© Copyright 2011 EMC Corporation. All rights reserved.

Information Governance Maturity Model: Resolving a multi-dimensional problem

Dalibor Ivkovic

EMC ANZ Momentum User Group 2011- Tech Track- Information Governance Maturity Model



Information Governance: Two points of view

• Internal point of view
– What? To manage information flows within an organisation
– Who? Staff, contractors, inter-business unit, intra business unit, subsidiary, parent, ...

• External point of view
– What? To fulfil statutory, regulatory & contractual obligations
– Who? Government, courts, customers, partners, suppliers, contractors...

• Why?
– Reputation / Brand
– Financial risk
– Quality of service
– Productivity
– Cost


Highlighting the risks of poor Information Governance

• A judgment for Coleman (Parent) Holdings in March 2005, also against Morgan Stanley for failure to comply with e-Discovery orders, resulted in costs of more than $1 billion.

• Sony - Sony faces a court battle over how it will pay for legal claims made in the wake of a massive data breach. In April 2011, Sony discovered that hackers had gained access to 77 million accounts on its PlayStation Network.

• WikiLeaks - An intelligence analyst, who joined the US Army in 2007, is accused of leaking 720,000 secret military and diplomatic US government documents.

• Cyber Warfare Command - In the US the Pentagon's systems are probed by unauthorised users about 6 million times a day. Total losses to cyber crime globally may be as high as $1 trillion.

• GFC / Collapse of Storm Financial - Major investigation in Australia.

• Australian Legal battle / capital works project - “Why was the wrong design document used to build this $mill infrastructure?”

• HK Government – “We want more transparency of government” – the issue of public confidence in government.


It keeps growing …

[Chart: gigabytes (axis 0 to 1,000B) by year, 2005 to 2010. Labelled values: 161 billion GB and 988 billion GB; 57% CAGR.]

Source: IDC, “The Expanding Digital Universe,” Sponsored by EMC, March ‘07

Information Governance is not optional!

– The amount of information in the world is set to increase 45-fold in the next decade. There will be an inverse relationship between information volume and IT staffing. During the same period IT staff are expected to grow 1.4-fold, about 1/40th of the increase in data – IDC/EMC report


Influential Roles

Areas: Information Risk | Policy Management | Information Capture & Classification | Information Access & Security | Information Content Governance | Retention Lifecycle Management

CxO x x

Compliance & Legal x x x x x x

Information Manager x x x x x

Bus Mgrs x x x x

IT x x x x x

This table indicates which roles are influential in each area of Information Governance


Information Governance: Four dimensions

• Applications: Access Control
• Infrastructure: Hardware Control
• Content: Structured & Unstructured; Classification & Controls
• Business: Risks & Policies


Leak of Intellectual Property

A contractor has distributed a sensitive document to your competitor. How did it happen?

Leak of Tech specs

Governance areas: Information Risk; Information Policies; Information Access & Security; Information Capture & Classification; Information Content Governance; Records Lifecycle Management

Questions raised:
• Secured? Audit Trail?
• Appropriate Legal Notices?
• Classified Correctly?
• Updated Policy Required?
• Retention of Legal documents?
• Contractor Training

A single issue can involve all areas of information governance


Six Information Governance Categories (columns in the maturity model chart)

• Information Risk
– Regulatory compliance
– Competitive threats

• Policy Management
– Definition, Discovery and ownership
– Including the structure of the governance organization itself
– Ability to communicate and enforce policies

• Information Capture & Classification
– e.g. Content, Email, Transactions, Call data

• Information Access & Security
– Access policies, corporate boundaries

• Information Content Governance
– Consistency, templates, legal clauses, brand governance

• Records Lifecycle Management
– Governance of information throughout its lifecycle


Maturity Levels

• The following 5 levels of maturity are proposed:

• 5 – Optimized
– The most effective and efficient possible, deliberate process improvement/optimization

• 4 – Managed
– Repeatable measurement against metrics, and an integrated part of the business operation

• 3 – Proactive
– Some planning and action, improved understanding of the process concerned

• 2 – Reactive
– Ad hoc activity based on day-to-day issues, “individual heroics”

• 1 – Aware
– Know that an issue exists, but little action


Information Access & Security

• Aware: No overall plan, but aware of potential issues
• Reactive: Security breaches dealt with as they occur. Not policy driven
• Proactive: Active management of security model, process based security in some areas. Manual configuration between systems
• Managed: Common plan for security policy implementation across the enterprise, managed by responsible team. Regular monitoring
• Optimized: Shared, centralised security policies referenced and enforced automatically, including boundary controls, breach alerts.

Risks
– Customer Data lost or stolen
– Unsecured management docs
– Loss of IP
– High integration and support cost

Benefits
– Scalable to support growth
– Centralized Identities & passwords
– Rapid, secure user provision/de-provision
– Fast threat detection and response
– High risk Information protected
– Automated updates for new threats
– Trust framework established


Information Capture & Classification

• Aware: Limited identification of information types, poor classification processes
• Reactive: Identified information types, ad hoc classification, loosely enforced
• Proactive: Selected information types managed as identified
• Managed: Enforced capture, consistent classification rules. Centrally managed policies
• Optimized: Automatic rule-based capture and classification maintained centrally.

