This document is an integral part of the Cloud Data Management Capabilities (CDMC™) model ("the Model") and is provided under a free license to any organization registered with EDM Council Inc. ("EDM Council") as a recipient ("Recipient") of the document. While this is a free license available to both members and non-members of the EDM Council, acceptance of the CDMC Terms of Use is required in order to protect the Recipient's use of the proprietary property of EDMC and to notify the Recipient of future updates to the Model.
CDMC™ and all related materials are the sole property of EDM Council Inc. All rights, titles and interests therein are vested in EDM Council. The Model and related materials may be used freely by the Recipient for internal purposes. Their distribution outside the Recipient's organization is permitted only with the prior written consent of the EDM Council. The Model may be used by the Recipient for commercial purposes or for external assessments only if the Recipient's organization has entered into a separate license and Authorized Partner Agreement with the EDM Council governing the terms of such use.
Please accept these CDMC™ Terms of Use by registering at:
https://app.smartsheet.com/b/form/6e2b0bf4a3024affb98daad174b08483
FOREWORD – JOHN BOTTEGA, EDMC PRESIDENT
Introduction
When industry identifies a challenge, it’s amazing what can be done when talented people collaborate. This is the underlying story of CDMC – Cloud Data Management Capability Framework.
The art of data management has evolved. Once thought of as a behind the scenes technology function, understanding, curating, protecting and using our information resource is a front and center business, technology and operations function. Data is now the life-blood of our industry and our personal lives. As data professionals, we have a responsibility to ensure information is accurate, timely, trusted, and protected and that it is being put to use effectively and ethically.
It is this goal that has propelled the profession of data management. Chief Data Officers, Heads of Data Quality, Data Governance and Data Architecture are becoming commonplace in our businesses. We now bear the responsibility of curating information from a defensive posture—controlling risk, privacy, safety and security, as well as from an offensive posture—increasing revenue, penetrating new markets, developing new products and services.
To better equip the data professional, the EDM Council developed a data management best practice framework known as DCAM – Data Management Capability Assessment Framework.
For 16 months, this team worked tirelessly to build a cloud data management framework that would help the industry better manage data in the cloud, better protect data in the cloud, and better enable organizations to realize the benefits of the cloud environment.
Sincerely,
John Bottega
President, EDM Council
Acknowledgements
We would like to provide special acknowledgement to our CDMC Co-Chairs Oli Bage (LSEG) and Richard Perris (Morgan Stanley) for both their founding inspiration in advocating the CDMC Project to the EDM Council and for their extraordinary CDMC contributions and leadership over the last 18 months. Additionally, special thanks to Morgan Stanley for donating the initial draft of cloud principles that helped jump start the CDMC Project in the early days. Finally, special acknowledgement to our CDMC Project Manager, Jubair Patel (Microsoft formerly with Capco), who with steadfast support from the Capco team, kept the global CDMC project on track and was also an exemplary cloud subject matter contributor.
Over 100 companies have contributed to the production of the CDMC Framework:
- Cloud Service Providers: Amazon AWS, Google, IBM and Microsoft
- Leading financial organizations, including: Barclays, Citi Bank, Credit Suisse, Deutsche Bank, DTCC, Fannie Mae, Freddie Mac, Goldman Sachs, HSBC, JP Morgan, LSEG, M&G, Morgan Stanley, Société Générale, Standard Bank, Sterling National Bank, TD Bank and UBS
- Other major organizations, including: CPA Canada and Schneider Electric
- Technology Providers, including: BigID, Collibra, Informatica, Privitar, Securiti, Solidatus and Snowflake
- Consultancies and System Integrators, including: Accenture, Capco, KPMG and Ortecha
EDM Council would like to thank the 300+ individuals who have participated. Those who have provided permission to be named are listed in the following document:
https://edmcouncil.org/resource/resmgr/cdmc_master/CDMC_Framework_Acknowledgeme.pdf
Introduction
Purpose
Digital transformation is fundamentally changing how we do business – personally and professionally. Much of this transformation is taking place in the cloud environment across the globe. Cloud implementations are occurring in all sectors across all industries. There are many benefits of managing and storing data in a cloud environment, including cost savings, flexibility, mobility, improved information security, increased collaboration, and realizing new insights within an organization’s data assets.
As with any new technology, cloud computing entails many challenges. New cloud implementations face a variety of data, technology and planning difficulties. There remains a lack of consistent industry best practices for applying data management capabilities during migrations to and operations in single, multiple and hybrid cloud environments.
Consequently, an organization will likely face cost and complexity risks when adopting cloud computing technologies. Adoption can be especially difficult for regulated entities that must demonstrate precise, consistent data control in both on-premises and cloud environments. Cloud service providers (CSPs) and technology providers also face complexity as they seek to understand the data management priorities of organizations, resulting in challenges to improving their cloud implementations.
