Data Management Standards - en
Data Management Standards - en
VERSION 1.0
Contents
1 EXECUTIVE SUMMARY 02
2 INTRODUCTION 03
2.1 Overview 03
2.2 Purpose 04
2.3 Scope 05
2.4 Applicability 06
7 RELATED DOCUMENTS 15
7.1 Alignment with Related Government Standards 15
11 ALIGNMENT TO STANDARDS 20
12 EXTERNAL DEPENDENCIES 21
13 CONTROL STRUCTURE 22
15 APPENDICES 125
15.1 Glossary of Terms 125
15.2 Example Roles and Responsibility Matrix 127
15.3 References and Bibliography 128
Document Configuration Control
Version Release Date Summary of Changes Release Approval
Initial Publication Abu Dhabi Systems &
1.0
Release Information Centre
A review and update of this document will take place when changes require revising the Data Management
Standards and associated Data Management Policy. Such modifications may relate to changes in roles and
responsibilities, release of new legislation or technical guidance, or the identification of a new policy area.
Group
All Abu Dhabi Government Entity personnel, contractors, and third party individuals directly or indirectly involved
in the provision of government services.
In recognition of this, the Abu Dhabi Government has developed a government-wide data management programme
to be implemented by all Abu Dhabi Government Entities (‘Entities’). The goal of the Abu Dhabi Government Data
Management Programme is first to acknowledge that data is a key asset of the Abu Dhabi Government, and then
to improve both the data management functions and the data stored within the Abu Dhabi Government. Owning
and using high quality data is acknowledged as a strategic enabler for the Abu Dhabi Government in its journey to
become a world-class administration.
The ability of Entities to share and consume valuable data within a managed framework opens up many
opportunities to identify and deliver new or enhanced services to stakeholders, and to establish a working culture
that leads to continuous improvement in the way these services operate.
World-class data management must be directed and supported from the highest levels of an organisation, with
vision, direction, guidance and resources necessary to implement consistent policy and standards across and
throughout the organisational structure. With these objectives being of primary importance, the Abu Dhabi
Government has developed a core set of standards for data management based on the following principles:
1. Data shall be owned: all information used to enable the Entity’s business must have a designated owner who
is accountable for its proper custody.
2. Data shall be described: all data must be appropriately described to allow its content – and its purpose
within the organisation – to be properly understood.
3. Data shall be of known good quality: all data must be of the appropriate quality for its use within the
organisation.
4. Data shall be accessible: all data must be accessible to those who have a legitimate reason to use it. Data
must be securely protected against loss, damage or misuse.
5. Data shall be used and shared: all data must be available to share easily with any legitimate party, and its
use appropriately managed.
6. Data management shall be implemented: appropriate management of all data must be implemented
through initiatives designed to introduce or strengthen particular data management capabilities.
The executive management teams of all Abu Dhabi Government Entities are requested to acknowledge that
their vision, leadership, and commitment will ultimately decide how effectively their organisations embrace the
aims of these Standards, and that this will determine whether they achieve effective management of the data
given into their trust. The stewardship of government services is a significant and privileged responsibility. It
is a responsibility that can be effectively realised when executives, staff and suppliers are committed to data
management best practice.
The Abu Dhabi Government Data Management Model (figure 1) represents the landscape of data management
concepts within a hierarchy of dependent principles.
Governance OWNED
Modelling & Design
Data Architecture
Metadata Data Catalogue DESCRIBED
Data Completeness
Data Integrity Data Accuracy
QUALITY
The principles are shown towards the right-hand side of the diagram. Under the overarching organisational
strategy and programme governance, the model is read top down, with each principle providing a framework for
the principles below.
Data ownership is of primary importance for governing the effective management of all data created, curated
and used within each Entity.
Having established ownership, the model next indicates the need for Entities to develop and maintain a
description of the data they own. The resulting catalogue of information about data is published and made widely
available in a consistent form, and serves to communicate a common understanding of all the data owned by and
maintained within the government.
The principle of access determines that data needs to be accessible to those who have a legitimate reason to
use it, with the legitimate access enabled through proper security, privacy, storage, lifecycle and disaster recovery
controls.
All data should be available to be used and shared by any legitimate party. Entities are required to ensure that
data is readily shareable and re-usable, and that interoperability follows a consistent approach. This will lead to
data services exposed via an enterprise integration platform. Legitimate parties to receive and use shared data
could also be external stakeholders including those outside of government (eg citizens and other individuals,
commercial companies and other organisations, other nations etc). Data and recipients shall be considered
through the ‘Open Data’ controls.
Once the core principles of data management have been addressed, initiatives for managing and using data can
be implemented. Such initiatives are at the level that most discussions about data take place – encapsulating
subjects such as master data management, document and content management, data warehousing, business
intelligence (BI) and analytics etc.
2.2 Purpose
The Abu Dhabi Government Data Management Standards document is intended to direct Entities and other
stakeholders in areas requiring focus for the application of data management controls. Adherence to the
Control Standards means that data management controls are being deployed consistently across Abu Dhabi
Government Entities.
The Control Standards contained within this document represent the government’s expectations for data
management. The Control Standards are expressed in 13 domains of data management that are interrelated
and mutually supportive. Entities and business partners handling government data have the responsibility to
understand the Control Standards defined within this document, and to effectively apply these Standards in the
context of all data assets they own.
The Standards – and assessments made against them – are instruments intended to support the significant goals of:
Accompanying guidance documentation and checklists supports the Control Standards (see Section 7 Related
Documents for an overview of these items). The Standards should be read in conjunction with these supporting
materials.
Governance
Integration & Reference & EDW, BI &
Architecture Catalogue Security Interoperability Master Data Analytics
Domain Definition
Data Governance Provides planning and control over the implementation of the Data
Management Programme, together with the governance checkpoint
processes to show continued monitoring of compliance
Metadata Management Planning, implementation, and control activities to enable easy access to
high quality integrated metadata
Data Catalogue Activities required of Entities in terms of creating, managing and
contributing information about their datasets to the entitie’s catalogue
Data Modelling and Design Activities required of ADGEs in terms of designing data to meet the
strategic requirements of the organisation
Data Architecture Activities required for the ADGE in terms of defining the data needs of
the enterprise, and designing the master blueprints to meet those needs
Data Quality Planning, implementation and control activities that apply quality
management techniques to measure, assess, improve and ensure the
fitness of data for use
Data Security Planning, development and execution of security policies to provide
proper authentication, authorisation, access, and auditing of data and
information
Data Storage Requirements related to the management of structured and unstructured
physical data assets at rest
Data Integration and Managing data in motion, discovering and intergrating data within the
Interoperability Entity and between Entities through a strategic integration platform
Open Data Activities required of ADGEs to ensure the correct data is publicly
available to appropriate quality standards, in appropriate formats, and
with appropriate descriptions
Reference and Master Data Planning, implementation and control activities to ensure consistency
Management with a golden version of contextual data values
Documents and Content The required activities relating to the lifecycle of content and documents
outside structural databases
Data Warehouse, Business Planning, implementation and control processes to provide decision
Intelligence and Analytics support data, and support for knowledge workers engaged in reporting,
query and analysis.
Owned: Governance
Described: Metadata, data catalogue, modelling and design, data architecture
Quality: Data quality
Access: Storage, security and privacy
Implement: Implement:
Reference and master data Document and content
management management
Implement:
Data warehousing, business intelligence and analytics
Implementation of the Government Data Management Programme is required of all Entities, across all
13 domains. Entities shall gather evidence from across their business and technology functions in order to show
compliance with these Standards from all data users. Entities shall use the data management domains to direct
the implementation of all programmes that contain a data management element.
2.4 Applicability
Control Standards defined within this document must be applied by Abu Dhabi Government personnel,
contractors and – wherever possible – other third party organisations (eg federal bodies) with responsibility for
the creation, handling, storage, management transmission and destruction of Abu Dhabi Government data assets
(including information systems and other equipment).
These Control Standards apply to all programmes of work that have an aspect of data management. This includes
line-of-business information systems, whether new, changed, bespoke or commercial off-the-shelf. Some controls
are applicable to the data management programme as a whole, such as the development of the data governance
function, while other controls apply to each information system, data source or other information under the
Entity’s control (see section 5 – Data Management Framework for an overview). This shall include assets that are
provided by – or managed for – the Entity by third-party organisations.
Entities have the responsibility for the rollout of a data management programme of work ensuring that controls are
deployed in sufficient depth and range, applying the Control Standards effectively across the scope of the Entity’s
information assets.
The 13 data management domains are grouped together as ‘data principles’. These principles assist in the
understanding of the overall data management landscape and provide a natural grouping, hierarchy and
sequencing with each principle providing the framework for the next.
The principles of the Government Data Management Model (and its associated Controls and Specifications) have
been developed so that required changes can be applied – where they exist – through established information
systems programmes and projects.
Each Entity will need to mobilise a Data Management Programme to address the core principles of the
Government Data Management Model.
Figure 4 illustrates the distribution of effort across the Government Data Management Model for the Data
Management Programme and the projects that follow. The Entity will need to begin at the top of the model and
focus on implementing the necessary elements of the ‘Owned’ principle. This activity will encompass elements to
support all of the subordinate principles, providing the operational framework that will ensure that future projects
and programmes require less additional effort.
Owned
Data Management
Programme
Described
Quality
Access
Ongoing Projects
Ongoing Projects
Ongoing Projects
Further Projects
Initial Projects
Implement
As the Programme progresses to address each of the data principles in turn, there is less foundation work
required from subsequent information system projects. It is important to establish the organisation, processes and
tools that support the data principles as soon as possible, to allow business-focused initiatives within the Entity to
align with the Control Standards, in order to realise the benefits that the Data Management Programme attracts.
The adoption of the Data Management Standards across the data domains should be considered on a case-by-
case basis. Each Entity will have programmes and projects that are already in progress or planned to start, and
each of these projects will touch various datasets across the business domains. It is recommended that these
initial projects apply the Data Management Standards to the datasets within their scope.
These three levels of applicability provide the Entity with a framework (figure 5) for implementing the Data
Management Standards.
Entities can begin the implementation of the Control Standards almost immediately by focusing initially on the
Data Management Programme-level controls. This covers the development of policies, governance processes,
the identification and cataloguing of data owned by the Entity, and establishing a data architecture roadmap to
assist in planning and implementing both the Enterprise Data Capabilities and the Application Data Management
capabilities.
