specify link type / strength