By Daryl Crockett
I think by now, we are all familiar with the perils and reality of our new cyber world order. The woes of Target, Sony and even the IRS have opened our eyes to the fact that protecting data is a fiduciary responsibility and a seemingly insurmountable task at times.
Employee, customer, credit card and financial data certainly top the list of domains to be protected. ERP systems have evolved to configure user access by functional role and SOX segregation of duties requirements. Ever-improving firewalls, encryption, and the latest intrusion detection software will hopefully protect companies from most inbound infiltration threats targeting these commonly identified domains of precious data.
But buried deep within the stores of millions of seemingly harmless and mundane supply chain data are “nuggets of gold” which, in the hands of a fierce competitor, could be an open playbook of the key factors that give the target company their competitive advantages.
Vendors, assets and materials are tools of a business. Blindly granting access to staff and subcontractors who might share (intentionally or not) this information with a company’s competitors can be akin to giving over the keys to the city. All the non-disclosure agreements in the world can’t protect a company when a competitor learns the intimate details of how a business conducts its business.
Recently, when I was advising a major manufacturing company on data governance for their supply chain, they expressed deep concerns over sharing information on certain vendors and materials used in their proprietary manufacturing process. They explained that this information could be very dangerous in the hands of their competitors. It might reveal secrets to the formulation of their products and what suppliers were most valuable to those processes. With this data, their competitors might seek to replicate their secret formulas, or a competitor could block them out of those suppliers who were critical to meeting production deadlines.
But the data the client feared could be harmful if exposed was buried deep within their vendor and material masters and their purchase order data, mixed all together with all of their commonplace data. It took the client a long time and a lot of effort to peel out the data they did not wish to share because there was no attribute, field or definitive list to indicate that a particular vendor, material or asset should be considered sensitive data.
In the end, I am certain the client was not able to identify and partition off all of their sensitive data. They just didn’t have the manpower or the time. And when we think about how data is consumed and flows through an organization, plucking out sensitive vendors and materials buried and mixed into the millions of lines of purchasing data and spend reports is much more of a challenge without pre-identified master data.
In most large companies, there is a small army of in-house staff and internal and external contractors who view supply chain data for very valid business reasons, so making all material, vendor and asset information highly “protected” (the way payroll data is protected) could seriously hamper normal business functions.
So how do we ensure we can easily identify sensitive Supply Chain and Fixed Asset data?
The best way to make certain that special material, fixed asset and vendor data remain private is to create or utilize a field within the master data record itself to indicate that a certain record (or field or value within a record) requires higher security. While maintaining separate lists of potentially sensitive data to reference data against might seem like a viable method, it is more effective and efficient to imbed the security label within the master data record itself.
This technique has been an integral part of the NATO cataloging system for almost 50 years and allows for not only the record to be flagged but also a specific data element within a record, i.e. a specific property value pair. Both ISO 22745 and ISO 8000 Data Quality standards work at the property value pair level as opposed to the record level.
For more information on cataloging and master data management, I recommend reading Advanced Cataloging and Master Data Management.
Master records are much easier to govern than transactional records. When the master data is first created, the procurement team usually understands the importance and inherent risk in that data being created. So this is the opportune time to record any security risk flag. As master data records are combined and used for creation of transactions and reports, the security marker within the consumed master data records (or easily referenced within the corresponding master data table) can be read. If a security flag is found, this can trigger an action for an identified record to be masked, stripped, blocked or whatever is needed to protect that data from exposure.
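The flow described above, sketched in Python as an added example (not code from this article or from any ERP product): a spend report reads the security flags stored in the material master and blocks flagged records or masks flagged property values. The field names `sensitivity` and `sensitive_props`, the `cleared` viewer flag and all sample records are assumptions constructed for illustration.

```python
# Constructed sample data. The field names "sensitivity" and "sensitive_props"
# are assumptions for illustration, not fields of any particular ERP system.
MATERIALS = {
    "M-100": {"desc": "Steel bolt M8", "supplier": "V-01",
              "sensitivity": "normal", "sensitive_props": set()},
    # Property-level flag: only the supplier value is sensitive.
    "M-200": {"desc": "Catalyst blend", "supplier": "V-07",
              "sensitivity": "normal", "sensitive_props": {"supplier"}},
    # Record-level flag: the whole record is sensitive.
    "M-300": {"desc": "Proprietary resin", "supplier": "V-09",
              "sensitivity": "restricted", "sensitive_props": set()},
}
PURCHASE_ORDERS = [
    {"po": "PO-1", "material": "M-100", "qty": 500},
    {"po": "PO-2", "material": "M-200", "qty": 20},
    {"po": "PO-3", "material": "M-300", "qty": 5},
    {"po": "PO-4", "material": "M-999", "qty": 1},  # no master record exists
]
MASK = "***"


def spend_report(orders, materials, cleared=False):
    """Join purchase orders to the material master, applying its security flags."""
    rows = []
    for po in orders:
        master = materials.get(po["material"])
        if master is None:
            # Unclassifiable line: fail closed for viewers without clearance.
            if cleared:
                rows.append({**po, "desc": None, "supplier": None})
            continue
        if master["sensitivity"] == "restricted" and not cleared:
            continue  # record-level flag: block the whole line
        row = {**po, "desc": master["desc"], "supplier": master["supplier"]}
        if not cleared:
            for prop in master["sensitive_props"]:
                row[prop] = MASK  # property-level flag: mask only that value
        rows.append(row)
    return rows


if __name__ == "__main__":
    for viewer, cleared in (("contractor", False), ("procurement lead", True)):
        print(viewer, spend_report(PURCHASE_ORDERS, MATERIALS, cleared))
```

Because the flags live in the master record, the report needs no separate list of sensitive items, and a transaction that references a material with no master record is withheld from uncleared viewers rather than shown unclassified.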
While these new security markers and subsequent procedures can take effort to implement, they should be added as soon as possible to the formal requirements for the master data records and for the creation of any new supply chain related programs and reports.
Security is the new data dimension. Savvy companies, their consultants and tech partners who together build and update their enterprise systems should wisely start to plan for and imbed the protection of their precious data within the master data records themselves.