1 2 3 4
Abu Dhabi Data Entity
Other External Compliance
Management Enterprise
Obligations Reporting
Policy and Architecture
Standards
5 10 13 14 15
Entity Data Enterprise Data
Data Enterprise
Management Data Architecture
Governance Data Modelling
Programme Architecture Roadmap
6 7 11 12
Entity Data
Entity Privacy Metadata Data
Management
Policy Management Catalogue
Policy
8 9
Entity Data Entity Data
Retention Data Open Data
Policy Policy
23 26 16 21 22
Document
Data Data
Data Quality Data Storage and Content
Architecture Catalogue
Management
24 27 17 18
Master &
Data Data Data Reference
Modelling Quality Cleansing Data
Management
25 28 19 20
Data Data
Data Data Warehouse,
Integration & Business
Security Storage
Interoperability Intelligence &
Analytics
Primary
Item Related
Element Description
No Control
Standard(s)
Data Management Programme
1 Abu Dhabi This document: provides definition of Data Management All
Government Data Control Standards that an Abu Dhabi Government Entity
Management (ADGE) is expected to follow
Standards
2 Other External Other external obligations such as government
Obligations technology standards, including UAE National Information
Assurance Standards, and the Metadata and Standards
described in the Abu Dhabi Government Interoperability
Framework (eGIF)
3 Compliance Gathering evidence and reporting standards compliance
Reporting to the Abu Dhabi Government Data Governance
Committee
4 Entity Enterprise The business processes and supporting technology that DA.1
Architecture enable the Entity’s service delivery
5 Entity Data The Entity’s programme to implement these standards DG.3
Management
Programme
6 Entity Data The Entity’s internal documented policies for managing DG.2
Management each of the 13 data domains
Policy
7 Entity Privacy The Entity’s public Privacy Policy, describing the Entity’s DSP.2
Policy obligations and the rights of its service users
8 Entity Data The Entity’s internal documented policy for data DG.2
Retention Policy retention, describing how long data will be kept and
the circumstances that will lead to data archival and
destruction
9 Entity Open Data The Entity’s public Open Data policy, describing the DG.1
Policy requirements, circumstances and licence under which
data shall be published to the public
10 Data Governance The Entity’s Data Governance Board, and the Governance DG.1, DG.2, DG.3
Checkpoint Process used to evaluate evidence of
compliance from enterprise and application level
programmes
11 Metadata Defining the names, values and definitions of data that MD.2
Management shall be managed from across the Entity’s business
functions
12 Data Catalogue Capturing metadata in the form of master profiles, data DC.3, DC.4
models, data structures, both at a business and technical
level
13 Enterprise Data Developing the baseline and target data architectures DA.2, DA.3,
Architecture from across the Entity’s business functions DIO.2, DWBA.2
17 Data Cleansing Provision of data cleansing tools and processes and skills DQ.3
for the Entity’s master profiles
18 Master and Managing versioned reference data across the Entity, and RM.1, RM.5
Reference Data ensuring the single ‘golden view’ of the Entity’s master
Management profiles through matching and merging techniques
19 Data Providing the ability to consistently share high-quality DIO.1
Integration and data both within the Entity and between Government
Interoperability Entities
20 Data Warehouse, Providing coordinated data warehousing, business DWBA.1,
Business intelligence and analytics capabilities through a defined DWBA.6, DWBA.7
Intelligence and set of tooling across the Entity’s business subject areas
Analytics
21 Data Storage Centralised Entity data storage provision DS.3, DS.4
The Entity should maintain its own self-assessment capabilities to determine if compliance is being maintained. It
is anticipated that this capability will be achieved through a Governance Checkpoint Process, allowing evidence
and justifications to be presented to the Data Governance Board at specific programme and project milestones.
This shall be overseen by the Entity’s Data Manager, who shall provide compliance evidence to the Abu Dhabi
Systems and Information Centre (ADSIC)as required, which has the primary and definitive responsibility for
determining if compliance to these Standards has been achieved.
Entities and individual staff members found to be non-compliant with these Standards may have their access to
information systems and data revoked.
Information systems found to be non-compliant with these Standards may be restricted from processing
government data and from connecting to government networks.
Abu Dhabi Government Entities are responsible for ensuring that third party suppliers engaged on their behalf are
acquainted with – and contractually committed to – adhering to relevant elements of these Standards and the
Entity’s Data Management Programme.
These Standards are intended to provide a coherent perspective on multiple disciplines relevant to the
management of data by Abu Dhabi Government Entities. These Standards are not intended to replace or replicate
other government standards.
Where government-wide policies and standards exist in related areas, then these should be regarded as the
authoritative reference, and any contradictions should be resolved in favour of the government standards and
policies for their specific areas. Examples of potential government-wide standards include:
Where there are no government-wide standards in any associated areas, then Entities may reasonably assume
that these Data Management Standards serve as the primary reference until other such materials are approved
and published.
The Data Management Standards are aligned to, and support compliance with, the following standards:
Additionally, the Entity will be guided by two elements from these Standards that will help determine an
appropriate sequence of control implementation, these being:
Suggested Priority
Three priorities have been allocated, and are applicable within the context of the Government Data
Management Model:
Priority 1: The essential first steps that should be taken by any organisation to provide a base level of process
and governance controls.
Priority 2: Controls that represent an expansion of data management maturity across the Entity’s data
management programme.
Priority 3: Controls that provide additional support for building data management capability.
Each of these priority allocations exist in the context of each principle through the Government Data
Management Model. Thus, the Priority 1 controls within the “Ownership” principle should be addressed before
the Priority 1 controls within the “Described” principle, and so forth.
These priorities are meant only to guide the Entity – they are not intended to be prescriptive. Due to its own
unique circumstances, the Entity may determine that a different priority sequence is warranted.
The highest priority controls have the underlying themes of:
1. Setting clear management direction for what is expected of the Entity’s data management capabilities.
2. Deploying a foundation of planning, process and governance controls to provide an organisational maturity
with which to deliver improved data management practices.
3. Implementing improved data management practices across the data in the custody of the Entity, starting
with the data already in the scope of active or planned programmes of work.
Entities need to determine what organisational structure best suits achievement of its own Data Management
Programme Plan. Examples of where decisions are required include:
• Whether the mandate of the Data Governance Board should be addressed by a free-standing committee or
incorporated into a body that already exists
• Whether the role of Data Manager should be full or part time
• Whether the role Data Manager should also function as the Chair of the Data Governance Board
• Whether the level of risk, programme goals and level of activity provide justification for additional data
management-related resources
• What weighting should be applied to data management roles (ie technical vs managerial)
• What minimum level of experience, competence and qualifications post-holders require to successfully
achieve the goals of the Entity’s Data Management Programme
A one-size-fits-all approach is not practical, given the diversity of Abu Dhabi Government Entities in terms of their
remit, structure, risk profile and resources.
In the above context, data management domains described within these Standards should not be taken to
be equivalent to specific organisational roles or units. For example, obligations for reference or master data
management may be undertaken as a central capability or be split across applications, depending on the demands
and structure of the Entity.
Within the Standards, terms such as ‘significant’ and ‘appropriate’ have been used. These require a subjective
decision to be made on the part of the Entity, an example being:
“The Data Governance Board shall develop guidance appropriate to its departments and stakeholders.”
(From DM2.2)
For such control specifications, the Entity is obligated to determine for itself what constitutes ‘appropriate’ in
the context of its own business processes, risks, and deployed technologies. It is neither practical nor advisable
for these Standards to specify absolutes across all areas of an Entity’s delivery of data management. For areas
requiring subjective decision making, the Entity should be able to demonstrate, during assessment, that the
judgement applied was thoughtful and took advantage of all necessary and available information.
• Mandatory
• Recommended
The level of Control Specification application is expanded upon in the table below.
Entities should recognise that the Abu Dhabi Data Management Standards provide a common base of data
management definition that provides a platform to increase the value of data assets across government.
The Standards are not an end in themselves, and achieving the minimum necessary compliance with the Standards
should not be regarded as a primary goal. In the above context, Entities have the primary responsibility for ensuring
that they have the appropriate depth and range of data management controls deployed. In some circumstances, the
Entity may determine that the control definition required exceeds what is found in these Standards.
Common data management controls have the greatest potential to help the Entity balance expenditure on Data
Management versus effectiveness of the controls deployed.
However, for common controls to be effective, their range of potential uses needs to be carefully evaluated. A
control that is ideally suited for Service A may be less appropriately optimised for Service B when it is introduced
a year from now.
Examples of common controls that multiple information systems and services could potentially leverage include:
The application of common controls will depend on the risk context and the business need of the Entity. There will be
circumstances where a tailored data management control (ie one that is specific to an individual service or system) is
necessary, justified and preferable.
The Entity has the obligation to understand its own data management needs, opportunities and weaknesses, and to
tailor its control set appropriately. The Abu Dhabi Data Management Standards are intended as a starting point for
informed engagement within the Entity.
‘Tailored’ controls will be ones that are specific and unique to the target data asset. They will be utilised where no
common control is available, or where the available common control is not fit for a specific purpose. Tailored controls
do not necessarily indicate that the control has been heavily customised. Such a control might be a standard off-
the-shelf type from a vendor, but which has been acquired specifically in reference to a target information system.
Equally, a version or copy of an existing common control may be adapted or configured in a way that makes it unique
to a specific control requirement.
• An application system might come supplied with an embedded metadata feature that describes its data
structures
• An application system might come supplied with embedded data integration features and design patterns/
formats that differ from the common controls
• The stringency of review and approval processes might be varied depending on the nature of the data in scope
for the review
References 11 List of related references that are used and/or related to this control
Control Standards The Entity shall develop an organisational capability to support data governance
Control Standards The Entity shall develop their data management policy
The Entity shall develop and execute a plan for implementing its data management
Control Standards
programme.
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DG.3.1 The Entity shall agree and maintain specific, measurable and scheduled M
goals in support of its Data Management Programme. Goals shall reflect
the programme’s obligation to support:
• Business strategy and priorities
• The Entity’s management of its data related risks
• Compliance obligations to data management policy and these
Standards, and other relevant laws and regulations
• The promotion of an organisational culture within the Entity that is
aware of data management concerns and responsibilities
DG.3.2 The Plan shall be made available to ADSIC for review. M
DG.3.3 The Plan shall: M
• Provide a clear roadmap for data management initiatives, their
priorities and dependencies
• Demonstrate clear alignment with the Entity’s strategic plan and
objectives
• Be reviewed annually to ensure it remains effective and aligned with
evolving priorities
• Include key performance indicators for analysis to track progress on
a continual basis.
• Provide a clear indication of internal budget requirements for
delivering the planned initiatives
DG.3.4 The Entity shall ensure that robust version control of all Data M
Management Programme artefacts is detailed within the plan
DG.3.5 The Entity’s Data Management Programme shall be approved by the M
Entity executive with responsibility and accountability for the risk being
incurred to organisational operations
DG.3.6 In support of its Data Management Programme, the Entity shall develop M
supporting plans to build out specific capabilities in defined areas. These
subsidiary plans may include (but are not limited to):
• Data Governance (including the Governance Checkpoint Process)
• Organisational Awareness and Training (See DG.4)
• Disaster Recovery (See Data Storage controls)
• Document and Content Management
• Data Architecture Management
• Inter-Entity Data Integration
• Reference and Master Data Management
Subsidiary plans may be rendered as either freestanding documents or
as appendices to the Entity’s Data Management Programme Plan.
The Entity shall develop and maintain its change management processes for the
Control Standards Data Management Programme as a whole, and domain-level processes developed
within the Data Management Programme
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DG.4.1 The Entity’s Data Governance Board should approve all changes to the M
Data Management Programme (eg Plan or Policy).
DG.4.2 The Entity shall integrate its existing change management processes M
into each of the data management domains, or create a new change
management process if none already exists.
DG.4.3 The Entity should establish a baseline for its Data Management Programme M
Plan, with proposed changes to the plan being analysed for impact
DG.4.4 Changes to the Data Management Programme Plan should be M
coordinated with the organisation-wide Change Management capabilities
of the Entity to ensure on-going alignment between Data Management
and other organisation initiatives.
DG.4.5 Where compliance with these Standards requires a change to existing M
business process, the Entity shall perform an impact assessment to
identify relevant stakeholders and other impacted processes in order to
properly coordinate and communicate the change.
DG.4.6 As Business Processes are identified to be in compliance with these M
Standards, the Entity shall establish a baseline for each process to allow
the Data Governance Board to assess and ensure that future business
process change remains compliant with these Standards.
Control Version History
1.0
Control DG.1 Organisational Structure
Dependencies DG.3 Data Management Programme
Data Governance (Ladley, 2012)
References
DMBOK (Mosley and Brackett, 2010)
The Entity shall develop and execute organisation-wide awareness programmes for
Control Standards
the required data domains
Control Type Directive þ Preventive þ Detective ¨ Corrective ¨
Control Specification M/R
DG.5.1 The Entity shall establish, maintain – and review an ongoing awareness M
and training programme for – data management, including but not
limited to:
• Training required for specific individuals or roles
• The legal and regulatory framework within which the Entity’s data is
managed
• Information systems and processes that impact data management
DG.5.2 Training records shall be retained, and refresher training carried out at M
regular intervals (annually should be considered as the minimum interval
or else as determined by the requirements of the training content for a
specific domain or other topic).
