Shared Drive Remediation: Define Remediation Policies and Rules

I’d like to dig a little deeper into Step 1 of the File Shares Remediation Process: Define Remediation Policies and Rules.

You will remember in my previous post I suggested a methodology organizations can follow in File Shares (Shared Drive) Remediation projects. There is nothing earth shattering about this methodology… what I proposed was a series of logical and commonsense steps.

And yet, it is amazing how many customers struggle with figuring out what to do, where to start, and what tools to use.

The starting point is to establish a common understanding with the organization that their Information Assets fall into a minimum of four general classes: Business Records, Business Content, ROT and ESI. Then, it is important to establish the policies and rules about the characteristics of Information Assets that fall into each of these classes and the Actions to take on these assets.

The following table should help you in your asset definition and action planning:

Information Asset Class	Definition	Actions
Business Records	When does an Information Asset become a Business Record? Defined by location Defined by business process Defined by version number Identified manually by user	Identify pre-approval requirements Declare it as a Record in an RM system and classify it against Corporate Records Retention Schedule Migrate it to Records Management system repository and manage lifecycle there (with immutability) Ditto but copy to RM system and manage lifecycle of copy there Leave it in-place and manage its lifecycle within the Records Management System (no immutability)
Business Content	Usually this is defined by what is left AFTER Business Records, ROT and ESI have been identified Some organizations may define sub-classes of Business Content	Identify pre-approval requirements Leave it in-place Migrate it to new repository: SharePoint, cloud-based EFSS, etc. Monitor its status… in the future it may become a Business Record or ROT
ROT	Redundant: duplicated information located in multiple places Obsolete: information “no longer in general use” or “discarded” or “replaced” or “outdated” Trivial: information of very little value… all stuff not meeting the d definition of records, corporate knowledge, business insight, or any other value category Based on AIIM definitions	Identify pre-approval requirements Delete it Move to Quarantine space and delete later
ESI	Information Assets in any of the above classes but are found to be responsive to active or upcoming litigation (typical eDiscovery process)	Identify pre-approval requirements Identify, Collect, Preserve (EDRM.net) Place on hold

Important Note: Dealing with ESI is not necessarily part of the File Shares Remediation process. HOWEVER, dealing with ESI is a step that MUST precede any actual remediation execution work.

In my next post, I will explore Step 2 of the File Shares Remediation methodology… the definition of the remediation execution process. In closing, I would like to re-iterate that File Shares Remediation and the File Analytics tool used, will most likely be integral to organizations efforts to achieve GDPR Compliance (due by May 2018).

Follow the full File Analytics series, including What are you waiting for? Govern Your Information Assets! and 4 Steps for File Share Remediation.