Three Legged Stool of Good InfoSec/InfoGov
Reflecting this week and speaking with colleagues across the sector, I am reminded of some truths that I learned early in my InfoSec/InfoGov journey. Two that have stood out are, first, that having well-written policies and robust processes does not mean that people will follow them, and second, inextricably linked to the first, that training staff, and importantly senior officers and key staff, is only half a job if they aren't able to demonstrate their understanding and put it into practice.
What is a policy?
A policy is a document that is a statement of intent, outlining roles, responsibilities, standards, and procedures. A data policy supports accountability and consistent data handling across departments. It is created and signed off by an organisation, and it establishes a system to guide decisions and achieve rational outcomes.
What a policy is not
A policy cannot enact change by itself. It is not a guarantee of behaviour, compliance or accountability, and it does not build a culture.
The Three Legged Stool
I’d like to introduce you to my three legged stool of information governance, no snickering in the back! You have met the first leg, policy. Policy is the roadmap and the structure. It is expressed through procedures, and together they tell people what needs to be done. Information governance policy defines how an organisation manages data access, quality, security, and usage. The second leg is training, which is fundamental to spreading the message of the policy and reaching the people who need to know. It equips an organisation's staff with the knowledge and skills to be good custodians of data.
The final leg has several names, but here I am going to call it culture. This is the embedding of the spirit of the policy into the organisation: getting buy-in from staff, which dramatically improves the practical application of the policy and of the processes disseminated by training.
Consider a member of staff tasked with the redaction of personal or confidential information. They might know how to redact, whether in a button-clicking sense or with tools that simplify this, but without a level of engagement, an appreciation of why it is needed, will they identify the unusual language or the more indirect reference to that information?
You may have trained your senior or key staff to know what a Subject Access Request is and how to deal with one. But without engagement and practical understanding, will they recognise, from its content or timescale, when an apparently normal request is actually a subject access request, and handle it appropriately?
Effective information governance needs all three legs to support itself. Without all three, the stool may stand, but it won't be stable and it won't withstand any significant amount of pressure.