Our internal auditors and our board are showing increased interest in just how exactly we are managing and protecting our data. In previous years, questions were usually cursory and in reaction to some specific event or issue. But now, these groups are taking a more holistic view of data as a corporate asset that must be identified, controlled, and protected … and this time, they are serious.
Your board members and Internal Audit simply need assurance that compliance standards are being set and met, and that the organization has a plan to ensure effective management of information assets. The risks of poor data management are legion and must be addressed both tactically and strategically:
The Strategy: Manage information compliance, cost, and risk, while maximizing value.
To implement the strategy, you will need to first understand what data you have, where it is, and your legal and regulatory retention requirements. Most organizations keep far too much data for far too long. And by the way, “big data” initiatives are not an excuse to keep everything—to be most useful, such initiatives must start with clean data.
The Tactics: Implement retention and disposition rules, rid yourself of unnecessary data, and enforce privacy and data security controls.
Essential tools include:
- Legally validated retention schedule appropriate for your industry, operations, and geography;
- High-level inventory of data repositories, both structured and unstructured, on premises and in the cloud;
- Records and information management policy;
- Data classification and security policies and controls based on risk assessment; and
- Critical Incident Response Plan to coordinate the activities crucial for effective data breach response.