7 Myths in Information Governance (IG) and Privacy Execution
Data leaks and breaches have become rampant in recent years. Although data protection is a high priority for companies, CIOs, and Information Governance (IG) professionals, a number of myths and misconceptions still impede effective IG and privacy efforts.
Let us debunk some of these myths and discuss best practices for a robust IG program.
Myth #1: I am aware of the location of my data
Understanding where your data resides and how it flows is the crucial first step of an effective IG program. Most companies believe they already know where their data lives and how it moves within and outside the organization. In practice, monitoring the data footprint across employees, contractors, multiple devices, different servers, and the cloud requires the right mix of tools and expertise.
A good illustration: the CIO of a midsized company recently mentioned in conversation that all of their employee data was on-premises. An analysis of the actual flow of data within the company revealed that 60% of the employee information was held by service providers outside the organization.
A comprehensive data map is invaluable. It gives in-depth knowledge of the state of the data in the organization and of how sensitive and confidential information is actually handled, and it exposes gaps such as sensitive data held by third parties without adequate contractual or technical controls.
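As an added example, not from the article or any particular IG tool, the following Python sketch shows the kind of check a data map makes possible: given an inventory of data stores, it computes how much of a data category sits outside the organization and flags sensitive data held without a processing agreement or without encryption at rest. The store names, custodian types, record counts and control fields are constructed sample data and assumptions for illustration; a real map would be populated from discovery tooling and vendor contracts.

```python
"""Minimal data-map model: where does each category of data actually live?

Added example, not from the original article. Store names, record counts
and control flags below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DataStore:
    name: str
    custodian: str            # assumed values: "on_prem", "cloud", "third_party"
    categories: frozenset     # data categories held, e.g. {"employee_pii"}
    record_count: int
    encrypted_at_rest: bool = False
    contract_in_place: bool = True   # a data-processing agreement with the custodian


# Constructed sample inventory (assumption, not real data).
SAMPLE_STORES = [
    DataStore("HR system (data centre)", "on_prem",
              frozenset({"employee_pii"}), 800, encrypted_at_rest=True),
    DataStore("Payroll provider", "third_party",
              frozenset({"employee_pii"}), 700, encrypted_at_rest=True),
    DataStore("Benefits broker portal", "third_party",
              frozenset({"employee_pii"}), 500,
              encrypted_at_rest=False, contract_in_place=False),
    DataStore("Team wiki (SaaS)", "cloud",
              frozenset({"internal_docs"}), 400, encrypted_at_rest=True),
]

SENSITIVE = frozenset({"employee_pii", "customer_pii"})


def footprint_by_custodian(stores, category):
    """Return {custodian: fraction of `category` records held there}; fractions sum to 1."""
    totals = defaultdict(int)
    for store in stores:
        if category in store.categories:
            totals[store.custodian] += store.record_count
    grand_total = sum(totals.values())
    if grand_total == 0:
        return {}
    return {custodian: count / grand_total for custodian, count in totals.items()}


def external_share(stores, category):
    """Fraction of `category` records held anywhere other than on-premises."""
    shares = footprint_by_custodian(stores, category)
    return sum(share for custodian, share in shares.items() if custodian != "on_prem")


def find_gaps(stores, sensitive=SENSITIVE):
    """Flag stores that hold sensitive categories with weak contractual or technical controls."""
    gaps = []
    for store in stores:
        if not (store.categories & sensitive):
            continue  # nothing sensitive here, nothing to flag
        if store.custodian == "third_party" and not store.contract_in_place:
            gaps.append((store.name, "sensitive data at third party without processing agreement"))
        if not store.encrypted_at_rest:
            gaps.append((store.name, "sensitive data not encrypted at rest"))
    return gaps


if __name__ == "__main__":
    for custodian, share in sorted(footprint_by_custodian(SAMPLE_STORES, "employee_pii").items()):
        print(f"employee_pii {custodian:12s} {share:.0%}")
    print(f"held outside the organisation: {external_share(SAMPLE_STORES, 'employee_pii'):.0%}")
    for name, problem in find_gaps(SAMPLE_STORES):
        print(f"GAP  {name}: {problem}")
```

On the constructed inventory the on-premises HR system is the largest single store, yet 60% of employee records sit with two outside providers, which is exactly the kind of result the CIO in the anecdote did not expect; the gap check then points at the one provider that holds that data with neither a contract nor encryption.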
Myth #2: Information governance is a new term for records management.
Information Governance is not old wine in a new bottle. As defined in the Sedona Conference Commentary on Information Governance (2019), it is “an organization’s coordinated, interdisciplinary approach to satisfying information, legal and compliance requirements and managing information risks while optimizing information value.” A true enterprise-wide information governance program is not restricted to records management; it also covers security, privacy, and data governance.
Myth #3: File analysis is equivalent to information governance
Contrary to popular belief, analysis of a file share is not equivalent to information governance; it merely provides an assessment of one type of content. File analysis is a sensible first step for companies starting to manage large amounts of data in file shares, and it is one component of an overall IG program. A true IG program articulates overall plans and policies for the management of data and includes strong stakeholder engagement. Data classification and retention policies are other key elements. Such a program helps the organization make informed decisions about its data by making clear how the data originated, how it is used, and under what consent it was collected.
Myth #4: The employees fully understand the policies around the key data risks
A majority of employees are generally unaware of the organization’s security policies. The company’s data is at risk when employees inadvertently send sensitive information to their personal mail or do not follow password protection guidelines. Awareness of the policies and guidelines around the usage and sharing of data within the organization therefore needs to be far more comprehensive.
Employee training is more essential than ever in today’s remote, office, and hybrid work environments. Starting at new hire orientation, training needs to be conducted periodically, and annual refresher courses on key data risks and their mitigations should be offered to all employees. Beyond training, technology can give users a near real-time view of requirements and expectations, of the information management and privacy goals, and of progress towards those goals. Technology can also be used to enforce policy and to track violations of it.
Myth #5: Robust perimeter security is sufficient to stop information leaks
Restricting or monitoring data that is uploaded or downloaded (to external instant messengers, web-based e-mail, or storage devices) provides basic data security but by no means complete protection. Depending on the type of work, the infrastructure in place, and whether external data flows are required (to third parties, for example), some of these measures can even hamper operations and ultimately affect the business. Covid-19 and the need to work remotely have made it almost impossible for a perimeter-only strategy to work.
Instead of simply blocking the flow of data, an effective leak prevention strategy (including zero trust security) should be adopted across the organization. Appropriate leak prevention policies should be combined with endpoint security and encryption technology so that external storage devices can be used safely. Zero trust security requires knowing what data was created, how it is being used, and who has access to it. That is not possible without a good IG program.
Myth #6: When you address risk, you are not taking advantage of opportunities
Risks and opportunities go together. A better understanding of a company’s data, and sound data management policies that reduce the organization’s risk profile, also open new opportunities for data analytics.
This understanding helps in revising existing IG practices and adopting new approaches that unlock previously unforeseen value in data. When more information is collated for analysis and decision-making, the company can strategize in ways it could not before.
Myth #7: Governance requires separate funding and a big budget
IG and privacy projects cannot happen without an allocation of resources and time. However, the assumption that every project or task to be undertaken needs a huge budget is misleading. Often the savings associated with, or the opportunities gained from, good management of data more than offset the cost of these initiatives.