Poor data 'governance' underlies security lapses
- By Thomas R. Temin
- Jun 29, 2006
NEW YORK'A common thread runs through adverse events ranging from theft of a data-laden laptop to granting disaster housing money to prison inmates.
The thread is poor data governance, according to Steve Adler, program director for an IBM-led initiative known as the Data Governance Council. Speaking to corporate auditors and data security types at the C3 Expo IT trade show in New York yesterday, Adler cited the now-infamous recent lapses at the Veterans Affairs Department
and the Federal Emergency Management Agency.
IBM has identified 11 data governance-related subjects, such as an organization's awareness of good data practices or whether it has done a proper risk analysis for its data.
The council consists mostly of financial and insurance companies, although it includes the government of Nassau County, N.Y.
Adler said good governance doesn't mean total lockdown of an organization, both because it is unworkable and because few companies or agencies carefully assess the true effect of governance lapses.
For example, although in the past year some 106 personal data losses were reported by companies and governments totaling some 108 million identities, only 645,000 Americans were reported by the Federal Trade Commission as having been victimized by identity theft, with relatively small losses.
'Good governance doesn't require a cop in every kitchen,' Adler said. 'Good governance is getting an organization to police itself effectively.' He cited a hypothetical pizza parlor, worried about the remote chance of having someone poison its pizzas, installing surveillance cameras and RFID tracking at every stage of pizza-making from dough to delivery.
'Would you want to live in that world?' Adler said.
He said the council is developing a data governance capability maturity model, similar to the CMM for software development operated by Carnegie Mellon University.