
Information Governance. Concepts, Strategies and Best Practices. Edition No. 2. Wiley CIO

  • Book

  • 544 Pages
  • December 2019
  • John Wiley and Sons Ltd
  • ID: 5838714

The essential guide to effective IG strategy and practice

Information Governance is a highly practical and deeply informative handbook for the implementation of effective Information Governance (IG) procedures and strategies. A critical facet of any mid- to large-sized company, this “super-discipline” has expanded to cover the management and output of information across the entire organization: from email, social media, and cloud computing to electronic records and documents, the IG umbrella now covers nearly every aspect of your business. As more and more everyday business is conducted electronically, the need for robust internal management and compliance grows accordingly. This book offers big-picture guidance on effective IG, with particular emphasis on document and records management best practices.

Step-by-step strategy development guidance is backed by expert insight and crucial advice from a leading authority in the field. This second edition has been updated to align with current practices and regulations, giving the reader a current understanding of critical IG concepts and practices.

  • Explore the many controls and strategies under the IG umbrella
  • Understand why a dedicated IG function is needed in today’s organizations
  • Adopt accepted best practices that manage risk in the use of electronic documents and data
  • Learn how IG and IT technologies are used to control, monitor, and enforce information access and security policy

IG strategy must cover legal demands and external regulatory requirements as well as internal governance objectives; integrating such a broad spectrum of demands into workable policy requires a deep understanding of key concepts and technologies, as well as a clear familiarity with the most current iterations of various requirements. Information Governance distills the best of IG into a primer for effective action.

Table of Contents

Preface
Acknowledgments

Part One - Information Governance Concepts, Definitions, and Principles

Chapter 1 The Information Governance Imperative
  Early Development of IG
  Big Data Impact
  Defining Information Governance
  IG is Not a Project, But an Ongoing Program
  Why IG is Good Business
  Failures in Information Governance
  Form IG Policies, Then Apply Technology for Enforcement

Chapter 2 Information Governance, IT Governance, Data Governance: What’s the Difference?
  Data Governance
  Data Governance Strategy Tips
  IT Governance
  IT Governance Frameworks
  Information Governance
  Impact of a Successful IG Program
  Summing Up the Differences

Chapter 3 Information Governance Principles
  The Sedona Conference® Commentary on Information Governance
  Smallwood IG Principles
  Accountability is Key
  Generally Accepted Recordkeeping Principles® (contributed by Charmaine Brooks)
  Assessment and Improvement Roadmap
  Information Security Principles
  Privacy Principles
  Who Should Determine IG Policies?

Part Two - Information Governance Risk Assessment and Strategic Planning

Chapter 4 Information Asset Risk Planning and Management
  The Information Risk Planning Process
  Create a Risk Profile
  Information Risk Planning and Management Summary

Chapter 5 Strategic Planning and Best Practices for Information Governance
  Crucial Executive Sponsor Role
  Evolving Role of the Executive Sponsor
  Building Your IG Team
  Assigning IG Team Roles and Responsibilities
  Align Your IG Plan with Organizational Strategic Plans
  Survey and Evaluate External Factors
  Formulating the IG Strategic Plan

Chapter 6 Information Governance Policy Development
  The Sedona Conference IG Principles
  A Brief Review of Generally Accepted Recordkeeping Principles®
  IG Reference Model
  Best Practices Considerations
  Standards Considerations
  Benefits and Risks of Standards
  Key Standards Relevant to IG Efforts
  Major National and Regional ERM Standards
  Making Your Best Practices and Standards Selections to Inform Your IG Framework
  Roles and Responsibilities
  Program Communications and Training
  Program Controls, Monitoring, Auditing, and Enforcement

Part Three - Information Governance Key Impact Areas

Chapter 7 Information Governance for Business Units
  Start with Business Objective Alignment
  Which Business Units are the Best Candidates to Pilot an IG Program?
  What is Infonomics?
  How to Begin an IG Program
  Business Considerations for an IG Program (by Barclay T. Blair)
  Changing Information Environment
  Calculating Information Costs
  Big Data Opportunities and Challenges
  Full Cost Accounting for Information
  Calculating the Cost of Owning Unstructured Information
  The Path to Information Value
  Challenging the Culture
  New Information Models
  Future State: What Will the IG-Enabled Organization Look Like?
  Moving Forward

Chapter 8 Information Governance and Legal Functions (Robert Smallwood with Randy Kahn, Esq., and Barry Murphy)
  Introduction to E-Discovery: The Revised 2006 and 2015 Federal Rules of Civil Procedure Changed Everything
  Big Data Impact
  More Details on the Revised FRCP Rules
  Landmark E-Discovery Case: Zubulake v. UBS Warburg
  E-Discovery Techniques
  E-Discovery Reference Model
  The Intersection of IG and E-Discovery (by Barry Murphy)
  Building on Legal Hold Programs to Launch Defensible Disposition (by Barry Murphy)
  Destructive Retention of E-Mail
  Newer Technologies That Can Assist in E-Discovery
  Defensible Disposal: The Only Real Way to Manage Terabytes and Petabytes (by Randy Kahn, Esq.)

