As firms face increasing pressure to protect information, they are taking their information governance (IG) programs more seriously and looking for opportunities to strengthen them. In this white paper, we present guidance for improving existing IG programs that aren't yet highly effective.
Taking a Hard Look at the Effectiveness of Your Information Governance Program
Given the increasing number of high-profile breaches over the past few years (Target, Anthem, Sony, Premera, Equifax, the DNC), it’s no surprise that most firms have begun to take information governance (IG) more seriously than they had in the past. And with the advent of stringent, expensive privacy regulations (such as the GDPR, CCPA, and NYCRR 500), firms are having to take a hard look at their IG programs to make sure their programs enable them to comply. And what many firms see when they take this hard look isn’t promising.
We recently completed a survey of privacy and IG professionals in which they assessed the effectiveness of their program and controls (e.g., policies, procedures, etc.). Fewer than 20 percent reported that they were highly effective, with nearly two-thirds reporting that they believe they’re either fairly effective or not effective at all.
A Framework to Improve Your Information Governance Program
In general, Doculabs sees firms struggle with IG effectiveness because they don’t have a solid framework to guide their IG efforts, so they end up doing work that isn’t as productive and valuable as it could be. In this white paper, we’ll step through a framework that Doculabs has seen produce tremendous results for IG programs across firms, regardless of industry. Follow this framework to improve your existing IG program.
At a high level, the framework is organized around a set of questions that drive an honest assessment of a firm’s IG capabilities and guide them in the work they need to do to improve them:
- What business goals are supported by IG?
- What laws, regulations, and industry standards does IG need to address?
- How do our controls need to change to support the laws and regulations IG must address?
- What systems do we have that manage information? Who owns them? What kind of information is on them?
- Is IG part of corporate culture or an afterthought?
Let’s examine each of these in more detail.
What Business Goals Are Supported by IG?
One of the most important steps in running an effective IG program is to clarify the business goals it supports. This may seem strange: after all, isn’t the goal of IG to be compliant? In one sense, yes—IG must foster compliance. But if that’s all IG does (or if it doesn’t articulate the other things it does), it will not only struggle to deliver as much value as possible to the firm, but likely struggle for support (resources, funding, and leadership involvement) as well.
Think about it this way: we all pay our taxes, but aren’t particularly excited about doing so if avoiding IRS fines and penalties is the only value we get (or perceive that we get) from doing so. But if having good schools for our kids, functioning roads, and beautiful parks and recreational facilities are things we value, then we need to pay our taxes (and will feel better about doing so when the payment of taxes is directly connected to the services we get for it).
IG is no different. An effective IG program does make a firm more compliant, but it also increases the findability and accuracy of information, reduces enterprise risk, makes IT more efficient and sustainable, and allows us to better serve our customers and business partners (among other things). All of these are business goals that nearly everyone in a firm, particularly leadership, would be excited to achieve.
So it’s critical to think about how your IG program can impact business goals that are important to your organization and then work to make sure you articulate those impacts and get leadership to agree.
What Laws, Regulations, and Industry Standards Does IG Need to Address?
Like the previous question, this one may seem a bit strange: shouldn’t an IG program already know what laws, regulations, and industry standards it needs to address? It should, but Doculabs has found that at most firms, IG isn’t aware of the total universe of compliance obligations it needs to address. And even when organizations do have a good handle on this, they often don’t have a clear vision of who’s responsible for compliance, who’s accountable for non-compliance, or what work is currently being done to address compliance.
This makes a certain amount of sense because, while IG directly impacts certain categories of compliance (think Records Management), it only indirectly impacts others (think GDPR, HIPAA, OSHA, NIST, etc.) but is nevertheless a key stakeholder. And typically there isn’t a single group with their eye on all the compliance requirements and activities across the organization for information-related laws and regulations.
For this reason, Doculabs recommends that IG programs perform a crosswalk exercise to (1) catalog all the laws and regulations relevant to IG, (2) identify who is responsible, accountable, consulted, and informed for each, and (3) document the work currently being done to address each. While there are software products out there that can help with this (typically referred to as Governance, Risk, and Compliance tools), you can get a lot of value out of simpler and lower-cost methods, like a spreadsheet or Access database.
Long term, particularly at larger, more complex organizations, simpler methods will be difficult to maintain accurately, but in the near-term, simply having a document that captures what compliance obligations IG needs to address, who is involved, and what’s being done will go a long way towards increasing IG effectiveness.
How Do Our Controls Need to Change to Support the Laws and Regulations IG Must Address?
Once your IG program knows what laws and regulations it has to address, the next step is to determine whether the controls you have in place (e.g., policies, procedures, standards, guidelines, etc.) support compliance with each of them. This can be harder than it seems at first glance.
For example, just about every firm has an Information Security policy, and, depending on industry, it will be aimed at complying with laws, regulations, and industry standards for Information Security (for Healthcare, HITECH; for Utilities, NERC-CIP; for Financial Services, FINRA; etc.), but Information Security has a critical role to play in compliance with non-Information Security laws, regulations, and industry standards. It’s difficult to imagine being compliant with consumer data privacy laws, such as the CCPA, without Information Security involvement.
