question -1 – 250 words
research paper
Read the instructions and do the work
week-3,week-5 (done)
week-7 (need help)
Please watch prof video and instructions carefully.
research-paper/ITS833 – Portfolio Project_8wk(3).docx
Scenario:
You have recently been hired as a Chief Information Governance Officer (CIGO) at a large company (You may choose your industry). This is a newly created position and department within the organization that was founded on the need to coordinate all areas of the business and to provide governance of the information. You will need to hire for all positions within your new department.
The company has been in business for more than 50 years and in this time has collected vast amounts of data. Much of this data has been stored in hard copy format in filing cabinets at an offsite location but in recent times, collected business data is in electronic format stored in file shares. Customer data is being stored in a relational database, but the lack of administration has caused data integrity issues such as duplication. There are currently no policies in place to address the handling of data, business or customer. The company also desires to leverage the marketing power of social media, but has no knowledge of the types of policies or legal issues they would need to consider. You will also need to propose relevant metrics that should be collected to ensure that the information governance program is effective.
The CEO and Board of Directors have tasked you to develop a proposal (paper) that will give them the knowledge needed to make informed decisions on an enterprise-wide Information Governance program, addressing (at a minimum) all of these issues, for the company.
Requirements:
The paper should include, at a minimum, the following sections:
a. Title page
b. Executive Summary (Abstract)
c. Body
i. Introduction (including industry discussion – 1-2 pages)
ii. Annotated Bibliography (2-3 pages)
iii. Literature review (2-3 pages)
iv. Program and technology recommendations, including:
1. Metrics
2. Data that matters to the executives in that industry, the roles for those executives, and some methods for getting this data into their hands.
3. Regulatory, security, and privacy compliance expectations for your company
4. Email and social media strategy
5. Cloud Computing strategy
d. Conclusion
e. References
2. You must include at least two figures or tables. These must be of your own creation. Do not copy from other sources.
3. Must cite at least 10 references and 5 must be from peer reviewed scholarly journals (accessible from the UC Library).
4. This paper should be in proper APA format and avoid plagiarism when paraphrasing content. It should be a minimum of 8 pages in length (double-spaced), excluding the title page and references.
Milestones:
· Week 3 – Introduction Section – A 2-3 page paper describing the industry chosen and potential resources to be used. 100 pts.
· Week 5 – Develop a full annotated bibliography (3-4 pages) and develop the literature review (3-4 pages). 200 pts.
· Week 7 – Completed final research paper (both milestones combined together and include the last sections as discussed in the list above). 300 pts.
Total: 600 pts
research-paper/week-3/InformationGovernance2 (1).docx
RUNNING HEAD: INFORMATION GOVERNANCE 1
Information Governance
Krishna C Sanagavarapu
Department of IT, University of the Cumberlands
ITS 833: Information Governance
Dr. Mary Cecil
September 13th, 2020
The healthcare industry is one of the largest and fastest-growing industries worldwide; in developed countries, it claims around 10% of the Gross Domestic Product (Pappas, et al, 2018). Healthcare relies on integrating sectors within the economy of a country to provide the goods and services needed to deliver quality healthcare to patients. Healthcare provides patients with preventive, curative, palliative, and rehabilitative care. It is divided into three branches, namely, services, products, and finances. The provision of quality healthcare is the focus of this industry, which aims to ensure that patients receive the best care possible and does everything it can to save the lives of people around the world.
The provision of quality healthcare comes with the cost of providing the best services to the patient and even keeping the records of the patients safe. The healthcare industry is one of the sectors where big data is produced day in, day out. Big data comprises structured, semi-structured, and unstructured data. Structured information is organized in a specific acceptable format, and it is easy to understand and interpret. Unstructured data is not contained in any format, and it proves hard to understand, while semi-structured information is made of both forms of data, structured and unstructured (Pappas, et al., 2018).
To provide quality care to the patients, information governance is critical in these hospital organizations. When a patient is first admitted, they are equipped with a form to fill all the necessary details that the doctors will need to perform an accurate diagnosis. Such information may include family health history and allergies. This information is then stored by the hospital and is retrieved whenever the patient will revisit the hospital. Most institutions have adopted Electronic Health Records in which the patient’s records are put in the system for easy reference when needed and even storage. Both manual and electronic recording of data requires a lot of information governance protocols to contribute to the provision of quality healthcare to the patients.
Displacing these records or even hacking can present many challenges in the management of this enormous amount of data (Pappas, et al., 2018). The challenge faced in the information governance in this industry includes the capturing, storage, and the security of the obtained data. To capture accurate, clean, and complete data while transferring it to the electronic records can be challenging to the hospital personnel. Many mistakes can be made in the procedure leading to misplacement or omission of critical patient history, which can be chaotic. Also, the storage of the data obtained can be very challenging.
The enormous amount of data that is obtained in the hospital needs a vast space to be stored securely, and this requires complicated systems to accommodate this data. Many industries are proposing the use of cloud services as a solution to the massive amounts of data. The healthcare industry faces many security vulnerabilities ranging from phishing emails, malware hacking, and high-profile breaches (Green, 2017). Many hospitals have made the headlines as victims of cybercrime, which is one of the significant challenges in data storage.
References
Mikalef, P., Krogstie, J., van de Wetering, R., Pappas, I., & Giannakos, M. (2018, January). Information Governance in the big data era: aligning organizational capabilities. In Proceedings of the 51st Hawaii International Conference on System Sciences. Retrieved from https://scholarspace.manoa.hawaii.edu/handle/10125/50504
Green, D. (2017). A road map for information governance implementation in healthcare. HIM-Interchange, 71(1), 32-34. Retrieved from http://www.himaa2.org.au/HIM-I/sites/default/files/170305%20HIM-I%207-1%20Green.pdf
research-paper/week-3/week-3-milestone.txt
Portfolio Project: Milestone 1: Introduction Attached Files: File ITS833 – Portfolio Project_8wk.docx (15.837 KB) Your final project paper is broken down into 3 parts, worth a total of 600 points towards your final grade. This milestone is worth 100 points. For this piece of that assignment, you will write the introduction to your final portfolio project (2-3 pages), comprehensively describing the industry you are choosing to use in the paper and preliminary challenges with information governance that you have identified. Be sure to utilize 3-5 sources from the UC Library. Review the instructions in the Portfolio Project document first (attached here). Each milestone is a separate writing assignment, leading up to the final submission in week 7. Expectations are that it will be a scholarly work, using largely peer-reviewed resources, formatted to APA 7 style. Grammar, spelling, and punctuation are significantly weighted. Any instance of plagiarism will result in a 0 on the activity (first offense) or failing the course (2nd offense).
research-paper/week-5/IGdoc (1).docx
Running Head: INFORMATION GOVERNANCE 1
Information Governance
Student Name
Institution Affiliation
Abstract
Information governance is a crucial sector in any department as far as data security and privacy are concerned. Through proper governance, it ensures accountability by regulating and identifying who is responsible for specific information, where the information is and where it is supposed to be, how the information is supposed to be used appropriately, and the individuals who can be given access to the information. An adequately designed information system should govern the acquisition, management, maintenance, and disposal of the data at hand. The sole purpose of having information governance in an organization is to ensure that all the relevant information obtained is used in the most appropriate way, as it was supposed to be, and by the individuals who have been authorized (Kwan, et al, 2020).
There is a large volume of data collected each day; this brings about good governance. Using information governance tools can accomplish its goals by taking all the necessary accountability measures. This will guarantee information safety and patients’ security and privacy.
Introduction
The Healthcare sector deals with critical information that can be a matter of life and death. That means all measures must be put in place to ensure data is protected. Many people view information security and privacy as the backbone of any health care organization. In the health care sector, to provide protection and efficient, high-quality care, organizations must first have a clear understanding of the information and the tools they are supposed to use in safeguarding the information. Information governance is also interested in managing the new and expired information to ensure its effectiveness, thereby serving as a cost-effective tool. In most cases, organizations negligent in managing their resources tend to pay a high price in the long run. Producers, distributors, and the end-users of this information must understand that there are different types of information in the health care sector since they are created differently; this information must be governed in the best way possible.
The exponential growth of Data and Information: comparison between data growth versus the use of information governance
From the research above, the amount of data doubles after every 18 months. This issue can only be addressed through the adoption of information governance strategies, which can reduce data growth by 60% in a year.
Annotated bibliography
Mullon, P. A., & Ngoepe, M. (2019). An integrated framework to elevate information governance to a national level in South Africa. Records Management Journal.
The authors, Mullon and Ngoepe, talk about information governance as an emerging trend that can present very severe challenges to the health sector if it is not acted upon quickly. The authors depict information governance as not yet having been able to solve the problems that exist, for instance, in record management, information management, and data protection.
Kwan, H., Riley, M., Prasad, N., & Robinson, K. (2020). An investigation of the status and maturity of hospitals’ health information governance in Victoria, Australia. Health Information Management Journal, 1833358320938309. Retrieved from https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&q=Kwan%2C+H.%2C+Riley%2C+M.%2C+Prasad%2C+N.%2C+%26+Robinson%2C+K.+%282020%29.+An+investigation+of+the+status+and+maturity+of+hospitals%E2%80%99+health+information+governance+in+Victoria%2C+Australia.+Health+Information+Management+Journal%2C+1833358320938309.&btnG
Kwan, et al. (2020), in this article, identified the barriers affecting IG in the health sector and examined data breach response among employees.
Ramesh, G., Dhushyanth, R., Secci, F., Sadia, C., & Frere, J. J. (2018). Health and nutrition in urban Bangladesh: social determinants and health sector governance. Health and https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2016&q=rRamesh%2C+G.%2C+Dhushyanth%2C+R.%2C+Secci%2C+F.%2C+Sadia%2C+C.%2C+%26+Frere%2C+J.+J.+%282018%29.+Health+and+nutrition+in+urban+Bangladesh%3A+social+determinants+and+health+sector+governance.+Health+and+nutrition+in+urban+Bangladesh%3A+social+determinants+and+health+sector+governance.&btnG
The authors in this article talk about the effects of urbanization in Bangladesh exerting pressure on the healthcare sector, hence the need for information governance.
Smallwood, R. F. (2019). Information governance: Concepts, strategies and best practices. John Wiley & Sons. Retrieved from https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2016&q=Smallwood%2C+R.+F.+%282019%29.+Information+governance%3A+Concepts%2C+strategies+and+best+practices.+John+Wiley+%26+Sons.&btnG
In this article, the author talks about the importance of adopting information governance in the large healthcare sector. The author explains the need for computerizing the record keeping system in healthcare.
Tu, J. (2019). Gift Practice in the Chinese Health Sector: Inequality, Power and Governance. In Health Care Transformation in Contemporary China (pp. 111-139). Springer, Singapore. Retrieved from https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2016&q=Tu%2C+J.+%282019%29.+Gift+Practice+in+the+Chinese+Health+Sector%3A+Inequality%2C+Power+and+Governance.+In+Health+Care+Transformation+in+Contemporary+China+%28pp.+111-139%29.+Springer%2C+Singapore.&btnG
In this article, the author explains the scenario in the Chinese healthcare system where doctors require more monetary gifts to deliver services. The author emphasizes the need for IG in the Chinese healthcare sector.
