Data Lifecycle Management and Information Governance: A Doculabs White Paper
How do you purge your data? Are your data
management practices in compliance with
recordkeeping conventions and with legal
standards? This white paper reports some surprising
findings about how organizations approach data
lifecycle management, discusses its impact on
information governance, and offers
recommendations for how to improve.
Survey Overview
Doculabs recently partnered with Executive Functions Management, Inc.
(EFM) to develop and issue a survey to the EFM membership, which is
made up of IT leaders at organizations of all sizes, from across all
industries. The goal of the survey was to investigate how firms are
governing the lifecycle and disposal of the data they generate.
The questions ranged from how IT leaders manage, pay for, and cost their
applications and storage, to what policies are in place for domains such
as information security and records management, to whether they
currently tier or purge data and whether they charge back to the business
for services.
We received 480 responses to the survey, with the respondents
representing 432 organizations across a wide range of industries and of
all sizes (see Figures 1 and 2).
Figure 1: Respondents by Industry
Figure 2: Respondents by Firm Size
Although there were many interesting points in the responses, in this
white paper we’re going to drill down into one issue in particular: how
firms reported that they purge (or don’t purge) data. Doculabs believes
that where firms stand on this issue has significant consequences for
their ability to adhere to core corporate compliance requirements and
also has a direct impact on a company’s legal and compliance risk
profile.
How a company purges its data has implications for
its ability to meet compliance requirements as well
as having an impact on the company’s risk profile.
Data Management Is a Compliance Issue
Among the questions we asked was how our respondents’ companies
purge data after it has passed its legal or operational life (see Figure 3).
Figure 3: How Do You Purge Data that Has Passed Its Legal or Operational Life?
At first glance, the response to this question seems to paint a fairly rosy
picture of how organizations are purging data: Fully 70 percent of
respondents reported that they purge in some way, with 25 percent
reporting that they don’t purge at all (5 percent were not sure whether
they do or not). For all the “keep everything forever,” “digital landfill”
doom and gloom we hear out there, this sounds pretty good.
That is, until you look at the nature of the purging that’s going on. Only
one-third of respondents reported doing regular purging, whether
automated (21 percent) or manual (12 percent). The rest reported
purging on an ad hoc basis, whether automated (10 percent) or manual
(26 percent).
Considered from the perspective of records management and
e-discovery, these percentages should give us pause. If a firm is purging on
anything other than a regular basis and according to published policies
and procedures, they’re not compliant—either with recordkeeping
conventions or with the ways judges have tended to interpret the Federal
Rules of Civil Procedure (FRCP) to apply to corporations. Ad hoc purging is
risky because the courts typically regard it as capricious in that it doesn’t
follow established policies and procedures that provide an audit trail.
Even if ad hoc purging doesn’t lead to spoliation in a given case, the point
is that it could have, because the organization didn’t have controls in
place to protect against it.
So what these numbers from our survey question suggest is that
two-thirds of respondents are not compliant with either recordkeeping
conventions or the FRCP—a very big number.
We decided to do a more detailed analysis of how the responses to this
particular question correlate to other questions in the survey, to see
whether we could infer anything about why firms approach purging data
the way they do, and what factors might contribute positively or negatively
to their ability to be compliant in how they manage their data.
Fully two-thirds of respondents to our survey reported
that their organizations are not purging data
regularly—and therefore are not in compliance with
good recordkeeping practices or with the FRCP.
Technology Usage
A potentially important factor in whether and how organizations purge is the technology capabilities
they have in place—i.e. do they have in place the tools that would facilitate regular purging of data?
For this survey, we asked participants about six categories of technology:
Enterprise Content Management (ECM)
Records Management (RM)
Data Archiving (Application Level)
Data Archiving (Across All Applications)
Structured Application Decommissioning
Unstructured Application Decommissioning
We then analyzed the data according to respondents’ reported approach to data purging, looking to
see the extent to which respondents in each group also made use of any of these technologies. For
ECM and RM, respondents in all categories reported high usage (see Figures 4 and 5), which
suggests that there isn’t a strong correlation between having these technology capabilities and
whether and how organizations purge.
