
5 Best Practices for Information Governance and Risk Management

In organizations around the world—whether they are multinational corporations, public sector, not-for-profits, or small businesses—almost every employee is now a content contributor. Social, mobile, and cloud technologies have made it easier than ever to share information both in and out of the organization. This influx of new content, however, brings about new risks. Legal systems and government regulators worldwide are clamping down and demanding greater compliance—particularly on IT systems—requiring that organizations quickly implement risk management protocols. Data is growing too fast to keep up, which creates both great opportunity and risk for all organizations.

In light of new data breach laws with penalties of up to four percent of global annual revenue, the rise of the Internet of Things (IoT), big data, and the cloud, companies are being forced to rethink their traditional siloed and perimeter-based security strategies and adopt multifunctional, layered technologies. So how do you balance the business benefit of the free flow of information with the risk of inappropriate access and/or disclosure? Enterprise organizations must be vigilant in creating enforceable policies, training programs, and automated controls that prevent inappropriate access to sensitive data and monitor its use and protection, whether or not that data is subject to regulation. Doing so will not only mitigate the risk of regulatory and statutory penalties and consequences, but will also help prevent an unnecessary erosion of employee or consumer confidence in the organization as the result of a breach or the loss of sensitive data.

Security is ultimately about mitigating risk at some cost. In the absence of metrics, however, we tend to focus on the risks that are familiar or recent. That makes us reactive rather than proactive, so it becomes important to understand how data, people, and location create patterns—both good and bad—across your organization. The center, or “pivot point,” of that strategy should be the data that you hold.

Understanding Data Lifecycle Management

Whether data is generated by your organization or collected from a third party (such as a customer, vendor, or partner), the only way you can effectively protect it is by understanding it. For instance, does it contain customer information, employee information, intellectual property, sensitive communications, personally identifiable information, health information, or financial data?

Data without controls can create operational, privacy, and security gaps that put company assets at risk. Once you know what it is, where it is, who can access it, and who has accessed it, you can then make decisions about where it should live. Data in a highly secure system may need fewer controls than data located in a cloud environment or on a broadly available corporate intranet or website. Data sovereignty rules also dictate what controls are needed—including what should be kept on premises and what can go to the cloud—to ensure data is located in the right place.

Implementing a Best Practice Approach

Depending on the way you govern it, data can be a valuable asset like gold or it can become toxic like asbestos. A true best practice approach requires a sustainable ecosystem where you derive value from the data you hold and at the same time protect company assets.

1. Contemplate how data is created or collected by your company. You should think about excessive collection as well as how you will provide notice to individuals about that collection and appropriate levels of choice. You should also understand whether you need to keep appropriate records of that collection and creation.

2. Think about how you are going to use and maintain this data. Here you should consider inappropriate access, ensure that the data subjects’ choices are properly honored, address concerns around a potential new use or even misuse, consider how to address concerns around breach, and also ensure that you are properly retaining the data for records management purposes.

3. Consider who is going to share this data, and with whom they are going to share it. You should consider data sovereignty requirements and cross-border restrictions along with inappropriate, unauthorized, or excessive sharing.

4. All data must have an appropriate disposition. You should only keep data for as long as you are required to do so for records management, statutory, regulatory, or compliance requirements. You should ensure you are not inadvertently disposing of data while understanding that as long as you store sensitive information you run the risk of breach.

5. Understand the difference between what can and what should be shared. A good program must continually assess and review who needs access to what types of information. Privacy and security teams should work with their IT counterparts to automate controls around enterprise systems so that it is easier for employees to do the right thing than the wrong thing, or to simply neglect the consequences of their actions. Once you’ve implemented your plan, be sure that you maintain regular and ongoing assessments.
