Brian Kordelski – WW Sales Executive – IBM InfoSphere
12/07/2010
The Core Principles of
Information Governance
© 2010 IBM Corporation
Governance is no longer an option
“By 2013, 25% of the
companies in highly regulated
industries will create and staff
positions in accounting,
human resources, compliance
and audit and law that deal
explicitly with the management
of information via technology.”
– Gartner, Inc.
“Organizing for
Information Governance”
Debra Logan, November 2009
2
“[A]n [information
management] strategy
should incorporate lifecycle information
governance practices [to
ensure] consistent
execution of ... business
optimization, agility, and
transformation [initiatives].”
– Forrester Research, Inc.
“Refresh Your Information
Management Strategy to
Deliver Business Results”
Rob Karel & James
G. Kobielus, August 2009
“If you are going to protect
your company's most
valuable asset—your
data—you will begin to
view data security as a
component of a more
comprehensive information
governance strategy.”
– Hurwitz & Associates
“Why you need an
information governance
strategy for 2010”
Marcia Kaufman,
December 2009
© 2010 IBM Corporation
Information Governance Council Maturity Model
Requires
Enhances
Supports
3
© 2010 IBM Corporation
If we don’t proactively manage quality
Increase costs and missed revenue opportunities, impacting both
financials and customer relationships due to lack of data quality.
Incomplete and inaccurate master data created problems in receiving and/or
shipping products, marketing literature and regulatory mailings, and 360-degree
customer visibility.
Small error in the quality of the rating data leads to negative
impact for the company and unhappy customers
Large Telecom provider with massive volume of telephone calls and telephone
customers, even a small error in the rating data can mean significant revenue
loss or customer turnover.
Data quality issues plague BI initiatives creating a lack of trust in
the data
Several attempts at implementation of a data warehouse and analytics application at
a major retailer had stalled due to data quality issues which created frustration for the
project team and a lack of trust of the data on the part of business users.
4
© 2010 IBM Corporation
Requirements to manage the quality of data
5
Understand
& Define
Develop
& Test
Cleanse &
Manage Continuously
Discover your data across
systems
Develop database
structures
Define Rules &
Cleanse Data
Define common
vocabulary
Create & refresh
test data
Actively Monitor
& Manage Data
Design your
data structures
Validate test
results
Remediate
Inconsistencies
© 2010 IBM Corporation
Understand your information
?
?
?
?
?
?
?
?
?
?
?
? ?
?
 Complex, poorly documented data
relationships
?
?
?
?
?
– Which data is sensitive, and which can be
shared?
– Whole and partial sensitive data elements
can be found in hundreds of tables and
fields
 Data relationships not understood
because:
?
?
– Where are those databases located?
?
?
?
?
?
?
? ?
 Data can be distributed over multiple
applications, databases and platforms
?
– Corporate memory is poor
– Documentation is poor or nonexistent
– Logical relationships (enforced through
application logic or business rules) are
hidden
Distributed Data Landscape
6
© 2010 IBM Corporation
Gain consistent terminology
How does each user define:
Financial
Officer
Business
Analyst
“Active Subscriber”?
 Mobile user who has used “any”
service in the mobile network
Compliance
Officer
 User who paid for the service at
least 1 time in the past 90 days.
Sales Lead
Marketing
Manager
Business
Intelligence
Manager
 Only post-paid customers, not
pre-paid customers
CRM Project
Manager
ERP
Project Manager
 Mobile user who has a phone
plan, but not SMS
IT
Architect
 User who makes at least 1 call
over the period of 90 days
Support Rep
7
© 2010 IBM Corporation
Cleanse and continuously manage your data
1. Create reusable quality rules & cleanse your data
– Leverage the knowledge gained during the understand
& define steps
– Define what quality means to you
– Design your data quality rules and matching logic
2. Actively monitor & manage your data
– Standardize data formats
– Leverage precisely calibrated matching rules and
remove duplicates
– Develop rules & quality metrics for monitoring
– Manage duplicate data, when required
3. Remediate inconsistencies in your data
– Monitor for problems or trends
– Investigate data lineage to find source of problem
– Repair data and source of problem
– Maintain monitoring to capture future problems
8
Make sure there is an owner of data quality AND
management sponsorship
© 2010 IBM Corporation
Monitor quality with integrated data rules
 Create “Checks & Balances” to proactively identify quality concerns throughout the lifecycle
– Build & test rules for common or complex conditions
– Extend profiling through targeted analysis of specific data conditions or conformance to
expected rules
– Establish benchmarks and baselines to help track data quality – is it deteriorating or
remaining constant?