Chapter 9 Information Governance and Records and Information Management Functions
  Records Management Business Rationale
  Why is Records Management So Challenging?
  Benefits of Electronic Records Management
  Additional Intangible Benefits
  Inventorying E-Records
  RM Intersection with Data Privacy Management (by Teresa Schoch)
  Generally Accepted Recordkeeping Principles®
  E-Records Inventory Challenges
  Records Inventory Purposes
  Records Inventorying Steps
  Appraising the Value of Records
  Ensuring Adoption and Compliance of RM Policy
  Sample Information Asset Survey Questions
  General Principles of Retention Scheduling
  Developing a Records Retention Schedule
  Why are Retention Schedules Needed?
  What Records Do You Have to Schedule? Inventory and Classification
  Rationale for Records Groupings
  Records Series Identification and Classification
  Retention of E-Mail Records
  How Long Should You Keep Old E-Mails?
  Destructive Retention of E-Mail
  Legal Requirements and Compliance Research
  Event-Based Retention Scheduling for Disposition of E-Records
  Prerequisites for Event-Based Disposition
  Final Disposition and Closure Criteria
  Retaining Transitory Records
  Implementation of the Retention Schedule and Disposal of Records
  Ongoing Maintenance of the Retention Schedule
  Audit to Manage Compliance with the Retention Schedule

Chapter 10 Information Governance and Information Technology Functions
  Data Governance
  Steps to Governing Data Effectively
  Data Governance Framework
  Information Management
  IT Governance
  IG Best Practices for Database Security and Compliance
  Tying It All Together

Chapter 11 Information Governance and Privacy and Security Functions
  Information Privacy (by Andrew Ysasi)
  Generally Accepted Privacy Principles
  Fair Information Practices (FIPS)
  OECD Privacy Principles
  Madrid Resolution 2009
  EU General Data Protection Regulation
  GDPR: A Look at Its First Year (by Mark Driskill)
  Privacy Programs
  Privacy in the United States
  Privacy Laws
  Cybersecurity
  Cyberattacks Proliferate
  Insider Threat: Malicious or Not
  Information Security Assessments and Awareness Training (by Baird Brueseke)
  Cybersecurity Considerations and Approaches (by Robert Smallwood)
  Defense in Depth
  Controlling Access Using Identity Access Management
  Enforcing IG: Protect Files with Rules and Permissions
  Challenge of Securing Confidential E-Documents
  Apply Better Technology for Better Enforcement in the Extended Enterprise
  E-Mail Encryption
  Secure Communications Using Record-Free E-Mail
  Digital Signatures
  Document Encryption
  Data Loss Prevention (DLP) Technology
  Missing Piece: Information Rights Management (IRM)
  Embedded Protection
  Hybrid Approach: Combining DLP and IRM Technologies
  Securing Trade Secrets After Layoffs and Terminations
  Persistently Protecting Blueprints and CAD Documents
  Securing Internal Price Lists
  Approaches for Securing Data Once It Leaves the Organization
  Document Labeling
  Document Analytics
  Confidential Stream Messaging

Part Four - Information Governance for Delivery Platforms

Chapter 12 Information Governance for E-Mail and Instant Messaging
  Employees Regularly Expose Organizations to E-Mail Risk
  E-Mail Policies Should Be Realistic and Technology Agnostic
  E-Record Retention: Fundamentally a Legal Issue
  Preserve E-Mail Integrity and Admissibility with Automatic Archiving
  Instant Messaging
  Best Practices for Business IM Use
  Technology to Monitor IM
  Tips for Safer IM
  Team and Channel Messaging Solutions Emerge

Chapter 13 Information Governance for Social Media (Dr. Patricia Franks and Robert Smallwood)
  Types of Social Media in Web 2.0
  Additional Social Media Categories
  Social Media in the Enterprise
  Key Ways Social Media is Different from E-Mail and Instant Messaging
  Biggest Risks of Social Media
  Legal Risks of Social Media Posts
  Tools to Archive Social Media
  IG Considerations for Social Media
  Key Social Media Policy Guidelines
  Records Management and Litigation Considerations for Social Media
  Emerging Best Practices for Managing Social Media Records

