EMC ANZ Momentum User Group 2011- Tech Track- Information Governance Maturity Model
Slide 1 © Copyright 2011 EMC Corporation. All rights reserved.
Information Governance Maturity Model: Resolving a multi-dimensional problem
Dalibor Ivkovic
Slide 2
Information Governance: Two points of view
1. Internal point of view
 - What? To manage information flows within an organisation
 - Who? Staff, contractors, inter-business unit, intra-business unit, subsidiary/parent, ...
2. External point of view
 - What? To fulfil statutory, regulatory & contractual obligations
 - Who? Government, courts, customers, partners, suppliers, contractors, ...
Why? Reputation / brand, financial risk, quality of service, productivity, cost
Slide 3
Highlighting the risks of poor Information Governance
• A March 2005 judgment for Coleman (Parent) Holdings against Morgan Stanley, for failure to comply with e-Discovery orders, resulted in costs of more than $1 billion.
• Sony - Sony faces a court battle over how it will pay for legal claims made in the wake of a massive data breach. In April 2011, Sony discovered that hackers had gained access to 77 million accounts on its PlayStation Network.
• WikiLeaks - An intelligence analyst who joined the US Army in 2007 is accused of leaking 720,000 secret US government military and diplomatic documents.
• Cyber Warfare Command - In the US, the Pentagon's systems are probed by unauthorised users about 6 million times a day. Total losses to cyber crime globally may be as high as $1 trillion.
• GFC / Collapse of Storm Financial - Major investigation in Australia.
• Australian legal battle / capital works project - “Why was the wrong design document used to build this $mill infrastructure?”
• HK Government - “We want more transparency of government” - the issue of public confidence in government.
Slide 4
It keeps growing …
[Chart: gigabytes of information worldwide, 2005 to 2010, growing from 161 billion GB to 988 billion GB at a 57% CAGR. Source: IDC, “The Expanding Digital Universe,” sponsored by EMC, March ’07]
Information Governance is not optional!
– The amount of information in the world is set to increase 45-fold in the next decade. There will be an inverse relationship between information volume and IT staffing. During the same period IT staff are expected to grow 1.4-fold, about 1/40th of the increase in data – IDC/EMC report
Slide 5
Influential Roles
Areas of Information Governance (columns): Information Risk; Policy Management; Information Capture & Classification; Information Access & Security; Information Content Governance; Retention Lifecycle Management
Roles (rows), with one x for each area the role influences:
CxO: x x
Compliance & Legal: x x x x x x
Information Manager: x x x x x
Bus Mgrs: x x x x
IT: x x x x x
This table indicates which roles are influential in each area of Information Governance
Slide 6
Information Governance: Four dimensions
• Applications: Access Control
• Infrastructure: Hardware Control
• Content: Structured & Unstructured; Classification & Controls
• Business: Risks & Policies
Slide 7
Leak of Intellectual Property
Scenario: A contractor has distributed a sensitive document to your competitor. How did it happen?
Questions raised in each area of information governance:
• Information Risk: Leak of tech specs
• Information Policies: Updated policy required?
• Information Access & Security: Secured? Audit trail?
• Information Capture & Classification: Classified correctly?
• Information Content Governance: Appropriate legal notices?
• Records Lifecycle Management: Retention of legal documents?
• Contractor training
A single issue can involve all areas of information governance
Slide 8
Six Information Governance Categories (columns in the maturity model chart)
• Information Risk
 – Regulatory compliance
 – Competitive threats
• Policy Management
 – Definition, discovery and ownership
 – Including the structure of the governance organization itself
 – Ability to communicate and enforce policies
• Information Capture & Classification
 – e.g. content, email, transactions, call data
• Information Access & Security
 – Access policies, corporate boundaries
• Information Content Governance
 – Consistency, templates, legal clauses, brand governance
• Records Lifecycle Management
 – Governance of information throughout its lifecycle
Slide 9
Maturity Levels
• The following 5 levels of maturity are proposed:
• 5 – Optimized
 – The most effective and efficient possible; deliberate process improvement/optimization
• 4 – Managed
 – Repeatable measurement against metrics, and an integrated part of the business operation
• 3 – Proactive
 – Some planning and action, improved understanding of the process concerned
• 2 – Reactive
 – Ad hoc activity based on day-to-day issues, “individual heroics”
• 1 – Aware
 – Know that an issue exists, but little action
Slide 10
Information Access & Security
• Aware: No overall plan, but aware of potential issues
• Reactive: Security breaches dealt with as they occur. Not policy driven
• Proactive: Active management of security model, process based security in some areas. Manual configuration between systems
• Managed: Common plan for security policy implementation across the enterprise, managed by responsible team. Regular monitoring
• Optimized: Shared, centralised security policies referenced and enforced automatically, including boundary controls, breach alerts.
Risks: Customer data lost or stolen; Unsecured management docs; Loss of IP; High integration and support cost
Benefits: Scalable to support growth; Centralized identities & passwords; Rapid, secure user provision/de-provision; Fast threat detection and response; High risk information protected; Automated updates for new threats; Trust framework established
Slide 11
Information Capture & Classification
• Aware: Limited identification of information types, poor classification processes
• Reactive: Identified information types, ad hoc classification, loosely enforced
• Proactive: Selected information types managed as identified
• Managed: Enforced capture, consistent classification rules. Centrally managed policies
• Optimized: Automatic rule-based capture and classification maintained centrally.
Risks: Losing what you need, keeping what you don’t; No basis for security; Loss of customer data; Litigation through e-Discovery; Cost of wasted duplication
Benefits: Controlled vocabularies reduce cost and risk; Success in ECM/data systems deployment; Strong platform for records mgmt; Productive knowledge workers; Efficient access and storage; Effective search; Maximum value from your information
Slide 12
Records Lifecycle Management
• Aware: Aware of the need for retention policies but not formally identified
• Reactive: Some long term archiving, managed on ad hoc basis. May be paper storage
• Proactive: Retention policy applied manually at point of retention based on pre-defined classifications/taxonomy
• Managed: Records policies applied automatically based on system defined policies and information classification
• Optimized: Automatic application of lifecycle policies and dynamic management over time through appropriate storage
Risks: Litigation through audits and e-discovery; Storage bloat; Leakage of competitive information; No response to freedom of information requests
Benefits: Improved search; Keep only essential records, save $$; MoReq2 compliance; Secure chain of custody; e-Discovery ready; Tiered storage benefits
Slide 13
Barriers to Enterprise Information Governance
• There are several reasons why proper information governance remains elusive, but the biggest challenges worldwide are (Economist):
 – Identifying the cost/risk/return tradeoffs of managing information company-wide (40%)
 – Enforcing policies company-wide (39%)
 – Gaining support from department heads and line-of-business managers (35%)
Slide 14
Maturity Model
Columns: Information Risk | Policy Management | Information Access & Security | Information Capture & Classification | Information Content Governance | Records Lifecycle Management

