Introduction to Information Governance

Today, companies are experiencing explosive growth in both the volume and variety of data they collect, store and process. Unfortunately, many of them do not understand what types of data they are handling and what value it has, so they cannot maintain proper control over it. As a result, they often suffer serious legal, financial and reputational consequences. Proper information governance can help you avoid the same fate.

What is information governance?

Information governance (IG) is the process of managing information assets. It requires implementing policies, procedures and technologies that balance ease of use with security.

Gartner’s definition of IG is the most widely accepted. It defines information governance as “the specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”

Information governance processes manage the use of information records, including employees’ records, customer information, patients’ medical records and intellectual property. The company’s IG professionals should work with leadership and other stakeholders to create policies that specify how employees should handle corporate information assets.

What is the difference between data governance and information governance?

Data governance and information governance are often considered to be the same thing. However, although both are important to a company being able to achieve its business objectives and there is some overlap between them, they are not identical. Let’s explore the key differences in their goals, scope and activities, starting first with IG.

Information governance is related to getting business value from data assets. The Information Governance Initiative defined IG as “the activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.”

Data governance, on the other hand, is concerned with controlling information at the business-unit level to ensure that it is accurate and reliable. Data governance programs involve procedures to manage data availability, integrity, usability and security.

To illustrate the differences, here are some examples of the activities involved in both areas. Data governance activities include management of metadata, data architecture, data operations, data management, master data, and data quality. Information governance, on the other hand, is concerned with the organization’s data lifecycle management, so it includes processes and activities like personal information exchange, data privacy protection, regulatory compliance audits, e-discovery, and records retention schedules.

While data governance is an IT responsibility, IG has a broader scope. It is used to meet compliance and business needs regarding the use and retention of data. This makes IG a strategic discipline that is a significant part of corporate governance. Applying data governance and information governance together can yield information management practices that deliver higher business value.

Why is information governance important?

IG is still an emerging field, so there are many questions around its role in business processes. Why is information governance important in the first place? A properly implemented information governance program helps with several different challenges and gives organizations an opportunity to:

  • Support business needs and strategic objectives and priorities, which vary based on organizational culture, level of engagement of stakeholders and available resources
  • Achieve regulatory compliance and reduce the costs associated with regulatory penalties
  • Avoid data breaches
  • Improve the return on investments in enterprise business intelligence
  • Reduce the costs of storage and document discovery technology (eDiscovery)
  • Improve data analytics capabilities
  • Build control over proliferating systems and outsourced IT
  • Increase employee awareness about information policies

Which regulations are relevant to IG?

Numerous government and industry regulations have requirements related to data security, data retention and records management that can affect your IG strategy. Here are a few of the most important laws that any organization operating in the U.S. needs to be aware of:

  • Sarbanes–Oxley Act of 2002 (SOX) — A key regulation that standardizes record management practices, SOX applies to all public companies in the U.S., without exception. It requires implementation of controls over corporate financial records and risk mitigation processes, and stipulates that business records must be kept for at least five years.
  • Health Insurance Portability and Accountability Act (HIPAA) — HIPAA applies to healthcare providers, health information organizations, and other covered entities and business associates that store, transmit or manage protected health information. It requires them to have control over access to health information, provide audit trails for electronic record systems, and ensure the confidentiality and security of ePHI.
  • The Gramm–Leach–Bliley Act (GLBA) — GLBA requires financial institutions to protect the nonpublic personal information of their customers. Financial records must be properly secured, and when they are no longer needed, they must be completely destroyed so the information cannot be accessed.
  • The Federal Records Act (44 U.S.C. 31) and other statutes — These laws require federal agencies to create records that document their activities, file records for safe storage and efficient retrieval, and dispose of records properly.

Other regulations that can affect your IG strategy include:
Information governance brings significant value and benefit, especially as data stores grow and regulatory oversight increases. Developing and implementing a sound IG strategy will help your organization mitigate cyber risks, ensure data availability, control costs and meet regulatory challenges. Consider getting started today, before your organization suffers a breach, fails an audit or faces a lawsuit.

Product Evangelist at Netwrix Corporation, writer, and presenter. Ryan specializes in evangelizing cybersecurity and promoting the importance of visibility into IT changes and data access. As an author, Ryan focuses on IT security trends, surveys, and industry insights.