Threats to organizational information come from many different sources: competitors, malicious hackers, even unknowing employees. Just a few keystrokes can put sensitive company data at risk.
But protecting this data is possible -- if you do your homework and develop a well-planned information governance policy.
"Every organization is different, in terms of culture, business plan, business objectives," said Robert Smallwood, a partner at IMERGE Consulting Inc., during a presentation at the ARMA International Conference and Expo in Chicago last month. "You have to fashion your information governance program -- which is an ongoing, continuous effort -- so it is customized to your organization."
Developing an information governance policy is especially difficult with the increased business use of the cloud and social media, said Smallwood and other ARMA conference presenters. Detailed policies are necessary and should be revisited periodically, as often as every six months.
Look at regulatory requirements to identify gaps, and remedy them with the policy.
Sandra Broady-Rudd, operational risk consultant, Wells Fargo
As with most policy initiatives, executive sponsorship is necessary to get the ball (and money) rolling. But because information governance policy crosses many departments -- legal, records management and IT, to name just a few -- all should provide input.
"When you are developing your policy, you want to bring in all of those stakeholders across the organization to make sure that you have all of that together in one comprehensive policy," said Sandra Broady-Rudd, operational risk consultant at Wells Fargo. "Look at regulatory requirements to identify gaps, and remedy them with the policy."
Data maps provide a huge help to information governance policy by clearly identifying where information resides and who is responsible for it -- vital information if there is an e-discovery investigation or an audit.
It sounds simple, but organizations also need to determine what they define as a "record." It's important to consider what information is sensitive to the business -- and could create risk if not properly secured or maintained.
All items deemed records should be kept according to predetermined retention schedules, but be sure to maintain some flexibility with these schedules as well. Record classification and retention schedules should be alterable as regulations develop or change, and allow for the suspension of data destruction during a legal hold.
These characteristics are especially important when it comes to social media, said Elizabeth Shaffer, a doctoral student in the library, archival and information studies program at the University of British Columbia in Vancouver.
"Since social media is still in its nascent state, it's important to consider legislative, legal and regulatory issues when employing social media within organizations," Shaffer said.
Information governance policy maintenance
When developing and maintaining an information governance policy, there are several tools and philosophies to consider. For example, using metadata to determine exactly where and when information was created and how it was routed can assist data tracking. Incorporating data loss prevention, proper access controls and real-time archiving of email also helps ease information governance.
More on information governance strategy
Information management and governance challenges for today's business
Corporate information governance as a business asset
"That way, you have defensibility -- you can prove that this was preserved, you can prove that this wasn't altered because it was uniquely archived and [you] can show the chain of custody for that email," Smallwood said.
It's vital for organizations to communicate these information governance strategies to employees -- and to help them understand their role in protecting company information. Initial and follow-up training on information governance is necessary.
Social media, in particular, needs a detailed policy around employee use. The manner in which many people use social media in their personal lives may conflict with what is appropriate in the business setting, and a policy needs to convey that to employees, Shaffer said.
The roles and responsibilities of employees -- as well as what they can and can't say on social media to adhere to confidentiality guidelines and protect intellectual property -- should all be clearly outlined in the information governance policy.
"It's really important to have basic guidelines and rules and actions around how social media is expected to be used, and important to know what social media is not to be used for," Shaffer said.
The social media information governance policy should also determine monitoring techniques to ensure regulatory adherence. Employees should know the punishments for not following information governance policy, which could include termination.
Without these information governance best practices in place, your business could be at huge risk.
"You have to be very specific about what is allowed in social media," Smallwood said. "You need to let people know what's allowed and what's not, in terms of style, the use of your logo … you need to realize that with social media, your brand is at risk."
This was first published in October 2012