Saturday, November 27, 2010

Study notes on COBIT: Defining the Information Architecture

Creating, maintaining and using information for the business


Suppose that you're the owner of a retail store. You'd like to use IT to enhance your business (so you're acting as the CIO in addition to the CEO). You figure that if some products are missing from the shelves, you'll lose business. So you have to restock the shelves from the storage area promptly and reorder the items that are running low in the storage area, just in time. To do that, you can use a POS system to keep track of the items sold, the items on the shelves and the items in the storage area. That is, you need to create, maintain and use information that models the real world. That's probably the most common purpose of business IT systems.
However, storing information comes at a cost: you have to take good care of (manage) the information properly, otherwise bad things can happen. This is like owning a car or a dog: once you own it, you have to keep it clean, keep it healthy, and so on.

Keeping information correct


One problem with storing information is that, if unmanaged, it becomes erroneous. For example, the stock levels in the POS system drift away from what is physically on the shelves as time goes by (mis-scans, breakage, theft), so you need to take a physical inventory from time to time and reconcile the two (a process to keep information correct).

Keeping information consistent


Another problem is that information, once duplicated, tends to become inconsistent. For example, while the POS system contains information about your suppliers, you may also need to enter that same information into your accounting system for accounts payable. Why is this a problem? Say a supplier changes his address and informs you: you will have to update it in both the POS system and the accounting system. If you forget either one, the two copies will be inconsistent.
How do you solve this? The ideal solution is not to duplicate the data at all. For example, if both the POS system and the accounting system support it, they could be put into the same database but in different schemas (one schema per application), with the supplier information stored in a third, shared schema that both reference. If this is not supported (some applications do not let you specify the schema), you will have to synchronize the supplier information between the two databases somehow, which means deciding which system is the system of record and checking regularly that the copies still agree. Both approaches are forms of enterprise-wide data coordination between different applications, departments or processes.
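To make the second approach (synchronizing) concrete, here is an added example, not taken from the notes or from any real POS or accounting product. It keeps two constructed copies of a supplier table in separate SQLite databases, reports every record where the copies disagree, and then pushes the system-of-record copy (the POS, by assumption) onto the other side. The table layout and the sample rows are made up for illustration; the point is that a duplicated record needs both a drift check and a defined master.

```python
"""Added example (not from the original notes): detecting and repairing
supplier records that drift apart when the same data is duplicated in a
POS database and an accounting database. Table layout, column names and
sample rows are constructed for illustration."""
import sqlite3


def make_db(rows):
    """Create an in-memory database holding one constructed supplier table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE supplier (supplier_id INTEGER PRIMARY KEY, "
        "name TEXT NOT NULL, address TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO supplier VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def load_suppliers(conn):
    """Return {supplier_id: (name, address)} for one database."""
    cur = conn.execute("SELECT supplier_id, name, address FROM supplier")
    return {sid: (name, addr) for sid, name, addr in cur}


def find_inconsistencies(master, replica):
    """Compare the two copies and report every record that differs.

    Returns {supplier_id: (master_row, replica_row)}; a row missing on
    one side appears as None, so additions and deletions are caught too.
    """
    m, r = load_suppliers(master), load_suppliers(replica)
    diffs = {}
    for sid in sorted(set(m) | set(r)):
        if m.get(sid) != r.get(sid):
            diffs[sid] = (m.get(sid), r.get(sid))
    return diffs


def sync_from_master(master, replica):
    """Push the system-of-record copy onto the replica; returns the number
    of rows changed. Treating the POS as master is an assumption of this
    example; which system is the system of record is a governance choice."""
    diffs = find_inconsistencies(master, replica)
    for sid, (master_row, _) in diffs.items():
        if master_row is None:
            replica.execute("DELETE FROM supplier WHERE supplier_id = ?", (sid,))
        else:
            replica.execute(
                "INSERT OR REPLACE INTO supplier VALUES (?, ?, ?)",
                (sid, *master_row),
            )
    replica.commit()
    return len(diffs)


def demo():
    """Constructed scenario: supplier 2 moved and only the POS was updated."""
    pos = make_db([(1, "Acme Foods", "1 Market St"), (2, "Bean Co", "9 New Rd")])
    accounting = make_db([(1, "Acme Foods", "1 Market St"), (2, "Bean Co", "5 Old Rd")])
    before = find_inconsistencies(pos, accounting)
    changed = sync_from_master(pos, accounting)
    after = find_inconsistencies(pos, accounting)
    return before, changed, after


if __name__ == "__main__":
    before, changed, after = demo()
    print("drift before sync:", before)
    print("rows repaired:", changed, "drift after sync:", after)
```

The drift report is worth running on its own, on a schedule, even if the sync is done by some other mechanism: it is the reconciliation step for duplicated data, the same way a physical inventory is the reconciliation step for stock levels.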

Keeping information secure


In addition, once you keep information, you must keep it secure. The product item information is not particularly confidential (confidentiality is one aspect of information security), but you must prevent ordinary users and outsiders from changing the retail prices (integrity is the second aspect of information security). The financial information accessed through the accounting system, such as profit and loss reports, should be confidential and accessible only to the management of the company.

Making sure the information & the processing system are available


As the operation of your business now relies on the POS system to read and update the product item information, if the database (the information) or the POS system (the processing system) breaks, your business will be severely hindered. Therefore you must ensure the availability of the database and the POS system (availability is the third aspect of information security).
How do you do that? You should back up the database and the POS system and practice restoring from those backups regularly; a backup that has never been restored is an assumption, not a safeguard. You could also consider redundant hardware (e.g., RAID, fault-tolerant servers, dual power supplies), redundant power (UPS or a generator), redundant systems (e.g., database replication, server clustering) and disaster recovery planning.
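Here is what "practice restoration" looks like as a script, added as an example rather than taken from the notes. It backs up a constructed SQLite item table with the database's online backup API, records a SHA-256 digest of the backup file, and then runs a restore drill: verify the digest, restore into a fresh database, run SQLite's own integrity check and compare the row count with what the live system reported at backup time. The item table, its rows and the file names are assumptions; the same drill applies to any DBMS using its own dump and restore tools.

```python
"""Added example (not from the original notes): back up a database, then
prove the backup is usable by restoring it into a fresh database and
checking it. The 'item' table, its rows and the file names are constructed;
the real POS schema is unknown."""
import hashlib
import os
import sqlite3
import tempfile


def make_pos_db(path):
    """Create a small constructed POS database on disk."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE item (sku TEXT PRIMARY KEY, qty_on_shelf INTEGER, price_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO item VALUES (?, ?, ?)",
        [("A100", 12, 199), ("B200", 0, 499), ("C300", 7, 1299)],
    )
    conn.commit()
    return conn


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def backup_db(live, backup_path):
    """Take a consistent online copy via sqlite3's backup API and return the
    SHA-256 of the backup file. Store the digest separately from the backup
    so a later restore can tell whether the copy was corrupted or tampered
    with while in storage."""
    dest = sqlite3.connect(backup_path)
    live.backup(dest)
    dest.close()
    return sha256_of(backup_path)


def restore_and_verify(backup_path, expected_digest, expected_rows):
    """Restore drill. Returns True only if the digest matches, the restored
    database passes PRAGMA integrity_check and the row count is what the
    live system reported when the backup was taken."""
    if sha256_of(backup_path) != expected_digest:
        return False
    src = sqlite3.connect(backup_path)
    restored = sqlite3.connect(":memory:")
    src.backup(restored)
    src.close()
    ok = restored.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
    rows = restored.execute("SELECT COUNT(*) FROM item").fetchone()[0]
    restored.close()
    return ok and rows == expected_rows


def backup_drill():
    """Run a full cycle in a temp dir; returns (restore_ok, tamper_detected)."""
    with tempfile.TemporaryDirectory() as d:
        live_path = os.path.join(d, "pos.db")
        bak_path = os.path.join(d, "pos.bak")
        live = make_pos_db(live_path)
        rows = live.execute("SELECT COUNT(*) FROM item").fetchone()[0]
        digest = backup_db(live, bak_path)
        live.close()
        good = restore_and_verify(bak_path, digest, rows)
        # Simulate a backup that was damaged or altered in storage: overwrite
        # 16 bytes just past the 100-byte SQLite file header.
        with open(bak_path, "r+b") as f:
            f.seek(100)
            f.write(b"\x00" * 16)
        bad = restore_and_verify(bak_path, digest, rows)
        return good, not bad


if __name__ == "__main__":
    restore_ok, tamper_detected = backup_drill()
    print("restore drill passed:", restore_ok)
    print("damaged backup rejected:", tamper_detected)
```

The digest is the cheap part and the restore is the expensive part; both belong in the routine, because a backup that hashes correctly can still be a copy of a database that was already broken, and a restore that "works" from a tampered file proves nothing. Keep the backup and its digest off the POS host, otherwise the failure that takes down the POS takes the backup with it.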

Archiving or removing the information


Finally, for the performance of the system or to save space, you may want to archive old information to long-term storage (e.g., DVD) as historical records.
In some companies, if the law requires that the information be kept for a certain number of years, they will remove it once that requirement is met, in case it could be used against them in court (just think of Edison Chen, who failed to really delete the photos on his laptop!). Note that deleting a file usually only unlinks it; the data stays on the disk until it is overwritten, so removal has to mean overwriting or destroying the media (or destroying the key, if the data was encrypted).

Delegating the management responsibility of information


As there is a lot of different information in the company, it is difficult for you, an individual, to decide how much care each kind of information needs (How strong should the access control be? How long should it be kept? How much availability is required?). Therefore, for each type of information (e.g., financial information, product information), you (now acting as the compliance officer or chief security officer) should ensure there is a process that assigns someone as the owner of that information and lets the owner decide how much management care is required. Usually this is done by classifying the data (e.g., for confidentiality: top secret, confidential, internal use, public; for availability: highly available, important, normal, rarely needed).

Information architecture


In summary, to support the business, you plan what information to create, maintain and use; how to keep it correct, consistent (by sharing or synchronizing), secure (confidential, untampered with, available); and when and how to archive or remove it. The processes, methods and documents you create to achieve these purposes (properly managing the information) are called the "information architecture" of the enterprise.