Doculabs recommends a five-step process for how to use information management to bolster your information security. Remember: The goal is to eliminate redundant, obsolete, and trivial information (aka ROT) from your repositories, thereby making the vulnerability footprint smaller (and also resulting in more productive and efficient business processes).
My most recent blog post explored the first two of the five steps.
This post covers the final three steps:
3. Create a Center of Experts.
4. Tackle the low-hanging fruit.
5. Engage in full-on cleanup.
When it comes to information management and its role with respect to risk mitigation, every organization needs stakeholders who are empowered to make decisions. You need these stakeholders to determine, enforce, and—when necessary—modify or augment the organization’s policies regarding how information is to be managed, enterprise-wide. A group of designated decision-makers, brought together as a Center of Experts (COE), is the foundation for putting your policies together and for implementing them across the organization.
Information security is not a division tasked with a wholly unique and specialized work effort. It’s an enterprise-wide effort, with all parts of the business contributing: HR, Legal, Compliance, Records Management, IT, and the lines of businesses, as well as Sales and Marketing.
The Center of Experts requires executive involvement, with someone from or representing the C-suite; a czar, in other words, to run the COE. That person can be the CEO, or anyone else who reports to the board—a person who, when the group is deadlocked, has the authority to make the final call on decisions.
It’s great when a company has a Chief Information Security Officer (CISO) in its C-suite. But not all organizations have designated such a role. A COE can help fill the gap. (Although we’d recommend forming a COE, even if your organization has a CISO.)
Is it more important to build your policies and guardrails first (see Part 1 of this series) or to form this committee first? At Doculabs, we don’t see this in a linear fashion. You need to do both: They can happen simultaneously, or one can happen before the other.
Get quick wins. Show immediate progress.
Some great examples of quick wins include deleting duplicates, identifying and disposing of ROT, and getting rid of data within systems that may have been decommissioned. Remember that ROT exists in individual devices and PCs, as well as in shared drives.
Let’s say you still have an old billing system that has been inactive since the new one officially came online. Most likely that system has little to no business value. It’s probably well past any legally required retention period. Why not take that obsolete system offline? Or at least quarantine it? This reduces your risk surface. (See our white paper, “The CISO’s Six-Step Guide to Managing Application Risk,” which addresses application decommissioning in detail.)
One of the easiest places to find duplicates is in multiple systems where repeatable processes and workflow occur. This could be in your payroll or HR department, or in your accounting group. Sometimes you find such duplication in multiple systems within the marketing department.
If you’ve undertaken the first steps in this process, you will by now understand and have identified your data patterns and pools. You will have set up your policies and guardrails. You will have created a Center of Experts. And you will have proven the methodology to the organization at large by tackling easier, low-hanging problems.
You are now fully ramped and functional—and ready to go! Now’s the time to clean data that you couldn’t get to with a quick win—or where members within the COE didn’t immediately align with an agreed-upon, team approach. Go back to them now with new credibility, and get their agreement to go after the more challenging data.
Here we recommend that you look backwards. Where is most of your risk? Where is it helpful to the organization if the data were cleaner when it got to its repository? Is there a specific problematic process—or group of business users—for which data cleaning or process improvements would be beneficial?
As an example, take sales information. Do you really need to retain every early iteration or version from when you were building quotes that turned into a specific contract? You have a quoting system. But can’t you do with just one copy—the final copy?
What if you get stuck choosing a course of action for a particular set of data or business process? Maybe a business unit is unwilling to part with some data. Or Legal says it’s essential to keep that information. Is there a compromise position in either scenario?
Instead of keeping the information on a (relatively) open shared drive, you can move it to a more secure system that’s less accessible. Over time, you can use file analytics to track how often a piece of information or set of data is used—or even requested. Then, when you can report to the business that over the last 3 years you’ve had all of eight requests to see a particular piece of information within some 10 terabytes that was moved to a more secure storage repository, you can make the case to the business unit in question. Is that data really essential? Does the benefit (and the cost) of making that data available outweigh the risk of having the information out? Asking and answering these kinds of questions is how you build a business case where you take ownership of information—or dispose of it.
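The file-analytics argument above, and the duplicate hunt from the quick-wins step, reduce to a small report over an inventory and an access log. The following is an added illustration, not Doculabs tooling; the inventory rows, hashes and access dates are constructed, and the three-year window and the request threshold are assumptions you would set with your COE.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed inventory of a shared drive: (path, size in MB, content hash).
# Two billing exports share a hash, so one of them is redundant.
INVENTORY = [
    ("/shared/billing_old/export_2016.csv", 120000, "9f3a"),
    ("/shared/billing_old/export_2016 (copy).csv", 120000, "9f3a"),
    ("/shared/sales/quote_v1.docx", 2, "1c7e"),
    ("/shared/sales/quote_v2.docx", 2, "5b20"),
    ("/shared/sales/quote_final.docx", 2, "e4d1"),
    ("/shared/hr/payroll_2023.xlsx", 500, "77aa"),
]

# Constructed file-analytics log: one (path, date) row per read request.
ACCESS_LOG = [
    ("/shared/billing_old/export_2016.csv", date(2019, 3, 2)),
    ("/shared/sales/quote_v1.docx", date(2021, 1, 8)),
    ("/shared/sales/quote_final.docx", date(2024, 2, 1)),
    ("/shared/sales/quote_final.docx", date(2024, 3, 15)),
    ("/shared/hr/payroll_2023.xlsx", date(2024, 5, 20)),
]

def find_duplicates(inventory):
    """Group files by content hash; every copy after the first is redundant."""
    by_hash = defaultdict(list)
    for path, size, digest in inventory:
        by_hash[digest].append((path, size))
    return {h: files for h, files in by_hash.items() if len(files) > 1}

def access_counts(log, since):
    """Number of requests per path on or after `since`."""
    return Counter(path for path, when in log if when >= since)

def rot_report(inventory, log, today, years=3, max_requests=0):
    """Size the duplicate and rarely-requested footprint for the business case."""
    since = today - timedelta(days=365 * years)   # assumed lookback window
    counts = access_counts(log, since)
    dups = find_duplicates(inventory)
    redundant_mb = sum(size for files in dups.values() for _, size in files[1:])
    rarely_used = [(p, counts[p]) for p, _, _ in inventory if counts[p] <= max_requests]
    rarely_used_mb = sum(size for p, size, _ in inventory if counts[p] <= max_requests)
    return {
        "duplicate_groups": len(dups), "redundant_mb": redundant_mb,
        "rarely_used_files": len(rarely_used), "rarely_used_mb": rarely_used_mb,
    }

if __name__ == "__main__":
    print(rot_report(INVENTORY, ACCESS_LOG, date(2024, 6, 1)))
```

Files that fall in the rarely-used bucket are candidates for the quarantined repository or disposal; the report gives the COE the request count and the volume at stake rather than an anecdote.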
Over the years, we’ve heard various justifications from organizations about why they need to keep information forever. But there’s no argument that really invalidates the increased risk that’s presented when an organization holds onto its information forever.
Interested in learning more? Or finding it difficult to make the case within your own organization? We offer a wide range of services in both information security and information governance that can help you reduce your data footprint and your exposure risk!