The World of Information Governance

Transcription

1 The World of Information Governance Society of Corporate Compliance and Ethics Maggi Johnsen, CRM October 12, 2012 Table of Contents What is Information Governance (IG)? What Might Lead to an IG Failure? What Challenges Do IG Programs Mitigate? What Models and Standards Are Available? ARMA Generally Accepted Recordkeeping Principals (GARP ) Corporate Governance Oversight Council (CGOC) International Organization of Standardization (ISO) MIKE2.0 Case Study ERAN Services 1 1

2 What is Information Governance (IG)? Information Governance is the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival retention (author substitution), and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals. -- Gartner Information is defined as the means by which an organisation plans, identifies, creates, receives, collects, organises, governs, secures, uses, controls, disseminates, exchanges, maintains, preserves and disposes of its information; as well as any means through which the organisation ensures that the value of that information is identified and exploited to its fullest extent. -- Queensland (Australia) Government 2 What Might Lead To An IG Failure? Scarcity of behavior based corporate policies standards Lack of clarity around roles and responsibilities Inadequate information governance processes and controls Minimal effective technologies that provide proper, repeatable categorization and organization of unstructured information Lack of recognition that not all information has equal value 3 2

3 What Challenges Do IG Programs Mitigate? Inadequate internal accountability Weakened capacity for informed decision-making Increased legal, financial, or reputational risks Reduced ability to assess information governance program impacts Reduced employee effectiveness and efficiency Increased administrative costs Wasted technology investments Gaps in the organization s corporate memory 4 What Models and Standards Are Available? ARMA Generally Accepted Recordkeeping Principles (GARP ) Corporate Governance Oversight Council (CGOC) Information Lifecycle Governance Model International Organization of Standardization (ISO) ISO Information and documentation Records management ISO Information and documentation Principles and functional requirements for records in electronic office environments MIKE 2.0 (Method for an Integrated Knowledge Environment) 5 3

4 Generally Accepted Recordkeeping Principles (GARP ) A Principle Accountability Definition A senior executive (or person of comparable authority) oversees the recordkeeping program and delegates program responsibility to appropriate individuals. The organization adopts policies and procedures to guide personnel and ensure the program can be audited. LEGAL BU RIM IA IT CPO T I P C A R D Transparency Integrity Protection Compliance Availability Retention Disposal The processes and activities of an organization s record-keeping program are documented in a manner that is open and verifiable and is available to all personnel and appropriate interested parties. A recordkeeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability. A recordkeeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, or essential to business continuity. The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization s policies. An organization shall maintain records in a manner that ensures timely, efficient, and accurate retrieval of needed information. Retention -- An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements. An organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization s policies. Source: ARMA International at 6 GARP Maturity Model Principle Level 1:Substandard Level 2: In Development Level 3: Essential Level 4: Proactive Level 5: Transformational Accountability Transparency Integrity Compliance No senior executive (or person of comparable authority) is responsible for the records management program.... It is difficult to obtain information about the organization or its records in a timely fashion.... There are no systematic audits or defined processes for showing the origin and authenticity of a record.... There is no clear definition of the records the organization is obligated to keep.... No senior executive (or person of comparable authority) is involved in or responsible for the records management program.... The organization realizes that some degree of transparency is important in its recordkeeping for business or regulatory needs.... Some organizational records are stored with their respective metadata that demonstrate authenticity; however, no formal process is defined for metadata storage and chain of custody.... The organization has identified the rules and regulations that govern its business and introduced some compliance policies and recordkeeping practices around those policies. Policies are not complete and there is no apparent or well-defined accountability for compliance.... The records manager is an officer of the organization and is responsible for the tactical operation of the ongoing program on an organization-wide basis.... Transparency in recordkeeping is taken seriously and information is readily and systematically available when needed.... The organization has a formal process to ensure that the required level of authenticity and chain of custody can be applied to its systems and processes.... The organization has identified all relevant compliance laws and regulations.... Continuous update of custodian roles, responsibilities, automatic employee transition alerts.... Transparency is an essential part of the corporate culture and is emphasized in training.... There is a clear definition of metadata requirements for all systems, business applications, and paper records that are needed to ensure the authenticity of records.... The organization has implemented systems to capture and protect records.... The organization s senior management and its governing board place great emphasis on the importance of the program.... The organization's senior management considers transparency as a key component of information governance.... There is a formal, defined process for introducing new record-generating systems and the capture of their metadata and other authenticity requirements, including chain of custody.... The importance of compliance and the role of records and information in it are clearly recognized at the senior management and board levels.... Source: ARMA International at 7 4

