System analysis in information governance
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
October 18, 2021
Parker and Braithwaite define governance in The Oxford Handbook of Legal Studies as something “intentional” that shapes events for positive outcomes. If we translate that into information governance speak, we can say that the aim of information governance is to ensure that confidentiality, integrity, and availability remain constant.
To achieve this consistency, companies must analyse their systems that hold critical and vital business information to ensure that vulnerabilities and threats existing in the configuration are spotted and addressed.
Consider a bank that analyses the configuration of the systems storing the sensitive personal information of all its customers, only to realise that the current flow into the repository is redundant and introduces risks. It immediately contacts the IT team to simplify the system and attend to the existing risk. Redesigning that process produces a new approach and eliminates the existing risks.
It is not enough to have the right information governance structure. It is important to map out how information is captured, know which system captures that information, and understand how long that information is stored within that system.
Another consideration is who has access to those information assets. Where the systems are managed by third-party companies, attention must be given to the data sharing agreements and to the procedures in place to ensure that the processor understands its obligations in the scheme of things.
The big question then is how do we go about system analysis in information governance? What else should companies be looking out for beyond what I’ve mentioned in the last paragraph?
Again, the foundational step, as I’ve mentioned in previous articles, is to carry out an extensive data mapping exercise (this can be done manually or in an automated fashion), as it provides a broad overview of information flow within the organisation.
The second step is to produce a data flow map, ideally in diagram form, showing which system captures what information and which system stores it. The privacy or information governance officer must keep an inventory of these systems and what each of them captures.
Another step is to understand the security protocols in use when the systems communicate with each other: for example, when system X transfers information to system Y, what encryption is applied to the data in transit. The company must document when these transfers are carried out so that there is an audit trail of actions taken in and around the systems.
When the data has reached its destination, companies must list the individuals who have access to that system. Each system must have an activity log so that the company has a clear view of everything going on in it.
It is good practice in information governance to have these steps in place in order to understand where risks exist within the systems. Mapping of systems, one must add, should be done at departmental level, so that the company’s information officer knows which areas need attention. Without this, she might find it hard to locate other existing risks that leave room for IT system breaches.
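The inventory and gap-finding steps above, as an added example that is not the article’s own code: a small Python inventory of systems and the data flows between them, checked for the gaps the column lists (retention not established, no access list, no activity log, a transfer with no documented encryption or audit trail, a processor without a data sharing agreement, and a flow into a system nobody inventoried), with each finding tagged by department. All system, department, person and processor names are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class System:
    name: str
    department: str
    captures: list[str]                 # information categories this system captures
    retention_days: int | None = None   # None: retention period not yet established
    access: list[str] = field(default_factory=list)  # individuals with access
    activity_log: bool = False          # system keeps an activity log
    processor: str | None = None        # third party operating the system, if any
    sharing_agreement: bool = False     # data sharing agreement with that processor

@dataclass
class Flow:
    source: str
    dest: str
    data: str
    encryption: str | None = None       # documented transfer encryption, e.g. "TLS 1.2"
    logged: bool = False                # transfers are recorded for the audit trail

def analyse(systems: list[System], flows: list[Flow]) -> list[tuple[str, str, str]]:
    """Return sorted (department, system, gap) triples for the inventory."""
    inv, gaps = {s.name: s for s in systems}, []
    for s in systems:
        if s.retention_days is None:
            gaps.append((s.department, s.name, "retention period not established"))
        if not s.access:
            gaps.append((s.department, s.name, "no list of individuals with access"))
        if not s.activity_log:
            gaps.append((s.department, s.name, "no activity log"))
        if s.processor and not s.sharing_agreement:
            gaps.append((s.department, s.name, f"no data sharing agreement with {s.processor}"))
    for f in flows:
        dept = inv[f.source].department if f.source in inv else "unknown"
        if f.dest not in inv:  # a flow into a system nobody inventoried is itself a gap
            gaps.append((dept, f.source, f"{f.data} to {f.dest}: destination not in inventory"))
        if f.encryption is None:
            gaps.append((dept, f.source, f"{f.data} to {f.dest}: no documented encryption"))
        if not f.logged:
            gaps.append((dept, f.source, f"{f.data} to {f.dest}: no transfer audit trail"))
    return sorted(gaps)

# Constructed sample inventory (assumed names, not from the article).
SYSTEMS = [System("crm", "Sales", ["contact details"], 730, ["a.okafor"], activity_log=True),
           System("billing", "Finance", ["card details"], None, [], True, "PayCo Ltd"),
           System("archive", "Operations", ["contact details"], 2555, ["j.smith"])]
FLOWS = [Flow("crm", "billing", "contact details", "TLS 1.2", True),
         Flow("billing", "archive", "card details"),  # nothing documented for this hop
         Flow("crm", "reporting", "contact details", "TLS 1.2", True)]  # dest not inventoried
```

Running `analyse(SYSTEMS, FLOWS)` on the constructed inventory reports seven gaps, five of them against the Finance department’s billing system, which is the kind of per-department view the column asks the information officer to keep.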
System analysis is critical in any information governance structure and allows the company to further probe into the existing governance framework and tease out existing gaps for immediate remediation.