Information as a Governance Component

Information as a Governance Component in COBIT 2019 Foundation

Understanding Information as a Governance Component

Information is one of the critical assets in any organization, and governing it effectively is essential for several reasons:

• Business Continuity: Information governance ensures that critical business information remains available, accurate, and accessible when needed.
• Regulatory Compliance: Organizations must comply with various regulations (GDPR, HIPAA, SOX) that govern how information is handled, stored, and protected.
• Risk Management: Proper governance of information helps identify and mitigate risks associated with data breaches, loss, or misuse.
• Stakeholder Confidence: Good information governance builds trust with customers, partners, and investors by demonstrating responsible data stewardship.
• Decision Making: High-quality, well-governed information enables better business decisions at all organizational levels.
• Competitive Advantage: Organizations that effectively govern their information assets gain insights and agility that competitors may lack.

In COBIT 2019, Information as a Governance Component refers to the governance and management of information assets throughout their lifecycle. It encompasses:

• Information Definition: Clearly defining what information is important to the organization and its stakeholders.
• Information Classification: Categorizing information based on its sensitivity, criticality, and regulatory requirements.
• Information Quality: Ensuring information is accurate, complete, timely, and relevant for its intended use.
• Information Protection: Implementing controls to protect information from unauthorized access, modification, or loss.
• Information Lifecycle Management: Managing information from creation through retention, archival, and disposal.
• Information Accountability: Defining clear ownership and responsibility for information assets.
• Information Compliance: Ensuring information handling aligns with legal, regulatory, and organizational requirements.

Information governance operates as part of the broader governance system within COBIT 2019. The framework addresses information governance through several key mechanisms:

Organizations establish governance structures that define roles and responsibilities for information management:

• Chief Information Officer (CIO) or Chief Data Officer (CDO): Typically oversees information governance strategy.
• Information Governance Committees: Cross-functional teams that make decisions about information policies and standards.
• Data Stewards: Business unit representatives responsible for specific information domains.
• Information Custodians: IT personnel responsible for technical implementation of information governance controls.

COBIT 2019 includes processes that support information governance:

• EDM (Evaluate, Direct, Monitor): Executive processes that set governance direction for information management.
• APO (Align, Plan, Organize): Planning processes that define information governance strategies and policies.
• BAI (Build, Acquire, Implement): Processes for implementing information governance solutions.
• DSS (Deliver, Service, Support): Day-to-day processes that execute information governance policies.
• MEA (Monitor, Evaluate, Assess): Processes that monitor and improve information governance effectiveness.

Key principles that guide information governance include:

• Accountability: Clear assignment of responsibility for information assets.
• Transparency: Open communication about how information is used and protected.
• Integrity: Ensuring information is accurate and trustworthy.
• Confidentiality: Protecting sensitive information from unauthorized disclosure.
• Availability: Ensuring information is accessible to authorized users when needed.

Organizations implement specific controls to govern information:

• Access Controls: Restricting access based on role and need-to-know.
• Data Quality Controls: Validating information accuracy and completeness.
• Encryption and Protection: Technical measures to secure information.
• Audit Trails: Tracking who accesses and modifies information.
• Retention Policies: Defining how long information is kept.
• Incident Management: Responding to information breaches or losses.

Example 1 - Financial Information: A bank implements information governance for customer financial data by classifying it as highly sensitive, restricting access to authorized personnel, encrypting it at rest and in transit, maintaining audit logs, and establishing retention periods compliant with regulatory requirements.

Example 2 - Customer Data: A retail organization governs customer information by defining a clear data ownership structure, implementing data quality checks during customer registration, securing personal information, and ensuring GDPR compliance through proper consent and deletion procedures.

Example 3 - Strategic Information: A manufacturing company protects strategic information about product development by classifying it as confidential, limiting access to project team members, implementing document control procedures, and tracking all access through audit logs.

How to Answer Exam Questions Regarding Information as a Governance Component

Exam questions on information governance typically fall into these categories:

• Definition Questions: What is information governance? What does it include?
• Purpose Questions: Why is information governance important? What problems does it solve?
• Application Questions: How would you address an information governance issue in a scenario?
• Best Practice Questions: What is the best approach to managing a specific information governance challenge?
• Role and Responsibility Questions: Who is responsible for information governance? What are their duties?

When answering questions, ensure you cover these essential concepts:

• Holistic Approach: Information governance is not just IT's responsibility—it involves the entire organization.
• Lifecycle Perspective: Information has a lifecycle from creation to disposal, all requiring governance.
• Business Alignment: Information governance must align with business objectives and strategy.
• Risk-Based: Governance should be proportional to the risk and value of information assets.
• Compliance Integration: Information governance helps meet regulatory and legal requirements.
• Continuous Improvement: Information governance evolves with organizational needs and emerging threats.