Velasquez, A., Suarez, D., & Nepo-Linares, E. (2016). Health sector reform in Peru: Law, governance, universal coverage, and responses to health risks. Revista peruana de medicina experimental y salud publica, 33(3), 546. Retrieved from https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2016&q=Velasquez%2C+A.%2C+Suarez%2C+D.%2C+%26+Nepo-Linares%2C+E.+%282016%29.+Health+sector+reform+in+Peru%3A+Law%2C+governance%2C+universal+coverage%2C+and+responses+to+health+risks.+Revista+peruana+de+medicina+experimental+y+salud+publica%2C+33%283%29%2C+546.&btnG=
In this article, the authors talk about the healthcare system in Peru; they consider healthcare a right which must be protected by the state by eliminating all barriers and enhancing patients’ privacy and security.
Shu, I. N., & Jahankhani, H. (2017, November). The Impact of the new European General Data Protection Regulation (GDPR) on the Information Governance Toolkit in Health and Social care with special reference to Primary care in England. In 2017 Cybersecurity and Cyberforensics Conference (CCC) (pp. 31-37). IEEE. Retrieved from https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2016&q=Cloud+computing+strategy+In+Information+Governance+in+healthcare&btnG=
The authors in this article stress the need to upgrade healthcare databases so as to safeguard patients’ privacy by adopting cloud computing techniques.
Gbadeyan, A., Butakov, S., & Aghili, S. (2017). IT governance and risk mitigation approach for private cloud adoption: case study of provincial healthcare provider. Annals of Telecommunications, 72(5-6), 347-357. Retrieved from https://scholar.google.com/scholar?start=10&q=Cloud+computing+strategy+In+Information+Governance+in+healthcare&hl=en&as_sdt=0,5&as_ylo=2016
The author of the article describes cloud computing as having a very significant role in the health sector. The privacy and security of the data is the key in a hospital and therefore the need to address it before adopting the technology.
Paglialonga, A., Patel, A. A., Pinto, E., Mugambi, D., & Keshavjee, K. (2019). The healthcare system perspective in mHealth. In m_Health Current and Future Applications (pp. 127-142). Springer, Cham. Retrieved from https://scholar.google.com/scholar?start=10&q=Cloud+computing+strategy+In+Information+Governance+in+healthcare&hl=en&as_sdt=0,5&as_ylo=2016
The article talks about how mobile devices have transformed the health sector. There are so many opportunities in health care that have presented themselves since the adoption of good information governance.
In, J., Bradley, R., Bichescu, B. C., & Autry, C. W. (2019). Supply chain information governance: Toward a conceptual framework. The International Journal of Logistics Management. Retrieved from https://scholar.google.com/scholar?start=10&q=information+governance+and+email+in+health+sector&hl=en&as_sdt=0,5&as_ylo=2016
The paper proposes frameworks in the health care sector that can promote information governance and enhance patient’s data privacy and security.
Literature review
The paper reviewed several literature pieces in 3 areas: data governance, ethics, and the stakeholders’ relations. The research dealt with information protection and governance and the stakeholders’ impact on the use and misuse of the organization’s information. Organization governance is critical to the strategy used to direct the daily affairs of an organization. Governance dictates the allocation of powers and the establishment of strategies in an organization. The study outlines how governance assists the institution by focusing on the organization’s objectives, thus enhancing the effective use of the available resources. The study also evaluates the evolution of information governance as the main that affect information governance. Besides, the research highlights some ethical issues associated with the information governance program.
Metrics in Information Governance
Business metrics are measurable values that indicate whether a company has achieved its goals. The KPI dashboard usually tracks them. To achieve the set business goals, an organization needs to develop its governance structure to allow the flow of metrics from the decision-maker’s level. Employees need to know how the governance process is relevant to the work and the organization’s objectives. Information security governance has become an essential factor in the entire corporate governance activities (Mullon & Ngoepe, 2019).
To enhance the efficient governance of an organization, it is essential to secure information, align business metrics, and implement, monitor, and report to management. This ensures that risk is effectively managed and the healthcare goals are achieved. To develop metrics, it is essential to make sure that what is to be measured is elaborated and understood. Organization measures and metrics should be made to determine if certain functions are achieving business goals. The most critical metrics that ensure information governance is effective are operational and technological metrics.
Operational metrics determine the efficiency and ability to enhance security control made to protect information infrastructure. They are typically associated with the effectiveness of their control on set and their role in business activities. They establish a behavior pattern for data-related functions.
Essential data in an organization and the role of executives.
Business executives make business plans and direct and coordinate operational activities for the corporation. They usually are responsible for enacting policies and strategies that will meet healthcare’s goals and objectives. The primary function of modern business data is to empower business managers to make decisions based on facts. Business officials must be able to get the correct information so that they can make the best decisions concerning strategy and growth.
The executives gather data from online sources. This enables them to determine the details of the most qualified people in order to employ them. The market department relies on the market segmentation data to find the buyers and increase the sales speed. They must also examine the market trends, such as differences in pricing of resources, shipping, or processing. Great business leaders use data effectively to make decisions. Business data have a more significant impact on the business owner’s profit margin, and therefore it is essential to develop a strategy that keeps the corporation profitable (Velasquez, et al, 2016).
The program needs to state the roles and responsibilities of every stakeholder in the organization. The stakeholders include both the information and governance committee. The committee comprises members from different departments. This part also includes the primary roles of the committee and the criteria which they should apply.
Regulatory, security, and privacy compliance expectations of the company
Compliance is the means of ensuring that a corporation is fulfilling at least the related security requirements. It comprises a set of transparent technical systems and equipment that protects and defends the information assets. Privacy compliance is the company’s accordance with established individual information protection guidelines, specifications, or legislation. It is essential not to let compliance needs determine the organization’s security requirements. There are three types of security obligations: business, regulatory, and customer obligations. Privacy compliance has become a prevalent business concern due to high-profile regulation, which includes the European Union and the General Data Protection Regulation (Ramesh, et al, 2018).
The information governance program also boosts the legal activities in the organization. Because all the necessary information is made available, legal proceedings are not interfered with. Compliance within the organization will also be enhanced because all employees will have clear guidance and work. Additionally, data will be easily retrieved in times of need.
Email and social media strategy In Information Governance
Email enables the healthcare industry to market itself to its targeted customers. The industry’s customers can choose to receive information about the products it sells or new products in the market. Email is fast, affordable, and easily accessible; it provides an efficient and effective means to convey all electronic data types. It also allows people to create long-lasting relationships. Email enhances instantaneous communication by quickly distributing information and providing faster responses to patients’ inquiries. Besides, it speeds up problem solving. As a result, healthcare owners can achieve a more extraordinary result in a short period through email; employees and the industry management can communicate effectively and within a short time. Also, clients can send questions concerning the industry’s products (Mullon & Ngoepe, 2019).
The main benefit of social media in an industry is to enhance fast and more accessible communication. Clients can contact services faster and more efficiently. It also improves networking, boosts organic visibility, supports branding to impress patients, and helps to track business competition. Social media allows a business to interact with customers and share information about the industry’s products. Social media helps one to engage with patients and get feedback about the services. It assists in advertising, promotional giveaways, and mobile application. It also promotes market research and reduces marketing costs.
Cloud computing strategy In Information Governance
Cloud computing strategy is an essential paradigm shift in information technology. It was developed from the extension of distributing an application host provider. It provides economies of scale by distributing the expenses across many customers’ organizations and combining computing resources. Cloud computing is massively accessible and can be readily modulated. This strategy provides a more significant potential on-demand computing power, consistent security, and off-site backups in the healthcare sector. Cloud distributions can allow users to enjoy a high level of independence from their IT department; these departments are encouraged to have readily available resources whenever required (Tu, 2019).
Conclusion
Data security has become a growing concern for healthcare organizations. Regardless of its size, no health care organization is immune to data loss. There are steps the hospital can take to minimize the risk of breaches to PHI in the future. With government incentives and penalties in place, the hospital is incented to implement interventions to provide effective, efficient, and top-quality care while, at the same time, protecting their patients’ PHI.
References
Gbadeyan, A., Butakov, S., & Aghili, S. (2017). IT governance and risk mitigation approach for private cloud adoption: case study of provincial healthcare provider. Annals of Telecommunications, 72(5-6), 347-357. Retrieved from https://scholar.google.com/scholar?start=10&q=Cloud+computing+strategy+In+Information+Governance+in+healthcare&hl=en&as_sdt=0,5&as_ylo=2016
In, J., Bradley, R., Bichescu, B. C., & Autry, C. W. (2019). Supply chain information governance: Toward a conceptual framework. The International Journal of Logistics Management. Retrieved from https://scholar.google.com/scholar?start=10&q=information+governance+and+email+in+health+sector&hl=en&as_sdt=0,5&as_ylo=2016
Kwan, H., Riley, M., Prasad, N., & Robinson, K. (2020). An investigation of the status and maturity of hospitals’ health information governance in Victoria, Australia. Health Information Management Journal, 1833358320938309. Retrieved from https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&q=Kwan%2C+H.%2C+Riley%2C+M.%2C+Prasad%2C+N.%2C+%26+Robinson%2C+K.+%282020%29.+An+investigation+of+the+status+and+maturity+of+hospitals%E2%80%99+health+information+governance+in+Victoria%2C+Australia.+Health+Information+Management+Journal%2C+1833358320938309.&btnG=
Mullon, P. A., & Ngoepe, M. (2019). An integrated framework to elevate information governance to a national level in South Africa. Records Management Journal.
Ramesh, G., Dhushyanth, R., Secci, F., Sadia, C., & Frere, J. J. (2018). Health and nutrition in urban Bangladesh: social determinants and health sector governance. Health and nutrition in urban Bangladesh: social determinants and health sector governance. Retrieved from https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2016&q=rRamesh%2C+G.%2C+Dhushyanth%2C+R.%2C+Secci%2C+F.%2C+Sadia%2C+C.%2C+%26+Frere%2C+J.+J.+%282018%29.+Health+and+nutrition+in+urban+Bangladesh%3A+social+determinants+and+health+sector+governance.+Health+and+nutrition+in+urban+Bangladesh%3A+social+determinants+and+health+sector+governance.&btnG=
Paglialonga, A., Patel, A. A., Pinto, E., Mugambi, D., & Keshavjee, K. (2019). The healthcare system perspective in mHealth. In m_Health Current and Future Applications (pp. 127-142). Springer, Cham. Retrieved from https://scholar.google.com/scholar?start=10&q=Cloud+computing+strategy+In+Information+Governance+in+healthcare&hl=en&as_sdt=0,5&as_ylo=2016
Smallwood, R. F. (2019). Information governance: Concepts, strategies and best practices. John Wiley & Sons. Retrieved from https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2016&q=Smallwood%2C+R.+F.+%282019%29.+Information+governance%3A+Concepts%2C+strategies+and+best+practices.+John+Wiley+%26+Sons.&btnG=
Shu, I. N., & Jahankhani, H. (2017, November). The Impact of the new European General Data Protection Regulation (GDPR) on the Information Governance Toolkit in Health and Social care with special reference to Primary care in England. In 2017 Cybersecurity and Cyberforensics Conference (CCC) (pp. 31-37). IEEE. Retrieved from https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2016&q=Cloud+computing+strategy+In+Information+Governance+in+healthcare&btnG=
Tu, J. (2019). Gift Practice in the Chinese Health Sector: Inequality, Power and Governance. In Health Care Transformation in Contemporary China (pp. 111-139). Springer, Singapore. Retrieved from https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2016&q=Tu%2C+J.+%282019%29.+Gift+Practice+in+the+Chinese+Health+Sector%3A+Inequality%2C+Power+and+Governance.+In+Health+Care+Transformation+in+Contemporary+China+%28pp.+111-139%29.+Springer%2C+Singapore.&btnG=
Velasquez, A., Suarez, D., & Nepo-Linares, E. (2016). Health sector reform in Peru: Law, governance, universal coverage, and responses to health risks. Revista peruana de medicina experimental y salud publica, 33(3), 546. Retrieved from https://scholar.google.com/scholar?hl=en&as_sdt=0%2C5&as_ylo=2016&q=Velasquez%2C+A.%2C+Suarez%2C+D.%2C+%26+Nepo-Linares%2C+E.+%282016%29.+Health+sector+reform+in+Peru%3A+Law%2C+governance%2C+universal+coverage%2C+and+responses+to+health+risks.+Revista+peruana+de+medicina+experimental+y+salud+publica%2C+33%283%29%2C+546.&btnG=
research-paper/week-5/milestone-2.txt
This is the second milestone of the portfolio project (which is due in week 7). For milestone 2 (due in week 5), you will develop an annotated bibliography with a minimum of 10 peer reviewed scholarly articles. Additionally, you will write the literature review for the final project. The entire milestone should be a minimum of 6 pages with 10 peer reviewed scholarly articles. For your reference, the portfolio project guidelines are attached here.
