The essential guide to effective IG strategy and practice
Information Governance is a highly practical and deeply informative handbook for implementing effective Information Governance (IG) procedures and strategies. A critical facet of any mid- to large-sized company, this “super-discipline” has expanded to cover the management and output of information across the entire organization; from email, social media, and cloud computing to electronic records and documents, the IG umbrella now covers nearly every aspect of your business. As more and more everyday business is conducted electronically, the need for robust internal management and compliance grows accordingly. This book offers big-picture guidance on effective IG, with particular emphasis on document and records management best practices.
Step-by-step strategy development guidance is backed by expert insight and crucial advice from a leading authority in the field. This new second edition has been updated to align with the latest practices and regulations, providing an up-to-date understanding of critical IG concepts and practices.
- Explore the many controls and strategies under the IG umbrella
- Understand why a dedicated IG function is needed in today’s organizations
- Adopt accepted best practices that manage risk in the use of electronic documents and data
- Learn how IG and IT technologies are used to control, monitor, and enforce information access and security policy
IG strategy must cover legal demands and external regulatory requirements as well as internal governance objectives; integrating such a broad spectrum of demands into workable policy requires a deep understanding of key concepts and technologies, as well as a clear familiarity with the most current iterations of various requirements. Information Governance distills the best of IG into a primer for effective action.
Table of Contents
Preface xvii
Acknowledgments xix
Part One - Information Governance Concepts, Definitions, and Principles 1
Chapter 1 The Information Governance Imperative 3
Early Development of IG 4
Big Data Impact 5
Defining Information Governance 7
IG is Not a Project, But an Ongoing Program 9
Why IG is Good Business 9
Failures in Information Governance 11
Form IG Policies, Then Apply Technology for Enforcement 14
Chapter 2 Information Governance, IT Governance, Data Governance: What’s the Difference? 19
Data Governance 19
Data Governance Strategy Tips 20
IT Governance 21
IT Governance Frameworks 22
Information Governance 25
Impact of a Successful IG Program 25
Summing Up the Differences 26
Chapter 3 Information Governance Principles 29
The Sedona Conference® Commentary on Information Governance 29
Smallwood IG Principles 30
Accountability is Key 34
Generally Accepted Recordkeeping Principles® 35
Contributed by Charmaine Brooks
Assessment and Improvement Roadmap 42
Information Security Principles 45
Privacy Principles 45
Who Should Determine IG Policies? 48
Part Two - Information Governance Risk Assessment and Strategic Planning 53
Chapter 4 Information Asset Risk Planning and Management 55
The Information Risk Planning Process 56
Create a Risk Profile 59
Information Risk Planning and Management Summary 65
Chapter 5 Strategic Planning and Best Practices for Information Governance 69
Crucial Executive Sponsor Role 70
Evolving Role of the Executive Sponsor 71
Building Your IG Team 72
Assigning IG Team Roles and Responsibilities 72
Align Your IG Plan with Organizational Strategic Plans 73
Survey and Evaluate External Factors 75
Formulating the IG Strategic Plan 81
Chapter 6 Information Governance Policy Development 87
The Sedona Conference IG Principles 87
A Brief Review of Generally Accepted Recordkeeping Principles® 88
IG Reference Model 88
Best Practices Considerations 91
Standards Considerations 92
Benefits and Risks of Standards 93
Key Standards Relevant to IG Efforts 93
Major National and Regional ERM Standards 98
Making Your Best Practices and Standards Selections to Inform Your IG Framework 105
Roles and Responsibilities 105
Program Communications and Training 106
Program Controls, Monitoring, Auditing, and Enforcement 107
Part Three - Information Governance Key Impact Areas 113
Chapter 7 Information Governance for Business Units 115
Start with Business Objective Alignment 115
Which Business Units are the Best Candidates to Pilot an IG Program? 117
What is Infonomics? 117
How to Begin an IG Program 118
Business Considerations for an IG Program 119
By Barclay T. Blair
Changing Information Environment 119
Calculating Information Costs 121
Big Data Opportunities and Challenges 122
Full Cost Accounting for Information 123
Calculating the Cost of Owning Unstructured Information 124
The Path to Information Value 127
Challenging the Culture 129
New Information Models 129
Future State: What Will the IG-Enabled Organization Look Like? 130
Moving Forward 132
Chapter 8 Information Governance and Legal Functions 135
Robert Smallwood with Randy Kahn, Esq., and Barry Murphy
Introduction to E-Discovery: The Revised 2006 and 2015 Federal Rules of Civil Procedure Changed Everything 135
Big Data Impact 137
More Details on the Revised FRCP Rules 138
Landmark E-Discovery Case: Zubulake v. UBS Warburg 139
E-Discovery Techniques 140
E-Discovery Reference Model 140
The Intersection of IG and E-Discovery 143
By Barry Murphy
Building on Legal Hold Programs to Launch Defensible Disposition 146
By Barry Murphy
Destructive Retention of E-Mail 147
Newer Technologies That Can Assist in E-Discovery 147
Defensible Disposal: The Only Real Way to Manage Terabytes and Petabytes 151
By Randy Kahn, Esq.
