Over the last few years senior executives, legal teams and IT departments have been tasked with protecting their companies from a multitude of evolving legal and compliance liabilities surrounding old emails, files and mystery legacy data.
Industry regulations have changed the entire landscape of the way communications are handled. Emails are full of disclosures, legal keeps a tight watch on regulatory compliance and information governance policies are supposed to make everyone feel safer at night.
But a growing number of companies are finding that the greatest risk to their security and stability is not today’s communications, but those that have been stored for the past five, 10 or more years. Those stockpiles of mystery backup tapes, servers, emails, PSTs and other file types have slipped past information governance policies because no one knows what legacy information exists or where to find it.
As policies, laws and employees have changed, legacy data has gone unlocated and unmanaged, effectively exempt from current information governance policies and waiting to be uncovered at the most inopportune time.
To mitigate these risks, avoid security breaches and manage legal hold requirements, more organizations are proactively managing Big Data by using a data profile to enforce their information governance policy. An information governance policy dictates the use, disposition and management of corporate data in order to protect the firm’s assets and manage long-term risk; the data profile makes it possible to audit the environment and uncover the ‘red flag’ data.
This ‘red flag’ content includes highly sensitive PST email archives created by the former CEO’s admin, unencrypted personally identifiable information (PII), aged emails from former employees, and copies of business data such as contracts, network file shares and even decade-old backup tapes.
Corporate data policies are usually complex in nature and difficult to enforce. Both problems are exacerbated by the fact that policies are often created with little to no context around the actual properties of the data they are meant to affect. The typical process is for organizations to hunker down with their legal, compliance and records management teams and attempt to churn out a meaningful set of rules about how corporate data assets should be treated.
Once the policies are written, they are delivered to IT, which is expected to execute and enforce them moving forward. More often than not, IT will fail due to the fact that the ideals of the policies do not match the realities of the data.
A more effective approach is to gain insight into what the enterprise data contains and where it resides prior to developing a policy and enforcement plan. Policies are often based on specific regulatory guidelines that a firm must adhere to - these are usually non-negotiable. The extent to which those regulations apply within a specific firm, though, can vary widely based on the actual data itself.
Overlaying those regulations on top of corporate policy, legal hold requirements and the like only makes things worse. Rather than trying to actively enforce this web of rules, many organizations leave it up to their employees to follow policies they are often not technically savvy enough to understand. Throwing a rules blanket blindly across the enterprise without knowing what is being covered up is an all-around poor practice.
A proactive approach to applying policy to user data is simplified by first profiling the data and collecting information about its makeup and location. Data profiling is the process of examining data from all sources across the enterprise and collecting metadata-level information on the content to create a searchable and reportable repository of information about the user files and email such as owner, age, type of files, location, last accessed or modified and more.
Profiling user data provides the knowledge required to understand what data exists where, and to allow those who manage policy to take action on it. This could include various dispositions such as preserving it in an archive, encrypting it, moving it, leaving it in place but monitoring it, or even purging it if it no longer has any business value. The data profiling process creates a searchable repository where simple inquiries allow the administrator to understand the data environment and generate summary reports that help decisions to be made.
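As an illustration, the metadata-gathering step described above can be sketched in a few lines of Python. This is a minimal, hypothetical example, not a specific product: it walks a directory tree, records owner, file type, size and access/modification dates for each file, and stores them in a SQLite table so the profile can be queried and reported on later. The table name and schema are assumptions chosen for the sketch.

```python
import os
import sqlite3
import time

def profile_tree(root, db_path="data_profile.db"):
    """Walk a directory tree and record file metadata in a searchable SQLite table."""
    conn = sqlite3.connect(db_path)
    conn.execute("""CREATE TABLE IF NOT EXISTS files (
        path TEXT PRIMARY KEY, ext TEXT, size_bytes INTEGER,
        owner_uid INTEGER, modified TEXT, accessed TEXT)""")
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # skip unreadable files rather than abort the scan
            conn.execute(
                "INSERT OR REPLACE INTO files VALUES (?, ?, ?, ?, ?, ?)",
                (path,
                 os.path.splitext(name)[1].lower(),
                 st.st_size,
                 st.st_uid,  # numeric owner on Unix; map to a username via the pwd module
                 time.strftime("%Y-%m-%d", time.localtime(st.st_mtime)),
                 time.strftime("%Y-%m-%d", time.localtime(st.st_atime))))
    conn.commit()
    return conn
```

A real enterprise profiler would also crawl email stores, file shares and backup media, but the principle is the same: collect metadata once, then query the repository instead of re-scanning the environment for every question.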
An enterprise data profile simplifies the process of developing, enforcing and updating data management policies. A good use case is managing PST files. Many users preserve their email into local PST archives, which are typically a challenge to manage because users usually have the ability to create them and store them anywhere on the network. Even after implementing a no-PST policy, many organizations still unknowingly store tens of thousands of them within their enterprise simply because they cannot find them. Those files are also being copied to backup tapes and replicated on a daily basis, compounding the problem of finding and remediating them.
Running a simple query against a data profile can show you exactly how many PSTs are in your environment, how much space they are taking up and, most importantly, who owns them and when they were last accessed. This information can inform a specific set of actions to address the current situation, as well as allow creation and tuning of a policy to better control the creation and storage of these files in the future.
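To make the idea concrete, here is a hedged sketch of such a query in Python against SQLite, assuming the profile lives in a table named `files` with columns `ext`, `size_bytes`, `owner_uid` and `accessed` (an illustrative schema, not any vendor’s actual repository). It returns the total PST count and size, plus a per-owner breakdown with each owner’s most recent access date.

```python
import sqlite3

def pst_report(db_path="data_profile.db"):
    """Summarize PST files recorded in a hypothetical 'files' profile table."""
    conn = sqlite3.connect(db_path)
    # Overall footprint: how many PSTs exist and how much space they consume
    count, total = conn.execute(
        "SELECT COUNT(*), COALESCE(SUM(size_bytes), 0) "
        "FROM files WHERE ext = '.pst'"
    ).fetchone()
    # Per-owner breakdown with the most recent access date for each owner
    by_owner = conn.execute(
        """SELECT owner_uid, COUNT(*), MAX(accessed)
           FROM files WHERE ext = '.pst'
           GROUP BY owner_uid
           ORDER BY COUNT(*) DESC"""
    ).fetchall()
    return count, total, by_owner
```

The same pattern - filter by file type, aggregate by owner or age - answers most of the questions a remediation or legal hold effort starts with.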