On Data Ownership…

July 14, 2010 Leave a comment Go to comments

In order to understand the concept of data ownership, I think its important to first attempt to understand how data can be classified within an enterprise. With most organizations, data can be classified into three main categories:

1) Classified: would represent the most critical business information, intended for use strictly for authorized personnel. This could include PII (personally identifiable information) and this could be personal credit level information or health related information.

2) Confidential: this would include less sensitive information, can be used within the organization when deemed appropriate by designated data owners.

3) Public: this is all information that can be shared outside the organization, once approved.

It is important to understand what the word “data” means within the context of an organization. Data can be any information which could include personal employee information beginning with their street address to their social security number, health care records (PII or ePHI), intellectual property, any financial information, and most importantly any access control or entitlement information, granting access to critical target systems and business applications. This could also include network access level information, from IP addresses to server names to account ids and passwords. As you can tell, the list can explode, and every organization defines it uniquely.

data owner can now be defined as designated party responsible for maintaining the integrity of the information we just attempted to define above. A data owner is responsible to manage, update and assess any risks associated to data. Eventhough the data eventually belongs to the organization, a data owner shepherds the data and protects it against any harmful entities and ensures that it is maintained with accordance to the organization’s pre-determined guidelines. Finally, data owners take the necessary steps to ensure controls and policies are implemented and managed in the storage, handling, distribution, and regular usage of this data.

From a compliance perspective, it is extremely important for data owners to attest the users authorized to access the information they are owners for. With identity based information, periodic reviews that allow data owners to verify permissions given to employees by their business managers are indeed what the employee is accessing, and should have access to. The advantages of this are:

1) Prevents data hoarding, with too many users accessing data. Managers may not be aware of the criticality of the data and may approve access to the data, such as an Active Directory group membership, an SAP Role or a RACF group.

2) Allows data owners to bring their expertise to the table and attest users accessing the data while revoking access to users that should not be permitted to view this data.

3) Allows data owners to gauge the interest levels in the data they manage and allows them to create alternative views to information if possible, and then ensuring the right users are accessing the appropriate data.

In the market today, products such as Oracle Identity Analytics provide this attestation capability that allows designated data owners to attest the users that access the data they are owners for. This is a very data centric view and a bottom up approach to user attestation. Nevertheless, a necessary approach that allows for a second set of eyes validating the integrity of critical information…I mean, data.

Categories: Compliance, Identity & Access Governance, Oracle Identity Analytics Tags:
  1. No comments yet.
  1. No trackbacks yet.

Leave a comment