In order to have a successful IG program, one of the eight (8) Information Risk Planning and Management steps is to develop metrics and measure results. Why are metrics required? Briefly provide your explanation.
ITS 833 – INFORMATION GOVERNANCE
Chapter 5
Strategic Planning and Best Practices for Information governance
Dr. Omar Mohamed
Copyright Omar Mohamed 2019
CHAPTER GOALS AND OBJECTIVES
Be able to explain the general steps required in the strategic planning for an IG Plan
Be able to identify key Best Practices as they relate to strategic planning for an IG Plan
First Step in Strategic Planning for Information Governance Program
Secure commitment/sponsorship of executive management
Resource acquisition
Time
Labor/Manpower
$$$
Accountability
But who?
Suggested: Chief compliance officer, Chief Information Officer, Chief Executive Officer
Crucial Roles:
So what is the role of this Executive Sponsor?
Budget
Planning and Control
Decision Making
Expectation Management
Anticipation/Runs Interference for PM
Approval
What is the role of the Project Manager?
Keep Executive Sponsor apprised of progress
Implement/oversee daily tasks
Track detailed progress
Involve Executive Management only when necessary to do so
EVOLVING ROLE OF EXECUTIVE SPONSOR
The Role of the Executive Sponsor will change over the lifecycle of the IG program implementation
Initial involvement requires greater TIME investment by executive management
Early Implementation – Visible and Accessible
Post-Implementation – Responsible for maintenance – ongoing communication with PM
THE IG TEAM
Who Should Be On Your IG Team?
Take a Cross-Functional Approach
Required:
Executive Sponsor
Legal Department or Outside Attorney
IT Department
Senior Records Officer
Risk Management Specialist
IG Program Manager
Elective:
Human Resources
Analyst
Rep from different business units or departments
ASSIGNMENT OF ROLES
AND RESPONSIBILITIES
Executive Sponsor – designation of roles for:
Project Manager
Possibly from Legal, Compliance, Risk management, Records Management or IT
Logically, each IG team member takes responsibility for their functional area of expertise
Pair up team members or assign small work groups
Resulting output of team effort: Final Draft of the IT strategic plan – should be in a form ready to align with the organizational strategic plan
ALIGNMENT OF IG PLAN TO
ORGANIZATIONAL STRATEGIC PLAN
IG Plan MUST support the achievement of the Organization’s business objectives and its strategic plan
IG Plan MUST be integrated with the IT strategy
Decisions must be made with regard to the use of E-Discovery techniques like predictive coding technology in early case assessment and software that uses artificial intelligence
Must take resource allocation into consideration
SURVEY AND EVALUATE
EXTERNAL FACTORS
What External Factors?
IT Trends – What new is coming online? What new is being developed? Which are too risky? What is the plan for long-term digital preservation?
Business Conditions and Economic Environment – Where is the industry/country in the recurring business cycle? What is the state of business conditions in your industry?
Relevant Legal, Regulatory and Political Factors – Identify regulation affecting your industry. What is expected of future and anticipated regulation?
Industry Best Practices – Survey your industry. What is your more progressive competition doing? Will you use 3rd-party consultants?
See Sample IG Best Practices taken from Different areas/industries on page 61-64
FORMULATING THE IG STRATEGIC PLAN
Synthesize Information –
Make the plan relevant to the information. Don’t linger
Develop IG strategy for each critical area
Maintain focus by developing IG strategy without regard to prioritizing critical areas
Prioritize Strategies and map to organizational goals and objectives
Develop Actionable Plans to Support Organizational Objectives and Goals
Develop policies and plans that identify specific tasks and steps, and define roles and responsibilities
Build checks and audits and other testing methods
Create New IG Programs to Support Business Goals and Objectives
Launch new “Sub-Programs” within the IG program
Assign specific employee responsibility to specific tasks
Have defined timeframes for subprograms
Piece together subprograms
Draft IG Strategic Plan and Gain Input from Broader Group of Stakeholders
Get Buy-in and Sign-Off and Execute Plan
Answer questions of top level management
Address concerns
Get them to buy-in to the program and sign off on it
The end
ITS 833 – INFORMATION GOVERNANCE
Chapter 4
Information Risk Planning and Management
Dr. Omar Mohamed
CHAPTER GOALS AND OBJECTIVES
Be able to outline the progressive steps involved in developing an information risk management plan
Know what is meant by “risk” and a “risk profile”
Know the different ways one would go about creating a risk profile
Know how one would go about conducting a risk assessment
Know what an information risk mitigation plan is
What is the purpose of Information Risk Planning?
Identify potential risks to information
Weigh risks against each other
Create strategic plans for risk mitigation
Create policies
Develop metrics
Apply metrics to measure progress
Audit and feedback
Steps in Information Risk Planning and Management
Step 1: Survey and Determine Legal and Regulatory Applicability and Requirements
Step 2: Specify IG Requirements to Achieve Compliance
Step 3: Create a Risk Profile
Step 4: Perform Risk Analysis and Assessment
Step 5: Develop an Information Risk Mitigation Plan
Step 6: Develop Metrics and Measure Results
Step 7: Execute The Risk Mitigation Plan
Step 8: Audit the Information Risk Mitigation Program
Step 1: Survey and Determine Legal and Regulatory Applicability and Requirements
Conduct Legislative Research – Legal requirements trump all other requirements
Identify the jurisdiction(s) where the company operates
Federal
Provincial (international)
State
Municipal
Approaches to legal research for retention, privacy and security laws:
Records retention citation service (Example: FILELAW®)
Use online or print resources (Example: Code of Federal Regulations “CFR”)
Step 2: Specify IG Requirements to Achieve Compliance
Compile list of external compliance requirements
Map data, document, and records to external compliance requirements
Devise a method of keeping legal and records management staff apprised of changes in regulations
Reconcile Internal IG retention requirements with external compliance requirements
Step 3: Create a Risk Profile
“RISK” – Effect of uncertainty on objectives [1]
“RISK PROFILE” – Description of a set of risks [2]
A part of Enterprise Risk Management
Considerations for creating a Risk Profile
Frequency
External Resources
Stakeholders
[1], [2]: “ISO 31000 2009 Plain English, Risk Management Dictionary”, www.praxiom.com/iso-31000-terms.htm
Included in Risk Profile
Identification, documentation, assessment and prioritization of risks that an organization may face in pursuing a business objective
Timeline:
Projections 3 to 5 years into future
Create annually
Updated or reviewed semiannually
Step 3 (Continued)
Types of Risk Profile Methodology
Top-10 List – Simple listing and ranking of the top 10 risks in relation to the objective
Risk Map – Visual tool, easy to grasp; grid depiction of a likelihood axis and an impact axis, generally rated on a 1 to 5 scale
Heat Map – Color-coded matrix generated by stakeholders voting on risk by color (red is highest risk)
Step 3 (Continued)
Information Gathering for Risk Profile
Surveys
Person-to-Person Interviews
Give interviewees questions in advance
Schedule interviews at convenient times and places
Keep interviews as short as possible
Include questions about:
Access and Security policies
Policy development
Policy adherence
Retention of email
Legal Hold policies
Record Retention
Record destruction
Training and Communications
Consider key events and changes that will impact risk
Generate a list of risks and categorize (Example: natural disasters, regulatory, safety, competitive, etc.)
Step 4: Perform Risk Analysis and Assessment
Five steps for Risk Assessment:
Identify the risks – The output of the Risk Profile
Determine Potential Impact – Include calculations for the range of economic impact in dollars where available. Be as specific as possible
Evaluate Risk Levels and Probabilities and Recommend Action – Recommendations for new procedures, new processes, new investments in IT, and other risk mitigation methods
Create a Report with recommendations and implement – Include a risk assessment table where available, include written recommendations, then implement
Review periodically – At least annually, but as appropriate for your organization
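The risk profile methodologies from Step 3 (top-10 list, risk map on a 1 to 5 likelihood and impact grid, heat map) and the risk assessment table from Step 4 are easy to build from one risk register. The following Python is an added example written for this page, not code from the chapter or its author; the sample risks, the dollar estimates and the thresholds used for the red/amber/green bands are constructed assumptions, and an organization would set its own.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    """One entry in the risk register produced by the Step 3 risk profile."""
    name: str
    category: str        # e.g. natural disaster, regulatory, security, legal
    likelihood: int      # 1 (rare) .. 5 (almost certain), per the 1-to-5 risk map scale
    impact: int          # 1 (negligible) .. 5 (severe)
    est_loss_usd: float = 0.0   # economic impact estimate where available (Step 4)

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact are rated on a 1 to 5 scale")

    @property
    def score(self) -> int:
        # Likelihood x impact: the usual way a risk map cell is ranked.
        return self.likelihood * self.impact


def heat_band(score: int) -> str:
    """Heat map colour for a score; thresholds are an assumption, not from the chapter."""
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


def top_n(risks: List[Risk], n: int = 10) -> List[Risk]:
    """Top-10 list methodology: rank by score, break ties on impact, then by name."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.name))[:n]


def risk_map(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Risk map methodology: bucket risk names into (likelihood, impact) grid cells."""
    grid: Dict[Tuple[int, int], List[str]] = {
        (lik, imp): [] for lik in range(1, 6) for imp in range(1, 6)
    }
    for risk in risks:
        grid[(risk.likelihood, risk.impact)].append(risk.name)
    return grid


def render_map(grid: Dict[Tuple[int, int], List[str]]) -> str:
    """Text rendering of the grid: likelihood 5..1 down the side, impact 1..5 across."""
    lines = ["L\\I " + " ".join(f"{imp:^5}" for imp in range(1, 6))]
    for lik in range(5, 0, -1):
        cells = " ".join(f"{len(grid[(lik, imp)]):^5}" for imp in range(1, 6))
        lines.append(f"{lik:^4}" + cells)
    return "\n".join(lines)


def assessment_table(risks: List[Risk]) -> List[dict]:
    """Step 4 risk assessment table: one row per ranked risk, with band and dollar impact."""
    return [
        {
            "risk": r.name,
            "category": r.category,
            "likelihood": r.likelihood,
            "impact": r.impact,
            "score": r.score,
            "band": heat_band(r.score),
            "est_loss_usd": r.est_loss_usd,
        }
        for r in top_n(risks)
    ]


# Constructed sample register (hypothetical figures, for illustration only).
SAMPLE_RISKS = [
    Risk("Unencrypted laptop lost or stolen", "security", 4, 4, 250_000.0),
    Risk("Retention schedule not applied to email", "regulatory", 5, 3, 120_000.0),
    Risk("Data centre flood", "natural disaster", 1, 5, 900_000.0),
    Risk("Missed legal hold on a custodian mailbox", "legal", 2, 5, 400_000.0),
    Risk("Key vendor contract lapses", "competitive", 3, 2, 50_000.0),
    Risk("Untrained staff mishandle records", "training", 4, 2, 30_000.0),
]

if __name__ == "__main__":
    for row in assessment_table(SAMPLE_RISKS):
        print(f"{row['band']:<6} {row['score']:>2}  {row['risk']}")
    print(render_map(risk_map(SAMPLE_RISKS)))
```

Running the block prints the ranked table followed by a 5x5 grid of counts; the same `assessment_table` rows are what would be pasted into the Step 4 report, and rerunning it after each periodic review shows whether mitigation moved a risk out of the red band.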
Step 5: Develop an Information Risk Mitigation Plan
What is a Risk Mitigation Plan?
Plan which includes
Options to reduce specific risks and increase the likelihood of achieving objectives
Tasks to reduce specific risks and increase the likelihood of achieving objectives
Timetable for implementation of risk mitigation measures
Milestones for implementing risk mitigation measures
Timetable/Milestones for IT acquisitions
Timetable/Milestones for assigning roles and responsibilities
Step 6: Develop Metrics and Measure Results
Assign quantitative measures that are
Meaningful
Measure progress
What are relevant metrics? – They must be relevant to your organization. Examples are:
Reduce the data lost on stolen or misplaced laptops and mobile devices by ___% over the prior year
Reduce the number of hacker intrusion events by ___ over the prior year
Reduce e-discovery costs by ___% over the prior year
Reduce the number of adverse findings in the risk and compliance audit by ___% over last year
Provide information risk training to ___% of knowledge-level workers this year
Provide confidential messaging services for the organization’s top ___ executives this year
Step 7: Execute Your Risk Mitigation Plan
Set up regular project/program team meetings
Develop Key Reports on key risk mitigation metrics
Manage the process
Use Project management tools and techniques
Clear and concise communication with the IG team on progress and status
Step 8: Audit the Information Risk Mitigation Program
Key tools in the audit process?
Metrics used to measure risk mitigation effectiveness
Use Audit results for further redevelopment and fine tuning of the risk mitigation program
Don’t misuse the audit results – Don’t use them to beat up on people – Use them for feedback and improvement
The End
ITS833 – INFORMATION GOVERNANCE
Chapter 3 – Information Governance Principles
Dr. Omar Mohamed
CHAPTER GOALS AND OBJECTIVES
Know the 10 key principles of IG
What are the Generally Accepted Recordkeeping Principles®
What is the difference between disposition and destruction
Who should be involved in the information governance development process
Know the 8 GAR principles
Know the 5 GAR Principle Levels
Know which of the four improvement area(s) each of the 8 GAR principles maps to
10 key principles for the IG approach
Executive Sponsorship
Information Policy Development and Communication
Information Integrity
Information Organization and Classification
Information Security
Information Accessibility
Information Control
Information Governance Monitoring and Auditing
Stakeholder Consultation
Continuous Improvement
The Key to Information Governance
Accountability
Often the root of many problems is that no one is held accountable
RECORDKEEPING PRINCIPLES®
Formal Business records account for about 9% of all information in an organization
Formal record keeping allows the organization to demonstrate legal compliance, and applicable standards
Generally Accepted Recordkeeping Principles® were developed in 2009 by ARMA International to foster awareness of good recordkeeping practices
Generally Accepted Recordkeeping Principles®
Accountability
Transparency
Integrity
Protection
Compliance
Availability
Retention
Disposition
GAR Principles Levels
Used to define the characteristics of evolving and maturing Records Management Programs
1. Standard – whether recordkeeping concerns are being addressed
2. In Development – developing recognition that recordkeeping has an impact and would benefit from a more defined IG program
3. Essential – where defined policies and procedures exist that address minimum legal and regulatory requirements but more action is required to improve recordkeeping
4. Proactive – where information governance issues are integrated into business decisions with organization consistently meeting its legal and regulatory obligations
5. Transformational – Integrated IG into corporate infrastructure and business processes to such an extent that compliance is routine
GAR PRINCIPLE 1: ACCOUNTABILITY
RM responsibility at the senior level of executive authority
Understanding of regulatory and legal framework
Responsibility for ensuring that processes, procedures, governance structures and documentation are developed
Development of an organization-wide audit process for all aspects of RM
Reinforce compliance and require accountability
GAR PRINCIPLE 2: TRANSPARENCY
Practices that document processes and promote an understanding of the roles and responsibilities of the stakeholders
Policies are formalized and integrated into business processes
Must be recognized by senior management
Employees must have access to the policies and procedures of RM
Employee training
Documentation in the form of policies, procedures, guidelines, instructions, diagrams, flowcharts, system documentation, user manuals, etc.
GAR PRINCIPLE 3: INTEGRITY
“Record Integrity”: The records are complete and protected from being altered
Record-generating systems and repositories are required to be assessed to determine recordkeeping capabilities
A formalized process is required to be in place for acquiring or developing new systems, as required for lifecycle management of records
Record integrity is confirmed by ensuring that records are created by competent authority based upon established principles
GAR PRINCIPLE 4: PROTECTION
This is where organizations ensure that the records are unaltered through loss, tampering or corruption
Applies to both physical and electronic records
GAR PRINCIPLE 5: COMPLIANCE
There should be a process for development and training in the fundamentals of compliance monitoring
Compliance monitoring involves reviewing and inspecting different facets of records management
Compliance monitoring is carried out by audits, whether by internal audit, external organizations or by records management, and must be performed routinely
GAR PRINCIPLE 6: AVAILABILITY
Process of evaluating how effectively and efficiently records and information are stored and retrieved using the existing equipment, networks and software of the organization
Intended to identify current and future requirements and recommendations for new systems where appropriate
GAR PRINCIPLE 7: RETENTION
This is the function of preserving and maintaining records for continuing use
A retention schedule is created to identify actions needed to fulfill requirements for retention and disposal of records, and to identify and establish authority for employees who will be responsible for retention, destruction and transfer of records
Must identify the scope of the different jurisdictions that impose control over records in each location where the company does business
Includes “records appraisal” – the process of assessing the value and risk of records to determine their retention and destruction requirements – part of the records retention schedule
Record retention period – length of time that records should be retained and the actions taken for them to be destroyed or preserved
Document the research performed to identify jurisdictional and legal requirements for record retention
GAR PRINCIPLE 8: DISPOSITION
Disposition is the last stage in the life cycle of records
When records are required to be retained permanently or on a long-term basis they should be “archived” for preservation
Should be part of the record retention schedule
When destroyed, destruction must be in a controlled and secure manner in accordance with disposal instructions
Document the destruction of records
Maintain an audit trail of the destruction of records
Must have someone designated to oversee the destruction of records
Disposition of records is not the same as destruction of records.
Destruction may be one of the disposal options
Methods of Disposition
Discard – Standard for non-confidential records
Shred – Confidential and sensitive records
Archive – For records retained permanently or for long-term periods
Imaging – Conversion from a physical record to digital images prior to destruction of paper records
Purge – This involves the removal of material based upon specific criteria. Generally applicable to structured database records and applications
Generally Accepted Recordkeeping Principles® maturity model is used to identify a company’s areas in need of improvement.
Principles are mapped to four (4) improvement areas:
Roles and responsibilities
Policies and Procedure
Communication and Training
Systems and automation
MAPPING OF IMPROVEMENT AREAS FOR GENERALLY ACCEPTED RECORDKEEPING PRINCIPLES®
[Matrix: rows are the four improvement areas (Roles and Responsibilities; Policies and Procedure; Communication and Training; Systems and Automation); columns are the eight principles (Accountability, Transparency, Integrity, Protection, Compliance, Availability, Retention, Disposition). The cell markings did not survive extraction.]
WHO SHOULD DETERMINE THE IG POLICIES?
Steering Committee or Board
Headed by executive sponsor
Include cross-functional groups
Key business units
IT
Finance
Risk
Compliance
Records Management
Legal
Training is essential
Review the Sample Assessment Report and Road Map in Table 3.3, Page 36 and 37 of text book
The End