Information Technology Reference
In-Depth Information
associated with the classification often are reasonable. If it is “Top Secret,”
one must do so and so. The problem seems to lie in recognizing the
category of the data with which one is dealing. Making the rules for
recognition more and more complex would lead to a self-defeating situ-
ation at some point as it starts getting ignored, simplified, or mostly
subjective. One must consider the likelihood that the employees will
choose the category that is safest or most convenient for them in terms
of getting approvals or keeping things moving.
Classification is a judgment call. This means that any time data is
classified as such, there must be some metadata about the classification
itself — who did it, when they it, any reasons for selecting that classifi-
cation, etc.
Classifications change over time. Classifications can also change if some
minor adjustments are made to the data being retained. For example, the
removal of a small piece of sensitive information — a particular table, a
photograph, names of sources in an intelligence report — might allow a
different classification. Such options also must be made part of the
classification metadata for that document.
Systems of Record
Companies have multiple sources and stores of the same information.
One of them is designated a “system of record” (SOR). What does this
mean?
The most upstream source of information need not be the SOR. An
SOR is information that the company classifies as the SOR. It could be
processed, cleaned up, or enriched. It is the recognized proof point for
the record of a transaction. If it does not exist in the SOR, then it did not
happen. The SOR must be definitive and authoritative.
One must be careful to distinguish the need between a consistent
source of information and an ultimate reference. The ultimate reference
stands alone as the final authority. It is the official record. Others must
be, one would assume, consistent with it. The SOR does not have to be
consistent with the others.
Every database, although maintained to high degrees of accuracy and
backed up regularly, is not an SOR. The legacy systems concept of a
Master — Employee Master, Customer Master — appear to be likely
candidates but they may not be so.
Considering the wide range of information handled by any company,
there would be multiple SORs in a company. An SOR need not and cannot
be a monolithic data store. The SOR can, of course, be an entire system.
For many companies, its ERP (enterprise resource planning) system is its
