Data is Data

Jeffrey Garbus, CEO, Soaring Eagle Consulting

When hiring IT staff, many industry verticals request/require in-vertical IT experience. For example, securities companies tend to prefer staff with securities experience. Insurance companies would prioritize insurance experience.


In reality, industry-specific experience gives a candidate a head start: they can skip learning the terminology. But data management doesn’t really change. What changes are the labels: SOC 2, HIPAA, SarbOx, PCI… but it’s really about data management and best practices.

Add to this a level of auditing that becomes an increasing drain on resources, and compliance becomes a costly endeavor. I have a client who is a CIO at a quasi-governmental agency and who endures 12 audits per year. He has built systems around supplying metadata to auditors.

But does this all really matter? Well, yes, it certainly matters to regulators and auditors. But does it matter to your IT staff?

Not really. You still need to set up standards, processes, and security to meet your organization’s needs, regardless of your industry.

You still need to maintain what SOC 3 refers to as “Trust Services Principles (TSP)” … and you still need to manage your data. Industry is really irrelevant.

The TSPs (i.e. what you’re likely to be audited upon) include:

• Security: Your data needs to be protected, both logically and physically, against unauthorized access. The level of security will likely be described by a regulatory body, by your own site security officer (Chief Security Officer), or by some combination of the two. Your IT staff will apply industry standards, which include requirements for login and password minimum complexity, firewalls to protect from outside intrusion, and sensible application of permissions across system processes.

• Availability: The system is available for operation and use per your defined Service Level Agreement (SLA) with your business users. High-availability systems are DBMS-dependent, not industry-dependent. These can include everything from hardware to software redundancy.

• Processing Integrity: System processing is complete, accurate, timely, and authorized. Not all audits require performance minima, but many do.

• Confidentiality: Information that is designated “confidential” is protected as committed or agreed. This starts with security, but continues inwards to the data, and often requires encryption at the column, table, or database level. Most current DBMSs support this, but keep in mind that the more you encrypt, the more expensive your hardware and software requirements become, not to mention the administrative cost of managing encryption keys.

• Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). Don’t forget EU Safe Harbor Compliance.

There is seemingly a lot of overlap between security, confidentiality, and privacy. In reality the needs differ, but the mechanisms used to manage those needs overlap.

From a data management perspective, and you may see a bit of overlap here, you need:

• Preventive Maintenance – the lack of which is one of the most common problems to plague the database component of the IT shop.

• Database consistency – are all of your page linkages correct? Can your DBMS walk its page and object allocation maps? Are there any physical storage issues being reflected in the data? Never age out your backups without first running your DBMS’ consistency check utility.

• Index balancing – in theory, index structures are self-balancing and self-maintaining. In practice, they need to be periodically rebalanced, especially in technologies that take shortcuts that need to be cleaned up. Lack of this is a frequent cause of erratic performance times.

• Updating statistics histograms – also a frequent cause of erratic performance. Stale histograms skew the information going into the optimizer, and performance can go dramatically wrong as a result.

• Performance – the bane of some DBAs’ existence: queries, databases, and servers need to be tuned, and SLAs (where they exist) need to be met.

• Backups – Both full backups (copies of the database) and incremental backups (the set of changes to the database since the last backup or incremental backup) need to be stored, as well as copied off site. In addition, somebody needs to be tasked with testing the restores.

• High Availability – what happens when bad things happen to good servers, software, or sites? While some compliance / governance requirements may specify minimum availability levels, the business needs will often trump these. User confidence goes down when the server does, whether those users are customers or internal staff.

• Monitoring

  • Database usage and performance should be monitored with a tool other than the one operations uses to monitor heartbeats; databases are a specialized animal that requires specific hooks into the DBMS.

  • Resource growth needs to be managed and planned. When are you going to run out of disk? When will you start overloading CPU, memory, or disk throughput? Can you predict when the problem(s) will start?

• Disaster preparedness

  • Business continuity requirements do vary from vertical to vertical, but in high-volume environments, high availability is critical.

  • Run books are mandatory for everything from dealing with employee turnover to rebuilding crashed servers.

  • Testing failover and restores is no less important for being an audit requirement.

• Software upgrades – must still be tested and applied periodically, both to take advantage of new features and so that vendors don’t make fun of us when we request support.
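The “when are you going to run out of disk?” question above is answerable with a simple trend projection. This is an added example, not code from the article or from Soaring Eagle Consulting; the daily usage readings, the 1,000 GB volume size and the 90% alert line are constructed values.

```python
"""Capacity forecast: fit a straight line to daily disk-usage samples and
project when usage will cross an alert line and when the volume fills."""

# Constructed sample readings: (day index, GB used) for one data volume.
SAMPLES = [(0, 500.0), (1, 503.0), (2, 507.0), (3, 509.0),
           (4, 514.0), (5, 516.0), (6, 521.0)]
CAPACITY_GB = 1000.0      # constructed volume size
ALERT_FRACTION = 0.9      # raise a capacity ticket at 90% used


def fit_growth(samples):
    """Least-squares fit; returns (slope in GB/day, intercept in GB at day 0)."""
    n = len(samples)
    mean_x = sum(x for x, _ in samples) / n
    mean_y = sum(y for _, y in samples) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in samples)
    if sxx == 0:
        raise ValueError("need readings from at least two distinct days")
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in samples)
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def days_until(threshold_gb, samples):
    """Days from the last reading until the fitted line reaches threshold_gb.
    Returns None when usage is flat or shrinking (no exhaustion predicted),
    and 0.0 when the threshold has already been crossed."""
    slope, intercept = fit_growth(samples)
    if slope <= 0:
        return None
    last_day = max(x for x, _ in samples)
    return max((threshold_gb - intercept) / slope - last_day, 0.0)


def forecast(samples, capacity_gb=CAPACITY_GB, alert_fraction=ALERT_FRACTION):
    """Summary a DBA can drop into a run book or a monitoring check."""
    slope, _ = fit_growth(samples)
    return {
        "growth_gb_per_day": slope,
        "days_to_alert": days_until(capacity_gb * alert_fraction, samples),
        "days_to_full": days_until(capacity_gb, samples),
    }


if __name__ == "__main__":
    for key, value in forecast(SAMPLES).items():
        print(f"{key}: {value:.2f}" if value is not None else f"{key}: n/a")
```

A real check would pull the readings from the monitoring history rather than a literal list, and the forecast should be re-run as new samples arrive, since growth rarely stays linear for long.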

Business needs don’t vary a lot across verticals: data needs to be cared for, and loss prevention is mandatory. Audit requirements have different labels, but tend to boil down to the same thing: be alert and attentive.

Data is data.
