IS Audit Basics: Data Management Body of Knowledge—A Summary for Auditors

A previous column reviewed the domains of data and information audits.¹ This column continues the exploration of this topic by focusing on the Data Management Body of Knowledge² (DMBOK) and what it does not cover. The DMBOK should be regarded as a complement to the guidance offered in ISACA’s COBIT 5: Enabling Information.³

Without data, applications and information technologies are of no use. Data are often referred to as a “key corporate asset” and yet, being intangible, they are not always managed as if they have value. Besides, the issues around data governance and management are complex and not always understood by the IT department or data owners (or, in other terminology, stewards or custodians).

Purists and taxonomists are likely to take issue with the following statements:

• There cannot be knowledge without information.
• There cannot be information without data.
• Data represent “things” that can be observed, measured, shared and recorded.

While proof is unattainable, it can be assumed that human prehistory was rich in knowledge and information. The earliest human societies did, after all, survive, develop and spread around the earth by land and sea. This cannot be explained by just chance.

The oldest records known are cave paintings, e.g., Lascaux and Chauvet⁴ in France, the latter estimated to be 36,000 years old, containing stunning drawings done for an unknown reason. These paintings gradually evolved into means to represent language in graphical forms,⁵ the earliest of which (Sumerian and Egyptian) are around 5,000 years old.

Mass literacy (reading and writing) continues to expand around the world, but has not yet reached 100 percent. Despite this growth, many people remain functionally illiterate, unable to make sense of, say, income tax forms and insurance policies, let alone complex texts on any subject.

When it comes to data, with billions of people having access to the Internet and social networks, everyone is a potential content creator. Many provide quality information while others feel free to express opinions, gossip, and mis- and disinformation. Poor-quality data should be treated as the garbage of the information society, and the real issue is the ability to separate the quality items from the garbage.

Literacy in data quality and data validation has a long way to go. This is equally true in the corporate environment as enterprises deal with their own collections of data, let alone big data, business intelligence and other services requiring data from multiple sources.

To make matters more difficult, the responsibility for data is not always shared between business owners and IS/IT. Data quality and life cycle management from acquisition to disposal are business issues (as are data classification, role-based access rules, etc.) while IT looks after implementing identity management, physical and logical security, backups, disaster recovery, etc. Dialog between these parties often leaves a lot to be desired.

Auditors are in an ideal position to determine the effectiveness of these shared responsibilities and identify areas where business risk could be mitigated further.

The COBIT 5 family of products includes a special publication⁶ covering some of these topics, and the DMBOK is a comprehensive framework discussing data governance issues in several well-structured sections (knowledge areas) covering several hundred pages.

The DMBOK

First published in 2009, the DMBOK presented a coherent and comprehensive guide to best practices in data governance. It was updated in 2012 to reflect the explosive growth of data, security issues and new services such as the cloud, and to add several topics that were not included in the first edition.

It would be nice if the 430 pages of the 2012 publication could be summarized into something easy to absorb. The illustrations in this column attempt to do just that in the form of a single-page mind map,⁷ shown in figure 1. Is it complete? Certainly not, but it shows the 10 knowledge areas covered and the main elements discussed in them.

View Large Image.

Presented this way, it contains more details than the pie chart in the DMBOK text (a circle divided into 10 segments with just a title). It is also easier to see the whole at once than by reading the table of contents.

A useful feature of both versions of the DMBOK is that every chapter, i.e., every knowledge area, begins with a summary diagram using the template shown in figure 2.

This provides an at-a-glance summary of each knowledge area that facilitates the study of the full DMBOK. Interestingly, the DMBOK does not need to be read sequentially, as each knowledge area is self-contained and invites a “just in time,” rather than a “just in case,” approach to study.

New in the 2012 version of DMBOK is the data management maturity assessment, based on the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC)’s ISO/IEC 15504, Information technology—Process assessment. The publication COBIT Process Assessment Model (PAM): Using COBIT 5 is equally applicable.

What Is Not in DMBOK

Two relevant topics are not covered in the DMBOK: assigning value to data and auditing data management.

Assigning Value to Data
At the lowest level, qualitative data values consist of words while quantitative data values consist of numbers, ideally financial numbers, as these can be used to support return on investment (ROI) assessments for database technologies, data warehouses, business intelligence applications, data security initiatives, etc. The interested reader could consider Douglas Hubbard’s book on how to measure anything.⁸

While classifying data into categories such as public, restricted and confidential is well established, this does not assign business value, e.g., of intellectual property.

