5 FAM 630
Data Management Policy
(CT:IM-258; 12-04-2018)
(Office of Origin: IRM/BMP/OCA)
5 FAM 631 General Policies
(CT:IM-165; 08-20-2015)
a. Data management incorporates the full spectrum of
activities involved in handling data, including its policy, administration,
collection, capture, retention, and use.
b. This section provides the general policies of
managing data across the Department and key areas where Information Resource
Management (IRM) provides support. The general policy is based on the
principle that the Department of State considers data to be an asset.
c. All systems and business owners while managing data
must consider cost, ownership, stewardship, privacy and security, risk
management, storage, and security.
d. Business owners should also consider how data
relates to existing laws and regulations and how to maximize information
sharing across the Department, Federal Government, and if applicable, the
public.
5 FAM 631.1 Definitions
(CT:IM-165; 08-20-2015)
a. A data steward is one who oversees and maintains
consistent reference data and master data definitions, publishes relevant
interpretation and proper usage of the data, and ensures the quality of the
content and metadata.
b. A data architect is one who establishes the data
architecture, defines the taxonomy and naming conventions to be used, and
supports the alignment of the data models to the business needs for the IT
system or investment.
c. A data administrator is one who manages access,
security, and integrity of the database and monitors the performance of the
database system to maintain any established service level agreements.
d. A data analyst is one who understands, applies a
variety of techniques, and analyzes the data to align, interpret, and
communicate the data to support effective decision-making.
5 FAM 632 Scope
(CT:IM-165; 08-20-2015)
This policy applies to all programs and projects in the
Department that collect and store unclassified data.
5 FAM 633 Authorities
(CT:IM-258; 12-04-2018)
The authorities establishing this policy include:
(1) Clinger-Cohen Act Public Law 104-106, Section
5125 (40 U.S.C. 11315);
(2) OMB Circular A-130, Managing Information as a
Strategic Resource, July 28, 2016;
(3) Federal Information Technology Acquisition Reform
(FITARA) is Title VIII Subtitle D Sections 831-837 of Public Law 113-291 - Carl
Levin and Howard P. "Buck" McKeon National Defense Authorization Act
for Fiscal Year 2015;
(4) OMB Memorandum (M-15-14); Management and Oversight
of Federal Information Technology;
(5) Data Quality OMB, "Guidelines for Ensuring
and Maximizing the Quality, Objectivity, Utility and Integrity of Information
Disseminated by Federal Agencies," issued pursuant to the Treasury and
General Government Appropriations Act for Fiscal Year 2001, Public Law 106-554,
Section 515;
(6) Government Performance and Results Act Modernization Act of
2010, Public Law, 111-352;
(7) Government Paperwork Elimination Act (GPEA),
Public Law, 105-277, Title XVII (44 U.S.C. 3504 note);
(8) E-Government Act of 2002, Title II;
(9) OMB Memorandum M-13-13, Open Data Policy
Managing Information as an Asset, May 9, 2013;
(10) Executive Order, Making Open and Machine-Readable
the New Default for Government Information, May 9, 2013; and
(11) Application and Data Coordination Working Group
Charter, May 18, 2012.
5 FAM 634 Roles and Responsibilities
(CT:IM-165; 08-20-2015)
a. On behalf of the Under Secretary for Management, the
Office of Management Policy, Rightsizing, and Innovation (M/PRI) and IRM
provide strategic direction for the Department's Data Management policies,
processes, and procedures.
b. The Application and Data Coordination Working Group
(ADCWG) provides an executive-level body that assists in providing strategic
direction in managing data and in promoting the value of data to the Department
so that it is managed accordingly. The mission of the ADCWG is to facilitate
data standardization across the Department by engaging both the key
stakeholders who maintain enterprise data as well as the users to ensure data
standards meet all stakeholders' business needs. Composed of authoritative
personnel who serve as the governing body for determining data standards, the
ADCWG approves master reference data sets and provides subject matter expertise
for associated definitions, taxonomies, and business rules. The ADCWG is
tri-chaired and sponsored by the Chief Information Officer (IRM), the Chief
Financial Officer (CGFS), and the Director of M/PRI.
c. The Office of the Chief Architect (IRM/BMP/OCA)
provides support in formulating and maintaining the Data Management policy and
an enterprise view of information, how it can be shared, accessed, and managed
consistently across the Department. OCA supports the IT Investment process in
evaluating and assessing the adherence and compliance of systems to the Data Management
policy.
