Information governance

by John Bandler

Information governance is simply information management. Managing your information assets and information systems.

Organization should bring principles of good management to their information assets, just like they want to bring good management to all other aspects of their business.

Good management means exercising due diligence when making decisions that affect information systems.

It means bringing the Five Components of Policy Work to information systems.

It means these general principles:

Someone is in charge, and staying on top of important issues and decisions
Important stakeholders are consulted regarding important decisions
Laws and regulations (external rules) are considered
Mission and business needs are considered
The organization has written policies and procedures (internal rules) which are reviewed and updated and followed
The organization has consulted reliable external guidance (best practices)
The organization considers what their practices are and should be
The organization trains its people.

A brick and mortar analogy

If an individual or family was considering buying or renting a home and moving, or buying a new car, imagine the research and due diligence that goes into that.

If an organization is considering office or business locations, imagine the research and decision making for that.

But sometimes technology intimidates people, or technology decisions are made on the fly, or the status quo is continued without evaluation.

Clearly, information systems are an important part of business operation, so a commensurate amount of diligence should go into it.

Traditional decision making concepts can be brought to technology.

The three goals

The three goals are:

Protect - Cybersecurity and cybercrime protection: This is important for legal compliance and accomplishing the mission. Cybercrime risks need to be considered, and appropriate decisions made.
Comply - Legal compliance and other legal issues: As above, cybersecurity is a legal duty. Information governance also includes eDiscovery planning. Know what data you are storing and why before a data breach, before a lawsuit.
Mission and business needs: Well run businesses can serve their clients and customers the best, accomplish their mission the best, and earn more revenue. Since information systems are so important to every business, it stands to reason that this part of the business should also be managed well.

The five components for policy work

Policy work is a part of management, because as organizations grow past a certain size, unwritten rules cannot properly be conveyed.

So to best manage, we need to create written documentation.

We can think of five main components to consider when doing policy creation or improvement, they are:

Mission and business needs: The reason the organization exists in the first place.
External rules: Laws, regulations, and other legal requirements.
External guidance: Helpful and relevant voluntary guides to our policies and actions.
Internal rules: Policies, procedures, and more (that currently exist).
Practice or action: what is actually done.

You need a written policy (probably)

Organizations will need written rules to help them manage their information systems and cybersecurity.

That's why I wrote a book about it.

What's next?

Organizations can do these things, to a reasonable degree, and improve upon them all periodically.

Put a person and a group in charge of information governance
Put a person in charge of information security
Assess and identify applicable laws and regulations (external rules)
Create internal rules (policies and procedures) and continually review, update, and follow them
Know your information assets and systems, do an inventory, periodically update and improve upon it
Conduct due diligence for decision making about information systems
Train your people.

What could go wrong?

Imagine all the bad things that could happen to an organization that doesn't manage information assets well:

Data breach, and then you need to work to answer the question "what data was there anyway"
Lawsuit, and then you need to work to answer the question "what data are we storing anyway"
Inefficiency
Accounts forgotten about, lose access, compromised by an attacker
Using multiple accounts or software providers for the same service
Forget data is being stored in a particular location or application
Forget to pay the phone bill, lose the company phone number
Forget to pay the internet bill, lose internet access

What could go right or be improved?

Almost everything.

The better you manage your information assets and information systems, the better you can use them. And you are properly managing risks.

There is waste and inefficiency if you have duplicate assets or cannot find them or properly harness them.

Disclaimer

This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

This is to inform and you assume all risk for cybersecurity decisions you make. This is an introduction and more can be written on this topic.

I may explain nuances further in other articles, or one of my books. Other experts may have differing opinions.

Ask ten different IT or IS experts, you will get ten or more different definitions for a term, and as many different recommendations for cybersecurity posture. Cybersecurity is about decisions and risk management.

Conclusion

Information assets are essential, your organization should consider an inventory of them! See that article below.

If your organization needs help with improving its cybersecurity, feel free to contact me.

Additional reading

This article is also available on Medium.com at NOT YET (though not kept as up to date).

Originally posted 12/10/2023, updated 3/14/2024.