Information governance
by John Bandler
Information governance is simply information management: managing your information assets and information systems.
Organizations should bring principles of good management to their information assets, just as they want to bring good management to every other aspect of their business.
Good management means exercising due diligence when making decisions that affect information systems.
It means bringing the Five Components of Policy Work to information systems.
It means these general principles:
- Someone is in charge and stays on top of important issues and decisions
- Important stakeholders are consulted regarding important decisions
- Laws and regulations (external rules) are considered
- Mission and business needs are considered
- The organization has written policies and procedures (internal rules) that are reviewed, updated, and followed
- The organization has consulted reliable external guidance (best practices)
- The organization considers what its practices are and what they should be
- The organization trains its people.
A brick and mortar analogy
If an individual or family were considering buying or renting a home and moving, or buying a new car, imagine the research and due diligence that would go into that.
If an organization is considering office or business locations, imagine the research and decision making for that.
But sometimes technology intimidates people, or technology decisions are made on the fly, or the status quo is continued without evaluation.
Clearly, information systems are an important part of business operations, so a commensurate amount of diligence should go into them.
Traditional decision making concepts can be brought to technology.
The three goals
The three goals are:
- Protect - Cybersecurity and cybercrime protection: This is important for legal compliance and accomplishing the mission. Cybercrime risks need to be considered, and appropriate decisions made.
- Comply - Legal compliance and other legal issues: As above, cybersecurity is a legal duty. Information governance also includes eDiscovery planning. Know what data you are storing and why before a data breach, before a lawsuit.
- Mission and business needs: Well-run businesses serve their clients and customers best, accomplish their mission best, and earn more revenue. Since information systems are so important to every business, it stands to reason that this part of the business should also be managed well.
The five components for policy work
Policy work is a part of management, because as organizations grow past a certain size, unwritten rules cannot properly be conveyed.
So to best manage, we need to create written documentation.
We can think of five main components to consider when creating or improving policy. They are:
- Mission and business needs: The reason the organization exists in the first place.
- External rules: Laws, regulations, and other legal requirements.
- External guidance: Helpful and relevant voluntary guides to our policies and actions.
- Internal rules: Policies, procedures, and more (that currently exist).
- Practice or action: What is actually done.
You need a written policy (probably)
Organizations will need written rules to help them manage their information systems and cybersecurity.
That's why I wrote a book about it.
You need a person in charge
Your policy can specify this, but someone should be in charge.
For cybersecurity, this person could be called an "information security coordinator". See my article on that (links below).
For overall information governance, you can have a committee, with someone in charge of that (see next section).
You need a group of people to advise
It helps to have a group of people advise on important information governance decisions and strategy. Your policy can specify this too.
This could be an "information governance committee" with someone designated as being in charge of it, and making the ultimate decision.
See my article on that (links below).
What's next?
Organizations can do these things, to a reasonable degree, and improve upon them all periodically.
- Put a person and a group in charge of information governance
- Put a person in charge of information security
- Assess and identify applicable laws and regulations (external rules)
- Create internal rules (policies and procedures) and continually review, update, and follow them
- Know your information assets and systems, do an inventory, periodically update and improve upon it
- Conduct due diligence for decision making about information systems
- Train your people.
What could go wrong?
Imagine all the bad things that could happen to an organization that doesn't manage information assets well:
- Data breach, and then you need to work to answer the question "what data was there anyway"
- Lawsuit, and then you need to work to answer the question "what data are we storing anyway"
- Inefficiency
- Accounts forgotten about, access to them lost, or accounts compromised by an attacker
- Using multiple accounts or software providers for the same service
- Forgetting that data is being stored in a particular location or application
- Forgetting to pay the phone bill and losing the company phone number
- Forgetting to pay the internet bill and losing internet access
What could go right or be improved?
Almost everything.
The better you manage your information assets and information systems, the better you can use them, and the better you are managing risk.
There is waste and inefficiency if you have duplicate assets or cannot find them or properly harness them.
Disclaimer
This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.
This is to inform, and you assume all risk for cybersecurity decisions you make. This is an introduction, and more can be written on this topic.
I may explain nuances further in other articles, or one of my books. Other experts may have differing opinions.
Ask ten different IT or IS experts and you will get ten or more different definitions for a term, and as many different recommendations for cybersecurity posture. Cybersecurity is about decisions and risk management.
Conclusion
Information assets are essential, so your organization should consider an inventory of them! See that article below.
If your organization needs help with improving its cybersecurity, feel free to contact me.
Additional reading
- Information governance (this article)
- Information governance committee
- Information security coordinator
- Policies and Procedures Book
- Information asset inventory
- Bandler's Four Pillars of Cybersecurity
- Cybersecurity Policy (Free Version) (with an incident response plan)
- The Three Priority Cybercrime Threats
- Identity theft
- Cybercrime
- Five Components for Policy Work
- Cybersecurity and Privacy for You and Your Organization
- Cybersecurity for the Home and Office (book)
- Cybercrime Investigations (book)
This article is hosted at https://johnbandler.com/information-governance, copyright John Bandler, all rights reserved.
Originally posted 12/10/2023, updated 9/26/2024.