When some people think about data governance, they immediately jump to the conclusion that a technological solution is the holy grail for this substantial task, writes Finn Rye, CISSP. While a technology solution is an integral part, it is just one aspect of the overall holistic approach a company should follow to achieve success. Most experts agree that successful data governance is arrived at through planning and communication, rather than by treating it as a typical IT project. There are several core elements that, when correctly undertaken, can increase the likelihood of achieving your data governance goals.
Support and funding
You cannot count on executing a widely adopted data governance model in the business without first developing management support for the project. The team tasked with data governance efforts will need to find an executive sponsor to sanction the work and to give the project some priority.
The data stewards should be the ones to make the pitch to the executive sponsor because they can best articulate the benefits of applying the strategy and the risk associated with not having a strategy. Data stewards representing the core business processes should make up the data governance council. This formal council is intended to be a working group that evaluates, arbitrates, and decides on the range of enterprise data governance issues at hand. The council is a permanent part of the business and should not become stagnant or lethargic in its watchful oversight of the data policy.
It is important to define what needs to be accomplished and how the project is going to achieve its objectives. The project charter is the foundation of the project: it takes a rough idea and turns it into a single consolidated source of information for stakeholders. The charter is a communication tool and is also used as a reference throughout the project. The project charter also documents authorisation from the executive sponsor.
Stakeholders are essential
Stakeholders should be involved in the creation of the project charter. All data can be and should be categorised into data sets and then associated with stakeholders. It is up to the council and the other data stakeholders to decide which data is sensitive, how sensitive it is, and what measures must be taken to protect the data. When you develop this plan, you will need to take into account the compliance landscape, which of course varies by country, sector and regional influence, with, for example, EU and/or state-level regulation adding to the complexity.
It is perpetual
The data governance council should be integral in the planning stages of designing a governance model. I have stated this already, but it is important to understand that data governance is more of a continual programme than a project that will be completed. The initial implementation of the governance strategy can and should be treated as a formal project, but once finished the governance activities will need constant care and feeding.
Finn Rye, CISSP, is information security manager for a telecommunications company in south central Alaska.