George Parapadakis ([email protected]) is an ECM Advocate at IBM, advising customers and partners on how to maximize the value from their ECM and BPM investments. He has also been monitoring the use of ECM technologies in the Risk & Compliance field. After 20 years in the Document/Content management and Process/Workflow industry, he's still a believer!... George has been an AIIM member since 1995 and you can follow him on Twitter as @parapadakis or his InformationZen blog. All opinions expressed here are explicitly George's and not necessarily those of his employer.
This post is part of an ongoing guest blog series around the overall theme of "8 things." The idea is to tap into the collective experience of members/readers on topics that they are passionate about. (But related to information, documents, content, or records!). Click HERE for a full list of topics that we've covered.
8 Things You Need to Know about Information Risk
Information is a critical asset of every organization. “Information Risk” can be defined as any possible event that prevents critical information from being used as the business intended it to. The most critical information risks are:
1. We didn’t keep it (Non-capture) – The risk of critical information not being captured into the system.
If the email gets deleted, the attachment is gone for good. Users, driven by delivery pressures and performance controls, often bypass or ignore good house-keeping practices needed for compliance policies and business continuity. Using process-controlled, automated declaration and classification procedures for capturing both paper and electronic records, this risk can be significantly mitigated.
2. It was on the disk that crashed (Loss) – The risk of captured information being accidentally removed from the system.
In order to avoid the risk of information being accidentally lost from the system, organizations must invest time in selecting the right storage, availability and disaster recovery architectures. In a controlled environment, the system also needs to provide specific “hold” or “freeze” mechanisms which prevent normal information disposition schedules from inadvertently removing critical information, for example, when litigation is in progress.
3. That is not my signature (Malice) – The risk of information being deliberately removed, corrupted or damaged.
This is defined in legal context as “spoliation of evidence”, which is the “destruction or significant alteration of evidence, or the failure to preserve property for another’s use as evidence in pending or reasonably foreseeable litigation.” Records are a key part of any successful legal or regulatory defense, but organizations must be able to locate and produce their records with the assurance that they have not been altered. In order to minimize the risk of spoliation, information needs to be captured in a controlled environment where access to or deletion of records is only possible through the defined and security-controlled disposal processes. All access to records must be monitored through a detailed audit log.
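The hold mechanism from point 2 and the controlled disposal process and audit log from point 3 are easier to reason about when seen together in code. The following is an added illustration, not code from the post or from any product it mentions: a small in-memory records store in which the disposition schedule is the only path that removes a record, a record under hold is skipped by that schedule, a content digest taken at declaration exposes later alteration, and every access and disposal decision lands in an audit log. All record ids, dates, actors and hold reasons are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Record:
    record_id: str
    content: bytes
    digest: str                      # SHA-256 of content, taken at declaration
    declared_on: date
    retention_days: int              # disposition schedule for this record class
    holds: Set[str] = field(default_factory=set)   # active legal/regulatory holds

    def retention_expired(self, today: date) -> bool:
        return today >= self.declared_on + timedelta(days=self.retention_days)


class RecordsRepository:
    """Constructed example store (not a real product): records can only leave
    it through run_disposition(), which skips anything under hold; every
    access and disposal decision is appended to audit_log."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}
        self.audit_log: List[dict] = []

    def _audit(self, actor: str, action: str, record_id: str,
               outcome: str, detail: str = "") -> None:
        self.audit_log.append({"actor": actor, "action": action,
                               "record_id": record_id, "outcome": outcome,
                               "detail": detail})

    def declare(self, actor: str, record_id: str, content: bytes,
                declared_on: date, retention_days: int) -> None:
        digest = hashlib.sha256(content).hexdigest()
        self._records[record_id] = Record(record_id, content, digest,
                                          declared_on, retention_days)
        self._audit(actor, "declare", record_id, "ok", digest)

    def read(self, actor: str, record_id: str) -> Optional[bytes]:
        rec = self._records.get(record_id)
        if rec is None:
            self._audit(actor, "read", record_id, "not_found")
            return None
        # Re-hash on every read so silent alteration (spoliation) is detected and logged
        if hashlib.sha256(rec.content).hexdigest() != rec.digest:
            self._audit(actor, "read", record_id, "integrity_failure")
            return None
        self._audit(actor, "read", record_id, "ok")
        return rec.content

    def place_hold(self, actor: str, record_id: str, reason: str) -> None:
        self._records[record_id].holds.add(reason)
        self._audit(actor, "hold", record_id, "ok", reason)

    def release_hold(self, actor: str, record_id: str, reason: str) -> None:
        self._records[record_id].holds.discard(reason)
        self._audit(actor, "release_hold", record_id, "ok", reason)

    def run_disposition(self, actor: str, today: date) -> List[str]:
        """The only code path that deletes; returns ids actually disposed."""
        disposed: List[str] = []
        for rec in list(self._records.values()):
            if not rec.retention_expired(today):
                continue
            if rec.holds:
                self._audit(actor, "dispose", rec.record_id, "skipped_hold",
                            ",".join(sorted(rec.holds)))
                continue
            del self._records[rec.record_id]
            disposed.append(rec.record_id)
            self._audit(actor, "dispose", rec.record_id, "ok")
        return disposed

    def contains(self, record_id: str) -> bool:
        return record_id in self._records


def demo() -> dict:
    """Walk through declare, hold, disposition, tampering and release (constructed data)."""
    repo = RecordsRepository()
    repo.declare("scanner", "INV-0001", b"invoice march", date(2020, 1, 1), 365)
    repo.declare("scanner", "INV-0002", b"invoice april", date(2020, 1, 1), 365)
    repo.place_hold("legal", "INV-0002", "LITIGATION-CASE-123")
    first = repo.run_disposition("scheduler", date(2021, 6, 1))   # INV-0002 is held
    # Simulate out-of-band alteration of stored content to show the integrity check
    repo._records["INV-0002"].content = b"invoice april (altered)"
    tampered_read = repo.read("auditor", "INV-0002")
    repo.release_hold("legal", "INV-0002", "LITIGATION-CASE-123")
    second = repo.run_disposition("scheduler", date(2021, 6, 2))
    return {"first_run": first, "second_run": second, "tampered_read": tampered_read,
            "outcomes": [e["outcome"] for e in repo.audit_log]}


if __name__ == "__main__":
    print(demo())
```

The design point is that there is no `delete` method at all: removal happens only inside the scheduled disposition run, and a hold turns that run into a logged "skipped_hold" event rather than a deletion. A real ECM system would store the digest and the audit trail on write-once media or a separate system so that the same person who alters a record cannot also alter the evidence of the alteration.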
4. March.xls – but which year? (Attribution) – The risk of losing the context and metadata describing the information.
For information to be relevant and useful to the business, the organization needs to ensure not only that documents and content are retained and managed securely, but also that the context used to describe them (metadata, relationships and processes) is managed just as carefully. This is especially true in large enterprises where content may be captured through many different systems and sit in different repositories, but is openly available across the organization through an Enterprise Content Management system.
5. Where did you get this? It’s confidential! (Unauthorized Access) – The risk of information being accessed by unauthorized persons.
Information needs to be available to the right people only, for the right use and at the right time. Lax security can compromise not only confidential or sensitive commercial information but also personal details. Complex organizations require sophisticated security policies to stop access to information by any unauthorized person, as well as mechanisms to prevent authorized persons from taking the information outside the authorized domain (information leakage).
6. The system is down (Unavailability) – The risk of disaster or technical failures, preventing access to the information.
There is very little value in information that is carefully preserved for posterity but is not available when you need it to make a decision. IT systems in general are a key operational risk for the organization, posing a threat to business continuity. But whereas loss of electronic process and transaction handling could be temporarily replaced with manual processes, critical information that is locked away in an unavailable system cannot be manually retrieved. Information availability should be managed within the context of overall business continuity planning.
7. But where is it? (Findability) – The risk of information being lost inside the digital landfill due to lack of sufficient classification.
In most business environments today, information is generated, received or contained in a multitude of electronic media, formats, storage devices, etc. This explosive growth is an additional source of information risk. Being able to locate the correct information within the required timescales, be it for a telephone enquiry from a customer or a week-long regulatory audit, is critical. Organizations can employ techniques such as automated content capture, classification and federation to ensure that all relevant information is discoverable within short timescales.
8. Does anyone have SuperWriter 2.0? (Inaccessibility) – The risk of information becoming inaccessible due to its medium or format.
Format refresh is a particular issue with electronically stored information. We can read a scroll of papyrus that was written 3000 years ago. But we can’t read a 5¼” disk with WordPerfect files from 10 years ago. Information that is locked into obsolete media or proprietary formats and systems is worthless to an organization. So long-term preservation, media refresh and format refresh need to be considered proactively. Information strategies that include the use of format standards (e.g. TIFF or PDF/A) and audited content refresh cycles will ensure that information remains accessible for the whole period it is kept.
---------
Today, more than ever, access to electronic information is vital to an organization’s operation. Carefully assessing your organization against the information risks discussed above is the first stage in identifying where your organization is most vulnerable and in defining a roadmap for implementing governance controls and monitoring to protect your information assets.