Please see the UC library for help in formatting your bibliography. Here are some examples:
https://owl.purdue.edu/owl/general_writing/common_writing_assignments/annotated_bibliographies/annotated_bibliography_samples.html
https://guides.library.cornell.edu/annotatedbibliography
https://sites.umgc.edu/library/libhow/bibliography_tutorial.cfm
https://columbiacollege-ca.libguides.com/mla/annot_bib
Here are some resources to complete a literature review:
https://uscupstate.libguides.com/c.php?g=627058&p=4389968
https://www.youtube.com/watch?v=-ny_EUJXHHs
https://umb.libguides.com/litreview
https://writingcenter.unc.edu/tips-and-tools/literature-reviews/
https://writingcenter.ashford.edu/writing-literature-review
Expectations are that it will be a scholarly work, using largely peer-reviewed resources, formatted to APA 7 style. Grammar, spelling, and punctuation are significantly weighted.
ITS833 – Portfolio Project_8wk.docx
research-paper/week-7/week-7-prof-instructions.txt
Information-Governance_-Concepts-Strategies-and-Best-Practices-1st-Edition.pdf
INFORMATION GOVERNANCE
Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers’ professional and personal knowledge and understanding.
The Wiley CIO series provides information, tools, and insights to IT executives and managers. The products in this series cover a wide range of topics that supply strategic and implementation guidance on the latest technology trends, leadership, and emerging best practices.
Titles in the Wiley CIO series include:
The Agile Architecture Revolution: How Cloud Computing, REST-Based SOA, and Mobile Computing Are Changing Enterprise IT by Jason Bloomberg
Big Data, Big Analytics: Emerging Business Intelligence and Analytic Trends for Today’s Businesses by Michael Minelli, Michele Chambers, and Ambiga Dhiraj
The Chief Information Officer’s Body of Knowledge: People, Process, and Technology by Dean Lane
CIO Best Practices: Enabling Strategic Value with Information Technology (Second Edition) by Joe Stenzel, Randy Betancourt, Gary Cokins, Alyssa Farrell, Bill Flemming, Michael H. Hugos, Jonathan Hujsak, and Karl Schubert
The CIO Playbook: Strategies and Best Practices for IT Leaders to Deliver Value by Nicholas R. Colisto
Enterprise Performance Management Done Right: An Operating System for Your Organization by Ron Dimon
Executive’s Guide to Virtual Worlds: How Avatars Are Transforming Your Business and Your Brand by Lonnie Benson
IT Leadership Manual: Roadmap to Becoming a Trusted Business Partner by Alan R. Guibord
Managing Electronic Records: Methods, Best Practices, and Technologies by Robert F. Smallwood
On Top of the Cloud: How CIOs Leverage New Technologies to Drive Change and Build Value Across the Enterprise by Hunter Muller
Straight to the Top: CIO Leadership in a Mobile, Social, and Cloud-based World (Second Edition) by Gregory S. Smith
Strategic IT: Best Practices for Managers and Executives by Arthur M. Langer and Lyle Yorks
Transforming IT Culture: How to Use Social Intelligence, Human Factors, and Collaboration to Create an IT Department That Outperforms by Frank Wander
Unleashing the Power of IT: Bringing People, Business, and Technology Together by Dan Roberts
The U.S. Technology Skills Gap: What Every Technology Executive Must Know to Save America’s Future by Gary J. Beach
Information Governance: Concepts, Strategies and Best Practices by Robert F. Smallwood
Robert F. Smallwood
INFORMATION GOVERNANCE
CONCEPTS, STRATEGIES AND
BEST PRACTICES
Cover image: © iStockphoto / IgorZh Cover design: Wiley
Copyright © 2014 by Robert F. Smallwood. All rights reserved.
Chapter 7 © 2014 by Barclay Blair
Portions of Chapter 8 © 2014 by Randolph Kahn
Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Cataloging-in-Publication Data:
Smallwood, Robert F., 1959- Information governance : concepts, strategies, and best practices / Robert F. Smallwood. pages cm. — (Wiley CIO series)
ISBN 978-1-118-21830-3 (cloth); ISBN 978-1-118-41949-6 (ebk); ISBN 978-1-118-42101-7 (ebk) 1. Information technology—Management. 2. Management information systems. 3. Electronic
records—Management. I. Title. HD30.2.S617 2014 658.4’038—dc23
2013045072
Printed in the United States of America
For my sons
and the next generation of tech-savvy managers
CONTENTS
PREFACE
ACKNOWLEDGMENTS
PART ONE—Information Governance Concepts, Definitions, and Principles
CHAPTER 1 The Onslaught of Big Data and the Information Governance Imperative
Defining Information Governance
IG Is Not a Project, But an Ongoing Program
Why IG Is Good Business
Failures in Information Governance
Form IG Policies, Then Apply Technology for Enforcement
Notes
CHAPTER 2 Information Governance, IT Governance, Data Governance: What’s the Difference?
Data Governance
IT Governance
Information Governance
Impact of a Successful IG Program
Summing Up the Differences
Notes
CHAPTER 3 Information Governance Principles
Accountability Is Key
Generally Accepted Recordkeeping Principles® (Contributed by Charmaine Brooks, CRM)
Assessment and Improvement Roadmap
Who Should Determine IG Policies?
Notes
PART TWO—Information Governance Risk Assessment and Strategic Planning
CHAPTER 4 Information Risk Planning and Management
Step 1: Survey and Determine Legal and Regulatory Applicability and Requirements
Step 2: Specify IG Requirements to Achieve Compliance
Step 3: Create a Risk Profile
Step 4: Perform Risk Analysis and Assessment
Step 5: Develop an Information Risk Mitigation Plan
Step 6: Develop Metrics and Measure Results
Step 7: Execute Your Risk Mitigation Plan
Step 8: Audit the Information Risk Mitigation Program
Notes
CHAPTER 5 Strategic Planning and Best Practices for Information Governance
Crucial Executive Sponsor Role
Evolving Role of the Executive Sponsor
Building Your IG Team
Assigning IG Team Roles and Responsibilities
Align Your IG Plan with Organizational Strategic Plans
Survey and Evaluate External Factors
Formulating the IG Strategic Plan
Notes
CHAPTER 6 Information Governance Policy Development
A Brief Review of Generally Accepted Recordkeeping Principles®
IG Reference Model
Best Practices Considerations
Standards Considerations
Benefits and Risks of Standards
Key Standards Relevant to IG Efforts
Major National and Regional ERM Standards
Making Your Best Practices and Standards Selections to Inform Your IG Framework
Roles and Responsibilities
Program Communications and Training
Program Controls, Monitoring, Auditing and Enforcement
Notes
PART THREE—Information Governance Key Impact Areas Based on the IG Reference Model
CHAPTER 7 Business Considerations for a Successful IG Program
By Barclay T. Blair
Changing Information Environment
Calculating Information Costs
Big Data Opportunities and Challenges
Full Cost Accounting for Information
Calculating the Cost of Owning Unstructured Information
The Path to Information Value
Challenging the Culture
New Information Models
Future State: What Will the IG-Enabled Organization Look Like?
Moving Forward
Notes
CHAPTER 8 Information Governance and Legal Functions
By Robert Smallwood with Randy Kahn, Esq., and Barry Murphy
Introduction to e-Discovery: The Revised 2006 Federal Rules of Civil Procedure Changed Everything
Big Data Impact
More Details on the Revised FRCP Rules
Landmark E-Discovery Case: Zubulake v. UBS Warburg
E-Discovery Techniques
E-Discovery Reference Model
The Intersection of IG and E-Discovery (By Barry Murphy)
Building on Legal Hold Programs to Launch Defensible Disposition (By Barry Murphy)
Destructive Retention of E-Mail
Newer Technologies That Can Assist in E-Discovery
Defensible Disposal: The Only Real Way To Manage Terabytes and Petabytes (By Randy Kahn, Esq.)
Retention Policies and Schedules (By Robert Smallwood, edited by Paula Lederman, MLS)
Notes
CHAPTER 9 Information Governance and Records and Information Management Functions
Records Management Business Rationale
Why Is Records Management So Challenging?
Benefits of Electronic Records Management
Additional Intangible Benefits
Inventorying E-Records
Generally Accepted Recordkeeping Principles®
E-Records Inventory Challenges
Records Inventory Purposes
Records Inventorying Steps
Ensuring Adoption and Compliance of RM Policy
General Principles of a Retention Scheduling
Developing a Records Retention Schedule
Why Are Retention Schedules Needed?
What Records Do You Have to Schedule? Inventory and Classification
Rationale for Records Groupings
Records Series Identification and Classification
Retention of E-Mail Records
How Long Should You Keep Old E-Mails?
