A great deal of the business value of Information Governance is derived from getting the right information to the right people at the right time. Just as important, however, is stopping the wrong information from going to the wrong people at the wrong time.
High profile examples of the loss of personal data by government, healthcare and commercial organisations abound and demonstrate the reputational and financial damage that can occur.
Any Information Governance programme should ensure that the Information Security element includes:
- Confidentiality: only authorised users can access the information
- Integrity: information is accurate, complete, and as few versions of it exist as possible
- Accessibility: information is accessible to the right people when they need it
- Authenticity: information is credible and authoritative
- Reliability: information can be trusted and is a full and accurate presentation of the business activity or transaction
Information Governance and Information Security
It should be clear that the Information Security element of Information Governance is essentially about finding the correct balance between accessibility and confidentiality. It has to set out how, where and when information can be deployed while keeping it fully protected, securely stored and defensibly deleted.
Information Governance should ensure the following for Information Security:
- Develop a robust framework for handling information in a confidential and secure manner
- Ensure that information security and privacy policies meet all relevant Data Protection and Freedom of Information legislation
- Ensure information is processed legally, securely, efficiently and consistently to the highest standards
- Ensure security policies cover not only information and associated applications, but also the physical devices users employ to access information
- Ensure all employees fully understand, and have been trained on, the organisation’s information security policies and procedures
- Ensure that information security extends beyond the organisation to encompass the organisation’s partners, suppliers and contractors
Key Areas to Consider
Authentication and Encryption
Any piece of sensitive or personal information should, at the very minimum, be password protected. In many cases, it is better to add stronger encryption and authentication controls to the information and to the devices used to access it. Biometric controls such as iris recognition are becoming commonplace in many workplaces to protect information.
Information Classification
A key piece of Information Governance rests with the way that information is classified and categorised. Once classification is complete, the business can use this knowledge to determine where the real business value of information lies, and how this information can be identified and retrieved.
Authentication and user access policies can be built into the metadata of any piece of information. This also enables the organisation to automatically anonymise any piece of information that includes personal identification details, in line with corporate and regulatory policies.
Defensible Disposal
Defensible disposal helps companies to curb storage growth and costs, as well as ensuring that any regulatory requirements for information are met. It should also be used to underpin Information Security activities, since it keeps irrelevant or duplicate information to a minimum. It removes the risk that information at the end of its lifecycle is left online, where it is vulnerable to attack; instead, that information can be responsibly deleted as soon as possible.
Social Media
External communication is no longer simply email. There is an expanding number of communications channels that must be managed. Today, vital business intelligence on market trends and customer preferences can be contained within Facebook, Twitter and LinkedIn.
Information security must encompass these areas because, given the difficulty of controlling how employees use social media, there is a significant risk that confidential or personal information could be exposed, whether by accident or by design.
Suppliers & Contractors
In 2010, the hospital records of 15,000 patients were discovered in a Massachusetts landfill because an independent billing agency didn’t properly destroy the records. This potentially opened the hospital to litigation proceedings because of the actions of its supplier. Your organisation should consider the implications of the fact that it can be held responsible for information held by third parties.
At a minimum, your company should ensure that its suppliers and contractors have an Information Governance policy, and that it can be integrated where necessary with the organisation’s own policies and procedures. Information Governance should also be built into all tenders, SLAs and contracts.