Question Type 1: Definition/Concept
Q: What is meant by 'information as a governance component' in COBIT 2019?
A: Information as a governance component refers to the systematic governance and management of information assets throughout their entire lifecycle. It includes defining information requirements, classifying information based on sensitivity and criticality, ensuring information quality, protecting information from unauthorized access or loss, managing information lifecycles, establishing clear accountability for information assets, and ensuring compliance with legal and regulatory requirements. It recognizes that information is a critical organizational asset requiring structured governance similar to other governance domains.

Question Type 2: Purpose/Importance
Q: Why is information governance critical in modern organizations?
A: Information governance is critical because: (1) Information is a strategic asset that, when properly governed, provides competitive advantage; (2) Regulatory requirements (GDPR, HIPAA, SOX) mandate specific information handling practices; (3) Information breaches can result in significant financial, legal, and reputational damage; (4) High-quality, well-governed information enables better decision-making; (5) Clear information governance reduces operational risks and ensures business continuity; (6) It establishes accountability and transparency in how the organization handles sensitive data; (7) It helps prevent information loss, corruption, or unauthorized use.

Question Type 3: Scenario/Application
Q: A company is experiencing inconsistent data quality across departments, leading to poor business decisions. How would information governance address this issue?
A: Information governance would address this by: (1) Establishing clear information ownership and stewardship roles for each data domain; (2) Defining information quality standards and requirements; (3) Implementing data quality controls and validation processes during data entry and processing; (4) Creating governance structures and policies that ensure consistent information handling across departments; (5) Establishing accountability for information quality through performance metrics; (6) Implementing monitoring processes to identify quality issues; (7) Creating processes for continuous improvement of information quality; (8) Ensuring training and awareness about information quality standards across the organization.

Question Type 4: Best Practice
Q: What is the best approach to implementing information governance in a large organization?
A: The best approach involves: (1) Starting with a clear governance structure that defines roles, responsibilities, and reporting lines; (2) Conducting an information inventory and assessment to understand current state; (3) Developing an information governance strategy aligned with business objectives; (4) Classifying information based on sensitivity, criticality, and regulatory requirements; (5) Establishing policies and standards for information management; (6) Implementing appropriate technical controls (access controls, encryption, audit trails); (7) Creating monitoring and measurement mechanisms; (8) Ensuring executive sponsorship and organizational commitment; (9) Implementing incrementally with quick wins to build momentum; (10) Establishing continuous improvement processes.

Question Type 5: Responsibility/Role
Q: What are the key roles and responsibilities in information governance?
A: Key roles include: (1) Executive Sponsor (C-level): Provides governance direction and resources; (2) Chief Information Officer or Chief Data Officer: Develops and oversees information governance strategy; (3) Information Governance Committee: Makes policy decisions and resolves conflicts; (4) Data Stewards: Define data requirements and quality standards for their domains; (5) Information Custodians: Implement technical controls and protect information assets; (6) Process Owners: Ensure information governance is embedded in business processes; (7) Audit and Compliance: Monitor governance compliance; (8) All Employees: Follow information governance policies and practices.

Exam Tips: Answering Questions on Information as a Governance Component

Remember that COBIT 2019 views information governance as part of a complete governance system. When answering questions, connect information governance to:

• Overall business objectives and strategy
• Risk management frameworks
• Regulatory and compliance requirements
• Other governance components (people, processes, technology)
• Organizational performance and value creation

Tip Application: If asked about implementing information governance, mention how it connects to business strategy, not just IT needs.

Information has a lifecycle: Creation → Use → Storage → Archival → Disposal. Effective governance addresses all stages.

• Creation Stage: Define what information is needed and quality standards.
• Use Stage: Ensure appropriate access and security controls.
• Storage Stage: Protect information and maintain backups.
• Archival Stage: Retain information according to policies.
• Disposal Stage: Securely destroy information when no longer needed.

Tip Application: Frame answers to show understanding of information throughout its entire lifecycle, not just protection while in use.

Information governance typically balances three key aspects:

• Availability: Information is accessible to authorized users when needed (business enablement).
• Confidentiality: Information is protected from unauthorized disclosure (risk mitigation).
• Integrity: Information is accurate, complete, and reliable (quality assurance).

Tip Application: When discussing information governance challenges, show how solutions balance all three pillars rather than focusing on only one (e.g., security often gets emphasis, but availability and integrity matter too).

Strong answers include discussion of governance structures:

• Who makes decisions about information policies?
• How are conflicts resolved?
• What are the reporting lines?
• How is accountability established?
• How are decisions communicated and enforced?

Tip Application: When describing information governance implementation, always mention governance structures and decision-making processes, not just technical controls.

