A shift is happening in the information management (IM) industry. Ownership of IM disciplines — records management, content management, information governance, etc. — is consolidating under information security at many of our clients.
Previous owners included legal, compliance, IT, finance and facilities management (a carryover from the days when management of paper records was information management's primary concern). Information governance never joined these ranks as it has not yet become a formal department in many businesses.
The information security departments that are taking over information management are not the white-hat, pen-testing, encryption-obsessed folks of yesterday. While those remain core capabilities, maturing InfoSec departments understand that securing the network's borders only partially mitigates the risk of a data breach.
To protect sensitive information, InfoSec needs to know where that information lives and needs to remediate at-risk content, systems and access rights.
How Many Apps Can You Manage?
Nearly half of data breaches happen because employees walk out the door with sensitive content. Many organizations perform audits of PII (Personally Identifiable Information) and PHI (Personal Health Information) on their systems. A recent survey Doculabs completed found that 30 percent of organizations had received an audit finding of PII or PHI exposure in the past 12 months.
Most organizations do not have a standard application decommissioning process, which carries big cost implications and bigger risk exposures.
Legacy apps can’t be managed with the same scrutiny as your active application portfolio. And yet many of them contain PII or PHI, obstructing your view of where sensitive information lives and where it doesn’t.
An application portfolio should align to a data map that identifies the nature of the data in the application and the level of security needed for that data. A data map of 100 applications is easier to manage than a data map of 1,000 or 10,000 apps.
A View From Above
Access rights are another place where information management can impact InfoSec goals.
This is a new spin on an old problem.
Records and information management have been discussing how to clean up content for years now. Let's use network drives as an example, but this applies to any “platform.”
A high-level analysis of your network drives should identify the access rights (global, group, individual, etc.), content owner, content age, content type, etc. Access rights are a quick-hit way to reduce exposure. InfoSec doesn’t need to consult the business, legal or anyone else to make this move. Auditing and remediating access rights falls fully within their jurisdiction.
Access rights often pose exposure problems because the default for many network drives is global access. In addition, long-time employees collect specialized access as they move from one department to another, usually without their previous access rights being revoked.
Performing the kind of analysis described above also provides the InfoSec group with a view of junk files, orphaned data and sensitive data — all areas where InfoSec can partner with IT to perform cleanup activities. Junk files can be destroyed as a part of basic application hygiene activities. Orphaned files can be migrated to a “holding pen” and disposed of as dictated by policy. Sensitive data can be quarantined and migrated to a secure environment or disposed of.
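The network-drive analysis described in the last three paragraphs can be automated as a first pass. The script below is an added example, not code from the original article or from Doculabs: it walks a share, records each file's permission bits, owner, age and extension, and then flags global access, orphaned ownership (a uid with no matching account), junk extensions, stale files and sensitive-looking names. The thresholds, extension list and name hints are assumptions for illustration, the sample share it builds in a temp directory is constructed, and it assumes a POSIX filesystem.

```python
"""Network-drive hygiene scan (added example, not from the original article).
Flags global access, orphaned owners, junk, stale files and sensitive-looking
names.  Assumes a POSIX filesystem; all thresholds below are assumptions."""
import os
import pwd
import stat
import tempfile
import time
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

STALE_DAYS = 3 * 365                          # untouched this long -> stale (assumed)
JUNK_EXTENSIONS = {".tmp", ".bak", ".old"}    # typical leftovers (assumed)
SENSITIVE_NAME_HINTS = ("ssn", "patient", "payroll")  # filename hints (assumed)


@dataclass
class FileRecord:
    path: str
    mode: int              # permission bits only (stat.S_IMODE)
    owner: Optional[str]   # None when the uid has no account: orphaned
    age_days: float
    ext: str


def _owner_name(uid: int) -> Optional[str]:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None        # uid no longer maps to an account


def inventory(root: str, now: Optional[float] = None) -> List[FileRecord]:
    """Build one FileRecord per regular file under root (symlinks skipped)."""
    now = time.time() if now is None else now
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            records.append(FileRecord(
                path=full,
                mode=stat.S_IMODE(st.st_mode),
                owner=_owner_name(st.st_uid),
                age_days=(now - st.st_mtime) / 86400,
                ext=os.path.splitext(name)[1].lower(),
            ))
    return records


def classify(rec: FileRecord) -> List[str]:
    """Return the hygiene findings that apply to one file, in a fixed order."""
    findings = []
    if rec.mode & (stat.S_IROTH | stat.S_IWOTH):   # readable or writable by everyone
        findings.append("global-access")
    if rec.owner is None:
        findings.append("orphaned")
    if rec.ext in JUNK_EXTENSIONS:
        findings.append("junk")
    if rec.age_days > STALE_DAYS:
        findings.append("stale")
    base = os.path.basename(rec.path).lower()
    if any(hint in base for hint in SENSITIVE_NAME_HINTS):
        findings.append("sensitive-name")
    return findings


def summarize(records: List[FileRecord]) -> dict:
    """Count findings across the inventory; only findings that occur appear."""
    counts = Counter()
    for rec in records:
        counts.update(classify(rec))
    return dict(counts)


def build_sample_tree() -> str:
    """Constructed sample share in a temp directory; returns its path."""
    root = tempfile.mkdtemp(prefix="share_")
    old = time.time() - (STALE_DAYS + 30) * 86400
    samples = {
        "hr/payroll_2012.xlsx": (0o666, old),   # world-writable, stale, sensitive name
        "hr/notes.txt": (0o640, None),          # group access only, current: clean
        "it/install.bak": (0o644, None),        # world-readable junk
        "it/setup.tmp": (0o600, old),           # stale junk, owner-only access
    }
    for rel, (mode, mtime) in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(full, mode)
        if mtime is not None:
            os.utime(full, (mtime, mtime))
    return root


if __name__ == "__main__":
    share = build_sample_tree()
    for record in inventory(share):
        print(record.path, classify(record))
    print(summarize(inventory(share)))
```

The summary counts are what InfoSec can act on alone (global access), what goes to IT for cleanup (junk, stale), and what needs quarantine and an owner decision (sensitive names, orphaned files). On a real share, replace the filename hints with your data classification tooling's output; name matching is only a coarse triage signal.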
In my opinion, organizations that put InfoSec over Information Management are moving in the right direction.
An audience member at a records management conference I recently spoke at said that Enron was the records industry’s big chance to elevate the discipline, and they missed it.
We are at one of those Enron-level moments again. We need to protect the customer data that is entrusted to us. When a breach happens — and it will — we need to be able to say that we did everything in our power, via internal policies, processes, procedures and technology, to protect that data.
Information Management has an opportunity within the InfoSec organization to elevate its discipline. Will it take this opportunity to do so?