INFORMATION GOVERNANCE
Chapter 6
Information Governance policy development
Dr. Geanie Asante
Copyright@ Geanie Assante 2019
CHAPTER GOALS AND OBJECTIVES
Know the 8 Generally Accepted Recordkeeping Principles®
What is the IG Reference Model?
What does the IGRM Diagram consist of?
What are the best practice considerations?
What are the benefits and risks of having standards?
What are the key standards relevant to IG?
A Review of the 8 Generally Accepted Recordkeeping Principles®
Accountability
Transparency
Integrity
Protection
Compliance
Availability
Retention
Disposition
So…what is the significance of these principles?
IG REFERENCE MODEL
Who?
ARMA International & CGOC
When?
2012
Where?
As part of the EDRM Project Version 3.0
Why?
To foster adoption of IG by facilitating communication and collaboration among IG stakeholder functions: legal, records management, risk management, and business unit stakeholders.
HOW TO INTERPRET THE IGRM DIAGRAM
Outer Ring: A complex set of interoperable processes, together with the procedures and structural elements needed to put them into practice
Requirements:
Understanding of business imperatives
Knowledge of appropriate tools and infrastructure
Sensitivity to legal and regulatory obligations
Inner Ring: Depicts a work-flow (life-cycle) diagram. Shows that information management is important at all stages of the lifecycle
How the IGRM Diagram relates to the Generally Accepted Recordkeeping Principles®
Supports the ARMA Principles by identifying the cross-functional groups of IG stakeholders
Depicts the intersecting objectives of the organization
Depicts the relationship among duty, value and information assets
Used by proactive organizations as an introspective lens to facilitate visualization, understanding and discussion concerning how to apply the “Principles” to the organization.
Puts focus on the “Principles”
Provides essential context for the maturity model
Considerations in IG Policy Formation
Best Practices?
YES!
Understand that Best Practices will vary per organization
Review the 25 generic Best Practices on pages 75 and 76 of the textbook
Standards?
YES!
Two types to consider
De Jure Standards – Legal standards published by standards-setting bodies such as ISO, ANSI, NIST, BTS and others
De Facto Standards – Informal standards regarded by many as actual standards, arising through popular use (Example: Windows in the business world in 2001-2010). May be published by formal standards-setting bodies without having “Formal” status
Benefits and Risks of Standards
Benefits
Quality Assurance Support
Interoperability Support
Implementation Framework and Certification Checklists
Cost Reduction
International Consensus
Risks
Possible Decreased Flexibility
Standards Confusion
Real-World Shortcomings Due to Theoretical Basis
Cost and Maintenance Involved in Updating Standards
KEY STANDARDS RELEVANT TO IG
Risk Management
ISO 31000:2009 – States principles and generic guidelines of risk management applicable to IG
Provides a structured framework for development and implementation of risk management strategies and programs
“Risk Management Framework”: Set of two basic components (foundations and organizational arrangements) that support and sustain risk management throughout the organization.
KEY STANDARDS RELEVANT TO IG
Information Security Management
ISO/IEC 27001:2005 – Information Security Management System standard that provides guidance in the development of security controls for the protection of information assets
Flexible –can be applied to different activities and processes
Includes use of standards by auditors and stakeholders
ISO/IEC 27002:2005 – Information Technology – Security Techniques – Code of Practice for Information Security Management
Establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management
Includes Best Practices of Control Objectives in 11 key areas of information security management
ISO/IEC 38500:2008 – International Standard providing high-level principles and guidance for senior executives, directors and advisors on the effective and efficient use of IT
Three major sections
Scope, Application and Objectives
Framework for Good Corporate Governance of IT
Guidance for Corporate Governance of IT
KEY STANDARDS RELEVANT TO IG
RECORDS AND E-RECORDS MANAGEMENT
ISO 15489-1:2001 and ISO 15489-2:2001 – International Standard for Records Management
Part 1: Provides a framework and high-level overview of RM core principles
Part 1: Defines RM as the “Field of management responsibility for the efficient and systematic control of creation, receipt, maintenance, use and disposition of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records” [1]
Part 2: Technical specifications and methodology for implementing the standard
ISO 30300:2011 – Information and Documentation – Management Systems for Records – Fundamentals and Vocabulary
ISO 30301:2011 – Information and Documentation – Management Systems for Records – Requirements
[1] ISO 15489-1:2001, Information and Documentation – Records Management, Part 1: General (Geneva: ISO, 2001), section 3.16.
NATIONAL, INTERNATIONAL AND REGIONAL ERM STANDARDS
United States E-Records Standard
U.S. DOD 5015.2 Design Criteria Standard For Electronic Records Management Software Applications
Developed in 1997
Updated in 2002 and 2007
Canadian Standards
Electronic Records as Documentary Evidence CAN/CGSB-72.34-2005
Microfilm and Electronic Images as Documentary Evidence CAN/CGSB-72.11-93
Canadian Legal Considerations
Relies on the prime directive (that an organization shall always be prepared to produce its records as evidence) and its national standards for the admissibility of electronic records in court proceedings
The admissibility of records as evidence is determined under the business records provisions of the Evidence Act
NATIONAL, INTERNATIONAL AND REGIONAL ERM STANDARDS…CONTINUED
United Kingdom
The National Archives
Two sets of functional requirements to promote the development of the electronic records management software market (one in 1999 and one in 2002)
Model Requirements for Electronic Records
MoReq2
MoReq2010
Australian ERM and Records Management Standards
Has consistently been a world leader in this area
Adopted all three parts of ISO 16175 as its e-records standard
Australian Government Recordkeeping Metadata Standard Version 2.0
Australian Government Locator Service
AS 5090:2003 – Work Process Analysis for Recordkeeping
LONG-TERM DIGITAL PRESERVATION
Referred to as “LTDP”
LTDP is a key area for IG policy development
Frequently not addressed in an IG plan
Should be applied in preserving historical and “vital records” in order to maintain corporate or organizational memory
Key Standards for LTDP:
PDF/A-2 – official standard format for preserving electronic documents, developed by Adobe.
ISO 19005-1:2005 Document Management – the published specification that standardizes the PDF/A format
ISO 14721:2012 – Space Data and Information Transfer Systems – Open Archival Information Systems
ISO TR 18492 (2005) – Long-Term Preservation of Electronic Document-Based Information
ISO 16363:2012 – Space Data and Information Transfer Systems – Audit and Certification of Trustworthy Digital Repositories
BUSINESS CONTINUITY MANAGEMENT
ISO 22301:2012 – Societal Security – Business Continuity Management Systems Requirements
Specifies requirements for creating and implementing a standardized approach to business continuity management; this is also known as Disaster Recovery
Benefits of ISO 22301
Threat Identification and Assessment
Threat and Recovery Planning
Mission-critical process protection
Stakeholder Confidence
THINGS TO REMEMBER IN DEVELOPING THE IG POLICY
Take into account organizational goals
Draw clear lines of authority
Make sure you have an executive sponsor who can garner executive support for the IG program and policies
The IG program must contain a communications and training component
Stakeholders must be made aware of new policies and practices
Make sure you have metrics that are relevant and useful and can actually be measured
Test and audit
Give feedback to employees based upon metrics, tests and audit results
Establish and enforce clear penalties for policy violations and communicate that to employees
Take into account organizational culture
The End