Information Governance - 2 Questions And Need 1 Answer For Each Question - Textbook Attached
Discussion Question for Ch. 10: Of the 4 Information Governance Best Practices on page 190 of your textbook pick one and provide pros and cons of implementing at your workplace.
Discussion Question for Ch. 11: What security risk do you feel is the biggest challenge to overcome and how do you lower the risk of impact if it happened?
INFORMATION GOVERNANCE
Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offi ces in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers’ professional and personal knowledge and understanding.
The Wiley CIO series provides information, tools, and insights to IT executives and managers. The products in this series cover a wide range of topics that supply strategic and implementation guidance on the latest technology trends, leadership, and emerging best practices.
Titles in the Wiley CIO series include:
The Agile Architecture Revolution: How Cloud Computing, REST-Based SOA, and Mobile Computing Are Changing Enterprise IT by Jason BloombergT
Big Data, Big Analytics: Emerging Business Intelligence and Analytic Trends for Today’s Businesses by Michael Minelli, Michele Chambers, and Ambiga Dhiraj
The Chief Information Offi cer’s Body of Knowledge: People, Process, and Technology by Dean Lane
CIO Best Practices: Enabling Strategic Value with Information Technology (Second Edition) by Joe Stenzel, Randy Betancourt, Gary Cokins, Alyssa Farrell, Bill Flemming, Michael H. Hugos, Jonathan Hujsak, and Karl Schubert
The CIO Playbook: Strategies and Best Practices for IT Leaders to Deliver Value by Nicholas R. Colisto
Enterprise Performance Management Done Right: An Operating System for Your Organization by Ron Dimon
Executive’s Guide to Virtual Worlds: How Avatars Are Transforming Your Business and Your Brand by Lonnie Bensond
IT Leadership Manual: Roadmap to Becoming a Trusted Business Partner by Alan R. r Guibord
Managing Electronic Records: Methods, Best Practices, and Technologies by Robert F. s Smallwood
On Top of the Cloud: How CIOs Leverage New Technologies to Drive Change and Build Value Across the Enterprise by Hunter Muller
Straight to the Top: CIO Leadership in a Mobile, Social, and Cloud-based World (Second Edition) by Gregory S. Smith
Strategic IT: Best Practices for Managers and Executives by Arthur M. Langer ands Lyle Yorks
Transforming IT Culture: How to Use Social Intelligence, Human Factors, and Collaboration to Create an IT Department That Outperforms by Frank Wanders
Unleashing the Power of IT: Bringing People, Business, and Technology Together by Dan Roberts
The U.S. Technology Skills Gap: What Every Technology Executive Must Know to Save America’s Future by Gary J. Beach
Information Governance: Concepts, Strategies and Best Practices by Robert F. Smallwoods
Robert F. Smallwood
INFORMATION GOVERNANCE
CONCEPTS, STRATEGIES AND
BEST PRACTICES
Cover image: © iStockphoto / IgorZh Cover design: Wiley
Copyright © 2014 by Robert F. Smallwood. All rights reserved.
