Information Governance: You Have to Start Somewhere

Author: ISACA Now
Date Published: 21 November 2019

Deborah Juhnke, senior consultant with Information Governance Group LLC, cited a definition of information governance as “an organization’s coordinated, interdisciplinary approach to satisfying information compliance requirements and managing information risks while optimizing information.”

Accomplishing all of that can be a tall order, even overwhelmingly so, acknowledged Juhnke in her session, “Information Governance – The Foundation of Information Security,” that took place today at the Infosecurity-ISACA North America Expo and Conference in New York City.

Considering the size of the challenge, Juhnke encouraged practitioners to identify some “low-hanging fruit” to start with, while remaining mindful of the bigger picture.

“While on the one hand being overwhelmed with everything is bad, at the same time, you kind of need to think of the whole picture to then drill down on a particular issue,” Juhnke said. “That’s the challenge: seeing the big picture but not being overwhelmed by the big picture, and still being able to then focus down and say we have all the elements and all the stakeholders, now let’s get those stakeholders together and see what we want to tackle first.

“It might not be your problem, it might be this [person]’s problem, but let’s figure something out and go after it, and show some success.”


Juhnke asked attendees how many of them go back to read emails from 2002, making the point that managing a glut of outdated data can be unnecessary and counterproductive.

“Look carefully at your email rules, if you have any, to find out how to best contain the creation and retention of email,” she said. “Secondary to that would be to find any archives of email and be sure that you can clean those up.”

By the same token, Juhnke said fileshare services, if unchecked, can pose tricky governance challenges, so they present another opportunity to streamline governance priorities.

“Make some effort at sifting through them to figure out what’s there,” Juhnke said. “There tend to be ways of going through that where you can just take a chainsaw to some of it because it’s just so old – well, that’s gone. Then you maybe need to be a little more careful at the next level and maybe get some user involvement at that point, but work your way through those fileshares to see if you can clean that out, and at the same time, give [users] a new model.”

In general, having too much information leads to a lack of efficiency and can present compliance challenges, so being judicious when it comes to classifying and storing data is critically important.

Other key takeaways from Juhnke’s presentation included:

  • Unmanaged, unstructured data increases the footprint for compromise.
  • There are ample regulatory and legal drivers for change.
  • Security standards support improved information governance.
  • Engaging multiple stakeholders enhances the argument for change.
  • Triage and disposition will diminish the attack surface and improve compliance.

Editor’s note: For additional coverage of the Infosecurity-ISACA North America Expo and Conference, see the latest “Off-Stage and Off-Script” episodes of the ISACA Podcast.