
5 Best Practices for Information Governance and Risk Management

Privacy and Security by Design and by Default

Traditionally, there has been a perception that privacy is where “IT goes to die” and that security “leads with no.” Whether deserved or not, that reputation is not an effective way to build a collaborative team. Instead, security and privacy officers, together with general counsel, should take the steps to “bake privacy in” as a fundamental ingredient and a foundational tenet of their development lifecycles. Privacy must be embedded in every step of the process, from the whiteboard stage of a new IT project, program, system, or campaign through the design, development, quality assurance, and release of that same system.

Consider using automation to let your colleagues request a Privacy Impact Assessment (PIA) of the systems they plan to build and deploy. This lets the privacy team give them a reasonable estimate and timeline, and early involvement saves the project from last-minute design changes or decisions made with the launch clock ticking. Making it easier for employees to do their jobs successfully while creating a “culture of compliance” requires a risk-based approach to implementing a data protection program. That program often starts with the legal and compliance team and ends with the Chief Information Security Officer (CISO), but it needs to focus on a day in the life of the everyday business user.

Trust-and-Verify Approach to Compliance

Many organizations have data governance policies that are theoretical rather than operational: a corporate policy exists but is unenforced, or is left to business users to implement. A trust-driven system raises key questions that need to be verified:

  • Is data being properly tagged?
  • Are inappropriate discussions happening?
  • Is sensitive or confidential information being shared?
  • Are privacy and compliance policies being circumvented, either deliberately or inadvertently?

Building a more secure environment while making it easier for employees to do their jobs means privacy and security controls cannot be limited to annual training sessions. It takes a culture of compliance, supported by technology systems, in which it is easier for employees to do the right thing than to do the wrong thing. Companies must also run a transparent security organization, so that employees are not tempted to work around security.

Discovery and Classification

Many companies worry about “dark data”: data that exists across their enterprise systems (file shares, SharePoint, social systems, and other enterprise collaboration systems and networks) and is not properly understood. Knowing what this data is and where it lives, and classifying it properly, allows organizations to put the appropriate level of protection in place. Many companies instead apply their security controls in broad terms, using the same procedures for everything. But do pictures from the company picnic need the same security protocols as your customer’s critical infrastructure design or build information, credit card information, or your employees’ benefits information?

Data discovery allows you to determine the origin and relevance of the data you hold and to set its retention schedule, and it leaves you better equipped to implement Data Loss Prevention in a tactical way. Data-aware security policies let organizations build a more layered approach to security, prioritizing where effort (and cost) is spent and building multiple lines of defense. They also let you manage the life cycle of data within your company, from creation or collection through retention, archiving, and defensible destruction. You cannot block everything from leaving your company any more than you should encrypt every document you have; when security blocks productivity, employees find a way around it. The job of security is to help the business use data productively and securely.
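The discovery-and-classification idea above, as an added example that is not AvePoint’s code or part of the original article: a small pass over a constructed set of documents that labels each one and maps the label to a set of controls, so that a picnic photo and a card-on-file record end up under different protection. Card numbers are confirmed with a Luhn check so that a 16-digit order reference is not misclassified as payment data; the keyword rules, control names, and sample documents are all hypothetical stand-ins for what a real classifier and policy engine would carry.

```python
"""Added example: data discovery and classification over constructed sample
documents, with data-aware controls chosen per label (not AvePoint's code)."""
import re
from typing import Dict, List, Tuple

# Sensitivity levels, most to least sensitive; a document gets the highest hit.
LEVELS = ("Restricted", "Confidential", "Internal", "Public")

# Candidate payment card numbers: 13-19 digits, optional space/dash separators.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Hypothetical keyword rules standing in for real content classifiers.
KEYWORDS: Dict[str, Tuple[str, ...]] = {
    "Confidential": ("infrastructure design", "benefits enrollment", "salary"),
    "Public": ("company picnic", "press release"),
}

# Hypothetical data-aware controls: protection follows the label, not the
# location of the file.
CONTROLS: Dict[str, Tuple[str, ...]] = {
    "Restricted": ("encrypt at rest", "block external sharing", "quarterly access review"),
    "Confidential": ("restrict to named groups", "block external sharing"),
    "Internal": ("authenticated users only",),
    "Public": (),
}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return normalised card numbers that both look like a PAN and pass Luhn.

    Digit runs that fail Luhn (order numbers, ticket IDs) are dropped, which
    is what keeps the false-positive rate of a DLP rule tolerable."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def classify(text: str) -> str:
    """Label one document; payment data wins, then keyword rules, else Internal."""
    if find_pans(text):
        return "Restricted"
    lowered = text.lower()
    for level in ("Confidential", "Public"):
        if any(k in lowered for k in KEYWORDS[level]):
            return level
    return "Internal"


def controls_for(label: str) -> Tuple[str, ...]:
    return CONTROLS[label]


def classify_corpus(docs: Dict[str, str]) -> Dict[str, str]:
    return {name: classify(body) for name, body in docs.items()}


# Constructed sample documents; the card number is the standard 4111... test
# value, and the order reference differs from it only in the check digit.
SAMPLE_DOCS = {
    "picnic-photos.txt": "Photos from the company picnic, shared with all staff.",
    "order-confirmation.txt": "Order ref 4111 1111 1111 1112 shipped to the Denver warehouse.",
    "card-on-file.txt": "Customer card on file: 4111-1111-1111-1111, exp 12/26.",
    "hr-form.txt": "Employee benefits enrollment form, 2024 plan year.",
    "substation-drawing.txt": "Customer substation infrastructure design, revision C.",
}

if __name__ == "__main__":
    for name, label in classify_corpus(SAMPLE_DOCS).items():
        controls = ", ".join(controls_for(label)) or "no extra controls"
        print(f"{name:26} {label:13} {controls}")
```

Run as a script, the five documents land in four different labels, and only the card-on-file record picks up the encryption and access-review controls; the order confirmation, which contains a 16-digit number that fails Luhn, stays Internal.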

Data-Centric Audit and Protection

Understanding and controlling data flows is a critical component of an effective rollout of information management strategies. Key components of an effective methodology should include:

  • Data inventories that help customers understand where their sensitive data resides
  • Classification on structured and unstructured data to ensure sensitive data is clearly identified
  • Governance policies that protect the use of sensitive information by applying data sovereignty requirements, permissions management, encryption, and other data protection techniques
  • Incident remediation and response for sensitive data breaches when they occur

Report and Audit

Identifying potential risks within your information is just the first step. Take action to resolve issues quickly and efficiently with security-trimmed, pre-prioritized reports that guide your content owners and compliance teams to the most critical violations. Privacy and security risk management intersect with the other data lifecycle management programs in your company; combining these related areas lets you optimize resources while mitigating risk around digital assets, supporting responsible, ethical, and lawful collection, use, sharing, maintenance, and disposition of information.

To learn more about AvePoint Compliance Solutions, visit our site at www.avepoint.com/solutions/compliance.


AvePoint is the Microsoft Cloud expert. Over 15,000 companies and 5 million cloud users worldwide trust AvePoint to migrate, manage, and protect their Office 365 and SharePoint data.