Destructive Retention of E-Mail
Legal Requirements and Compliance Research
Event-Based Retention Scheduling for Disposition of E-Records
Prerequisites for Event-Based Disposition
Final Disposition and Closure Criteria
Retaining Transitory Records
Implementation of the Retention Schedule and Disposal of Records
Ongoing Maintenance of the Retention Schedule
Audit to Manage Compliance with the Retention Schedule
Notes
CHAPTER 10 Information Governance and Information Technology Functions
Data Governance
Steps to Governing Data Effectively
Data Governance Framework
Information Management
IT Governance
IG Best Practices for Database Security and Compliance
Tying It All Together
Notes
CHAPTER 11 Information Governance and Privacy and Security Functions
Cyberattacks Proliferate
Insider Threat: Malicious or Not
Privacy Laws
Defense in Depth
Controlling Access Using Identity Access Management
Enforcing IG: Protect Files with Rules and Permissions
Challenge of Securing Confidential E-Documents
Apply Better Technology for Better Enforcement in the Extended Enterprise
E-Mail Encryption
Secure Communications Using Record-Free E-Mail
Digital Signatures
Document Encryption
Data Loss Prevention (DLP) Technology
Missing Piece: Information Rights Management (IRM)
Embedded Protection
Hybrid Approach: Combining DLP and IRM Technologies
Securing Trade Secrets after Layoffs and Terminations
Persistently Protecting Blueprints and CAD Documents
Securing Internal Price Lists
Approaches for Securing Data Once It Leaves the Organization
Document Labeling
Document Analytics
Confidential Stream Messaging
Notes
PART FOUR—Information Governance for Delivery Platforms
CHAPTER 12 Information Governance for E-Mail and Instant Messaging
Employees Regularly Expose Organizations to E-Mail Risk
E-Mail Policies Should Be Realistic and Technology Agnostic
E-Record Retention: Fundamentally a Legal Issue
Preserve E-Mail Integrity and Admissibility with Automatic Archiving
Instant Messaging
Best Practices for Business IM Use
Technology to Monitor IM
Tips for Safer IM
Notes
CHAPTER 13 Information Governance for Social Media
By Patricia Franks, Ph.D, CRM, and Robert Smallwood
Types of Social Media in Web 2.0
Additional Social Media Categories
Social Media in the Enterprise
Key Ways Social Media Is Different from E-Mail and Instant Messaging
Biggest Risks of Social Media
Legal Risks of Social Media Posts
Tools to Archive Social Media
IG Considerations for Social Media
Key Social Media Policy Guidelines
Records Management and Litigation Considerations for Social Media
Emerging Best Practices for Managing Social Media Records
Notes
CHAPTER 14 Information Governance for Mobile Devices
Current Trends in Mobile Computing
Security Risks of Mobile Computing
Securing Mobile Data
Mobile Device Management
IG for Mobile Computing
Building Security into Mobile Applications
Best Practices to Secure Mobile Applications
Developing Mobile Device Policies
Notes
CHAPTER 15 Information Governance for Cloud Computing
By Monica Crocker CRM, PMP, CIP, and Robert Smallwood
Defining Cloud Computing
Key Characteristics of Cloud Computing
What Cloud Computing Really Means
Cloud Deployment Models
Security Threats with Cloud Computing
Benefits of the Cloud
Managing Documents and Records in the Cloud
IG Guidelines for Cloud Computing Solutions
Notes
CHAPTER 16 SharePoint Information Governance
By Monica Crocker, CRM, PMP, CIP, edited by Robert Smallwood
Process Change, People Change
Where to Begin the Planning Process
Policy Considerations
Roles and Responsibilities
Establish Processes
Training Plan
Communication Plan
Note
PART FIVE—Long-Term Program Issues
CHAPTER 17 Long-Term Digital Preservation
By Charles M. Dollar and Lori J. Ashley
Defining Long-Term Digital Preservation
Key Factors in Long-Term Digital Preservation
Threats to Preserving Records
Digital Preservation Standards
PREMIS Preservation Metadata Standard
Recommended Open Standard Technology-Neutral Formats
Digital Preservation Requirements
Long-Term Digital Preservation Capability Maturity Model®
Scope of the Capability Maturity Model
Digital Preservation Capability Performance Metrics
Digital Preservation Strategies and Techniques
Evolving Marketplace
Looking Forward
Notes
CHAPTER 18 Maintaining an Information Governance Program and Culture of Compliance
Monitoring and Accountability
Staffing Continuity Plan
Continuous Process Improvement
Why Continuous Improvement Is Needed
Notes
APPENDIX A Information Organization and Classification: Taxonomies and Metadata
By Barb Blackburn, CRM, with Robert Smallwood; edited by Seth Earley
Importance of Navigation and Classification
When Is a New Taxonomy Needed?
Taxonomies Improve Search Results
Metadata and Taxonomy
Metadata Governance, Standards, and Strategies
Types of Metadata
Core Metadata Issues
International Metadata Standards and Guidance
Records Grouping Rationale
Business Classification Scheme, File Plans, and Taxonomy
Classification and Taxonomy
Prebuilt versus Custom Taxonomies
Thesaurus Use in Taxonomies
Taxonomy Types
Business Process Analysis
Taxonomy Testing: A Necessary Step
Taxonomy Maintenance
Social Tagging and Folksonomies
Notes
APPENDIX B Laws and Major Regulations Related to Records Management
United States
Canada (By Ken Chasse, J.D., LL.M.)
United Kingdom
Australia
Notes
APPENDIX C Laws and Major Regulations Related to Privacy
United States
Major Privacy Laws Worldwide, by Country
Notes
GLOSSARY
ABOUT THE AUTHOR
ABOUT THE MAJOR CONTRIBUTORS
INDEX
PREFACE
Information governance (IG) has emerged as a key concern for business executives and managers in today’s environment of Big Data, increasing information risks, colossal leaks, and greater compliance and legal demands. But few seem to have a clear understanding of what IG is; that is, how you define what it is and is not, and how to implement it. This book clarifies and codifies these definitions and provides key insights as to how to implement and gain value from IG programs. Based on exhaustive research, and with the contributions of a number of industry pioneers and experts, this book lays out IG as a complete discipline in and of itself for the first time.
IG is a super-discipline that includes components of several key fields: law, records management, information technology (IT), risk management, privacy and security, and business operations. This unique blend calls for a new breed of information professional who is competent across these established and quite complex fields. Training and education are key to IG success, and this book provides the essential underpinning for organizations to train a new generation of IG professionals.
Those who are practicing professionals in the component fields of IG will find the book useful in expanding their knowledge from traditional fields to the emerging tenets of IG. Attorneys, records and compliance managers, risk managers, IT managers, and security and privacy professionals will find this book a particularly valuable resource.
The book strives to offer clear IG concepts, actionable strategies, and proven best practices in an understandable and digestible way; a concerted effort was made to simplify language and to offer examples. There are summaries of key points throughout and at the end of each chapter to help the reader retain major points. The text is organized into five parts: (1) Information Governance Concepts, Definitions, and Principles; (2) IG Risk Assessment and Strategic Planning; (3) IG Key Impact Areas; (4) IG for Delivery Platforms; and (5) Long-Term Program Issues. Also included are appendices with detailed information on taxonomy and metadata design and on records management and privacy legislation.
One thing that is sure is that the complex field of IG is evolving. It will continue to change and solidify. But help is here: No other book offers the kind of comprehensive coverage of IG contained within these pages. Leveraging the critical advice provided here will smooth your path to understanding and implementing successful IG programs.
Robert F. Smallwood
ACKNOWLEDGMENTS
I would like to sincerely thank my colleagues for their support and generous contribution of their expertise and time, which made this pioneering text possible. Many thanks to Lori Ashley, Barb Blackburn, Barclay Blair, Charmaine Brooks, Ken Chasse, Monica Crocker, Charles M. Dollar, Seth Earley, Dr. Patricia Franks, Randy Kahn, Paula Lederman, and Barry Murphy.
I am truly honored to include their work and owe them a great debt of gratitude.
PART ONE Information Governance Concepts, Definitions, and Principles
CHAPTER 1
The Onslaught of Big Data and the Information Governance Imperative
The value of information in business is rising, and business leaders are more and more viewing the ability to govern, manage, and harvest information as critical to success. Raw data is now being increasingly viewed as an asset that can be leveraged, just like financial or human capital.1 Some have called this new age of “Big Data” the “industrial revolution of data.”
According to the research group Gartner, Inc., Big Data is defined as “high-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making.” 2 A practical definition should also include the idea that the amount of data—both structured (in databases) and unstructured (e.g., e-mail, scanned documents) is so massive that it cannot be processed using today’s database tools and analytic software techniques. 3
In today’s information overload era of Big Data—characterized by massive growth in business data volumes and velocity—the ability to distill key insights from enormous amounts of data is a major business differentiator and source of sustainable competitive advantage. In fact, a recent report by the World Economic Forum stated that data is a new asset class and personal data is “the new oil.” 4 And we are generating more than we can manage effectively with current methods and tools.
The Big Data numbers are overwhelming: Estimates and projections vary, but it has been stated that 90 percent of the data existing worldwide today was created in the last two years 5 and that every two days more information is generated than was from the dawn of civilization until 2003. 6 This trend will continue: The global market for Big Data technology and services is projected to grow at a compound annual rate of 27 percent through 2017, about six times faster than the general information and communications technology (ICT) market. 7
Many more comparisons and statistics are available, and all demonstrate the incredible and continued growth of data.
Certainly, there are new and emerging opportunities arising from the accumulation and analysis of all that data we are busy generating and collecting. New enterprises are springing up to capitalize on data mining and business intelligence opportunities. The U.S. federal government joined in, announcing $200 million in Big Data research programs in 2012.8
Big Data values massive accumulation of data, whereas in business, e-discovery realities and potential legal liabilities dictate that data be culled to only that which has clear business value.
But established organizations, especially larger ones, are being crushed by this onslaught of Big Data: It is just too expensive to keep all the information that is being generated, and unneeded information is a sort of irrelevant sludge for decision makers to wade through. They have difficulty knowing which information is an accurate and meaningful “wheat” and which is simply irrelevant “chaff.” This means they do not have the precise information they need to base good business decisions upon.
And all that Big Data piling up has real costs: The burden of massive stores of information has increased storage management costs dramatically, caused overloaded systems to fail, and increased legal discovery costs. 9 Further, the longer that data is kept, the more likely that it will need to be migrated to newer computing platforms, driving up conversion costs; and legally, there is the risk that somewhere in that mountain of data an organization stores is a piece of information that represents a significant legal liability.10
This is where the worlds of Big Data and business collide. For Big Data proponents, more data is always better, and there is no perceived downside to accumulation of massive amounts of data. In the business world, though, the realities of legal e-discovery mean the opposite is true. 11 To reduce risk, liability, and costs, it is critical for unneeded information to be disposed of in a systematic, methodical, and “legally defensible” (justifiable in legal proceedings) way, when it no longer has legal, regulatory, or business value. And there also is the high-value benefit of basing decisions on better, cleaner data, which can come about only through rigid, enforced information governance (IG) policies that reduce information glut.
Organizations are struggling to reduce and right-size their information footprint by discarding superfluous and redundant data, e-documents, and information. But the critical issue is devising policies, methods, and processes and then deploying information technology (IT) to sort through which information is valuable and which no longer has business value and can be discarded.
IT, IG, risk, compliance, and legal representatives in organizations have a clear sense that most of the information stored is unneeded, raises costs, and poses risks. According to a survey taken at a recent Compliance, Governance and Oversight Counsel summit, respondents estimated that approximately 25 percent of information stored in organizations has real business value, while 5 percent must be kept as business records and about 1 percent is retained due to a litigation hold. “This means that [about] 69 percent of information in most companies has no business, legal, or regulatory value. Companies that are able to dispose of this data debris return more profit to shareholders, can leverage more of their IT budgets for strategic investments, and can avoid excess expense in legal and regulatory response” (emphasis added). 12
The onslaught of Big Data necessitates that information governance (IG) be implemented to discard unneeded data in a legally defensible way.
With a smaller information footprint, organizations can more easily find what they need and derive business value from it.13 They must eliminate the data debris regularly and consistently, and to do this, processes and systems must be in place to cull valuable information and discard the data debris daily. An IG program sets the framework to accomplish this.
