Information governance for the real world
“Information governance is the activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.” (“The Information Governance Initiative,” The Information Governance Initiative, http://iginitiative.com, accessed January 30, 2015.)

Real-world information risks span information disciplines

Information governance is a business issue. Organizations should have an effective information governance strategy that aligns with their overall risk management strategy, and that can be effectively operationalized to leverage and protect information assets and accomplish broader business goals.

Recent headlines describing cyber attacks and leaked private communications make most organizations worry, “Can this happen to us?” Yet information security breaches are just one of many information risks that companies are struggling to come to grips with.

Faced with this latest threat, will companies respond by throwing resources only at this latest challenge, or will they respond with a broader strategy that links information risks across the enterprise? Companies should ask themselves if it’s time to abandon the rigid division of information risks into information disciplines — information security, privacy, records and information management, eDiscovery and so forth — and instead enable these disciplines to work together to address risks that, in the real world, span across them.

Some organizations have already recognized the need to draw together information management disciplines to better manage risks that cut across traditional organizational boundaries. Improved governance has commonly come in the form of increased cooperation between records management, legal, compliance, privacy and information technology (IT), and is spurred by, and generally related to, the mitigation of discovery risks. This is admirable, but it does not go far enough. Information disciplines responsible for structured data, data security, information access management, master data management and functions typically in IT continue to be isolated from what is, in any event, an informal arrangement between functions. Each function tackles its own information risks in its own way, often missing opportunities to leverage relevant expertise, previously completed work, and the resources and technology available in other information risk functions.

Without the benefit of a broader understanding of the complex dependencies between risks and planned or in-flight information risk management initiatives, individual risk functions may not realize all of the available opportunities to manage information risk.
Six key considerations of a robust information governance program

The need for a strong information governance program is driven by the goals of the individual information disciplines, such as compliance with laws and regulations, protection of data, enhanced response to eDiscovery demands and achieving business imperatives. An information governance program is the glue between functions — enabling enterprise information risk management and improved coordination and cooperation between disciplines without requiring changes to the reporting structures. An information governance program, by improving risk management and coordination across information disciplines, helps companies better manage challenges such as the following:

• Responding to regulatory requirements. Rigorous compliance requirements may include international standards, such as those contained in Basel III; European Union laws such as the Markets in Financial Instruments Directive; and US regulations issued by agencies such as the Financial Industry Regulatory Authority, Securities and Exchange Commission and the Food and Drug Administration. There is also a wide range of safety-related record requirements that may impact chemical, utility, oil and gas, automotive and other manufacturing companies. Among other objectives, these regulations look to protect consumers and maintain privacy rights by outlining what information organizations need to retain, how to retain the information (addressing both access and security) and what information can be transported across borders.

• The discovery process. Traditionally, outside counsel and third-party vendors have held a firm grip on the operational components of the discovery process. Additionally, the preservation and collection of electronic information was generally supported by corporate IT groups, which may have used a black box approach to preservation and collection of data. In recent years, judges have been penalizing organizations for not taking more responsibility for their discovery process. Because of this, discovery support is shifting to its own distinct, in-house program that is in need of improved policies, procedures and controls.

• Proliferation of systems. Information is collected, processed and exchanged between many different internal systems, as well as external organizations (including government agencies), making understanding data flows and monitoring regulatory compliance increasingly difficult. Many organizations adopt BYOD policies and issue tablets and other portable devices, further compounding these challenges.

• An increasing volume of information. As the volume of information increases, so does the number of information systems and servers. As volume increases and new information systems are procured, information may shift around the country or globe. As this happens, organizations tend to lose their understanding and control of what information is stored where. This presents risks when an organization must apply records retention policies, respond to discovery or regulatory requests, determine compliance with privacy requirements, etc. If companies cannot identify data and dispose of it in accordance with retention policies, then that data may be discoverable and increase eDiscovery risks and costs.

• Increased risk of cyber attacks. Publicized cyber events amplify the risks to all organizations trying to protect their critical information. The resulting loss of trust and reputational damage has led to economic and revenue hits for both small and multinational organizations. Without knowledge of an organization’s critical assets, too many resources are spent on protecting everything. While there are many ways to gain access to an organization’s environment, whether through third-party vendors with too much access or social engineering of the front line, the goal is to build up defenses around those critical assets.

• Outsourcing. Outsourcing IT services, including to offshore locations, increases both security and compliance risks. Third-party service and infrastructure providers outside of the organization that have custody of the organization’s information may not have appropriate protections or information governance capabilities in place.

How can your information governance be improved?

• Does your organization have an information governance strategy? Are information governance objectives defined and communicated, and are resources allocated?
• Are information governance policies and procedures well defined and socialized throughout the organization?
• Does your company effectively meet legal and regulatory requirements?
• Are information governance risks considered when business decisions are made? For example, when an organization rolls out a bring-your-own-device (BYOD) technology model, are risks related to eDiscovery, records management, information security, etc., considered holistically?
True information governance is a program

Information governance is not a project or an information management discipline — it enables information management disciplines to be managed holistically. Through its information governance program, the organization can better understand and address enterprise information risks.

The emphasis in information governance is squarely on “governance.” The information governance program does not replace existing information disciplines or reporting structures for those disciplines, but establishes shared governance and a culture of coordination and integration between disciplines.

Figure: information governance spanning the information disciplines: information protection, records and information management, data management, master data management, discovery and legal holds, access management and privacy.
How we can help

Ernst & Young LLP works with organizations to find opportunities to mitigate overlapping risks by bringing these siloed functions together. When organizations implement a well-balanced information governance program, they can better identify effective approaches to managing and mitigating enterprise information risks.

