There's a general lack of maturity these days in most companies when it comes to managing data. The lack of a set of formal data governance policies is usually at the heart of most security breaches, which inevitably leads to business executives looking for an IT scapegoat.
But while IT people are responsible for managing the systems that hold the data, it's up to the business to put real polices in place to govern data.
To that end, Kelly Bissell, a principal with the IT consulting firm Deloitte & Touche, says companies need to evaluate their data governance processes along an access control maturity model that encompasses the following concepts:
User life cycle management - a set of processes for managing user access within the environment from time of hire through termination or retirement.
Enterprise role management - processes associated with establishing a role-based structure that links applications from downstream applications to the broad enterprise, making it easier to grant appropriate access needed by users to perform their work.
Compliance management - composed of key compliance activities companies face for user access controls such as segregation of data (SoD), user access reviews, password policies, etc.
Enterprise identity and access management - a comprehensive set of processes and tools that enable security tasks for management of user identity, workflow processes, password management, and user and role administration.
The hard part may not be figuring out what needs to be done, but rather getting everybody to sit down and do it. Nobody seems to take data governance issues seriously on the business side until there is an actual crisis. And from the perspective of the IT department, the only hard return on investment from managing these processes is keeping the names of their companies out of the paper. Of course, there is a soft ROI to be had in the form of pushing all the requests for data access to the business managers that actually own that data.
Whether you take on the task of creating data governance policies proactively or reactively, the day when access control and data governance issues are going to be front and center is coming very soon. It's just a question of time before the inevitable security breach forces the issue.