d. The Systems Integration Office (IRM/OPS/SIO)
supports the implementation of the Data Management policy by managing and
maintaining the Master Reference Data (MRD), Enterprise Metadata Repository
(EMR) and the Enterprise Service Bus (ESB). SIO supports the Data
Standardization Process in identifying, analyzing, implementing, and
maintaining the master reference data sets that are to be used as standards
across the Department.
e. The Strategic Planning Office (IRM/BMP/SPO) supports
the adherence and compliance of the Data Management policy by managing and
maintaining the Department's portfolio management system (iMatrix) as a part of
the IT Capital Planning and Investment Control (CPIC) process. SPO supports
the long-range planning, budget and acquisition process to facilitate decision
making regarding the best use of available funds to achieve strategic business
goals and objectives.
f. Bureau Executive Directors provide leadership to
ensure their data is managed as an asset and ensure IT projects conform to data
management policy.
g. Business Owners are accountable for the definition,
assignment, and restricting access to data. Business Owners plan for and
ensure implementation of data management policies and standards.
h. System owners are accountable for all control,
management, and support aspects of the information system that stores and
manages the data. System Owners prepare and maintain updated implementation
plans, which outline how the system will incorporate standardized data sets.
These implementation plans must be submitted annually to the ADCWG chairs.
i. Data stewards are responsible for resolving data
quality issues (content and metadata) in accordance with ADCWG standards and
making decisions related to specific data sets and/or information integrity,
security, delivery, and access within the assigned business area. For master
reference data, Data Stewards are identified and designated by the ADCWG.
j. Data architects are responsible for reviewing the
business need, developing strategy, processes, and models to ensure the data
model leverages existing data as applicable.
k. Data administrators are responsible for ensuring the
database is running efficiently and securely. They monitor the operations of
the database in line with the system.
l. Data analysts collect, analyze, and interpret data
in support of business needs. Data Analysts also support the Data Steward and
Data Administrator in identifying quality issues and supporting decisions about
data sets related to information integrity, security, delivery, and access.
5 FAM 635 Management of Data LifeCycle
(CT:IM-165; 08-20-2015)
a. Create or acquire: During this phase, all data
stakeholders must make sure that all the conceptual details and requirements
are addressed whether the data is being created or acquired from other sources.
b. Store and maintain: During this phase, the data must
be stored using best practices that cover areas such as data integrity and data
quality. There needs to be a mechanism in place to perform quality assurance
and quality control to ensure data quality.
c. Use and share: During this phase, data is shared
with the appropriate audiences through secure channels. System owners must
consider leveraging technology to interface with other systems so that sharing
of data can be automated; where appropriate, authoritative data sources must be
used.
d. Archive or Dispose: During this phase, data must
either be archived or disposed in accordance with policies or guidelines
associated with the type of data. System owners must document their standard
practices for data storage, archival, or backup.
5 FAM 636 Data Management Components
(CT:IM-165; 08-20-2015)
The Data Management policy provides a framework supporting
system and business owners for the purpose of improving the accuracy and
integrity of data being used. The five components of the data management
policy are:
(1) Data Governance: Provides
strategic oversight and controls to ensure policy and principles are upheld.
This component is led by the ADCWG;
(2) Information Architecture:
Provides an enterprise view of information, business entities,
relationships, attributes, definitions and reference values as guidance to
share, access, and manage data consistently across the Department. This component
is led by IRM/BMP/OCA;
(3) Implementation: Leverages
existing investments (e.g., Master Reference Data) to support operations and
maintenance of sound policies, processes, and practices. Provides best
practices and standards to manage data as an asset. All business and system
owners participate in this component in coordination with IRM/OPS/SIO and
IRM/BMP;
(4) Information Security Management: Provides
the processes and methodologies to protect data. When new technology and
infrastructure are introduced, supports the Department by bringing together the
processes, tools, and discipline on how information can be accessed, delivered,
and protected. All business and system owners participate in this component in
coordination with IRM/IA and DS; and
(5) Collaboration: Provides
tools and processes to enable better collaboration, management of data to
facilitate data sharing and compliance with all regulations and policies.