– Flag bad data for audit
 Examples of Rules:
– The Gender field must be populated and must be in the list of accepted values
– The Social Security Number must be numeric and in the format 999-99-9999
– If Date of Birth Exists AND Date of Birth > 1900-01-01 and < TODAY Then Customer
Type Equals ‘P’
– The Bank Account Branch ID is valid in the Branch Reference master list
9
© 2010 IBM Corporation
IBM provides the solutions required to create high quality information
10
Understand
& Define
Develop
& Test
Cleanse &
Manage Continuously
Discover your data across
systems
Develop database
structures
Define Rules &
Cleanse Data
Define common
vocabulary
Create & refresh
test data
Actively Monitor
& Manage Data
Design your
data structures
Validate test
results
Remediate
Inconsistencies
© 2010 IBM Corporation
Organizational challenges from lack of data lifecycle management
 New application functionality to meet business needs is not deployed on schedule
– No understanding of relationships between data objects repeatedly delays projects
– Greater data volumes take longer to clone, test, validate and deploy which equates to
longer test cycles
 Increased operational and infrastructure costs impact IT budget
– Cloning databases requires more storage hardware
– Larger databases impact staff productivity and could mean additional license costs
 Application defects are discovered after deployment
– Costs to resolve defects in production can be 10 – 100 times greater than those caught
in the development environment
 Unintentional disclosure of confidential data kept in test/development environments
“
Forrester estimates that 85%
of data stored in databases is inactive
Source: Noel Yuhanna, Forrester Research, Database Archiving Remains An Important Part Of Enterprise DBMS Strategy, 8/13/07
11
© 2010 IBM Corporation
The data multiplier effect
Development
1 TB
Test
1 TB
1 TB
Production
1 TB
Backup
1 TB
User
Acceptance
1 TB
6 TB
Total
Disaster
Recovery
Actual Data Burden = Size of production database + all replicated clones
12
© 2010 IBM Corporation
Requirements to manage data across its lifecycle
Discover &
Define
Develop &
Test
Optimize, Archive
& Access
Consolidate &
Retire
Discover where
data resides
Develop database
structures & code
Enhance
performance
Rationalize
application portfolio
Classify & define data
and relationships
Create & refresh test
data
Manage data growth
Move only the
needed information
Validate test results
Report & retrieve
archived data
Enable compliance
with retention &
e-discovery
Define policies
13
© 2010 IBM Corporation
Implement test data management with masking
Production or
Production Clone
Create targeted, right-sized test
environments instead of cloning
entire production environments
Mask data to protect privacy
Development
Environment
Test
Environment
QA
Environment
Training
Environment
Compare data pre/post test to
identify quality issues
14
© 2010 IBM Corporation
Archive to manage data growth
Production
Archive
Reference
Data
Historical
Retrieved
Current
Archives
Historical
Data
Reporting
Data
Retrieve
Universal Access to Application Data
Application
Mashup
Application
XML ODBC / JDBC
Archiving is an intelligent process for moving inactive or infrequently
accessed data that still has value, while providing the ability to search
and retrieve the data
15
© 2010 IBM Corporation
Diagnose and solve performance problems
 Identify problems before they impact
business
 Diagnose performance problems
quickly & easily
 Implement a permanent solution, not a
temporary workaround
 Plan for the future while avoiding past
mistakes
16
© 2010 IBM Corporation
When you retire or consolidate applications don’t move all of the data
 Application portfolio has redundant systems acquired via mergers and acquisitions
 Line of business divested; application is no longer needed
 Legacy technologies not compatible with current IT direction
– Old database and/or application versions no longer supported by manufacturer
 Required technical skills or application knowledge no longer available
 Budget pressures – do more with less
In almost ALL cases, access to legacy
data MUST be retained while the
application and database are eliminated
17
© 2010 IBM Corporation
IBM provides the solutions required to manage information
throughout its lifecycle from requirement to retirement
Discover &
Define
Develop &
Test
Optimize, Archive
& Access
Consolidate &
Retire
Discover where
data resides
Develop database
structures & code
Enhance
performance
Rationalize
application portfolio
Classify & define data
and relationships
Create & refresh test
data
Manage data growth
Move only the
needed information
Validate test results
Report & retrieve
archived data
Enable compliance
with retention &
e-discovery
Define policies
18
© 2010 IBM Corporation
The data privacy and protection risk continues
Confidential data inadvertently exposed or otherwise available
to unauthorized viewers.
