SlideShare a Scribd company logo

Information Governance

Lorne Rogers, ECM-M, PMP [Open Networker]
Lorne Rogers, ECM-M, PMP [Open Networker]

A walk-through of the key concepts, approaches, and considerations for Information Governance from the unstructured data (Content) perspective.

TechnologyBusiness
1 of 56
216 – Information Governance THE Key to Success
 atan enterpriselevel  (GARP) 
       
Unpublished content and working documents (sharable but not available across silos)
Information Governance Reference Model (IGRM)
ARMA Maturity Model Information Governance Governance Governance
Scope and Views ARMA Maturity Model
ARMA International Maturity Model for Information Governance Level 2 (In Development) Level 1 (Sub-standard)   Level 3 (Essential)   Level 4 (Proactive)    Level 5 (Transformational) 
GARP ® Principle Level 1 (Sub-Standard) Level 2 (In Development) Level 3 (Essential) Level 4 (Proactive) Level 5 (Transformational) Accountability A senior executive (or person of comparable authority) oversees the recordkeeping program and delegates program responsibility to appropriate individuals. The organization adopts policies and procedures to guide personnel, and ensure the program can be audited. No senior executive (or person of comparable authority) is responsible for the records management program. The records manager role is largely non-existent or is an administrative and/or clerical role distributed among general staff. No senior executive (or person of comparable authority) is involved in or responsible for the records management program. The records manager role is recognized, although he/she is responsible for tactical operation of the existing program. In many cases, the existing program covers paper records only. The information technology function or department is the de facto lead for storing electronic information, but this is not done in a systematic fashion. The records manager is not involved in discussions of electronic systems. The records manager is an officer of the organization and is responsible for the tactical operation of the ongoing program on an organization-wide basis. The records manager is actively engaged in strategic information and record management initiatives with other officers of the organization. Senior management is aware of the program. The organization has defined specific goals related to accountability. The records manager is a senior officer responsible for all tactical and strategic aspects of the program. A stakeholder committee representing all functional areas and chaired by the records manager meets on a periodic basis to review disposition policy and other records management- related issues. Records management activities are fully sponsored by a senior executive. The organization’s senior management and its governing board place great emphasis on the importance of the program. The records management program is directly responsible to an individual in the senior level of management, (e.g., chief risk officer, chief compliance officer, chief information officer) OR, A chief records officer (or similar title) is directly responsible for the records management program and is a member of senior management for the organization. The organization’s stated goals related to accountability have been met. Accountability
GARP ® Principle Level 1 (Sub-Standard) Level 2 (In Development) Level 3 (Essential) Level 4 (Proactive) Level 5 (Transformational) Integrity A recordkeeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability. There are no systematic audits or defined processes for showing the origin and authenticity of a record. Various organizational functions use ad hoc methods to demonstrate authenticity and chain of custody, as appropriate, but their trustworthiness cannot easily be guaranteed. Some organizational records are stored with their respective metadata that demonstrate authenticity; however, no formal process is defined for metadata storage and chain of custody. Metadata storage and chain of custody methods are acknowledged to be important, but are left to the different departments to handle as they determine is appropriate. The organization has a formal process to ensure that the required level of authenticity and chain of custody can be applied to its systems and processes. Appropriate data elements to demonstrate compliance with the policy are captured. The organization has defined specific goals related to integrity. There is a clear definition of metadata requirements for all systems, business applications, and paper records that are needed to ensure the authenticity of records. Metadata requirements include security and signature requirements and chain of custody as needed to demonstrate authenticity. The metadata definition process is an integral part of the records management practice in the organization. There is a formal, defined process for introducing new record- generating systems and the capture of their metadata and other authenticity requirements, including chain of custody. This level is easily and regularly audited. The organization’s stated goals related to integrity have been met. The organization can consistently and confidently demonstrate the accuracy and authenticity of its records. Integrity
