As businesses today strive to develop a strong, secure framework for information governance, the first thing they must do is gain a comprehensive understanding of their existing information landscape and inventory all of their current data-generating systems—everything accessed and managed by employees to store vital company data.
To achieve better information governance and compliant records management, an organization should collect data, develop an information security risk classification, and establish mapping criteria, which are then used to appraise systems and repositories throughout the enterprise. Completing these steps helps any organization form a current-state inventory of its information systems.
As is the case with any assessment activity, the best approach is a consistent one, where a repeated methodology builds confidence and defensibility of actions and decisions. The following steps are a good starting point for the security and privacy data mapping exercises:
- Planning and Management: By establishing the parameters, scope, and fields for data mapping, an enterprise can determine key stakeholders, goals, and dates, and identify and mobilize the critical criteria.
- Information Gathering: Identifying existing data inventories of currently managed systems requires everything from collating data from stakeholders about data repositories to investigating how data is archived, including the involvement of third-party entities.
- Draft Map Development: Defining data inventory templates and system criteria, as well as validating criteria with internal teams, helps to finalize the data inventory template—a key step in identifying high-value, high-risk data across the enterprise, as well as evaluating remediation steps.
- Final Map Deployment: When the data map is finalized based on the findings of all the information-gathering exercises, high-level steps can be outlined, giving the opportunity to validate key operational processes with stakeholders.
Generating a data map, or heat map, of where critical information resides begins with a definition of the critical data and an understanding of what categories of attributes are needed in order to describe the security risk posed to the organization. Areas to consider in the generation of the data map include technology, process, and governance.
Technology assessment criteria include identifying systems that are storing knowledge assets, user access governance, and records and data metrics. Process criteria include a review of information governance processes, the identification of procedural and compliance gaps, as well as opportunities for improvement and efficiencies regarding information creation and security application.
Governance covers the people aspects: setting up and managing the policies and standards for registering future systems and documenting their information security and privacy risks up front, as well as the change management involved in defining this initial classification and the list of assets and where they are stored.
Once the groundwork and data collection are complete, the information gathered may be used to define a data inventory template and system criteria for the future assessment of security and privacy risks. Information-generating and information-managing systems may then be listed and scored against the security and privacy risks they hold.
The volume of an organization's intellectual property, technical knowledge, and competitive intelligence (its knowledge assets), together with the number of information systems that store these critical knowledge assets, is growing substantially year over year.
As a result, the nature, location, and stewardship of critical information are not well known, and this introduces risks to the organization in terms of the information's security and the ability of the enterprise to protect its records and data while making them available to those who need them. Tackling these risks head-on reinforces a company's commitment to developing a strong information governance framework that will secure its knowledge assets and systems.