February 2010: About 600,000 customers of a major NYC bank received their
annual tax documents with their Social Security numbers (combined with other
numbers & letters) printed on the outside of the envelope.
SQL injection is fast becoming one of the biggest & most high
profile web security threats.
July 2010: Hackers obtained access to the user database and administration
panel of a popular website by exploiting several SQL injection vulnerabilities. The
exposed data included user names, passwords, e-mail addresses and IPs.
Unprotected test data sent to and used by test/development
teams as well as third-party consultants.
February 2009: An FAA server used for application development & testing was
breached, exposing the personally identifiable information of 45,000+ employees.
Confidential data that should be redacted can be hidden or
embedded
April 2010: A PDF of a subpoena in the case of “United States vs. Rob
Blagojevich” was posted to public website. However, the “redacted” text simply had
black box placed on top to hide the content – the actual text was still available.
19
© 2010 IBM Corporation
Can today’s organizations successfully protect their information?
 Where does your sensitive data reside across the enterprise?
 How can your data be protected from both authorized and unauthorized access?
 Can your confidential data in documents be safeguarded while still enabling the necessary
business data to be shared?
 How can access to your enterprise databases be protected, monitored and audited?
 Can data in your non-production environments be protected, yet still be usable for training,
application development and testing?
“
Larry Ponemon, founder of the group that bears his name, said that survey
shows a shift in the way C-level executives think about security software.
Investing in data protection, he said, is now seen as less expensive than
recovering from a data breach. -- InformationWeek
20
© 2010 IBM Corporation
Requirements to manage the security and protection of data
21
Discover &
Define
Secure &
Protect
Monitor
& Audit
Discover where sensitive
data resides
Protect enterprise data
from both authorized &
unauthorized access
Audit and report
for compliance
Classify & define data
types
Safeguard sensitive data in
documents
Monitor and enforce
database access
Define policies
& metrics
De-identify confidential
data in non-production
environments
Assess database
vulnerabilities
© 2010 IBM Corporation
Discover where sensitive data may be hidden
Sensitive Relationship Discovery
S ys te m A T a b le 1
S ys te m A T a b le 1 5
N um ber
4600986
8150928
6736304
3802468
5567193
N am e
A le x F u llth e im
B a rn e yS o lo
B illA le x a n d e r
B o b S m ith
E ile e n K ra tc h m a n
P a tie n t
3802468
4182715
4600986
5061085
5567193
R e s u lt
N
N
N
N
N
Test
53
53
32
53
72
7409934
6123913
5061085
4182715
8966020
F re d S im p s o n
G re g L o u g a in is
J a m ie S la tte ry
J im J o h n s o n
M a rtin A s to n
6123913
6736304
7409934
8150928
8966020
Y
N
N
N
N
47
34
34
47
34
Patient ID # embedded within another field
Code
53
72
32
47
34
System Z Table 25
Name
Streptococcus pyogenes
Pregnancy
Alzheimer Disease
H1N1
Dermatamycoses
 Relationships and sensitive data can’t
always be found just by a simple data
scan
– Sensitive data can be embedded
within a field
– Sensitive data could be revealed
through relationships across fields
& systems
 When dealing with hundreds of tables
and millions of rows, this search is
complex – you need the right solution
Compound sensitive data:
Test results could potentially be revealed.
22
© 2010 IBM Corporation
Protecting data is both an external and internal issue
 Prevent “power users” from abusing their access to
sensitive data (separation of duties)
– DBA and power users
 Prevent authorized users from misusing sensitive data
– For example, third-party or off-shore developers
 Prevent intrusion and theft of data
– For example, someone walking off with a back-up tape
– Hacker
– Database vulnerabilities (user id with no password or
default password)
23
© 2010 IBM Corporation
Protection of data requires a 360-degree strategy
 Secure sensitive data values
– Across both structured and unstructured
 De-identify data
– Restricted data sharing with 3rd parties
– Generation of fictionalized test data for non-production
– Support off-shore deployment model
 Stop unauthorized data access
– Render data useless via encryption
– Lock down SQL to prevent SQL injection
– Block suspicious network traffic
Security makes it possible for us to take risk, and innovate confidently.