Figure 4: ECM Technology Usage
But what’s worth remarking is that 67 percent of those who report that they don’t purge also report
that they use RM tools moderately to extensively. The main value of RM tools is to allow
organizations to retain documents and data for the time required by laws and regulations, and then
purge them after their legal and operational usefulness is past—so it’s hard to imagine what these
organizations are doing when they “use RM tools” if they’re not purging data, i.e. if they are in effect
keeping everything forever.
Figure 5: RM Technology Usage
For data archiving tools, we found more disparity in how firms were leveraging these capabilities. For
data archiving by application (i.e. within a single application), most firms are doing well, with 62
percent to 86 percent of firms reporting that they archive by application (see Figure 6). The outliers
were firms that reported that they don’t purge: Only 49 percent of them are archiving data by
application.
Figure 6: Data Archiving by Application
For data archiving across all applications, the picture is substantially the same, but at lower levels
across the board: 55 percent to 73 percent for most firms and 39 percent for firms that reported
that they didn’t purge (see Figure 7).
Figure 7: Data Archiving Across Applications
When we turn to application decommissioning, however, the discrepancy between those who don’t
purge and those who do becomes more pronounced (see Figures 8 and 9). For both structured and
unstructured application decommissioning, 78 percent and 71 percent respectively of those who
reported that their organizations don’t purge data also don’t leverage application decommissioning
tools.
But overall, the number of firms who report using structured application decommissioning tools is
low. Organizations that are purging using automated tools (whether ad hoc or regularly) reported the
highest use of structured application decommissioning tools (54 percent and 57 percent,
respectively).
Figure 8: Structured Application Decommissioning
View the Webcast http://bitly.com/1PSISTg
For unstructured application decommissioning, the glaring standouts are firms that purge on an ad
hoc basis using automated tools: 73 percent of them reported using unstructured application
decommissioning tools moderately or extensively, compared to a range of 29 percent to 58 percent
for the rest of the respondents.
Figure 9: Unstructured Application Decommissioning
Governance Maturity
Next we looked at what we could discern about the respondent firms’ maturity of governance
structures. After all, the technology capabilities we just discussed are hard pressed to deliver value if
the organization does not have the people/process controls in place to leverage those capabilities
adequately. We asked respondents to tell us how strongly they had governance in place around four
domains:
Records Management
Regulatory Compliance
Information Security/Privacy
Disaster Recovery/Business Continuity (DR/BC)
Let’s look at each of these in more detail.
Records Management
There was a significant correlation between those firms which reported having a moderate to strong
Records Management (RM) function and those who purge, whether ad hoc or on a regular basis (see
Figure 10). Not surprisingly, those firms who reported that they have no or weak RM were the same
firms which reported that they don’t purge data. After all, without clear guidance on what corporate
data needs to be kept and for how long, purging is difficult, if not impossible. And left to their own
devices without guidance from RM, IT will tend to keep everything forever to avoid the risk of either
deleting something the business needs or spoliation of data on legal hold.
Figure 10: Records Management Maturity
But if we look more closely at the firms that report having moderate to strong RM, 38 percent of
those firms also reported that they don’t purge data. As with the high number of firms that reported
having moderate to strong use of RM tools yet didn’t purge data, there’s a disconnect here between
the aims and goals of an RM program (retaining data for the amount of time required by the law and
then disposing of it) and on-the-ground practices (keeping everything forever).
The responses showed no correlation, however, between those who had moderate to strong RM and
regular versus ad hoc purging. It seems the kind of purging was less significant than that they
purged.
Regulatory Compliance
The reported rates of moderate to strong regulatory compliance were high across all categories, no
matter how firms reported they purged data (see Figure 11). This isn’t surprising, given the
importance of regulatory compliance for firms of all sizes across industries. However, those who
reported purging using automated tools (whether regularly or ad hoc) reported 91 percent to 95
percent moderate or strong regulatory compliance, versus 71 percent to 85 percent for firms that
purged manually or didn’t purge at all. This seems to suggest at least a mild correlation between
moderate/strong regulatory compliance and automated purging—not surprising, because purging
corporate data requires policies and guidelines to provide the framework within which purging can
be executed defensibly.
