Corporate Information Responsibility
|
Corporate Information Responsibility What is Corporate Information Responsibility? Corporate Information Responsibility (CIR) refers to the responsibility organisations have to protect the information they hold and use is in a way that doesn’t jeopardise the privacy or identity of their employees, customers and other key stakeholders. The term was first used by Marc Duale, president international of information management company, Iron Mountain. CIR is the practice of understanding, valuing and protecting the information a business holds. A successful programme will help a business protect its data, keeping private information private and avoiding data breaches. The benefits to a business include enhanced productivity and increased consumer trust. It entails clear policy, regular training, frequent auditing for compliance and an understanding of high risk information. Much like Corporate Social Responsibility, which refers to corporate self regulation built into a business plan, Corporate Information Responsibility describes a company’s duty to take responsibility for how it safeguards and manages its information. CIR complements Corporate Social Responsibility, as both terms describe self-regulating commitments that have a positive impact on a company’s stakeholders and are designed to improve the success of the company based on more than just its financial performance. The goal of both is to foster a spirit of accountability within operations and among employees so that customers, investors, employees, suppliers and regulators, as well as society as a whole are aware of the values, actions and impact of the business. In the case of Corporate Information Responsibility, this accountability is to protect and optimise the information held by the organisation in such a way as to safeguard the privacy of stakeholders and provide significant competitive advantage for the business itself. Business benefits of CIR include an increased ability to harness the value of information which can be used to inform decision-making and increase business efficiency and productivity. Like CSR, CIR can enhance brand image and reputation, build customer trust and loyalty and attract, retain and motivate employees. CIR leads to a greater understanding of how the business functions and provides a map of what information is available, where it is and how it moves through the organisation. It plays a vital role in risk resilience, business continuity planning and the development of future strategy. The understanding, management and mitigation of information risk represent an integral aspect of successful Corporate Information Responsibility. There is there is both value and risk attached to corporate information and in order to properly implement CIR, an organisation must understand, manage and protect information throughout its lifecycle, rather than simply processing, scanning and backing it up to comply with regulatory demands. Information Risk Maturity Index In March 2012, Iron Mountain and PwC published a research report, "Beyond Cyber-threats - a study on business culture, employee responsibility and information security", that looked at approaches to information risk in mid-market businesses in the UK, France, Germany, Spain, the Netherlands and Hungary. The report included a Risk Maturity audit for each of these geographies which assessed the strategy, people, communications and security measures in place to protect data and information. The resulting Risk Maturity Index shows that European mid-market businesses have a long way to go to bring their information security measures up to acceptable standards, with an average index of just 40.6 set against an ideal of 100. How to be a CIR business Successful CIR is best achieved when senior management first commits and embraces the practice. This promotes a company-wide culture of respect and protection for information, maximising its value and contribution, and minimising the risk of data breaches and loss. The Iron Mountain/PwC study identified the following eight-step action plan for Corporate Information Responsibility (CIR) is as follows: Step 1. Make information a boardroom issue: CIR requires senior executive support for the development and implementation of information risk-management policies, staff communications and cultural change Board members need to understand the full impact of a data breach. All too frequently, senior managers only get involved in the aftermath of a serious data breach. Action: Ensure information risk is an item on the agenda at Board meetings with regularity depending on business need. Step 2. Start with people: Engage your workforce; understand how they use information and help them learn how to protect it. Training and HR policies are fundamental in transforming corporate culture and empowering employees to take pride in and responsibility for information. Action: Don’t just talk to staff, listen. Ask employees to help create a list of golden rules for protecting information and provide a channel for them to confidentially express concerns or raise issues. Incentivise responsible information management through bonus schemes linked to quantifiable targets. Step 3. Be realistic, resources are limited so the most important thing is to get the basics right: A ‘good enough,’ scalable approach to risk management and mitigation will meet most of a mid-market business’ needs. It is not essential to spend a fortune on new IT to mitigate risk. Your biggest returns will come from better training and communication. Action: Take simple first steps. Secure your paper records in a locked room or consider outsourcing; keep back-up tapes off site; encrypt where necessary. Even a small step in the right direction is better than no action at all. Step 4. Understand how your business operates and how information flows through your company: Look at how information is created, received, processed, stored and securely destroyed in your business. Who is responsible for it at any moment in time, and how is it protected? Information risk management and mitigation is a holistic process that transcends departmental boundaries. Action: Set up a cross-departmental team to identify the journey of information through the business and highlight the main risks and vulnerabilities. Ask the team to produce a report and recommendations for the Board’s consideration. Step 5. Understand what information you care about and what you are willing to do to protect it: Not all information is of equal value, identify the information that could damage your organisation if lost, corrupted or inadvertently disclosed. What information is your business responsible for and whose information are you holding? Are you ultimately responsible to these stakeholders? Action: Think through the repercussions of data loss, corruption or inadvertent disclosure for all your data types, in order to understand where your risks lie and what level of impact each scenario would have. The output of this thinking should be shared with the Board. Get senior business leaders to decide what scenarios they can live with and which they can’t. By doing this, you create a prioritised series of goals aligned with your organisation’s appetite for risk. Step 6. Introduce a unified approach to on-going risk management: Include clear lines of accountability and responsibility, as well as centralised control to identify inter-dependencies and inter-departmental weak points. Action: Appoint someone to take charge of information risk management and give him or her he skills and the power to make it work. Monitor and support her performance. Step 7. Create policies and procedures and check their performance regularly: Policies on their own are not enough; they need to be understood and implemented by the employees handling your information on a day-to-day basis. Action: Introduce a reward and recognition programme for employees. Also consider getting free gap analyses from vendors and refer to best-practice standards such as PCIDSS and ISO27001. Step 8. Get help: Information management is hard and getting harder as the volume and velocity of structured and unstructured information increases. There are resources out there that can help.
|
|
|