5 FAM 637 Data Management Principles
(CT:IM-165; 08-20-2015)
The Data Management policy is guided by the following key
principles. These principles provide a foundation to:
(1) Build a consensus amongst data stakeholders across
the Department;
(2) Ensure consistency in data management across
bureaus and system owners; and
(3) Implement and monitor compliance to the policy.
5 FAM 637.1 Managing Data
(CT:IM-165; 08-20-2015)
a. Data is an asset of the Department and must be
managed accordingly. It is an invaluable resource for the Department to inform
decisions.
b. Data must be carefully managed to ensure that the
source is credible.
c. All data assets must be registered in the
Department's portfolio management system (iMatrix).
d. Roles and responsibilities for those associated with
the data must be clearly defined.
5 FAM 637.2 Data Quality
(CT:IM-165; 08-20-2015)
a. The accuracy of data that is used and shared must be
verified and validated.
b. Data quality procedures should be followed
throughout the lifecycle. Data users must be able to clearly identify the data
quality procedures (e.g. quality assurance, quality control, etc.) that have
been followed.
5 FAM 637.3 Securing Data
(CT:IM-165; 08-20-2015)
a. Data residing in any systems (data at rest) or being
transmitted (data in motion) must be secured according to the required level of
classification.
b. Data must be protected from unauthorized use and
disclosure.
c. Security needs must be identified and managed at
the data and information flow level.
d. An ongoing and evolving data security approach of
tested layered controls must be used for reducing risks to data.
5 FAM 637.4 Sharing Data
(CT:IM-165; 08-20-2015)
a. Data is made available to users as needed to perform
their functions.
b. Data must be classified and discoverable by users.
c. Levels of access to the underlying data must be
determined by security principles.
d. Common data access policies and guidelines must be
adopted and enforced to keep the data current and secure.
e. Clear statements of criteria for data access and,
when applicable, information on any limitations must be applied to data to
enable control of full access that could affect its use.
f. Data being shared or published must be consistent
with relevant policies, guidelines, and/or initiatives as specified by the Data
Policy Framework Working Group's Information Memo dated March 2015.
5 FAM 637.5 Authoritative Data Source
(CT:IM-165; 08-20-2015)
a. Authoritative data sources must be registered in the
Department's portfolio management system (iMatrix), and the associated data
sets must be registered in the Enterprise Data Inventory. Generally,
authoritative data sources should also be the primary source system, with an
appropriate records disposition schedule, for the data, except where the
authoritative data source is a combination of disparate sources.
b. An authoritative data source has to be identified
for any data that is being shared.
c. An authoritative data set is a data asset
recognized by the ADCWG as the official data for use by the Department. The
Master Reference Data platform is the authoritative data source for
standardized data.
d. Published data that is available and useable to
users must be clearly documented with consistent delivery procedures.
5 FAM 637.6 Common Taxonomy
(CT:IM-165; 08-20-2015)
a. Data must be defined consistently throughout the
Department.
b. Taxonomy is the science of classification, wherein
objects are structured in relation to one another. It is a conceptual
framework for organizing information within a defined scope and context.
Taxonomy is also a component of Information Architecture.
c. Taxonomies can be applied to any electronic
resource system to improve information access. Taxonomies structure information
and are integral to effective data management.
d. Terms in common taxonomies should be defined in a
way that is unambiguous, in order to be understandable and available to all
stakeholders.
e. Applications or systems using common data sets must
use a common vocabulary to facilitate communication.
5 FAM 638 Data Management Practices
(CT:IM-165; 08-20-2015)
The following Data Management practices must be followed
by all business and system owners:
(1) Business owners at all levels (executive directors,
program managers, project managers, etc.) must plan for and enforce data
management policies and standards;
(2) Information resource (data) project managers must
refer to the Department's Information Architecture Blueprint that contains
conventions, reference models, practices, and guidelines to ensure
architectural alignment;
(3) System owners must apply effective Data Quality
Management procedures that include quality assurance and quality control
processes at all stages of the data lifecycle;
(4) System owners must leverage standardized data sets
identified in the Master Reference Data that have been approved by the ADCWG.
