Temporary CDMC Framework

---- CDMC diagram ----

This document is a constituent part of the Cloud Data Management Capabilities (CDMC™) model (“the Model”) and is provided as a free license to any organization registered with EDM Council Inc. (“EDM Council”) as a recipient (“Recipient”) of the document. While this is a Free License available to both members and non-members of the EDM Council, acceptance of the CDMC Terms of Use is required to protect the Recipient’s use of proprietary EDMC property and to notify the Recipient of future updates to the Model.

CDMC™ and all related materials are the sole property of EDM Council Inc. All rights, titles and interests therein are vested in the EDM Council. The Model and related material may be used freely by the Recipient for their own internal purposes. It may only be distributed beyond the Recipient’s organization with prior written authorization of EDM Council. The Model may only be used by the Recipient for commercial purposes or external assessments if the Recipient’s organization has entered into a separate licensing and Authorized Partner Agreement with EDM Council governing the terms for such use.

Please accept these CDMC™ Terms of Use by registering at:

https://app.smartsheet.com/b/form/6e2b0bf4a3024affb98daad174b08483

Introduction

When industry identifies a challenge, it’s amazing what can be done when talented people collaborate. This is the underlying story of CDMC – Cloud Data Management Capability Framework.

The art of data management has evolved. Once thought of as a behind the scenes technology function, understanding, curating, protecting and using our information resource is a front and center business, technology and operations function. Data is now the life-blood of our industry and our personal lives. As data professionals, we have a responsibility to ensure information is accurate, timely, trusted, and protected and that it is being put to use effectively and ethically.

It is this goal that has propelled the profession of data management. Chief Data Officers, Heads of Data Quality, Data Governance and Data Architecture are becoming commonplace in our businesses. We now bear the responsibility of curating information from a defensive posture—controlling risk, privacy, safety and security, as well as from an offensive posture—increasing revenue, penetrating new markets, developing new products and services.

To better equip the data professional, the EDM Council developed a data management best practice framework known as DCAM – Data Management Capability Assessment Framework.

For 16 months, this team worked tirelessly to build a cloud data management framework that would help the industry better manage data in the cloud, better protect data in the cloud, and better enable organizations to realize the benefits of the cloud environment.

Sincerely,
John Bottega
President, EDM Council

We would like to provide special acknowledgement to our CDMC Co-Chairs Oli Bage (LSEG) and Richard Perris (Morgan Stanley) for both their founding inspiration in advocating the CDMC Project to the EDM Council and for their extraordinary CDMC contributions and leadership over the last 18 months. Additionally, special thanks to Morgan Stanley for donating the initial draft of cloud principles that helped jump start the CDMC Project in the early days. Finally, special acknowledgement to our CDMC Project Manager, Jubair Patel (Microsoft formerly with Capco), who with steadfast support from the Capco team, kept the global CDMC project on track and was also an exemplary cloud subject matter contributor.

Over 100 companies have contributed to the production of the CDMC Framework:

  • Cloud Service Providers: Amazon AWS, Google, IBM and Microsoft
  • Leading financial organizations, including: Barclays, Citi Bank, Credit Suisse, Deutsche Bank, DTCC, Fannie Mae, Freddie Mac, Goldman Sachs, HSBC, JP Morgan, LSEG, M&G, Morgan Stanley, Societe Generale, Standard Bank, Sterling National Bank, TD Bank and UBS
  • Other major organizations, including: CPA Canada and Schneider Electric
  • Technology Providers, including: BigID, Collibra, Informatica, Privitar, Securiti, Solidatus and Snowflake
  • Consultancies and System Integrators, including: Accenture, Capco, KPMG and Ortecha

EDM Council would like to thank the 300+ individuals who have participated. Those who have provided permission to be named are listed in the following document:

https://edmcouncil.org/resource/resmgr/cdmc_master/CDMC_Framework_Acknowledgeme.pdf

Purpose

Digital transformation is fundamentally changing how we do business – personally and professionally. Much of this transformation is taking place in the cloud environment across the globe. Cloud implementations are occurring in all sectors across all industries. There are many benefits of managing and storing data in a cloud environment, including cost savings, flexibility, mobility, improved information security, increased collaboration, and realizing new insights within an organization’s data assets.

As with any new technology, cloud computing entails many challenges. New cloud implementations face a variety of data, technology and planning difficulties. There remains a lack of consistent industry best practices for applying data management capabilities during migrations to and operations in single, multiple and hybrid cloud environments.

Consequently, an organization will likely face cost and complexity risks when adopting cloud computing technologies. Adoption can be especially difficult for regulated entities that must demonstrate precise, consistent data control in both on-premises and cloud environments. Cloud service providers (CSPs) and technology providers also face complexity as they seek to understand the data management priorities of organizations, resulting in challenges to improving their cloud implementations.

The Cloud Data Management Capabilities (CDMC™) Framework defines the best practice capabilities necessary to manage and control data in cloud environments. The creation of this framework represents an important milestone in the global adoption of industry best practices for data management. The overall objective is to build trust, confidence and dependability for the adoption of cloud technologies, offering benefits to each of the constituencies within the cloud ecosystem:

  • Cloud Service and Technology Consumers – provides a structured framework of auditable processes and controls, especially for sensitive data.
  • Cloud service providers – provides requirements and controls that can be automated within CSP platforms, accelerating adoption and increasing market confidence.
  • Application, Technology and Data Providers – applies standard, certified CDMC capabilities and controls to services and solutions to ensure a high degree of reliability and operational effectiveness.
  • Consultants and System Integrators – enables training and assessments, gap analysis, strategy development, and execution services for end clients adopting cloud technologies.
  • Regulators – provides industry guidance for auditing and validating key cloud environment controls, especially for sensitive data.

CDMC is a best practice assessment and certification framework for managing and controlling data in single, multiple, and hybrid cloud environments. CDMC is used to assess the capabilities of an organization that are necessary to support controlled integration and migration to the cloud environments. The framework focuses and expands on capabilities critical to controlling important and sensitive data and highlights features of contemporary cloud platforms that present opportunities for standardization and automation of data management and control.

Though CDMC is a standalone framework, it assumes that an organization already has a strong foundation of data management capabilities. A broader set of capabilities is covered in other frameworks such as the Data Management Capability Assessment Model (DCAM®) of the EDM Council. Effective data management fundamentals, together with the features and capabilities defined in CDMC, will enable an organization to build trustworthy and secure cloud environments—both now and well into the future.

Approach

CDMC was produced by the EDM Council CDMC Work Group formed in May 2020 with over 300 individual business executives, engineers, technologists and data professionals. The group includes participants from over 100 organizations across the globe, including major CSPs, technology service organizations, privacy firms and major consultancy and advisory firms. The objectives of the initiative were to:

  • Develop a framework that provides direction and guidance on core data management capabilities in cloud data management aligned with industry best practices.
  • Develop a consistent CDMC scoring model for industry organizations to measure maturity and readiness against the cloud data management capabilities.
  • Collaborate with cloud service and technology providers and industry organizations on a set of priorities for accelerating capabilities for cloud migration and implementations while allowing cloud service and technology providers the opportunity to apply their unique innovations and services to meet these industry requirements.
  • Establish methods to continuously improve the CDMC Framework and facilitate training and education on these best practices.

The structure of CDMC and the approach to its creation leveraged the structure and approach of the DCAM® framework, which the EDM Council has maintained since 2014.

CDMC – A FRAMEWORK FOR CLOUD DATA MANAGEMENT

Many organizations must establish a broad set of controls to manage data responsibly and comply with applicable regulatory entities. Standards and best practices enable an organization to harness the enormous opportunity offered by cloud technologies while avoiding the challenges of developing and adapting home-grown controls and spending time on isolated feature requests between individual companies and CSPs.

Controlling data in cloud environments requires a complex set of data management capabilities:

  • An organization must establish clear accountability, controls and governance for data migrated to or created in cloud environments.
  • A critical requirement is always to know what data resides in cloud environments and the sensitivity of each of the data assets. Such tracking is essential to automating controls for data access and use. Tracking is also vital to enforcing the controls and maintaining evidence for required transparency, security, and protection levels.
  • Data management controls must be established throughout the data lifecycle.
  • Data assets must be fit-for-purpose and kept to required schedules for retention and archiving.
  • As with on-premises data assets, the design of the data architecture and configuration of supporting technologies are important for ensuring that business objectives are met.

CDMC captures the requirements for these capabilities in six areas. These six Components of the framework include 14 Capabilities and a total of 37 Sub-capabilities. The definition and scope of each component are presented below:

---- insert CDMC diagram ----

The framework addresses the control of data in cloud, multi-cloud and hybrid-cloud environments. Controls that address technology risks in other areas such as software development and service management are not within the scope of the document.

Many of the controls are stated as applicable to sensitive data. Each organization will have a scheme for classifying its sensitive and important data and will determine the specific classifications to which the controls must be applied. Examples of classifications that may be in scope include:

  • Personal Information (PI) / Sensitive Personal Data
  • Personally Identifiable Information (PII)
  • Client Identifiable Information
  • Material Non-Public Information (MNPI)
  • Specific Information Sensitivity Classifications (such as ‘Highly Restricted’ and ‘Confidential’)
  • Critical Data Elements used for important business processes (including regulatory reporting)
  • Licensed data

CDMC Key Controls

| Major Stakeholder Group | CDMC Framework Stakeholder Roles | Primary CDM Requirement | Primary CDM Responsibility | Illustrative Planning Horizon | Ongoing Commitment and Review |
| --- | --- | --- | --- | --- | --- |
| Cybersecurity, Privacy, Legal and Compliance | Chief Privacy Officer / Head of Cyber / Head of Tech Risk | Privacy, security and technology risks are managed according to risk appetite. Cost is proportionate. Maintenance and controls are robust and sustainable. | Balance cloud data management requirements with a specific focus on privacy, security, information lifecycle management and integrity. Continuity controls are well-defined and followed. | 2-3 year | Annual review of CDM business cases with communication of any deviations through quarterly exception reporting supplemented with ad hoc reports |
| | Legal, Compliance & Audit | Cloud data management conforms to legal and regulatory interpretation and fulfills organization compliance obligations and policies. | Legal rules on data sharing, restriction, and disposition are well-defined, implementable, and communicated to the control owners. | 2-3 year | Annual review of CDM business cases with communication of any deviations through quarterly exception reporting supplemented with ad hoc reports |

Description

Implementing the concept of data ownership requires defining the role and responsibilities of the data owner and ensuring the role is applied to data managed in the cloud environment and on-premises.

Objectives
  • Define roles and responsibilities of the data owner and mandate them through the data management policy.
  • Extend data owner responsibilities to data hosted in cloud environments.
  • Adapt and extend data owner responsibilities to any new data types used by cloud service providers (CSPs).
  • Determine if any data owner responsibilities will have more importance concerning data residing in a cloud environment.
  • Define cloud technology support requirements for each relevant data owner role and responsibility.

ADVICE FOR DATA PRACTITIONERS

The data owner role must be assigned to a senior business executive to have the necessary authority to perform the role. This required seniority ensures ongoing accountability, even when personnel changes occur. Data management policy should explicitly ensure that data ownership accountability belongs to the appropriate executive. In most organizations, responsibility for the execution of data ownership tasks will be delegated to supporting roles such as data stewards. Definition of the data owner role should extend to and clarify how the execution responsibilities are delegated. This role definition should also be incorporated in and supported by the data management policy.

A data owner is accountable for the meaning, content, quality, distribution and storage of a given set of data or the contents of a data domain. The data owner must ensure that all data drawn by its data consumers meet fit-for-purpose criteria and align with organizational standards. Adopting cloud computing data management services can support a data owner with automated capabilities that are typically more effective and efficient than conventional systems.

The data owner has full responsibility for understanding the quality and scope of the content in a data domain. Cloud computing technology typically provides comprehensive, real-time data catalog and data lineage solutions. Rich metadata is available from many of these solutions. This metadata enhances the ability of the data owner to understand the data landscape and eases the execution of data ownership responsibilities.

Many data owners have responsibility for various on-premises applications that rest upon various platforms and legacy technologies. Lack of homogenization and transparency across these data domains makes applying granular control across all environments challenging. Many cloud environments can improve standardization of functionality, granular controls and monitoring capabilities.

Cloud environments should provide standards for monitoring data and provide summaries for the entire data landscape. Data owners will use the monitoring dashboards to drill down to identify various sources of data quality and control failures. Such views can extend from data assets down to individual data elements.

Enhancements in data storage and management homogenization significantly improve the visibility and precision of data consumer utilization. Consequently, data owners can understand which data element controls require prioritization. Better controls improve the ability of the data owner to enforce data security and immutability.

A data owner should provide transparency about the content, location and consumption of their data. Cloud data management can help a data owner manage responsibilities, operate more efficiently, improve transparency and facilitate better systems integration.

Typically, a data owner must also solve data quality issues and manage control exceptions. In support of such tasks, the data owner should also have the ability to interact with an integrated workflow, direct a course of action or redirect to another data owner.

ADVICE FOR CLOUD SERVICE AND TECHNOLOGY PROVIDERS

It is important to recognize that a data owner may not have a strong affinity for technology. This is especially true if the data owner is from a business, finance, risk, or another background—not Information Technology. Such users should have resources available to navigate and interrogate interactive dashboards and perform some workflow tasks. Any technology competency beyond that expectation should be regarded as optional.

With these expectations in mind, a cloud service provider should:

  • Provide dashboards, workflow tasks and task execution tracking.
  • Provide corresponding training that does not require coding, tedious querying, or any IT knowledge.
  • Provide the data owner with the ability to execute or manage responsibilities in the data domain.
  • If necessary, automate any capabilities for the data owner to develop and maintain the integration of a data element list, definitions, data quality rules, controls, data lineage and enterprise data model integration.
  • Provide intuitive, non-programmatic interfaces to interact with any automations.
  • Provide some ability for data owners that may have technical and coding expertise to extend or customize dashboards, workflows and task execution.
  • Work with the organization to determine if any data owner responsibilities (such as sovereignty) have more importance in managing data in a cloud environment.

Questions
  • Have data owner roles and responsibilities been defined?
  • Have data owner responsibilities been extended to data management capabilities at the CSP?
  • Does the data owner's responsibility include data that is generated by and stored at the CSP?
  • Does the data owner's responsibility include all activities that have higher importance for managing data at the CSP?
  • Does the CSP provide technology to support data owner roles and responsibilities?

Artifacts
  • Data Management Policy, Standard and Procedure – defining and operationalizing data owner roles and responsibilities

Scoring

Not Initiated

Data owner roles and responsibilities are not defined by policy.

Conceptual

Data owner roles and responsibilities are not defined by policy, but the need is recognized and development is being discussed.

Developmental

Data owner roles and responsibilities defined by policy are being developed.

Defined

Data owner roles and responsibilities defined by policy are validated by stakeholders.

Achieved

Data owner roles and responsibilities defined by policy are established and adopted by the organization.

Enhanced

Data owner roles and responsibilities defined by policy are established as part of business-as-usual practice with continuous improvement.

Control 3: Authoritative Sources and Provisioning Points

Component

1.0 Governance & Accountability

Capability

1.3 Data Sourcing and Consumption are Governed and Supported by Automation

Control Description

A register of Authoritative Data Sources and Provisioning Points must be populated for all data assets containing sensitive data or otherwise must be reported to a defined workflow.

Risks Addressed

Architectural strategy for an organization is not fully defined. Authorized sources have not been defined or suitably controlled.

Data is duplicative and/or contradictory, resulting in process breaks, architectural inefficiencies, increased cost of ownership and accentuating existing operational risks on all dependent business processes.

Drivers / Requirements

An important responsibility of a data owner is to designate the authoritative data sources and provisioning points of data for a specific scope of data.

Policy controls require a data asset to be identified as authoritative or not when it is shared.

Legacy / On-Premises Challenges

Identification and remediation of the use of non-authoritative sources or copies of data require significant manual effort.

Automation Opportunities
  • Automatically enforce the labeling of sources of data as authoritative or non-authoritative.
  • Control the consumption of sensitive data from sources that are non-authoritative.
  • Default the labeling of sources to non-authoritative until reviewed and updated by the data owner.

Benefits

Infrastructure that can run automated workflows to identify and retire non-authoritative data provides a cost savings opportunity to eliminate the manual effort involved in this work.

Summary

Data assets automatically tagged as authoritative or non-authoritative will greatly simplify policy compliance and eliminate manual costs of controlling data sourcing and consumption.
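
One way the Control 3 automation opportunities could be checked against a register, added here as an illustration and not part of the CDMC Framework. The `RegisterEntry` fields, the classification labels and the sample assets are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed classification labels; each organization defines its own scheme.
SENSITIVE_CLASSIFICATIONS = {"PII", "MNPI", "Highly Restricted", "Confidential"}


@dataclass
class RegisterEntry:
    asset: str
    classification: str
    data_owner: Optional[str] = None      # accountable owner, if assigned
    authoritative: Optional[bool] = None  # None means the label was never set
    owner_reviewed: bool = False          # True once the owner confirmed the label


def is_sensitive(entry: RegisterEntry) -> bool:
    return entry.classification in SENSITIVE_CLASSIFICATIONS


def effective_label(entry: RegisterEntry) -> str:
    """A source counts as authoritative only after the data owner reviewed it."""
    if entry.authoritative and entry.owner_reviewed:
        return "authoritative"
    return "non-authoritative"  # the default until reviewed and updated


def workflow_items(register: list[RegisterEntry]) -> list[dict]:
    """Report sensitive assets whose register entry is not fully populated."""
    items = []
    for entry in register:
        if not is_sensitive(entry):
            continue
        gaps = []
        if entry.data_owner is None:
            gaps.append("no data owner assigned")
        if entry.authoritative is None:
            gaps.append("authoritative label not set")
        elif not entry.owner_reviewed:
            gaps.append("label not reviewed by data owner")
        if gaps:
            items.append({"asset": entry.asset, "gaps": gaps})
    return items


def may_consume(entry: RegisterEntry) -> bool:
    """Allow sensitive data to be consumed only from authoritative sources."""
    return not is_sensitive(entry) or effective_label(entry) == "authoritative"


# Constructed sample register.
REGISTER = [
    RegisterEntry("crm.customers", "PII", "head-of-retail", True, True),
    RegisterEntry("analytics.customers_copy", "PII", "head-of-retail", False, True),
    RegisterEntry("staging.trades_extract", "MNPI"),
    RegisterEntry("risk.positions", "Confidential", "head-of-risk", True, False),
    RegisterEntry("web.public_rates", "Public"),
]

if __name__ == "__main__":
    for e in REGISTER:
        print(f"{e.asset:28} {effective_label(e):18} consume={may_consume(e)}")
    for item in workflow_items(REGISTER):
        print("workflow:", item)
```
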

This document is a constituent part of the CDMC™ framework focusing on the key controls for effective management of data risk in cloud, multi-cloud and hybrid environments. This section provides a summary of additional parts of the overall framework.

Full documentation of the 6 components, 14 capabilities and 37 sub-capabilities of the CDMC framework, along with the 14 controls presented in this document. This 150+ page document details the objectives of each sub-capability and presents best practice advice written from both the data practitioner and cloud service and technology provider perspectives. A set of questions, artifacts and scoring guidance for each sub-capability provide the basis for organizations to perform capability assessments.

Reference: CDMC Framework Version 1.1 – published September 2021

Specifications of tests of the 14 key controls within the framework to form the basis of certification of cloud products and services against the framework.

Reference: CDMC Controls Testing Procedures V1.1 – to be published Q4 2021

An ontology that draws on and combines related open frameworks and standards to describe the information required to support cloud data management. This provides a foundation for interoperability of data catalogs and automation of controls across cloud service and technology providers.

Reference: CDMC Information Model Version 1.1 – to be published Q4 2021

A standard set of over 150 data management terms, with definitions and commentary for each.

Reference: https://www.dcamportal.org/glossary/

Feedback on the document should be contributed via the Cloud Data Management Interest Community on EDMConnect: https://edmconnect.edmcouncil.org/clouddatamanagementinterestcommunity/home

For further information on the CDMC initiative please visit: https://edmcouncil.org/page/CDMC.

Any enquiries regarding EDM Council membership or CDMC Authorized Partnership should be directed to info@edmcouncil.org.
