Information Governance (IG) can be described as simply the ‘security, control and optimization of information’. The end goal of IG is to minimize the risk and cost of information and maximize the value. Think of it as a balancing act between information accessibility and security.
Why do we need to control our data? Well, it’s controlled to meet legal, regulatory, risk and business demands. For example, there is a regulatory requirement in the financial sector which states that organizations must retain data of customer transactions for a set period of time. The control aspect of the IG strategy centres around the ability to identify those information items that need to be retained & implementing some control around the disposal of this data (use software to mitigate the risk of ‘accidental’ deletion).
In order to successfully implement an IG strategy, you’ll need to ensure that you have a very senior sponsor in your business. IG costs time and money and when the sh*t hits the fan, you need to know that the IG programme is not going to fade into the background & that the budget is not going to be pulled – the executive sponsor needs to have real buy-in to the initiative and help to remove obstacles for the IG team to make the programme a true success.
Further to the senior stakeholder support & engagement, a strong information governance strategy needs cross-functional buy-in and agreement on IG strategy. This is because, only the team generating or using the data heavily will understand the true value of the data – and only by understand the true value, can you effectively classify information & impose IG processes.
Once you’ve got all the buy-in you need from across the business, you’ll need to document those items that you’ve agreed in a policy document (and a supplementary policy communication document – to outline how you’re going to share, update and execute the policy). The IG policy should outline the procedures that will control the use of data both internally and also externally via email, IM, cloud services, social platforms and blogs. If data is to be shared externally, it should outline the required authorization procedure and a secure method of data-transfer to a third party supplier (including encryption requirements).
Within the policy, a section on data classification and categorization should outline the type of documents that the company perceives to be most classified and confidential and those which it considers to be in the public domain. As an example, these could be classified as: confidential, internal use only or public.
Further to all of this, you’ll need to create a document retention schedule. In this schedule, the retention period for each category of document should be outlined. For example, you may be required to retain invoices for 6 years. After this period has passed, you can choose for the data to be archived, transferred or destroyed.
Regardless of your retention schedule, any documents which you consider to be confidential and not available to the general public should be secured. All documents should be secured at rest, in transit and while in use – all of the security provisions in place to do this should be outlined in your IG document.
You’ll need to also document how you handle legal issues as part of your ‘legal hold notification’ strategy. This should outline whether particular documents are ‘frozen’ in the event of legal action.
Next you’ll need to think about risk planning. What risks are likely to arise if your data is accessed by an unauthorised individual? What would be the cost to your business (reputational & monetary) if that were to happen? How likely is it to happen and how are you going to mitigate the risk of it happening.
Finally, there are a number of software packages which will aid you with control and auditing. Control packages can enable version control and data access control. Auditing packages keep a note of each change to the document, including date, time and author – auditing packages work in conjunction with control packages, as it’ll retain audit logs for all versions of a particular document.
How do you justify your Information Governance investment?
By investing in a solid IG strategy, you will be able to reduce the amount of ROT (redundant, obsolete and trivial) information in your business. This reduces overall risk by removing outdated information from your environment. ROT can be identified by file analysis software which scans files on a schedule.
By removing the ROT, the organization can reduce their information footprint, leading to lower storage costs. Not only that, but there are much lower compliance costs as data is better structured and easy to extract for litigation and auditing purposes – and a reduction in fines from audit firms / regulators for delays in providing data for their investigations.
Further to this, it’ll also reduce your IT security costs as all the data will be classified and secured accordingly (so the security team won’t be chasing their own tail, as is very common in IT security).
Finally, you’ll have a reduced information risk as all the outdated and irrelevant data will be gone and all remaining data will adhere to the correct sharing and security protocols.
Image used under creative commons