UNCLASSIFIED (U)

5 Fam 630

Data Management Policy

(CT:IM-274;†† 05-26-2020)
(Office of Origin:† IRM/BMP/OCA)

5 FAM 631 †General Policies

(CT:IM-165;†† 08-20-2015)

a. Data management incorporates the full spectrum of activities involved in handling data, including its policy, administration, collection, capture, retention, and use.

b. This section provides the general policies of managing data across the Department and key areas where Information Resource Management (IRM) provides support.† The general policy is based on the principle that the Department of State considers data to be an asset.

c.† All systems and business owners while managing data must consider cost, ownership, stewardship, privacy and security, risk management, storage, and security.

d. Business owners should also consider how data relates to existing laws and regulations and how to maximize information sharing across the Department, Federal Government, and if applicable, the public.

5 FAM 631.1 †Definitions

(CT:IM-165;†† 08-20-2015)

a. A data steward is one who oversees and maintains consistent reference data and master data definitions, publishes relevant interpretation and proper usage of the data, and ensures the quality of the content and metadata.

b. A data architect is one who establishes the data architecture, defines the taxonomy and naming conventions to be used, and supports the alignment of the data models to the business needs for the IT system or investment.

c.† A data administrator is one who manages access, security, and integrity of the database and monitors the performance of the database system to maintain any established service level agreements.

d. A data analyst is one who understands, applies a variety of techniques, and analyzes the data to align, interpret, and communicate the data to support effective decision-making.

5 FAM 632 †Scope

(CT:IM-165;†† 08-20-2015)

This policy applies to all programs and projects in the Department that collect and store unclassified data.

5 FAM 633 †Authorities

(CT:IM-258;†† 12-04-2018)

The authorities establishing this policy include:

(1)† Clinger-Cohen Act Ė Public Law 104-106, Section 5125 (40 U.S.C. 11315);

(2)† OMB Circular A-130, Managing Information as a Strategic Resource, July 28, 2016;

(3)† Federal Information Technology Acquisition Reform (FITARA) is Title VIII Subtitle D Sections 831-837 of Public Law 113-291 - Carl Levin and Howard P. "Buck" McKeon National Defense Authorization Act for Fiscal Year 2015;

(4)† OMB Memorandum (M-15-14); Management and Oversight of Federal Information Technology;

(5)† Data Quality Ė OMB, "Guidelines for Ensuring and Maximizing the Quality, Objectivity, Utility and Integrity of Information Disseminated by Federal Agencies," issued pursuant to the Treasury and General Government Appropriations Act for Fiscal Year 2001, Public Law 106-554, Section 515;

(6)† Government Performance and Results Act Modernization Act of 2010, Public Law, 111-352;

(7)† Government Paperwork Elimination Act (GPEA), Public Law, 105-277, Title XVII (44 U.S.C. 3504 note);

(8)† E-Government Act of 2002, Title II;

(9)† OMB Memorandum M-13-13, Open Data Policy Ė Managing Information as an Asset, May 9, 2013;

(10) Executive Order, Making Open and Machine-Readable the New Default for Government Information, May 9, 2013; and

(11) Application and Data Coordination Working Group Charter, May 18, 2012.

5 FAM 634 †Roles and Responsibilities

(CT:IM-274;†† 05-26-2020)

a. On behalf of the Under Secretary for Management, the Office of Management Strategy and Solutions (M/SS) and IRM provide strategic direction for the Department's Data Management policies, processes, and procedures.

b. The Application and Data Coordination Working Group (ADCWG) provides an executive-level body that assists in providing strategic direction in managing data and in promoting the value of data to the Department so that it is managed accordingly.† The mission of the ADCWG is to facilitate data standardization across the Department by engaging both the key stakeholders who maintain enterprise data as well as the users to ensure data standards meet all stakeholders' business needs.† Composed of authoritative personnel who serve as the governing body for determining data standards, the ADCWG approves master reference data sets and provides subject matter expertise for associated definitions, taxonomies, and business rules.† The ADCWG is tri-chaired and sponsored by the Chief Information Officer (IRM), the Chief Financial Officer (CGFS), and the director of M/SS.