The business environment has also underscored the need for IG. According to Ted Friedman at Gartner, “The recent global financial crisis has put information governance in the spotlight. . . . [It] is a priority of IT and business leaders as a result of various pressures, including regulatory compliance mandates and the urgent need for improved decision-making.” 14
And IG mastery is critical for executives: Gartner predicts that by 2016, one in five chief information officers in regulated industries will be fired from their jobs for failed IG initiatives. 15
Defining Information Governance
IG is a sort of super discipline that has emerged as a result of new and tightened legislation governing businesses, external threats such as hacking and data breaches, and the recognition that multiple overlapping disciplines were needed to address today’s information management challenges in an increasingly regulated and litigated business environment.16
IG is a subset of corporate governance, and includes key concepts from records management, content management, IT and data governance, information security, data privacy, risk management, litigation readiness, regulatory compliance, long-term digital preservation, and even business intelligence. This also means that it includes related technology and discipline subcategories, such as document management, enterprise search, knowledge management, and business continuity/ disaster recovery.
Only about one quarter of information organizations are managing has real business value.
With a smaller information footprint, it is easier for organizations to find the information they need and derive business value from it.
IG is a subset of corporate governance.
IG is a sort of superdiscipline that encompasses a variety of key concepts from a variety of related disciplines.
Practicing good IG is the essential foundation for building legally defensible disposition practices to discard unneeded information and to secure confidential information, which may include trade secrets, strategic plans, price lists, blueprints, or personally identifiable information (PII) subject to privacy laws; it provides the basis for consistent, reliable methods for managing data, e-documents, and records.
Having trusted and reliable records, reports, data, and databases enables managers to make key decisions with confidence.17 And accessing that information and business intelligence in a timely fashion can yield a long-term sustainable competitive advantage, creating more agile enterprises.
To do this, organizations must standardize and systematize their handling of information. They must analyze and optimize how information is accessed, controlled, managed, shared, stored, preserved, and audited. They must have complete, current, and relevant policies, processes, and technologies to manage and control information, including who is able to access what information, and when, to meet external legal and regulatory demands and internal governance policy requirements. In short, IG is about information control and compliance.
IG is a subset of corporate governance, which has been around as long as corporations have existed. IG is a rather new multidisciplinary field that is still being defined, but has gained traction increasingly over the past decade. The focus on IG comes not only from compliance, legal, and records management functionaries but also from executives who understand they are accountable for the governance of information and that theft or erosion of information assets has real costs and consequences.
“Information governance” is an all-encompassing term for how an organization manages the totality of its information.
According to the Association of Records Managers and Administrators (ARMA), IG is “a strategic framework composed of standards, processes, roles, and metrics that hold organizations and individuals accountable to create, organize, secure, maintain, use, and dispose of information in ways that align with and contribute to the organization’s goals.”18
IG includes the set of policies, processes, and controls to manage information in compliance with external regulatory requirements and internal governance frameworks. Specific policies apply to specific data and document types, records series, and other business information, such as e-mail and reports.
Stated differently, IG is “a quality-control discipline for managing, using, improving, and protecting information.” 19
Practicing good IG is the essential foundation for building legally defensible disposition practices to discard unneeded information.
IG is “a strategic framework composed of standards, processes, roles, and metrics, that hold organizations and individuals accountable to create, organize, secure, maintain, use, and dispose of information in ways that align with and contribute to the organization’s goals.” 20
Fleshing out the definition further: “Information governance is policy-based management of information designed to lower costs, reduce risk, and ensure compliance with legal, regulatory standards, and/or corporate governance.”21 IG necessarily incorporates not just policies but information technologies to audit and enforce those policies. The IG team must be cognizant of information lifecycle issues and be able to apply the proper retention and disposition policies, including digital preservation where records need to be maintained for long periods.
IG Is Not a Project, But an Ongoing Program
IG is an ongoing program, not a one-time project. IG provides an umbrella to manage and control information output and communications. Since technologies change so quickly, it is necessary to have overarching policies that can manage the various IT platforms that an organization may use.
Compare it to a workplace safety program; every time a new location, team member, piece of equipment, or toxic substance is acquired by the organization, the workplace safety program should dictate how that is handled. If it does not, the workplace safety policies/procedures/training that are part of the workplace safety program need to be updated. Regular reviews are conducted to ensure the program is being followed and adjustments are made based on the findings. The effort never ends. 22 The same is true for IG.
IG is not only a tactical program to meet regulatory, compliance, and litigation demands. It can be strategic, in that it is the necessary underpinning for developing a management strategy that maximizes knowledge worker productivity while minimizing risk and costs.
Why IG Is Good Business
IG is a tough sell. It can be difficult to make the business case for IG, unless there has been some major compliance sanction, fine, legal loss, or colossal data breach. In fact, the largest impediment to IG adoption is simply identifying its benefits and costs, according to the Economist Intelligence Unit. Sure, the enterprise needs better control over its information, but how much better? At what cost? What is the payback period and the return on investment? 23
IG is how an organization maintains security, complies with regulations, and meets ethical standards when managing information.
IG is a multidisciplinary program that requires an ongoing effort.
It is challenging to make the business case for IG, yet making that case is fundamental to getting IG efforts off the ground.
Here are eight reasons why IG makes good business sense, from IG thought leader Barclay Blair:
1. We can’t keep everything forever. IG makes sense because it enables organizations to get rid of unnecessary information in a defensible manner. Organizations need a sensible way to dispose of information in order to reduce the cost and complexity of the IT environment. Having unnecessary information around only makes it more difficult and expensive to harness information that has value.
2. We can’t throw everything away. IG makes sense because organizations can’t keep everything forever, nor can they throw everything away. We need information—the right information, in the right place, at the right time. Only IG provides the framework to make good decisions about what information to keep.
3. E-discovery. IG makes sense because it reduces the cost and pain of discovery. Proactively managing information reduces the volume of information exposed to e-discovery and simplifies the task of finding and producing responsive information.
4. Your employees are screaming for it—just listen. IG makes sense because it helps knowledge workers separate “signal” from “noise” in their information flows. By helping organizations focus on the most valuable information, IG improves information delivery and improves productivity.
5. It ain’t gonna get any easier. IG makes sense because it is a proven way for organizations to respond to new laws and technologies that create new requirements and challenges. The problem of IG will not get easier over time, so organizations should get started now.
6. The courts will come looking for IG. IG makes sense because courts and regulators will closely examine your IG program. Falling short can lead to fines, sanctions, loss of cases, and other outcomes that have negative business and financial consequences.
7. Manage risk: IG is a big one. Organizations need to do a better job of identifying and managing risk. The risk of information management failures is a critical risk that IG helps to mitigate.
8. E-mail: Reason enough. IG makes sense because it helps organizations take control of e-mail. Solving e-mail should be a top priority for every organization. 24
Failures in Information Governance
The failure to implement and enforce IG can lead to vulnerabilities that can have dire consequences. The theft of confidential U.S. National Security Agency documents by Edward Snowden in 2013 could have been prevented by properly enforced IG. Also, Ford Motor Company is reported to have suffered a loss estimated at $50 to $100 million as a result of the theft of confidential documents by one of its own employees. A former product engineer who had access to thousands of trade secret documents and designs sold them to a competing Chinese car manufacturer. A strong IG program would have controlled and tracked access and prevented the theft while protecting valuable intellectual property. 25
Law enforcement agencies have also suffered from poor IG. In a rather frivolous case in 2013 that highlighted the lack of policy enforcement for the mobile environment, it was reported that U.S. agents from the Federal Bureau of Investigation used government-issued mobile phones to send explicit text messages and nude photographs to coworkers. The incidents did not have a serious impact but did compromise the agency and its integrity, and “adversely affected the daily activities of several squads.” 26 Proper mobile communications policies were obviously not developed and enforced.
IG is also about information security and privacy, and serious thought must be given when creating policies to safeguard personal, classified or confidential information. Schemes to compromise or steal information can be quite deceptive and devious, masked by standard operating procedures—if proper IG controls and monitoring are not in place. To wit: Granting remote access to confidential information assets for key personnel is common. Granting medical leave is also common. But a deceptive and dishonest employee could feign a medical leave while downloading volumes of confidential information assets for a competitor—and that is exactly what happened at Accenture, a global consulting firm. During a fraudulent medical leave, an employee was allowed access to Accenture’s Knowledge Exchange (KX), a detailed knowledge base containing previous proposals, expert reports, cost-estimating guidelines, and case studies. This activity could have been prevented by monitoring and analytics that would have shown an inordinate amount of downloads—especially for an “ailing” employee. The employee then went to work for a direct competitor and continued to download the confidential information from Accenture, estimated to be as many as 1,000 critical documents. While the online access to KX was secure, the use of the electronic documents could have been restricted even after the documents were downloaded, if IG measures were in place and newer technologies (such as information rights management [IRM] software) were deployed to secure them directly and maintain that security remotely. With IRM, software security protections can be employed to seal the e-documents and control their use—even after they leave the organization. More details on IRM technology and its capabilities are presented later in this book.
Other recent high-profile data and document leakage cases revealing information security weaknesses that could have been prevented by a robust IG program include:
■ Huawei Technologies, the largest networking and mobile communications company in China, was sued by U.S.-based Motorola for allegedly conspiring to steal trade secrets through former Motorola employees.
■ MI6, the U.K. equivalent of the U.S. Central Intelligence Agency, learned that one of its agents in military intelligence attempted to sell confidential documents to the intelligence services of the Netherlands for £2 million GBP ($3 million USD).
Ford’s loss from stolen documents in a single case of intellectual property (IP) theft was estimated at $50 to $100 million.
And breaches of personal information revealing failures in privacy protection abound; here are just a few:
■ Health information of 1,600 cardiology patients at Texas Children’s Hospital was compromised when a doctor’s laptop was stolen. The information included personal and demographic information about the patients, including their names, dates of birth, diagnoses, and treatment histories. 27
■ U.K. medics lost the personal records of nearly 12,000 National Health Service patients in just eight months. Also, a hospital worker was suspended after it was discovered he had sent a file containing pay-slip details for every member of staff to his home e-mail account. 28
■ Personal information about more than 600 patients of the Fraser Health Authority in British Columbia, Canada, was stored on a laptop stolen from Burnaby General Hospital.
■ In December 2013, Target stores in the U.S. reported that as many as 110 million customer records had been breached in a massive attack that lasted weeks.
The list of breaches and IG failures could go on and on, more than filling the pages of this book. It is clear that it is occurring and that it will continue. IG controls to safeguard confidential information assets and protect privacy cannot rely solely on the trustworthiness of employees and basic security measures. Up-to-date IG policies and enforcement efforts and newer technology sets are needed, with active, consistent monitoring and program adjustments to continue to improve.
Executives and senior managers can no longer avoid the issue, as it is abundantly clear that the threat is real and the costs of taking such avoidable risks can be high. A single security breach is an IG failure and can cost the entire business. According to Debra Logan of Gartner, “When organizations suffer high-profile data losses, especially involving violations of the privacy of citizens or consumers, they suffer serious reputational damage and often incur fines or other sanctions. IT leaders will have to take at least part of the blame for these incidents.” 29
Form IG Policies, Then Apply Technology for Enforcement
Typically, some policies governing the use and control of information and records may have been established for financial and compliance reports, and perhaps e-mail, but they are often incomplete and out-of-date and have not been adjusted for changes in the business environment, such as new technology platforms (e.g., Web 2.0, social media), changing laws (e.g., U.S. Federal Rules of Civil Procedure 2006 changes), and additional regulations.
Further adding to the challenge is the rapid proliferation of mobile devices like tablets, phablets, and smartphones used in business—information can be more easily lost or stolen—so IG efforts must be made to preserve and protect the enterprise’s information assets.
