Records management and compliance may sound like a dull pair, but there's nothing more important to your IT operations. Now that "compliance" has been a major technology process-related buzzword for more than 10 years, businesses are learning some hard lessons about keeping electronic records in check. One thing is certain: There are so many records management aspects to consider at any given business that they cannot be ignored.
Be it data classification, labeling or retention, talk is cheap. I often hear phrases like, "Our lawyers are handling it," "We keep everything," and "Our records management functions are outsourced so we can focus on other things." The reality is these are all tenuous approaches, especially if you're ultimately responsible for IT, compliance or both.
One of the greatest risks present in business today is that so many organizations don't know where electronic information is located, and they have little to no control over the management of this information.
This is a big risk that can cast a dark cloud over a business -- and one that can quickly grow into an all-out storm. Something as seemingly benign as a retention requirement buried deep in a federal regulation can get your business into a real bind if it's ignored. All it takes to expose holes in your records management strategy is a data breach or a lawsuit-induced e-discovery request.
When electronic records are out of sight, out of mind and out of control, the next thing you know, you've got external hackers, rogue employees and lawyers exposing these weak information governance strategies. All of the information you've been hoarding in every nook and cranny of your network may have served the business well to this point. But unmanaged information -- much of it no longer needed -- is now benefitting others attacking your business.
More on records management and compliance
Implementing compliance process synergy for records management
A compliance-eye view of records management strategy
Even if your company has a document retention policy, do you know if that policy has been tested? It's important to remember that even if such policies exist, it doesn't mean they're well thought out and being enforced. Again, talk is cheap. In both large enterprises and smaller businesses, I often see policies but rarely any action. Every network has unstructured files, databases and storage systems that house all sorts of sensitive information that few, if any, know about.
The need for control of and visibility into your information systems is a great one -- especially as it relates to records management and compliance. Do something about it. Ask yourself the following questions:
- What are our unique requirements?
- What information is where?
- How is it being protected?
- How can we access it?
- How can we ensure its backup and destruction?
Consider the amount of information you have combined with the complexity of your information systems. The only reasonable way to manage these aspects of electronic data is to use proper records management tools. You can use technology to your advantage to automate many of your record management and compliance processes.
Looking at the big picture, electronic records management is deeply entrenched in various business, compliance and IT processes. You can't change what you tolerate. By actually paying close attention to and taking action around records management processes, you can be truly compliant in these areas once and for all.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored or co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking for Dummies, 3rd edition. In addition, he's the creator of the Security on Wheels information security audiobooks and blog. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.
This was first published in September 2012