Information Governance – Managing the Seemingly Unmanageable
In my previous blog, I outlined how unmanaged information growth is becoming unacceptable for enterprises. The risks and costs associated with the growth and proliferation of unstructured data are becoming too great. And businesses are failing to exploit the value of information assets effectively.
So, given the sheer volume of information involved, how should an enterprise embark on an Information Governance programme?
Step 1: Reduce data loss from the enterprise perimeter
For many organisations, the greatest information governance fear is that critical information will leak out into hostile hands. The consequences of data loss can be catastrophic: Symantec and Ponemon Institute’s report on the Cost of a Data Breach puts the average cost to an enterprise at £1.75m in the UK and $5.5m in the US.
Given these potentially devastating consequences, it is no surprise that many of our enterprise clients start their information governance programmes by implementing controls that help prevent data loss from their perimeter. Typically, these controls target egress points such as email, web (including web email, IM and cloud services), portable USB devices and mobile devices. Content-based data loss prevention technology can be configured to detect and block common critical information types, such as PCI data, customer information and HR records. It can even help protect intellectual property, such as source code or design blueprints.
Step 2: Gain visibility of your information assets
One of the biggest challenges organisations face is determining just what information they have, how critical it is and where it is located. Gaining visibility of information assets is a major step in information governance programmes.
Much of the work is people-intensive and involves meeting with the various business units and functional teams to determine the different types of information they handle and its criticality to the business. However, finding out exactly where the various information types are stored – particularly in unstructured data stores – can be very difficult.
One effective way to begin is to scan the various unstructured data stores and analyse access patterns. By mapping files to the business units or functional teams that access them most frequently, you can determine the likely criticality of the data held within them. Content-scanning techniques can then be applied to identify specific information assets, focusing first on those data stores thought likely to hold the most critical data.
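The approach described above can be sketched in a few lines of Python. This is an added example, not code from the original post or from any product: it attributes each data store to the business unit that accesses it most, scans stores in order of that unit's criticality, and reports only card-number candidates that pass a Luhn check, as a stand-in for PCI data. The access log, file contents, share layout and unit ranking are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
# Constructed sample data: (file path, business unit of the accessing user).
ACCESS_LOG = [
    ("/shares/a/q3.xlsx", "Finance"), ("/shares/a/q3.xlsx", "Finance"),
    ("/shares/a/notes.txt", "Marketing"), ("/shares/b/flyer.txt", "Marketing"),
    ("/shares/b/flyer.txt", "Marketing"), ("/shares/c/cases.txt", "HR"),
]
# Constructed file contents; 4111 1111 1111 1111 is a well-known test card number.
FILES = {
    "/shares/a/q3.xlsx": "refund to card 4111 1111 1111 1111 approved",
    "/shares/a/notes.txt": "order ref 1234 5678 9012 3456",  # fails Luhn
    "/shares/b/flyer.txt": "spring campaign copy",
    "/shares/c/cases.txt": "grievance meeting notes",
}
# Assumed criticality ranking agreed with the business (lower is scanned first).
UNIT_RANK = {"Finance": 0, "HR": 1, "Marketing": 2}
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional separators

def store_of(path):
    return "/".join(path.split("/")[:3])  # assumed layout, e.g. /shares/a

def likely_owners(log):
    """Map each data store to the business unit that accesses it most."""
    counts = defaultdict(Counter)
    for path, unit in log:
        counts[store_of(path)][unit] += 1
    return {store: c.most_common(1)[0][0] for store, c in counts.items()}

def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan(files, log, rank):
    """Scan stores in criticality order; report masked, Luhn-valid card numbers."""
    owners = likely_owners(log)
    order = sorted(owners, key=lambda s: rank.get(owners[s], len(rank)))
    findings = []
    for store in order:
        for path in sorted(p for p in files if store_of(p) == store):
            for m in CARD_RE.finditer(files[path]):
                digits = re.sub(r"\D", "", m.group())
                if luhn_ok(digits):  # drops order refs and other look-alikes
                    findings.append((owners[store], path, "*" * 12 + digits[-4:]))
    return order, findings
```

Findings carry a masked value only, so the scan report does not itself become a new copy of the sensitive data.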
Step 3: Define information governance policies
The next key step in the programme is to define the policies for handling the assets moving forward.
These policies should include the rules for who has access to what information types, where the information is stored, how long it is retained and when it should be deleted. Policies should also ensure compliance with applicable legal and industry regulations and protect against undue risk, while at the same time enabling the information to be used effectively to drive business value.
Step 4: Apply controls
It is also vital to implement controls that will ensure policy compliance. Many of these controls will be process-based, others will be technical. Technical controls often include data de-duplication, compression, replication and backup, data encryption (at rest, in motion, or both) and archiving, automated data disposal and content-based data loss prevention.
Most organisations take a risk-based approach to implementing these technical controls, prioritising their most critical or sensitive data types first and focusing initially on those controls that will deliver the biggest benefit to the business, in terms of risk and/or cost reduction.
Step 5: Enable information discovery
The final step is to implement tools that allow data stores to be searched easily when information must be discovered in response to legal action. Many enterprises face the daunting task of identifying all the electronic data related to a case, and this can be hugely labour-intensive, sometimes involving dozens of lawyers, IT professionals and business unit representatives.
Effective eDiscovery tools can dramatically reduce the amount of manual effort involved. Based on experiences with our enterprise customers, the time required to complete discovery exercises can be reduced by a factor of ten and the financial savings can run into millions of pounds.
Unmanaged data growth has become endemic in many enterprises. However, the impact of failing to govern information effectively – in terms of increased risks, increased costs and an inability to effectively exploit the business value of the enterprise’s information assets – is increasing. This five-step approach to information governance provides an effective framework for gaining control over your enterprise data stores and will enable a reduction in your information risk, while at the same time gaining full value from your corporate information assets.