Contents
1 The Case for Information Governance
Information Governance
The Small Business
The Medium Size Business
The Large Business
What You Will Learn
References
2 The Threats of Today and Tomorrow
Defining Threats
Future Concerns
References
3 The Ever Changing Technical Landscape
A Little History
The Issues
The World Is Shrinking
References
4 The Changing Corporate Landscape
Today's Cyber Environment
The Federal Government
The Private Sector
Why Should Corporate America Care?
References
5 How Information Governance Fits in the New World
Issues in the New World
References
6 The Human Element
Cyber
Physical Acts
References
7 The Technical Side
The Benefits
Concerns Brought About by Technology
References
8 Balancing Information Governance and Your Company's Mission
Policies
Factors to Consider
References
9 The Case for Information Governance from within Your Organization
Negative Perceptions of Information Governance
Implementation
References
10 What to do First
The Basics
How to Determine Information Governance Needs for Your Company
How to Create Information Governance Policies
Methods of Security to Support Information Governance
How to Implement Information Governance Policies
References
11 What to Do Forever
Continuing Efforts
Evaluate Effectiveness of Information Governance Policies
Encouraging Accountability and Ownership of Information Governance
Training and Education of Employees About Information Governance
References
12 Charting the Best Future Course for Your Organization
Information Governance Impacts All Facets of an Organization
Closing Thoughts
References
Appendix A
Appendix B
Appendix C
Works Cited
Index
Chapter 1
The Case for Information Governance
Guarding assets, staff, and accounts has always been a key to protecting businesses. But in the information age, are you protecting your most important resources: company and client data? Each year, businesses lose billions of dollars due to data leakage, on top of which the government often imposes millions in fines. In addition, leakage can cause irreparable damage to your company's reputation. It is not a matter of if you will be a victim; it is a matter of when.
We have all heard the old adage that an ounce of prevention is worth a pound of cure. When it comes to data management, that pound of cure may not be available, so the new adage might be that an ounce of prevention is worth preventing the total destruction of your business. The ounce of prevention is information governance, and, if you are like most people, you have no idea what that is or how to take advantage of it.
This book explains how you, as a business owner, executive, or even someone just interested in keeping their proprietary information safe, can better adapt to twenty-first-century threats. By understanding the changing landscape and moving your organization to be focused and data centric, the damage or loss of your key information can be minimized if not outright prevented. We will break down for you what information governance is and does for different-sized companies. Large, medium, and small companies all have unique circumstances that will be addressed. Additionally, we will discuss what they have in common. Information governance has many standard issues that can and should be addressed across all organizations.
Information Governance and Security. http://dx.doi.org/10.1016/B978-0-12-800247-6.00001-7
Copyright 2015 Elsevier Inc. All rights reserved.
One of the benefits of reading this book is the impact on your personal life. While this book is written to help in business, many of the tools and habits discussed are important for individuals. Digital threats affect people at work and at home. Be mindful as you read to see the parallels to your life away from the office.
Let's start with a bold statement: information governance is not a function of your information technology group. It is a base-level management function, much like human resources or finance. A properly developed and managed information governance program protects your company and keeps it effective and efficient. It helps to manage compliance issues and can be vital in defending against litigation. It will make employees more satisfied and secure in their work and limits your risk of loss from human error.
Information governance is more than an IT problem that needs to be solved; it is a systemic solution to counteract threats, alleviate inefficiencies, and prepare for the future.
Take, for example, the story of an architectural firm located in the southwestern United States that was happily doing business as a profitable midsized company in the spring of 2011. The employees were engaged. The clients were happy. The company was making money and having a great time. All seemed well, so what could go wrong?
During that time a senior designer with full access to the client base and design work resigned and went to work for a competitor. In very short order, clients started leaving and much of the work was shifted to the competing firm by whom the employee had been hired. Not good.
In an effort to stop the bleeding, the firm's owner went to his attorney to take action on this sabotage by stopping the theft of clients and company designs. Upon review with legal counsel it was determined the employee had never been asked or required to sign a nondisclosure or a noncompete agreement. The owner even contacted law enforcement in an effort to right the wrong, but received the same response. There was nothing they could do. The former employee was not in breach of contract, nor could criminal intent be proven in a court of law.
The victim company was able to recover, but only after shrinking in size, laying off office personnel, and moving to a new, smaller building. Several years later, they have still not fully regained their previous work levels. The situation was tragic and preventable. It occurred because the architectural firm did not have a policy that addressed data management and access. They had no employee agreements to hinder or address the theft of intellectual property. They had no information governance program to steer management to avoid such problems.
Information Governance
So what exactly do we mean when we talk about information governance? It is a set of established policies and procedures you and your employees implement and follow in order to manage sensitive and proprietary information.
For smaller businesses, which can be anything from a sole proprietor up to approximately fifty employees, participation in information governance should be from the top down. The smaller the organization, however, the more concentrated the development and implementation can be. Ensuring that everyone understands what they are supposed to do with important information and how to do it can make the difference in protecting the company's vital interests. This understanding evolves as the threats and benefits of the digital age become clearer. Likewise, information governance can be applied in such a fashion that the company's performance improves, productivity increases, and employee satisfaction can be positively impacted.