Information Lifecycle Management Strategy
Copyright 2021, Faulkner Information Services. All Rights Reserved.
Docid: 00021123
Publication Date: 2111
Report Type: TUTORIAL
Preview
Information is the currency of modern commerce and must be managed
intelligently to ensure enterprise success. Just as physical assets such as
facilities and equipment cycle from useful to useless, so do information
assets. Intellectual property (trade secrets), enterprise plans and
schedules, internal or client correspondence (including e-mail), and
personnel records may move from important, must-have data to archival
material to waste that must be disposed of in an appropriate manner. At
each stage, the material must be secured to ensure that vital enterprise
information is properly protected from loss, theft, contamination, or
misappropriation. To deal with the lifecycle of this information,
enterprise planners must develop and execute an Information Lifecycle
Management strategy.
Executive Summary
Information is the currency of modern commerce, and must be managed to
ensure enterprise success. Just as physical assets, like facilities
and equipment, have a lifecycle (or series of life stages from figurative
birth to death), so do information assets, like intellectual property
(trade secrets), enterprise plans and schedules, customer correspondence
(including e-mail), and personnel records.
To ensure enterprise information is properly protected from loss, theft,
contamination, or misappropriation throughout its lifecycle, enterprise
planners must develop – and execute – an Information Lifecycle Management
(ILM) strategy.
The three goals of ILM, as defined by Veritas, a leading information
management firm, are:
- Data Security and Confidentiality – Protecting sensitive,
confidential, and proprietary information from unauthorized access;
- Availability – Ensuring information is present when needed; and
- Integrity – Ensuring information is correct and consistent
across all information platforms.1
As a means of implementing ILM, the ILM strategy prescribes how certain
information (or types of information) should be treated during their
lifecycle, from creation or acquisition to final disposition.
Figure 1, for example, illustrates how “active” or
frequently-referenced information might be housed in a “high performance”
store, while “inactive” information might be relegated to an “archival”
repository.
Figure 1. Enterprise Information Lifecycle
Regrettably, there is no single strategy for managing enterprise
information throughout its lifecycle. For each enterprise, strategy
development relies on several factors, including:
- The amount of resources that can be applied to information lifecycle
management (ILM) – ILM normally is a large enterprise discipline.
- The need to satisfy regulatory requirements, such as Sarbanes-Oxley
(SOX), the Health Insurance Portability and Accountability Act (HIPAA),
Gramm-Leach-Bliley (GLBA), and, more recently, the European Union (EU)
General Data Protection Regulation (GDPR) and the California Consumer
Privacy Act (CCPA).
- The need to produce enterprise information on demand, especially in
response to a subpoena or other “e-discovery” order.
- The need to manage – actually, reduce – runaway storage growth.
Developing an Information Lifecycle Management Strategy revolves around
two basic processes:
- Classifying Information
- Establishing Information-Oriented “Service Level Objectives”2
Classifying information involves separating “information elements”
(discrete items of information at the file or record level) into specific
categories, such as Secret, Confidential, or Unclassified. While
individual information elements may be categorized, classification
typically occurs at the record type level, such as customer records or
financial records.
Once enterprise officials have created information categories – and
populated these categories with the appropriate information elements – the
officials must determine how the information within each category will be
managed; in other words, what are the service level objectives for each
category? More specifically, what are the standards for:
- Security?
- Availability?
- Recoverability (in the event of sudden information loss)?
- Retention?
- Normal Use?
What distinguishes information lifecycle management from allied
disciplines, such as information management, data management, and records
management, is the obligation to manage information elements according to
their respective age, or relative position within their
lifecycle. For example, records related to current employees are
highly active and must be highly available. Records related to retired
employees (pensioners) are less active and may be less
available. Records related to employees who have resigned or been
terminated are inactive and may be archived.
Description
Executing an effective Information Lifecycle Management Strategy depends
on establishing and maintaining a solid foundation of essential
information management processes, including:
- Information Backup and Recovery – Guarding against
information loss or contamination.
- Information Disposal – Providing for the reliable
and secure elimination of obsolete information.
- Information Security – Protecting against information
theft, contamination, or misappropriation.
Information Backup and Recovery
Traditional methods of data backup and recovery, which usually involve
dumping changed files to a “backup tape” at the end of the day, are simply
not sufficient for today’s businesses. Even small-to-medium-sized
businesses (SMBs) may process hundreds, even thousands, of transactions
per day. Losing a “day’s worth” of business in the event of a disk failure
or other catastrophic situation is intolerable. For maximum
protection, businesses should invest in real-time backup and recovery
schemes, as detailed in Table 1.
Option | Description | Principal Advantage |
---|---|---|
Continuous Data Protection | CDP is a storage solution that continuously catches all changes made to critical data. CDP creates, in effect, an electronic journal of complete storage snapshots, one snapshot for every instant in time that data modification occurs. | Preserves every data transaction automatically. |
Online Backup and Recovery | OBR automatically transmits every changed file over a secure Internet connection to a provider-operated OBR data center. | Permits outsourcing the backup and recovery process to a managed backup and recovery provider. |
In many enterprises, backup and recovery operations resemble Russian
roulette. According to one estimate, forty (40) to fifty (50) percent
of all backups are not fully recoverable. Yet, despite the
statistics, few enterprises conduct routine “retrieve and restore”
exercises, in which random backup media are retrieved from offsite
storage, and their data compared – byte for byte – against pristine data
samples preserved at the time of backup. Such exercises validate the
recovery process by verifying that:
- Backup volumes can be readily retrieved.
- Backup data can be restored, in whole or in part.
- Restored data is identical to the original, i.e., source, data.
Information Disposal
One of the important aspects of Information Lifecycle Management is
“afterlife” processing, ensuring that deleted information is
non-recoverable. To this end, the US National Institute of
Standards and Technology provides guidance on “sanitizing” media
containing electronic data. A sample of this guidance is shown in
Table 2.
Media | Clear Information | Purge Information | Destroy Media |
---|---|---|---|
Optical Media (CD, DVD, BD) | Not Applicable. | Not Applicable. | Destroy in order of recommendations: |
USB Removable Media | Overwrite media by using organizationally approved and validated overwriting technologies/methods/tools. | USB removable media does not support sanitize commands or, if | Shred, disintegrate, pulverize, or incinerate by burning the device in a licensed incinerator. |
Importantly, procedures should be developed to sanitize obsolete backup
media, including offsite volumes maintained by third-party data backup
providers.
Information Security
Obviously, enterprise information must be protected throughout its
lifecycle. One of the most effective – and, curiously, one of the
most underutilized – mechanisms for ensuring the confidentiality and
integrity of sensitive information is encryption. While encryption is
a staple of e-commerce operations, the technique should be employed more
liberally in all enterprise contexts. Encryption can be applied on
multiple levels, from full disk to single file.
Other Considerations
Among the other considerations in devising an Information Lifecycle
Management Strategy are:
- Segregation – A lot of relatively valueless
information – like documents downloaded from the Internet – is “swept
up” during normal computer backup operations. Information with
little or no intrinsic value to the enterprise, or information that can
be readily reproduced if lost or destroyed, should be isolated as part of
the Information Classification process – marked not suitable for
long-term retention.
- “Tiering” – Most information decreases in value
over time. Tiering refers to the process of moving information
during its lifecycle from high-availability storage (like disk) to
lower-availability storage (like tape). Tiering ensures faster access to
vital information, while lowering the cost of storing non-vital
information.
- Versioning – Some information exists in multiple
versions, usually generated over time. Versioning refers to the
process of uniquely identifying each information version and
establishing an appropriate lifecycle. Versioning is useful in
determining which information versions are “active”, and which are
inactive – and eligible for archiving or destruction. Maintaining
multiple versions of the same information can result in operational
errors, and should be avoided.
- Mining – Information mining is the process of
performing intelligent scans of large databases to discover “hidden”
relationships between separate – and often disparate – information
elements. Information mining is often employed to analyze customer
information for market intelligence. Information mining often
affects the lifecycle of subject information, since information which
was previously inactive (like three-year customer transactions) may be
restored to active status to facilitate mining operations.
Current View
Basic Business Benefits
According to Deloitte, the business benefits of information lifecycle
management include:
- “Reduced risk – Reducing the volume of unneeded
information lessens the risk of unfavorable content being discovered (or
leaking). Additionally, knowing where to look for electronically stored
information (ESI) reduces the chance of missing critical information
when searching.
- “Cost savings – eDiscovery, storage, and legal hold
costs can be reduced with better management of information.
- “Improved service – Archiving, eDiscovery, and
Records Management may become less of a distraction and drain on IT and
Legal.
- “More effective governance – ILM can introduce
management rigor and controls that benefit the enterprise.”4
Laws and Regulations
It is probably fair to observe that the concept of Information Lifecycle
Management has received its biggest boost from forces outside the
enterprise – specifically, government regulators.
Owing to a host of laws and regulations that extend beyond the
traditional IRS requirements – statutes like SOX, HIPAA, GLBA, GDPR, and
CCPA – today’s enterprise officials are obliged to retain certain
financial and operational information for prescribed periods, and produce
such information on demand. Information Lifecycle Management helps
facilitate this process by ensuring enterprise information is properly
classified, and managed according to specific service level objectives –
objectives that enable compliance with e-discovery orders.
Importantly, both from a regulatory and information storage perspective,
Information Lifecycle Management can be instrumental in identifying and
helping delete obsolete information – reducing exposure to government
sanctions, and releasing valuable – and expensive – storage space.
Paper Lifecycle Management
As presently practiced, Information Lifecycle Management is focused,
almost exclusively, on electronic information. Paper and other hardcopy
information are generally ignored unless such assets are converted to
electronic form through document imaging or other means. In developing an
Information Lifecycle Management Strategy, it is incumbent upon enterprise
officials to establish – and enforce – lifecycle requirements for paper
records. One of the most important of these requirements involves the
disposition of obsolete or extraneous paper assets.
At the end of its lifecycle, customer and other confidential data must be
securely and completely destroyed. For data residing on paper or
hardcopy documents:
- Use crosscut shredders. Documents shredded with
traditional strip-cut shredders can, with a little effort, be
reassembled. Also, crosscut shredders are required under federal document
security guidelines.
- Use secure document bins to store documents prior to disposal to
prevent “dumpster diving.”
- Place the secure bins in high-traffic areas where photocopying and
faxing services are most prevalent.
- Use a document destruction service for high-volume disposal.
- If possible, engage a service that can destroy documents on-site,
under the scrutiny of company security officials.
- Obtain “Certificates of Destruction” from the document destruction
service.
Data Lifecycle Management
For those who might be curious, the terms “information lifecycle
management” and “data lifecycle management” are often employed
interchangeably. But, as analyst Aleksander Hougen observes, “ILM operates
on a much larger scale because it takes into account a greater amount of
information and data than DLM does. DLM is primarily concerned with what
you might call metadata (a file’s age, name, edit times, size, etc.),
whereas ILM also involves file-specific data, such as phone numbers, email
addresses or pretty much anything else you can think of.”5
Outlook
Distributed Strategy
In addition to incorporating non-electronic, i.e. paper-based,
information, ILM practitioners must develop an Information Lifecycle
Management Strategy that reflects the reality of today’s de-centralized,
or distributed, information technology (IT) environment. At issue are:
- Mobile Information Systems – managing information
stored on laptops, PDAs, smartphones, and tablets.
- Portable Storage Devices – managing information
stored on CDs, DVDs, and USB (“flash”) drives.
- Cloud Computing Services – managing outsourced
information, in which enterprise officials effectively relinquish their
information, information services, and Information Lifecycle Management
responsibilities to one or more third-party providers.
Cloud computing can be particularly troublesome unless the enterprise –
in concert with its cloud service providers – crafts a service level
agreement that specifies how enterprise information should be managed
throughout its lifecycle. Among the principal concerns are:
- Information Availability – Ensuring enterprise
information, especially “active” information, is readily available to
enterprise customers.
- Reliable Removal – The outsourcer should outline
its process for removing obsolete enterprise information, i.e.,
information at the end of its lifecycle, ensuring that no residual
traces exist.
- Information Security – The outsourcer should
describe its process for ensuring the confidentiality and integrity of
enterprise information entrusted to its care.
- Business Continuity – The outsourcer should describe
its business continuity (or disaster recovery) process to ensure against
the “premature death” of enterprise information.
- Contract Termination – The outsourcer should describe
its process for returning – and locally removing – enterprise
information at end of contract.
e-Discovery Strategy
Another phenomenon affecting information lifecycle management is
electronic discovery. Electronic discovery (or e-discovery) is the process
of finding information of a particular type that is stored in electronic
files, databases, or archives. While the roots of e-discovery can be
traced to the early 1990s when enterprises began “mining” large-scale
databases to gain market intelligence, e-discovery today generally
involves the on-demand production of information relevant to specific
legal orders and regulatory requirements.
The principal driver behind this new form of e-discovery is the US
Supreme Court. On April 12, 2006, the Court approved and forwarded to
Congress a number of revisions to the Federal Rules of Civil Procedure
(FRCP) that address the preservation and discovery of data in electronic
media. The new rules, which went into effect on December 1, 2006,
establish a new form of discoverable data called “electronically stored
information” (ESI).
According to Rule 34, electronically stored information includes
writings, drawings, graphs, charts, photographs, sound recordings, images,
and other data or data compilations stored in any medium from which
information can be obtained. Importantly, electronically stored
information stands on equal footing with the discovery of paper documents,
meaning ESI must be produced on demand in response to a subpoena or other
court order.
While the Federal Rules of Civil Procedure apply to federal courts, most
state court systems have adopted the same or similar rules. As a
consequence, virtually all enterprises must be prepared to produce
relevant electronic information as required and requested.
From an ILM perspective, enterprise officials should be careful to retain
records relevant to transactions with customers, business partners,
regulators, or other parties with whom the enterprise “does business.”
This process should:
- Involve the enterprise General Counsel (as a source of ESI expertise);
and
- Be biased toward keeping more potentially “discoverable” records, not
less (the “better safe than sorry” approach).
An important element of complying with legal-style e-discovery
requirements is the ability to apply “document holds,” essentially
freezing information that the enterprise has reason to believe may be the
subject of an imminent e-discovery order.
Big Data
One of the “big” challenges for information lifecycle management
providers is the emergence – or, perhaps more accurately, the sudden
recognition – of “Big Data” as an enterprise asset. Big Data refers to the
massive amounts of data being generated on a daily basis by businesses and
consumers alike – data which cannot be processed using conventional data
analysis tools owing to its sheer size and, in many cases, its unstructured
nature.
Much like the universe is composed more of “dark matter” than regular
matter, today’s enterprise is probably comprised more of Big Data than
regular data. Enterprise clients will look to ILM products to help define
Big Data, describe its lifecycle, and detail methods for Big Data
lifecycle management.
Social Media
Although the initial response of enterprise executives to social media
sites like Facebook and Twitter was to ignore them, enterprise marketers
began to realize that social media offered an opportunity to promote the
enterprise – especially to a younger demographic – and to sell products.
In this environment, information transmitted and received by enterprise
employees via social media becomes enterprise information, subject to the
same lifecycle management principles as information traded through more
conventional means.
As with Big Data, enterprise information managers will likely gravitate
to those ILM products that promise some measure of control over enterprise
Facebook postings and Twitter tweets.
Lifecycle Paradigm
One of the virtues of the Information Lifecycle Management approach to
information management is the lifecycle paradigm itself. Those practicing
ILM are probably familiar with other business lifecycles, like the Project
Management Lifecycle, the Software/System Development Lifecycle (pictured
in Figure 2), and the Business Continuity Management Lifecycle, to name a
few.
The ubiquity of the lifecycle model helps ILM newcomers understand
information management principles and requirements, and adapt to an information
management regime that demands continuous monitoring, continuous improvement,
and continuous vigilance.
Figure 2. Software/System Development Lifecycle
Source: Wikimedia Commons
Recommendations
Adopt AIIM Best Practices
AIIM, a non-profit organization that provides independent research,
training, and certification for information professionals, has identified
three best practices for ILM governance:
- “Audit Your Information – The first step is to understand exactly
what information you have, how much, and where it is all located.
- “Get Rid of ROT – One
way to battle content growth is to get rid of ‘ROT’ – redundant,
obsolete, and trivial information that an organization continues to
retain even though the information has no continued business or legal
value.
- “Author Policies, Automate Governance – Effective
information lifecycle management requires a fully focused approach
rooted in formal governance policies and procedures. Adoption of
technologies and solutions should work to automate the governance
process with tools that extend the value and effectiveness of
information to boost organizational performance.”6
Procure an ILM Product
To expedite the development and implementation of an Information
Lifecycle Management Strategy, enterprise officials should consider
acquiring a commercial ILM product, like Oracle Information Lifecycle
Management or Oracle ILM.
Oracle ILM describes five steps to implementing an ILM strategy:
Step 1: Define the Data Classes. For the primary
databases that drive your business, identify the types of data in each
database and where it is stored, and then determine:
- Which data is important, where it is, and what must be retained
- How this data flows within the organization
- What happens to this data over time and when is it no longer actively
needed
- The degree of data availability, and protection, that is needed
- Data retention for legal and business requirements
Step 2: Create Logical Storage Tiers. For the data
classes that represent the different types of storage tiers available in
your environment.
Step 3: Define a Lifecycle. A lifecycle definition
describes how data migrates across logical storage tiers during its
lifetime. A lifecycle definition comprises one or more lifecycle stages
that select a logical storage tier, data attributes such as compression
and read-only, and a duration for data residing on that lifecycle stage.
To summarize, a lifecycle defines WHERE to store data, HOW to store data
and HOW LONG data should be retained.
Step 4: Assign a Lifecycle to Database Tables/Partitions
Step 5: Define and Enforce Compliance Policies
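The lifecycle definition in Step 3 and its assignment in Step 4, sketched as an added example (not Oracle's code or API, and not part of the original report): each stage records WHERE, HOW and HOW LONG, and a planner decides which records to move, dispose of, or freeze under a document hold. The stage durations, tier names, record identifiers and function names are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Stage:
    tier: str            # WHERE: logical storage tier
    compress: bool       # HOW: stored compressed?
    read_only: bool      # HOW: stored read-only?
    days: Optional[int]  # HOW LONG in this stage; None means indefinitely


# Constructed lifecycle for a hypothetical "customer transactions" data class.
CUSTOMER_TXN = (
    Stage("high-performance", compress=False, read_only=False, days=365),
    Stage("low-cost", compress=True, read_only=False, days=730),
    Stage("archive", compress=True, read_only=True, days=1460),
)


def stage_for(lifecycle, created, today):
    """Return the stage a record of this age belongs in, or None once it
    has outlived the final stage and is eligible for disposal."""
    age = (today - created).days
    if age < 0:
        raise ValueError("record creation date is in the future")
    end = 0
    for stage in lifecycle:
        if stage.days is None:   # open-ended stage: data never leaves it
            return stage
        end += stage.days
        if age < end:            # a record aged exactly `end` days has moved on
            return stage
    return None


def plan(lifecycle, records, today, holds=frozenset()):
    """records: iterable of (record_id, created, current_tier).
    A record under a document hold is frozen: never moved, never disposed."""
    actions = []
    for rec_id, created, current_tier in records:
        if rec_id in holds:
            actions.append((rec_id, "hold", current_tier))
            continue
        target = stage_for(lifecycle, created, today)
        if target is None:
            actions.append((rec_id, "dispose", current_tier))
        elif target.tier != current_tier:
            actions.append((rec_id, "move", target.tier))
    return actions


# Constructed sample records: (id, creation date, tier the record sits on now).
SAMPLE_RECORDS = (
    ("t1", date(2021, 6, 1), "high-performance"),
    ("t2", date(2020, 6, 1), "high-performance"),
    ("t3", date(2012, 1, 1), "archive"),
    ("t4", date(2012, 1, 1), "archive"),
)


def demo():
    """Plan actions for the sample records as of 2021-11-01, with t4 on hold."""
    return plan(CUSTOMER_TXN, SAMPLE_RECORDS, date(2021, 11, 1), holds={"t4"})


if __name__ == "__main__":
    for action in demo():
        print(action)
```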
Know Where Information Is
The process of managing information throughout its lifecycle depends on
knowing where the subject information is stored and
processed. Certain technological advances like personal clouds have
enabled enterprise employees to store and process enterprise information
in non-enterprise repositories like Dropbox. Enterprise officials
should work with employees to minimize such “data leakage,” and
reestablish control over enterprise information assets.
Make Cybersecurity a Priority
The nation’s information repositories, both public and private, are being
probed with increasing success by gangs of hackers – many state-sponsored
– using sophisticated tools and techniques designed to penetrate even
robust cyber defenses.
While enterprise security officials may feel “outmanned and outgunned” in
their efforts to protect enterprise vital records, they are nonetheless
responsible for deploying all the security measures at their disposal,
including:
- Anti-malware programs
- Anti-spyware software
- Network firewalls
- Intrusion prevention systems
- Data loss prevention (DLP) packages
- Application security schemes
Along with basic data encryption (discussed previously), these
cybersecurity mechanisms will help ensure the integrity and
confidentiality of enterprise information throughout its lifecycle.
Engage Everyone In ILM
The process of developing an Information Lifecycle Management Strategy
should involve the entire enterprise community – especially the user
community. Information users can offer a valuable perspective on how
information is used, and how it should be presented. It is important
to remember that a single information element may be used by different
parties during its lifecycle – a financial element, for example, may be
used at different stages by enterprise customers, Finance, Sales,
Production, and Audit, even by external regulators. The relationship
between information elements and their users – and the timing of these
relationships – must be ascertained to make sound Information Lifecycle
Management Strategy decisions.
References
1 “The Comprehensive Guide to Information Lifecycle Management.” Veritas. 2021.
2 “Developing an Information Lifecycle Management Strategy.” Internet.com. 2006:6.
3 Richard Kissel, Andrew Regenscheid, Matthew Scholl, and Kevin Stine. SP800-88, Revision 1: “Guidelines for Media Sanitization.” US National Institute of Standards and Technology. December 2014:35,36,38,39.
4 “Information Life Cycle Management.” Deloitte Development LLC. 2015:1-2.
5 Aleksander Hougen. “What Is Data Lifecycle Management? A 2021 Guide For Your Business.” Cloudwards.net. February 16, 2021.
6 Kevin Craine. “Best Practices for Governing Information Lifecycle Management.” AIIM. 2019.
Web Links
- ARMA International: http://www.arma.org/
- Iron Mountain: http://www.ironmountain.com/
- Oracle: http://www.oracle.com/
- US National Institute of Standards and Technology: http://www.nist.gov/
About the Author
James G. Barr is a leading business continuity analyst
and business writer with more than 30 years’ IT experience. A member of
“Who’s Who in Finance and Industry,” Mr. Barr has designed, developed,
and deployed business continuity plans for a number of Fortune 500
firms. He is the author of several books, including How to
Succeed in Business BY Really Trying, a member of Faulkner’s
Advisory Panel, and a senior editor for Faulkner’s Security
Management Practices. Mr. Barr can be reached via e-mail at jgbarr@faulkner.com.