6 information governance best practices

What is information governance?

Organizations use information governance strategies to manage access and control of digital assets across content management systems and other information repositories, such as file servers, intranet sites or cloud storage services. Information governance policies also outline the processes, people and technology that organizations need to meet their compliance requirements.

People sometimes conflate information governance with data governance, but they are distinct disciplines. Information governance focuses on broader policies to help organizations manage all types of information -- whether structured or unstructured. Data governance, on the other hand, focuses more narrowly on data quality and the management of structured data.

What role does information governance play in content management?

Information governance offers the essential requirements organizations need to implement appropriate permissions and content policies. These guidelines are critical to how organizations manage content and meet compliance goals.

For example, an information governance program might define an organization's policies for email archiving and records retention. It might also offer training to help employees manage sensitive information in compliance with regulations, such as the Sarbanes Oxley Act, HIPAA, GDPR and CCPA.

6 information governance best practices

Successful information governance starts with a plan. The following best practices can help organizations implement an effective information governance strategy.

1. Form a committee of key stakeholders

An information governance plan affects many aspects of an organization, including who can access what information and how the business manages data. Therefore, it requires individuals in HR, legal, compliance and IT to form a committee.

This committee should outline the plan's objectives, although it requires input and buy-in from C-suite leadership to ensure wider adoption.

2. Define business and compliance requirements

Not all organizations require the same sets of data access rules and retention policies, because they must adhere to industry-specific regulations. In the early planning stages, information governance committees must identify their organization's specific criteria and align with their compliance policies.

For example, healthcare criteria might include classifying data based on its content and whether it includes protected health information. For other industries, such as the legal sector, content classification revolves around client information. Each organization is different and has its own unique business and compliance requirements that it must identify.

3. Offer policies for remote work

After the COVID-19 pandemic, many organizations embraced remote and hybrid work, leading to increased reliance on cloud storage and enterprise content management (ECM) systems for remote access.

Remote and hybrid workplaces generate recorded meetings, instant messages from collaboration tools and documents stored in cloud systems, such as Microsoft OneDrive, SharePoint Online, Dropbox and Box. To avoid compliance failures, organizations should ensure they have effective information governance policies for this type of content, such as guidelines for how to securely store recorded meetings.

4. Outline key governance plans in policies and standard operating procedures

Effective information governance requires IT teams to do more than implement software-based rules that limit access to content. For instance, they must define processes and procedures for users to follow and train them on those procedures.

Additionally, HR or compliance teams must enforce the rules and hold users accountable when incidents, such as data leaks or compliance failures, occur. Otherwise, the plan will only exist on paper.

5. Define reports and alerts to monitor compliance

Once an organization has its content policies in place, it must outline specific alerts and reports to track compliance incidents. Incidents that require alerts include policy violations by user, unauthorized content deletion, sensitive content creation and external sharing of confidential data.

The information governance plan should also include instructions on how to handle these incidents. For example, if someone stores sensitive information in an unsecured area or repository, HR or compliance teams should formally document the incident, store it in the employee's file and discuss the incident with that person. Depending on the severity of the incident, the organization might consider retraining or termination.

6. Continuously monitor and review the plan

As an organization evolves, it should update its information governance plan to ensure policies remain relevant and effective. For instance, if an organization adopts a new digital asset management system, enters a new line of business or upgrades its ECM system, it should review its information governance policies and make any necessary changes. Regular updates ensure that these policies align with new tools, business goals and regulations.

Organizations of all sizes rely on information governance policies. They set boundaries around data access and controls to support an organization's needs and protect its data. Leadership buy-in is key because this type of initiative is not just an IT project but a company-wide endeavor.

Editor's note: This article was originally written in 2022. It was updated and expanded in 2024.

Reda Chouffani runs a consulting practice he co-founded, Biz Technology Solutions Inc., and is CTO at New Charter Technologies. He is a technology consultant with a focus on healthcare and manufacturing, cloud expert and business intelligence architect who helps enterprises make the best use of technology.