Chapter 7 © 2014 by Barclay Blair
Portions of Chapter 8 © 2014 by Randolph Kahn
Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifi cally disclaim any implied warranties of merchantability or fi tness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profi t or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Cataloging-in-Publication Data:
Smallwood, Robert F., 1959- Information governance : concepts, strategies, and best practices / Robert F. Smallwood. pages cm. — (Wiley CIO series)
ISBN 978-1-118-21830-3 (cloth); ISBN 978-1-118-41949-6 (ebk); ISBN 978-1-118-42101-7 (ebk) 1. Information technology—Management. 2. Management information systems. 3. Electronic
records—Management. I. Title. HD30.2.S617 2014 658.4’038—dc23
2013045072
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1
http://www.copyright.com
http://www.wiley.com/go/permissions
http://booksupport.wiley.com
http://www.wiley.com
For my sons
and the next generation of tech-savvy managers
vii
CONTENTS
PREFACE xv
ACKNOWLEDGMENTS xvii
PART ONE—Information Governance Concepts, Defi nitions, and Principles 1p
CHAPTER 1 The Onslaught of Big Data and the Information Governance Imperative 3
Defi ning Information Governance 5
IG Is Not a Project, But an Ongoing Program 7
Why IG Is Good Business 7
Failures in Information Governance 8
Form IG Policies, Then Apply Technology for Enforcement 10
Notes 12
CHAPTER 2 Information Governance, IT Governance, Data Governance: What’s the Difference? 15
Data Governance 15
IT Governance 17
Information Governance 20
Impact of a Successful IG Program 20
Summing Up the Differences 21
Notes 22
CHAPTER 3 Information Governance Principles 25
Accountability Is Key 27
Generally Accepted Recordkeeping Principles® 27 Contributed by Charmaine Brooks, CRM
Assessment and Improvement Roadmap 34
Who Should Determine IG Policies? 35
Notes 38
PART TWO—Information Governance Risk Assessment and Strategic Planning 41g g
CHAPTER 4 Information Risk Planning and Management 43
Step 1: Survey and Determine Legal and Regulatory Applicability and Requirements 43
viii CONTENTS
Step 2: Specify IG Requirements to Achieve Compliance 46
Step 3: Create a Risk Profi le 46
Step 4: Perform Risk Analysis and Assessment 48
Step 5: Develop an Information Risk Mitigation Plan 49
Step 6: Develop Metrics and Measure Results 50
Step 7: Execute Your Risk Mitigation Plan 50
Step 8: Audit the Information Risk Mitigation Program 51
Notes 51
CHAPTER 5 Strategic Planning and Best Practices for Information Governance 53
Crucial Executive Sponsor Role 54
Evolving Role of the Executive Sponsor 55
Building Your IG Team 56
Assigning IG Team Roles and Responsibilities 56
Align Your IG Plan with Organizational Strategic Plans 57
Survey and Evaluate External Factors 58
Formulating the IG Strategic Plan 65
Notes 69
CHAPTER 6 Information Governance Policy Development 71
A Brief Review of Generally Accepted Recordkeeping Principles® 71
IG Reference Model 72
Best Practices Considerations 75
Standards Considerations 76
Benefi ts and Risks of Standards 76
Key Standards Relevant to IG Efforts 77
Major National and Regional ERM Standards 81
Making Your Best Practices and Standards Selections to Inform Your IG Framework 87
Roles and Responsibilities 88
Program Communications and Training 89
Program Controls, Monitoring, Auditing and Enforcement 89
Notes 91
PART THREE—Information Governance Key Impact Areas Based on the IG Reference Model 95p
CHAPTER 7 Business Considerations for a Successful IG Program 97
By Barclay T. Blair
Changing Information Environment 97
CONTENTS ix
Calculating Information Costs 99
Big Data Opportunities and Challenges 100
Full Cost Accounting for Information 101
Calculating the Cost of Owning Unstructured Information 102
The Path to Information Value 105
Challenging the Culture 107
New Information Models 107
Future State: What Will the IG-Enabled Organization Look Like? 110
Moving Forward 111
Notes 113
CHAPTER 8 Information Governance and Legal Functions 115
By Robert Smallwood with Randy Kahn, Esq., and Barry Murphy
Introduction to e-Discovery: The Revised 2006 Federal Rules of Civil Procedure Changed Everything 115
Big Data Impact 117
More Details on the Revised FRCP Rules 117
Landmark E-Discovery Case: Zubulake v. UBS Warburg 119
E-Discovery Techniques 119
E-Discovery Reference Model 119
The Intersection of IG and E-Discovery 122 By Barry Murphy
Building on Legal Hold Programs to Launch Defensible Disposition 125 By Barry Murphy
Destructive Retention of E-Mail 126
Newer Technologies That Can Assist in E-Discovery 126
Defensible Disposal: The Only Real Way To Manage Terabytes and Petabytes 130 By Randy Kahn, Esq.
