CPG 235 - Managing Data Risk - APRA


Prudential Practice Guide
CPG 235 – Managing Data Risk
September 2013
www.apra.gov.au
Australian Prudential Regulation Authority

Disclaimer and copyright

This prudential practice guide is not legal advice and users are encouraged to obtain professional advice about the application of any legislation or prudential standard relevant to their particular circumstances and to exercise their own skill and care in relation to any material contained in this guide.

APRA disclaims any liability for any loss or damage arising out of any use of this prudential practice guide.

© Australian Prudential Regulation Authority (APRA)

This work is licensed under the Creative Commons Attribution 3.0 Australia Licence (CC BY 3.0). This licence allows you to copy, distribute and adapt this work, provided you attribute the work and do not suggest that APRA endorses you or your work. To view a full copy of the terms of this licence, visit the Creative Commons website.

About this guide

Prudential practice guides (PPGs) provide guidance on APRA’s view of sound practice in particular areas. PPGs frequently discuss legal requirements from legislation, regulations or APRA’s prudential standards, but do not themselves create enforceable requirements.

This PPG aims to assist regulated entities in managing data risk. It is designed to provide guidance to senior management, risk management and technical specialists (both management and operational).

The PPG targets areas where APRA continues to identify weaknesses as part of its ongoing supervisory activities. The PPG does not seek to provide an all-encompassing framework, or to replace or endorse existing industry standards and guidelines.

Subject to meeting APRA’s prudential requirements, a regulated entity has the flexibility to manage data risk in a manner that is best suited to achieving its business objectives. Not all of the practices outlined in this PPG will be relevant for every regulated entity and some aspects may vary depending upon the size, complexity and risk profile of the entity.

Contents

Introduction
Data and data risk
  Definition
  Data risk management
Data quality
  Classification by criticality and sensitivity
  Industry baselines
A systematic and formalised approach
  Overarching framework
  Principles-based approach
  Roles and responsibilities
  Ongoing compliance
  Ongoing assessment of effectiveness
  Data architecture
Staff awareness
  Training and awareness programs
  Staff education areas
Data life-cycle management
  Data risk considered at all stages
  Capture
  Processing
  Retention
  Publication
  Disposal
Other control considerations
  Auditability
  Desensitisation
  End-user computing
  Outsourcing/offshoring of data management responsibilities
Data validation
  Assessment of fitness for use
  Data cleansing
Monitoring and management of data issues
  Monitoring processes
  Data issue management
  Data quality metrics
Data risk management assurance
  Assurance program
  Frequency of assurance

Introduction

1. The management of data and associated risks is important for a broad range of business objectives including meeting financial and other obligations to stakeholders, effective management and proper governance. This prudential practice guide (PPG) provides guidance on data risk management where weaknesses continue to be identified as part of APRA’s ongoing supervision activities.

2. While this PPG provides guidance for managing data and complying with APRA’s prudential requirements, it does not seek to be an all-encompassing framework. APRA expects that a regulated entity using a risk-based approach will implement controls around data, including in areas not addressed in this PPG, appropriate for the size, nature and complexity of its operations.

3. Data is essential for a regulated entity to achieve its business objectives. Furthermore, reliance on data has increased as a result of process automation and greater reliance on analytics and business intelligence to support decision making. Consequently, stakeholders including the Board of directors (Board), senior management, shareholders, customers and regulators have heightened expectations regarding the effective management of data. This trend has enhanced the importance of treating data as an asset[1] in its own right.

4. This PPG aims to provide guidance to senior management, risk management, business and technical specialists. The multiple audiences reflect the pervasive nature of data, and the need for sound risk management disciplines and a solid business understanding to effectively manage a regulated entity’s data risk profile. Additionally, effective data risk management can facilitate business initiatives and assist compliance with other regulatory and legal requirements.

5. As with any process, governance is vital to ensure that data risk management and related business processes are properly designed and operating effectively to meet the needs of the regulated entity. In APRA’s view, effective governance of data risk management would be aligned to the broader corporate governance frameworks and involve the clear articulation of Board and senior management responsibilities and expectations, formally delegated powers of authority and regular oversight.

6. Subject to the requirements of APRA’s prudential standards, an APRA-regulated entity has the flexibility to manage data risk in the way most suited to achieving its business objectives.

7. A regulated entity would typically use discretion in adopting whichever industry standards and guidelines it sees fit-for-purpose in specific control areas. This PPG does not seek to replace or endorse any existing industry standards or guidelines.

8. The relevance of the content of this PPG will differ for each regulated entity, depending upon factors such as the nature, size, complexity, risk profile and risk appetite of the entity. The nature and specific usage of the data (current or potential) will also have an impact on the application of this PPG. APRA envisages that an entity’s approach to managing data risk would also take into consideration the resources the entity has at its disposal, including whether the business is supported by an in-house technology function or an external service provider. Such factors will assist an entity in determining the relevance and extent to which it adopts the practices in this PPG.

9. This PPG also provides examples to illustrate a range of controls that could be deployed to address a stated principle. These examples are not intended to be exhaustive compliance checklists.

[1] ‘Asset’ is used here to represent anything deemed to be of value (either financial or otherwise) by an entity.

Data and data risk

Definition

10. Data[2] refers to the representation of facts, figures and ideas. It is often viewed as the lowest level of abstraction from which information and knowledge are derived.

11. Data risk encompasses the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events impacting on data. Consideration of data risk is relevant regardless of whether the data is in hard copy or soft copy form. Examples include:
(a) fraud due to theft of data;
(b) business disruption due to data corruption or unavailability;
(c) execution delivery failure due to inaccurate data; and
(d) breach of legal or compliance obligations resulting from disclosure of sensitive data.

12. For the purposes of this PPG, data risk is considered to be a subset of operational risk, which includes information and information technology risk. In addition, information and information technology security risk overlaps with data risk (refer to the diagram below).[3]

[Diagram: operational risk (including information and information technology) contains data risk, which overlaps with information and information technology (IT) security risk.]

Data risk can adversely affect a regulated entity and could result in a failure to meet business objectives (including regulatory and legal requirements). Consequently, it is important that business functions understand and manage the risks associated with the data required for the successful execution of their processes. Additionally, an understanding of data risk is beneficial when managing other types of risk.

Data risk management

13. A regulated entity would typically manage data risk in alignment with the operational risk framework and, where relevant, in conjunction with other risk management frameworks (e.g. credit, market and insurance risk management frameworks), depending on the nature of the data involved.

14. A goal of data risk management is to ensure that the overall business objectives of a regulated entity continue to be met. Therefore, it is important that an individual business unit’s objectives are not considered in isolation, but rather in the context of the objectives of the entity as a whole. Consequently, the design of controls for a particular data set would typically take into account all usage of that data.

15. The adequacy of data controls in ensuring that a regulated entity operates within its risk appetite would normally be assessed as part of introducing new business processes and then on a regular basis thereafter (or following material change to either the process, usage of data, internal controls or external environments). The assessment would typically take into account the end-to-end use of the data and related control environment (including compensating controls). Changes to the control environment would typically follow normal business case practices, taking into account the likelihood and impact of an event against the cost of the control.

[2] For the purposes of this PPG, data encompasses a broad range of categories including data that is entered, calculated, derived and structured or unstructured.
[3] For further details, refer to Prudential Practice Guide PPG 234 – Management of security risk in information and information technology (PPG 234), which incorporates data (both hard and soft copy) as a subset of information and information technology assets.

Data quality

16. In APRA’s view, a useful technique for managing data risk is through the assessment and management of data quality. Data quality can be assessed using a range of dimensions. The relevance of each of these dimensions will vary depending upon the nature of the data. Dimensions typically considered in the assessment of data quality include:
(a) accuracy: the degree to which data is error free and aligns with what it represents;
(b) completeness: the extent to which data is not missing and is of sufficient breadth and depth for the intended purpose;
(c) consistency: the degree to which related data is in alignment with respect to dimensions such as definition, value, range, type and format, as applicable;
(d) timeliness: the degree to which data is up-to-date;
(e) availability: accessibility and usability of data when required; and
(f) fitness for use: the degree to which data is relevant, appropriate for the intended purpose and meets business specifications.

17. Other dimensions that could also be relevant, depending on the nature and use of specific data, include:
(a) confidentiality: restriction of data access to authorised users, software and hardware;
(b) accountability: the ability to attribute the responsibility for an action;
(c) authenticity: the condition of being genuine; and
(d) non-repudiation: the concept that an event cannot later be denied.

Classification by criticality and sensitivity

18. For the purposes of managing data risk, a regulated entity would typically classify data based on business criticality and sensitivity. The assessment would typically take into account the end-to-end use of the data. A regulated entity could seek to leverage the existing business impact analysis process to achieve this. The entity’s data classification method and granularity would normally be determined by the requirements of the business.

Industry baselines

19. A regulated entity could find it useful to regularly assess the completeness of its data risk management processes by comparison to peers and established control frameworks and standards.

A systematic and formalised approach

Overarching framework

20. In order to ensure that data risk management is not conducted in an ad hoc and fragmented manner, a regulated entity would typically adopt a systematic and formalised approach that ensures data risk is taken into consideration as part of its change management and business-as-usual processes. This could be encapsulated in a formally approved data risk management framework outlining the entity’s approach to managing data risk that:
(a) includes a hierarchy of policies, standards, guidelines, procedures and other documentation supporting business processes;
(b) aligns with other enterprise frameworks such as operational risk, security, project management, system development, business continuity management, outsourcing/offshoring management and risk management;
(c) includes the expectations of the Board and senior management;

(d) assigns a designated owner or owners;
(e) outlines the roles and responsibilities of staff to ensure effective data risk management outcomes;
(f) enables the design and implementation of data controls. The strength of controls would normally be commensurate with the criticality and sensitivity of the data involved; and
(g) is reviewed on a regular basis, with periodic assessment for completeness against current practices and industry standards.

A data management framework could be defined at an enterprise-wide level, a business unit level, or as a component of other enterprise frameworks, as appropriate.

21. The establishment and ongoing development of the data risk management framework would normally be:
(a) directed by a data risk management strategy and supporting program of work with a clearly defined budget, resource requirements, timeframes and milestones; and
(b) an integral part of a regulated entity’s change management and business-as-usual processes.

A data risk management strategy would typically be aligned with the regulated entity’s business, information technology, and security strategies as appropriate.

Principles-based approach

22. APRA envisages that a regulated entity would adopt a set of high-level principles in order to establish a sound foundation for data risk management. Data risk management principles could include:
(a) access to data is only granted where required to conduct business processes;
(b) data validation, correction and cleansing occur as close to the point of capture as possible;
(c) automation (where viable) is used as an alternative to manual processes;
(d) timely detection and reporting of data issues to minimise the time in which an issue can impact on the entity;
(e) assessment of data quality to ensure it is acceptable for the intended purpose; and
(f) design of the control environment is based on the assumption that staff do not know what the data risk management policies and procedures are.

In addition, a number of specific security management principles are also relevant (refer to Prudential Practice Guide 234 Management of security risk in information and information technology for further details).

Roles and responsibilities

23. A key element in effective data risk management is the allocation of formal roles and responsibilities (pertaining to data) to appropriately skilled staff. This would typically articulate the data risk management responsibilities of staff, customers, service providers and other third parties. Common areas of consideration when formalising data management roles and responsibilities include:
(a) data roles and responsibilities for general staff and data users;
(b) data-specific roles and responsibilities, as applicable (e.g. data officers[4], data custodians[5], data owners/stewards[6], designated business sponsor). These could form part of an individual’s broader roles and responsibilities;
(c) governance functions and reporting mechanisms to assess the ongoing effectiveness of the data risk management framework and ensure a continued focus on data risk and the escalation of data issues;
(d) risk management, assurance and compliance roles;

[4] A data officer is responsible for data processing and usage.
[5] A data custodian is responsible for the safe custody, transport and storage of data.
[6] A data owner/steward is responsible for authorising access to data and its quality.

(e) data risk management framework roles (if applicable) including maintenance, ongoing review, compliance monitoring, training and awareness; and
(f) responsibilities for data monitoring and management.

Ongoing compliance

24. APRA expects that a regulated entity would implement processes that ensure compliance with regulatory and legal requirements and data risk management requirements. This would typically include ongoing checks by the compliance function (or equivalent), supported by reporting mechanisms (e.g. metrics, exceptions) and management reviews.

25. A regulated entity would be expected to implement an exemption policy for handling instances of non-compliance with the data risk management framework (if relevant), including management of the exemption register, authority for granting exemptions, expiry of exemptions and the review of exemptions granted. Where exemptions are granted, APRA envisages that an entity would review and assess the adequacy of compensating controls initially and on an ongoing basis. Compensating controls would normally reduce the residual risk in line with the entity’s risk appetite.

Ongoing assessment of effectiveness

26. APRA envisages that a regulated entity would regularly assess data quality and evaluate the effectiveness of data risk management, and make any necessary adjustments to ensure identified control gaps are treated in a timely and systematic manner. This could involve establishing a data improvement program that specifies target metrics, timeframes for resolution and associated action plans for closing any gaps identified. Typically, action plans would be prioritised and tracked.

Data architecture

27. In order to ensure that data risk management is effective, it is important that a regulated entity:
(a) understands the nature and characteristics of the data used for business purposes;
(b) is able to assess the quality of the data;
(c) understands the flow of data and processing undertaken (i.e. data lineage); and
(d) understands the data risks and associated controls.

28. Data risk management could be supported by the use of data architecture practices. These practices assist in understanding how data is captured, processed, retained, published and disposed of. The sophistication of the data architecture[7] would normally be commensurate with data risk. A data architecture could include:
(a) a data strategy as a component of the broader business and information technology strategies, as relevant;
(b) information on the characteristics of the data, commonly referred to as metadata.[8] This could include definitions, descriptions, sources, usages, update mechanisms, owners, authorised users, criticality, sensitivity and quality requirements;
(c) diagrams and detailed technical information that describe the underlying data structure[9], the flow of data, key systems and data repositories and interfaces;
(d) description of the controls necessary across the various stages of the data life-cycle[10]; and
(e) standards and guidelines to facilitate the development of systems, data repositories, interfaces (including exchange of data with external parties) and data controls. This would normally include approved technologies (e.g. applications, database management systems and data integration tools).

[7] This can range from system documentation provided by vendors to an enterprise-wide data architecture.
[8] Metadata is often embodied in a data dictionary.
[9] Data structure is often embodied in data models.
[10] Refers to the end-to-end life-cycle of data from the initial point of capture through to disposal. This differs from the system development life-cycle.
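The quality dimensions of paragraph 16 and the metadata of paragraph 28 are easiest to see working together in code. The following is an added example, not part of this PPG and not APRA tooling: a hypothetical data dictionary records each field's format, criticality, sensitivity and quality requirements, and a small assessment scores a constructed record set on accuracy, completeness, consistency and timeliness before deciding fitness for use. Field names, rules, thresholds and sample records are all assumptions.

```python
"""Added example (not APRA's own code): assess a constructed data set against the
data quality dimensions in paragraph 16, driven by a small metadata record of the
kind paragraph 28 calls a data dictionary. All field names, rules and thresholds
are hypothetical."""
from datetime import date, timedelta
import re

AS_OF = date(2013, 9, 30)  # constructed reporting date the assessment runs against

# Hypothetical data dictionary: per-field metadata including the quality requirements
# the business has set. 'pattern'/'range'/'type' drive the accuracy check, 'required'
# the completeness check and 'max_age_days' the timeliness check.
DATA_DICTIONARY = {
    "customer_id":  {"required": True, "pattern": r"^C\d{6}$", "sensitivity": "low", "criticality": "high"},
    "postcode":     {"required": True, "pattern": r"^\d{4}$", "sensitivity": "medium", "criticality": "medium"},
    "balance_aud":  {"required": True, "range": (-1_000_000.0, 1_000_000_000.0), "sensitivity": "high", "criticality": "high"},
    "opened":       {"required": True, "type": date, "sensitivity": "low", "criticality": "medium"},
    "last_updated": {"required": True, "type": date, "max_age_days": 35, "sensitivity": "low", "criticality": "high"},
}
# Minimum share of records that must pass each dimension for the set to be fit for use.
THRESHOLDS = {"accuracy": 0.98, "completeness": 0.99, "consistency": 0.99, "timeliness": 0.95}

# Constructed sample records; each deliberate defect illustrates one dimension.
RECORDS = [
    {"customer_id": "C000001", "postcode": "2000", "balance_aud": 1520.50, "opened": date(2010, 1, 4), "last_updated": date(2013, 9, 28)},
    {"customer_id": "C000002", "postcode": "30001", "balance_aud": 99.0, "opened": date(2011, 6, 1), "last_updated": date(2013, 9, 20)},  # accuracy: malformed postcode
    {"customer_id": "C000003", "postcode": None, "balance_aud": 10.0, "opened": date(2012, 2, 2), "last_updated": date(2013, 9, 1)},      # completeness: postcode missing
    {"customer_id": "C000004", "postcode": "4000", "balance_aud": 5.0, "opened": date(2013, 9, 15), "last_updated": date(2013, 9, 10)},   # consistency: updated before opened
    {"customer_id": "C000005", "postcode": "5000", "balance_aud": 42.0, "opened": date(2009, 3, 3), "last_updated": date(2013, 1, 31)},   # timeliness: stale record
]


def is_accurate(rec):
    """Accuracy: every value that is present matches the format, range or type its metadata defines."""
    for field, meta in DATA_DICTIONARY.items():
        value = rec.get(field)
        if value is None:
            continue  # absence is a completeness finding, not an accuracy finding
        if "pattern" in meta and not re.match(meta["pattern"], str(value)):
            return False
        if "range" in meta and not (meta["range"][0] <= value <= meta["range"][1]):
            return False
        if "type" in meta and not isinstance(value, meta["type"]):
            return False
    return True


def is_complete(rec):
    """Completeness: no field marked required in the dictionary is missing."""
    return all(rec.get(f) is not None for f, m in DATA_DICTIONARY.items() if m["required"])


def is_consistent(rec):
    """Consistency: related fields agree (an account cannot be updated before it was opened)."""
    opened, updated = rec.get("opened"), rec.get("last_updated")
    return not (isinstance(opened, date) and isinstance(updated, date) and updated < opened)


def is_timely(rec, as_of=AS_OF):
    """Timeliness: the record was refreshed within the maximum age the dictionary allows."""
    updated = rec.get("last_updated")
    max_age = DATA_DICTIONARY["last_updated"]["max_age_days"]
    return isinstance(updated, date) and as_of - updated <= timedelta(days=max_age)


def assess(records, as_of=AS_OF):
    """Return the share of records passing each dimension (a data quality metric that could
    accompany the data when published) and a fitness-for-use verdict against THRESHOLDS."""
    checks = {"accuracy": is_accurate, "completeness": is_complete,
              "consistency": is_consistent, "timeliness": lambda r: is_timely(r, as_of)}
    metrics = {dim: sum(1 for r in records if fn(r)) / len(records) for dim, fn in checks.items()}
    failed = sorted(dim for dim, score in metrics.items() if score < THRESHOLDS[dim])
    return {"metrics": metrics, "fit_for_use": not failed, "failed_dimensions": failed}


if __name__ == "__main__":
    result = assess(RECORDS)
    for dim, score in result["metrics"].items():
        print(f"{dim:12s} {score:.0%}")
    print("fit for use:", result["fit_for_use"], result["failed_dimensions"])
```

With the constructed records every dimension scores 80% and the set is reported as not fit for use; dropping the four defective records makes it pass.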

29. APRA envisages that the data architecture would normally align with a regulated entity’s established policies, standards and guidelines. An entity would normally maintain the data architecture as part of its change management, project management and system life-cycle processes. This includes controls to ensure alignment to the standards and guidelines embodied in the data architecture.

Staff awareness

Training and awareness programs

30. A regulated entity would be likely to benefit from developing an initial and ongoing training and awareness program. For staff who do not have specific data risk management responsibilities, this would typically be incorporated as part of ongoing business process-specific or broader risk management training, as applicable.

31. A regulated entity could also consider incorporating data risk management responsibilities as a component of staff performance plans, as appropriate.

Staff education areas

32. In APRA’s view, a regulated entity would regularly educate users as to their responsibilities in maintaining data quality. Common areas covered could include:
(a) ensuring the quality of data entered;
(b) verifying the level of data quality prior to its use;
(c) mechanisms for reporting data quality issues and concerns; and
(d) adherence to the regulated entity’s data-related policies and standards.

Data life-cycle management

Data risk considered at all stages

33. APRA envisages that a regulated entity would ensure that data risk is considered at each stage of its life-cycle and that appropriate controls are implemented to ensure that data requirements are met. Data-related life-cycle stages typically include data capture, processing, retention, publication and disposal.

Capture

34. Data capture controls, including manual entry of data as well as automated data feeds from internal business units and external sources, would typically be designed to ensure that newly introduced data meets data quality requirements. Controls in this area could include:
(a) user interfaces that conduct appropriate validation before data is accepted;
(b) mechanisms to detect if automated data feeds are functioning as expected and to prevent erroneous data from progressing beyond the capture stage and prevent downstream processing from proceeding; and
(c) specification of data quality requirements and the mechanisms for handling data quality issues included in agreements with internal and external parties.

Processing

35. A regulated entity would typically implement controls to ensure that data processing (the application of business rules to data, including regulatory and legal requirements) and the output generated continue to meet data quality requirements. This would usually include controls over:
(a) data integration (combining data from different sources) to manage the extraction, transformation and loading mechanisms;

(b) acquisition and implementation via approved development, change and project management methodologies to ensure that data quality is not compromised by changes to the production environment;
(c) exception handling to identify and respond to data quality issues in a timely manner; and
(d) error-handling to ensure data is able to be restored or corrected to a known level of data quality. This is commonly achieved through a variety of mechanisms including database management system checkpoint and rollback capabilities, data backup and recovery, and the design of automated processes so they can be re-run if required.

Retention

36. Data retention controls would typically be in place to ensure that data requirements are not compromised as a result of risks associated with the storage of data. This includes data hosting that is outsourced and/or located offshore. APRA’s prudential standards and prudential practice guides on security, business continuity management and outsourcing provide specific requirements and guidance in this area.

37. A regulated entity could find it beneficial to develop a formal retention strategy that addresses the risks associated with data accessibility, and takes into account archiving and recovery requirements. Common issues in this area include accidental deletion, data corruption, changes in technology and poor asset management. The retention strategy would normally include mechanisms to ensure that data retention complies with business requirements, including regulatory and legal requirements.

38. As part of data retention, a regulated entity would normally implement robust protocols for data correction including approval and review of data changes, and maintenance of audit trails for tracking data changes. These controls would typically include appropriate segregation of duties, to reduce the potential for the actions of an individual to compromise data quality.

Publication

39. Data publication refers to the production of information for internal and external stakeholders (e.g. operational information, management information, customer information, media releases, regulatory reporting). Controls would typically be in place to ensure that published data meets the understood content and quality requirements of users. Examples include:
(a) acquisition and implementation controls as part of the introduction of new publication mechanisms (e.g. management review and approval, change management, project management and system development life-cycle);
(b) validation and monitoring controls to ensure published data continues to meet the specified requirements of users; and
(c) processes to manage data issues raised by users.

40. In APRA’s view, it is important that data quality requirements are clearly specified and that confidentiality is not compromised through the publication of data.

41. Additionally, depending on the nature of usage, there could be benefit in a regulated entity including metrics with the data to provide users with an indication of the level of data quality (e.g. the level of completeness and accuracy).

Disposal

42. Disposal controls would typically be in place to ensure:
(a) data is disposed of in compliance with the retention strategy; and
(b) business requirements with respect to confidentiality are not compromised as hardware, software or data reach the end of their useful life or the hardware/software is recommissioned for another use.

Examples include the deletion of sensitive information prior to the disposal or recommissioning of hardware, archiving data prior to decommissioning systems and the removal of data following disaster recovery testing, if appropriate.

Other control considerations

Auditability

43. Auditability (the ability to confirm the origin of data and provide transparency of all alterations) is a key element to verifying data quality. It involves the examination of data and associated audit trails[11], data architecture and other supporting material. APRA envisages that a regulated entity would ensure that data is sufficiently auditable in order to satisfy the entity’s business requirements (including regulatory and legal), facilitate independent audit, assist in dispute resolution (including non-repudiation) and assist in the provision of forensic evidence if required.

Desensitisation

44. Desensitisation (the process of reducing a data set’s sensitivity to a level which complies with the authorised access of the end-user) is a useful approach for maintaining the confidentiality of data while extending its usage. Common approaches include the use of cryptographic[12] or de-identification[13] techniques when transferring data to a less trusted environment (including the public domain). The strength of desensitisation should take into account the ability to reconstruct the original data set using other data available or brute force techniques.[14]

[11] Evidence (e.g. log files, paperwork) of the sequence of activities that have affected data through a specific operation, procedure, or event.
[12] Methods used to transform data/information using an algorithm to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.
[13] The removal of identifying information (e.g. name, date of birth).
[14] A brute force technique is a method of defeating a desensitisation process by systematically trying a large number of possibilities.

End-user computing

45. Current technologies allow for end-users to develop/configure software for the purpose of automating day-to-day business processes, facilitating decision-making and storing data. In addition, software is increasingly designed to enable extraction of data by users. This creates a risk that data life-cycle controls may be inadequate given that end-user developed/configured software is not typically subject to the controls that a technology function would apply.[15]

46. A regulated entity would normally introduce processes to identify the existence of end-user developed/configured software and assess its risk exposure. In APRA’s view, any software that is used for the processing and retention of critical or sensitive data would comply with the relevant life-cycle controls of the entity.

Outsourcing/offshoring of data management responsibilities

47. Continued industry developments allow a regulated entity to more easily move data management responsibilities to service providers or other entities within a group (both on- and offshore). This increases the risk that data life-cycle controls may be inadequate, with problems potentially magnified when offshoring is involved. The possible causes of this increased risk include control framework variations, lack of proximity, reduced corporate allegiance, geopolitical risks and jurisdictional-specific requirements.

48. APRA expects a regulated entity to apply a cautious and measured approach when considering retaining data outside the jurisdiction it pertains to. It is important that a regulated entity is fully aware of the risks involved and makes a conscious and informed decision as to wheth
