Properly Managing Your Agency ’ s High-Value Assets
By Tyler Morris , Director , Product Management , Iron Mountain
Tyler Morris
For many , information management is about finding the optimal trade-off between usability and security .
Without this type of comprehensive understanding , it quickly becomes impossible to keep track of agency-owned information assets .
And without knowing what type of information is owned and where it is stored , agencies are exponentially more vulnerable to external breaches , insider threats , improper use or deletion of vital information or records .
So how can agencies protect their HVAs from an information management and governance perspective ?
This issue is top-of-mind for many agencies , especially after the release of a recent OMB memo in December , entitled “ Management of Federal High Value Assets .”
High Value Assets ( HVAs ) are defined in this memo as “ Federal information systems , information , and data for which an unauthorized access , use , disclosure , disruption , modification , or destruction could cause a significant impact to the United States ’ national security interests , foreign relations , economy , or to the public confidence , civil liberties , or public health and safety of the American people .”
This makes them a high priority target for criminals or nation states who are seeking to profit from , or cause damage to , these assets .
And although cybersecurity investments can provide a significant degree of protection against these threats , they cannot address every underlying problem that is driving information risk . A primary , but often overlooked , risk-generating factor for many agencies is their tendency to approach records and information management in an asset-by-asset fashion , instead of viewing singular assets as just one component of a larger information enterprise .
As stated by OMB , “ Agencies must take a strategic enterprise-wide view of risk that accounts for all critical business and mission functions when identifying HVAs .”
The first , and most important step is to establish a formalized information framework that addresses a variety of issues , spanning risk management , retention , compliance and disposition .
This will allow agencies to introduce added control over their assets , from the moment of creation to the end of the information lifecycle .
In standing up this framework , agencies must first be aware of the requirements and rules that govern the information they store . This will provide a high-level skeleton from which they can make more substantive and detailed improvements .
However , this is no simple task , especially given that the federal rules and regulations governing this information are being constantly updated . And although it may be difficult to keep pace with these changes , emerging technologies like automated retention and disposition can help agencies to keep their information stores updated and compliant .
This facilitates the development and revision of retention schedules , helping to keep agencies abreast of the latest applicable policy changes . It also ensures that a continuous and consistent retention policy is enforced throughout the information lifecycle .
After this , agencies will be ready to progress on to the next step : identifying their HVAs .
52