All organisations should take appropriate steps to ensure that their business confidential data, information and content is adequately protected, especially when stored or communicated electronically. There are also specific legal, regulatory and fiscal requirements for certain types of data, information and content.
Data, information and content (let's just call it 'data') is either stored or in transit. The use of online hubs or data centres to process data on behalf of third parties brings many risks if the commercial relationship between the parties is not managed correctly.
Organisations should implement an end-to-end governance strategy that addresses the full life-cycle of the data they process, from creation and collection, through storage and processing, to retention and destruction. For the organisation, the baseline objective is to ensure that governance and data management are adequate to meet the business bottom line. But it is also important that the organisation meets its legal, regulatory and fiscal obligations.
Information assurance is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes.
This also includes ensuring that data and information can meet evidential requirements should disputes arise during the course of business.
Data is a core business asset that has value to the organisation and is managed accordingly.
Data is a valuable corporate resource; it has real, measurable value. This is especially so in the case of multi-million pound contracts under PPP and PFI frameworks.
In simple terms, the purpose of data is to aid decision-making across the organisation. Accurate, timely data is critical to accurate, timely decisions. Up to 80% of an organisation’s value rests in its data assets. Data is the foundation of our decision-making, so we must also carefully manage it to ensure that we know what we’ve got, where it is, can rely upon its accuracy, and can obtain it when and where we need it.
Users have access to the data necessary to perform their duties; therefore data is shared across enterprise functions and departments.
Timely access to accurate data is essential to improving the quality and efficiency of enterprise decision-making. It is less costly to maintain timely, accurate data in a single application, and then share it, than it is to maintain duplicative data in multiple applications.
Data is easily accessible for users to perform their functions.
Wide access to data leads to efficiency and effectiveness in decision-making, and affords timely response to information requests and service delivery.
Using information must be considered from an enterprise perspective to allow access by a wide variety of users. Staff time is saved and consistency of data is improved.
Data quality is acceptable and meets the business need for which it is intended.
Data produced and reported must be fit for purpose. That is, it is of sufficient accuracy and integrity proportional to its use and cost of collection and maintenance.
Data is used in all areas of decision-making, operations, planning and performance management in order that the organisation achieves its objectives.
Data is increasingly being used externally by customers, consumers and citizens to inform their personal decisions, and by stakeholders to assess the organisation's aggregate performance. This reinforces the need to ensure that the quality of data held is sufficient to meet diverse needs.
The organisation's information management processes comply with all relevant laws, policies and regulations.
There are a number of legal requirements that govern the use of data in the course of business. These include data protection, financial reporting and other types of regulatory reporting, for example under health and safety rules and waste electrical and electronic regulations.
Data should be trustworthy and safeguarded from unauthorised access, whether malicious, fraudulent or erroneous.
Open sharing of information and the release of information via relevant legislation must be balanced against the need to restrict the availability of classified, proprietary, and sensitive information.
Existing laws and regulations require the safeguarding of national security and the privacy of personal data, while permitting free and open access. Pre-decisional (work-in-progress, not yet authorised for release) information must be protected to avoid unwarranted speculation, misinterpretation and inappropriate use. Integrity, confidentiality and availability are maintained for as long as the information is needed.
Data should be defined consistently throughout the organisation, and the definitions should be understandable and available to all users.
Both unstructured and structured data must have a common definition throughout the organisation to enable sharing of data.
A common vocabulary will facilitate communications, enable dialogue to be effective and facilitate interoperability of systems.
Development of information services (such as business applications, data warehouses, directory services etc.) available across the organisation is preferred over the development of information silos which are only provided to a particular department or group of departments.
Duplicated capability is expensive and propagates conflicting data.
It also militates against a policy of sustainability in the use of infrastructure resources such as servers and data centre air conditioning.
All departments in the organisation participate in the information management decisions needed to accomplish business objectives. It is staff responsibility
Information users are the key stakeholders in the application of technology to address a business need. In order to ensure information management is aligned with the business, all departments or business functions in the organisation must be involved in all aspects of the information environment.
The business experts from across the organisation and the technical staff responsible for developing and sustaining the information environment need to come together as a team to jointly define the goals and objectives of IT. Added into this mix are human resources and additional risk managers, for example lawyers.
A spirit and culture of collaboration and the sharing of data, information and knowledge for the greater corporate good should support all data decisions, especially relating to the selection and prioritisation of programmes, projects and their approval points.
This principle embodies "service above self". Data decisions made from an enterprise-wide perspective have greater long-term value than decisions made from any particular departmental perspective. Maximum return on investment (ROI) requires information management decisions to adhere to enterprise-wide drivers and priorities. No minority group will detract from the benefit of the whole.
However, this principle will not preclude any minority group from getting its job done.