Information governance in the big data age is a monumental task -- especially when the associated risks are taken...
The list of potential information risk sources is growing: Storing information with cloud providers and launching bring-your-own-device (BYOD) programs often create unforeseen data security concerns, and it's a trend that companies are starting to pay attention to.
"I think that everybody is really concerned about potential hacking and data breaches of their information," said Diane Carlisle, executive director of content at ARMA International. "Nobody wants to be in the headlines … for not properly handling customer and personal information."
Protecting sensitive company information is much more difficult as BYOD and cloud use proliferate in the corporate world. With more information being stored and used outside the company network, how do you protect data when you don't know where it lives?
That's actually where companies should start: Organizations can use data mapping to get a grasp on exactly what information it's responsible for and how it needs to be managed.
"In this day and age, companies are responsible for a tremendous amount of records," said Carl Weise, program manager for global education services at the Association of Information and Image Management. "As we are storing information on several different devices, there really is this need to get centralized control."
You've got sort of this intersection of what the business needs to protect its data and to be efficient in how it's supporting the technology.
Carlisle suggests that IT and risk management departments work together to develop a complete, comprehensive picture of the company's information risk. These two departments know exactly what company data is most sensitive when considering storage and use outside the network.
"I think collaboration between those two parts of the organization is really critical," Carlisle said. "Then you can start to get a picture of what data the company has, what's the most confidential, what information might we feel OK about putting out to a cloud service."
Too often, organizations only consider the cost savings when moving to the cloud -- and ignore vital aspects such as litigation response and whether the vendor is committed to following the company's relevant compliance regulations, Carlisle said.
This company-specific information risk management approach extends to BYOD as well as cloud. Companies should examine their unique operations to conduct a risk-benefit analysis of potential BYOD ramifications and take steps to mitigate that risk.
"You've got sort of this intersection of what the business needs to protect its data and to be efficient in how it's supporting the technology," Carlisle said. "The company needs to take a measured and thoughtful approach to what is the [amount of] risk they want to take on."
Strategy and policy in information governance
Managing information assets is an important administrative function, Weise said, and should be treated as such. Corporate-wide policies are needed to address information governance, much like policies governing other corporate departments, he added.
To properly maintain information security, organizations need to develop a strategy and accompanying policy that clearly outlines how it protects its data assets. These should include stipulations such as sign-in and access controls, encryption and specific provisions outlining what people can do with company data when using mobile devices.
"There's a major concern about loss of these devices and other people having access into the network," Weise said, adding that mobile device management tools can help with data security. "They can control access and, more importantly, they're able to lock down these devices remotely, then they're able to wipe the hard drives if it does require it."
More on BYOD and cloud strategy
The key to cloud security? Ask the right questions
Managing the data security implications created by BYOD
A proactive stance is necessary when moving data to the cloud or entrusting employees to use personal devices. When auditing the network, take particular note of who has access and what type of data is most vulnerable from a legal and regulatory perspective. If a company knows exactly how and what information it wants to secure, it will be in an even better position to negotiate contract terms with vendors, Carlisle said.
"A lot of times people feel sort of stuck in the contract templates that the vendors provide, which of course aren't going to be in the company's interest," Carlisle said. "A company should take its time, know its data, know its requirements and take a risk assessment approach to their move to the cloud."
This is where input from records managers can be a huge help, she added.
"The records managers have a much better sense for what the workflow of the business is and what information is particularly sensitive," Carlisle said. "They're the ones that have a better grasp on the legal requirements from a regulatory standpoint."
BYOD requires a policy as well, and one that is clearly communicated and enforced. One important aspect is making all staff aware of the potential ramifications when using company data on mobile devices, Weise said.
"It really gets back to the individual -- what is the business implication of what you are creating?" he said. "Having that understanding puts the organization in much better shape with their content and their records."
Perhaps most important? Remember human nature when developing BYOD and cloud information security policies.
"Individuals do crazy things," Weise said. "The bottom line is, don't be stupid."