How to benchmark systemic risk around information management

From cyber-attacks and insider threats to the ongoing challenge of keeping sensitive and privileged content properly governed and in compliance with fast-evolving regulations, there is no shortage of risk that today’s enterprises face. The question is: if a legal organisation’s CIO wants to assess how prepared they are for these risks, how would they go about it?

It’s time for a scorecard that allows legal organisations to benchmark risk and security by looking at several key areas across the organisation, particularly around information management.

This serves several functions. For starters, it allows organisations to measure their information security risk profile against established industry benchmarks and best practices, to get a clear assessment of how they are performing. Additionally, it enables them to effectively address systemic risk and gain a 360-degree assessment of risk across the organisation.

Risk area 1: adoption and usage of a DMS solution

The first area to examine revolves not so much around the purchase of a tool like a document management system (DMS) or central repository that legal organisations typically use to manage all of their sensitive and privileged content, but around the adoption of that tool.

What firms often find is that one department/office location/class of user is using the DMS to manage content, while another is not. Sometimes this is because the DMS provides a poor user experience, or lacks features that legal workers need to do their jobs, highlighting the importance of a system that offers a user-friendly experience. Whatever the reason, poor adoption of this centralised system is a security risk since the DMS offers layers of security that local drives, network drives, and Outlook folders do not.

When benchmarking their risk around information management, firms need to ask a series of questions. First of all, are they getting active adoption of the DMS? Is usage uniform across practice groups, locations, and users? Are people using it to file emails as well as documents? Legal organisations should aim to have at least 80% of the organisation actively using the DMS if they hope to manage systemic risk.
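The adoption benchmark above can be turned into a simple scorecard. The following is an added illustration, not code from the article or from iManage: it scores a constructed set of per-user DMS activity counts against the 80% target, broken down by practice group and office, and separately reports email filing, so that an organisation that meets the overall target but has one group lagging is still flagged. The definition of "active" (filed at least one document or email in the review period) and all sample data are assumptions.

```python
"""DMS adoption scorecard (added example; sample data is constructed)."""
from collections import defaultdict
from dataclasses import dataclass

# The article's benchmark: at least 80% of the organisation actively using the DMS.
ADOPTION_TARGET = 0.80


@dataclass
class UserActivity:
    user: str
    practice_group: str
    office: str
    documents_filed: int
    emails_filed: int

    @property
    def active(self) -> bool:
        # Assumption: "active" means at least one document or email filed in the period.
        return self.documents_filed > 0 or self.emails_filed > 0


# Constructed sample for one review period; not real users or counts.
SAMPLE = [
    UserActivity("a.smith", "M&A", "London", 42, 120),
    UserActivity("b.jones", "M&A", "London", 17, 0),
    UserActivity("c.lee", "M&A", "New York", 30, 55),
    UserActivity("d.patel", "Family", "London", 0, 0),
    UserActivity("e.garcia", "Family", "London", 5, 0),
    UserActivity("f.chen", "Family", "New York", 0, 0),
    UserActivity("g.owens", "Litigation", "New York", 60, 210),
    UserActivity("h.kim", "Litigation", "New York", 12, 33),
    UserActivity("i.novak", "Litigation", "London", 3, 0),
    UserActivity("j.brown", "Litigation", "London", 8, 2),
]


def adoption_rate(users, predicate) -> float:
    """Fraction of users for which predicate holds (0.0 for an empty population)."""
    if not users:
        return 0.0
    return sum(1 for u in users if predicate(u)) / len(users)


def scorecard(records, target: float = ADOPTION_TARGET) -> dict:
    """Score active adoption overall, per practice group and per office."""
    by_group = defaultdict(list)
    by_office = defaultdict(list)
    for r in records:
        by_group[r.practice_group].append(r)
        by_office[r.office].append(r)

    group_rates = {g: adoption_rate(us, lambda u: u.active) for g, us in by_group.items()}
    office_rates = {o: adoption_rate(us, lambda u: u.active) for o, us in by_office.items()}

    return {
        "overall_adoption": adoption_rate(records, lambda u: u.active),
        # Email filing is tracked separately: the article asks whether emails are filed too.
        "email_filing_adoption": adoption_rate(records, lambda u: u.emails_filed > 0),
        "meets_target": adoption_rate(records, lambda u: u.active) >= target,
        "group_adoption": group_rates,
        "office_adoption": office_rates,
        # Uniformity check: any segment below target is a pocket of unmanaged risk.
        "groups_below_target": sorted(g for g, rate in group_rates.items() if rate < target),
        "offices_below_target": sorted(o for o, rate in office_rates.items() if rate < target),
    }


def report_lines(card: dict) -> list:
    """Human-readable summary lines for the scorecard."""
    lines = [
        f"Overall active adoption: {card['overall_adoption']:.0%} "
        f"(target {ADOPTION_TARGET:.0%}, {'met' if card['meets_target'] else 'NOT met'})",
        f"Email filing adoption: {card['email_filing_adoption']:.0%}",
    ]
    for seg, rate in sorted(card["group_adoption"].items()):
        lines.append(f"  practice group {seg}: {rate:.0%}")
    for seg, rate in sorted(card["office_adoption"].items()):
        lines.append(f"  office {seg}: {rate:.0%}")
    if card["groups_below_target"] or card["offices_below_target"]:
        lines.append(f"Below target: groups={card['groups_below_target']} "
                     f"offices={card['offices_below_target']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(scorecard(SAMPLE))))
```

On the sample data the overall rate just reaches 80%, yet the Family group sits at one in three and the New York office at three in four, which is exactly the non-uniform adoption the article warns about; a scorecard that only reported the headline figure would miss it.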

Risk area 2: categorisation and security policies

The second area revolves around categorisation of information in the DMS so that it can successfully be protected. Downstream categorisation does not work: information should be categorised upfront, at the point of creation, where the context of the content is best understood.

Categorisation must go hand in hand with implementing need-to-know access. For instance, is it appropriate for someone in the family law practice to be browsing content from the M&A group? Likely not. Putting security barriers in place helps lock that content down on a need-to-know basis but in order for that to happen, information has to be classified correctly in the first place.

Flexible information models that give organisations a variety of options to classify and secure information – by office, by department, by project, and so on – help address this need. Additionally, automated workflows that manage access grants and revocation based on access patterns and rules can reduce overhead.

Classifying and securing data appropriately also helps with staying abreast of GDPR and other data protection and privacy regulations. Does the data contain PHI, or PII, or credit card information? Classifying it appropriately allows firms to better manage their risk and avoid running afoul of any relevant laws.

As a benchmark, firms should aim to maximise the proportion of information that is categorised with appropriate security policies in place, and benchmark regularly to confirm that this goal is being met.

Risk area 3: ancillary systems

The third risk area revolves around ancillary systems. Most firms have realised that a DMS serves as a central hub in a larger content ecosystem. The information in the DMS needs to be shared internally, collaborated on, shared with external parties, and so on. This is where ancillary tools like Microsoft Teams and third-party file sharing solutions, amongst others, often come into play.

From a security and risk perspective, firms need to make sure that the security policies discussed in the above section carry outside of the DMS and apply to content in those ancillary systems. Having a policy defined in a single location eases the management overhead and ensures consistent application across the content lifecycle – from creation in the DMS, to internal review in a collaboration application like Microsoft Teams, to final review and signing in a deal management solution.

Additionally, organisations should examine the flow of content into and out of the DMS and those ancillary systems. Are people making copies of content and storing it in the collaboration tool, so that now there are two copies of the same document? This creates a compliance and regulation nightmare. Best practice is to share links to secured and categorised content in the DMS.

To address systemic risk, firms need to ensure that they’ve addressed all the above aspects with existing ancillary systems and should also look to achieve the same with new applications being deployed.

Risk area 4: ongoing content maintenance and records management

The fourth area revolves around pruning content. If you think of your information repositories as a garden, then you need to tend to it to ensure it doesn’t get overrun.

If you keep filing information into the DMS year after year without archiving or purging content that is no longer relevant, over time people are going to get overwhelmed with irrelevant content. As a result, they’re going to stop using the system which, again, defeats the purpose of having a DMS in the first place.

Legal organisations should ask themselves: Is information being purged when it is no longer required? If a lawyer looks for knowledge and finds information that is eight years old and no longer relevant today, they have wasted their time.

It makes sense to have a separate library for old content, while the frequently accessed content needed to address most search requests is available in an active library. That way, old knowledge is still accessible without compromising the search experience. Additionally, old or irrelevant information should be purged on a regular schedule in accordance with a policy.

Keep in mind that there’s certain content that needs to be kept and retained from a business continuity perspective, or from a regulatory perspective. Think here of record declaration or the enforcement of a legal hold or responding to a subpoena. This is where a clearly defined records retention and disposition policy comes into play, helping ensure pruning can take place without inadvertently introducing risk.

Knowing where you stand reduces risk

Benchmarking risk around information management to create a scorecard is not a one-and-done activity. It should be performed on an ongoing basis – ideally multiple times a year, paying close attention to the above-mentioned risk areas. Only when firms have a 360-degree view of systemic risk will they be in the best position to understand both strengths and weaknesses and prioritise projects accordingly to reduce risk and deliver maximum value.


Aaron Rangel, director of product management, iManage
