We presented at a gathering of IT professionals where the topic of discussion was data security. Our presentation focused on how a managed file transfer (MFT) solution can address issues relating to “governance, risk and compliance,” or “information governance” (IG) as it has come to be known. During the presentation, we learned that a good number of people were unfamiliar with the concept of IG. So, to avoid any confusion, we will start by defining IG.
What is Information Governance?
An IT industry analyst defines IG as “the specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”
A Wikipedia page defines it as the “set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an enterprise level, supporting an organization’s immediate and future regulatory, legal, risk, environmental and operational requirements.”
One blogger offers a more fashionable definition (I say that because the blogger uses trendy corporate speak with terms like “holistic”): “Information governance is a holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a valuable business asset.”
I know what you’re thinking: “What the heck does all this mean?” At the risk of oversimplifying the matter, we will try to synthesize this material into a better (i.e., shorter), easier-to-understand definition. Here goes: The things you (IT professionals) need to do to protect your organization’s information/data so you don’t get in trouble, either from within the organization (audit/InfoSec/management) or with outside authorities (laws/regulations/industry standards).
Effective IG Does Not Require Eliminating All Risks; the Goal is to Reduce Risk to Acceptable Levels
All organizations face a certain level of risk as part of doing business. In fact, risk management is an issue that organizations deal with on almost a daily basis. Should we buy insurance, and if so, what type and in what amounts? Do we want to partner with Company X? Is it wise to open markets in China? India? In these types of situations, we perform a risk-benefit calculation—i.e., weigh the risk to the organization and determine if the risk is worth the reward. In this process, we strive to reduce our risk to acceptable levels.
The same risk-based approach should be taken with respect to IG. Don’t just “follow the herd” by establishing data security measures merely because others have. Rather, you should assess the inherent risk to your organization without implementing any data security measures and compare that to the residual risk that would exist after implementing such measures.
Effective data security is a vital part of delivering value to the organization. Thus, a good IT professional will be adept at identifying and understanding the relationship between risk and data security solutions.
IG Mandates Necessarily Involve Risk Assessment
The rapid growth of data across the enterprise has resulted in increasing risk, liability and cost to organizations. As a result, the regulatory environment governing information systems in both the public and private sector has exploded over the past several years.
The alphabet soup of regulatory and auditing mandates that your organization may fall under (e.g., HIPAA, SOX, FISMA, PCI DSS, GLBA, etc.) is not specific about how you meet the requirements. Take the Cybersecurity Framework, for example, which derives from an Executive Order requiring NIST to develop a framework of voluntary measures designed to help both public and private sector organizations “better protect and defend themselves against cyber threats.” But instead of providing the promised answers to nagging questions about how best to reduce cyber risks, the Cybersecurity Framework amounts to nothing more than a general compendium of already-existing risk management standards.
One thing all these mandates require, though, is a risk assessment. And the primary purpose behind each such mandate is the reduction of risk. As mentioned, the goal for you is always to reduce data security risks to acceptable levels based on the specifics of your organization and its data flows.
All Affected Parties Must Be Involved, Because Compliance is an Enterprise-Wide Issue, Not Just an IT Issue
IG is not just an issue for the IT team. IG must be a strategic enterprise-wide approach to the management of an organization’s data. By that I mean that there must be cooperation among all affected parties–i.e., IT, information security, audit, compliance, legal, business units, etc. This will not be an easy task, but things are changing, and changing rapidly.
As a result of a series of recent high-profile data breaches, organizational audit committees are paying closer attention to data security. Consequently, Boards of Directors and senior management will be under increasing pressure to comply with more IG mandates concerning data management and data security. IG mandates will also have to address new data security issues created by such things as cloud computing, social media platforms, big data, and “bring your own device” (BYOD).
Thus, organizations of all sizes need to realize that effective IG is not just a technology issue; it’s an issue for the entire enterprise.
Feel Better By Incorporating Managed File Transfer into Your IG Plan
If you take away nothing else from this piece, please remember this: Data security is one of the most pressing concerns for organizations in both the public and private sectors. The amount of data (much of which contains confidential information) that is generated by such organizations continues to grow, whether it is stored internally or transmitted externally using the Internet. At the same time, the potential risks of a cyber attack against such data continue to increase. To help illustrate the potential risks, consider Edward Snowden’s disclosures about the National Security Agency’s digital spying practices. And how can we forget about the data security troubles associated with the Healthcare.gov website?
Thus, a centralized, global approach to IG is necessary so that entities can maximize the value of their data while also reducing risks and costs. To that end, implementation of an MFT software solution should be considered if you want to ensure a holistic solution. It is not a panacea that will solve all your data security issues, but it has the features and functionality to address the core requirements of the various IG mandates referenced above, including:
- Dashboards and Reports (real-time monitoring)
- Auditing and tracking of messages
- Alerts and notifications
- Authorization (system access based on identity)
- Archiving and purging (active logging)
- Support for multi-tiered networks; DMZ and internal network components
- Compliance with secure protocol standards
- Cross-platform compression, encryption and authentication
- Secure email
The term “data breach” is now well known to most, if not all, organizations. Data breach incidents have become so prevalent that security analysts are encouraging entities of all sizes to adopt a “when, not if” mindset. Thus, a well-implemented MFT solution is a necessity for organizations that run on information, and today that is all organizations.
Allow bTrade to Help
IG isn’t going away. In fact, it will only get more complex in the future. As a first step, every organization should acknowledge that their information must be governed on an enterprise-wide basis. Obtaining the input of corporate stakeholders and balancing their needs against the backdrop of legal and regulatory requirements and sound information technology is crucial to the success of an IG plan and achievement of overall organizational goals.
bTrade can help in that regard. We have been actively working with our customers to ensure their data privacy and security practices and policies comply with evolving laws and best practices. Please contact one of our data security experts by sending a confidential email to firstname.lastname@example.org.