The Cloud Data Management Capabilities (CDMC™) Framework defines the best practice capabilities necessary to manage and control data in cloud environments. The creation of this framework represents an important milestone in the global adoption of industry best practices for data management. The overall objective is to build trust, confidence and dependability for the adoption of cloud technologies, offering benefits to each of the constituencies within the cloud ecosystem:
- Cloud Service and Technology Consumers – provides a structured framework of auditable processes and controls, especially for sensitive data.
- Cloud service providers – provides requirements and controls that can be automated within CSP platforms, accelerating adoption and increasing market confidence.
- Application, Technology and Data Providers – applies standard, certified CDMC capabilities and controls to services and solutions to ensure a high degree of reliability and operational effectiveness.
- Consultants and System Integrators – enables training and assessments, gap analysis, strategy development, and execution services for end clients adopting cloud technologies.
- Regulators – provides industry guidance for auditing and validating key cloud environment controls, especially for sensitive data.
CDMC is a best practice assessment and certification framework for managing and controlling data in single, multiple, and hybrid cloud environments. CDMC is used to assess the capabilities of an organization that are necessary to support controlled integration and migration to the cloud environments. The framework focuses and expands on capabilities critical to controlling important and sensitive data and highlights features of contemporary cloud platforms that present opportunities for standardization and automation of data management and control.
Though CDMC is a standalone framework, it assumes that an organization already has a strong foundation of data management capabilities. A broader set of capabilities is covered in other frameworks such as the Data Management Capability Assessment Model (DCAM®) of the EDM Council. Effective data management fundamentals, together with the features and capabilities defined in CDMC, will enable an organization to build trustworthy and secure cloud environments—both now and well into the future.
Approach
CDMC was produced by the EDM Council CDMC Work Group formed in May 2020 with over 300 individual business executives, engineers, technologists and data professionals. The group includes participants from over 100 organizations across the globe, including major CSPs, technology service organizations, privacy firms and major consultancy and advisory firms. The objectives of the initiative were to:
- Develop a framework that provides direction and guidance on core data management capabilities in cloud data management aligned with industry best practices.
- Develop a consistent CDMC scoring model for industry organizations to measure maturity and readiness against the cloud data management capabilities.
- Collaborate with cloud service and technology providers and industry organizations on a set of priorities for accelerating capabilities for cloud migration and implementations while allowing cloud service and technology providers the opportunity to apply their unique innovations and services to meet these industry requirements.
- Establish methods to continuously improve the CDMC Framework and facilitate training and education on these best practices.
The structure of CDMC and the approach to its creation leveraged the structure and approach of the DCAM® framework, which the EDM Council has maintained since 2014.
CDMC – A FRAMEWORK FOR CLOUD DATA MANAGEMENT
Many organizations must establish a broad set of controls to manage data responsibly and comply with applicable regulatory entities. Standards and best practices enable an organization to harness the enormous opportunity offered by cloud technologies while avoiding the challenges of developing and adapting home-grown controls and spending time on isolated feature requests between individual companies and CSPs.
Controlling data in cloud environments requires a complex set of data management capabilities:
- An organization must establish clear accountability, controls and governance for data migrated to or created in cloud environments.
- A critical requirement is always to know what data resides in cloud environments and the sensitivity of each of the data assets. Such tracking is essential to automating controls for data access and use. Tracking is also vital to enforcing the controls and maintaining evidence for required transparency, security, and protection levels.
- Data management controls must be established throughout the data lifecycle.
- Data assets must be fit-for-purpose and kept to required schedules for retention and archiving.
- As with on-premises data assets, the design of the data architecture and configuration of supporting technologies are important for ensuring that business objectives are met.
CDMC captures the requirements for these capabilities in six areas. These six Components of the framework include 14 Capabilities and a total of 37 Sub-capabilities. The definition and scope of each component are presented below:
[Figure: CDMC Framework diagram]
Scope of Controls
This framework addresses the control of data in cloud, multi-cloud and hybrid environments. Controls for managing technology risks in other areas, such as software development and service management, are outside the scope of this document.
