Handbook of Information Security Management: Policy, Standards, and Organization


Data analyst — This person analyzes the business requirements to design the data structures, recommends data definition standards and physical platforms, and is responsible for applying certain data management standards. Responsibilities include the following:

  Designing data structures to meet business needs.
  Designing the physical database structure.
  Creating and maintaining logical data models based on business requirements.
  Providing technical assistance to the data owner in developing data architectures.
  Recording metadata in the data library.
  Creating, maintaining, and using metadata to effectively manage database deployment.

Solution provider — This person participates in the solution (application) development and delivery processes that deploy business solutions; also referred to as an integrator, application provider/programmer, or I/T provider. Duties include the following:

  Working with the data analyst to ensure the application and data will work together to meet the business requirements.
  Giving technical requirements to the data analyst to ensure performance and reporting requirements are met.

End user — Any employee, contractor, or vendor of the company who uses information systems resources as part of their job. Responsibilities include:

  Maintaining confidentiality of log-on password(s).
  Ensuring security of information entrusted to their care.
  Using company business assets and information resources only for management-approved purposes.
  Adhering to all information security policies, procedures, standards, and guidelines.
  Promptly reporting security incidents to management.

Process owner — This person is responsible for the management, implementation, and continuous improvement of a process that has been defined to meet a business need. This person:

  Ensures data requirements are defined to support the business process.
  Understands how data quality and availability affect the overall effectiveness of the process.
  Works with the data owners to define and champion the data quality program for data within the process.
  Resolves data-related issues that span applications within the business processes.

Product line manager — This person is responsible for understanding business requirements and translating them into product requirements, working with the vendor/user area to ensure the product meets those requirements, monitoring new releases, and working with the stakeholders when movement to a new release is required. This person:

  Ensures new releases of software are evaluated and upgrades are planned for and properly implemented.
  Ensures compliance with software license agreements.
  Monitors performance of production against business expectations.
  Analyzes product usage, trends, options, competitive sourcing, etc., to identify the actions needed to meet projected demand for the product.

IDENTIFYING OWNERS

The steps previously defined are required to establish the information classification infrastructure. With the classifications and their definitions in place, and the roles and responsibilities of the participants articulated, it is time to execute the plan and begin identifying the information owners. As stated previously, the information owners must come from the business units. It is the business unit that will be most affected if the information is lost or corrupted; the data exist solely to satisfy a business requirement. The following criteria must be considered when identifying the proper owner for business data:

  Must be from the business; data ownership is not an I/T responsibility.
  Senior management support is a key success factor.
  Data owners must be given (through policy, perhaps) the necessary authority commensurate with their responsibilities and accountabilities.
  For some business functions, a multi-level approach may be necessary.

A phased approach will most likely meet with less resistance than trying to identify all owners and classify all information at the same time. The Study Team formed to develop the roles and responsibilities should also develop the initial implementation plan. This plan should consider using a phased approach — first identifying, from the risk assessment data, those applications that are critical or most important by orders of magnitude to the corporation (such as time-critical business functions first). Owners for these applications are more easily identified and are probably already sensitized to the mission criticality of their information. Other owners and information can be identified later, business function by business function, throughout the organization.

A training program must also be developed and be ready to implement as the information owners and their delegates are named. Any tools, such as spreadsheets for recording application and information ownership and classification, and reporting mechanisms, should be developed ahead of time for use by the information owners. Once the owners have been identified, training should begin immediately so that it is delivered at the time it is needed.


The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course this version is getting a bit old and may not contain all of the info that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.