Build-in Information Governance
The IT Strategist’s Guide to Transforming ECM
Too much content with too few controls is a real liability. This habit looks at how to embed Information Governance into your ECM system and content-driven processes.
Information Governance is all about taking control of business information—not just your unstructured digital content, but also structured data and paper documents. It encompasses the policies, procedures, and technologies that determine how your organization manages, secures, uses, retains, and disposes of this information.
Why is Information Governance important?
A robust Information Governance program helps your organization comply with laws and regulations, safeguard its data and reputation, and respond efficiently to eDiscovery or Freedom of Information Act (FOIA/FOI) requests. It also prevents information overload by keeping only the most valuable content.
What’s the urgency?
Organizations face ever-growing compliance obligations, like the new General Data Protection Regulation (GDPR) in the EU and the new NYDFS Cybersecurity Regulation (23 NYCRR Part 500) in the U.S. High-profile hacks, leaks, and data breaches (Equifax, Sony, US Office of Management and Budget, and Yahoo) amplify security risks. And the explosive growth in the volume and variety of content isn’t going to stop.
But we’ve already got a records management system
Records management is just one part of a broader Information Governance program. You also need to consider issues like data security and eDiscovery.
Plus, many companies have struggled with legacy records management systems due to low user adoption and a bolt-on approach. Distributed content stores, mobile working, and the use of unsanctioned file-sharing sites add to the challenge of managing records in a consistent, compliant way.
Information Governance requires a holistic approach that can include people from legal, finance, corporate risk, HR, IT and lines of business. As experts in using technology to meet business objectives, enterprise architects are well placed to strengthen it.
Here’s how some of the most forward-looking companies use technology to build an effective Information Governance program:
• Intelligent Classification. Solutions with this capability use a business rules engine to automatically declare a record, populate its metadata, and file it in the right place. Records management can be integrated seamlessly into any workflow. It’s effortless for users and eliminates haphazard, error-prone manual processes.
• Auto-Classification Engines. These solutions use machine learning and analytics to automate content classification at scale. They discover and tag sensitive or compliance-related data (like personally identifiable information, or PII) in terabytes of unstructured content—a must for complying with regulations like GDPR or 23 NYCRR 500.
Manage Records Holistically
A strong information governance program requires a unified records management strategy. That means giving records managers the ability to apply standard policies and classification schemes to content stored in disparate applications and locations. A central hub for records management provides maximum flexibility for both the business and IT, with the ability to manage records in place, in a centralized repository, or both.
Build in Extra Controls
Extra security controls are needed to comply with today’s increasingly strict data protection regulations. Look for features that allow the business to limit which content people can see and what they can do with it. These safeguards go well beyond basic access control lists and permissions to include capabilities like:
• Security marks that identify content as having sensitive information (such as PII)
• Security classifications (top secret, secret, etc.) that travel with a file
• Roles that control the actions individuals can take with a file
• Encryption of content in transit and at rest
And while compliance is one thing, demonstrating it is another. Audit logs that detail the complete lifecycle of governed content can help you show compliance with confidence.
Future-Proof Your Solution
Information Governance isn’t a set-it-and-forget-it program. The technologies you implement need to be flexible enough to support new compliance and business demands—because they’re coming. Here are some features that will future-proof your solution:
• Open architecture so that records remain readable and accessible over time
• Connectors to a wide range of systems to support an evolving software environment
• Cloud-ready to enable durable, low-cost storage on a modern platform
• Ability to manage multiple file types, including video, email, and social media
• Ability to handle explosive growth in content
• Certified or aligned to leading industry standards like DoD 5015.02 and ISO 15489
Improved regulatory or legal compliance is the top driver for ECM investment in 2017, according to research from Forrester. Here are a few of the new regulations that have organizations scrambling to upgrade their Information Governance capabilities. Which apply to you?
| ||23 NYCRR Part 500||GDPR||NARA 2019|
|Description||Set of cybersecurity requirements intended to protect customer data and information systems||Set of data protection laws that cover the management, use, and security of personal data||Mandate to manage all permanent records in electronic format|
|Applies to||Financial services firms that operate in New York state||Companies around the world that hold personal data on EU citizens||U.S. federal agencies|
|Enforcement Date||August 28, 2017||May 25, 2018||December 31, 2019|
|What's at Stake||Fines, imprisonment, and possible shut down of an organization’s business in New York state||Fines of up to 4% of annual global revenue in event of a security breach||An opportunity to modernize government operations|
|Good to Know||Sets a new high watermark for compliance with specific requirements and teeth behind it; expected to have a ripple effect in other U.S. states||GDPR applies in the UK even with BREXIT; only 23% of companies feel they are fully prepared for 2018 deadline||Technologies used to meet the 2016 mandate for managing email records won’t cut it|