The concept of information analytics and remediation (IAR) sounds simple—evaluate data and put a system in place so is is properly classified, stored and destroyed as needed so your company complies with best practices and applicable governing regulations. But the process entails several phases. I’m writing a series of blog posts about the three steps that are involved to deploy a successful IAR program.
The first phase of IAR involves conducting a comprehensive assessment to help companies figure out where they are in their data management efforts. When I work with clients, I like to help them see what their information landscape looks like internally before the solution is deployed.
Pinpointing Data Types and Sources
This step involves not only determining what types of information are out there such as specific file types, but also where the files are coming from—including computers and mobile devices. Unstructured content on a company’s file shares can be a nightmare. Many organizations I work with have files that are not stored in the right places, which makes it hard to identify records between various departments. Some also have duplicate copies of records, which adds to the chaos. Files can be saved in the proper place and classified, but if they are not protected, critical information can fall into the wrong hands—so that’s another challenge when trying to make sense of the overall picture.
And finally, without a proper system to destroy data, companies are at a regulatory risk. I have probably 100 cases in eDiscovery where companies have held on to data too long, and as a result can become liable for it. Most companies focus so much on properly storing data—has your company ensured that data is also destroyed when it needs to be so your organization complies with privacy regulations? That’s another part of the IAR process.
That’s why the systematic analysis and categorization of unstructured information is important. I base it on input from corporate polices, records management, legal, and best practices in order enable organizations to understand information value, evaluate risk and adhere to applicable regulations.
The assessment also evaluates if a client has room or a platform already in place to store the data they need. Some already have a policy for data management, so I look to see if that is functioning in accordance with their own company rules and industry regulations. Other clients have existing processes or programs to classify data, but we must explore those to see if they are truly working. The evaluation offers a comprehensive analysis so we can fill in gaps where needed, because most companies have some sort of data management platform in place—but they don’t have the processes behind it to support its optimal function.
So the assessment isn’t a cookie-cutter process or tool, but rather a blend of process evaluation and deployment as well as technology evaluation deployment. I run programs as needed to give the client the “big picture” of their existing data and see if they have a data reference model; EMC tools are commonly used during the assessment. The other part of my job involves creating processes that work for the company, so I sometimes have to work more on the policy development side of things.
The assessment process along can take anywhere from three weeks up to 6 months, depending on a number of factors such as how big the company is and whether or not they have an information management system in place.
Again, this is just one part of analyzing and remediating data. In the next post of this series, I’ll discuss Phase Two: how I develop a customized plan to meet the individual needs of each client.
What types of factors have you explored during your company’s information analysis process?