And if they’re going to be involved in any meaningful way, there needs to be policy supporting and directing that involvement. Yet the folks responsible for CCPA compliance are typically not Information Security folks, so the Information Security policy won’t necessarily be suitable to support CCPA compliance. Without strong coordination across functions, it’s a good bet that the Information Security policy won’t reflect what’s needed for CCPA and that Privacy policies either (1) won’t include critical Information Security elements or (2) will include them, but without input from Information Security. Neither of these is optimal.
This example is bad enough, but now multiply it by all the laws, regulations, and industry standards identified in the crosswalk (typically a dozen on the low end, many more on the high end), and then by all the controls in place beyond just policies, and you can see why dedicated effort to assess existing controls against all the compliance obligations is critical to effective IG.
What Systems Do We Have that Manage Information? Who Owns Them? What Kind of Information Is in Them?
Once you have a firm grasp of what compliance obligations IG must address and how well your controls are doing so, the next step is to get a handle on the systems used to manage information and what information they manage. This makes sense: if you don’t know what information you have on what systems, how can you govern it effectively? The answer is that you can’t. However, gaining this knowledge can be daunting at most organizations, for a few reasons:
- Number of systems: Most organizations have roughly 1.5 to 6 (or 7, or 8…) applications per employee. This means thousands—if not tens of thousands—of applications to inventory.
- Bad or absent metadata: Most firms lack a corporate information architecture function, and so their metadata has developed organically (or not at all), which makes it difficult to know what information they have.
- Lack of tools: In a recent Doculabs survey, fewer than 20 percent of respondents reported that their organizations were using tools that aid in application or file analysis (e.g., data loss prevention, file analytics, content classification).
As daunting as creating an application inventory and data map can be, there’s no avoiding them. The best thing is to forget about the enormity of the task and just get started. Having something is better than having nothing, and while you can drive yourself crazy trying to achieve perfection with your application inventory and data map, “pretty good” versions of these artifacts are often nearly as good as perfect (or only marginally less good).
Two Tips for Creating an Application Inventory and Data Map
While directions on exactly how to create an application inventory and data map could take up an entire white paper on its own, here are some tips and tricks to help you get started and make progress:
- Leverage work already done: Look for things like a Configuration Management Database (CMDB), which IT uses to catalog all applications (at least the major ones); the corporate Records Retention Schedule, which most organizations have (although it may be out of date or incomplete); security and access entitlement lists, which typically specify corporate data owners (i.e., the people authorized to grant access to systems) for major applications; and litigation tracking documentation, which lists all active legal matters, typically along with information about custodians, topic areas, business processes, systems involved, and the kinds of information relevant to the litigation.
- Adopt the 80/20 rule: Pick the 20 percent of applications that are the largest or most mission critical and address them; pick the 20 percent of information that poses the greatest IG risk to the organization and start there. Call that phase one and decide later whether you need a phase two, with a better idea of the resources and time required to do so.
Is IG Part of Corporate Culture or an Afterthought?
This question is the least often asked, but the most critical, because if IG is viewed as something employees have to stop their jobs to do, it won’t happen. So, how do you make IG a part of the DNA of your organization? You’ll need to invest heavily in change management, especially training and communication, to (1) raise awareness of IG practices and (2) make IG a transparent part of how folks work every day.
Consider how organizations have changed employee conduct over the years. In the 1960s, most organizations were like Mad Men in terms of the HR approach, with few clear guidelines on acceptable or expected conduct. But starting in the 1970s, as society and regulations were changing, corporate HR functions worked hard to make their concerns part of the way their organizations did business, with the result that today, most of us behave in a business context in full compliance with HR laws, regulations, and industry standards that we’ve likely never read or even know about. HR specialists understand the reasons behind these expectations; almost no one else does, but no matter: the end result is that most employees at most firms behave in ways that meet HR obligations without missing a beat. IG needs to be in the same place, but is currently trapped in the Mad Men era: it’s at best an afterthought, and at worst unknown to most employees.
Although a full treatment of change management is worthy of its own white paper, here are some helpful practices you can start with when addressing change management for IG:
- Create a training and communication stakeholder matrix: List out the key stakeholders affected by IG changes; then list out the key training and communication events that need to happen; then cross-reference the two to determine what collateral (e.g., emails, intranet campaigns, training materials, awareness-raising presentations, etc.) you need to create and when it needs to be delivered.
- Avoid worst practices: Instead of training folks on all the things they should do, train them on the things they absolutely shouldn’t do if IG is to be effective. Usually the result is a shorter, more effective list.
- Communicate in short bursts: Five 12-minute sessions are usually more effective than a single 60-minute session. If you home in on the key things not to do, rather than trying to make everyone IG experts in general, these brief repeated sessions will have a far greater impact.
Although most firms have an IG program in place, as we’ve seen, most are not effective. And while there’s no silver bullet for improving the effectiveness of your IG program, hopefully this white paper has given you some food for thought on how to make IG more effective at your organization.