Many of the controls apply to sensitive data. Each organization has a classification scheme for its sensitive and important data and determines the specific categories to which these controls must apply. Examples of categories that may fall within this scope include:
- Personal data / Sensitive personal data
- Personally Identifiable Information (PII)
- Client identifiable information
- Material Non-Public Information (MNPI)
- Specific information sensitivity classifications (such as 'Highly Restricted' and 'Confidential')
- Critical data elements used for key business processes¹ (including regulatory reporting)
- Licensed data
CDMC Key Controls
- 1. Data Control Compliance
- 2. Ownership Field
- 3. Authoritative Data Sources and Provisioning Points
- 4. Data Sovereignty and Cross-Border Movement
- 5. Cataloging
- 6. Classification
- 7. Entitlements and Access for Sensitive Data
- 8. Data Consumption Purpose
- 9. Security Controls
- 10. Data Protection Impact Assessments
- 11. Data Retention, Archiving and Purging
- 12. Data Quality Measurement
- 13. Cost Metrics
- 14. Data Lineage
| Major Stakeholder Group | CDMC Framework Stakeholder Roles | Primary CDM Requirement | Primary CDM Responsibility | Illustrative Planning Horizon | Ongoing Commitment and Review |
| --- | --- | --- | --- | --- | --- |
| Cybersecurity, Privacy, Legal and Compliance | Chief Privacy Officer / Head of Cyber / Head of Tech Risk | Privacy, security and technology risks are managed according to risk appetite. Cost is proportionate. Maintenance and controls are robust and sustainable. | Balance cloud data management requirements with a specific focus on privacy, security, information lifecycle management and integrity. Continuity controls are well-defined and followed. | 2-3 year | Annual review of CDM business cases with communication of any deviations through quarterly exception reporting supplemented with ad hoc reports |
| Cybersecurity, Privacy, Legal and Compliance | Legal, Compliance & Audit | Cloud data management conforms to legal and regulatory interpretation and fulfills organization compliance obligations and policies. | Legal rules on data sharing, restriction, and disposition are well-defined, implementable, and communicated to the control owners. | 2-3 year | Annual review of CDM business cases with communication of any deviations through quarterly exception reporting supplemented with ad hoc reports |
1.2.1 DATA OWNER ROLE AND RESPONSIBILITIES ARE DEFINED
Description
Implementing the concept of data ownership requires defining the role and responsibilities of the data owner and ensuring the role is applied to data managed in the cloud environment and on-premises.
Objectives
- Define the roles and responsibilities of the data owner and mandate them through the data management policy.
- Extend data owner responsibilities to data hosted in cloud environments.
- Adapt and extend data owner responsibilities to any new data types used by cloud service providers (CSPs).
- Determine if any data owner responsibilities will have more importance concerning data residing in a cloud environment.
- Define cloud technology support requirements for each relevant data owner role and responsibility.
ADVICE FOR DATA PRACTITIONERS
The data owner role must be assigned to a senior business executive to have the necessary authority to perform the role. This required seniority ensures ongoing accountability, even when personnel changes occur. Data management policy should explicitly ensure that data ownership accountability belongs to the appropriate executive. In most organizations, responsibility for the execution of data ownership tasks will be delegated to supporting roles such as data stewards. Definition of the data owner role should extend to and clarify how the execution responsibilities are delegated. This role definition should also be incorporated in and supported by the data management policy.
A data owner is accountable for the meaning, content, quality, distribution and storage of a given set of data or the contents of a data domain. The data owner must ensure that all data drawn by its data consumers meet fit-for-purpose criteria and align with organizational standards. Adopting cloud computing data management services can support a data owner with automated capabilities that are typically more effective and efficient than conventional systems.
The data owner has full responsibility for understanding the quality and scope of the content in a data domain. Cloud computing technology typically provides comprehensive, real-time data catalog and data lineage solutions. Rich metadata is available from many of these solutions. This metadata enhances the ability of the data owner to understand the data landscape and eases the execution of data ownership responsibilities.
Many data owners have responsibility for various on-premises applications that rest upon various platforms and legacy technologies. Lack of homogenization and transparency across these data domains makes applying granular control across all environments challenging. Many cloud environments can improve standardization of functionality, granular controls standardization and monitoring capabilities.
Cloud environments should provide standards for monitoring data and provide summaries for the entire data landscape. Data owners will use the monitoring dashboards to drill down to identify various sources of data quality and control failures. Such views can extend from data assets down to individual data elements.
Enhancements in data storage and management homogenization significantly improve the visibility and precision of data consumer utilization. Consequently, data owners can understand which data element controls require prioritization. Better controls improve the ability of the data owner to enforce data security and immutability.
A data owner should provide transparency about the content, location and consumption of their data. Cloud data management can help a data owner manage responsibilities, operate more efficiently, improve transparency and facilitate better systems integration.
Typically, a data owner must also solve data quality issues and manage control exceptions. In support of such tasks, the data owner should also have the ability to interact with an integrated workflow, direct a course of action or redirect to another data owner.
ADVICE FOR CLOUD SERVICE AND TECHNOLOGY PROVIDERS
It is important to recognize that a data owner may not have a strong affinity for technology. This understanding is especially true if the data owner is from a business, finance, risk, or another background—not Information Technology. Such users should have resources available to navigate and interrogate interactive dashboards and perform some workflow tasks. Any technology competency beyond that expectation should be regarded as optional.