GARP ® Principle Level 1 (Sub-Standard) Level 2 (In Development) Level 3 (Essential) Level 4 (Proactive) Level 5 (Transformational) Protection A recordkeeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, or essential to business continuity. No consideration is given to record privacy. Records are stored haphazardly, with protection taken by various groups and departments with no centralized access controls. Access controls, if any, are assigned by the author. Some protection of records is exercised. There is a written policy for records that require a level of protection (e.g., personnel records). However, the policy does not give clear and definitive guidelines for all records in all media types. Guidance for employees is not universal or uniform. Employee training is not formalized. The policy does not address how to exchange these records between employees. Access controls are still implemented by individual record owners. The organization has a formal written policy for protecting records and centralized access controls. Confidentiality and privacy are well defined. The importance of chain of custody is defined, when appropriate. Training for employees is available. Records and information audits are only conducted in regulated areas of the business. Audits in other areas may be conducted, but are left to the discretion of each function area. The organization has defined specific goals related to record protection. The organization has implemented systems that provide for the protection of the information. Employee training is formalized and well documented. Auditing of compliance and protection is conducted on a regular basis. Executives and/or senior management and the board place great value in the protection of information. Audit information is regularly examined and continuous improvement is undertaken. The organization’s stated goals related to record protection have been met. Inappropriate or inadvertent information disclosure or loss incidents are rare. Protection
Compliance GARP ® Principle Level 1 (Sub-Standard) Level 2 (In Development) Level 3 (Essential) Level 4 (Proactive) Level 5 (Transformational) Compliance The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies. There is no clear definition of the records the organization is obligated to keep. Records and other business documentation are not systematically managed according to records management principles. Various groups of the organization define this to the best of their ability based on their interpretation of rules and regulations. There is no central oversight and no consistently defensible position. There is no defined or understood process for imposing "holds." The organization has identified the rules and regulations that govern its business and introduced some compliance policies and recordkeeping practices around those policies. Policies are not complete and there is no apparent or well- defined accountability for compliance. There is a hold process, but it is not well-integrated with the organization’s information management and discovery processes. The organization has identified all relevant compliance laws and regulations. Record creation and capture are systematically carried out in accordance with records management principles. The organization has a strong code of business conduct which is integrated into its overall information governance structure and recordkeeping policies. Compliance and the records that demonstrate it are highly valued and measurable. The hold process is integrated into the organization’s information management and discovery processes for the “most critical” systems. The organization has defined specific goals related to compliance. The organization has implemented systems to capture and protect records. Records are linked with the metadata used to demonstrate and measure compliance. Employees are trained appropriately and audits are conducted regularly. Records of the audits and training are available for review. Lack of compliance is remedied through implementation of defined corrective actions. The hold process is well- managed with defined roles and a repeatable process that is integrated into the organization’s information management and discovery processes. The importance of compliance and the role of records and information in it are clearly recognized at the senior management and board levels. Auditing and continuous improvement processes are well-established and monitored by senior management. The roles and processes for information management and discovery are integrated. The organization’s stated goals related to compliance have been met. The organization suffers few or no adverse consequences based on information governance and compliance failures.
GARP ® Principle Level 1 (Sub-Standard) Level 2 (In Development) Level 3 (Essential) Level 4 (Proactive) Level 5 (Transformational) Availability An organization shall maintain records in a manner that ensures timely, efficient, and accurate retrieval of needed information. Records are not readily available when needed and/or it is unclear who to ask when records need to be produced. It takes time to find the correct version, the signed version, or the final version, if it can be found at all. The records lack finding aides: indices, metadata, and locators. Legal discovery is difficult because it is not clear where information resides or where the final copy of a record is located. Record retrieval mechanisms have been implemented in certain areas of the organization. In those areas with retrieval mechanisms, it is possible to distinguish between official records, duplicates, and non- record materials. There are some policies on where and how to store official records, but a standard is not imposed across the organization. Legal discovery is complicated and costly due to the inconsistent treatment of information. There is a standard for where and how official records and information are stored, protected, and made available. Record retrieval mechanisms are consistent and contribute to timely records retrieval. Most of the time, it is easy to determine where to find the authentic and final version of any record. Legal discovery is a welldefined and systematic business process. The organization has defined specific goals related to availability. There are clearly defined policies regarding storage of records and information. There are clear guidelines and an inventory that identifies and defines the systems and their information assets. Records and information are consistently and readily available when needed. Appropriate systems and controls are in place for legal discovery. Automation is adopted to facilitate the implementation of the hold process. The senior management and board levels provide support to continually upgrade the processes that affect record availability. There is an organized training and continuous improvement program. The organization’s stated goals related to availability have been met. There is a measurable ROI to the business as a result of records availability. Availability
