We’ve been talking about The Four “Ws” of Information Governance for a while now, and we’ve saved the best for last!
For those of you who are just getting in on the conversation, here are The Four “Ws” of Information Governance:
What are your information assets?
Where are they located?
When can you dispose of them?
Who manages them and has access to them?
Up until now we’ve been laying the groundwork of Information Governance. The first three “Ws” build the policies around your organization’s information assets. The final “W” defines how your staff interacts with these assets. Because of this, “Who” is the most important piece of the puzzle. “Who” defines the people who manage the information assets and those who have access to them.
Before you start assigning these roles, take a step back and look at what these people really need to do. While it seems like a pretty straightforward exercise, keep in mind that the goal of Information Governance is getting the right information to the right people at the right time. I also like to point out that protecting that information is paramount. What this means is that while everyone needs access to information, the level of their access and their ability to interact with it is not always the same.
In Government there is a concept of “Need to Know.” “Who” defines what that level of access is. In the world of Information Governance these access levels are defined in the acronym CRUD. Here’s how it works:
C = Create
Who needs the ability to create files?
R = Read
Is there a group that only needs to read files to do their work?
U = Update
Who needs the ability to edit files? Note: This role should be limited as editing documents may change the value of the information.
D = Delete
Who needs the ability to delete files? Note: This is the most critical role for the protection of your assets and should be severely limited to as few people as possible.
With this in mind let’s move on to the Roles:
Who Manages the Assets?
The Manager is not necessarily a Department Manager, although that can certainly be the case. In most instances the person assigned this role is an Admin that most frequently works with the information. This is similar to the person that represents the department on the Steering Committee we have discussed in previous articles. This is the person you want to have full access to the repository. They should have full CRUD rights to the information.
Who needs to have access to the assets?
This role encompasses a variety of access rights. Remember the adage of “Need to know.” There are those who need the ability to Create and Update information for the system, while there are others who only need the ability to Read the information in order to accomplish their function. To make this easier to maintain, I suggest creating Roles or Groups with certain access rights. Then you can assign people to groups as needed to create the security scheme that works for your organization. You’ll note that this group does not have the ability to Delete information. This ability should be used sparingly and only given to those individuals who have the most knowledge of the information governance program, to avoid the loss of your information assets.
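The group scheme described above, as an added example that is not part of the original article: the group names, users and the approved-deleter list are constructed for illustration. It computes each person's effective CRUD rights from group membership and lists anyone who holds Delete without being on the approved list.

```python
from enum import Flag, auto

class Right(Flag):
    CREATE = auto()
    READ = auto()
    UPDATE = auto()
    DELETE = auto()

FULL_CRUD = Right.CREATE | Right.READ | Right.UPDATE | Right.DELETE

# Constructed groups: rights are granted to groups, never directly to people.
GROUPS = {
    "managers": FULL_CRUD,                                     # full CRUD
    "contributors": Right.CREATE | Right.READ | Right.UPDATE,  # no Delete
    "readers": Right.READ,                                     # read only
}

# Constructed membership: people are assigned to groups as needed.
MEMBERS = {
    "alice": ["managers"],
    "bob": ["contributors"],
    "carol": ["readers"],
    "dave": ["readers", "contributors"],
    "erin": ["readers", "managers"],  # Delete picked up via a second group
}

def effective_rights(user, members=MEMBERS, groups=GROUPS):
    """Union of the rights of every group the user is in; none if unknown."""
    rights = Right(0)
    for group in members.get(user, []):
        rights |= groups.get(group, Right(0))  # undefined group grants nothing
    return rights

def is_allowed(user, right, members=MEMBERS, groups=GROUPS):
    return right in effective_rights(user, members, groups)

def unapproved_deleters(approved, members=MEMBERS, groups=GROUPS):
    """Users whose groups give them Delete but who are not on the approved list."""
    return sorted(u for u in members
                  if is_allowed(u, Right.DELETE, members, groups) and u not in approved)

if __name__ == "__main__":
    for user in MEMBERS:
        print(user, effective_rights(user))
    print("review:", unapproved_deleters(approved={"alice"}))
```

Because rights accumulate across groups, the check on Delete has to run over effective rights rather than over any single group's member list.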
Who Owns the Asset?
Another critical role that we need to point out is that of Ownership. This is the individual who is responsible for ensuring the information governance program is being followed for a given set of records. Most organizations consider this to be the Department Manager. Regardless of who is given this responsibility, it is important to stress to them that they may be held legally responsible for the records in court. Not something to be taken lightly.
That’s all there is to it! It takes longer to decide how it will work than it did to read this article, so take the time to set it up right. It will be worth it. Next month we will discuss communication and training for the program.