Risks
– Losing what you need, keeping what you don’t
– No basis for security
– Loss of customer data
– Litigation through e-Discovery
– Cost of wasted duplication

Benefits
– Controlled vocabularies reduce cost and risk
– Success in ECM/Data systems deployment
– Strong platform for records mgmt
– Productive knowledge workers
– Efficient access and storage
– Effective search
– Maximum value from your information


Records Lifecycle Management

• Aware: Aware of the need for retention policies but not formally identified
• Reactive: Some long term archiving, managed on ad hoc basis. May be paper storage
• Proactive: Retention policy applied manually at point of retention based on pre-defined classifications/taxonomy
• Managed: Records policies applied automatically based on system defined policies and information classification
• Optimized: Automatic application of lifecycle policies and dynamic management over time through appropriate storage

Risks
– Litigation through audits and e-discovery
– Storage bloat
– Leakage of competitive information
– No response to freedom of information requests

Benefits
– Improved search
– Keep only Essential Records, Save $$
– MoReq2 Compliance
– Secure Chain of Custody
– e-Discovery ready
– Tiered storage benefits


Barriers to Enterprise Information Governance

• There are several reasons why proper information governance remains elusive, but the biggest challenges worldwide are (Economist):

– Identifying the cost/risk/return tradeoffs of managing information company-wide (40%)

– Enforcing policies company-wide (39%)

– Gaining support from department heads and line-of-business managers (35%)


Maturity Model

• Level 5
– Information Risk: Automated detection and remediation of high risk information
– Policy Management: Policies defined/confirmed and automatically enforced, with verification
– Information Access & Security: Shared, centralised security policies referenced and enforced automatically, including boundary controls, breach alerts.
– Information Capture & Classification: Automated capture and classification based on centralised policies
– Information Content Governance: Automated policy enforcement internally and across all external interfaces.
– Records Lifecycle Management: Automatic application of policies and dynamic management over time through appropriate storage

• Level 4
– Information Risk: Active management of risks on regular basis. Well classified information types in managed repositories
– Policy Management: Active management on regular basis using well classified information types in managed repositories.
– Information Access & Security: Common plan for security policy implementation across the enterprise, managed by responsible team. Regular monitoring
– Information Capture & Classification: Enforced capture, consistent classification rules. Centrally managed policies
– Information Content Governance: Agreed policies, automatically enforced. Dynamically generated content
– Records Lifecycle Management: Records policies applied automatically based on system defined policies and information classification

• Level 3
– Information Risk: Awareness of information risks, Silo’d repositories with some riskier information more managed than others, possibly by department.
– Policy Management: Policies published corp.wide, manual enforcement by subset of owners.
– Information Access & Security: Active management of security model, process based security in some areas. Manual configuration between systems
– Information Capture & Classification: Selected information types managed as identified, automated scan & file
– Information Content Governance: Agreed policies, automatically and/or manually enforced. Some standard templates
– Records Lifecycle Management: Retention policy applied manually at point of retention based on pre-defined classifications/taxonomy

• Level 2
– Information Risk: Specific risk issues are worked on as they arise
– Policy Management: Selectively communicated, manual enforcement when issues arise
– Information Access & Security: Security breaches dealt with as they occur. Not policy driven
– Information Capture & Classification: Identified information types, ad hoc classification, loosely enforced
– Information Content Governance: Manually enforced rules departmentally/application specific
– Records Lifecycle Management: Some retention schedules defined, managed on ad hoc basis. May be paper storage

• Level 1
– Information Risk: Awareness of operational risk in information handling, but not managed
– Policy Management: Awareness of the need, but no definition or enforcement
– Information Access & Security: No overall plan, but aware of potential issues
– Information Capture & Classification: Limited identification of information types, poor classification processes
– Information Content Governance: User driven free-form author/publish
– Records Lifecycle Management: Aware of the need for retention policies but not formally identified

Assessments:
• Data Discovery Assessment
• IG Risk Assessment
• Content Consolidation Assessment
• Retention and Records Policy Review
• Policy Framework Assessment
• Site integrity check


Consulting exercises summary

Exercise | Duration (days) | Done by | Output
IG Maturity Model Workshop | 2 (1d workshop) | Strategic Consultant | MM and benefits summary presented
Unstructured Data Discovery Assessment | 3-5 | Consultant | Statistical reports and recommendations
IG Risk Assessment | 10-20 | Strategic Consultant | Itemised report
Content Consolidation Assessment | 3-5 | Consultant | Statistical reports and recommendations
Summary Business Case and ROI Model | 10 | Strategic Consultant | Summary business case and high level plan
Retention and Records Policy Review | 5 | RM Strategic Consultant | Policy recommendations


Maturity Model Workshop deliverable

• Report
– Current positioning on the maturity model
– Risks of current position
– Potential benefits to be gained in each area
– Recommendations for target maturity level and next steps
– Areas where IIG can assist


This high level schedule provides an overview of the programme. Each program will be assessed and scheduled with its own business justification and budget.

[Roadmap chart, timeline 2010, 2011, 2012]

Tracks: Access & Security; Information Risk; Records Lifecycle Management; Policy Management; Capture & Classification; Content Governance

Scheduled items:
• Business Case / Roadmap
• Detail plans
• Execute
• Single Sign on
• 2 Factor Authentication
• Audit Preparation
• CollabR3 deploy
• Web Site Auto-checks
• SAP Integr.
• RPSR4 deploy
• Site Search & eDiscovery Engine
• Retention in place


THANK YOU