Figure 11: Regulatory Compliance Maturity
Information Security and Privacy
Given the increasing scrutiny of information security and privacy in the aftermath of high-profile data
breaches at organizations such as Target, The Home Depot, Premera, Anthem, and CHS, it’s not
surprising that the reported levels of maturity for information security and privacy are as high as the
regulatory numbers we saw in the previous subsection. And, as with regulatory compliance, those
firms that reported they didn’t purge data had a higher incidence of no or weak information security
and privacy compliance than other firms: 29 percent versus 8 percent to 22 percent. Similar to the
discussion of regulatory compliance above, we believe the correlation likely has a similar basis: i.e.
good information security and privacy policies and controls in place (1) enable IT to purge data
without fear of “doing something wrong” and also (2) encourage IT to do so in order to comply with
corporate policies and standards.
Figure 12: Information Security and Privacy Compliance Maturity
Disaster Recovery and Business Continuity
Disaster recovery and business continuity (DR/BC) is a critical business capability; without it, an
organization is at risk for disruptions to operations from a range of potential threats: so-called acts of
God, terrorism, hardware and software failure, criminal activity, etc. So it’s not surprising that
respondents in general reported having high levels of DR/BC controls in place. Again, the outliers
were those firms that reported either that they didn’t purge or that they purged manually on an ad
hoc basis. These two categories reported that they had no or weak DR/BC in 41 percent and 47
percent of cases, respectively. Firms that regularly purge or that purge on an ad hoc basis but with
automated tools reported moderate to strong DR/BC in 71 percent to 85 percent of cases.
Figure 13: Disaster Recovery and Business Continuity Maturity
Potential Incentives to Purge Data
Getting buy-in to purge data that’s passed its legal or operational life
sometimes requires incentives. And the incentives that get the most
attention are the ones that have an impact on costs. Here, we look at two
areas of potential opportunity to incent business units to regularly purge
their data: chargeback models and data center models.
Chargeback Models
Chargeback refers to IT billing its internal corporate customers for the
products and services it provides on a granular, service-based model (e.g.
per gigabyte of storage, per user of an application, etc.). In addition to
chargeback, there are two other approaches to billing internal customers
for IT products and services:
Fixed fee: charging each business unit a percentage of total IT spend;
can be straight, i.e. divide IT spend by number of cost centers; or
variable, i.e. based on number of FTEs within each cost center
Percentage of budget: charging each business unit a percentage of
total IT spend, based on what percentage of total corporate spend
that unit’s divisional budget represents
Without getting into a detailed discussion of the pros and cons of IT
costing models, suffice it to say that, as incentives for data purging,
neither the fixed fee nor the percentage of budget model is effective at
encouraging business units to take ownership of data and purge it once
its legal and operational usefulness is done. This is because at most
organizations the cost of IT storage is tied to the total number of business
units, the total number of FTEs, or the total departmental spend, so
purging data and thereby reducing the volume of data IT manages for an
individual business unit doesn’t lower the money that particular business
unit spends on IT. In fact, it actually increases the unit cost per gigabyte:
For example, if a business unit has 10 TB of data and spends $10,000
per year with IT for it, when they purge half of it (and still pay $10,000 per
year), their unit cost has doubled; but if they double their volume of data,
their unit cost drops by 50 percent.
Despite the compelling reasons for using chargeback, very few firms
surveyed reported using either approach. Across all firms, the range was
16 percent to 32 percent. However, when we dig in to the results, we see
some significant differences. Those who do regular, automated purging
top the list for chargeback, at 32 percent. Those doing regular manual
purging placed second, with 22 percent reporting that they charge back.
The remaining firms reported levels of chargeback of less than 20
percent.
Figure 14: Chargeback Models in Use
Data Center Operational Model
Third-party hosting of a corporate data center can be a powerful incentive to purge data, because
many contracts for data center hosting include volume pricing—i.e. a price per gigabyte per month.
So if IT reduces the volume of content, its monthly costs go down—a direct line between purging and
operational costs.