c.† The Office of the Chief Architect (IRM/BMP/OCA) provides support in formulating and maintaining the Data Management policy and an enterprise view of information, how it can be shared, accessed, and managed consistently across the Department.† OCA supports the IT Investment process in evaluating and assessing the adherence and compliance of systems to the Data Management policy.

d. The Systems Integration Office (IRM/OPS/SIO) supports the implementation of the Data Management policy by managing and maintaining the Master Reference Data (MRD), Enterprise Metadata Repository (EMR) and the Enterprise Service Bus (ESB).† SIO supports the Data Standardization Process in identifying, analyzing, implementing, and maintaining the master reference data sets that are to be used as standards across the Department.

e. The Strategic Planning Office (IRM/BMP/SPO) supports the adherence and compliance of the Data Management policy by managing and maintaining the Departmentís portfolio management system (iMatrix) as a part of the IT Capital Planning and Investment Control (CPIC) process.† SPO supports the long-range planning, budget and acquisition process to facilitate decision making regarding the best use of available funds to achieve strategic business goals and objectives.

f.† Bureau Executive Directors provide leadership to ensure their data is managed as an asset and ensure IT projects conform to data management policy.

g. Business Owners are accountable for the definition, assignment, and restricting access to data.† Business Owners plan for and ensure implementation of data management policies and standards.

h. System owners are accountable for all control, management, and support aspects of the information system that stores and manages the data.† System Owners prepare and maintain updated implementation plans, which outline how the system will incorporate standardized data sets.† These implementation plans must be submitted annually to the ADCWG chairs.

i.† Data stewards are responsible for resolving data quality issues (content and metadata) in accordance with ADCWG standards and making decisions related to specific data sets and/or information integrity, security, delivery, and access within the assigned business area.† For master reference data, Data Stewards are identified and designated by the ADCWG.

j.† Data architects are responsible for reviewing the business need, developing strategy, processes, and models to ensure the data model leverages existing data as applicable.

k. Data administrators are responsible for ensuring the database is running efficiently and securely.† They monitor the operations of the database in line with the system.

l.† Data analysts collect, analyze, and interpret data in support of business needs. Data Analysts also support the Data Steward and Data Administrator in identifying quality issues and supporting decisions about data sets related to information integrity, security, delivery, and access.

5 FAM 635 †Management of Data LifeCycle

(CT:IM-165;†† 08-20-2015)

a. Create or acquire: During this phase, all data stakeholders must make sure that all the conceptual details and requirements are addressed whether the data is being created or acquired from other sources.

b. Store and maintain: During this phase, the data must be stored using best practices that cover areas such as data integrity and data quality.† There needs to be a mechanism in place to perform quality assurance and quality control to ensure data quality.

c.† Use and share: During this phase, data is shared with the appropriate audiences through secure channels.† System owners must consider leveraging technology to interface with other systems so that sharing of data can be automated; where appropriate, authoritative data sources must be used.

d. Archive or Dispose: During this phase, data must either be archived or disposed in accordance with policies or guidelines associated with the type of data.† System owners must document their standard practices for data storage, archival, or backup.

5 FAM 636 †Data Management Components

(CT:IM-165;†† 08-20-2015)

The Data Management policy provides a framework supporting system and business owners for the purpose of improving the accuracy and integrity of data being used.† The five components of the data management policy are:

(1)† Data Governance: Provides strategic oversight and controls to ensure policy and principles are upheld.† This component is led by the ADCWG;

(2)† Information Architecture: Provides an enterprise view of information, business entities, relationships, attributes, definitions and reference values as guidance to share, access, and manage data consistently across the Department.† This component is led by IRM/BMP/OCA;

(3)† Implementation: Leverages existing investments (e.g., Master Reference Data) to support operations and maintenance of sound policies, processes, and practices.† Provides best practices and standards to manage data as an asset.† All business and system owners participate in this component in coordination with IRM/OPS/SIO and IRM/BMP;

(4)† Information Security Management: Provides the processes and methodologies to protect data.† When new technology and infrastructure are introduced, supports the Department by bringing together the processes, tools, and discipline on how information can be accessed, delivered, and protected.† All business and system owners participate in this component in coordination with IRM/IA and DS; and

(5)† Collaboration: Provides tools and processes to enable better collaboration, management of data to facilitate data sharing and compliance with all regulations and policies.

