Fundamentals of Information Governance:

Transcription

1 Fundamentals of Information Governance: More than just records management PETER KURILECZ CRM CA IGP

2 Hard as I try, I simply cannot make myself understand how Information Governance isn t just a different name for Records Management. some of the IG evangelists that have posted on this and other forums the IGer must have expertise in all of the disciplines, not just a few. That is a tall order for someone in today's dynamic environment. Is this individual a ringleader or conductor? Does he or she own the process or just a facilitator? I've seen different answers depending on who posts. Call me dense but I am somewhat confused the role an IGer plays in all of this.?

3 Fundamentals of Information Governance Part 1 What is Information Governance? Part 2 How is Information Governance different from Records Management? Part 3 What are the required components for Information Governance? Part 4 How to start an Information Governance Program? Part 5 Benefits of Information Governance Part 6 Future of Information Governance Part 7 Resources

4 What is information governance?

5 From John Isaza presentation

6 What is information governance? ARMA International Information governance is a strategic framework comprised of standards, processes, roles, and metrics that holds organizations and individuals accountable to create, organize, secure, maintain, use, and dispose of information in ways that align with and contribute to the organization s goals. Gartner - the specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals. Wikipedia the set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an enterprise level, supporting an organization's immediate and future regulatory, legal, risk, environmental and operational requirements.

7 What is information governance? An accountability program that enforces behavior in the creation, use, archiving, and deletion of corporate information. Requires a cross-functional team involving (at a minimum) legal, records management compliance, business and IT. Enables central management of retention policy and metadata Supports enforcement of IG policies across business functions, locations and information silos. A superset of records management programs that feature similar methodologies and processes Tamir Sigal, VP RSD

8 What is information governance? Involves Multiple Systems Computing environments Content Management Systems Cloud Applications Employee Devices Physical Warehouses Multiple Jurisdictions and Laws Over 14,000 laws and regulations related to information management

9 Principles of Holistic Information Governance (PHIGs) 1. Information is an asset 2. Information has purpose 3. Information has sources & targets 4. Information has deadlines 5. Information has consumers 6. Information carries obligations 7. Information carries risks 8. Information has many forms 9. Information isn t immortal 10. Information demands accountability Chris Walker - Presentation to ARMA Calgary Chapter - May 13,

10 Cohasset Information Governance Survey IG Programs are more prevalent, better-designed and inclusive of ESI Effective IG is increasingly recognized as imperative for corporate compliance and risk mitigation Information governance must modernize or forever be losing in a game of catch-up Legal hold processes are more commonplace

11 What is information governance? Key takeaways Information is an asset Volume continues to grow across structured and unstructured systems It is a framework to better manage all corporate Information Must include the wide variety of laws and regulations from across multiple jurisdictions

12 Information Governance

13 Part 2 How is IG different from RM

14 Information Governance vs Records Management Information Governance Holistic Strategic View Long-term Broad view Records Management Tactical View Short-term Narrow focused view HOWEVER RM is a key component of Information Governance

15 What role will records manager take in IG? Two distinct roles 1. Strategic Embraces and learns all facets of information governance Sits at the table with Legal, IT, Privacy and other IG members to develop the organizations strategic IG plan 2. Tactical Implements decisions made by the IG committee Continues in a traditional records manager role.

16 IG oversees Content and Repositories Iron Mountain- A Practical Guide to Information Governance for Financial Services

17 Part 3 What are the required components for Information Governance?

18 Part 3 What are the required components for Information Governance? Steering Committee Legal Records Management IT Privacy Compliance Security Others as Needed Human Resources Finance LOBs

19 Part 3 What are the required components for Information Governance? Mission Statement Policy Statement What information should be governed? Why does it have to be governed? Business reasons Legal reasons When should the information be disposed? How should the information be governed? Master Classification aka File Plan Policy Enforcement Audit

20 Part 3 What are the required components for Information Governance? Key takeaways Comprehensive Global Policy Unifies Legal, RM, Regulatory, etc., under one policy Full Audit trail of actions taken Active Policy Enforcement Executives have enterprise-wide fiduciary responsibility

21 Part 4 How to start an IG Program

22 Part 4 How to start an IG Program Steering Committee Boss (1 person) Doers (Responsible) RIM Information Security Legal Etc Consulted (Advisers) Legal Information Security RIM Etc Informed (Dependents)

23 Graphic : Part 4 How to start an IG Program List and prioritize IG projects Focus on Critical Use Cases Policy Definition and Maintenance Defensible Disposal ediscovery and Legal Holds Controlling Shared Drives Controlling SharePoint Physical Records

