21st Century Best Practices for Information Governance & Policies
Presented by: John Isaza, CEO, Information Governance Solutions, LLC; Partner, Rimon PC
ARMA NOVA Chapter
Friday, February 28, 2014, 12:30 to 1:30 p.m.

PRESENTATION TOPICS
- Why update policies?
- The Old Paradigm
- 21st Century Policies
- Other Policies Affected

PART 1: Why Update Policies?
Changing Role of Records Managers
- Job description calls for management of records irrespective of medium
- Job descriptions most often include a role in ediscovery
- BIA informal survey of 200 CIOs: approx. 70% looking for RIM expertise when hiring for IT positions

Role of Records Managers (cont'd)
- Records managers are becoming Information Process Managers
- The increased profile of Records Managers has raised their ethical duty of care based on RIM expertise
IG Is More than RIM
- Information Governance is how you align your use of information to your purpose.
- You need to establish the purpose for using information, define how you use it, and align that use to the purpose.
- Some overlooked areas to consider in IG include:
  - Metadata Management
  - Audit
  - Big Data
  - Predictive Analytics
  - Publication & Disclosure
Source: Frank Lambert, CMO at IGS

Gartner Definition of IG
- The specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information.
- Includes: 1) the processes, 2) roles and policies, 3) standards and 4) metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.

Technological Changes
- Not just records management:
  - Imaging
  - Boxes
  - Tapes
- Must manage information systems:
  - Enterprise systems
  - Cloud
  - Email
  - BYOD
  - Shared drives
Changing Domestic Legal Landscape
- Ediscovery & case law: proposed revisions to FRCP
- Focus on compliance, accountability, & transparency: S-Ox
- Massive new regulations: Dodd-Frank, ObamaCare
- Data protection & privacy concerns: HIPAA, U.S. patchwork of regulations

Global Concerns
- Forrester Global Heat Map (privacy & data protection by country)
- e.g., U.K. Data Protection Act
PART 2: The Old Paradigm for Policies

Less Is More?
- Some GCs have taken the position that the policy statement should be very high level
- But:
  - Nothing more than mission statements
  - No real guidance; they do not tell personnel what to do

The Kitchen-Sink Approach
- Other GCs (the minority) want it all in a single document
- But:
  - Difficult to adapt to changes
  - Too many details; difficult to follow and enforce at the policy level
Ignorance Is Bliss
- Still others (the very small minority) would prefer to avoid the issue altogether
- Hope that other IT or HR policies will capture information governance
  - "Hope is our strategy" (revealed during a Principles-based assessment)
- Information governance is too daunting
- Information governance is too high profile

PART 3: 21st Century Policies
Best Practices
- The policy document says what to do; procedures say how to do it

Overview Section: Statement of Intent
- This Policy supports the Company's commitment to create and follow standard and good faith business practices for administering records, records retention, and information management throughout the Company

Responsibilities
Responsibilities for this Policy
- Global Records Manager and Law Department:
  - Own, author, and administer the document on behalf of the Company
  - Review the document as needed for changes in laws
  - Revise the document promptly when appropriate
  - Initiate disciplinary measures when it is not followed to its intent
Responsibilities (cont'd)
Responsibilities for this Policy
- Each employee is responsible for knowing and following this Policy

Table of Contents
- This document contains the following topics: [option: link each title to topic location]
  - Ownership and responsibilities for Company information
  - Definition of and requirements for non-record information
  - Definition and examples of records
  - Records Retention Schedule (RRS)

Table of Contents (cont'd)
  - Requirements for records retention and disposal
  - Requirements for storage of inactive physical records & historical archives
  - Definition and importance of legal holds
  - Requirements for retaining information subject to legal hold
Section I: Ownership of and Responsibilities for Company Information
- Information defined
- Ownership of information
- Responsibilities for information
- Removal & return of information
- Records custodian defined
- Records custodian responsibilities
- Responsibilities of departments

Information Defined
Information of the Company:
- Records, data, content, and physical artifacts of the Company
- Information created or stored by an employee using Company resources or networks
- Information created by third parties, such as contractors, suppliers, and vendors hired by the Company, as addressed during contract negotiations and governed by contractual provisions consistent with this Policy

Section II: Non-Records, Option 1
Definition: Information Lifecycle
- A model that defines three states for information received by the enterprise, from its creation or reception to its final disposition
Information Lifecycle Model
[Diagram: Information Lifecycle]
- Three states for information: Temporary, Work-In-Progress, and Record

Section II: Non-Records, Option 2
Definition: Non-Record
- Non-record refers to Information of the Company that does not become a Record.

Examples of Non-Records
- Internal duplicates
- Convenience copies
- Communications that have no continuing business value
- Notes, work-in-progress files, and drafts that are not the final versions
- Books, periodicals, catalogs, and other publications or library materials acquired solely for reference purposes
Non-Record Timeframe

Section III: The RRS
- Definition of RRS
- Location
- Who must follow
- Responsibilities
- Definition of indefinite
- Start of retention periods

Section IV: Requirements for Retention & Disposal
- Conflicts between retention periods
- Manner of disposal
Section V: Storage of Inactive Physical Records & Historical Archives
- Definition of inactive physical records
- Disposal date
- Historical archives
- Disaster recovery distinguished

Section VI: Legal Holds
- Definition
- Reasons for legal holds
- Who issues or lifts
- Importance of legal holds

PART 4: Other Policies Affected
Consider Effect on the Following
- Termination of employees, devices, & their data
- Audit policies & procedures
- Data privacy
- Violation of policy

Recommended Procedures
- Conducting RRS updates
- Legal holds
- Information security classifications
- Voice and electronic mail
- Vital records
- Disaster recovery
- Storage and retrieval
- Historical archives
- Department records coordinator roles & responsibilities

John Isaza, Esq., FAI
Information Governance Solutions, LLC
Your First Line of Defense in Information Management
Office: (844) Info Gov x 102
Cell: (949) 632 3860
John@InfoGovSolutions.com