Chapter 9 Information Governance and Records and Information Management Functions 161
Records Management Business Rationale 163
Why is Records Management So Challenging? 165
Benefits of Electronic Records Management 166
Additional Intangible Benefits 167
Inventorying E-Records 168
RM Intersection with Data Privacy Management 169
By Teresa Schoch
Generally Accepted Recordkeeping Principles® 171
E-Records Inventory Challenges 172
Records Inventory Purposes 172
Records Inventorying Steps 173
Appraising the Value of Records 184
Ensuring Adoption and Compliance of RM Policy 184
Sample Information Asset Survey Questions 190
General Principles of Retention Scheduling 191
Developing a Records Retention Schedule 192
Why are Retention Schedules Needed? 193
What Records Do You Have to Schedule? Inventory and Classification 195
Rationale for Records Groupings 196
Records Series Identification and Classification 197
Retention of E-Mail Records 197
How Long Should You Keep Old E-Mails? 199
Destructive Retention of E-Mail 199
Legal Requirements and Compliance Research 200
Event-Based Retention Scheduling for Disposition of E-Records 201
Prerequisites for Event-Based Disposition 202
Final Disposition and Closure Criteria 203
Retaining Transitory Records 204
Implementation of the Retention Schedule and Disposal of Records 204
Ongoing Maintenance of the Retention Schedule 205
Audit to Manage Compliance with the Retention Schedule 206
Chapter 10 Information Governance and Information Technology Functions 211
Data Governance 213
Steps to Governing Data Effectively 214
Data Governance Framework 215
Information Management 216
IT Governance 220
IG Best Practices for Database Security and Compliance 223
Tying It All Together 225
Chapter 11 Information Governance and Privacy and Security Functions 229
Information Privacy 229
By Andrew Ysasi
Generally Accepted Privacy Principles 231
Fair Information Practices (FIPS) 232
OECD Privacy Principles 233
Madrid Resolution 2009 234
EU General Data Protection Regulation 235
GDPR: A Look at Its First Year 237
By Mark Driskill
Privacy Programs 239
Privacy in the United States 240
Privacy Laws 244
Cybersecurity 245
Cyberattacks Proliferate 246
Insider Threat: Malicious or Not 247
Information Security Assessments and Awareness Training 248
By Baird Brueseke
Cybersecurity Considerations and Approaches 253
By Robert Smallwood
Defense in Depth 254
Controlling Access Using Identity Access Management 254
Enforcing IG: Protect Files with Rules and Permissions 255
Challenge of Securing Confidential E-Documents 256
Apply Better Technology for Better Enforcement in the Extended Enterprise 257
E-Mail Encryption 259
Secure Communications Using Record-Free E-Mail 260
Digital Signatures 261
Document Encryption 262
Data Loss Prevention (DLP) Technology 262
Missing Piece: Information Rights Management (IRM) 265
Embedded Protection 268
Hybrid Approach: Combining DLP and IRM Technologies 270
Securing Trade Secrets After Layoffs and Terminations 270
Persistently Protecting Blueprints and CAD Documents 271
Securing Internal Price Lists 272
Approaches for Securing Data Once It Leaves the Organization 272
Document Labeling 274
Document Analytics 275
Confidential Stream Messaging 275
Part Four - Information Governance for Delivery Platforms 283
Chapter 12 Information Governance for E-Mail and Instant Messaging 285
Employees Regularly Expose Organizations to E-Mail Risk 286
E-Mail Policies Should Be Realistic and Technology Agnostic 287
E-Record Retention: Fundamentally a Legal Issue 287
Preserve E-Mail Integrity and Admissibility with Automatic Archiving 288
Instant Messaging 291
Best Practices for Business IM Use 292
Technology to Monitor IM 293
Tips for Safer IM 294
Team and Channel Messaging Solutions Emerge 294
Chapter 13 Information Governance for Social Media 299
Dr. Patricia Franks and Robert Smallwood
Types of Social Media in Web 2.0 299
Additional Social Media Categories 303
Social Media in the Enterprise 304
Key Ways Social Media is Different from E-Mail and Instant Messaging 305
Biggest Risks of Social Media 306
Legal Risks of Social Media Posts 307
Tools to Archive Social Media 309
IG Considerations for Social Media 311
Key Social Media Policy Guidelines 312
Records Management and Litigation Considerations for Social Media 313