24 How different business units see information Iron Mountain- A Practical Guide to Information Governance for Financial Services

25 Graphic : Part 4 How to start an IG Program Deployment: On premise In the Cloud Hybrid

26

27 What is IG built on?

28 Standards Standards (to name just a few) ISO Information and documentation -- Records management (Parts 1 and 2) ISO/IEC :2012 Identification of privacy protection requirements as external constraints on business transactions ISO Principles and functional requirements for records in electronic office environments ISO/TR 17068:2012 Information and documentation - Trusted third party repository for digital records ISO/IEC 18043:2006 Information technology -- Security techniques -- Selection, deployment and operations of intrusion detection systems ISO/TR 18128:2014 Information and documentation -- Risk assessment for records processes and systems ISO :2006 Metadata for records - Part 1: Principles ISO :2009 Managing metadata for records - Part 2: Conceptual and implementation issues ISO :2011 Managing metadata for records - Part 3: Self assessment method ISO Management Systems for Records - Fundamentals and Vocabulary ISO Management Systems for Records - Requirements

29 Generally Accepted Recordkeeping Principles aka The Principles Protection reasonable level of protection for records and information Accountability senior executive shall oversee the IG program Integrity reasonable and suitable guarantee of information authenticity and reliability Disposition - provide secure and appropriate disposition Compliance constructed to comply with applicable laws and other binding authorities Availability ensures timely, efficient, and accurate retrieval of needed information Retention maintain records and information for an appropriate amount of time Transparency document business processes in an open and verifiable while making the documentation available to all personnel and appropriate interested parties.

30 Generally Accepted Recordkeeping Principles aka The Principles PAID CART

31 Sedona Conference Principles on Information Governance Part 1 Implement an IG program to make coordinated decisions Maintain sufficient independence to ensure decisions are for the benefit of the organization All information stakeholders should participate Provide the program with the structure, direction, resources and accountability to provide reasonable assurance that objectives will be achieved Effective, timely and consistent disposal of physical and electronic information is a core component Act in good faith and give due respect to privacy, data protection, security, records and information management, risk management, and sound business practices when reconciling conflicting laws and obligations The Sedona Conference Commentary on Information Governance Dec 2013

32 Sedona Conference Principles on Information Governance Part 2 If an organization acted in good faith a court or other authority should review under a standard of reasonableness Consider reasonable measures for maintaining long-term information assets integrity and availability Consider leveraging the power of new technologies Periodically review and update the program to ensure that it continues to meet the organization s needs as they evolve The Sedona Conference Commentary on Information Governance Dec 2013

33 Part 5 Benefits of Information Governance 7 Benefits Achievable - Powers corporate programs for physical and electronic records Simple Automates enforcement behind the scenes Profitable Preserves content valuable to the business Repeatable Phased deployments Accountable Defensible Disposition Flexible Enables agility and responsiveness to the needs of the business Measurable Provides visibility into the KPIs and KRIs

34 Information Governance is Good Business About effectively using and managing an organization s information assets to Derive maximum value Minimize information-related risks Governance leverages information to conduct business by asking these questions; Why is the information needed? Who can (and should) use the information? How can they use the information? When can they use the information? Where can they use the information? What can they do with the information?

35 Part 6 Resources

36 Part 6 Resources - Conferences

37 Part 6 Resources - Books

38 Part 6 Resources Social Media Blogs Twitter LinkedIn Groups Listservs Networking with Friends And more

39 ARMA International Information Governance Assessment The Information Governance Assessment is a software platform organizations can use to identify informationrelated compliance across the enterprise, drive improvements, and develop metrics for measuring information governance (IG) program maturity. Based upon the Generally Accepted Recordkeeping Principles and The Information Governance Maturity Model The information governance assessment addresses: IG requirements included in FCPA, Sarbanes- Oxley, Dodd-Frank, and COSO IG roles and responsibilities Aligning IT with IG Auditing records and information integrity Information security Third-party IG risks Guarding against improper information disclosure Disaster recovery of electronic records IG compliance risk Litigation holds and e-discovery The sufficiency of IG training and documentation

40 Part 6 Resources Maturity Models

41 Metagovernance

42 OFR (UK) Organizational Maturity Model The OFR Maturity Model has the following attributes: risk awareness, risk oversight and governance, risk appetite and tolerances, risk analysis, reporting and outlook, regulatory controls, decision making, information governance, organisational performance

43 6 Phases of BPM Maturity

44 Inventory Maturity Model for IG

45 Questions?