New training shall be provided when there new requirements (eg new
policy, standards or projects).
DG.5.3 For those responsible for creating, manipulating, interpreting, managing M
or disposing of data, training shall include (but not be limited to):
• The scope and purpose of the Entity's Data Management
Programme and policy
• The role and benefit of these Standards
• Key roles, responsibilities and processes supporting the Data
Management Programme, with contact information provided for
relevant post-holders
• The Data Catalogue and importance of capturing accurate Metadata
• Data Security responsibilities to ensure the confidentialiy, integrity
and availablilty of data
• Data Quality impact to ensure that data is captured and maintained
correctly
• The Entity-wide requirement for common data architecture and
known data quality
• The identification of data for release under the Open Data policy
• The requirements on the Entity to facilitate data sharing with other
Entities
• Their individual responsibilities under the Data Management
Programme
DG.5.4 All personnel with defined responsibilities within the Data Management M
Programme shall be provided with training tailored to their role type,
with appropriately tailored content, length and frequency as required by
specific roles.
DG.5.5 The Entity shall determine in advance the learning outcomes and desired M
capabilities in order to provide focussed and structured training. The
Data Governance Board should verify that training is being delivered in
a manner consistent with the requirements of the Data Management
Programme.
The Entity shall perform an audit of its capabilities and/or current state for each
Control Standards
data domain
Control Type Directive þ Preventive ¨ Detective þ Corrective ¨
Control Specification M/R
DG.6.1 The Entity shall develop a Data Management Audit Framework to ensure M
compliance with the Data Management Policy and Standards.
The Audit Framework shall address
• The Scope of the Entity’s Data Management Programme
• Roles and Responsibilities within the Data Management Programme
• Management commitment and coordination across the various
departmental levels within the Entity
Data Management Audit activities should be supportive of the Entity’s
existing Internal Audit Framework and the Information Security
Framework. Alignment should be achieved with the Entity’s Internal Audit
Plan.
DG.6.2 The Data Governance Board shall facilitate development and M
implementation of Data Management audits.
Implementation of Data Management audits should be approved by an
overseeing function independent of the Entity's Data Governance Board.
The Entity shall develop, report against and analyse key performance indicators
Control Standards
relating to its Data Management Programme
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DG.7.1 Data management performance reporting shall be against specific, M
measurable, achievable, realistic and timetabled goals articulated by the
Entity's Data Governance Board and the Abu Dhabi Data Management
Programme.
Goals should encompass the Entity's business needs as well as legal and
regulatory obligations.
DG.7.2 The Entity shall develop outcome-based performance metrics to measure M
the effectiveness and efficiency of its Data Management Programme and
implementation of these Standards in support of the programme.
The Data Governance Board shall serve as the authorising and
overseeing body for Data Management performance metrics. The board
shall:
• Oversee the setting of performance metrics aligned to the Entity's
Data Management Programme plan and its compliance obligations
to these Standards
• Receive and analyse performance data from the Data Manager
(supplied by Data Owners and others responsible for compliance)
with each domain within the Data Management Programme
• Report performance of the Data Management Programme to ADSIC
and other relevant stakeholders at a frequency and in a format
specified by those stakeholders
DG.7.3 The Entity's Data Management performance metrics shall be aligned M
to the performance indicators of the Abu Dhabi Government Data
Management Programme, and should support the Entity in reporting
timely and accurate Data Management status to ADSIC and other
relevant stakeholders.
DG.7.4 Data Management performance data shall be verified by a competent M
and independent party that is not directly connected with the work that
is the subject of measurement.
DG.7.5 Data Management performance reporting shall consider multiple M
dimensions of data management performance. These should include (but
are not limited to):
• Compliant technology business processes
• Compliant line of business processes
• Level of maintenance of data architecture artefacts
• Production and completeness of Entity-level data models and
architectures
• Level of maintenance of system-level data models and architectures
• Documented master profiles across the Entity's line of business
systems
• Data quality milestones
• Active master and reference data management achievements
• Information and document lifecycles
Control Standards The Entity shall conform with existing metadata standards
The Entity shall develop and execute a metadata management initiative, ensuring
Control Standards
processes exist to make metadata defined, captured and accessible
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
MD.2.1 The Entity shall develop and execute a metadata initiative. M
Metadata management describes the processes and practices of the
Entity in order to effectively gather, store and use metadata.
Activities within a metadata management initiative include, but are not
limited to:
• Assessment of existing metadata sources and repositories
• Stakeholder interviews to develop initial knowledge about the range
of data held
• Gathering requirements for business and technical metadata
• Development of metadata architecture
• Establishment of data stewardship functions to gather and maintain,
and to promote metadata usage
• Production of a metadata management rollout plan
MD.2.2 The Entity shall utilise Abu Dhabi government and international standards M
when developing their metadata (eg eGIF, SCAD, Geospatial, ADMS)
to accommodate the needs of its particular operational context. In
alignment with the Abu Dhabi Government eGIF Metadata Standard, the
specialised standards will contain the metadata Elements, Refinements
and Encoding Schemes to represent the values necessary to be captured
in the Entity's particular context.
The development of Metadata Elements, Refinements and Encoding
Schemes shall take account of metadata defined and captured in other
data management domains (eg Data Security, Data Quality etc).
MD.2.3 The Entity shall manage metadata using both automated and manual M
techniques.
Automated scanning of information systems using data discovery tools,
metadata capture tools and other proprietary methods, shall be used to
maintain the accuracy of metadata according to a schedule defined by
the metadata management programme.
Data Stewards shall manage all metadata that has been captured
via automated processes, and shall be responsible for maintaining
additional business and technical metadata (where this is not captured
automatically). Data Stewards are responsible for the quality of the
metadata (Ref: MD.4.4).
MD.2.4 The Data Governance Board shall be responsible for arbitrating any M
conflicts relating to the definition and quality of metadata that cannot be
resolved by Data Stewards. For example, such situations may emerge
where metadata names, definitions, or values cross-departmental
boundaries.
MD.2.5 The Entity shall ensure that all metadata is accessible via the Data M
Catalogue (see Data Catalogue Standards), which shall be used as the
user access point end for the repository of metadata, data dictionary,
business glossary, and associated modelling and architectural
deliverables.
The Entity shall develop its metadata architecture to support the requirements of its
Control Standards
metadata management programme
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
MD.3.1 The Entity shall document the metadata architecture according to the M
requirements of the Data Architecture standards (see DA Standards).
Metadata architecture shall be a component of the Enterprise Data
Architecture.
MD.3.2 The Entity shall evaluate the most appropriate metadata architecture that M
meets the business requirements while maintaining alignment with any
emerging central standards. Justification for the architectural approach
shall be submitted to the Data Governance Board for approval.
Possible architectural approaches for metadata systems include:
• Centralised: A central metadata repository, storing all data required
by the data catalogue, data modelling, data dictionary and business
glossary
• De-centralised: Separate physical metadata components delivered
through a single access point. Automatically scanned metadata remains
in the source systems and repositories, with access made available
• Hybrid: Separate physical components delivered through a single
access point; however, automatically scanned metadata is pulled in
from source systems and managed, maintained and refreshed centrally
Control Version History
1.0
Control DG.3 Data Management Programme
Dependencies MD.2 Metadata Management Programme
Building Semantic Interoperability in Europe (European Commission, 2012)
References Digialiser.dk semantic asset repository - Case Study (European Commission, 2012a)
XRepository semantic asset repository - Case Study (European Commission, 2012b)
The Entity shall develop a Data Catalogue that fulfils the Abu Dhabi Government
Control Standards
Data Catalogue core requirements
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DC.1.1 The Entity shall align its Data Catalogue with mandatory standards to M
facilitate Data Catalogue interoperability.
The following standards are mandatory:
• Abu Dhabi Government eGIF Schema Generation
• DCAT – Data Catalogue Vocabulary to describe data sets
• XSD – XML Schema Definition, used to describe dataset structure
DC.1.2 The Entity should align its Data Catalogue with the recommended R
standards, as follows:
• ADMS – Asset Description Metadata Schema, used to describe
assets, schemas, data models and reference data
• RDF – Resource Description Framework, used to describe the
semantic relationships between data assets
Where a Data Catalogue does not align with a given standard (eg
due to lack of vendor support), the Entity shall document and submit
justification for non-alignment to the Data Governance Board
DC.1.3 The Entity shall develop a Data Catalogue capability that includes the M
following features:
• Metadata repository – to store or otherwise provide access to
the Entity's metadata (see MD3.2 for description of acceptable
metadata repository architectures)
• Publishing portal – to provide controlled access to metadata,
definitions, data models, and reference datasets
• Workflow management tool – to facilitate the management of Data
Catalogue entries across their lifecycle
• Business glossary – allowing business-level profiles, attributes,
definitions and rules to be stored and accessed
• Data dictionary – allowing technical-level profiles, attributes,
definitions and rules to be stored and accessed
• Data model repository – to store application specific and enterprise
data model assets
• Version control – versioning of metadata definitions, captured
metadata, reference data, and other stored assets
DC.1.4 The Entity shall align their data catalogue requirements with government- M
wide data catalogue requirements as they emerge.
Control Version History
1.0
DG.6 Capability Audit
Control MD.1 Standards Conformance
Dependencies MD.2 Metadata Management Programme
MD.3 Metadata Architecture
The Entity shall implement and manage a Data Catalogue according to cataloguing
Control Standards
principles
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DC.2.1 The Entity shall develop its Data Catalogue in alignment with each of the
following principles:
• Usability – make pragmatic design decisions about the Data
Catalogue with the end user in mind
• Common usage – use a standard vocabulary that meets the
understanding of the end user
• Representation – names and descriptions should be based upon
real-world concepts where possible
• Accuracy – the captured data should accurately describe its real-
world representation
• Sufficiency and necessity – elements should only be included that
are required to fulfil user tasks or to uniquely identify an entry
• Economy – the least cost or simplest approach should be taken
• Consistency – entries in the Data Catalogue should be of a
consistent depth and breadth
• Integration – names and descriptions describing the data captured
should be integrated and consistent across the Entity's business
functions
Alignment shall be shown through the Governance Checkpoint Process.
Where principles conflict, the Entity shall develop a pragmatic solution,
and submit a justification for approval by the Data Governance Board.
DC.2.2 The Data Catalogue shall act as a single point of access for all users
(both internal and external) of the description of the Entity's data assets.
Though specific data assets (such as datasets, metadata, data models,
etc) will continue to reside in a multitude of separate systems, the Data
Catalogue should provide a central resource that allows users to find and
determine information about any asset.
Control Version History
1.0
Control DG.3 Data Management Programme
Dependencies DC.1 Data Catalogue Requirements
The Entity shall develop and execute a plan to populate the Data Catalogue across
Control Standards
the Entity's business and technical functions
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DC.3.1 The Entity shall identify datasets for inclusion in the Data Catalogue. M
Such datasets shall include, but are not limited to:
• Transactional data within application systems
• Reference datasets
• Datasets containing master data profiles
• Statistical data
• Geospatial data
Consideration shall be given to the size of the potential numbers of
users of that data, the likelihood of re-use, and the breadth, depth and
complexity of the data.
DC.3.2 The Entity shall employ suitable methods to discover datasets that M
should be populated within the Data Catalogue. Such discovery is likely
to involve both human interactions, and assistance by technical tooling
designed for the purpose.
Specialised technical components can be used to scan a network for
data sources and datasets within an organisation.
