Addressing Key Business Topics - Audit Compliance, Business Continuity, and Data Governance
Beyond the technical topics of A.I., Cybersecurity, and Tech Modernization, some of the "other" work we've been insanely busy assisting organizations with has been around Audit Compliance, Business Continuity, and Data Governance.
In the past, the I.T. focus has been all about "the tech" - upgrades, operations, monitoring, and management. However, executives are keenly aware that RISK is managed top down!
If you don't have a clear policy, strategy, or governance focus, you will fall short: third-party auditors, and lately the cyber risk and liability insurers, are expecting far more than "tech documents" and verbal / email notes from I.T. leadership.
Audit Compliance and Business Continuity
As tech has become the backbone of pretty much EVERY organization (communications, records storage, accounting, payroll, banking, and operations), having a well documented I.T. operations and business continuity plan is essential for the organization. It's no longer "those computer systems we have that we trust our I.T. guys keep operational for us".
Organizations are expected to have a formal, well-documented process and system noting WHAT they have, WHERE information is stored, HOW it is secured and managed, and WHO is responsible for security and escalation - one that has been professionally reviewed and acknowledged by business management as meeting the stringent expectations of the organization's leadership!
The documentation expected includes interviews with business stakeholders and system owners to create an inventory, with noted priorities, of the key systems and processes that are necessary for business operations. Once aligned with leadership, the inventories are used to create alternative processes and system usage to account for high-risk scenarios - examples include regional fires, building floods, a cybersecurity incident, a ransomware incident, or the like. The complete plan typically includes a documented incident response process providing a runbook of resources used when responding to business-impacting events.
Most organizations these days advance their incident response and business continuity plans by conducting a tabletop exercise to practice execution and improve the plans based on the experience learned. The exercise includes key decision makers in management such as the CFO (who frequently has to make financial decisions in the event of a 24hr ransom demand), the Head of Legal (who typically works with the insurance company on limits of liability within policies), the Head of H.R. and the Head of Communications (who work with employees and external sources on communicating any outage/event), and the Head of Marketing and Public Relations (if customers are impacted).
The middle of a major outage or event is NOT the time to discuss tough questions and make up answers for the first time. Having "talked through" tough topics ahead of time is the level of preparation necessary in this day and age, where I.T. downtime is more than an inconvenience.
Data Governance
Back when "stored data" was just a handful of years of files and emails, there wasn't a lot of attention spent on data governance. However, now that "everything" is digitally processed and stored, with organizations sitting on years (decades) of content and privacy laws critical of organizations retaining client, employee, and public information "longer than necessary," organizations HAVE to rethink the strategy of just "keeping everything".
Content these days HAS to be classified - noting legal records that must be maintained for 5, 7, 10+ years due to legal retention requirements. Content NOT deemed to be a record, with no legal reason to be retained, needs to be considered for regularly scheduled elimination.
CCO has compiled a records retention schedule that notes best practices for the retention of financial records, personnel records, legal documents, patient records, supplier documents, contract files, etc. And the latest technologies built into the Microsoft Office 365 email / Teams / SharePoint / OneDrive system allow organizations to apply the applicable retention policies to content that resides in the Microsoft cloud as well as in various non-Microsoft cloud systems (i.e., on-premises, on laptops, on mobile phones, etc.).
This whole process involves an inventory and review of existing data repositories and locations with a focus on creating data governance including data retention, data protection and preparation for cybersecurity tasks (breaches, audits, etc.).
The review and inventory process involves identifying and interviewing data owners, reviewing the results with leaders, and aligning on key governance standards such as the default retention period, data classification, data protection needs, an exception process for the adopted standards, and a deployment process for governance controls.
Wrap-up
As complex as the various legal and compliance standards are, and as difficult as they make data governance, many of the newer tools and technologies built into the latest data systems can assist in the handling of electronically stored information (ESI). The tools and technologies exist to help organizations address their compliance and audit needs.
With the tools and solutions available, the key is for organizations to take the step of creating policies and practices AND testing workflows and data governance models to ensure the business is ready before it needs to be.
Rand Morimoto always insightful and spot on! Thank you for sharing.
External Partnerships, Project Management, Operations, MBA, PMP
1 month Per our previous conversations about the auditing, I'm confident in saying you are truly an expert in this field!