Image by: stevanovicigor, ©2016 Getty Images
I spoke at the ISACA Houston Chapter's Cyber Security Conference this week on the elements of a successful enterprise information management program for information technology (IT) auditors. There are elements of the organization’s information governance program that auditors should pay attention to when testing the efficacy of the program, the information management solution, and the controls that should be in place.
Information governance is a business issue, and organizations should have an effective information governance strategy, which aligns with their corporate risk management strategy, to leverage and protect information assets, accomplish broader business goals, and reduce the organization’s overall risk profile. In fact, having a robust and effective information governance program will significantly improve the organization’s risk profile. IT auditors are tasked with ensuring that these initiatives to manage information risk and overall enterprise risk are effective and that there are adequate controls in place.
How information risk contributes to enterprise risk
Most organizations think of data breaches or cyberattacks when they think of information-related risks, but these are just a couple of the many risks that companies must consider. Typically, organizations respond by focusing their resources on the latest threat until another information-related risk pops up—almost like a game of whack-a-mole. This approach can actually lead to greater risks by ignoring other risk factors while focusing on the most current issue.
Information-related risks that contribute to enterprise risk include:
- Inability to respond to regulatory requirements completely and consistently
- E-discovery-related risks, such as noncustodial data sources missed in legal hold execution, resulting in potentially relevant information inadvertently modified or deleted, or material issues of dispute that are poorly understood until well after the strategy is established and expenses incurred, along with excessive data (redundant, obsolete, trivial), causing litigation costs to exceed value of dispute
- Excessive data, considered redundant, obsolete, trivial (ROT), contributes to potential personally identifiable information (PII) breach exposure
- Leaks of sensitive data, including intellectual property (IP) and PII, can result in reputational risk and fines and/or costs
- Business decisions made on missing information or poor quality information can result in ineffective or faulty decisions and can increase safety and operational risks
- The type of data maintained in IT systems, which is poorly understood, can lead to incomplete or incorrect application of retention, disposition, preservation, privacy, and collection policies
- Poor understanding of data held in legacy systems prevents IT from appropriate disposal of data and decommissioning systems, causing significant and unnecessary costs and risks
Without a robust information governance program and a useful way to measure its effectiveness, an organization can be exposed to significant information risks, which contribute to overall enterprise risk. Auditors, program managers, and organization leaders alike should focus on the following areas. Thinking about the program from an auditor’s perspective can be a healthy exercise when evaluating opportunities for improvement to your information management program.
1. Policies should define and reinforce behaviors necessary for effective information management. Effective policies should be clear and concise. Clarity and simplicity are key. If the information management policy is more than two to three pages, then nobody will read it.
Auditors need to review policies and make sure they are clear and unambiguous. They need to see if the policy is explicit about not only what people should do but also what they are prohibited from doing (e.g., employees are prohibited from using consumer file sharing applications, like Dropbox, OneDrive, etc.).
All policies and best practices should be reviewed with staff upon joining the organization and refreshed annually. I strongly believe that coaching should be provided to make sure the correct behaviors are demonstrated and reinforced. In-person training with questions and answers are best. Make sure the training includes example scenarios and use cases so they can see the policy in action.
2. A robust program includes an Information Governance Council. Leaders of the business should assign delegates to actively participate on the Council. If information is the new currency, then we should apply the same rigor to information governance as we do to managing money. Companies have financial audit committees. From an audit perspective, does the Council meet regularly? Are there minutes? Who is assigned to track the action items that come from the meetings?
3. Awareness and communications are crucial to educating stakeholders. In one of my previous articles, "What Does Culture Have to Do With Information Management?," I talked about the elements needed to create a culture of information management excellence. Technology is important, but people and their behaviors are the single biggest factors for a successful program. By establishing quarterly briefings, you can inform and enlist their help. Brief them on what is working well and areas of needed improvement. These briefings are a great opportunity to identify ways they can help improve the effectiveness of the program for their teams. From an auditor’s perspective, is this level of communication and cooperation happening in the organization?