Human interactions might include holding interviews and developing
awareness programmes targeted at the individuals that produce,
manage, or disseminate data that could be worthy of inclusion in the
Catalogue.
DC.3.3 The Entity shall identify priorities for including data in the Data M
Catalogue. In particular, this should take account of previous demand
for data from both internal and external users. Particular consideration
shall be given to the sequence in which metadata is captured; typically
business-level metadata should be captured first, followed by technical,
and then semantic metadata.
The Data Manager shall produce a roadmap for populating the Data
Catalogue, which shall be submitted to the Data Governance Board for
approval.
DC.3.4 The Entity shall produce and store data models for the data captured in M
the Data Catalogue (see Data Modelling standards).
Data models for data within the Data Catalogue shall captured at the
following levels:
• Business – describes data in business terms, to aid understanding
of business requirements
• Technical – describes data in technical and physical
implementation-specific terms, to assist technical development
activities and operational management of data
DC.3.5 The Entity should develop semantic data models for the data captured. R
Semantic models describe the relationships within data using a defined
vocabulary that is machine-readable.
The Entity shall develop internal guidance and monitoring for usage of data
Control Standards
published through the Data Catalogue
Control Type Directive ¨ Preventive þ Detective ¨ Corrective ¨
Control Specification M/R
DC.4.1 The Entity shall develop and publish a licensing model for data sharing, M
which shall be made available through the data catalogue.
DC.4.2 The Entity shall plan and execute an awareness programme to publicise R
the information available within the Data Catalogue to its business and
technical stakeholders. The awareness programme shall highlight the
benefits to project teams of re-using data, and describe the datasets
available for re-use.
DC.4.3 The Entity shall ensure that the System Development Lifecycle (SDLC) M
of information systems includes consideration for re-use of the datasets
captured within the Data Catalogue. Consideration for data re-use shall
be monitored through the Governance Checkpoint Process for approval
by the Data Governance Board.
DC.4.4 The Entity shall encourage submissions for innovative use of data from M
across business and technical functions, which shall be evaluated for
merit by the Data Governance Board. The Data Governance Board,
through the Data Manager, shall socialise data innovation resulting from
Data Catalogue usage.
DC.4.5 The Entity shall allow consumers of datasets to register their data usage M
in the Data Catalogue. Registered consumers of data published through
the Data Catalogue shall be informed of changes within the dataset, such
as significant data refreshes, data model changes, and data purges.
A consumer is defined as an individual, an application system
representative, or business function representative.
DC.4.6 The Entity shall classify registered consumers of datasets published M
through the Data Catalogue with a status of Formal or Informal.
Formal registered consumers shall be identified by the provision of
service level (or other agreements) between the data producer and
consumer.
Informal consumers receive no such agreement outside of the bounds of
the published licence and policy.
The Entity shall develop and execute a plan for introducing and standardising data
Control Standards
modelling tools and techniques
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DM.1.1 The Entity shall ensure that data models for information systems within M
the software development lifecycle are reviewed by the Data Governance
Board as part of its Governance Checkpoint Process.
Data models shall form a core deliverable of any system built, purchased,
or commissioned by an Entity as part of developing its data architectures
in support of business and technology requirements.
DM.1.2 The Entity shall implement data modelling tools with the following M
minimum capabilities:
• The creation of UML2.x-compliant models
• Support for UML model interchange using the XMI Interchange Format
• Modelling and reverse engineering structured datasets
• Modelling unstructured datasets (see DM.10)
• Use of the Common Warehouse Metamodel (CWM) for modelling
data warehouse systems
• Associating metadata to models to facilitate and promote re-use
• Model versioning and traceability
The Entity shall generate modelling artefacts using diagrams, notations and
Control Standards
documents appropriate to the audience
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DM.2.1 The Entity shall develop Data Models at the Conceptual (See DM.5), M
Logical (See DM.8) and Physical level (See DM.9), with references
between them, allowing physical information systems to be mapped to
logical models and at a higher conceptual level.
DM.2.2 The Entity shall use UML diagrams as the primary modelling notation M
throughout the software development lifecycle.
Exceptions to the UML modelling standard shall be documented and
submitted for authorisation by the Data Governance Board.
Data modelling primarily uses structural diagrams, such as Class
Diagrams, Entity Relationship Diagrams, Component Diagrams and
Deployment Diagrams.
DM.2.3 The Entity shall use models best suited to communication with business M
stakeholders. UML diagrams and notation are often too technical for
such purposes, and more common tools such as text-based documents,
presentation slides and spreadsheets can often be more appropriate
media for communicating data model concepts.
The Data Governance Board shall inform the development of guidance to
ensure appropriate and effective communication to its departments and
stakeholders.
DM.2.4 The Entity shall use Entity-Relationship diagrams and Class Diagrams M
to document the structure and relationships of data objects at a
conceptual, logical and physical level.
DM.2.5 The Entity shall use Data Flow Diagrams to model the movement of data M
within and between systems, focusing in particular on data that forms
part of the Entity's master profiles.
The following shall be identified and captured for all types of data flows:
• The point where data is captured
• Actions that transform and/or aggregate data
• Points where data is exported (automatic or manual)
• Service end points that emit master and common profiles
DM.2.6 Very large models (models with more than 200 tables or other M
descriptive artefacts) are inherently difficult to read. Large data models
should be subdivided into smaller subject area-based models, and
aggregated in a higher level model to maintain clarity.
Data models should fulfil the purpose of aiding understanding.
DM.2.7 Data models shall clearly indicate and differentiate aspects that are M
current, and those that are not yet implemented.
The Entity shall develop a business glossary and a technical data dictionary to
Control Standards
provide understanding of terms across the organisation
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DM.3.1 The Entity shall capture and define business terms for data object, M
attributes, relationships and values that have contextual business
meaning.
For example, a data object – such as a 'Citizen' – should have a single
definition across the Entity. Although not all the attributes may be used
by all parts of the Entity, where attributes of a 'Citizen' object are used,
they should preserve consistency of meaning.
A relationship between two data objects – such as the 'access'
relationship between 'Citizen' and 'Service' objects – shall be defined
and consistently used across the Entity.
Examples of 'contextual values' might include (though not be limited to)
a set of values used to indicate state (eg 'Active', 'Inactive' or 'Pending',
'Approved' and 'Rejected'). These values represent reference data,
and shall be defined to ensure consistent use in the context of a data
attribute within a given data object.
Business definitions shall be stored within the business glossary portion
of the Entity's Data Catalogue.
DM.3.2 The Entity shall produce technical definitions for each term within the M
business glossary for all information systems under its ownership. These
definitions shall be developed to aid data integration and development
projects that cover multiple systems. Technical definitions shall take
input from logical and physical models (such as attribute types), but may
also include technical validations in the form of state diagrams, flow
charts, regular expressions, and other documentation as required.
Technical definitions shall be populated within the data dictionary of the
Entity's Data Catalogue.
Control Version History
1.0
DG.3 Data Management Programme
Control DC.3 Data Catalogue Population
Dependencies DC.4 Data Catalogue Usage
DM.1 Implement Tools and Methods
The Entity shall ensure data models contain sufficient metadata to allow traceability
Control Standards
and re-use
Control Type Directive ¨ Preventive þ Detective ¨ Corrective ¨
Control Specification M/R
DM.4.1 The Entity shall maintain the following minimum data model metadata: M
• Model Identifier - in the form
[Entity Initials]-[Reference Number]-[VERSION]
For example: ADSIC-123-V1.0 would be Version 1.0 of model
123 for ADSIC.
• Responsibility Assignment – Responsible, Accountable, Consulted,
Informed
• Published Status – Draft, Published
• Change History – including dates, authors and descriptions
DM.4.2 The Entity shall maintain metadata to capture the following information R
about a data model:
• Traceability links – where a number of data models are produced
to show different views of the same subject area (for example, a
logical and physical model), annotations should be used to indicate
that other views exist. Links should be made by reference to the
Model Identifiers.
• Department or other lower level identifier – the Reference Number
element of the model identifier does not need to be sequential. This
allows the Entity to pre-assign numbers to different subject areas
eg the model reference number '3nnnn' could identify financial data
models, and '4nnnn' could identify HR data models, etc
DM.4.3 The Entity shall maintain other such metadata for its data models that is M
appropriate to its requirements. The metadata set shall be evaluated by
the Data Governance Board, and issued – along with a guide to usage –
to staff responsible for maintaining or using data models.
DM.4.4 Data models shall be stored in a suitable version controlled repository. R
A number of options are available, listed in order of recommendation:
• Version control repository built into data model tooling
• External version control repository or document management
system that supports versioning
• Version control through file system structure (this should only be
used as an interim solution)
Control Version History
1.0
Control DG.3 Data Management Programme
Dependencies DM.2 Modelling Artefacts
The Entity shall maintain an Enterprise Data Model (EDM) comprising Conceptual,
Control Standards
Logical and Physical Data Models across the Entity’s master data and systems
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DM.5.1 The Entity shall develop an enterprise-wide data model, taking an M
organisation-wide view of all data that is central to the Entity's core
business functions.
The enterprise data model represents a key aspect of the baseline and
target enterprise data architectures (See Data Architecture).
DM.5.2 The Data Governance Board shall maintain oversight and approval of M
enterprise data models through the Governance Checkpoint Process.
The Data Governance Board shall socialise the enterprise data model
through working groups to facilitate sharing with other Entities.
DM.5.3 When developing new data models for system implementations, the M
Entity shall ensure alignment with the Entity's Enterprise Data Model.
Conceptual, logical and physical data models shall show alignment to the
Entity's master profiles and the common profiles in the government Data
Catalogue.
DM.5.4 The Entity shall align their Enterprise Data Model with government-wide
data models as they emerge.
Control Version History
1.0
DG.3 Data Management Programme
DM.1 Implement Tools and Methods
Control DM.2 Modelling Artefacts
Dependencies DM.3 Business Glossary and Data Dictionary
DM.4 Data Model Metadata
DM.6 Conceptual Data Models
The Entity shall develop and maintain Conceptual Data Models (CDM) to describe
Control Standards
high-level data within and across systems
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DM.6.1 The Entity shall develop conceptual data models to support the M
architecture, development and operational processes for its data.
Conceptual data models shall be required as part of the system
development lifecycle, and provided to the Data Governance Board
through the Governance Checkpoint Process.
DM.6.2 Techniques to develop conceptual data models shall include, but are not M
limited to:
• Interviewing stakeholders, or otherwise undertaking business
functional analysis and requirements gathering to understand all
relevant business concepts and requirements
• Identifying candidate data profiles (typically the 'nouns') related
to business processes, and capturing associations between these
profiles
• Combining candidate data profiles – as appropriate – into master
data profiles, transactional data profiles and reference data profiles,
and modelling the high level relationships between the data profiles
DM.6.3 Conceptual data modelling shall be performed at a system level (or group M
of information systems with similar concerns), or as part of Enterprise
Data Modelling. Care must be taken to identify the view of the data being
modelled (system or enterprise).
For example, a customer has an order delivered by a courier. 'Customer'
is a master profile, while 'Order' represents transactional data.
Categorisation of the 'Courier' profile is more ambiguous, and varies
depending on how the data needs to be viewed. In an Enterprise Data
Model, 'Courier' could be considered reference data, as it is not core
to the business functions. However, within a system data model for a
Supplier Management System, a 'Courier' is likely to be a master profile
(as an extension of 'Supplier').
DM.6.4 Conceptual data models shall be used to provide documentation to M
support development of logical data models, change requests, impact
assessments, and/or gap analyses between baseline and target state
requirements.
Control Version History
1.0
DG.3 Data Management Programme
DM.1 Implement Tools and Methods
Control
DM.2 Modelling Artefacts
Dependencies
DM.3 Business Glossary and Data Dictionary
DM.4 Data Model Metadata
The Entity shall define, create, and maintain data models for master profiles
Control Standards
applicable to their line of business
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DM.7.1 The Entity shall identify and model all master profiles, and the M
relationships that exist between them.
