Database Governance is the set of policies, procedures, practices and organizational structures ensuring the execution of database related activities in an organization according to defined strategies and controls. Database Governance is required to enforce Information Security for structured data held in databases.
Within Enterprise GRC, Database Governance is an element of IT GRC. Enterprise GRC starts with Corporate Governance, e.g. the general, enterprise-wide policies and the focus on strategic risks. Business GRC with its focus on operational risks is the second element (or layer). However, automated controls for many of the operational and even strategic risks require IT – that’s where Database Governance comes into play as one of the major elements of IT GRC.
KuppingerCole strongly recommends defining a Database Governance approach in the context of enterprise-wide GRC initiatives, based on the same approaches as for policies, controls, processes, and organization. If Database Governance is undertaken without first putting an enterprise-wide GRC approach in place we suggest at least investing some work in defining the basic elements, for instance what a book of rules should look like.
Database Governance is first and foremost an organizational approach and not a technical topic. Technology can assist in implementing and executing controls, but it needs to follow the organizational concept. In other words: Without a book of rules, defined controls and processes, and without suitable organizational structures technology is a back-burner issue. Only when proper controls are in place is it time to worry about technical solutions.
