An information management framework (IMF) includes four layers: policy, management, operations, and infrastructure.
By James E. Geis
Corporations around the globe now view information as an asset. As raw data, it’s useless, but as business intelligence, it’s highly valuable. There is not an inventory tag or an SKU necessarily associated with information, but its use and misuse can make or break corporate and personal reputations and create or discontinue revenue streams, and its treatment and dissemination have legal ramifications.
Handling information has grown increasingly complex as the interdependencies and the value of information have superseded the technology that supports it. You’ve heard dozens of colloquialisms: Knowledge is power, information is king, and use it or lose it. Digital information is one of the cornerstones of our 21st-century society. For decades, the IT industry has been focused on the technological elements of processing, storing, and delivering information. As computing technology has advanced along with the commercialization of the Internet, information has taken on a new face, one shaped by data warehousing, information mining, 24x7 applications, availability, recovery, privacy, security, and storage, all of which converge on one central theme: Information means money.
We’re all aware of the corporate scandals and the flurry of litigation that have permeated the media, which in turn has been the impetus for many new technologies and industry sectors, as well as laws and regulations that govern information management. The SEC, HIPAA, CISP, and NASD are just a few governing bodies and acts that have resulted in corporations rethinking the principles and administrative framework for handling information.
Building such a framework involves an organizational approach to understanding the value and use of information while defining roles and responsibilities for anyone in the organization involved in the custody chain for handling information. The framework must address the full information lifecycle, from creation to metamorphosis to demise, taking into consideration security, data integrity and protection, and permanent archiving. Information management is no longer just a storage technology problem; it has become a legal and fiduciary responsibility issue.
An information management framework (IMF) is constructed of four separate but interdependent layers: policy, management, operations, and infrastructure (see figure). (Note: Infrastructure here refers to the foundational core of applications and network, server, and storage hardware that process and deliver information.)
To develop an effective information management framework, we must first discuss the governing policies that dictate the usage and treatment of the information being handled. Because of the way industry and technology evolved, in the past we built our conceptual frameworks upon each technology and the options it presented. No one can be faulted for this approach, as technological advancements grew faster than our ability to integrate them.
But it is policy, not technology, that provides clear guidelines for sometimes-ambiguous circumstances. Our court system relies on policy to determine alleged wrongdoing or to ascertain appropriate conduct. As a result, policies must be documented, communicated, monitored in real-time, and audited (retrospectively). Policies also must be measurable and have a constant feedback loop. At a high level, information policy dictates why information is created, how it is accessed, stored, and used, how long it must be retained, and when it finally becomes useless and can be deleted.
Policy can be divided into four categories: IT governance, organizational, architectural/engineering, and operational. IT governance policy is a strategy for the decision-making process: it assigns power to the responsible owner(s) who have purchasing-decision power and identifies who will ensure the quality, disposition, and security of information assets. In other words, it determines who has what authority. Such policy defines the fiduciary responsibility for the information and its use in the context of service delivery and service management. IT governance policy is becoming a hot-button topic as many organizations are choosing control frameworks to devise IT service delivery, service management, and the underlying support processes, COBIT and ITIL being the most common.
Organizational policy covers a wide variety of actions under the information management umbrella, but mainly staff roles and responsibilities and the appropriate use and treatment of information (e.g., who sees what information, how and why it’s accessed, when and under what circumstances it can be used). An organizational policy statement about the appropriate use of electronic mail, instant messaging, or Internet usage is a good example of an over-arching organizational policy. Another example would be a policy regarding what information can be stored on corporate assets without risk of liability due to, for instance, copyright infringement or human resources issues. A typical combination of organizational and operational policy comes together under HIPAA: Any medical facility you visit as a patient must, under HIPAA regulations, educate you about their policies surrounding your personal health information.
Architectural and engineering policies outline how the technology must be built to support information delivery with security and data protection in mind. What technology or technical approach will prevent the misuse of information and increase the ability to protect information against disaster or business interruption? What are the gaps between business continuity expectations and reality?
Operational policy delineates administrative-level details that are the outcome of application and business requirements. Architectural and engineering policies then translate these operational requirements into technology requirements: How is information stored and on what medium? How does information get backed up for restore or recovery purposes? How many copies of information can be made on multiple mediums, and what dictates when a copy can or must be released or destroyed? What information or applications are to be stored in highly available architectures? At what point does information become reference information, or static enough that it can be transferred to another platform for the long-term storage and retrieval requirements?