24
© 2010 IBM Corporation
Protect sensitive data values within documents
 Redact (or remove) sensitive unstructured data found in documents and forms, protecting
confidential information while supporting the need to share critical business information
– Support compliance with industry-specific and global data privacy requirements or
mandates
 Leverage an automated redaction process for speed, accuracy and efficiency
– Ensure hidden source data (or metadata) within documents is redacted as well
 Prevent unintentional disclosure by using role-based masking to confidently share data
 Ensure multiple file formats are support, including PDF, text, TIFF and Microsoft Word
documents
Redact Full Name
& Street Address
25
© 2010 IBM Corporation
De-identify data without impacting test & development
 Mask or de-identify sensitive data elements that could be used to identify an individual
 Ensure masked data is contextually appropriate to the data it replaced, so as not to impede
testing
– Data is realistic but fictional
– Masked data is within permissible range of values
 Support referential integrity of the masked data elements to prevent errors in testing
JASON MICHAELS
26
ROBERT SMITH
Personal identifiable
information is masked
with realistic but fictional
data for testing &
development purposes.
© 2010 IBM Corporation
What happens with security complacency
 Not being able to report compliance can lead to regulatory fines
– No audit report mechanism
– No fine grain audit trail of database activities
 Don’t know if there is a data breach until it’s too late
– Lack of awareness of suspicious access patterns
– On-going vs. single-invent: problems identifying patterns of unauthorized use
 Not able to monitor super user activity to ensure data security standards
– Unable to detect intentional and unintentional events
“
27
Most organizations do not have mechanisms in place to prevent
database administrators and other privileged database users from
reading or tampering with sensitive information [in business
applications]…Fewer than two out of five respondents said they could
prevent such tampering by super users.
-- Independent User Group
© 2010 IBM Corporation
Streamline and simplify compliance processes
 Alerts of suspicious activity
 Audit reporting and sign-offs
– User activity
– Object creation
– Database configuration
– Entitlements
 Separation of duties – creation of policies vs. reporting
on application of policies
 Trace users between applications, databases
 Fine grained-policies
 Sign-off and escalation procedures
 Integration with enterprise security systems (SIEM)
28
© 2010 IBM Corporation
IBM provides the solutions required secure and protect data privacy
29
Discover &
Define
Secure &
Protect
Monitor
& Audit
Discover where sensitive
data resides
Protect enterprise data
from both authorized &
unauthorized access
Audit and report
for compliance
Classify & define data
types
Safeguard sensitive data in
documents
Monitor and enforce
database access
Define policies
& metrics
De-identify confidential
data in non-production
environments
Assess database
vulnerabilities
© 2010 IBM Corporation
The IBM security strategy:
Make security, by design, an enabler of innovative change
IBM as a trusted partner,
delivering secure products
and services
IBM as a trusted security
vendor, providing key solutions
across all security domains
 15,000 researchers, developers and SMEs
on security initiatives
– Data Security Steering Committee
– Security Architecture Board
– Secure Engineering Framework
 3,000+ security & risk management patents
 200+ security customer references and 50+
published case studies
 40+ years of proven success securing the
zSeries environment
 Managing more than 7 Billion security
events per day for clients
30
© 2010 IBM Corporation
Delivering trusted information for smarter business decisions across
your entire information supply chain
Transactional &
Collaborative
Applications
Integrate
Analyze
Business Analytics
Applications
Big Data
Manage
External
Information
Sources
Master
Data
Cubes
Streams
Data
Data
Warehouses
Content
Streaming
Information
Govern
Quality
31
Lifecycle
Security &
Privacy
© 2010 IBM Corporation
Enabling success
IBM Information Governance Unified Process
Define
Business
Problem
Obtain
Executive
Sponsorship
Conduct
Maturity
Assessment
Build
Roadmap
Establish
Organization
Blueprint
Build Data
Dictionary
Understand
Data
Create
Metadata
Repository
Appoint Data
Stewards
Create
Specialized
Centers of
Excellence (COE)
Implement
Master Data
Management
Manage Data
Quality
Manage
Security &
Privacy
Define
Metrics
Manage
Life-cycle
Measure
Results
= Enable through Process
32
= Enable through Technology
© 2010 IBM Corporation
What can you do next …
 Start small with a project, don’t try to do it all at once
– Free workshops and assessments
– Best of breed solutions to help you succeed
 Join a movement: www.infogovcommunity.com
– Benchmark your organization online
– Work with others on the Maturity Model
– Compare best practices in online peer reviews
– Be recognized for what you contribute on the leader
board
 Read the book:
– The IBM Data Governance
Unified Process: Driving Business Value
with IBM Software and Best Practices
 Visit our web page:
– ibm.com/informationgovernance
33
© 2010 IBM Corporation
Thank you
© 2010 IBM Corporation
Descargar

The Core Principles of Information Governance