The Global Positioning System ("GPS") is a network of two dozen satellites orbiting at 12,000 miles above the earth. The network is capable of pinpointing precise locations anywhere on the planet.1 Now, while an Enterprise Information Map (EIM) cannot claim to locate information from 12,000 miles above the earth, it can assist in managing your information by pinpointing your potential high-risk information sources across countless databases, networks, record storage locations and business applications.
Enterprise information mapping is designed to improve your organization's information management capabilities and protect your high-risk information.
The premise of enterprise information mapping is simple: improve your organization's information management capabilities and protect your high risk information by identifying what information you have, where it is located, and whether it is important and/or high-risk enough to spend time and money protecting and securing it. In the current highly litigious environment in the U.S., the increasing volume of information often leads to increased costs in preparing for and responding to litigation. Additional pressures are also brought about by increased needs for maintaining privacy and ensuring intellectual property protection, both of which require stricter controls on the internal management of information, and a greater knowledge of just what you have and where it is stored. This article examines the growing need for adopting an enterprise-wide approach to identifying key information sources and potentially high risk systems, and provides a "GPS" framework for developing your own EIM for any size and type organization.
Elements Of An EIM
As with GPS, an EIM combines three key elements: Space (in this case, your organization's information space, or InfoSpace), Users, and Controls.2
InfoSpace consists of dozens, hundreds, even thousands of locations across your organization that are currently used for creating, maintaining, accessing and storing all types of information. The networks, shared drives, databases, and business applications deployed across your organization create constellations of information that must be mapped to understand what information you have, where it is located, and how it is connected in order to identify all potential sources of record-worthy data and/or all instances of potentially discoverable information for a litigation, audit, or other request. Users are all those individuals that access your InfoSpace in order to create, maintain, access, view and store information in support of core business functions. Understanding such functions, related business processes and resulting information assists in identifying high-risk information and the systems in which it is stored. Finally, we have the Controls. It's all very well recognizing where and what information you store, but without a "master ground station" to control that information on a daily basis, you run the risk of being non-compliant in a number of key areas: i.e., not protecting information that needs to be protected or keeping information too long or not long enough.
The methodology behind enterprise information mapping links key business processes and the resulting critical information with the appropriate information systems and locations, so that the most important data can be easily identified and protected.
How Enterprise Information Mapping Works
Enterprise information mapping works by connecting all of the key elements - InfoSpace, Users and Controls - into your own information "GPS" for the purposes of developing an EIM - a unique view of your organization's information landscape, depicting information and its location within your organization. A key characteristic and advantage of the map is that this "unique view" is just that - it's unique to each organization that looks to understand its information landscape from a different perspective and for its own purposes. For example, you may want to identify all potential sources for discoverable information in your organization, or you may need to identify high-risk systems to modernize or upgrade to ensure ongoing record-keeping compliance. Whatever your driver for conducting mapping activities, the approach, described below, remains the same - and the map shows you what you need to know.
Step One is to conduct an assessment of your current information management environment. Central to the assessment is gaining an understanding of your organization's core business functions, processes, resulting information, and how each is linked. In conducting interviews with key business personnel from departments such as (but not limited to) records and information management, information technology, legal, audit, etc., you not only identify your Users, their business functions and information, but also identify any Controls necessary for the management of the information that is created, used and maintained.
In addition to understanding your business functions, the assessment also involves identifying the locations of your relevant information sources. So, for example, in looking to identify all potential sources of discoverable information, you need to include in your assessment a review of both electronic and hard-copy information, vs. reviewing only electronic sources, if your organization is involved in systems modernization. This tailored review of your InfoSpace results in more than just a list of systems or information storage locations. Rather, it is a function-based inventory of your relevant information that provides the first step in linking business processes, critical information and high-risk systems/locations.
Step Two then looks to target your initial inventory by screening it to identify a subset of systems likely to contain your most relevant and critical information based on the specific drivers you have identified (i.e., 'discoverable' information, privacy data etc.). The screening process begins with a series of questions designed to pinpoint key business functions, identify key characteristics of each information source, types of data or documents housed, and whether the data or documents are shared with other information sources. While this initial set of questions is asked of any organization, the answers are weighted differently based upon your specific mapping drivers. For example, answers from an organization looking to identify critical systems for disaster recovery purposes will not be weighted the same as those from an organization looking to upgrade its critical business applications due to the difference in associated risk factors for both organizations. The result then is a series of scorecards for each information source that captures the importance of information contained, indicates potential risks, and highlights the complexity of relationships between information held across multiple locations.
Step Three involves identifying your actual high-risk systems/locations and associated information by assigning each system/location to one of three categories:
Critical - This group contains systems/locations with the highest overall score, indicating that each is considered a high organizational priority for managing the information contained, tighter process controls, and/or application of other information management principles.
Very Important - This group contains systems/locations with a high overall score, indicating that each is considered a moderate organizational priority for managing the information contained, tighter process controls, and/or application of other information management principles.
Important - This group contains systems/locations with a lower overall score, indicating that each is considered a lower organizational priority for managing the information contained, tighter process controls, and/or application of other information management principles.
Step Four, the final step, involves developing the actual EIM designed to offer a detailed "GPS snapshot" of relevant information systems/locations and the connections and relationships between that information. The EIM is not in fact one map but rather a series of map displays that depict your organization's main business processes, the key information captured as a result of those processes, and where and in what system/location each is stored and maintained.
Value Of Developing An EIM
The concept of "GPS for your organization" in the form of an EIM is a valuable tool in understanding what you do know , and perhaps just as importantly, don't know about the management of your organization's information. By providing an in-depth picture of your information, systems/locations and how each relates across all of your key business functions, the EIM provides value in a number of areas.
Map Display. In developing the EIM you have several options regarding the details you want to include for the specific needs of your organization. The resulting display, as with any GPS device, can be modified to get to the level of detail that you require. For example, the map can display your entire information landscape at a high level (i.e., view from an organizational perspective), or it can take you to street-level (i.e, view from within a particular business function or from a particular perspective, such as identifying all discoverable information sources).
Format. The format of the EIM facilitates your ability to access, view and understand its content. Depending on the size of your organization, you may require only a handful or dozens of people to access the map and its information. Because of this, an EIM can be activated and installed across your organization, either as a single, stand-alone device accessible by only a few or as a dashboard model accessible by many.
Navigation. An EIM also offers value in how it enables you to find your way through a maze of information, data and systems/locations. Designed as a tailored snapshot of your InfoSpace, the map presents variable aspects that offer specific views into certain locations around your organization. In effect, you can search for that specific piece of information you need and pinpoint its actual position, while at the same time understand the different routes it may take as it travels through your organization to its final destination(s).
Accessories. While the EIM can come in various shapes and sizes and contain different levels of detail, there are key accessories you can add to your EIM. Originally designed to map electronic information, you can also apply the concept to your hardcopy world and capture a similar level of understanding relating to all of your organization's paper holdings. The ability to quickly find certain sets of data and related information in any format also offers up some serious potential for helping cut costs related to litigation and discovery requests.
Summary
As with GPS though, the value of the device is in the information it offers and the ability to use it. A good map will be up-to-date and include all the important data and locations to get you where you need to be in order to locate what you're looking for in a timely fashion. The same is true of an EIM. Using the approach outlined in this article, any size or type organization can navigate their InfoSpace, understand their Users and Controls relating to key business functions, and "GPS" key information. The result - an improvement in your organization's information management capabilities and how it identifies, protects and secures your high-risk information.1http://www.angelflightse.org/Portals/9/pdf/GPS.pdf.
Published January 1, 2009.