Just as with IT governance policy, a top-down approach is crucial when it comes to information-related policies. Whether organizational, architectural, or technological, information management policy must be based upon the value and importance of information throughout its lifecycle and must be supported, encouraged, and communicated from the upper tiers of management to all staff, as they drive the engineering concepts for the framework.
The terms “information management” and “storage management” are sometimes used interchangeably, but there is a difference. Information management is the process that connects the application owners/business units (i.e., the entity that understands the context, use, and value of the information) with the system administrators responsible for how information is stored, protected, and delivered. In contrast, storage management centers on the technology that houses and delivers information at agreed-upon service levels, with input from the “owners” who require access and delivery. The two processes are inextricable, however; information is housed on storage, and storage works in conjunction with applications, network, and servers to deliver information at agreed-upon and expected operating and service levels.
A third term, information lifecycle management (ILM), can have various definitions depending on who in the organization is speaking, or which vendor or manufacturer is defining the concept. A common theme for ILM is the convergence of people, process, and tools that rely upon storage to administer information throughout its useful period. From this perspective, storage management principles and technology requirements are derived from ILM policies and processes, not the other way around.
A consensus on what ILM means to the organization must be established so the business and IT can agree upon the treatment, meaning the creation, access, retention, and deletion (CARD) requirements, of each class of information. Effective CARD policies begin with an understanding of the purpose and value of the information and the reason it is established. Is the information revenue-generating? Public or confidential? User-based? Customer private? Financial, compliance, or regulatory? Back-office? There are many reasons for information creation and definitions of information type.
Next, it must be determined how each type of information needs to be stored or accessed, from creation through metamorphosis and eventual demise. What security and protection requirements are relevant through that access period? When does the information change from dynamic to static, and how does that affect its storage, protection, and service delivery requirements and transition through the tiered storage infrastructure?
Finally, the organization must identify the retention requirements of each type of information. How easy-to-find does it need to be during the retention period? What events dictate deletion? What processes must be in place to ensure all copies have been deleted?
In the context of the information management framework, operational elements are not only driven by policy, but also by the processes necessary to store, protect, and deliver information in the daily course of business, as well as in extenuating circumstances such as disaster or business interruption. Sound operational elements facilitate backup, restore, recovery, replication, archiving, and data migration and also tie into the business continuity practices outlined to enable disaster recovery.
The policies in this layer need to be influenced and supported by the compliance regulations that outline the appropriate use and treatment of information. For example, how easily can you restore information to resume business operations or supply information in a litigious event? Or, what information management policies would dictate how many copies of information are required (i.e., data replication or recycling backup tapes) or how long information must be kept readily available?
Depending on the industry in which your business operates, information may need to be kept for decades. Input from your legal department, senior management, and business units is essential to correctly define such requirements. Currently, HIPAA requires that patient records (including images, charts, tests, etc.) be kept for two years after the death of any patient. The information management requirements driven by today’s corporate governance environment are fundamentally shifting storage timeframes, hence the talk in the storage industry about the 100-year archive.
At the core of the information management framework is the supporting technology that fulfills the policy requirements for delivery of information. What technology will support information delivery at the prescribed operating and service levels that correlate to the value of the information throughout its useful life? What technology will enhance your ability to store and protect information for the short- and long-term and provide the portability to application and operating systems? What technology will allow you to move information around the tiered storage architecture so applications can have consistent and uninterrupted access?
Granted, the ILM and storage management market is a little cloudy right now, and end users are confused and dissatisfied with the products. But both challenges can be addressed by a well-defined policy program that front-ends the decision-making process for the treatment of information.
Mature point solutions are available for managing some information pools (i.e., databases or message archiving and document management). In addition, applications are becoming more aware of the storage behind the operating system; this will be a requirement for an effective ILM application.
Building the information management framework is an organizational exercise that should encompass all levels of the corporation, including the boardroom, management, end users, customers, system administrators, and application developers. Instead of starting with technology and backing it into what you need to manage information, develop policy that will trickle down and dictate usage. Ensure such policy is influenced by financial, operational, and compliance drivers, and that it is agreed upon and supported by executive management. The resulting policy then translates into information lifecycles and storage management principles. The ILM and storage management principles influence the backup, recovery, replication, and archival guidelines. After determining the storage and data-protection requirements, determine which technology will automate and support the operational behavior and practices to protect your most important asset: your information.
James E. Geis is director of storage solutions at Forsythe Technology (www.forsythe.com) in Skokie, IL.