Improving Organizational Information Management: A Self-Registration Approach

Introduction

In today’s digital landscape, it is increasingly important for organizations to keep track of their information. Over the past two to three decades, many regulations have emerged to address how information is handled and secured, including HIPAA, GLBA, FISMA, CCPA, GDPR, NIS2, PIPEDA, PIPL, DPDPA, APPI, ISO 27001, NIST Cybersecurity, and EU Cybersecurity. Compliance with these regulations requires a robust understanding of what information exists, where it exists, and how it is managed. Regulations notwithstanding, an organization operates more efficiently when it knows what information exists and where it exists.

Understanding Where Information Exists

Information exists in information systems. To effectively track and manage information, organizations must first identify their information systems. Access to information is controlled at the system level. Knowing what information systems exist is foundational to understanding what information is stored and where it resides.

Information systems can take many forms, including:

  • Traditional IT systems – application servers with database servers
  • Traditional IT integrations – using brokers or middleware
  • Hierarchical folder structures – in shared file systems
  • Document areas/folders/domains – in document management platforms
  • Sites and Spaces – in collaboration platforms, such as SharePoint and Confluence
  • Cloud-based IT systems – functionally similar to traditional IT systems but with different infrastructure
  • Data Areas – in data platform systems, such as data warehouses, data hubs, data lakes, and data lake houses
  • Dashboards, Reports, and Applications – on different information presentation platforms
  • Projects, Repos, or Areas – in version control systems
  • Repositories or Areas – in artifact or media storage systems

Limitations of Traditional IT Service Management (ITSM) Solutions

Current ITSM solutions primarily focus on IT systems, referred to as Applications, which are dependent on machine-based infrastructure, such as virtual or physical servers. This traditional, technology-centric perspective is limiting for organizations aiming to comprehensively track all information systems that store or process information.

However, information systems are not always tied to physical or virtual machines. A shared folder, a repository in a version control system, or a space in a collaboration platform are all legitimate information systems that need to be recognized and managed.

A Simple Alternative: Business Self-Registration of Information Systems

A more flexible and inclusive approach is business self-registration of information systems. This model operates on the principle that any entity that stores or processes information is an information system, provided it:

  1. Clearly exists – The system’s existence is verifiable.
  2. Has a defined lifecycle – The system has a beginning, can change, and will end at some point.

To make this work, a named individual is assigned as the executive of the information system (the term “executive” rather than “owner” is used to emphasize ultimate responsibility). This executive:

  • Is responsible for maintaining an accurate record of the information system.
  • Defines and describes what the information system is, in a clear, evidence-based manner.
  • Ensures the description allows anyone to understand what the information system is.

Key Principles of Self-Registration

Defining the System, Not Just the Information

Instead of describing a system based on the data it holds (e.g., “The folder where finalized contracts are stored”), the system should be explicitly named and located (e.g., smb://fileserver01/Documents/Contracts/Done).

Avoiding Overlapping Systems

Just as land properties should not overlap, information systems must be clearly delineated to avoid overlap, ambiguity, and confusion.

Systems are Hierarchical

Systems can contain sub-systems or be part of larger super-systems. The executive determines the level at which the system is defined, so that it aligns with business operations.

Getting Started with Self-Registration

Organizations can implement this model with minimal effort by initially collecting just three pieces of information:

  1. The name of the executive responsible for the system.
  2. The unique name of the information system.
  3. A clear and distinct definition and description of the system.

Over time, additional details can be incorporated iteratively to match the organization’s evolving maturity and needs.
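The register that the article sketches, as an added example: the three-field record from Getting Started (executive, unique name, description) plus an explicit location, with the explicit-location, no-overlap and hierarchy rules from Key Principles enforced at registration time. This is illustrative code written for this page, not code from the article or from any product. The system names, hosts, executives and descriptions are constructed, and the register assumes systems are registered top-down (a super-system before its sub-systems).

```python
"""Minimal information-system register (added example; all sample data is constructed)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class InformationSystem:
    name: str                     # unique name of the information system
    executive: str                # named individual with ultimate responsibility
    location: str                 # explicit, verifiable location as a URI (smb://, https://, ...)
    description: str              # clear, distinct definition of the system
    parent: Optional[str] = None  # name of the registered super-system, if this is a sub-system


def location_key(location: str) -> tuple:
    """Split a location URI into (scheme, host, path segments); reject anything that is not a URI."""
    parts = urlsplit(location)
    if not parts.scheme or not (parts.netloc or parts.path):
        raise ValueError(f"location is not an explicit URI: {location!r}")
    segments = tuple(seg for seg in parts.path.split("/") if seg)
    return (parts.scheme.lower(), parts.netloc.lower(), segments)


def contains(outer: str, inner: str) -> bool:
    """True if location `inner` lies inside (or equals) location `outer`."""
    so, ho, po = location_key(outer)
    si, hi, pi = location_key(inner)
    return (so, ho) == (si, hi) and pi[:len(po)] == po


class Register:
    """Self-registration register: unique names, explicit locations, no overlap, explicit hierarchy."""

    def __init__(self) -> None:
        self._systems: dict[str, InformationSystem] = {}

    def _ancestor_chain(self, start: Optional[str]) -> list[str]:
        chain = []
        while start is not None:          # walk parent links up to the top-level system
            chain.append(start)
            start = self._systems[start].parent
        return chain

    def register(self, system: InformationSystem) -> None:
        for field_name in ("name", "executive", "description"):
            if not getattr(system, field_name).strip():
                raise ValueError(f"{field_name} is required")
        if system.name in self._systems:
            raise ValueError(f"duplicate system name: {system.name!r}")
        location_key(system.location)     # raises if the location is not an explicit URI

        # Hierarchy: a sub-system must sit inside its already-registered super-system.
        if system.parent is not None:
            parent = self._systems.get(system.parent)
            if parent is None:
                raise ValueError(f"unknown parent: {system.parent!r}")
            if not contains(parent.location, system.location):
                raise ValueError(f"{system.name!r} is not inside its parent {parent.name!r}")

        # No overlap: only declared ancestors may share territory with the new system
        # (assumption: super-systems are registered before their sub-systems).
        allowed = set(self._ancestor_chain(system.parent))
        for other in self._systems.values():
            if other.name in allowed:
                continue
            if contains(other.location, system.location) or contains(system.location, other.location):
                raise ValueError(f"{system.name!r} overlaps registered system {other.name!r}")
        self._systems[system.name] = system

    def locate(self, location: str) -> Optional[InformationSystem]:
        """Answer 'which system holds this?': the most specific registered system containing location."""
        matches = [s for s in self._systems.values() if contains(s.location, location)]
        return max(matches, key=lambda s: len(location_key(s.location)[2])) if matches else None

    def systems_for(self, executive: str) -> list[str]:
        """Every system a named executive is accountable for."""
        return sorted(s.name for s in self._systems.values() if s.executive == executive)


def build_demo_register() -> Register:
    """Constructed sample data: hosts, names and executives are invented for this example."""
    reg = Register()
    reg.register(InformationSystem("Documents share", "A. Example", "smb://fileserver01/Documents",
                                   "Departmental file share on fileserver01"))
    reg.register(InformationSystem("Contracts", "B. Example", "smb://fileserver01/Documents/Contracts",
                                   "Contract drafts and signed contracts", parent="Documents share"))
    reg.register(InformationSystem("Finance space", "C. Example",
                                   "https://confluence.example.internal/spaces/FIN", "Finance team space"))
    return reg


def demo_rejections() -> dict[str, str]:
    """Records the register refuses, keyed by the principle each one violates."""
    reg = build_demo_register()
    attempts = {
        "overlap": InformationSystem("Done contracts", "D. Example",
                                     "smb://fileserver01/Documents/Contracts/Done", "Finalised contracts"),
        "duplicate": InformationSystem("Contracts", "B. Example", "smb://fileserver01/Legal", "Second Contracts"),
        "vague location": InformationSystem("Finance folder", "C. Example", "the finance folder", "Finance files"),
        "outside parent": InformationSystem("Finance wiki", "C. Example",
                                            "https://confluence.example.internal/spaces/FIN2",
                                            "Finance wiki", parent="Contracts"),
    }
    reasons = {}
    for label, system in attempts.items():
        try:
            reg.register(system)
            reasons[label] = "accepted"
        except ValueError as exc:
            reasons[label] = str(exc)
    return reasons


if __name__ == "__main__":
    reg = build_demo_register()
    print(reg.locate("smb://fileserver01/Documents/Contracts/Done/x.pdf").name)
    for label, reason in demo_rejections().items():
        print(f"{label}: {reason}")
```

The overlap check treats two locations as overlapping when one path is a prefix of the other on the same host, which is the file-share and collaboration-platform case the article uses; the "Done" folder is rejected here because it was not declared a sub-system of Contracts, which is exactly the ambiguity the no-overlap principle is meant to surface.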

Conclusion

Business self-registration of information systems provides a simple, scalable, practical, and regulation-compliant approach to managing information across an organization. By shifting the focus from traditional IT-centric perspectives to a broader definition of information systems, organizations can achieve better visibility, control, and governance over their data assets.
