The Information Security element of an Information Governance framework is essentially about finding the correct balance between accessibility and confidentiality. The policy should set out how, where and when information can be deployed, while keeping it fully protected, securely stored and defensibly deleted.
Information Governance should ensure the following for Information Security:
- A robust framework for handling information in a confidential and secure manner;
- That information security extends beyond the organisation to encompass the organisation’s partners, suppliers and contractors;
- Security policies cover not only information and associated applications, but also the physical devices users employ to access information;
- That information security and privacy policies meet all relevant Data Protection and Freedom of Information legislation;
- Information is processed legally, securely, efficiently and consistently to the highest standards; and
- All employees fully understand, and have been trained on the organisation’s information security policies and procedures.
A key facet of Information Governance rests with the way in which information is classified and categorised. This enables the business to utilise information assets, in order to determine where the value of information lies, and how this information can be identified and retrieved.
Authentication and user access policies can be built into the metadata of any piece of information. This also enables the organisation to automatically anonymise any piece information that includes personal identification details, in line with corporate and regulatory policies.
Defensible disposal helps companies control storage growth and costs, whilst ensuring any regulatory requirements for information are met. It should also be used to underpin Information Security activities. It ensures that irrelevant or duplicate information is kept to a minimum. It removes the risk that information at the end of lifecycle is left online where it is vulnerable to attack, instead information can be responsibly deleted as soon as possible.