Need an answer for the below

Define Information Governance

  • Identify 5 or more questions organizations are asking themselves about Information Governance (IG), and provide possible answers to those questions.
  • Name 5 or more success factors for Information Governance
  • In line with the differences in terminologies and definitions between Information Governance (IG), Data Governance (DG) and Information Technology Governance (ITG), how do you see these whole areas of IT evolving in the next 5-10 years?
  • How do you see yourself evolving with the developments and what difference(s) will you speculate this will make in your career? Do you think practitioners of IG should be restricted to a specific group or spread across an organization?

INFORMATION GOVERNANCE

Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers’ professional and personal knowledge and understanding.

The Wiley CIO series provides information, tools, and insights to IT executives and managers. The products in this series cover a wide range of topics that supply strategic and implementation guidance on the latest technology trends, leadership, and emerging best practices.

Titles in the Wiley CIO series include:
  • The Agile Architecture Revolution: How Cloud Computing, REST-Based SOA, and Mobile Computing Are Changing Enterprise IT by Jason Bloomberg
  • Big Data, Big Analytics: Emerging Business Intelligence and Analytic Trends for Today’s Businesses by Michael Minelli, Michele Chambers, and Ambiga Dhiraj
  • The Chief Information Officer’s Body of Knowledge: People, Process, and Technology by Dean Lane
  • CIO Best Practices: Enabling Strategic Value with Information Technology (Second Edition) by Joe Stenzel, Randy Betancourt, Gary Cokins, Alyssa Farrell, Bill Flemming, Michael H. Hugos, Jonathan Hujsak, and Karl Schubert
  • The CIO Playbook: Strategies and Best Practices for IT Leaders to Deliver Value by Nicholas R. Colisto
  • Enterprise Performance Management Done Right: An Operating System for Your Organization by Ron Dimon
  • Executive’s Guide to Virtual Worlds: How Avatars Are Transforming Your Business and Your Brand by Lonnie Benson
  • IT Leadership Manual: Roadmap to Becoming a Trusted Business Partner by Alan R. Guibord
  • Managing Electronic Records: Methods, Best Practices, and Technologies by Robert F. Smallwood
  • On Top of the Cloud: How CIOs Leverage New Technologies to Drive Change and Build Value Across the Enterprise by Hunter Muller
  • Straight to the Top: CIO Leadership in a Mobile, Social, and Cloud-based World (Second Edition) by Gregory S. Smith
  • Strategic IT: Best Practices for Managers and Executives by Arthur M. Langer and Lyle Yorks
  • Transforming IT Culture: How to Use Social Intelligence, Human Factors, and Collaboration to Create an IT Department That Outperforms by Frank Wander
  • Unleashing the Power of IT: Bringing People, Business, and Technology Together by Dan Roberts
  • The U.S. Technology Skills Gap: What Every Technology Executive Must Know to Save America’s Future by Gary J. Beach
  • Information Governance: Concepts, Strategies and Best Practices by Robert F. Smallwood

INFORMATION GOVERNANCE: CONCEPTS, STRATEGIES AND BEST PRACTICES
Robert F. Smallwood

Cover image: © iStockphoto / IgorZh
Cover design: Wiley
Copyright © 2014 by Robert F. Smallwood. All rights reserved.
Chapter 7 © 2014 by Barclay Blair
Portions of Chapter 8 © 2014 by Randolph Kahn
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
Library of Congress Cataloging-in-Publication Data:
Smallwood, Robert F., 1959–
  Information governance : concepts, strategies, and best practices / Robert F. Smallwood.
  pages cm. — (Wiley CIO series)
  ISBN 978-1-118-21830-3 (cloth); ISBN 978-1-118-41949-6 (ebk); ISBN 978-1-118-42101-7 (ebk)
  1. Information technology—Management. 2. Management information systems. 3. Electronic records—Management. I. Title.
  HD30.2.S617 2014
  658.4’038—dc23
  2013045072
Printed in the United States of America

For my sons and the next generation of tech-savvy managers
CONTENTS

PREFACE xv
ACKNOWLEDGMENTS xvii

PART ONE: Information Governance Concepts, Definitions, and Principles 1

CHAPTER 1: The Onslaught of Big Data and the Information Governance Imperative 3
  Defining Information Governance 5
  IG Is Not a Project, But an Ongoing Program 7
  Why IG Is Good Business 7
  Failures in Information Governance 8
  Form IG Policies, Then Apply Technology for Enforcement 10
  Notes 12

CHAPTER 2: Information Governance, IT Governance, Data Governance: What’s the Difference? 15
  Data Governance 15
  IT Governance 17
  Information Governance 20
  Impact of a Successful IG Program 20
  Summing Up the Differences 21
  Notes 22

CHAPTER 3: Information Governance Principles 25
  Accountability Is Key 27
  Generally Accepted Recordkeeping Principles® (contributed by Charmaine Brooks, CRM) 27
  Assessment and Improvement Roadmap 34
  Who Should Determine IG Policies? 35
  Notes 38

PART TWO: Information Governance Risk Assessment and Strategic Planning 41

CHAPTER 4: Information Risk Planning and Management 43
  Step 1: Survey and Determine Legal and Regulatory Applicability and Requirements 43
  Step 2: Specify IG Requirements to Achieve Compliance 46
  Step 3: Create a Risk Profile 46
  Step 4: Perform Risk Analysis and Assessment 48
  Step 5: Develop an Information Risk Mitigation Plan 49
  Step 6: Develop Metrics and Measure Results 50
  Step 7: Execute Your Risk Mitigation Plan 50
  Step 8: Audit the Information Risk Mitigation Program 51
  Notes 51

CHAPTER 5: Strategic Planning and Best Practices for Information Governance 53
  Crucial Executive Sponsor Role 54
  Evolving Role of the Executive Sponsor 55
  Building Your IG Team 56
  Assigning IG Team Roles and Responsibilities 56
  Align Your IG Plan with Organizational Strategic Plans 57
  Survey and Evaluate External Factors 58
  Formulating the IG Strategic Plan 65
  Notes 69

CHAPTER 6: Information Governance Policy Development 71
  A Brief Review of Generally Accepted Recordkeeping Principles® 71
  IG Reference Model 72
  Best Practices Considerations 75
  Standards Considerations 76
  Benefits and Risks of Standards 76
  Key Standards Relevant to IG Efforts 77
  Major National and Regional ERM Standards 81
  Making Your Best Practices and Standards Selections to Inform Your IG Framework 87
  Roles and Responsibilities 88
  Program Communications and Training 89
  Program Controls, Monitoring, Auditing and Enforcement 89
  Notes 91

PART THREE: Information Governance Key Impact Areas Based on the IG Reference Model 95

CHAPTER 7: Business Considerations for a Successful IG Program (by Barclay T. Blair) 97
  Changing Information Environment 97
  Calculating Information Costs 99
  Big Data Opportunities and Challenges 100
  Full Cost Accounting for Information 101
  Calculating the Cost of Owning Unstructured Information 102
  The Path to Information Value 105
  Challenging the Culture 107
  New Information Models 107
  Future State: What Will the IG-Enabled Organization Look Like? 110
  Moving Forward 111
  Notes 113

CHAPTER 8: Information Governance and Legal Functions (by Robert Smallwood with Randy Kahn, Esq., and Barry Murphy) 115
  Introduction to e-Discovery: The Revised 2006 Federal Rules of Civil Procedure Changed Everything 115
  Big Data Impact 117
  More Details on the Revised FRCP Rules 117
  Landmark E-Discovery Case: Zubulake v. UBS Warburg 119
  E-Discovery Techniques 119
  E-Discovery Reference Model 119
  The Intersection of IG and E-Discovery (by Barry Murphy) 122
  Building on Legal Hold Programs to Launch Defensible Disposition (by Barry Murphy) 125
  Destructive Retention of E-Mail 126
  Newer Technologies That Can Assist in E-Discovery 126
  Defensible Disposal: The Only Real Way To Manage Terabytes and Petabytes (by Randy Kahn, Esq.) 130
  Retention Policies and Schedules (by Robert Smallwood, edited by Paula Lederman, MLS) 137
  Notes 144

CHAPTER 9: Information Governance and Records and Information Management Functions 147
  Records Management Business Rationale 149
  Why Is Records Management So Challenging? 150
  Benefits of Electronic Records Management 152
  Additional Intangible Benefits 153
  Inventorying E-Records 154
  Generally Accepted Recordkeeping Principles® 155
  E-Records Inventory Challenges 155
  Records Inventory Purposes 156
  Records Inventorying Steps 157
  Ensuring Adoption and Compliance of RM Policy 168
  General Principles of Retention Scheduling 169
  Developing a Records Retention Schedule 170
  Why Are Retention Schedules Needed? 171
  What Records Do You Have to Schedule? Inventory and Classification 173
  Rationale for Records Groupings 174
  Records Series Identification and Classification 174
  Retention of E-Mail Records 175
  How Long Should You Keep Old E-Mails? 176
  Destructive Retention of E-Mail 177
  Legal Requirements and Compliance Research 178
  Event-Based Retention Scheduling for Disposition of E-Records 179
  Prerequisites for Event-Based Disposition 180
  Final Disposition and Closure Criteria 181
  Retaining Transitory Records 182
  Implementation of the Retention Schedule and Disposal of Records 182
  Ongoing Maintenance of the Retention Schedule 183
  Audit to Manage Compliance with the Retention Schedule 183
  Notes 186

CHAPTER 10: Information Governance and Information Technology Functions 189
  Data Governance 191
  Steps to Governing Data Effectively 192
  Data Governance Framework 193
  Information Management 194
  IT Governance 196
  IG Best Practices for Database Security and Compliance 202
  Tying It All Together 204
  Notes 205

CHAPTER 11: Information Governance and Privacy and Security Functions 207
  Cyberattacks Proliferate 207
  Insider Threat: Malicious or Not 208
  Privacy Laws 210
  Defense in Depth 212
  Controlling Access Using Identity Access Management 212
  Enforcing IG: Protect Files with Rules and Permissions 213
  Challenge of Securing Confidential E-Documents 213
  Apply Better Technology for Better Enforcement in the Extended Enterprise 215
  E-Mail Encryption 217
  Secure Communications Using Record-Free E-Mail 217
  Digital Signatures 218
  Document Encryption 219
  Data Loss Prevention (DLP) Technology 220
  Missing Piece: Information Rights Management (IRM) 222
  Embedded Protection 226
  Hybrid Approach: Combining DLP and IRM Technologies 227
  Securing Trade Secrets after Layoffs and Terminations 228
  Persistently Protecting Blueprints and CAD Documents 228
  Securing Internal Price Lists 229
  Approaches for Securing Data Once It Leaves the Organization 230
  Document Labeling 231
  Document Analytics 232
  Confidential Stream Messaging 233
  Notes 236

PART FOUR: Information Governance for Delivery Platforms 239

CHAPTER 12: Information Governance for E-Mail and Instant Messaging 241
  Employees Regularly Expose Organizations to E-Mail Risk 242
  E-Mail Policies Should Be Realistic and Technology Agnostic 243
  E-Record Retention: Fundamentally a Legal Issue 243
  Preserve E-Mail Integrity and Admissibility with Automatic Archiving 244
  Instant Messaging 247
  Best Practices for Business IM Use 247
  Technology to Monitor IM 249
  Tips for Safer IM 249
  Notes 251

CHAPTER 13: Information Governance for Social Media (by Patricia Franks, Ph.D., CRM, and Robert Smallwood) 253
  Types of Social Media in Web 2.0 253
  Additional Social Media Categories 255
  Social Media in the Enterprise 256
  Key Ways Social Media Is Different from E-Mail and Instant Messaging 257
  Biggest Risks of Social Media 257
  Legal Risks of Social Media Posts 259
  Tools to Archive Social Media 261
  IG Considerations for Social Media 262
  Key Social Media Policy Guidelines 263
  Records Management and Litigation Considerations for Social Media 264
  Emerging Best Practices for Managing Social Media Records 267
  Notes 269

CHAPTER 14: Information Governance for Mobile Devices 271
  Current Trends in Mobile Computing 273
  Security Risks of Mobile Computing 274
  Securing Mobile Data 274
  Mobile Device Management 275
  IG for Mobile Computing 276
  Building Security into Mobile Applications 277
  Best Practices to Secure Mobile Applications 280
  Developing Mobile Device Policies 281
  Notes 283

CHAPTER 15: Information Governance for Cloud Computing (by Monica Crocker, CRM, PMP, CIP, and Robert Smallwood) 285
  Defining Cloud Computing 286
  Key Characteristics of Cloud Computing 287
  What Cloud Computing Really Means 288
  Cloud Deployment Models 289
  Security Threats with Cloud Computing 290
  Benefits of the Cloud 298
  Managing Documents and Records in the Cloud 299
  IG Guidelines for Cloud Computing Solutions 300
  Notes 301

CHAPTER 16: SharePoint Information Governance (by Monica Crocker, CRM, PMP, CIP, edited by Robert Smallwood) 303
  Process Change, People Change 304
  Where to Begin the Planning Process 306
  Policy Considerations 310
  Roles and Responsibilities 311
  Establish Processes 312
  Training Plan 313
  Communication Plan 313
  Note 314

PART FIVE: Long-Term Program Issues 315

CHAPTER 17: Long-Term Digital Preservation (by Charles M. Dollar and Lori J. Ashley) 317
  Defining Long-Term Digital Preservation 317
  Key Factors in Long-Term Digital Preservation 318
  Threats to Preserving Records 320
  Digital Preservation Standards 321
  PREMIS Preservation Metadata Standard 328
  Recommended Open Standard Technology-Neutral Formats 329
  Digital Preservation Requirements 333
  Long-Term Digital Preservation Capability Maturity Model® 334
  Scope of the Capability Maturity Model 336
  Digital Preservation Capability Performance Metrics 341
  Digital Preservation Strategies and Techniques 341
  Evolving Marketplace 344
  Looking Forward 344
  Notes 346

CHAPTER 18: Maintaining an Information Governance Program and Culture of Compliance 349
  Monitoring and Accountability 349
  Staffing Continuity Plan 350
  Continuous Process Improvement 351
  Why Continuous Improvement Is Needed 351
  Notes 353

APPENDIX A: Information Organization and Classification: Taxonomies and Metadata (by Barb Blackburn, CRM, with Robert Smallwood; edited by Seth Earley) 355
  Importance of Navigation and Classification 357
  When Is a New Taxonomy Needed? 358
  Taxonomies Improve Search Results 358
  Metadata and Taxonomy 359
  Metadata Governance, Standards, and Strategies 360
  Types of Metadata 362
  Core Metadata Issues 363
  International Metadata Standards and Guidance 364
  Records Grouping Rationale 368
  Business Classification Scheme, File Plans, and Taxonomy 368
  Classification and Taxonomy 369
  Prebuilt versus Custom Taxonomies 370
  Thesaurus Use in Taxonomies 371
  Taxonomy Types 371
  Business Process Analysis 377
  Taxonomy Testing: A Necessary Step 379
  Taxonomy Maintenance 380
  Social Tagging and Folksonomies 381
  Notes 383

APPENDIX B: Laws and Major Regulations Related to Records Management 385
  United States 385
  Canada (by Ken Chasse, J.D., LL.M.) 387
  United Kingdom 389
  Australia 391
  Notes 394

APPENDIX C: Laws and Major Regulations Related to Privacy 397
  United States 397
  Major Privacy Laws Worldwide, by Country 398
  Notes 400

GLOSSARY 401
ABOUT THE AUTHOR 417
ABOUT THE MAJOR CONTRIBUTORS 419
INDEX 421
PREFACE

Information governance (IG) has emerged as a key concern for business executives and managers in today’s environment of Big Data, increasing information risks, colossal leaks, and greater compliance and legal demands. But few seem to have a clear understanding of what IG is; that is, how you define what it is and is not, and how to implement it. This book clarifies and codifies these definitions and provides key insights as to how to implement and gain value from IG programs. Based on exhaustive research, and with the contributions of a number of industry pioneers and experts, this book lays out IG as a complete discipline in and of itself for the first time.

IG is a super-discipline that includes components of several key fields: law, records management, information technology (IT), risk management, privacy and security, and business operations. This unique blend calls for a new breed of information professional who is competent across these established and quite complex fields. Training and education are key to IG success, and this book provides the essential underpinning for organizations to train a new generation of IG professionals.

Those who are practicing professionals in the component fields of IG will find the book useful in expanding their knowledge from traditional fields to the emerging tenets of IG. Attorneys, records and compliance managers, risk managers, IT managers, and security and privacy professionals will find this book a particularly valuable resource.

The book strives to offer clear IG concepts, actionable strategies, and proven best practices in an understandable and digestible way; a concerted effort was made to simplify language and to offer examples. There are summaries of key points throughout and at the end of each chapter to help the reader retain major points. The text is organized into five parts: (1) Information Governance Concepts, Definitions, and Principles; (2) IG Risk Assessment and Strategic Planning; (3) IG Key Impact Areas; (4) IG for Delivery Platforms; and (5) Long-Term Program Issues. Also included are appendices with detailed information on taxonomy and metadata design and on records management and privacy legislation.

One thing that is sure is that the complex field of IG is evolving. It will continue to change and solidify. But help is here: No other book offers the kind of comprehensive coverage of IG contained within these pages. Leveraging the critical advice provided here will smooth your path to understanding and implementing successful IG programs.

Robert F. Smallwood
ACKNOWLEDGMENTS

I would like to sincerely thank my colleagues for their support and generous contribution of their expertise and time, which made this pioneering text possible. Many thanks to Lori Ashley, Barb Blackburn, Barclay Blair, Charmaine Brooks, Ken Chasse, Monica Crocker, Charles M. Dollar, Seth Earley, Dr. Patricia Franks, Randy Kahn, Paula Lederman, and Barry Murphy.

I am truly honored to include their work and owe them a great debt of gratitude.
PART ONE: Information Governance Concepts, Definitions, and Principles

CHAPTER 1: The Onslaught of Big Data and the Information Governance Imperative
The value of information in business is rising, and business leaders are more and more viewing the ability to govern, manage, and harvest information as critical to success. Raw data is now being increasingly viewed as an asset that can be leveraged, just like financial or human capital.1 Some have called this new age of “Big Data” the “industrial revolution of data.”

According to the research group Gartner, Inc., Big Data is defined as “high-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making.”2 A practical definition should also include the idea that the amount of data—both structured (in databases) and unstructured (e.g., e-mail, scanned documents)—is so massive that it cannot be processed using today’s database tools and analytic software techniques.3

In today’s information overload era of Big Data—characterized by massive growth in business data volumes and velocity—the ability to distill key insights from enormous amounts of data is a major business differentiator and source of sustainable competitive advantage. In fact, a recent report by the World Economic Forum stated that data is a new asset class and personal data is “the new oil.”4 And we are generating more than we can manage effectively with current methods and tools.

The Big Data numbers are overwhelming: Estimates and projections vary, but it has been stated that 90 percent of the data existing worldwide today was created in the last two years5 and that every two days more information is generated than was from the dawn of civilization until 2003.6 This trend will continue: The global market for Big Data technology and services is projected to grow at a compound annual rate of 27 percent through 2017, about six times faster than the general information and communications technology (ICT) market.7 Many more comparisons and statistics are available, and all demonstrate the incredible and continued growth of data.

Certainly, there are new and emerging opportunities arising from the accumulation and analysis of all that data we are busy generating and collecting. New enterprises are springing up to capitalize on data mining and business intelligence opportunities. The U.S. federal government joined in, announcing $200 million in Big Data research programs in 2012.8
    The onslaught of Big Data necessitates that information governance (IG) be
    implemented to discard unneeded data in a legally defensible way.
But established organizations, especially larger ones, are being crushed by this onslaught of Big Data: It is just too expensive to keep all the information that is being generated, and unneeded information is a sort of irrelevant sludge for decision makers to wade through. They have difficulty knowing which information is an accurate and meaningful “wheat” and which is simply irrelevant “chaff.” This means they do not have the precise information they need to base good business decisions upon.

And all that Big Data piling up has real costs: The burden of massive stores of information has increased storage management costs dramatically, caused overloaded systems to fail, and increased legal discovery costs.9 Further, the longer that data is kept, the more likely that it will need to be migrated to newer computing platforms, driving up conversion costs; and legally, there is the risk that somewhere in that mountain of data an organization stores is a piece of information that represents a significant legal liability.10

This is where the worlds of Big Data and business collide. For Big Data proponents, more data is always better, and there is no perceived downside to accumulation of massive amounts of data. In the business world, though, the realities of legal e-discovery mean the opposite is true.11 To reduce risk, liability, and costs, it is critical for unneeded information to be disposed of in a systematic, methodical, and “legally defensible” (justifiable in legal proceedings) way, when it no longer has legal, regulatory, or business value. And there also is the high-value benefit of basing decisions on better, cleaner data, which can come about only through rigid, enforced information governance (IG) policies that reduce information glut.

Organizations are struggling to reduce and right-size their information footprint by discarding superfluous and redundant data, e-documents, and information. But the critical issue is devising policies, methods, and processes and then deploying information technology (IT) to sort through which information is valuable and which no longer has business value and can be discarded.
IT, IG, risk, compliance, and legal representatives in organizations have a clear sense that most of the information stored is unneeded, raises costs, and poses risks. According to a survey taken at a recent Compliance, Governance and Oversight Council summit, respondents estimated that approximately 25 percent of information stored in organizations has real business value, while 5 percent must be kept as business records and about 1 percent is retained due to a litigation hold. “This means that [about] 69 percent of information in most companies has no business, legal, or regulatory value. Companies that are able to dispose of this data debris return more profit to shareholders, can leverage more of their IT budgets for strategic investments, and can avoid excess expense in legal and regulatory response” (emphasis added).12

Big Data values massive accumulation of data, whereas in business, e-discovery realities and potential legal liabilities dictate that data be culled to only that which has clear business value.

Only about one quarter of information organizations are managing has real business value.

With a smaller information footprint, it is easier for organizations to find the information they need and derive business value from it.

With a smaller information footprint, organizations can more easily find what they need and derive business value from it.13 They must eliminate the data debris regularly and consistently, and to do this, processes and systems must be in place to cull valuable information and discard the data debris daily. An IG program sets the framework to accomplish this.
The business environment has also underscored the need for IG. According to Ted Friedman at Gartner, “The recent global financial crisis has put information governance in the spotlight. . . . [It] is a priority of IT and business leaders as a result of various pressures, including regulatory compliance mandates and the urgent need for improved decision-making.”14

And IG mastery is critical for executives: Gartner predicts that by 2016, one in five chief information officers in regulated industries will be fired from their jobs for failed IG initiatives.15
    Defining Information Governance
    IG is a sort of super discipline that has emerged as a result of new and tightened legislation
    governing businesses, external threats such as hacking and data breaches, and the recognition that multiple overlapping disciplines were needed to address today’s information
    management challenges in an increasingly regulated and litigated business environment.16
    IG is a subset of corporate governance, and includes key concepts from records management, content management, IT and data governance, information security, data privacy, risk management, litigation readiness, regulatory compliance,
    long-term digital preservation, and even business intelligence. This also means
    that it includes related technology and discipline subcategories, such as document
    management, enterprise search, knowledge management, and business continuity/
    disaster recovery.
    IG is a subset of corporate governance.
    6 INFORMATION GOVERNANCE
    IG is a sort of superdiscipline that encompasses a variety of key concepts from
    a variety of related disciplines.
    Practicing good IG is the essential foundation for building legally defensible
    disposition practices to discard unneeded information and to secure confidential information, which may include trade secrets, strategic plans, price lists, blueprints, or
    personally identifiable information (PII) subject to privacy laws; it provides the basis
    for consistent, reliable methods for managing data, e-documents, and records.
    Having trusted and reliable records, reports, data, and databases enables managers
    to make key decisions with confidence.17 And accessing that information and business
    intelligence in a timely fashion can yield a long-term sustainable competitive advantage, creating more agile enterprises.
    To do this, organizations must standardize and systematize their handling of information. They must analyze and optimize how information is accessed, controlled,
    managed, shared, stored, preserved, and audited. They must have complete, current,
    and relevant policies, processes, and technologies to manage and control information,
    including who is able to access what information, and when, to meet external legal
    and regulatory demands and internal governance policy requirements. In short, IG is
    about information control and compliance.
    IG is a subset of corporate governance, which has been around as long as corporations have existed. IG is a rather new multidisciplinary field that is still being defined,
    but has gained traction increasingly over the past decade. The focus on IG comes not
    only from compliance, legal, and records management functionaries but also from executives who understand they are accountable for the governance of information and
    that theft or erosion of information assets has real costs and consequences.
    “Information governance” is an all-encompassing term for how an organization
    manages the totality of its information.
    According to the Association of Records Managers and Administrators
    (ARMA), IG is “a strategic framework composed of standards, processes, roles, and
    metrics that hold organizations and individuals accountable to create, organize, secure,
    maintain, use, and dispose of information in ways that align with and contribute to the
    organization’s goals.”18
    IG includes the set of policies, processes, and controls to manage information in compliance
with external regulatory requirements and internal governance frameworks. Specific policies
    apply to specific data and document types, records series, and other business information, such as e-mail and reports.
    Stated differently, IG is “a quality-control discipline for managing, using, improving, and protecting information.”19
    THE ONSLAUGHT OF BIG DATA AND THE INFORMATION GOVERNANCE IMPERATIVE 7
    IG is how an organization maintains security, complies with regulations, and
    meets ethical standards when managing information.
    Fleshing out the definition further: “Information governance is policy-based management of information designed to lower costs, reduce risk, and ensure compliance
    with legal, regulatory standards, and/or corporate governance.”21 IG necessarily incorporates not just policies but information technologies to audit and enforce those
    policies. The IG team must be cognizant of information lifecycle issues and be able
    to apply the proper retention and disposition policies, including digital preservation
    where records need to be maintained for long periods.
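A minimal way to make a retention-and-disposition rule mechanical and auditable, as an added example (this is not the book's code; the record series, retention periods, and sample records are constructed for illustration). The point it shows that the paragraph does not: a legal hold must be checked before any retention arithmetic, and a record whose series has no schedule is not a defensible deletion.

```python
"""Added example, not from the book: a minimal legally defensible
disposition check. The record series, retention periods and sample
records are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Hypothetical retention schedule: record series -> years to keep after the
# trigger date. None means permanent retention (long-term digital preservation).
RETENTION_YEARS: Dict[str, Optional[int]] = {
    "email": 3,
    "invoice": 7,
    "board-minutes": None,
}


@dataclass
class Record:
    record_id: str
    series: str
    trigger_date: date                      # e.g. fiscal-year close or last modification
    legal_holds: List[str] = field(default_factory=list)


def add_years(d: date, years: int) -> date:
    """Date arithmetic that survives a 29 February trigger date."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposition(rec: Record, today: date) -> str:
    """Decide 'hold', 'preserve', 'retain' or 'dispose' for one record.

    Order matters: a legal hold overrides every retention period, a series
    with no schedule is never a defensible deletion, and permanent series
    are preserved rather than expired."""
    if rec.legal_holds:
        return "hold"
    if rec.series not in RETENTION_YEARS:
        return "retain"           # no schedule -> no defensible basis to delete
    years = RETENTION_YEARS[rec.series]
    if years is None:
        return "preserve"
    return "dispose" if today >= add_years(rec.trigger_date, years) else "retain"


def run_schedule(records: List[Record], today: date) -> Dict[str, str]:
    """Apply the schedule to every record; the returned map doubles as the
    audit trail a disposition program needs to show it acted consistently."""
    return {r.record_id: disposition(r, today) for r in records}


# Constructed sample records (not real data) and a fixed "today" for the demo.
SAMPLE = [
    Record("R1", "email", date(2019, 3, 1)),
    Record("R2", "invoice", date(2020, 6, 30)),
    Record("R3", "email", date(2018, 1, 10), legal_holds=["Case-42"]),
    Record("R4", "board-minutes", date(1999, 11, 5)),
    Record("R5", "contract", date(2010, 2, 28)),
    Record("R6", "email", date(2020, 2, 29)),
]
DEFAULT_TODAY = date(2024, 1, 15)

if __name__ == "__main__":
    for rid, decision in run_schedule(SAMPLE, DEFAULT_TODAY).items():
        print(rid, decision)
```

In practice the schedule would be loaded from the organization's records retention schedule and the hold list from the legal department's matter system; the decision function stays the same.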
    IG Is Not a Project, But an Ongoing Program
    IG is an ongoing program, not a one-time project. IG provides an umbrella to manage
    and control information output and communications. Since technologies change so
    quickly, it is necessary to have overarching policies that can manage the various IT
    platforms that an organization may use.
    Compare it to a workplace safety program; every time a new location, team member,
    piece of equipment, or toxic substance is acquired by the organization, the workplace
    safety program should dictate how that is handled. If it does not, the workplace safety
    policies/procedures/training that are part of the workplace safety program need to be
updated. Regular reviews are conducted to ensure the program is being followed and adjustments are made based on the findings. The effort never ends.22 The same is true for IG.
    IG is not only a tactical program to meet regulatory, compliance, and litigation
demands. It can be strategic, in that it is the necessary underpinning for developing a
    management strategy that maximizes knowledge worker productivity while minimizing risk and costs.
    Why IG Is Good Business
    IG is a tough sell. It can be difficult to make the business case for IG, unless there has been
    some major compliance sanction, fine, legal loss, or colossal data breach. In fact, the largest
    impediment to IG adoption is simply identifying its benefits and costs, according to the Economist
    Intelligence Unit. Sure, the enterprise needs better control over its information, but how
    much better? At what cost? What is the payback period and the return on investment?23
    It is challenging to make the business case for IG, yet making that case is fundamental to getting IG efforts off the ground.
    Here are eight reasons why IG makes good business sense, from IG thought
    leader Barclay Blair:
    1. We can’t keep everything forever. IG makes sense because it enables organizations to get rid of unnecessary information in a defensible manner. Organizations need a sensible way to dispose of information in order to reduce the
    cost and complexity of the IT environment. Having unnecessary information around only makes it more difficult and expensive to harness information that has value.
    2. We can’t throw everything away. IG makes sense because organizations can’t
    keep everything forever, nor can they throw everything away. We need
    information—the right information, in the right place, at the right time.
    Only IG provides the framework to make good decisions about what information to keep.
    3. E-discovery. IG makes sense because it reduces the cost and pain of discovery. Proactively managing information reduces the volume of information
    exposed to e-discovery and simplifies the task of finding and producing
    responsive information.
    4. Your employees are screaming for it—just listen. IG makes sense because it
    helps knowledge workers separate “signal” from “noise” in their information flows. By helping organizations focus on the most valuable information, IG improves information delivery and improves productivity.
    5. It ain’t gonna get any easier. IG makes sense because it is a proven way for
    organizations to respond to new laws and technologies that create new requirements and challenges. The problem of IG will not get easier over
    time, so organizations should get started now.
    6. The courts will come looking for IG. IG makes sense because courts and regulators will closely examine your IG program. Falling short can lead to fines,
    sanctions, loss of cases, and other outcomes that have negative business and
    financial consequences.
    7. Manage risk: IG is a big one. Organizations need to do a better job of identifying and managing risk. The risk of information management failures is a
    critical risk that IG helps to mitigate.
    8. E-mail: Reason enough. IG makes sense because it helps organizations take control of e-mail. Solving e-mail should be a top priority for every organization.24
    Failures in Information Governance
    The failure to implement and enforce IG can lead to vulnerabilities that can have dire
    consequences. The theft of confidential U.S. National Security Agency documents
    by Edward Snowden in 2013 could have been prevented by properly enforced IG.
    Also, Ford Motor Company is reported to have suffered a loss estimated at $50 to
    $100 million as a result of the theft of confidential documents by one of its own employees. A former product engineer who had access to thousands of trade secret documents and designs sold them to a competing Chinese car manufacturer. A strong IG
    program would have controlled and tracked access and prevented the theft while protecting valuable intellectual property.25
    Law enforcement agencies have also suffered from poor IG. In a rather frivolous
    case in 2013 that highlighted the lack of policy enforcement for the mobile environment, it was reported that U.S. agents from the Federal Bureau of Investigation used
    government-issued mobile phones to send explicit text messages and nude photographs
    to coworkers. The incidents did not have a serious impact but did compromise the
    agency and its integrity, and “adversely affected the daily activities of several squads.”26
    Proper mobile communications policies were obviously not developed and enforced.
    IG is also about information security and privacy, and serious thought must be
    given when creating policies to safeguard personal, classified or confidential information. Schemes to compromise or steal information can be quite deceptive and devious,
    masked by standard operating procedures—if proper IG controls and monitoring are
    not in place. To wit: Granting remote access to confidential information assets for
    key personnel is common. Granting medical leave is also common. But a deceptive
    and dishonest employee could feign a medical leave while downloading volumes of
    confidential information assets for a competitor—and that is exactly what happened at
    Accenture, a global consulting firm. During a fraudulent medical leave, an employee
    was allowed access to Accenture’s Knowledge Exchange (KX), a detailed knowledge
    base containing previous proposals, expert reports, cost-estimating guidelines, and
    case studies. This activity could have been prevented by monitoring and analytics that
    would have shown an inordinate amount of downloads—especially for an “ailing” employee. The employee then went to work for a direct competitor and continued to
    download the confidential information from Accenture, estimated to be as many as
1,000 critical documents. While the online access to KX was secure, the use of the
electronic documents could have been restricted even after the documents were downloaded, if IG measures were in place and newer technologies (such as information
rights management [IRM] software) were deployed to secure them directly and maintain that security remotely. With IRM, software security protections can be employed
to seal the e-documents and control their use—even after they leave the organization.
More details on IRM technology and its capabilities are presented later in this book.
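The "monitoring and analytics" the Accenture case calls for amount to a small piece of detection logic run over the knowledge base's access logs. Below is an added example (not the book's or Accenture's code): the log line layout, the leave roster, and the activity are constructed assumptions. It flags a user whose daily download count is far above their own median on other days, and any download that falls inside a period HR records as leave.

```python
"""Added example, not from the book: flag the kind of download spike the
Accenture case describes by running simple analytics over access logs.
The log format, the leave roster and the activity are constructed."""
import re
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Hypothetical log line layout: ISO timestamp, user, action, document id.
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+user=(?P<user>\S+)\s+"
    r"action=(?P<action>\S+)\s+doc=(?P<doc>\S+)$"
)


def parse_events(lines: List[str]) -> List[Dict[str, str]]:
    """Parse well-formed lines; malformed ones are skipped rather than
    guessed at, so a log-injection attempt cannot forge a quiet day."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def daily_downloads(events: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """user -> day -> number of downloads (views are not counted)."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "download":
            counts[e["user"]][e["day"]] += 1
    return counts


def flag_anomalies(
    counts: Dict[str, Dict[str, int]],
    leave: Dict[str, Tuple[str, str]],
    abs_threshold: int = 50,
    ratio: float = 5.0,
) -> List[Tuple[str, str, int, str]]:
    """Two rules: any download while HR says the user is on leave, and a
    daily count that is either large in absolute terms or many times the
    user's own median on other days (so a normally quiet user stands out)."""
    findings = []
    for user, per_day in counts.items():
        for day in sorted(per_day):
            n = per_day[day]
            reasons = []
            span = leave.get(user)
            if span and span[0] <= day <= span[1]:      # ISO dates sort as strings
                reasons.append("downloads while on leave")
            others = [c for d, c in per_day.items() if d != day]
            baseline = median(others) if others else 0
            if n >= abs_threshold or (baseline and n >= ratio * baseline):
                reasons.append(f"{n} downloads vs. median {baseline} on other days")
            if reasons:
                findings.append((user, day, n, "; ".join(reasons)))
    return findings


def sample_log() -> List[str]:
    """Constructed activity: two users with a steady routine, then one of
    them pulls 40 documents on a day the roster says they are on leave."""
    lines = []
    for day in ("2013-05-01", "2013-05-02", "2013-05-03"):
        for i in range(3):
            lines.append(f"{day}T09:0{i}:00Z user=alice action=download doc=KX-{100 + i}")
        for i in range(2):
            lines.append(f"{day}T10:0{i}:00Z user=jdoe action=download doc=KX-{200 + i}")
        lines.append(f"{day}T11:00:00Z user=jdoe action=view doc=KX-300")
    for i in range(40):
        lines.append(f"2013-05-08T22:{i:02d}:00Z user=jdoe action=download doc=KX-{400 + i}")
    lines.append("garbage line that does not match")
    return lines


LEAVE_ROSTER = {"jdoe": ("2013-05-06", "2013-05-20")}   # constructed HR data


def analyse(lines: List[str]) -> List[Tuple[str, str, int, str]]:
    return flag_anomalies(daily_downloads(parse_events(lines)), LEAVE_ROSTER)


if __name__ == "__main__":
    for user, day, n, why in analyse(sample_log()):
        print(f"{day} {user}: {why}")
```

The per-user median baseline is what makes the rule useful: an absolute threshold alone would miss an "ailing" employee who pulls forty documents when their normal day is two, and an HR feed is what turns an odd number into a policy violation worth escalating.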
Other recent high-profile data and document leakage cases revealing information
security weaknesses that could have been prevented by a robust IG program include:
• Huawei Technologies, the largest networking and mobile communications company in China, was sued by U.S.-based Motorola for allegedly conspiring to steal trade secrets through former Motorola employees.
• Ford’s loss from stolen documents in a single case of intellectual property (IP) theft was estimated at $50 to $100 million.
• MI6, the U.K. equivalent of the U.S. Central Intelligence Agency, learned that one of its agents in military intelligence attempted to sell confidential documents to the intelligence services of the Netherlands for £2 million (about $3 million).
And breaches of personal information revealing failures in privacy protection
abound; here are just a few:
• Health information of 1,600 cardiology patients at Texas Children’s Hospital was compromised when a doctor’s laptop was stolen. The information included personal and demographic information about the patients, including their names, dates of birth, diagnoses, and treatment histories.27
• U.K. medics lost the personal records of nearly 12,000 National Health Service patients in just eight months. Also, a hospital worker was suspended after it was discovered he had sent a file containing pay-slip details for every member of staff to his home e-mail account.28
• Personal information about more than 600 patients of the Fraser Health Authority in British Columbia, Canada, was stored on a laptop stolen from Burnaby General Hospital.
• In December 2013, Target stores in the U.S. disclosed a breach of payment card data from an attack that ran for roughly three weeks during the holiday shopping season; by January 2014 the company’s estimate had grown to as many as 110 million customer records.
    The list of breaches and IG failures could go on and on, more than filling the
    pages of this book. It is clear that it is occurring and that it will continue. IG controls to
    safeguard confidential information assets and protect privacy cannot rely solely on the trustworthiness of employees and basic security measures. Up-to-date IG policies and enforcement
    efforts and newer technology sets are needed, with active, consistent monitoring and
    program adjustments to continue to improve.
    Executives and senior managers can no longer avoid the issue, as it is abundantly
    clear that the threat is real and the costs of taking such avoidable risks can be high. A
    single security breach is an IG failure and can cost the entire business. According to
    Debra Logan of Gartner, “When organizations suffer high-profile data losses, especially involving violations of the privacy of citizens or consumers, they suffer serious
    reputational damage and often incur fines or other sanctions. IT leaders will have to
    take at least part of the blame for these incidents.”29
    Form IG Policies, Then Apply Technology for Enforcement
    Typically, some policies governing the use and control of information and records
    may have been established for financial and compliance reports, and perhaps e-mail,
    but they are often incomplete and out-of-date and have not been adjusted for changes
    in the business environment, such as new technology platforms (e.g., Web 2.0, social
    media), changing laws (e.g., U.S. Federal Rules of Civil Procedure 2006 changes), and
    additional regulations.
    Further adding to the challenge is the rapid proliferation of mobile devices like
    tablets, phablets, and smartphones used in business—information can be more easily
    lost or stolen—so IG efforts must be made to preserve and protect the enterprise’s
    information assets.
    Proper IG requires that policies are flexible enough not to hinder the proper flow
    of information in the heat of the business battle yet strict enough to control and audit
    for misuse, policy violations, or security breaches. This is a continuous iterative policymaking process that must be monitored and fine-tuned. Even with the absolute best
    efforts, some policies will miss the mark and need to be reviewed and adjusted.
    Getting started with IG awareness is the crucial first step. It may have popped up on an
    executive’s radar at one point or another and an effort might have been made, but many
    organizations leave these policies on the shelf and do not revise them on a regular basis.
    IG is the necessary underpinning for a legally defensible disposition program that
    discards data debris and helps narrow the search for meaningful information on which
    to base business decisions. IG is also necessary to protect and preserve critical information assets. An IG strategy should aim to minimize exposure to risk, at a reasonable
    cost level, while maximizing productivity and improving the quality of information
    delivered to knowledge users.
But a reactive, tactical project approach is not the way to go about it—haphazardly
    swatting at technological, legal, and regulatory flies. A proactive, strategic program,
    with a clear, accountable sponsor, an ongoing plan, and regular review process, is the
    only way to continuously adjust IG policies to keep them current so that they best
    serve the organization’s needs.
    Some organizations have created formal governance bodies to establish strategies, policies, and procedures surrounding the distribution of information inside
    and outside the enterprise. These governance bodies, steering committees, or teams
    should include members from many different functional areas, since proper IG necessitates input from a variety of stakeholders. Representatives from IT, records management, corporate or agency archiving, risk management, compliance, operations,
    human resources, security, legal, finance, and perhaps knowledge management are
    typically a part of IG teams. Often these efforts are jump-started and organized by
    an executive sponsor who utilizes third-party consulting resources that specialize in
    IG efforts, especially considering the newness of IG and its emerging best practices.
    So in this era of ever-growing Big Data, leveraging IG policies to focus on retaining the information that has real business value, while discarding the majority of
    information that has no value and carries associated increased costs and risks, is critical to success for modern enterprises. This must be accomplished in a systematic,
    consistent, and legally defensible manner by implementing a formal IG program.
    Other crucial elements of an IG program are the steps taken to secure confidential
    information by enforcing and monitoring policies using the appropriate information
    technologies.
CHAPTER SUMMARY: KEY POINTS
• The onslaught of Big Data necessitates that IG be implemented to discard unneeded data in a legally defensible way.
• Big Data values massive accumulation of data, whereas in business, e-discovery realities and potential legal liabilities dictate that data be culled to only that which has clear business value.
• Only about one quarter of the information organizations are managing has real business value.
• With a smaller information footprint, it is easier for organizations to find the information they need and derive business value from it.
• IG is a subset of corporate governance and encompasses the policies and leveraged technologies meant to manage what corporate information is retained, where, and for how long, and also how it is retained.
• IG is a sort of super discipline that encompasses a variety of key concepts from a variety of related and overlapping disciplines.
• Practicing good IG is the essential foundation for building legally defensible disposition practices to discard unneeded information.
• According to ARMA, IG is “a strategic framework composed of standards, processes, roles, and metrics that hold organizations and individuals accountable to create, organize, secure, maintain, use, and dispose of information in ways that align with and contribute to the organization’s goals.”30
• IG is how an organization maintains security, complies with regulations and laws, and meets ethical standards when managing information.
• IG is a multidisciplinary program that requires an ongoing effort and active participation of a broad cross-section of functional groups and stakeholders.
• IG controls to safeguard confidential information assets and protect privacy cannot rely solely on the trustworthiness of employees and basic security measures.
• Getting started with IG awareness is the crucial first step.
    Notes
    1. The Economist, “Data, Data Everywhere,” February 25, 2010, www.economist.com/node/15557443
    2. Gartner, Inc., “IT Glossary: Big Data,” www.gartner.com/it-glossary/big-data/ (accessed April 15, 2013).
    3. Webopedia, “Big Data,” www.webopedia.com/TERM/B/big_data.html (accessed April 15, 2013).
4. World Economic Forum, “Personal Data: The Emergence of a New Asset Class” (January 2011), http://www3.weforum.org/docs/WEF_ITTC_PersonalDataNewAsset_Report_2011.pdf
5. Deidra Paknad, “Defensible Disposal: You Can’t Keep All Your Data Forever,” July 17, 2012, www.forbes.com/sites/ciocentral/2012/07/17/defensible-disposal-you-cant-keep-all-your-data-forever/
6. Susan Karlin, “Earth’s Nervous System: Looking at Humanity Through Big Data,” www.fastcocreate.com/1681986/earth-s-nervous-system-looking-at-humanity-through-big-data#1 (accessed March 5, 2013).
7. IDC Press Release, “New IDC Worldwide Big Data Technology and Services Forecast Shows Market Expected to Grow to $32.4 Billion in 2017,” December 18, 2013, http://www.idc.com/getdoc.jsp?containerId=prUS24542113
8. Steve Lohr, “How Big Data Became So Big,” New York Times, August 11, 2012, www.nytimes.com/2012/08/12/business/how-big-data-became-so-big-unboxed.html?_r=2&smid=tw-share&
9. Kahn Consulting, “Information Governance Brief,” sponsored by IBM, www.delve.us/downloads/Brief-Defensible-Disposal.pdf (accessed March 4, 2013).
    10. Barclay T. Blair, “Girding for Battle,” Law Technology News, October 1, 2012, www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202572459732&thepage=1
    11. Ibid.
    12. Paknad, “Defensible Disposal.”
    13. Randolph A. Kahn, https://twitter.com/InfoParkingLot/status/273791612172259329, November 28, 2012.
    14. Gartner Press Release, “Gartner Says Master Data Management Is Critical to Achieving Effective
    Information Governance,” www.gartner.com/newsroom/id/1898914, January 19, 2012
    15. Ibid.
    16. Monica Crocker, e-mail to author, June 21, 2012.
    17. Economist Intelligence Unit, “The Future of Information Governance,” www.emc.com/leadership/
    business-view/future-information-governance.htm (accessed November 14, 2013).
18. ARMA International, Glossary of Records and Information Management Terms, 4th ed., 2012, TR 22–2012.
    19. Arvind Krishna, “Three Steps to Trusting Your Data in 2011,” IT Business Edge, posted March 9, 2011,
    www.itbusinessedge.com/guest-opinions/three-steps-trusting-your-data-2011. (accessed November
    14, 2013).
20. ARMA International, Glossary of Records and Information Management Terms, 4th ed., 2012, TR 22–2012.
21. Laura DuBois and Vivian Tero, “Practical Information Governance: Balancing Cost, Risk, and Productivity,” IDC White Paper (August 2010), www.emc.com/collateral/analyst-reports/idc-practicalinformation-governance-ar.pdf
    22. Monica Crocker, e-mail to author, June 21, 2012.
    23. Barclay T. Blair, Making the Case for Information Governance: Ten Reasons IG Makes Sense, ViaLumina
    Ltd, 2010. Online at http://barclaytblair.com/making-the-case-for-ig-ebook/ (accessed November 14,
    2013).
    24. Barclay T. Blair, “8 Reasons Why Information Governance (IG) Makes Sense,” June 29, 2009, www.
    digitallandfill.org/2009/06/8-reasons-why-information-governance-ig-makes-sense.html
    25. Peter Abatan, “Corporate and Industrial Espionage to Rise in 2011,” Enterprise Digital Rights Management, http://enterprisedrm.tumblr.com/post/2742811887/corporate-espionage-to-rise-in-2011.
    (accessed November 14, 2013).
    26. BBC News, “FBI Staff Disciplined for Sex Texts and Nude Pictures,” February 22, 2013, www.bbc.
    co.uk/news/world-us-canada-21546135
27. Todd Ackerman, “Laptop Theft Puts Texas Children’s Patient Info at Risk,” Houston Chronicle, July 30, 2009, www.chron.com/news/houston-texas/article/Laptop-theft-puts-Texas-Children-s-patient-info-1589473.php (accessed March 2, 2012).
28. Jonny Greatrex, “Bungling West Midlands Medics Lose 12,000 Private Patient Records,” Sunday Mercury, September 5, 2010, www.sundaymercury.net/news/sundaymercuryexclusives/2010/09/05/bungling-west-midlands-medics-lose-12–000-private-patient-records-66331–27203177/ (accessed March 2, 2012).
    29. Gartner Press Release, “Gartner Says Master Data Management Is Critical to Achieving Effective
    Information Governance.”
    30. ARMA International, Glossary of Records and Information Management Terms.
CHAPTER 2
Information Governance, IT Governance, Data Governance: What’s the Difference?
There has been a great deal of confusion around the term information governance (IG) and how it is distinct from other similar industry terms, such as
    information technology (IT) governance and data governance. They are all
    a subset of corporate governance, and in the above sequence, become increasingly
    more granular in their approach. Data governance is a part of broader IT governance,
    which is also a part of even broader information governance. The few texts that exist
    have compounded the confusion by offering a limited definition of IG, or sometimes
offering a definition of IG that is just plain incorrect, often confusing it with simple data
    governance.
    So in this chapter we spell out the differences and include examples in hopes of
    clarifying what the meaning of each term is and how they are related.
    Data Governance
    Data governance involves processes and controls to ensure that information at the data
    level—raw alphanumeric characters that the organization is gathering and inputting—
is true and accurate, and unique (not redundant). It involves data cleansing (or data
scrubbing) to strip out corrupted, inaccurate, or extraneous data and de-duplication,
    to eliminate redundant occurrences of data.
    Data governance focuses on information quality from the ground up at the lowest
    or root level, so that subsequent reports, analyses, and conclusions are based on clean,
    reliable, trusted data (or records) in database tables. Data governance is the most rudimentary level at which to implement information governance. Data governance efforts
    seek to ensure that formal management controls—systems, processes, and accountable
    employees who are stewards and custodians of the data—are implemented to govern
    critical data assets to improve data quality and to avoid negative downstream effects of
    poor data. The biggest negative consequence of poor or inaccurate data is poorly and
    inaccurately based decisions.
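What cleansing, validation, and de-duplication look like at the data level, as an added example (not the book's code). The field names, the validation rules, and the customer rows are constructed assumptions; the matching key (e-mail, falling back to name plus phone) is one common choice, not a standard.

```python
"""Added example, not from the book: data cleansing, validation and
de-duplication over a constructed customer list. Field names, rules and
records are illustrative assumptions."""
import re
from typing import Dict, List, Tuple

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize(raw: Dict[str, str]) -> Dict[str, str]:
    """Canonicalise the fields so that trivially different inputs
    ('  alice   smith', 'Alice Smith') compare equal."""
    name = " ".join(raw.get("name", "").split()).title()   # crude; fine for the demo
    email = raw.get("email", "").strip().lower()
    digits = re.sub(r"\D", "", raw.get("phone", ""))
    if len(digits) == 11 and digits.startswith("1"):       # strip North American country code
        digits = digits[1:]
    return {"name": name, "email": email, "phone": digits}


def validate(rec: Dict[str, str]) -> List[str]:
    """Return the list of problems; an empty list means the record is usable."""
    problems = []
    if not rec["name"]:
        problems.append("missing name")
    if rec["email"] and not EMAIL_RE.match(rec["email"]):
        problems.append("invalid email")
    if rec["phone"] and len(rec["phone"]) != 10:
        problems.append("bad phone length")
    if not rec["email"] and not rec["phone"]:
        problems.append("no contact point")
    return problems


def match_key(rec: Dict[str, str]) -> str:
    """E-mail is the strongest identifier; fall back to name plus phone."""
    return rec["email"] or f"{rec['name']}|{rec['phone']}"


def cleanse(rows: List[Dict[str, str]]):
    """Split input into clean (deduplicated), duplicates and rejects.
    A duplicate may still contribute a phone number the survivor lacked."""
    survivors: Dict[str, Dict[str, str]] = {}
    position: Dict[str, int] = {}
    duplicates: List[Tuple[int, int]] = []          # (duplicate row, surviving row)
    rejected: List[Tuple[int, List[str]]] = []
    for i, raw in enumerate(rows):
        rec = normalize(raw)
        problems = validate(rec)
        if problems:
            rejected.append((i, problems))
            continue
        key = match_key(rec)
        if key in survivors:
            if not survivors[key]["phone"] and rec["phone"]:
                survivors[key]["phone"] = rec["phone"]
            duplicates.append((i, position[key]))
            continue
        survivors[key] = rec
        position[key] = i
    return list(survivors.values()), duplicates, rejected


# Constructed input (not real people).
SAMPLE_ROWS = [
    {"name": "  alice   smith", "email": "Alice.Smith@Example.com ", "phone": "(555) 010-0199"},
    {"name": "Alice Smith", "email": "alice.smith@example.com", "phone": ""},
    {"name": "Bob Jones", "email": "bob@@example", "phone": "5550100100"},
    {"name": "Carol King", "email": "", "phone": "+1 555 010 0142"},
    {"name": "carol king", "email": "", "phone": "555-010-0142"},
    {"name": "", "email": "dan@example.com", "phone": "123"},
]

if __name__ == "__main__":
    clean, dupes, bad = cleanse(SAMPLE_ROWS)
    print(clean, dupes, bad, sep="\n")
```

Rejects and duplicates are returned with their row positions rather than silently dropped, because a data steward in the business unit, not the script, should decide what happens to them; that is the accountability point the tips below make.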
    Data governance uses techniques like data cleansing and de-duplication to
    improve data quality and reduce redundancies.
    Data governance is a newer, hybrid quality control discipline that includes
    elements of data quality, data management, IG policy development, business process
    improvement, and compliance and risk management.
    Data Governance Strategy Tips
    Everyone in an organization wants good-quality data to work with. But it is not so
    easy to implement a data governance program. First of all, data is at such a low level
    that executives and board members are typically unaware of the details of the “smoky
    back room” of data collection: cleansing, normalization, and input. So it is difficult to
    gain an executive sponsor and funding to initiate the effort.1 And if a data governance
    program does move forward, there are challenges in getting business users to adhere
    to new policies. This is a crucial point, since much of the data is being generated by
    business units. But there are some general guidelines that can help improve a data
governance program’s chances for success:
• Identify a measurable impact. A data governance program must be able to demonstrate business value, or it will not get the executive sponsorship and funding it needs to move forward. A readiness assessment should capture the current state of data quality and whether an enterprise or business unit level effort is warranted. Other key issues include: Can the organization save hard costs by implementing data governance? Can it reach more customers or increase revenue generated from existing customers?2
• Assign accountability for data quality to business units, not IT. Typically, IT has had responsibility for data quality, yet it is mostly not under that department’s control, since most of the data is being generated in the business units. A pointed effort must be made to push responsibility and ownership for data to the business units that create and use the data.
• Recognize the uniqueness of data as an asset. Unlike other assets, such as people, factories, equipment, and even cash, data is largely unseen, out of sight, and intangible. It changes daily. It spreads throughout business units. It is copied and deleted. Data growth can spiral out of control, obscuring the data that has true business value. So data has to be treated differently, and its unique qualities must be considered.
• Forget the past; implement a going-forward strategy. It is a significantly greater task to try to improve data governance across the enterprise for existing data. Remember, you may be trying to fix decades of bad behavior, mismanagement, and lack of governance. Taking an incremental approach with an eye to the future provides for a clean starting point and can substantially reduce the pain required to implement. A proven best practice is to implement a from-this-point-on strategy where new data governance policies for handling data are implemented beginning on a certain date.
• Manage the change. Educate, educate, educate. People must be trained to understand why the data governance program is being implemented and how it will benefit the business. The new policies represent a cultural change, and people need supportive program messages and training in order to make the shift.3
    IT Governance
    IT governance is the primary way that stakeholders can ensure that investments in IT create
    business value and contribute toward meeting business objectives.4 This strategic alignment of IT with the business is challenging yet essential. IT governance programs
    go further and aim to “improve IT performance, deliver optimum business value and
    ensure regulatory compliance.”5
    Although the CIO typically has line responsibility for implementing IT governance, the CEO and board of directors must receive reports and updates to discharge
    their responsibilities for IT governance and to see that the program is functioning well
    and providing business benefits.
    Typically, in past decades, board members did not get involved in overseeing IT
    governance. But today it is a critical and unavoidable responsibility. According to the
    IT Governance Institute’s Board Briefing on IT Governance, “IT governance is the responsibility of the board of directors and executive management. It is an integral part
    of enterprise governance and consists of the leadership and organizational structures
    and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.”6
    The focus is on the actual software development and maintenance activities of the
    IT department or function, and IT governance efforts focus on making IT efficient
    and effective. That means minimizing costs by following proven software development methodologies and best practices, principles of data governance and information
    quality, and project management best practices while aligning IT efforts with the business objectives of the organization.
    IT Governance Frameworks
    Several IT governance frameworks can be used as a guide to implementing an IT
    governance program. (They are introduced in this chapter in a cursory way; detailed
    discussions of them are best suited to books focused solely on IT governance.)
    IT governance seeks to align business objectives with IT strategy to deliver
    business value.
    Although frameworks and guidance like CobiT® and ITIL have been widely
    adopted, there is no absolute standard IT governance framework; the combination
    that works best for an organization depends on business factors, corporate culture, IT
    maturity, and staffing capability. The level of implementation of these frameworks will
    also vary by organization.
CobiT®
CobiT (Control Objectives for Information and related Technology) is a process-based IT governance framework that represents a consensus of experts worldwide.
Codeveloped by the IT Governance Institute and ISACA (previously known as the
Information Systems Audit and Control Association), CobiT addresses business
risks, control requirements, compliance, and technical issues.7
CobiT offers IT controls that:
• Cut IT risks while gaining business value from IT under an umbrella of a globally accepted framework.
• Assist in meeting regulatory compliance requirements.
• Utilize a structured approach for improved reporting and management decision making.
• Provide solutions to control assessments and project implementations to improve IT and information asset control.8
    CobiT consists of detailed descriptions of processes required in IT and also tools
    to measure progress toward maturity of the IT governance program. It is industry
    agnostic and can be applied across all vertical industry sectors, and it continues to be
    revised and refined.9
    CobiT is broken out into three basic organizational levels and their responsibilities: (1) board of directors and executive management; (2) IT and business management; and (3) line-level governance, and security and control knowledge workers.10
    The CobiT model draws on the traditional “plan, build, run, monitor” paradigm of
    traditional IT management, only with variations in semantics. The CobiT framework
    is divided into four IT domains—(1) plan and organize, (2) acquire and implement, (3)
    deliver and support, and (4) monitor and evaluate—which contain 34 IT processes and
    210 control objectives. Specific goals and metrics are assigned, and responsibilities and
    accountabilities are delineated.
The CobiT framework maps to the international information security standard,
ISO 17799, and is also compatible with IT Infrastructure Library (ITIL) and other
“accepted practices” in IT development and operations.11
ValIT®
ValIT is a newer value-oriented framework that is compatible with and complementary to CobiT. Its principles and best practices focus on leveraging IT investments
to gain maximum value. Forty key ValIT essential management practices (analogous to
CobiT’s control objectives) support three main processes: value governance, portfolio
management, and investment management. ValIT and CobiT “provide a full framework and supporting tool set” to help managers develop policies to manage business
risks and deliver business value while addressing technical issues and meeting control
objectives in a structured, methodical way.12
    CobiT is process-oriented and has been widely adopted as an IT governance
    framework. ValIT is value-oriented and compatible and complementary with
    CobiT, yet focuses on value delivery.
    ITIL
    ITIL (Information Technology Infrastructure Library) is a set of process-oriented
    best practices and guidance originally developed in the United Kingdom to standardize delivery of IT service management. ITIL is applicable to both the private and
    public sectors and is the “most widely accepted approach to IT service management
    in the world.”13 As with other IT governance frameworks, ITIL provides essential
    guidance for delivering business value through IT, and it “provides guidance to organizations on how to use IT as a tool to facilitate business change, transformation
    and growth.”14
    ITIL best practices form the foundation for ISO/IEC 20000 (previously BS15000),
    the International Service Management Standard for organizational certification and
    compliance.15 ITIL 2011 is the latest revision (as of this printing), and it consists of five
    core published volumes that map the IT service cycle in a systematic way:
1. ITIL Service Strategy
2. ITIL Service Design
3. ITIL Service Transition
4. ITIL Service Operation
5. ITIL Continual Service Improvement16
    ISO 38500
    ISO/IEC 38500:2008 is an international standard that provides high-level principles
    and guidance for senior executives and directors, and those advising them, for the
    effective and efficient use of IT.17 Based primarily on AS 8015, the Australian IT governance standard, it “applies to the governance of management processes” that are
    performed at the IT service level, but the guidance assists executives in monitoring IT
    and ethically discharging their duties with respect to legal and regulatory compliance
    of IT activities.
    The ISO 38500 standard comprises three main sections:
    1. Scope, Application and Objectives
    2. Framework for Good Corporate Governance of IT
    3. Guidance for Corporate Governance of IT
    ITIL is the “most widely accepted approach to IT service management in the
    world.”
    ISO 38500 is an international standard that provides high-level principles and
    guidance for senior executives and directors responsible for IT governance.
It is largely derived from AS 8015, the guiding principles of which were:
• Establish responsibilities
• Plan to best support the organization
• Acquire validly
• Ensure performance when required
• Ensure conformance with rules
• Ensure respect for human factors
    The standard also has relationships with other major ISO standards, and embraces
    the same methods and approaches.18
    Information Governance
    Corporate governance is the highest level of governance in an organization, and a
    key aspect of it is IG. IG processes are higher level than the details of IT governance
    and much higher than data governance, but both data and IT governance can be (and
should be) a part of an overall IG program. The IG approach to governance focuses
not on detailed IT or data capture and quality processes but rather on controlling the
information that is generated by IT and office systems.
    IG efforts seek to manage and control information assets to lower risk, ensure compliance with regulations, and improve information quality and accessibility while implementing information security measures to protect and preserve information that has business value.19 (See Chapter 1 for more detailed definitions.)
    Impact of a Successful IG Program
When making the business case for IG and articulating its benefits, it is useful to focus
on its central impact. Putting cost-benefit numbers to this may be difficult, unless you
also consider the worst-case scenario of loss or misuse of corporate or agency records.
What is losing the next big lawsuit worth? How much are confidential merger and
acquisition documents worth? How much are customer records worth? Frequently,
executives and managers do not understand the value of IG until it is a crisis, an expensive legal battle is lost, heavy fines are imposed for noncompliance, or executives
go to jail.
IG is how an organization maintains security, complies with regulations and
laws, and meets ethical standards when managing information.
There are some key outputs from implementing an IG program. A successful IG
program should enable organizations to:
• Use common terms across the enterprise. This means that departments must agree
on how they are going to classify document types, which requires a cross-functional effort. With common enterprise terms, searches for information
are more productive and complete. This normalization process begins with
developing a standardized corporate taxonomy, which defines the terms (and
substitute terms in a custom corporate thesaurus), document types, and their
relationships in a hierarchy.
• Map information creation and usage. This effort can be buttressed with the use of
technology tools such as data loss prevention, which can be used to discover
the flow of information within and outside of the enterprise. You must first
determine who is accessing which information when and where it is going. Then
you can monitor and analyze these information flows. The goal is to stop the
erosion or misuse of information assets and to stem data breaches with monitoring and security technology.
• Obtain “information confidence”—that is, the assurance that information has
integrity, validity, accuracy, and quality; this means being able to prove that the
information is reliable and that its access, use, and storage meet compliance and
legal demands.
• Harvest and leverage information. Using techniques and tools like data mining and business intelligence, new insights may be gained that provide an
enterprise with a sustainable competitive advantage over the long term,
since managers will have more and better information as a basis for business decisions.21
    Summing Up the Differences
    IG consists of the overarching polices and processes to optimize and leverage information while keeping it secure and meeting legal and privacy obligations in alignment
    with stated organizational business objectives.
    IT governance consists of following established frameworks and best practices to
    gain the most leverage and benefit out of IT investments and support accomplishment
    of business objectives.
    Data governance consists of the processes, methods, and techniques to ensure that
    data is of high quality, reliable, and unique (not duplicated), so that downstream uses
    in reports and databases are more trusted and accurate.
    CHAPTER SUMMARY: KEY POINTS

    Data governance uses techniques like data cleansing and de-duplication to
    improve data quality and reduce redundancies.

    Good data governance ensures that downstream negative effects of poor
    data are avoided and that subsequent reports, analyses, and conclusions are
    based on reliable, trusted data.

    IT governance seeks to align business objectives with IT strategy to deliver
    business value.

CobiT is process-oriented and has been widely adopted as an IT governance
framework. ValIT is value-oriented and compatible and complementary with
CobiT yet focuses on value delivery.

    The CobiT framework maps to the international information security standard ISO 17799 and is also compatible with ITIL (IT Infrastructure Library).

    ITIL is the “most widely accepted approach to IT service management in the
    world.”

    ISO 38500 is an international standard that provides high-level principles and
    guidance for senior executives and directors responsible for IT governance.

    Information governance is how an organization maintains security, complies
    with regulations and laws, and meets ethical standards when managing
    information.
    Notes
1. “New Trends and Best Practices for Data Governance Success,” SearchDataManagement.com eBook,
http://viewer.media.bitpipe.com/1216309501_94/1288990195_946/Talend_sDM_SO_32247_EBook_1104.pdf (accessed March 11, 2013).
    2. Ibid.
    3. Ibid.
4. M.N. Kooper, R. Maes, and E.E.O. Roos Lindgreen, “On the Governance of Information: Introducing
a New Concept of Governance to Support the Management of Information,” International Journal of
Information Management 31 (2011): 195–120, http://dl.acm.org/citation.cfm?id=2297895 (accessed
November 14, 2013).
5. Nick Robinson, “The Many Faces of IT Governance: Crafting an IT Governance Architecture,”
ISACA Journal 1 (2007), www.isaca.org/Journal/Past-Issues/2007/Volume-1/Pages/The-Many-Faces-of-IT-Governance-Crafting-an-IT-Governance-Architecture.aspx
    6. Bryn Phillips, “IT Governance for CEOs and Members of the Board,” 2012, p.18.
    7. Ibid., p.26.
    8. IBM Global Business Services/Public Sector, “Control Objectives for Information and related Technology (CobiT®) Internationally Accepted Gold Standard for IT Controls & Governance,” http://
    www-304.ibm.com/industries/publicsector/fileserve?contentid=187551(accessed March 11, 2013).
    9. Phillips, “IT Governance for CEOs and Members of the Board.”
    10. IBM Global Business Services/Public Sector, “Control Objectives for Information and related Technology (CobiT®) Internationally Accepted Gold Standard for IT Controls & Governance.”
    11. Ibid.
    12. Ibid.
    13. www.itil-officialsite.com/ (accessed March 12, 2013).
    14. ITIL, “What Is ITIL?” www.itil-officialsite.com/AboutITIL/WhatisITIL.aspx(accessed March 12, 2013).
    15. Ibid.
    16. Ibid.
17. ISO/IEC 38500:2008, “Corporate Governance of Information Technology,” www.iso.org/iso/catalogue_detail?csnumber=51639 (accessed November 14, 2013).
    18. ISO 38500 www.38500.org/ (accessed March 12, 2013).
    19. www.naa.gov.au/records-management/agency/digital/digital-continuity/principles/ (accessed November 14,
    2013).
20. ARMA International, Glossary of Records and Information Management Terms, 4th ed., TR 22–2012 (from
ARMA.org).
    21. Arvind Krishna, “Three Steps to Trusting Your Data in 2011,” CTO Edge, March 9, 2011, www.ctoedge
    .com/content/three-steps-trusting-your-data-2011
CHAPTER 3
Information Governance Principles*
Principles of information governance (IG) are evolving and expanding. Successful
IG programs are characterized by ten key principles, which are the basis for best
practices and should be designed into the IG approach. They include:
    1. Executive sponsorship. No IG effort will survive and be successful if it does not
    have an accountable, responsible executive sponsor. The sponsor must drive
    the effort, clear obstacles for the IG team or committee, communicate the
    goals and business objectives that the IG program addresses, and keep upper
    management informed on progress.
    2. Information policy development and communication. Clear policies must be established for the access and use of information, and those policies must be
    communicated regularly and crisply to employees. Policies for the use of email, instant messaging, social media, cloud computing, mobile computing,
    and posting to blogs and internal sites must be developed in consultation
    with stakeholders and communicated clearly. This includes letting employees
    know what the consequences of violating IG policies are, as well as its value.
3. Information integrity. This area considers the consistency of methods used to
create, retain, preserve, distribute, and track information. Adhering to good
IG practices includes data governance techniques and technologies to ensure
quality data. Information integrity means there is the assurance that information is accurate, correct, and authentic. IG efforts to improve data quality
and information integrity include de-duplicating (removing redundant data)
and maintaining only unique data to reduce risk, storage costs, and information technology (IT) labor costs while providing accurate, trusted information
for decision makers. Supporting technologies must enforce policies to meet
legal standards of admissibility and preserve the integrity of information to
guard against claims that it has been altered, tampered with, or deleted (called
“spoliation”). Audit trails must be kept and monitored to ensure compliance
with IG policies to assure information integrity.1
    4. Information organization and classification. This means standardizing formats,
    categorizing all information, and semantically linking it to related information.
It also means creating a retention and disposition schedule that spells out how
long the information (e.g., e-mail, e-documents, spreadsheets, reports) and
records should be retained and how they are to be disposed of or archived.
Information, and particularly documents, should be classified according to a
global or corporate taxonomy that considers the business function and owner
of the information, and semantically links related information. Information
must be standardized in form and format. Tools such as document labeling
can assist in identifying and classifying documents. Metadata associated with
documents and records must be standardized and kept up-to-date. Good IG
means good metadata management and utilizing metadata standards that are
appropriate to the organization.
* Portions of this chapter are adapted from Chapter 3 of Robert F. Smallwood, Managing Electronic Records: Methods, Best
Practices, and Technologies, © John Wiley & Sons, Inc., 2013. Reproduced with permission of John Wiley & Sons, Inc.
5. Information security. This means securing information in its three states: at rest,
in motion, and in use. It means implementing measures to protect information
from damage, theft, or alteration by malicious outsiders and insiders as well
as nonmalicious (accidental) actions that may compromise information. For
instance, an employee may lose a laptop with confidential information, but
if proper IG policies are enforced using security-related information technologies, the information can be secured. This can be done by access control
methods, data or document encryption, deploying information rights management software, using remote digital shredding capabilities, and implementing enhanced auditing procedures. Information privacy is closely related to
information security and is critical when dealing with personally identifiable
information (PII).
6. Information accessibility. Accessibility is vital not only in the short term but also
over time using long-term digital preservation (LTDP) techniques when
appropriate (generally if information is needed for over five years). Accessibility must be balanced with information security concerns. Information accessibility includes making the information as simple as possible to locate and
access, which involves not only the user interface but also enterprise search
principles, technologies, and tools. It also includes basic access controls, such
as password management, identity and access management, and delivering
information to a variety of hardware devices.
7. Information control. Document management and report management software
must be deployed to control the access to, creation, updating, and printing
of documents and reports. When documents or reports are declared records,
they must be assigned to the proper retention and disposition schedule to be
retained for as long as the records are needed to comply with legal retention
periods and regulatory requirements. Also, information that may be needed or
requested in legal proceedings is safeguarded through a legal hold process.
8. Information governance monitoring and auditing. To ensure that guidelines and
policies are being followed and to measure employee compliance levels, information access and use must be monitored. To guard against claims of spoliation, use of e-mail, social media, cloud computing, and report generation
should be logged in real time and maintained as an audit record. Technology
tools such as document analytics can track how many documents or reports
users access and print and how long they spend doing so.
9. Stakeholder consultation. Those who work most closely with information are the
ones who best know why it is needed and how to manage it, so business units
must be consulted in IG policy development. The IT department understands
its capabilities and technology plans and can best speak to those points. Legal issues must always be deferred to the in-house counsel or legal team. A
cross-functional collaboration is needed for IG policies to hit the mark and
be effective. The result is not only more secure information but also better
information to base decisions on and closer adherence to regulatory and legal
demands.2
10. Continuous improvement. IG programs are not one-time projects but rather
ongoing programs that must be reviewed periodically and adjusted to account
for gaps or shortcomings as well as changes in the business environment, technology usage, or business strategy.
Principles of successful IG programs are emerging. They include executive
sponsorship, information classification, integrity, security, accessibility, control,
monitoring, auditing, policy development, and continuous improvement.
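Principles 3 (information integrity) and 8 (monitoring and auditing) both call for audit trails that can withstand a claim that records were altered, tampered with, or deleted. The following is an added illustration, not code from the book or from any product it mentions, of one common way to make an audit trail tamper-evident: each logged event carries the SHA-256 hash of the previous event, so changing or removing an earlier entry invalidates every later one. The event fields, user names, and document identifiers are constructed for the example. It also shows the one case a bare hash chain cannot catch on its own, removal of the newest entries, and why a head hash recorded outside the log (the "anchor") is needed to close that gap.

```python
import copy
import hashlib
import json
from typing import List, Optional

# Added example (not from the book). A hash-chained audit trail: every entry
# stores the hash of the entry before it, so rewriting or dropping an earlier
# entry breaks the chain from that point on. Field names and sample events are
# constructed for illustration.

GENESIS = "0" * 64  # "previous hash" of the very first entry


def _canonical(fields: dict) -> str:
    # Stable key order and no whitespace, so identical fields always hash the same.
    return json.dumps(fields, sort_keys=True, separators=(",", ":"))


def _digest(entry: dict) -> str:
    # Hash every field except the stored hash itself.
    fields = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(_canonical(fields).encode("utf-8")).hexdigest()


def append_event(chain: List[dict], ts: str, actor: str, action: str, doc: str) -> dict:
    """Append one audit event, linked to the previous entry by its hash."""
    entry = {
        "seq": len(chain),
        "ts": ts,
        "actor": actor,
        "action": action,
        "doc": doc,
        "prev": chain[-1]["hash"] if chain else GENESIS,
    }
    entry["hash"] = _digest(entry)
    chain.append(entry)
    return entry


def head_hash(chain: List[dict]) -> str:
    """The hash an auditor would record (or sign) outside the log as an anchor."""
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain: List[dict], anchor: Optional[str] = None) -> Optional[str]:
    """Return None if the trail is intact, otherwise describe the first problem found.

    Altered entries and entries removed from the middle are detected by the
    chain alone. Removal of the newest entries is only detectable when the
    head hash recorded elsewhere (anchor) is supplied for comparison.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i:
            return f"entry {i}: sequence gap (found seq {entry.get('seq')})"
        if entry.get("prev") != prev:
            return f"entry {i}: prev-hash does not match entry {i - 1}"
        if entry.get("hash") != _digest(entry):
            return f"entry {i}: contents altered after hashing"
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return "head hash does not match the recorded anchor (trailing entries removed?)"
    return None


def demo() -> dict:
    """Build a constructed trail and show which kinds of tampering are caught."""
    trail: List[dict] = []
    append_event(trail, "2013-03-11T09:00:00Z", "asmith", "create", "contract-0042")
    append_event(trail, "2013-03-11T09:05:00Z", "asmith", "edit", "contract-0042")
    append_event(trail, "2013-03-11T10:20:00Z", "bjones", "print", "contract-0042")
    append_event(trail, "2013-03-12T16:45:00Z", "legal", "hold", "contract-0042")
    anchor = head_hash(trail)  # in practice stored or signed outside the log

    results = {"intact": verify_chain(trail, anchor)}

    altered = copy.deepcopy(trail)
    altered[1]["action"] = "view"          # history rewritten: "edit" becomes "view"
    results["altered"] = verify_chain(altered, anchor)

    gapped = copy.deepcopy(trail)
    del gapped[2]                          # the print event removed from the middle
    results["gapped"] = verify_chain(gapped, anchor)

    truncated = copy.deepcopy(trail)[:-1]  # the legal hold dropped from the tail
    results["truncated_no_anchor"] = verify_chain(truncated)
    results["truncated_with_anchor"] = verify_chain(truncated, anchor)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome or 'OK'}")
```

The chain alone is enough to detect edits and deletions in the middle of the trail, but a trail truncated at its end verifies cleanly; that is why periodic head hashes (or signatures over them) kept apart from the log itself are part of a defensible audit record.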
    Accountability Is Key
    According to Debra Logan at Gartner Group, none of the proffered definitions of IG includes “any notion of coercion, but rather ties governance to accountability [emphasis added]
    that is designed to encourage the right behavior. . . . The word that matters most is
    accountability.” The root of many problems with managing information is the “fact that
    there is no accountability for information as such.”3
Establishing policies, procedures, processes, and controls to ensure the quality, integrity, accuracy, and security of business records constitutes the fundamental steps needed to
reduce the organization’s risk and cost structure for managing these records. Then it is
    essential that IG efforts are supported by IT. The auditing, testing, maintenance, and improvement of IG is enhanced by using electronic records management (ERM) software
    along with other complementary technology sets, such as workflow and business process
    management suite (BPMS) software and digital signatures.
    Generally Accepted Recordkeeping Principles®
    Contributed by Charmaine Brooks, CRM
    A major part of an IG program is managing formal business records. Although they
    account for only about 7 to 9 percent of the total information that an organization
    holds, they are the most critically important subset to manage, as there are serious
    compliance and legal ramifications to not doing so.
    Accountability is a key aspect of IG.
    Records and recordkeeping are inextricably linked with any organized business
    activity. Through the information that an organization uses and records, creates, or
    receives in the normal course of business, it knows what has been done and by whom.
    This allows the organization to effectively demonstrate compliance with applicable
    standards, laws, and regulations as well as plan what it will do in the future to meet its
    mission and strategic objectives.
Standards and principles of recordkeeping have been developed by records and
information management (RIM) practitioners to establish benchmarks for how organizations of all types and sizes can build and sustain compliant, defensible records
management (RM) programs.
    The Principles
In 2009 ARMA International published a set of eight Generally Accepted Recordkeeping Principles®, known as The Principles4 (or sometimes GAR Principles), to foster
awareness of good recordkeeping practices. These principles and associated metrics
provide an IG framework that can support continuous improvement.
    The eight Generally Accepted Recordkeeping Principles are:
    1. Accountability. A senior executive (or person of comparable authority) oversees
    the recordkeeping program and delegates program responsibility to appropriate individuals. The organization adopts policies and procedures to guide
    personnel, and ensure the program can be audited.
    2. Transparency. The processes and activities of an organization’s recordkeeping
    program are documented in a manner that is open and verifiable and is available to all personnel and appropriate interested parties.
    3. Integrity. A recordkeeping program shall be constructed so the records and
    information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability.
    4. Protection. A recordkeeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, or essential to business continuity.
    5. Compliance. The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies.
    6. Availability. An organization shall maintain records in a manner that ensures
    timely, efficient, and accurate retrieval of needed information.
    7. Retention. An organization shall maintain its records and information for an
    appropriate time, taking into account legal, regulatory, fiscal, operational, and
    historical requirements.
    8. Disposition. An organization shall provide secure and appropriate disposition
    for records that are no longer required to be maintained by applicable laws
    and the organization’s policies.5
    The Generally Accepted Recordkeeping Principles consist of eight principles
    that provide an IG framework that can support continuous improvement.
Table 3.1 Generally Accepted Recordkeeping Principles Levels
Level 1, Substandard: Characterized by an environment where recordkeeping concerns are either not
addressed at all or are addressed in an ad hoc manner.
Level 2, In Development: Characterized by an environment where there is a developing recognition that
recordkeeping has an impact on the organization, and the organization may
benefit from a more defined information governance program.
Level 3, Essential: Characterized by an environment where defined policies and procedures exist
that address the minimum or essential legal and regulatory requirements, but
more specific actions need to be taken to improve recordkeeping.
Level 4, Proactive: Characterized by an environment where information governance issues and
considerations are integrated into business decisions on a routine basis, and
the organization consistently meets its legal and regulatory obligations.
Level 5, Transformational: Characterized by an environment that has integrated information governance
into its corporate infrastructure and business processes to such an extent that
compliance with program requirements is routine.
Source: Used with permission from ARMA.
The Principles apply to all sizes of organizations, in all types of industries, in both
the private and public sectors, and can be used to establish consistent practices across
business units. The Principles are an IG maturity model, which is used as a preliminary
evaluation of recordkeeping programs and practices.
    Interest in and the application of The Principles for assessing an organization’s
    recordkeeping practices have steadily increased since their establishment in 2009. The
    Principles form an accountability framework that includes the processes, roles, standards, and metrics that ensure the effective and efficient use of records and information in support of an organization’s goals and business objectives.
    As shown in Table 3.1, the Generally Accepted Recordkeeping Principles maturity model associates characteristics that are typical in five levels of recordkeeping
    capabilities ranging from 1 (substandard) to 5 (transformational). The levels are both
    descriptive and color coded for ease of understanding. The eight principles and levels
    (metrics) are applied to the current state of an organization’s recordkeeping capabilities and can be cross-referenced to the policies and procedures. While it is not unusual
    for an organization to be at different levels of maturity in the eight principles, the question
“How good is good enough?” must be raised and answered; a rating of less than “transformational” may be acceptable, depending on the organization’s tolerance for risk and an
    analysis of the costs and benefits of moving up each level.
The maturity levels define the characteristics of evolving and maturing RM programs. The
assessment should reflect the current RM environment and practices. The principles
and maturity level definitions, along with improvement recommendations (roadmap),
outline the tasks required to proactively approach addressing systematic RM practices
and reach the next level of maturity for each principle. While the Generally Accepted
Recordkeeping Principles are broad in focus, they illustrate the requirements of good
RM practices. The Principles Assessment can also be a powerful communication tool
to promote cross-functional dialogue and collaboration among business units and staff.
The Generally Accepted Recordkeeping Principles maturity model measures
recordkeeping maturity in five levels.
Accountability
The principle of accountability covers the assigned responsibility for RM at a senior
level to ensure effective governance with the appropriate level of authority. A senior-level executive must be high enough in the organizational structure to have sufficient
authority to operate the RM program effectively. The primary role of the senior executive is to develop and implement RM policies, procedures, and guidance and to
    provide advice on all recordkeeping issues. The direct responsibility for managing or
    operating facilities or services may be delegated.
    The senior executive must possess an understanding of the business and legislative
    environment within which the organization operates, business functions and activities,
    and the required relationships with key external stakeholders to understand how RM
    contributes to achieving the corporate mission, aims, and objectives.
    It is important for top-level executives to take ownership of the RM issues of
    the organization and to identify corrective actions required for mitigation or ensure
    resolution of problems and recordkeeping challenges. An executive sponsor should
    identify opportunities to raise awareness of the relevance and importance of RM and
    effectively communicate the benefits of good RM to staff and management.
    The regulatory and legal framework for RM must be clearly identified and
    understood. The senior executive must have a sound knowledge of the organization’s
    information and technological architecture and actively participate in strategic decisions for IT systems acquisition and implementation.
    The senior executive is responsible for ensuring that the processes, procedures,
    governance structures, and related documentation are developed. The policies should
    identify the roles and responsibilities at all levels of the organization.
    An audit process must be developed to cover all aspects of RM within the organization,
    including substantiating that sufficient levels of accountability have been assigned and
    accountability deficiencies are identified and remedied. Audit processes should include
    compliance with the organization policies and procedures for all records, regardless
    of format or media. Accountability audit requirements for electronic records include
    employing appropriate technology to audit the information architecture and systems.
    Accountability structures must be updated and maintained as changes occur in the
    technology infrastructure.
    The audit process must reinforce compliance and hold individuals accountable.
    The results should be constructive, encourage continuous improvement, but not be
    used as a means of punishment. The audit should contribute to records program improvements in risk mitigation, control, and governance issues and have the capacity to support
    sustainability.
    Transparency
    Policies are broad guidelines for the operation of the organization and provide a basic
    guide to action that prescribes the boundaries within which business activities are to
    take place. They state the course of action to be followed by the organization, business
    unit, department, and employees.
Transparency of recordkeeping practices includes documenting processes and
    promoting an understanding of the roles and responsibilities of all stakeholders. To be
    effective, policies must be formalized and integrated into business processes. Business rules and
    recordkeeping requirements need to be communicated and installed at all levels of the
    organization.
    Senior management must recognize that transparency is fundamental to IG and
    compliance. Documentation must be consistent, current, and complete. A review and
    approval process must be established to ensure that the introduction of new programs
    or changes can be implemented and integrated into business processes.
    Employees must have ready access to RM policies and procedures. They must receive guidance and training to ensure they understand their roles and requirements for
    RM. Recordkeeping systems and business processes must be designed and developed
    to clearly define the records lifecycle.
    In addition to policies and procedures, guidelines and operational instructions,
    diagrams and flowcharts, system documentation, and user manuals must include clear
    guidance on how records are to be created, retained, stored, and dispositioned. The
    documentation must be readily available and incorporated in communications and
    training provided to staff.
    Integrity
Record-generating systems and repositories must be assessed to determine recordkeeping capabilities. A formalized process must be in place for acquiring or developing new
    systems, including requirements for capturing the metadata required for lifecycle management
    of records in the systems. In addition, the record must contain all the necessary elements
of an official record, including structure, content, and context. Records integrity,
reliability, and trustworthiness are confirmed by ensuring that a record was created by
    a competent authority according to established processes.
    Maintaining the integrity of records means that they are complete and protected from
    being altered. The authenticity of a record is ascertained from internal and external evidence, including the characteristics, structure, content, and context of the
    records, to verify they are genuine and not corrupted or altered. In order to trust
    that a record is authentic, organizations must ensure that recordkeeping systems
    that create, capture, and manage electronic records are capable of protecting records from accidental or unauthorized alteration or deletion while the record has
    value.
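The Integrity principle asks that recordkeeping systems confirm who created a record and detect any later alteration or deletion. The following is an added example, not code from the book or any product, showing one way a system can meet that requirement: each captured record is hashed together with its author and the previous entry's hash, so recomputing the chain exposes an altered field or a removed entry. The author names, record identifiers and contents are constructed for the demonstration.

```python
"""Added example: a tamper-evident record store (SHA-256 hash chain).
Constructed demonstration; not the book's or any product's code."""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RecordEntry:
    seq: int          # position in the chain
    record_id: str    # constructed identifier, e.g. "INV-0001"
    author: str       # the authority that created the record
    content: str      # record content (plain text here for brevity)
    prev_hash: str    # entry_hash of the previous entry (links the chain)
    entry_hash: str   # SHA-256 over all the fields above


GENESIS = "0" * 64  # prev_hash used by the first entry


def _digest(seq: int, record_id: str, author: str, content: str, prev_hash: str) -> str:
    # Canonical JSON so the same fields always hash to the same value.
    payload = json.dumps([seq, record_id, author, content, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class RecordStore:
    """Append-only chain of captured records."""

    def __init__(self, authorized_authors):
        # The 'competent authorities' allowed to create records (constructed list).
        self.authorized = set(authorized_authors)
        self.entries: List[RecordEntry] = []

    def capture(self, record_id: str, author: str, content: str) -> str:
        """Capture a record; refuses authors outside the established process.
        Returns the new entry's hash."""
        if author not in self.authorized:
            raise PermissionError(f"{author} is not authorized to create records")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries)
        h = _digest(seq, record_id, author, content, prev)
        self.entries.append(RecordEntry(seq, record_id, author, content, prev, h))
        return h

    def head(self) -> str:
        """Hash of the latest entry; keep a copy outside the store to detect truncation."""
        return self.entries[-1].entry_hash if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Return (ok, index_of_first_bad_entry).
        Recomputes every hash: an altered field, a re-sequenced entry or a removed
        middle entry breaks the chain. Removal of the newest entries is only caught
        when expected_head (a copy of head() held outside the store) is supplied."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False, i
            if _digest(e.seq, e.record_id, e.author, e.content, e.prev_hash) != e.entry_hash:
                return False, i
            prev = e.entry_hash
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


if __name__ == "__main__":
    store = RecordStore(["records.officer"])
    store.capture("INV-0001", "records.officer", "Invoice 1: 1,200.00")
    h = store.capture("INV-0002", "records.officer", "Invoice 2: 850.00")
    print("intact:", store.verify(expected_head=h))
    store.entries[0].content = "Invoice 1: 12,000.00"   # simulated unauthorized alteration
    print("after edit:", store.verify(expected_head=h))
```

The chain alone cannot tell that the most recent entries were dropped, which is why `verify` accepts an externally held head hash; in practice that copy lives with the audit function described under Accountability, outside the control of the people who operate the store.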
    Protection
Organizations must protect records from loss, tampering, or corruption. This includes
protecting them against technological change, the failure of digital storage media, and
physical damage or deterioration.
    This principle applies equally to physical and electronic records, each of which has
    unique requirements and challenges.
    Access and security controls need to be established, implemented, monitored, and
    reviewed to ensure business continuity and minimize business risk. Restrictions on
    access and disclosure include the methods for protecting personal privacy and proprietary information. Access and security requirements must be integrated into the business systems and processes for the creation, use, and storage of records.
Long-term digital preservation (LTDP) is a series of managed activities required to ensure continued access to digital materials for as long as necessary. Electronic records requiring long-term retention
    may require conversion to a medium and format suitable to ensure long-term access
    and readability.
    Compliance
    RM programs include the development and training of the fundamental components,
including compliance monitoring to ensure sustainability of the program.
    Monitoring for compliance involves reviewing and inspecting the various facets of records
    management, including ensuring records are being properly created and captured, implementation of user permissions and security procedures, workflow processes through
    sampling to ensure adherence to policies and procedures, ensuring records are being
    retained following disposal authorization, and documentation of records destroyed or
    transferred to determine whether destruction/transfer was authorized in accordance
    with disposal instructions.
    Compliance monitoring can be carried out by an internal audit, external organization, or RM and must be done on a regular basis.
    Availability
    Organizations should evaluate how effectively and efficiently records and information are
    stored and retrieved using present equipment, networks, and software. The evaluation
    should identify current and future requirements and recommend new systems
    as appropriate. Certain factors should be considered before upgrading or implementing new systems. These factors are practicality, cost, and effectiveness of new
    configurations.
    A major challenge for organizations is ensuring timely and reliable access to and
    use of information and that records are accessible and usable for the entire length of
    the retention period. Rapid changes and enhancements to both hardware and software
    compound this challenge.
    Retention
Retention is the function of preserving and maintaining records for continuing use. The retention schedule identifies the actions needed to fulfill the requirements for the retention
    and disposal of records and provides the authority for employees and systems to retain,
    destroy, or transfer records. The records retention schedule documents the recordkeeping requirements and procedures, identifying how records are to be organized
    and maintained, what needs to happen to records and when, who is responsible for
    doing what, and whom to contact with questions or guidance.
    Organizations must identify the scope of their recordkeeping requirements for
    documenting business activities based on regulated activities and jurisdictions that impose control over records. This includes business activities regulated by the government for every location or jurisdiction in which the company does business. Other
    considerations for determining retention requirements include operational, legal, fiscal, and historical ones.
    Records appraisal is the process of assessing the value and risk of records to
    determine their retention and disposition requirements. Legal research is outlined in
    appraisal reports. This appraisal process may be accomplished as a part of the process
    of developing the records retention schedules as well as conducting a regular review to
    ensure that citations and requirements are current.
The records retention period is the length of time that records should be retained and
    the actions taken for them to be destroyed or preserved. The retention periods for different
    records should be based on legislative or regulatory requirements as well as on administrative and operational requirements.
    It is important to document the legal research conducted and used to determine
    whether the law or regulation has been reasonably applied to the recordkeeping practices and provide evidence to regulatory officials or courts that due diligence has been
    conducted in good faith to comply with all applicable requirements.
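A retention schedule states, per record series, the triggering event, the retention period, the final action (destroy or transfer to an archive) and the legal research behind it. The following is an added example, not the book's or any organization's schedule, of evaluating such a schedule for a given record and producing the documentation of destruction or transfer that the Compliance principle says must be inspected. The series codes, periods and citations are constructed placeholders; real periods come only from the organization's own legal research.

```python
"""Added example: evaluating a records retention schedule and documenting disposition.
The schedule, citations and record identifiers are constructed placeholders."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional


@dataclass(frozen=True)
class RetentionRule:
    series: str               # record series code (constructed)
    trigger: str              # event that starts the retention period
    years: Optional[int]      # retention period in years; None means permanent
    final_action: str         # "destroy" or "transfer" (to an archive)
    citation: str             # documented legal research behind the period (placeholder)


# Constructed schedule; every period and citation here is a placeholder.
SCHEDULE: Dict[str, RetentionRule] = {
    "AP-INV": RetentionRule("AP-INV", "end of fiscal year", 7, "destroy",
                            "[placeholder: applicable tax regulation]"),
    "HR-PERS": RetentionRule("HR-PERS", "termination of employment", 3, "destroy",
                             "[placeholder: applicable employment regulation]"),
    "BOARD-MIN": RetentionRule("BOARD-MIN", "meeting date", None, "transfer",
                               "[placeholder: corporate records statute]"),
}


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def evaluate(series: str, trigger_date: date, today: date,
             disposal_authorized: bool = False) -> dict:
    """Decide what should happen to one record today.
    - unscheduled records are retained: no authority to destroy them exists yet
    - permanent series are transferred to the archive
    - before the period ends: retain
    - after it ends: destroy only with disposal authorization, otherwise hold
    """
    rule = SCHEDULE.get(series)
    if rule is None:
        return {"action": "retain", "eligible_on": None,
                "reason": "no schedule entry; unscheduled records are retained"}
    if rule.years is None:
        return {"action": "transfer", "eligible_on": trigger_date,
                "reason": "permanent retention: " + rule.citation}
    eligible_on = add_years(trigger_date, rule.years)
    if today < eligible_on:
        return {"action": "retain", "eligible_on": eligible_on,
                "reason": f"{rule.years} years from {rule.trigger}"}
    if rule.final_action == "destroy" and not disposal_authorized:
        return {"action": "hold", "eligible_on": eligible_on,
                "reason": "awaiting disposal authorization"}
    return {"action": rule.final_action, "eligible_on": eligible_on, "reason": rule.citation}


def disposition_record(record_id: str, series: str, action: str,
                       authorized_by: str, performed_on: date) -> dict:
    """The documentation of destruction or transfer that compliance monitoring later inspects."""
    if action not in ("destroy", "transfer"):
        raise ValueError("only destroy or transfer produce a disposition record")
    return {"record_id": record_id, "series": series, "action": action,
            "authorized_by": authorized_by, "performed_on": performed_on.isoformat(),
            "citation": SCHEDULE[series].citation}


if __name__ == "__main__":
    today = date(2024, 1, 15)   # constructed 'today'
    for series, trig in [("AP-INV", date(2016, 6, 30)), ("AP-INV", date(2017, 6, 30)),
                         ("BOARD-MIN", date(2020, 3, 1)), ("LEGACY", date(2010, 1, 1))]:
        print(series, trig, evaluate(series, trig, today))
    print(disposition_record("INV-0001", "AP-INV", "destroy", "records.officer", today))
```

The "hold" outcome is deliberate: an expired retention period makes a record eligible for destruction but does not by itself authorize it, and a record with no schedule entry is retained rather than destroyed, because destruction without authority is what the audit process exists to catch.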
    Disposition
    Disposition is the last stage in the life cycle of records. When the retention requirements
    have been met and the records no longer serve a useful business purpose, records may
    be destroyed. Records requiring long-term or permanent retention should be transferred to an archive for preservation. The timing of the transfer of physical or electronic records should be determined through the records retention schedule process.
    Additional methods, including migration or conversion, are often required to preserve
    electronic records.
    Records must be destroyed in a controlled and secure manner and in accordance
    with authorized disposal instructions. The destruction of records must be c…