Proper IG requires that policies are flexible enough not to hinder the proper flow of information in the heat of the business battle yet strict enough to control and audit for misuse, policy violations, or security breaches. This is a continuous iterative policy-making process that must be monitored and fine-tuned. Even with the absolute best efforts, some policies will miss the mark and need to be reviewed and adjusted.
Getting started with IG awareness is the crucial first step. It may have popped up on an executive’s radar at one point or another and an effort might have been made, but many organizations leave these policies on the shelf and do not revise them on a regular basis.
IG is the necessary underpinning for a legally defensible disposition program that discards data debris and helps narrow the search for meaningful information on which to base business decisions. IG is also necessary to protect and preserve critical information assets. An IG strategy should aim to minimize exposure to risk, at a reasonable cost level, while maximizing productivity and improving the quality of information delivered to knowledge users.
But a reactive, tactical project approach is not the way to go about it—haphazardly swatting at technological, legal, and regulatory flies. A proactive, strategic program, with a clear, accountable sponsor, an ongoing plan, and regular review process, is the only way to continuously adjust IG policies to keep them current so that they best serve the organization’s needs.
Some organizations have created formal governance bodies to establish strategies, policies, and procedures surrounding the distribution of information inside and outside the enterprise. These governance bodies, steering committees, or teams should include members from many different functional areas, since proper IG necessitates input from a variety of stakeholders. Representatives from IT, records management, corporate or agency archiving, risk management, compliance, operations, human resources, security, legal, finance, and perhaps knowledge management are typically a part of IG teams. Often these efforts are jump-started and organized by an executive sponsor who utilizes third-party consulting resources that specialize in IG efforts, especially considering the newness of IG and its emerging best practices.
So in this era of ever-growing Big Data, leveraging IG policies to focus on retaining the information that has real business value, while discarding the majority of information that has no value and carries associated increased costs and risks, is critical to success for modern enterprises. This must be accomplished in a systematic, consistent, and legally defensible manner by implementing a formal IG program. Other crucial elements of an IG program are the steps taken to secure confidential information by enforcing and monitoring policies using the appropriate information technologies.
CHAPTER SUMMARY: KEY POINTS
■ The onslaught of Big Data necessitates that IG be implemented to discard unneeded data in a legally defensible way.
■ Big Data values massive accumulation of data, whereas in business, e-discovery realities and potential legal liabilities dictate that data be culled to only that which has clear business value.
■ Only about one quarter of the information organizations are managing has real business value.
■ With a smaller information footprint, it is easier for organizations to find the information they need and derive business value from it.
■ IG is a subset of corporate governance and encompasses the policies and leveraged technologies meant to manage what corporate information is retained, where, and for how long, and also how it is retained.
■ IG is a sort of super discipline that encompasses a variety of key concepts from a variety of related and overlapping disciplines.
■ Practicing good IG is the essential foundation for building legally defensible disposition practices to discard unneeded information.
■ According to ARMA, IG is “a strategic framework composed of standards, processes, roles, and metrics that hold organizations and individuals accountable to create, organize, secure, maintain, use, and dispose of information in ways that align with and contribute to the organization’s goals.” 30
■ IG is how an organization maintains security, complies with regulations and laws, and meets ethical standards when managing information.
■ IG is a multidisciplinary program that requires an ongoing effort and active participation of a broad cross-section of functional groups and stakeholders.
■ IG controls to safeguard confidential information assets and protect privacy cannot rely solely on the trustworthiness of employees and basic security measures.
■ Getting started with IG awareness is the crucial first step.
Notes
1. The Economist, “Data, Data Everywhere,” February 25, 2010, www.economist.com/node/15557443
2. Gartner, Inc., “IT Glossary: Big Data,” www.gartner.com/it-glossary/big-data/ (accessed April 15, 2013).
3. Webopedia, “Big Data,” www.webopedia.com/TERM/B/big_data.html (accessed April 15, 2013).
4. World Economic Forum, “Personal Data: The Emergence of a New Asset Class” (January 2011), http://www3.weforum.org/docs/WEF_ITTC_PersonalDataNewAsset_Report_2011.pdf
5. Deidra Paknad, “Defensible Disposal: You Can’t Keep All Your Data Forever,” July 17, 2012, www.forbes.com/sites/ciocentral/2012/07/17/defensible-disposal-you-cant-keep-all-your-data-forever/
6. Susan Karlin, “Earth’s Nervous System: Looking at Humanity Through Big Data,” www.fastcocreate.com/1681986/earth-s-nervous-system-looking-at-humanity-through-big-data#1 (accessed March 5, 2013).
7. IDC Press Release, “New IDC Worldwide Big Data Technology and Services Forecast Shows Market Expected to Grow to $32.4 Billion in 2017,” December 18, 2013, http://www.idc.com/getdoc.jsp?containerId=prUS24542113
8. Steve Lohr, “How Big Data Became So Big,” New York Times, August 11, 2012, www.nytimes.com/2012/08/12/business/how-big-data-became-so-big-unboxed.html?_r=2&smid=tw-share&
9. Kahn Consulting, “Information Governance Brief,” sponsored by IBM, www.delve.us/downloads/Brief-Defensible-Disposal.pdf (accessed March 4, 2013).
10. Barclay T. Blair, “Girding for Battle,” Law Technology News, October 1, 2012, www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202572459732&thepage=1
11. Ibid.
12. Paknad, “Defensible Disposal.”
13. Randolph A. Kahn, https://twitter.com/InfoParkingLot/status/273791612172259329, November 28, 2012.
14. Gartner Press Release, “Gartner Says Master Data Management Is Critical to Achieving Effective Information Governance,” www.gartner.com/newsroom/id/1898914, January 19, 2012
15. Ibid.
16. Monica Crocker, e-mail to author, June 21, 2012.
17. Economist Intelligence Unit, “The Future of Information Governance,” www.emc.com/leadership/business-view/future-information-governance.htm (accessed November 14, 2013).
18. ARMA International, Glossary of Records and Information Management Terms, 4th ed., 2012, TR 22–2012.
19. Arvind Krishna, “Three Steps to Trusting Your Data in 2011,” IT Business Edge, posted March 9, 2011, www.itbusinessedge.com/guest-opinions/three-steps-trusting-your-data-2011 (accessed November 14, 2013).
20. ARMA International, Glossary of Records and Information Management Terms, 4th ed., 2012, TR 22–2012.
21. Laura DuBois and Vivian Tero, “Practical Information Governance: Balancing Cost, Risk, and Productivity,” IDC White Paper (August 2010), www.emc.com/collateral/analyst-reports/idc-practical-information-governance-ar.pdf
22. Monica Crocker, e-mail to author, June 21, 2012.
23. Barclay T. Blair, Making the Case for Information Governance: Ten Reasons IG Makes Sense, ViaLumina Ltd, 2010. Online at http://barclaytblair.com/making-the-case-for-ig-ebook/ (accessed November 14, 2013).
24. Barclay T. Blair, “8 Reasons Why Information Governance (IG) Makes Sense,” June 29, 2009, www.digitallandfill.org/2009/06/8-reasons-why-information-governance-ig-makes-sense.html
25. Peter Abatan, “Corporate and Industrial Espionage to Rise in 2011,” Enterprise Digital Rights Management, http://enterprisedrm.tumblr.com/post/2742811887/corporate-espionage-to-rise-in-2011 (accessed November 14, 2013).
26. BBC News, “FBI Staff Disciplined for Sex Texts and Nude Pictures,” February 22, 2013, www.bbc.co.uk/news/world-us-canada-21546135
27. Todd Ackerman, “Laptop Theft Puts Texas Children’s Patient Info at Risk,” Houston Chronicle, July 30, 2009, www.chron.com/news/houston-texas/article/Laptop-theft-puts-Texas-Children-s-patient-info-1589473.php (accessed March 2, 2012).
28. Jonny Greatrex, “Bungling West Midlands Medics Lose 12,000 Private Patient Records,” Sunday Mercury, September 5, 2010, www.sundaymercury.net/news/sundaymercuryexclusives/2010/09/05/bungling-west-midlands-medics-lose-12–000-private-patient-records-66331–27203177/ (accessed March 2, 2012).
29. Gartner Press Release, “Gartner Says Master Data Management Is Critical to Achieving Effective Information Governance.”
30. ARMA International, Glossary of Records and Information Management Terms.
CHAPTER 2
Information Governance, IT Governance, Data Governance: What’s the Difference?
There has been a great deal of confusion around the term information governance (IG) and how it is distinct from other similar industry terms, such as information technology (IT) governance and data governance. They are all a subset of corporate governance, and in the above sequence, become increasingly more granular in their approach. Data governance is a part of broader IT governance, which is also a part of even broader information governance. The few texts that exist have compounded the confusion by offering a limited definition of IG, or sometimes offering a definition of IG that is just plain incorrect, often confusing it with simple data governance.
So in this chapter we spell out the differences and include examples in hopes of clarifying what the meaning of each term is and how they are related.
Data Governance
Data governance involves processes and controls to ensure that information at the data level—raw alphanumeric characters that the organization is gathering and inputting—is true and accurate, and unique (not redundant). It involves data cleansing (or data scrubbing) to strip out corrupted, inaccurate, or extraneous data and de-duplication, to eliminate redundant occurrences of data.
Data governance focuses on information quality from the ground up at the lowest or root level, so that subsequent reports, analyses, and conclusions are based on clean, reliable, trusted data (or records) in database tables. Data governance is the most rudimentary level at which to implement information governance. Data governance efforts seek to ensure that formal management controls—systems, processes, and accountable employees who are stewards and custodians of the data—are implemented to govern critical data assets to improve data quality and to avoid negative downstream effects of poor data. The biggest negative consequence of poor or inaccurate data is poorly and inaccurately based decisions.
Data governance is a newer, hybrid quality control discipline that includes elements of data quality, data management, IG policy development, business process improvement, and compliance and risk management.
Data Governance Strategy Tips
Everyone in an organization wants good-quality data to work with. But it is not so easy to implement a data governance program. First of all, data is at such a low level that executives and board members are typically unaware of the details of the “smoky back room” of data collection: cleansing, normalization, and input. So it is difficult to gain an executive sponsor and funding to initiate the effort. 1 And if a data governance program does move forward, there are challenges in getting business users to adhere to new policies. This is a crucial point, since much of the data is being generated by business units. But there are some general guidelines that can help improve a data governance program’s chances for success:
■ Identify a measurable impact. A data governance program must be able to demonstrate business value, or it will not get the executive sponsorship and funding it needs to move forward. A readiness assessment should capture the current state of data quality and whether an enterprise or business unit level effort is warranted. Other key issues include: Can the organization save hard costs by implementing data governance? Can it reach more customers or increase revenue generated from existing customers?2
■ Assign accountability for data quality to business units, not IT. Typically, IT has had responsibility for data quality, yet it is mostly not under that department’s control, since most of the data is being generated in the business units. A pointed effort must be made to push responsibility and ownership for data to the business units that create and use the data.
■ Recognize the uniqueness of data as an asset. Unlike other assets, such as people, factories, equipment, and even cash, data is largely unseen, out of sight, and intangible. It changes daily. It spreads throughout business units. It is copied and deleted. Data growth can spiral out of control, obscuring the data that has true business value. So data has to be treated differently, and its unique qualities must be considered.
