PO2.3 Data Classification Scheme

CobiT definition:

Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public,
confidential, top secret) of enterprise data. This scheme should include details about data ownership; definition of appropriate
security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and
sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption.

Bill says,

What I really like about CobiT is it forces you to look at things in a comprehensive way. For data classification you really need to analyze every bit of data you collect, categorize it, and decide who will have access, how you will control it, etc - but those are future controls. For this one it is all about defining the classification of data.

Let’s look at some non-traditional data that really does need to be captured in your classification scheme. For example, you probably use WebEx for data conferencing. And I am sure you realize that there are a lot of data archives pertaining to the meetings held through WebEx - many of which can have very telling titles.

As an aside, if you are using WebEx make sure you do not have your site open to the public - or you have strict rules and controls in place regarding what people can use as the subject line in meetings. Prior to us turning this off I saw some pretty awkward meeting titles that were open for all to see - employees, customers and competitors.

So you probably have never thought about that data but you need to. What parts are important? I know for me we record the monthly usage locally because after three months we lose access to it through WebEx. Who has access to that? How can we be sure we know who is responsible for archiving it? These are all important questions that you need to go through as part of the classification exercise.

Don’t be scared off by how much data you have; this is work that needs to be done!

The third step in Defining the Information Architecture is defining the data classification scheme.

PO2.2 Enterprise Data Dictionary and Data Syntax Rules

CobiT definition:

Maintain an enterprise data dictionary that incorporates the organisation’s data syntax rules. This dictionary should enable the
sharing of data elements amongst applications and systems, promote a common understanding of data amongst IT and business
users, and prevent incompatible data elements from being created.

Bill says,

Establishing and maintaining a data dictionary for a complex application is difficult but not impossible, particularly if the application and the underlying data structure and processes don’t change much. But when you start defining an overall data dictionary for your enterprise it becomes a much more difficult challenge. When building a data dictionary, however, don’t feel as though it needs to be perfect - it is better to have a mess documented than not documented at all.

In today’s corporate IT applications space, integration between applications is critical. The ability to integrate between applications effectively is contingent on a good enterprise data dictionary. If you have not done this then you are not doing the corporate governance that you should be doing.

An important component of this is to understand what the data means and ensuring that both the business and IT are in alignment. For example, we have a phone system that records ACD transactions, and one of the pieces of data that comes out of this application is abandoned calls. What does that mean to you? Does it mean something different to sales? In our case IT thought they knew what abandoned calls meant and sales thought it meant something else. When in fact the vendor defined it to mean something else entirely! SLAs had been established around this key piece of data and nobody in the business truly understood what it actually meant.

The second step in Defining the Information Architecture is establishing an enterprise data dictionary along with corresponding data syntax rules.