Retention Policies and Schedules 137 By Robert Smallwood, edited by Paula Lederman, MLS
Notes 144
CHAPTER 9 Information Governance and Records and Information Management Functions 147
Records Management Business Rationale 149
Why Is Records Management So Challenging? 150
Benefi ts of Electronic Records Management 152
Additional Intangible Benefi ts 153
Inventorying E-Records 154
Generally Accepted Recordkeeping Principles® 155
E-Records Inventory Challenges 155
x CONTENTS
Records Inventory Purposes 156
Records Inventorying Steps 157
Ensuring Adoption and Compliance of RM Policy 168
General Principles of a Retention Scheduling 169
Developing a Records Retention Schedule 170
Why Are Retention Schedules Needed? 171
What Records Do You Have to Schedule? Inventory and Classifi cation 173
Rationale for Records Groupings 174
Records Series Identifi cation and Classifi cation 174
Retention of E-Mail Records 175
How Long Should You Keep Old E-Mails? 176
Destructive Retention of E-Mail 177
Legal Requirements and Compliance Research 178
Event-Based Retention Scheduling for Disposition of E-Records 179
Prerequisites for Event-Based Disposition 180
Final Disposition and Closure Criteria 181
Retaining Transitory Records 182
Implementation of the Retention Schedule and Disposal of Records 182
Ongoing Maintenance of the Retention Schedule 183
Audit to Manage Compliance with the Retention Schedule 183
Notes 186
CHAPTER 10 Information Governance and Information Technology Functions 189
Data Governance 191
Steps to Governing Data Effectively 192
Data Governance Framework 193
Information Management 194
IT Governance 196
IG Best Practices for Database Security and Compliance 202
Tying It All Together 204
Notes 205
CHAPTER 11 Information Governance and Privacy and Security Functions 207
Cyberattacks Proliferate 207
Insider Threat: Malicious or Not 208
Privacy Laws 210
Defense in Depth 212
Controlling Access Using Identity Access Management 212
Enforcing IG: Protect Files with Rules and Permissions 213
CONTENTS xi
Challenge of Securing Confi dential E-Documents 213
Apply Better Technology for Better Enforcement in the Extended Enterprise 215
E-Mail Encryption 217
Secure Communications Using Record-Free E-Mail 217
Digital Signatures 218
Document Encryption 219
Data Loss Prevention (DLP) Technology 220
Missing Piece: Information Rights Management (IRM) 222
Embedded Protection 226
Hybrid Approach: Combining DLP and IRM Technologies 227
Securing Trade Secrets after Layoffs and Terminations 228
Persistently Protecting Blueprints and CAD Documents 228
Securing Internal Price Lists 229
Approaches for Securing Data Once It Leaves the Organization 230
Document Labeling 231
Document Analytics 232
Confi dential Stream Messaging 233
Notes 236
PART FOUR—Information Governance for Delivery Platforms 239y
CHAPTER 12 Information Governance for E-Mail and Instant Messaging 241
Employees Regularly Expose Organizations to E-Mail Risk 242
E-Mail Polices Should Be Realistic and Technology Agnostic 243
E-Record Retention: Fundamentally a Legal Issue 243
Preserve E-Mail Integrity and Admissibility with Automatic Archiving 244
Instant Messaging 247
Best Practices for Business IM Use 247
Technology to Monitor IM 249
Tips for Safer IM 249
Notes 251
CHAPTER 13 Information Governance for Social Media 253
By Patricia Franks, Ph.D, CRM, and Robert Smallwood
Types of Social Media in Web 2.0 253
Additional Social Media Categories 255
Social Media in the Enterprise 256
Key Ways Social Media Is Different from E-Mail and Instant Messaging 257
Biggest Risks of Social Media 257
Legal Risks of Social Media Posts 259
xii CONTENTS
Tools to Archive Social Media 261
IG Considerations for Social Media 262
Key Social Media Policy Guidelines 263
Records Management and Litigation Considerations for Social Media 264
Emerging Best Practices for Managing Social Media Records 267
Notes 269