5 FAM 637 †Data Management Principles

(CT:IM-165;†† 08-20-2015)

The Data Management policy is guided by the following key principles. These principles provide a foundation to:

(1)† Build a consensus amongst data stakeholders across the Department

(2)† Ensure consistency in data management across bureaus and system owners; and

(3)† Implement and monitor compliance to the policy.

5 FAM 637.1 †Managing Data

(CT:IM-165;†† 08-20-2015)

a. Data is an asset of the Department and must be managed accordingly.† It is an invaluable resource for the Department to inform decisions.

b. Data must be carefully managed to ensure that the source is credible.

c.† All data assets must be registered in the Departmentís portfolio management system (iMatrix).

d. Roles and responsibilities for those associated with the data must be clearly defined.

5 FAM 637.2 †Data Quality

(CT:IM-165;†† 08-20-2015)

a. The accuracy of data that is used and shared must be verified and validated.

b. Data quality procedures should be followed throughout the lifecycle.† Data users must be able to clearly identify the data quality procedures (e.g. quality assurance, quality control, etc.) that have been followed.

5 FAM 637.3 †Securing Data

(CT:IM-165;†† 08-20-2015)

a. Data residing in any systems (data at rest) or being transmitted (data in motion) must be secured according to the required level of classification.

b. Data must be protected from unauthorized use and disclosure.

c.† Security needs must be identified and managed at the data and information flow level.

d. An ongoing and evolving data security approach of tested layered controls must be used for reducing risks to data.

5 FAM 637.4 †Sharing Data

(CT:IM-165;†† 08-20-2015)

a. Data is made available to users as needed to perform their functions.

b. Data must be classified and discoverable by users.

c.† Levels of access to the underlying data must be determined by security principles.

d. Common data access policies and guidelines must be adopted and enforced to keep the data current and secure.

e. Clear statements of criteria for data access and, when applicable, information on any limitations must be applied to data to enable control of full access that could affect its use.

f.† Data being shared or published must be consistent with relevant policies, guidelines, and/or initiatives as specified by the Data Policy Framework Working Groupís Information Memo dated March 2015.

5 FAM 637.5 †Authoritative Data Source

(CT:IM-165;†† 08-20-2015)

a. Authoritative data sources must be registered in the Department's portfolio management system (iMatrix), and the associated data sets must be registered in the Enterprise Data Inventory.† Generally, authoritative data sources should also be the primary source system, with an appropriate records disposition schedule, for the data, except where the authoritative data source is a combination of disparate sources.

b. An authoritative data source has to be identified for any data that is being shared.

c.† An authoritative data set is a data asset recognized by the ADCWG as the official data for use by the Department.† The Master Reference Data platform is the authoritative data source for standardized data.

d. Published data that is available and useable to users must be clearly documented with consistent delivery procedures.

5 FAM 637.6 †Common Taxonomy

(CT:IM-165;†† 08-20-2015)

a. Data must be defined consistently throughout the Department.

b. Taxonomy is the science of classification, wherein objects are structured in relation to one another.† It is a conceptual framework for organizing information within a defined scope and context.† Taxonomy is also a component of Information Architecture.

c.† Taxonomies can be applied to any electronic resource system to improve information access.† Taxonomies structure information and are integral to effective data management.

d. Terms in common taxonomies should be defined in a way that is unambiguous, in order to be understandable and available to all stakeholders.

e. Applications or systems using common data sets must use a common vocabulary to facilitate communication.

5 FAM 638 †Data Management Practices

(CT:IM-165;†† 08-20-2015)

The following Data Management practices must be followed by all business and system owners:

(1)† Business owners at all levels (executive directors, program managers, project managers, etc.) must plan for and enforce data management policies and standards;

(2)† Information resource (data) project managers must refer to the Departmentís Information Architecture Blueprint that contains conventions, reference models, practices, and guidelines to ensure architectural alignment;

(3)† System owners must apply effective Data Quality Management procedures that include quality assurance and quality control processes at all stages of the data lifecycle;

(4)† System owners must leverage standardized data sets identified in the Master Reference Data that have been approved by the ADCWG.† Bureaus must prepare and maintain updated implementation plans, which outline how the bureauís systems will incorporate standardized data sets.† These implementation plans should be submitted annually to the ADCWG chairs;