GARP ® Principle Level 1 (Sub-Standard) Level 2 (In Development) Level 3 (Essential) Level 4 (Proactive) Level 5 (Transformational) Retention An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements. There is no current documented records retention schedule. Rules and regulations that should define retention are not identified or centralized. Retention guidelines are haphazard at best. In the absence of retention schedules, employees either keep everything or dispose of records based on their own business needs, rather than organizational needs. A retention schedule is available, but does not encompass all records, did not go through official review, and is not well known around the organization. The retention schedule is not regularly updated or maintained Education and training about the retention policies are not available. A formal retention schedule that is tied to rules and regulations is consistently applied throughout the organization. The organization’s employees are knowledgeable about the retention schedule and they understand their personal responsibilities for records retention. The organization has defined specific goals related to retention. Employees understand how to classify records appropriately. Retention training is in place. Retention schedules are reviewed on a regular basis, and there is a process to adjust retention schedules as needed. Records retention is a major corporate concern. Retention is an important item at the senior management and board levels. Retention is looked at holistically and is applied to all information in an organization, not just to official records. The organization’s stated goals related to retention have been met. Information is consistently retained for appropriate periods of time. Retention
GARP ® Principle Level 1 (Sub-Standard) Level 2 (In Development) Level 3 (Essential) Level 4 (Proactive) Level 5 (Transformational) Disposition An organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization's policies. There is no documentation of the processes, if any, that are used to guide the transfer or disposition of records. The process for suspending disposition in the event of investigation or litigation is non- existent or is inconsistent across the organization. Preliminary guidelines for disposition are established. There is a realization of the importance of suspending disposition in a consistent manner, repeatable by certain legal groupings. There may or may not be enforcement and auditing of disposition. Official procedures for records disposition and transfer are developed. Official policy and procedures for suspending disposition have been developed. Although policies and procedures exist, they are not standardized across the organization. Individual departments have devised alternative procedures to suit their particular business needs. The organization has defined specific goals related to disposition. Disposition procedures are understood by all and are consistently applied across the enterprise. The process for suspending disposition due to legal holds is defined, understood, and used consistently across the organization. Electronic information is expunged, not just deleted, in accordance with retention policies. The disposition process covers all records and information in all media. Disposition is assisted by technology and is integrated into all applications, data warehouses, and repositories. Disposition processes are consistently applied and effective. Processes for disposition are regularly evaluated and improved. The organization's stated goals related to disposition have been met. Disposition
Information
1. ClearVision 2. KeyRolesandResponsibilities 3. DeploymentModel 4. OneSizeDoesNotFitAll 5. Policies 6. GuidingPrinciples 7. LaunchandRoll-out(Adoption)Strategy 8. ContentManagementPlan 9. TrainingPlan 10. GovernancePlanDocument
     Replaceshareddriveswithsearchable, organizedrepositories   Vision: What are some common business goals?
Vision: What are some common business outcomes?     trust  
Roles and Responsibilities     governanceteam 
Enterprise Roles and Responsibilities Role Responsibilities Senior Executive Sponsor Provides executive level sponsorship for enabling and sustaining Information/Content Governance. The primary responsibility of the Senior Executive Sponsor is strategic, positioning governance as a critical mechanism for achieving business value and helping to communicate the value of the solution to all the management levels of the organization. Governance Board/Steering Committee Serves as a governance body with ultimate responsibility for meeting the goals of the governance process. This Board is typically comprised of Director, or managerial, representatives of each of the major lines of business, including Corporate Communications and IT. Business/Service Owner Manages the overall design and functionality integrity of the solution(s) subject to the Governance from a business perspective. Solution Administrator(s) (Technology) Manages the overall design and functionality integrity of the solution from a technology perspective. Works in partnership with the Business/Service Owner. Technology Support Team(s) Ensures the technical integrity of the solution(s). Develops/implements new capabilities and provides support to solution/sites Sponsors/Owners seeking enhancements to their solutions/sites or new uses of the solution.