CHAPTER 14 Information Governance for Mobile Devices 271
Current Trends in Mobile Computing 273
Security Risks of Mobile Computing 274
Securing Mobile Data 274
Mobile Device Management 275
IG for Mobile Computing 276
Building Security into Mobile Applications 277
Best Practices to Secure Mobile Applications 280
Developing Mobile Device Policies 281
Notes 283
CHAPTER 15 Information Governance for Cloud Computing 285
By Monica Crocker CRM, PMP, CIP, and Robert Smallwood
Defi ning Cloud Computing 286
Key Characteristics of Cloud Computing 287
What Cloud Computing Really Means 288
Cloud Deployment Models 289
Security Threats with Cloud Computing 290
Benefi ts of the Cloud 298
Managing Documents and Records in the Cloud 299
IG Guidelines for Cloud Computing Solutions 300
Notes 301
CHAPTER 16 SharePoint Information Governance 303
By Monica Crocker, CRM, PMP, CIP, edited by Robert Smallwood
Process Change, People Change 304
Where to Begin the Planning Process 306
Policy Considerations 310
Roles and Responsibilities 311
Establish Processes 312
Training Plan 313
Communication Plan 313
Note 314
CONTENTS xiii
PART FIVE—Long-Term Program Issues 315g g
CHAPTER 17 Long-Term Digital Preservation 317
By Charles M. Dollar and Lori J. Ashley
Defi ning Long-Term Digital Preservation 317
Key Factors in Long-Term Digital Preservation 318
Threats to Preserving Records 320
Digital Preservation Standards 321
PREMIS Preservation Metadata Standard 328
Recommended Open Standard Technology-Neutral Formats 329
Digital Preservation Requirements 333
Long-Term Digital Preservation Capability Maturity Model® 334
Scope of the Capability Maturity Model 336
Digital Preservation Capability Performance Metrics 341
Digital Preservation Strategies and Techniques 341
Evolving Marketplace 344
Looking Forward 344
Notes 346
CHAPTER 18 Maintaining an Information Governance Program and Culture of Compliance 349
Monitoring and Accountability 349
Staffi ng Continuity Plan 350
Continuous Process Improvement 351
Why Continuous Improvement Is Needed 351
Notes 353
APPENDIX A Information Organization and Classifi cation: Taxonomies and Metadata 355
By Barb Blackburn, CRM, with Robert Smallwood; edited by Seth Earley
Importance of Navigation and Classifi cation 357
When Is a New Taxonomy Needed? 358
Taxonomies Improve Search Results 358
Metadata and Taxonomy 359
Metadata Governance, Standards, and Strategies 360
Types of Metadata 362
Core Metadata Issues 363
International Metadata Standards and Guidance 364
Records Grouping Rationale 368
Business Classifi cation Scheme, File Plans, and Taxonomy 368
Classifi cation and Taxonomy 369
xiv CONTENTS
Prebuilt versus Custom Taxonomies 370
Thesaurus Use in Taxonomies 371
Taxonomy Types 371
Business Process Analysis 377
Taxonomy Testing: A Necessary Step 379
Taxonomy Maintenance 380
Social Tagging and Folksonomies 381
Notes 383
APPENDIX B Laws and Major Regulations Related to Records Management 385
United States 385
Canada 387 By Ken Chasse, J.D., LL.M.
United Kingdom 389
Australia 391
Notes 394
APPENDIX C Laws and Major Regulations Related to Privacy 397
United States 397
Major Privacy Laws Worldwide, by Country 398
Notes 400
GLOSSARY 401
ABOUT THE AUTHOR 417
ABOUT THE MAJOR CONTRIBUTORS 419
INDEX 421
xv
PREFACE
Information governance (IG) has emerged as a key concern for business executivesand managers in today’s environment of Big Data, increasing information risks, co-lossal leaks, and greater compliance and legal demands. But few seem to have a clear understanding of what IG is; that is, how you defi ne what it is and is not, and how to implement it. This book clarifi es and codifi es these defi nitions and provides key in- sights as to how to implement and gain value from IG programs. Based on exhaustive research, and with the contributions of a number of industry pioneers and experts, this book lays out IG as a complete discipline in and of itself for the fi rst time.