Bureaus must prepare and maintain updated implementation plans, which outline
how the bureaus' systems will incorporate standardized data sets. These
implementation plans should be submitted annually to the ADCWG chairs;
(5) All system owners must have a mechanism to produce
metadata of their key data sets using Metadata Management. The metadata of the
data sets being shared must be provided to the Enterprise Metadata Repository;
and
(6) To ensure effective and secure use of data
throughout the lifecycle, some of the key documentation must include:
Data/Information flows
Logical Data Model
Database specifications
Data storage, backup, and recovery methods
Archival or disposition plan
5 FAM 639 Implementing Data Management
5 FAM 639.1 Enterprise Data Inventory
(CT:IM-165; 08-20-2015)
a. iMatrix maintains the inventory of the Department's
data assets as a part of the Enterprise Data Inventory (EDI).
b. System or business owners must register their data
assets in iMatrix and update the entries on a regular basis.
c. The EDI contains data elements as required by OMB
and other additional data elements so that valuable insights into the data
assets can be obtained.
d. The authoritative data sources for the data assets
must be identified and entered in iMatrix.
e. The data assets must be categorized in accordance
with the Information Reference Model specified in the Information Architecture
Blueprint.
5 FAM 639.2 Master Reference Data
(CT:IM-165; 08-20-2015)
a. Master Reference Data (MRD) is a set of stable
reference data sets sharable by all business teams and applications across the
Department.
b. Incorporating Master Reference Data into all
Department systems where applicable improves the accuracy and integrity of data
being used, while also facilitating information exchange and cross-system
reporting.
c. The MRD application is the central source for the
Department's authoritative data sets approved by the ADCWG.
d. The MRD application improves the accuracy,
consistency, and timeliness of reference data, while reducing maintenance
requirements.
e. Master Reference Data is available to application
developers in various formats, including as a web service.
f. Master Reference Data is maintained by the data
steward established and appointed during the data standardization process
chartered by the ADCWG.
g. System and business owners must incorporate or have
a plan of incorporating the Master Reference Data into their system and process
where the data is applicable. Adherence to this policy will be evaluated as a
part of the CPIC process.
h. The owners of information resource programs and
projects must apply data sharing and use of Master Reference Data (MRD), as
approved by the ADCWG, as explicit business requirements for all Department
systems and must integrate these data management principles into the data
lifecycle.
5 FAM 639.3 Security Guidelines and Checklists
(CT:IM-175; 03-15-2016)
a. IT access controls must be implemented pursuant to 12 FAM 623.1, 12 FAH-10 H-110,
and 12 FAM 630.
b. IT security awareness and training must be
implemented pursuant to 5 FAM 845, 12 FAM 623.5, 12 FAH-10 H-210,
and 12 FAM 630.
c. IT auditing and accountability must be implemented
pursuant to 12 FAM 623.2, 12 FAH-10 H-120, and 12 FAM 630.
d. IT security and authorization assessments must be
conducted pursuant to 1 FAM 262, 5 FAH-6, 5 FAH-11, 12 FAM 623.14,
12 FAH-10 H-310, and 12 FAM 630.
e. IT configuration management must be implemented
pursuant to 5 FAM 650, 12 FAM 623.6, 12 FAH-10 H-220,
and 12 FAM 630.
f. IT contingency planning must be implemented
pursuant to 5 FAM 1060, 12 FAM 623.7, 12 FAH-10 H-230,
and 12 FAM 630.
g. User and system identification and authentication
measures must be implemented pursuant to 12 FAM 623.3, 12 FAH-10 H-130,
and 12 FAM 630.
h. Computer security incident response must be
implemented pursuant to 12 FAM 590, 12 FAM 623.8, 12 FAH-10 H-240,
12 FAM 630,
and 1 FAM 262.
i. IT system maintenance must be implemented pursuant
to 5 FAH-5, 5 FAH-11, 12 FAM 623.9, 12 FAH-10 H-250,
and 12 FAM 630.
j. Document and media protection must be implemented
pursuant to 5 FAH-11, 7 FAH-2, 12 FAM 623.10, 12 FAH-10 H-260,
and 12 FAM 630.
k. Physical and environmental protection must be
implemented pursuant to 12 FAM 623.11, 12 FAH-10 H-270, 12 FAM 630,
12 FAH-5, 12 FAM 390, 12 FAM 530, and 12 FAM 575.
l. Security planning must be conducted pursuant to
12 FAH-5, 12 FAM 623.15, 12 FAH-10 H-320, 12 FAM 630,
and 12 FAH-11.