Site Roles and Responsibilities Role Responsibilities Site Sponsor/Owner Serves as the centralized, primary role for ensuring that content for a particular page/site/solution is properly collected, reviewed, published, and maintained over time. The Sponsor/Owner is an expert in the content that is showcased on the site. Site Steward Manages the site day-to-day by executing the functions required to ensure that the content is accurate and relevant. Monitors security to ensure that the security model for the site/solution matches the goals of the business and Site Sponsor/Owner and support users of the site by serving as the primary identified contact point for the site. Users Uses the solution to access and share information. Users may have different access permissions in different areas of the solution, sometimes acting as a Contributor and other times acting as a Visitor.
Deployment Model
One size does NOT fit all Self-Service Site Creation + Life Cycle Management Semi-Structured Group, Team, Project Sites and Workspaces Central Portal Aggregation & Navigation Line of Business (LOB) Portals Business Process Management LOB News Group Reporting & Scorecards Individual Contributors Blogs, Social Networking Corporate Business Taxonomy With Divisional Stakeholders Provisioned per User
Policies      multiplelayers        
Guiding Principles    
Example Guiding Principles – Design  consistentnaming  minimize training    privacy recordsretention 
Example Guiding Principles – Usage and Content Management       metadataparadigm shift
Launch & Rollout (Adoption) Strategy considerations   time adapt  ensure training  thewaytheyareusedto newbusiness practices   Funandengaging    keepthisup! willrevert
Content Management Plan considerations  what/where/when  automatedprocesses routecontent  managecontentsecurity  customization allowed  policies  change
Training Plan considerations  Nota“onetime”thing   makeitpersonal     HELPDESK!       variety
Governance Plan document  breaking    NOT    TIP: The process of creating the document is the most important part!
Possible Additional Components of a Governance Plan                       
 should       facilitation communications  enabler
How you picture it
The reality
    Effective governance will help you to ensure the hard work that went into an initial design has not been lost. The stages of maintenance and evolution are where many organizations are often failing. You must recognize that once you’ve designed your system and populated it with content/information, your job has just begun. There will always be new or different content and functionality needs to which you must respond. Managing these needs effectively and consistently according to a published and understood set of rules and guidelines will ensure the long- term sustainability of your system(s). Benefits of Governance
           NERDy             Benefits of Governance – by type
 quicklybedegradedwithout  reducesuser’s trust/confidence workarounds  duplicated,inappropriate,orincorrectly Time from Rollout (months) Documents in Directory: 10,000 Folders in Directory: 90 Directory Depth (Levels): 4 Duplicate Content: 0 Documents in Directory: 20,000 Folders in Directory: 150 Directory Depth (Levels): 7 Duplicate Content: 5,000 Documents in Directory: 40,000 Folders in Directory: 250 Directory Depth (Levels): 15 Duplicate Content: 15,000 Governance Sustainability
Governance
              The Keys to Governance
Define the “DNA” of your Information/Content Environment            
policies easily long-termsustainability usability taxonomy content Folders • Empty folders will be immediately deleted or hidden • Folders with less than three documents will be deleted or hidden and their content will be promoted to the next level • No more than 5 folders in any library • No more than 3 subfolders at each level • No acronyms or abbreviations in folder names Content • No duplicate content in the system • No “irregular” security (follow a defined, controlled, verifiable and traceable security model • Content in shared locations must be of value to others • No outdated content (No older versions of current document) Metadata • All metadata values must be powered by standard taxonomies • No acronyms or abbreviations in document names • Do not duplicate information in any fields Policies!
   Procedures (where process and roles meet)
 learn rangeofmeans        two-waycommunications prove  allinput  allfeedbackavailable  viathesystem  Market value notbesufficient Communications, Education, and Marketing
Translating Communications into ACTION
Communicating Performance/Achievements
Focus on the BUSINESS succeeding
Governance
Establish a Steering Committee (SteerCo)  Ensure acrosstheenterprise     charter authorityandresponsibilities  sponsor chairandfacilitator  asneeded investigateissues recommendations  Usability  Identity  Taxonomy  Metadata  Meetonaregular
 toomanystakeholders  buy-in acrosstheenterprise  owns policies enforce compliance  Distribute Ownership
Focus on the end-users  benefiting enduser  better truth  Balance sustainability service  Don’t difficult change  Agree consistentresponse  Talk
  online in-personinterviews  feedback everyscreen  pre-andpost-rolloutsurveys   Identify notbeingused improvements  Alert toomanydocuments  mostpopularcomponents  termsusersaresearchingfor  Identifyinactiveusers Employ Active and Passive Analytics

