Creating a Data Policy Statement

Before you begin identifying and characterizing the data elements that you plan to store in your directory service, it is important to develop some general guidelines about directory data. These guidelines should be collected in a written data policy statement. The purpose of such a statement is to help everyone affected by your directory service to understand in general terms how data will be handled. Because this group includes you, your directory deployment team, data source owners , application authors, and end users, you should widely publish your data policy statement throughout your organization and perhaps outside (if some or all of the end users are outside your company, for example).

Your data policy statement should cover the following topics:

• Guidelines for determining what data will and will not be stored in your directory service . For example, the general guideline could be that any data element that is likely to be shared by more than one application will be stored in your directory. You might decide that large values (greater than 10K) will never be stored in your directory.

• Guidelines for access to directory data . This topic is especially important if you plan to store any sensitive information in your directory service. You should also include general guidelines on the kind of authentication and encryption required for access to directory data.

• Guidelines for modification of directory data . This topic might include information about whether you expect end users to be allowed to update their own entries, the capability of applications to modify entries, and other "data ownership" issues. You should also include general guidelines on the kind of authentication and encryption required when changes are being made to directory data.

• Legal considerations . Because of privacy laws, employment contracts, or other legal considerations, there may be certain kinds of information you may simply not be able to store in your directory service or allow people to access. It is best to involve your organization's legal staff when you're formulating this aspect of your policy.

• Guidelines for maintaining data stored in more than one location . Typically, data elements will be stored in your directory service, as well as in one or more external data sources. Topics such as how to handle data flow between the sources and which source will be authoritative should be covered by a general data policy.

• Guidelines for handling exceptions to your general policies . Because no policy can cover all possible situations, you should define a simple process for handling exceptions.

Your data policy statement should be a fairly stable document. However, you will inevitably need to evolve your policy as your mission changes, as you learn more about managing your directory service, and as external factors such as privacy laws change.

Because your data policy statement will cover a lot of ground, it is essential that you involve other groups within your organization in the process of creating and reviewing the policy. In many cases the data policy will actually be defined mainly by people outside your directory team. For example, the owners of important data sources and your legal department will undoubtedly have a lot to say about how you should handle data.

Here are some specific groups to enlist when defining your directory data policy:

• Your directory design and deployment team

• People who maintain other important data sources within your organization, if applicable to your directory deployment (for example, the human resources department)

• Authors and deployers of important directory-enabled applications

• The end users who will use your directory service and the directory-enabled applications

• Your legal department

• Upper management, including your chief information officer (CIO) or even the office of your chief executive officer (CEO)

Now that you have a good start on creating a data policy statement, it is time to examine the specific data elements you will store in your directory. Looking at specific examples of data elements will also help you firm up your data policy.