A version of this post appeared on CMSWire.
A shift is taking place in how organizations approach information management (IM). Ownership of IM disciplines—records management, content management, information governance, etc.—is consolidating under the Information Security function at many of our clients.
Previous owners of IM included Legal, Compliance, IT, Finance, and Facilities Management (a carryover from the days when managing paper records was the primary concern). Information Governance never joined these ranks, however, as it hasn't yet become a formal department in many organizations.
The Information Security departments that are taking over information management are not the white-hat, pen-testing, encryption-obsessed folks of yesterday. Those remain core capabilities under the InfoSec umbrella, but maturing InfoSec departments understand that securing the network perimeter only partially mitigates the risk of a data breach.
To protect sensitive information, InfoSec needs to know where that information lives and needs to be able to remediate at-risk content, systems, and access rights.
How Many Apps Can You Manage?
Nearly half of data breaches occur because employees walk out the door with sensitive content. Many organizations perform audits of personally identifiable information (PII) and protected health information (PHI) on their systems. In a recent survey, Doculabs found that 30 percent of organizations had received an audit finding of PII or PHI exposure in the past 12 months.
Few organizations have a standard application decommissioning process, and the gap carries big cost implications and bigger risk exposures. Legacy apps can't be managed with the same scrutiny as your active application portfolio, yet many of them contain PII or PHI. As long as they sit out there unmanaged, you have no visibility into where sensitive information lives and where it doesn't.
An application portfolio should align to a data map that identifies the nature of the data in the application and the level of security required for that data. Let’s face it: A data map of 100 applications is a lot easier to manage than a data map of 1,000 or 10,000 apps.
A View From Above
Access rights are another area where information management can impact InfoSec goals.
This is a new spin on an old problem. Records management and information management have been discussing how to clean up content for years now. Let's use network drives as an example, but this applies to any “platform.”
A high-level analysis of your network drives should identify, for each location, the access rights (global, group, individual, etc.), the content owner, content age, and content type. Access rights are a quick-hit way to reduce exposure: InfoSec doesn't need to consult the business, Legal, or anyone else to make this move, because auditing and remediating access rights falls fully within its jurisdiction.
In many cases, access rights pose exposure problems because the default for many network drives is global access. In addition, long-time employees collect specialized access as they move from one department to another, usually without revocation of their previous access rights.
Performing the kind of analysis described above also provides the InfoSec group with a view of “junk” files, orphaned data, and sensitive data — all areas where InfoSec can partner with IT to perform cleanup activities. Junk files can be destroyed as a part of basic application hygiene activities. Orphaned files can be migrated to a “holding pen” and disposed of as dictated by policy. Sensitive data can be quarantined and migrated to a secure environment or, if outdated, can be disposed of.
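The inventory described in the last three paragraphs is easy to sketch in code. The following is an added example, not code from the original post or from Doculabs: it walks a share, records owner, age and mode bits for every file, and buckets each file into the remediation lanes the post names (revoke global access, hold orphaned files, quarantine sensitive files, delete junk). It is POSIX-only, reading "global access" as the world-readable/world-writable mode bits; on a Windows share the equivalent check is an Everyone or Authenticated Users ACE, which is not shown. The sample share, the departed-user mapping, the three-year staleness threshold, the junk suffixes and the SSN-shaped PII pattern are all constructed assumptions for the demo.

```python
"""Inventory a file share and bucket each file into a remediation lane.

Added example, not from the original post. POSIX-only: "global access" is
the world-readable/writable mode bits. All paths, owners, thresholds and
the PII pattern are constructed for the demo.
"""
import os
import re
import stat
import tempfile
import time
from pathlib import Path

STALE_DAYS = 3 * 365                               # assumed retention trigger
JUNK_SUFFIXES = {".tmp", ".bak", ".old", ".ds_store"}
# Illustrative PII detector: US SSN shape only. A real scan needs a DLP engine.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
REMEDIATION = {
    "global-write": "revoke world write (InfoSec can act alone)",
    "global-read": "revoke world read; restrict to the owning group",
    "sensitive": "quarantine and migrate to a secured repository",
    "orphaned": "move to holding pen; dispose per retention policy",
    "stale": "review for disposition",
    "junk": "delete as routine hygiene",
}
# Constructed: files whose owner has left the company (simulated, since
# the demo cannot chown files to a non-existent uid without root).
DEPARTED = {"payroll_2015.csv": "jdoe"}


def owner_name(path, st):
    """Resolve st_uid to a login name; fall back to the numeric uid."""
    try:
        import pwd
        return pwd.getpwuid(st.st_uid).pw_name
    except (ImportError, KeyError):
        return str(st.st_uid)


def demo_owner_of(path, st):
    """Owner lookup for the demo: departed users come from the fake roster."""
    return DEPARTED.get(path.name, owner_name(path, st))


def looks_sensitive(path, sample_bytes=65536):
    """Cheap content check on the first 64 KiB of the file."""
    with open(path, "rb") as fh:
        return SSN_RE.search(fh.read(sample_bytes)) is not None


def scan_share(root, active_owners, now=None, owner_of=owner_name):
    """Return {relative_path: [flags]} for every file that needs attention."""
    now = time.time() if now is None else now
    root = Path(root)
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        flags = []
        if st.st_mode & stat.S_IWOTH:          # anyone can modify
            flags.append("global-write")
        elif st.st_mode & stat.S_IROTH:        # anyone can read
            flags.append("global-read")
        if owner_of(path, st) not in active_owners:
            flags.append("orphaned")
        if (now - st.st_mtime) / 86400 > STALE_DAYS:
            flags.append("stale")
        if path.suffix.lower() in JUNK_SUFFIXES:
            flags.append("junk")
        if looks_sensitive(path):
            flags.append("sensitive")
        if flags:
            report[str(path.relative_to(root))] = flags
    return report


def revoke_global_access(path):
    """The quick-hit fix: strip the 'other' bits; returns the new mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~stat.S_IRWXO)
    return stat.S_IMODE(os.stat(path).st_mode)


def build_demo_share(root):
    """Constructed sample share: (relative path, contents, mode, age in days)."""
    samples = [
        ("hr/payroll_2015.csv", b"name,ssn\nJ Doe,123-45-6789\n", 0o644, 4 * 365),
        ("finance/budget.xlsx", b"not really xlsx", 0o660, 30),
        ("scratch/export.tmp", b"junk", 0o666, 10),
        ("eng/design.md", b"# design notes", 0o640, 5),
    ]
    now = time.time()
    for rel, data, mode, age in samples:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.chmod(p, mode)
        os.utime(p, (now - age * 86400, now - age * 86400))
    return root


def demo():
    """Build the sample share, scan it, print remediation; returns (root, me, report)."""
    root = tempfile.mkdtemp(prefix="share-")
    build_demo_share(root)
    me = owner_name(None, os.stat(root))      # the only active owner in the demo
    report = scan_share(root, active_owners={me}, owner_of=demo_owner_of)
    for rel, flags in report.items():
        print(rel, "->", "; ".join(REMEDIATION[f] for f in flags))
    return root, me, report


if __name__ == "__main__":
    demo()
```

Two design points worth noting. First, the scan separates findings from actions: `scan_share` only reports, and `revoke_global_access` is the one remediation that InfoSec can apply unilaterally, exactly as the post argues; the other lanes need a policy decision before anything is moved or deleted. Second, ownership is injected through `owner_of` so the same scan can be fed from an HR roster or directory export rather than from the uid on disk, which is how orphaned content is actually detected once employees have left.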
In my opinion, organizations that put InfoSec over Information Management are moving in the right direction.
At a recent records management conference, I heard someone remark that Enron was the records industry’s big chance to elevate the discipline, and they missed it. I agree.
We're now at another of those Enron-level moments. We need to protect the customer data that's entrusted to us. When a breach happens (and it will), we need to be able to say that we did everything in our power, via internal policies, processes, procedures, and technology, to protect that data.
Information Management has an opportunity within the InfoSec organization to elevate its discipline. Will it take this opportunity to do so?