Recommended

What is Information Governance
What is Information GovernanceWhat is Information Governance
What is Information Governance
Atle Skjekkeland
 
Information Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer SatisfactionInformation Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer Satisfaction
Capgemini
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
Dam Frank
 
10 Worst Practices in Master Data Management
10 Worst Practices in Master Data Management10 Worst Practices in Master Data Management
10 Worst Practices in Master Data Management
ibi
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Eryk Budi Pratama
 
Best Practices for Implementing Data Loss Prevention (DLP)
Best Practices for Implementing Data Loss Prevention (DLP)Best Practices for Implementing Data Loss Prevention (DLP)
Best Practices for Implementing Data Loss Prevention (DLP)
Sarfaraz Chougule
 
Cyber Table Top Exercise -- Model Roadmap
Cyber Table Top Exercise -- Model RoadmapCyber Table Top Exercise -- Model Roadmap
Cyber Table Top Exercise -- Model Roadmap
David Sweigert
 
Information Security It's All About Compliance
Information Security It's All About ComplianceInformation Security It's All About Compliance
Information Security It's All About Compliance
Dinesh O Bareja
 

Recommended

What is Information Governance
What is Information GovernanceWhat is Information Governance
What is Information Governance
Atle Skjekkeland
 
Information Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer SatisfactionInformation Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer Satisfaction
Capgemini
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
Dam Frank
 
10 Worst Practices in Master Data Management
10 Worst Practices in Master Data Management10 Worst Practices in Master Data Management
10 Worst Practices in Master Data Management
ibi
 
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - ErykData Loss Prevention (DLP) - Fundamental Concept - Eryk
Data Loss Prevention (DLP) - Fundamental Concept - Eryk
Eryk Budi Pratama
 
Best Practices for Implementing Data Loss Prevention (DLP)
Best Practices for Implementing Data Loss Prevention (DLP)Best Practices for Implementing Data Loss Prevention (DLP)
Best Practices for Implementing Data Loss Prevention (DLP)
Sarfaraz Chougule
 
Cyber Table Top Exercise -- Model Roadmap
Cyber Table Top Exercise -- Model RoadmapCyber Table Top Exercise -- Model Roadmap
Cyber Table Top Exercise -- Model Roadmap
David Sweigert
 
Information Security It's All About Compliance
Information Security It's All About ComplianceInformation Security It's All About Compliance
Information Security It's All About Compliance
Dinesh O Bareja
 
Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing
Dinesh O Bareja
 
Business Case For IT Asset Management
Business Case For IT Asset ManagementBusiness Case For IT Asset Management
Business Case For IT Asset Management
Samanage
 
Data Leakage Prevention
Data Leakage Prevention Data Leakage Prevention
Data Leakage Prevention
Dhananjay Aloorkar
 