Master profiles comprise the data model, relationships, validations and
descriptions of the data that is core to the Entity's line of business.
For example, an Entity that provides a service to citizens is likely to
include both 'Citizen' and 'Service' as master profiles. A master profile
may have a complex structure eg a 'Citizen' profile may include family
relationships, multiple contact details, and the history of name changes.
DM.7.2 Master profiles shall be documented as part of the Entity's activities M
to populate the Data Catalogue (see Data Catalogue Standards), both
at a conceptual and logical level. Master profiles shall form part of the
Entity's enterprise data model.
DM.7.3 Each system that physically contains master profile data shall have its M
data modelled at conceptual, logical and physical levels.
DM.7.4 Entity master profiles shall be made available to ADSIC, upon request, to M
facilitate the development of government-wide common profiles.
The Entity shall align their local profiles with government-wide common
profiles as they emerge, as appropriate.
Control Version History
1.0
DG.3 Data Management Programme
Control DM.3 Business Glossary and Data Dictionary
Dependencies DM.5 Enterprise Data Model
DM.6 Conceptual Data Models
The Entity shall develop and maintain Logical Data Models (LDM) for its information
Control Standards
systems
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DM.8.1 The Entity shall develop logical data models that describe the data M
attributes and the relationships rules between the profiles described in
the conceptual data model.
DM.8.2 The logical modelling of relationships between profiles shall describe M
referential integrity and normalisation concerns, unless the design
relates to multi-dimensional information systems, such as data
warehouses. Where data is de-normalised for performance or other
reasons, the Entity shall ensure that this is documented, justified and
approved by the Data Governance Board via the Governance Checkpoint
Process.
DM.8.3 Logical data models shall be independent of technical implementation M
details.
Although tables may be used to represent profiles in a logical model, the
physical design might translate into something other than a relational
database. Emerging technologies, such as 'No SQL' key/value stores,
columnar databases and graph databases may be more appropriate
physical data repositories (though careful evaluation, consideration and
justification should be given when choosing these technologies over
more traditional patterns).
For example, a text string representing a Name attribute should not
identify a physical data type of String[50]. Instead, this attribute should
be defined by a logical data type, such as NameString. Business rules
should be associated with NameString, constraining the type to a string,
and the maximum length to 50 characters.
DM.8.4 Logical data models shall be used to provide documentation to support M
development of the physical data model, change requests, impact
assessments, and/or gap analyses between baseline and target state
requirements. The Entity's software development lifecycle shall reflect
the requirement to develop and maintain logical data models.
Logical data models shall be provided to the Data Governance Board as
part of its Governance Checkpoint Process.
Control Version History
1.0
DG.3 Data Management Programme
DM.1 Implement Tools and Methods
Control
DM.2 Modelling Artefacts
Dependencies
DM.3 Business Glossary and Data Dictionary
DM.4 Data Model Metadata
The Entity shall develop and maintain Physical Data Models (PDM) for its information
Control Standards
systems
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DM.9.1 The Entity shall develop physical data models for system designs and M
architectures that are based on the appropriate logical data models.
A physical data model provides the detailed technical implementation
specifications that represent the application and/or data repository
perspectives of the data.
DM.9.2 A physical data model shall be used to support technical implementation M
and system operational functions. For example, a SQL query should be
written with reference to the physical data model.
Physical data models shall be provided to the Data Governance Board as
part of its Governance Checkpoint Process.
DM.9.3 The Entity shall provide a mapping between the logical data model and R
the resulting physical design to describe the implementation decisions
involved.
In the case of relational database systems, the physical data model
might explicitly specify configuration details that exploit the capabilities
of the particular relational database management system toolset
employed (eg to derive performance optimisations, enforce security
requirements, or to take advantage of embedded convenience functions,
etc).
For other types of data store (eg 'No SQL' or graph), the physical data
model is likely to be significantly different from the logical model in terms
of structure.
It is important to highlight any dependencies that emerge as a result of
using the embedded features of a toolset.
DM.9.4 The Entity should reverse engineer data models from existing supported R
information systems in order to support baselining data architecture.
Physical data models should be linked back to their logical counterparts.
Reverse-engineered data models are – by their nature – physical models,
and can provide value in contexts such as system support, system
development and technical data manipulation tasks undertaken by Data
Stewards. Such models are not a substitute for conceptual and logical
data models; if reverse engineering is used to assist data analysis and
modelling, the resulting information must be considered for inclusion
within the appropriate conceptual and logical data models.
Control Version History
1.0
DG.3 Data Management Programme
DM.1 Implement Tools and Methods
Control
DM.2 Modelling Artefacts
Dependencies
DM.3 Business Glossary and Data Dictionary
DM.4 Data Model Metadata
The Entity shall prefer structured data over unstructured data and align with the
Control Standards
Unstructured Information Management Architecture (UIMA) standards
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DM.10.1 The Entity shall model unstructured data that is linked to structured data M
through the business terms and logical concepts that are represented by
the unstructured data.
For example, modelling the concepts expressed in a document that is
linked to a Citizen record, such as a medical report or education report.
DM.10.2 Semi-structured data (eg. data without a pre-defined schema) or M
unstructured data (eg. free text, images, audio, video), shall be modelled
to document the:
• Entities mandatory requirements of the data captured
• Metadata that describes the concepts contained within the
unstructured data
• Associated structured identifying data that may be captured along
with unstructured data
For example, the mandatory requirements of ID photos of citizens could
be that they should contain an image of the full, unobscured face, and
metadata, such as the dimensions and resolution of the image. Associated
structured identifying data may include the Emirates ID and date of the
image. These shall be modelled at a conceptual and logical level.
DM.10.3 The Entity shall choose conversion of semi-structured and unstructured M
data into a structured form through transformation or analytical
conversion techniques in order to formally document and model
unstructured and semi-structured data.
DM.10.4 When attempting to convert unstructured data into a structured form of M
data, the Entity shall align its processes with the Unstructured Information
Management Architecture (UIMA) in order to perform analysis on
unstructured artefacts, develop and model artefact metadata.
DM.10.5 Unstructured content lifecycle shall be governed through appropriate M
workflows (see DCM.2).
DM.10.6 The Entity shall produce Data Flow Diagrams and Entity Relationship M
Diagrams for unstructured data.
Data Flow Diagrams shall show the flow of unstructured information (and
associated metadata and identifying data) between systems.
Entity Relationship Diagrams shall show the relationship between the
unstructured information concepts and structured identifying data, and
the relationships between different unstructured information concepts.
Control Version History
1.0
DG.3 Data Management Programme
DM.1 Implement Tools and Methods
Control
DM.2 Modelling Artefacts
Dependencies
DM.3 Business Glossary and Data Dictionary
DM.4 Data Model Metadata
The Entity shall use the defined architecture framework and methodologies in
Control Standards order to produce the required data architecture deliverables within the Governance
Checkpoint Process
Control Type Directive þ Preventive þ Detective ¨ Corrective ¨
Control Specification M/R
DA.1.1 The Entity shall develop data architecture within an Enterprise M
Architecture Framework, specifically The Open Group Architecture
Framework (TOGAF). The phases within TOGAF shall be followed, with
the Data Governance Board performing architecture reviews at the
appropriate governance checkpoints. Enterprise Architecture shall align
with business modelling processes and frameworks within the Entity.
The Data Governance Board shall determine the required architecture
deliverables specific to each governance checkpoint.
The Entity shall develop data architectures at the system and enterprise
level. Enterprise data architecture covers the business functions and
concepts across the Entity as a whole. System level architectures relate
to technology systems, and are specific to a single application group of
applications within a business function.
The high-level data architecture development process is as follows:
• System baseline data architectures, describing the architecture of
information systems containing data
• Enterprise baseline data architecture, taking input from the key
system baseline architectures
• Enterprise target data architecture, demonstrating the desired
architectural state across the Entity at some point in the future
• Target data architecture roadmap, designed to fill the gaps between
the baseline and target enterprise architectures
• System target data architecture, as influenced by the roadmap in
order to fill the gaps
System architectures are likely to be evolving during this process,
and the Entity should plan to maintain architectures as part of the
software development lifecycle, and validated as part of the Governance
Checkpoint Process.
The Entity shall develop and maintain a baseline data architecture, both for
Control Standards
information systems and components, and at an overarching enterprise level
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DA.2.1 The Entity shall develop baseline data architectures for information M
systems and components under their control, and a baseline enterprise
data architecture across all key systems.
The Data Manager – acting on behalf of the Data Governance Board –
shall develop and execute a plan to ensure full coverage of information
systems that shall include:
• Initial baseline data architecture production of all information
systems controlled and maintained by the Entity
• Baseline Enterprise Data Architecture, covering the high-level
architectural view across information systems that support the
key business functions of the Entity, including information systems
not directly under the Entity's control (such as those hosted and
managed by third parties, partners, other Entities or centrally run
within the Abu Dhabi Government). Key information systems are
those systems that include touch points with the Entity's master
profiles (as defined by DM.2)
• Baseline data architecture maintenance at the appropriate data
governance checkpoints, for system-level data architectures and
enterprise data architectures
DA.2.2 Development of baseline data architecture deliverables shall include M
consideration of the following elements:
• The business and technical requirements that the data architecture
supports, and those that are not currently supported by the data
architecture
• Identification of technical data architecture themes (for example,
service-based/batch processing/data silos/data integration)
• Constraints, where known, that have been placed upon the baseline
data architecture; these may include factors such as licencing, legal,
technical, training constraints, or others
DA.2.3 System-level baseline data architecture shall be presented as part of any M
system construction, change, upgrade, replacement or retirement.
The baseline data architecture, detailing the current state of the
information systems in place, shall be used to enable the discussion and
validation of any target data architecture or roadmap presented, and
ensure that the target architecture fulfils the requirements gap between
the baseline and target architectures.
These shall be reviewed at the appropriate points in the system
development lifecycle by the Data Governance Board, as part of the
Governance Checkpoint Process.
The Entity shall develop and maintain a target data architecture both for information
Control Standards
systems and components, and at an overarching enterprise level
Control Type Directive þ Preventive þ Detective ¨ Corrective ¨
Control Specification M/R
DA.3.1 The Entity shall produce a target enterprise data architecture. The M
completion of a baseline data architecture is not a prerequisite for
development of a target enterprise data architecture, but may be
informed by it.
The Data Governance Board should give consideration and justification
to the appropriate time to produce the target enterprise data
architecture.
The target enterprise data architecture is expected to be a continuously
evolving set of deliverables, reacting to external factors such as
technology changes, business requirements and external factors.
The Data Governance Board shall ensure that the target enterprise data
architecture is maintained as information systems and components are
implemented, revised or decommissioned.
DA.3.2 The Entity shall produce target data architectures for information M
systems as they go through natural change cycles. A system's target
data architecture shall be required for the appropriate phase in the
Governance Checkpoint Process.
The Entity shall perform an architectural gap analysis, and develop, maintain and
Control Standards
follow an architecture roadmap
Control Type Directive ¨ Preventive þ Detective ¨ Corrective ¨
Control Specification M/R
DA.4.1 The Entity shall identify the gaps between the baseline enterprise data M
architecture and the target enterprise data architecture.
This gap analysis shall include detail of the:
• Business data requirements that are not currently being met
• Technical data components missing between the baseline and
target
• Capability gaps (in terms of roles, skills, tools and training)
Control Standards The Entity shall develop a plan for the rollout of a data quality initiative
The Entity shall perform a data quality audit of data, information systems and
Control Standards
services under their control
Control Type Directive ¨ Preventive ¨ Detective þ Corrective ¨
Control Specification M/R
DQ.2.1 The Entity shall ensure that its master profiles (as identified in Data M
Modelling standards) are audited for data quality at three-monthly
intervals across all data sources where they are contained.