(5)† All system owners must have a mechanism to produce metadata of their key data sets using Metadata Management.† The metadata of the data sets being shared must be provided to the Enterprise Metadata Repository; and

(6)† To ensure effective and secure use of data throughout the lifecycle, some of the key documentation must include:

         Data/Information flows

         Logical Data Model

         Database specifications

         Data storage, backup, and recovery methods

         Archival or disposition plan

5 FAM 639 †Implementing Data Management

5 FAM 639.1 †Enterprise Data Inventory

(CT:IM-165;†† 08-20-2015)

a. iMatrix maintains the inventory of the Department's data assets as a part of the Enterprise Data Inventory (EDI).

b. System or business owners must register their data assets in iMatrix and update the entries on a regular basis.

c.† The EDI contains data elements as required by OMB and other additional data elements so that valuable insights into the data assets can be obtained.

d. The authoritative data sources for the data assets must be identified and entered in iMatrix.

e. The data assets must be categorized in accordance with the Information Reference Model specified in the Information Architecture Blueprint.

5 FAM 639.2 †Master Reference Data

(CT:IM-165;†† 08-20-2015)

a. Master Reference Data (MRD) is a set of stable reference data sets sharable by all business teams and applications across the Department.

b. Incorporating Master Reference Data into all Department systems where applicable improves the accuracy and integrity of data being used, while also facilitating information exchange and cross-system reporting.

c.† The MRD application is the central source for the Departmentís authoritative data sets approved by the ADCWG.

d. The MRD application improves the accuracy, consistency, and timeliness of reference data, while reducing maintenance requirements.

e. Master Reference Data is available to application developers in various formats, including as a web service.

f.† Master Reference Data is maintained by the data steward established and appointed during the data standardization process chartered by the ADCWG.

g. System and business owners must incorporate or have a plan of incorporating the Master Reference Data into their system and process where the data is applicable.† Adherence to this policy will be evaluated as a part of the CPIC process.

h. The owners of information resource programs and projects must apply data sharing and use of Master Reference Data (MRD), as approved by the ADCWG, as explicit business requirements for all Department systems and must integrate these data management principles into the data lifecycle.

5 FAM 639.3 †Security Guidelines and Checklists

(CT:IM-175;†† 03-15-2016)

a. IT access controls must be implemented pursuant to 12 FAM 623.1, 12 FAH-10 H-110, and 12 FAM 630.

b. IT security awareness and training must be implemented pursuant to 5 FAM 845, 12 FAM 623.5, 12 FAH-10 H-210, and 12 FAM 630.

c.† IT auditing and accountability must be implemented pursuant to 12 FAM 623.2, 12 FAH-10 H-120, and 12 FAM 630.

d. IT security and authorization assessments must be conducted pursuant to 1 FAM 262, 5 FAH-6, 5 FAH-11, 12 FAM 623.14, 12 FAH-10 H-310, and 12 FAM 630.

e. IT configuration management must be implemented pursuant to 5 FAM 650, 12 FAM 623.6, 12 FAH-10 H-220, and 12 FAM 630.

f.† IT contingency planning must be implemented pursuant to 5 FAM 1060, 12 FAM 623.7, 12 FAH-10 H-230, and 12 FAM 630.

g. User and system identification and authentication measures must be implemented pursuant to 12 FAM 623.3, 12 FAH-10 H-130, and 12 FAM 630.

h. Computer security incident response must be implemented pursuant to 12 FAM 590, 12 FAM 623.8, 12 FAH-10 H-240, 12 FAM 630, and 1 FAM 262.

i.† IT system maintenance must be implemented pursuant to 5 FAH-5, 5 FAH-11, 12 FAM 623.9, 12 FAH-10 H-250, and 12 FAM 630.

j.† Document and media protection must be implemented pursuant to 5 FAH-11, 7 FAH-2, 12 FAM 623.10, 12 FAH-10 H-260, and 12 FAM 630.

k. Physical and environmental protection must be implemented pursuant to 12 FAM 623.11, 12 FAH-10 H-270, 12 FAM 630, 12 FAH-5, 12 FAM 390, 12 FAM 530, and12 FAM 575.

l.† Security planning must be conducted pursuant to 12 FAH-5, 12 FAM 623.15, 12 FAH-10 H-320, 12 FAM 630, and 12 FAH-11.

