<< back Page 2 of 3 next >>

Regulatory Compliance Demands Sustainable Information Governance


Questions to Ask for Compliance and Security

A strong information governance program requires a unified information governance strategy that is best developed by a careful, research-based audit. Before development of an information governance strategy and plan, IT organizations would be well-served to research and answer the following questions:

  • What legal and regulatory requirements need to be met?
  • Can governance policies be consistently applied across content and records throughout their lifecycle?
  • Where do content and records reside, and who are the business owners of these systems?
  • What file formats need to be supported (including paper)?
  • What security concerns exist around content and records?
  • What has hindered the adoption of existing records management systems?

Developing robust answers and workarounds for these important questions will help avoid snags in implementation of a governance plan, ideally saving both time and money in the process.

Sustainable Information Governance

In addition to building research-driven plans for effective governance strategies, the most forward-looking companies leverage best practices to develop sustainable programs. They include the following:

Aiming for “invisible” governance

A governance solution is useless if end users don’t actually use the solution. As such, technologies that bypass end users and allow governance to happen “invisibly” behind the scenes can put businesses in a better position to run a consistent, legally defensible governance program. Examples include the following:

  • Intelligent Classification—Solutions with this capability use a business rules engine to automatically declare a record, populate its metadata, and file it in the right place. Records management can be integrated seamlessly into any workflow, making it easier for users and eliminating haphazard, error-prone manual processes.
  • Auto-Classification Engines—These solutions use machine learning and analytics to automate content classification at scale. They discover and tag sensitive or compliance-related data (such as personally identifiable information, or PII) in terabytes of unstructured content—important for complying with regulations such as GDPR or 23 NYCRR 500.
  • Holistic records management—A strong governance program requires a unified records management strategy, meaning that records managers should have the ability to apply standard policies and classification schemes to content stored in disparate applications and locations. A central hub for records management provides maximum flexibility for both the business and IT, with the ability to manage records in place, in a centralized repository, or in both. Quite often, this hybrid approach leveraging a central hub can be very effective, as shown in this table.
  • Build in extra controls—Extra security controls are needed for compliance with increasingly strict data protection regulations, so enabling the business to limit which content people can view and what they can do with it is useful. Audit logs that detail and demonstrate the complete lifecycle of governed content are effective; additional safeguards should go beyond basic access control lists and permissions, including these:
    •  Security marks that identify content as having sensitive information (such as PII)
    •  Security classifications (such as top secret or secret) that travel with a file
    •  Roles that control the actions individuals can take with a file
    •  Encryption of content in transit and at rest
  • Future-proofing governance solutions—Information governance is not “set it and forget it.” Technologies used should be flexible enough to support new demands as the business and regulatory environment evolves. Future-proofing should be built around features and functions such as these:
    •   Open architecture—so records remain readable and accessible over time
    •   Connectors—to access a wide range of systems and support an evolving software environment
    •   Cloud-ready—to enable durable, low-cost storage on modern platforms
    •   Versatility—ability to manage multiple file types, including video, email, and social media content
    •   Scalability—to handle the continued explosive growth in content
    •   Standardized—certified or aligned to leading industry standards such as DoD 5015.02 and ISO 15489