Information Lifecycle Management Strategy











by James G. Barr

Docid: 00021123

Publication Date: 2111

Report Type: TUTORIAL

Preview

Information is the currency of modern commerce and must be managed
intelligently to ensure enterprise success. Just as physical assets such as
facilities and equipment cycle from useful to useless, so do information
assets. Intellectual property (trade secrets), enterprise plans and
schedules, internal or client correspondence (including e-mail), and
personnel records may move from important, must-have data to archival
material to waste that must be disposed of in an appropriate manner. At
each stage, the material must be secured to ensure that vital enterprise
information is properly protected from loss, theft, contamination, or
misappropriation. To deal with the lifecycle of this information,
enterprise planners must develop and execute an Information Lifecycle
Management strategy.


Executive Summary


Information is the currency of modern commerce, and must be managed to
ensure enterprise success. Just as physical assets, like facilities
and equipment, have a lifecycle (or series of life stages from figurative
birth to death), so do information assets, like intellectual property
(trade secrets), enterprise plans and schedules, customer correspondence
(including e-mail), and personnel records.

 



To ensure enterprise information is properly protected from loss, theft,
contamination, or misappropriation throughout its lifecycle, enterprise
planners must develop – and execute – an Information Lifecycle Management
(ILM) strategy.

The three goals of ILM, as defined by Veritas, a leading information
management firm, are:


  • Data Security and Confidentiality – Protecting sensitive,
    confidential, and proprietary information from unauthorized access;
  • Availability – Ensuring information is present when needed; and
  • Integrity – Ensuring information is correct and consistent
    across all information platforms.1

As a means of implementing ILM, the ILM strategy prescribes how certain
information (or types of information) should be treated during its
lifecycle, from creation or acquisition to final disposition.

Figure 1, for example, illustrates how “active” or
frequently referenced information might be housed in a “high performance”
store, while “inactive” information might be relegated to an “archival”
repository.

Figure 1. Enterprise Information Lifecycle


Regrettably, there is no single strategy for managing enterprise
information throughout its lifecycle. For each enterprise, strategy
development relies on several factors, including:

  • The amount of resources that can be applied to information lifecycle
    management (ILM) – ILM normally is a large enterprise discipline.
  • The need to satisfy regulatory requirements, such as Sarbanes-Oxley
    (SOX), the Health Insurance Portability and Accountability Act (HIPAA),
    Gramm-Leach-Bliley (GLBA), and, more recently, the European Union (EU)
    General Data Protection Regulation (GDPR) and the California Consumer
    Privacy Act (CCPA). 
  • The need to produce enterprise information on demand, especially in
    response to a subpoena or other “e-discovery” order.
  • The need to manage – actually, reduce – runaway storage growth.

Developing an Information Lifecycle Management Strategy revolves around
two basic processes:

  1. Classifying Information
  2. Establishing Information-Oriented “Service Level Objectives”2

Classifying information involves separating “information elements”
(discrete items of information at the file or record level) into specific
categories, such as Secret, Confidential, or Unclassified. While
individual information elements may be categorized, classification
typically occurs at the record type level, such as customer records or
financial records.

Once enterprise officials have created information categories – and
populated these categories with the appropriate information elements – the
officials must determine how the information within each category will be
managed; in other words, what are the service level objectives for each
category? More specifically, what are the standards for:

  • Security?
  • Availability?
  • Recoverability (in the event of sudden information loss)? 
  • Retention?
  • Normal Use? 

What distinguishes information lifecycle management from allied
disciplines, such as information management, data management, and records
management, is the obligation to manage information elements according to
their respective age, or relative position within their
lifecycle. For example, records related to current employees are
highly active and must be highly available. Records related to retired
employees (pensioners) are less active and may be less
available. Records related to employees who have resigned or been
terminated are inactive and may be archived.

Description


Executing an effective Information Lifecycle Management Strategy depends
on establishing and maintaining a solid foundation of essential
information management processes, including:

  • Information Backup and Recovery – Guarding against
    information loss or contamination.
  • Information Disposal – Providing for the reliable
    and secure elimination of obsolete information.
  • Information Security – Protecting against information
    theft, contamination, or misappropriation.

Information Backup and Recovery 

Traditional methods of data backup and recovery, which usually involve
dumping changed files to a “backup tape” at the end of the day, are simply
not sufficient for today’s businesses. Even small-to-medium-sized
businesses (SMBs) may process hundreds, even thousands, of transactions
per day. Losing a “day’s worth” of business in the event of a disk failure
or other catastrophic situation is intolerable. For maximum
protection, businesses should invest in real-time backup and recovery
schemes, as detailed in Table 1.

Table 1. Real-Time Backup and Recovery Options

| Option | Description | Principal Advantage |
| --- | --- | --- |
| Continuous Data Protection | CDP is a storage solution that continuously catches all changes made to critical data. CDP creates, in effect, an electronic journal of complete storage snapshots, one snapshot for every instant in time that data modification occurs. | Preserves every data transaction automatically. |
| Online Backup and Recovery | OBR automatically transmits every changed file over a secure Internet connection to a provider-operated OBR data center. | Permits outsourcing the backup and recovery process to a managed backup and recovery provider. |

In many enterprises, backup and recovery operations resemble Russian
roulette. According to one estimate, forty (40) to fifty (50) percent
of all backups are not fully recoverable. Yet, despite the
statistics, few enterprises conduct routine “retrieve and restore”
exercises, in which random backup media are retrieved from offsite
storage, and their data compared – byte for byte – against pristine data
samples preserved at the time of backup. Such exercises validate the
recovery process by verifying that:

  • Backup volumes can be readily retrieved.
  • Backup data can be restored, in whole or in part.
  • Restored data is identical to the original, i.e., source, data.
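
A “retrieve and restore” exercise of this kind can be scripted. The following Python code is an added example, not part of the original report: it substitutes SHA-256 digests recorded at backup time for full pristine copies, and the function names and sample files are hypothetical and constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 without loading it into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_root):
    """Record {relative path: digest} for every source file at backup time."""
    root = Path(source_root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time."""
    root = Path(restored_root)
    report = {"ok": [], "missing": [], "corrupted": [], "unexpected": []}
    for rel_path, expected in manifest.items():
        candidate = root / rel_path
        if not candidate.is_file():
            report["missing"].append(rel_path)      # could not be restored
        elif sha256_file(candidate) != expected:
            report["corrupted"].append(rel_path)    # restored, but not identical
        else:
            report["ok"].append(rel_path)
    restored = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report["unexpected"] = sorted(restored - set(manifest))
    report["recoverable"] = not (report["missing"] or report["corrupted"])
    return report


def run_demo():
    """Constructed sample: one intact file, one altered file, one lost file."""
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "source"), Path(tmp, "restored")
        for base in (source, restored):
            (base / "finance").mkdir(parents=True)
        files = {
            "finance/ledger.csv": b"2021-11-01,invoice,100.00\n",
            "finance/payroll.csv": b"emp-001,4200.00\n",
            "customers.db": b"\x00\x01constructed-sample\x02",
        }
        for rel, data in files.items():
            (source / rel).write_bytes(data)
        manifest = build_manifest(source)
        # Simulate a flawed restore: ledger is intact, payroll differs by one
        # character, and customers.db never comes back from the backup volume.
        (restored / "finance/ledger.csv").write_bytes(files["finance/ledger.csv"])
        (restored / "finance/payroll.csv").write_bytes(b"emp-001,4200.01\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The manifest itself should be stored apart from the backup media it describes, so that damage to the media cannot also damage the reference values.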

Information Disposal

One of the important aspects of Information Lifecycle Management is
“afterlife” processing, ensuring that deleted information is
non-recoverable. To this end, the US National Institute of
Standards and Technology provides guidance on “sanitizing” media
containing electronic data. A sample of this guidance is shown in
Table 2.

Table 2. Media Sanitization Decision Matrix3

| Media | Clear Information | Purge Information | Destroy Media |
| --- | --- | --- | --- |
| Optical Media (CD, DVD, BD) | Not Applicable. | Not Applicable. | Destroy in order of recommendations: (1) Removing the information-bearing layers of CD media using a commercial optical disk grinding device. Note that this applies only to CD and not to DVD or BD media. (2) Incinerate optical disk media (reduce to ash) using a licensed facility. (3) Use optical disk media shredders or disintegrator devices to reduce to particles that have a nominal edge dimensions of point five millimeters (.5 mm) and surface area of point two five square millimeters (.25 mm²) or smaller. |
| USB Removable Media | Overwrite media by using organizationally approved and validated overwriting technologies/methods/tools. | USB removable media does not support sanitize commands or, if supported, the interfaces are not supported in a standardized way across these devices. Refer to the manufacturer for details about the availability and functionality of any available sanitization features and commands. | Shred, disintegrate, pulverize, or incinerate by burning the device in a licensed incinerator. |

Importantly, procedures should be developed to sanitize obsolete backup
media, including offsite volumes maintained by third-party data backup
providers.

Information Security

Obviously, enterprise information must be protected throughout its
lifecycle. One of the most effective – and, curiously, one of the
most underutilized – mechanisms for ensuring the confidentiality and
integrity of sensitive information is encryption. While encryption is
a staple of e-commerce operations, the technique should be employed more
liberally in all enterprise contexts. Encryption can be applied on
multiple levels, from full disk to single file.

Other Considerations

Among the other considerations in devising an Information Lifecycle
Management Strategy are:

  • Segregation – A lot of relatively valueless
    information – like documents downloaded from the Internet – is “swept
    up” during normal computer backup operations. Information with
    little or no intrinsic value to the enterprise, or information that can
    be readily reproduced if lost or destroyed should be isolated as part of
    the Information Classification process – marked not suitable for
    long-term retention.
  • “Tiering” – Most information decreases in value
    over time. Tiering refers to the process of moving information
    during its lifecycle from high-availability storage (like disk) to
    lower-availability storage (like tape). Tiering ensures faster access to
    vital information, while lowering the cost of storing non-vital
    information.
  • Versioning – Some information exists in multiple
    versions, usually generated over time. Versioning refers to the
    process of uniquely identifying each information version and
    establishing an appropriate lifecycle. Versioning is useful in
    determining which information versions are “active”, and which are
    inactive – and eligible for archiving or destruction. Maintaining
    multiple versions of the same information can result in operational
    errors, and should be avoided.
  • Mining – Information mining is the process of
    performing intelligent scans of large databases to discover “hidden”
    relationships between separate – and often disparate – information
    elements. Information mining is often employed to analyze customer
    information for market intelligence. Information mining often
    affects the lifecycle of subject information, since information which
    was previously inactive (like three-year customer transactions) may be
    restored to active status to facilitate mining operations.

Current View


Basic Business Benefits

According to Deloitte, the business benefits of information lifecycle
management include:

  • Reduced risk – Reducing the volume of unneeded
    information lessens the risk of unfavorable content being discovered (or
    leaking). Additionally, knowing where to look for electronically stored
    information (ESI) reduces the chance of missing critical information
    when searching.
  • Cost savings – eDiscovery, storage, and legal hold
    costs can be reduced with better management of information.
  • Improved service – Archiving, eDiscovery, and
    Records Management may become less of a distraction and drain on IT and
    Legal.
  • More effective governance – ILM can introduce
    management rigor and controls that benefit the enterprise.”4

Laws and Regulations

It is probably fair to observe that the concept of Information Lifecycle
Management has received its biggest boost from forces outside the
enterprise – specifically, government regulators.

Owing to a host of laws and regulations that extend beyond the
traditional IRS requirements – statutes like SOX, HIPAA, GLBA, GDPR, and
CCPA – today’s enterprise officials are obliged to retain certain
financial and operational information for prescribed periods, and produce
such information on demand. Information Lifecycle Management helps
facilitate this process by ensuring enterprise information is properly
classified, and managed according to specific service level objectives –
objectives that enable compliance with e-discovery orders.

Importantly, both from a regulatory and information storage perspective,
Information Lifecycle Management can be instrumental in identifying and
helping delete obsolete information – reducing exposure to government
sanctions, and releasing valuable – and expensive – storage space.

Paper Lifecycle Management

As presently practiced, Information Lifecycle Management is focused,
almost exclusively, on electronic information. Paper and other hardcopy
information are generally ignored unless such assets are converted to
electronic form through document imaging or other means. In developing an
Information Lifecycle Management Strategy, it is incumbent upon enterprise
officials to establish – and enforce – lifecycle requirements for paper
records. One of the most important of these requirements involves the
disposition of obsolete or extraneous paper assets.

At the end of its lifecycle, customer and other confidential data must be
securely and completely destroyed. For data residing on paper or
hardcopy documents:

  • Use crosscut shredders. Documents shredded with
    traditional strip-cut shredders can, with a little effort, be
    reassembled. Also, crosscut shredders are required under federal document
    security guidelines.
  • Use secure document bins to store documents prior to disposal to
    prevent “dumpster diving.”
  • Place the secure bins in high-traffic areas where photocopying and
    faxing services are most prevalent.
  • Use a document destruction service for high-volume disposal.
  • If possible, engage a service that can destroy documents on-site,
    under the scrutiny of company security officials.
  • Obtain “Certificates of Destruction” from the document destruction
    service.

Data Lifecycle Management

For those who might be curious, the terms “information lifecycle
management” and “data lifecycle management” are often employed
interchangeably. But, as analyst Aleksander Hougen observes, “ILM operates
on a much larger scale because it takes into account a greater amount of
information and data than DLM does. DLM is primarily concerned with what
you might call metadata (a file’s age, name, edit times, size, etc.),
whereas ILM also involves file-specific data, such as phone numbers, email
addresses or pretty much anything else you can think of.”5

Outlook


Distributed Strategy

In addition to incorporating non-electronic, i.e. paper-based,
information, ILM practitioners must develop an Information Lifecycle
Management Strategy that reflects the reality of today’s de-centralized,
or distributed, information technology (IT) environment. At issue are:

  • Mobile Information Systems – managing information
    stored on laptops, PDAs, smartphones, and tablets.
  • Portable Storage Devices – managing information
    stored on CDs, DVDs, and USB (“flash”) drives.
  • Cloud Computing Services – managing outsourced
    information, in which enterprise officials effectively relinquish their
    information, information services, and Information Lifecycle Management
    responsibilities to one or more third-party providers.

Cloud computing can be particularly troublesome unless the enterprise –
in concert with its cloud service providers – crafts a service level
agreement that specifies how enterprise information should be managed
throughout its lifecycle. Among the principal concerns are:

  • Information Availability – Ensuring enterprise
    information, especially “active” information, is readily available to
    enterprise customers.
  • Reliable Removal – The outsourcer should outline
    its process for removing obsolete enterprise information, i.e.,
    information at the end of its lifecycle, ensuring that no residual
    traces exist.
  • Information Security – The outsourcer should
    describe its process for ensuring the confidentiality and integrity of
    enterprise information entrusted to its care. 
  • Business Continuity – The outsourcer should describe
    its business continuity (or disaster recovery) process to ensure against
    the “premature death” of enterprise information.
  • Contract Termination – The outsourcer should describe
    its process for returning – and locally removing – enterprise
    information at end of contract.

e-Discovery Strategy

Another phenomenon affecting information lifecycle management is
electronic discovery. Electronic discovery (or e-discovery) is the process
of finding information of a particular type that is stored in electronic
files, databases, or archives. While the roots of e-discovery can be
traced to the early 1990s when enterprises began “mining” large-scale
databases to gain market intelligence, e-discovery today generally
involves the on-demand production of information relevant to specific
legal orders and regulatory requirements.

The principal driver behind this new form of e-discovery is the US
Supreme Court. On April 12, 2006, the Court approved and forwarded to
Congress a number of revisions to the Federal Rules of Civil Procedure
(FRCP) that address the preservation and discovery of data in electronic
media. The new rules, which went into effect on December 1, 2006,
establish a new form of discoverable data called “electronically stored
information” (ESI).

According to Rule 34, electronically stored information includes
writings, drawings, graphs, charts, photographs, sound recordings, images,
and other data or data compilations stored in any medium from which
information can be obtained. Importantly, electronically stored
information stands on equal footing with the discovery of paper documents,
meaning ESI must be produced on demand in response to a subpoena or other
court order.

While the Federal Rules of Civil Procedure apply to federal courts, most
state court systems have adopted the same or similar rules. As a
consequence, virtually all enterprises must be prepared to produce
relevant electronic information as required and requested.

From an ILM perspective, enterprise officials should be careful to retain
records relevant to transactions with customers, business partners,
regulators, or other parties with whom the enterprise “does business.”
This process should:

  • Involve the enterprise General Counsel (as a source of ESI expertise);
    and
  • Be biased toward keeping more potentially “discoverable” records, not
    less (the “better safe than sorry” approach).

An important element of complying with legal-style e-discovery
requirements is the ability to apply “document holds,” essentially
freezing information that the enterprise has reason to believe may be the
subject of an imminent e-discovery order.

Big Data

One of the “big” challenges for information lifecycle management
providers is the emergence – or, perhaps more accurately, the sudden
recognition – of “Big Data” as an enterprise asset. Big Data refers to the
massive amounts of data being generated on a daily basis by businesses and
consumers alike – data which cannot be processed using conventional data
analysis tools owing to its sheer size and, in many cases, its unstructured
nature.

Much like the universe is composed more of “dark matter” than regular
matter, today’s enterprise is probably comprised more of Big Data than
regular data. Enterprise clients will look to ILM products to help define
Big Data, describe its lifecycle, and detail methods for Big Data
lifecycle management.

Social Media

Although the initial response of enterprise executives to social media
sites like Facebook and Twitter was to ignore them, enterprise marketers
began to realize that social media offered an opportunity to promote the
enterprise – especially to a younger demographic – and to sell products.
In this environment, information transmitted and received by enterprise
employees via social media becomes enterprise information, subject to the
same lifecycle management principles as information traded through more
conventional means.

As with Big Data, enterprise information managers will likely gravitate
to those ILM products that promise some measure of control over enterprise
Facebook postings and Twitter tweets.

Lifecycle Paradigm

One of the virtues of the Information Lifecycle Management approach to
information management is the lifecycle paradigm itself. Those practicing
ILM are probably familiar with other business lifecycles, like the Project
Management Lifecycle, the Software/System Development Lifecycle (pictured
in Figure 2), and the Business Continuity Management Lifecycle, to name a
few.

The ubiquity of the lifecycle model helps ILM newcomers understand
information management principles and requirements, and adapt to an information
management regime that demands continuous monitoring, continuous improvement,
and continuous vigilance.

Figure 2. Software/System Development Lifecycle


Source: Wikimedia Commons

Recommendations


Adopt AIIM Best Practices

AIIM, a non-profit organization that provides independent research,
training, and certification for information professionals, has identified
three best practices for ILM governance:

  1. Audit Your Information
    – The first step is to understand exactly what information you have,
    how much, and where it is all located.
  2. Get Rid of ROT – One
    way to battle content growth is to get rid of ‘ROT’ – redundant,
    obsolete, and trivial information that an organization continues to
    retain even though the information has no continued business or legal
    value.
  3. Author Policies, Automate Governance – Effective
    information lifecycle management requires a fully focused approach
    rooted in formal governance policies and procedures. Adoption of
    technologies and solutions should work to automate the governance
    process with tools that extend the value and effectiveness of
    information to boost organizational performance.”6

Procure an ILM Product

To expedite the development and implementation of an Information
Lifecycle Management Strategy, enterprise officials should consider
acquiring a commercial ILM product, like Oracle Information Lifecycle
Management or Oracle ILM.

Oracle ILM describes five steps to implementing an ILM strategy:

Step 1: Define the Data Classes. For the primary
databases that drive your business, identify the types of data in each
database and where it is stored, and then determine:

  • Which data is important, where it is, and what must be retained
  • How this data flows within the organization
  • What happens to this data over time and when is it no longer actively
    needed
  • The degree of data availability, and protection, that is needed
  • Data retention for legal and business requirements

Step 2: Create Logical Storage Tiers. For the data
classes that represent the different types of storage tiers available in
your environment.

Step 3: Define a Lifecycle. A lifecycle definition
describes how data migrates across logical storage tiers during its
lifetime. A lifecycle definition comprises one or more lifecycle stages
that select a logical storage tier, data attributes such as compression
and read-only, and a duration for data residing on that lifecycle stage.
To summarize, a lifecycle defines WHERE to store data, HOW to store data
and HOW LONG data should be retained.

Step 4: Assign a Lifecycle to Database Tables/Partitions

Step 5: Define and Enforce Compliance Policies
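
The lifecycle definition in Step 3 (WHERE, HOW, and HOW LONG), combined with the “document hold” discussed under e-Discovery Strategy, can be expressed as a small policy evaluator. This Python code is an added example, not Oracle's implementation or part of the original report; the stage names, tiers, durations, and record identifiers are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class Stage:
    name: str
    tier: str         # WHERE the data is stored
    compress: bool    # HOW it is stored
    read_only: bool   # HOW it is stored
    days: int         # HOW LONG it stays in this stage


@dataclass(frozen=True)
class Placement:
    stage: str
    tier: str
    compress: bool
    read_only: bool
    action: str       # "store", "dispose" or "hold"


# Constructed lifecycle for one record class; the durations are illustrative
# and are not taken from any regulation or from the report.
FINANCIAL_RECORDS = (
    Stage("active", "high-performance disk", False, False, 365),
    Stage("less active", "low-cost disk", True, True, 730),
    Stage("archive", "tape archive", True, True, 1460),
)


def retention_days(stages):
    """Total retention period is the sum of the stage durations."""
    if not stages or any(s.days <= 0 for s in stages):
        raise ValueError("a lifecycle needs stages with positive durations")
    return sum(s.days for s in stages)


def evaluate(stages, created, today, on_hold=False):
    """Return where a record belongs today and what to do with it."""
    total = retention_days(stages)
    age = (today - created).days
    if age < 0:
        raise ValueError("creation date is in the future")
    current, boundary = stages[-1], 0
    for stage in stages:
        boundary += stage.days
        if age < boundary:
            current = stage
            break
    placement = Placement(current.name, current.tier, current.compress,
                          current.read_only, "store" if age < total else "dispose")
    if on_hold:
        # A document hold freezes the record: no edits and no disposal,
        # even when the retention period has already run out.
        placement = replace(placement, read_only=True, action="hold")
    return placement


def plan(records, today, held_ids=frozenset()):
    """Evaluate a batch of (record_id, created) pairs against the lifecycle."""
    return {
        record_id: evaluate(FINANCIAL_RECORDS, created, today, record_id in held_ids)
        for record_id, created in records
    }


def run_demo():
    today = date(2024, 1, 1)
    records = [  # constructed sample records
        ("INV-0001", today - timedelta(days=92)),
        ("INV-0002", today - timedelta(days=579)),
        ("INV-0003", today - timedelta(days=3287)),
        ("INV-0004", today - timedelta(days=3287)),
    ]
    return plan(records, today, held_ids={"INV-0004"})


if __name__ == "__main__":
    for record_id, placement in run_demo().items():
        print(record_id, placement)
```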

Know Where Information Is

The process of managing information throughout its lifecycle depends on
knowing where the subject information is stored and
processed. Certain technological advances like personal clouds have
enabled enterprise employees to store and process enterprise information
in non-enterprise repositories like Dropbox. Enterprise officials
should work with employees to minimize such “data leakage,” and
reestablish control over enterprise information assets.

Make Cybersecurity a Priority

The nation’s information repositories, both public and private, are being
probed with increasing success by gangs of hackers – many state-sponsored
– using sophisticated tools and techniques designed to penetrate even
robust cyber defenses.

While enterprise security officials may feel “outmanned and outgunned” in
their efforts to protect enterprise vital records, they are nonetheless
responsible for deploying all the security measures at their disposal,
including:

  • Anti-malware programs
  • Anti-spyware software
  • Network firewalls
  • Intrusion prevention systems
  • Data loss prevention (DLP) packages
  • Application security schemes

Along with basic data encryption (discussed previously), these
cybersecurity mechanisms will help ensure the integrity and
confidentiality of enterprise information throughout its lifecycle.

Engage Everyone In ILM

The process of developing an Information Lifecycle Management Strategy
should involve the entire enterprise community – especially the user
community. Information users can offer a valuable perspective on how
information is used, and how it should be presented. It is important
to remember that a single information element may be used by different
parties during its lifecycle – a financial element, for example, may be
used at different stages by enterprise customers, Finance, Sales,
Production, and Audit, even by external regulators. The relationship
between information elements and their users – and the timing of these
relationships – must be ascertained to make sound Information Lifecycle
Management Strategy decisions. 

References


About the Author


James G. Barr is a leading business continuity analyst
and business writer with more than 30 years’ IT experience. A member of
“Who’s Who in Finance and Industry,” Mr. Barr has designed, developed,
and deployed business continuity plans for a number of Fortune 500
firms. He is the author of several books, including How to
Succeed in Business BY Really Trying, a member of Faulkner’s
Advisory Panel, and a senior editor for Faulkner’s Security
Management Practices. Mr. Barr can be reached via e-mail at jgbarr@faulkner.com.
