Posted by: Ben Cole
(This blog post was written by Marilyn Bier, chief executive officer for ARMA International.)
All organizations depend on information to manage day-to-day operations, comply with regulations, gauge financial performance and monitor strategic initiatives. This critical information resides in the organization’s business records.
Good information governance controls are difficult enough to apply inside an organization, even when it is using its own best-practices tool set. While it is possible to manage aspects of the lifecycle and disposition of information that resides in the cloud, lifecycle and disposition rules become more difficult to enforce there.
“Proper information governance requires a centralized control point, as well as effective enforcement, for an organization’s records management tool set to be effective,” said Brent Gatewood, owner of consultIG, in a recent issue of Information Management magazine. “Today, the controls in place with most SaaS [Software as a Service] providers are too non-specific. The controls in place are collection-focused and largely managed according to the provider’s rules, not those of the organization whose information is being stored.”
To satisfy the information governance needs of most organizations, control and management of data in the cloud should reside inside the organization itself and extend to cloud-based repositories. A centralized tool managing lifecycle rules for the organization needs to have the proper hooks into the data residing in the cloud. These tools need to have a complete view of the information owned by the organization to be responsive to internal and external requests.
According to Gatewood, “The reality is this: The tools may not exist, but organizations are moving — or have already moved — data into the cloud. Data relationships and management controls inside of organizations are more important than ever. Unless the management controls are already in place, it is unlikely that individuals are going to seek advice about extending controls to cloud-based repositories.”
Cloud computing is not going away. It can be a valuable tool, but it is a tool that needs to be understood and managed. Applying information governance controls, together with the proper working relationships with legal and with information technology and services, can help an organization reasonably manage its information in the cloud.
Information governance controls: cloud provider accountability
Gatewood recommends that organizations considering a cloud-based initiative — or reviewing a solution already in place — find answers to the following questions about contracts, audit controls and integration points:
- What service are we contracting for and what are the vendor’s records management and compliance obligations?
- What kind of data controls does the vendor have in place?
- How is information destroyed?
- Can we set minimum and maximum retentions and at what level?
- Are there secure destruction options?
- What are the vendor’s policies for backups, replication or failover?
- How do we confirm disposition takes place on a timely basis and according to our rules?
- What is the provider’s internal audit process?
- How often is the provider audited by external agencies?
- What standards is the provider held to?
- Is the vendor open to being audited for compliance? (If not, this may be a sign of bigger issues.)
- Is the vendor open to integration with our systems and applications?
- Has the vendor integrated with any systems that provide a structure for compliance?
Organizations must also consider whether the vendor’s policies and procedures for handling and managing information are acceptable. If they are not, Gatewood believes the organization should either move the data elsewhere or require an auditable change that meets its needs.
Gatewood also recommends that organizations require a data map that details where their information resides. Data maps can be complicated, because they describe what is often a complex infrastructure that may involve third-party relationships specific to your data, but the effort to review them is definitely worthwhile.
Marilyn Bier is chief executive officer of ARMA International, an authority on governing and managing information as critical business assets. As a not-for-profit professional association founded in 1955, it provides its 10,000-plus global members and countless external customers the education, publications and resources they need to be able to create, organize, secure, maintain, use and dispose of information in ways that align with and contribute to their organization’s goals.