research-article

Experience: Data and Information Quality Challenges in Governance, Risk, and Compliance Management

Published: 08 March 2019

Abstract

Governance, risk, and compliance (GRC) managers often struggle to document the current state of their organizations. This is due to the complexity of their IS landscape, the complex regulatory and organizational environment, and the frequent changes to both. GRC tools seek to support them by integrating existing information sources. However, a comprehensive analysis of how the data is managed in such tools, as well as the impact of data quality, is still missing. To build a basis of empirical data, we conducted a series of interviews with information security managers responsible for GRC management activities in their organizations. The results of a qualitative content analysis of these interviews suggest that decision makers largely depend on high-quality documentation but struggle to maintain their documentation at the required level for long periods of time. This work discusses factors affecting the quality of GRC data and information and provides insights into approaches implemented by organizations to analyze, improve, and maintain the quality of their GRC data and information.




Published in

Journal of Data and Information Quality, Volume 11, Issue 2
On the Horizon, Experience Paper and Regular Papers
June 2019
66 pages
ISSN: 1936-1955
EISSN: 1936-1963
DOI: 10.1145/3317030

Copyright © 2019 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 8 March 2019
• Accepted: 1 November 2018
• Revised: 1 September 2018
• Received: 1 May 2007

Qualifiers

• research-article
• Research
• Refereed