Chapter 14 Information Governance for Mobile Devices
  Current Trends in Mobile Computing
  Security Risks of Mobile Computing
  Securing Mobile Data
  Mobile Device Management (MDM)
  IG for Mobile Computing
  Building Security into Mobile Applications
  Best Practices to Secure Mobile Applications
  Developing Mobile Device Policies

Chapter 15 Information Governance for Cloud Computing (Monica Crocker and Robert Smallwood)
  Defining Cloud Computing
  Key Characteristics of Cloud Computing
  What Cloud Computing Really Means
  Cloud Deployment Models
  Benefits of the Cloud
  Security Threats with Cloud Computing
  Managing Documents and Records in the Cloud
  IG Guidelines for Cloud Computing Solutions
  IG for SharePoint and Office 365 (by Robert Bogue)

Chapter 16 Leveraging and Governing Emerging Technologies
  Data Analytics
  Descriptive Analytics
  Diagnostic Analytics
  Predictive Analytics
  Prescriptive Analytics
  Which Type of Analytics is Best?
  Artificial Intelligence
  The Role of Artificial Intelligence in IG
  Blockchain: A New Approach with Clear Advantages (by Darra Hoffman)
  Breaking Down the Definition of Blockchain
  The Internet of Things: IG Challenges
  IoT as a System of Contracts
  IoT Basic Risks and IG Issues
  IoT E-Discovery Issues
  Why IoT Trustworthiness is a Journey and Not a Project (by Bassam Zarkout)
  Governing the IoT Data
  IoT Trustworthiness
  Information Governance Versus IoT Trustworthiness
  IoT Trustworthiness Journey
  Conclusion

Part Five - Long-Term Program Issues

Chapter 17 Long-Term Digital Preservation (Charles M. Dollar and Lori J. Ashley)
  Defining Long-Term Digital Preservation
  Key Factors in Long-Term Digital Preservation
  Threats to Preserving Records
  Digital Preservation Standards
  PREMIS Preservation Metadata Standard
  Recommended Open Standard Technology-Neutral Formats
  Digital Preservation Requirements
  Long-Term Digital Preservation Capability Maturity Model®
  Scope of the Capability Maturity Model
  Digital Preservation Capability Performance Metrics
  Digital Preservation Strategies and Techniques
  Evolving Marketplace
  Looking Forward
  Conclusion

Chapter 18 Maintaining an Information Governance Program and Culture of Compliance
  Monitoring and Accountability
  Change Management - Required (by Monica Crocker)
  Continuous Process Improvement
  Why Continuous Improvement is Needed

Appendix A Information Organization and Classification: Taxonomies and Metadata (Barb Blackburn, CRM, with Robert Smallwood; edited by Seth Earley)
  Importance of Navigation and Classification
  When is a New Taxonomy Needed?
  Taxonomies Improve Search Results
  Metadata and Taxonomy
  Metadata Governance, Standards, and Strategies
  Types of Metadata
  Core Metadata Issues
  International Metadata Standards and Guidance
  Records Grouping Rationale
  Business Classification Scheme, File Plans, and Taxonomy
  Classification and Taxonomy
  Prebuilt Versus Custom Taxonomies
  Thesaurus Use in Taxonomies
  Taxonomy Types
  Business Process Analysis
  Taxonomy Testing: A Necessary Step
  Taxonomy Maintenance
  Social Tagging and Folksonomies

Appendix B Laws and Major Regulations Related to Records Management
  United States
    Gramm-Leach-Bliley Act
    Health Insurance Portability and Accountability Act of 1996 (HIPAA)
    PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001)
    Sarbanes-Oxley Act (SOX)
    SEC Rule 17a-4
    CFR Title 47, Part 42 - Telecommunications
    CFR Title 21, Part 11 - Pharmaceuticals
    US Federal Authority on Archives and Records: National Archives and Records Administration (NARA)
    US Code of Federal Regulations
  Canada
  United Kingdom
  Australia
  Identifying Records Management Requirements in Other Legislation

Appendix C Laws and Major Regulations Related to Privacy
  United States
  European Union General Data Protection Regulation (GDPR)
  Major Privacy Laws Worldwide, by Country

Glossary
About the Author
About the Major Contributors
Index

Authors

Robert F. Smallwood