Most organizations have (or by now should have) an information governance policy monitored by a cross-organization governance and compliance group. As organizations get ready for the cloud, this group needs to take a more active role in ensuring that new technology deployment reduces risk and enhances compliance. An effective way of pushing this down to IT and the lines of business is to ensure that any new project that creates data or files inside or outside of the organization has a formal compliance review section.
The emphasis of the review should be on ensuring that compliance is built in for every new piece of data created, as retrofitting is hugely expensive and often ineffective: classification is low impact if it is done at file creation and very difficult if it is done years later. Key elements in justifying any review will be cost avoidance of future eDiscovery activity and risk reduction.
Action Item: Project and maintenance reviews should include the following types of questions:
- How will all the data and files created be automatically classified with minimal user impact?
- How will the new data and files be integrated into the formal recordkeeping processes?
- What are the backup and recovery mechanisms required to ensure compliance?
- How is disaster recovery for the new files and data to be included in the business continuance plan?
- What are the risks of data loss, and how will they be mitigated?
- Are the costs for all supporting processes included in the project?