Information governance

Information governance, or IG, is the overall strategy for information at an organization. Information governance balances the risk that information presents with the value that information provides. Information governance helps with legal compliance, operational transparency, and reducing expenditures associated with legal discovery. Through its information governance policies and procedures, an organization can establish a consistent and logical framework for employees to handle data. These policies guide proper behavior regarding how organizations and their employees handle information, whether it is created physically or electronically (electronically stored information, or ESI). [1] [2] [3]

Information governance encompasses more than traditional records management. It incorporates information security and protection, compliance, data quality, data governance, electronic discovery, risk management, privacy, data storage and archiving, knowledge management, business operations and management, audit, analytics, IT management, master data management, enterprise architecture, business intelligence, big data, data science, and finance. [4]

History

Records management

Records management deals with the creation, retention, storage, and disposition of records. A record can be either a physical, tangible object or digital information such as a database, application data, or e-mail. The lifecycle was historically viewed as running from the point of creation to the eventual disposal of a record. As data generation exploded in recent decades, and regulations and compliance issues increased, traditional records management failed to keep pace. A more comprehensive platform for managing records and information became necessary to address all phases of the lifecycle, which led to the advent of information governance. [5]

In 2003 the Department of Health in England introduced the concept of broad-based information governance into the National Health Service, publishing version 1 of an online performance assessment tool with supporting guidance. The NHS IG Toolkit [6] is now used by over 30,000 NHS and partner organisations, supported by an e-learning platform with some 650,000 users. In 2010 Logan and Lomas took up the theme of IG more holistically, publishing on how different disciplines needed to come together to better manage information. Lomas produced teaching in this domain, and Smallwood later provided a key textbook on it.

In the professional context, ARMA International introduced the Generally Accepted Recordkeeping Principles®, or "The Principles", in 2008, and in 2015 the subsequent "The Principles" Information Governance Maturity Model. [7] "The Principles" identify the critical hallmarks of information governance. As such, they apply to organizations of all sizes, in all types of industries, and in both the private and public sectors. Multi-national organizations can also use "The Principles" to establish consistent practices across a variety of business units. ARMA International recognized that a clear statement of "Generally Accepted Recordkeeping Principles®" ("The Principles") would guide:

Information governance goes beyond retention and disposition to include privacy, access controls, and other compliance issues. In electronic discovery, or e-discovery, attorneys search for relevant data in the form of electronically stored information and place it on legal hold. IG includes consideration of how this data is held and controlled for e-discovery, and also provides a platform for defensible disposition and compliance. Additionally, metadata often accompanies electronically stored data and can be of great value to the enterprise if stored and managed correctly.

With all of these additional considerations that go beyond traditional records management, IG emerged as a platform for organizations to define policies at the enterprise level, across multiple jurisdictions. IG then also provides for the enforcement of these policies into the various repositories of information, data, and records.

A coalition of organizations known as the Electronic Discovery Reference Model (EDRM), founded in 2005 to address issues related to electronic discovery and information governance, subsequently developed, as one of its projects, a resource called the Information Governance Reference Model (IGRM). [8] In 2011, EDRM, in collaboration with ARMA International, published a white paper, How the Information Governance Reference Model (IGRM) Complements ARMA International's Generally Accepted Recordkeeping Principles ("The Principles"). [9] The IGRM illustrates the relationship between key stakeholders and the information lifecycle and highlights the transparency required to enable effective governance; the IGRM v3.0 update added privacy and security officers as stakeholders. [10]

In 2012, the Compliance, Governance and Oversight Council (CGOC) developed the Information Governance Process Maturity Model (IGPMM). [11] The model outlines 13 key processes in electronic discovery (e-discovery) and information management. Each process is described in terms of a maturity level from one to four, ranging from completely manual and ad hoc to greater degrees of process integration across functions and automation. [12] In 2017, it was updated to include an emphasis on legal, privacy, information security, and cloud security issues [13] and evolving data privacy concerns, including the impact of the EU General Data Protection Regulation (GDPR). [11]

Organizational structure

In the past, records managers owned records management, perhaps within a compliance department at an enterprise. In order to address the broader issues surrounding records management, several other key stakeholders must be involved. Legal, IT, and Compliance tend to be the departments that touch information governance the most, though certainly other departments might seek representation. Many enterprises create information governance committees to ensure that all necessary constituents are represented and that all relevant issues are addressed. [14]

Chief information governance officer

A chief information governance officer (CIGO) is a senior executive of a business, organization or government entity who oversees the management and coordination of all information on an enterprise-wide scale. Unlike a chief marketing officer or chief technology officer, whose roles focus on narrower areas, the CIGO is in charge of implementing, facilitating, and improving information governance strategies across all facets of an organization. The CIGO helps other executives make decisions based on the values, costs, and risks associated with information.

Evolution

In past decades, information governance responsibilities might have fallen under the purview of the chief information officer (CIO). But somewhere along the line, the CIO job description changed to focus solely on the information systems and associated technology that power a company—not the information itself.

