A Blueprint for IG Success
Information Governance (IG) is a nascent field that is still being defined, so definitions of IG vary and some are verbose. A practical definition our firm uses is that IG is:
“Policy-based control of information to maximize value and meet legal, regulatory, risk, and business demands.”
Or, in short, “security, control, and optimization of information.”
In accounting, there are clearly established Generally Accepted Accounting Principles (GAAP), and chartered accountants and CPAs in the U.S. and Canada have established the Generally Accepted Privacy Principles (GAPP). For records management, the Association of Records Managers and Administrators (ARMA International) has established the Generally Accepted Recordkeeping Principles. But there are no universally agreed upon principles established for IG.
In the course of conducting consulting engagements and research for the three books I have written on IG, these 10 IG principles bubbled to the top.
They are the result of synthesizing, analyzing, and distilling a great deal of information on IG program successes, failures, and best practices. These 10 principles are a good starting point toward someday establishing “Generally Accepted IG Principles.” I welcome comments and discussion that can help revise, sharpen, consolidate, expand, and improve them and so move the field of IG forward. Here are the 10 IG principles that must be addressed and adhered to for IG programs to succeed:
1) Executive sponsorship. No IG effort will survive and be successful if it does not have an accountable, responsible executive sponsor. The sponsor must drive the effort, clear obstacles for the IG team or steering committee, communicate the goals and business objectives that the IG program addresses, and keep upper management informed on progress.
2) Stakeholder consultation. Those who work most closely with information are the ones who best know why it is needed and how to manage it, so business units must be consulted in IG policy development. The IT department understands its capabilities and technology plans and can best speak to those points. Legal issues must always be deferred to in-house counsel or the legal team. The records management department knows records. Business unit managers and analysts know their respective operations. Cross-functional collaboration is needed for IG policies to hit the mark and be effective. The result is not only more secure information but also better information on which to base decisions and closer adherence to regulatory and legal demands.
3) Information policy development and communication. Clear policies must be established for the access and use of information, and those policies must be communicated regularly and crisply to employees. For instance, policies for the use of email, instant messaging, social media, cloud computing, mobile computing, and posting to blogs and internal sites must be developed in consultation with stakeholders and communicated clearly. This includes conveying clearly to employees what the consequences of violating IG policies are.
4) Information integrity. This area considers the consistency of the methods used to create, retain, preserve, distribute, and track information. Good IG practice includes data governance techniques and technologies that ensure quality data. Information integrity means there is assurance that information is accurate, correct, and authentic. IG efforts to improve data quality and information integrity include de-duplicating (removing redundant data) and maintaining only unique data, which reduces risk, storage costs, and information technology (IT) labor costs while providing accurate, trusted information for decision makers. Supporting technologies must enforce policies to meet legal standards of admissibility and preserve the integrity of information to guard against claims that it has been altered, tampered with, or deleted (called “spoliation”). Audit trails must be kept and monitored to ensure compliance with IG policies and to assure information integrity.
5) Information organization and classification. This means standardizing formats, categorizing all information, and semantically linking it to related information. It also means creating a retention and disposition schedule that spells out how long information (e.g. e-mail, e-documents, spreadsheets, reports) and records should be retained and how they are to be disposed of or archived. Information, and particularly documents, should be classified according to a global or corporate taxonomy that considers the business function and owner of the information and semantically links related information. Information must be standardized in form and format. Tools such as document labeling can assist in identifying and classifying e-documents. Metadata associated with documents and records must be standardized and kept up to date. Good IG means good metadata management and the use of metadata standards that are appropriate to the organization.
6) Information security and privacy. This means securing information in its three states: at rest, in motion, and in use. It means implementing measures to protect information from damage, theft, or alteration by malicious outsiders and insiders, as well as from non-malicious (accidental) actions that may compromise information. For instance, an employee may lose a laptop holding confidential information, but if proper IG policies are enforced using security-related information technologies, the information on it can still be protected. This can be done through access control methods, data or document encryption, information rights management software, remote digital shredding (remote wipe) capabilities, and enhanced auditing procedures. Information privacy is closely related to information security and is critical when dealing with personally identifiable information (PII), protected health information (PHI), and other confidential or sensitive information.
7) Information accessibility. Accessibility is vital not only in the short term but also over time, using long-term digital preservation (LTDP) techniques when appropriate (generally if information is needed for over five years). Accessibility must be balanced with information security concerns. Information accessibility includes making the information as simple as possible to locate and access, which involves not only the user interface but also enterprise search principles, technologies, and tools. It also includes basic access controls, such as password management and identity and access management, and delivering information to a variety of hardware devices.
8) Information control. Document management, data management, and report management software must be deployed to control the access to, creation, updating, and printing of data, documents, and reports. When information is declared a business record, it must be assigned to the proper retention and disposition schedule so that it is retained for as long as the records are needed to comply with legal retention periods and regulatory requirements. Non-record information must also be classified and scheduled. And information that may be needed or requested in legal proceedings must be preserved and safeguarded through a legal hold process.
9) Information governance monitoring and auditing. To ensure that guidelines and policies are being followed and to measure employee compliance levels, information access and use must be monitored. To guard against claims of spoliation, use of e-mail, social media, cloud computing, and report generation should be logged in real time and maintained as an audit record. Technology tools such as document analytics can track how many documents or reports users access and print and how long they spend doing so.
10) Continuous improvement. IG programs are not one-time projects but rather ongoing programs that must be reviewed periodically and adjusted to account for gaps or shortcomings as well as changes in the business environment, technology usage, or business strategy.
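Principles 4 and 9 above both rest on two concrete techniques: keeping only one copy of each unique document (de-duplication) and keeping an audit trail that can show it has not been altered or thinned out after the fact (the answer to a spoliation claim). The Python script below is an added illustration of both; it is not code from the original article or from IMERGE Consulting. The class names (DedupStore, AuditLog), the sample report content, the event timestamps and the choice of SHA-256 hash chaining are all assumptions made here to show the idea.

```python
"""Added example: content-addressed de-duplication plus a hash-chained,
tamper-evident audit trail. Names and sample data are assumptions for
illustration, not the article's or any vendor's implementation."""
import hashlib
import json
from typing import Optional, Tuple


def content_id(data: bytes) -> str:
    """Content-addressed identifier: byte-identical documents get the same id."""
    return hashlib.sha256(data).hexdigest()


class DedupStore:
    """Keeps exactly one copy of each unique document; names are references."""

    def __init__(self) -> None:
        self.blobs: dict = {}  # content id -> bytes (stored once)
        self.refs: dict = {}   # document name -> content id

    def add(self, name: str, data: bytes) -> Tuple[str, bool]:
        """Store a document. Returns (content id, True if this content is new)."""
        cid = content_id(data)
        is_new = cid not in self.blobs
        if is_new:
            self.blobs[cid] = data
        self.refs[name] = cid
        return cid, is_new

    def bytes_stored(self) -> int:
        """Storage actually consumed, counting each unique document once."""
        return sum(len(b) for b in self.blobs.values())


class AuditLog:
    """Append-only log in which each entry commits to the previous entry's hash.

    Editing, deleting or reordering any entry breaks the chain from that point
    on, so the log itself shows whether the record has been tampered with.
    """

    GENESIS = "0" * 64  # prev-hash recorded by the very first entry

    def __init__(self) -> None:
        self.entries: list = []

    @staticmethod
    def _digest(entry: dict) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
        canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def append(self, ts: str, actor: str, action: str, object_id: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "actor": actor,
                 "action": action, "object": object_id, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or self._digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return None


def spoliation_demo() -> dict:
    """Constructed scenario: a report is saved twice, used, then an entry is altered."""
    store = DedupStore()
    report = b"Q1 figures: revenue 1.2M, cost 0.9M"  # constructed sample content
    cid, first_new = store.add("q1-report.xlsx", report)
    _, second_new = store.add("Copy of q1-report.xlsx", report)  # byte-identical copy

    log = AuditLog()
    log.append("2014-03-01T09:00:00Z", "alice", "create", cid)
    log.append("2014-03-02T10:15:00Z", "bob", "read", cid)
    log.append("2014-03-03T16:40:00Z", "alice", "print", cid)
    intact = log.verify()

    log.entries[1]["action"] = "delete"  # after-the-fact alteration of one record
    tampered = log.verify()
    return {"unique_copies": len(store.blobs), "first_new": first_new,
            "second_new": second_new, "bytes_stored": store.bytes_stored(),
            "intact": intact, "first_bad_entry": tampered}


if __name__ == "__main__":
    print(json.dumps(spoliation_demo(), indent=2))
```

Two design points matter in practice. First, de-duplication keyed on a content hash removes only byte-identical copies; near-duplicates (the same report re-saved with a changed date) still need classification and a retention schedule, which is what principle 5 covers. Second, a hash chain only proves that the log has not been altered since the last entry an outside party has seen; whoever controls the whole log can recompute the chain. Real deployments therefore anchor it, for example by periodically signing the latest hash or writing it to write-once (WORM) storage, so that the recorded chain can be compared against something the log's administrators cannot rewrite.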
If you are currently planning or implementing an IG program, these 10 principles are a good way to communicate to your stakeholders and IG steering committee what IG is, how it should be done, and how to fashion IG programs that succeed. You should continually reinforce the importance of these principles during the course of your IG program, and measure how well your organization is doing in these 10 critical areas.
Robert Smallwood is Managing Director of the Institute for IG at IMERGE Consulting, which can be found at www.IGTraining.com.
He teaches comprehensive courses on IG and e-records management for corporate and public sector clients. He is the author of three leading books on Information Governance: Information Governance: Concepts, Strategies, and Best Practices (Wiley, 2014); Managing Electronic Records: Methods, Best Practices, and Technologies (Wiley, 2013); and Safeguarding Critical E-Documents (Wiley, 2012).
Follow Robert on Twitter @RobertSmallwood and if we are not connected - please feel free to reach out!
#InformationGovernance