The four components of our shared-focus framework provide an effective design and solid foundation for implementing a sustainable information governance program.

Strategy: This describes how information governance will help realize the business strategy, facilitate compliance with applicable regulations, improve operations, manage risk and improve the organization’s economic position.

Governance: This includes defining the information governance organization and the ongoing maintenance, administration and safekeeping of the information governance program.

Operations: This comprises the infrastructure, systems and processes that make the information governance program operational.

Performance measurement: This consists of assessing how well information governance is performing against the needs of the business and expectations of the users.

• Information governance program assessment and strategy development diagnostic. Ernst & Young LLP employs a diagnostic that is based on the four foundational components of our information governance framework: strategy, governance, operations and performance measurement (described above). By observing and evaluating the organization’s current approach to information risk across disciplines, the organization begins to understand the current state of its information governance program and can plan for its desired future state. The diagnostic identifies risks across the spectrum that can be aligned to recommendations for improvement.

• Information governance program maturity model. The information governance diagnostic described above can also be used to develop a profile of the organization’s information governance program and its maturity compared with other organizations in the same industry. The maturity model may also reflect the organization’s desired future state and depict the gaps that must be closed to achieve the future state.

• Information governance program development. We work closely with organizations to help them realize their future-state information governance programs. This work can involve establishing a committee that includes executives from the various information management disciplines and other stakeholders; working with stakeholders to develop or streamline corporate strategy, policies, procedures, standards, reporting and controls to support the revised program and its initiatives; developing change management plans to prepare employees for changes to the information governance program; helping implement training programs to socialize the new model and policies; and more.

• Regulatory review. As regulations continue to change and emerge, it can be difficult for organizations to understand whether their businesses are compliant with applicable laws. We work with clients to evaluate the information governance program’s compliance with regulations promulgated globally. Additionally, once applicable regulations are identified and compliance with those regulations has been evaluated, organizations may need to refine or enhance their programs to implement appropriate controls to improve compliance.

• Data maps. With the explosion of information retained by organizations, it is becoming increasingly burdensome and difficult to locate records and information and respond to regulatory or litigation requests efficiently. We work with organizations to develop data maps that align regulated records to their system of records or repositories. These data maps can also be used to identify where other information that is frequently subject to discovery is stored, easing preservation and collection.

• Develop discovery preparedness plan. Our teams work closely with discovery and legal support teams to develop a “discovery playbook” to guide preparedness for discovery. This playbook is composed of standardized procedures and reports, and acts as a blueprint for the operational elements of discovery. The standard procedures contained in the playbook may describe how the discovery or legal support team executes and oversees the identification, preservation, collection, processing, review, analysis, production and presentation of information subject to discovery requests. The standardized reporting templates are used to memorialize the decisions made and activities performed when responding to requests. This discovery playbook allows organizations to execute discovery consistently, facilitates the transfer of knowledge to new resources, increases the level of transparency and quality control when working with third-party vendors, and increases the defensibility of the organization’s discovery function.

• Understanding critical assets. Organizations create information that can become vulnerable whether it is active or inactive, on-site or in the cloud. Organizations are struggling with information overload, the cloud, remote workforces and BYOD. Just understanding where information is and what should be protected is a major challenge. Ernst & Young LLP works with organizations to catalog data assets and determine the necessary steps for managing information security risks. Knowing where the critical information is stored, and how it is stored, is fundamental to information security, as well as other information management disciplines.

• Data protection. We work with clients to design and help implement strategies for safeguarding data, information and records, as well as improving business processes and information security, to reduce the risk of data breaches and strengthen the detection of leaks.

• Designing and implementing training programs. A training program can help educate employees about information governance policies and procedures. Program content may vary according to the level of employee and their degree of involvement in the program. We work with clients to develop and deliver effective training programs.

• System selection and implementation approach support. Systems that support the management of information must consider requirements that cross information management disciplines. We help companies plan their approach to system selection, the development of scoring and weighting models, and the identification of business and function requirements. We also assist with the pilot of their leading candidates.

• Developing a defensible disposition program. Defensible disposition is the process of identifying and disposing of records, documents and data in a manner consistent with the company’s own document retention policies and applicable laws and regulations. By implementing an effective defensible disposition program, organizations can reduce IT costs, reduce litigation risk and avoid potential discovery costs. The goal of an effective defensible disposition program is to classify and then dispose of data in accordance with retention and legal hold policies to reduce corporate risk and control legal and business costs.

Effective information governance helps the organization reduce costs, demonstrate compliance, protect rights, defend against claims and improve operations. The traditional model of siloed functions that manage vertical information governance disciplines is shifting to a more integrated, collaborative format better suited to managing information risk. When these functions understand and approach the risks together, the organization is stronger and better positioned to manage the ever-increasing volume of information, reduce costs and prepare for the future.
EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

About EY’s Fraud Investigation & Dispute Services

Dealing with complex issues of fraud, regulatory compliance and business disputes can detract from efforts to succeed. Better management of fraud risk and compliance exposure is a critical business priority, no matter the industry sector. With our more than 3,200 fraud investigation and dispute professionals around the world, we assemble the right multidisciplinary and culturally aligned team to work with you and your legal advisors. And we work to give you the benefit of our broad sector experience, our deep subject-matter knowledge and the latest insights from our work worldwide.

© 2015 Ernst & Young LLP. All Rights Reserved. 1501-1382586 EYG no. WW0376 ED none ey.com