INCIDENT RESPONSE CONCEPTS
INCIDENT RESPONSE CONCEPTSINCIDENT RESPONSE CONCEPTS
INCIDENT RESPONSE CONCEPTS
Sylvain Martinez
 
Data Leakage Prevention (DLP)
Data Leakage Prevention (DLP)Data Leakage Prevention (DLP)
Data Leakage Prevention (DLP)
Network Intelligence India
 
Information Security
Information SecurityInformation Security
Information Security
haneefvf1
 
Why data governance is the new buzz?
Why data governance is the new buzz?Why data governance is the new buzz?
Why data governance is the new buzz?
Aachen Data & AI Meetup
 
Data Loss Threats and Mitigations
Data Loss Threats and MitigationsData Loss Threats and Mitigations
Data Loss Threats and Mitigations
April Mardock CISSP
 
Information Management Life Cycle
Information Management Life CycleInformation Management Life Cycle
Information Management Life Cycle
Collabor8now Ltd
 
What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance
BOC Group
 
IT Audit - Shadow IT Systems
IT Audit - Shadow IT SystemsIT Audit - Shadow IT Systems
IT Audit - Shadow IT Systems
Dam Frank
 
DLP Data leak prevention
DLP Data leak preventionDLP Data leak prevention
DLP Data leak prevention
Ariel Evans
 
Enterprise Data Management Framework Overview
Enterprise Data Management Framework OverviewEnterprise Data Management Framework Overview
Enterprise Data Management Framework Overview
John Bao Vuu
 
How to Build & Sustain a Data Governance Operating Model
How to Build & Sustain a Data Governance Operating Model How to Build & Sustain a Data Governance Operating Model
How to Build & Sustain a Data Governance Operating Model
DATUM LLC
 
Data Governance Best Practices
Data Governance Best PracticesData Governance Best Practices
Data Governance Best Practices
DATAVERSITY
 
Data Governance Trends and Best Practices To Implement Today
Data Governance Trends and Best Practices To Implement TodayData Governance Trends and Best Practices To Implement Today
Data Governance Trends and Best Practices To Implement Today
DATAVERSITY
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
primeteacher32
 
03.1 general control
03.1 general control03.1 general control
03.1 general control
Mulyadi Yusuf
 
Data Classification Presentation
Data Classification PresentationData Classification Presentation
Data Classification Presentation
Derroylo
 
Advanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protectionAdvanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protection
Ulf Mattsson
 
Principles of Holistic Information Governance
Principles of Holistic Information GovernancePrinciples of Holistic Information Governance
Principles of Holistic Information Governance
PHIGs Information Management Consulting Inc.
 
Information Governance -- Necessary Evil or a Bridge to the Future?
Information Governance -- Necessary Evil or a Bridge to the Future?Information Governance -- Necessary Evil or a Bridge to the Future?
Information Governance -- Necessary Evil or a Bridge to the Future?
John Mancini
 

More Related Content

What's hot

Data Governance Best Practices
Data Governance Best PracticesData Governance Best Practices
Data Governance Best Practices
DATAVERSITY
 
Data Governance Trends and Best Practices To Implement Today
Data Governance Trends and Best Practices To Implement TodayData Governance Trends and Best Practices To Implement Today
Data Governance Trends and Best Practices To Implement Today
DATAVERSITY
 
03.1 general control
03.1 general control03.1 general control
03.1 general control
Mulyadi Yusuf
 
Data Classification Presentation
Data Classification PresentationData Classification Presentation
Data Classification Presentation
Derroylo
 

What's hot (20)

Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing Basics in IT Audit and Application Control Testing
Basics in IT Audit and Application Control Testing
 
Business Case For IT Asset Management
Business Case For IT Asset ManagementBusiness Case For IT Asset Management
Business Case For IT Asset Management
 
Data Leakage Prevention
Data Leakage Prevention Data Leakage Prevention
Data Leakage Prevention
 
INCIDENT RESPONSE CONCEPTS
INCIDENT RESPONSE CONCEPTSINCIDENT RESPONSE CONCEPTS
INCIDENT RESPONSE CONCEPTS
 
Data Leakage Prevention (DLP)
Data Leakage Prevention (DLP)Data Leakage Prevention (DLP)
Data Leakage Prevention (DLP)
 
Information Security
Information SecurityInformation Security
Information Security
 
Why data governance is the new buzz?
Why data governance is the new buzz?Why data governance is the new buzz?
Why data governance is the new buzz?
 