However, the respondents to this survey overwhelmingly hosted their own data: a range of 61
percent to 74 percent host it mostly in house, with 17 percent to 24 percent reporting a hybrid
model. Those reporting mostly outsourced data centers fell between 8 percent and 15 percent.
Given this, it’s not possible to draw a correlation from the survey data about hosting and purging,
although intuitively we would assume that per gigabyte pricing would encourage purging.
Figure 15: Data Center Hosting
Conclusion and Recommendations
We believe the results of this survey provide the basis for some important
conclusions about managing corporate data.
Good governance is strongly correlated with regular data purging. Those
firms that reported that they didn’t purge data also reported that they
had weaker records management, information security and privacy,
and disaster recovery/business continuity functions.
Purging is strongly correlated with data hygiene in general. Those firms that
reported that they didn’t purge data also reported significantly lower
levels of storage tiering and application decommissioning, possibly as
a result of a pervasive culture of “corporate hoarding” or of an overall
lack of discipline in information lifecycle management.
Many organizations are not getting the value they should from records
management. A high percentage of firms that reported usage of RM
tools or moderate to strong RM functions (or both) also reported that
they didn’t purge data—a clear disconnect between the purpose and
value of RM and what these firms are actually realizing.
Application decommissioning is underutilized relative to its potential returns.
Applications are expensive (hardware, software, and FTE to maintain),
so the low number of firms overall reporting that they decommission
applications suggests that this is an area of opportunity for IT to
deliver value to the organization.
Given these conclusions, Doculabs recommends the following to firms
looking to improve how they manage structured applications and data:
Focus on information governance rather than technology. The survey results
indicated a much stronger correlation between good data hygiene
and good governance than between good data hygiene and
technology capabilities. Without clarity and structure around the
“rules of the road,” organizations will struggle to effectively manage
their data.
Incent good data hygiene with chargeback. If there isn’t a direct tie
between what a business unit pays for IT and how much data they
have (or worse, an inverse relation, as in fixed fee or percentage of
budget models), it’s going to be difficult to get them to agree to purge
their outdated data. It’s also difficult for IT to prove the value they add
to the organization in managing applications and data.
Pursue application decommissioning. Very few firms reported
decommissioning applications, so this is a significant opportunity
area that has not only big dollar savings, but a positive compliance
impact—i.e. less outdated data reduces the impact and severity of
data breaches and lowers the effort and cost of e-discovery.
About Doculabs
We are experts in social collaboration and content management. We help
our clients by delivering highly actionable and comprehensive strategic
plans and roadmaps, helping our clients achieve their business goals and
create competitive advantage. Our consulting services also help our
clients improve their records management and information governance
approaches to facilitate compliance, reduce risk, and reduce the cost of
e-discovery.
Founded in 1993, Doculabs has an established track record in helping its
clients bring content under control and improving the ways they
collaborate. Our engagements focus on guiding our clients with our
expertise, analysis, and in-depth market knowledge. And we’re
independent; we don’t sell software or implementation services, so our
clients can be sure that our recommendations are objective.
Our consultants are highly experienced, averaging more than 20 years of
relevant professional background and many years of working together as
part of the Doculabs team. We’re recognized thought leaders in the
industry, frequent speakers at industry events and webinars, and active
contributors to leading publications, social media sites, and organizations
such as AIIM.
Hundreds of Fortune 1000 organizations and agencies of state and local
government have turned to Doculabs for assistance with their information
management strategies. For more information about our services, visit
the web site at www.doculabs.com or call (312) 433-7793.
About EFM
Executive Function Management, Inc. (EFM) was created with a goal of
providing strategic-level events and peer networking groups for
technology leaders throughout the U.S. EFM offers events for technology
leaders that provide an opportunity for select leading-edge suppliers to
forge new relationships with IT professionals.
EFM’s IT Symposium Conferences are annual gatherings that allow CIOs
and their senior IT leaders to explore critical business, technology, and
leadership strategies and to build a stronger professional peer network
and attain real-world knowledge on business changing technology and
management solutions. EFM IT Symposiums are currently held in 28
cities across the U.S.