■ Forget the past; implement a going-forward strategy. It is a significantly greater task to try to improve data governance across the enterprise for existing data. Remember, you may be trying to fix decades of bad behavior, mismanagement, and lack of governance. Taking an incremental approach with an eye to the future provides for a clean starting point and can substantially reduce the pain required to implement. A proven best practice is to implement a from-this-point-on strategy where new data governance policies for handling data are implemented beginning on a certain date.
■ Manage the change. Educate, educate, educate. People must be trained to understand why the data governance program is being implemented and how it will benefit the business. The new policies represent a cultural change, and people need supportive program messages and training in order to make the shift. 3
Data governance uses techniques like data cleansing and de-duplication to improve data quality and reduce redundancies.
Good data governance ensures that downstream negative effects of poor data are avoided and that subsequent reports, analyses, and conclusions are based on reliable, trusted data.
IT Governance
IT governance is the primary way that stakeholders can ensure that investments in IT create business value and contribute toward meeting business objectives.4 This strategic alignment of IT with the business is challenging yet essential. IT governance programs go further and aim to “improve IT performance, deliver optimum business value and ensure regulatory compliance.” 5
Although the CIO typically has line responsibility for implementing IT governance, the CEO and board of directors must receive reports and updates to discharge their responsibilities for IT governance and to see that the program is functioning well and providing business benefits.
Typically, in past decades, board members did not get involved in overseeing IT governance. But today it is a critical and unavoidable responsibility. According to the IT Governance Institute’s Board Briefing on IT Governance, “IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.” 6
The focus is on the actual software development and maintenance activities of the IT department or function, and IT governance efforts focus on making IT efficient and effective. That means minimizing costs by following proven software development methodologies and best practices, principles of data governance and information quality, and project management best practices while aligning IT efforts with the business objectives of the organization.
IT Governance Frameworks
Several IT governance frameworks can be used as a guide to implementing an IT governance program. (They are introduced in this chapter in a cursory way; detailed discussions of them are best suited to books focused solely on IT governance.)
IT governance seeks to align business objectives with IT strategy to deliver business value.
Although frameworks and guidance like CobiT® and ITIL have been widely adopted, there is no absolute standard IT governance framework; the combination that works best for an organization depends on business factors, corporate culture, IT maturity, and staffing capability. The level of implementation of these frameworks will also vary by organization.
CobiT®
CobiT (Control Objectives for Information and related Technology) is a process-based IT governance framework that represents a consensus of experts worldwide. Codeveloped by the IT Governance Institute and ISACA (previously known as the Information Systems Audit and Control Association), CobiT addresses business risks, control requirements, compliance, and technical issues. 7
CobiT offers IT controls that:
■ Cut IT risks while gaining business value from IT under an umbrella of a glob- ally accepted framework.
■ Assist in meeting regulatory compliance requirements. ■ Utilize a structured approach for improved reporting and management deci-
sion making. ■ Provide solutions to control assessments and project implementations to im-
prove IT and information asset control. 8
CobiT consists of detailed descriptions of processes required in IT and also tools to measure progress toward maturity of the IT governance program. It is industry agnostic and can be applied across all vertical industry sectors, and it continues to be revised and refi ned. 9
CobiT is broken out into three basic organizational levels and their responsibili- ties: (1) board of directors and executive management; (2) IT and business manage- ment; and (3) line-level governance, and security and control knowledge workers. 10
The CobiT model draws on the traditional “plan, build, run, monitor” paradigm of traditional IT management, only with variations in semantics. The CobiT framework is divided into four IT domains—(1) plan and organize, (2) acquire and implement, (3) deliver and support, and (4) monitor and evaluate—which contain 34 IT processes and 210 control objectives. Specifi c goals and metrics are assigned, and responsibilities and accountabilities are delineated.
The CobiT framework maps to the international information security standard, ISO 17799, and is also compatible with IT Infrastructure Library (ITIL) and other y “accepted practices” in IT development and operations.11
ValIT® ValIT is a newer value-oriented framework that is compatible with and complemen- tary to CobiT. Its principles and best practices focus is on leveraging IT investments to gain maximum value. Forty key ValIT essential management practices (analogous to CobiT’s control objectives) support three main processes: value governance, portfolio management, and investment management. ValIT and CobiT “provide a full frame- work and supporting tool set” to help managers develop policies to manage business risks and deliver business value while addressing technical issues and meeting control objectives in a structured, methodic way. 12
ITIL
ITIL (Information Technology Infrastructure Library) is a set of process-oriented best practices and guidance originally developed in the United Kingdom to standardize delivery of IT service management. ITIL is applicable to both the private and public sectors and is the “most widely accepted approach to IT service management in the world.” 13 As with other IT governance frameworks, ITIL provides essential guidance for delivering business value through IT, and it “provides guidance to organizations on how to use IT as a tool to facilitate business change, transformation and growth.” 14
ITIL best practices form the foundation for ISO/IEC 20000 (previously BS15000), the International Service Management Standard for organizational certification and compliance. 15 ITIL 2011 is the latest revision (as of this printing), and it consists of five core published volumes that map the IT service cycle in a systematic way:
1. ITIL Service Strategy
2. ITIL Service Design
3. ITIL Service Transition
4. ITIL Service Operation
5. ITIL Continual Service Improvement 16
ISO 38500
ISO/IEC 38500:2008 is an international standard that provides high-level principles and guidance for senior executives and directors, and those advising them, for the effective and efficient use of IT. 17 Based primarily on AS 8015, the Australian IT governance standard, it “applies to the governance of management processes” that are performed at the IT service level, but the guidance assists executives in monitoring IT and ethically discharging their duties with respect to legal and regulatory compliance of IT activities.
The ISO 38500 standard comprises three main sections:
1. Scope, Application and Objectives
2. Framework for Good Corporate Governance of IT
3. Guidance for Corporate Governance of IT
It is largely derived from AS 8015, the guiding principles of which were:
■ Establish responsibilities
■ Plan to best support the organization
■ Acquire validly
■ Ensure performance when required
■ Ensure conformance with rules
■ Ensure respect for human factors
The standard also has relationships with other major ISO standards, and embraces the same methods and approaches. 18
Information Governance
Corporate governance is the highest level of governance in an organization, and a key aspect of it is IG. IG processes are higher level than the details of IT governance and much higher than data governance, but both data and IT governance can be (and should be) a part of an overall IG program. The IG approach to governance focuses not on detailed IT or data capture and quality processes but rather on controlling the information that is generated by IT and office systems.
IG efforts seek to manage and control information assets to lower risk, ensure compliance with regulations, and improve information quality and accessibility while implementing information security measures to protect and preserve information that has business value. 19 (See Chapter 1 for more detailed definitions.)
Impact of a Successful IG Program
When making the business case for IG and articulating its benefits, it is useful to focus on its central impact. Putting cost-benefit numbers to this may be difficult, unless you also consider the worst-case scenario of loss or misuse of corporate or agency records. What is losing the next big lawsuit worth? How much are confidential merger and acquisition documents worth? How much are customer records worth? Frequently, executives and managers do not understand the value of IG until it is a crisis, an expensive legal battle is lost, heavy fines are imposed for noncompliance, or executives go to jail.
There are some key outputs from implementing an IG program. A successful IG program should enable organizations to:
■ Use common terms across the enterprise. This means that departments must agree on how they are going to classify document types, which requires a cross-functional effort. With common enterprise terms, searches for information are more productive and complete. This normalization process begins with developing a standardized corporate taxonomy, which defines the terms (and substitute terms in a custom corporate thesaurus), document types, and their relationships in a hierarchy.
■ Map information creation and usage. This effort can be buttressed with the use of technology tools such as data loss prevention, which can be used to discover the flow of information within and outside of the enterprise. You must first determine who is accessing which information when and where it is going. Then you can monitor and analyze these information flows. The goal is to stop the erosion or misuse of information assets and to stem data breaches with monitoring and security technology.
■ Obtain “information confidence”—that is, the assurance that information has integrity, validity, accuracy, and quality; this means being able to prove that the information is reliable and that its access, use, and storage meet compliance and legal demands.
■ Harvest and leverage information. Using techniques and tools like data mining and business intelligence, new insights may be gained that provide an enterprise with a sustainable competitive advantage over the long term, since managers will have more and better information as a basis for business decisions. 21
Summing Up the Differences
IG consists of the overarching policies and processes to optimize and leverage information while keeping it secure and meeting legal and privacy obligations in alignment with stated organizational business objectives.
IT governance consists of following established frameworks and best practices to gain the most leverage and benefit out of IT investments and support accomplishment of business objectives.
Data governance consists of the processes, methods, and techniques to ensure that data is of high quality, reliable, and unique (not duplicated), so that downstream uses in reports and databases are more trusted and accurate.
Notes
1. “New Trends and Best Practices for Data Governance Success,” SearchDataManagement.com eBook, http://viewer.media.bitpipe.com/1216309501_94/1288990195_946/Talend_sDM_SO_32247_EBook_1104.pdf, accessed March 11, 2013.
2. Ibid.
3. Ibid.
4. M.N. Kooper, R. Maes, and E.E.O. RoosLindgreen, “On the Governance of Information: Introducing a New Concept of Governance to Support the Management of Information,” International Journal of Information Management 31 (2011): 195–120, http://dl.acm.org/citation.cfm?id=2297895 (accessed November 14, 2013).
5. Nick Robinson, “The Many Faces of IT Governance: Crafting an IT Governance Architecture,” ISACA Journal 1 (2007), www.isaca.org/Journal/Past-Issues/2007/Volume-1/Pages/The-Many-Faces-of-IT-Governance-Crafting-an-IT-Governance-Architecture.aspx
6. Bryn Phillips, “IT Governance for CEOs and Members of the Board,” 2012, p. 18.
7. Ibid., p. 26.
8. IBM Global Business Services/Public Sector, “Control Objectives for Information and related Technology (CobiT®) Internationally Accepted Gold Standard for IT Controls & Governance,” http://www-304.ibm.com/industries/publicsector/fileserve?contentid=187551 (accessed March 11, 2013).
CHAPTER SUMMARY: KEY POINTS
■ Data governance uses techniques like data cleansing and de-duplication to improve data quality and reduce redundancies.
■ Good data governance ensures that downstream negative effects of poor data are avoided and that subsequent reports, analyses, and conclusions are based on reliable, trusted data.
■ IT governance seeks to align business objectives with IT strategy to deliver business value.
■ CobiT is process-oriented and has been widely adopted as an IT governance framework. ValIT is value-oriented and compatible and complementary with CobiT yet focuses on value delivery.
■ The CobiT framework maps to the international information security standard ISO 17799 and is also compatible with ITIL (IT Infrastructure Library).
■ ITIL is the “most widely accepted approach to IT service management in the world.”
■ ISO 38500 is an international standard that provides high-level principles and guidance for senior executives and directors responsible for IT governance.
■ Information governance is how an organization maintains security, complies with regulations and laws, and meets ethical standards when managing information.
9. Phillips, “IT Governance for CEOs and Members of the Board.”
10. IBM Global Business Services/Public Sector, “Control Objectives for Information and related Technology (CobiT®) Internationally Accepted Gold Standard for IT Controls & Governance.”
11. Ibid.
12. Ibid.
13. www.itil-officialsite.com/ (accessed March 12, 2013).
14. ITIL, “What Is ITIL?” www.itil-officialsite.com/AboutITIL/WhatisITIL.aspx (accessed March 12, 2013).
15. Ibid.
16. Ibid.
17. ISO/IEC 38500:2008, “Corporate Governance of Information Technology,” www.iso.org/iso/catalogue_detail?csnumber=51639 (accessed November 14, 2013).