Where data quality does not align across data sources, the Entity shall
identify discrepancies in master profile data quality in the different data
sources, and determine the root cause for the discrepancy.
Where data quality does not align with the stated data quality definitions
for master profiles, the Entity shall identify discrepancies between
master profile data quality and the stated data quality definitions for the
master profiles, and determine the root cause for the discrepancy.
Once the root cause of the discrepancy is known and understood, the Data
Governance Board shall determine if corrective action needs to be taken.
DQ.2.2 The Entity shall define appropriate time intervals to audit data types that M
are not part of the common profiles (as defined in DM2).
Once the root cause of the discrepancy is known and understood, the Data
Governance Board shall determine if corrective action needs to be taken.
DQ.2.3 The Entity shall perform spot checks on data quality of third party data to M
ensure that the data meets service level agreements from the data supplier.
Where there are no service level agreements from the data supplier, the
Entity shall develop its data quality requirements for the third party data
in order to monitor data being supplied. The Entity should share these
data quality requirements with the data supplier.
A data supplier could be another government Entity, business partner,
customer, service provider or other stakeholder.
DQ.2.4 The Entity shall use data profiling tools systematically to audit the data. Data M
profiling tools shall have the following analysis capabilities as a minimum:
• Structured data column analysis – analysing columns for data
patterns, value ranges, redundancy and duplication
• Data structure independent integrity analysis – determining
relationships between tables and datasets based upon data alone
• Pattern definition and identification – for example, standard
telephone patterns
• Reporting generation – to highlight key areas for concern
• Comparison of data audits over time to detect significant changes
in quality
DQ.2.5 The Entity shall store the data quality measures gathered during the data M
quality audit as metadata in the Data Catalogue.
Control Version History
1.0
Control DG.3 Data Management Programme
Dependencies DQ.1 Data Quality Plan
DMBOK (Mosley and Brackett, 2010)
References
ISO/TS 8000 Data Quality (ISO, 2009-2011)
Control Standards The Entity shall perform monitoring and cleansing of data as required by the plan
The Entity shall apply and show compliance with the approved Information Security
Control Standards
Standards in the Abu Dhabi Governemnt to data managed by and for the Entity
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DSP.1.1 The Entity shall apply the latest version of the approved Information M
Security Standards in the Abu Dhabi Governemnt. These Standards shall
take precedence over these Data Management Standards in the event of
conflict. The Data Governance Board shall record conflict issues and the
outcome of any decisions taken to resolve such conflicts.
DSP.1.2 The Entities data architecture, and the information systems and M
components that form that architecture, shall show alignment with
approved Information Security Standards in the Abu Dhabi Governemnt.
The Data Governance Board shall certify evidence of alignment with
approved Information Security Standards in the Abu Dhabi Governemnt
through the Governance Checkpoint Process.
Information systems and components include, but are not limited to:
• Data integration and interoperability components, formats,
specifications
• Line of business management systems, such as ERP, CRM, Spatial
data
• Back office systems, such as issue management, HR, facilities
management
• Data analysis systems, data stored in data warehouses, big data
repositories or data made otherwise available through business
intelligence tooling
• Data quality tooling, such as Master and Reference Data
Management, data profiling, data cleansing
• Data and information systems managed and provided by third
parties on behalf of the Entity
DSP.1.3 The Entity shall ensure that data proposed for release as Open Data (see M
Open Data standards) includes a statement demonstrating compliance
with both the approved Information Security Standards in the Abu Dhabi
Governemnt and Data Management Standards, and is presented to the
Data Governance Board, which will ratify the decision to publish the data
as Open Data.
DSP.1.4 The Entity shall extend the classification of systems to identify M
information systems that may be at risk of privacy breaches in
accordance with the Entity's privacy policy (see DSP.2).
DSP.1.5 The Entity shall ensure compliance with the Payment Card Industry (PCI) R
Security Standards – through the Governance Checkpoint Process – for
information systems that store or process credit card data.
DSP.1.6 The Entity shall ensure that cloud suppliers meet ISO/IEC 27017 Cloud R
Security Standards and ISO/IEC 27018 Handling of Personally
Identifiable Information Standards as they become ratified by the
International Standards Organisation.
The Entity shall develop a data privacy policy in line with current Abu Dhabi
Control Standards
Government legislation with regards to privacy
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DSP.2.1 The Entity shall develop a privacy policy that aligns with current M
government privacy legislation. The privacy policy shall encompass the
guidance within these Standards, with specific reference to the data
within the Entity's line of business. The policy should by augmented with
appropriate information and guidance.
Consideration shall be given, where appropriate, to:
• Structured, transactional data
• Spatial, geographical or other location-based data
• Data collected from sensors or other automated devices
• Biometric data collected, stored, or otherwise used by the Entity
• Surveillance data collected by the Entity, including audio/visual
data and metadata gathered from monitoring and recording, such as
phone record information
• Data stored in other unstructured or semi-structured formats, such
as reports, documents and images
All these data formats have the ability to breach an individual’s privacy if
exposed to the wrong audience.
DSP.2.2 The privacy policy shall contain a public privacy statement that provides M
its service stakeholders with a clear and unambiguous description of the
stakeholders' privacy rights, and the Entity's privacy obligations.
The Entity shall ensure that its privacy policy remains in alignment with
any policy that emerges from cross-government working groups.
DSP.2.3 Consideration (in consultation with appropriate legal experts) shall be R
given for the individual – about which data is gathered – to have the
following minimum rights:
• Have visibility of data that is held about them
• Correct inaccuracies in data that is held about them
• Request removal of data that is held about them, but is no longer
relevant or applicable to the business of the Entity
The Entity shall adopt the principles of 'Privacy by Design' into its data architecture
Control Standards
and training programmes
Control Type Directive ¨ Preventive þ Detective ¨ Corrective ¨
Control Specification M/R
DSP.3.1 The Entity shall adopt the principles of 'Privacy by Design'. R
The principles of 'Privacy by Design' are:
• Proactive not Reactive – Anticipating privacy risks and addressing
them before they occur
• Privacy as the Default Setting – The individual does not have to
perform any actions in order to safeguard their privacy
• Privacy Embedded into the Design – Privacy is built into information
systems and business processes rather than being added after the
fact
The Entity shall operate a data privacy management workflow in line with the Entity's
Control Standards
data privacy policy, to identify and manage privacy-related data issues and risks
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DSP.4.1 The Entity shall develop a privacy management workflow that enables the M
Entity to identify, log, investigate and resolve data privacy-related issues
in accordance with the Entity's own privacy policy.
This workflow should include the ability to capture and investigate
privacy issues identified both by internal users and external stakeholders,
including steps for evidence gathering, post-incident analysis, reporting,
and taking corrective action.
This workflow shall be used to monitor the effectiveness of the
implementation of the Entity's privacy policy, and as such, the Entity
shall report privacy-related metrics to the appropriate cross-government
working group.
DSP.4.2 The Entity shall ensure that there is a route for individuals to maintain/ M
correct private data held about themselves.
Such updates shall be incorporated into a data quality audit.
DSP.4.3 Where permitted by the Entity's privacy policy, the Entity shall respond M
within a reasonable amount of time (as determined by the Data
Governance Board) to requests from an individual for disclosure of the
data held about them by the Entity.
These requests shall be monitored to ensure that they are actioned
within the time targets established by the Data Governance Board.
DSP.4.4 The Entity shall evaluate requests for removal of data about an individual, M
as allowed by the Entity's privacy policy.
The Entity shall establish a request evaluation process that balances
business need for the data, and the privacy of the individual. Such
requests should be handled internally by the Entity, though an appeal
process should be available to individuals, and this may require cross-
Entity collaboration. The Data Manager shall be the final arbiter.
Control Version History
1.0
Control DG.3 Data Management Programme
Dependencies DSP.3 Privacy By Design
Better Practice Guide for Big Data (Data Analytics Centre of Excellence, 2014)
DMBOK (Mosley and Brackett, 2010)
References Government Privacy and Best Practices workshop (Department of Homeland
Security, 2009)
Privacy By Design, (2014)
Control Standards The Entity shall implement data security protection measures at a system level
The Entity shall document the baseline data storage architecture of datasets,
Control Standards
information systems and services under its control
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DS.1.1 The Entity shall engage an infrastructure audit team familiar with platform M
utilisation metrics and the hardware and software configurations
prevalent across the Entity.
DS.1.2 The Entity shall undertake a comprehensive audit of physical inventory M
both within the Data Centres and at any other site or location.
The following fields shall be recorded for every system discovered:
• Data Centre Location
• Service/Application Name
• Server Name
• Server Type (Rack-mount, Blade or Tower)
• Hardware Model
• VMhost (if virtualised)
• Computer Model
• CPU (Type/Model, N CPUs, No Cores per CPU)
• RAM (GB)
• SAN Type (SATA, SSD, Flash) and Size (in GB)
• Backup Type (Disk, Tape) and Size (in GB)
• O/S Version
• Power and Cooling requirements (Watts and BTUs)
• Criticality to Business
• Requires SAN (Y/N)
• IP Addresses and MAC addresses
• Current Redundancy Levels (Power, Network, CPU)
Control Standards The Entity shall develop and maintain a target data storage architecture
Control Standards The Entity shall develop and maintain a data storage roadmap
Control Standards The Entity shall implement the rollout of the data storage roadmap
Control Standards The Entity shall develop and execute a data backup and recovery plan
Control Standards The Entity shall develop and execute a disaster recovery plan
The Entity shall document the data lifecycle of data within information systems and
Control Standards
services under its control
Control Type Directive þ Preventive ¨ Detective þ Corrective ¨
Control Specification M/R
DS.7.1 The Entity shall develop a clear policy and standards for the management M
of all recorded information (irrespective of its form) that has been
created or received and maintained by the Entity in the course of its
business. The states of the Information Life Cycle are:
• Creation
• Retention (organisation, storage, security, etc)
• Maintenance
• Use (retrieval, access levels etc)
• Retirement (archival offline or nearline)
• Disposal (timely, with appropriate and secure media destruction
methods used)
The intention is that recorded Information held by the Entity shall always be:
• Of high quality
• Accurately captured
• Timely
• Up to date
• Secure
• Easily retrievable
• Available when needed
The Entity shall include data integration architecture within the Entity's data
Control Standards
architecture
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DIO.1.1 The Entity shall implement a Strategic Integration Platform to provide the M
infrastructure to connect internal and external information systems and
data feeds.
The Strategic Integration Platform is an architectural component or set
of services that allows:
• Data transfer – physically moving data from one system to another
• Data transformation – mapping data from one set of data formats to
another where there are differences between systems
• Access auditing – logging users, services, requests
• Performance monitoring – monitoring data volumes and frequency
• Security controls – ensuring controlled access to data
• Transaction management – management of long running
transactions in the case of two-way data transfer
The Strategic Integration Platform shall be included in the Entity's target
enterprise data architecture (see Data Architecture Standards).
DIO.1.2 The Entity shall ensure that its strategic integration platform aligns with M
metadata requirements of the Abu Dhabi Government Interoperability
Framework (eGIF).
DIO.1.3 The Entity shall develop and publish a policy for usage of its strategic M
integration platform. This shall cover sharing (i) internally; (ii) with trusted
third parties; and (iii) externally.
• Internal data sharing policy should encourage data sharing initiatives
across business functions.
• The policy for sharing data with trusted third parties (which include
other Entities, commissioned third parties and service suppliers)
shall include consideration for developing service level agreements
(See Data Integration and Interoperability Standards).
