How Governance Can Address Compliance Challenges
By Guest Author | Posted 2016-05-27
Corporations must prepare for regulatory inquiries and arm against data breaches. That should start with proactive, strategic information governance practices.
By Jake Frazier
Corporations in highly regulated industries, such as insurance, health care, finance and manufacturing, face countless challenges in maintaining compliance with regulations and in securing their data. Many such companies also house sensitive data on behalf of customers.
The increasing incidence of cyber-attacks—which can target essentially any corporation—combined with uncertainty over how strict regulators may become in the future, makes data management increasingly complex.
In response, corporations must be adequately prepared for regulatory inquiries and investigations, and armed against data breaches. All of this begins with proactive and strategic information governance (IG) practices. With sound IG, organizations can cost-effectively secure sensitive customer data, prepare for inspection and audit by regulators, and prevent the financial implications of a data breach, which the IBM and Ponemon Institute "2014 Cost of Data Breach Study: United States" estimated at $5.9M per incident.
Information-governance initiatives require buy-in and implementation from stakeholders across the company, and they can be successful only when approached by an inclusive team that extends beyond the IT department. Establishing appropriate requirements, policies, procedures and controls is often complicated by the requirements of regulations, large data volumes, the number of individuals accessing records, new data types, and the range of disparate applications found in most organizations.
Once the key stakeholders agree to tackle this problem, the IG team can take a few steps to get the program off the ground. Here are three steps companies can take to improve regulatory compliance and data security through information governance, in preparation for the inevitable audit or data breach.
These steps aren’t necessarily easy, but a good motto is that perfection shouldn’t be the enemy of progress. Also, any concerted effort in the right direction should be considered a win.
1. Evaluate the current internal landscape.
By conducting an end-to-end systems inspection and employee interviews, and by evaluating policy documentation, governance teams can assess the risk and understand the company’s vulnerabilities. Regulators are acutely aware that data breaches may result from the absence of controls in patch management. During an inquiry, they may take a close look at how the corporation monitors the transfer of data outside the firewall and how unauthorized data transfers are addressed.
In the event of a breach or other regulatory failure, it is important for corporations to provide regulators with a single point of contact—a person who understands internal processes and can work to resolve the matter efficiently. Designating a trusted outside consultant to advise on and execute IG processes and to work with regulators is a critical element of managing post-breach investigations. This third party must be experienced in data governance and regulatory issues, and able to clearly communicate the company’s compliance initiatives to authorities.
2. Establish compliant retention.
The seemingly simple first step of knowing which data to retain can be a huge challenge. Companies in regulated industries must follow a detailed and extensive set of guidelines for what type of data must be retained, where and how it should be stored, and for how long. Information security and governance controls can be built into data repositories, automating much of the retention process, in keeping with specific company retention policies and regulatory statutes.
Establishing retention policies also means adopting protocols for compliant disposition, because the safest way to ensure that a piece of information isn’t leaked or hacked is to dispose of it as soon as it is eligible for disposal. Any data that doesn’t fall under retention guidelines may be deleted, provided that deletion and disposal are done in a consistent and documented way.
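The retention-and-disposition rule described above, in working form, as an added example that is not part of the article and not any particular company's or regulator's schedule: the retention periods, the policy version string and the sample records are all constructed placeholders. The point it demonstrates is the consistency and documentation the text calls for: every record is evaluated by the same rules, legal holds override the schedule, categories with no schedule go to human review instead of being silently deleted, and every decision is written to an audit line.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical retention schedule (placeholder values, not any regulator's rule):
# category -> whole years a record must be kept after its creation date.
RETENTION_YEARS = {
    "customer_pii": 7,
    "transaction": 10,
    "marketing": 2,
}
POLICY_VERSION = "example-schedule-v1"  # stamped on every audit line
AS_OF = date(2024, 1, 15)               # constructed "today" for the sample run


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    legal_hold: bool = False


@dataclass
class Decision:
    record_id: str
    action: str   # "retain", "dispose" or "review"
    reason: str


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 February start date falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def evaluate(record: Record, today: date) -> Decision:
    """Apply the schedule to one record, in a fixed order of precedence:
    1. legal hold always wins; 2. unknown category -> review, never delete;
    3. otherwise dispose once the retention period has elapsed, else retain."""
    if record.legal_hold:
        return Decision(record.record_id, "retain", "legal hold in effect")
    years = RETENTION_YEARS.get(record.category)
    if years is None:
        return Decision(record.record_id, "review",
                        f"no retention schedule for category {record.category!r}")
    expires = add_years(record.created, years)
    if today >= expires:
        return Decision(record.record_id, "dispose",
                        f"retention period of {years} years ended {expires.isoformat()}")
    return Decision(record.record_id, "retain",
                    f"retention period of {years} years runs until {expires.isoformat()}")


def disposition_run(records, today):
    """Evaluate a batch with one rule set, so every record is treated the same way."""
    return [evaluate(r, today) for r in records]


def audit_lines(decisions, today):
    """Tab-separated trail: when, under which policy version, which record, what, why."""
    return [f"{today.isoformat()}\t{POLICY_VERSION}\t{d.record_id}\t{d.action}\t{d.reason}"
            for d in decisions]


# Constructed sample records covering each branch of the rules.
SAMPLE_RECORDS = [
    Record("R-1001", "customer_pii", date(2015, 6, 1)),            # past 7 years -> dispose
    Record("R-1002", "customer_pii", date(2018, 6, 1)),            # still inside 7 years -> retain
    Record("R-1003", "transaction", date(2010, 1, 1), legal_hold=True),  # hold overrides age
    Record("R-1004", "vendor_contract", date(2000, 1, 1)),         # no schedule -> review
    Record("R-1005", "marketing", date(2020, 2, 29)),              # leap day start -> dispose
]

if __name__ == "__main__":
    for line in audit_lines(disposition_run(SAMPLE_RECORDS, AS_OF), AS_OF):
        print(line)
```

In a real deployment the audit lines would go to an append-only store that the IG team and regulators can inspect, and the "review" queue would be worked by a person before anything in it is touched; the script deliberately never performs the deletion itself, it only produces the documented decision.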