With these expectations in mind, a cloud service provider should:
- Provide dashboards, workflow tasks and task execution tracking.
- Provide corresponding training that does not require coding, tedious querying, or any IT knowledge.
- Provide the data owner with the ability to execute or manage responsibilities in the data domain.
- If necessary, automate any capabilities for the data owner to develop and maintain the integration of a data element list, definitions, data quality rules, controls, data lineage and enterprise data model integration.
- Provide intuitive, non-programmatic interfaces to interact with any automations.
- Provide some ability for data owners that may have technical and coding expertise to extend or customize dashboards, workflows and task execution.
- Work with the organization to determine if any data owner responsibilities (such as sovereignty) have more importance in managing data in a cloud environment.
Questions
- Have data owner roles and responsibilities been defined?
- Have data owner responsibilities been extended to data management capabilities at the CSP?
- Does the data owner's responsibility include data that is generated by and stored at the CSP?
- Does the data owner's responsibility include all activities that have higher importance for managing data at the CSP?
- Does the CSP provide technology to support data owner roles and responsibilities?
Artifacts
- Data Management Policy, Standard and Procedure – defining and operationalizing data owner roles and responsibilities
Scoring
Not Initiated
Data owner roles and responsibilities are not defined by policy.
Conceptual
Data owner roles and responsibilities are not defined by policy, but the need is recognized and development is being discussed.
Developmental
Data owner roles and responsibilities defined by policy are being developed.
Defined
Data owner roles and responsibilities defined by policy are validated by stakeholders.
Achieved
Data owner roles and responsibilities defined by policy are established and adopted by the organization.
Enhanced
Data owner roles and responsibilities defined by policy are established as part of business-as-usual practice with continuous improvement.
| Control 3: Authoritative Data Sources and Provisioning Points | |
| --- | --- |
| Component | 1.0 Governance and Accountability |
| Capability | 1.3 Data sourcing and consumption are governed and supported by automation |
| Control Description | A register of authoritative data sources and provisioning points must be established for all data sets containing sensitive information; otherwise, they must be reported to a defined process. |
| Risks Addressed | The organization's architectural strategy is not yet fully defined. Authoritative sources have not been identified or properly controlled. Data is redundant and/or conflicting, leading to process breaks, architectural dysfunction, increased operating costs and an aggravation of existing operational risks across all affected business processes. |
| Drivers / Requirements | A primary responsibility of a data owner is to designate the authoritative data sources and provisioning points for a specific scope of data. Policy controls require a data asset to be identified as authoritative or non-authoritative when it is shared. |
| Legacy / On-Premises Challenges | Identifying and remediating the use of unreliable sources or copies of data requires considerable manual effort. |
| Automation Opportunities | |
| Benefits | An infrastructure capable of running automated workflows to identify and remove unreliable data delivers cost savings by eliminating the manual work associated with this task. |
| Summary | Having data automatically classified as authoritative or non-authoritative will greatly simplify ensuring policy compliance and remove the costs of the manual work of managing data sourcing and consumption. |
Supporting Documentation
This document is an integral part of the CDMC™ framework and covers the key controls for effective management of data risk in cloud, multi-cloud and hybrid environments. This section provides a summary of the other components of the overall framework.
CDMC Framework
Full documentation of the 6 components, 14 capabilities and 37 sub-capabilities of the CDMC Framework, together with the 14 controls presented in this document. This document of more than 150 pages details the objectives of each sub-capability and offers best practice advice written from the perspective of both data practitioners and cloud service and technology providers. A set of questions, artifacts and scoring guidance for each sub-capability gives organizations a basis for assessing their capabilities.
Reference: CDMC Framework Version 1.1 – published September 2021
CDMC Controls Test Procedures
Test specifications for the 14 key controls of the framework, intended to serve as the basis for certifying cloud products and services against the framework.
Reference: CDMC Controls Test Procedures V1.1 – publication planned for Q4 2021
CDMC Information Model
An ontology that builds on and combines related open frameworks and standards to define the information required for cloud data management. It lays the foundation for interoperability of data catalogs and automation of controls across cloud service and technology providers.
Reference: CDMC Information Model Version 1.1 – publication planned for Q4 2021
Data Management Business Glossary
A standard collection of more than 150 data management terms, with definitions and commentary for each.
Reference: https://www.dcamportal.org/glossary/
Feedback and Further Information
Feedback on this document should be submitted through the "Cloud Data Management" interest community on EDMConnect: https://edmconnect.edmcouncil.org/clouddatamanagementinterestcommunity/home
For more information about the CDMC initiative, visit: https://edmcouncil.org/page/CDMC.
For any questions regarding EDM Council membership or the CDMC Authorized Partnership, please contact info@edmcouncil.org.