IG is a super-discipline that includes components of several key fi elds: law, records management, information technology (IT), risk management, privacy and security, and business operations. This unique blend calls for a new breed of information pro- fessional who is competent across these established and quite complex fi elds. Training and education are key to IG success, and this book provides the essential underpinning for organizations to train a new generation of IG professionals.
Those who are practicing professionals in the component fi elds of IG will fi nd the book useful in expanding their knowledge from traditional fi elds to the emerging tenets of IG. Attorneys, records and compliance managers, risk managers, IT manag- ers, and security and privacy professionals will fi nd this book a particularly valuable resource.
The book strives to offer clear IG concepts, actionable strategies, and proven best practices in an understandable and digestible way; a concerted effort was made to simplify language and to offer examples. There are summaries of key points through- out and at the end of each chapter to help the reader retain major points. The text is organized into fi ve parts: (1) Information Governance Concepts, Defi nitions, and Principles; (2) IG Risk Assessment and Strategic Planning; (3) IG Key Impact Areas; (4) IG for Delivery Platforms; and (5) Long-Term Program Issues. Also included are appendices with detailed information on taxonomy and metadata design and on re- cords management and privacy legislation.
One thing that is sure is that the complex fi eld of IG is evolving. It will continue to change and solidify. But help is here: No other book offers the kind of compre- hensive coverage of IG contained within these pages. Leveraging the critical advice provided here will smooth your path to understanding and implementing successful IG programs.
Robert F. Smallwood
xvii
ACKNOWLEDGMENTS
I would like to sincerely thank my colleagues for their support and generous contribu-tion of their expertise and time, which made this pioneering text possible. Many thanks to Lori Ashley, Barb Blackburn, Barclay Blair, Charmaine Brooks, Ken Chasse, Monica Crocker, Charles M. Dollar, Seth Earley, Dr. Patricia Franks, Randy Kahn, Paula Lederman, and Barry Murphy.
I am truly honored to include their work and owe them a great debt of gratitude.
PART ONE Information Governance Concepts, Defi nitions, and Principles
3
The Onslaught of Big Data and the Information Governance Imperative
C H A P T E R 1
The value of information in business is rising, and business leaders are more andmore viewing the ability to govern, manage, and harvest information as critical to success. Raw data is now being increasingly viewed as an asset that can be leveraged, just like fi nancial or human capital.1 Some have called this new age of “Big Data” the “industrial revolution of data.”
According to the research group Gartner, Inc., Big Data is defi ned as “high-volume, high-velocity and high-variety information assets that demand cost-effective, inno- vative forms of information processing for enhanced insight and decision making.” 2 A practical defi nition should also include the idea that the amount of data—both struc- tured (in databases) and unstructured (e.g., e-mail, scanned documents) is so mas- sive that it cannot be processed using today’s database tools and analytic software techniques. 3
In today’s information overload era of Big Data—characterized by massive growth in business data volumes and velocity—the ability to distill key insights from enor- mous amounts of data is a major business differentiator and source of sustainable com- petitive advantage. In fact, a recent report by the World Economic Forum stated that data is a new asset class and personal data is “the new oil.” 4 And we are generating more than we can manage effectively with current methods and tools.
The Big Data numbers are overwhelming: Estimates and projections vary, but it has been stated that 90 percent of the data existing worldwide today was created in the last two years 5 and that every two days more information is generated than was from the dawn of civilization until 2003. 6 This trend will continue: The global market for Big Data technology and services is projected to grow at a compound annual rate of 27 percent through 2017, about six times faster than the general information and com- munications technology (ICT) market. 7
Many more comparisons and statistics are available, and all demonstrate the incredible and continued growth of data.
