
Data Governance

Scope
Date

Client Name
Protiviti Team:
(Insert Team Member Name)
(Insert Team Member Name)
Big Data Work Program – Data Governance

Process Overview
Data governance is accomplished most effectively as an on-going program and a continual improvement process. Every effective
data governance program is unique, taking into account distinctive organizational and cultural issues, and the immediate data
management challenges and opportunities. Data governance is a relatively new term, and many organizations continue to pioneer
new approaches. Nevertheless, effective data governance programs share many common characteristics, based on basic concepts
and principles.
Data governance is not the same thing as IT governance. IT governance makes decisions about IT investments, the IT application
portfolio, and the IT project portfolio. IT governance aligns the IT strategies and investments with enterprise goals and strategies.
CobiT (Control Objectives for Information and related Technology) provides standards for IT governance, but only a small portion of
the CobiT framework addresses managing information. Some critical issues, such as Sarbanes-Oxley compliance, span the
concerns of corporate governance, IT governance, and data governance. Data governance is focused exclusively on the
management of data assets.

Table of Contents
1. Data Stewardship....................................................................................................................................................... 2
2. Data Governance and Stewardship Organizations..................................................................................................4
3. Data Strategy.............................................................................................................................................................. 5
4. Data Policies, Standards and Procedures................................................................................................................6
5. Data Architecture........................................................................................................................................................ 8
6. Regulatory Compliance..............................................................................................................................................9
7. Issue Management..................................................................................................................................................... 9
8. Data Management Projects...................................................................................................................................... 10
9. Data Management Services..................................................................................................................................... 11
10. Data Asset Valuation................................................................................................................................................ 11
11. Communication and Promotion.............................................................................................................................. 11

** CONFIDENTIAL ** For internal use only Page of


Big Data Work Program – Data Governance

Ref Control Objectives Testing Procedures Test Results


1. Data Stewardship
Related Risk: Defined data stewardship roles and responsibilities do not exist, resulting in a lack of accountability and coordination across the organization as well as poorly defined and controlled data.
1.1 Formal data stewardship responsibilities have been established to ensure effective control and use of data assets.
Test Results (template): Test results should be detailed here and work paper references should be included at the end of each sentence as follows [WPXX]. Once fieldwork is complete, each work paper should be assigned a unique number (e.g., WP01, WP02, WP03, etc.). Exception related text should be in red font and summarized in the “Observations” section.
Observations: Section to be populated with any exceptions or “No exceptions noted”.
Work Papers: WPXX – Work Paper File Name.doc
1.2 Data stewards identified are part of business functions, are business leaders and are recognized subject matter experts accountable for these responsibilities.
1.3 Data stewards review, validate, approve, and refine data architecture.
• Business data stewards define data requirements specifications that data architects organize into the enterprise's data architecture.
• Coordinating data stewards help data architects integrate these specifications, resolving differences in names and meanings.
• Executive data stewards review and approve the enterprise data architecture.
Data stewards of all levels and data architects collaborate to maintain data architecture.