5 Corporate Governance Oversight Council (CGOC) Information Governance Risks LEGAL BU RIM Process Risk Posed by Process A Employee on Legal Hold Custodians are not identified and potentially relevant information is inadvertently modified or deleted. B Data on Legal Hold Actual, rogue, or IT-managed data sources missed in hold execution, potentially relevant information is inadvertently modified or deleted. C Hold Publication IT or employees migrate, retire, or modify data because they lacked hold visibility. D Legal Interviews Dynamic, diverse information facts not considered in preservation and collection planning, data is overlooked; no follow through on information identified in custodian interviews. E Evidence Collection Collection failure from overlooked source, departing employee, incomplete prior collection inventory, communication, and tracking errors. F Evidence Analysis and Cost Material issues in dispute are poorly understood until after strategy established and expenses incurred. Excessive data causes litigation Controls costs to exceed dispute value. G H I Legal Record Master Retention Schedule and Taxonomy Departmental Information Practices Unable to readily assemble, understand or defend preservation and discovery record. Failures in custodian and data source management. Preservation, collection detected long after occurrence and cause unnecessary remediation cost and risk. Company is unable to comply or demonstrate compliance with its regulatory record keeping obligations. Disparate nomenclatures for records make applications of retention schedules / procedures difficult to apply and audit. IT saves everything which increases discoverable mass, complexity, and legal risk; IT disposes of information of business value undermining enterprise operation. Procedures for retention / disposal difficult to articulate and defend and unapplied by LoB. IA IT CPO J K L M N O P Privacy and Data Protection Data Source Catalog and Stewardship System Provisioning Disposal and Decommissioning Legacy Data Storage Alignment Audit Access, transport, and use limitations are not understood by employees with information custody or collections responsibility and customers or employees rights are impacted. The type and nature of data in a system or process is poorly understood, leading incomplete or inaccurate application of retention, preservation, privacy, and collection and disposition policy. Systems are unable to comply with or execute defined procedures for retaining, preserving, collecting, protecting, and disposing of information, exposing the company to significantly higher costs and risks. IT is unable to dispose of data and decommission systems causing significant unnecessary cost and risk; IT improperly disposes of data causing unnecessary risk and legal or business expense. IT is unable to associate data with business stakeholders or ensure legal duties are met, leading to oversight in collecting evidence and unnecessary legal and operating costs. Storage is over-allocated, misaligned with business needs and consumes unnecessary capital; IT is unable to reclaim storage and eliminate cost after data id deleted causing unnecessary cost. Unable to demonstrate reasonable efforts to establish and follow governance policies and procedures increases sanction risks, penalties, and judgments, and erodes customer trust. Source: Compliance, Governance and Oversight Council (CGOC) 12 CGOC Information Governance Risk Profile Potential Impact E A F M J L K High risk requires constant monitoring and review, immediate escalation on failure or impending failure. 50% likelihood Moderate risk requires frequent monitoring to prevent and detect; costly to correct or mitigate. Between 10% --50% likelihood. IT Low risk does not require constant monitoring and is easy to prevent, detect, correct, defend. Less than 10% likelihood. IA B C D N I P G H O Likelihood to Occur Source: Compliance, Governance and Oversight Council (CGOC) 13 5

