Your Guide to Defining an Information Governance Policy
To safeguard your company’s assets and employees’ privacy, consider the Top 3 most important factors when building your information governance policy
As more industries seek digital transformation — adopting conveniences such as cloud-based connectivity, frictionless operations, and more — their vulnerability to potential threats increases. When it comes to protecting sensitive information, is your company well-equipped to prevent email phishing scams, cybersecurity threats, and other attacks by bad actors?
While sharing and collaborating on information assets is essential to streamline workflow within an organization, it’s imperative to ensure that any shared information is only accessible by people who need to see it and that it is managed correctly. An information governance policy assures that not only is your company’s most confidential data protected, but also that of every department and individual employee.
What factors must be considered when defining an organization’s information governance (IG) policy? There are three main considerations that go into a strong IG policy approach:
1. WHAT needs to be protected?
Information that needs to be protected can be placed in one of two categories:
- Personally identifiable information (PII)
- Company confidential information (CCI)
Both sets must be protected, but for different reasons.
PII: It is a company’s responsibility to protect the personal data of its employees and customers. There are now laws, such as Europe’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA), that require such PII protections, safeguarding individuals’ interests and privacy.
CCI: It is a company’s responsibility to protect its own sensitive data. There are myriad reasons a company’s private information should stay in-house, the most important being to keep that data away from competitors or those looking to hurt the company. CCI protections work to guard company interests.
2. WHO can access the protected data?
Locking away data certainly secures it, but the data serves very little purpose if need-to-know users cannot properly access it. This is where group access lists and Digital Rights Management (DRM) come in handy. Ensuring only true stakeholders have access minimizes the chances that private company information ends up in the wrong hands.
3. HOW can the protected data be accessed?
Policy creators must consider the following questions: Can the users only review the information, or can they also alter the information? Can they download the information locally? Administering user roles can help with this — certain users can read, other users can modify, and so on.
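The three considerations above (WHAT is protected, WHO may reach it, HOW it may be used) can be expressed as a single deny-by-default access check. The following is an added illustration, not code from the original article or from Qualcomm; the classification labels, role names, group names, users and documents are all constructed for the example. It also encodes the article's later point that protected documents should be viewed in place rather than downloaded, and records every decision so access can be audited.

```python
from dataclasses import dataclass
from enum import Enum


class Classification(Enum):
    """WHAT: the category of information a document carries."""
    PUBLIC = "public"
    PII = "pii"   # personally identifiable information
    CCI = "cci"   # company confidential information


class Action(Enum):
    """HOW: what a user is asking to do with the document."""
    VIEW = "view"
    EDIT = "edit"
    DOWNLOAD = "download"


# HOW: each role maps to the actions it may perform; anything absent is denied.
# Role names are constructed for this example.
ROLE_PERMISSIONS = {
    "reader": {Action.VIEW},
    "editor": {Action.VIEW, Action.EDIT},
    "owner": {Action.VIEW, Action.EDIT, Action.DOWNLOAD},
}


@dataclass(frozen=True)
class Document:
    name: str
    classification: Classification
    access_groups: frozenset  # WHO: the groups on the document's access list


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    role: str


AUDIT_LOG = []  # every decision is recorded, whether allowed or denied


def evaluate(user: User, doc: Document, action: Action):
    """Return (allowed, reason). Deny by default: the request passes only
    when the role check, the access-list check and the handling check all agree."""
    allowed_actions = ROLE_PERMISSIONS.get(user.role, set())  # unknown role -> nothing
    if action not in allowed_actions:
        decision = (False, f"role '{user.role}' may not {action.value}")
    elif (doc.classification is not Classification.PUBLIC
          and user.groups.isdisjoint(doc.access_groups)):
        decision = (False, f"{user.name} is not on the access list for {doc.name}")
    elif (doc.classification is not Classification.PUBLIC
          and action is Action.DOWNLOAD):
        # Protected documents are viewed inline only, so no local copies are created.
        decision = (False, f"{doc.classification.value} documents cannot be downloaded")
    else:
        decision = (True, "all checks passed")
    AUDIT_LOG.append((user.name, doc.name, action.value, decision[0], decision[1]))
    return decision


# Constructed sample data; none of these names refer to a real system or person.
RESUME = Document("applicant_resume.docx", Classification.PII, frozenset({"hr"}))
DESIGN = Document("product_design.docx", Classification.CCI, frozenset({"eng"}))
HANDBOOK = Document("employee_handbook.docx", Classification.PUBLIC, frozenset())

HR_ANALYST = User("alice", frozenset({"hr"}), "reader")
ENGINEER = User("bob", frozenset({"eng"}), "editor")
DOC_OWNER = User("carol", frozenset({"eng", "hr"}), "owner")
CONTRACTOR = User("dave", frozenset({"eng"}), "guest")  # role never defined -> denied


if __name__ == "__main__":
    requests = [
        (HR_ANALYST, RESUME, Action.VIEW),       # allowed: reader on the HR list
        (HR_ANALYST, RESUME, Action.EDIT),       # denied: reader role cannot edit
        (ENGINEER, RESUME, Action.VIEW),         # denied: not on the HR access list
        (DOC_OWNER, DESIGN, Action.DOWNLOAD),    # denied: CCI is view-in-place only
        (DOC_OWNER, HANDBOOK, Action.DOWNLOAD),  # allowed: public document
        (CONTRACTOR, DESIGN, Action.VIEW),       # denied: unknown role
    ]
    for user, doc, action in requests:
        ok, why = evaluate(user, doc, action)
        print(f"{user.name:6} {action.value:8} {doc.name:24} {'ALLOW' if ok else 'DENY':5} {why}")
```

The order of the checks matters less than the fact that each one can only deny: a request that fails any of them is refused, and a role the policy has never heard of gets an empty permission set rather than an error path that might be mistaken for approval. The audit log is what lets the policy owner later answer "who viewed this resume?" without relying on the document's own copies.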
Implementing a sustainable information governance policy
Once an IG policy has been defined, it’s up to those implementing it to choose workflow solutions that meet the requirements of the policy. Weighing the usability of these solutions against how closely they adhere to the IG policy can be a bit of a give and take. The more secure a solution is, the more complicated it might be to administer or the more difficult it might be to use productively.
One area where solutions can offer both information security and solution usability is document viewing. Both CCI and PII are often found in Microsoft Office documents. Think about a financial spreadsheet, an applicant resume, and a product design document. These three documents are from three different areas — finance, human resources, and product development — but all contain CCI and/or PII. Selecting solutions that allow for secure storage of these kinds of documents, while limiting the access to these documents only to those who need to see them, certainly supports any well-defined IG policy. And if these solutions also provide a consistent way to view and work within these documents, that’s also a usability win.
On the other hand, solutions that store documents, but don’t provide a way to view them, not only impact productivity, but may encourage violating the IG policy. For instance, consider a Microsoft Word document containing patent submission information saved securely within a product lifecycle management solution in the cloud. This information is safe — access to the document within the solution is limited. But what happens when someone with access wants to see the information?
They click on the file within the solution and instead of opening a viewer, a copy of the file is downloaded locally to their personal computer so they can open it. If this process is repeated by everyone who needs to access this document, that is a tremendous waste of time. But worse yet, there are now dozens of copies of this document and the information contained therein on different systems. Is the information still secure? What if someone prints the document? Or sends it to personal email or personal cloud storage? Now that there are dozens of digital duplicates, the chances of this information leaking are now a lot higher. This can be avoided with a single solution that not only stores data, but also manages access among users.
Considering solutions that support information governance
The fact is that every day, Microsoft Office files are shared by millions across all vertical industries and markets — and these files frequently contain sensitive data. Setting an IG policy that moves these kinds of documents to limited distribution within workflow tools is a start. But from there, organizations must consider how users are allowed to access the documents to further limit the number of copies of these files. These documents must also be viewable within the solution to prevent users downloading them or attempting to access them by any other means.
Workflow solution providers can feel confident their products meet customer expectations around protecting CCI and PII by implementing an inline viewer like Qualcomm DirectOffice Document Conversion Software, which ensures that documents are quickly converted and accurately displayed right within the solution.
Check out Qualcomm DirectOffice to see for yourself how it works