Experience: Data and Information Quality Challenges in Governance, Risk, and Compliance Management

Abstract
Governance, risk, and compliance (GRC) managers often struggle to document the current state of their organizations. This is due to the complexity of their information systems (IS) landscape, the complexity of the regulatory and organizational environment, and the frequent changes to both. GRC tools seek to support them by integrating existing information sources. However, a comprehensive analysis of how data is managed in such tools, and of the impact of data quality on GRC decisions, is still missing. To build a basis of empirical data, we conducted a series of interviews with information security managers responsible for GRC management activities in their organizations. The results of a qualitative content analysis of these interviews suggest that decision makers largely depend on high-quality documentation but struggle to maintain their documentation at the required level for long periods of time. This work discusses factors affecting the quality of GRC data and information and provides insights into approaches implemented by organizations to analyze, improve, and maintain the quality of their GRC data and information.
Supplemental Material
Supplemental movie, appendix, image and software files for Experience: Data and Information Quality Challenges in Governance, Risk, and Compliance Management