Based on the Chapter 6 lecture, in your OWN opinion, what department or role do you believe should own the IG development policy process? IT? Legal? HR? Risk Management? Records Management? Once the IG policy is developed, what would be your Communication Strategy plan for your organization?
CHAPTER 6
INFORMATION GOVERNANCE
Information Governance Policy Development
ITS 833
Dr. Mia Simmons
Chapter Overview
■ This chapter will cover pages 71-94 in your book.
■ This chapter will cover how to develop an Information
Governance Policy.
– Inform and frame the policy with internal and external
frameworks, models, best practices, and standards—
those that apply to your organization and the scope of its
planned IG program.
Review of Record Keeping
■ Chapter 3 – ARMA International’s eight Generally Accepted
Recordkeeping Principles
1. Accountability
2. Transparency
3. Integrity
4. Protection
5. Compliance
6. Availability
7. Retention
8. Disposition
IG REFERENCE MODEL
IG Reference Model
■ Outer Ring
– An understanding of the business imperatives of the enterprise,
– Knowledge of the appropriate tools and infrastructure for managing
information, and
– Sensitivity to the legal and regulatory obligations with which the
enterprise must comply
For any piece of information you hope to manage, the primary
stakeholder is the business user of that information.
■ Center
– Life-cycle or Work-Flow – information management is important
at all stages of the information life cycle—from its creation through
its ultimate disposition.
Best Practice Considerations
■ IG best practices are evolving and expanding; therefore, they should also be
considered in policy formulation
■ 25 best practices reviewed in Chapter 5
1. IG is a key underpinning for a successful ERM program.
2. IG is not a project but rather an ongoing program.
3. .
4. .
5. .
6. .
24. Some digital information assets must be preserved permanently as
part of an organization’s documentary heritage.
25. Executive sponsorship is crucial
Standards Consideration
■ Two types of standards should be included in policy:
1. De jure (“the law”)
■ published by recognized standards-setting bodies, such as the
International Organization for Standardization (ISO), American
National Standards Institute (ANSI), National Institute of Standards
and Technology (NIST—this is how most people refer to it, as they do
not know what the acronym stands for), British Standards Institute
(BSI), Standards Council of Canada, and Standards Australia.
2. De facto (“the fact”)
■ Not formal standards, but regarded by many as if they were.
They may arise through popular use (e.g., Windows at the business
desktop in the 2001–2010 decade) or may be published by other
bodies, such as the U.S. National Archives and Records
Administration (NARA) or Department of Defense (DoD) for the U.S.
military sector.
Benefits and Risks of Standards
■ Quality assurance support. If a product meets a standard, you can be
confident of a certain level of quality.
■ Interoperability support. Some standards are detailed and mature enough
to allow for system interoperability between different vendor platforms.
■ Implementation frameworks and certification checklists. These help to
provide guides for projects and programs to ensure all necessary steps are
taken.
■ Cost reduction, due to supporting uniformity of systems. Users have lower
maintenance requirements and training and support costs when systems
are more uniform.
■ International consensus. Standards can represent “best practice”
recommendations based on global experiences
Benefits and Risks of Standards
Some Downsides
■ Possible decreased flexibility in development or implementation.
Standards can, at times, act as a constraint when they are tied to older
technologies or methods, which can reduce innovation.
■ “Standards confusion” from competing and overlapping standards. For
instance, an ISO standard may be theory-based and use different
terminology, whereas regional or national standards are more specific,
applicable, and understandable than broad international ones.
■ Real-world shortcomings due to theoretical basis. Standards often are
guides based on theory rather than practice.
■ Changing and updating requires cost and maintenance. There are costs to
developing, maintaining, and publishing standards
Key Standards
■ Risk Management
– ISO 31000:2009 – “principles and generic guidelines” of risk
management that can be applied not only to IG but also to a
wide range of organizational activities and processes throughout the
life of an organization
■ Information Security and Governance
– ISO/IEC 27001:2005 – provides guidance on IG policy development
– ISO/IEC 27002:2005 – establishes guidelines and general principles
for initiating, implementing, maintaining, and improving information
security management in an organization
– ISO/IEC 38500:2008 – is an international standard that provides
high-level principles and guidance for senior executives and
directors, and those advising them, for the effective and efficient use
of IT
Key Standards
■ Records and E-Records Management
– ISO 15489–1:2001 – international standard which identifies the
elements of RM and provides a framework and high-level overview of
RM core principles.
– ISO 30300:2011 – “Information and Documentation—Management
Systems for Records—Fundamentals and Vocabulary”
– ISO 30301:2011 – “Information and Documentation—Management
Systems for Records—Requirements”
Business Continuity Standard
■ ISO 22301:2012, “Societal Security—Business Continuity Management
Systems—Requirements,” spells out the requirements for creating and
implementing a standardized approach to business continuity management
(BCM, also known as disaster recovery [DR]), in the event an organization is hit
with a disaster or major business interruption.
■ Benefits of ISO 22301
– Threat identification and assessment. Discover, name, and evaluate
potential serious threats to the viability of the business.
– Threat and recovery planning, so that the impact of, and the resultant downtime and
recovery from, real threats that do become incidents are minimized.
– Mission-critical process protection. Identifying key processes and taking
steps to ensure they continue to operate even during a business
interruption.
– Stakeholder confidence. Shows prudent management planning and
business resilience to internal and external stakeholders, including
employees, business units, customers, and suppliers.
Policy Components
■ Roles & Responsibilities
– Clear lines of authority and accountability must be drawn, and
responsibilities must be assigned
■ Program Communications & Training
– Identify and segment your stakeholder audiences and customize
or modify your message to the degree that is necessary to
be effective.
– Training should consist of multiple avenues, to reach all employees
■ Program Controls, Monitoring, Auditing, & Enforcement
– Testing and auditing the program provides an opportunity to give
feedback to employees on how well they are doing and to
recommend changes they may make
Chapter Summary
■ The business user is the primary stakeholder of managed
information
■ The IGRM was developed by the EDRM Project to foster
communication among stakeholders and adoption of IG. It
complements ARMA’s The Principles
■ ISO/IEC 27001 and ISO/IEC 27002 are ISMS standards that provide
guidance in the development of security controls
■ The ICA-Req standard was adopted as ISO 16175. It does not contain
a testing regime for certification
■ DoD 5015.2 is the U.S. ERM standard; the European ERM standard
is MoReq2010. Australia has adopted all three parts of ISO 16175 as
its e-records management standard.
■ Communications regarding your IG program should be consistent
and clear and somewhat customized for various stakeholder groups
Information Governance
Chapter 6
Complete Week 5 Objectives