
Creating Order in World of Data Chaos

Jose Tabuena | November 11, 2014

Companies are drowning in data.

Most large companies have experienced a massive increase in the volume of documents, both paper and electronic, created and received during the ordinary course of business. Among this clutter resides sensitive information that requires systematic identification, security, and disposal; companies that stumble in this effort face penalties and loss of reputation. The unfettered stockpiling of data also creates legal discovery demands, where the volume of information directly drives up the cost of discovery.

Companies maintain data in file shares, SharePoint, records management repositories, e-mail environments, backup systems—the list goes on, particularly with data warehousing and the advent of Big Data initiatives. The same exact piece of data may exist in several different locations within the enterprise. Companies suffer from a “don’t delete anything” culture, where employees save everything on desktops or file shares well past any required record retention period or beyond any remaining business value.

Despite this glut of documents and data, most companies do a poor job of identifying, classifying, securing and disposing of e-mail, files, and other electronic information. Legal, audit, and compliance teams seek access to, and replication of, this information for various regulatory investigations, formal audits, and litigation matters, and the burden of this task is compounded by both the volume and complexity of the information sources.

There is a further misconception that more data is equivalent to extra expense, which is largely based on the experience of implementing systems ad hoc over time to control more and different types of data. But it is the complexity of information governance systems, and not the amount of data stored by those systems, that increases costs for compliance and audit teams as well as for operational units. More separate systems for managing data mean slower search times, the inability to search from one central location, and costs associated with logistics, such as importing and exporting data.

What Is Information Governance?

According to the Information Governance Initiative, a cross-disciplinary consortium advancing the adoption of information governance practices and technologies, information governance is “the activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.” It includes the processes, roles, and policies that ensure the effective and efficient use of information in enabling an organization to achieve its goals. Information governance combines traditional records and information management with activities involving e-Discovery, privacy protection, data storage and security, defensible disposition, and business productivity. Thus IG seeks to institutionalize cross-functional initiatives that help companies manage, retain, and secure their stores of information, and make access to and disposal of that information more efficient.


The Information Governance Initiative goes so far as to recommend that organizations with complex information environments appoint a chief information governance officer. Some leading organizations are already developing the role. The CIGO is intended to provide a coordinating function, balancing stakeholder interests from each facet of IG and developing an operational model for the organization. The CIGO does not replace or subsume complementary offices, such as chief privacy officer or chief data officer.

The IGI reports that the activities that should be coordinated by an IG program include information security, data governance, risk management, and privacy. Companies that adopt an information governance program can expect the following benefits from an audit and compliance perspective:

  • Enabling compliance. The ability to apply retention policies as appropriate and remove what is not needed to promote compliance with pertinent legal and regulatory mandates, and professional criteria such as those spelled out in FRCP, HIPAA, ISO, FIP, PCI-DSS, as well as requirements under global standards and specific U.S. state privacy laws.
  • Protecting sensitive information. With guidelines for proper management, it becomes more manageable to identify what specific data elements must be protected, such as personally identifiable information, trade secrets, and other types of company-sensitive data.
  • Optimizing e-Discovery. Capabilities for asserting control over information before the next legal action, and the ability to establish repeatable and predictable legal hold processes to minimize business disruption.

Know Where Your Data Resides

To tackle the issue of comprehensive information governance, it is useful to map out and account for all existing systems in which company data exist and may already be managed. Those who have participated in such an exercise know full well how tedious and difficult it can be. Yet to have effective information governance, and to enable monitoring systems and robust audit capabilities, a comprehensive and current data map is necessary. Many organizations may have separate data maps for discovery or privacy developed by internal audit and compliance that are difficult to maintain with continually changing IT environments.

A data map is an inventory of the data sources that tells you what you have, where it is, and who is responsible for managing it. Another approach for the auditor and privacy professional is to have a well-designed, jointly-managed data map that captures metadata for a number of business and regulatory drivers. This would be centrally managed and updated by a number of groups, making it both more accurate and easier to maintain.

It is essential to consider more “informal” data types, such as instant messaging and social media posts. Do these data types have their own repository or system where they are managed? Another step is to identify possible overlap between the various systems. Overlap in function can create duplicate data sets, making it more difficult to manage and find the data. To address overlapping systems, business units must ultimately decide (with audit and compliance input) which system will be the “master” system for the purpose of invoking data retention policies.

Identifying the business units that have primary control over each information management tool is crucial to resolving such issues. Compliance, legal, records management, and IT all play a role in untangling the web. Identifying who controls the various information management systems is as important as understanding how these systems are accessed when information needs to be located for litigation purposes.

All data types need to be assigned a retention period that reflects applicable rules, regulations, or relevant law. For data types that do not have a retention period mandated by law, or by other business or industry standards, there needs to be a practical retention period that the business chooses and consistently enforces via its information governance system. Defensible lifecycle management will help avoid potential penalties, such as spoliation sanctions.

For the compliance and legal teams, knowing exactly what you have in terms of data—even if it is unfavorable to the company—is preferable to possessing unknown information that might be used against you during future litigation. The more you know about your data landscape, the more likely you are to discover a “smoking gun” that makes settlement the clear course of action. It is preferable to know how the evidence stacks up prior to spending unnecessary time and effort on protracted litigation.

Policy and Process Updating

Many records management, privacy, discovery, and other information governance-related policies that were originally created in a paper-centric world may need to be updated. With emerging technologies and nascent legal and regulatory requirements for retention and privacy, updated policies are often needed.

Many older policies, for example, may need to be updated to reflect a media-agnostic approach that does not classify e-mail as a record type, but rather recognizes that electronic messaging is a medium that contains records and non-records. Many employees don’t realize that there really isn’t a retention requirement for e-mails, per se, but that preservation is dependent on the nature of the content including attachments and metadata. Additionally, many organizations have been updating their policies to synchronize the practices for securing records and maintaining privacy or confidential information.

Internal auditors can facilitate the policy-update process to better harmonize management of both records and content that has business value. Updating your policy is an opportunity to build a consensus with the business units on what should not be saved and what should.

Internal audit and compliance can play a vital role by utilizing their in-house knowledge and seeking out the right stakeholders for crafting a problem-specific and action-oriented IG initiative. The effort, expense, and time required to drive a successful information governance program is much less than the aggregate effort of current piecemeal approaches. With a strong foundation built on identifying and integrating key data points, an organization is better able to ensure regulatory compliance while being able to exploit the value of its warehouse of information.