Interesting video about data governance. This is the second video in our series, “5 Questions about Information Governance in 5 Minutes.” In this video IG experts answer the tricky question, “Who Should Own Information Governance?”
“13 minutes a week – that is how much work your data stewards should be doing.”
This is a terrific goal and it is what we strive for withDataPrivilege. How do we do it?
- We make reviews devoid of noise – stewards only see data they care about
- We make reviews differential – if it hasn’t changed since last review, it doesn’t show up
- We make reviews inline with normal workflow – a timely email appears in the steward’s inbox with a big link that takes them right to the review; no separate reminders or TODOs needed
- We make reviews actionable – exceptional items are highlighted and a suggested action is given along with the ability to take the action without leaving the review screen
A significant portion of our operational plan is devoted to finding, assigning, and involving data owners. But without buy-in from the people who will be doing the work, the plan can’t be executed. Andrew cuts right to the core of why many businesses have failed at implementing information governance programs: they have effectively dumped an unreasonable and unnecessaryamount of work on their stewards’ desks and walked away.
What do you think? Could you sell 13 minutes of work per week in exchange for true information governance, accountability, and data protection?
A clear path to effective information governance.
1. Audit Data Access
Effective management of any data set is impossible without a record of access. Unless one can reliably observe data use, one cannot observe its non-use, misuse, or abuse. Without a record of data usage, one cannot answer critical questions—from the most basic ones, like “who deleted my files, what data does this person or people use, and what data isn’t used?” to more complex questions, “like who owns a data set, which data sets support this business unit, and how can I lock down data without disrupting workflows?”
2. Inventory Permissions and Directory Services Group Objects
Effective management of any data set is also impossible without understanding who has access to it. Access controls lists and groups (in Active Directory, LDAP, etc.) are the fundamental protective control mechanism for all unstructured and semi structured data platforms, yet too often IT cannot easily answer fundamental data protection questions like, “Who has access to a data set?” and “What data sets does a user or group have access to?” Answers to these questions must be accurate and accessible for data protection and management projects to succeed.
3. Prioritize Which Data Should Be Addressed
While all data should be protected, some data needs to be protected much more urgently than other data. Some data sets have well known owners and well defined processes and controls for their protection, but many others are less understood. With an audit trail, data classification technology, and access control information, organizations can identify active and stale data, data that is considered sensitive, confidential, or internal, and data that is accessible to many people. These data sets should be reviewed and addressed quickly to reduce risk.
4. Remove Global Access Groups from ACLs (like “Everyone”) – especially where sensitive data is located
It is not uncommon for folders on file shares to have access control permissions allowing “Everyone,” or all “domain users” (nearly Everyone) to access the data contained therein. SharePoint has the same problem ( especially with authenticated users). Exchange has these, as well as “Anonymous User” access. This creates a significant security risk; for any data placed in that folder will inherit those “exposed” permissions, and those who place data in these wide-open folders may not be aware of the lax access settings. When sensitive data, like PII, credit card information, intellectual property, or HR information are in these folders, the risks can become very significant. Global access to folders, SharePoint sites, and mailboxes should be removed and replaced with rules that give access to the explicit groups that need it.
5. Identify Data Owners
IT should keep track of data business owners and the folders and SharePoint sites under their responsibility. By involving data owners, IT can expedite a number of the previously identified tasks, including verifying permissions revocation and review, and identifying data for archival. The net effect is a marked increase in the accuracy of data entitlement permissions and, therefore, data protection.
- Using Varonis: Which Data Needs Owners? (varonis.com)
Philip Favro of Symantec, in an article called Defensible Deletion: The Cornerstone of Intelligent Information Governance on the eDiscovery 2.0 blog, defines defensible deletion as “a comprehensive approach that companies implement to reduce the storage costs and legal risks associated with the retention of electronically stored information (ESI)”.
That is the point, of course, of the word “defensible” in this context. It matters most in the US, where everyone goes in fear of the sanctions bogeyman, apparently without regard to the terms of Rule 37(e) of the Federal Rules of Civil Procedure which reads as follows:
(e) Failure to Provide Electronically Stored Information. Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.
Most other jurisdictions can manage without this “safe harbor” because they do not have the same (alleged) reason to fear sanctions. I say “alleged” because if US companies paid more attention to Rule 37(e), they too could set about the deletion of material which is not presently the subject of a legal hold and which is not required for statutory or business purposes. It would help, too, if they read some of the sanctions Opinions which cause such dread to see how many of them were the consequence of the “routine, good-faith operation of an electronic information system”.
If you are short of ROI information to justify the work involved in a defensible deletion programme, try and calculate how much money was spent last year processing and reprocessing useless data for eDiscovery purposes, rejecting it time after time, at considerable expense. There’s a big chunk of ROI there.
Thanks to http://chrisdale.wordpress.com/