Fixing the Basics: The Importance of Learning to Crawl before Walking and Running
From building houses to developing an effective, efficient and secure data, information and records management programme, starting with a strong foundation is essential for success. When Infotechtion starts working with a client, our initial assessment is focused on reviewing your foundations – identifying cracks early in the project can avoid unexpected changes in scope, risks or issues cropping up down the line. We’d like to share a recent experience in a project where we discovered certain foundational gaps in information governance and operating practices which were not as developed as we had initially expected.
This highlighted not only the importance of having a strong foundation in which you can build upon to reach the goal of having an effective, efficient, and secure data, information and records management programme, but also the importance as consultants in understanding where your client sits – are they ready to crawl, walk or run?
To address the gaps we found, we decided to introduce an entirely new workstream called, “Fix the Basics.”
Why Fix the Basics?
Because, you shouldn’t try to run before learning to walk. And walking may be hard if you haven’t learnt to crawl yet.
When you engage with subject matter experts to receive guidance and support in areas such as Data Lifecycle Management and Data Security do not be surprised if they ask about the foundational stepping stones such as:
- Is there accountability assigned to those who manage and protect information, records, data
- Do you have a governing body who is responsible for planning, strategizing, and implementing Information Governance requirements
- Do you know your compliance requirements
- What type of data and information within your organisation do you need to protect
- What policies and procedures do you have in place to protect and manage your data?
These are only a few questions which can help with understanding where your organisation stands when it comes to managing your data and information securely. Asking these types of questions will ascertain what is needed in terms of time, people, technology, and processes for the project and can help in writing a very accurate and meaningful Statement of Work or Proposal, or help plan the project moving forward if already engaged.
It is recommended to have this knowledge before a project starts, so no major changes are needed, but as mentioned, this is not always the case and a shift in the project scope may be required.
A Fixing the Basics stage, if required, will provide the foundation required to launch into the next stages within an information governance and security project. If however, you find that the organisation is in good standing and a Fix the Basics stage is not required, that is fantastic. Instead you can focus on walking and running to the next level because the organisation has already learnt to crawl, but for those who need some extra help in building their foundation, here are some things to consider.
What would be considered Fix the Basics?
This will differ based on the client but some examples for data lifecycle management (DLM) and data security are:
- If not formed, create an Information Governance committee or group to:
- Create and implement an information governance strategy and plan
- Assign roles, responsibilities, and accountability for activities and/or tools such as an owner for the Data Loss Prevention tool
- Monitor progress, review, and update plans
- Reviewing joiners, leavers, and movers processes and training to determine if appropriate communication, induction, and training are available and regularly updated to meet any changes
- This could include:
- Team-specific records management and data security training are available
- Access rights are removed or added for joiners, leavers, and movers
- This could include:
- Review the sensitivity classification taxonomy and ensure the classifications meet your needs. If using Microsoft Purview Information Protection ensure your published labels match your taxonomy and are assigned to the correct workloads, libraries, sites, Teams, and/or sensitive information types if using auto-classification
- Review and audit current, Data Loss Prevention (DLP) policies (if using) to ensure they are protecting the categories/scenarios of sensitive information that require protection
- If not using DLP yet, carefully describe and plan which categories of information need protection and what actions you wish to take within the policy, e.g., monitor and provide education with policy tips or block the action such as sending an email with sensitive information
- Perform scans within your tenant such as oversharing reports, or number of SharePoint sites and/or Teams with little or no data, as well as last time accessed.
- These scans can provide a baseline which will also establish necessary actions to complete to implement the necessary features and tools
- For DLM, start clean up activities to find and remove ROT (redundant, obsolete, transitory) information – this can include empty sites which were picked up in the scans
- For data security – review and decide which out-of-the-box Sensitive Information Types (SITs) within Microsoft 365 Purview can be used to protect your information or if you require any custom SITs.
- If you require custom SITs, take this opportunity to plan what types you need and how they will be created (regular expression with or without checksum validation, a keyword list, a keyword dictionary, or a function).
- Evaluate and update, when/if required existing policies and procedures related to information governance and protection
- Create a communication and change management plan to deal with the upcoming changes.
These are some examples of what can be included in a Fix the Basics stage, but as mentioned, this will differ for each client. The important part is to ensure that there is a strong foundation in which to build the more robust and advanced capabilities within the Microsoft 365 (M365) environment.
If you are interested in learning what your Fix the Basics stage would be, contact us at contact@infotechtion.com and let’s get you on your way to improving and upscaling your existing information, records, and data protection and security programme properly.
If you’d like to learn about what walking and running look like, keep your eye out for my next blog on how to build from your foundation and move beyond the crawl into walking and running.