Showing posts with label Information Governance. Show all posts

Tuesday, November 29, 2022

E-Discovery and Information Governance

More and more companies are operating throughout the world, so the impact of differing requirements for e-discovery is increasing, especially those relating to privacy. The rules tend to be much more rigorous outside the United States, particularly in the European Union.

Europe has adopted the General Data Protection Regulation (GDPR), which was promulgated in April 2016 with a two-year implementation timeframe. It regulates the manner in which data can be collected and moved across international borders. The regulation makes an e-discovery company or law firm responsible for any compliance failure. If there is a breach, the data handling entity can be held liable for up to 4% of its gross revenues worldwide, whether the breach was intentional or not.

A number of other trends are occurring in international litigation that are having an effect on e-discovery. Litigation is beginning to be seen as a business strategy in Asia as evidenced by the aggressive litigation some Korean electronics companies are taking with regard to protecting their IP. Those companies are seeing the potential benefits of using litigation as a method to protect or monetize their IP, which results in greater requirements for e-discovery.

Other factors are also driving the demand for e-discovery. The United States was the first country to carry out antitrust investigations that reached beyond its borders, and there is a domino effect with other countries now doing the same thing. These government investigations are often followed by class action lawsuits, creating additional challenges for the multinational companies.

The international nature of that litigation also creates more issues with respect to moving data across borders. Therefore, it is all the more important for companies to be aware of local laws and customs regarding privacy.

One question raised by the proliferation of data is whether it will become a more frequent target of e-discovery.

Potential issues abound including whether personally identifiable information (PII) is involved. Most information is stored in structured databases and it could be used in litigation to make a claim that an individual was doing something at a certain time. The information may or may not be encrypted; it could also involve health data from wearable devices, for example, that could be considered PII. Organizations may need to take a step back and think about who the custodian is, whether the data could be part of e-discovery and whether it is being appropriately protected.

Moving to the cloud

Every organization has information stored across a multitude of systems, computers, shared drives, repositories, and now a lot of this information is moving to the cloud. This is going to require a new approach and new technologies in order to address the challenges arising from the growing volume and format of information being generated.

Managing cloud-based content may be new to an organization, and as a result there might be uncertainty about the risks involved and the various approaches to mitigating them.

Most cloud repositories lack information governance. This means that an appropriate architecture and supporting processes have to be put in place to ensure that content is properly governed and managed. By joining a cloud-enabled information governance platform with those cloud content repositories, an organization will be able to make those cloud-based repositories compliant with e-discovery requirements.

SaaS-based delivery models for e-discovery are becoming more prevalent. The move to Office 365 is another part of this equation. With more data in the cloud, it makes sense to have cloud-based e-discovery solutions. The established benefits of SaaS delivery such as scalability, faster release of new features and simpler interfaces apply to e-discovery as well.

SaaS delivery also offers simpler inclusive cost models and, in general, lower costs than on-premise and legacy hosted products. 

Information governance should be deployable within a traditional IT infrastructure, a cloud-based environment, or a hybrid of traditional and cloud infrastructure. Information governance is rapidly moving toward an enterprise service model that enables organizations to deploy shared services across a complex IT infrastructure, eliminates dependence on users, and enables uniform governance across all applications and systems.

In order to remain competitive and contain costs, organizations must consider information governance as a service. Technologies with a flexible central policy engine capable of managing the challenges of complex, federated governance environments are going to be the ones that enable organizations to make the most strategic use of information. These technologies have an enforcement model that is not tied to a specific store or repository but leverages standards to enable automatic enforcement across all systems, repositories, applications, and platforms.

Tuesday, August 30, 2022

Importance of Information Governance

The fact is that most people will either embrace or decline information governance depending on their individual situation at a certain point in time. Information governance is closely allied with privacy and security. Knowledge is an internal currency that needs to be managed wisely, which is where a governance procedure is helpful.

It is entirely possible that someone might curse a rule as arbitrary while simultaneously recognizing the necessity of it from a security standpoint. Someone else could easily applaud relevant search results without actually realizing the role information governance played in facilitating that relevance. And there’s always “that guy” who complains regardless of whether the complaint is justified.

Information governance is an important and necessary component of modern organizations’ information infrastructure. It is our job, as information specialists and knowledge managers, to combat any negativity about information governance within our organizations and to manage expectations. Information governance is an integral part of both information technology and knowledge management. Together, they bring information governance forward onto that center stage.

With almost everyone in an organization contributing content, the role of information governance is ever more critical. Information governance is hardly an impediment to productivity; it’s actually a productivity enhancer. Risk management in the form of information governance, data security processes, and legal compliance stands center stage for organizations of all sizes and types.

Information governance is not just a good idea, created by computer geeks or imposed by legal departments. It is tied to international legislation about privacy and that affects all organizations, whether they are involved in international trade or not. 

Companies should be looking at information governance not in reaction to legislation but as an opportunity to reflect on what is good information life cycle management. 

Take archiving, for example. If data is archived in five different places, your potential exposure is multiplied by five. It’s also harder to determine which version is the most current and the most authoritative. Whether protecting your data comes first or having a streamlined archival system comes first is a chicken-and-egg question. The fact is it doesn’t matter—they can happen simultaneously and be of equal benefit to your organization.

It is a KM responsibility to accentuate the positive about information governance. It is good data management, not simply a bunch of random rules. Since it makes good business sense and should be presented as such, we need to foster a culture of compliance and to have both top down and bottom up support. We should make it easy for people to do the right thing, remove obstacles, build a stakeholder community, and incentivize them to comply. Removing obstacles, however, should not mean removing all obstacles. Policies should still restrict access to those qualified to view the data.

Retention policies should recognize that information has a beginning, middle, and end. It has been created, collected, used internally, shared inside the company and externally, and then it should have a defined disposition. Disposition might mean it is archived, but it might also mean it is destroyed.

Organizations should comply with legal requirements and not dispose of information too quickly. On the other hand, hoarding information does not help with risk avoidance, either. If you think that information might have long-term implications, possibly to identify trends, you still don’t want that sitting in your content management system. Archiving it and getting it out of a production environment could be the answer, but if and only if you are not saving it simply for the sake of saving it.

Life cycle management of information starts with thinking about how information is created or collected. Did it come from internal sources? Was it gleaned from an external repository? Was it provided by customers? This will differ from company to company and even from one industry sector to another. Next come access policies: who is authorized to access and use the data.

The point is to strike a balance between being punitive to the point of inhibiting compliance and restricting access to preserve privacy and security. Sharing information is an important component of modern information management and the cornerstone of KM, but excessive sharing creates more problems than it solves, and sharing across national borders raises potential legal issues. Retention policies and disposition practices are integral to good information governance, as is the understanding of what can and should be shared.

Data without information governance practices in place can create operational, privacy, and security gaps that put company assets at risk. Once you know what your data is, where it is, who can access it, and who has accessed it, you can then make decisions about where it should reside. Data in a highly secure system may need fewer controls than data located in a cloud environment or on a broadly available corporate intranet or website.

Depending on your information governance rules, data can be a valuable asset like gold or it can become toxic like asbestos. A true best practice approach requires a sustainable ecosystem where you derive value from the data you hold while protecting company assets.

In organizations around the world, almost every employee is now a content contributor. Social, mobile, and cloud technologies have made it easier than ever to share information both in and out of the organization. This influx of new content, however, brings about new risks. Legal systems and government regulators worldwide are clamping down and demanding greater compliance, particularly on IT systems, requiring that organizations quickly implement risk management protocols. Data is growing too fast to keep up, which creates both great opportunity and risk for all organizations.

Organizations must be vigilant in creating enforceable policies, training programs, and automated controls to prevent and monitor appropriate access, use, and protection of sensitive data, whether they are regulated or not. Doing so will not only mitigate the risk of regulatory and statutory penalties and consequences, but will also help prevent an unnecessary erosion of employee or consumer confidence in the organization as the result of a breach or the loss of sensitive data.

Understanding Data Lifecycle Management

You can’t secure data you don’t know you have. Thus, a process of identification, value extraction, classification, and archiving needs to occur.

Whether data is generated by your organization or collected from a third party (such as a customer, vendor, or partner), the only way you can effectively protect it is by understanding it. For instance, does it contain customer information, employee information, intellectual property, sensitive communications, personally identifiable information, health information, or financial data?

Implementing a Best Practice Approach

1. Contemplate how data is created or collected by your company. You should think about excessive collection as well as how you will provide notice to individuals about that collection and appropriate levels of choice. You should also understand whether you need to keep appropriate records of that collection and creation.

2. Think about how you are going to use and maintain this data. Here you should consider inappropriate access, ensure that the data subjects’ choices are properly honored, address concerns around a potential new use or even misuse, consider how to address concerns around breach, and also ensure that you are properly retaining the data for records management purposes.

3. Consider who is going to share this data, and with whom they are going to share it. You should consider data sovereignty requirements and cross-border restrictions along with inappropriate, unauthorized, or excessive sharing.

4. All data must have an appropriate disposition. You should only keep data for as long as you are required to do so for records management, statutory, regulatory, or compliance requirements. You should ensure you are not inadvertently disposing of data while understanding that as long as you store sensitive information you run the risk of breach.

5. Understand the difference between what can and should be shared. A good program must continually assess and review who needs access to what types of information. Privacy and security teams should work with their IT counterparts to automate controls around enterprise systems so that it is easier for employees to do the right thing than the wrong one, or to simply neglect the consequences of their actions. Once you have implemented your plan, be sure that you maintain regular and ongoing assessments.

Discovery and Classification

Many companies worry about “dark data” or data that exists across their enterprise systems (file shares, SharePoint, social systems, and other enterprise collaboration systems and networks) and is not properly understood. Understanding what and where this data is and properly classifying it will allow organizations to set the appropriate levels of protection in place. 

For example, many companies apply their security controls in broad terms, using the same security procedures for everything. But logically, you do not need to put the same security protocols around protecting pictures from your company picnic as you do around protecting your customer's critical infrastructure design or build information, credit card information, or your employees' benefits information.

Data discovery will allow you to determine the origin and relevance of the data you hold, and determine its retention schedule. You will be better equipped to implement Data Loss Prevention effectively and tactically. Data-aware security policies provide an opportunity for organizations to build a more layered approach to security, prioritizing where efforts (and costs) should be spent, and building multiple lines of defense.

This provides you with the ability to manage the life cycle of the data within your company, from creation or collection through retention, archiving and/or defensible destruction. You cannot block everything from leaving your company any more than you should encrypt every document you have. When security blocks productivity, employees find a way to go around it. The job of security is to help the business use data productively and securely.

Data-Centric Audit and Protection

Understanding and controlling data flows is a critical component to an effective roll out of information management strategies. Key components of an effective methodology should include:

  • Data inventories that help customers understand where their sensitive data resides.
  • Classification on structured and unstructured data to ensure sensitive data is clearly identified.
  • Governance policies that protect the use of sensitive information by applying data sovereignty requirements, permissions management, encryption, and other data protection techniques.
  • Incident remediation and response for sensitive data breaches when they occur.
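As an added illustration (not code from the original post), the following Python sketches the discovery, classification and policy chain described in the Discovery and Classification section and in the components list above: a constructed file inventory is scanned for Luhn-valid card numbers, SSN-shaped values and intellectual-property keywords, each item receives a classification level, and that level selects the controls (encryption at rest, DLP egress action, access scope, retention). The inventory, level names, keyword lists and policy values are all constructed assumptions.

```python
"""Constructed data-discovery and classification walk-through (illustrative only)."""
import re
from dataclasses import dataclass

# Classification levels from least to most sensitive (constructed scheme).
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]

# Constructed sample inventory: path -> extracted text. The card numbers are the
# widely published test numbers 4111... and 4012..., not real accounts.
SAMPLE_INVENTORY = {
    "shares/hr/picnic_2022/photo_list.txt":
        "IMG_0412.jpg lake, IMG_0413.jpg volleyball team",
    "shares/finance/refunds_q3.csv":
        "customer,card\nA. Example,4111 1111 1111 1111\nB. Example,4012-8888-8888-1881",
    "shares/hr/benefits/enrollment.txt":
        "Employee SSN 123-45-6789 enrolled in the dental plan",
    "sharepoint/eng/substation_relay_design.md":
        "Relay settings for the east substation; infrastructure design, do not distribute",
    "shares/finance/notes.txt":
        "Reference 1234 5678 9012 3456 is an order number, not a card",
}

# Constructed policy table: the controls each level earns. Values are illustrative.
POLICY = {
    "PUBLIC":       {"encrypt_at_rest": False, "dlp_egress": "allow", "access": "all-staff",    "retention_days": 365},
    "INTERNAL":     {"encrypt_at_rest": False, "dlp_egress": "log",   "access": "all-staff",    "retention_days": 730},
    "CONFIDENTIAL": {"encrypt_at_rest": True,  "dlp_egress": "block", "access": "need-to-know", "retention_days": 2555},
    "RESTRICTED":   {"encrypt_at_rest": True,  "dlp_egress": "block", "access": "need-to-know", "retention_days": 2555},
}

# Detectors (constructed): 13-19 digits with optional space/dash separators, SSN shape, IP keywords.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
IP_KEYWORDS = ("infrastructure design", "relay settings", "formula", "patent")
PUBLIC_PATH_HINTS = ("picnic", "press_release")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so order numbers that merely look like card numbers are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit strings that match the card-like pattern AND pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Finding:
    path: str
    level: str
    reasons: list


def classify(path: str, text: str) -> Finding:
    """Assign the highest level any detector justifies; default is INTERNAL."""
    level, reasons = "INTERNAL", []
    lowered = text.lower()

    def raise_to(candidate, why):
        nonlocal level
        level = max(level, candidate, key=LEVELS.index)
        reasons.append(why)

    if any(h in path.lower() for h in PUBLIC_PATH_HINTS):
        level = "PUBLIC"                      # path hint lowers the default only
        reasons.append("path marked public")
    if any(k in lowered for k in IP_KEYWORDS):
        raise_to("CONFIDENTIAL", "intellectual property keywords")
    cards = find_card_numbers(text)
    if cards:
        raise_to("RESTRICTED", f"{len(cards)} Luhn-valid card number(s)")
    if SSN_RE.search(text):
        raise_to("RESTRICTED", "SSN pattern")
    return Finding(path, level, reasons)


def build_report(inventory: dict) -> list:
    """Inventory + classification + policy: the data-aware view, most sensitive first."""
    rows = []
    for path, text in inventory.items():
        f = classify(path, text)
        rows.append({"path": path, "level": f.level, "reasons": f.reasons, **POLICY[f.level]})
    rows.sort(key=lambda r: LEVELS.index(r["level"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in build_report(SAMPLE_INVENTORY):
        print(f"{row['level']:<12} {row['path']:<45} encrypt={row['encrypt_at_rest']} "
              f"egress={row['dlp_egress']} reasons={row['reasons']}")
```

The Luhn step is what keeps the finance notes file at INTERNAL: a sixteen-digit order number that fails the checksum is not treated as card data, so DLP effort goes to the files that actually hold regulated values.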

Report and Audit

Identifying potential risks within your information is just the first step. Take action to quickly and efficiently resolve issues with security-trimmed, pre-prioritized reports that provide guidance to your content owners and compliance teams to target the most critical violations. 

Privacy and security risk management intersect with other data lifecycle management programs within your company. Combining these related areas will allow you to better optimize resources while mitigating risk around digital assets to support responsible, ethical, and lawful collection, use, sharing, maintenance, and disposition of information.

Friday, February 22, 2019

Taxonomy Governance

When organizations have a need for a taxonomy, they focus on taxonomy development and do not consider the need for taxonomy governance. Taxonomy governance is part of information governance and should be taken seriously.

Taxonomies exist to support business processes and the associated organizational goals. A well-managed taxonomy provides the structure needed to manage content across multiple internal systems and gives users options and flexibility for how content is accessed and displayed. Taxonomy governance plans ensure that the taxonomies are maintained in a way that satisfies current and future needs and provides the maximum return on investment.

Taxonomy governance consists of the policies, procedures and documentation required for management and use of taxonomies within an organization. Successful taxonomy governance establishes long-term ownership and responsibility for taxonomies, responds to feedback from taxonomy users, and assures the sustainable evolution of taxonomies in response to changes in user and business needs.

Taxonomies are never “finished.” Rather, they are living systems that grow and evolve with the business. Taxonomy governance ensures that growth happens in a managed, predictable way.

Taxonomy governance answers the following questions:
  • Who are the taxonomy stakeholders?
  • What are their respective responsibilities?
  • Who is responsible for making changes?
  • What is the process for making changes?
  • How are prospective changes evaluated and prioritized?
  • When are changes made?
  • When are processes reviewed and updated?

The goals of taxonomy governance are similar across organizations, but it is important to remember that there is no universal taxonomy governance solution. Successful taxonomy governance works within the context of the organization.

Many of the principles and goals of taxonomy governance are shared with information governance.

A good first step when developing taxonomy governance policies is to examine related information governance policies that already exist within an organization. Re-purposing familiar policies and systems makes both adoption and compliance easier for taxonomy users.

The best governance policies take advantage of existing structure, workflows and management processes while accounting for human and technical resources and constraints. Governance policies provide a strategic framework to guide day-to-day taxonomy management.

The main components of this framework are the taxonomy management organization and the operations they perform. Governance has a role at both strategic and operational levels by defining roles and responsibilities of taxonomy organization members, articulating communication, decision-making and escalation policies and providing protocols for taxonomy maintenance operations. Above all, governance provides accountability for decision-making and operations on both a large and small scale.

Taxonomy Management

Ongoing maintenance and development of a taxonomy is best achieved by a formal organization with well-defined and clearly documented roles, responsibilities, and processes. The Taxonomy Management team should be responsible for both strategic direction and routine administration of taxonomy operations. This team should include high-level decision-makers as well as trained taxonomists and IT if needed. End users of the taxonomy should also be represented in the Taxonomy Management team.

The role of a taxonomy governance team is to ensure that taxonomy management occurs in a systematic, measurable, and reproducible way. It provides a mechanism for managing the needs and concerns of all taxonomy stakeholders and helps maximize the value of taxonomy resources by establishing organization-wide policies for taxonomy development, maintenance and use.

The Taxonomy Management Team manages taxonomy administration and development. As with governance policies in general, the specific makeup of and divisions between teams, as well as the terminology used to describe them, will vary depending on the particulars of organizational structure, history and goals.

Taxonomy governance focuses on strategic goals and company-wide policies for taxonomy management and use as well as levels of responsibility for different taxonomy stakeholders. These goals and policies are developed by the Taxonomy Governance Team.

Identifying and documenting organization-wide taxonomy use cases is a very important task among taxonomy governance activities. Taxonomies can potentially be used in multiple business areas. Content strategy, web design and user experience, marketing, customer support, site search and business intelligence are a few examples. Developing tangible, specific use cases helps communicate the taxonomy's value throughout the organization and is necessary when prioritizing taxonomy-related investments.

Governance policies should also be developed that define taxonomy success, performance and quality. Metrics should validate the quality of a taxonomy implementation through quantifiable, direct measurement of taxonomy performance. Regular assessment ensures that the taxonomy meets business and user needs over the long term.

The ability to share data across systems, improved quality of search results, improved user experience of websites and regulatory compliance resulting from effective record keeping and document management are all examples of benefits that can result from effective taxonomy implementation and management. A goal of governance should be to identify and document benefits of this type that are relevant to the specific organization.

Taxonomy Operations and Maintenance

Ongoing maintenance is a very important aspect of a taxonomy project. Taxonomies must be continually updated to reflect changes in content, competition, and business goals. In the absence of maintenance, taxonomies atrophy and the value they provide is greatly diminished.

Organizations must anticipate the resources needed to maintain the taxonomy and develop effective management processes to realize the maximum value from their taxonomy investment. At this level governance is primarily focused on operational details. It provides the framework for taxonomy operations in the form of guidelines, processes, documentation and a defined organizational structure.

The specific tasks performed as part of taxonomy maintenance consist of a wide range of large and small-scale changes to the taxonomy. Taxonomy staff are also typically responsible for providing training, preparing documentation materials, interacting with IT groups to ensure smooth operation of taxonomy systems and providing expert advice and feedback to business leaders to inform strategic decision-making.

The Taxonomy Change Process

One of the most important purposes of taxonomy governance is to define the organizational taxonomy change process. Governance policies define and document specific taxonomy changes and provide guidance to taxonomy administrators on making those changes.

It is especially important to provide guidance on decision-making authority and escalation processes. Defining and documenting different change types allows rational decisions to be made as to which changes can be routinely handled at the discretion of taxonomy administrators and which changes require higher-level consensus and approval. The first step in defining a taxonomy change process is to categorize taxonomy changes by impact and scale.

An important consideration in categorizing the impact of changes to the taxonomy is that taxonomy data is often used by multiple internal tools and systems. Content management, marketing, web analytics and SEO, product inventory and web publishing systems are just a few potential consumers of an enterprise taxonomy.

Experience shows that the level of engagement with the taxonomy team varies widely between users. To avoid unpleasant surprises, taxonomy administrators should be proactive in tracking users and systems where taxonomies are used. Understanding and documenting both the technical details of how taxonomy data flows to these systems and the specific business use case of various users is an important part of the taxonomy change process and should be addressed in both change processes and communication plans.

Small-scale changes will affect only a single term or a small number of terms and will have a minimal impact on users and systems where they are used. Typical small-scale changes are spelling corrections or the addition of individual terms to existing vocabularies.

Taxonomy management staff are usually empowered to make changes of this type as part of routine taxonomy administration. In contrast, large-scale changes will impact large numbers of taxonomy consumers and multiple consuming systems, and/or require a significant commitment of taxonomy management resources for an extended period of time. They require high-level approval with input from the entire information governance team.

Change Request Process

Typical sources of taxonomy change requests are user feedback, routine maintenance by taxonomy administrators, and new business needs.

User feedback is usually the largest and most important source of small-scale taxonomy change requests. A channel is needed for users to provide feedback and for taxonomy administrators to communicate with users. Interacting with taxonomy users and serving as a general point of contact for taxonomy issues is one of the most important aspects of routine taxonomy maintenance for taxonomy administrators.

Email aliases, bug/issue tracking software, dedicated portals, message boards, and other tools used in a help desk or customer support setting are all potentially useful mechanisms for taxonomy administrators to interact with users. Governance policies should address these needs with a well-defined communications plan.

It is also common for predictable events to have an impact on the taxonomy. Marketing campaigns, product updates, new products, company reorganizations and mergers are a few examples of events that could lead to taxonomy changes. Changes of this type can be significant in terms of scale but they can usually be handled as a routine part of taxonomy maintenance. These events should be identified and relevant change and communication policies developed.

In contrast to small-scale changes, large-scale changes tend to be infrequent and are typically driven by strategic business needs. Major expansions in scope requiring the creation of large numbers of new terms and implementation of significant new systems or technologies are examples of large-scale taxonomy changes that may be needed.

The difficulty and scale of taxonomy changes depend on the specific details of the implementation. Management of the taxonomy with a dedicated taxonomy tool versus within a content management system, the capabilities of the tool being used, the number and complexity of taxonomy use cases, and the number and characteristics of consuming systems are a few variables that will influence the change process.

Collecting statistics on change requests and taxonomy use should be part of a taxonomy administrator's routine responsibilities. This data should be reported to the governance team and used to inform strategic decision-making. In the same way, decisions made at the strategic level will impact the prioritization and performance of day-to-day tasks.

Maximizing ROI on Taxonomy Investments

Quality control mechanisms are an important function of governance, especially for businesses that operate in highly regulated environments, but they are not the only, or even the most important, purpose of governance.

The high-level goal of taxonomy governance is to maximize the return on taxonomy investments. The taxonomy governance team establishes strategic goals for the taxonomy and develops organization-wide policies for taxonomy management and use designed to meet those goals.

Goals, policies and procedures should not only be designed to mitigate risks but also to improve organizational performance and capabilities. An enterprise taxonomy is used by many different individuals, groups, and systems and can impact multiple business processes. All of these stakeholders should have insight into taxonomy management processes and a mechanism to provide feedback. Because of the breadth of business processes using the taxonomy it is also important that the governance team include high-level representation to provide strategic guidance and advocacy for taxonomy operations. In return, the governance team must communicate the positive benefits to stakeholders so that policies are more than just vague background noise.

One of the most important tasks of a governance team is to communicate these policies and procedures in a positive way. Governance is often perceived as an enforcement mechanism, and it's natural for stakeholders to react defensively if they believe that policies are in place because they're not trusted to produce high-quality work. Processes, standard operating procedures, responsibility matrices and so on are then viewed as active obstructions to productive work.

Galaxy Consulting has 20 years' experience in taxonomy development and taxonomy governance. Please contact us for a free consultation.

Friday, June 29, 2018

Information Security

Data is not just critical to business; it is core. It is the essence of a company's function. Big data is a major part of that flow, and the more customer data that is out there, the more it needs protection.

As big data gathers momentum, incorporating security into planning and processes in the early stages of a project is becoming more important. The big data revolution is just getting started and will present major security challenges if its data management is not carefully planned.

Formerly the exclusive domain of IT, information security has now become the domain of everybody including content and knowledge managers.

Major retailers and government agencies have suffered data breaches, denials of service and destructive intrusions. Millions of individuals have been affected, and organizations are now forced to devote more resources to prevention and remediation. Everyone in a company, from consumers to CEOs, has become acutely aware of the hazards of failing to protect information.

Every business user and anyone accessing data needs to be aware of it. The advent of the mobile worker and the proliferation of cloud technology have added a new dimension.

People want to run their businesses on a tablet, and they can do that but information managers need to understand how to do it safely. Much of the data in an enterprise exists only at endpoints, which increasingly are mobile devices.

According to a study by IDC, 75% of the U.S. workforce is mobile, with most of those employees having more than one mobile device. But those devices are at risk: about 5% to 10% of laptops are lost each year, according to a study from the Ponemon Institute, and about one-third of them contain unencrypted sensitive or confidential data. In another study, one in six respondents reported having had a mobile device lost, stolen or destroyed. In addition, a lot of intellectual property is stored on mobile devices, and in the event of litigation, the company has to be able to locate it.

Despite the convenience of mobile devices, their use creates well-recognized conflicts with security, especially in the face of increased frequency of BYOD (Bring Your Own Device).

Even when users hold onto their devices, security is far from guaranteed. Data is becoming more dispersed and fragmented. Even when companies do not know where the data is flowing, they still have an obligation to protect it. Information sharing is the norm rather than the exception today, both among employees within an organization and with outside organizations.

Along with mobile devices, the supply chain is a point of vulnerability. Once supply chain information leaves your organization, you don’t know what is being shared and what is being protected. Tracking it is a massive task and has often been managed by departments well outside of IT, such as procurement. It’s not just information about material goods that enters the supply chain; intellectual property associated with the products also goes to third-party suppliers. Information, such as patent data or formulas for pharmaceuticals, is shared with lawyers and accountants.

Analyzing the risks to information in the supply chain can help focus resources on mission-critical data. Companies should work with their vendors to ascertain how they are protecting information, and to consider putting security requirements into the contracts they write with suppliers.

Business and IT should start with a conversation to explain what protection the company has in place and what measures are being taken. Then, the business side can work with IT to develop business cases based on the impact of their operations and illustrate the ROI for protection of their functions. That can help IT by showing the costs of downtime and clarifying what needs to be protected.

Technology can help overcome security problems. For example, an endpoint agent can provide continuous backup without users being aware that it is running; it can also enforce encryption transparently and remotely wipe a lost laptop to clear its data. Other products focus on encryption and tokenization, securing the data itself rather than the network environment. Tokenization replaces a sensitive value with a surrogate that has no meaning outside the token vault, so downstream systems can process and track the flow of data without ever handling the real value.
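
As an added illustration of vault-based tokenization (example code, not from the original post or from any vendor product named on this page), the Python below keeps real card numbers in a vault and hands everything downstream a format-preserving token. The role names and the free-text record format are assumptions. The token keeps the last four digits for display but is built to fail the Luhn check, so it can never be mistaken for a real card number, and only a payments role may reverse the mapping.

```python
import re
import secrets

# Matches runs of 13 to 19 digits, the length range of payment card numbers.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(number: str) -> bool:
    """Luhn check-digit validation, used to tell a real PAN from a random digit string."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Vault-based tokenization: the real PAN is stored only here, and everything
    downstream handles the surrogate token instead."""

    # Hypothetical role names; in a real deployment these come from the IAM system.
    DETOKENIZE_ROLES = {"payments"}

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        # The same PAN always maps to the same token, so reports can still join on it.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Format preserving: same length, last four digits kept for display, the rest
            # random from a CSPRNG. Any candidate that passes Luhn is rejected, so a token
            # can never be mistaken for (or used as) a real card number.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only the few systems that truly need the PAN may reverse the mapping."""
        if role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._token_to_pan[token]


def tokenize_text(text: str, vault: TokenVault) -> str:
    """Replace every valid PAN in free text (a support note, a log line) with its token.
    Digit runs that fail Luhn are left alone: they are order numbers, not cards."""
    def repl(m):
        candidate = m.group(0)
        return vault.tokenize(candidate) if luhn_valid(candidate) else candidate
    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample: 4111111111111111 is a well-known test card number, not a real account.
    note = "Customer paid with 4111111111111111, order ref 1234567890123."
    print(tokenize_text(note, vault))
```

The tokenized note can be copied into a ticketing system, a data lake or an analytics job, and the flow of the customer's card can be traced across all of them by its token; a breach of any of those systems yields only surrogates, and the vault is the one component that needs PCI-grade controls.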

A new product called Protegrity Avatar for Hortonworks is designed to secure individual data elements while managing and monitoring the data flow in Hortonworks, an enterprise Hadoop data platform.

In most cases, organizations need to deploy more than one security solution, because the threats are many and varied. Most companies use a best-of-breed strategy, picking out the strongest solutions for their needs.

Data security is about data protection, but it is also about continuity and availability. Protecting information with technology is important, but it is not a substitute for information governance within a company.

Achieving the right balance between business needs and information security requires a fundamental shift in attitude. Rather than thinking of data as something a company owns, business owners need to come to terms with the fact that they are custodians of data that needs to flow and be managed.

A legislative proposal announced by the White House in mid-January is designed to increase data security by promoting information sharing, strengthening law enforcement for cyber crimes and requiring that data breaches be reported promptly.

Companies have been concerned about information sharing because of the risk of liability for violating individuals’ privacy. The bill addresses that issue by requiring compliance with privacy guidelines, including removal of unnecessary personal information. The legislation would simplify and standardize the requirements for reporting data breaches. Currently, the laws exist at the state level, but not all states have them, and those that exist are not consistent.

Whether defending their website from intrusions, keeping applications running or protecting data elements, organizations are faced with an increasing number of threats and a complex security environment. Awareness at every level of the extended enterprise will be essential to minimizing the adverse impact of security incidents.

Galaxy Consulting has 18 years experience in information security and governance. Please call us for a free consultation.

Monday, February 29, 2016

Data Security

Data security should be a priority in your organization.

For hackers, large-scale data breaches such as Home Depot, Neiman Marcus, and Staples are gold mines. For businesses, keeping valuable customer data out of the hands of cyber-thieves is a constant battle. Companies need to safeguard against every possible vulnerability across their entire infrastructure.

In 2014, the total number of reported data breaches in the United States hit a record high of 783, averaging about 15 per week, based on information compiled by the Identity Theft Resource Center (ITRC).

Companies, on average, can expect to encounter 17 malicious code incidents, 12 sustained probes, and 10 unauthorized access incidents each month, according to research from the Ponemon Institute, a provider of independent research on privacy, data protection, and information security policy.

Despite the growing number of attacks, many companies are still not doing nearly enough to secure their customers' personal and financial information. For many companies, the wake-up call only comes after they have fallen victim to a large-scale, high-profile breach.

Forrester Research noted that outside of banking and national defense, many industries are "woefully immature" when it comes to making the necessary investments in data breach protection, detection, and response.

This prompted Forrester to conclude that most enterprises will not be able to respond to a data breach without undermining their customers' trust or dragging their own corporate reputations through the mud.

Companies need to prevent data breaches from happening. They need to have an incident response and crisis management plan in place. Efficient response to the breach and containment of the damage has been shown to reduce the cost of breaches significantly and goes a long way toward reassuring customers who might have been thrown into a panic.

The first step toward that goal is having a high-level company executive who is responsible for data security. The key to addressing information security is first understanding what customer information is stored in company databases. Create a data inventory and determine what data is sensitive. Then segment out the sensitive and nonsensitive data.

Systematically purge the data that your organization no longer needs.

Take an inventory of all of your IT assets and business processes and analyze them for vulnerabilities that could expose sensitive data, for example, cardholder data. The next step is to fix those vulnerabilities. This assessment should be performed at least once a year. Make sure that the company's data security program meets industry best practices, government regulations, and the company's business objectives.

Make sure your web site uses encryption (TLS) when collecting or processing customers' data. Once your company no longer needs customer data, such as payment card numbers or any other personal information, it should be securely deleted.

It is crucial for companies to segment data so that a breach of one system does not expose other data repositories.

Companies should use Internet firewalls at all times, keep their operating systems and other business software up to date, and install and maintain antivirus and anti-spyware programs. Because many companies allow employees to use their own mobile devices, including smartphones, tablets, and laptops for business, these devices should be protected in the same way. Limit some company applications and data so that employees can't access them from unsecured mobile devices.

It is extremely important that companies limit data access to those employees who need it, by setting up appropriate permissions in your data systems. Put access logging in place, with alarms for when something out of the ordinary happens. This way you will know when someone is doing something with the data that does not fit their job description.

Contact centers are vulnerable to hackers, who use interactive voice response (IVR) systems for reconnaissance and data-gathering as a precursor to phishing agents, who are unwittingly coaxed into giving out sensitive information to unauthorized callers. In most cases, the call center agents are tricked by skilled fraudsters who use a variety of social engineering techniques to get them to break normal security procedures. The only real defense is proper training and protocols.
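
An added example (not from the original post) of the kind of access logging and alarming described above: it runs three checks over constructed log lines in a hypothetical format, flagging reads outside a role's entitlement, off-hours access, and bulk reads far above the user's own baseline. The role entitlements, the business-hours window and the volume factor are assumptions that a real deployment would tune.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of a data-access log. The format (time user role table rows) is
# hypothetical; a real feed would come from the database audit log or the application.
SAMPLE_LOG = """\
2016-02-22T09:14:02 alice support customers 12
2016-02-22T09:40:51 alice support customers 8
2016-02-22T10:02:13 bob marketing campaigns 300
2016-02-22T11:25:44 alice support customers 15
2016-02-22T14:31:09 bob marketing campaigns 280
2016-02-23T02:17:30 alice support customers 48000
2016-02-23T10:05:12 bob marketing payment_cards 50
"""

# Which data sets each role needs for its job; anything else is outside the job description.
ROLE_ENTITLEMENTS = {
    "support": {"customers"},
    "marketing": {"campaigns"},
    "payments": {"payment_cards", "customers"},
}
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59, an assumption for this example
VOLUME_FACTOR = 10              # a read over 10x the user's median for that table is a bulk pull


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, table, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "table": table, "rows": int(rows)})
    return events


def alert(e, kind, detail):
    return {"ts": e["ts"].isoformat(), "user": e["user"], "table": e["table"],
            "kind": kind, "detail": detail}


def detect_anomalies(events):
    """Walk the log in time order and raise an alert for each suspicious access.
    The volume baseline is the median of the user's earlier reads of the same table,
    so a single huge pull cannot hide by inflating its own baseline."""
    alerts = []
    history = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["table"])
        if e["table"] not in ROLE_ENTITLEMENTS.get(e["role"], set()):
            alerts.append(alert(e, "OUT_OF_ROLE",
                                f"{e['role']} has no entitlement to {e['table']}"))
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(alert(e, "OFF_HOURS", f"access at {e['ts']:%H:%M}"))
        if history[key] and e["rows"] > VOLUME_FACTOR * statistics.median(history[key]):
            alerts.append(alert(e, "BULK_READ",
                                f"{e['rows']} rows vs median {statistics.median(history[key])}"))
        history[key].append(e["rows"])
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(a["ts"], a["user"], a["kind"], a["detail"])
```

On the sample, alice's 02:17 read of 48,000 customer rows trips both the off-hours and the bulk-read alarms, and bob's read of payment_cards trips the out-of-role alarm even though it is small and during business hours; the entitlement check is what ties the alarm back to the job description.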

As many as 35% of data breaches have started with basic human error, such as sending an email with personal information to the wrong person or storing company files on laptops or tablets that were lost or stolen.

Even worse than careless employees or outside hackers, though, are the contact center agents who knowingly engage in illegal activities, using their jobs to gain access to information that they can sell or use on their own.

To help contact centers deal with this threat, call center technology can prevent skimming by agents. At the point in the transaction where the agent needs to collect the credit card information, systems can automatically pause call recording. With other solutions, the call can be transferred to an IVR system. Agent-assisted solutions allow agents to collect credit card information without ever seeing or hearing it: the agent remains on the phone while customers enter their card number directly into the system using their phone keypads, and the standard dual-tone multi-frequency (DTMF) tones are masked with flat tones so the agent cannot recognize them and they are not captured on the recording.

In this environment, contact center managers and other employees need to be trained to spot at-risk employee behaviors. Training alone, though, is not enough. Employees need to know that there will be serious repercussions for violations of company practices and security protocols. Companies need to have a clearly defined formal policy so that employees know if they violate it, there are consequences that they will have to face.

Data security, therefore, has to be a business-wide endeavor. IT professionals, company executives, and employees at every level must work together to protect critical data assets from internal and external threats. Companies need to foster a security-aware culture in which protecting data is a normal and natural part of everyone's job.

Data security is also a constant game of what-ifs. The only certainty is that cyber-criminals will never stop learning and sharing information that will help them to get into high-profile targets. They will never stop trying to break into corporate databases. The information is just too valuable on the black market. The key is to make sure that you are not leaving the front door open for hackers to get in.

Galaxy Consulting has 16 years experience protecting organizations' data. We have done it for many companies. We can do the same for you! Contact us today for a free consultation!

Wednesday, April 22, 2015

Social Media Management and Information Governance

The social media landscape today has ballooned to include several different types of platforms, from video or photo sharing to microblogs, short posts and activity feeds. With all of this newly introduced communication software comes an increasing amount of data and data risk.

There are three layers of information governance involved with social media use within official organizations. Read on to learn what these layers are and what can be implemented within your organization to keep data compliant with legal, organizational and regulatory policies and procedures, as well as keeping data safe and free of risk.

Social Media Security

Organizations, including small and midsize businesses, non-profits, corporate enterprises and even governments, are being inundated with automated cyber-attacks, hacks, spam, phishing scams, DDoS (distributed denial of service) attacks and malware. A good share of this malicious content arrives through social media use. Interestingly, though, many organizations are not prepared for, or putting effort into, scanning content that comes from social media for malware.

Many short links distributed through tweets, wall posts and other forms of communication are generated by bots that are designed to appear human online. The information gathered by deploying these bots can be devastating for an organization. If an employee clicks on one of these links, critical business information can become vulnerable to automated harvesting.

This information can be used in a variety of ways, including business or government espionage, theft of customer or internal financial information, theft or distribution of trade secrets such as research or prototypes, and illegal or compromising use of other critical data.

There are tools that can scan this content and monitor user behavior to ensure secure communications. HootSuite is one widely used tool for managing an organization's social media accounts centrally.

Social Information Archival

The archival of information is obviously important for any kind of enterprise or organization. Data can become stockpiled or deleted immediately on social media sites, depending on their own policies for data retention.

If an employee or member creates a piece of content that is later deleted, there must be a way to determine when and why the content was removed. It may come up in a legal matter at some point (see Social Media Information Policy below).

Screenshots of content or documentation of social media activity are a couple of ways that this information may be monitored or recorded. Some kind of record needs to exist. A simple log may not suffice, depending on policy or regulations. Businesses with a supply chain, product or other third-party scenario may need to refer to this information for business practices or other reasons affecting third parties or partners.

Social media insights can also be gained through tracking content and activity over long periods of time. Research into social use over time can enable organizations to become adaptable to market conditions, laws, disruptions, customer expectations, business practices and a broad range of other areas important to organizations using social tools and sites.

Social Media Information Policy

Organizations are more heavily burdened by legislation, regulation and the threat of legal action or litigation than ever before. To complicate matters, the amount of information is growing ever more rapidly. As old data becomes archived, exponentially larger volumes of data are being produced. This trend is not going to slow down anytime soon; just take a look at the rapidly growing market for cloud storage and computing services. So how can we ensure that social media use follows guidelines?

It starts with auditing content, campaigns and procedures to ensure legal, regulatory and organizational compliance. Look at content to see if there are vulnerabilities. You don’t want users posting content that can lead to insider trading, for example. Trade secrets and confidential customer or supplier information must also not be distributed to the public, for another example.

These are just a couple of ways that this kind of media use can harm or injure the credibility, profitability and even viability of an entire enterprise. Information handling policies must be both set in stone for things that will not change (corporate responsibility, for example) and things that will change or evolve over time (product marketing, for example). Some things will in fact change quite rapidly, while others will be a little slower moving.

After the audit, the next step is to ensure enforcement. Not only management but every single member of the organization must first understand that these policies are important and then see to it that they are being followed. Monitor all on-site or virtual network use and the use of social media on those systems. Let users know that their activity is being monitored to dissuade them from engaging in risky behavior to start with. Remember that the average employee spends nearly an hour engaging in social media at work.

There are various risks associated with this activity. Employees must both know the risks associated but also understand that there will be no tolerance for non-compliance with these policies. Disciplinary action is at the discretion of each organization.

Implement the Layers Proactively

Remember that the sooner your organization starts implementing these layered tasks, the better. You don’t want to be comfortable today and sorry tomorrow for not realizing the mistake of complacency. Make sure that everyone is on-board at all levels to ensure the smoothest possible transition into security protocols, policies, procedures and use of tools and software.

People are often afraid of change or resistant to do things that require patience or more work on their end. You may be able to alleviate some of those pains from them, but ultimately everyone must be responsible for the information they produce, gather and distribute.

All this being said, social media is a great tool for boosting productivity as well as marketing efforts for most organizations, so don’t be afraid to use social media; just put these precautionary measures in place first.

Sunday, August 31, 2014

Role of Automatic Classification in Information Governance

Defensible disposal of unstructured content is a key outcome of a sound information governance program. Building a sound approach to records management as part of the organization’s information governance strategy is, however, rife with challenges.

Some of the challenges are explosive content volumes; difficulty in accurately determining what content is a business record as opposed to transient or non-business-related content; eroding IT budgets due to mounting storage costs; and the need to incorporate content from legacy systems or merger and acquisition activity.

Managing the retention and disposition of information reduces litigation risk, reduces discovery and storage costs, and ensures that organizations maintain regulatory compliance. In order to determine why content must be retained, for how long, and when it can be dispositioned, the content first has to be classified.

However, users see the process of sorting records from transient content as intrusive, complex, and counterproductive. On top of this, the popularity of mobile devices and social media applications has effectively fragmented the content authoring and has eliminated any chance of building consistent classification tools into end-user applications.

If classification is not being carried out, there are serious implications when asked by regulators or auditors to provide reports to defend the organization’s records and retention management program.

Records managers also struggle with enforcing policies that rely on manual, human-based classification. Accuracy and consistency in applying classification is often inadequate when left up to users, the costs in terms of productivity loss are high, and these issues, in turn, result in increased business and legal risk as well as the potential for the entire records management program to quickly become unsustainable in terms of its ability to scale.

A solution to overcome this challenge is automatic classification. It eliminates the need for users to manually identify records and apply necessary classifications. By taking the burden of classification off the end-user, records managers can improve consistency of classification and better enforce rules and policies.

Auto-Classification makes it possible for records managers to easily demonstrate a defensible approach to classification based on statistically relevant sampling and quality control. Consequently, this minimizes the risk of regulatory fines and eDiscovery sanctions.

In short, it provides a non-intrusive solution that eliminates the need for business users to sort and classify a growing volume of low-touch content, such as email and social media, while offering records managers and the organization as a whole the ability to establish a highly defensible, completely transparent records management program as part of their broader information governance strategy.

Benefits of Automatic Classification for Information Governance

Apply records management classifications as part of a consistent, programmatic component of a sound information governance program to:

Reduce
  • Litigation risk
  • Storage costs
  • eDiscovery costs
Improve
  • Compliance
  • Security
  • Responsiveness
  • User productivity and satisfaction
Address
  • The fundamental difficulties in applying classifications to high volume, low touch content such as legacy content, email and social media content.
  • Records manager and compliance officer concerns about defensibility and transparency.
Features
  • Automated Classification: automate the classification of content in line with existing records management classifications.
  • Advanced Techniques: classification process based on a hybrid approach that combines machine learning, rules, and content analytics.
  • Flexible Classification: ability to define classification rules using keywords or metadata.
  • Policy-Driven Configuration: ability to configure and optimize the classification process with an easy "step-by-step" tuning guide.
  • Advanced Optimization Tools: reports make it easy to examine classification results, identify potential accuracy issues, and then fix those issues by leveraging the provided "optimization" hints.
  • Sophisticated Relevancy and Accuracy Assurance: automatic sampling and benchmarking with a complete set of metrics to assess the quality of the classification process.
  • Quality Assurance: advanced reports on a statistically relevant sample to review and code documents that have been automatically classified, to manually assess the quality of the classification results when desired.
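
As an added example (not from the original post or from any product named on this page) of rules-plus-metadata classification together with the statistical quality control that the defensibility argument above relies on: the Python below classifies a constructed corpus with ordered rules, routes anything unmatched to a human review queue rather than guessing, works out how large a QA sample must be for a given margin of error, and reports the sampled accuracy with a Wilson 95% confidence interval so the number can be defended to an auditor. The metadata fields, rules, retention periods and human review labels are all assumptions.

```python
import math
import random
import re

# Constructed sample corpus. The metadata fields (source, from_domain) are hypothetical;
# a real deployment would pull them from the mail store or ECM system.
DOCS = [
    {"id": 1, "source": "mail", "from_domain": "acme-legal.example", "text": "Attached is the signed master services agreement."},
    {"id": 2, "source": "erp",  "from_domain": "", "text": "Invoice INV-4411 for March, net 30."},
    {"id": 3, "source": "mail", "from_domain": "corp.example", "text": "Lunch at noon? The usual place."},
    {"id": 4, "source": "mail", "from_domain": "corp.example", "text": "Out of office until Monday."},
    {"id": 5, "source": "mail", "from_domain": "partner.example", "text": "Please review the draft contract amendment."},
    {"id": 6, "source": "mail", "from_domain": "corp.example", "text": "Q3 board minutes, final version attached."},
    {"id": 7, "source": "mail", "from_domain": "corp.example", "text": "Happy hour Friday at 5."},
    {"id": 8, "source": "erp",  "from_domain": "", "text": "Credit note against invoice INV-4402."},
]

# Rules in priority order: (record class, retention in years, predicate). Business records
# are tested before the transient rule so a contract that mentions lunch is never purged.
RULES = [
    ("Contract", 10, lambda d: d["from_domain"] != "corp.example"
        and re.search(r"\b(agreement|contract)\b", d["text"], re.I)),
    ("Financial Record", 7, lambda d: d["source"] == "erp"
        and re.search(r"\binvoice\b", d["text"], re.I)),
    ("Transient", 0, lambda d: re.search(r"\b(lunch|happy hour|out of office)\b", d["text"], re.I)),
]
UNMATCHED = ("Review Queue", None)   # safe default: a human decides, nothing is auto-deleted


def classify(doc):
    """Return (record class, retention years) from the first matching rule."""
    for record_class, retention, predicate in RULES:
        if predicate(doc):
            return (record_class, retention)
    return UNMATCHED


def classify_all(docs):
    return {d["id"]: classify(d) for d in docs}


def sample_size_for_margin(margin, z=1.96):
    """Documents to sample so accuracy is known to +/- margin at 95%, worst case p = 0.5."""
    return math.ceil(z * z * 0.25 / (margin * margin))


def draw_sample(ids, k, seed=0):
    """Simple random sample of document ids; a fixed seed makes the draw reproducible for auditors."""
    return sorted(random.Random(seed).sample(sorted(ids), k))


def wilson_interval(successes, n, z=1.96):
    """Wilson score interval: well behaved for small samples and for accuracies near 100%."""
    if n == 0:
        return (0.0, 0.0)
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def qa_review(assignments, human_labels, sample_ids):
    """Compare auto-classification with human coding on the sample and report defensible metrics."""
    disagreements = [i for i in sample_ids if assignments[i] != human_labels[i]]
    n = len(sample_ids)
    correct = n - len(disagreements)
    low, high = wilson_interval(correct, n)
    return {"sample_size": n, "accuracy": correct / n, "ci_low": low,
            "ci_high": high, "disagreements": disagreements}


if __name__ == "__main__":
    results = classify_all(DOCS)
    for doc_id, (record_class, retention) in results.items():
        print(doc_id, record_class, retention)
    print("sample size for +/-5%:", sample_size_for_margin(0.05))
    # Constructed human review of the auto-classified documents (id 6 went to humans anyway).
    human = {1: "Contract", 2: "Financial Record", 3: "Transient", 4: "Transient",
             5: "Correspondence", 7: "Transient", 8: "Financial Record"}
    classes = {i: c for i, (c, _) in results.items()}
    print(qa_review(classes, human, draw_sample(human, len(human))))
```

The toy corpus is small enough that the sample is the whole population; with real volumes, sample_size_for_margin says 385 documents are enough to state accuracy within five points, and the interval, not the point estimate, is what a regulator will ask for. A disagreement list that keeps growing in one class is the signal to revisit that rule rather than the program as a whole.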

Thursday, October 31, 2013

Information Governance With SharePoint

The goals of any enterprise content management (ECM) system are to connect an organization's knowledge workers, streamline its business processes, and manage and store its information.

Microsoft SharePoint has become the leading content management system in today's competitive business landscape as organizations look to foster information transparency and collaboration by providing efficient capture, storage, preservation, management, and delivery of content to end users.

A recent study by the Association for Information and Image Management (AIIM) found that 53% of organizations currently utilize SharePoint for ECM. SharePoint's growth can be attributed to its ease of use, incorporation of social collaboration features, as well as its distributed management approach, allowing for self-service. With the growing trends of social collaboration and enhancements found in the latest release of SharePoint 2013, Microsoft continues to facilitate collaboration among knowledge workers.

As SharePoint continues to evolve, it is essential to have a solution in place that would achieve the vision of efficiency and collaboration without compromising on security and compliance. The growing usage of SharePoint for ECM is not without risk. AIIM also estimated that 60% of organizations utilizing SharePoint for ECM have yet to incorporate it into their existing governance and compliance strategies. It is imperative that organizations establish effective information governance strategies to support secure collaboration.

SharePoint 2013 adds two features that help with compliance. The eDiscovery Center is a SharePoint site collection that gives you more control over your data: it lets you identify, hold, search, and export documents needed for e-discovery. The In-Place Hold feature preserves documents and places them on hold while users continue working on them. Both features are available for on-premises and cloud deployments.

SharePoint 2013 has also been integrated with Yammer, which provides many social features. This presents a new compliance challenge. Yammer is planning to integrate more security in future releases, but for now organizations need to create policies and procedures for these social features. Roles like "Community Manager", "Yambassadors" and "Group Administrators" might be introduced.

There are 3rd party tools that could be used with SharePoint for compliance and information governance. They are: Metalogix and AvePoint for Governance and Compliance, CipherPoint and Stealth Software for Encryption and Security; ViewDo Labs and Good Data for Yammer analytics and compliance.

In order to most effectively utilize SharePoint for content management, there are several best practices that must be incorporated into information governance strategies as part of an effective risk management lifecycle. The goal of any comprehensive governance strategy is to mitigate risk, whether this entails downtime, compliance violation or data loss. In order to do so, an effective governance plan must be established that includes the following components:

Develop a plan. When developing your plan, it is necessary for organizations to understand the types of content SharePoint contains before establishing governance procedures. It is important to involve the appropriate business owners and gather any regulatory requirements. These requirements will help to drive information governance policies for content security, information architecture and lifecycle management.

When determining the best approach to implement and enforce content management and compliance initiatives, chief privacy officers, chief information security officers, compliance managers, records managers, SharePoint administrators, and company executives will all have to work together to establish the most appropriate processes for their organization as well as an action plan for how to execute these processes. During the planning phase, your organization should perform an assessment, set your organization's goals, and establish appropriate compliance and governance requirements based on the results of the assessment to meet the business objectives.

Implement your governance architecture. Once your organization has developed a good understanding of the various content that will be managed through SharePoint, it is time to implement the governance architecture. In this phase, it is important to plan for technical enforcement, monitoring and training for employees that address areas of risk or noncompliance. It is important to note that while SharePoint is known for its content management functionality, there are specific challenges that come with utilizing the platform as a content management system for which your governance architecture must account: content growth and security management.

In order to implement effective content management, organizations should address and plan to manage growth of sites, files, storage, and the overall volume of content. Organizations without a governance strategy often struggle with proliferation of content with no solutions to manage or dispose of it. This is a huge problem with file servers. Over time, file servers grow to the point where they become a bit like the file cabinet collecting dust in the corner of your office. It is easy to add in a new file, but you will not find it later when you need it. The challenge comes from the planning on how to organize and dispose of out-of-date content.

SharePoint offers the technology to address these challenges, but only if it is enabled as part of your governance plan. Information management policies can be used to automatically delete documents, or you may be using third-party solutions to archive documents, libraries and sites. By default in SharePoint 2013, Shredded Storage is enabled to reduce the overall storage of organizations that are utilizing versioning. Remote BLOB Storage (RBS) can also be enabled in SharePoint or through third-party tools to reduce SharePoint's storage burden on SQL Server.

Tagging and classification play a key role in information governance. Proper classification improves content findability. Organizations can utilize SharePoint's extensive document management and classification features, including Content Types and Managed Metadata, to tag and classify content. Third-party tools that extend SharePoint's native capabilities can also filter for specified content when applying management policies for storage, deletion, archiving, or preservation. Ultimately, however, the people in your organization will play the biggest role here. As such, your plan should identify who the key data owners are and the areas for which they are responsible. This role is often filled by a "site librarian" or those responsible for risk management in the enterprise.

In order to minimize risk to the organization, it is imperative to ensure that information is accessible to the people who should have it and protected from the people who should not. SharePoint has a very flexible permission system that can accommodate this; the practical rule is to grant permissions to groups at the site or library level and keep item-level exceptions rare, because scattered unique permissions are what make access reviews fail.

Ongoing assessments. In order to ensure that established governance procedures continue to meet your business requirements ongoing assessment is required. Conduct ongoing testing of business solutions, monitoring of system response times, service availability and user activity, as well as assessments to ensure that you have complied with your guidelines and requirements for properly managing the content. The content is essentially your intellectual property, the lifeblood that sustains your organization.

React and revise as necessary. In order to continue to mitigate risk, respond to evolving requirements, and harden security and access controls, you must take the information gathered in your ongoing assessments and use it to make more intelligent management decisions. Continue to assess, react and revise as necessary. With each change, continue to validate that your system meets the necessary requirements.

The risk has never been higher, especially as more data is created and growing regulatory compliance mandates require organizations to ensure that their content is properly managed.

If you develop a plan, implement a governance architecture that supports that plan, assess the architecture on an ongoing basis, and react and revise as necessary, your organization will have the support and agility necessary to truly use all of the content it possesses to improve business processes, innovation, and competitiveness while lowering total costs.

Thursday, January 31, 2013

Information - Governance, Risk and Compliance – GRC - Part 3

In parts 1 and 2 of my post about governance, risk, and compliance, I described why information governance is important, where to begin with information governance, and started to describe what needs to be considered in information governance policies. In this post I will describe information governance policies as they relate to crisis management and e-discovery, and list general information governance control points.

Information Governance for Crisis Management

Crisis management is a set of procedures for unplanned situations that would prevent you from performing the critical functions of your job.

Such situations can be:
  • Availability – illness, severe weather, turnover, fire, flood, facility issues
  • Technology – phone cut-off, system outage, application down, network problems
  • Volume/Capacity – a huge number of calls (for example, in a call center)
  • Special situations – pandemic, loss of facility, tornado, etc.
An approaching storm or disaster does not provide much leeway to assess your disaster recovery preparations.

For example, if your CMS is down, what happens to those departments who need to use critical documents?

Solutions:

Develop a plan for each crisis situation, designed to drive disaster recovery. Planning is very important.

Prioritize requirements as short-, medium- and long-term. Assess business needs. For example, how do you want to handle a spike in calls (if you run a call center)? A short-term plan could be to re-route calls for live answer to a location where staff are available. Medium- to long-term plans could include an alternative site or working from home.

Make your plan flexible. Have an incident coordinator. Create a communication plan that states who is responsible for coordinating the recovery process. Create a crisis team, which could include IT, QA, management and business partners. Outline responsibilities and procedures in the document.

Test this procedure at least once a year. Do a post-analysis: timing, access gaps, communication of results; recommend changes and a training plan for the next test, which may be next quarter rather than next year. Evaluate your systems when you are not in a crisis.

Other points:
  • Address both planned and unplanned downtime in your disaster recovery plan.
  • Virtualize your data center.
  • Ensure swift restoration of content items following corruption or accidental deletion.
  • Maintain all metadata during and after recovery events.
  • Ensure a seamless transition to a warm stand-by system should the main system fail.
  • Plan what to do if an outage happens.
  • Maximize platform up-time and swift restoration of the platform following a disaster event.
  • Users need to feel confident that the system will protect content and will be available regardless of any disaster; otherwise user adoption will fail and users will go back to their old habits, essentially halting the KM effort in its tracks.

Information Governance for E-Discovery

E-discovery preparedness makes it imperative for organizations to develop an enterprise-wide strategy to manage the volume of electronic information. The discovery process affects many individuals in an organization, not just lawyers and others involved in discovery, but also IT professionals and records managers, who have to be prepared to produce electronic content for discovery and litigation.

You need the ability to respond to legal requests, resolve litigation issues, mitigate the risk of sanctions, and reduce the impact and cost associated with future litigation.

For legal counsel, it means having a review process to determine what discovered content is relevant to the case. For an IT person, it means restoring backup tapes to show evidence on file shares, content management systems, e-mail systems, or other applications. But for records managers, this work will have begun long before any lawsuit: managing records for retention, placing legal holds, and finalizing disposition.

E-discovery could be costly because it requires organizations to retrieve content from servers, archives, backup tapes, and other media.

In some cases, an organization is unable to execute a discovery order because it cannot locate all content in a timely manner, or it cannot place holds on all content and some of it is deleted during the lawsuit. The inability to do this correctly also has a cost, and it can be considerable.

To address these costs, many organizations are looking at e-discovery solutions that will enable them to review the found content and take it through litigation.

But organizations can also lower the costs of archiving and restoring, legal review, and sanctions simply by cutting down how much content they retain. Less stored content means less content on which to perform discovery.

Developing a strategy and a plan of action for handling e-discovery will help organizations mitigate their risk and save them a significant amount of money in the event of litigation. Organizations need a retention policy that determines which content can be destroyed, and when, and which content should be kept, and for how long. The key is to have a retention program that is flexible enough to keep content for the right retention period.

By categorizing content, creating a catalog of the content, creating a retention plan, implementing a hold methodology, and having disposition procedures, an organization will benefit in many ways.

Solutions: Integrate e-discovery into your information governance practice. Include these key capabilities:
  • Understand and secure – identify and categorize documents; documents are distributed globally, so you must be able to find and correctly identify them.
  • Automate and enforce – extend policies to documents within unmanaged repositories such as file shares, SharePoint, etc. Automate processes in a transparent manner to manage and control documents. Retention and disposition policies should be enforceable within the ECM.
  • Protect and control – regulate how documents are accessed and used; apply security controls to documents; control who can access protected documents.
  • Discover and produce – the ability to produce relevant documents on demand is a mandatory requirement.
Develop retention programs. Create committees within your organization and bring their expertise together with legal counsel and IT to prepare for e-discovery and litigation.
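The retention program described in this section, as an added example in Python that is not code from the post: a per-category retention schedule, legal holds that freeze every document carrying a matter tag, and a disposition check that never destroys held or unclassified content, which is the failure the earlier paragraph warns about (content deleted while a lawsuit is pending). The categories, matter name, dates and documents are all constructed for the example.

```python
"""Retention schedule, legal hold and disposition check: added example, not the post's code.
Category sets the retention period, an active legal hold freezes every document carrying
the held tag, and disposition needs expired retention AND no hold. All data is constructed."""
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = {"contract": 7, "meeting-notes": 2, "marketing": 3}  # constructed
TODAY = date(2023, 1, 31)  # constructed evaluation date for the sample run

@dataclass(frozen=True)
class Document:
    doc_id: str
    category: str
    trigger_date: date   # e.g. contract end or creation date (constructed)
    tags: frozenset      # matter/customer tags used to scope legal holds

@dataclass(frozen=True)
class LegalHold:
    matter: str
    tag: str             # every document carrying this tag is frozen
    released: bool = False

def add_years(d, years):
    try:                 # shift by whole years; 29 Feb maps onto 28 Feb if needed
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def disposition_decision(doc, holds, today):
    """Return (action, reason); 'dispose' only with expired retention and no hold."""
    held = sorted(h.matter for h in holds if not h.released and h.tag in doc.tags)
    if held:                                  # the hold check always comes first
        return "retain", "legal hold: " + ", ".join(held)
    if doc.category not in RETENTION_YEARS:   # fail safe: no rule means no destruction
        return "retain", "no retention rule; escalate to records manager"
    end = add_years(doc.trigger_date, RETENTION_YEARS[doc.category])
    if today < end:
        return "retain", "retention runs until " + end.isoformat()
    return "dispose", "retention expired " + end.isoformat()

def run_disposition(catalog, holds, today):  # -> {doc_id: (action, reason)}
    return {d.doc_id: disposition_decision(d, holds, today) for d in catalog}

# Constructed sample catalog and one active hold covering everything tagged "acme".
SAMPLE_CATALOG = [
    Document("C-001", "contract", date(2015, 3, 31), frozenset({"acme"})),
    Document("N-002", "meeting-notes", date(2020, 6, 15), frozenset({"internal"})),
    Document("M-003", "marketing", date(2021, 1, 10), frozenset({"internal"})),
    Document("X-004", "scan", date(2010, 1, 1), frozenset()),
]
SAMPLE_HOLDS = [LegalHold("Acme matter (constructed)", "acme")]
```

Calling `run_disposition(SAMPLE_CATALOG, SAMPLE_HOLDS, TODAY)` retains the expired contract because of the hold, disposes of the expired meeting notes, and retains the uncategorized scan; releasing the hold makes the contract eligible for disposition.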

General Governance Controls
  • Understand your data topology holistically across the enterprise: how much there is, where it is, who owns it, and what value it provides.
  • Employ real-time indexing of content to keep track of its changes.
  • Store the intelligence about your content (metadata).
  • Create an information intelligence service center that includes data analysis and governance analysis.
  • Employ change management to stay current with new forms of content and new business requirements.
  • Become proactive in deploying policies for securing data, storing data, sharing data and enforcing compliance.
  • Remove obsolete or unnecessary content.
  • Define content life cycle and retention policies.
  • Tier your access so that relevant data sits closer to the users and devices that are local to it.
  • Educate the organization on the value of good governance; it is less about control and more about raising the intelligence and health of information.
  • Categorize your information and determine its value and rank.
  • Use the content approval function in your CMS.
  • As deployments grow, organizations must also find ways to efficiently store records in compliance with records management retention policies.
  • Create a retention schedule, content controls, and consistent disposition of content in accordance with records management policies for content preservation, remediation and retention.
  • Keep track of what information is created, stored and accessed.
  • Use auto-classification and semantic tools within the search engines.
  • Move relevant documents from desktops and shared drives to your central document repository.
  • Create efficient document versioning and check-in/check-out management for information consistency.
  • Create robust administration of users to ensure that each has access rights only to the documents they are authorized to access.

Tuesday, January 29, 2013

Information - Governance, Risk and Compliance – GRC - Part 2

In my last post about governance, risk, and compliance, I described why information governance is important and where to begin with information governance. Today, I will describe what needs to be considered in information governance policies and will give some recommendations.

What needs to be considered in information governance policies?

Government mandates – If you are in a regulated industry, you need to consider first and foremost government mandates such as GMP/GxP and ISO 9001. You need to make sure that your document management and IT are compliant with these requirements.

Proliferation of content – there has been explosive growth in the creation and collection of content by organizations and individuals. Content is stored in CMSs, data warehouses, physical warehouses, desktop computers, file shares, back-up archives, mobile devices, cloud services, employees' personal computers and other devices such as tablets, smart phones, etc. To complicate matters, this information is also geographically dispersed.

In SharePoint, for example, a small department gets a site, other departments take notice and start their own sites, and suddenly you have small SharePoint instances pervading everywhere. What organizations should do instead is take those separate silos of SharePoint and combine them into one centrally managed environment. It is a matter of having a plan in place first, then applying the technology to achieve those business goals.

Information governance policies should cover desktops and shared drives, CMSs, databases and data warehouses, email systems, cloud-based apps, social media platforms and physical warehouses. Content may also be stored with a third party; this needs to be considered.

Employees send email with document attachments. These emails and attachments have significant value to the business, whether they contain contract terms, meeting notes or even employees' opinions on a given topic. Email requires governance, so it needs to be included in your information governance policies.

Big data – are you prepared? What measures has your IT taken to help with this issue?

Cloud computing – If you use cloud computing, you need to create a governance policy for it.

Mobile devices – Employees use mobile devices to do their jobs. Many companies don't have policies that cover devices like tablets and handhelds. They are starting to, but it is just a beginning. You need to create policies for mobile devices and a mechanism to enforce those policies. In a regulated environment, you would also need to prove that you are enforcing those policies.

Social media – effectively leverage social media while protecting the organization from non-compliance.

Create a comprehensive social media governance plan. It should include compliance supervision of interactive social content; conceptual search and policy-based monitoring of all information, inside and outside the firewall; social media usage policies and procedures, with staff trained on them; and preservation and collection of relevant social media content for compliance and litigation purposes.

Consider all content and access methods involved as users connect via smartphones and tablets.

Employ solutions that capture additional approval on a site-by-site basis to verify assent to capturing and monitoring.

Wherever possible, create separate business identities for social media to minimize the capture of personal or private information.

Govern employees' interactions. Most regulated organizations are taking a measured approach to social media, starting with a small number of employees and approved social media sites.

Monitor and capture inside-based interactions within corporate networks. Moderate inside-based interactions. Be mindful of legal and regulatory guidelines.

BYOD phenomenon – "bring your own device". People bring their iPads, iPhones, etc. to conferences and to work: taking notes, making presentations, responding to email, updating the pipeline, etc. All this content belongs to the organization, but the device does not. What happens when this employee leaves the company, or loses the tablet? What happens to the information?

I read about a case where a doctor had all his patients' medical records unencrypted on his laptop. The laptop was stolen.

It could also be that there are multiple versions of documents floating around, passed from one person to another and perhaps tweaked a little along the way. Each of them is legally discoverable.

Be sure that the official version of the document is stored in your CMS and managed by your governance program.

It is imperative to have a policy to protect this information and to enforce that policy across all those devices.

Security – sensitive information must be protected, that is, encrypted. LinkedIn got hacked and all passwords got stolen. What are you going to do so that this does not happen to your organization?

Intellectual property – What about a pharmaceutical company developing a new drug that is not yet under patent protection, where an employee takes that information to a competitor?

Of special importance is information related to future revenue. For example, a pharmaceutical company should place a high priority on protecting information related to future products that are not covered by patents.

It is vital for companies to have a system in place to protect sensitive content such as product roadmaps, manufacturing plans, vendor supply lists, and marketing and promotional strategies.

In my next post, I will describe information governance for crisis management and e-discovery.