This Paragon Insight was originally published by Document Strategy.
For enterprises moving to the cloud, or deciding whether existing deployments need remediation, the difference between a successful assessment and an anemic one is whether the organization can supply the people, the process understanding, and the sustained commitment needed to mitigate the information governance risks inherent in cloud solutions.
When assessing the impact a cloud implementation project will have on information governance, there is no shortage of compliance considerations. Ideally, the assessment is done before cloud services are contracted, though most assessment and strategy approaches also apply to existing cloud solutions, whether software-as-a-service (SaaS), platform-as-a-service (PaaS), or infrastructure-as-a-service (IaaS). The deliverables include roadmaps and implementation plans that clearly identify risks and the mitigation activities needed to close gaps where parts of the organization have already adopted cloud solutions.
For businesses targeting cloud deployment, the goal of an information governance assessment is an actionable cloud implementation plan, covering everything from remediation of existing deployments to a plan for future cloud migration activities.
The Six Greatest Risks
To achieve this result, an organization must conduct an information governance assessment that rigorously evaluates the following six risk areas:
- Regulatory Compliance
- Records Retention Compliance
- E-discovery/Electronically Stored Information (ESI) Compliance
- Information Security
- Data Management, Migration, and Integration
- Privacy, Risk Management, and Vendor Transparency
Regulatory Compliance
Many industries face tight regulatory and legislative requirements for reporting financial information, and many organizations also face requirements for retaining information, controlling data generation processes, managing electronic records and signatures, and more. These rules are well known within the affected business areas but are not always visible to chief information officers (CIOs) and information technology (IT) infrastructure and operations leaders. The result can be a cloud solution that is not deployed in a controlled, documented, and consistent fashion, or that lacks some of the controls required to manage the information created and stored in it.
Records Retention Compliance
All industries should have transparent records and information management policies and records retention schedules. These governing documents dictate when, and whether, information and data become a record and, once they do, how long the record must be retained before it must be destroyed. The retention concern is ensuring that users of the cloud solution understand their retention obligations, namely how to distinguish records from other data and information and how to manage data according to information management policies. That sounds simple, but much cloud software, and many platform and infrastructure services, lack the metadata fields, or the processes, needed to apply classification information to the proper management of information, data, and records.
E-discovery/ESI Compliance
ESI is the industry term for electronic records, data, and information that are a potential target of expected or existing litigation. E-discovery is the process of searching for and collecting electronic information that may be subject to a legal hold. These risks are most acute for US organizations, because the Federal Rules of Civil Procedure (FRCP) govern e-discovery in US federal courts, but other jurisdictions are catching up. A legal hold requires an organization to notify the parties who create or manage information relevant to supporting or refuting a litigation matter, so that they neither alter nor destroy any information covered by the hold. If cloud deployments are not configured for, or cannot support, the search, retrieval, collection, and preservation of records and data in compliance with the FRCP, there could be trouble ahead.
Information Security
Information security remains a key risk for organizations that use cloud solutions or are planning an implementation. In fact, staff use of unapproved cloud solutions poses the greatest risk. Recent studies suggest that while organizations approve a handful of cloud services, employees use an order of magnitude more, many of which remain undetected by both IT infrastructure and operations teams and information governance teams. In addition, the details cloud vendors publish on how they manage security often do not reach the level needed to confirm compliance with the customer's IT security policies.
Data Management, Migration & Integration
So, you have moved to the cloud and are now in a position where effectively unlimited amounts of data can be captured, in storage that scales to meet your demand. If you are not managing retention and you do not have strong metadata or data governance requirements, that data is not living up to its potential, and the real benefits of the cloud deployment will not be realized.
Privacy, Risk Management & Vendor Transparency
Privacy goes beyond security requirements and includes basic concerns about vendor transparency when moving to the cloud. Keep the following cautionary points in mind, and press any cloud vendor that is unwilling to provide full transparency. For example, when speaking with cloud vendors to determine next steps, enterprise leadership should ask:
- Will the cloud provider use any subcontractors with access to the hosted services, and if so, will those subcontractors have access to the company’s personal data?
- Does the cloud vendor commit to an established timeframe for notifying your company of privacy, security, and other compliance breaches?
- Will your company be formally notified of any legally binding request to provide or disclose your company’s data?
Personally Identifiable Information
If an enterprise handles personally identifiable information (PII), and particularly personal health information, the stakes are even higher in ensuring that the selected cloud vendor is reliable and transparent. Will the vendor manage patient medical records or clinical data? Are there processes in place to ensure that all personal data remains authentic and is not maliciously or accidentally altered during processing, storage, or transmission?
PII is information that can be used to distinguish or trace an individual's identity, such as name, social security number, fingerprints, retina scans, voice signature, facial geometry, taxpayer identification number, and passport and credit card numbers.
As the continued growth of cloud computing and big data leads to an explosion of structured and unstructured data that is more distributed than ever, interest in tools for data discovery and classification has grown accordingly. Throughout, protecting brand reputation and keeping PII secure is paramount.
Enterprises need to address the cautions and demands of cloud security in their mission to protect PII, while keeping in mind the positive reality that cloud service providers can typically support far more capable security systems and platforms than are practical for most individual enterprises today.