6 CGOC Information Governance Maturity Model LEGAL BU RIM IA IT CPO Process H. Master Retention Schedule and Taxonomy I. Departmental Information Practices J. Privacy and Data Protection Level 1: Ad Hoc, Manual, Unstructured Define retention periods only for physical records. No knowledge of actual procedures; no inventory of information capturing location, use, or value. Each country and business keeps a list of applicable privacy rules. Implementation is done locally and informally. Level 2: Manual, Structured Updated retention schedule for physical and electronic records. Conduct inventory of departmental practice and information. Network of records coordinators exists but is focused on physical records management. Privacy and data protection requirements are tracked in the privacy office and corporate policies are published on the intranet; implementation decisions are left to local business and system owners. Level 3: Semi-Automated, Siloed Established retention periods for all information, define country/ jurisdiction specific schedules (without over- or under-retention of records). Departmental records coordinators work with their line of business to define what information is of value for how long and where it is retained; this feeds more comprehensive retention schedules that incorporate business value in addition to regulatory requirements. Enable change request workflow to master schedule and department/country schedules to encompass retention and disposition of all information. There is an accurate catalog of privacy laws and policies by country accessible to privacy. Policy communications are routine and semi-automated to records, business, and system stakeholders. Critical systems are provisioned with some privacy controls. Level 4: Automated and Full Integrated Across Functions Value-based retention schedules are published appropriate for business, country operations. Library of country protocols for discovery, privacy, retention. Schedules align with and are systematically used to dispose of production and backup data whether structured, unstructured, electronic, physical, record or business information. Level 3 capabilities. Retention schedules are automatically executed across information environment. Cost and benefit are weighed in determining retention periods and the enterprise impact is considered. Schedule changes are syndicated to IT, systems directly and department delegates when business objectives or laws change. Legal, IT, and department delegates continually assess accurate retention schedules, legal holds, privacy procedures. Level 3 capabilities. Systems are provisioned with access, masking, and controls to protect privacy; information stakeholders in business, legal, and IT have access to privacy constraints in real time; changes in law are applied to protocols within 7 days; litigation has access to current privacy law and protocol and factors law into evidence collection/ analysis plan; process is audited. Level 3 capabilities. Source: Compliance, Governance and Oversight Council (CGOC) 14 International Organization of Standardization (ISO) LEGAL ISO Information and documentation Records management ISO Information and documentation Principles and functional requirements for records in electronic office environments IA IT CPO BU RIM 15 6

7 MIKE2.0 MIKE2.0, Method for an Integrated Knowledge Environment, Open-source methodology for Enterprise Information Framework for information management best practices linked into common business issues and technology-specific solutions. Its scope covers the complete information supply chain within an organization: from how it is created, accessed, presented and used in decision-making to how it is kept secure, stored and destroyed Source: Mike2.0, Wikipedia. Retrieved September 18, MIKE2.0 Core Solutions MIKE 2.0 Core Solutions Business Intelligence Information Asset Access, Search, and Delivery Enterprise Data Enterprise Content IM Strategy Architecture Governance Enterprise Performance Information Lifecycle Enterprise Portals & Information Delivery Data Warehousing Document Information Governance Operational Business Intelligence Information Security Enterprise Search Master Data Records, Contracts, and IP SOA, EII, and Model- Driven Architecture Predictive Analytics Metadata, Taxonomy, Cataloging Mobile Device Access Customer Data Integration ERP Document Integration Enterprise Data Strategy Composite Solutions Information Strategy Data-Driven IT Transformation Information Sharing Enterprise 2.0 Governance 2.0 Agile Information Development Open Sustainability Workflow Information Data Center Access Monitoring and Control Data Quality Improvement Data Migration Digital Asset Web Content Collaboration, COI, and Knowledge Capture Enterprise Content Strategy Enterprise Information Assessment IM COE & Shared Services Model Information System Usability Source: Mike2.0, mike2.openmethodology.org. Retrieved September 18,

