Claiming Information Governance

Written By:
Content Copyright © 2009 Bloor. All Rights Reserved.

I have just received an email from CA that, amongst other things, includes details of a press release announcing a partnership between CA and Acxiom to deliver a cloud-based information governance solution. This is all very well and good. No doubt it is excellent at what it does. But it’s what it does that is the problem: specifically it provides “a single portal view to better manage email, archiving, litigation holds, search, records declaration, retention and disposition.” Excellent. But that’s not what I call information governance. First, it’s content-centric and does not encompass data. What, is data (at least in context) not information? Second, it is both too narrow and too broad to be governance.

For my money (and others—I have discussed this with other analysts and with other vendors such as IBM) Information Governance must cover all forms of information, whether structured or unstructured and, more particularly, must cover six areas, as follows:

  1. Discovery – I don’t here mean legal or eDiscovery but simply that if you don’t know where your information resides (in a database, in a content management system, in a spreadsheet) how can you govern it? Moreover, you need to understand how different pieces of information relate to one another.
  2. Trust – you must be able to trust your information otherwise how can you use it to make decisions? This means applying data quality and, possibly, master data management. In the case of unstructured data it may mean applying content governance facilities, though perhaps we should refer to these as content quality?
  3. Security – you need to be able to ensure that your information is secure: that it is protected from attack, that it is encrypted where necessary, that it is masked where appropriate, that you have appropriate user access control, that it is tamper-proofed for evidentiary purposes and so on.
  4. ILM – you need to be able to manage the lifecycle of your information; archive it to near-line or off-line media as appropriate, and end-of-life it when this is appropriate and permissible.
  5. Compliance – you need to be able to ensure that you maintain and manage your information in a compliant manner both with internal governance policies and external regulation. In the latter case this includes complying with data protection acts, accessibility regulations, Sarbanes-Oxley, the EU Data Retention Directive, GCSx, PCI and so forth.
  6. Stewardship – you need to have the organisation, software and people in place to enable all of the above functions.

So that’s why I don’t think that CA’s information governance is not broad enough: it doesn’t cover data and it doesn’t cover all the things you need for governance. However, it also provides facilities that I would not include in governance.

If you think about information there are not many basic things you can do with it: you can collect it, store it, move it, govern it and access it. Search, for example, is an access mechanism not a form of governance.

Anyway, I am not really having a go at CA but setting out my stall as to how you categorise information management as a discipline: the five sub-domains alluded to in the previous paragraph, each of which then break down further, with governance organised as described. And of course there are further sub-domains within each of these. I am currently working on a map to visually represent this breakdown for the whole information management space.

Of course there are other representations: you could take security and ILM and put them in with storage and refer to information assurance instead of governance, for example. You could also concatenate information collection and storage. I’m sure you could come up with other models, but this is the best I have managed to-date and what I will be running with in the future unless I hear any better suggestions.