Level 5 – Optimized
• Information Risk: Automated detection and remediation of high risk information
• Policy Management: Policies defined/confirmed and automatically enforced, with verification
• Information Access & Security: Shared, centralised security policies referenced and enforced automatically, including boundary controls, breach alerts.
• Information Capture & Classification: Automated capture and classification based on centralised policies
• Information Content Governance: Automated policy enforcement internally and across all external interfaces.
• Records Lifecycle Management: Automatic application of policies and dynamic management over time through appropriate storage

Level 4 – Managed
• Information Risk: Active management of risks on regular basis. Well classified information types in managed repositories
• Policy Management: Active management on regular basis using well classified information types in managed repositories.
• Information Access & Security: Common plan for security policy implementation across the enterprise, managed by responsible team. Regular monitoring
• Information Capture & Classification: Enforced capture, consistent classification rules. Centrally managed policies
• Information Content Governance: Agreed policies, automatically enforced. Dynamically generated content
• Records Lifecycle Management: Records policies applied automatically based on system defined policies and information classification

Level 3 – Proactive
• Information Risk: Awareness of information risks; silo’d repositories with some riskier information more managed than others, possibly by department.
• Policy Management: Policies published corp. wide, manual enforcement by subset of owners.
• Information Access & Security: Active management of security model, process based security in some areas. Manual configuration between systems
• Information Capture & Classification: Selected information types managed as identified, automated scan & file
• Information Content Governance: Agreed policies, automatically and/or manually enforced. Some standard templates
• Records Lifecycle Management: Retention policy applied manually at point of retention based on pre-defined classifications/taxonomy

Level 2 – Reactive
• Information Risk: Specific risk issues are worked on as they arise
• Policy Management: Selectively communicated, manual enforcement when issues arise
• Information Access & Security: Security breaches dealt with as they occur. Not policy driven
• Information Capture & Classification: Identified information types, ad hoc classification, loosely enforced
• Information Content Governance: Manually enforced rules, departmentally/application specific
• Records Lifecycle Management: Some retention schedules defined, managed on ad hoc basis. May be paper storage

Level 1 – Aware
• Information Risk: Awareness of operational risk in information handling, but not managed
• Policy Management: Awareness of the need, but no definition or enforcement
• Information Access & Security: No overall plan, but aware of potential issues
• Information Capture & Classification: Limited identification of information types, poor classification processes
• Information Content Governance: User driven free-form author/publish
• Records Lifecycle Management: Aware of the need for retention policies but not formally identified

Assessments offered against the model: Maturity Model; Data Discovery Assessment; IG Risk Assessment; Content Consolidation Assessment; Retention and Records Policy Review; Policy Framework Assessment; Site integrity check
Slide 15
Consulting exercises summary
Exercise | Duration (days) | Done by | Output
IG Maturity Model Workshop | 2 (1d workshop) | Strategic Consultant | MM and benefits summary presented
Unstructured Data Discovery Assessment | 3-5 | Consultant | Statistical reports and recommendations
IG Risk Assessment | 10-20 | Strategic Consultant | Itemised report
Content Consolidation Assessment | 3-5 | Consultant | Statistical reports and recommendations
Summary Business Case and ROI Model | 10 | Strategic Consultant | Summary business case and high level plan
Retention and Records Policy Review | 5 | RM Strategic Consultant | Policy recommendations
Slide 16
Maturity Model Workshop deliverable
• Report
 – Current positioning on the maturity model
 – Risks of current position
 – Potential benefits to be gained in each area
 – Recommendations for target maturity level and next steps
 – Areas where IIG can assist
Slide 17
This high level schedule provides an overview of the programme. Each program will be assessed and scheduled with its own business justification and budget.
[Roadmap chart, 2010 to 2012]
Phases: Business Case / Roadmap; Detail plans; Execute
Workstreams: Access & Security; Information Risk; Records Lifecycle Management; Policy Management; Capture & Classification; Content Governance
Milestones shown: Single Sign on; 2 Factor Authentication; Audit Preparation; CollabR3 deploy; Web Site Auto-checks; SAP Integr.; RPSR4 deploy; Site Search & eDiscovery Engine; Retention in place
Slide 18
THANK YOU