It hasn’t been a year since we started talking about the key capabilities of successful information governance, but like everything, our perspective has evolved thanks to the many discussions we’ve been having with companies struggling to get a better handle on their information assets. So we thought it was time to offer a revised view of the five key capabilities that organizations adopt to ensure their information governance strategies are effective.
Information Governance Business Drivers
Information governance isn’t a technology. It’s a framework that includes people, process and technology designed to support business challenges that commonly occur in most medium to large enterprises. The following use cases aren’t the only reason for information governance, but they are five of the most predominant that we’ve seen and discussed:
- Decommissioning Legacy Systems and Preserving Data: I have a legacy system from an acquisition that I want to decommission but I need to preserve some of the content.
- Addressing Compliance Requirements: I need to address a compliance requirement such as GDPR, DoD 5015.2, ISO 15489, and FDIC 12 CFR Part 380.
- Reducing Costs and Risks of “Dark” Content: I need to reduce the volume of content we are retaining to reduce cost and exposure to data theft.
- Implementing Records Management: I need to implement retention policies and manage our content based on retention rules, and enable legal hold.
- Migrating to the Cloud: I am moving to a cloud-based enterprise application, and I do not want to migrate unnecessary content.
Why is it important to understand the use cases? Because the information governance you put in place: the people, processes and technology, should align to support the business need – the use cases. If your framework doesn’t enable to you address your business needs, then it will fail.
The 5 Critical Capabilities for Information Governance
We still haven’t gotten to a point where there’s a consistently used definition of information governance. Maybe that’s okay, because every organization is going to approach how it deals with its information assets differently. They are also all at different stages of their information governance program. However, in our discussions with companies dealing with the use cases noted above, we have determined five critical capabilities that must be a part of every program. Keep in mind that these capabilities don’t map to a single technology; there is no one technology to support information governance, but there are several that when integrated together support most or all of these capabilities.
In a nutshell, the five critical capabilities are:
Let’s take a look at each one in more detail.
Connect: Connecting to Disparate Content Sources Across the Organization
It’s safe to say you store and manage a lot of information in your company. This information may be stored in application databases, file shares, SharePoint and Office 365, Google Apps or Box, and many other places. Information may be structured in well-defined databases or it may be unstructured (e.g. Word docs, PDFs, email).
To get control of your information, you first need to connect to all data and look at it from a central point (some call this a ‘single pane of glass’). Not only do you want to connect to it, you want to retrieve file properties and stored metadata from this information so you can analyze it or search using it.
Discover: Understand what information you have
Once you have this single view of your information you want to explore it. It’s very likely you are storing a lot of information you no longer need to have. Maybe some of the information is a duplicate, others unimportant, and others obsolete – what everyone refers to as ROT (redundant, obsolete, trivial). You’ll also want to know where you currently store personally-indefinable information (PII, PCI, OCH), especially if it’s stored in unsecure locations where anyone can access it.
If you have a lot of information, it would be impossible to manually review and document the type of information you have. You will want any tools you use in the discovery phase to be able to automatically help you find certain types of content, or identify patterns for potential classification.
Organize: Define your classification and action plan
Once your information is connected, you know what you have, now it’s time to organize it. To do that, you need to analyze it, classify it and decide what action to take on it.
As in the discovery phase, you’ll want to use a tool that will help you automatically expose possible classification schemes using file properties or metadata. You will also want to analyze file content to identify document types and categories. And you may want enhance a file’s existing metadata with additional information.
But organizing doesn’t just mean classification, it’s also means you will do something with the information. So part of the organize stage is to define the actions you want to take on your information. Some you may leave as is, others you’ll plan to move, modify or delete. For example, it you found PII an unsecure location you’ll want to move it to a secure repository and apply strict permissions to it. If it’s multiple copies of a legal contract, you’ll identify which one is the original, note where it should be located, and indicate to delete the other copies.
When you are organizing your information you can also leverage a file/content analytics tool to delete target content through defined workflows.
Move: Migrate it or Archive it – according to your action plan
Maybe you are decommissioning an application in favor of a new and improved application. In this case, your manage activities including moving existing content to the new system. But maybe not all of it. Why take the old information you don’t need? Instead archive that information in a place that makes it easy for you to retrieve it if you ever do need it.
You may also just want to plan a regular review and update of an existing application’s information, moving unused, or no longer required information to low-cost storage.
Migrate and archive are the two key tasks in the Move phase:
- Migrate content to target systems on premises or in the cloud
- Move enhanced metadata to target system OR
- Archive content in an archive repository for reduced-cost storage
What’s important to remember is that when it is time to move or archive your information, you have already organized it making it much simpler to store and find later on.
Manage: Looking after your information long-term
When most people think of the Manage phase, they think Records Management, and they would be right. But don’t get caught up in the term thinking you have to implement a complex set of policies and procedures – it doesn’t have to be difficult. It is critical that you manage your content on-going to ensure you are only storing information for as long as you need it.
Some things you do in the Manage phase:
- Enforce access rules
- Define complex, hierarchical retention rules
- Manage retention calendar
- Route records for disposition approval
- Retain audit evidence for defensible destruction
- Implement legal hold
Every organization will use one or more of these capabilities as part of their information governance program. Which capabilities they use and how will depend on the use case they want to support. In a follow up post, we’ll examine the use key uses cases in detail and talk about how these five capabilities will help you solve them.
Until then, sign up for our newsletter to get more insights and guidance on information governance.