z/VSE: 45 Years of Progress - z/VM - IBM
Compliance Options
Getting From WHY to HOW
Gwen Thomas
Raise your hand if people tell you what to do. Keep it up if they also try to tell you how to do it. Is it ever challenging to extract the details that would make it easier for you to offer and defend different compliance options?

Here’s an easy-to-remember method you can use to guide a compliance negotiation to the conclusion that maybe you should be the one to decide how to comply. It’s based on the WHO-WHAT-WHEN-WHERE-WHY model we’re all familiar with.
In this technique, we start with the word WHY. When you’re told you need to do something, ask for the underlying objective. For instance, let’s assume you’ve been told to implement a specific control. Why? You’re told it’s to ensure that confidential customer data will adhere to privacy rules. Great. That’s a clear objective, assuming you have access to those rules. Your next question is WHO this applies to—who must implement the recommended control. But don’t stop with a simple question. Pick two sets of criteria and two options for each criterion. Arrange them in a grid, and use that grid to determine whether the situation includes one, two, three, or four sets of circumstances.
The following is an example of a WHO grid.

                  | Technical experts | Non-technical users of data
    Our group     |                   |
    Other groups  |                   |

Your goal is to know whether this specific suggestion or requirement applies to groups other than yours, and whether it’s an IT-focused activity or something that also applies to business users. This is important to know because it tells you whether there’s the possibility of flexibility; for example, will other groups satisfy compliance in a manner different from you? Next, ask WHAT the requirement applies to (see below).

                                      | Planning, Alignment | Execution, Statusing
    Formal processes                  |                     |
    “Professional judgment” practices |                     |

Will this activity take place infrequently during planning and alignment, or is it a recurring operational activity? If the scope is both formal and informal activities, can a single option actually satisfy every requirement?

                   | Individual data fields | Data stores and files
    The mainframe  |                        |
    Other systems  |                        |

Next, ask WHERE the activity must be performed (see above). Is this control applied only to the mainframe, or also within other systems? Is it applied at a field-level, at the repository-level, or something in between? At this point, you’re going to have some insight that your order-giver might not have. You know that applying controls to individual fields often requires a different approach than implementation at higher-granularity levels.

                       | Planned activities | Ad hoc activities
    One-time activity  |                    |
    Ongoing activities |                    |

Finally, ask WHEN the activity should take place (see above). Is it one time, ongoing, or both? Will it be part of planned processes, ad hoc activities, or both?
By now, you should have the WHO-WHAT-WHEN-WHERE-WHY information you need to understand your stakeholders’ actual needs. You’re in a better position to suggest a HOW that will meet those needs and satisfy your own, as well.
Gwen Thomas is president of The Data Governance Institute and publisher of its Website at www.DataGovernance.com and its sister site, SOX-online (www.sox-online.com), the vendor-neutral Sarbanes-Oxley site. She has designed and implemented many data governance and compliance programs for publicly traded and private companies across the U.S. and is a frequent presenter at industry events. Author of the book Alpha Males and Data Disasters: The Case for Data Governance, she hosts the Data Governance & Stewardship Community of Practice at www.DataStewardship.com.
Email: gwen.thomas@datagovernance.com
Website: www.datagovernance.com
60 • z/Journal • October/November 2010