m. Information security program plans must be developed and disseminated pursuant to12 FAM 500 and 5 FAH-11.

n. Personnel security must be implemented pursuant to 5 FAM 100, 5 FAM 900, 5 FAH-11, 12 FAM 623.12, 12 FAH-10 H-280, and 12 FAM 630.

o. IT risk assessments must be conducted pursuant to 5 FAH-5, 5 FAH-11, 12 FAM 623.16, 12 FAH-10 H-330, and 12 FAM 630.

p. System and service acquisition must be managed pursuant to 5 FAH-5, 5 FAH-11, 12 FAM 623.17, 12 FAH-10 H-340, and 12 FAM 630.

q. Systems and communication protections must be implemented pursuant to 5 FAH-11, 12 FAM 623.4, 12 FAH-10 H-140, and 12 FAM 630.

r.† System and information integrity must be maintained pursuant to 12 FAM 623.13, 12 FAH-10 H-290, and 12 FAM 630.

5 FAM 639.4 †Enterprise Metadata Repository

(CT:IM-175;†† 03-15-2016)

a. Metadata is the definition or description of data.† In data processing, metadata provides information about, or documentation of, other data managed within an application or environment.† For example, metadata would include name, size, data type, and definition for a data element or attribute, as well as data about records or data structures (length, fields, columns, etc.) and information about data (e.g., where it is located, how it is associated, who owns it, what other data it may be related to, etc.).

b. The Enterprise Metadata Repository (EMR) contains enterprise metadata elements from various sources in a centralized system.

c.† IRM/OPS/SIO provides user access and accounts and administers the application, as follows:

(1)† Provides data to both technical and business users;

(2)† Provides repeatable data transformation processes;

(3)† Supports data standardization;

(4)† Provides data traceability across systems; and

(5)† Provides a capability to produce impact analysis for changes to Department systems.

d. IT project managers must provide metadata to the EMR based on the requirements previously stated in 5 FAM 638, subparagraph (5).

5 FAM 639.5 †Authoritative Data Sets

(CT:IM-165;†† 08-20-2015)

a. All authoritative data sets must be identified as a part of the Enterprise Data Inventory.

b. A comprehensive list of reference data sets and their authoritative data sources can be found in the Master Reference Data tables.

c.† Uses of authoritative data sets require all naming, classification, and standardization conventions to be in compliance with the determination made by the ADCWG.

d. The data must be maintained and updated by the appropriate data steward, to be selected by the ADCWG.

e. Data consumers and/or application owners must request changes to data sets through the ADCWG change request (CR) process.

f.† Manipulating data 'downstream' for alternative functions is permissible (such as appending data points that require a security classification), provided the MRD is still the source of the data and the manipulated data is not exchanged across bureaus.

g. The core attributes identified with each data set must be stored in each system that is required to use the reference data sets from the MRD.† Storing the core attributes ensures that common elements are stored in each system to facilitate data exchange and to make downstream aggregation of data possible.

h. Data up to the SBU-level should be exchanged with the MRD through IRMís SBU Enterprise Service Bus (ESB).† Any exceptions should be documented in the Capital Planning and Investment Control process.

5 FAM 639.6 †Naming Conventions

(CT:IM-165;†† 08-20-2015)

a. Department systems must adhere to object naming conventions as governed by the ADCWG and be compatible with the Federal Information Processing Standards (FIPS) 156 Information Resource Dictionary System (IRDS) standard and the National Institute of Standards and Technology (NIST) data design guidelines.

b. Object definition and naming conventions are critical in facilitating object sharing and consistency across the Departmentís organizations.

c.† The Departmentís naming conventions describe how objects should be defined, including what metadata should be documented.† In addition, naming conventions are defined to:

(1)† Facilitate object sharing, object consistency, and communication among the Departmentís organizations;

(2)† Increase reliability of information stored, shared, and managed by the repository tool set;

(3)† Promote accessibility and understandability of information across systems;

(4)† Improve the quality of data and application documentation;

(5)† Eliminate data redundancy and inconsistency;

(6)† Facilitate user access to object names and related documentation as used throughout the Department.

(7)† Assist analysts in selecting names that are clear and represent rules of good grammar; and

(8)† Simplify recognition of synonyms.

UNCLASSIFIED (U)