4. Process and procedures are essential to driving consistency and compliance with the organization’s policies. Is there a well-defined process for onboarding new datasets? To me, this is one of the critical procedures that needs to be defined and one that everyone needs to briefed and trained on. This prevents the “digital landfill” effect and will install the rigor required to make sure the data quality remains high and the information delivers on the value it should. This is something to look at during an audit. How are the processes documented? Are they reviewed regularly? What controls are in place? How are the controls tested? Finally, who is responsible for remediating a process or procedure if the test of a control fails?
5. What about the cloud? Most of what I discussed above is the same for the cloud. There is little difference, though the following are some things to watch out for:
Auditors need to review policies and make sure they are clear and unambiguous. They need to see if the policy is explicit about not only what people should do but also what they are prohibited from doing (e.g., employees are prohibited from using consumer file sharing applications, like Dropbox, OneDrive, etc.).
All policies and best practices should be reviewed with staff upon joining the organization and refreshed annually. I strongly believe that coaching should be provided to make sure the correct behaviors are demonstrated and reinforced. In-person training with questions and answers are best. Make sure the training includes example scenarios and use cases so they can see the policy in action.
2. A robust program includes an Information Governance Council. Leaders of the business should assign delegates to actively participate on the Council. If information is the new currency, then we should apply the same rigor to information governance as we do to managing money. Companies have financial audit committees. From an audit perspective, does the Council meet regularly? Are there minutes? Who is assigned to track the action items that come from the meetings?
3. Awareness and communications are crucial to educating stakeholders. In one of my previous articles, "What Does Culture Have to Do With Information Management?," I talked about the elements needed to create a culture of information management excellence. Technology is important, but people and their behaviors are the single biggest factors for a successful program. By establishing quarterly briefings, you can inform and enlist their help. Brief them on what is working well and areas of needed improvement. These briefings are a great opportunity to identify ways they can help improve the effectiveness of the program for their teams. From an auditor’s perspective, is this level of communication and cooperation happening in the organization?
4. Process and procedures are essential to driving consistency and compliance with the organization’s policies. Is there a well-defined process for onboarding new datasets? To me, this is one of the critical procedures that needs to be defined and one that everyone needs to briefed and trained on. This prevents the “digital landfill” effect and will install the rigor required to make sure the data quality remains high and the information delivers on the value it should. This is something to look at during an audit. How are the processes documented? Are they reviewed regularly? What controls are in place? How are the controls tested? Finally, who is responsible for remediating a process or procedure if the test of a control fails?
5. What about the cloud? Most of what I discussed above is the same for the cloud. There is little difference, though the following are some things to watch out for:
- Make sure the digital security team has conducted the necessary reviews and penetration tests, etc. to vet the selected vendor and their ability to meet the organization's cybersecurity requirements.
- As you look at cloud solutions, make sure that legal and the data privacy people are involved and that considerations regarding where data can and cannot reside have been reviewed. Some countries do not let data leave the geography, like Indonesia and some African countries.
- Make sure legal has made a determination regarding how legal holds and e-discovery collection will be handled in the cloud environment.
- Make sure that contracts with cloud vendors have been reviewed and provide the protections needed based on the above items.
What if I am not an auditor?
This article is for everyone, not just IT auditors. Taking on the persona of an auditor and thinking into the ways they will measure the effectiveness of the information management program not only helps you prepare if your program is selected for an audit, but it can also help you make the program more robust and effective. Try selecting someone on your team or a peer in the organization to partner with and really think about looking at your program through an auditor’s eyes. You will be glad you did.
Russell Stalters is the founder of Clear Path Solutions Inc., author of gettinginformationdone.com and is a recognized information and data management expert. Previously, he was the director of information and data management and chief architect for BP’s Gulf Coast Restoration Organization. Follow him on Twitter @russellstalters.
