Information governance is a holistic approach to managing corporate information by implementing processes, roles, controls and metrics that treat information as a valuable business asset.
The goal of a holistic approach to information governance is to make information assets available to those who need them, while streamlining management, reducing storage costs and ensuring compliance. This, in turn, enables the company to reduce the legal risks associated with unmanaged or inconsistently managed information and to respond more quickly to a changing marketplace. An important goal of information governance is to give employees data they can trust and access easily when making business decisions. In many organizations, responsibility for data governance tasks is split among security, storage and database teams. Often, the need for a holistic approach to managing information does not become evident until a major event occurs, such as a lawsuit, compliance audit or corporate merger. Information governance provides a wide range of benefits. It ensures the following:
Why is information governance important?

Information governance makes information more accessible to those who need it, which is crucial for any organization. Organizations of all types and sizes often suffer from poor organization and management of information assets, leading to problems with accessibility, ease of use, timeliness and security, all of which governance can improve. Often, the same information exists in more than one location, so updates are applied inconsistently; when copies of the same information disagree, confusion follows. Effective information governance can establish a single source of truth (SSOT), making information more trustworthy.

Effective information governance is so important that it has become a C-suite role in many organizations, with an executive responsible for its implementation. The chief information governance officer (CIGO) often oversees the initial governance initiative, shepherding its development, management and ongoing evolution throughout the organization. The officer is generally responsible for maintaining information integrity standards, gathering required quality and usage metrics and ensuring that the company meets compliance and regulatory requirements. It is also increasingly common for an enterprise to establish an information governance council composed of key stakeholders, including management-level representatives from every area of the business, information technology (IT) personnel involved in infrastructure and security, and subject matter experts who fully understand how specific information is used. This governance council often aids the executive officer in implementing and enforcing governance policy and can be invaluable in guiding its ongoing development. A commitment to information integrity throughout the enterprise requires the active participation of employees at all levels and in all areas. Awareness of and commitment to information governance processes should be organization-wide, actively promoted and frequently refreshed.

What is the difference between data governance and information governance?

When considering information governance, it is common to wonder how it differs from data governance, the more commonly used term. The difference is subtle: data is not necessarily information, whereas information cannot exist without data. Information governance refers to data assets that have carefully defined business meanings; data governance, on the other hand, refers to the oversight of the physical data itself, including its storage, security and transport. Someone implementing data governance might perform those tasks with little or no understanding of the data's meaning, while, in information governance, meaning is everything.

Information governance challenges

Even a clear vision and strong management support do not guarantee information governance success. Organizations can experience a number of common issues when implementing information governance, including the following:
Information governance frameworks

Different types of organizations have different goals and tasks, but the elements of information used to manage those activities are often similar. For this reason, it is possible to create frameworks that clarify an information governance plan and help organize the effort, however customized the organization's handling of information may seem. These frameworks outline the who, what, when, where, why and how of company information. They are built from the answers to a set of central questions that apply to information of all types:

Answering all of those questions for every information asset within the enterprise is a monumental task. Once an organization has collected those answers, however, a path to managing its information becomes increasingly clear. Frameworks are tailored to the organization's unique governance needs but should define the following areas:
Laws, regulations and principles

Information governance is not just a matter of best practice; it is also a matter of regulation, because it is so deeply intertwined with security, privacy and compliance concerns. As technological innovation continues to expand business capabilities and corporate data volumes grow, regulations that place strict mandates on information governance processes have become the norm. This is especially true for data privacy and security, as personally identifiable information (PII) has become a prime target for attackers. Privacy laws, such as the European Union's Data Protection Directive and its successor, the General Data Protection Regulation (GDPR), have spread to countries all over the world and create new information security (infosec) governance obligations for companies. Many industries, including highly regulated sectors such as energy and financial services, are subject to regulations that require records and electronic communications to be retained for a minimum period of time. These regulations include mandates from federal agencies, such as the Securities and Exchange Commission (SEC), Department of Justice (DOJ) and Environmental Protection Agency (EPA), regarding response times for information requests. Regulatory reporting requirements also often mandate that companies provide an account of compliance, usually in the form of raw or summary data, at a set frequency, such as annually. Some examples of laws and regulations that information governance can address include the following:

Information governance models

In addition to frameworks, there are information governance models. Organizations can use these to assess the quality and effectiveness of an information governance program once it has been implemented.
This was last updated in January 2021.