New 2011 Report!

Information Governance
Fundamentals, Best Practices & Implementation Issues
A Management Primer

Including:
Information Governance Framework
Information Governance Maturity Models
E-Document Security
SharePoint 2010 Information Governance

by Robert F. Smallwood, MBA

Information Governance Primer 2011 R. F. Smallwood Do Not Copy
Who we are

IMERGE Consulting is North America's largest and most experienced team of experts in the fields of enterprise content management (ECM) and business process optimization. IMERGE is also a leading provider of education courses in records management, electronic document capture and e-discovery. IMERGE has offices in major cities including Boston, San Francisco, Toronto, Chicago, Houston, Los Angeles, Minneapolis, Seattle, New Orleans and Washington, DC.

Our track record speaks for itself: We have completed more successful projects, published more articles and given more expert presentations than any other enterprise content management consulting firm in the world. Learn more about us at imergeconsult.com or contact an IMERGE professional today to discuss putting our expertise to work for you.

About the Author

Robert Smallwood, MBA, Master of Information Technology, Laureate of Information Technology, is a founding Partner of IMERGE Consulting and has been recognized as one of the industry's 25 Most Influential People and Top 3 Independent Consultants by KM World magazine. Some of his past organizations include Bank of America, AT&T, Xerox and IBM. He has published more than 100 articles and given more than 50 conference presentations on document, records and content management. He is the author of the book Taming the Email Tiger, and several others.

Disclaimer

The references provided in this book should not be considered legal advice and are provided only as a resource and starting reference point to give further foundation to your own research. All cited references should be verified and updated with your own organization's legal counsel and findings as applicable.
Information Governance
A Management Primer

Table of Contents

Executive Summary
Information Governance Defined
WikiLeaks: A Basic Failure in IG
EU Warns of Cloud Use for Sensitive Data
Corporate and Industrial Espionage to Rise In 2011
Alarming Breaches of Confidential Patient Data
Data Breaches: Who is to Blame?
6 Consequences of Not Employing E-Document Security
8 Reasons Why IG Makes Sense
Impact of a Successful IG Program
Information Governance Framework
4 Key Components of an IG Framework
Critical Factors in an IG Program
IG is a Moving Target
ARMA Maturity Model of Information Governance
MIKE Information Maturity Model
How Should IG Be Implemented?
Who Should Determine IG policies?
Governance Features in SharePoint 2007
Applied SharePoint 2010 Governance
Protecting E-Documents Inside & Outside of an Enterprise
Limitations of Current e-document Security
A Quick Primer on Information Rights Management Capabilities
10 Legal, Regulatory, and Business Reasons to Archive Email
3 Best Practices for Email Record Management
Are All Emails a Record?
How Long Should You Keep Old Email?
Destructive Retention of Email
5 Characteristics of Reliable Email Evidence
5 Risks of Corporate IM Use
How to Offset IM Security Risks
5 Key Characteristics of IMs as Reliable Legal Evidence
5 Best Practices for Business IM Use
8 Tips for Safer IM
5 Ways to Control Business IM Use
Regulations Related to Records Management
Glossary of Terms
Executive Summary

Information Governance (IG) is an emerging multidiscipline field which is still being defined, but it has gained traction in the last several years, appearing more and more on executives' radar. It is an all-encompassing term for how an organization is going to manage the totality of its information. Specific policies apply to specific information and document types. IG is a subset of corporate governance, which has been around as long as corporations have been around, and it draws on IT governance, but it goes much further. IG is the set of policies, procedures and controls to manage information in compliance with external regulatory requirements and internal governance frameworks.

With the revelations of the WikiLeaks scandal, the security of electronic documents and records is a critical issue on managers' minds, and this report presents the use of information rights management and information governance to create and enforce security policies.

More and more organizations are looking at systematic ways in which they can manage their information. One way that can make a real difference is by adopting an Information Governance Framework (IGF). [1] An Information Governance Framework brings together all the requirements, standards and best practices that apply to the management of information. It can help you assess how well your organization manages the information it creates.

The Maturity Model for Information Governance begins to paint a more complete picture of what effective information governance looks like. It is based on the eight Generally Accepted Recordkeeping Principles (GARP) from ARMA International, as well as a foundation of standards, best practices, and legal/regulatory requirements. The maturity model goes beyond a mere statement of the principles by beginning to define characteristics of various levels of recordkeeping programs.
The need for IG is increasing, based on the growth of theft and misuse of internal documents and communications. Organizations should reevaluate IG policies and their internal processes following any security breach or theft.

This Management Primer will assist senior managers, records managers, IT managers, compliance managers and others involved in electronic records and e-discovery implementations in making intelligent, informed decisions.