External users of the Entity's data that are not affiliated with the
Abu Dhabi Government or its contracted suppliers shall be bound by
usage licences developed by the Entity. Such usage licences shall align
with the Entity's Open Data standards (see Open Data Standards).
DIO.1.4 The Entity shall give consideration to migrating existing data feeds R
into and out of information systems through the Strategic Integration
Platform within the Entity's target data architecture.
The Data Governance Board shall consider the business value and
applicability for re-use of each data feed.
The Entity shall include data integration architecture within the Entity's data
Control Standards
architecture
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DIO.2.1 The Entity shall ensure that consideration is given at the data M
architecture level for appropriate data exchange methods when
integrating data between applications and information systems.
Acceptable data exchange methods include (but are not limited to):
• File based data exchange – transferring a data file to a central
physical location, where it may be processed, validated, and
transformed before being collected by the receiving system
• Message based data exchange – exchanging information through
formatted messages via a service bus, typically in a publisher/
subscriber model or broadcast model (see DIO.3)
• Database to database data exchange – typically used with ETL
systems, data may be passed through an intermediary database for
transformation and validation before routing to its final destination;
information systems should not exchange data directly into each
other’s databases
The Entity shall describe the data exchange methods used in system
data architectures (see Data Architecture).
DIO.2.2 The Entity shall include the plan to migrate peer-to-peer application M
data sharing to the Strategic Integration Platform in its target data
architecture.
For example, a time sheet system may pull the list of employees from a
human resources system. The Entity shall plan to migrate the provision of
the employee list via the Strategic Integration Platform, allowing greater
opportunities for data re-use.
Where migration to the Strategic Integration Platform is not possible due
to proprietary software, the Entity shall provide justification through the
Data Governance Board.
DIO.2.3 The integration platform shall provide the capability to broker R
interactions across different integration patterns allowing, for example,
file-based data exchanges and message-based data exchanges to be
integrated.
Data exchange integration capability shall be shown on the Entity's
target data architecture.
Control Standards The Entity shall develop a framework for data integration service level agreements
Control Standards The Entity shall define and identify open data in their business context
The Entity shall develop and publish a plan to release open data from the data,
Control Standards
information systems and services under their control
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
OD.2.1 The Entity shall develop an Open Data Plan, working from its Open Data M
Review, to release the data through the Open Data Portal.
The Open Data Plan shall allow for:
• The dataset to be reviewed and duly approved for release as Open
Data
• The dataset to be released once it has passed its predetermined
quality gate
• Any aggregation, redaction, anonymisation or obfuscation required
for privacy or security concerns has been approved and undertaken
OD.2.2 The Entity shall ensure that the Open Data Plan prioritises the release of M
Open Data by:
• Addressing security and privacy concerns
• Addressing the business priorities of the Entity
• Addressing the demand from third parties for data
• Addressing the measurable quality of the data
OD.2.3 The Entity shall ensure that the Open Data Plan systematically addresses M
all of the datasets identified in the Open Data Review.
OD.2.4 The Entity shall ensure that progress against the Open Data Plan is M
monitored, and the plan is reviewed quarterly.
Control Version History
1.0
DG.2 Data Management Policy
Control DG.3 Data Management Programme
Dependencies DSP.3 Privacy By Design
DSP.5 Data System Protection
Project Open Data (2014)
References
The Open Data Handbook (2014)
Control Standards The Entity shall publish Open Data in the Abu Dhabi Government Open Data Portal
The Entity shall engage external interested parties in an Open Data awareness
Control Standards
campaign
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
OD.4.1 The Entity shall undertake annual awareness campaigns to ensure M
potential users and stakeholders are aware of the existence, nature and
quality of the Open Data being offered by the Entity.
The awareness campaign needs to consider:
• Progress of the Open Data Plan
• The need to inform and educate internal stakeholders
• The need to inform and educate external stakeholders
• The need to inform and educate the wider public
The awareness campaign should include:
• Details on where to find Open Data
• Details on where to find the Open Data Catalogue
• Information on privacy and security concerns, including (in a general
sense) the provisions made for:
1. Aggregation
2. Redaction
3. Anonymisation
4. Obfuscation
• Explanations in plain language on the type of data and its context
• An indication on the Age (or Age Window) of the data
• An Indication on the quality that can be expected form the data
OD.4.2 In the event that an Entity does not publish a dataset or datasets, it shall M
use its annual awareness campaign to:
• Explain to the extent possible the reasons for withholding a dataset
• Indicate if and/or when a dataset will be published
• To provide a clear statement if a particular dataset is to remain
unpublished for the foreseeable future
Control Version History
1.0
Control DG.3 Data Management Programme
Dependencies OD.3 Open Data Publishing
Project Open Data (2014)
References
The Open Data Handbook (2014)
Control Standards The Entity shall develop a Reference Data Management Plan
Control Standards The Entity shall identify the reference data used in its Information Systems
Control Standards The Entity shall develop and execute reference data change management processes
Control Standards The Entity shall implement a Reference Data Management platform
Control Standards The Entity shall develop a Master Data Management plan
Control Standards The Entity shall identify the master data used in its Information Systems
Control Standards The Entity shall operate master data profiles across their organisation
Control Standards The Entity shall develop and execute master data change management processes
Control Standards The Entity shall implement a Master Data Management Platform
The Entity shall define standard formats, style guides and versioning guidelines for
Control Standards
any documents or content produced
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DCM.1.1 The Entity shall establish quality standards for all document and content M
types being managed. As a minimum, these quality standards should
establish:
• A language style guide describing the expected written standard for
the writing, and important guides for design (look and feel)
• Naming conventions to be followed
• Review and editorial processes to be undertaken and documented
• Version management processes and procedures
Control Version History
1.0
Control DG.3 Data Management Programme
Dependencies DG.6 Capability Audit
The Entity shall implement document and content management appropriate to their
Control Standards
requirements
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DCM.2.1 The Entity shall define requirements for Documents and Content M
Management that includes, but is not restricted to:
• A document standard that specifies what documents are mandatory
in each Entity process, and the data that must be included in each
document
• What document types should be used in each case (eg Word DOCX,
Adobe PDF, Scans TIFF or JPEG etc)
• The metadata to be captured with the document, and throughout
the document lifecycle
• How the document metadata will be captured and managed
• Procedures for retrieving, using and sharing documents between
business processes
• Determination of how long documents need to be kept to satisfy
business, privacy and regulatory requirements
• Determination of the file structure (file plan) for the proper
organisation of documents
• Assessment of the risks of failure to the management or access of
documents
• Persisting documents and their availability over time to meet
business needs
• Proper considerations of any legal and regulatory frameworks or
requirements
• Referencing the Information Security policy to ensure documents
are in a safe and secure environment
• Retirement and disposal of documents so that they are retained
only for as necessary and required
DCM.2.2 All documents and records created and held with an Entity should be: M
Authentic
• Have their provenance clearly identified showing chain of custody to
its ultimate source
• Recorded information can be traced and proven to be what it
appears to be
• Have been created or sent by the person who appears to have
created or sent it
• Have been created or sent at the time suggested
Reliable:
• The content of a document can be trusted as an accurate
representation of the information or facts as shown, and that it can
be relied upon in the course of subsequent processes
Control Standards The Entity shall implement appropriate repository and workflow management tools
The Entity shall develop a data warehouse, BI and analytics effort that aligns with
Control Standards
business goals and data management domains
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DWBA.1.1 The Entity shall ensure that any data warehouse, business intelligence M
and analytics initiative is driven by a clear business vision.
Data warehouse, business intelligence and analytics initiatives –
whether or not designated as having 'enterprise' scope – represent
large, complex streams of work that typically require significant time
and financial investment. The Data Governance Board shall be the key
stakeholder in the outcome of any such initiative.
DWBA.1.2 The Entity shall develop Service Level Agreements (SLAs) – determined M
by business requirements – to regulate and support stakeholders in their
exploitation of data within the data warehouse.
Data warehouse SLAs shall include at a minimum:
• Data warehouse availability – when and how often the data within
the data warehouse will be available for querying eg there may be
routine scheduled unavailability due to batch loads and processing
• Data load latency – the period between data appearing in an
operational system and being available for query within the data
warehouse
• Data retention period – the period of time that any given data will be
retained in the data warehouse
• Data quality – the minimum quality requirements for data stored in
the data warehouse (see Data Quality Standards)
DWBA.1.3 The Entity shall monitor the effectiveness of the data warehouse initiative M
in order to meet and report against the requirements of the established
SLA.
Reporting shall also reflect the level of technical alignment with the
architectural roadmap, implementation and usage experiences, lessons
learned, and business successes. Findings shall be reported to the
Data Governance Board to facilitate the sharing of experiences across
Abu Dhabi Government Entities.
DWBA.1.4 The Entity shall agree SLAs with external data suppliers (see Data M
Integration and Interoperability standards) in order to provide the Entity
with confidence when relying upon externally produced and managed
datasets.
Externally supplied authoritative data shall:
• Be managed and stored separately from the data produced within
the Entity
• Have clear ownership both within the Entity, and within the external
supplier
• Have defined issue resolution workflow
• Have documented data refresh cycles
• Have clearly defined data quality requirements and other
performance metrics
The Entity shall ensure that data warehouse, business intelligence and analytics
Control Standards
architecture uses the appropriate architectural components
Control Type Directive þ Preventive þ Detective ¨ Corrective ¨
Control Specification M/R
DWBA.2.1 The Entity shall employ a data-staging environment to collect source M
system data for cleansing, matching, and merging (as appropriate) before
adding it into the data warehouse.
A data-staging environment might be a stand-alone intermediary data
store, part of a Master Data Management system (see Reference and
Master Data Management Standards) or implemented within tooling for
Extract, Transform and Load (ETL).
DWBA.2.2 Data warehouse, business intelligence and analytics initiatives typically M
depend on many aspects of data management. The Entity shall ensure
that these initiatives take appropriate account of other domains, which
may include:
• Metadata – to describe the types, formats and definitions of data
contained within the warehouse
• Data Catalogue – to document the content the datasets contained
within the warehouse
• Data Modelling and Design – to model the data contained within the
warehouse
• Data Architecture – to align with target data architecture, enterprise
architecture, business processes and functions, and existing
components within the baseline data architecture
• Data Quality – to control and determine the quality of data
contained within the warehouse
• Data Security – to protect the data contained within the warehouse
(as with any system, the data within data warehouses can be
commercially sensitive; however, given the high volumes, the
commercial sensitivity of data can be amplified within the context of
a data warehouse)
• Data Storage – to ensure the appropriate physical components and
infrastructure required to support the storage of data is provisioned
and managed, and also to govern the information lifecycle
• Data Integration and Interoperability – feeding data from source
information systems into the data warehouse should use the Entity's
standard integration technology
References The Data Warehouse Lifecycle Toolkit 2nd Edition (Kimball et al, 2008)
The Entity shall design and model data warehouses and data marts using accepted
Control Standards
conventions
Control Type Directive þ Preventive ¨ Detective ¨ Corrective þ
Control Specification M/R
DWBA.3.1 The Entity shall implement data warehouse architectural designs that M
favour usability over ease of implementation. Implementation complexity
should also be considered.
An incremental business-focused approach towards developing a data
warehouse capability (including populating it with data) is recommended.
Each Entity master profile might represent a suitable candidate segment
of data to be cleansed and moved into the warehouse.
The Data Governance Board shall require the Entity to submit data
warehouse design proposals for evaluation and approval.
DWBA.3.2 The Entity shall use special-purpose table types when modelling the M
data warehouse. Conceptual, logical and physical modelling shall be
undertaken to enhance understanding by stakeholders with varying
levels of technical knowledge.