Certainly, there are new and emerging opportunities arising from the accu- mulation and analysis of all that data we are busy generating and collecting. New enterprises are springing up to capitalize on data mining and business intelligence opportunities. The U.S. federal government joined in, announcing $200 million in Big Data research programs in 2012.8
4 INFORMATION GOVERNANCE
Big Data values massive accumulation of data, whereas in business, e-discovery realities and potential legal liabilities dictate that data be culled to only that which has clear business value.
But established organizations, especially larger ones, are being crushed by this onslaught of Big Data: It is just too expensive to keep all the information that is being generated, and unneeded information is a sort of irrelevant sludge for decision makers to wade through. They have diffi culty knowing which information is an accurate and meaningful “wheat” and which is simply irrelevant “chaff.” This means they do not have the precise information they need to base good business decisions upon.
And all that Big Data piling up has real costs: The burden of massive stores of information has increased storage management costs dramatically, caused overloaded systems to fail, and increased legal discovery costs. 9 Further, the longer that data is kept, the more likely that it will need to be migrated to newer computing platforms, driving up conversion costs; and legally, there is the risk that somewhere in that mountain of data an organization stores is a piece of information that represents a signifi cant legal liability.10
This is where the worlds of Big Data and business collide . For Big Data proponents, more data is always better, and there is no perceived downside to accumulation of mas- sive amounts of data. In the business world, though, the realities of legal e-discovery mean the opposite is true. 11 To reduce risk, liability, and costs, it is critical for unneeded information to be disposed of in a systematic, methodical, and “legally defensible” (jus- tifi able in legal proceedings) way, when it no longer has legal, regulatory, or business value. And there also is the high-value benefi t of basing decisions on better, cleaner data, which can come about only through rigid, enforced information governance (IG) policies that reduce information glut.
Organizations are struggling to reduce and right-size their information footprint by discarding superfl uous and redundant data, e-documents, and information. But the critical issue is devising policies, methods, and processes and then deploying information technol- ogy (IT) to sort through which information is valuable and which no longer has business value and can be discarded.
IT, IG, risk, compliance, and legal representatives in organizations have a clear sense that most of the information stored is unneeded, raises costs, and poses risks. According to a survey taken at a recent Compliance, Governance and Oversight Counsel summit, respondents estimated that approximately 25 percent of information stored in organizations has real business value, while 5 percent must be kept as busi- ness records and about 1 percent is retained due to a litigation hold. “This means that
The onslaught of Big Data necessitates that information governance (IG) be implemented to discard unneeded data in a legally defensible way.
THE ONSLAUGHT OF BIG DATA AND THE INFORMATION GOVERNANCE IMPERATIVE 5
[about] 69 percent of information in most companies has no business, legal, or regulatory value. Companies that are able to dispose of this data debris return more profi t to sharehold- ers, can leverage more of their IT budgets for strategic investments, and can avoid excess expense in legal and regulatory response” (emphasis added). 12
With a smaller information footprint , organizations can more easily fi nd what they tt need and derive business value from it.13 They must eliminate the data debris regularly and consistently, and to do this, processes and systems must be in place to cull valuable information and discard the data debris daily. An IG program sets the framework to accomplish this.
The business environment has also underscored the need for IG. According to Ted Friedman at Gartner, “The recent global fi nancial crisis has put information gov- ernance in the spotlight. . . . [It] is a priority of IT and business leaders as a result of various pressures, including regulatory compliance mandates and the urgent need for improved decision-making.” 14
And IG mastery is critical for executives: Gartner predicts that by 2016, one in fi ve chief information offi cers in regulated industries will be fi red from their jobs for failed IG initiatives. s 15
Defi ning Information Governance
IG is a sort of super discipline that has emerged as a result of new and tightened legislation governing businesses, external threats such as hacking and data breaches, and the recog- nition that multiple overlapping disciplines were needed to address today’s information management challenges in an increasingly regulated and litigated business environment.16
IG is a subset of corporate governance, and includes key concepts from re- cords management, content management, IT and data governance, information se- curity, data privacy, risk management, litigation readiness, regulatory compliance, long-term digital preservation , and even business intelligence. This also means that it includes related technology and discipline subcategories, such as document management, enterprise search, knowledge management, and business continuity/ disaster recovery.