1.4 Data stewards validate physical data models and database designs, participate in database testing and conversion, and ensure consistent use of terms in user documentation and training. Data stewards identify data issues as they arise and escalate when necessary.
1.5 Business data stewards define requirements for data recovery, retention and performance and help negotiate service levels in these areas. Business data stewards also help identify, acquire, and control externally sourced data.
1.6 Business data stewards provide security, privacy and confidentiality requirements, identify and resolve data security issues, assist in data security audits, and classify the confidentiality of information in documents and other information products.
1.7 Business data stewards control the creation, update, and retirement of code values and other reference data, define master data management requirements, and identify and help resolve master data management issues.
1.8 Business data stewards provide business intelligence requirements and management metrics, and they identify and help resolve business intelligence issues.
1.9 Business data stewards help define enterprise taxonomies and resolve content management issues.
1.10 Data stewards at all levels create and maintain business meta-data (names, meanings, business rules), define meta-data access and integration needs, and use meta-data to make effective data stewardship and governance decisions.
1.11 Business data stewards define data quality requirements and business rules, test application edits and validations, assist in the analysis, certification, and auditing of data quality, lead data clean-up efforts, identify proactive ways to solve root causes of poor data quality, promote data quality awareness, and ensure data quality requirements are met. Data stewards actively profile and analyze data quality in partnership with data professionals.
2. Data Governance and Stewardship Organizations
Related Risk: Appropriate data governance roles and responsibilities do not exist to support the strategic alignment between the data management function and the business as a whole.
2.1 Data stewardship and governance organizations have responsibility for setting policies, standards, architecture and procedures, and for resolving data related issues.
2.2 Data governance includes responsibility for legislative functions (policies and standards), judicial functions (issue management) and executive functions (administration, services, and compliance).
2.3 Data governance operates at both enterprise and local levels. In large organizations, data governance may also be required at levels in between, depending on the size of the enterprise.
2.4 There is a separation of duties between Data Stewardship (Legislative and Judicial) and Data Management Services (Executive) that provides a degree of checks and balances for the management of data.
3. Data Strategy
Related Risk: A formal data strategy has not been defined, resulting in an ineffective data management program that does not align with business strategy or support the achievement of business objectives.
3.1 A formal data strategy is in place that highlights a set of choices and decisions that together chart a high-level course of action to achieve high-level goals.
3.2 The data strategy is defined based on an understanding of the data needs inherent in the business strategies. These data needs drive the data strategy.
3.3 The data strategy is owned and maintained by the Data Governance Council, with guidance from the Chief Information Officer and the Data Management Executive. In some organizations, these executives may retain ownership and control of the data strategy.
3.4 The data strategy includes key components to address key risks from an organization’s perspective.
Testing Procedures: At a minimum, this should include:
‒ A compelling vision for data management.
‒ A summary business case for data management, with selected examples.
‒ Guiding principles, values, and management perspectives.
‒ The mission and long-term directional goals of data management.
‒ Management measures of data management success.
‒ Short-term (12-24 months) SMART (specific / measurable / actionable / realistic / time-bound) data management program objectives.
‒ Descriptions of data management roles and organizations, along with a summary of their responsibilities and decision rights.
‒ Descriptions of data management program components and initiatives.
‒ An outline of the data management implementation roadmap (projects and action items).
‒ Scope boundaries and decisions to postpone investments and table certain issues.

4. Data Policies, Standards and Procedures
Related Risk: Data policies, standards and procedures are not formally defined or communicated to the organization, resulting in ad-hoc, inconsistently applied data management practices which negatively impact data definition, data collection, data maintenance, data use, and data security processes.
4.1 A formal data policy is in place that has been drafted and approved by data management individuals, including data stewards, data management, the data governance council, the data stewardship committee or the data management services organization.
4.2 Data policies are effectively communicated, monitored, enforced, and periodically re-evaluated.
4.3 The data policy includes key components to address key risks from an organization’s perspective.
Testing Procedures: Typical topics covered should be:
‒ Data modeling and other data development activities within the SDLC.
‒ Development and use of data architecture.
‒ Data quality expectations, roles, and responsibilities (including meta-data quality).
‒ Data security, including confidentiality classification policies, intellectual property policies, personal data privacy policies, general data access and usage policies, and data access by external parties.
‒ Database recovery and data retention.
‒ Access and use of externally sourced data.
‒ Sharing data internally and externally.
‒ Data warehousing and business intelligence policies.
‒ Unstructured data policies (electronic files and physical records).
4.4 Data standards and guidelines, including naming standards, requirement specification standards, data modeling standards, database design standards, architecture standards, and procedural standards for each data management function, are reviewed, approved and adopted by the Data Governance Council.
4.5 Data standards and guidelines are effectively communicated, monitored, enforced, and periodically re-evaluated.
4.6 Data standards and procedural guidelines include components that address key risks from an organization’s perspective.
Testing Procedures: Data standards and procedural guidelines may include:
‒ Data modeling and architecture standards, including data naming conventions, definition standards, standard domains and standard abbreviations.
‒ Standard business and technical meta-data to be captured, maintained, and integrated.
‒ Data model management guidelines and procedures.
‒ Meta-data integration and usage procedures.
‒ Standards for database recovery and business continuity, database performance, data retention, and external data acquisition.
‒ Data security standards and procedures.
‒ Reference data management control procedures.
‒ Match / merge and data cleansing standards and procedures.
‒ Business intelligence standards and procedures.
‒ Enterprise content management standards and procedures, including use of enterprise taxonomies, support for legal discovery and document and e-mail retention, electronic signatures, report formatting standards, and report distribution approaches.
5. Data Architecture
Related Risk: A defined enterprise data model does not exist, does not take into account business requirements, or is not approved, resulting in data architecture that is not suitable to meet the needs of the organization.
5.1 The Data Governance Council sponsors and approves the enterprise data model and other related aspects of data architecture.
5.2 The enterprise data model is developed and maintained jointly by data architects and data stewards working together in data stewardship teams oriented by subject area, and coordinated by the enterprise data architect.
5.3 The enterprise data model is reviewed, approved, and formally adopted by the Data Governance Council.
5.4 The business case and less technical aspects of related data architecture are reviewed, approved, and adopted by the Data Governance Council. This includes the data technology architecture, the data integration architecture, the data warehousing and business intelligence architecture, and the meta-data architecture. It may also include information content management architecture and enterprise taxonomies.
6. Regulatory Compliance
Related Risk: IT non-compliance incidents are not identified or corrected, adversely impacting the organization’s performance and reputation.
6.1 Data management is included in the organization’s compliance function.
6.2 Record retention requirements established in applicable laws and regulations have been identified and documented in data management policies and procedures.
6.3 Data privacy and handling requirements established in applicable laws and regulations have been identified and documented in data management policies and procedures.
6.4 Regulatory requirements are considered when designing and implementing data management solutions.
6.5 Changes to regulations that affect the organization are actively monitored to identify events that would affect the organization.
6.6 Data management compliance practices are regularly reviewed to ensure that procedures continue to adequately address regulatory requirements.

