Targeting Risks in IT – 5 Things to Consider

July 11, 2016 Marta Farensbach

Today’s compliance, litigation, and regulation-heavy business environments introduce a number of challenges for busy IT professionals. Ignoring any of these areas, as well as failing to implement a strong Information Governance (IG) platform, can introduce substantial risk into your organization. In the worst cases, data breaches, adverse judgements, or non-compliance penalties could thrust a company into the glare of national headlines. Poor policy can affect more than just the finances of a company; loss of reputation and consumer confidence can be far more impactful in the greater marketplace. Take a look at the links below for information and ideas from Sherpa Software on how to reduce risk in various problem areas.

The biggest area of concern for many companies may well be Data Security. Strong, well-tested methods are essential to prevent loss of critical material and to ensure that key information assets are not mislaid or misused. Procedures need to be in place (and audited) to prevent intrusions and other cybercrime. When combined with Regulatory Compliance, data security forms a critical portion of corporate responsibility in many IT departments. For example, regulations dealing with PCI and PII data are numerous and far-reaching. These rules are designed to deter data theft and encourage the secure handling of critical records, and they include best practices for data at rest and data in transit. Personally Identifiable Information (PII), such as dates of birth and social security or social insurance numbers (SINs), is covered by privacy laws, while payment card data (card numbers, expiry dates, and security codes) falls under the Payment Card Industry Data Security Standard (PCI DSS); both are in scope for these guidelines. Scanning your environment, evaluating your processes, and testing for weaknesses are essential to ensure that sensitive information is protected.

Compliance is also felt in other areas. Many organizations, such as those regulated by Sarbanes-Oxley (SOX), HIPAA, the Gramm-Leach-Bliley Act (GLBA), and others, need to perform scheduled audits and respond to regulatory requests to fulfill their legally mandated obligations. Public entities are not immune from these regulatory concerns. At the federal, state, and local level, the Freedom of Information Act (FOIA) and other ‘Open Records’ or ‘Sunshine’ laws require governments, schools, and other public entities to produce records requested by citizens.

Risk pops up in eDiscovery – an area that often requires significant attention from the IT department. Whether responding to subpoenas, putting together proactive response plans, or deploying in-house resources, the search and collection of electronically stored information (ESI) can prove to be overwhelming for an underprepared staff.

The dangers inherent in poorly executed eDiscovery cannot be overstated. Many aspects of litigation are mandated by the Federal Rules of Civil Procedure (FRCP). A detailed eDiscovery plan mitigates risk while streamlining the costs, resources, and time associated with legal action. An essential requirement of the FRCP is to prevent the spoliation (destruction or modification) of data relevant to ongoing litigation. Litigation Holds should follow the legal mandates to preserve data; the penalties for failure can be severe, including fines and adverse judgements.

eDiscovery also provides the backbone for Internal Investigations, which need to be performed quickly and effectively to maintain security and prevent data loss, fraud, and other menaces to corporate wellbeing.

Both Compliance and eDiscovery are aided by an effective Information Governance (IG) strategy. A good IG framework reduces risk by implementing policy and processes designed to manage company data assets from creation to disposition. This includes the creation and enforcement of rules governing wide-ranging areas including data access, internet use, disaster recovery, and ‘bring your own device’ (BYOD), as well as the regulation and control of corporate communications and data storage.

Another critical component of IG is policy enforcement, which combines with electronic records management to prevent redundant, outdated, and trivial information (ROT) from clogging up servers, bogging down business processes, and making essential data more difficult to locate. An effective policy will clarify the retention and disposition of records based on their organizational value. Policies of this kind form the basis of a credible, defensible deletion plan.

Sherpa Software offers a number of solutions for a variety of environments to target these critical functions to help reduce risk for your entire organization. In addition to the articles listed above, keep an eye out for our new White Paper outlining the best practices for applying a Risk Management strategy.


The post Targeting Risks in IT – 5 Things to Consider appeared first on Sherpa Software.