Only about one quarter of information organizations are managing has real business value.
With a smaller information footprint, it is easier for organizations to fi nd the information they need and derive business value from it.
IG is a subset of corporate governance.
6 INFORMATION GOVERNANCE
IG is a sort of superdiscipline that encompasses a variety of key concepts from a variety of related disciplines.
Practicing good IG is the essential foundation for building legally defensible disposition practices to discard unneeded information and to secure confi dential in- formation, which may include trade secrets, strategic plans, price lists, blueprints, or personally identifi able information (PII) subject to privacy laws; it provides the basis for consistent, reliable methods for managing data, e-documents, and records.
Having trusted and reliable records, reports, data, and databases enables managers to make key decisions with confi dence.17 And accessing that information and business intelligence in a timely fashion can yield a long-term sustainable competitive advan- tage, creating more agile enterprises.
To do this, organizations must standardize and systematize their handling of in- formation. They must analyze and optimize how information is accessed, controlled, managed, shared, stored, preserved, and audited. They must have complete, current, and relevant policies, processes, and technologies to manage and control information, including who is able to access what information , and when, to meet external legal and regulatory demands and internal governance policy requirements. In short, IG is about information control and compliance.
IG is a subset of corporate governance, which has been around as long as corpora- tions have existed. IG is a rather new multidisciplinary fi eld that is still being defi ned, but has gained traction increasingly over the past decade. The focus on IG comes not only from compliance, legal, and records management functionaries but also from ex- ecutives who understand they are accountable for the governance of information and that theft or erosion of information assets has real costs and consequences.
“Information governance” is an all-encompassing term for how an organization manages the totality of its information.
According to the Association of Records Managers and Administrators (ARMA), IG is “a strategic framework composed of standards, processes, roles, and metrics that hold organizations and individuals accountable to create, organize, secure, maintain, use, and dispose of information in ways that align with and contribute to the organization’s goals.”18
IG includes the set of policies, processes, and controls to manage information in compliance with external regulatory requirements and internal governance frameworks . Specifi c policiess apply to specifi c data and document types, records series, and other business informa- tion, such as e-mail and reports.
Stated differently, IG is “a quality-control discipline for managing, using, improv- ing, and protecting information.” 19
Practicing good IG is the essential foundation for building legally defensible disposition practices to discard unneeded information.
THE ONSLAUGHT OF BIG DATA AND THE INFORMATION GOVERNANCE IMPERATIVE 7
IG is “a strategic framework composed of standards, processes, roles, and metrics, that hold organizations and individuals accountable to create, orga- nize, secure, maintain, use, and dispose of information in ways that align with and contribute to the organization’s goals.” 20
Fleshing out the defi nition further: “Information governance is policy-based man- agement of information designed to lower costs, reduce risk, and ensure compliance with legal, regulatory standards, and/or corporate governance.”21 IG necessarily in- corporates not just policies but information technologies to audit and enforce those policies. The IG team must be cognizant of information lifecycle issues and be able to apply the proper retention and disposition policies, including digital preservation where records need to be maintained for long periods.
IG Is Not a Project, But an Ongoing Program
IG is an ongoing program , not a one-time project. IG provides an umbrella to manage and control information output and communications. Since technologies change so quickly, it is necessary to have overarching policies that can manage the various IT platforms that an organization may use.
Compare it to a workplace safety program; every time a new location, team member, piece of equipment, or toxic substance is acquired by the organization, the workplace safety program should dictate how that is handled. If it does not, the workplace safety policies/procedures/training that are part of the workplace safety program need to be updated. Regular reviews are conducted to ensure the program is being followed and ad- justments are made based on the fi ndings. The effort never ends. s 22 The same is true for IG.
