Properly Managing Your Agency’s High-Value Assets, Tyler Morris

By Tyler Morris, Director, Product Management, Iron Mountain

For many, information management is about finding the optimal trade-off between usability and security.

This issue is top-of-mind for many agencies, especially after the release of a recent OMB memo in December, entitled “Management of Federal High Value Assets.”

High Value Assets (HVAs) are defined in this memo as “Federal information systems, information, and data for which an unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to the United States’ national security interests, foreign relations, economy, or to the public confidence, civil liberties, or public health and safety of the American people.”

This makes them a high priority target for criminals or nation states who are seeking to profit from, or cause damage to, these assets.

And although cybersecurity investments can provide a significant degree of protection against these threats, they cannot address every underlying problem that is driving information risk.

A primary, but often overlooked, risk-generating factor for many agencies is their tendency to approach records and information management in an asset-by-asset fashion, instead of viewing singular assets as just one component of a larger information enterprise.

As stated by OMB, “Agencies must take a strategic enterprise-wide view of risk that accounts for all critical business and mission functions when identifying HVAs.”

Without this type of comprehensive understanding, it quickly becomes impossible to keep track of agency-owned information assets.

And without knowing what type of information is owned and where it is stored, agencies are exponentially more vulnerable to external breaches, insider threats, improper use or deletion of vital information or records.

So how can agencies protect their HVAs from an information management and governance perspective?

The first, and most important step is to establish a formalized information framework that addresses a variety of issues, spanning risk management, retention, compliance and disposition.

This will allow agencies to introduce added control over their assets, from the moment of creation to the end of the information lifecycle.

In standing up this framework, agencies must first be aware of the requirements and rules that govern the information they store. This will provide a high-level skeleton from which they can make more substantive and detailed improvements.

However, this is no simple task, especially given that the federal rules and regulations governing this information are being constantly updated.

And although it may be difficult to keep pace with these changes, emerging technologies like automated retention and disposition can help agencies to keep their information stores updated and compliant.

This facilitates the development and revision of retention schedules, helping to keep agencies abreast of the latest applicable policy changes. It also ensures that a continuous and consistent retention policy is enforced throughout the information lifecycle.

After this, agencies will be ready to progress on to the next step: identifying their HVAs.

This means scouring both structured and unstructured data for potentially sensitive information, and assigning repositories for individual information assets.

After all, if agencies do not know where HVAs are being kept, how can they adequately protect them, let alone optimize their compliance, risk management and redundancy reduction processes?

Information maps can help agencies to address this concern. An information map is a database that captures an inventory of what systems, applications and repositories agencies have, where they are, and who is responsible for managing them.

With this tool, agencies will be able to keep tabs on their information systems and records, identify sensitive information like PII, PHI or CUI, monitor the use of assets, gain analytical insight and consistently update information stores.

At the end of this process, agencies should have a firm idea of their ideal asset management scenario.

Finally, agencies will be ready to put their policy into action and manage asset-specific concerns in a timely and continuous manner.

After addressing these steps, agencies will have laid the necessary groundwork for responsible governance of HVAs.

They will continue to face challenges associated with keeping their framework and retention schedules continuously up-to-date. This will provide agencies with the quantifiable statistics needed for compliance trails.

After accomplishing all of this, agencies will have completed a large majority of the behind-the-scenes work needed to secure the HVAs under their control.

From there, they will have the foundation that they need to further secure their information assets, whether that be additional cybersecurity, physical controls, or anything in between.

As agencies continue to collect more and more information, the risk of improperly managed HVAs will only continue to increase.

Every agency needs to take OMB’s advice to govern their information in an enterprise fashion, rather than in an ad-hoc fashion.

By continuously updating their information stores in the context of a larger information framework, agencies will be addressing several layers of risk, ranging from improper internal use all the way up to targeted external cybersecurity threats.

(Keeping up-to-date with compliance with privacy and security laws is important for your organization. Find out about records and information managers’ role in this process.Courtesy of Iron Mountain and YouTube)

About the Author

Tyler Morris is a strategy and product executive with experience supporting private and public sector organizations to solve critical business issues, grow market share, and perform large-scale transformation.

Morris’ expertise includes leading business planning efforts for complex products, programs and initiatives including growth strategies, market entry, industry evaluation, and IT transformation, with a demonstrated record of performance working closely with corporate leadership and project teams to develop and implement strategic change.

Morris specializes in strategic planning, product management, government, market research, growth strategy, process re-engineering, management consulting, organizational design, business development, customer relationship management, and coaching.