Design an Effective Information Governance Framework to Minimize Data Risks
May 31, 2023
Most households have their own stash of “crown jewels” — key documents, jewelry, family heirlooms, irreplaceable photos and other personal treasures that need protection from theft, catastrophe or loss. Often, this problem is solved simply, by buying a safe.
Somewhat more complicated is the process of finding and determining what to put in the safe. The car title? Passports? An expensive watch that is worn regularly? What about the old family photos tucked away in an album?
Similarly, organizations have a unique set of crown jewels: information that is critical, protected or irreplaceable. Much like at home, the most difficult part of protecting them is not actually setting up the repository, it is determining what information qualifies for the utmost protection, then finding it and moving it to the designated safe place.
This is challenging in part because no single business leader or department can define on its own what constitutes the crown jewels. Moreover, different types of data will have varying levels of risk — even among datasets that can be categorized as crown jewels, a multidisciplinary, cross-functional team will need to establish different tiers of sensitivity. These tiers must account for information that would be devastating to have stolen, but may also include data that needs to be exempt from disposition and cannot be destroyed, such as executive emails under legal hold.
When identifying and protecting crown jewels, organizations must involve many stakeholders, determine the processes for keeping the data safe and create procedures for removing information that has lost its value.
Sensitive Data Types
Data cannot be simply locked up and shut away. If that happens, it becomes useless. At the same time, it is critical to determine what type of information requires protecting. For example, much like flammable household products, some information may not be considered crown jewels, but can quickly cause tremendous damage in the wrong hands. Countless headline-making data breaches have illustrated just how catastrophic such incidents can be.
Therefore, sensitive information should be divided into several categories, so it can be managed according to risk, but at the same time exist in locations and formats necessary for business use. These categories include:
- Information that may not be destroyed: Some information may need to be carefully maintained, not because it has intrinsic value, but for purposes such as legal hold, regulatory requirements and obligations. This type of information can exist in many places within organizations, such as a file share, on an employee’s mobile device, on a hard drive or a cloud account. Some of these files may also exist in legacy formats and archives. When moved to a secure location, this type of data needs to be handled carefully, so that metadata is not altered, and must be stored so it is protected from inadvertent destruction.
- Items of actual value: Like precious jewels, some corporate information is truly valuable. This can include customer lists, formulas, intellectual property, schematics, pricing templates and other types of information that provide competitive and strategic advantage.
- Information that can be risky or dangerous in the wrong hands: Some information must be kept private, regardless of its actual value. Employee documentation, financial information and health records are examples. These documents are far more valuable to outsiders than to the company itself, and therefore must be protected.
The legal department, the records management group and business stakeholders should collaborate to bucket different records into categories. Note that it is not necessary to have representatives from each group review every potential piece of data. Rather, each group should be given access to the underlying database where records are kept, with each group having its own interface into the data.
For example, the legal department’s interface can help it manage legal hold requirements, while the records management team can assist in tracking what information must be retained for which length of time as part of the company’s document retention policies. By making decisions about which information is needed long-term for business use, business stakeholders can help classify records that have value and should be retained.
How To Keep Information Secure
Once legal, records management and the business users have determined what and where their crown jewels are, it is time to develop processes to keep that data safe. Such a repository must be much more sophisticated than a simple file share, from which anyone can access and copy or delete files. The central repository should have more granular controls such as authentication labels, access tiers and permission restrictions. It should also provide sophisticated storage and backup protocols given the value of the information within it.
In terms of processes that support the overall program, it is important to create an audit and reporting trail. When someone identifies information as a crown jewel, it should automatically trigger a set of steps to categorize and preserve that information according to where it falls on the hierarchy of importance and sensitivity.
In parallel, it is important to begin training teams on how they can interact with the central repository and support information governance policies in day-to-day activities. Careful change management is important in this regard, as employees can easily become overwhelmed by too much too soon. New policies and procedures should be rolled out over time, supported by education and awareness campaigns that reinforce how the new processes work, each employee’s responsibility in supporting them and why the program is important to the organization’s overall success.
Established procedures should be regularly reviewed and adjusted when necessary — such as when new types of information flow into the organization, business units are acquired or divested, new vendors are established and obligations change due to legal or regulatory activity. Similarly, information that had been previously identified in a crown jewel category may at some point qualify for deletion, for instance, as legal holds close or business needs change. Overall, the framework should be extremely flexible to evolve alongside the organization’s needs.
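As an added illustration (not code from the original article), the following Python sketch models a crown-jewel registry with the controls described in this section: classifying a record automatically triggers a preservation step, only an assumed "legal" group may release a hold, disposition is refused while a hold or retention period is in force, and every action lands in an audit trail. The category names, tier numbers and group roles are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Sensitivity tiers for the three categories from "Sensitive Data Types" (assumed ordering).
TIERS = {"may_not_be_destroyed": 3, "actual_value": 2, "risky_in_wrong_hands": 1}

@dataclass
class Record:
    path: str                            # pointer to where the original lives
    category: str                        # one of TIERS
    retain_until: Optional[date] = None  # retention rule set by records management
    legal_hold: bool = False

class CrownJewelRegistry:
    def __init__(self) -> None:
        self.records: Dict[str, Record] = {}
        self.audit: List[Tuple[str, str, str]] = []   # (actor, action, path)

    def _log(self, actor: str, action: str, path: str) -> None:
        self.audit.append((actor, action, path))

    def register(self, actor: str, rec: Record) -> int:
        """Classify a record; classification itself triggers preservation steps."""
        if rec.category not in TIERS:
            raise ValueError(f"unknown category: {rec.category}")
        self.records[rec.path] = rec
        self._log(actor, f"classified:{rec.category}", rec.path)
        if rec.category == "may_not_be_destroyed" and not rec.legal_hold:
            rec.legal_hold = True                      # exempt from disposition
            self._log("system", "legal_hold_applied", rec.path)
        return TIERS[rec.category]

    def release_hold(self, actor: str, actor_group: str, path: str) -> None:
        """Only the legal group may close a hold (permission restriction)."""
        if actor_group != "legal":
            self._log(actor, "denied:release_hold", path)
            raise PermissionError("only legal may release a hold")
        self.records[path].legal_hold = False
        self._log(actor, "legal_hold_released", path)

    def dispose(self, actor: str, path: str, today: Optional[date] = None) -> bool:
        """Remove a record unless a hold or retention period still protects it."""
        rec = self.records[path]
        today = today or date.today()
        if rec.legal_hold or (rec.retain_until and today < rec.retain_until):
            self._log(actor, "denied:dispose", path)
            return False
        del self.records[path]
        self._log(actor, "disposed", path)
        return True
```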
Creating Repeatable Information Governance Processes Across Locations
All of this is challenging enough when companies operate in only one jurisdiction. Establishing consistent and repeatable processes across regions that are subject to numerous regulations and other variables is even more complicated.
This is where technology can make a significant impact. For example, indexing technology scans, opens, scrapes and maintains information in an index, with a pointer to original files. These systems have built-in functionality to automatically skip or re-review files depending on whether there have been changes to original documents. They look for additions, deletions and changes to files, so they can be re-indexed continually, ensuring that the retention program is always up to date based on established rules.
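To make the indexing behaviour concrete, here is an added example (not from the original article or any product it describes) of an incremental indexer in Python: each index entry keeps a pointer to the original file plus the metadata used to skip unchanged files, and a rescan reports additions, modifications and deletions. The in-memory file model and the `snapshot_dir` helper are assumptions for the example.

```python
import hashlib
import os
from typing import Dict, Tuple

# A file is modelled as (mtime, content); on disk, snapshot_dir() builds this.
Files = Dict[str, Tuple[int, bytes]]
# Index entry: pointer to the original plus the metadata used to skip rehashing.
Index = Dict[str, dict]

def snapshot_dir(root: str) -> Files:
    """Walk a directory and load each file (small corpora only)."""
    files: Files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                files[path] = (int(os.stat(path).st_mtime), fh.read())
    return files

def update_index(index: Index, files: Files) -> dict:
    """Reconcile the index with a fresh scan; rehash only what looks changed."""
    report = {"added": [], "modified": [], "deleted": [], "skipped": []}
    for path, (mtime, data) in files.items():
        entry = index.get(path)
        if entry and entry["mtime"] == mtime and entry["size"] == len(data):
            report["skipped"].append(path)        # cheap check: untouched
            continue
        digest = hashlib.sha256(data).hexdigest()
        if entry is None:
            report["added"].append(path)
        elif entry["sha256"] != digest:
            report["modified"].append(path)
        else:
            report["skipped"].append(path)        # touched, but content unchanged
        index[path] = {"pointer": path, "mtime": mtime,
                       "size": len(data), "sha256": digest}
    for path in list(index):
        if path not in files:
            del index[path]                       # original is gone
            report["deleted"].append(path)
    return report
```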
Locking the crown jewels in an accessible, flexible and secure safe is one of the most impactful information governance strategies for reducing cost and risk relating to sensitive data. By establishing a hierarchy of different categories of critical information and building clear processes around them, organizations can protect their greatest assets while also strengthening regulatory compliance, data privacy, litigation readiness and information security resilience.