The Four-Step Method of Information Governance

Four steps to help an organization lay out its information governance framework.



Original: The challenge of governing your information

Source: CSO online

Introduction

The Chief Information Security Officer (CISO) is responsible for information security across a company or organization, and carrying out that responsibility is becoming ever more difficult. In an era when information grows at roughly 50 percent per year, how can a company keep its information confidential and govern it effectively? That is the question this article sets out to answer.

The Chief Information Security Officer (CISO) is the protector and guardian of your organization’s information assets. This responsibility is becoming more and more difficult, given the explosive growth of information, the rapid pace of transformation impacting information technology (IT) and business, and the proliferation of information across contractors and trusted third parties.

Organizations must address how best to allocate scarce resources to protect and govern information. This question encapsulates the evolving dilemma of information governance. How should an organization protect and govern its information assets when the rate of data growth is estimated to be nearly 50 percent year over year? These growth rates present tremendous cost pressures. While the cost of information storage has steadily decreased over time, the cost of incident, fraud, and escalation management continues to increase at exponential rates with no end in sight.

Information governance is about improving information economics. This means successful organizations help their employees, trusted third parties, and customers extract and realize value from the proper use of information. This requires that organizations identify and protect at-risk information, while reducing the total cost of information ownership.

In general, the CISO and CLO are not acting in concert to protect and govern their organization’s information assets. Their respective agendas, budgets, and reporting standards are separate, and quite often unaligned. It is now an imperative that these two functions work together to devise, implement, and sustain a strong information governance capability in their organization.

The information governance capability includes many different functions and activities that organizations perform every day, including: data classification, records management, data privacy, IT security, legal, compliance, risk management, electronic discovery, defensible disposition, data quality, and information life cycle management. What organizations tend to neglect is coordinating and managing these many different functions and activities under one point of view and control, i.e., information governance.

There is no way to govern every information asset. Organizations need to make tough decisions about how best to allocate scarce resources and introduce effective governance of their information assets. The approach used by KPMG firms (KPMG is one of the Big Four accounting firms) outlines a practical and effective means to introduce information governance.

One critical point for all parties to agree on before introducing information governance is: controls are not governance.

The first mistake that many organizations make when trying to establish an information governance program is to equate controls with governance. This point of view results in repetitive control assessments and exhaustive controls portfolio updates. While controls are important, organizations should start from the position that governance is a culture.

You must work across your environment and your stakeholder community to understand your business, IT, risk, legal, and compliance cultures before you can introduce information governance. There are two ways to think about culture as it relates to information governance.

I. Evaluate whether or not your organization has the right foundational elements in place that define expected behaviors, processes, and controls to help govern all information assets belonging to all business processes. These foundational elements help govern information assets via the use of harmonized policies, procedures, training, and communications.

The following list summarizes typical foundational elements employed by organizations:

  • Policy and Procedure Framework
  • Controls Portfolio
  • Enterprise Risk Management
  • IT Architecture
  • IT Operations
  • Governance, Risk, Compliance (GRC)
  • Records Management
  • Records Retention Schedules
  • Data Classification
  • Information Life Cycle Management
  • eDiscovery
  • Investigation and Incident Response
  • Third-Party Risk Management
  • Change Management
  • Corporate Communications
  • Corporate Affairs
  • Legal
  • Data Quality
  • Master Data Management
  • Intellectual Property
  • Data Privacy
  • Business Intelligence

Many organizations are content with allowing these foundational elements to (loosely) work together with the hopes that information will be governed (fingers crossed!). This is not an effective approach to information governance. Organizations must operationalize and embed information governance into their culture by identifying which information assets deliver the most value and present the most risk to the organization. This starts with prioritizing the process portfolio.

II. Prioritize business processes that deliver the most value and present the most risk to the organization. The related information – structured, unstructured, and physical – is exactly the set of assets that needs to be governed.

A simple way to introduce the two considerations summarized above in points I and II is to follow KPMG’s DC² approach, which consists of four steps: Define, Clean, Discover, and Change.

Each of these actions requires the following activities and outcomes:

DEFINE: What does good look like?

  • Educate business and IT partners, secure buy-in, and agree on how to value and risk rank business processes (think: 95/5 rule when prioritizing business processes)
  • Review existing policies, procedures, standards, minimum security baselines, tools, schedules, and function level responsibilities related to information governance (i.e., foundational elements)
  • Identify legal, regulatory, compliance, contractual, and commercial requirements (i.e., external factors)
  • Identify third parties involved with business processes, IT, information, storage, and records management
  • Identify ongoing and planned changes that may impact information governance; this should include an evaluation of external factors (e.g., regulatory changes)

CLEAN: Eliminate immediate risk exposures.

  • Perform a gap assessment of processes and controls governing prioritized business processes and related information assets, with a focus on:
    - Behavior-based items, including policy, training, schedules, incident management, etc.
    - Access control items, including privileged access, identity management, etc.
    - Management responsibilities, including information oversight, identification, retention, protection, disposition, and destruction

  • Remediate critical process and control issues impacting information assets
  • Develop and document a remediation plan for impacted or nonexistent foundational elements
  • Develop and document a remediation plan for information assets that aligns to your business and IT target state.

DISCOVER: You cannot govern what you do not know.

  • Leverage automated tools and manual inspection efforts to identify information assets belonging to prioritized business processes
  • Conduct information use surveys to better understand end-user and trusted third-party behaviors impacting information assets
  • Work with trusted third parties to identify information assets used, accessed, processed, managed, archived, etc. on behalf of your organization
  • Update gap assessment (see the Clean stage) based on newly identified information assets and results of use surveys
  • Update remediation plans, as needed.

CHANGE: Embed governance into the culture.

  • Implement mid- and long-term change and remediation plans related to foundational element gaps and deficiencies
  • Implement mid- and long-term change and remediation plans related to business and IT process and control gaps and deficiencies
  • Manage information-related changes that impact or are required of third parties
  • Introduce automated capabilities to better manage and govern information assets
  • Update business and IT management reporting to track and sustain the information governance program.

The four steps of the DC² approach will not solve every problem, but they cover the basic framework of information governance, and they are a good starting point for companies that have not yet paid attention to, or begun to make use of, their internal information assets.

Organizations can benefit from information governance. Improved information economics directly and positively impacts your customers, employees, and trusted third parties.



Follow 浪潮规划咨询 on WeChat