[1] http://adventuresinrecordsmanagement.blogspot.com/2007/11/information-governance-framework.html
Information Governance Defined

Information is the lifeblood of any modern-day business. Companies succeed or falter based on the reliability, availability, and security of their information. But are most companies properly governing how their information is used, shared, and analyzed? [2]

The information that companies are busily generating, collecting, and mining offers a wealth of potential benefits. However, its use carries substantial risks. As a result, some organizations are forming formal governance bodies to create strategies, policies, and procedures surrounding the distribution of information inside and outside the firm.

Information Governance is an emerging multidiscipline field which is still being defined, but it has gained traction in the last several years, appearing more and more on executives' radar. It is an all-encompassing term for how an organization is going to manage the totality of its information. Specific policies apply to specific information and document types. IG is the set of policies, procedures and controls to manage information in compliance with external regulatory requirements and internal governance frameworks.

IG is a hybrid field, using a set of multidisciplinary methods and technologies to support an organization's operational and compliance requirements. IG includes elements of records management, IT governance, corporate governance, information security and privacy, enterprise content management, and knowledge management. This means that it also includes subcategories such as document management, email archiving, e-discovery, enterprise search, and business continuity/disaster recovery.

What is information governance? There's no single answer to that question.
At a high level, information governance encompasses the policies and technologies meant to dictate and manage what corporate information is retained, where and for how long, and also how it is retained (e.g., protected, replicated and secured). Information governance spans retention, security and lifecycle management issues. [3]

[2] http://www.emc.com/leadership/business-view/future-information-governance.htm
[3] http://blogs.the451group.com/information_management/2009/08/05/the-rise-of-information-governance/
Simply put, information governance is the way in which an organization handles, uses and manages its information in an efficient, effective and secure manner to meet all the appropriate ethical, legal and quality standards. [4]

According to Gartner Group, information governance is the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals. [5]

Industry expert Barclay T. Blair of ViaLumina Group defines the Information Governance (IG) market as the market for goods and services designed to help organizations manage their information in accordance with externally or internally defined criteria. [6] Although IG is most commonly associated with externally mandated criteria (such as laws, regulations, etc.), it is equally important to recognize that internally derived criteria (such as providing better customer service, faster time to market, etc.) also provide significant IG drivers. Blair goes on to explain that IG is a relatively new term for which the precise meaning is still being shaped by the market and those that promote its use.
[4] http://adventuresinrecordsmanagement.blogspot.com/2007/11/information-governance-framework.html
[5] http://blogs.gartner.com/debra_logan/2010/01/11/what-is-information-governance-and-why-is-it-so-hard/
[6] http://vialumina.com/our-services/what-is-information-governance/ retrieved 3-15-2011

However, it is clear that the term incorporates (in whole or in part) concepts from disciplines such as:

- Records Management
- Compliance
- Information Management
- IT Governance (such as COBIT and ITIL)
- Corporate Governance (such as COSO, SOX, PCAOB Standards)
- Information Security/Information Protection
- Privacy
- Enterprise search, portals, and knowledge management
- Enterprise content management
- Document management
- Archiving
- Business continuity, backup and disaster recovery
- E-Discovery

This is why IG is a multidisciplinary pursuit. [7]

IBM Corporation states that Information Governance offerings establish sustainable management of information quality, master the complete lifecycle of information and secure and protect privacy across all types of information projects. [8]

Effective information governance can enhance the quality, availability and integrity of a company's critical data. Organizations are beginning to adopt information governance, which can be thought of as a quality-control discipline for managing, using, improving and protecting information. [9] It fosters cross-organizational collaboration and structured policy-making and balances factional silos, directly impacting the four factors that an organization cares about most: increasing revenue, lowering costs, reducing risks and increasing data confidence. Information governance is a holistic approach to managing and leveraging information for business benefits and encompasses information quality, information protection and information life cycle management. With information governance, organizations achieve many goals, from improving decision making to simplifying and strengthening regulatory compliance. [10]

IG is a subset of corporate governance, which has been around as long as corporations have been around, and it draws on IT governance, but it goes much further. So IG is expansive and amorphous and difficult to get one's arms around, but the key is that IG involves creating, maintaining and monitoring policies for the use of information, including unstructured information such as electronic documents, to meet external compliance demands and internal governance controls.
[7] http://vialumina.com/our-services/what-is-information-governance/ retrieved 3-15-2011
[8] http://www-01.ibm.com/software/info/itsolutions/information-governance/
[9] http://www.ctoedge.com/content/three-steps-trusting-your-data-2011
[10] http://www.ctoedge.com/content/three-steps-trusting-your-data-2011