If you read the news headlines, you know that gaps persist in the way many organizations deal with information security. Often, the gaps are due to an information security program that relies on a one-size-fits-all approach to information risk management, and these organizations rely on information technology (IT) to manage the program, which consists of using tools designed to prevent outsiders from penetrating the internal systems.
Information security requires more than a tool, though; it requires a multi-disciplinary approach to implementing processes and methods that protect information from a variety of internal and external threats. An effective solution can be found in establishing an information governance (IG) framework that will drive all information security practices.
Defining IG
IG is a collaborative approach that helps ensure that information is treated as an asset, leveraged for business purposes, protected in compliance with all internal and external rules and regulations and disposed of according to a legally defensible retention plan. ARMA International defines IG as “a strategic framework composed of standards, processes, roles and metrics that hold organizations and individuals accountable to create, organize, secure, maintain, use and dispose of information in ways that align with and contribute to the organization’s goals.”
Benefiting from IG
Information governance helps to establish and steward the activities for a variety of business technology functions, including:
- Planning and implementing technologies (e.g., an enterprise content management system)
- Developing effective data structures
- Collaborating internally and externally
- Developing business processes and identifying their owners
- Coordinating with information technology to help align business needs with the technology infrastructure
- Applying best practices to drive improvements
Recognizing vulnerabilities
Every cyber villain wants something different. Some are in organized crime groups that hack systems through stealth or brute force attacks to get sensitive personally identifiable information. Others conduct phishing campaigns that target intellectual property, and still others focus on disrupting a website or damaging an organization’s reputation. Each of these threats requires its own means of protection, because each attacks a different vulnerability. Organizations lacking a strategic IG framework are prone to responding to attacks directly and solely with technology solutions. However, taking such a tactical approach of establishing a moat and high walls is not enough, since this type of solution may not thwart inside misuse of information, internal cyber espionage or miscellaneous errors.
Finding the right solution
An information security program must ultimately be driven by an IG strategy. You must first understand where your organization’s content resides, how it is used and how it is managed throughout its life cycle. You cannot protect what you cannot identify. Further, you cannot prioritize the protection of certain content if you don’t understand how often it’s duplicated, how easily it gets scattered and where it might end up—perhaps on a mobile device, a thumb drive or an employee’s personal email account.
Taking a one-size-fits-all approach is typically inefficient as well. For example, is information security money well spent when the same method of high-level security is used to protect, say, engineering schemes and marketing brochures? Since this is a question the IT team members may have little interest in or feel little urgency to answer, it must be addressed properly through an enterprise-wide IG program.
Involving the right functional areas
None of this is to suggest that IT doesn’t want optimal security for the organization’s information. It’s just that the scope of IT’s perspective may be limited to the IT function. For instance, IT can respond to a business unit request to allow an individual access to a certain sensitive system, but when that individual no longer has a business requirement for such access—say, if a human resources manager moves to the marketing team—IT may not know that or think of the implications of such a move. Under an enterprise IG strategy, the business units would know to notify IT of the changing access requirements for that person.
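The scenario above (a manager changes teams and IT is never told that the old access is no longer justified) is the kind of gap a periodic access recertification catches. The following is an added illustration, not code from the article or from ARMA: it compares a constructed HR role feed against a constructed list of access grants and reports every grant the user's current role no longer justifies, grouped by the business unit that originally requested it. The role-to-entitlement policy and all names are assumptions made for the example.

```python
"""Added example: reconcile access grants against current HR roles.

Uses a constructed HR feed, a constructed grant list and an assumed
role->entitlement policy; none of this is the article's own material.
"""
from dataclasses import dataclass

# Assumed policy: the entitlements each job role justifies.
ROLE_ENTITLEMENTS = {
    "hr_manager": {"hris_admin", "payroll_read"},
    "marketing": {"cms_editor", "crm_read"},
    "engineer": {"source_repo", "build_system"},
}


@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    granted_by: str  # business unit that requested the access


# Constructed sample data: alice moved from HR to marketing but kept HR access;
# dave no longer appears in the HR feed at all.
HR_ROLES = {"alice": "marketing", "bob": "engineer", "carol": "hr_manager"}
GRANTS = [
    Grant("alice", "hris_admin", "hr"),        # left over from the old role
    Grant("alice", "payroll_read", "hr"),      # left over from the old role
    Grant("alice", "cms_editor", "marketing"),
    Grant("bob", "source_repo", "engineering"),
    Grant("carol", "hris_admin", "hr"),
    Grant("dave", "source_repo", "engineering"),  # leaver, no HR record
]


def find_stale_grants(hr_roles, grants, policy=ROLE_ENTITLEMENTS):
    """Return (grant, reason) pairs for grants the current role does not justify.

    A grant is stale when the user has no HR record (leaver) or when the
    entitlement lies outside what the user's current role justifies (mover).
    """
    stale = []
    for g in grants:
        role = hr_roles.get(g.user)
        if role is None:
            stale.append((g, "no current HR record (leaver)"))
        elif g.entitlement not in policy.get(role, set()):
            stale.append((g, f"not justified by role '{role}' (mover)"))
    return stale


def recertification_report(hr_roles, grants):
    """Group stale grants by the requesting business unit.

    The unit that asked for the access, not IT alone, is the party that can
    confirm whether it is still needed or should be revoked.
    """
    report = {}
    for g, reason in find_stale_grants(hr_roles, grants):
        report.setdefault(g.granted_by, []).append(
            f"{g.user}:{g.entitlement} -> {reason}"
        )
    return report


if __name__ == "__main__":
    for unit, items in recertification_report(HR_ROLES, GRANTS).items():
        print(unit)
        for line in items:
            print("  " + line)
```

Run on the sample data, the report asks HR to confirm or revoke alice's two leftover HR entitlements and asks engineering about dave's repository access; bob's and carol's grants match their current roles and are not listed. In practice the HR feed and grant list would come from the HRIS and the identity provider, and the policy table would be owned by the business units under the IG program rather than maintained by IT.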
Aligning protection with information value
Not all information should be treated equally, and neither should all threats to it. A proper IG approach to information security will engage multiple departments to safeguard information according to its business value and protection requirements.
Diane Carlisle is the executive director of content for ARMA International, the professional association and the global authority on records and information management (RIM) and thought leader in information governance. For more information, visit www.arma.org.