In today's age of big data, organizations have more information under their control than ever before. [15] To extract the maximum value from that data while simultaneously protecting an organization from its associated risks, business leaders have turned toward the CIGO because of the role's independence from other departments. CIGOs are tasked with neutrally balancing the needs of all departments with respect to an entire organization's top priorities. [16]

Though the position is an emerging one, support for the CIGO continues to rise as business leaders increasingly understand the implications of information governance (and more importantly, the lack thereof). While many organizations have information governance projects in place, such initiatives are much more likely to succeed with top-down management. [17]

Responsibilities

Since the CIGO is a relatively new position, the role's responsibilities are not set in stone and continue to evolve. For the most part, today's CIGOs:

Tools

To address retention and disposition, Records Management and Enterprise Content Management applications were developed. Sometimes detached search engines or homegrown policy definition tools were created. These were often employed at a departmental or divisional level; rarely were tools used across the enterprise. While these tools were used to define policies, they lacked the ability to enforce those policies. Monitoring for compliance with policies was increasingly challenging. Since information governance addresses so much more than traditional records management, several software solutions have emerged to include the vast array of issues facing records managers.

Other available tools include:

Laws and regulations

Key to IG are the regulations and laws that help to define corporate policies. Some of these regulations include:

United States

European Union

United Kingdom

ISO Regulation

Guidelines

Events

Information Governance Initiative

On May 20–21, 2015, the Information Governance Initiative hosted the first annual CIGO Summit in Chicago, Illinois.

Compliance Governance Oversight Council (CGOC) Regional Meetings
Regional meetings are held twice a year throughout the USA and in Europe for legal, IT, records, and CIGO professionals. [35]

Notable CIGO examples

References

  1. "What is Information Governance? And Why is it So Hard? - Debra Logan". 11 January 2010.
  2. Lomas, Elizabeth (2010). "Information governance: information security and access within a UK context". Records Management Journal, Vol. 20, Issue 2, pp. 182-198. https://doi.org/10.1108/09565691011064322. Available to download at http://discovery.ucl.ac.uk/1543932/
  3. Kooper, M., Maes, R., and Roos Lindgreen, E. (2011). "On the governance of information: Introducing a new concept of governance to support the management of information". International Journal of Information Management, 31(3), 195-200.
  4. "IGI PUBLISHES 2014 ANNUAL REPORT - Information Governance Initiative". 11 August 2014. Archived from the original on 26 May 2022. Retrieved 27 October 2015.
  5. "Archived copy" (PDF). Archived from the original (PDF) on 2009-11-19. Retrieved 2011-12-28.
  6. "Home". Archived from the original on 2014-06-02. Retrieved 2014-06-03.
  7. "The Principles". ARMA International. Retrieved 25 March 2023.
  8. EDRM. "About EDRM". Archived from the original on 2015-02-12. Retrieved 2015-01-21.
  9. Ledergerber, Marcus (ed.) (2011). How the Information Governance Reference Model (IGRM) Complements ARMA International's Generally Accepted Recordkeeping Principles (PDF). White paper. EDRM and ARMA International. p. 15.
  10. "IGRM v3.0 Update: Privacy & Security Officers As Stakeholders" (PDF). Archived from the original (PDF) on 2013-09-21. Retrieved 2013-09-20.
  11. "New IGPMM Essential in Confronting Data Challenges - Corporate Compliance Insights". Corporate Compliance Insights. 2017-03-03. Retrieved 2018-07-12.
  12. "Using the IGRM Model". www.edrm.net. Retrieved 2018-07-12.
  13. "Hospitals, Health Plans Should Treat Information as a Prime Asset | HFMA". www.hfma.org. Archived from the original on 2018-07-12. Retrieved 2018-07-12.
  14. "From the Experts: Information Governance and Its Impact on Litigation". Corporate Counsel.
  15. Peterson, Andrea (2015-01-07). "Companies have more data than ever. That's risky". Washington Post. ISSN 0190-8286. Retrieved 2022-04-29.
  16. "Commentary on Information Governance". The Sedona Conference. Retrieved 2022-04-29.
  17. "Why information governance needs top-down leadership". May 2015.
  18. ARMA International. Information Governance Implementation Model. ARMA International.
  19. ARMA International. "The Principles". Archived 2013-07-31 at the Wayback Machine. ARMA International.
  20. "CGOC: Information Governance Process Maturity Model". CGOC - Compliance, Governance and Oversight Council. Archived from the original on 2017-08-09. Retrieved 2017-08-08.
  21. EDRM. "Information Governance Reference Model". EDRM.
  22. NHS. "NHS Information Governance Toolkit". Archived 2014-06-02 at the Wayback Machine. NHS.
  23. "Foreign Account Tax Compliance Act".
  24. "Official PCI Security Standards Council Site". PCI Security Standards Council.
  25. "Health Information Privacy". 26 August 2015.
  26. "S.900 - Gramm-Leach-Bliley Act". 12 November 1999.
  27. "The Laws That Govern the Securities Industry | Investor.gov". www.investor.gov.
  28. "How to Prepare for the CCPA – Here Are the Resources You Need". CGOC. 2019-10-01. Archived from the original on 2019-10-09. Retrieved 2019-11-21.
  29. "FTC". Federal Trade Commission.
  30. "NIS introduction".
  31. "Moreq2.eu". www.moreq2.eu.
  32. "Account Suspended". Archived from the original on 2012-02-23.
  33. "ISO 15489-1:2001". ISO.
  34. "DoD Standard 5015.2". 15 August 2016. Archived from the original on 16 May 2021. Retrieved 1 September 2017.
  35. "CGOC Regional Meetings". CGOC The Council. 2019-09-26. Retrieved 2019-09-26.