It’s no longer enough to build stronger walls to protect corporate information. You need to align your information management procedures in order to purge or migrate data.
Repositories should contain as little sensitive data as possible.
Today’s Chief Information Security Officers (CISOs) also must address information management as part of their day-to-day practice, as a complement to the more traditional focus on building stronger defenses against breaches. One part of information management is to make sure repositories contain as little sensitive data as possible, and that appropriate access rights have been assigned to that information.
I’ve been posting on Doculabs’ information management program framework—that is, what you need to do to execute information management successfully and help minimize the impact of a breach. The five components of the framework are as follows:
- Defensible content disposition playbook
- Policy alignment
- Procedure alignment
- Content cleanup
- Change management
With this post, we’re now on to the third item on the list: procedure alignment.
The defensible disposition playbook (outlined in the first post in this series) defines the parameters within which a purge or migration needs to operate in order to be legally defensible. My second post showed how to align that playbook with corporate policies for managing information.
The procedures you use to migrate and purge data should be aligned with your playbook and policies.
Now, with your defensible disposition playbook done and information management policies aligned to that playbook, it’s time to make sure the procedures your technical employees are following to migrate and purge data are aligned to the playbook and the policies.
Any court needs to be able to assume that your specific set of procedures follows the playbook.
These procedures will be very specific to your organization, because they will be based on the technology that you currently use to purge or migrate data. The procedures should provide detailed, step-by-step guidance for how to purge or migrate data—procedures which, if followed, will make it reasonable for a future court or regulatory body to assume that the policies and playbook also are being followed.
You need a specific set of procedures to guide your technical resources.
These procedures should be granular; you don’t want a procedure for “migrating content.” Instead, you want to specify a series of procedures to guide your technical resources in migrating content. For example:
- File analytics procedures guide technical resources in using file analytics tools to find “junk,” stale, and sensitive content.
- Migration procedures guide technical resources in using migration tools to migrate the in-scope content from the source to target systems.
- Testing procedures guide technical resources in how to test the results of the migration to determine where it went according to plan, and where it didn’t.
- Remediation procedures guide technical resources on how to remediate the migration if it didn’t go as planned.