Protecting the Crown Jewels - Information governance and the corporation

Anyone who owns a home understands they need a way to safely protect their family’s “crown jewels,” such as key documents, jewelry and irreplaceable photos, from theft, loss and catastrophe. Solving this problem is typically simple: buy a safe. Somewhat more complicated is the process of finding and determining what to put in the safe. Should the title to the car go in there? What about passports? If I wear my Rolex once a week, is it worth bothering to keep in the safe the rest of the time? And those photos of my grandparents are in a box in the attic somewhere; I really should find them and put them in the safe.

IGRM - Information Governance Reference Model graphic

Similarly, every organization has a set of crown jewels—information that is critical, unique or irreplaceable. And much like at home, the most difficult part of protecting them is not actually the repository, it is determining what information qualifies for this type of protection, and finding it, and moving it to a safer place.

This is in part because no single person or department can define what constitutes the crown jewels. That requires a multidisciplinary, cross-functional approach. It must encompass information that would be devastating to have stolen, but may also include data that needs to be exempt from disposition and can’t be destroyed, such as executive emails under legal hold.

When identifying and protecting crown jewels, organizations must involve many stakeholders, determine the processes for keeping the data safe and create procedures for removing information that has lost its value. With the right tools and technologies, companies can keep their crown jewels from being lost or stolen.

Categorizing Critical Information

Data cannot be simply locked up and shut away. If that happens, it becomes useless. Think about heirloom jewelry. It was meant to be worn, but if it is kept inaccessibly in a safe deposit box at a bank downtown, it cannot be. Similarly, paintings may be extremely valuable, but storing them in a fireproof warehouse makes them less enjoyable.

At the same time, it is critical to determine what type of information requires protecting. For example, much like flammable household products, some information may not be considered crown jewels, but can quickly cause tremendous damage in the wrong hands. Sony Pictures Entertainment learned this lesson when it was hacked last year and lost control of the Social Security numbers of workers who had long since left the company.

Crown jewels can be divided into several categories and can exist in multiple locations and different formats:

Do not destroy graphic

Information that may not be destroyed

Some information may need to be carefully maintained, not because it has intrinsic value but due to legal holds, regulatory requirements and other reasons. This type of information can exist in many places within organizations, such as a file share, on an employee’s mobile device or on a hard drive. It must be protected from inadvertent destruction. Some of these files may be old or exist in legacy formats. When moved to a secure location, this type of data needs to be handled carefully, so that none of the metadata is altered. If no one at the organization knows what data exists and where it is, companies can easily find themselves with “dark data pools.” This can include decades-old paper files or microfiche that are in storage.

Valuable items graphic

Items of actual value

Like real precious jewels, some corporate information is truly valuable. This can include customer lists, formulas, intellectual property, schematics, pricing templates and other types of information that provide competitive and strategic advantage. As in the Sony case, it can also include master copies of intellectual property (e.g. films not yet released).

Risky information graphic

Information that can be risky or dangerous in the wrong hands

Some information must be kept private, regardless of its actual value. Employee records are a good example of this, as are documents developed for regulators and documents that carry attorney-client privilege, or the Social Security numbers of the prior Sony employees. These documents are likely much more valuable to outsiders than... download the full white paper below to continue reading.