m. Information security program plans must be developed
and disseminated pursuant to 12 FAM 500 and 5 FAH-11.
n. Personnel security must be implemented pursuant to
5 FAM 100, 5 FAM 900, 5 FAH-11, 12 FAM 623.12, 12 FAH-10 H-280,
and 12 FAM 630.
o. IT risk assessments must be conducted pursuant to
5 FAH-5, 5 FAH-11, 12 FAM 623.16, 12 FAH-10 H-330,
and 12 FAM 630.
p. System and service acquisition must be managed
pursuant to 5 FAH-5, 5 FAH-11, 12 FAM 623.17, 12 FAH-10 H-340,
and 12 FAM 630.
q. Systems and communication protections must be
implemented pursuant to 5 FAH-11, 12 FAM 623.4, 12 FAH-10 H-140,
and 12 FAM 630.
r. System and information integrity must be maintained
pursuant to 12 FAM 623.13, 12 FAH-10 H-290, and 12 FAM 630.
5 FAM 639.4 Enterprise Metadata Repository
(CT:IM-175; 03-15-2016)
a. Metadata is the definition or description of data.
In data processing, metadata provides information about, or documentation of,
other data managed within an application or environment. For example, metadata
would include name, size, data type, and definition for a data element or
attribute, as well as data about records or data structures (length, fields,
columns, etc.) and information about data (e.g., where it is located, how it is
associated, who owns it, what other data it may be related to, etc.).
b. The Enterprise Metadata Repository (EMR) contains
enterprise metadata elements from various sources in a centralized system.
c. IRM/OPS/SIO provides user access and accounts and
administers the application, as follows:
(1) Provides data to both technical and business
users;
(2) Provides repeatable data transformation processes;
(3) Supports data standardization;
(4) Provides data traceability across systems; and
(5) Provides a capability to produce impact analysis
for changes to Department systems.
d. IT project managers must provide metadata to the EMR
based on the requirements previously stated in 5 FAM 638, subparagraph
(5).
5 FAM 639.5 Authoritative Data Sets
(CT:IM-165; 08-20-2015)
a. All authoritative data sets must be identified as a
part of the Enterprise Data Inventory.
b. A comprehensive list of reference data sets and
their authoritative data sources can be found in the Master Reference Data
tables.
c. Uses of authoritative data sets require all naming,
classification, and standardization conventions to be in compliance with the
determination made by the ADCWG.
d. The data must be maintained and updated by the
appropriate data steward, to be selected by the ADCWG.
e. Data consumers and/or application owners must
request changes to data sets through the ADCWG change request (CR) process.
f. Manipulating data 'downstream' for alternative
functions is permissible (such as appending data points that require a security
classification), provided the MRD is still the source of the data and the
manipulated data is not exchanged across bureaus.
g. The core attributes identified with each data set
must be stored in each system that is required to use the reference data sets
from the MRD. Storing the core attributes ensures that common elements are
stored in each system to facilitate data exchange and to make downstream
aggregation of data possible.
h. Data up to the SBU-level should be exchanged with
the MRD through IRM's SBU Enterprise Service Bus (ESB). Any exceptions should
be documented in the Capital Planning and Investment Control process.
5 FAM 639.6 Naming Conventions
(CT:IM-165; 08-20-2015)
a. Department systems must adhere to object naming
conventions as governed by the ADCWG and be compatible with the Federal
Information Processing Standards (FIPS) 156 Information Resource Dictionary
System (IRDS) standard and the National Institute of Standards and Technology
(NIST) data design guidelines.
b. Object definition and naming conventions are
critical in facilitating object sharing and consistency across the Department's
organizations.
c. The Department's naming conventions describe how
objects should be defined, including what metadata should be documented. In
addition, naming conventions are defined to:
(1) Facilitate object sharing, object consistency, and
communication among the Department's organizations;
(2) Increase reliability of information stored,
shared, and managed by the repository tool set;
(3) Promote accessibility and understandability of
information across systems;
(4) Improve the quality of data and application
documentation;
(5) Eliminate data redundancy and inconsistency;
(6) Facilitate user access to object names and related
documentation as used throughout the Department;
(7) Assist analysts in selecting names that are clear
and represent rules of good grammar; and
(8) Simplify recognition of synonyms.