Kick off 2016 with good information governance
- By John Newton
- Feb 16, 2016
With each new year, agencies review the efficacy of policies already in place and prepare for the future.
One area that inevitably receives attention in those reviews is compliance. And this year, agencies are faced with meeting the deadline for compliance with the Managing Government Records Directive issued by the National Archives and Records Administration and the Office of Management and Budget. The directive requires federal agencies to manage both permanent and temporary records in an electronically accessible format by the end of 2016. In addition, it requires federal agencies to manage all permanent electronic records in an electronic format by the end of 2019.
While the 2016 deadline looms, agencies should keep 2019 in their line of sight and think even beyond that. In reality, compliance is but one component of something much larger -- information governance, a critical initiative all year, every year. Looking to short-term solutions that only address particular deadlines and mandates can lead to costly consequences in the long term.
While the term is often used interchangeably with compliance, information governance is much more: It is the strategy behind the effective management of information’s authority, control, accessibility and visibility throughout its lifecycle. More than merely a matter of compliance, information governance can help organizations uncover business opportunities and protect them from security threats. In short, compliance is the end goal, and information governance is how it is achieved.
Good information governance boils down to knowing how employees are working with information, where that information is being stored and maintaining full control of that information.
However, most organizations struggle with good information governance. A study conducted by the Association for Information and Image Management (AIIM) found that while two-thirds of organizations had some level of information governance policy in place, nearly one-third admitted that their electronic record keeping practices caused problems with regulators and auditors.
Trouble spots for information management
The risks associated with poor information governance vary from the inconvenient to the catastrophic. At best, a constituent gets out-of-date information regarding services offered, and the agency is required to honor that. At worst, hackers gain access to the network and steal sensitive information. In between are the all-too-frequent incidents of information mismanagement.
Consider the old workhorse of communication -- email. The very structure of email systems puts valuable information at risk. Servers pass data back and forth, leaving the information contained within the email is available for interception. Although email is notoriously unsecure, countless employees use it to share sensitive information. And it gets worse. A recent survey conducted by Alfresco showed that 54 percent of end users have used their private email for work, circumventing enterprise controls.
While email is usually managed through an organization’s network, there are other methods of information sharing that are not controlled by the IT department. Many knowledge workers have turned to consumer solutions for collaboration and information sharing. These shadow IT solutions create security risks and may cause an agency to fail to meet information management compliance regulations.
Another pain point is the lack of policies governing enterprise-sanctioned collaborative content, namely instant messaging and social media. The AIIM study previously mentioned found that 37 percent of respondents agreed that there are important social interactions that are not being saved or archived, and less than 15 percent of organizations included social postings in their information governance policies.
Simple strategies for a start
Most organizations have focused on putting compliance, management and security controls in place, but what is really required is information governance. There are some simple steps agencies can use to put good information governance practices in place for 2016 and beyond.
- Audit: As a first step, agencies should dig in and understand the range of information that needs to be managed and where it is currently being stored.
- Prioritize: Agencies must then prioritize the information and its associated processes to assess the level of risk – compliance risk, regulatory risk and reputational risk.
- Define: Retention policies will help agencies define what needs to be kept, for what purpose, which employees need access and for how long. The information should be stored where it can be used to most effectively address both the mission objectives and the risks.
- Clean: Turn a critical eye to the information maintained. In some cases, agencies will be able to prune old data, reducing the costs required to store it. Delete or archive content once it has outlived its useful life.
- Control: Get a good handle on shadow IT. Restrict access to non-approved tools. Stop the uncontrolled copying of content as employees save files to personal file-sync services.
- Create: Design an information management system that employees find easy to use so that they will, indeed, use it.
With a good information governance system in place, agencies will be able to manage data in any format, analyze what must be preserved and protected, sort and inventory it and provide management, access and monitoring controls. Having full control of that information will help your agency start (and finish) 2016 in great shape.
John Newton is co-founder and CTO, Alfresco.