IG is not only a tactical program to meet regulatory, compliance, and litigation demands. It can be strategic , in that it is the necessary underpinning for developing a c management strategy that maximizes knowledge worker productivity while minimiz- ing risk and costs.
Why IG Is Good Business
IG is a tough sell. It can be diffi cult to make the business case for IG, unless there has been some major compliance sanction, fi ne, legal loss, or colossal data breach. In fact, the largest
IG is how an organization maintains security, complies with regulations, and meets ethical standards when managing information.
IG is a multidisciplinary program that requires an ongoing effort.
8 INFORMATION GOVERNANCE
impediment to IG adoption is simply identifying its benefi ts and costs, according to the Economist Intelligence Unit. Sure, the enterprise needs better control over its information, but how much better? At what cost? What is the payback period and the return on investment? 23
It is challenging to make the business case for IG, yet making that case is funda- mental to getting IG efforts off the ground.
Here are eight reasons why IG makes good business sense, from IG thought leader Barclay Blair:
1. We can’t keep everything forever. IG makes sense because it enables organiza- tions to get rid of unnecessary information in a defensible manner. Organi- zations need a sensible way to dispose of information in order to reduce the cost and complexity of the IT environment. Having unnecessary informa- tion around only makes it more diffi cult and expensive to harness informa- tion that has value.
2. We can’t throw everything away. IG makes sense because organizations can’t keep everything forever, nor can they throw everything away. We need information—the right information, in the right place, at the right time. Only IG provides the framework to make good decisions about what infor- mation to keep.
3. E-discovery. IG makes sense because it reduces the cost and pain of discov- ery. Proactively managing information reduces the volume of information exposed to e-discovery and simplifi es the task of fi nding and producing responsive information.
4. Your employees are screaming for it—just listen. IG makes sense because it helps knowledge workers separate “signal” from “noise” in their informa- tion fl ows. By helping organizations focus on the most valuable informa- tion, IG improves information delivery and improves productivity.
5. It ain’t gonna get any easier. IG makes sense because it is a proven way for organizations to respond to new laws and technologies that create new re- quirements and challenges. The problem of IG will not get easier over time, so organizations should get started now.
6. The courts will come looking for IG. IG makes sense because courts and regu- lators will closely examine your IG program. Falling short can lead to fi nes, sanctions, loss of cases, and other outcomes that have negative business and fi nancial consequences.
7. Manage risk: IG is a big one. Organizations need to do a better job of identi- fying and managing risk. The risk of information management failures is a critical risk that IG helps to mitigate.
8. E-mail: Reason enough. IG makes sense because it helps organizations take con- trol of e-mail. Solving e-mail should be a top priority for every organization. 24
Failures in Information Governance
The failure to implement and enforce IG can lead to vulnerabilities that can have dire consequences. The theft of confi dential U.S. National Security Agency documents
THE ONSLAUGHT OF BIG DATA AND THE INFORMATION GOVERNANCE IMPERATIVE 9
by Edward Snowden in 2013 could have been prevented by properly enforced IG. Also, Ford Motor Company is reported to have suffered a loss estimated at $50 to $100 million as a result of the theft of confi dential documents by one of its own em- ployees. A former product engineer who had access to thousands of trade secret docu- ments and designs sold them to a competing Chinese car manufacturer. A strong IG program would have controlled and tracked access and prevented the theft while pro- tecting valuable intellectual property. 25
Law enforcement agencies have also suffered from poor IG. In a rather frivolous case in 2013 that highlighted the lack of policy enforcement for the mobile environ- ment, it was reported that U.S. agents from the Federal Bureau of Investigation used government-issued mobile phones to send explicit text messages and nude photographs to coworkers. The incidents did not have a serious impact but did compromise the agency and its integrity, and “adversely affected the daily activities of several squads.” 26 Proper mobile communications policies were obviously not developed and enforced.