Data warehouse table types include:
• Data staging tables – containing the data from source information
systems prior to processing
• Dimension tables – containing the objects required by the business
for reporting purposes (typically, these objects will include date
and text-based fields, such as Citizen, Address, Service, Service
Outcome Type etc)
• Fact tables – containing measures, usually in numeric form, that
may be the result of processing relationships in the input data eg
the count and/or average of service outcome types by district
for a given date period. In addition to measures, fact tables may
also contain metadata to describe dimensions of the data. Such
metadata might include (though not be limited to) source system,
date of data capture, and other information to provide traceability
and validity as appropriate. Fact tables link to multiple dimension
tables
DWBA.3.3 Dimension tables should have synthetic or surrogate primary keys to R
support performance optimisations.
DWBA.3.4 The Entity shall use the simplest schema possible when designing a data M
warehouse or data mart.
Star schemas are the simplest schemas for end users to understand,
and should be the preferred choice. A star schema contains a single fact
table with a single primary key relationship with each of the dimension
tables. The fact table is at the centre of the star with the dimensions
forming the points.
Where a design deviates from a star schema, justification shall be
provided in the design, for evaluation by the Data Governance Board
through the Governance Checkpoint Process.
Control Standards The Entity shall consolidate its Data Marts into a federated Data Warehouse
The Entity shall distinguish between an Operational Data Store and a Data
Control Standards
Warehouse in its data architecture
Control Type Directive þ Preventive ¨ Detective þ Corrective ¨
Control Specification M/R
DWBA.5.1 Where an operational data store (ODS) exists as an architectural M
component on the Entity's data architecture, it shall act as a data source
for the enterprise data warehouse.
DWBA.5.2 The Entity should ensure a clear separation between data for an ODS R
and data within a data warehouse (both use similar technology and
processes – such as dimensional modelling and de-normalisation – but
to different ends. An ODS is designed to contain current, operationally
volatile data).
For example, both an ODS and data warehouse could contain the current
address for a Citizen. If the address changes, a single record would
usually be updated within the ODS, whereas both address versions
would be stored within the data warehouse, with each being indicated as
correct at different ranges of time.
DWBA.5.3 The Entity should use the capability of an ODS to integrate, analyse R
and report on current data from across the organisation, where the
functionality meets the business requirements.
Control Standards The Entity shall develop Business Intelligence solutions that align with business goals
The Entity shall provide Analytics and Big Data tooling and training to encourage
Control Standards
innovation and to develop analytics capabilities
Control Type Directive þ Preventive ¨ Detective ¨ Corrective ¨
Control Specification M/R
DWBA.7.1 The Entity should produce a initiative to develop data analysis R
capabilities suitable for the types of data within its ownership.
The Entity shall evaluate suitable training opportunities within its Data
Management Programme and its roadmap for data architecture, in order
to enhance the Entity's data analytics capabilities.
Data analysis techniques include, but are not limited to:
• Machine learning – information systems that develop understanding
of patterns within the data without being explicitly programmed
• Clustering algorithms – to identify groups of data variables that
influence each other
• Classification and regression – attempting to automatically classify
new data on the basis of known historic data
Data analytics development and usage is more ad hoc than typical
business intelligence activities, and must be undertaken in collaboration
with business users.
DWBA.7.2 The Entity should identify data that is very high in volume, velocity R
or variety, and apply 'Big Data' analysis techniques to encourage
innovation. While the term 'Big Data' is imprecise, typically it identifies
data that cannot be processed using traditional data analysis
capabilities.
The Entity shall identify Big Data initiatives in order to document and
share experiences through the Data Governance Board to other Entities.
Checkpoint: A point within a business process where rationales, justifications, decisions, designs and other
deliverables are subject to external scrutiny, for example, when budget is requested; when requirements gathering
is complete; when design is complete (see also Governance Checkpoint Process)
Common Profile: A government-wide data profile, applicable to many government Entities, containing fields,
attributes, validations, descriptions and reference data (see also Master Profile)
Component: A technology element that by itself does not form an information system, but forms part of a wider
information system (see also Information System)
Conceptual Data Model: The high-level concepts and their relationships within an information system
Data Architecture: A set of deliverables that show the how (at various levels of detail depending upon the
audience) information systems store data at rest facilitate the movement of data between information systems.
Data architecture is part of a wider Enterprise Architecture (see also Enterprise Architecture)
Data Feed: A data source exposing a dataset as a service (see also Dataset, Data Source)
Data Governance Board: The board formed within the Entity to provide oversight of the data management
programme and ensure information systems adhere to these controls (see also Checkpoint, Governance
Checkpoint Process)
Data Governance Committee: The government-wide committee formed from representatives from across the
Abu Dhabi Government Entities
Data Manager: The person with responsibility for executing the data management programme, under the
direction of the data governance board
Data Mart: Subject-based data analytical tool (or tools) that may join other data marts to form a data warehouse
(see also Data Warehouse)
Dataset: A discreet set of data, comprising multiple records. An information system may contain, use or maintain
one or more datasets. A dataset may be published outside the information system that created it (see also Data
Source)
Data Source: A source system that provides a dataset for re-use (see also Information System)
Data Steward: A technology or business expert with understanding of the datasets and information systems, with
responsibility for implementing the requirements data management programme under the direction of the Data
Manager (see also Data Manager)
Enterprise Architecture: The design and management of business, technology and governance across the
Entity’s information systems and business processes (see also Data Architecture)
Enterprise Data Model: A combination of the Entitiy’s Conceptual Data Models, Logical Data Models and
Physical Data Models describing the data its relationships that are core to the organisations function (see also
Conceptual Data Model, Master Profile)
Enterprise Information System: An information system that crosses departmental boundaries to use and/or
maintain data from across the Entity, for example, Master Data Management systems or a Data Warehouse (see
also Information System)
Governance Checkpoint Process: The set of checkpoints defined by the data governance board for
confirming an information systems compliance with these controls as it progresses through its lifecycle (see also
Checkpoint, Data Governance Board)
Integration Patterns: Pre-defined and document industry models for enabling data transfer between information
systems (see also Enterprise Integration Platform)
Logical Data Model: The information system independent data model, documenting the tables, relationships and
rules that form the full range of data used by an information system
Master Data Management (MDM): A set of tools and business processes by which master profile data from
multiple systems can be compared, matched and merged (logically or physically) in order to create a ‘golden view’
of each record (see also Master Profile)
Master Profile: An Entity wide data profile used across many departments in order to fulfil the Entity’s core
business, containing fields, attributes, validations, descriptions and reference data. Entity master profiles should
align with the government-level Common Profiles as they emerge (see also Common Profile)
Open by Default: An Open Data principle that allows sharing and publishing data managed by the Entity unless
there is sufficient justification not to
Physical Data Model: A physical implementation of a Logical Data Model constrained by specific vendor
hardware and software
Privacy by Design: A set of design principles that ensure the privacy of personal information is managed through
the information systems implementation and associated processes
Reference Data Management (RDM): A set of tools and business processes for versioning, refreshing,
transforming and distributing to information systems the reference data developed both internally and externally
Recovery Point Objective (RPO): A defined objective for disaster recovery that limits the volume of data (in
terms of new or changed data) that would potentially be lost in the event of a disaster (see also Recovery Time
Objective)
Recovery Time Objective (RTO): A defined objective for disaster recovery that limits the amount of downtime or
service outage when recovering data in accordance with the Recovery Point Objective (see also Recovery Point
Objective)
Semantic Definitions: Forms of metadata that go beyond defining, and add meaning to data entities
Semantic Modelling: Modelling where a meaning as well as a definition is attached to an entity, which in turn
allows non-human interrogative actors to make judgements on the value of including data they access. For
example ‘Country name’ may be a definition, but ‘developing country’ adds meaning
DATA
DATASETS DATA MODELS ARCHITECTURES
ARCHITECTURE
Business Code
Glossary Lists
Data Model
Metadata
ADSIC. (2013). Abu Dhabi Information Security Standards. Abu Dhabi Government.
Agency of Digitalisation, (2012). Good Basic Data for Everyone. Copenhagen: Danish Ministry of Finance.
Alasem, A. (2009). An overview of e-government metadata standards and initiatives based on Dublin Core.
Electronic Journal of e-Government, 7(1), pp.1--10.
Data Analytics Centre of Excellence, (2014). Better Practice Guide for Big Data. Australian Government.
Department of Homeland Security, (2009). Government 2.0: Privacy and Best Practices. DHS Privacy Office.
Dublincore.org, (2014). DCMI Home: Dublin Core® Metadata Initiative (DCMI). [Online]. Available at:
http://dublincore.org/ [Accessed 2 April 2014].
European Commission, (2012a). Case Study Digitalisér.dk Semantic Asset Repository. ISA.
European Commission, (2012b). Case Study XRepository semantic asset repository. ISA.
Griffin, J. (2010). Four Critical Principles of Data Governance Success. [Online]. Information Management
Magazine. Available at: http://www.information-management.com/issues/20_1/four-critical-principles-of-data-
governance-success-10016929-1.html [Accessed 12 May 2014].
IBM. (2012). Three guiding principles to improve data security and compliance: IBM Corporation, Somers.
IBM Redbooks, (2013). Reference Data Management. 1st ed. [e-book] IBM Redbooks. Available at:
http://www.redbooks.ibm.com/technotes/tips1016.pdf [Accessed 19 June 2014].
Indiana Health Information Exchange, (2012). Building Effective Data Governance Models, Policies, and
Agreements in a Hi Tech world.
Joohaeng, C. (2010). Case Study and Best Practices of e-Government Interoperability in Korea. 1st ed.
[e-book] Samsung SDS. Available at: http://www.gobiernofacil.go.cr/e-gob/gobiernodigital/Foro_Ddigital/
presentaciones/e_Government_Interoperability_in_Korea.pdf [Accessed 19 June 2014].
Lees, K (2012). Organizing for the Cloud: VMWare Inc [Online], Available at:
http://www.vmware.com/files/pdf/services/VMware-Organizing-for-the-Cloud-Whitepaper.pdf
[Accessed 8 October 2014].
Maali, F., Cyganiak, R. and Peristeras, V. (2010). Enabling Interoperability of Government Data Catalogues.
Galway: National University of Ireland.
Mosley, M. and Brackett, M. (2010). The DAMA guide to the data management body of knowledge
(DAMA-DMBOK guide). 1st ed. Bradley Beach, N.J.: Technics Publications.
Open Knowledge Foundation. (2014). The Open Data Handbook. [Online]. Available at:
http://opendatahandbook.org/ [Accessed 23 June 2014].
Opengroup.org, (2014). The Open Group Application Framework (TOGAF). [Online]. Available at:
http://www.opengroup.org/togaf/
Pitney Bowes, (2010). Data Warehousing, The Keys for a Successful Implementation. Business Insight Series.
Pitney Bowes Insight.
PCI Security Standards Council (2013) Data Security Standards. [Online], Available at:
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf [Accessed 23 Oct 2014].
Soares, S. (2010). The IBM data governance unified process. 1st ed. Ketchum, ID: MC Press Online.
Telecommunications Industry Association (2005). Telecommunications Infrastructure Standard for Data Centers.
[Online], Available at: http://manuais.iessanclemente.net/images/9/9f/Tia942.pdf
[Accessed 12 October 2014].
The MDM Institute, (2012). Field Report: Orchestra Networks Reference Data.
Troy, C. and Ellis, T. (2008). Best Practice Guide for MDM Implementations. London Data Connects.
W3C Government Linked Data Working Group, (2013). Asset Description Metadata Schema (ADMS). [Online].
Available at: http://www.w3.org/TR/vocab-adms/ [Accessed 20 May 2014].
W3C RDF Working Group (2014), Resource Description Framework (RDF). [Online]. Available at:
http://www.w3.org/RDF/ [Accessed 20 May 2014].