8 MIKE2.0 Business Plan / Project Plan PHASE 1: Business Assessment and Strategy Definition Blueprint Activity 1: Strategic Mobilization 1.1 Objective 1.2 Major 1.3 Tasks Conduct Initial Direction Setting with Sponsor Meet with Key Stakeholders Begin Collection of Artifacts Understanding Current State of Project Activities Establish Charter for Information Plan Introduce Overall MIKE2.0 Program Plan 1.4 Core Support Assets 1.5 Yellow Flags 1.6 Key Resource Requirements Source: Mike2.0, mike2.openmethodology.org. 10 Retrieved September 18, 2012 MIKE2.0 Usage Model Source: Mike2.0, mike2.openmethodology.org. Retrieved September 18,

9 An Information Governance Program Case Study: ERAN Services, Inc. 16 ERAN Services Program Roadmap Establish an Overall Governance Structure Identify Relevant Laws, Regulations, and Legal Consideration Assess Information Governance Program Determine Components of a Compliant, Legally-Sufficient IG Program Assure that information governance strategies and initiatives are developed, implemented, and maintained by cross functional teams that report to senior leadership. Delineation of the goals of Information Governance at ERAN Services. Documented governance structure including mission, vision, and roles and responsibilities. Appointment of qualified employees to identified roles and teams. Understand the legal requirements placed on ERAN Services regarding the manner which it must manage and protect its business information. Current inventory of laws, regulations, and legal considerations related to information governance and how they apply to ERAN Services. Assessment of the impact the legal requirements have on operations of the company. Recognize ERAN Services current information governance strengths and gaps. Collection of reports containing the findings when current state is assessed against models (e.g., GARP, CGOC, and MIKE2.0). Documented strategy for addressing each of the gaps going forward. Assure that the ERAN Services information Governance Program meets the definition of legal sufficiency and that it incorporates the necessary elements (e.g., data privacy, information retention management, data quality management, and copyright). Diagram of the elements of an Information Governance Program and how they interrelate. NOTE: This component must take into consideration the governance structure Assign Responsibility for Individual Program Components Develop / Update and Implement Policies, Standards, and Processes Purchase, Implement, and Maintain Supporting IG Technology Monitor and Audit Performance Ensure that components of Information Governance Program are properly staffed by dedicated employees and crossfunctional teams. Organizational chart depicting primary program components and assigned teams/individuals. Ensure that ERAN Services maintains a corporate stance on the essential nature and value of information Ensure that stakeholders understand their obligations and provide guidance to assist them in meeting Program requirements. Inventory and assessment of current information governance related policies, standards, and processes. Published complete and up to date policies, standards, and processes, both enterprisewide and for individual business unit. Facilitate information governance strategies and practices through the purchase, implementation, and maintenance of an appropriate computing infrastructure. o Documented technology strategic plan based on input from Legal/Compliance, IT, and Records and Information and approved by senior leadership representing key stakeholders. o Project plans for each approved initiatives. Assure that the ERAN Services Information Governance Program is effective and efficient. o Documented audit protocols for audits conducted by internal resources. o Contracts with contracted third parties for evaluations of the Information Governance Program by external firms. Develop Knowledgeable Stakeholders Within a Supportive Corporate Culture and Deploy Communication and Training Develop a corporate culture that supports information governance as a core value. Assure that employees and contracted third parties are knowledgeable about their obligations as well as the strategies/process to meet those obligations. Communication strategy and plan regarding information governance that is segmented by audience. Training that is segmented by audience. 18 9

10 ERAN Services Organizational Structure COMPLIANCE AND GOVERNANCE COUNCIL Compliance Managers and Directors Information Governance Executive Council Compliance Risk Teams Environmental Safety and Health Securities Trading Information Governance Copyright Employment Law Electronic Content Strategy Team Data Privacy Governance Team etc. Records and Information Leadership Team. etc. Direct report Communication 19 ERAN Services GARP Program Assessment Accountability Transparency Integrity Protection Compliance Availability Retention Disposition INFORMATION GOVERENCE THEME 1. Governance Structure / Strategy Laws and Regulations Inventory Information Governance Policies / Standards and Procedures Retention Schedule 4 3* 1** 2 5. Copyright Compliance Data Privacy Litigation Support Records Processes Corporate Archives Vital Records and Business Continuity Technology 2 3 Average Maturity Score # Physical Records ** Electronic Records 21 10