18. ISO 38500, www.38500.org/ (accessed March 12, 2013).
19. www.naa.gov.au/records-management/agency/digital/digital-continuity/principles/ (accessed November 14, 2013).
20. ARMA International, Glossary of Records and Information Management Terms, 4th ed. TR 22–2012 (from ARMA.org).
21. Arvind Krishna, “Three Steps to Trusting Your Data in 2011,” CTO Edge, March 9, 2011, www.ctoedge.com/content/three-steps-trusting-your-data-2011
Information Governance Principles *
CHAPTER 3
Principles of information governance (IG) are evolving and expanding. Successful IG programs are characterized by ten key principles, which are the basis for best practices and should be designed into the IG approach. They include:
1. Executive sponsorship. No IG effort will survive and be successful if it does not have an accountable, responsible executive sponsor. The sponsor must drive the effort, clear obstacles for the IG team or committee, communicate the goals and business objectives that the IG program addresses, and keep upper management informed on progress.
2. Information policy development and communication. Clear policies must be established for the access and use of information, and those policies must be communicated regularly and crisply to employees. Policies for the use of e-mail, instant messaging, social media, cloud computing, mobile computing, and posting to blogs and internal sites must be developed in consultation with stakeholders and communicated clearly. This includes letting employees know what the consequences of violating IG policies are, as well as its value.
3. Information integrity. This area considers the consistency of methods used to create, retain, preserve, distribute, and track information. Adhering to good IG practices includes data governance techniques and technologies to ensure quality data. Information integrity means there is the assurance that information is accurate, correct, and authentic. IG efforts to improve data quality and information integrity include de-duplicating (removing redundant data) and maintaining only unique data to reduce risk, storage costs, and information technology (IT) labor costs while providing accurate, trusted information for decision makers. Supporting technologies must enforce policies to meet legal standards of admissibility and preserve the integrity of information to guard against claims that it has been altered, tampered with, or deleted (called “spoliation”). Audit trails must be kept and monitored to ensure compliance with IG policies to assure information integrity. 1
4. Information organization and classification. This means standardizing formats, categorizing all information, and semantically linking it to related information. It also means creating a retention and disposition schedule that spells out how long the information (e.g. e-mail, e-documents, spreadsheets, reports) and records should be retained and how they are to be disposed of or archived. Information, and particularly documents, should be classified according to a global or corporate taxonomy that considers the business function and owner of the information, and semantically links related information. Information must be standardized in form and format. Tools such as document labeling can assist in identifying and classifying documents. Metadata associated with documents and records must be standardized and kept up-to-date. Good IG means good metadata management and utilizing metadata standards that are appropriate to the organization.
* Portions of this chapter are adapted from Chapter 3 of Robert F. Smallwood, Managing Electronic Records: Methods, Best Practices, and Technologies, © John Wiley & Sons, Inc., 2013. Reproduced with permission of John Wiley & Sons, Inc.
5. Information security. This means securing information in its three states: at rest, in motion, and in use. It means implementing measures to protect information from damage, theft, or alteration by malicious outsiders and insiders as well as nonmalicious (accidental) actions that may compromise information. For instance, an employee may lose a laptop with confidential information, but if proper IG policies are enforced using security-related information technologies, the information can be secured. This can be done by access control methods, data or document encryption, deploying information rights management software, using remote digital shredding capabilities, and implementing enhanced auditing procedures. Information privacy is closely related to information security and is critical when dealing with personally identifiable information (PII).
6. Information accessibility. Accessibility is vital not only in the short term but also over time using long-term digital preservation (LTDP) techniques when appropriate (generally if information is needed for over five years). Accessibility must be balanced with information security concerns. Information accessibility includes making the information as simple as possible to locate and access, which involves not only the user interface but also enterprise search principles, technologies, and tools. It also includes basic access controls, such as password management, identity and access management, and delivering information to a variety of hardware devices.
7. Information control. Document management and report management software must be deployed to control the access to, creation, updating, and printing of documents and reports. When documents or reports are declared records, they must be assigned to the proper retention and disposition schedule to be retained for as long as the records are needed to comply with legal retention periods and regulatory requirements. Also, information that may be needed or requested in legal proceedings is safeguarded through a legal hold process.
8. Information governance monitoring and auditing. To ensure that guidelines and policies are being followed and to measure employee compliance levels, information access and use must be monitored. To guard against claims of spoliation, use of e-mail, social media, cloud computing, and report generation should be logged in real time and maintained as an audit record. Technology tools such as document analytics can track how many documents or reports users access and print and how long they spend doing so.
9. Stakeholder consultation. Those who work most closely to information are the ones who best know why it is needed and how to manage it, so business units must be consulted in IG policy development. The IT department understands its capabilities and technology plans and can best speak to those points. Legal issues must always be deferred to the in-house counsel or legal team. A cross-functional collaboration is needed for IG policies to hit the mark and be effective. The result is not only more secure information but also better information to base decisions on and closer adherence to regulatory and legal demands. 2
10. Continuous improvement. IG programs are not one-time projects but rather ongoing programs that must be reviewed periodically and adjusted to account for gaps or shortcomings as well as changes in the business environment, technology usage, or business strategy.
Accountability Is Key
According to Debra Logan at Gartner Group, none of the proffered definitions of IG includes “any notion of coercion, but rather ties governance to accountability [emphasis added] that is designed to encourage the right behavior. . . . The word that matters most is accountability.” The root of many problems with managing information is the “fact that there is no accountability for information as such.” 3
Establishing policies, procedures, processes, and controls to ensure the quality, integrity, accuracy, and security of business records are the fundamental steps needed to reduce the organization’s risk and cost structure for managing these records. Then it is essential that IG efforts are supported by IT. The auditing, testing, maintenance, and improvement of IG is enhanced by using electronic records management (ERM) software along with other complementary technology sets, such as workflow and business process management suite (BPMS) software and digital signatures.
Generally Accepted Recordkeeping Principles®
Contributed by Charmaine Brooks, CRM
A major part of an IG program is managing formal business records. Although they account for only about 7 to 9 percent of the total information that an organization holds, they are the most critically important subset to manage, as there are serious compliance and legal ramifications to not doing so.
Principles of successful IG programs are emerging. They include executive sponsorship, information classification, integrity, security, accessibility, control, monitoring, auditing, policy development, and continuous improvement.
Accountability is a key aspect of IG.
Records and recordkeeping are inextricably linked with any organized business activity. Through the information that an organization uses and records, creates, or receives in the normal course of business, it knows what has been done and by whom. This allows the organization to effectively demonstrate compliance with applicable standards, laws, and regulations as well as plan what it will do in the future to meet its mission and strategic objectives.
Standards and principles of recordkeeping have been developed by records and information management (RIM) practitioners to establish benchmarks for how organizations of all types and sizes can build and sustain compliant, defensible records management (RM) programs.
The Principles
In 2009 ARMA International published a set of eight Generally Accepted Recordkeeping Principles,® known as The Principles 4 (or sometimes GAR Principles), to foster awareness of good recordkeeping practices. These principles and associated metrics provide an IG framework that can support continuous improvement.
The eight Generally Accepted Recordkeeping Principles are:
1. Accountability. A senior executive (or person of comparable authority) oversees the recordkeeping program and delegates program responsibility to appropriate individuals. The organization adopts policies and procedures to guide personnel, and ensure the program can be audited.
2. Transparency. The processes and activities of an organization’s recordkeeping program are documented in a manner that is open and verifiable and is available to all personnel and appropriate interested parties.
3. Integrity. A recordkeeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability.
4. Protection. A recordkeeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, or essential to business continuity.
5. Compliance. The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies.
6. Availability. An organization shall maintain records in a manner that ensures timely, efficient, and accurate retrieval of needed information.
7. Retention. An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements.
8. Disposition. An organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization’s policies. 5
The Generally Accepted Recordkeeping Principles consist of eight principles that provide an IG framework that can support continuous improvement.
The Principles apply to all sizes of organizations, in all types of industries, in both the private and public sectors, and can be used to establish consistent practices across business units. The Principles are an IG maturity model that is used as a preliminary evaluation of recordkeeping programs and practices.
Interest in and the application of The Principles for assessing an organization’s recordkeeping practices have steadily increased since their establishment in 2009. The Principles form an accountability framework that includes the processes, roles, standards, and metrics that ensure the effective and efficient use of records and information in support of an organization’s goals and business objectives.
As shown in Table 3.1, the Generally Accepted Recordkeeping Principles maturity model associates characteristics that are typical in five levels of recordkeeping capabilities ranging from 1 (substandard) to 5 (transformational). The levels are both descriptive and color coded for ease of understanding. The eight principles and levels (metrics) are applied to the current state of an organization’s recordkeeping capabilities and can be cross-referenced to the policies and procedures. While it is not unusual for an organization to be at different levels of maturity in the eight principles, the question “How good is good enough?” must be raised and answered; a rating of less than “transformational” may be acceptable, depending on the organization’s tolerance for risk and an analysis of the costs and benefits of moving up each level.
The maturity levels define the characteristics of evolving and maturing RM programs. The assessment should reflect the current RM environment and practices. The principles and maturity level definitions, along with improvement recommendations (roadmap), outline the tasks required to proactively approach addressing systematic RM practices and reach the next level of maturity for each principle. While the Generally Accepted Recordkeeping Principles are broad in focus, they illustrate the requirements of good RM practices. The Principles Assessment can also be a powerful communication tool to promote cross-functional dialogue and collaboration among business units and staff.
Table 3.1 Generally Accepted Recordkeeping Principles Levels
Level 1, Substandard: Characterized by an environment where recordkeeping concerns are either not addressed at all or are addressed in an ad hoc manner.
Level 2, In Development: Characterized by an environment where there is a developing recognition that recordkeeping has an impact on the organization, and the organization may benefit from a more defined information governance program.
Level 3, Essential: Characterized by an environment where defined policies and procedures exist that address the minimum or essential legal and regulatory requirements, but more specific actions need to be taken to improve recordkeeping.
Level 4, Proactive: Characterized by an environment where information governance issues and considerations are integrated into business decisions on a routine basis, and the organization consistently meets its legal and regulatory obligations.
Level 5, Transformational: Characterized by an environment that has integrated information governance into its corporate infrastructure and business processes to such an extent that compliance with program requirements is routine.
Source: Used with permission from ARMA.
The Generally Accepted Recordkeeping Principles maturity model measures recordkeeping maturity in five levels.
Accountability
The principle of accountability covers the assigned responsibility for RM at a senior level to ensure effective governance with the appropriate level of authority. A senior-level executive must be high enough in the organizational structure to have sufficient authority to operate the RM program effectively. The primary role of the senior executive is to develop and implement RM policies, procedures, and guidance and to provide advice on all recordkeeping issues. The direct responsibility for managing or operating facilities or services may be delegated.
The senior executive must possess an understanding of the business and legislative environment within which the organization operates, business functions and activities, and the required relationships with key external stakeholders to understand how RM contributes to achieving the corporate mission, aims, and objectives.
It is important for top-level executives to take ownership of the RM issues of the organization and to identify corrective actions required for mitigation or ensure resolution of problems and recordkeeping challenges. An executive sponsor should identify opportunities to raise awareness of the relevance and importance of RM and effectively communicate the benefits of good RM to staff and management.