In a previous post I suggested that Information Technology is really in a good position to help identify and clean up ROT (redundant, obsolete, and trivial information). Sometimes, though, IT needs a helping hand to get the attention of those who can approve a budget for clean-up initiatives. Here’s where Audit comes in.
Over the years, I’ve seen many information governance clean-up programs come to life in the wake of an expensive e-discovery effort, or an embarrassing and costly data breach. Needless to say, such events draw the attention of the C-suite and boards of directors. That attention usually translates into emergency funding and action to shut down e-mail retention, delete old files, and generally do what should have been done all along: better manage information. Audits, whether external or internal, can serve the same function.
Depending on your industry, routine audits are a fact of life. In financial services, the Office of the Comptroller of Currency may issue an MRA (Matter Requiring Attention), which requires senior management attention and immediate action. Although MRAs may address a variety of risk and compliance issues, they increasingly focus on cybersecurity. And one of the greatest risk factors for cybersecurity is too much information that is not properly inventoried, classified, or even necessary. In other words, ROT. As another example, the Office of Civil Rights has been actively pursuing HIPAA privacy, security, and breach notification audits of covered entities and business associates. Poor findings here regarding information governance and privacy protection can result in monetary penalties and a corrective action plan.
Internal information security audits may be the ideal catalyst for change. They are not typically public, so they can act as the “canary in the coal mine,” alerting management to impending danger well before an external audit or catastrophic public event finds the same vulnerability. By many estimates, as much as 80% of the information stored on corporate systems is unnecessary. Leaving aside the cost of storage (not cheap), simply having too much information exposes organizations to risk. An internal InfoSec audit should consider that “[e]xperts are predicting a 4,300 percent increase in annual data production by 2020.” Thus we can only assume that our information management challenges will increase, as will our risk, if nothing is done to curb the retention of ROT.
One basis for InfoSec’s involvement in auditing ROT is the guidance found in ISO 27002, sections 8 (Asset Management) and 18 (Compliance). Section 8 focuses on inventory, ownership, classification, acceptable use, handling, disposal, and protection of assets, including information assets. Each of these clauses provides a good basis for inquiry regarding the organization’s secure management of its information. Section 18.1.3 speaks directly to protection of records. Specifically, it states that records should be identified and their statutory and regulatory retention periods followed. It also addresses the need for appropriate destruction of records when the retention period lapses.
ISO security standards, the NIST Cybersecurity Standard, regulatory guidance, and myriad other security frameworks all support, if not demand, better information governance. InfoSec Audit can help make the case for change by including ROT in its risk analysis.