Aligning Policies: Information Management and Information Security

Today’s Chief Information Security Officers (CISOs) can’t just build stronger walls to protect corporate information. They need to be sure that their organization aligns information management and information security policies.

Why you should align information management and information security policies.

They also have to make sure that corporate repositories contain as little sensitive data as possible, and that appropriate access rights have been assigned to that information. It’s why CISOs are now addressing information management as part of their day-to-day practice, as a complement to the more traditional focus on building stronger defenses against breaches.

How do you execute on information management successfully? Doculabs has outlined an information management program framework CISOs can adopt, one that helps minimize the impact of a breach. The framework has five components:

I’m taking up these components one by one in a series of blog posts, and in this one, I'm taking up the second item on the list: policy alignment. The defensible disposition playbook outlined in my previous post defines the parameters within which a purge or migration needs to operate in order to be legally defensible.

How to be sure your playbook is aligned with your organization's corporate policies.

It’s also important that the playbook be aligned with your organization's corporate policies for managing information. Or better put, your corporate policies for managing information must align with your defensible disposition playbook to ensure that, if you’re following the playbook, you’re also following corporate policy.

And, as with the disposition playbook, the specific policy work that needs to be done will differ from organization to organization. But there are some general areas that any policy alignment will need to cover.

Your corporate records management policy needs to cover both paper and electronic records.

It may seem obvious that a corporate records management policy covers both paper and electronic records. But we see lots of organizations today that have yet to include digital documents along with hard-copy documents in their records policies. Their policies are still solidly grounded in the paper world.

You need to account for the security classification of data.

Second, you need to consider the security classification of data. That is, you need to determine if the data are public, internal, confidential or highly confidential.

Without clear definitions of these categories of corporate information and how they should be handled, your organization’s employees will lack clear guidance on how to appropriately handle the data they work with.

Address orphaned data (data with no owner) and abandoned data.

Finally, you need to address orphaned and abandoned data. Orphaned data is data that has no owner. That may be because the original owner of that data has left the organization or moved to another role in the organization.

Abandoned data, by contrast, is data that hasn’t been accessed recently. Of course, what constitutes “recently” will be different at every organization. Typically firms use some timeframe between 3 and 5 years of inactivity to define abandoned data.

Regardless of these specifics, what needs to be defined is that data which meets the criteria for orphaned or abandoned is assigned an owner (Legal, IT, Records Management, Information Security, etc.) which can then lifecycle that data appropriately. That owner determines whether the data is subject to a legal hold or to the corporate records retention schedule. If not, purge the data!
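As an added illustration (not code from the original post or from Doculabs), the following script applies the orphaned/abandoned decision flow above to a constructed inventory: it flags items whose owner is missing or no longer on staff, or that have been inactive longer than the assumed three-year limit, assigns a default steward, and then checks legal hold and retention schedule before marking anything for purge. The staff directory, the default owner and the inventory entries are all made-up values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed values: the post notes firms typically use 3 to 5 years of
# inactivity; three years is assumed here. The staff directory is also made up.
INACTIVITY_LIMIT = timedelta(days=3 * 365)
CURRENT_STAFF = {"asmith", "bjones"}
DEFAULT_OWNER = "Records Management"   # assumed default steward for orphaned data

@dataclass
class Asset:
    path: str
    owner: Optional[str]                    # None: no owner recorded
    last_accessed: date
    legal_hold: bool = False
    retention_until: Optional[date] = None  # None: no retention-schedule entry

def classify(asset: Asset, today: date) -> tuple:
    """Return (orphaned, abandoned) using the post's definitions."""
    orphaned = asset.owner is None or asset.owner not in CURRENT_STAFF
    abandoned = today - asset.last_accessed > INACTIVITY_LIMIT
    return orphaned, abandoned

def disposition(asset: Asset, today: date) -> tuple:
    """Return (action, owner): who now owns the item and what to do with it."""
    orphaned, abandoned = classify(asset, today)
    if not (orphaned or abandoned):
        return "keep", asset.owner          # active and owned: outside the playbook
    owner = DEFAULT_OWNER if orphaned else asset.owner
    if asset.legal_hold:
        return "retain-legal-hold", owner   # hold always wins over retention expiry
    if asset.retention_until is not None and asset.retention_until >= today:
        return "retain-schedule", owner     # still inside the retention schedule
    return "purge", owner                   # no hold, no schedule entry: defensible purge

# Constructed inventory of four repository items.
INVENTORY = [
    Asset("/share/hr/reviews-2015.xlsx", "cdoe", date(2014, 6, 1), legal_hold=True),
    Asset("/share/fin/q3-close.docx", "asmith", date(2024, 2, 3)),
    Asset("/share/projects/old-bid.pdf", None, date(2016, 9, 9), retention_until=date(2026, 1, 1)),
    Asset("/share/tmp/export.csv", "bjones", date(2015, 1, 1)),
]

def triage(inventory, today: date) -> dict:
    """Map each path to its (action, owner) decision."""
    return {a.path: disposition(a, today) for a in inventory}

if __name__ == "__main__":
    for path, (action, owner) in triage(INVENTORY, date(2024, 6, 1)).items():
        print(f"{action:18} owner={owner:20} {path}")
```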

Download the Transforming Information Security with Information Management White Paper 

Rich Medina
Joe Shepley
I’m VP and Practice Lead, focusing on developing Doculabs’ InfoSec practice and its applications in a wide range of industries.