A data-valuation framework⁹ groups data in a way that identifies their business importance and, therefore, the degree to which they need to be protected and recovered:

• Mission-critical—Frequently used, must have very high availability. If corrupted or disclosed, high and immediate impact (financial, operational, reputational, possibly legal) may follow.
• Business-critical—Frequently used, high availability, significant long-term impact if disclosed
• Essential—Periodically used, available in a defined time frame, possible long-term impact if disclosed
• Consequential—Occasionally used, available over a long time frame, unlikely financial or operational impact if disclosed, but possible compliance issues
• Noncritical—Rarely used, availability uncritical, minimal or no business impact if disclosed
• Inconsequential—Used only on request, availability uncritical, minimal or no business impact if disclosed
• Disposable—Not used, no impact (and yet, kept in huge amounts, as dark data)

There is an interesting quote on dark data from the Gartner Blog Network: “‘Dark data’ is the cute name given to all that data an organization gathers that is not part of their day-to-day operations. It is old stuff, stuff that turned up in the mail that you kept, ‘just in case.’ It is data that you didn’t erase, because ‘it might come in handy some time’.”¹⁰ And, as the blogger said, dark data are a storage vendor’s dream.

Auditing Data Governance
For the purpose of auditing data governance, one could consider the Data Audit Framework¹¹ (DAF) developed by the Humanities Advanced Technology and Information Institute (HATII) at the University of Glasgow (Scotland, UK) and its associated DAF methodology, both available as free downloads.¹²

In addition, auditors can rely on the DMBOK and COBIT 5: Enabling Information¹³ to formulate an audit plan that examines:

• Which of the 10 knowledge areas have been implemented
• The extent to which the individual sub-areas have been implemented
• The extent to which the roles and accountabilities of the various parties shown in figure 2 are defined and implemented
• The assessed maturity of the various knowledge area processes

Conclusion

If data really are a corporate resource, it would make sense to manage them as such. How can management continue to justify a situation where dark data outnumbers mission- and business-critical data, where data governance is weak, and big data continues to dominate the media? By contrast, old office furniture stored in a basement is bar coded and inventoried and shown as assets in the accounts.

Endnotes

¹ Gelbstein, E., “The Domains of Data and Information Audits,” ISACA Journal, vol. 6, 2016, https://www.isaca.org/resources/isaca-journal/issues
² The Data Management Association, DAMA-Data Management Body of Knowledge Framework, 6 March 2014, https://www.dama.org/sites/default/files/download/DAMA-DMBOK2-Framework-V2-20140317-FINAL.pdf
³ ISACA, COBIT 5: Enabling Information, USA, 2013
⁴ La Grotte Chauvet-Pont d’Arc, Ardeche, http://archeologie.culture.fr/chauvet/
⁵ Robinson, A.; The Story of Writing: Alphabets, Hieroglyphs & Pictograms, Thames & Hudson, UK, 2007
⁶ Op cit, ISACA
⁷ Buzan, T.; B. Buzan; The Mind Map Book: How to Use Radiant Thinking to Maximize Your Brain’s Untapped Potential, Plume, USA, 1996
⁸ Hubbard, D. W.; How to Measure Anything: Finding the Value of “Intangibles” in Business, Tantor Audio, USA, 2014
⁹ Croy, M.; “The Business Value of Data,” Disaster Recovery Journal, 22 November 2007
¹⁰ White, A.; “Dark Data Is Like That Furniture You Have in That Dark Cupboard,” Gartner Blog Network, 11 July 2012, http://blogs.gartner.com/andrew_white/2012/07/11/dark-data-is-like-that-furniture-you-have-in-that-dark-cupboard/
¹¹ Jones, S.; A. Ball; C. Ekmekcioglu; “The Data Audit Framework: A First Step in the Data Management Challenge,” International Journal of Data Curation, vol. 3, no. 2, 2008
¹² Jones, S.; S. Ross; R. Ruusalepp; “Data Audit Framework Methodology,” Humanities Advanced Technology and Information Institute, University of Glasgow, Scotland, United Kingdom, 2009, www.data-audit.eu/DAF_Methodology.pdf
¹³ Op cit, ISACA