
Using COBIT 5 to Deliver Information and Data Governance

By Myles Suer, ITIL, and Roger Nolan

COBIT Focus | 12 January 2015

COBIT 5 provides guidance for IT practitioners and business leaders regarding the governance and management of data and information. COBIT 5 starts by providing an overarching set of business recommendations. For example, COBIT 5 suggests that business leaders include in their balanced scorecard the following topics: compliance, financial transparency and information-based strategic decision making. COBIT also establishes an information life cycle function where data are enriched to become information and information is enriched with context to become knowledge that has enterprise value (figure 1).

Figure 1—COBIT 5 Information Life Cycle (figure not reproduced)
Source: ISACA, COBIT 5, USA, 2012. Reprinted with permission

The enterprise goals flow, in turn, into a set of IT-enabling processes for information and data governance. Here, COBIT 5 suggests that IT organizations start by defining, with their business customers, their information data system. COBIT 5 holds IT responsible for fostering the definition of and responsibilities for the ownership of information/data and information systems. Chief information officers (CIOs), in general, acknowledge that the business must own the data and must determine how specific data are managed. This is because only the business understands the business context of the data. CIOs own the processes and technology for ensuring data are secured and available when and where the business needs them.

After CIOs have established processes and technology, they need to make sure information and data owners can make decisions about data definition, data classification, data security and control, and data integrity. Additionally, they need to ensure that the information system provides the “knowledge required to support all staff in their work activities and informed decision making and enhanced productivity.”1 This means IT needs to create facilities so that knowledge is used, shared and updated. This starts by identifying, defining and classifying all sources of information.

Part of doing this successfully involves ensuring the availability of reliable and useful information for decision making. This clearly involves keeping the ratio of erroneous or unavailable information to a minimum. Limiting erroneous decision making also involves ensuring that reporting is complete, timely and accurate.2 Measuring performance here involves looking at the percent of reports that are not delivered on time and the percent of reports containing inaccuracies. These obviously need to be kept to a minimum. Clearly, this function is enabled by backups of systems, applications, data and documentation. These backups should be run according to a defined schedule that meets business requirements. However, business leaders should recognize that almost every source system has a level of bad data. Given this, it is important to understand the impact of data on the business and maintain a level of data accuracy that is acceptable to business users.


COBIT defines a set of enabling processes for enterprise architects. These require that a common architecture be put together consisting of “business processes, information, data, application, and technology layers for effectively and efficiently realizing enterprise strategies.”3 The enterprise architecture needs to provide a description of baseline and target enterprise architectures that will support the organization’s strategic direction.

The enterprise architecture layer should also represent the differing building blocks that make up the enterprise and their interrelationships, as well as the principles guiding their design and evolution over time. A key element of this involves establishing a common understanding of the business context of the data. This requires building and maintaining an enterprise data dictionary that promotes a common understanding and classification schemes that include details about the data definition and business context, data ownership, appropriate data security, and data retention and destruction requirements.

COBIT requires classifying data inputs and outputs according to enterprise architecture standards. This includes the source data collection design, the data inputs regardless of sources, the validation for processing transactions and the methods for validation. This can include identifying the data outputs from the source. At the same time, it can include mapping data storage, location, retrieval and recoverability. From a design perspective, appropriate redundancy, recovery and backup should be built into the architecture. Obviously, any system component should ensure availability and data integrity.

Another architecture element looks at optimizing the use of resources. This means answering the following questions:

  • What percentage of architecture components are reused?
  • How many repositories of enterprise data does the organization have?
  • Is spaghetti code strung from application to application, or is there a unified enterprise data integration architecture where data are resources that are accessible and sharable across all applications, processes and analyses?

Finally, COBIT 5 stresses the importance of data and information compliance and security. Information needs to be “properly secured, stored, transmitted or destroyed.”4 This starts with effective security and controls over information systems. This means that procedures need to be defined and implemented to ensure the integrity and consistency of information stored in databases, data warehouses and data archives. COBIT requires IT to manage the number of security incidents that cause financial loss, business disruption or public embarrassment.5 Security of information, processing infrastructure and applications is critical today, as attacks such as the 2013 Target breach have proven. Clearly, information security solutions need to be operated consistently throughout the enterprise. All users need to be uniquely identifiable and have access rights in accordance with their business role. And all business transactions need to be retained for governance and compliance reasons.6

COBIT 5 establishes seven enablers to drive better information and data governance and management. Each of the enablers has goals and metrics that aim to drive better control and hopefully, over time, improvement of:

  • Management of IT-related business risk
  • Transparency of IT costs, benefits and risk
  • Security of information, processing infrastructure and applications
  • IT compliance with internal policies
  • Risk thresholds definition and communication
  • Managing critical IT-related enterprise risk effectively and efficiently
  • Ensuring that IT-related risk does not exceed the enterprise risk appetite

COBIT Data Governance Requirements

COBIT 5 defines multiple components of governance for IT organizations. Good governance “ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.”7 According to COBIT 5, data governance requires the following four elements:

  • Clear information ownership
  • Timely, correct information
  • Clear enterprise architecture and efficiency
  • Compliance and security

But how are all of these objectives achieved? Information ownership requires that business and IT establish and maintain a good working relationship around data governance. It also requires that a common set of information requirements be established. This demands that up-to-date and future-state enterprise architectures are in place. According to the book Enterprise Architecture as Strategy, this involves creating “the organizing logic for business processes and IT infrastructure, reflecting the (data) integration and standardization requirements of the company’s operating model.”8 But how does an enterprise achieve timely, correct information and better manage enterprise compliance and security?


Getting timely and correct information starts by eliminating manual data massaging and movement. In recent discussions, many chief financial officers (CFOs) have shared their need to first manually pull data, then massage the data and finally move the massaged data between one or more data sources. Eliminating this requires an enterprise architecture that creates a more systematic approach to data management. Instead of manually moving data or creating layer over layer of spaghetti code integration, enterprises need to standardize a data architecture that creates a single integration layer among all data sources. This is critical to realizing the benefits of enterprise architecture. This will also enable repeatable processes, skills reuse and continuous improvement that will be critical for the integration system to keep up with the emerging demands of the business. An integration layer also increasingly needs to support new and existing sources of data and be able to do so at the speed of business. This way, information is delivered in a timely fashion. But having automated integration does not go far enough. Business users want trustworthy data. In the data integration business, this is called the veracity of data. “Veracity refers to the quality or cleanliness of data and how certain one is that the data [being used] is indeed accurate.”9 An expert on data integration “maintains that at least 20 percent of all raw data is incorrect. Inaccurate data leads data users to question the information their systems provide.”10 Even worse, Bloor Research estimates that data quality erodes at 1 to 1.5 percent per month if not actively managed.11

So, how does one fix this? It requires people, processes and tools. Data stewards need a data system that actively manages the quality of data and does so at multiple layers. First, it needs to set up rules from the business perspective to manage data from their first entrance point into the enterprise. These rules should be established and managed by business users to ensure that data are accurate. Second, the business users need tools to be able to monitor the ongoing quality of their data. And when a rule fails, the business user, not an IT leader, needs to be enabled to take action.

Beyond this, the data system needs to automatically and proactively fix data issues such as addresses, missing data and data format problems. And once this has been accomplished, it needs to address redundancies in customers and transactions. With multiple IT-managed transaction systems, it is easy to misstate both customers and customer transactions. It is also possible to miss potential business opportunities. All of these are required to get accurate data.
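The two preceding paragraphs describe a data quality system at the level of principle: business-owned rules, automatic fixes for format, missing-data and address problems, failures routed to a business user rather than IT, and a pass over duplicate customers. The following Python example, added here and not part of the original article or of any product it mentions, shows one minimal way to wire those pieces together. The records, rule names, steward roles and street abbreviations are constructed for the demonstration; a real deployment would take the rules from the data dictionary and use proper fuzzy matching for duplicates.

```python
import copy
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample customer records standing in for a source-system feed (hypothetical data).
RECORDS = [
    {"id": 1, "name": "Ada Lovelace", "email": "ADA@Example.com ", "postal": "02139", "street": "10 main street"},
    {"id": 2, "name": "ada lovelace", "email": "ada@example.com", "postal": "2139", "street": "10 Main St."},
    {"id": 3, "name": "Grace Hopper", "email": "", "postal": "abcde", "street": ""},
    {"id": 4, "name": "Grace Hopper", "email": "grace@example.com", "postal": "22201", "street": "1 Navy Rd"},
]


@dataclass
class Rule:
    name: str
    owner: str                                    # business steward who acts on a failure
    check: Callable[[dict], bool]                 # passes when the record meets the rule
    fix: Optional[Callable[[dict], None]] = None  # automatic remediation tried before the check


# Automatic fixes for the issue classes the article names: format, missing data, addresses.
def normalize_email(r):
    r["email"] = r["email"].strip().lower()


def pad_postal(r):
    if r["postal"].isdigit() and len(r["postal"]) < 5:  # leading zero lost in a spreadsheet export
        r["postal"] = r["postal"].zfill(5)


STREET_ABBR = {"street": "St", "st.": "St", "road": "Rd", "rd.": "Rd"}  # constructed, not a postal standard


def standardize_street(r):
    words = [STREET_ABBR.get(w.lower(), w) for w in r["street"].split()]
    r["street"] = " ".join(w.capitalize() if w.islower() else w for w in words)


# Rules are declared by the business owners; IT runs them, the owners act on failures.
RULES = [
    Rule("email_format", "Customer Data Steward",
         lambda r: re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", r["email"]) is not None, normalize_email),
    Rule("email_present", "Customer Data Steward", lambda r: r["email"] != ""),
    Rule("postal_format", "Billing Data Steward",
         lambda r: re.fullmatch(r"\d{5}", r["postal"]) is not None, pad_postal),
    Rule("address_present", "Billing Data Steward", lambda r: r["street"] != "", standardize_street),
]


def apply_rules(records, rules):
    """Try each rule's fix, then check; return the failures routed to their business owners."""
    failures = []
    for r in records:
        for rule in rules:
            if rule.fix:
                rule.fix(r)
            if not rule.check(r):
                failures.append({"id": r["id"], "rule": rule.name, "owner": rule.owner})
    return failures


def find_duplicates(records):
    """Group records that look like the same customer by normalized name (a real system adds fuzzy matching)."""
    groups = {}
    for r in records:
        groups.setdefault(r["name"].strip().lower(), []).append(r["id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


def quality_score(records, failures):
    """Intrinsic quality metric: share of records with no failing rule."""
    bad = {f["id"] for f in failures}
    return round(1 - len(bad) / len(records), 4)


def run_quality_pass(records=RECORDS, rules=RULES):
    """One monitoring pass over a copy of the feed: cleaned records, failures, duplicates and score."""
    cleaned = copy.deepcopy(records)
    failures = apply_rules(cleaned, rules)
    return cleaned, failures, find_duplicates(cleaned), quality_score(cleaned, failures)


if __name__ == "__main__":
    cleaned, failures, dups, score = run_quality_pass()
    for f in failures:
        print(f"record {f['id']}: {f['rule']} failed -> route to {f['owner']}")
    print("possible duplicate customers:", dups)
    print("share of records passing all rules:", score)
```

Running the pass repairs the fixable problems (case and whitespace in an email, a dropped leading zero in a postal code, inconsistent street abbreviations) without any steward involvement, leaves only the genuinely missing or malformed values of one record for the named owner to resolve, and flags two name-based duplicate pairs for the redundancy review the paragraph calls for. The score it returns is the kind of intrinsic quality figure that can be tracked over time.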

With integration and quality, business users are able to relate traditional and nontraditional data sources. The relationship among social, mobile, machine data and traditional data offers amazing potential to provide business value through initiatives such as enhanced customer service. By connecting or fusing these data sources, it becomes possible to discover new business insights and drive new or improved business outcomes.


Additionally, data need to be systematically protected. This means that user access to data needs to be managed systematically across all IT-managed systems. Typical data integrations move data between applications without preserving the access rules of the source data systems. A data security issue at any point in the IT system can expose all data. At the same time, enterprises need to control exactly what data are moved into test environments and production environments. Enterprises must also ensure that a common set of security governance rules is established and maintained across the entire enterprise, including data being exchanged with partners, employees and contractors using data outside of the enterprise firewall.

Data must also be protected from a compliance perspective. This means that enterprises need to manage the life cycle of data and ensure the retention of any and all compliance-related data. This life cycle may require different approaches for different phases. COBIT 5 distinguishes four phases: plan, design, build/acquire and use/operate. The planning phase involves identification of objectives, information architecture, and standards and definitions. The design phase involves the implementation of what is planned. The build/acquire phase involves the creation of data records, the purchase of data and the loading of external files. And finally, the use/operate phase involves the storage, sharing and use of information. The latter can include monitoring and disposing of information.12

A key element of the use phase can involve archiving and protecting data as they become inactive. This is also a key element of the application information life cycle. Concurrently, enterprises need to enable application developers in the build/acquire phase to work with test data without creating a data exposure risk. And in the use/operate phase, IT organizations need to be able to audit, block and dynamically mask sensitive production data or nearby production databases to prevent unauthorized access.
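The last two sentences above name two controls that are easy to state and easy to get wrong: giving developers test data that carries no exposure risk in the build/acquire phase, and auditing, blocking or dynamically masking sensitive production data in the use/operate phase. The Python example below, added here and not taken from the article or from any vendor product, shows both driven from one column classification such as the enterprise data dictionary described earlier would hold. The column names, the three roles and their entitlements, the key and the production row are all constructed for the demonstration; the keyed pseudonymization (HMAC-SHA256) is the technique chosen here so that the same source value always maps to the same token and joins across masked tables still work.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Column classifications as an enterprise data dictionary would record them (constructed schema).
CLASSIFICATION = {
    "customer_id": "public",
    "name": "pii",
    "email": "pii",
    "ssn": "restricted",
    "balance": "internal",
}
# Which classifications each business role may see in clear (constructed policy).
ENTITLEMENTS = {
    "analyst": {"public", "internal"},
    "steward": {"public", "internal", "pii"},
    "auditor": {"public", "internal", "pii", "restricted"},
}
# Demo key only; in a real deployment the key lives in a key manager and is rotated.
MASK_KEY = b"constructed-demo-key"

AUDIT_LOG = []  # in-memory stand-in for the audit trail of who read what and what was masked


def pseudonym(value: str, width: int = 10) -> str:
    """Keyed, one-way token: same input always gives the same token, so joins across tables survive."""
    return hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()[:width]


def mask_value(column: str, value: str, mode: str) -> str:
    """'dynamic' keeps a usable partial view for production reads; 'static' fully replaces for test data."""
    cls = CLASSIFICATION[column]
    if cls == "restricted":
        if mode == "dynamic":
            return "***-**-" + value[-4:]
        digits = f"{int(pseudonym(value, 16), 16) % 10**9:09d}"  # consistent fake value in SSN shape
        return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"
    if cls == "pii":
        return pseudonym(value) + "@masked.invalid" if column == "email" else "user_" + pseudonym(value)
    return value


def read_row(row: dict, role: str, purpose: str) -> dict:
    """Dynamic masking at read time: unknown roles or missing purpose are blocked, entitled columns pass
    in clear, everything else is masked, and every attempt is logged."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "role": role, "purpose": purpose,
             "customer_id": row["customer_id"]}
    if role not in ENTITLEMENTS or not purpose:
        entry["outcome"] = "blocked"
        AUDIT_LOG.append(entry)
        raise PermissionError(f"read blocked for role {role!r}")
    allowed = ENTITLEMENTS[role]
    out, masked = {}, []
    for col, val in row.items():
        if CLASSIFICATION[col] in allowed:
            out[col] = val
        else:
            out[col] = mask_value(col, val, "dynamic")
            masked.append(col)
    entry.update(outcome="allowed", masked_columns=masked)
    AUDIT_LOG.append(entry)
    return out


def build_test_dataset(rows: list) -> list:
    """Static masking for the build/acquire phase: developers get rows with every PII/restricted value replaced."""
    return [{c: mask_value(c, v, "static") for c, v in r.items()} for r in rows]


# Constructed production row used by the demo.
PROD_ROW = {"customer_id": "C-1001", "name": "Ada Lovelace", "email": "ada@example.com",
            "ssn": "123-45-6789", "balance": "1520.00"}

if __name__ == "__main__":
    print("analyst sees:", read_row(PROD_ROW, "analyst", "monthly churn report"))
    print("auditor sees:", read_row(PROD_ROW, "auditor", "periodic access review"))
    print("test copy:", build_test_dataset([PROD_ROW]))
    try:
        read_row(PROD_ROW, "contractor", "")
    except PermissionError as e:
        print("blocked:", e)
    for entry in AUDIT_LOG:
        print(entry)
```

The same classification table drives both paths, which is the point: an analyst querying production sees the balance and the customer id but only a partial SSN and pseudonymous name and email, the developer copy never contains a real identifier at all, and a role the policy does not know is refused rather than shown a masked row. Each outcome lands in the audit log with the columns that were masked, giving the end-to-end visibility the best-practice list later in the article asks for.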

Governance Realization Best Practices

Information and data governance and management initiatives can be very complex and expensive to implement. The following are a few good practices learned from real-world implementations:

  1. Start with an information strategy, people, processes and technology. In that order.
  2. Do not try to do it all at once. Many companies have tried and failed at these initiatives because they did not deliver business value in a reasonable time period. (In fact, COBIT 5 suggests a number of measures to align IT, commitment of executive management and benefit realization to gauge how well an enterprise is doing here.) Prioritize the most important data based on:
    • Regulatory requirements
    • Potential impact to the overall business or business initiative where it is being applied
  3. Implement the data governance strategy one initiative at a time. This will help with prioritization and will help align the data governance strategy with business priorities. But it is also essential that the head of data governance has an overall architecture and plan in place so that islands of data governance are not created in the process.
  4. Standardize the approach to enterprise data governance. This is how an enterprise drives efficiency and automation while eliminating the islands of data. The approach should:
    • Increase IT and business collaboration
    • Eliminate manual movement and massaging of data
    • Grow with the needs of the business
    • Provide an audit trail and end-to-end visibility of the flow of data across the enterprise

Having implemented these best practices, COBIT 5 then requires an enterprise to actively measure data quality. COBIT 5 does this through a set of data quality goals: intrinsic data quality (information is correct and reliable), contextual and representational quality (relevance, completeness, currency and ease of manipulation), and security/accessibility quality (availability, timeliness and restricted access).13

Good Governance Takes Time and Effort

COBIT 5 recommends that organizations take specific actions to govern data. It also provides a set of IT-enabling processes for information and data governance. Some enterprises may already be using some, if not many, of the COBIT 5 process recommendations. For those who are not, this article lays out a set of steps that enterprises can take to better govern and manage information. As with most improvement methodologies, start by taking just one step. Rome was not built in a day and neither is good governance. The point is to start the improvement journey today. And COBIT provides sound and comprehensive improvement recommendations to kick things off.

Myles Suer, ITIL

Is a senior manager of solutions marketing at Informatica Corp. Much of his experience has been as a business intelligence (BI) practitioner. Previously, Suer worked at Hewlett-Packard and Peregrine, where he led the product management team applying BI and scorecard technology to IT management products. Prior to HP, Suer led new product initiatives at start-ups and large companies. This included a restart of a business activity monitoring company. He has also been employed as a software industry analyst.

Roger Nolan

Is a director of solutions marketing for Informatica, currently focusing on next-generation enterprise data architectures. Prior to Informatica, he worked as an independent consultant, taught in the University of San Francisco (California, USA) master of business administration (MBA) program, and managed product marketing and product management teams for enterprise software at Sun Microsystems, Avaya, Metricom and other technology companies.


1 ISACA, COBIT 5, USA, 2012, p. 81
2 ISACA, COBIT 5: Enabling Processes, USA, 2012, p. 47
3 Ibid., p. 63
4 Op. cit., COBIT 5, p. 113
5 Ibid., p. 39
6 Ibid., p. 198
7 Ibid., p. 89
8 Ross, J.; P. Weill; D. Robertson; Enterprise Architecture as Strategy, Harvard Business Press, 2006
9 Hurwitz, Judith; Alan Nugent; Fern Halper; Marcia Kaufman; Big Data for Dummies, 2013, p. 190
10 Underdahl, Brian; Data Integration for Dummies, Wiley, 2014
11 Howard, Philip; “Data Migration,” white paper, Bloor Research, May 2011
12 Op. cit., COBIT 5, p. 82
13 Ibid., p. 150