The data governance story: How to develop policies & rules

Offering Manager, IBM InfoSphere Information Governance Catalog, IBM

If information is paramount, it becomes our collective responsibility to nurture, develop, secure and protect information. One should nurture and develop information so that it is well formed, mature and timely; and secure and protect information so that it is valued and guarded, not shared or misused.

The importance of policies and rules 

Thus, applying governance through an established set of policies and rules is the basic tenet for any information. This is much like the historical evolution of governance, from kings who were responsible for their subjects to today, where an enterprise is responsible for its information and its dissemination. An enterprise now places greater focus on its information for analytics and growth. Thus, the development, maintenance and enactment of policies and rules are not only critical, but must be incorporated into the business culture and processes. All employees must be aware of and adhere to such policies, even as those policies continually evolve and adapt to reflect alterations and growth of varied corporate or regulatory requirements. Policies therefore require a novel approach of management and continued support and funding from executive leadership and the IT organization, often driven by the office of the Chief Data Officer (CDO).

The Dodd-Frank Act, Health Insurance Portability and Accountability Act (HIPAA) and Basel Committee on Banking Supervision (BCBS-239) are all examples of such regulatory bodies and requirements that drive uniform policies for the protection, privacy or mitigation of risk of the related information and require a system to document, share and review such policies across the enterprise domain.

Policies and rules are therefore the vehicle by which an enterprise can establish, declare and make known the basic requirements for the general structure, format, identity, ownership, usage and access for all information within the enterprise. They thus aid in conformance to standards and the mitigation of risk, and are further delivered and enacted through the establishment of operational rules and applications.


Figure 1: IBM InfoSphere Information Governance Catalog allows users to search and explore the foundational policies and understand their definitions and requirements in natural language. One can further explore the associated operational rules and enacted data sources.

Policies and rules are a building block of any governance solution. Let’s now look at what they mean for a data governance program in detail.


Policies define the parameters for the operational activities and storage of information. They are considered a documented set of guidelines for ensuring the proper management and usage of information. They reflect upon the accountability and allowed or intended usage of information. Policies are generally exacting and purposeful, aligned with campaigns such as Data Security, Data Transformation or Life Cycle Management within the context of a regulatory requirement.

Within the enterprise, the data governance team should initially establish abstract policies that reflect such campaigns and the core set of requirements, then expand upon such areas or requirements with a more refined and exacting set of policies. A hierarchy of policies and references establishes the domain and specificity for each.


Figure 2: Display of Governance Policy Hierarchy within IBM InfoSphere Information Governance Catalog


Rules formalize the declarations of the policy, and establish the framework for the standardization, validation or security of information. Rules, unlike policies, are specific and concrete, and therefore multiple rules may be required to enact a single policy or set of policies.

Rules are required for the effective management and valuation of information, ensuring consistency of information, and that it conforms to given standards and quality metrics. They further allow for the active monitoring and compliance against the corporate or regulatory initiatives and specified business objectives. 

Such rules may involve the profiling and analysis of information, determining the classification and characteristics of information, or the integration of reference data. For example, scanning a customer account table will alert the data governance team to the presence of address information, and the rules for standardizing such information through varied operational rules. 

Further, rules are an active component in securing information through its definition for the engagement of information and the subsequent risk assessment. For example, the same customer account table includes customer name and account details, and the data governance team, once alerted to this, is responsible for enacting rules to restrict access and mask data when required.

Figure 3: Display of Governance Rule within IBM InfoSphere Information Governance Catalog.


The data steward, at a later stage within the data governance process, will be responsible for securing information through such policies and operational rules. This will allow individuals to access information responsibly, under the established guidelines for information access and usage. Actions which are performed against information must account for the presence of any given rule, and the requirements set forth.


Policies and operational rules are a core component for an enterprise and a valued asset which must facilitate the ability to search, explore, understand their definitions and intentions, as well as their enactment and binding. They deliver upon the organizational requirements to support all governance initiatives and regulatory requirements.

Download a trial edition of IBM InfoSphere Information Governance Catalog today, and learn how to support and deliver upon the basic tenets of data governance by defining the governance policies and rules for your enterprise.