**** Need it by 01/12/2020 7 PM EST****
APA Format NEEDED
In-text Citations
NO PLAGIARISM
SUBJECT: Information Governance
In at least 500 words, discuss two things that you learned from week 1 lecture, discussion questions, and course text.
Refer to the attached PPT and textbook (Chapters 1 & 2)
ITS 833 – INFORMATION GOVERNANCE
Chapter 1 – The Onslaught of Big Data and Information Governance Imperative
Dr. Geanie Asante
Copyright Geanie Asante 2019
CHAPTER GOALS AND OBJECTIVES
Define or identify what is meant by “Big Data”
What are the practical effects and problems associated with Big Data?
Solution to the Big Data problem
Defining Information Governance (“IG”)
Why we do not incorporate IG into everyday business
Advantage of IG
Effects of not incorporating IG
General approach to implementing IG
What is “Big Data”?
It is a business asset capable of being leveraged.
“High-volume, high-velocity and high-variety information that demands cost-effective innovative forms of information processing for enhanced insight and decision making”
A combination of both structured and unstructured data that is so massive that it cannot be processed using today’s database tools and analytical software techniques.
What is the practical effect of “Big Data”?
Whether or not a business enterprise will be able to sustain a competitive advantage will depend on the business’ ability to manipulate the large amount of data in a way that allows it to differentiate itself.
Estimates are that 90% of the data existing today was created over the past two years.
Big Data and related technology and services are projected to grow at a compound annual rate of approximately 27% – leading to new opportunities for data mining and business intelligence.
Issues Related to Big Data
Expense – only about 25% of stored data has real business value, a further 5% must be maintained for legal reasons, and 1% is retained under litigation hold, leaving about 69% with no real value.
A great deal of irrelevant information
Increased storage costs
System failures
Legal costs
Conversion costs
SOLUTION TO BIG DATA PROBLEMS?
Information Governance
Rigid
Enforced
Creates a smaller “information footprint”
Allows businesses to more easily find what they need and derive business value from it
So…What is “Information Governance”?
It is a discipline that emerged out of necessity…
Subset of corporate governance
Merged from records management, content management, information technology, data governance, information security, data privacy, risk management, litigation readiness, regulatory compliance, data preservation and business intelligence
It is the way by which an organization manages the totality of its information
A strategic framework composed of standards, processes, roles, and metrics that hold organizations and individuals accountable to create, organize, secure, maintain, use and dispose of information in ways that align with and contribute to the organization’s goals. (Association of Records Managers and Administrators, Glossary of Records and Information Management Terms, 4th Ed., 2012, TR 22-2012)
WHY INCORPORATE “IG”?
We can’t keep everything forever
We can’t throw everything away
E-discovery
Employees want it
It improves information delivery and improves productivity
It does not get easier to do over time
Legal requirements
Helps mitigate information management risk
E-mail
WHY DON’T WE INCORPORATE “IG”?
Cost
Lack of understanding
Lack of support from top
FAILURES OF INFORMATION GOVERNANCE?
Theft of valuable information
Inability to protect personal, private information
Breaches in legal requirements
Loss of trade secrets
Public reputation damage
Approaches to Implementing IG
Form proper IG policies first
Review existing policy…if any
Implement an awareness policy
Develop an approach
Project approach vs. Strategic program
Identify governance body or steering committee
Apply appropriate technologies for enforcement
Thank You
ITS 833 – INFORMATION GOVERNANCE
Chapter 2 – Information Governance, IT Governance, Data Governance: What’s the Difference?
Dr. Geanie Asante
CHAPTER GOALS AND OBJECTIVES
Distinguish between Data Governance, Information Governance and Information Technology Governance and be able to define or explain each
How to increase the likelihood of success of a data governance program
Identify IT Governance Frameworks
Identify the impact of a successful IG program
What is “Data Governance”?
Includes processes and controls to ensure that information at the data level (raw data) is true, accurate and unique.
Involves data cleansing and de-duplication
Focus is on information quality
Hybrid quality control discipline
Data quality
Data management
IG policy development
Business process improvement
Compliance
Risk Management
How can you improve data governance success?
Identify a measurable impact
Assign accountability for data quality to a business unit
Recognize the uniqueness of data as an asset
Forget the past: use a forward-going strategy
Manage the change
WHAT IS INFORMATION TECHNOLOGY GOVERNANCE?
Primary way that stakeholders can ensure that investments in IT create business value and contribute to business objectives
Function to improve IT performance and deliver optimum business value and ensure regulatory compliance
Focus is on making IT efficient and effective
IT Governance Framework(s)
CobiT® – Control Objectives for Information and Related Technology
ValIT®
ITIL
ISO/IEC 38500:2008
CobiT®
Three Basic Organizational Levels/Responsibilities
Board of Directors and Executive Management
IT and Business Management
Line-Level Governance
Divided into four (4) IT Domains
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate
Includes 34 processes and 210 Control Objectives
Compatible with ISO 17799 and the IT Infrastructure Library (ITIL)
Process oriented IT governance framework
Co-developed by the IT Governance Institute and ISACA
Focus on:
Business Risks
Control Requirements
Compliance
Technical Issues
Under continuous refinement
ValIT®
Value Oriented Framework
Compatible and complementary with CobiT®
Focus is on leveraging IT investments for maximum value
40 Essential Management Practices (same as CobiT® control objectives)
Supports three processes:
Value Governance
Portfolio Management
Investment Management
ITIL – Information Technology Infrastructure Library
Process Oriented
Developed in the United Kingdom
Applicable to both public and private sector
Most widely accepted approach to IT service management in the world
Focus is on providing guidance to organizations on how to use IT as a tool to facilitate business change, transformation and growth
Foundation for ISO/IEC 20000
Five volumes that map the IT service cycle as follows:
ITIL Service Strategy
ITIL Service Design
ITIL Service Transition
ITIL Service Operation
ITIL Continual Service Improvement
ISO/IEC 38500:2008
International Standard
Focus is on high-level principles for senior executives, directors and advisors of IT
Applies to the governance of management processes that are performed at the IT service level
Three main sections:
Scope, Application and Objectives
Framework for Good Corporate Governance of IT
Guidance for Corporate Governance of IT
INFORMATION GOVERNANCE
A part of “Corporate Governance”, which is the highest level of governance of an organization
Processes which are at a higher level than data governance or IT governance
Contains and includes both data governance and IT governance
Approach focuses on controlling the information that is generated by IT systems, rather than the detailed IT or data capture and quality control processes
Goal is to manage and control information assets to lower risk, ensure compliance with regulations and improve information quality and accessibility, while implementing security measures to protect and preserve information that has business value
IMPACT OF SUCCESSFUL INFORMATION GOVERNANCE
Enable the use of common terms across the enterprise
Development of standard definitions and terms
Map information creation and usage: who, which, when, where
Information confidentiality, integrity, validity, accuracy and quality
Harvest and Leverage Information
DIFFERENCES BETWEEN IG, ITG AND DG
Information Governance
Overarching policies and processes to optimize and leverage information while keeping it secure and meeting legal and privacy obligations that are consistent with organizational objectives.
Higher level approach, incorporating IT Governance and Data Governance
IT Governance
Following established frameworks and best practices to gain the most leverage and benefit from IT investments and support accomplishment of business objectives
Data Governance
Consists of processes, methods, and techniques to ensure that data is of high quality, reliable and unique, so that its results are trusted and accurate
RELATIONSHIP BETWEEN CORPORATE GOVERNANCE, INFORMATION GOVERNANCE, IT GOVERNANCE AND DATA GOVERNANCE
[Figure: nested diagram – Corporate Governance encloses Information Governance, which in turn encloses IT Governance and Data Governance]
Thank You
INFORMATION GOVERNANCE
Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers’ professional and personal knowledge and understanding.
The Wiley CIO series provides information, tools, and insights to IT executives and managers. The products in this series cover a wide range of topics that supply strategic and implementation guidance on the latest technology trends, leadership, and emerging best practices.
Titles in the Wiley CIO series include:
The Agile Architecture Revolution: How Cloud Computing, REST-Based SOA, and Mobile Computing Are Changing Enterprise IT by Jason Bloomberg
Big Data, Big Analytics: Emerging Business Intelligence and Analytic Trends for Today’s Businesses by Michael Minelli, Michele Chambers, and Ambiga Dhiraj
The Chief Information Officer’s Body of Knowledge: People, Process, and Technology by Dean Lane
CIO Best Practices: Enabling Strategic Value with Information Technology (Second Edition) by Joe Stenzel, Randy Betancourt, Gary Cokins, Alyssa Farrell, Bill Flemming, Michael H. Hugos, Jonathan Hujsak, and Karl Schubert
The CIO Playbook: Strategies and Best Practices for IT Leaders to Deliver Value by Nicholas R. Colisto
Enterprise Performance Management Done Right: An Operating System for Your Organization by Ron Dimon
Executive’s Guide to Virtual Worlds: How Avatars Are Transforming Your Business and Your Brand by Lonnie Benson
IT Leadership Manual: Roadmap to Becoming a Trusted Business Partner by Alan R. Guibord
Managing Electronic Records: Methods, Best Practices, and Technologies by Robert F. Smallwood
On Top of the Cloud: How CIOs Leverage New Technologies to Drive Change and Build Value Across the Enterprise by Hunter Muller
Straight to the Top: CIO Leadership in a Mobile, Social, and Cloud-based World (Second Edition) by Gregory S. Smith
Strategic IT: Best Practices for Managers and Executives by Arthur M. Langer and Lyle Yorks
Transforming IT Culture: How to Use Social Intelligence, Human Factors, and Collaboration to Create an IT Department That Outperforms by Frank Wander
Unleashing the Power of IT: Bringing People, Business, and Technology Together by Dan Roberts
The U.S. Technology Skills Gap: What Every Technology Executive Must Know to Save America’s Future by Gary J. Beach
Information Governance: Concepts, Strategies and Best Practices by Robert F. Smallwood
Robert F. Smallwood
INFORMATION GOVERNANCE
CONCEPTS, STRATEGIES AND BEST PRACTICES
Cover image: © iStockphoto / IgorZh
Cover design: Wiley
Copyright © 2014 by Robert F. Smallwood. All rights reserved.
Chapter 7 © 2014 by Barclay Blair
Portions of Chapter 8 © 2014 by Randolph Kahn
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form
or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as
permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior
written permission of the Publisher, or authorization through payment of the appropriate per-copy fee
to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax
(978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should
be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our
Customer Care Department within the United States at (800) 762-2974, outside the United States at (317)
572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included
with standard print versions of this book may not be included in e-books or in print-on-demand. If this book
refers to media such as a CD or DVD that is not included in the version you purchased, you may download this
material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Cataloging-in-Publication Data:
Smallwood, Robert F., 1959-
Information governance : concepts, strategies, and best practices / Robert F. Smallwood.
pages cm. — (Wiley CIO series)
ISBN 978-1-118-21830-3 (cloth); ISBN 978-1-118-41949-6 (ebk); ISBN 978-1-118-42101-7 (ebk)
1. Information technology—Management. 2. Management information systems. 3. Electronic records—Management. I. Title.
HD30.2.S617 2014
658.4’038—dc23
2013045072
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1
For my sons
and the next generation of tech-savvy managers
CONTENTS
PREFACE xv
ACKNOWLEDGMENTS xvii
PART ONE — Information Governance Concepts, Definitions, and Principles 1
CHAPTER 1 The Onslaught of Big Data and the Information Governance Imperative 3
Defining Information Governance 5
IG Is Not a Project, But an Ongoing Program 7
Why IG Is Good Business 7
Failures in Information Governance 8
Form IG Policies, Then Apply Technology for Enforcement 10
Notes 12
CHAPTER 2 Information Governance, IT Governance, Data Governance: What’s the Difference? 15
Data Governance 15
IT Governance 17
Information Governance 20
Impact of a Successful IG Program 20
Summing Up the Differences 21
Notes 22
CHAPTER 3 Information Governance Principles 25
Accountability Is Key 27
Generally Accepted Recordkeeping Principles® 27
Contributed by Charmaine Brooks, CRM
Assessment and Improvement Roadmap 34
Who Should Determine IG Policies? 35
Notes 38
PART TWO — Information Governance Risk Assessment and Strategic Planning 41
CHAPTER 4 Information Risk Planning and Management 43
Step 1: Survey and Determine Legal and Regulatory Applicability and Requirements 43
Step 2: Specify IG Requirements to Achieve Compliance 46
Step 3: Create a Risk Profile 46
Step 4: Perform Risk Analysis and Assessment 48
Step 5: Develop an Information Risk Mitigation Plan 49
Step 6: Develop Metrics and Measure Results 50
Step 7: Execute Your Risk Mitigation Plan 50
Step 8: Audit the Information Risk Mitigation Program 51
Notes 51
CHAPTER 5 Strategic Planning and Best Practices for Information Governance 53
Crucial Executive Sponsor Role 54
Evolving Role of the Executive Sponsor 55
Building Your IG Team 56
Assigning IG Team Roles and Responsibilities 56
Align Your IG Plan with Organizational Strategic Plans 57
Survey and Evaluate External Factors 58
Formulating the IG Strategic Plan 65
Notes 69
CHAPTER 6 Information Governance Policy Development 71
A Brief Review of Generally Accepted Recordkeeping Principles® 71
IG Reference Model 72
Best Practices Considerations 75
Standards Considerations 76
Benefits and Risks of Standards 76
Key Standards Relevant to IG Efforts 77
Major National and Regional ERM Standards 81
Making Your Best Practices and Standards Selections to Inform
Your IG Framework 87
Roles and Responsibilities 88
Program Communications and Training 89
Program Controls, Monitoring, Auditing and Enforcement 89
Notes 91
PART THREE — Information Governance Key Impact Areas Based on the IG Reference Model 95
CHAPTER 7 Business Considerations for a Successful IG Program 97
By Barclay T. Blair
Changing Information Environment 97
Calculating Information Costs 99
Big Data Opportunities and Challenges 100
Full Cost Accounting for Information 101
Calculating the Cost of Owning Unstructured Information 102
The Path to Information Value 105
Challenging the Culture 107
New Information Models 107
Future State: What Will the IG-Enabled Organization Look Like? 110
Moving Forward 111
Notes 113
CHAPTER 8 Information Governance and Legal Functions 115
By Robert Smallwood with Randy Kahn, Esq., and Barry Murphy
Introduction to e-Discovery: The Revised 2006 Federal Rules of
Civil Procedure Changed Everything 115
Big Data Impact 117
More Details on the Revised FRCP Rules 117
Landmark E-Discovery Case: Zubulake v. UBS Warburg 119
E-Discovery Techniques 119
E-Discovery Reference Model 119
The Intersection of IG and E-Discovery 122
By Barry Murphy
Building on Legal Hold Programs to Launch Defensible Disposition 125
By Barry Murphy
Destructive Retention of E-Mail 126
Newer Technologies That Can Assist in E-Discovery 126
Defensible Disposal: The Only Real Way To Manage Terabytes and Petabytes 130
By Randy Kahn, Esq.
Retention Policies and Schedules 137
By Robert Smallwood, edited by Paula Lederman, MLS
Notes 144
CHAPTER 9 Information Governance and Records and Information Management Functions 147
Records Management Business Rationale 149
Why Is Records Management So Challenging? 150
Benefits of Electronic Records Management 152
Additional Intangible Benefits 153
Inventorying E-Records 154
Generally Accepted Recordkeeping Principles® 155
E-Records Inventory Challenges 155
Records Inventory Purposes 156
Records Inventorying Steps 157
Ensuring Adoption and Compliance of RM Policy 168
General Principles of a Retention Scheduling 169
Developing a Records Retention Schedule 170
Why Are Retention Schedules Needed? 171
What Records Do You Have to Schedule? Inventory and Classification 173
Rationale for Records Groupings 174
Records Series Identification and Classification 174
Retention of E-Mail Records 175
How Long Should You Keep Old E-Mails? 176
Destructive Retention of E-Mail 177
Legal Requirements and Compliance Research 178
Event-Based Retention Scheduling for Disposition of E-Records 179
Prerequisites for Event-Based Disposition 180
Final Disposition and Closure Criteria 181
Retaining Transitory Records 182
Implementation of the Retention Schedule and Disposal of Records 182
Ongoing Maintenance of the Retention Schedule 183
Audit to Manage Compliance with the Retention Schedule 183
Notes 186
CHAPTER 10 Information Governance and Information Technology Functions 189
Data Governance 191
Steps to Governing Data Effectively 192
Data Governance Framework 193
Information Management 194
IT Governance 196
IG Best Practices for Database Security and Compliance 202
Tying It All Together 204
Notes 205
CHAPTER 11 Information Governance and Privacy and Security Functions 207
Cyberattacks Proliferate 207
Insider Threat: Malicious or Not 208
Privacy Laws 210
Defense in Depth 212
Controlling Access Using Identity Access Management 212
Enforcing IG: Protect Files with Rules and Permissions 213
Challenge of Securing Confidential E-Documents 213
Apply Better Technology for Better Enforcement in the Extended Enterprise 215
E-Mail Encryption 217
Secure Communications Using Record-Free E-Mail 217
Digital Signatures 218
Document Encryption 219
Data Loss Prevention (DLP) Technology 220
Missing Piece: Information Rights Management (IRM) 222
Embedded Protection 226
Hybrid Approach: Combining DLP and IRM Technologies 227
Securing Trade Secrets after Layoffs and Terminations 228
Persistently Protecting Blueprints and CAD Documents 228
Securing Internal Price Lists 229
Approaches for Securing Data Once It Leaves the Organization 230
Document Labeling 231
Document Analytics 232
Confidential Stream Messaging 233
Notes 236
PART FOUR — Information Governance for Delivery Platforms 239
CHAPTER 12 Information Governance for E-Mail and Instant Messaging 241
Employees Regularly Expose Organizations to E-Mail Risk 242
E-Mail Polices Should Be Realistic and Technology Agnostic 243
E-Record Retention: Fundamentally a Legal Issue 243
Preserve E-Mail Integrity and Admissibility with Automatic Archiving 244
Instant Messaging 247
Best Practices for Business IM Use 247
Technology to Monitor IM 249
Tips for Safer IM 249
Notes 251
CHAPTER 13 Information Governance for Social Media 253
By Patricia Franks, Ph.D, CRM, and Robert Smallwood
Types of Social Media in Web 2.0 253
Additional Social Media Categories 255
Social Media in the Enterprise 256
Key Ways Social Media Is Different from E-Mail and Instant Messaging 257
Biggest Risks of Social Media 257
Legal Risks of Social Media Posts 259
Tools to Archive Social Media 261
IG Considerations for Social Media 262
Key Social Media Policy Guidelines 263
Records Management and Litigation Considerations for Social Media 264
Emerging Best Practices for Managing Social Media Records 267
Notes 269
CHAPTER 14 Information Governance for Mobile Devices 271
Current Trends in Mobile Computing 273
Security Risks of Mobile Computing 274
Securing Mobile Data 274
Mobile Device Management 275
IG for Mobile Computing 276
Building Security into Mobile Applications 277
Best Practices to Secure Mobile Applications 280
Developing Mobile Device Policies 281
Notes 283
CHAPTER 15 Information Governance for Cloud Computing 285
By Monica Crocker, CRM, PMP, CIP, and Robert Smallwood
Defining Cloud Computing 286
Key Characteristics of Cloud Computing 287
What Cloud Computing Really Means 288
Cloud Deployment Models 289
Security Threats with Cloud Computing 290
Benefits of the Cloud 298
Managing Documents and Records in the Cloud 299
IG Guidelines for Cloud Computing Solutions 300
Notes 301
CHAPTER 16 SharePoint Information Governance 303
By Monica Crocker, CRM, PMP, CIP, edited by Robert Smallwood
Process Change, People Change 304
Where to Begin the Planning Process 306
Policy Considerations 310
Roles and Responsibilities 311
Establish Processes 312
Training Plan 313
Communication Plan 313
Note 314
PART FIVE — Long-Term Program Issues 315
CHAPTER 17 Long-Term Digital Preservation 317
By Charles M. Dollar and Lori J. Ashley
Defining Long-Term Digital Preservation 317
Key Factors in Long-Term Digital Preservation 318
Threats to Preserving Records 320
Digital Preservation Standards 321
PREMIS Preservation Metadata Standard 328
Recommended Open Standard Technology-Neutral Formats 329
Digital Preservation Requirements 333
Long-Term Digital Preservation Capability Maturity Model® 334
Scope of the Capability Maturity Model 336
Digital Preservation Capability Performance Metrics 341
Digital Preservation Strategies and Techniques 341
Evolving Marketplace 344
Looking Forward 344
Notes 346
CHAPTER 18 Maintaining an Information Governance Program and Culture of Compliance 349
Monitoring and Accountability 349
Staffing Continuity Plan 350
Continuous Process Improvement 351
Why Continuous Improvement Is Needed 351
Notes 353
APPENDIX A Information Organization and Classification: Taxonomies and Metadata 355
By Barb Blackburn, CRM, with Robert Smallwood; edited by Seth Earley
Importance of Navigation and Classification 357
When Is a New Taxonomy Needed? 358
Taxonomies Improve Search Results 358
Metadata and Taxonomy 359
Metadata Governance, Standards, and Strategies 360
Types of Metadata 362
Core Metadata Issues 363
International Metadata Standards and Guidance 364
Records Grouping Rationale 368
Business Classification Scheme, File Plans, and Taxonomy 368
Classification and Taxonomy 369
Prebuilt versus Custom Taxonomies 370
Thesaurus Use in Taxonomies 371
Taxonomy Types 371
Business Process Analysis 377
Taxonomy Testing: A Necessary Step 379
Taxonomy Maintenance 380
Social Tagging and Folksonomies 381
Notes 383
APPENDIX B Laws and Major Regulations Related to Records Management 385
United States 385
Canada 387
By Ken Chasse, J.D., LL.M.
United Kingdom 389
Australia 391
Notes 394
APPENDIX C Laws and Major Regulations Related to Privacy 397
United States 397
Major Privacy Laws Worldwide, by Country 398
Notes 400
GLOSSARY 401
ABOUT THE AUTHOR 417
ABOUT THE MAJOR CONTRIBUTORS 419
INDEX 421
PREFACE
Information governance (IG) has emerged as a key concern for business executives and managers in today’s environment of Big Data, increasing information risks, colossal leaks, and greater compliance and legal demands. But few seem to have a clear understanding of what IG is; that is, how you define what it is and is not, and how to implement it. This book clarifies and codifies these definitions and provides key insights as to how to implement and gain value from IG programs. Based on exhaustive research, and with the contributions of a number of industry pioneers and experts, this book lays out IG as a complete discipline in and of itself for the first time.
IG is a super-discipline that includes components of several key fields: law, records management, information technology (IT), risk management, privacy and security, and business operations. This unique blend calls for a new breed of information professional who is competent across these established and quite complex fields. Training and education are key to IG success, and this book provides the essential underpinning for organizations to train a new generation of IG professionals.
Those who are practicing professionals in the component fields of IG will find the book useful in expanding their knowledge from traditional fields to the emerging tenets of IG. Attorneys, records and compliance managers, risk managers, IT managers, and security and privacy professionals will find this book a particularly valuable resource.
The book strives to offer clear IG concepts, actionable strategies, and proven best practices in an understandable and digestible way; a concerted effort was made to simplify language and to offer examples. There are summaries of key points throughout and at the end of each chapter to help the reader retain major points. The text is organized into five parts: (1) Information Governance Concepts, Definitions, and Principles; (2) IG Risk Assessment and Strategic Planning; (3) IG Key Impact Areas; (4) IG for Delivery Platforms; and (5) Long-Term Program Issues. Also included are appendices with detailed information on taxonomy and metadata design and on records management and privacy legislation.
One thing that is sure is that the complex field of IG is evolving. It will continue to change and solidify. But help is here: No other book offers the kind of comprehensive coverage of IG contained within these pages. Leveraging the critical advice provided here will smooth your path to understanding and implementing successful IG programs.
Robert F. Smallwood
ACKNOWLEDGMENTS
I would like to sincerely thank my colleagues for their support and generous contribution of their expertise and time, which made this pioneering text possible.
Many thanks to Lori Ashley, Barb Blackburn, Barclay Blair, Charmaine Brooks, Ken Chasse, Monica Crocker, Charles M. Dollar, Seth Earley, Dr. Patricia Franks, Randy Kahn, Paula Lederman, and Barry Murphy.
I am truly honored to include their work and owe them a great debt of gratitude.
PART ONE
Information Governance Concepts, Definitions, and Principles
CHAPTER 1
The Onslaught of Big Data and the Information Governance Imperative
The value of information in business is rising, and business leaders are more and more viewing the ability to govern, manage, and harvest information as critical to success. Raw data is now being increasingly viewed as an asset that can be leveraged, just like financial or human capital.1 Some have called this new age of “Big Data” the “industrial revolution of data.”
According to the research group Gartner, Inc., Big Data is defined as “high-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making.”2 A practical definition should also include the idea that the amount of data—both structured (in databases) and unstructured (e.g., e-mail, scanned documents) is so massive that it cannot be processed using today’s database tools and analytic software techniques.3
In today’s information overload era of Big Data—characterized by massive growth in business data volumes and velocity—the ability to distill key insights from enormous amounts of data is a major business differentiator and source of sustainable competitive advantage. In fact, a recent report by the World Economic Forum stated that data is a new asset class and personal data is “the new oil.”4 And we are generating more than we can manage effectively with current methods and tools.
The Big Data numbers are overwhelming: Estimates and projections vary, but it has been stated that 90 percent of the data existing worldwide today was created in the last two years5 and that every two days more information is generated than was from the dawn of civilization until 2003.6 This trend will continue: The global market for Big Data technology and services is projected to grow at a compound annual rate of 27 percent through 2017, about six times faster than the general information and communications technology (ICT) market.7
Many more comparisons and statistics are available, and all demonstrate the incredible and continued growth of data.
Certainly, there are new and emerging opportunities arising from the accumulation and analysis of all that data we are busy generating and collecting. New enterprises are springing up to capitalize on data mining and business intelligence opportunities. The U.S. federal government joined in, announcing $200 million in Big Data research programs in 2012.8
4 INFORMATION GOVERNANCE
Big Data values massive accumulation of data, whereas in business, e-discovery
realities and potential legal liabilities dictate that data be culled to only that
which has clear business value.
But established organizations, especially larger ones, are being crushed by this onslaught of Big Data: It is just too expensive to keep all the information that is being generated, and unneeded information is a sort of irrelevant sludge for decision makers to wade through. They have difficulty knowing which information is an accurate and meaningful “wheat” and which is simply irrelevant “chaff.” This means they do not have the precise information they need to base good business decisions upon.
And all that Big Data piling up has real costs: The burden of massive stores of information has increased storage management costs dramatically, caused overloaded systems to fail, and increased legal discovery costs.9 Further, the longer that data is kept, the more likely that it will need to be migrated to newer computing platforms, driving up conversion costs; and legally, there is the risk that somewhere in that mountain of data an organization stores is a piece of information that represents a significant legal liability.10
This is where the worlds of Big Data and business collide. For Big Data proponents, more data is always better, and there is no perceived downside to accumulation of massive amounts of data. In the business world, though, the realities of legal e-discovery mean the opposite is true.11 To reduce risk, liability, and costs, it is critical for unneeded information to be disposed of in a systematic, methodical, and “legally defensible” (justifiable in legal proceedings) way, when it no longer has legal, regulatory, or business value. And there also is the high-value benefit of basing decisions on better, cleaner data, which can come about only through rigid, enforced information governance (IG) policies that reduce information glut.
Organizations are struggling to reduce and right-size their information footprint by discarding superfluous and redundant data, e-documents, and information. But the critical issue is devising policies, methods, and processes and then deploying information technology (IT) to sort through which information is valuable and which no longer has business value and can be discarded.
IT, IG, risk, compliance, and legal representatives in organizations have a clear sense that most of the information stored is unneeded, raises costs, and poses risks. According to a survey taken at a recent Compliance, Governance and Oversight Council summit, respondents estimated that approximately 25 percent of information stored in organizations has real business value, while 5 percent must be kept as business records and about 1 percent is retained due to a litigation hold. “This means that [about] 69 percent of information in most companies has no business, legal, or regulatory value. Companies that are able to dispose of this data debris return more profit to shareholders, can leverage more of their IT budgets for strategic investments, and can avoid excess expense in legal and regulatory response” (emphasis added).12
The onslaught of Big Data necessitates that information governance (IG) be implemented to discard unneeded data in a legally defensible way.
With a smaller information footprint, organizations can more easily find what they need and derive business value from it.13 They must eliminate the data debris regularly and consistently, and to do this, processes and systems must be in place to cull valuable information and discard the data debris daily. An IG program sets the framework to accomplish this.
The business environment has also underscored the need for IG. According to Ted Friedman at Gartner, “The recent global financial crisis has put information governance in the spotlight. . . . [It] is a priority of IT and business leaders as a result of various pressures, including regulatory compliance mandates and the urgent need for improved decision-making.”14
And IG mastery is critical for executives: Gartner predicts that by 2016, one in five chief information officers in regulated industries will be fired from their jobs for failed IG initiatives.15
Defining Information Governance
IG is a sort of super discipline that has emerged as a result of new and tightened legislation governing businesses, external threats such as hacking and data breaches, and the recognition that multiple overlapping disciplines were needed to address today’s information management challenges in an increasingly regulated and litigated business environment.16
IG is a subset of corporate governance, and includes key concepts from records management, content management, IT and data governance, information security, data privacy, risk management, litigation readiness, regulatory compliance, long-term digital preservation, and even business intelligence. This also means that it includes related technology and discipline subcategories, such as document management, enterprise search, knowledge management, and business continuity/disaster recovery.
Only about one quarter of information organizations are managing has real
business value.
With a smaller information footprint, it is easier for organizations to find the information they need and derive business value from it.
IG is a subset of corporate governance.
IG is a sort of superdiscipline that encompasses a variety of key concepts from
a variety of related disciplines.
Practicing good IG is the essential foundation for building legally defensible disposition practices to discard unneeded information and to secure confidential information, which may include trade secrets, strategic plans, price lists, blueprints, or personally identifiable information (PII) subject to privacy laws; it provides the basis for consistent, reliable methods for managing data, e-documents, and records.
Having trusted and reliable records, reports, data, and databases enables managers to make key decisions with confidence.17 And accessing that information and business intelligence in a timely fashion can yield a long-term sustainable competitive advantage, creating more agile enterprises.
To do this, organizations must standardize and systematize their handling of information. They must analyze and optimize how information is accessed, controlled, managed, shared, stored, preserved, and audited. They must have complete, current, and relevant policies, processes, and technologies to manage and control information, including who is able to access what information, and when, to meet external legal and regulatory demands and internal governance policy requirements. In short, IG is about information control and compliance.
IG is a subset of corporate governance, which has been around as long as corporations have existed. IG is a rather new multidisciplinary field that is still being defined, but has gained traction increasingly over the past decade. The focus on IG comes not only from compliance, legal, and records management functionaries but also from executives who understand they are accountable for the governance of information and that theft or erosion of information assets has real costs and consequences.
“Information governance” is an all-encompassing term for how an organization
manages the totality of its information.
According to the Association of Records Managers and Administrators
(ARMA), IG is “a strategic framework composed of standards, processes, roles, and
metrics that hold organizations and individuals accountable to create, organize, secure,
maintain, use, and dispose of information in ways that align with and contribute to the
organization’s goals.”18
IG includes the set of policies, processes, and controls to manage information in compliance with external regulatory requirements and internal governance frameworks. Specific policies apply to specific data and document types, records series, and other business information, such as e-mail and reports.
Stated differently, IG is “a quality-control discipline for managing, using, improving, and protecting information.”19
Practicing good IG is the essential foundation for building legally defensible
disposition practices to discard unneeded information.
IG is “a strategic framework composed of standards, processes, roles, and
metrics, that hold organizations and individuals accountable to create, orga-
nize, secure, maintain, use, and dispose of information in ways that align with
and contribute to the organization’s goals.” 20
Fleshing out the definition further: “Information governance is policy-based management of information designed to lower costs, reduce risk, and ensure compliance with legal, regulatory standards, and/or corporate governance.”21 IG necessarily incorporates not just policies but information technologies to audit and enforce those policies. The IG team must be cognizant of information lifecycle issues and be able to apply the proper retention and disposition policies, including digital preservation where records need to be maintained for long periods.
IG Is Not a Project, But an Ongoing Program
IG is an ongoing program, not a one-time project. IG provides an umbrella to manage and control information output and communications. Since technologies change so quickly, it is necessary to have overarching policies that can manage the various IT platforms that an organization may use.
Compare it to a workplace safety program; every time a new location, team member, piece of equipment, or toxic substance is acquired by the organization, the workplace safety program should dictate how that is handled. If it does not, the workplace safety policies/procedures/training that are part of the workplace safety program need to be updated. Regular reviews are conducted to ensure the program is being followed and adjustments are made based on the findings. The effort never ends.22 The same is true for IG.
IG is not only a tactical program to meet regulatory, compliance, and litigation demands. It can be strategic, in that it is the necessary underpinning for developing a management strategy that maximizes knowledge worker productivity while minimizing risk and costs.
Why IG Is Good Business
IG is a tough sell. It can be difficult to make the business case for IG, unless there has been some major compliance sanction, fine, legal loss, or colossal data breach. In fact, the largest impediment to IG adoption is simply identifying its benefits and costs, according to the Economist Intelligence Unit. Sure, the enterprise needs better control over its information, but how much better? At what cost? What is the payback period and the return on investment?23
It is challenging to make the business case for IG, yet making that case is fundamental to getting IG efforts off the ground.
IG is how an organization maintains security, complies with regulations, and meets ethical standards when managing information.
IG is a multidisciplinary program that requires an ongoing effort.
Here are eight reasons why IG makes good business sense, from IG thought leader Barclay Blair:
1. We can’t keep everything forever. IG makes sense because it enables organizations to get rid of unnecessary information in a defensible manner. Organizations need a sensible way to dispose of information in order to reduce the cost and complexity of the IT environment. Having unnecessary information around only makes it more difficult and expensive to harness information that has value.
2. We can’t throw everything away. IG makes sense because organizations can’t keep everything forever, nor can they throw everything away. We need information—the right information, in the right place, at the right time. Only IG provides the framework to make good decisions about what information to keep.
3. E-discovery. IG makes sense because it reduces the cost and pain of discovery. Proactively managing information reduces the volume of information exposed to e-discovery and simplifies the task of finding and producing responsive information.
4. Your employees are screaming for it—just listen. IG makes sense because it helps knowledge workers separate “signal” from “noise” in their information flows. By helping organizations focus on the most valuable information, IG improves information delivery and improves productivity.
5. It ain’t gonna get any easier. IG makes sense because it is a proven way for organizations to respond to new laws and technologies that create new requirements and challenges. The problem of IG will not get easier over time, so organizations should get started now.
6. The courts will come looking for IG. IG makes sense because courts and regulators will closely examine your IG program. Falling short can lead to fines, sanctions, loss of cases, and other outcomes that have negative business and financial consequences.
7. Manage risk: IG is a big one. Organizations need to do a better job of identifying and managing risk. The risk of information management failures is a critical risk that IG helps to mitigate.
8. E-mail: Reason enough. IG makes sense because it helps organizations take control of e-mail. Solving e-mail should be a top priority for every organization.24
Failures in Information Governance
The failure to implement and enforce IG can lead to vulnerabilities that can have dire consequences. The theft of confidential U.S. National Security Agency documents by Edward Snowden in 2013 could have been prevented by properly enforced IG. Also, Ford Motor Company is reported to have suffered a loss estimated at $50 to $100 million as a result of the theft of confidential documents by one of its own employees. A former product engineer who had access to thousands of trade secret documents and designs sold them to a competing Chinese car manufacturer. A strong IG program would have controlled and tracked access and prevented the theft while protecting valuable intellectual property.25
Law enforcement agencies have also suffered from poor IG. In a rather frivolous
case in 2013 that highlighted the lack of policy enforcement for the mobile environ-
ment, it was reported that U.S. agents from the Federal Bureau of Investigation used
government-issued mobile phones to send explicit text messages and nude photographs
to coworkers. The incidents did not have a serious impact but did compromise the
agency and its integrity, and “adversely affected the daily activities of several squads.” 26
Proper mobile communications policies were obviously not developed and enforced.
IG is also about information security and privacy, and serious thought must be given when creating policies to safeguard personal, classified, or confidential information. Schemes to compromise or steal information can be quite deceptive and devious, masked by standard operating procedures—if proper IG controls and monitoring are not in place. To wit: Granting remote access to confidential information assets for key personnel is common. Granting medical leave is also common. But a deceptive and dishonest employee could feign a medical leave while downloading volumes of confidential information assets for a competitor—and that is exactly what happened at Accenture, a global consulting firm. During a fraudulent medical leave, an employee was allowed access to Accenture’s Knowledge Exchange (KX), a detailed knowledge base containing previous proposals, expert reports, cost-estimating guidelines, and case studies. This activity could have been prevented by monitoring and analytics that would have shown an inordinate amount of downloads—especially for an “ailing” employee. The employee then went to work for a direct competitor and continued to download the confidential information from Accenture, estimated to be as many as 1,000 critical documents. While the online access to KX was secure, the use of the electronic documents could have been restricted even after the documents were downloaded, if IG measures were in place and newer technologies (such as information rights management [IRM] software) were deployed to secure them directly and maintain that security remotely. With IRM, software security protections can be employed to seal the e-documents and control their use—even after they leave the organization. More details on IRM technology and its capabilities are presented later in this book.
Other recent high-profile data and document leakage cases revealing information security weaknesses that could have been prevented by a robust IG program include:
■ Huawei Technologies, the largest networking and mobile communications company in China, was sued by U.S.-based Motorola for allegedly conspiring to steal trade secrets through former Motorola employees.
■ MI6, the U.K. equivalent of the U.S. Central Intelligence Agency, learned that one of its agents in military intelligence attempted to sell confidential documents to the intelligence services of the Netherlands for £2 million GBP ($3 million USD).
Ford’s loss from stolen documents in a single case of intellectual property (IP) theft was estimated at $50 to $100 million.
And breaches of personal information revealing failures in privacy protection
abound; here are just a few:
■ Health information of 1,600 cardiology patients at Texas Children’s Hospital
was compromised when a doctor’s laptop was stolen. The information includ-
ed personal and demographic information about the patients, including their
names, dates of birth, diagnoses, and treatment histories. 27
■ U.K. medics lost the personal records of nearly 12,000 National Health Service patients in just eight months. Also, a hospital worker was suspended after it was discovered he had sent a file containing pay-slip details for every member of staff to his home e-mail account.28
■ Personal information about more than 600 patients of the Fraser Health
Authority in British Columbia, Canada, was stored on a laptop stolen from
Burnaby General Hospital.
■ In December 2013, Target stores in the U.S. reported that as many as 110 million
customer records had been breached in a massive attack that lasted weeks.
The list of breaches and IG failures could go on and on, more than filling the pages of this book. It is clear that it is occurring and that it will continue. IG controls to safeguard confidential information assets and protect privacy cannot rely solely on the trustworthiness of employees and basic security measures. Up-to-date IG policies and enforcement efforts and newer technology sets are needed, with active, consistent monitoring and program adjustments to continue to improve.
Executives and senior managers can no longer avoid the issue, as it is abundantly clear that the threat is real and the costs of taking such avoidable risks can be high. A single security breach is an IG failure and can cost the entire business. According to Debra Logan of Gartner, “When organizations suffer high-profile data losses, especially involving violations of the privacy of citizens or consumers, they suffer serious reputational damage and often incur fines or other sanctions. IT leaders will have to take at least part of the blame for these incidents.”29
Form IG Policies, Then Apply Technology for Enforcement
Typically, some policies governing the use and control of information and records may have been established for financial and compliance reports, and perhaps e-mail, but they are often incomplete and out-of-date and have not been adjusted for changes in the business environment, such as new technology platforms (e.g., Web 2.0, social media), changing laws (e.g., U.S. Federal Rules of Civil Procedure 2006 changes), and additional regulations.
IG controls to safeguard confidential information assets and protect privacy cannot rely solely on the trustworthiness of employees and basic security measures.
Further adding to the challenge is the rapid proliferation of mobile devices like
tablets, phablets, and smartphones used in business—information can be more easily
lost or stolen—so IG efforts must be made to preserve and protect the enterprise’s
information assets.
Proper IG requires that policies are flexible enough not to hinder the proper flow of information in the heat of the business battle yet strict enough to control and audit for misuse, policy violations, or security breaches. This is a continuous iterative policy-making process that must be monitored and fine-tuned. Even with the absolute best efforts, some policies will miss the mark and need to be reviewed and adjusted.
Getting started with IG awareness is the crucial first step. It may have popped up on an executive’s radar at one point or another and an effort might have been made, but many organizations leave these policies on the shelf and do not revise them on a regular basis.
IG is the necessary underpinning for a legally defensible disposition program that
discards data debris and helps narrow the search for meaningful information on which
to base business decisions. IG is also necessary to protect and preserve critical infor-
mation assets. An IG strategy should aim to minimize exposure to risk, at a reasonable
cost level, while maximizing productivity and improving the quality of information
delivered to knowledge users.
But a reactive, tactical project approach is not the way to go about it—haphazardly swatting at technological, legal, and regulatory flies. A proactive, strategic program, with a clear, accountable sponsor, an ongoing plan, and regular review process, is the only way to continuously adjust IG policies to keep them current so that they best serve the organization’s needs.
Some organizations have created formal governance bodies to establish strat-
egies, policies, and procedures surrounding the distribution of information inside
and outside the enterprise. These governance bodies, steering committees, or teams
should include members from many different functional areas, since proper IG ne-
cessitates input from a variety of stakeholders. Representatives from IT, records man-
agement, corporate or agency archiving, risk management, compliance, operations,
human resources, security, legal, finance, and perhaps knowledge management are
typically a part of IG teams. Often these efforts are jump-started and organized by
an executive sponsor who utilizes third-party consulting resources that specialize in
IG efforts, especially considering the newness of IG and its emerging best practices.
So in this era of ever-growing Big Data, leveraging IG policies to focus on re-
taining the information that has real business value, while discarding the majority of
information that has no value and carries associated increased costs and risks, is criti-
cal to success for modern enterprises. This must be accomplished in a systematic,
consistent, and legally defensible manner by implementing a formal IG program.
Other crucial elements of an IG program are the steps taken to secure confidential
information by enforcing and monitoring policies using the appropriate information
technologies.
Getting started with IG awareness is the crucial fi rst step.
CHAPTER SUMMARY: KEY POINTS
■ The onslaught of Big Data necessitates that IG be implemented to discard
unneeded data in a legally defensible way.
■ Big Data values massive accumulation of data, whereas in business, e-discovery
realities and potential legal liabilities dictate that data be culled to only that
which has clear business value.
■ Only about one quarter of the information organizations are managing has
real business value.
■ With a smaller information footprint, it is easier for organizations to find the information they need and derive business value from it.
■ IG is a subset of corporate governance and encompasses the policies and
leveraged technologies meant to manage what corporate information is re-
tained, where, and for how long, and also how it is retained.
■ IG is a sort of super discipline that encompasses a variety of key concepts
from a variety of related and overlapping disciplines.
■ Practicing good IG is the essential foundation for building legally defensible
disposition practices to discard unneeded information.
■ According to ARMA, IG is “a strategic framework composed of standards,
processes, roles, and metrics that hold organizations and individuals account-
able to create, organize, secure, maintain, use, and dispose of information in
ways that align with and contribute to the organization’s goals.” 30
■ IG is how an organization maintains security, complies with regulations and
laws, and meets ethical standards when managing information.
■ IG is a multidisciplinary program that requires an ongoing effort and active
participation of a broad cross-section of functional groups and stakeholders.
■ IG controls to safeguard confidential information assets and protect privacy cannot rely solely on the trustworthiness of employees and basic security measures.
■ Getting started with IG awareness is the crucial first step.
Notes
1. The Economist, “Data, Data Everywhere,” February 25, 2010, www.economist.com/node/15557443
2. Gartner, Inc., “IT Glossary: Big Data,” www.gartner.com/it-glossary/big-data/ (accessed April 15, 2013).
3. Webopedia, “Big Data,” www.webopedia.com/TERM/B/big_data.html (accessed April 15, 2013).
4. World Economic Forum, “Personal Data: The Emergence of a New Asset Class” (January 2011), http://www3.weforum.org/docs/WEF_ITTC_PersonalDataNewAsset_Report_2011
5. Deidra Paknad, “Defensible Disposal: You Can’t Keep All Your Data Forever,” July 17, 2012, www.forbes.com/sites/ciocentral/2012/07/17/defensible-disposal-you-cant-keep-all-your-data-forever/
6. Susan Karlin, “Earth’s Nervous System: Looking at Humanity Through Big Data,” www.fastcocreate.com/1681986/earth-s-nervous-system-looking-at-humanity-through-big-data#1 (accessed March 5, 2013).
7. IDC Press Release, “New IDC Worldwide Big Data Technology and Services Forecast Shows Market Expected to Grow to $32.4 Billion in 2017,” December 18, 2013, http://www.idc.com/getdoc.jsp?containerId=prUS24542113
8. Steve Lohr, “How Big Data Became So Big,” New York Times, August 11, 2012, www.nytimes.com/2012/08/12/business/how-big-data-became-so-big-unboxed.html?_r=2&smid=tw-share&
9. Kahn Consulting, “Information Governance Brief,” sponsored by IBM, www.delve.us/downloads/Brief-Defensible-Disposal (accessed March 4, 2013).
10. Barclay T. Blair, “Girding for Battle,” Law Technology News, October 1, 2012, www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202572459732&thepage=1
11. Ibid.
12. Paknad, “Defensible Disposal.”
13. Randolph A. Kahn, https://twitter.com/InfoParkingLot/status/273791612172259329, November 28, 2012.
14. Gartner Press Release, “Gartner Says Master Data Management Is Critical to Achieving Effective Information Governance,” January 19, 2012, www.gartner.com/newsroom/id/1898914
15. Ibid.
16. Monica Crocker, e-mail to author, June 21, 2012.
17. Economist Intelligence Unit, “The Future of Information Governance,” www.emc.com/leadership/business-view/future-information-governance.htm (accessed November 14, 2013).
18. ARMA International, Glossary of Records and Information Management Terms, 4th ed., 2012, TR 22–2012.
19. Arvind Krishna, “Three Steps to Trusting Your Data in 2011,” IT Business Edge, posted March 9, 2011, www.itbusinessedge.com/guest-opinions/three-steps-trusting-your-data-2011 (accessed November 14, 2013).
20. ARMA International, Glossary of Records and Information Management Terms, 4th ed., 2012, TR 22–2012.
21. Laura DuBois and Vivian Tero, “Practical Information Governance: Balancing Cost, Risk, and Productivity,” IDC White Paper (August 2010), www.emc.com/collateral/analyst-reports/idc-practical-information-governance-ar
22. Monica Crocker, e-mail to author, June 21, 2012.
23. Barclay T. Blair, Making the Case for Information Governance: Ten Reasons IG Makes Sense, ViaLumina Ltd, 2010. Online at http://barclaytblair.com/making-the-case-for-ig-ebook/ (accessed November 14, 2013).
24. Barclay T. Blair, “8 Reasons Why Information Governance (IG) Makes Sense,” June 29, 2009, www.digitallandfill.org/2009/06/8-reasons-why-information-governance-ig-makes-sense.html
25. Peter Abatan, “Corporate and Industrial Espionage to Rise in 2011,” Enterprise Digital Rights Management, http://enterprisedrm.tumblr.com/post/2742811887/corporate-espionage-to-rise-in-2011 (accessed November 14, 2013).
26. BBC News, “FBI Staff Disciplined for Sex Texts and Nude Pictures,” February 22, 2013, www.bbc.co.uk/news/world-us-canada-21546135
27. Todd Ackerman, “Laptop Theft Puts Texas Children’s Patient Info at Risk,” Houston Chronicle, July 30, 2009, www.chron.com/news/houston-texas/article/Laptop-theft-puts-Texas-Children-s-patient-info-1589473.php (accessed March 2, 2012).
28. Jonny Greatrex, “Bungling West Midlands Medics Lose 12,000 Private Patient Records,” Sunday Mercury, September 5, 2010, www.sundaymercury.net/news/sundaymercuryexclusives/2010/09/05/bungling-west-midlands-medics-lose-12–000-private-patient-records-66331–27203177/ (accessed March 2, 2012).
29. Gartner Press Release, “Gartner Says Master Data Management Is Critical to Achieving Effective Information Governance.”
30. ARMA International, Glossary of Records and Information Management Terms.
CHAPTER 2
Information Governance, IT Governance, Data Governance: What’s the Difference?
There has been a great deal of confusion around the term information governance (IG) and how it is distinct from other similar industry terms, such as information technology (IT) governance and data governance. They are all a subset of corporate governance, and in the above sequence, become increasingly granular in their approach. Data governance is a part of broader IT governance, which is also a part of even broader information governance. The few texts that exist have compounded the confusion by offering a limited definition of IG, or sometimes offering a definition of IG that is just plain incorrect, often confusing it with simple data governance.
So in this chapter we spell out the differences and include examples in hopes of clarifying what the meaning of each term is and how they are related.
Data Governance
Data governance involves processes and controls to ensure that information at the data level—raw alphanumeric characters that the organization is gathering and inputting—is true and accurate, and unique (not redundant). It involves data cleansing (or data scrubbing) to strip out corrupted, inaccurate, or extraneous data and de-duplication, to eliminate redundant occurrences of data.
Data governance focuses on information quality from the ground up at the lowest or root level, so that subsequent reports, analyses, and conclusions are based on clean, reliable, trusted data (or records) in database tables. Data governance is the most rudimentary level at which to implement information governance. Data governance efforts seek to ensure that formal management controls—systems, processes, and accountable employees who are stewards and custodians of the data—are implemented to govern critical data assets to improve data quality and to avoid negative downstream effects of poor data. The biggest negative consequence of poor or inaccurate data is poorly and inaccurately based decisions.
16 INFORMATION GOVERNANCE
Data governance is a newer, hybrid quality control discipline that includes
elements of data quality, data management, IG policy development, business process
improvement, and compliance and risk management.
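The cleansing and de-duplication steps described above, carried out over a small constructed customer table. This is an added example, not code from the book or from any product the chapter mentions; the rows are constructed, and matching duplicates on a normalized e-mail address rather than the system id is an assumption about what the business key is.

```python
"""Data cleansing and de-duplication over a constructed customer table.

Added example, not from the book. It applies the two data governance
techniques the chapter names: cleansing (strip corrupted, inaccurate or
extraneous records) and de-duplication (eliminate redundant occurrences).
"""
import re
from datetime import date

# Minimal e-mail shape check; a production program would use the
# organization's own validation rules.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$")

# Constructed sample input: rows as they might arrive from several business
# units, with whitespace noise, case differences, a corrupted date, a bad
# e-mail address, a missing name, and two copies of the same customer.
RAW_ROWS = [
    {"id": "1001", "name": "  Alice Smith ", "email": "ALICE@EXAMPLE.COM", "joined": "2012-03-04"},
    {"id": "1002", "name": "Bob Jones", "email": "bob@example.com", "joined": "2011-13-40"},   # corrupted date
    {"id": "1003", "name": "Carol  White", "email": "carol@example", "joined": "2013-01-09"},  # invalid e-mail
    {"id": "1004", "name": "alice smith", "email": "alice@example.com ", "joined": "2012-03-04"},  # duplicate of 1001
    {"id": "1005", "name": "", "email": "dan@example.com", "joined": "2010-07-22"},            # missing name
    {"id": "1006", "name": "Eve Black", "email": "eve@example.com", "joined": "2014-05-30"},
]


def normalize(row):
    """Return a cleansed copy of the row, or None if the row is unusable.

    Cleansing rejects rather than guesses: a corrupted date or an invalid
    e-mail address is dropped, because a 'repaired' value would be
    inaccurate data with a clean appearance.
    """
    name = " ".join(row.get("name", "").split())      # collapse stray whitespace
    email = row.get("email", "").strip().lower()      # normalize case and padding
    try:
        joined = date.fromisoformat(row.get("joined", ""))
    except ValueError:
        return None                                   # corrupted date
    if not name or not EMAIL_RE.match(email):
        return None                                   # missing or inaccurate values
    return {"id": row["id"], "name": name, "email": email, "joined": joined.isoformat()}


def cleanse_and_dedupe(rows):
    """Cleanse every row, then keep one record per normalized e-mail address.

    Returns (clean_rows, report). The report is the kind of measurable
    output a data governance program needs to show its impact.
    """
    report = {"input": len(rows), "rejected": 0, "duplicates": 0, "output": 0}
    seen = {}
    for row in rows:
        clean = normalize(row)
        if clean is None:
            report["rejected"] += 1
            continue
        key = clean["email"]          # de-duplication key, chosen after normalization
        if key in seen:
            report["duplicates"] += 1  # redundant occurrence from another business unit
            continue
        seen[key] = clean
    report["output"] = len(seen)
    return list(seen.values()), report


if __name__ == "__main__":
    clean_rows, summary = cleanse_and_dedupe(RAW_ROWS)
    for record in clean_rows:
        print(record)
    print(summary)
```

Note that rows 1001 and 1004 carry different system ids, so de-duplicating on the id alone would have kept both copies; the redundancy only shows up once the business key has been normalized.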
Data Governance Strategy Tips
Everyone in an organization wants good-quality data to work with. But it is not so easy to implement a data governance program. First of all, data is at such a low level that executives and board members are typically unaware of the details of the “smoky back room” of data collection: cleansing, normalization, and input. So it is difficult to gain an executive sponsor and funding to initiate the effort.1 And if a data governance program does move forward, there are challenges in getting business users to adhere to new policies. This is a crucial point, since much of the data is being generated by business units. But there are some general guidelines that can help improve a data governance program’s chances for success:
■ Identify a measurable impact. A data governance program must be able to demonstrate business value, or it will not get the executive sponsorship and funding it needs to move forward. A readiness assessment should capture the current state of data quality and whether an enterprise or business unit level effort is warranted. Other key issues include: Can the organization save hard costs by implementing data governance? Can it reach more customers or increase revenue generated from existing customers?2
■ Assign accountability for data quality to business units, not IT. Typically, IT has had responsibility for data quality, yet it is mostly not under that department’s control, since most of the data is being generated in the business units. A pointed effort must be made to push responsibility and ownership for data to the business units that create and use the data.
■ Recognize the uniqueness of data as an asset. Unlike other assets, such as people, factories, equipment, and even cash, data is largely unseen, out of sight, and intangible. It changes daily. It spreads throughout business units. It is copied and deleted. Data growth can spiral out of control, obscuring the data that has true business value. So data has to be treated differently, and its unique qualities must be considered.
■ Forget the past; implement a going-forward strategy. It is a significantly greater task to try to improve data governance across the enterprise for existing data. Remember, you may be trying to fix decades of bad behavior, mismanagement, and lack of governance. Taking an incremental approach with an eye to the future provides for a clean starting point and can substantially reduce the pain required to implement. A proven best practice is to implement a from-this-point-on strategy where new data governance policies for handling data are implemented beginning on a certain date.
Data governance uses techniques like data cleansing and de-duplication to improve data quality and reduce redundancies.
Good data governance ensures that downstream negative effects of poor data are avoided and that subsequent reports, analyses, and conclusions are based on reliable, trusted data.
■ Manage the change. Educate, educate, educate. People must be trained to understand why the data governance program is being implemented and how it will benefit the business. The new policies represent a cultural change, and people need supportive program messages and training in order to make the shift.3
IT Governance
IT governance is the primary way that stakeholders can ensure that investments in IT create business value and contribute toward meeting business objectives.4 This strategic alignment of IT with the business is challenging yet essential. IT governance programs go further and aim to “improve IT performance, deliver optimum business value and ensure regulatory compliance.”5
Although the CIO typically has line responsibility for implementing IT governance, the CEO and board of directors must receive reports and updates to discharge their responsibilities for IT governance and to see that the program is functioning well and providing business benefits.
Typically, in past decades, board members did not get involved in overseeing IT governance. But today it is a critical and unavoidable responsibility. According to the IT Governance Institute’s Board Briefing on IT Governance, “IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.”6
The focus is on the actual software development and maintenance activities of the IT department or function, and IT governance efforts focus on making IT efficient and effective. That means minimizing costs by following proven software development methodologies and best practices, principles of data governance and information quality, and project management best practices while aligning IT efforts with the business objectives of the organization.
IT Governance Frameworks
Several IT governance frameworks can be used as a guide to implementing an IT governance program. (They are introduced in this chapter in a cursory way; detailed discussions of them are best suited to books focused solely on IT governance.)
IT governance seeks to align business objectives with IT strategy to deliver business value.
Although frameworks and guidance like CobiT® and ITIL have been widely adopted, there is no absolute standard IT governance framework; the combination that works best for an organization depends on business factors, corporate culture, IT maturity, and staffing capability. The level of implementation of these frameworks will also vary by organization.
CobiT®
CobiT (Control Objectives for Information and related Technology) is a process-based IT governance framework that represents a consensus of experts worldwide. Codeveloped by the IT Governance Institute and ISACA (previously known as the Information Systems Audit and Control Association), CobiT addresses business risks, control requirements, compliance, and technical issues.7
CobiT offers IT controls that:
■ Cut IT risks while gaining business value from IT under an umbrella of a globally accepted framework.
■ Assist in meeting regulatory compliance requirements.
■ Utilize a structured approach for improved reporting and management decision making.
■ Provide solutions to control assessments and project implementations to improve IT and information asset control.8
CobiT consists of detailed descriptions of processes required in IT and also tools to measure progress toward maturity of the IT governance program. It is industry agnostic and can be applied across all vertical industry sectors, and it continues to be revised and refined.9
CobiT is broken out into three basic organizational levels and their responsibilities: (1) board of directors and executive management; (2) IT and business management; and (3) line-level governance, and security and control knowledge workers.10
The CobiT model draws on the traditional “plan, build, run, monitor” paradigm of IT management, only with variations in semantics. The CobiT framework is divided into four IT domains—(1) plan and organize, (2) acquire and implement, (3) deliver and support, and (4) monitor and evaluate—which contain 34 IT processes and 210 control objectives. Specific goals and metrics are assigned, and responsibilities and accountabilities are delineated.
The CobiT framework maps to the international information security standard, ISO 17799, and is also compatible with IT Infrastructure Library (ITIL) and other “accepted practices” in IT development and operations.11
ValIT®
ValIT is a newer value-oriented framework that is compatible with and complementary to CobiT. Its principles and best practices focus on leveraging IT investments to gain maximum value. Forty key ValIT essential management practices (analogous to CobiT’s control objectives) support three main processes: value governance, portfolio management, and investment management. ValIT and CobiT “provide a full framework and supporting tool set” to help managers develop policies to manage business risks and deliver business value while addressing technical issues and meeting control objectives in a structured, methodic way.12
ITIL
ITIL (Information Technology Infrastructure Library) is a set of process-oriented best practices and guidance originally developed in the United Kingdom to standardize delivery of IT service management. ITIL is applicable to both the private and public sectors and is the “most widely accepted approach to IT service management in the world.”13 As with other IT governance frameworks, ITIL provides essential guidance for delivering business value through IT, and it “provides guidance to organizations on how to use IT as a tool to facilitate business change, transformation and growth.”14
ITIL best practices form the foundation for ISO/IEC 20000 (previously BS15000), the International Service Management Standard for organizational certification and compliance.15 ITIL 2011 is the latest revision (as of this printing), and it consists of five core published volumes that map the IT service cycle in a systematic way:
1. ITIL Service Strategy
2. ITIL Service Design
3. ITIL Service Transition
4. ITIL Service Operation
5. ITIL Continual Service Improvement16
ISO 38500
ISO/IEC 38500:2008 is an international standard that provides high-level principles and guidance for senior executives and directors, and those advising them, for the effective and efficient use of IT.17 Based primarily on AS 8015, the Australian IT governance standard, it “applies to the governance of management processes” that are performed at the IT service level, but the guidance assists executives in monitoring IT and ethically discharging their duties with respect to legal and regulatory compliance of IT activities.
The ISO 38500 standard comprises three main sections:
1. Scope, Application and Objectives
2. Framework for Good Corporate Governance of IT
3. Guidance for Corporate Governance of IT
It is largely derived from AS 8015, the guiding principles of which were:
■ Establish responsibilities
■ Plan to best support the organization
■ Acquire validly
■ Ensure performance when required
■ Ensure conformance with rules
■ Ensure respect for human factors
The standard also has relationships with other major ISO standards, and embraces the same methods and approaches.18
CobiT is process-oriented and has been widely adopted as an IT governance framework. ValIT is value-oriented and compatible and complementary with CobiT, yet focuses on value delivery.
ITIL is the “most widely accepted approach to IT service management in the world.”
Information Governance
Corporate governance is the highest level of governance in an organization, and a key aspect of it is IG. IG processes are higher level than the details of IT governance and much higher than data governance, but both data and IT governance can be (and should be) a part of an overall IG program. The IG approach to governance focuses not on detailed IT or data capture and quality processes but rather on controlling the information that is generated by IT and office systems.
IG efforts seek to manage and control information assets to lower risk, ensure compliance with regulations, and improve information quality and accessibility while implementing information security measures to protect and preserve information that has business value.19 (See Chapter 1 for more detailed definitions.)
Impact of a Successful IG Program
When making the business case for IG and articulating its benefits, it is useful to focus on its central impact. Putting cost-benefit numbers to this may be difficult, unless you also consider the worst-case scenario of loss or misuse of corporate or agency records. What is losing the next big lawsuit worth? How much are confidential merger and acquisition documents worth? How much are customer records worth? Frequently, executives and managers do not understand the value of IG until it is a crisis, an expensive legal battle is lost, heavy fines are imposed for noncompliance, or executives go to jail.
ISO 38500 is an international standard that provides high-level principles and guidance for senior executives and directors responsible for IT governance.
IG is how an organization maintains security, complies with regulations and laws, and meets ethical standards when managing information.
There are some key outputs from implementing an IG program. A successful IG program should enable organizations to:
■ Use common terms across the enterprise. This means that departments must agree on how they are going to classify document types, which requires a cross-functional effort. With common enterprise terms, searches for information are more productive and complete. This normalization process begins with developing a standardized corporate taxonomy, which defines the terms (and substitute terms in a custom corporate thesaurus), document types, and their relationships in a hierarchy.
■ Map information creation and usage. This effort can be buttressed with the use of technology tools such as data loss prevention, which can be used to discover the flow of information within and outside of the enterprise. You must first determine who is accessing which information when and where it is going. Then you can monitor and analyze these information flows. The goal is to stop the erosion or misuse of information assets and to stem data breaches with monitoring and security technology.
■ Obtain “information confidence”—that is, the assurance that information has integrity, validity, accuracy, and quality; this means being able to prove that the information is reliable and that its access, use, and storage meet compliance and legal demands.
■ Harvest and leverage information. Using techniques and tools like data mining and business intelligence, new insights may be gained that provide an enterprise with a sustainable competitive advantage over the long term, since managers will have more and better information as a basis for business decisions.21
Summing Up the Differences
IG consists of the overarching policies and processes to optimize and leverage information while keeping it secure and meeting legal and privacy obligations in alignment with stated organizational business objectives.
IT governance consists of following established frameworks and best practices to gain the most leverage and benefit out of IT investments and support accomplishment of business objectives.
Data governance consists of the processes, methods, and techniques to ensure that data is of high quality, reliable, and unique (not duplicated), so that downstream uses in reports and databases are more trusted and accurate.
CHAPTER SUMMARY: KEY POINTS
■ Data governance uses techniques like data cleansing and de-duplication to improve data quality and reduce redundancies.
■ Good data governance ensures that downstream negative effects of poor data are avoided and that subsequent reports, analyses, and conclusions are based on reliable, trusted data.
■ IT governance seeks to align business objectives with IT strategy to deliver business value.
■ CobiT is process-oriented and has been widely adopted as an IT governance framework. ValIT is value-oriented and compatible and complementary with CobiT yet focuses on value delivery.
■ The CobiT framework maps to the international information security standard ISO 17799 and is also compatible with ITIL (IT Infrastructure Library).
■ ITIL is the “most widely accepted approach to IT service management in the world.”
■ ISO 38500 is an international standard that provides high-level principles and guidance for senior executives and directors responsible for IT governance.
■ Information governance is how an organization maintains security, complies with regulations and laws, and meets ethical standards when managing information.
Notes
1. “New Trends and Best Practices for Data Governance Success,” SearchDataManagement.com eBook, http://viewer.media.bitpipe.com/1216309501_94/1288990195_946/Talend_sDM_SO_32247_EBook_1104 (accessed March 11, 2013).
2. Ibid.
3. Ibid.
4. M.N. Kooper, R. Maes, and E.E.O. RoosLindgreen, “On the Governance of Information: Introducing a New Concept of Governance to Support the Management of Information,” International Journal of Information Management 31 (2011): 195–120, http://dl.acm.org/citation.cfm?id=2297895 (accessed November 14, 2013).
5. Nick Robinson, “The Many Faces of IT Governance: Crafting an IT Governance Architecture,” ISACA Journal 1 (2007), www.isaca.org/Journal/Past-Issues/2007/Volume-1/Pages/The-Many-Faces-of-IT-Governance-Crafting-an-IT-Governance-Architecture.aspx
6. Bryn Phillips, “IT Governance for CEOs and Members of the Board,” 2012, p.18.
7. Ibid., p.26.
8. IBM Global Business Services/Public Sector, “Control Objectives for Information and related Technology (CobiT®) Internationally Accepted Gold Standard for IT Controls & Governance,” http://www-304.ibm.com/industries/publicsector/fileserve?contentid=187551 (accessed March 11, 2013).
9. Phillips, “IT Governance for CEOs and Members of the Board.”
10. IBM Global Business Services/Public Sector, “Control Objectives for Information and related Technology (CobiT®) Internationally Accepted Gold Standard for IT Controls & Governance.”
11. Ibid.
12. Ibid.
13. www.itil-officialsite.com/ (accessed March 12, 2013).
14. ITIL, “What Is ITIL?” www.itil-officialsite.com/AboutITIL/WhatisITIL.aspx (accessed March 12, 2013).
15. Ibid.
16. Ibid.
17. “ISO/IEC 38500:2008 Corporate Governance of Information Technology,” www.iso.org/iso/catalogue_detail?csnumber=51639 (accessed November 14, 2013).
18. ISO 38500, www.38500.org/ (accessed March 12, 2013).
19. www.naa.gov.au/records-management/agency/digital/digital-continuity/principles/ (accessed November 14, 2013).
20. ARMA International, Glossary of Records and Information Management Terms, 4th ed. TR 22–2012 (from ARMA.org).
21. Arvind Krishna, “Three Steps to Trusting Your Data in 2011,” CTO Edge, March 9, 2011, www.ctoedge.com/content/three-steps-trusting-your-data-2011
CHAPTER 3
Information Governance Principles*
Principles of information governance (IG) are evolving and expanding. Successful IG programs are characterized by ten key principles, which are the basis for best practices and should be designed into the IG approach. They include:
1. Executive sponsorship. No IG effort will survive and be successful if it does not have an accountable, responsible executive sponsor. The sponsor must drive the effort, clear obstacles for the IG team or committee, communicate the goals and business objectives that the IG program addresses, and keep upper management informed on progress.
2. Information policy development and communication. Clear policies must be established for the access and use of information, and those policies must be communicated regularly and crisply to employees. Policies for the use of e-mail, instant messaging, social media, cloud computing, mobile computing, and posting to blogs and internal sites must be developed in consultation with stakeholders and communicated clearly. This includes letting employees know what the consequences of violating IG policies are, as well as its value.
3. Information integrity. This area considers the consistency of methods used to create, retain, preserve, distribute, and track information. Adhering to good IG practices includes data governance techniques and technologies to ensure quality data. Information integrity means there is assurance that information is accurate, correct, and authentic. IG efforts to improve data quality and information integrity include de-duplicating (removing redundant data) and maintaining only unique data to reduce risk, storage costs, and information technology (IT) labor costs while providing accurate, trusted information for decision makers. Supporting technologies must enforce policies to meet legal standards of admissibility and preserve the integrity of information to guard against claims that it has been altered, tampered with, or deleted (called “spoliation”). Audit trails must be kept and monitored to ensure compliance with IG policies to assure information integrity.1
4. Information organization and classification. This means standardizing formats, categorizing all information, and semantically linking it to related information. It also means creating a retention and disposition schedule that spells out how long the information (e.g. e-mail, e-documents, spreadsheets, reports) and records should be retained and how they are to be disposed of or archived. Information, and particularly documents, should be classified according to a global or corporate taxonomy that considers the business function and owner of the information, and semantically links related information. Information must be standardized in form and format. Tools such as document labeling can assist in identifying and classifying documents. Metadata associated with documents and records must be standardized and kept up-to-date. Good IG means good metadata management and utilizing metadata standards that are appropriate to the organization.
* Portions of this chapter are adapted from Chapter 3 of Robert F. Smallwood, Managing Electronic Records: Methods, Best Practices, and Technologies, © John Wiley & Sons, Inc., 2013. Reproduced with permission of John Wiley & Sons, Inc.
5. Information security. This means securing information in its three states: at rest, in motion, and in use. It means implementing measures to protect information from damage, theft, or alteration by malicious outsiders and insiders as well as nonmalicious (accidental) actions that may compromise information. For instance, an employee may lose a laptop with confidential information, but if proper IG policies are enforced using security-related information technologies, the information can be secured. This can be done by access control methods, data or document encryption, deploying information rights management software, using remote digital shredding capabilities, and implementing enhanced auditing procedures. Information privacy is closely related to information security and is critical when dealing with personally identifiable information (PII).
6. Information accessibility. Accessibility is vital not only in the short term but also over time using long-term digital preservation (LTDP) techniques when appropriate (generally if information is needed for over five years). Accessibility must be balanced with information security concerns. Information accessibility includes making the information as simple as possible to locate and access, which involves not only the user interface but also enterprise search principles, technologies, and tools. It also includes basic access controls, such as password management, identity and access management, and delivering information to a variety of hardware devices.
7. Information control. Document management and report management software must be deployed to control the access to, creation, updating, and printing of documents and reports. When documents or reports are declared records, they must be assigned to the proper retention and disposition schedule to be retained for as long as the records are needed to comply with legal retention periods and regulatory requirements. Also, information that may be needed or requested in legal proceedings is safeguarded through a legal hold process.
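Principles 4 and 7 above, the retention and disposition schedule and the legal hold process, carried out in code as an added example that is not from the book or from any records management product. The schedule periods, the classifications and the sample records are constructed placeholders, not any real retention requirement; the audit entry written per decision is the kind of trail principle 8 calls for.

```python
"""Retention and disposition with a legal hold override and an audit trail.

Added example, not from the book. It models the retention and disposition
schedule described under principle 4, the legal hold process under
principle 7, and one audit entry per decision as principle 8 asks for.
Schedule periods and classifications are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed schedule: classification -> (retention years, disposition action).
# A real schedule is set by the records program from legal and regulatory
# retention periods; these values are illustrative only.
SCHEDULE = {
    "contract": (7, "archive"),
    "invoice": (7, "destroy"),
    "email": (3, "destroy"),
    "personnel": (10, "archive"),
}


@dataclass
class Record:
    record_id: str
    classification: str
    declared: date            # date the document was declared a record
    legal_hold: bool = False  # set by the legal hold process, cleared only by it


@dataclass
class Decision:
    record_id: str
    action: str               # "hold", "retain", "archive" or "destroy"
    reason: str


def decide(record: Record, today: date) -> Decision:
    """Apply the schedule to one record.

    A legal hold always wins, and a record whose classification has no
    schedule entry is retained: nothing is disposed of without a schedule.
    """
    if record.legal_hold:
        return Decision(record.record_id, "hold", "legal hold in place")
    if record.classification not in SCHEDULE:
        return Decision(record.record_id, "retain", "no schedule for classification")
    years, disposition = SCHEDULE[record.classification]
    try:
        eligible = record.declared.replace(year=record.declared.year + years)
    except ValueError:  # declared on 29 February and the target year is not a leap year
        eligible = record.declared + timedelta(days=365 * years)
    if today < eligible:
        return Decision(record.record_id, "retain", f"eligible on {eligible.isoformat()}")
    return Decision(record.record_id, disposition,
                    f"{record.classification} schedule: {years} years elapsed")


def run_disposition(records, today: date, audit_log: list) -> list:
    """Decide every record and append one audit entry per decision.

    The audit log is what later shows that disposal followed the schedule
    rather than happening ad hoc, which is the defense against a spoliation claim.
    """
    decisions = []
    for rec in records:
        d = decide(rec, today)
        audit_log.append(f"{today.isoformat()} {d.record_id} {rec.classification} "
                         f"-> {d.action} ({d.reason})")
        decisions.append(d)
    return decisions


# Constructed sample records and run date.
TODAY = date(2020, 1, 12)
SAMPLE = [
    Record("R-1", "contract", date(2011, 6, 1)),                   # 7 years elapsed: archive
    Record("R-2", "invoice", date(2012, 6, 1), legal_hold=True),  # eligible, but held
    Record("R-3", "email", date(2018, 2, 20)),                     # not yet 3 years: retain
    Record("R-4", "memo", date(2005, 1, 1)),                       # unscheduled: retain
    Record("R-5", "invoice", date(2012, 12, 31)),                  # 7 years elapsed: destroy
]

if __name__ == "__main__":
    log = []
    for decision in run_disposition(SAMPLE, TODAY, log):
        print(decision)
    print("\n".join(log))
```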
8. Information governance monitoring and auditing. To ensure that guidelines and policies are being followed and to measure employee compliance levels, information access and use must be monitored. To guard against claims of spoliation, use of e-mail, social media, cloud computing, and report generation should be logged in real time and maintained as an audit record. Technology tools such as document analytics can track how many documents or reports users access and print and how long they spend doing so.
9. Stakeholder consultation. Those who work most closely to information are the ones who best know why it is needed and how to manage it, so business units must be consulted in IG policy development. The IT department understands its capabilities and technology plans and can best speak to those points. Legal issues must always be deferred to the in-house counsel or legal team. A cross-functional collaboration is needed for IG policies to hit the mark and be effective. The result is not only more secure information but also better information to base decisions on and closer adherence to regulatory and legal demands.2
10. Continuous improvement. IG programs are not one-time projects but rather ongoing programs that must be reviewed periodically and adjusted to account for gaps or shortcomings as well as changes in the business environment, technology usage, or business strategy.
Accountability Is Key
According to Debra Logan at Gartner Group, none of the proffered definitions of IG includes “any notion of coercion, but rather ties governance to accountability [emphasis added] that is designed to encourage the right behavior. . . . The word that matters most is accountability.” The root of many problems with managing information is the “fact that there is no accountability for information as such.”3
Establishing policies, procedures, processes, and controls to ensure the quality, integrity, accuracy, and security of business records are the fundamental steps needed to reduce the organization’s risk and cost structure for managing these records. Then it is essential that IG efforts are supported by IT. The auditing, testing, maintenance, and improvement of IG are enhanced by using electronic records management (ERM) software along with other complementary technology sets, such as workflow and business process management suite (BPMS) software and digital signatures.
Generally Accepted Recordkeeping Principles®
Contributed by Charmaine Brooks, CRM
A major part of an IG program is managing formal business records. Although they account for only about 7 to 9 percent of the total information that an organization holds, they are the most critically important subset to manage, as there are serious compliance and legal ramifications to not doing so.
Principles of successful IG programs are emerging. They include executive sponsorship, information classification, integrity, security, accessibility, control, monitoring, auditing, policy development, and continuous improvement.
Accountability is a key aspect of IG.
Records and recordkeeping are inextricably linked with any organized business activity. Through the information that an organization uses and records, creates, or receives in the normal course of business, it knows what has been done and by whom. This allows the organization to effectively demonstrate compliance with applicable standards, laws, and regulations as well as plan what it will do in the future to meet its mission and strategic objectives.
Standards and principles of recordkeeping have been developed by records and information management (RIM) practitioners to establish benchmarks for how organizations of all types and sizes can build and sustain compliant, defensible records management (RM) programs.
The Principles
In 2009 ARMA International published a set of eight Generally Accepted Recordkeeping Principles®, known as The Principles [4] (or sometimes GAR Principles), to foster awareness of good recordkeeping practices. These principles and associated metrics provide an IG framework that can support continuous improvement.
The eight Generally Accepted Recordkeeping Principles are:
1. Accountability. A senior executive (or person of comparable authority) oversees the recordkeeping program and delegates program responsibility to appropriate individuals. The organization adopts policies and procedures to guide personnel and ensure the program can be audited.
2. Transparency. The processes and activities of an organization’s recordkeeping program are documented in a manner that is open and verifiable and is available to all personnel and appropriate interested parties.
3. Integrity. A recordkeeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability.
4. Protection. A recordkeeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, or essential to business continuity.
5. Compliance. The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies.
6. Availability. An organization shall maintain records in a manner that ensures timely, efficient, and accurate retrieval of needed information.
7. Retention. An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements.
8. Disposition. An organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization’s policies. [5]
The Principles apply to organizations of all sizes, in all types of industries, in both the private and public sectors, and can be used to establish consistent practices across business units. The Principles also form an IG maturity model, which is used for a preliminary evaluation of recordkeeping programs and practices.
Interest in and application of The Principles for assessing an organization’s recordkeeping practices have steadily increased since their establishment in 2009. The Principles form an accountability framework that includes the processes, roles, standards, and metrics that ensure the effective and efficient use of records and information in support of an organization’s goals and business objectives.
As shown in Table 3.1, the Generally Accepted Recordkeeping Principles maturity model associates characteristics that are typical of five levels of recordkeeping capability, ranging from 1 (substandard) to 5 (transformational). The levels are both descriptive and color coded for ease of understanding. The eight principles and levels (metrics) are applied to the current state of an organization’s recordkeeping capabilities and can be cross-referenced to its policies and procedures. While it is not unusual for an organization to be at different levels of maturity in the eight principles, the question “How good is good enough?” must be raised and answered; a rating of less than “transformational” may be acceptable, depending on the organization’s tolerance for risk and an analysis of the costs and benefits of moving up each level.
The maturity levels define the characteristics of evolving and maturing RM programs. The assessment should reflect the current RM environment and practices. The principles and maturity level definitions, along with improvement recommendations (roadmap), outline the tasks required to proactively address systematic RM practices and reach the next level of maturity for each principle. While the Generally Accepted Recordkeeping Principles are broad in focus, they illustrate the requirements of good RM practices. The Principles Assessment can also be a powerful communication tool to promote cross-functional dialogue and collaboration among business units and staff.
Table 3.1 Generally Accepted Recordkeeping Principles Levels
Level 1, Substandard. Characterized by an environment where recordkeeping concerns are either not addressed at all or are addressed in an ad hoc manner.
Level 2, In Development. Characterized by an environment where there is a developing recognition that recordkeeping has an impact on the organization, and the organization may benefit from a more defined information governance program.
Level 3, Essential. Characterized by an environment where defined policies and procedures exist that address the minimum or essential legal and regulatory requirements, but more specific actions need to be taken to improve recordkeeping.
Level 4, Proactive. Characterized by an environment where information governance issues and considerations are integrated into business decisions on a routine basis, and the organization consistently meets its legal and regulatory obligations.
Level 5, Transformational. Characterized by an environment that has integrated information governance into its corporate infrastructure and business processes to such an extent that compliance with program requirements is routine.
Source: Used with permission from ARMA.
Accountability
The principle of accountability covers the assigned responsibility for RM at a senior level to ensure effective governance with the appropriate level of authority. A senior-level executive must be high enough in the organizational structure to have sufficient authority to operate the RM program effectively. The primary role of the senior executive is to develop and implement RM policies, procedures, and guidance and to provide advice on all recordkeeping issues. The direct responsibility for managing or operating facilities or services may be delegated.
The senior executive must possess an understanding of the business and legislative environment within which the organization operates, business functions and activities, and the required relationships with key external stakeholders to understand how RM contributes to achieving the corporate mission, aims, and objectives.
It is important for top-level executives to take ownership of the RM issues of the organization and to identify corrective actions required for mitigation or ensure resolution of problems and recordkeeping challenges. An executive sponsor should identify opportunities to raise awareness of the relevance and importance of RM and effectively communicate the benefits of good RM to staff and management.
The regulatory and legal framework for RM must be clearly identified and understood. The senior executive must have a sound knowledge of the organization’s information and technological architecture and actively participate in strategic decisions for IT systems acquisition and implementation.
The senior executive is responsible for ensuring that the processes, procedures, governance structures, and related documentation are developed. The policies should identify the roles and responsibilities at all levels of the organization.
An audit process must be developed to cover all aspects of RM within the organization, including substantiating that sufficient levels of accountability have been assigned and that accountability deficiencies are identified and remedied. Audit processes should include compliance with the organization’s policies and procedures for all records, regardless of format or media. Accountability audit requirements for electronic records include employing appropriate technology to audit the information architecture and systems. Accountability structures must be updated and maintained as changes occur in the technology infrastructure.
The audit process must reinforce compliance and hold individuals accountable. The results should be constructive and encourage continuous improvement, but not be used as a means of punishment. The audit should contribute to records program improvements in risk mitigation, control, and governance issues and have the capacity to support sustainability.
Transparency
Policies are broad guidelines for the operation of the organization and provide a basic guide to action that prescribes the boundaries within which business activities are to take place. They state the course of action to be followed by the organization, business unit, department, and employees.
Transparency of recordkeeping practices includes documenting processes and promoting an understanding of the roles and responsibilities of all stakeholders. To be effective, policies must be formalized and integrated into business processes. Business rules and recordkeeping requirements need to be communicated and installed at all levels of the organization.
Senior management must recognize that transparency is fundamental to IG and compliance. Documentation must be consistent, current, and complete. A review and approval process must be established to ensure that the introduction of new programs or changes can be implemented and integrated into business processes.
Employees must have ready access to RM policies and procedures. They must receive guidance and training to ensure they understand their roles and requirements for RM. Recordkeeping systems and business processes must be designed and developed to clearly define the records lifecycle.
In addition to policies and procedures, guidelines and operational instructions, diagrams and flowcharts, system documentation, and user manuals must include clear guidance on how records are to be created, retained, stored, and dispositioned. The documentation must be readily available and incorporated in communications and training provided to staff.
Integrity
Record-generating systems and repositories must be assessed to determine recordkeeping capabilities. A formalized process must be in place for acquiring or developing new systems, including requirements for capturing the metadata required for lifecycle management of records in the systems. In addition, the record must contain all the necessary elements of an official record, including structure, content, and context. Records integrity, reliability, and trustworthiness are confirmed by ensuring that a record was created by a competent authority according to established processes.
Maintaining the integrity of records means that they are complete and protected from being altered. The authenticity of a record is ascertained from internal and external evidence, including the characteristics, structure, content, and context of the records, to verify they are genuine and not corrupted or altered. In order to trust that a record is authentic, organizations must ensure that recordkeeping systems that create, capture, and manage electronic records are capable of protecting records from accidental or unauthorized alteration or deletion while the record has value.
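The requirement above, that a recordkeeping system detect accidental or unauthorized alteration of a captured record, as an added example that is not code from the book or from ARMA. It computes a fixity digest over a record’s content and its structure/content/context metadata and logs that digest in a MAC-chained, append-only audit trail; verification trusts the trail, not the editable record, so a user who can change a stored record cannot silently re-bless it. REGISTRY_KEY, the event names and the sample contract record are assumptions; in practice the key would sit in an HSM or key-management service rather than in the code.

```python
"""Tamper-evident record fixity with a MAC-chained audit trail.

Added example, not code from the book or from ARMA. REGISTRY_KEY, the event
names and the sample record below are assumptions.
"""
import hashlib
import hmac
import json

# Assumption: the registry's own secret. In production it lives in an HSM or KMS,
# so a user who can edit a stored record cannot also re-sign the audit trail.
REGISTRY_KEY = b"example-registry-key-not-for-production"
GENESIS = "0" * 64


def canonical(obj) -> bytes:
    """Canonical JSON: identical metadata always serializes to identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def fixity(content: bytes, metadata: dict) -> str:
    """Digest over the record's content and its structure/content/context metadata."""
    h = hashlib.sha256()
    h.update(len(content).to_bytes(8, "big"))  # length prefix keeps the two fields apart
    h.update(content)
    h.update(canonical(metadata))
    return h.hexdigest()


def _mac(body: dict) -> str:
    return hmac.new(REGISTRY_KEY, canonical(body), hashlib.sha256).hexdigest()


class AuditChain:
    """Append-only trail. Each entry carries the previous entry's MAC, so editing,
    deleting or reordering any earlier entry breaks verification of what follows."""

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, **event}
        entry = {**body, "mac": _mac(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev:
                return False
            if not hmac.compare_digest(_mac(body), e["mac"]):
                return False
            prev = e["mac"]
        return True


class RecordRegistry:
    """Stored records plus the audit chain that is the authority for their fixity."""

    def __init__(self):
        self.records = {}
        self.audit = AuditChain()

    def capture(self, record_id: str, content: bytes, metadata: dict, actor: str) -> str:
        digest = fixity(content, metadata)
        self.records[record_id] = {"content": content, "metadata": metadata}
        self.audit.append({"event": "capture", "record": record_id,
                           "actor": actor, "fixity": digest})
        return digest

    def verify_record(self, record_id: str) -> bool:
        """True only if the chain is intact and the stored record still matches the
        fixity logged at capture; the chain is trusted, the editable record is not."""
        if not self.audit.verify():
            return False
        logged = [e["fixity"] for e in self.audit.entries
                  if e["event"] == "capture" and e["record"] == record_id]
        if not logged:
            return False
        r = self.records[record_id]
        return hmac.compare_digest(fixity(r["content"], r["metadata"]), logged[-1])


def demo() -> dict:
    """Constructed sample: capture one record, then simulate two kinds of tampering."""
    reg = RecordRegistry()
    meta = {"series": "CONTRACT", "created": "2013-06-01", "creator": "legal@example.test"}
    reg.capture("CTR-0001", b"Master services agreement v1", meta, actor="legal@example.test")
    intact = reg.verify_record("CTR-0001")

    reg.records["CTR-0001"]["content"] = b"Master services agreement v1 (amended)"
    content_tampered = reg.verify_record("CTR-0001")

    reg.records["CTR-0001"]["content"] = b"Master services agreement v1"
    reg.audit.entries[0]["actor"] = "someone-else"  # rewriting history without the key
    trail_tampered = reg.verify_record("CTR-0001")
    return {"intact": intact, "content_tampered": content_tampered,
            "trail_tampered": trail_tampered}
```

Running demo() shows the two failure modes the principle cares about: an altered record no longer matches its logged fixity, and an altered audit entry breaks the MAC chain, so the record cannot be vouched for even though its bytes are unchanged. Migrations or conversions done under the Protection principle would be logged the same way, as a new entry carrying the new fixity.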
Protection
Organizations must ensure that records are protected against loss, tampering, or corruption and remain unaltered. This includes protecting them against technological change or the failure of digital storage media, and against damage or deterioration. This principle applies equally to physical and electronic records, each of which has unique requirements and challenges.
Access and security controls need to be established, implemented, monitored, and reviewed to ensure business continuity and minimize business risk. Restrictions on access and disclosure include the methods for protecting personal privacy and proprietary information. Access and security requirements must be integrated into the business systems and processes for the creation, use, and storage of records.
Long-term digital preservation (LTDP) is a series of managed activities required to ensure continued access to digital materials for as long as necessary. Electronic records requiring long-term retention may require conversion to a medium and format suitable to ensure long-term access and readability.
Compliance
RM programs include the development and training of the fundamental components, including compliance monitoring to ensure sustainability of the program. Monitoring for compliance involves reviewing and inspecting the various facets of records management: ensuring that records are being properly created and captured; implementation of user permissions and security procedures; sampling workflow processes to ensure adherence to policies and procedures; ensuring that records are retained in line with disposal authorizations; and documentation of records destroyed or transferred, to determine whether destruction or transfer was authorized in accordance with disposal instructions.
Compliance monitoring can be carried out by internal audit, an external organization, or RM, and must be done on a regular basis.
Availability
Organizations should evaluate how effectively and efficiently records and information are stored and retrieved using present equipment, networks, and software. The evaluation should identify current and future requirements and recommend new systems as appropriate. Certain factors should be considered before upgrading or implementing new systems: the practicality, cost, and effectiveness of new configurations.
A major challenge for organizations is ensuring timely and reliable access to and use of information and that records are accessible and usable for the entire length of the retention period. Rapid changes and enhancements to both hardware and software compound this challenge.
Retention
Retention is the function of preserving and maintaining records for continuing use. The retention schedule identifies the actions needed to fulfill the requirements for the retention and disposal of records and provides the authority for employees and systems to retain, destroy, or transfer records. The records retention schedule documents the recordkeeping requirements and procedures, identifying how records are to be organized and maintained, what needs to happen to records and when, who is responsible for doing what, and whom to contact with questions or guidance.
Organizations must identify the scope of their recordkeeping requirements for documenting business activities based on regulated activities and jurisdictions that impose control over records. This includes business activities regulated by the government for every location or jurisdiction in which the company does business. Other considerations for determining retention requirements include operational, legal, fiscal, and historical ones.
Records appraisal is the process of assessing the value and risk of records to determine their retention and disposition requirements. Legal research is outlined in appraisal reports. This appraisal process may be accomplished as a part of the process of developing the records retention schedules as well as conducting a regular review to ensure that citations and requirements are current.
The records retention period is the length of time that records should be retained and the actions taken for them to be destroyed or preserved. The retention periods for different records should be based on legislative or regulatory requirements as well as on administrative and operational requirements.
It is important to document the legal research conducted and used to determine whether the law or regulation has been reasonably applied to the recordkeeping practices and provide evidence to regulatory officials or courts that due diligence has been conducted in good faith to comply with all applicable requirements.
Disposition
Disposition is the last stage in the life cycle of records. When the retention requirements have been met and the records no longer serve a useful business purpose, records may be destroyed. Records requiring long-term or permanent retention should be transferred to an archive for preservation. The timing of the transfer of physical or electronic records should be determined through the records retention schedule process. Additional methods, including migration or conversion, are often required to preserve electronic records.
Records must be destroyed in a controlled and secure manner and in accordance with authorized disposal instructions. The destruction of records must be clearly documented to provide evidence of destruction according to an agreed-on program.
Destruction of records must be undertaken by methods appropriate to the confidentiality of the records and in accordance with disposal instructions in the records retention schedule. An audit trail documenting the destruction of records should be maintained, and certificates of destruction should be obtained for destruction undertaken by third parties. In the event disposal schedules are not in place, written authorization should be obtained prior to destruction. Procedures should specify who must supervise the destruction of records. Approved methods of destruction must be specified for each media type to ensure that information cannot be reconstructed.
Disposition is not synonymous with destruction, although destruction may be one disposal option. Destruction of records must be carried out under controlled, confidential conditions by shredding or permanent disposition. This includes the destruction of confidential microfilm, microfiche, computer cassettes, and computer tapes as well as paper.
Methods of Disposition
■ Discard. The standard destruction method for nonconfidential records. If possible, all records should be shredded prior to recycling. Note that transitory records can also be shredded.
■ Shred. Confidential and sensitive records should be processed under strict security. This may be accomplished internally or by secure on-site shredding by a third-party vendor who provides certificates of secure destruction. The shredded material is then recycled.
■ Archive. This designation is for records requiring long-term or permanent preservation. Records of enduring legal, fiscal, administrative, or historical value are retained.
■ Imaging. Physical records are converted to digital images, after which the original paper documents are destroyed.
■ Purge. This special designation is for data, documents, or record sets that need to be purged by removing material based on specified criteria. This often applies to structured records in databases and applications.
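The retention and disposition rules described in the two sections above, as an added example that is not code from the book or from ARMA: a small evaluator that, for each record, looks up its series rule, checks whether the event that starts the retention clock has occurred, suspends disposition while a legal hold is active (the hold process that Table 3.3 refers to), and only then returns the scheduled action together with the authority citation that documents the legal research behind the period. A record with no schedule entry is retained, matching the text’s requirement for written authorization before destruction when no disposal schedule is in place. The series codes, retention periods, hold identifiers, dates and citations are all constructed sample data, not a real schedule.

```python
"""Retention-schedule evaluation with legal-hold suspension.

Added example, not from the book or from ARMA. It assumes a simplified
schedule: each record series names the event that starts the clock, a
retention period in years, a disposition action ("destroy" or "archive") and
the authority citation behind the period. All sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class SeriesRule:
    trigger: str    # record event that starts the retention clock
    years: int      # retention period after the trigger event
    action: str     # disposition once the period has elapsed
    authority: str  # documented legal/operational basis for the period


@dataclass
class Record:
    record_id: str
    series: str
    events: dict    # event name -> date it occurred
    custodian: str


@dataclass
class LegalHold:
    hold_id: str
    series: frozenset = frozenset()      # record series in scope
    record_ids: frozenset = frozenset()  # individual records in scope
    released: Optional[date] = None      # hold no longer applies from this date


def add_years(d: date, years: int) -> date:
    """Anniversary date; 29 Feb rolls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def hold_applies(hold: LegalHold, record: Record, today: date) -> bool:
    if hold.released is not None and hold.released <= today:
        return False
    return record.series in hold.series or record.record_id in hold.record_ids


def evaluate(record: Record, schedule: dict, holds: list, today: date) -> dict:
    """Decide what may happen to one record today.

    Precedence: no schedule entry or an un-triggered clock means there is no
    authority to dispose (retain); an active hold suspends disposition even when
    the period has elapsed; only then does the scheduled action fire."""
    out = {"record": record.record_id, "series": record.series}
    rule = schedule.get(record.series)
    if rule is None:
        return {**out, "decision": "retain",
                "reason": "no schedule entry; written authorization required before destruction"}
    trigger_date = record.events.get(rule.trigger)
    if trigger_date is None:
        return {**out, "decision": "retain",
                "reason": f"trigger event '{rule.trigger}' has not occurred"}
    due = add_years(trigger_date, rule.years).isoformat()
    active = sorted(h.hold_id for h in holds if hold_applies(h, record, today))
    if active:
        return {**out, "decision": "hold", "due": due, "holds": active,
                "reason": "disposition suspended by legal hold"}
    if today.isoformat() < due:
        return {**out, "decision": "retain", "due": due, "reason": "retention period running"}
    return {**out, "decision": rule.action, "due": due, "authority": rule.authority}


def disposition_report(records, schedule, holds, today) -> list:
    return [evaluate(r, schedule, holds, today) for r in records]


# Constructed sample data (assumed series, periods, citations and holds).
SCHEDULE = {
    "CONTRACT": SeriesRule("expired", 7, "destroy", "assumed: limitation period on written contracts"),
    "INVOICE": SeriesRule("paid", 7, "destroy", "assumed: tax recordkeeping rule"),
    "BOARD-MIN": SeriesRule("created", 2, "archive", "assumed: governance policy, permanent value"),
}
HOLDS = [
    LegalHold("H-2012-01", series=frozenset({"CONTRACT"}), released=date(2014, 1, 1)),
    LegalHold("H-2019-04", series=frozenset({"INVOICE"}), record_ids=frozenset({"MIN-9"})),
]
RECORDS = [
    Record("CTR-1", "CONTRACT", {"created": date(2005, 1, 10), "expired": date(2010, 3, 31)}, "legal"),
    Record("CTR-2", "CONTRACT", {"created": date(2015, 1, 10)}, "legal"),
    Record("INV-7", "INVOICE", {"paid": date(2011, 5, 20)}, "finance"),
    Record("MIN-3", "BOARD-MIN", {"created": date(2016, 2, 29)}, "secretary"),
    Record("MISC-9", "UNSCHEDULED", {"created": date(2001, 7, 1)}, "ops"),
]


def demo(today: date = date(2019, 12, 1)) -> list:
    return disposition_report(RECORDS, SCHEDULE, HOLDS, today)
```

In the sample, CTR-1 is due for destruction because the only hold that ever covered contracts was released in 2014, INV-7 is past its period but stays on hold, CTR-2 never reached its trigger event, MIN-3 goes to the archive, and MISC-9 has no series rule and so cannot be disposed of without written authorization. The returned decision dicts are what a disposition audit trail would record before anything is actually shredded or transferred.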
Assessment and Improvement Roadmap
The Generally Accepted Recordkeeping Principles® maturity model can be leveraged to develop a current-state assessment of an organization’s recordkeeping practices and resources, identify gaps and assess risks, and develop priorities for desired improvements.
The Principles were developed by ARMA International to identify characteristics of an effective recordkeeping program. Each of the eight principles identifies issues and practices that, when evaluated against the unique needs and circumstances of an organization, can be applied to improvements for a recordkeeping program that meets recordkeeping requirements. The Principles identify requirements and can be used to guide incremental improvement in creation, organization, security, maintenance, and other activities over a period of one to five years. Fundamentally, RM and information governance are business disciplines that must be tightly integrated with operational policies, procedures, and infrastructure.
The Principles can be mapped to the four improvement areas in Table 3.2.
As an accepted industry-guidance maturity model, the Principles provide a convenient and complete framework for assessing the current state of an organization’s recordkeeping and developing a roadmap to identify improvements that will bring the organization into compliance. An assessment/analysis of the current RM practices, procedures, and capabilities together with current- and future-state practices provides two ways of looking at the future requirements of a complete RM program (see Table 3.3).
Table 3.2 Improvement Areas for Generally Accepted Recordkeeping Principles
Columns (one per principle): Accountability, Transparency, Integrity, Protection, Compliance, Availability, Retention, Disposition. A ◊ marks a principle that the improvement area supports.
Roles and responsibilities: ◊ ◊ ◊
Policies and procedures: ◊ ◊ ◊ ◊ ◊ ◊ ◊ ◊ (all eight principles)
Communication and training: ◊ ◊ ◊ ◊ ◊
Systems and automation: ◊ ◊ ◊ ◊ ◊ ◊
Who Should Determine IG Policies?
When forming an IG steering committee or board, it is essential to include representatives from cross-functional groups and at different levels of the organization. The committee must be driven by an executive sponsor and include active members from key business units as well as other departments, including IT, finance, risk, compliance, RM, and legal. Then corporate training/education and communications must be involved to keep employees trained and current on IG policies. This function may be performed by an outside consulting firm if there is no corporate education staff.
Knowledge workers who work with records and sensitive information in any capacity best understand the nature and value of the records they work with as they perform their day-to-day functions. IG policies must be developed and communicated clearly and consistently. Policies are worthless if people do not know or understand them or how to comply with them. And training is a crucial element that will be examined in any compliance hearing or litigation that may arise. “Did senior management not only create the policies but provide adequate training on them on a consistent basis?” will be a key question raised. So a training plan is a necessary piece of IG, and education should be heavily emphasized. [6]
The need for IG is increasing due to increased and tightened regulations, increased litigation, and the increased incidence of theft and misuse of internal documents and records. Organizations that do not have active IG programs should reevaluate IG policies and their internal processes following any major loss of records, the inability to produce accurate records in a timely manner, or any document security breach or theft. If review boards include a broad section of critical players on the IG committee and leverage executive sponsorship, they will better prepare the organization for legal and regulatory rigors.
Table 3.3 Assessment Report and Road Map
Columns: Principle; Level; Findings; Requirements to Move to the Next Step.
Accountability. Level 1, Substandard.
Findings: No senior executive (or person of comparable authority) is responsible for the RM program. The records manager role is largely nonexistent or is an administrative and/or clerical role distributed among general staff.
Requirements to move to the next step: 1. Assign RM responsibilities to a senior executive. 2. Hire or promote a records manager.
Transparency. Level 1, Substandard.
Findings: It is difficult to obtain information about the organization or its records in a timely fashion. No clear documentation is readily available. There is no emphasis on transparency. Public requests for information, discovery for litigation, regulatory responses, or other requests (e.g., from potential business partners, investors, or buyers) cannot be readily accommodated. The organization has not established controls to ensure the consistency of information disclosure. Business processes are not well defined.
Requirements to move to the next step: 1. Develop policies and procedures. 2. Develop training for all levels of staff. 3. Identify requirements for records findability and accessibility. 4. Define business processes.
Integrity. Level 1, Substandard.
Findings: There are no systematic audits or defined processes for showing the origin and authenticity of a record. Various organizational functions use ad hoc methods to demonstrate authenticity and chain of custody, as appropriate, but their trustworthiness cannot easily be guaranteed.
Requirements to move to the next step: 1. Develop audit process. 2. Identify business activities for creation and storage of records.
Protection. Level 1, Substandard.
Findings: No consideration is given to record privacy. Records are stored haphazardly, with protection taken by various groups and departments with no centralized access controls. Access controls, if any, are assigned by the author.
Requirements to move to the next step: 1. Assess security and access controls. 2. Develop access and security control scheme.
Compliance. Level 3, Essential.
Findings: The organization has identified all relevant compliance laws and regulations. Record creation and capture are systematically carried out in accordance with RM principles. The organization has a strong code of business conduct, which is integrated into its overall IG structure and recordkeeping policies. Compliance and the records that demonstrate it are highly valued and measurable. The hold process is integrated into the organization’s information management and discovery processes for the most critical systems. The organization has defined specific goals related to compliance.
Requirements to move to the next step: 1. Implement systems to capture and protect records. 2. Develop metadata scheme. 3. Develop remediation plan and implement corrective actions.
Availability. Level 2, In Development.
Findings: Record retrieval mechanisms have been implemented in certain areas of the organization. In those areas with retrieval mechanisms, it is possible to distinguish between official records, duplicates, and nonrecord materials. There are some policies on where and how to store official records, but a standard is not imposed across the organization. Legal discovery is complicated and costly due to the inconsistent treatment of information.
Requirements to move to the next step: 1. Develop enterprise classification scheme. 2. Identify user search and retrieval requirements. 3. Develop standards for managing the records lifecycle.
Retention. Level 2, In Development.
Findings: A retention schedule is available but does not encompass all records, did not go through official review, and is not well known throughout the organization. The retention schedule is not regularly updated or maintained. Education and training about the retention policies are not available.
Requirements to move to the next step: 1. Develop enterprise-wide functional retention schedule. 2. Map retention schedule to classification scheme. 3. Implement an annual review process for records series and legal research. 4. Develop training for classification scheme and retention schedule.
Disposition. Level 2, In Development.
Findings: Preliminary guidelines for disposition are established. There is a realization of the importance of suspending disposition in a consistent manner, repeatable by certain legal groupings. There may or may not be enforcement and auditing of disposition.
Requirements to move to the next step: 1. Develop procedures for records disposition. 2. Implement disposition processes. 3. Develop audit trails for records transfers and destruction.
Overall: Level 1, Substandard.
CHAPTER SUMMARY: KEY POINTS
■ Principles of successful IG programs are emerging. They include executive sponsorship, information classification, integrity, security, accessibility, control, monitoring, auditing, policy development, and continuous improvement.
■ Accountability is a key aspect of IG.
■ The Generally Accepted Recordkeeping Principles® (“The Principles”) consist of eight principles that provide an IG framework that can support continuous improvement.
■ An audit process must be developed to cover all aspects of RM in the organization.
■ To be effective, policies must be formalized and integrated into business processes.
■ Disposition is the last stage in the life cycle of records. Disposition is not synonymous with destruction, although destruction may be one disposal option.
■ Knowledge workers who work with records in any capacity best understand the nature and value of the records they work with.
■ When forming an information governance steering committee or board, it is essential to include representatives from cross-functional groups.
■ Organizations without active IG programs should reevaluate IG policies and their internal processes following any major loss of records, the inability to produce accurate records in a timely manner, or any document security breach or theft.
Notes
1. Laura DuBois and Vivian Tero, “Practical Information Governance: Balancing Cost, Risk, and Productivity,” IDC White Paper, August 2010, www.emc.com/collateral/analyst-reports/idc-practical-information-governance-ar.
2. Ibid.
3. Debra Logan, “What Is Information Governance? And Why Is It So Hard?” January 11, 2010, http://blogs.gartner.com/debra_logan/2010/01/11/what-is-information-governance-and-why-is-it-so-hard/.
4. ARMA International, “Generally Accepted Recordkeeping Principles,” www.arma.org/r2/generally-accepted-br-recordkeeping-principles/copyright (accessed November 14, 2013).
5. ARMA International, “Information Governance Maturity Model,” www.arma.org/r2/generally-accepted-br-recordkeeping-principles (accessed November 14, 2013).
6. “Governance Overview (SharePoint Server 2010),” http://technet.microsoft.com/en-us/library/cc263356.aspx (accessed April 19, 2011).
PART TWO
Information Governance Risk Assessment and Strategic Planning
CHAPTER 4
Information Risk Planning and Management
Information risk planning involves a number of progressive steps: identifying potential risks to information, weighing those risks, creating strategic plans to mitigate the risks, and developing those plans into specific policies. Then it moves to developing metrics to measure compliance levels and identifying those who are accountable for executing the new risk mitigating processes. These processes must be audited and tested periodically not only to ensure compliance, but also to fine tune and improve the processes.
Depending on the jurisdiction, information is required by specific laws and regulations to be retained for specified periods, and to be produced in specified situations. To determine which laws and regulations apply to your organization’s information, research into the legal and regulatory requirements for information in the jurisdictions in which your organization operates must be conducted.
Step 1: Survey and Determine Legal and Regulatory Applicability and Requirements
There are federal, provincial, state, and even municipal laws and regulations that may apply to the retention of information (data, documents, and records). Organizations operating in multiple jurisdictions must maintain compliance with laws and regulations that may cross national, state, or provincial boundaries. Legally required privacy requirements and retention periods must be researched for each jurisdiction (e.g. county, state, country) in which the business operates, so that it complies with all applicable laws.
IG, compliance, and records managers must conduct their own legislative research to apprise themselves of mandatory information retention requirements, as well as privacy considerations and requirements, especially in regard to personally identifiable information (PII). This information must be analyzed and structured and presented to legal staff for discussion. Then further legal and regulatory research must be conducted, and firm legal opinions must be rendered by legal counsel regarding information retention, privacy, and security requirements in accordance with laws and regulations. This is an absolute requirement. In order to arrive at a consensus on records that have legal value to the organization and to construct an appropriate retention schedule, your legal staff or outside legal counsel should explain the legal hold process, provide opinions and interpretations of law that apply to your organization, and explain the value of formal records.
Legal requirements trump all others. The retention period for a particular type of document or PII data or records series must meet minimum retention, privacy, and security requirements as mandated by law. Business needs and other considerations are secondary. So, legal research is required before determining and implementing retention periods, privacy policies, and security measures.
In order to locate the regulations and citations relating to retention of records, there are two basic approaches. The first approach is to use a records retention citation service, which publishes in electronic form all of the retention-related citations. These services usually are purchased on a subscription basis, as the citations are updated on an annual or more frequent basis as legislation and regulations change.
Figure 4.1 is an excerpt from a Canadian records retention database product called FILELAW®.1 In this case, the act, citation, and retention periods are clearly identified.
Another approach is to search the laws and regulations directly using online or print resources. Records retention requirements for corporations operating in the United States may be found in the Code of Federal Regulations (CFR).
In identifying information requirements and risks, legal requirements trump all others.
Figure 4.1 Excerpt from Canadian Records Retention Database
Source: Ontario, Electricity Act, FILELAW database, Thomson Publishers, May 2012.
The Code of Federal Regulations (CFR) annual edition is the codification of the general and permanent rules published in the Federal Register by the departments and agencies of the federal government. It is divided into 50 titles that represent broad areas subject to federal regulation. The 50 subject matter titles contain one or more individual volumes, which are updated once each calendar year, on a staggered basis. The annual update cycle is as follows: titles 1 to 16 are revised as of January 1; titles 17 to 27 are revised as of April 1; titles 28 to 41 are revised as of July 1; and titles 42 to 50 are revised as of October 1. Each title is divided into chapters, which usually bear the name of the issuing agency. Each chapter is further subdivided into parts that cover specific regulatory areas. Large parts may be subdivided into subparts. All parts are organized in sections, and most citations to the CFR refer to material at the section level.2
There is an up-to-date version that is not yet a part of the official CFR but is updated daily, the Electronic Code of Federal Regulations (e-CFR). “It is not an official legal edition of the CFR. The e-CFR is an editorial compilation of CFR material and Federal Register amendments produced by the National Archives and Records Administration’s Office of the Federal Register . . . and the Government Printing Office.”3 According to the gpoaccess.gov Web site:
The Administrative Committee of the Federal Register (ACFR) has authorized the National Archives and Records Administration’s (NARA) Office of the Federal Register (OFR) and the Government Printing Office (GPO) to develop and maintain the e-CFR as an informational resource pending ACFR action to grant the e-CFR official legal status. The OFR/GPO partnership is committed to presenting accurate and reliable regulatory information in the e-CFR editorial compilation with the objective of establishing it as an ACFR sanctioned publication in the future. While every effort has been made to ensure that the e-CFR on GPO Access is accurate, those relying on it for legal research should verify their results against the official editions of the CFR, Federal Register and List of CFR Sections Affected (LSA), all available online at www.gpoaccess.gov. Until the ACFR grants it official status, the e-CFR editorial compilation does not provide legal notice to the public or judicial notice to the courts.
The OFR updates the material in the e-CFR on a daily basis. Generally, the e-CFR is current within two business days. The current update status is displayed at the top of all e-CFR web pages.
For governmental agencies, a key consideration is complying with requests for information as a result of freedom of information laws like the U.S. Freedom of Information Act, Freedom of Information Act 2000 (in the United Kingdom), and similar legislation in other countries. So the process of governing information is critical to meeting these requests by the public for governmental records.
In the United States the Code of Federal Regulations lists retention requirements for businesses, divided into 50 subject matter areas.
Step 2: Specify IG Requirements to Achieve Compliance
Once the legal research has been conducted and a process for keeping updated on laws and regulations has been established, specific external compliance requirements can be listed and those data, document, and record sets that apply to those external compliance requirements can be mapped back to applicable holdings of data sets, document collections, and records series. The crucial task is keeping your legal and records management staff apprised of changes and updating the policies and processes appropriately.
Internal IG retention policies may be different from the legally mandated minimums. For instance, an organization that is not operating in a highly regulated industry that wants to balance defensible disposition with a need to retain corporate memory and develop knowledge management (KM) content or “knowledge bases” may have the option to dispose of e-mail that is not declared a record or cited for legal hold after 90 days, but may choose, based on corporate culture and other business factors, to retain e-mail messages for a year. Similarly, the organization may make legally defensible disposition decisions that reduce the total amount of information it must manage by using a “last accessed” rationale, whereby information that has not been accessed for over one year (or whatever the specified period is) may be destroyed and discarded, as a matter of policy.
Step 3: Create a Risk Profile
Creating a risk profile is a basic building block in enterprise risk management (yet another ERM acronym), which assists executives in understanding the risks associated with stated business objectives and allocating resources, within a structured evaluation approach or framework. There are multiple ways to create a risk profile, and how often it is done, the external sources consulted, and stakeholders who have input will vary from organization to organization.4 A key tenet to bear in mind is that simpler is better and that sophisticated tools and techniques should not make the process overly complex. According to the ISO, risk is defined as “the effect of uncertainty on objectives,” and a risk profile is “a description of a set of risks.”5 Creating a risk profile involves identifying, documenting, assessing, and prioritizing risks that an organization may face in pursuing its business objectives. It can be a simple table chart. Those associated risks can then be evaluated and delineated within a risk or IG framework.
The corporate risk profile should be an informative tool for executive management, the CEO, and the board of directors, so it should reflect that tone. In other words, it should be clear, succinct, and simplified. A risk profile may also serve to inform the head of a division or subsidiary, in which case it may contain more detail. The process can also be applied to public and nonprofit entities.
The risk profile is a high-level, executive decision input tool.
The time horizon for a risk profile varies, but looking out three to five years is a good rule of thumb.6 The risk profile typically will be created annually, although semiannually would serve the organization better and account for changes in the business and legal environment. But if an organization is competing in a market sector with rapid business cycles or volatility, the risk profile should be generated more frequently, perhaps quarterly.
There are different types of risk profile methodologies; common methodologies are a top-10 list, a risk map, and a heat map. The top-10 list is a simple identification and ranking of the 10 greatest risks in relation to business objectives. The risk map is a visual tool that is easy to grasp, with a grid depicting a likelihood axis and an impact axis, usually rated on a scale of 1 to 5. In a risk assessment meeting, stakeholders can weigh in on risks using voting technology to generate a consensus. A heat map is a color-coded matrix generated by stakeholders voting on risk level by color (e.g., red being highest).
Information gathering is a fundamental activity in building the risk profile. Surveys are good for gathering basic information, but for more detail, a good method to employ is direct, person-to-person interviews, beginning with executives and risk professionals.7 Select a representative cross section of functional groups to gain a broad view. Depending on the size of the organization, you may need to conduct 20 to 40 interviews, with one person asking the questions and probing while another team member takes notes and asks occasionally for clarification or elaboration. Conduct the interviews in a compressed timeframe—knock them out within one to three weeks and do not drag the process out, as business conditions and personnel can change over the course of months.
Here are three helpful considerations to conducting successful interviews.
1. Prepare some questions for interviewees in advance and provide them to interviewees so they may prepare and do some of their own research.
2. Schedule the interview close to their offices, and at their convenience.
3. Keep the time as short as possible but long enough to get the answers you will need: approximately 20 to 45 minutes. Be sure to leave some open time between interviews to collect your thoughts and prepare for the next interview. And follow up with interviewees after analyzing and distilling your notes to confirm you have gained the correct insights.
The information you will be harvesting will vary depending on the interviewee’s level and function. You will need to look for any hard data or reports that show performance and trends related to information risk. There may be benchmarking data available as well. Delve into information access and security policies, policy development, policy adherence, and the like. Ask questions about retention of e-mail and legal hold processes. Ask about records retention and disposition policies. Ask about long-term preservation of digital records. Ask about data deletion policies. Ask for documentation regarding IG-related training and communications. Dig into policies for access to confidential data and securing vital records. Try to get a real sense of the way things are run, what is standard operating procedure, and also how workers might get around overly restrictive policies, or operate without clear policies. Learn enough so that you can grasp the management style and corporate culture, and then distill that information into your findings.
A common risk profile method is to create a prioritized or ranked top-10 list of greatest risks to information.
Key events and developments must also be included in the risk profile. For instance, a major data breach, the loss or potential loss of a major lawsuit, pending regulatory changes that could impact your IG policies, or a change in business ownership or structure must all be accounted for and factored into the information risk profile. Even changes in governmental leadership should be considered, if they might impact IG policies. These types of developments should be tracked on a regular basis and should continue to feed into the risk equation.8 Key events should be monitored and incorporated in developing and subsequently updating the risk profile.
At this point, it should be possible to generate a list of specific potential risks. It may be useful to group or categorize the potential risks into clusters, such as natural disaster, regulatory, safety, competitive, and so forth. Armed with this list of risks, you should solicit input from stakeholders as to the likelihood and timing of the threats or risks. As the organization matures in its risk identification and handling capabilities, a good practice is to look at the risks and their ratings from previous years to attempt to gain insights into change and trends—both external and internal—that affected the risks.
Step 4: Perform Risk Analysis and Assessment
Once you have created a risk profile and identified key risks, you must conduct an assessment of the likelihood that these risks hold and their resultant impact.
There are five basic steps in conducting a risk assessment:9
1. Identify the risks. This should be an output of creating a risk profile, but if conducting an information risk assessment, first identify the major information-related risks.
2. Determine potential impact. If a calculation of a range of economic impact is possible (e.g., lose $5 to $10 million in legal damages), then include it. If not, be as specific as possible as to how a negative event related to an identified risk can impact business objectives.
3. Evaluate risk levels and probabilities and recommend action. This may be in the form of recommending new procedures or processes, new investments in information technology (IT), or other actions to mitigate identified risks.
4. Create a report with recommendations and implement. You may want to include a risk assessment table (see Table 4.1) as well as written recommendations, then implement.
5. Review periodically. Review annually or semiannually, as appropriate for your organization.
Once a list of risks is developed, grouping them into basic categories helps stakeholders grasp them more easily and consider their likelihood and impact.
A helpful exercise and visual tool is to draw up a table of top risks, their potential impacts, actions that have been taken to mitigate the risks, and suggested new risk countermeasures, as in Table 4.1.
Step 5: Develop an Information Risk Mitigation Plan
After setting out the risks, their potential impacts, and suggested countermeasures for mitigation, you must create the information risk mitigation plan, which means developing options and tasks to reduce the specified risks and improve the odds of achieving business objectives.10 Basically, you are putting in writing the information you have collected and analyzed in creating the risk profile and risk assessment, and assigning specifics. The information risk mitigation plan should include a timetable and milestones for implementation of the recommended risk mitigation measures, including IT acquisition and implementation and assigning roles and responsibilities, such as executive sponsor, project manager (PM), and project team.
Table 4.1 Risk Assessment
What Are the Risks? | How Might They Impact Business Objectives? | Actions and Processes Currently in Place | Additional Resources Needed to Manage This Risk | Action by Whom? | Action by When? | Done
Breach of confidential documents | Compromise confidential information; compromise competitive position; compromise business negotiations | Utilizing ITIL and CobiT IT frameworks; published security policies; semiannual security audits | Implement newer technologies including information rights management; implement quarterly audits | IT staff, security officer | 01/10/2016 | 01/10/2016
The risk mitigation plan develops risk reduction options and tasks to reduce specified risks and improve the odds for achieving business objectives.
Step 6: Develop Metrics and Measure Results
How do you know how well you are doing? Have you made progress in reducing your organization’s exposure to information risk? To measure conformance and performance of your IG program, you must have an objective way to measure how you are doing, which means numbers and metrics. Assigning some quantitative measures that are meaningful and do, in fact, measure progress may take some serious effort and consultation with stakeholders. Determining relevant ways of measuring progress will allow executives to see progress, as, realistically, reducing risk is not something anyone can see or feel—the painful realizations are made only when the risk comes home to roost. Also, valid metrics help to justify investment in the IG program.
Although the proper metrics will vary from organization to organization, some specific metrics include:
■ Reduce the data lost on stolen or misplaced laptops by 50 percent over the previous fiscal year.
■ Reduce the number of hacker intrusion events by 75 percent over the previous fiscal year.
■ Reduce e-discovery costs by 25 percent over the previous fiscal year.
■ Reduce the number of adverse findings in the risk and compliance audit by 50 percent over the previous fiscal year.
■ Provide information risk training to 100 percent of the knowledge-level workforce this fiscal year.
■ Roll out the implementation of information rights management software to protect confidential e-documents to 50 users this fiscal year.
■ Provide confidential messaging services for the organization’s 20 top executives this fiscal year.
Your organization’s metrics should be tailored to address the primary goals of your IG program and should tie directly to stated business objectives.
Step 7: Execute Your Risk Mitigation Plan
Now that you have the risk mitigation plan, it must be executed. To do so, you must set up regular project/program team meetings, develop key reports on your information risk mitigation metrics, and manage the process. This is done using proven project and program management tools and techniques, which you may want to supplement with collaboration software tools, knowledge management software, or even internal social media. But most important, execution of the risk mitigation plan involves communicating clearly and regularly with the IG team on the progress and status of the IG effort to reduce information risk.
Metrics are required to measure progress in the risk mitigation plan.
Step 8: Audit the Information Risk Mitigation Program
The metrics you have developed to measure risk mitigation effectiveness must also be used for audit purposes. Put a process in place to separately and independently audit compliance to risk mitigation measures, to see that they are being implemented. The result of the audit should be a useful input in improving and fine-tuning the program. It should not be viewed as an opportunity to cite shortfalls and implement punitive actions. It should be a periodic and regular feedback loop into the IG program.
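The risk profile, risk map and heat map of Step 3, the ranking and categorization of Step 4 and the percentage-reduction metrics of Step 6, worked through as an added Python example that is not the book's own code; the risks, stakeholder votes and heat-map colour thresholds are constructed assumptions.

```python
"""Risk profile, risk map / heat map, ranked top-10 list and Step 6 metrics for the
information risk planning steps above. Added example, not the book's code; every
risk, vote and figure below is constructed sample data."""
from dataclasses import dataclass
from math import ceil
from statistics import median


@dataclass
class Risk:
    name: str
    category: str  # cluster such as regulatory, security, natural disaster
    impact: str    # how the risk might impact business objectives
    votes: list    # constructed stakeholder votes: (likelihood, impact), each 1-5


def consensus(votes):
    """Median likelihood and impact across the stakeholder votes (1 to 5 each)."""
    if not votes:
        raise ValueError("at least one stakeholder vote is required")
    for likelihood, impact in votes:
        if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
            raise ValueError("votes must use the 1 to 5 scale")
    return (median([v[0] for v in votes]), median([v[1] for v in votes]))


def risk_score(risk):
    """Likelihood x impact, a 1 to 25 score used to rank the risks."""
    likelihood, impact = consensus(risk.votes)
    return likelihood * impact


def heat_colour(score):
    """Heat-map colour for a score; the thresholds are an assumption."""
    if score >= 15:
        return "red"  # red is the highest level, as in the text
    if score >= 8:
        return "amber"
    return "green"


def risk_map(risks):
    """5x5 grid keyed by (likelihood, impact). A half-point median rounds up,
    the conservative choice, so a tied vote lands in the riskier cell."""
    grid = {}
    for risk in risks:
        likelihood, impact = consensus(risk.votes)
        grid.setdefault((ceil(likelihood), ceil(impact)), []).append(risk.name)
    return grid


def top_list(risks, n=10):
    """Ranked top-n list of (name, score, colour), highest score first."""
    ranked = sorted(risks, key=lambda r: (-risk_score(r), r.name))
    return [(r.name, risk_score(r), heat_colour(risk_score(r))) for r in ranked[:n]]


def by_category(risks):
    """Cluster the risks into categories so stakeholders can grasp them."""
    clusters = {}
    for risk in risks:
        clusters.setdefault(risk.category, []).append(risk.name)
    return clusters


def reduction_metric(baseline, current, target_pct):
    """Step 6 metric such as 'reduce intrusion events by 75 percent over the
    previous fiscal year': returns (percent achieved, target met)."""
    if baseline <= 0:
        raise ValueError("baseline must be positive to measure a reduction")
    achieved = round(100.0 * (baseline - current) / baseline, 1)
    return achieved, achieved >= target_pct


# Constructed sample risk profile (not real data).
SAMPLE_RISKS = [
    Risk("Breach of confidential documents", "security",
         "Compromise confidential information and competitive position",
         [(3, 5), (4, 5), (3, 4)]),
    Risk("Inability to produce records for e-discovery", "legal",
         "Sanctions and higher e-discovery costs", [(2, 4), (3, 4), (2, 3)]),
    Risk("E-mail retained beyond policy", "regulatory",
         "Larger discoverable corpus; retention non-compliance",
         [(4, 3), (5, 2), (4, 3)]),
    Risk("Flood at primary records centre", "natural disaster",
         "Loss of vital records", [(1, 5), (1, 4), (2, 5)]),
]

if __name__ == "__main__":
    for name, score, colour in top_list(SAMPLE_RISKS):
        print(f"{score:>3}  {colour:<5}  {name}")
    print(by_category(SAMPLE_RISKS))
    print(reduction_metric(40, 10, 75))  # (75.0, True)
```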
Notes
1. Ontario, Electricity Act, FILELAW database, Thomson Publishers, May 2012.
2. U.S. Government Printing Office (GPO), “Code of Federal Regulations,” www.gpo.gov/help/index.html#about_code_of_federal_regulations.htm (accessed April 22, 2012).
3. National Archives and Records Administration, “Electronic Code of Federal Regulations,” http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&tpl=%2Findex.tpl (accessed October 2, 2012).
4. John Fraser and Betty Simkins, eds., Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives (Hoboken, NJ: John Wiley & Sons, 2010), p. 171.
5. “ISO 31000 2009 Plain English, Risk Management Dictionary,” www.praxiom.com/iso-31000-terms.htm (accessed March 25, 2013).
6. Fraser and Simkins, p. 172.
7. Ibid.
8. Ibid., p. 179.
9. Health and Safety Executive, “Five Steps to Risk Assessment,” www.hse.gov.uk/risk/fivesteps.htm (accessed March 25, 2013).
10. Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide), 4th ed. (Project Management Institute, 2008), ANSI/PMI 99-001-2008, pp. 273–312.
CHAPTER SUMMARY: KEY POINTS
■ In identifying information requirements and risks, legal requirements trump all others.
■ In the United States, the Code of Federal Regulations lists information retention requirements for businesses, divided into 50 subject matter areas.
■ The risk profile is a high-level, executive decision input tool.
■ A common risk profile method is to create a prioritized or ranked top-10 list of greatest risks to information.
■ Once a list of risks is developed, grouping them into basic categories helps stakeholders to grasp them more easily and consider their likelihood and impact.
■ The risk mitigation plan develops risk reduction options and tasks to reduce specified risks and improve the odds for achieving business objectives.
■ Metrics are required to measure progress in the risk mitigation plan.
■ The risk mitigation plan must be reviewed and audited regularly and proper adjustments made.
CHAPTER 5
Strategic Planning and Best Practices for Information Governance
Securing a sponsor at the executive management level is always crucial to projects and programs, and this is especially true of any strategic planning effort. An executive must be on board and supporting the effort in order to garner the resources needed to develop and execute the strategic plan, and that executive must be held accountable for the development and execution of the plan. These axioms apply to the development of an information governance (IG) strategic plan.
Also, resources are needed—time, human capital, and budget money. The first is a critical element: It is not possible to require managers to take time out of their other duties to participate in a project if there is no executive edict and consistent follow up, support, and communication. Executive sponsorship is a best practice and supports the key principle of accountability of the Generally Accepted Recordkeeping Principles® (The Principles)1 (see Chapter 3 for more detail). And, of course, without an allocated budget, no program can proceed.
The higher your executive sponsor is in the organization, the better.2 The implementation of an IG program may be driven by the chief compliance officer, chief information officer (CIO), or, ideally, the chief executive officer (CEO). With CEO sponsorship come many of the key elements needed to complete a successful project, including allocated management time, budget money, and management focus.
It is important to bear in mind that this IG effort is truly a change management effort, in that it aims to change the structure, guidelines, and rules within which employees operate. The change must occur at the very core of the organization’s culture. It must be embedded permanently, and for it to be, the message must be constantly and consistently reinforced. Achieving this kind of change requires commitment from the very highest levels of the organization.
Executive sponsorship is critical to project success. There is no substitute. Without it, a project is at risk of failure.
If the CEO is not the sponsor, then another high-level executive must lead the effort and be accountable for meeting milestones as the program progresses. Programs with no executive sponsor can lose momentum and focus, especially as competing projects and programs are evaluated and implemented. Program failure is a great risk without an executive sponsor. Such a program likely will fade or fizzle out or be relegated to the back burner. Without strong high-level leadership, when things go awry, finger pointing and political games may take over, impeding progress and cooperation.
The executive sponsor must be actively involved, tracking program objectives and milestones on a regular, scheduled basis and ensuring they are aligned with business objectives. He or she must be aware of any obstacles or disputes that arise, take an active role in resolving them, and push the program forward.
Crucial Executive Sponsor Role
The role of an executive sponsor is high level, requiring periodic and regular attention to the status of the program, particularly with budget issues, staff resources, and milestone progress. The role of a program or project manager (PM) is more detailed and day to day, tracking specific tasks that must be executed to make progress toward milestones. Both roles are essential. The savvy PM brings in the executive sponsor to push things along when more authority is needed but reserves such project capital for those issues that absolutely cannot be resolved without executive intervention. It is best for the PM to keep the executive sponsor fully informed but to ask for assistance only when absolutely needed.
At the same time, the PM must manage the relationship with the executive sponsor, perhaps with some gentle reminders, coaxing, or prodding, to ensure that the role and tasks of executive sponsorship are being fulfilled. “[T]he successful Project Manager knows that if those duties are not being fulfilled, it’s time to call a timeout and have a serious conversation with the Executive Sponsor about the viability of the project.”3
The executive sponsor serves six key purposes on a project:
1. Budget. The executive sponsor ensures an adequate financial commitment is made to see the project through and lobbies for additional expenditures when change orders are made or cost overruns occur.
2. Planning and control. The executive sponsor sets direction and tracks accomplishment of specific, measurable business objectives.
3. Decision making. The executive sponsor makes or approves crucial decisions and resolves issues that are escalated for resolution.
4. Expectation management. The executive sponsor must manage expectations, since success is quite often a stakeholder perception.
5. Anticipation. Every project that is competing for resources can run into unforeseen blockages and objections. Executive sponsors run interference and provide political might for the PM to lead the project to completion, through a series of milestones.
6. Approval. The executive sponsor signs off when all milestones and objectives have been met.
An eager and effective executive sponsor makes all the difference to a project—if the role is properly managed by the PM. It is a tricky relationship, since the PM is always below the executive sponsor in the organization’s hierarchy, yet the PM must coax the superior into tackling certain high-level tasks. Sometimes a third-party consultant who is an expert in the specific project can instigate and support requests made of the sponsor and provide a solid business rationale.
Evolving Role of the Executive Sponsor
The role of the executive sponsor necessarily evolves and changes over the life of the initial IG program launch, during the implementation phases, and on through the continued IG program.
To get the program off the ground, the executive sponsor must make the business case and get adequate budgetary funding. But an effort such as this takes more than money; it takes time—not just time to develop new policies and implement new technologies, but the time of the designated PM, program leaders, and needed program team members.
In order to get this time set aside, the IG program must be made a top priority of the organization. It must be recognized, formalized, and aligned with organizational objectives. All this up-front work is the responsibility of the executive sponsor.
Once the IG program team is formed, team members must clearly understand why the new program is important and how it will help the organization meet its business objectives. This message must be regularly reinforced by the executive sponsor; he or she must not only paint the vision of the future state of the organization but articulate the steps in the path to get there.
When the formal program effort commences, the executive sponsor must remain
visible and accessible. He or she cannot disappear into everyday duties and expect the
program team to carry the effort through. The executive sponsor must be there to help
the team confront and overcome business obstacles as they arise and must praise the
successes along the way. This requires active involvement and a willingness to spend
the time to keep the program on track and focused.
The executive sponsor must be the lighthouse that shows the way even through cloudy skies and rough waters. This person is the captain who must steer the ship, even if the first mate (PM) is seasick and the deckhands (program team) are drenched and tired.
After the program is implemented, the executive sponsor is responsible for maintaining its effectiveness and relevance. This is done through periodic compliance audits, testing and sampling, and scheduled meetings with the ongoing PM.
While the executive sponsor role is high level, the PM’s role and tasks are more
detailed and involve day-to-day management.
Building Your IG Team
Who should make up the IG team? Although there are no set requirements or formulas, the complex nature of IG and the fact that it touches upon a number of specialized disciplines and functional areas dictates that a cross-functional approach be taken. So you will need representatives from several departments. There are some absolutes: you must have a representative from your legal staff or outside counsel, your information technology (IT) department, a senior records officer (SRO) or the equivalent, a risk management specialist or manager, an executive sponsor, and the IG program manager. In addition, there may be a need for input from managers of human resources, company communications, and certain business units. Depending on the scope of the effort, other possible IG team members might include an IT security expert, the corporate or agency archivist, business analysts, chief knowledge officer or knowledge management (KM) professional, litigation support head, financial analyst, business process specialist, project management professional, and other professionals in functions related to these areas.
Assigning IG Team Roles and Responsibilities
The executive sponsor will need to designate an IG PM. Depending on the focus of
the IG effort, that person could come from several areas, including legal, compliance,
risk management, records management, or IT.
In terms of breaking down the roles and responsibilities of the remainder of the IG team, the easy decision is to have IG team representatives take responsibility for the functional areas of their expertise. But there will be overlap, and it is best to have some pairs or small work groups teamed up to gain the broadest amount of input and optimum results. This will also facilitate cross training. For instance, inside legal counsel may be responsible for rendering the final legal opinions, but because they are not expert in records, document management, or risk management, they could benefit from input of others in specialized functional areas, which will inform them and help narrow and focus their legal research. Basic research into which regulations and laws apply to the organization regarding security, retention, and preservation of e-mail, e-records, and personally identifiable information (PII) could be conducted by the SRO or records management head, in consultation with the corporate archivist and CIO, with the results of their findings and recommendations drafted and sent to the legal counsel. The draft report may offer up several alternative approaches that need legal input and decisions. Then the legal team lead can conduct its own, focused research and make final recommendations regarding the organization’s legal strategy, business objectives, financial position, and applicable laws and regulations.
The role of the executive sponsor changes during the inception, planning, and execution of the IG program.
The risk mitigation plan develops risk reduction options and tasks to reduce specified risks and improve the odds for achieving business objectives.
The research, consultation, and collaboration of the IG team should result in a final draft of the IG strategic plan. It will still need more input and development to align the plan with business objectives, an analysis of internal and external drivers, applicable best practices, competitive analysis, applicable IT trends, an analysis and inclusion of the organization’s culture, and other factors.
Align Your IG Plan with Organizational Strategic Plans
The IG plan must support the achievement of the organization’s business objectives and therefore must be melded into the organization’s overall strategic plan. Integration with the strategic plan means that the business objectives in the IG plan are consistent with, and in support of, the enterprise strategic plan.
So, for example, if the corporate strategy includes plans for acquiring smaller competitors and folding them into the organization’s structure as operating divisions, then the IG plan must assist and contribute to this effort. Plans for standardizing operating policies and procedures must include a consistent, systematized approach to the components of IG, including stakeholder consultation, user training and communications, and compliance audits. The IG plan should bring a standard approach across the spectrum of information use and management within the organization, and it must be forged to accommodate the new technology acquisitions. This means that e-mail policies, e-discovery policies, mobile device policies, social media policies, cloud collaboration and storage use, and even nitty-gritty details like report formats, data structures, document taxonomies, and metadata must be consistent and aligned with the overall strategic plan. In other words, the goal is to get all employees on the same page and working to support the business objectives of the strategic plan in everyday small steps within the IG plan.
The IG team must include a cross-functional group of stakeholders from various departments, including legal, records management, IT, and risk management.
The IG strategic plan must be aligned and synchronized with the organization’s overall strategic plans, goals, and business objectives.
The organization will also have an IT plan that must be aligned with the strategic plan to support overall business objectives. The IT strategy may be to convert new acquisitions to the internal financial and accounting systems of the organization and to train new employees to use the existing software applications under the umbrella of the IG plan. Again, the IG plan needs to be integrated with the IT strategy and must consider the organization’s approach to IT.
The result of the process of aligning the IG effort with the IT strategy and the organization’s overall strategic plan will mean, ideally, that employee efforts are more efficient and productive since they are consistently moving toward the achievement of the organization’s overall strategic goals. The organization will be healthier and will have less dissent and confusion with clear IG policies that leverage the IT strategy and help employees pursue overall business objectives.
Further considerations must be folded into the IG plan. As every corporate culture is different and has a real impact on decision-making and operational approaches, corporate culture must be included in the plan. Corporate culture includes the organization’s appetite for risk, its use of IT (e.g., forward-thinking first adopter), its capital investment strategies, and other management actions.
So, if the organization is conservative and risk averse, it may want to hold off on implementing some emerging e-discovery technologies that can cut costs but also induce greater risk. Or if it is an aggressive, progressive, risk-taking organization, it may opt to test and adopt newer e-discovery technologies under the IT strategy and umbrella of IG policies. An example may be the use of predictive coding technology in early case assessment (ECA). Predictive coding uses text auto-classification technology and neural technology with the assistance of human input to “learn” which e-documents might be relevant in a particular legal matter and which may not be. Through a series of steps of testing and checking subsets of the documents, humans can provide input to improve the document sorting and selection process. The software uses machine learning (artificial intelligence whereby the software can change and improve on a particular task, as its decision engine is shaped and “trained” by input) to improve its ability to cull through and sort documents.
Predictive coding can reduce e-discovery costs, yet there are risks that the approach can be challenged in court and could, in fact, affect the case adversely. Thus, a decision on a technology like predictive coding can involve and include elements of the IG plan, IT strategy, and overall organizational strategic plan.
And there are resource issues to consider: How much management time, or bandwidth, is available to pursue the IG plan development and execution? Is there a budget item to allow for software acquisitions and training and communications to support the execution of the IG plan? Obviously, without the allocated management time and budget money, the IG plan cannot be executed.
Survey and Evaluate External Factors
The IG plan is now harmonized and aligned with your organization’s strategic plan and IT strategy, but you are not finished yet, because the plan cannot survive in a vacuum: Organizations must analyze and consider the external business, legal, and technological environment and fold their analysis into their plans.
Analyze IT Trends
IG requires IT to support and monitor implementation of policies, so it matters what is developing and trending in the IT space. What new technologies are coming online? Why are they being developed and becoming popular? How do these changes in the business environment that created opportunities for new technologies to be developed affect your organization and its ability to execute its IG plan? How can new technologies assist? Which ones are immature and too risky? These are some of the questions that must be addressed in regard to the changing IT landscape.
Some changes in information and communications technology (ICT) are rather obvious, such as the trends toward mobile computing, tablet and smartphone devices, cloud storage, and social media use. Each one of these major trends that may affect or assist in implementing IG needs to be considered within the framework of the organization’s strategic plan and IT strategy. If the corporate culture is progressive and supportive of remote work and telecommuting, and if the organizational strategy aims to lower fixed costs by reducing the amount of office space for employees and moving to a more mobile workforce, then trends in tablet and smartphone computing that are relevant to your organization must be analyzed and considered. Is the organization going to provide mobile devices or support a bring-your-own-device (BYOD) environment? Which equipment will you support? Will you support iOS, Android, or both? What is your policy going to be on phone jacking? What is the IG policy regarding confidential documents on mobile devices? Will you use encryption? If so, which software? Is your enterprise moving to the cloud computing model? Utilizing social media? What about Big Data and analytics? Are you going to consider deploying auto-classification and predictive coding technologies? What are the trends that might affect your organization?
Many, many questions must be addressed, but the evaluation must be narrowed down to those technology trends that specifically might impact the execution of your IG plan and rollout of new technology.
On a more granular level, you must evaluate even supported file and document formats. It gets that detailed, when you are crafting IG policy. For instance, PDF/A is the standard format for archiving electronic documents. So your plans must include long-term digital preservation (LTDP) standards and best practices.
Survey Business Conditions and the Economic Environment
If the economy is on a down cycle, and particularly if your business sector has been negatively affected, resources may be scarcer than in better times. Hence, it may be more difficult to get budget approval for necessary program expenses, such as new technologies, staff, training materials, communications, and so forth. This means your IG plan may need to be scaled back or its scope reduced. Implementing the plan in a key division rather than attempting an enterprise rollout may be the best tactic in tough economic times.
The IG strategic plan must be informed with an assessment of relevant technology trends.
But if things are booming and the business is growing fast, budget money for investments in the IG program may be easier to secure, and the goals may be expanded.
IG should be an ongoing program, but it takes time to implement, and it takes resources to execute, audit, and continue to refine. So an executive looking for a quick and calculable payback on the investment may want to focus on narrower areas. For instance, the initial focus may be entirely on the legal hold and e-discovery process, with business objectives that include reducing pretrial costs and attorney fees by a certain percentage or amount. It is much easier to see concrete results when focusing on e-discovery, since legal costs are real, and always will be there. The business case may be more difficult to make if the IG effort is broader and improves the ability to organize and search for information faster and to execute more complete searches to improve the basis for management decision making. Improved management decision making will improve the organization’s competitiveness long-term, but it may be difficult to cite specific examples where costs were saved or revenues were increased as a result of the “better decisions” that should come about through better IG.
Analyze Relevant Legal, Regulatory, and Political Factors
In consultation with your legal team or lead, the laws and regulations that affect your industry should be identified. Narrowing the scope of your analysis, those that specifically could impact your governance of information should be considered and analyzed. What absolute requirements do they impose? Where there is room for interpretation, where, legally, does your organization want to position itself? How much legal risk is acceptable? These are the types of questions you will have to look to your legal and risk management professionals to answer. Again, legal requirements trump all others.
Your decision process must include considerations for the future and anticipated future changes. Changes in the legal and regulatory environment happen based on the political leaders who are in place and any pending legislation. So you must go further and analyze the current political environment and make some judgments based on the best information you can gather, the organization’s culture and appetite for risk, management style, available resources, and other factors. Generally, a more conservative environment means less regulation, and this analysis must also be folded into your IG strategic plan.
Trends and conditions in the internal and external business environment must be included in the IG strategic plan.
Laws and regulations relevant to your organization’s management and distribution of information in all jurisdictions must be considered and included in the IG strategic plan. Legal requirements trump all others.
Survey and Determine Industry Best Practices
IG is a developing hybrid discipline. In a sense, it is a superset of records management and a subset of governance, risk management, and compliance (GRC), that emerged to help manage the explosion in the amount of records, documents, and data that must be managed in today’s increasingly high-volume and velocity business environment and highly regulated compliance and litigation environment. As such, best practices are still being formed and added to. This process of testing, proving, and sharing best practices will continue for some time as the practices are expanded, revised, and refined.
The most relevant study of IG best practices is one that is conducted for your organization and surveys your industry and what some of your more progressive competitors are doing in regard to IG. Often the best way to accomplish such a study is by engaging a third-party consultant, who can more easily contact, study, and interview your competitors in regard to their practices. Business peer groups and trade associations also can provide some consensus as to emerging best practices.
Twenty-five IG best practices covering a number of areas in which IG has an impact or should be a major consideration are listed next.
1. IG is a key underpinning for a successful RM program. Practicing good IG is the essential foundation for building a legally defensible RM program; it provides the basis for consistent, reliable methods for managing documents and records. Having trusted and reliable records, reports, and databases allows managers to make key decisions with confidence.4 And accessing that information and business intelligence in a timely fashion can yield a long-term sustainable competitive advantage, creating more agile enterprises.
To implement a successful IG program, enterprises must standardize and systematize their handling of information, in particular their formal business records. They must analyze and optimize how information is accessed, controlled, managed, shared, stored, preserved, and audited. They must have complete, current, and relevant policies, processes, and technologies to manage and control information, including who is able to access what information, and when, to meet external legal and regulatory demands and internal governance requirements. This, in short, is IG.
2. IG is not a project but rather an ongoing program that provides an umbrella of rules and policies, monitored and enforced with the support of IT to manage and control information output and communications. Since technologies change so quickly, it is necessary to have overarching technology-agnostic policies that can manage the various IT platforms that an organization may use.
Compare the IG program to a workplace safety program; every time a new location, team member, piece of equipment, or toxic substance is acquired by the organization, the workplace safety program should dictate how that is handled. If it does not, the workplace safety policies/procedures/training that are part of the workplace safety program need to be updated. Regular reviews are conducted to ensure the program is being followed, and adjustments are made based on the findings. The effort never ends.5
Include a best practices review in your IG strategic plan. The most relevant best practices in IG are those in your industry proven by peers and competitors.
3. Using an IG framework or maturity model is helpful in assessing and guiding IG programs. Various models are offered, such as The Principles from ARMA International; the Information Governance Reference Model, which grew out of the Electronic Discovery Reference Model (found at EDRM.net);6 or MIKE2.0, which was developed by the consulting firm Bearing Point and released to the public domain. Another tool that is particularly used in the Australian market for records management projects is Designing and Implementing Recordkeeping Systems (DIRKS).
4. Defensible deletion of data debris and information that no longer has value is critical in the era of Big Data. You must have IG policies in place and be able to prove that you follow them consistently and systematically in order to justify, to the courts and regulators, deletion of information. With a smaller information footprint, organizations can more easily find what they need and derive business value from it.7 Data debris must be eliminated regularly and consistently, and to do this, processes and systems must be in place to cull out valuable information and discard the data debris. An IG program sets the framework to accomplish this.
5. IG policies must be developed before enabling technologies are deployed to assist in enforcement. After the policy-making effort, seek out the proper technology tools to assist in monitoring, auditing, and enforcement.
6. To provide comprehensive e-document security throughout a document’s life cycle, documents must be secured upon creation using highly sophisticated technologies, such as information rights management (IRM) technology. IRM acts as a sort of “security wrapper” that denies access without proper credentials. Document access and use by individuals having proper and current credentials is also tightly monitored. IRM software controls the access, copying, editing, forwarding, and printing of documents using a policy engine that manages the rights to view and work on an e-document. Access rights are set by levels or “roles” that employees are responsible for within an organization.
7. A records retention schedule and legal hold notification (LHN) process are the two primary elements of a fundamental IG program. These are the basics. Implementation will require records inventorying, taxonomy development, metadata normalization and standardization, and a survey of LHN best practices.
8. A cross-functional team is required to implement IG. Since IG contains and requires elements of a number of established disciplines, representatives from the key areas must be included in the planning and implementation effort. At a minimum, you will need team leaders from legal, IT, records management, compliance and risk management, human resources, and executive management. Members from corporate communications, knowledge management, systems security, finance and accounting, and other functional areas also may be needed. Depending on the circumstances, you may need representatives from major business units within the organization.
9. The first step in information risk planning is to consider the applicable laws and regulations that apply to your organization in the jurisdictions in which it conducts business. Federal, provincial, state, and even municipal laws and regulations may apply to the retention of data, documents, and records. Organizations operating in multiple jurisdictions must be compliant with laws and regulations that may cross national, state, or provincial boundaries. Legally required privacy requirements and retention periods must be researched for each jurisdiction (state, country) in which the business operates, so that all applicable laws are complied with.
10. Developing a risk profile is a basic building block in enterprise risk management, which assists executives in understanding the risks associated with stated business objectives and in allocating resources within a structured evaluation approach or framework. There are multiple ways to create a risk profile, and the frequency with which it is created, the external sources consulted, and stakeholders who have input will vary from organization to organization.8 A key tenet to bear in mind is that simpler is better and that sophisticated tools and techniques should not make the process overly complex.
11. An information risk mitigation plan is a critical part of the IG planning process. An information risk mitigation plan helps in developing risk mitigation options and tasks to reduce the specified risks and improve the odds of achieving business objectives.9
12. Proper metrics are required to measure the conformance and performance of your IG program. You must have an objective way to measure how you are doing, which means numbers and metrics. Assigning some quantitative measures that are meaningful before rolling out the IG program is essential.
13. IG programs must be audited for effectiveness. Periodic audits will tell you how your organization is doing and where to fine-tune your efforts. To keep an IG program healthy, relevant, and effective, changes and fine-tuning will always be required.
14. An enterprise-wide retention schedule is preferable because it eliminates the possibility that different business units will have conflicting records retention periods. For example, if one business unit discards a group of records after 5 years, it would not make sense for another business unit to keep the same records for 10 years. Where enterprise-wide retention schedules are not possible, smaller business units, such as divisions or regions, should operate under a consistent retention schedule.
15. Senior management must set the tone and lead sponsorship for vital records program governance and compliance. Although e-records are easier to protect and back up, most vital records today are e-records. These are an organization’s most essential records. Without them, an organization cannot continue operations.
16. Business processes must be redesigned to improve and optimize the management and security of information and especially the most critical of information, electronic records, before implementing enabling technologies. For instance, using electronic records management (ERM) software fundamentally changes the way people work, and greater efficiencies can be gained with business process redesign (versus simply using ERM systems as electronic filing cabinets to speed up poor processes).
17. E-mail messages, both inbound and outbound, should be archived automatically and (preferably) in real time. This ensures that spoliation (i.e., the loss of proven authenticity of an e-mail) does not occur. Archiving preserves legal validity and forensic compliance. By policy, most messages will be deleted in a short timeframe. Additionally, e-mail should be indexed to facilitate the searching process, and all messages should be secured in a single location (with backups). With these measures, the authenticity and reliability of e-mail records can be ensured.
18. Personal archiving of e-mail messages should be disallowed. Although users will want to save certain e-mail messages for their own reasons, control and management of e-mail archiving must be at the organization level or at as high a level as is practical, such as division or region.
19. Destructive retention of e-mail helps to reduce storage costs and legal risk while improving “findability” of critical records. It makes good business sense to have a policy to, say, destroy all e-mail messages after 90 or 120 days that are not flagged as potential records (which, e.g., help document a transaction or a situation that may come into dispute in the future) or those that have a legal hold.
20. Take a practical approach and limit cloud use to documents that do not have long retention periods and carry a low litigation risk. Doing this will reduce the risk of compromising or losing critical documents and e-records. Some duplicate copies of vital records may be stored securely in the cloud to help the organization recover in the event of a disaster.
21. Manage social media content by IG policies and monitor it with controls that ensure protection of critical information assets and preservation of business records. Your organization must state clearly what content and tone is acceptable in social media use, and it must retain records of that use, which should be captured in real time.
22. International and national standards provide effective guidance for implementing IG. Although there are no absolutes, researching and referencing International Organization for Standardization (ISO) and other standards must be a part of any IG effort.
23. Creating standardized metadata terms should be part of an IG effort that enables faster, more complete, and more accurate searches and retrieval of records. This is important not only in everyday business operations but also when delving through potentially millions of records during the discovery phase of litigation. Good metadata management also assists in the maintenance of corporate memory and in improving accountability in business operations.10 Using a standardized format and controlled vocabulary provides a “precise and comprehensible description of content, location, and value.”11 Using a controlled vocabulary means your organization has standardized a set of terms used for metadata elements that describe records. This ensures consistency across a collection and helps with optimizing search and retrieval functions and records research as well as with meeting e-discovery requests, compliance demands, and other legal and regulatory requirements.
24. Some digital information assets must be preserved permanently as part of an organization’s documentary heritage.12 It is critical to identify records that must be kept long term as early in the process as possible; ideally, these records should be identified prior to or upon creation. LTDP applies to content that is born digital as well as content that is converted to digital form. Digital preservation is defined as long-term, error-free storage of digital information, with means for retrieval and interpretation, for the entire time span that the information is required to be retained. Dedicated repositories for historical and cultural memory, such as libraries, archives, and museums, need to move forward to put in place trustworthy digital repositories that can match the security, environmental controls, and wealth of descriptive metadata that these institutions have created for analog assets (such as books and paper records). Digital challenges associated with records management affect all sectors of society—academic, government, private, and not-for-profit enterprises—and ultimately citizens of all developed nations.
25. Executive sponsorship is crucial. Securing an executive sponsor at the senior management level is key to successful IG programs. It is not possible to require managers to take time out of their other duties to participate in a project if there is no executive edict. It is a best practice across industry sectors and technology sets and supports the Accountability principle of The Principles.13
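Best practices 4, 14, 17 and 19 above describe a disposition rule that an e-mail archive has to apply mechanically: unflagged mail is destroyed after the schedule cutoff, flagged records follow their series, an active legal hold overrides everything, and each decision must be provable later. The following is an added illustration written for this page, not code from the book or from any archiving product; the schedule, hold identifiers, message dates and "RS-2019.2" version tag are constructed sample values.

```python
"""Retention disposition check with a hash-chained audit log (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set
import hashlib
import json


@dataclass(frozen=True)
class Message:
    msg_id: str
    custodian: str                         # business unit or mailbox owner
    received: date
    flagged_as_record: bool = False
    record_series: Optional[str] = None    # e.g. "CONTRACTS" when flagged


@dataclass(frozen=True)
class LegalHold:
    hold_id: str
    custodians: Set[str]
    released: bool = False


@dataclass(frozen=True)
class Schedule:
    default_email_days: int                # destructive retention cutoff (90 or 120 in the text)
    series_days: Dict[str, int]            # record series -> retention in days, enterprise-wide


def decide(msg: Message, schedule: Schedule, holds: List[LegalHold], today: date) -> Dict[str, str]:
    """Return the disposition for one message as of `today`."""
    # 1. Legal hold is checked first; it overrides every retention period.
    for hold in holds:
        if not hold.released and msg.custodian in hold.custodians:
            return {"msg_id": msg.msg_id, "action": "HOLD", "reason": "legal hold %s" % hold.hold_id}
    age = (today - msg.received).days
    # 2. Flagged records follow their series; an unknown series fails closed (retain).
    if msg.flagged_as_record:
        if msg.record_series not in schedule.series_days:
            return {"msg_id": msg.msg_id, "action": "RETAIN", "reason": "unknown record series; retained pending review"}
        limit, basis = schedule.series_days[msg.record_series], "series %s" % msg.record_series
    else:
        # 3. Everything else is plain e-mail under destructive retention.
        limit, basis = schedule.default_email_days, "unflagged e-mail"
    action = "DESTROY" if age > limit else "RETAIN"
    return {"msg_id": msg.msg_id, "action": action, "reason": "%s: age %d days, limit %d days" % (basis, age, limit)}


def append_audit(log: List[Dict[str, str]], decision: Dict[str, str], schedule_version: str, today: date) -> Dict[str, str]:
    """Append an audit entry whose digest covers the previous digest, so a later edit
    or removal of any entry breaks the chain (the 'prove you followed the policy' part)."""
    prev = log[-1]["digest"] if log else "0" * 64
    entry = dict(decision, schedule_version=schedule_version, as_of=today.isoformat(), prev=prev)
    entry["digest"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode("utf-8")).hexdigest()
    log.append(entry)
    return entry


def verify_audit(log: List[Dict[str, str]]) -> bool:
    """Recompute the chain; False if any entry was altered, removed or reordered."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "digest"}
        if body.get("prev") != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest() != entry["digest"]:
            return False
        prev = entry["digest"]
    return True


def conflicting_series(unit_schedules: Dict[str, Schedule]) -> Dict[str, Dict[str, int]]:
    """Best practice 14: report record series that business units retain for different periods."""
    seen: Dict[str, Dict[str, int]] = {}
    for unit, sched in unit_schedules.items():
        for series, days in sched.series_days.items():
            seen.setdefault(series, {})[unit] = days
    return {s: units for s, units in seen.items() if len(set(units.values())) > 1}


def demo() -> Dict[str, object]:
    """Run constructed sample data through the engine and return everything for inspection."""
    today = date(2020, 1, 12)
    schedule = Schedule(default_email_days=90, series_days={"CONTRACTS": 7 * 365})
    holds = [LegalHold("LH-2019-001", {"finance"}),                  # active hold on finance
             LegalHold("LH-2018-007", {"sales"}, released=True)]     # released, must not block deletion
    messages = [
        Message("m1", "sales", date(2019, 9, 1)),                    # 133 days old -> DESTROY
        Message("m2", "sales", date(2019, 12, 1)),                   # 42 days old  -> RETAIN
        Message("m3", "finance", date(2018, 1, 1)),                  # old, but under hold -> HOLD
        Message("m4", "sales", date(2015, 1, 1), True, "CONTRACTS"), # within 7-year series -> RETAIN
    ]
    decisions = {m.msg_id: decide(m, schedule, holds, today) for m in messages}
    log: List[Dict[str, str]] = []
    for d in decisions.values():
        append_audit(log, d, "RS-2019.2", today)
    conflicts = conflicting_series({"sales": Schedule(90, {"CONTRACTS": 5 * 365}),
                                    "legal": Schedule(90, {"CONTRACTS": 10 * 365})})
    return {"decisions": decisions, "log": log, "conflicts": conflicts}


if __name__ == "__main__":
    result = demo()
    for d in result["decisions"].values():
        print(d["msg_id"], d["action"], "-", d["reason"])
    print("audit chain intact:", verify_audit(result["log"]), "| conflicts:", result["conflicts"])
```

Note that the hold check runs before any age arithmetic, so a message that would otherwise be destroyed is held as long as the hold is active, and that the conflict report reproduces the 5-year versus 10-year example the text gives for best practice 14.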
Formulating the IG Strategic Plan
Now comes the time to make sense of all the data and input your IG team has
gathered and hammer it into a workable IG strategic plan. Doing this will involve
some give-and-take among IG team members, each having their own perspective
and priorities. Everyone will be lobbying for the view of their functional groups. It
is the job of the executive sponsor to set the tone and to emphasize organizational
business objectives so that the effort does not drag out or turn into a competition but
is a well-informed consensus development process that results in a clear, workable
IG strategic plan.
Synthesize Gathered Information and Fuse It into IG Strategy
Your IG team will have gathered a great deal of information, which needs to be ana-
lyzed and distilled into actionable strategies. This process will depend on the expertise
and input of the specialized knowledge your team brings to the table within your
organizational culture. Team members must be able to make decisions and establish
priorities that reflect organizational business objectives and consider a number of influencing factors.
Do not prolong the strategy development process. The longer it lasts, the more key factors
influencing it can change. You want to develop a strategic plan that is durable enough to
withstand changes in technology, legislation, and other key influencing factors, but it
should be relevant to that snapshot of information that was collected early on. When
all the parts and pieces start changing and require reconsideration, a dated IG plan
does not serve the organization well.
Develop IG strategies for each of the critical areas, including the legal hold pro-
cess, e-discovery action plans, e-mail policy, mobile computing policy, IT acquisition
strategy, confidential document handling, vital records and disaster planning, social
media policy, and other areas that are important to your organization. To maintain
focus, do this first without regard to the prioritization of these areas.
66 INFORMATION GOVERNANCE
Then you must go through the hard process of prioritizing your strategies and aligning them
to your organizational goals and objectives. This may not be difficult in the beginning—for
instance, your IG strategies for legal holds and e-discovery readiness are likely going
to take higher priority than your social media policy, and protecting vital records is
paramount to any organization. As the process progresses, it will become more chal-
lenging to make trade-offs and establish priorities. Then you must tie these strategies
to overall organizational goals and business objectives.
A good technique to keep goals and objectives in mind may be to post them prom-
inently in the meeting room where these strategy sessions take place. This will help to
keep the IG team focused.
Develop Actionable Plans to Support Organizational
Goals and Objectives
Plans and policies to support your IG efforts must be developed that identify specific
tasks and steps and define roles and responsibilities for those who will be held ac-
countable for their implementation. This is where the rubber meets the road. But you
cannot simply create the plan and marching orders: You must build in periodic checks
and audits to test that new IG policies are being followed and that they have hit their
mark. Invariably, there will be adjustments made continually to craft the policies for
maximum effectiveness and continued relevance in the face of changes in external
factors, such as legislation and business competition, and internal changes in manage-
ment style and structure.
Create New IG Driving Programs to Support Business
Goals and Objectives
You have to get things moving and get employees motivated, and launching new sub-
programs within the overall IG program is a good way to start. For instance, a new
“e-discovery readiness” initiative can show almost immediate results if implemented
properly, with the support of key legal and records management team members,
driven by the executive sponsor. You may want to revamp the legal hold process
to make it more complete and verifiable, assigning specific employees accountabil-
ity for specific tasks. Part of that effort may be evaluating and implementing new
technology-assisted review (TAR) processes and predictive coding technology. So
you will need to bring in the IG team members responsible for IT and perhaps busi-
ness analysis. Working cooperatively on smaller parts of the overall IG program is a
way to show real results within defined time frames. Piecing together a series of program components is the best way to get started, and it breaks the overall IG program down into digestible, doable chunks. A small win early on is crucial to maintain momentum and executive sponsorship. E-discovery has real costs, but that also means progress can be measured objectively in terms of reducing the cost of activities such as early case assessment (ECA). Benefits can be measured in terms of reduced attorney review hours, reduced costs, and reduced time to accomplish pretrial tasks.

Fuse the findings of all your analyses of external and internal factors into your IG strategic plan. Develop strategies and then prioritize them.
To be clear, you will need to negotiate and agree on the success metrics the pro-
gram will be measured on in advance.
There are other examples of supporting IG subprograms, such as e-mail manage-
ment and archiving, where storage costs, search times, and information breaches can
be measured in objective terms. Or you may choose to roll out new policies for the use
of mobile devices within your organization, where adherence to policy can be mea-
sured by scanning mobile devices and monitoring their use.
Draft the IG Strategic Plan and Gain Input from a Broader
Group of Stakeholders
Once you have the pieces of the plan drafted and the IG team is in agreement that it
has been harmonized and aligned with overall organizational goals and objectives, you
must test the waters to see if you have hit the mark. It is a good practice to expose a
broader group of stakeholders to the plan to gain their input. Perhaps your IG team
has become myopic or has passed over some points that are important to the broader
stakeholder audience. Solicit and discuss their input, and to the degree that there is a
consensus, refine the IG strategic plan one last time before finalizing it. But remember,
it is a living document, a work in progress, which will require revisiting and updating
to ensure it is in step with changing external and internal factors. Periodic auditing
and review of the plan will reveal areas that need to be adjusted and revised to keep it
relevant and effective.
Get Buy-in and Sign-off and Execute the Plan
Take the finalized plan to executive management, preferably including the CEO, and
present the plan and its intended benefits to them. Field their questions and address
any concerns to gain their buy-in and the appropriate signatures. You may have to
make some minor adjustments if there are significant objections, but, if you have ex-
ecuted the stakeholder consultation process properly, you should be very close to the
mark. Then begin the process of implementing your IG strategic plan, including regu-
lar status meetings and updates, steady communication and reassurance of your execu-
tive sponsor, and planned audits of activities.
Create supporting subprograms to jump-start your IG program effort. Smaller
programs should be able to measure real results based on metrics that are
agreed on in advance.
CHAPTER SUMMARY: KEY POINTS
■ Engaged and vested executive sponsors are necessary for IG program success.
It is not possible to require managers to take time out of their other duties to
participate in a project if there is no executive edict or allocated budget.
■ The executive sponsor must be: (1) directly tied to the success of the pro-
gram, (2) fully engaged in and aware of the program, and (3) actively elimi-
nating barriers and resolving issues.
■ The role of the executive sponsor evolves over the life of the IG program and
IG program effort. Initially, the focus is on garnering the necessary resources,
but as the program commences, the emphasis is more on supporting the
IG program team and clearing obstacles. Once the program is implement-
ed, the responsibilities shift to maintaining the effectiveness of the program
through testing and audits.
■ While the executive sponsor role is high level, the project manager’s role and
tasks involve more detailed and day-to-day management.
■ The risk mitigation plan develops risk reduction options and tasks to reduce
specified risks and improve the odds for achieving business objectives.
■ The IG team must include a cross-functional group of stakeholders from various
departments, including legal, records management, IT, and risk management.
■ The IG strategic plan must be aligned and synchronized with the organiza-
tion’s overall strategic plans, goals, and business objectives.
■ The IG strategic plan must include an assessment of relevant technology trends.
■ Trends and conditions in the internal and external business environment
must be included in the IG strategic plan.
■ Laws and regulations relevant to your organization’s management and distri-
bution of information in all jurisdictions must be considered and included in
the IG strategic plan. Legal requirements trump all others.
■ Include a best practices review in your IG strategic plan. The most relevant best
practices in IG are those in your industry proven by peers and competitors.
(Twenty-five IG best practices are listed in this chapter for the first time in print.)
■ Fuse the findings of all your analysis of external and internal factors into your
IG strategic plan. Develop strategies and then prioritize them.
■ Create supporting subprograms to jump-start your IG program effort.
Smaller programs should be able to measure real results based on metrics
that are agreed on in advance.
■ Make sure to get executive sign-off on your IG strategic plan before moving
to execute it.
Notes
1. ARMA International, “How to Cite GARP,” www.arma.org/garp/copyright.cfm (accessed October 9,
2013).
2. Roger Kastner, “Why Projects Succeed—Executive Sponsorship,” February 15, 2011, http://blog
.slalom.com/2011/02/15/why-projects-succeed-%E2%80%93-executive-sponsorship/
3. Ibid.
4. Economist Intelligence Unit, “The Future of Information Governance,” www.emc.com/leadership
/business-view/future-information-governance.htm (accessed October 9, 2013).
5. Monica Crocker, e-mail to author, June 21, 2012.
6. EDRM, “Information Governance Reference Model (IGRM) Guide,” www.edrm.net/resources
/guides/igrm (accessed November 30, 2012).
7. Randolph A. Kahn, https://twitter.com/InfoParkingLot/status/273791612172259329, Nov. 28, 2012.
8. John Fraser and Betty Simkins, eds., Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives (Hoboken, NJ: John Wiley & Sons, 2010), p. 171.
9. Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide), 4th ed. (Newtown Square, PA: Project Management Institute, 2008), ANSI/PMI 99-001-2008, pp. 273–312.
10. Kate Cumming, “Metadata Matters,” in Julie McLeod and Catherine Hare, eds., Managing Electronic Records (London: Facet, 2005), p. 34.
11. Minnesota State Archives, Electronic Records Management Guidelines, “Metadata,” March 12, 2012,
www.mnhs.org/preserve/records/electronicrecords/ermetadata.html .
12. Charles Dollar and Lori Ashley, e-mail to author, August 10, 2012.
13. ARMA International, “How to Cite GARP.”
CHAPTER 6
Information Governance Policy Development
To develop an information governance (IG) policy, you must inform and frame the policy with internal and external frameworks, models, best practices, and standards—those that apply to your organization and the scope of its planned IG
program. In this chapter, we first present and discuss major IG frameworks and models
and then identify key standards for consideration.
A Brief Review of Generally Accepted Recordkeeping
Principles®
In Chapter 3 we introduced and discussed ARMA International’s eight Generally
Accepted Recordkeeping Principles ® , known as The Principles 1 (or sometimes GAR
Principles). These Principles and associated metrics provide an IG framework that can
support continuous improvement.
To review, the eight Principles are:
1. Accountability
2. Transparency
3. Integrity
4. Protection
5. Compliance
6. Availability
7. Retention
8. Disposition2
The Principles establish benchmarks for how organizations of all types and sizes
can build and sustain compliant, legally defensible records management (RM)
programs. Using the maturity model (also presented in Chapter 3 ), organizations can
assess where they are in terms of IG, identify gaps, and take steps to improve across the
eight areas The Principles cover.
IG Reference Model
In late 2012, with the support and collaboration of ARMA International and the Compliance, Governance and Oversight Council (CGOC), the Electronic Discovery Reference Model (EDRM) Project released version 3.0 of its Information Governance Reference Model (IGRM), which added information privacy and security “as primary functions and stakeholders in the effective governance of information.”3 The model is depicted in Figure 6.1.

Figure 6.1 Information Governance Reference Model
Source: EDRM.net (Information Governance Reference Model / © 2012 / v3.0 / edrm.net)
[Figure: Linking duty + value to information asset = efficient, effective management. Duty: legal obligation for specific information. Value: utility or business purpose of specific information. Asset: specific container of information. The outer ring shows the stakeholder groups and their drivers: Business (Profit), IT (Efficiency), Legal (Risk), RIM (Risk), Privacy and Security (Risk), bound together by Unified Governance, Process Transparency, and Policy Integration. The center shows the information life cycle: Create, Use; Hold, Discover; Store, Secure; Retain, Archive; Dispose.]

The IGRM is aimed at fostering IG adoption by facilitating communication and collaboration between disparate (but overlapping) IG stakeholder functions, including information technology (IT), legal, RM, risk management, and business unit stakeholders.4 It also aims to provide a common, practical framework for IG that will
foster adoption of IG in the face of new Big Data challenges and increased legal and
regulatory demands. It is a clear snapshot of where IG touches and shows critical in-
terrelationships and unified governance.5 It can help organizations forge policy in an
orchestrated way and embed critical elements of IG policy across functional groups.
Ultimately, implementation of IG helps organizations leverage information value, re-
duce risk, and address legal demands.
The growing CGOC community (2,000+ members and rising) has widely adopted
the IGRM and developed a process maturity model that accompanies and leverages
IGRM v3.0. 6
Interpreting the IGRM Diagram *
Outer Ring
Starting from the outside of the diagram, successful information management is about
conceiving a complex set of interoperable processes and implementing the procedures
and structural elements to put them into practice. It requires:
■ An understanding of the business imperatives of the enterprise,
■ Knowledge of the appropriate tools and infrastructure for managing informa-
tion, and
■ Sensitivity to the legal and regulatory obligations with which the enterprise
must comply.
For any piece of information you hope to manage, the primary stakeholder is the business
user of that information [emphasis added]. We use the term “business” broadly; the same
ideas apply to end users of information in organizations whose ultimate goal might not
be to generate a profit.
Once the business value is established, you must also understand the legal duty at-
tached to a piece of information. The term “legal” should also be read broadly to refer
to a wide range of legal and regulatory constraints and obligations, from e-discovery
and government regulation to contractual obligations such as payment card industry
requirements.
Finally, IT organizations must manage the information accordingly, ensuring pri-
vacy and security as well as appropriate retention as dictated by both business and legal
or regulatory requirements.
* This section is adapted with permission by EDRM.net, http://www.edrm.net/resources/guides/igrm (accessed
January 24, 2014).
You must inform and frame IG policy with internal and external frameworks,
models, best practices, and standards.
Center
In the center of the diagram is a work-flow or life-cycle diagram. We include this component in the diagram to illustrate the fact that information management is important
at all stages of the information life cycle—from its creation through its ultimate disposition.
This part of the diagram, once further developed, along with other secondary-level
diagrams, will outline concrete, actionable steps that organizations can take in imple-
menting information management programs.
Even the most primitive business creates information in the course of daily operations,
and IT departments spring up to manage the logistics; indeed, one of the biggest challeng-
es in modern organizations is trying to stop individuals from excess storing and securing
of information. Legal stakeholders can usually mandate the preservation of what is most
critical, though often at great cost. However, it takes the coordinated effort of all three
groups to defensibly dispose of a piece of information that has outlived its usefulness and
retain what is useful in a way that enables accessibility and usability for the business user.
How the IGRM Complements the Generally Accepted
Recordkeeping Principles *
The IGRM supports ARMA International’s “Principles” by identifying the cross-
functional groups of key information governance stakeholders and by depicting
their intersecting objectives for the organization. This illustration of the relation-
ship among duty, value, and the information asset demonstrates cooperation among
stakeholder groups to achieve the desired level of maturity of effective information
governance.
Effective IG requires a continuous and comprehensive focus. The IGRM will be
used by proactive organizations as an introspective lens to facilitate visualization and
discussion about how best to apply The Principles. The IGRM puts into sharp focus
The Principles and provides essential context for the maturity model.
* This section is adapted with permission by EDRM.net, http://www.edrm.net/resources/guides/igrm (accessed
January 24, 2014).
The business user is the primary stakeholder of managed information.
Information management is important at all stages of the life cycle.
Legal stakeholders can usually mandate the preservation of what is most criti-
cal, though often at great cost.
Best Practices Considerations
IG best practices should also be considered in policy formulation . Best practices in IG are evolv-
ing and expanding, and those that apply to organizational scenarios may vary. A best
practices review should be conducted, customized for each particular organization.
In Chapter 5 , we provided a list of 25 IG best practices, with some detail. The IG
world is maturing, and more best practices will evolve. The 25 best practices, summa-
rized next, are fairly generic and widely applicable.
1. IG is a key underpinning for a successful ERM program.
2. IG is not a project but rather an ongoing program.
3. Using an IG framework or maturity model is helpful in assessing and guiding
IG programs.
4. Defensible deletion of data debris and information that no longer has value is
critical in the era of Big Data.
5. IG policies must be developed before enabling technologies are added to as-
sist in enforcement.
6. To provide comprehensive e-document security throughout a document’s life
cycle, documents must be secured upon creation using highly sophisticated
technologies, such as information rights management (IRM) technology.
7. A records retention schedule and legal hold notification process (LHN) are
the two primary elements of a fundamental IG program.
8. A cross-functional team is required to implement IG.
9. The first step in information risk planning is to consider the applicable laws
and regulations that apply to your organization in the jurisdictions in which it
conducts business.
10. A risk profile is a basic building block in enterprise risk management, assisting
executives in understanding the risks associated with stated business objec-
tives and in allocating resources within a structured evaluation approach or
framework.
11. An information risk mitigation plan is a critical part of the IG planning
process. An information risk mitigation plan involves developing risk mitiga-
tion options and tasks to reduce the specified risks and improve the odds of
achieving business objectives. 7
12. Proper metrics are required to measure the conformance and performance of
your IG program.
13. IG programs must be audited for effectiveness.
14. An enterprise-wide retention schedule is preferable because it eliminates the
possibility that different business units will have different records retention
periods.
The IGRM was developed by the EDRM Project to foster communication
among stakeholders and adoption of IG. It complements ARMA’s Generally
Accepted Recordkeeping Principles.
15. Senior management must set the tone and lead sponsorship for vital records
program governance and compliance.
16. Business processes must be redesigned to improve the management of electron-
ic records or implement an electronic records management (ERM) system.
17. E-mail messages, both inbound and outbound, should be archived automati-
cally and (preferably) in real time.
18. Personal archiving of e-mail messages should be disallowed.
19. Destructive retention of e-mail helps to reduce storage costs and legal risk
while improving “findability” of critical records.
20. Take a practical approach and limit cloud use to documents that do not have
long retention periods and carry a low litigation risk.
21. Manage social media content by IG policies and monitor it with controls that en-
sure protection of critical information assets and preservation of business records.
22. International and national standards provide effective guidance for imple-
menting IG.
23. Creating standardized metadata terms should be part of an IG effort that
enables faster, more complete, and more accurate searches and retrieval of
records. 8
24. Some digital information assets must be preserved permanently as part of an
organization’s documentary heritage.
25. Executive sponsorship is crucial.
Standards Considerations
Standards must also be considered in policy development. There are two general types
of standards: de jure and de facto. De jure (“the law”) standards are those published by
recognized standards-setting bodies, such as the International Organization for Stan-
dardization (ISO), American National Standards Institute (ANSI), National Institute
of Standards and Technology (NIST—this is how most people refer to it, as they do
not know what the acronym stands for), British Standards Institution (BSI), Standards
Council of Canada, and Standards Australia. Standards promulgated by authorities
such as these have the formal status of standards.
De facto (“the fact”) standards are not formal standards but are regarded by
many as if they were. They may arise through popular use (e.g., Windows at the busi-
ness desktop in the 2001–2010 decade) or may be published by other bodies, such as
the U.S. National Archives and Records Administration (NARA) or Department of
Defense (DoD) for the U.S. military sector. They may also be published by formal
standards-setting bodies without having the formal status of a “standard” (such as
some technical reports published by ISO). 9
Benefits and Risks of Standards
Some benefits of developing and promoting standards are:
■ Quality assurance support. If a product meets a standard, you can be confident of
a certain level of quality.
■ Interoperability support. Some standards are detailed and mature enough to allow
for system interoperability between different vendor platforms.
■ Implementation frameworks and certification checklists. These help to provide
guides for projects and programs to ensure all necessary steps are taken.
■ Cost reduction , due to supporting uniformity of systems. Users have lower main-
tenance requirements and training and support costs when systems are more
uniform.
■ International consensus. Standards can represent “best practice” recommenda-
tions based on global experiences. 10
Some downside considerations are:
■ Possible decreased flexibility in development or implementation. Standards can, at
times, act as a constraint when they are tied to older technologies or methods,
which can reduce innovation.
■ “Standards confusion” from competing and overlapping standards. For instance,
an ISO standard may be theory-based and use different terminology, whereas
regional or national standards are more specific, applicable, and understandable
than broad international ones.
■ Real-world shortcomings due to theoretical basis. Standards often are guides based
on theory rather than practice.
■ Changing and updating requires cost and maintenance. There are costs to develop-
ing, maintaining, and publishing standards. 11
Key Standards Relevant to IG Efforts
Below we introduce and discuss some established standards that should be researched
and considered as a foundation for developing IG policy.
Risk Management
ISO 31000:2009 is a broad, industry-agnostic (not specific to vertical markets) risk
management standard. It states “principles and generic guidelines” of risk manage-
ment that can be applied to not only IG but also to a wide range of organizational ac-
tivities and processes throughout the life of an organization.12 It provides a structured
framework within which to develop and implement risk management strategies and
programs.
ISO 31000 defines a risk management framework as a set of two basic components that “support and sustain risk management throughout an organization.”13 The
stated components are: foundations, which are high level and include risk management
policy, objectives, and executive edicts; and organizational arrangements, which are
more specifi c and actionable, including strategic plans, roles and responsibilities, al-
located budget, and business processes that are directed toward managing an organiza-
tion’s risk.
Additional risk management standards may be relevant to your organization’s IG
policy development efforts, depending on your focus, scope, corporate culture, and
demands of your IG program executive sponsor.
Information Security and Governance
ISO/IEC 27001:2005 is an information security management system (ISMS) stan-
dard that provides guidance in the development of security controls to safeguard
information assets. Like ISO 31000, the standard is applicable to all types of organiza-
tions, irrespective of vertical industry.14 It “specifies the requirements for establishing,
implementing, operating, monitoring, reviewing, maintaining and improving a docu-
mented information security management system within the context of the organiza-
tion’s overall business risks.”
ISO/IEC 27001 is flexible enough to be applied to a variety of activities and processes when evaluating and managing information security risks, requirements, and objectives, and compliance with applicable legal and regulatory requirements. This includes use of the standard’s guidance by internal and external auditors as well as internal and external stakeholders (including customers and potential customers).
ISO/IEC 27002:2005, “Information Technology—Security Techniques—Code
of Practice for Information Security,” 15
establishes guidelines and general principles for initiating, implementing,
maintaining, and improving information security management in an orga-
nization and is identical to the previous published standard, ISO 17799. The
objectives outlined provide general guidance on the commonly accepted goals
of information security management. ISO/IEC 27002:2005 contains best
practices of control objectives and controls in the following areas of informa-
tion security management:
■ security policy;
■ organization of information security;
■ asset management;
■ human resources security;
■ physical and environmental security;
■ communications and operations management;
■ access control;
■ information systems acquisition, development, and maintenance;
■ information security incident management;
■ business continuity management; and
■ compliance.
The control objectives and controls in ISO/IEC 27002:2005 are intended to
be implemented to meet the requirements identified by a risk assessment. ISO/
IEC 27002:2005 is intended as a common basis and practical guideline for de-
veloping organizational security standards and effective security management
practices, and to help build confidence in inter-organizational activities.

Note that the 2005 editions of ISO/IEC 27001 and 27002 cited here have since been revised; confirm the current edition before tying policy language to specific clause or control numbers.
ISO 31000 is a broad risk management standard that applies to all types of
businesses.
ISO/IEC 38500:2008 is an international standard that provides high-level prin-
ciples and guidance for senior executives and directors, and those advising them, for
the effective and efficient use of IT.16 Based primarily on AS 8015, the Australian IT
governance standard, it “applies to the governance of management processes” that are
performed at the IT service level, but the guidance assists executives in monitoring IT
and ethically discharging their duties with respect to legal and regulatory compliance
of IT activities.
The ISO 38500 standard comprises three main sections:
1. Scope, Application and Objectives
2. Framework for Good Corporate Governance of IT
3. Guidance for Corporate Governance of IT
It is largely derived from AS 8015, the guiding principles of which were:
■ Establish responsibilities
■ Plan to best support the organization
■ Acquire validly
■ Ensure performance when required
■ Ensure conformance with rules
■ Ensure respect for human factors
The standard also has relationships with other major ISO standards, and em-
braces the same methods and approaches. It is certain to have a major impact
upon the IT governance landscape. 17
Records and E-Records Management
ISO 15489–1:2001 is the international standard for RM. It identifi es the elements
of RM and provides a framework and high-level overview of RM core principles. RM
is defined as the “field of management responsible for the efficient and systematic
control of the creation, receipt, maintenance, use and disposition of records, including
the processes for capturing and maintaining evidence of and information about busi-
ness activities and transactions in the form of records.”18
The second part of the standard, ISO 15489–2:2001, contains the technical specifications and a methodology for implementing the standard, originally based on early standards work in Australia (Design and Implementation of Recordkeeping Systems—DIRKS). (Note: Although still actively used in Australian states, the National Archives of Australia has not recommended use of DIRKS by Australian national agencies since 2007 and has removed DIRKS from its Web site.)19
The ISO 15489 standard makes little mention of electronic records, as it is written to address all kinds of records; nonetheless it was widely viewed as the definitive framework of what RM means.
In 2008, the International Council on Archives (ICA) formed a multinational team of experts to develop “Principles and Functional Requirements for Records in Electronic Office Environments,” commonly referred to as ICA-Req.20 The project was cosponsored by the Australasian Digital Recordkeeping Initiative (ADRI), which was undertaken by the Council of Australasian Archives and Records Authorities, which “comprises the heads of the government archives authorities of the Commonwealth of Australia, New Zealand, and each of the Australian States and Territories.”21 The National Archives of Australia presented a training and guidance manual to assist in implementing the principles at the 2012 International Congress on Archives in Brisbane, Australia.
In Module 1 of ICA-Req, principles are presented in a high-level overview; Module 2 contains specifications for electronic document and records management systems (EDRMS) that are “globally harmonized”; and Module 3 contains a requirements set and “implementation advice for managing records in business systems.”22 Module 3 recognizes that digital recordkeeping does not have to be limited to the EDRMS paradigm—the insight that has now been picked up by “Modular Requirements for Records Systems” (MoReq2010, the European standard released in 2011).23
Parts 1 to 3 of ISO 16175 were fully adopted in 2010–2011 based on the ICA-Req standard. The standard may be purchased at www.ISO.org, and additional information on the Australian initiative may be found at www.adri.gov.au.
ISO 16175 is guidance, not a standard that can be tested and certified against. This is the criticism by advocates of testable, certifiable standards like U.S. DoD 5015.2 and the European standard, MoReq2010.
In November 2011, ISO issued new standards for ERM, the first two in the ISO 30300 series, which are based on a managerial point of view and targeted at a management-level audience rather than at records managers or technical staff:
■ ISO 30300:2011, “Information and Documentation—Management Systems for Records—Fundamentals and Vocabulary”
■ ISO 30301:2011, “Information and Documentation—Management Systems for Records—Requirements”
The standards apply to “management systems for records” (MSR), a term that, as of this printing, is not typically used to refer to ERM or RM application [RMA] software in the United States or Europe and is not commonly found in ERM research or literature.
The ISO 30300 series is a systematic approach to the creation and management of records that is “aligned with organizational objectives and strategies.” [italics added]24
“ISO 30300 MSR ‘Fundamentals and Vocabulary’ explains the rationale behind the creation of an MSR and the guiding principles for its successful implementation, and it provides the terminology that ensures that it is compatible with other management systems standards.
ISO 30301 MSR ‘Requirements’ specifies the requirements necessary to develop a records policy. It also sets objectives and targets for an organization to implement systemic improvements. This is achieved through designing records processes and systems; estimating the appropriate allocation of resources; and establishing benchmarks to monitor, measure, and evaluate outcomes. These steps help to ensure that corrective action can be taken and continuous improvements are built into the system in order to support an organization in achieving its mandate, mission, strategy, and goals.”25
Major National and Regional ERM Standards
For great detail on national and regional standards related to ERM, see the book Managing Electronic Records: Methods, Best Practices, and Technologies (Wiley 2013) by Robert F. Smallwood. Below is a short summary:
United States E-Records Standard
The U.S. Department of Defense 5015.2 Design Criteria Standard for Electronic Records Management Software Applications was established in 1997 and is endorsed by the leading archival authority, the U.S. National Archives and Records Administration (NARA). There is a testing regime that certifies software vendors that is administered by JITC. JITC “builds test case procedures, writes detailed and summary final reports on 5015.2-certified products, and performs on-site inspection of software.”26 The DoD standard was built for the defense sector, and logically “reflects its government and archives roots.”
Since its endorsement by NARA, the standard has been the key requirement for ERM system vendors to meet, not only in U.S. public sector bids, but also in the commercial sector.
The 5015.2 standard has since been updated and expanded, in 2002 and 2007, to include requirements for metadata, e-signatures and Privacy and Freedom of Information Act requirements, and, as previously stated, was scheduled for update by 2013.
The U.S. DoD 5015.2-STD has been the most influential worldwide since it was first introduced in 1997. It best suits military applications.
Canadian Standards and Legal Considerations for Electronic Records Management*
The National Standards of Canada for electronic records management are: (1) Electronic Records as Documentary Evidence CAN/CGSB-72.34–2005 (“72.34”), published in December 2005; and, (2) Microfilm and Electronic Images as Documentary Evidence CAN/CGSB-72.11–93, first published in 1979 and updated to 2000 (“72.11”).27 72.34 incorporates all that 72.11 deals with and is therefore the more important of the two. Because of its age, 72.11 should not be relied upon for its “legal” content. However, 72.11 has remained the industry standard for “imaging” procedures—converting original paper records to electronic storage. The Canada Revenue Agency has adopted these standards as applicable to records concerning taxation.28
72.34 deals with these topics: (1) management authorization and accountability; (2) documentation of procedures used to manage records; (3) “reliability testing” of electronic records according to existing legal rules; (4) the procedures manual and the chief records officer; (5) readiness to produce (the “prime directive”); (6) records recorded and stored in accordance with “the usual and ordinary course of business” and “system integrity,” being key phrases from the Evidence Acts in Canada; (7) retention and disposal of electronic records; (8) backup and records system recovery; and, (9) security and protection. From these standards practitioners have derived many specific tests for auditing, establishing, and revising electronic records management systems.29
The “prime directive” of these standards states: “An organization shall always be prepared to produce its records as evidence.”30 The duty to establish the “prime directive” falls upon senior management:31
5.4.3 Senior management, the organization’s own internal law-making authority, proclaims throughout the organization the integrity of the organization’s records system (and, therefore, the integrity of its electronic records) by establishing and declaring:
a. the system’s role in the usual and ordinary course of business;
b. the circumstances under which its records are made; and
c. its prime directive for all RMS [records management system] purposes, i.e., an organization shall always be prepared to produce its records as evidence. This dominant principle applies to all of the organization’s business records, including electronic, optical, original paper source records, microfilm, and other records of equivalent form and content.
* This section was contributed by Ken Chasse J.D., LL.M., a records management attorney and consultant, and member of the Law Society of Upper Canada (Ontario) and of the Law Society of British Columbia, Canada.
Being the “dominant principle” of an organization’s electronic records management system, the duty to maintain compliance with the “prime directive” should fall upon its senior management.
Legal Considerations
Because an electronic record is completely dependent upon its ERM system for everything, compliance with these National Standards and their “prime directive” should be part of the determination of the “admissibility” (acceptability) of evidence and of electronic discovery in court proceedings (litigation) and in regulatory tribunal proceedings.32
There are 14 legal jurisdictions in Canada: 10 provinces, 3 territories, and the federal jurisdiction of the Government of Canada. Each has an Evidence Act (the Civil Code in the province of Quebec33), which applies to legal proceedings within its legislative jurisdiction. For example, criminal law and patents and copyrights are within federal legislative jurisdiction, and most civil litigation comes within provincial legislative jurisdiction.34
The admissibility of records as evidence is determined under the “business record” provisions of the Evidence Acts.35 They require proof that a record was made “in the usual and ordinary course of business,” and of “the circumstances of the making of the record.” In addition, to obtain admissibility for electronic records, most of the Evidence Acts contain electronic record provisions, which state that an electronic record is admissible as evidence on proof of the “integrity of the electronic record system in which the data was recorded or stored.”36 This is the “system integrity” test for the admissibility of electronic records. The word “integrity” has yet to be defined by the courts.37
However, by way of sections such as the following, the electronic record provisions of the Evidence Acts make reference to the use of standards such as the National Standards of Canada:
For the purpose of determining under any rule of law whether an electronic record is admissible, evidence may be presented in respect of any standard, procedure, usage or practice on how electronic records are to be recorded or stored, having regard to the type of business or endeavor that used, recorded, or stored the electronic record and the nature and purpose of the electronic record.38
U.K. and European Standards
In the United Kingdom, The National Archives (TNA) (formerly the Public Record Office, or PRO) “has published two sets of functional requirements to promote the development of the electronic records management software market (1999 and 2002).” It ran a program to evaluate products against the 2002 requirements.39 Initially these requirements were established in collaboration with the central government, and they later were utilized by the public sector in general, and also in other nations. The National Archives 2002 requirements remain somewhat relevant, although no additional development has been underway for years. It is clear that the second version of Model Requirements for Management of Electronic Records, MoReq2, largely supplanted the UK standard, and subsequently the newer MoReq2010 may further supplant the UK standard.
MoReq2010 “unbundles” some of the core requirements in MoReq2, and sets out functional requirements in modules. The approach seeks to permit the later creation of e-records software standards in various vertical industries such as defense, health care, financial services, and legal services.
MoReq2010 is available free—all 525 pages of it (by comparison, the U.S. DoD 5015.2 standard is less than 120 pages long). For more information on MoReq2010, visit www.moreq2010.eu. The entire specification may be downloaded at: http://moreq2010.eu/pdf/moreq2010_vol1_v1_1_en.
MoReq2010
In November 2010, the DLM Forum, a European Commission–supported body, announced the availability of the final draft of the MoReq2010 specification for electronic records management systems (ERMS), following extensive public consultation. The final specification was published in mid-2011.40
The DLM Forum explains that “With the growing demand for [electronic] records management, across a broad spectrum of commercial, not-for-profit, and government organizations, MoReq2010 provides the first practical specification against which all organizations can take control of their corporate information. IT software and services vendors are also able to have their products tested and certified that they meet the MoReq2010 specification.”41
MoReq2010 supersedes its predecessor MoReq2 and has the continued support and backing of the European Commission.
Australian ERM and Records Management Standards
Australia has adopted all three parts of ISO 16175 as its e-records management standard.42 (For more detail on this standard go to ISO.org.)
Australia has long led the introduction of highly automated electronic document management systems and records management standards. Following the approval and release of the AS 4390 standard in 1996, the international records management community began work on the development of an international standard. This work used AS 4390–1996 Records Management as its starting point.
Development of Australian Records Standards
In 2002 Standards Australia published a new Australian Standard on records management, AS ISO 15489, based on the ISO 15489 international records management standard. It differs only in its preface verbiage.43 AS ISO 15489 carries through all these main components of AS 4390, but internationalizes the concepts and brings them up to date. The standards thereby codify Australian best practice but are also progressive in their recommendations.
Additional Relevant Australian Standards
The Australian Government Recordkeeping Metadata Standard Version 2.0 provides guidance on metadata elements and subelements for records management. It is a baseline tool that “describes information about records and the context in which they are captured and used in Australian Government agencies.” This standard is intended to help Australian agencies “meet business, accountability and archival requirements in a systematic and consistent way by maintaining reliable, meaningful and accessible records.” The standard is written in two parts, the first describing its purpose and features and the second outlining the specific metadata elements and subelements.44
The Australian Government Locator Service, AGLS, is published as AS 5044–2010, the metadata standard to help find and exchange information online. It updates the 2002 version, and includes changes made by the Dublin Core Metadata Initiative (DCMI).
Another standard, AS 5090:2003, “Work Process Analysis for Recordkeeping,” complements AS ISO 15489 and provides guidance on understanding business processes and workflow so that recordkeeping requirements may be determined.45
Long-Term Digital Preservation
Although many organizations shuffle dealing with digital preservation issues to the back burner, long-term digital preservation (LTDP) is a key area in which IG policy should be applied. LTDP methods, best practices, and standards should be applied to preserve an organization’s historical and vital records (those without which it cannot operate or restart operations) and to maintain its corporate or organizational memory. The key standards that apply to LTDP are listed next.
The official standard format for preserving electronic documents is PDF/A-1, based on PDF 1.4 originally developed by Adobe. ISO 19005–1:2005, “Document Management—Electronic Document File Format for Long-Term Preservation—Part 1: Use of PDF 1.4 (PDF/A-1),” is the published specification for using PDF 1.4 for LTDP, which is applicable to e-documents that may contain not only text characters but also graphics (either raster or vector).46
ISO 14721:2012, “Space Data and Information Transfer Systems—Open Archival Information Systems—Reference Model (OAIS),” is applicable to LTDP.47 ISO 14721 “specifies a reference model for an open archival information system (OAIS). The purpose of ISO 14721 is to establish a system for archiving information, both digitalized and physical, with an organizational scheme composed of people who accept the responsibility to preserve information and make it available to a designated community.”48 The fragility of digital storage media combined with ongoing and sometimes rapid changes in computer software and hardware poses a fundamental challenge to ensuring access to trustworthy and reliable digital content over time. Eventually, every digital repository committed to long-term preservation of digital content must have a strategy to mitigate computer technology obsolescence. Toward this end, the Consultative Committee for Space Data Systems developed the OAIS reference model to support formal standards for the long-term preservation of space science data and information assets. OAIS was not designed as an implementation model.
OAIS is the lingua franca of digital preservation, as the international digital preservation community has embraced it as the framework for viable and technologically sustainable digital preservation repositories. An LTDP strategy that is OAIS compliant offers the best means available today for preserving the digital heritage of all organizations, private and public. (See Chapter 17.)
ISO TR 18492 (2005), “Long-Term Preservation of Electronic Document Based Information,” provides practical methodological guidance for the long-term preservation and retrieval of authentic electronic document-based information, when the retention period exceeds the expected life of the technology (hardware and software) used to create and maintain the information assets. ISO 18492 takes note of the role of ISO 15489 but does not cover processes for the capture, classification, and disposition of authentic electronic document-based information.
ISO 16363:2012, “Space Data and Information Transfer Systems—Audit and Certification of Trustworthy Digital Repositories,” “defines a recommended practice for assessing the trustworthiness of digital repositories. It is applicable to the entire range of digital repositories.”49 It is an audit and certification standard organized into three broad categories: Organization Infrastructure, Digital Object Management, and Technical Infrastructure and Security Risk Management. ISO 16363 represents the gold standard of audit and certification for trustworthy digital repositories. (See Chapter 17.)
Business Continuity Management
ISO 22301:2012, “Societal Security—Business Continuity Management Systems—Requirements,” spells out the requirements for creating and implementing a standardized approach to business continuity management (BCM, also known as disaster recovery [DR]), in the event an organization is hit with a disaster or major business interruption.50 The guidelines can be applied to any organization regardless of vertical industry or size. The specification includes the “requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.”
The UK business continuity standard, BS25999-2, which heavily influenced the newer ISO standard, was withdrawn when ISO 22301 was released.51 The business rationale is that, with the increasing globalization of business, ISO 22301 will allow and support more consistency worldwide not only in business continuity planning and practices but also will promote common terms and help to embed various ISO management systems standards within organizations. U.S.-based ANSI, Standards Australia, Standards Singapore, and other standards bodies also contributed to the development of ISO 22301.
Benefits of ISO 22301
■ Threat identification and assessment. Discover, name, and evaluate potential serious threats to the viability of the business.
■ Threat and recovery planning. Plan so that the impact, resultant downtime, and recovery from real threats that do become incidents are minimized.
■ Mission-critical process protection. Identifying key processes and taking steps to ensure they continue to operate even during a business interruption.
■ Stakeholder confidence. Shows prudent management planning and business resilience to internal and external stakeholders, including employees, business units, customers, and suppliers.52
Making Your Best Practices and Standards Selections to Inform Your IG Framework
You must take into account your organization’s corporate culture, management style, and organizational goals when determining which best practices and standards should receive priority in your IG framework. However, you must step through your business rationale in discussions with your cross-functional IG team and fully document the reasons for your approach. Then you must present this approach and your draft IG framework to your key stakeholders and be able to defend your determinations while allowing for input and adjustments. Perhaps you have overlooked some key factors that your larger stakeholder group uncovers, and their input should be folded into a final draft of your IG framework.
Next, you are ready to begin developing IG policies that apply to various aspects of information use and management, in specific terms. You must detail the policies you expect employees to follow when handling information on various information delivery platforms (e.g., e-mail, blogs, social media, mobile computing, cloud computing). It is helpful at this stage to collect and review all your current policies that apply and to gather some examples of published IG policies, particularly from peer organizations and competitors (where possible). Of note: You should not just adopt another organization’s policies and believe that you are done with policy making. Rather, you must enter into a deliberative process, using your IG framework for guiding principles and considering the views and needs of your cross-functional IG team. Of paramount importance is to be sure to incorporate the alignment of your organizational goals and business objectives when crafting policy.
With each policy area, be sure that you have considered the input of your stakeholders, so that they will be more willing to buy into and comply with the new policies and so that the policies do not run counter to their business needs and required business processes. Otherwise, stakeholders will skirt, avoid, or halfheartedly follow the new IG policies, and the IG program risks failure.
Once you have finalized your policies, be sure to obtain necessary approvals from your executive sponsor and key senior managers.
Roles and Responsibilities
Policies will do nothing without people to advocate, support, and enforce them. So clear lines of authority and accountability must be drawn, and responsibilities must be assigned.
Overall IG program responsibility resides at the executive sponsor level, but beneath that, an IG program manager should drive team members toward milestones and business objectives and should shoulder the responsibility for day-to-day program activities, including implementing and monitoring key IG policy tasks. These tasks should be approved by executive stakeholders and assigned as appropriate to an employee’s functional area of expertise. For instance, the IG team member from legal may be assigned the responsibility for researching and determining legal requirements for retention of business records, perhaps working in conjunction with the IG team member from RM, who can provide additional input based on interviews with representatives from business units and additional RM research into best practices.
Program Communications and Training
Your IG program must contain a communications and training component, as a standard function. Your stakeholder audience must be made aware of the new policies and practices that are to be followed and how this new approach contributes toward the organization’s goals and business objectives.
The first step in your communications plan is to identify and segment your stakeholder audiences and to customize or modify your message to the degree that is necessary to be effective. Communications to your IT team can have a more technical slant, and communications to your legal team can have some legal jargon and emphasize legal issues. The more forethought you put into crafting your communications strategy, the more effective it will be.
That is not to say that all messages must have several versions: Some core concepts and goals should be emphasized in communications to all employees.
How should you communicate? The more ways you can get your IG message to your core stakeholder audiences, the more effective and lasting the message will be. So posters, newsletters, e-mail, text messages, internal blog or intranet posts, and company meetings should all be a part of the communications mix. Remember, the IG program requires not only training but retraining, and the aim should be to create a compliance culture that is so prominent and expected that employees adopt the new practices and policies and integrate them into their daily activities. Ideally, employees will provide valuable input to help fine-tune and improve the IG program.
Training should take multiple avenues as well. Some can be classroom instruction, some online learning, and you may want to create a series of training videos. But the training effort must be consistent and ongoing to maintain high levels of IG effectiveness. Certainly, this means you will need to add to your new hire training program for employees joining or transferring to your organization.
Program Controls, Monitoring, Auditing, and Enforcement
How do you know how well you are doing? You will need to develop metrics to determine the level of employee compliance, its impact on key operational areas, and progress made toward established business objectives.
Testing and auditing the program provides an opportunity to give feedback to employees on how well they are doing and to recommend changes they may make. But having objective feedback on key metrics also will allow for your executive sponsor to see where progress has been made and where improvements need to focus.
CHAPTER SUMMARY: KEY POINTS
■ You must inform and frame IG policy with internal and external frameworks,
models, best practices, and standards
■ The business user is the primary stakeholder of managed information.
■ Information management is important at all stages of the life cycle.
■ Legal stakeholders usually can mandate the preservation of what is most criti-
cal, though often at great cost.
■ The IGRM was developed by the EDRM Project to foster communication
among stakeholders and adoption of IG. It complements ARMA’s The
Principles.
■ ISO 31000 is a broad risk management standard that applies to all types of
businesses.
■ ISO/IEC 27001 and ISO/IEC 27002 are ISMS standards that provide guidance
in the development of security controls.
■ ISO 15489 is the international RM standard.
■ The ICA-Req standard was adopted as ISO 16175. It does not contain a test-
ing regime for certifi cation.
■ The ISO 30300 series of e-records standards are written for a managerial au-
dience and encourage ERM that is aligned to organizational objectives.
■ DoD 5015.2 is the U.S. ERM standard; the European ERM standard is
MoReq2010. Australia has adopted all three parts of ISO 16175 as its
e-records management standard.
■ LTDP is a key area to which IG policy should be applied.
■ An LTDP strategy that is OAIS compliant (based on ISO 14721) offers the best
means available today for preserving the digital heritage of all organizations.
■ ISO 16363 represents the gold standard of audit and certifi cation for trust-
worthy digital repositories.
■ ISO 38500 is an international standard that provides high-level principles and
guidance for senior executives and directors responsible for IT governance.
■ ISO 22301 spells out requirements for creating and implementing a
standardized approach to business continuity management.
Clear penalties for policy violations must be communicated to employees so they
know the seriousness of the IG program and how important it is in helping the orga-
nization pursue its business goals and accomplish stated business objectives.
INFORMATION GOVERNANCE POLICY DEVELOPMENT 91
Notes
1. ARMA International, “Generally Accepted Recordkeeping Principles,” www.arma.org/r2/generally-accepted-br-recordkeeping-principles/copyright (accessed November 25, 2013).
2. ARMA International, “Information Governance Maturity Model,” www.arma.org/r2/generally-accepted-br-recordkeeping-principles/metrics (accessed November 25, 2013).
3. Electronic Discovery, “IGRM v3.0 Update: Privacy & Security Officers As Stakeholders – Electronic Discovery,” http://electronicdiscovery.info/igrm-v3-0-update-privacy-security-officers-as-stakeholders-electronic-discovery/ (accessed April 24, 2013).
4. EDRM, “Information Governance Reference Model (IGRM),” www.edrm.net/projects/igrm (accessed October 9, 2013).
5. Ibid.
6. Ibid.
7. Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide), 4th ed. (Newtown Square, PA: Project Management Institute, 2008), ANSI/PMI 99-001-2008, pp. 273–312.
8. Kate Cumming, “Metadata Matters,” in Julie McLeod and Catherine Hare, eds., Managing Electronic Records, p. 34 (London: Facet, 2005).
9. Marc Fresko, e-mail to author, May 13, 2012.
10. Hofman, “The Use of Standards and Models,” in Julie McLeod and Catherine Hare, eds., Managing Electronic Records (London: Facet, 2005), pp. 20–21.
11. Ibid.
12. International Organization for Standardization, “ISO 31000:2009 Risk Management—Principles and Guidelines,” www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=43170 (accessed April 22, 2013).
13. Ibid.
14. International Organization for Standardization, ISO/IEC 27001:2005, “Information Technology—Security Techniques—Information Security Management Systems—Requirements,” www.iso.org/iso/catalogue_detail?csnumber=42103 (accessed April 22, 2013).
15. International Organization for Standardization, ISO/IEC 27002:2005, “Information Technology—Security Techniques—Code of Practice for Information Security Management,” www.iso.org/iso/catalogue_detail?csnumber=50297 (accessed July 23, 2012).
16. International Organization for Standardization, ISO/IEC 38500:2008, www.iso.org/iso/catalogue_detail?csnumber=51639 (accessed March 12, 2013).
17. ISO 38500 IT Governance Standard, www.38500.org/ (accessed March 12, 2013).
18. International Organization for Standardization, ISO 15489-1:2001 Information and Documentation—Records Management. Part 1: General (Geneva: ISO, 2001), section 3.16.
CHAPTER SUMMARY: KEY POINTS (Continued)
■ You must take into account your organization’s corporate culture, management style, and organizational goals when determining which best practices and standards should be selected for your IG framework.
■ Lines of authority, accountability, and responsibility must be clearly drawn for the IG program to succeed.
■ Communications regarding your IG program should be consistent and clear and somewhat customized for various stakeholder groups.
■ IG program audits are an opportunity to improve training and compliance, not to punish employees.
19. National Archives of Australia, www.naa.gov.au/records-management/publications/DIRKS-manual.aspx (accessed October 15, 2012).
20. International Council on Archives, “ICA-Req: Principles and Functional Requirements for Records in Electronic Office Environments: Guidelines and Training Material,” November 29, 2011, www.ica.org/11696/activities-and-projects/icareq-principles-and-functional-requirements-for-records-in-electronic-office-environments-guidelines-and-training-material.html.
21. Council of Australasian Archives and Records Authorities, www.caara.org.au/ (accessed May 3, 2012).
22. Adrian Cunningham, blog post comment, May 11, 2011, http://thinkingrecords.co.uk/2011/05/06/how-moreq-2010-differs-from-previous-electronic-records-management-erm-system-specifications/.
23. Ibid.
24. “Relationship between the ISO 30300 Series of Standards and Other Products of ISO/TC 46/SC 11: Records Processes and Controls,” White Paper, ISO TC46/SC11 Archives/Records Management (March 2012), www.iso30300.es/wp-content/uploads/2012/03/ISOTC46SC11_White_paper_relationship_30300_technical_standards12032012v6.
25. Ibid.
26. Julie Gable, Information Management Journal, November 1, 2002, www.thefreelibrary.com/Everything-+you+wanted+to+know+about+DoD+5015.2:+the+standard+is+not+a…-a095630076.
27. These standards were developed by the CGSB (Canadian General Standards Board), which is a standards-writing agency within Public Works and Government Services Canada (a department of the federal government). It is accredited by the Standards Council of Canada as a standards development agency. The Council must certify that standards have been developed by the required procedures before it will designate them as being National Standards of Canada. 72.34 incorporates by reference as “normative references”: (1) many of the standards of the International Organization for Standardization (ISO) in Geneva, Switzerland (“ISO,” derived from the Greek word isos (equal) so as to provide a common acronym for all languages); and (2) several of the standards of the Canadian Standards Association (CSA). The “Normative references” section of 72.34 (p. 2) states that these “referenced documents are indispensable for the application of this document.” 72.11 cites (p. 2, “Applicable Publications”) several standards of the American National Standards Institute/Association for Information and Image Management (ANSI/AIIM) as publications “applicable to this standard.” The process by which the National Standards of Canada are created and maintained is described within the standards themselves (reverse side of the front cover), and on the CGSB’s Web site (see “Standards Development”), from which Web site these standards may be obtained; http://www.ongc-cgsb.gc.ca.
28. The Canada Revenue Agency (CRA) informs the public of its policies and procedures by means, among others, of its Information Circulars (ICs) and GST/HST Memoranda. (GST: goods and services tax; HST: harmonized sales tax, i.e., the harmonization of federal and provincial sales taxes into one retail sales tax.) In particular, see: IC05-1, dated June 2010, entitled Electronic Record Keeping, paragraphs 24, 26 and 28. Note that use of the National Standard cited in paragraph 26, Microfilm and Electronic Images as Documentary Evidence CAN/CGSB-72.11-93, is mandatory for “Imaging and microfilm (including microfiche) reproductions of books of original entry and source documents . . .” Paragraph 24 recommends the use of the newer national standard, Electronic Records as Documentary Evidence CAN/CGSB-72.34-2005, “To ensure the reliability, integrity and authenticity of electronic records.” However, if this newer standard is given the same treatment by CRA as the older standard, it will be made mandatory as well. And similar statements appear in the GST Memoranda, Computerized Records 500-1-2, Books and Records 500-1. IC05-1, Electronic Record Keeping, concludes with the note, “Most Canada Revenue Agency publications are available on the CRA Web site www.cra.gc.ca under the heading ‘Forms and Publications.’”
29. There are more than 200 specific compliance tests that can be applied to determine if the principles of 72.34 are being complied with. The analysts—a combined team of records management and legal expertise—analyze: (1) the nature of the business involved; (2) the uses and value of its records for its various functions; (3) the likelihood and risk of the various types of its records being the subject of legal proceedings, or of their being challenged by some regulating authority; and (4) the consequences of the unavailability of acceptable records—for example, the consequences of its records not being accepted in legal proceedings. Similarly, in regard to the older National Standard of Canada, 72.11, there is a comparable series of more than 50 tests that can be applied to determine the state of compliance with its principles.
30. Electronic Records as Documentary Evidence CAN/CGSB-72.34-2005 (“72.34”), clause 5.4.3 c) at p. 17; and Microfilm and Electronic Images as Documentary Evidence CAN/CGSB-72.11-93 (“72.11”), paragraph 4.1.2 at p. 2, supra note 49.
31. 72.34, Clause 5.4.3, ibid.
32. “Admissibility” refers to the procedure by which a presiding judge determines if a record or other proffered evidence is acceptable as evidence according to the rules of evidence. “Electronic discovery”
is the compulsory exchange of relevant records by the parties to legal proceedings prior to trial. As to the admissibility of records as evidence see: Ken Chasse, “The Admissibility of Electronic Business Records” (2010), 8 Canadian Journal of Law and Technology 105; and Ken Chasse, “Electronic Records for Evidence and Disclosure and Discovery” (2011) 57 The Criminal Law Quarterly 284. For the electronic discovery of records see: Ken Chasse, “Electronic Discovery—Sedona Canada is Inadequate on Records Management—Here’s Sedona Canada in Amended Form,” Canadian Journal of Law and Technology 9 (2011): 135; and Ken Chasse, “Electronic Discovery in the Criminal Court System,” Canadian Criminal Law Review 14 (2010): 111. See also note 18 infra, and accompanying text.
33. For the province of Quebec, comparable provisions are contained in Articles 2831-2842, 2859-2862, 2869-2874 of Book 7 “Evidence” of the Civil Code of Quebec, S.Q. 1991, c. C-64, to be read in conjunction with An Act to Establish a Legal Framework for Information Technology, R.S.Q. 2001, c. C-1.1, ss. 2, 5-8, and 68.
34. For the legislative jurisdiction of the federal and provincial governments in Canada, see The Constitution Act, 1867 (U.K.) 30 & 31 Victoria, c. 3, s. 91 (federal), and s. 92 (provincial), www.canlii.org/en/ca/laws/stat/30—31-vict-c-3/latest/30—31-vict-c-3.html.
35. The two provinces of Alberta and Newfoundland and Labrador do not have business record provisions in their Evidence Acts. Therefore “admissibility” would be determined in those jurisdictions by way of the court decisions that define the applicable common law rules; such decisions as Ares v. Venner [1970] S.C.R. 608, 14 D.L.R. (3d) 4 (S.C.C.), and decisions that have applied it.
36. See for example, the Canada Evidence Act, R.S.C. 1985, c. C-5, ss. 31.1-31.8; Alberta Evidence Act, R.S.A. 2000, c. A-18, ss. 41.1-41.8; (Ontario) Evidence Act, R.S.O. 1990, c. E.23, s. 34.1; and the (Nova Scotia) Evidence Act, R.S.N.S. 1989, c. 154, ss. 23A-23G. The Evidence Acts of the two provinces of British Columbia and Newfoundland and Labrador do not contain electronic record provisions. However, because an electronic record is no better than the quality of the record system in which it is recorded or stored, its “integrity” (reliability, credibility) will have to be determined under the other provincial laws that determine the admissibility of records as evidence.
37. The electronic record provisions have been in the Evidence Acts in Canada since 2000. They have been applied to admit electronic records into evidence, but they have not yet received any detailed analysis by the courts.
38. This is the wording used in, for example, s. 41.6 of the Alberta Evidence Act, s. 34.1(8) of the (Ontario) Evidence Act; and s. 23F of the (Nova Scotia) Evidence Act, supra note 10. Section 31.5 of the Canada Evidence Act, supra note 58, uses the same wording, the only significant difference being that the word “document” is used instead of “record.” For the province of Quebec, see sections 12 and 68 of An Act to Establish a Legal Framework for Information Technology, R.S.Q., chapter C-1.1.
39. “Giving Value: Funding Priorities for UK Archives 2005–2010, a key new report launched by the National Council on Archives (NCA) in November 2005,” www.nationalarchives.gov.uk/documents/standards_guidance (accessed October 15, 2012).
40. DLM Forum Foundation, MoReq2010®: Modular Requirements for Records Systems—Volume 1: Core Services & Plug-in Modules, 2011, http://moreq2010.eu/ (accessed May 7, 2012), published in paper form as ISBN 978-92-79-18519-9 by the Publications Office of the European Communities, Luxembourg.
41. DLM Forum, Information Governance across Europe, www.dlmforum.eu/ (accessed December 14, 2010).
42. National Archives of Australia, “Australian and International Standards,” 2012, www.naa.gov.au/records-management/strategic-information/standards/ASISOstandards.aspx (accessed July 16, 2012).
43. E-mail to author from Marc Fresko, May 13, 2012.
44. National Archives of Australia, “Australian Government Recordkeeping Metadata Standard,” 2012, www.naa.gov.au/records-management/publications/agrk-metadata-standard.aspx (accessed July 16, 2012).
45. National Archives of Australia, “Australian and International Standards,” 2012, www.naa.gov.au/records-management/strategic-information/standards/ASISOstandards.aspx (accessed July 16, 2012).
46. International Organization for Standardization, ISO 19005-1:2005, “Document Management—Electronic Document File Format for Long-Term Preservation—Part 1: Use of PDF 1.4 (PDF/A-1),” www.iso.org/iso/catalogue_detail?csnumber=38920 (accessed July 23, 2012).
47. International Organization for Standardization, ISO 14721:2012, “Space Data and Information Transfer Systems—Open Archival Information System—Reference Model,” www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=57284 (accessed November 25, 2013).
48. Ibid.
49. International Organization for Standardization, ISO 16363:2012, “Space Data and Information Transfer Systems—Audit and Certification of Trustworthy Digital Repositories,” www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=56510 (accessed July 23, 2012).
50. International Organization for Standardization, ISO 22301:2012, “Societal Security—Business Continuity Management Systems—Requirements,” www.iso.org/iso/catalogue_detail?csnumber=50038 (accessed April 21, 2013).
51. International Organization for Standardization, “ISO Business Continuity Standard 22301 to Replace BS 25999-2,” www.continuityforum.org/content/news/165318/iso-business-continuity-standard-22301-replace-bs-25999-2 (accessed April 21, 2013).
52. BSI, “ISO 22301 Business Continuity Management,” www.bsigroup.com/en-GB/iso-22301-business-continuity (accessed April 21, 2013).
PART THREE
Information Governance Key Impact Areas Based on the IG Reference Model

CHAPTER 7
Business Considerations for a Successful IG Program
By Barclay T. Blair

The business case for information governance (IG) programs has historically been difficult to justify. It is hard to apply a strict, short-term return on investment (ROI) calculation. A lot of time, effort, and expense is involved before true economic benefits can be realized. So a commitment to the long view and an understanding of the many areas where an organization will improve as a result of a successful IG program are needed. But the bottom line is that reducing exposure to business risk, improving the quality and security of data and e-documents, cutting out unneeded stored information, and streamlining information technology (IT) development while focusing on business results add up to better organizational health and viability and, ultimately, an improved bottom line.
Let us take a step back and examine the major issues affecting information costing and calculating the real cost of holding information, consider Big Data and e-discovery ramifications, and introduce some new concepts that may help frame information costing issues differently for business managers. Getting a good handle on the true cost of information is essential to governing it properly, shifting resources to higher-value information, and discarding information that has no discernible business value and carries inherent, avoidable risks.
Changing Information Environment
The information environment is changing. Data volumes are growing, but unstructured information (such as e-mail, word processing documents, social media posts) is growing faster than our ability to manage it. Some unstructured information has more structure than others, containing some identifiable metadata (e.g., e-mail messages all have a header, subject line, time/date stamp, and message body). This is often termed semistructured information, but for purposes of this book, we use the term “unstructured information” to include semistructured information as well.
The volume of unstructured information is growing dramatically. Analysts estimate that, over the next decade, the amount of data worldwide will grow by 44 times (from .8 zettabytes to 35 zettabytes: 1 zettabyte = 1 trillion gigabytes). 1 However, the volume of unstructured information will actually grow 50 percent faster than structured data. Analysts also estimate that fully 90 percent of unstructured information will require formal governance and management by 2020. In other words, the problem of unstructured IG is growing faster than the problem of data volume itself.
What makes unstructured information so challenging? There are several factors, including
■ Horizontal versus vertical. Unstructured information is typically not clearly attached to a department or a business function. Unlike the vertical focus of an enterprise resource planning (ERP) database, for example, an e-mail system serves multiple business functions—from employee communication to filing with regulators—for all parts of the business. Unstructured information is much more horizontal, making it difficult to develop and apply business rules.
■ Formality. The tools and applications used to create unstructured information often engender informality and the sharing of opinions that can be problematic in litigation, investigations, and audits—as has been repeatedly demonstrated in front-page stories over the past decade. This problem is not likely to get any easier as social media technologies and mobile devices become more common in the enterprise.
■ Management location. Unstructured information does not have a single, obvious home. Although e-mail systems rely on central messaging servers, e-mail is just as likely to be found on a file share, mobile device, or laptop hard drive. This makes the application of management rules more difficult than the application of the same rules in structured systems, where there is a close marriage between the application and the database.
■ “Ownership” issues. Employees do not think that they “own” data in an accounts receivable system like they “own” their e-mail or documents stored on their hard drive. Although such information generally has a single owner (i.e., the organization itself), this non-ownership mind-set can make the imposition of management rules for unstructured information more challenging than for structured data.
■ Classification. The business purpose of a database is generally determined prior to its design. Unlike structured information, the business purpose of unstructured information is difficult to infer from the application that created or stores the information. A word processing file stored in a collaboration environment could be a multimillion-dollar contract or a lunch menu. As such, classification of unstructured content is more complex and expensive than structured information.
Taken together, these factors reveal a simple truth: Managing unstructured information is a separate and distinct discipline from managing databases. It requires different methods and tools. Moreover, determining the costs and benefits of owning and managing unstructured information is a unique—but critical—challenge.
The governance of unstructured information creates enormous complexity and risk for business managers to consider while making it difficult for organizations to generate real value from all this information. Despite the looming crisis, most organizations have limited ability to quantify the real cost of owning and managing unstructured information. Determining the total cost of owning unstructured information is an essential precursor to managing and monetizing that information while cutting information costs—key steps in driving profit for the enterprise.
Storing things is cheap . . . I’ve tended to take the attitude, “Don’t throw electronic things away.”
—Data scientist quoted in Anne Eisenberg, “What 23 Years of E-Mail May Say About You,” New York Times, April 7, 2012
The company spent $900,000 to produce an amount of data