Like any organization dealing with personal and protected data, financial services companies are looking to develop the right information governance practices to minimize risk and improve information security. In this case study, our client wanted to define best practices around sensitive data and, working with Doculabs, defined a set of rules to identify sensitive information.
An information governance program protects institutional information and intellectual property.
Our client is a Midwest investment management company with a history that spans three centuries. Since 2003, the company of more than 1,000 employees has grown substantially through the acquisition of asset management, securities, and investment bank firms.
In 2018, the client asked Doculabs to help get its information governance program up and running in order to protect both institutional information and intellectual property.
Four Project Tasks to Launch the Information Governance Program
The company engaged Doculabs to structure its information governance program by delivering on four inter-related tasks:
1. To define and identify sensitive, unstructured data
The company asked Doculabs to help develop a set of recommendations on how to structure its new information governance program. That meant defining resources needed, the activities of these resources, and related roles and responsibilities.
2. To come up with a set of information governance rules
The client also wanted Doculabs to help define a set of custom rules for identifying sensitive data. (See our post on this topic, "How to Minimize the Risk Surface of Unstructured Content for Information Security.") The better the governance surrounding sensitive data, the more readily an organization can identify the highest-risk areas that need remediation.
3. To create a series of data maps that would match proposed information governance rules
Through data maps, our client could pinpoint where sensitive data resided across the file share network. You can read more on developing data maps below.
4. To better utilize software the firm already owned and was using to track, visualize, analyze, and protect unstructured data
A small internal team wanted to demonstrate immediate progress to leadership. For instance, the team wanted to show the organization that a large number of sensitive data hits that were also duplicates could be removed quickly from its environment.
Doculabs helped define and identify specific types of sensitive data.
In order to define and identify sensitive data, Doculabs and the client focused on several sets of data. These included:
- Social Security numbers
- Personally identifiable information (PII)
- Protected health information (PHI)
- Intellectual property
- Trading information
- Wire transfer information
The Process Used to Develop Information Governance Rules and Data Maps
Doculabs, in conjunction with the client team:
- Worked to understand priorities around sensitive data
- Developed and tested 10 custom rules
- Scanned the data environment
- Refined rules based on the scan
- Re-scanned the environment to be sure adjustments were correct
- Made recommendations on where to focus initial cleanup
- Created a data map for all rules
- Developed recommendations on the information governance structure
To scan with multiple rules, Doculabs worked with the client to better leverage its in-house software.
As a result, we jointly developed 10 custom rules for sensitive information, which we then tested. The results allowed our client to understand where sensitive data resided across the file share network.
Through the establishment of an information governance program, we defined a set of rules to decrease the volume of unmanaged sensitive data in the organization. The rules we defined were set up to help the client start the process of better managing sensitive data, and we outlined how long we thought the process would take. Most importantly, we recommended areas where the client could focus its initial cleanup efforts by demonstrating where it could reduce duplicates, and we recommended the sequence in which the firm should clean up its data types.