How to establish good information management policies

By Atle Skjekkeland

We often meet organizations with ineffective governance policies: retention policies, information security policies, or information classification policies. The problems usually revolve around one or more of the following areas.

  • The policy does not provide value. If the policy does not help business users do their job, it will be easily forgotten, leading to non-compliance.
  • The policy is not easy to understand. If the policy is not clear to business users, it won't be effective. As an example, many organizations have security classification policies defining how to determine the correct security classification for information, but business users find it difficult to identify the correct classification. The consequence is that users choose a higher classification than necessary to avoid making a mistake.
  • The policy is not practical. If the policy is complex or impractical, it won't work. As an example, many data retention policies have lots of event triggers and disposition reviews that can't easily be implemented in any IT system.
  • The policy is not measurable. If compliance with an information management policy can't easily be measured, then compliance can't easily be ensured.
  • The policy is very high-level. Many corporate policies are written at a very high level to accommodate local requirements. The consequence is often that one corporate policy becomes many different local policies, making it difficult to ensure corporate compliance across an enterprise.

So, how do you then establish a good governance policy?

Stakeholder involvement with practical evaluations

Ensure the policy is established with the relevant stakeholders, not only within the department responsible for the policy. This should include representatives from:

  • Business users who need information to operate the organization,
  • IT departments who must implement the mechanics of information management, and
  • Legal, risk, and regulatory departments who understand the organization’s duty to preserve information beyond its immediate business value.

Don't allow a corporate policy to be developed by just one function if the policy will be used across the corporation.

Updating or developing a governance policy should include the following:

Process with continual improvement

Ensure the policy will enable you to set up a process to ensure compliance, detect non-compliance, and respond to non-compliance. The policy needs to change when the requirements change. This could be changes to technology, the lifecycle model, the metadata model, policies, procedures, training, communication, etc.

Try to ensure the process applies not only to the HQ, but also to local offices. This means the corporate process should cover the toughest local requirements. As an example, if financial information needs to be kept for a minimum of 10 years in the EU and 7 years in the US, then make 10 years your corporate retention requirement. If HR files need to be deleted at most 5 years after an employee leaves your business in the EU, and never in the US, then make 5 years your corporate retention requirement.

Training with audits

Ensure the policy can be trained against to ensure correct and consistent behaviour. The policy needs to ensure consistent behaviour by both people and systems. This often includes changing behaviours, which takes time and effort. Just publishing the policy won't cut it.

We achieve this by focusing our training design on:

  • Outcome – agree with stakeholders the behaviours that should change
  • Personas – segment the audience based on personas to ensure relevant and useful training
  • Engaging – make the course memorable, fun, interactive, and enable attendees to also learn from each other
  • Repetitive – first educate attendees in the why, then the how, and then require them to do it during the training
  • Applicable – make it easy to remember and use the new knowledge with hands-on exercises, checklists, and on-demand repetition
  • Measurable – define key performance metrics to identify how well the training changes behaviours

Technology with metrics

Ensure the policy can be implemented in IT systems and measured. Many enterprises try to use old principles from the paper era to manage information in the digital era, but the growing volume, variety, and velocity of electronic information requires a new approach.

Let me give you three examples:

  1. Big-bucket retention schedules – don't waste time creating lots of retention schedules that users and machines will struggle with. The more buckets, the more options, the more errors, the more complexity. Instead, minimize the number of retention schedules to make it easier for users and machines to pick the right retention.
  2. Event-based retention – don't complicate the user experience and waste IT resources on event-based retention unless absolutely necessary. Event-based retention requires users to add unique metadata to identify the relevant records (e.g. employee number, agreement number) and triggers to be established to start the retention (e.g. employee leaving your organization, agreement has expired). Try instead to rely on date-based retention based on information lifespan.
  3. Disposition reviews – don't waste time on manual disposition reviews at the end of the retention period. A manual review may make sense for Iron Mountain boxes, but not for individual records. As an example, disposition reviews of 1 million records with each review taking 15 minutes add up to 31,250 eight-hour working days. Use automatic disposition for records that can't be kept permanently.
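The two machine-friendly rules above, harmonizing to the toughest local requirement (from the process section) and date-based disposition from a small set of buckets (examples 1 to 3), as an added Python illustration that is not part of the original post; the bucket names, jurisdictions, and sample records are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Requirement:
    """Keep at least min_years; delete after max_years (None = may be kept indefinitely)."""
    jurisdiction: str
    min_years: int
    max_years: Optional[int]

def harmonize(reqs):
    """Corporate rule = toughest local requirement: longest minimum, shortest maximum.
    Raises if no single rule can satisfy every jurisdiction."""
    longest_min = max(r.min_years for r in reqs)
    maxes = [r.max_years for r in reqs if r.max_years is not None]
    shortest_max = min(maxes) if maxes else None
    if shortest_max is not None and longest_min > shortest_max:
        raise ValueError(f"conflict: minimum {longest_min}y exceeds maximum {shortest_max}y")
    return longest_min, shortest_max

# Constructed big-bucket schedule (bucket names are assumptions): few buckets, each a
# fixed lifespan counted from the record's creation date; None means permanent.
BUCKETS = {"financial": 10, "hr": 5, "corporate-records": None}
def add_years(d, years):
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February rolling onto a non-leap year
        return d.replace(year=d.year + years, day=28)

def disposition_date(created, bucket):
    """Date-based retention: the disposition date follows from creation date and bucket
    alone, with no event trigger or per-record metadata to maintain."""
    lifespan = BUCKETS[bucket]
    return None if lifespan is None else add_years(created, lifespan)

def records_due(records, today):
    """Ids of records whose retention has expired and that can be disposed of
    automatically; permanent records never appear here."""
    due = []
    for rid, created, bucket in records:
        d = disposition_date(created, bucket)
        if d is not None and d <= today:
            due.append(rid)
    return due

# Constructed sample records: (id, creation date, bucket).
SAMPLE_RECORDS = [("fin-001", date(2012, 3, 1), "financial"),
                  ("hr-007", date(2020, 2, 29), "hr"),
                  ("charter", date(1990, 1, 1), "corporate-records")]
```

A conflict (one jurisdiction's minimum longer than another's maximum) is reported rather than silently resolved, since no single corporate bucket can satisfy both.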

The policy should therefore be practical for both business users and machines. Feel free to contact us if you need help establishing a more future-proof governance policy.

Atle Skjekkeland is CEO of Infotechtion, a vendor-independent boutique consulting firm specializing in improving and automating information protection and governance in Office 365 and beyond.