Emerging Best Practices for Managing Social Media Records 315
Chapter 14 Information Governance for Mobile Devices 319
Current Trends in Mobile Computing 322
Security Risks of Mobile Computing 323
Securing Mobile Data 324
Mobile Device Management (MDM) 324
IG for Mobile Computing 325
Building Security into Mobile Applications 326
Best Practices to Secure Mobile Applications 330
Developing Mobile Device Policies 330
Chapter 15 Information Governance for Cloud Computing 335
Monica Crocker and Robert Smallwood
Defining Cloud Computing 336
Key Characteristics of Cloud Computing 337
What Cloud Computing Really Means 338
Cloud Deployment Models 339
Benefits of the Cloud 340
Security Threats with Cloud Computing 341
Managing Documents and Records in the Cloud 351
IG Guidelines for Cloud Computing Solutions 351
IG for SharePoint and Office 365 352
By Robert Bogue
Chapter 16 Leveraging and Governing Emerging Technologies 357
Data Analytics 357
Descriptive Analytics 358
Diagnostic Analytics 358
Predictive Analytics 358
Prescriptive Analytics 359
Which Type of Analytics is Best? 359
Artificial Intelligence 363
The Role of Artificial Intelligence in IG 363
Blockchain: A New Approach with Clear Advantages 366
By Darra Hoffman
Breaking Down the Definition of Blockchain 366
The Internet of Things: IG Challenges 372
IoT as a System of Contracts 375
IoT Basic Risks and IG Issues 376
IoT E-Discovery Issues 377
Why IoT Trustworthiness is a Journey and Not a Project 380
By Bassam Zarkout
Governing the IoT Data 381
IoT Trustworthiness 382
Information Governance Versus IoT Trustworthiness 384
IoT Trustworthiness Journey 385
Conclusion 386
Part Five - Long-Term Program Issues 391
Chapter 17 Long-Term Digital Preservation 393
Charles M. Dollar and Lori J. Ashley
Defining Long-Term Digital Preservation 393
Key Factors in Long-Term Digital Preservation 394
Threats to Preserving Records 396
Digital Preservation Standards 397
PREMIS Preservation Metadata Standard 404
Recommended Open Standard Technology-Neutral Formats 405
Digital Preservation Requirements 409
Long-Term Digital Preservation Capability Maturity Model® 409
Scope of the Capability Maturity Model 412
Digital Preservation Capability Performance Metrics 416
Digital Preservation Strategies and Techniques 417
Evolving Marketplace 419
Looking Forward 420
Conclusion 421
Chapter 18 Maintaining an Information Governance Program and Culture of Compliance 425
Monitoring and Accountability 425
Change Management - Required 426
By Monica Crocker
Continuous Process Improvement 429
Why Continuous Improvement is Needed 430
Appendix A Information Organization and Classification: Taxonomies and Metadata 433
Barb Blackburn, CRM, with Robert Smallwood; edited by Seth Earley
Importance of Navigation and Classification 435
When is a New Taxonomy Needed? 435
Taxonomies Improve Search Results 436
Metadata and Taxonomy 437
Metadata Governance, Standards, and Strategies 438
Types of Metadata 440
Core Metadata Issues 441
International Metadata Standards and Guidance 442
Records Grouping Rationale 446
Business Classification Scheme, File Plans, and Taxonomy 446
Classification and Taxonomy 447
Prebuilt Versus Custom Taxonomies 448
Thesaurus Use in Taxonomies 449
Taxonomy Types 449
Business Process Analysis 453
Taxonomy Testing: A Necessary Step 457
Taxonomy Maintenance 457
Social Tagging and Folksonomies 458
Appendix B Laws and Major Regulations Related to Records Management 463
United States 463
Gramm-Leach-Bliley Act 463
Health Insurance Portability and Accountability Act of 1996 (HIPAA) 463
PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001) 464
Sarbanes-Oxley Act (SOX) 464
SEC Rule 17A-4 464
CFR Title 47, Part 42 - Telecommunications 464
CFR Title 21, Part 11 - Pharmaceuticals 464
US Federal Authority on Archives and Records: National Archives and Records Administration (NARA) 465
US Code of Federal Regulations 465
Canada 466
United Kingdom 468
Australia 469
Identifying Records Management Requirements in Other Legislation 471
Appendix C Laws and Major Regulations Related to Privacy 475
United States 475
European Union General Data Protection Regulation (GDPR) 476
Major Privacy Laws Worldwide, by Country 478
Glossary 481
About the Author 499
About the Major Contributors 501
Index 505