Organizations are experiencing explosive growth in the volume and variety of data they collect, store and process. Unfortunately, many of them do not understand what types of data they are handling — and what value that data has — so they cannot maintain proper control over it. As a result, they often suffer serious legal, financial and reputational consequences. Proper information governance can help you avoid the same fate.
What Is Information Governance?
Information governance (IG) is the process of managing information assets, such as Human Resources records, customer information, medical records and intellectual property. It is a continuous process, not a one-time event.
Gartner’s definition of IG is widely accepted:
Gartner defines information governance as the specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.
Elements of an Information Governance Plan
Creating an effective program requires implementing policies, processes and technologies for managing the organization’s information throughout its lifecycle. Primary goals include the following:
- Clearly define how you will manage information assets and explain the expectations, responsibilities and standards for staff members who handle information on the network or in the cloud.
- Make sure that information management practices meet all legal requirements, stakeholder expectations, accountability requirements and business needs.
Rather than a single information governance policy, organizations normally create many policies, such as:
- Information security policies
- Records management policies
- Retention and disposal schedules
- Archiving policies
- Data privacy policies
- Information and communications technology (ICT) policies
- Information sharing policies
- Remote working policies
How Does Information Governance Differ from Data Governance?
While both information governance and data governance are important for organizations and there is some overlap between them, they are different:
- Information governance is focused on data lifecycle management. It is a strategic discipline that is the responsibility of IG professionals working together with corporate leadership and other stakeholders. Information governance examples include controlling use of personal information, protecting data privacy and establishing record retention schedules.
- Data governance, on the other hand, is concerned with managing data to ensure its availability, integrity, usability and security. Data governance activities include metadata management, data architecture, risk assessment, data operations, use of versioning, and data quality control.
Applying data governance and information governance together can yield information management practices that deliver higher business value.
Why Is Information Governance Important?
Establishing a solid information governance program helps organizations in a wide variety of ways. In particular, it helps them:
- Support business needs and strategic objectives
- Achieve regulatory compliance and avoid penalties
- Prevent data breaches
- Improve the return on investments in enterprise business intelligence
- Reduce storage costs
- Make use of document discovery (e-discovery) technology
- Improve data analytics capabilities
- Gain control over proliferating systems and outsourced IT functions
- Increase employee awareness about information policies
Which Regulations Are Relevant to IG?
Many government and industry regulations have requirements related to data security, data retention, and records management that can affect your IG strategy.
Here are some of the most important laws that any organization operating in the U.S. needs to be aware of:
- Sarbanes–Oxley Act (SOX) — A key regulation that standardizes record management practices, SOX applies to all public companies in the U.S., without exception. It requires the implementation of controls over corporate financial records and risk mitigation processes and stipulates that business records must be kept for at least five years.
- Health Insurance Portability and Accountability Act (HIPAA) — HIPAA applies to healthcare providers, health information organizations, and other covered entities and business associates that store, transmit or manage protected health information (PHI). It requires them to control access to health information, provide audit trails for electronic record systems, and ensure the confidentiality and security of electronic protected health information (ePHI).
- The Gramm–Leach–Bliley Act (GLBA) — This act requires financial institutions to protect the nonpublic personal information of their customers. Financial records must be properly secured, and when they are no longer needed, they must be destroyed so the data cannot be accessed.
- The Federal Records Act (44 U.S.C. 31) and other statutes — These laws require federal agencies to create records that document their activities, file records for safe storage and efficient retrieval, and dispose of records properly.
Other regulations that can affect your IG strategy include:
- Foreign Account Tax Compliance Act (FATCA)
- Payment Card Industry Data Security Standard (PCI-DSS)
- Federal Rules of Civil Procedure
How Netwrix Can Help
Netwrix’s information governance software helps organizations automate data governance and reduce data risks. You control data at creation or ingestion, identify its level of sensitivity, and ensure your organization only collects what it needs. Plus, you can satisfy data subject access requests (DSARs) more efficiently, saving money and time.
Conclusion
Information governance provides significant benefits, especially as data stores grow and regulatory oversight increases. Developing and implementing a sound IG strategy will help your organization mitigate cyber risks, ensure data availability, control costs and meet regulatory challenges. Consider starting today — before your organization suffers a breach, fails an audit or faces a lawsuit.
FAQ
What is information governance (IG)?
A basic information governance definition is that IG is a set of procedures, policies and technologies for managing information throughout its lifecycle. Here are two information governance examples:
- Instituting controls to limit access to sensitive or regulated information
- Adopting policies to properly dispose of information at the end of its lifecycle
What is the difference between data governance and information governance?
Data governance and information governance are similar but not identical. Data governance focuses on maintaining data quality, integrity and availability. Information governance involves establishing policies and procedures for managing information throughout its lifecycle.
Why is information governance important?
Information governance helps organizations avoid data breaches, ensure compliance with regulations, achieve business goals and much more.
What is an information governance plan?
An information governance plan covers the policies, strategies, technologies and procedures that an organization will use to manage its data responsibly.
How can an organization create an information governance program?
To create an information governance program, an organization must define clear policies and procedures for handling information as required by applicable regulations, train staff on information governance, and monitor the program for opportunities for improvement.