Driving Data Loss Prevention

By Scott Swanson

In their efforts to identify and protect information assets, companies are failing to identify many information "content" risks that fall into the gaps between data stewardship and regulatory compliance.

As organisations face heightened data security issues regarding information loss and leakage, the demands for technology, process controls, and information stewardship frameworks have become a key part of how an organization approaches its data compliance and risk functions. 

It is estimated that 85 to 90 percent of all content created by an organisation now exists electronically.  Business operations continue to generate vast amounts of unstructured data, private customer information, and electronic communications.  Properly managing, storing, securing, and destroying this content is therefore a daunting task and a governance, risk, and compliance (GRC) responsibility.  With additional pressure to collect more information on customers and business partners, the duty to protect this content is an added burden.

Balance is a difficult issue.  The question for your organisation is whether you are taking proactive steps to manage and control your content for optimal use, to facilitate compliance and litigation discovery, and to protect it from inadvertent disclosure, intentional theft, and careless breach.  For some companies, the issue is determining what information needs to be protected and which threats and vulnerabilities create the risk of unwanted consequences from data loss.

Blending people, processes and technology

Technology makes for greater efficiencies in this area, but organisations require more strategic approaches that blend process, people, and technology in the face of today's compliance and risk management challenges.  More often than not, aspects of critical asset identification and protection fall into the seams and gaps of nebulous rules rather than being embedded in corporate culture and existing business processes.  This is a critical component of many regulators' guidelines on cybersecurity preparedness in monitoring for data loss.  Companies that don't know what they have, and do not consider who would want the information and how someone might access corporate information without authorisation, should ask themselves the following questions:

  • Where does my information risk management fit into current risk, compliance, and security protocols?
  • How do current business processes affect IT's critical asset identification and protection efforts to address loss and leakage of sensitive content, in the context of how information is used and flows within the organisation?
  • Have we conducted an information inventory, in structured and unstructured data, that lets us balance information access, control, and stewardship?
  • Are our enterprise information management policies and procedures properly aligned to address evolving threats, risks, and vulnerabilities, based on the differing levels of information value or sensitivity?
  • What would it take to develop and implement a business unit-driven Critical Asset Identification and Protection Program to identify, review, and remediate weak information risk and compliance programmes?

Most companies are going to find it tough to answer these questions.  Many organisations still struggle to develop adequate policies, procedures, and processes, and do not socialise those policies, procedures, and processes to ensure efficient management of critical information assets.  This is one of the key reasons that companies are not regularly the first to know when a data breach has occurred, with literally millions of records being stolen. 

With the ongoing rise in hacking and information theft, it's time for companies to recognise that the problem is not only poorly managed information: failures in controls and governance compromise the integrity and confidentiality of the whole company and expose it to unauthorised access.

Scott Swanson is a freelance advisor for information protection and corporate risk analysis.  He has over twenty years of experience in the public and private sector as an intelligence specialist, investigator and fraud examiner. sswanson@donovanrisk.com