In COBIT 2019:

• Governance: Setting direction, making strategic decisions, defining policies (done by leadership).
• Management: Executing the policies, day-to-day operations (done by operational teams).

Information governance addresses both, but emphasizes the governance (strategic) side.

Tip Application: Include both strategic governance elements (policies, structures, direction) and management elements (implementation, operations, monitoring) in your answers.

Most information governance questions have compliance and risk dimensions. Always consider:

• Regulatory requirements (GDPR, HIPAA, PCI-DSS, etc.)
• Legal obligations
• Risk of data breaches or loss
• Reputational damage
• Business continuity implications

Tip Application: When discussing information governance, mention relevant compliance requirements and risks specific to the scenario.

Reference relevant COBIT processes when appropriate:

• EDM02: Ensure Stakeholder Value Delivery (governance)
• EDM03: Ensure Risk Optimization (governance)
• APO01: Manage the IT Management Framework (planning)
• APO10: Manage Suppliers (relevant for third-party data)
• BAI04: Manage Availability and Capacity (information availability)
• DSS02: Manage Service Delivery (information delivery)
• DSS06: Manage IT Security (information protection)
• MEA01: Monitor, Evaluate and Assess Performance (governance monitoring)

Tip Application: If comfortable with COBIT processes, reference relevant ones in your answers to demonstrate deeper knowledge.

Strengthen answers with specific examples:

• By Industry: Financial institutions (credit card data), Healthcare (patient records), Retail (customer data).
• By Information Type: Personal data, financial data, trade secrets, strategic information.
• By Governance Activity: Data classification, access control implementation, audit logging, retention scheduling.

Tip Application: Include a brief, relevant example to illustrate your understanding of how information governance works in practice.

Information governance requires clear accountability:

• Who owns the information?
• Who is accountable for its quality?
• Who ensures it's protected?
• Who approves access?
• Who monitors compliance?

Tip Application: Always mention accountability and role clarity when discussing information governance implementation.

Good governance is never static. Strong answers should mention:

• Monitoring and measurement mechanisms
• Regular audits and assessments
• Feedback loops
• Adaptation to new risks and requirements
• Technology updates and improvements

Tip Application: Frame information governance as an ongoing, evolving process rather than a one-time implementation.

Before submitting exam answers on information governance, verify you've included:

• ☑ Clear definition of what you're discussing
• ☑ Business alignment and purpose
• ☑ Governance structure and roles
• ☑ Risk and compliance considerations
• ☑ Technical and non-technical aspects
• ☑ Lifecycle perspective (creation to disposal)
• ☑ Balance between availability, confidentiality, and integrity
• ☑ Both governance and management elements
• ☑ Accountability and ownership
• ☑ Monitoring and continuous improvement
• ☑ Relevant example or scenario application

• Mistake 1: Confusing information security with information governance. Security is one component; governance is broader.
• Mistake 2: Treating it as only an IT responsibility. Information governance involves the entire organization.
• Mistake 3: Focusing only on protection (confidentiality) while ignoring availability and integrity.
• Mistake 4: Omitting discussion of governance structures and focusing only on technical controls.
• Mistake 5: Forgetting that information has a lifecycle and governance applies throughout.
• Mistake 6: Not addressing compliance and regulatory requirements where relevant.
• Mistake 7: Viewing information governance as a one-time project rather than continuous practice.
• Mistake 8: Not explaining the why behind governance practices.

Practice Q1: Your organization has suffered a data breach involving customer personal information. How would you use information governance principles to prevent this from happening again?
Approach: Discuss governance structures, information classification, access controls, monitoring, accountability, and continuous improvement. Mention compliance requirements and business impact.

Practice Q2: Define information governance and explain why it's important for business continuity.
Approach: Define clearly, explain components, discuss how it enables availability of critical information, ensures quality decisions, maintains compliance, and protects assets.

Practice Q3: How would you establish accountability for information assets in your organization?
Approach: Discuss roles (data stewards, custodians, owners), governance structures, policies, performance metrics, and monitoring.

Practice Q4: What controls should be implemented to ensure high-quality information throughout its lifecycle?
Approach: Address each lifecycle stage, discuss quality standards, validation processes, monitoring, and accountability.

• Stay Focused: Ensure your answer directly addresses the question asked.
• Be Specific: Use relevant terminology from COBIT 2019 when appropriate.
• Show Understanding: Demonstrate why information governance matters, not just what it is.
• Connect Concepts: Link information governance to broader organizational objectives.
• Be Balanced: Address both strategic (governance) and operational (management) perspectives.
• Practice: Review practice questions and develop your own examples.
• Review COBIT Framework: Familiarize yourself with the COBIT 2019 structure and terminology.