7. Issue Management
Related Risk: Data related issues are not identified and resolved in a timely manner, resulting in poor data quality, regulatory non-compliance, or reliance on incorrect information to make business decisions.
7.1 A data issue reporting system exists that logs the evaluation, initial diagnosis, and subsequent actions associated with data quality events.
7.2 Data issues are regularly reviewed to identify data incidents that have not been resolved in a timely manner.
7.3 Data issues that are not adequately addressed are appropriately elevated in a timely manner.
7.4 Affected stakeholders are consulted regarding data issue resolution, where appropriate.
7.5 Resolution of data issues is appropriately documented and communicated to appropriate stakeholders.

8. Data Management Projects
Related Risk: Data management projects are not appropriately managed, resulting in a lack of project prioritization, potential misallocation of funds, and sub-optimal decision making.
8.1 Data management projects adhere to organizational project management standards.
8.2 The data management project portfolio is aligned with strategic business objectives to ensure that projects are prioritized based on business need and approved by appropriate management.
8.3 A clearly defined and documented project charter that outlines the objectives, mission, scope, resources, and delivery expectations of business sponsors exists and is approved prior to project initiation.
8.4 The Data Governance Council oversees the status and progress of data management projects.
8.5 Analysis and review of data management projects is completed upon their conclusion to confirm business cases and project objectives were achieved. This may also include lessons learned discussions between the project team and key project stakeholders.

9. Data Management Services
Related Risk: Organizational data management service expectations are not formally defined in a service level agreement, resulting in the organization’s data needs not being met.
9.1 A formal data management service level agreement exists between affected business units and the data management function that defines roles, expected levels of service, and handling and escalation procedures.
9.2 The data management function’s performance is regularly monitored and measured against requirements defined in the service level agreement.

10. Data Asset Valuation
Related Risk: Data assets are not valued appropriately, resulting in misreporting the organization’s financial position, poor management decision-making and underestimating the business impact of data loss.
10.1 Accountants and financial executives are involved in the valuation of organizational data assets.
10.2 A consistent approach is utilized in valuing the organization’s data assets.
10.3 Data asset values are considered when designing and implementing data backup, data restoration, and data loss prevention processes.

11. Communication and Promotion
Related Risk: Stakeholders are unaware of data management responsibilities, resulting in noncompliance with organizational data standards and external regulations.
11.1 A data management strategy and charter, including vision, benefits, goals, and principles, exists and is made available to stakeholders.
11.2 Data policies and standards are distributed to data producers and information consumers.
11.3 Stakeholders are aware of data issue identification and escalation procedures.
