
Experience: Data and Information Quality Challenges in Governance, Risk, and Compliance Management

Published: 08 March 2019

Abstract

Governance, risk, and compliance (GRC) managers often struggle to document the current state of their organizations. This is due to the complexity of their IS landscape, the complex regulatory and organizational environment, and the frequent changes to both. GRC tools seek to support them by integrating existing information sources. However, a comprehensive analysis of how the data is managed in such tools, as well as the impact of data quality, is still missing. To build a basis of empirical data, we conducted a series of interviews with information security managers responsible for GRC management activities in their organizations. The results of a qualitative content analysis of these interviews suggest that decision makers largely depend on high-quality documentation but struggle to maintain their documentation at the required level for long periods of time. This work discusses factors affecting the quality of GRC data and information and provides insights into approaches implemented by organizations to analyze, improve, and maintain the quality of their GRC data and information.

Supplementary Material

a6-sillaber-supp.pdf (sillaber.zip)
Supplemental movie, appendix, image and software files for "Experience: Data and Information Quality Challenges in Governance, Risk, and Compliance Management".


Cited By

  • (2024) Bibliometric Analysis of Using IT-GRC for Corporate Resilience and Sustainability. 2024 2nd International Conference on Software Engineering and Information Technology (ICoSEIT), 92-97. DOI: 10.1109/ICoSEIT60086.2024.10497485. Online publication date: 28 Feb 2024.
  • (2024) Unlocking financial innovation through strategic investments in information management: a systematic review. Discover Sustainability 5(1). DOI: 10.1007/s43621-024-00542-6. Online publication date: 6 Nov 2024.
  • (2024) Ant: a process aware annotation software for regulatory compliance. Artificial Intelligence and Law 32(4), 1075-1110. DOI: 10.1007/s10506-023-09372-9. Online publication date: 1 Dec 2024.
  • (2024) Data governance for wicked problems. The Electronic Journal of Information Systems in Developing Countries 90(1). DOI: 10.1002/isd2.12296. Online publication date: 8 Jan 2024.
  • (2022) Threat Intelligence Quality Dimensions for Research and Practice. Digital Threats: Research and Practice 3(4), 1-22. DOI: 10.1145/3484202. Online publication date: 10 Mar 2022.

Published In

Journal of Data and Information Quality  Volume 11, Issue 2
On the Horizon, Experience Paper and Regular Papers
June 2019
66 pages
ISSN:1936-1955
EISSN:1936-1963
DOI:10.1145/3317030

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 08 March 2019
Accepted: 01 November 2018
Revised: 01 September 2018
Received: 01 May 2007
Published in JDIQ Volume 11, Issue 2


Author Tags

  1. Data quality
  2. Governance risk and compliance
  3. information quality
  4. management system

Qualifiers

  • Research-article
  • Research
  • Refereed

Funding Sources

  • Austrian Federal Ministry of Science, Research and Economics (BMWFW), FFG Project

Article Metrics

  • Downloads (last 12 months): 143
  • Downloads (last 6 weeks): 18

Reflects downloads up to 28 Dec 2024.

