Taking the right steps toward ILM

Information life-cycle management is a process that involves capturing, classifying, storing, protecting, accessing, and destroying information.

By Steve Kenniston

One problem with information life-cycle management (ILM) is that it means different things to different vendors. The definition of ILM has ranged from “the ability to ensure that the right information is on the right storage asset at the right time” to the somewhat vague “ILM is about people, process and technology.” The reality is that ILM is about one thing: best practices for managing information assets. In short, ILM is about process.

Vendors often overlook the fact that processes used to manage information are already in place. In the physical (paper) world, records managers have been making decisions regarding how information assets are managed, as well as implementing policies about how information needs to be retained for a long time.

The important components of information assets are the following:

  • The asset type
  • Asset retention periods
  • The ability to find assets
  • Security
  • Disposition

The secret to a solid ILM practice is realizing the value of the information assets in your corporation. Understanding the type of information that your company creates, how this information affects your business, and how to manage it properly are the biggest challenges.

Once you identify how the information ties in to your business, you can then investigate technologies to help you manage the process of information management.

The problem

In the records management space, the management of information, although challenging, has been relatively easy because it was contained. In the past, records managers would request that the records management office receive a copy of specific types of records created. At that point the records management department would categorize (assign metadata) and file (store) the asset.

Two factors are now making the challenge of managing information more difficult. First, the volume of digital information is growing much more rapidly. Second, the number of rules and regulations that govern how digital information assets are managed is in the thousands. Trying to stay on top of all of these rules and regulations is tough enough, but enforcing them is even more difficult.

In the digital world, everything is done electronically and more people are using online tools to manage everything from corporate documents to their own credit card and travel information. This means that a great deal of personal and private information is stored within a company and that the company is responsible for the security of this information. To properly secure and manage this information, IT organizations have purchased a wide variety of technologies, which only makes managing the information more challenging. IT management disciplines are colliding (see figure), and it’s time to straighten them out.

Due to litigation and inadvertent personal privacy disclosures, companies have found that the most difficult challenge is knowing where their information and its copies are and finding the information when they are asked for it. Solving this problem starts with knowing more about the information in your environment.

Identify the types of information

The first step is to break down any barriers between IT and the lines of business, especially the records managers. There is no reason to reinvent the wheel; the records managers already have processes in place. They already know what assets are typically created in the corporation, how these assets affect the business (including legal implications), and how the assets need to be managed (at least physical documents). Translating this information into the digital world should be a fairly simple process.

In the digital world you may want to take some extra steps. For example, perform an assessment of the type of information that is created in your environment. Be sure to look at the different applications in the environment and the information that comes out of them. Look at e-mail, CRM tools, databases, and collaboration tools. Once you understand the applications and how the information that comes from these applications is used, you will be better equipped to make decisions on how to manage the information.

The next step is to tie the information to a retention program. Again, records managers can help here because they understand the retention policies for different types of information assets. If you work with records managers and inform them of the different digital information assets that are created, they will be able to tell you how long the information needs to be retained, the manner in which the information needs to be retained (e.g., online, nearline, offline), how the information needs to be protected, and how the information needs to be disposed of. And don’t be alarmed: Retention schedules and asset types may sound daunting; however, when you break it down, you probably only need between 4 and 10 asset types. The next task is to tie these to a retention schedule, either via legislation, good corporate governance, or IT best practices.

The last thing to take into consideration is information management best practices the corporation may want, or need, to adhere to. This would include recovery time objective (RTO) and recovery point objective (RPO), as well as business continuity and disaster-recovery practices. This is the basis of the process used to manage information.

Capture and classify information

Understanding the types of information created and how they should be managed is the first step. The next step is to efficiently capture and classify the information.

Information can be captured in a number of ways. For example, archiving tools can capture information as it is stored and create a secondary copy. However, capturing the information is only half the battle; classifying the information is the other challenge.

It is important to create a classification schema for the information in your environment. For example, information that needs to be retained for legal purposes needs to follow certain criteria. Most of the information needs to be stored securely, with audit trails to prove its authenticity. In addition, information needs to be discoverable and auditable. The main objective behind classifying digital information is to add metadata tags to the files to properly categorize and store the information.

Protect the information

Information protection comes in a variety of forms. The objective is to protect the right class of information using the right tools and processes so that it can be recovered quickly, efficiently, and inexpensively. Keep in mind that backups are only point-in-time snapshots of your information. Backups are good for system-level recoveries, but may miss information that needs to be captured throughout the day. Archiving tools have the ability to capture all information, but you may not need to capture all the information created in your environment. The objective is to not make too many additional copies of information in the process of trying to protect it. Putting the same information on multiple disk drives and/or tapes is costly and makes it difficult to find and dispose of every copy.

Accessibility and disposition

Proper access controls are essential to ensure information authenticity and security. Information that is protected or archived should be accessed only by the proper individuals. Original copies of information can be viewed, reviewed, and modified by the “owner” of the information or their supervisors. Information that is protected for compliance or corporate governance needs to be tamperproof and have very limited access.

Information access deals with who has access and how intruders may gain access to information. For example, is it possible for someone to grab a box of tapes and then have access to the information on the tapes?

This brings up the issue of encryption. Ensuring that people outside the “need-to-know” group cannot access information goes a long way to protecting your corporation and your customers.

The final component to ILM is what to do at the end of the information life cycle. For information that is compliance-driven, disposition is particularly important.

You have to ensure that every copy, no matter where it is stored (tape or disk), is disposed of properly. Some regulations also control how the information is disposed of. While disposition may be a small part of the process, it is key to controlling storage costs.

ILM = process

Vendors are good at selling technologies that address ILM, but the key component they leave out is the process. ILM is more than just a storage issue and is often driven by compliance.

Having the proper access to your information, quickly and efficiently, allows you to get information in the hands of the people who need it. This ranges from finding a contract that a user has lost and ensuring they are up and running and not wasting valuable company time finding and retrieving information, to getting information in the hands of general counsel to ensure your company stays out of trouble.

Once you have developed a process around these steps, the right information assets will be on the right storage assets at the right time. And if you are audited, having a good process will ensure you are less vulnerable. Finally, you will save on your storage costs, and when it is time to find a piece of information, you will be able to, quickly and easily.

Steve Kenniston is a technology partner with the Ridge Partners LLC storage consulting firm. He can be contacted at skenniston@ridgellc.com.

This article was originally published on October 01, 2005