How time flies. Seventeen years ago, I went to work for a small, visionary company based in Seattle—Computer Forensics, Inc. Indeed, the founder was so early in the e-discovery and forensics industry that our URL was forensics.com. Laptop drives typically had 8 GB of storage, and servers were more often than not simply a bigger box that sat in a closet.
Lots has changed since then. New technologies, expanded data sources and media types, and more raw data have flooded consumer and business marketplaces alike. We’ve all seen the scary statistics on increasing information volumes and the security risks that follow. Unfortunately, our controls for the creation, management, retention, and disposition of those data have not kept pace. Yet how we manage our data on a day-to-day basis goes also to the heart of how we protect our data and ensure that our information assets are secure from theft or compromise.
During my years at CFI and since, I’ve found myself pondering “what if?” questions. What if we only had to protect 20% of our information? What if clients could take dollars earmarked for e-discovery and increased storage and spend them instead on better systems and operational improvements? What if a client faced with the reality of a data breach didn’t have to wonder how many unnecessary skeletons were now visible? The promise of information governance is that we can answer these questions affirmatively. This is good news, and more importantly, news you can use.
Building blocks
Good information security requires a few things. First, you need to know what you have and where it is. Second, you need to know about any legal or compliance requirements for its retention. Knowing these two things will help you decide what policies to put in place, what tools to acquire, and what training to provide. Information governance helps you do that.
IG foundations include the Structure (asset inventory, retention schedule), Direction (policies, processes), Resources (training, technology), and Accountability (executive mandate, audits) that allow for information management and defensible disposition. Disposition leads to:
Better Data = Better Value
“Big data” is all the rage. The problem is that poor quality, irrelevant, or obsolete data diminishes the value to be gained from mining that big data. Routinely cleaning out the chaff makes the remaining data more valuable—just one of many benefits of good governance.
Less Data = Less Risk
Similarly, having less data immediately can limit the scope of a breach, limit the exposure of protected information such as PHI and PII, and significantly minimize e-discovery costs in the event of litigation or regulatory investigation.
Three ways to get started
- Create rules for your tools. Develop a legally-valid retention schedule to apply against your information assets. Be sure your policies and procedures reflect the reality of the data you need to manage. Plan for “security by design” when considering new technology acquisitions.
- Address the human element. Training for information governance and security is critical, but its quality and impact must also be measured to be effective. Cultural “will” and the “tone from the top” will drive the success of IG initiatives. Be sure to get the support you need.
- Look for opportunities to leverage triggers. It’s hard to get started without a compelling argument. Look for that argument in litigation/e-discovery spend, regulatory audit findings, Board of Directors inquiries, and budget requests.
Effective information governance will most certainly reduce risk, enhance compliance, and minimize costs. All you need to do is take the first step toward building the right foundation.