Paragon's Christopher J. Michael shares insights on trends, technologies and strategies in information governance, information management and more.
Information Governance (IG) works on the enterprise level in order to support the current and future business, legal, and regulatory requirements of information. Proper information governance demands top-down commitment and an understanding by C-level executives.
An IG program needs to have a steering committee of stakeholders across disciplines (Records Management, IT, Legal, Compliance, Risk Management, Information Security, Privacy, key business units) to draw from various backgrounds and areas of knowledge to best govern and manage content created across an organization.
The risks of not having a good strategy to deal with information are high.
An effective Information Governance program mitigates risk, gains more value from information assets, and lowers costs by increasing efficiency. There are three core reasons you need an information governance program.
#1 - Preventing Data Breaches & Leaks
The 2016 Ponemon Cost of Data Breach Study found that the average consolidated total cost of a data breach grew from $3.8 million last year to $4 million. The study also reports that the average cost incurred for each lost or stolen record containing sensitive and confidential information increased from $154 to $158.
Besides cost, this global study also puts the likelihood of a data breach involving 10,000 records or more in the next 24 months at 26%. Cybersecurity risks are now a strategic business issue and therefore require oversight so that high-stakes business decisions can be made correctly and confidently.
Sprawling data collections are more difficult to protect from hackers, malicious insiders, and negligent employees. Disorganization and information silos make data more vulnerable. The first step in securing your data is knowing what your confidential information is and where it is located. Then you can give the greatest protection to the most vital and sensitive company information. You can’t give the highest level of security to all information, so put more time and money into protecting the most important enterprise information, such as PII and vital records critical to the business’s operation. Balance the need for availability of records with security concerns.
Who needs access to what information and for how long?
When you know what records and information you have, you can get rid of redundant, obsolete, and trivial (ROT) information. The embarrassing Sony email hack could’ve been avoided if all company emails were not kept forever on a server. An information governance framework should determine what information an organization keeps and how. A company can decrease the risk of data leaks by taking a more holistic view of its information and addressing issues such as privacy, information security, and policies.
#2 - The Proliferation of Digital Records & Information
Ever-increasing numbers of electronic applications, records, information, and data are in use within and across organizations as technology constantly evolves. While there are still large amounts of paper records, born-digital records and information are growing at an explosive rate. Organizations don’t know what to do with these large and constantly growing amounts of information. Many times this information is duplicated, out of date, inaccurate, or disconnected and hard to find.
Enterprises often take a “keep everything” mentality for compliance. However, this thinking leads to storing and securing useless structured and unstructured data, as businesses often don’t know what they are keeping or who should have access to it. Dark data is unidentified and could include vital business-critical records, non-compliant data, or ROT. Be able to identify official vs. transitory records, copies, and who in the business owns the information, data, and records. Information waste is not only expensive but can also lead to greater risk if personally identifiable information (PII) that should’ve been destroyed is kept and later exposed in a data breach, or if records that should’ve been disposed of according to laws and regulations are now subject to discovery in litigation.
Another way of thinking about defensible deletion is by reversing it into defensible retention. Can you defend the retention of information based on business, legal, and regulatory requirements? If not, why are you keeping it?
Classification, data mapping, metadata, and long-term digital preservation must be taken into account in order to locate, access, analyze, and preserve saved information for the term of its retention. Ensure the fast retrieval of the correct information for the correct people. Digital preservation is key, as information is useless if it can no longer be accessed. There is an increasing amount of big data that must be governed and managed to provide value through analytics in order to gain a competitive advantage. However, before you can harness the power of analytics, you must first make sure you have clean data by getting rid of ROT and preventing its proliferation so that you start with a smaller, refined data set.
#3 - Lowering the High Costs of eDiscovery
Storage may be cheaper than ever, but be aware that the more information is collected, the more expensive eDiscovery becomes. Reduce the amount of ESI created in the first place (duplicates, having electronic and paper versions of the same records, etc.) so that there is less information to be crawled during eDiscovery, which will save money and time in the long run. Use defensible disposition to cut down on digital debris by deleting information that has no business, legal, or regulatory requirement for retention. Shine a light on dark data to get rid of information that can be defensibly deleted, and use content remediation for the dark data you need to retain. Slimming down and getting rid of ROT will reduce the scope of an organization’s information to lower eDiscovery costs and increase efficiency.
Coordination among the facets of Information Governance allows an enterprise to make effective use of all of its information, regardless of ownership and at all stages of the information lifecycle. This is particularly important in the era of Big Data, where analytics can be used to gain a competitive advantage. Litigation, along with increasing disciplinary action and fines for compliance failures, has forced organizations to be more proactive and cautious when dealing with the business risks associated with poor recordkeeping and information management.