11 ERAN Services Information Governance Model LEGAL / COMPLIANCE RIM IT, Law, Regulations, Legal Considerations BUSINESS UNIT Create, Access, Use, Maintain, Dispose System / Application Governance Repository Governance (SharePoint, Documentum, etc. Protection (Privacy and Confidentiality) Information Organization and Taxonomy Information Retention / Disposal Policies, Standards, Processes Reliability, Authenticity, Integrity, Usability Information Ownership 17 ERAN Services Program Elements Information Governance Legal and Regulatory Requirements Corporate Policies and Standards Industry Standards Program Elements Copyright Compliance Data Privacy / Confidentiality Litigation Support Records Vital Records Protection and Recovery Corporate Archives Processes and Recordkeeping Systems Classification / Naming Migration Protection / Recovery Retention Organization / Search Security / Access Preservation Storage Disposal Taxonomy / File Plan Business Rules Metadata Computing Infrastructure 20 11

12 MIKE2.0 Core Solutions MIKE 2.0 Core Solutions Business Intelligence Information Asset Access, Search, and Delivery Enterprise Data Enterprise Content IM Strategy Architecture Governance Enterprise Performance Information Lifecycle Enterprise Portals & Information Delivery Data Warehousing Document Information Governance Operational Business Intelligence Information Security Enterprise Search Master Data Records, Contracts, and IP SOA, EII, and Model- Driven Architecture Predictive Analytics Metadata, Taxonomy, Cataloging Mobile Device Access Customer Data Integration ERP Document Integration Enterprise Data Strategy Composite Solutions Information Strategy Data-Driven IT Transformation Information Sharing Enterprise 2.0 Governance 2.0 Agile Information Development Open Sustainability Workflow Information Data Center Access Monitoring and Control Data Quality Improvement Data Migration Digital Asset Web Content Collaboration, COI, and Knowledge Capture Enterprise Content Strategy Enterprise Information Assessment IM COE & Shared Services Model Information System Usability Source: Mike2.0, mike2.openmethodology.org. Retrieved September 18, Take Home Message Information Governance is just another important type of governance. There are resources available to help you get started. Like many of these efforts, it won t be perfect the first time. It s the journey that is important both as evidence that your organization takes information governance seriously and to reap the benefits that an information governance program provides

13 Sources and Additional Reading Corporate Governance Oversight Council, Information Lifecycle Governance Leader Reference Guide, 2012 KMWorld, Best Practices in Information Governance & Compliance, MIKE2.org Peter Beijer, Information governance: beyond risk and compliance, PrimaVera Working Paper Series, Universiteit van Amsterdam, Michiel Kooper, Rik Maes, and Edo Roos Lindgreen, Information governance: In search of the forgotten grail, PrimaVera Working Paper Series, Universiteit van Amsterdam, Economist Intelligence Group, The future of enterprise information governance, The Economist, The State of Queensland (Department of Public Works), Queensland Government Information Policy Framework Definitions, Food for Thought Let your Eminence give orders throughout each and every province that a public building be allocated, in which building the magistrate is to store the records, choosing someone to have custody over them so that they may remain uncorrupted and may be found quickly by those requiring them, and let there be among them an archives, and let that which has been neglected in the cities be corrected. -Emperor Justinian I (reigned CE) (quoted by Baldassare Bonifacio, De Archivis, 1632) 24 13

14 Contact Information Maggi Johnsen, CRM Southern Company Services, Inc. 30 Ivan Allen Boulevard Atlanta, GA (404)