Data Loss Threats and Mitigations
Data Loss Threats and MitigationsData Loss Threats and Mitigations
Data Loss Threats and Mitigations
 
Information Management Life Cycle
Information Management Life CycleInformation Management Life Cycle
Information Management Life Cycle
 
What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance What is GRC – Governance, Risk and Compliance
What is GRC – Governance, Risk and Compliance
 
IT Audit - Shadow IT Systems
IT Audit - Shadow IT SystemsIT Audit - Shadow IT Systems
IT Audit - Shadow IT Systems
 
DLP Data leak prevention
DLP Data leak preventionDLP Data leak prevention
DLP Data leak prevention
 
Enterprise Data Management Framework Overview
Enterprise Data Management Framework OverviewEnterprise Data Management Framework Overview
Enterprise Data Management Framework Overview
 
How to Build & Sustain a Data Governance Operating Model
How to Build & Sustain a Data Governance Operating Model How to Build & Sustain a Data Governance Operating Model
How to Build & Sustain a Data Governance Operating Model
 
Data Governance Best Practices
Data Governance Best PracticesData Governance Best Practices
Data Governance Best Practices
 
Data Governance Trends and Best Practices To Implement Today
Data Governance Trends and Best Practices To Implement TodayData Governance Trends and Best Practices To Implement Today
Data Governance Trends and Best Practices To Implement Today
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
 
03.1 general control
03.1 general control03.1 general control
03.1 general control
 
Data Classification Presentation
Data Classification PresentationData Classification Presentation
Data Classification Presentation
 
Advanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protectionAdvanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protection
 

Viewers also liked

Making the Case for Information Governance: 10 Reasons Information Governance...
Making the Case for Information Governance: 10 Reasons Information Governance...Making the Case for Information Governance: 10 Reasons Information Governance...
Making the Case for Information Governance: 10 Reasons Information Governance...
Barclay T. Blair
 
Information Governance for Smarter Government Strategy and Solutions
Information Governance for Smarter Government Strategy and SolutionsInformation Governance for Smarter Government Strategy and Solutions
Information Governance for Smarter Government Strategy and Solutions
IBMGovernmentCA
 
ARMA San Antonio 02 8-2012
ARMA San Antonio 02 8-2012ARMA San Antonio 02 8-2012
ARMA San Antonio 02 8-2012
Mike Alsup
 
EDRMS Pre implementation project plan
EDRMS Pre implementation project planEDRMS Pre implementation project plan
EDRMS Pre implementation project plan
Donna_Maree_Findlay
 

Viewers also liked (20)

Principles of Holistic Information Governance
Principles of Holistic Information GovernancePrinciples of Holistic Information Governance
Principles of Holistic Information Governance
 
Information Governance -- Necessary Evil or a Bridge to the Future?
Information Governance -- Necessary Evil or a Bridge to the Future?Information Governance -- Necessary Evil or a Bridge to the Future?
Information Governance -- Necessary Evil or a Bridge to the Future?
 
Making the Case for Information Governance: 10 Reasons Information Governance...
Making the Case for Information Governance: 10 Reasons Information Governance...Making the Case for Information Governance: 10 Reasons Information Governance...
Making the Case for Information Governance: 10 Reasons Information Governance...
 
Information Governance
Information GovernanceInformation Governance
Information Governance
 
Mike2.0 Information Governance Overview
Mike2.0 Information Governance OverviewMike2.0 Information Governance Overview
Mike2.0 Information Governance Overview
 
Records and Information Governance: where is Records Management going?
Records and Information Governance: where is Records Management going?Records and Information Governance: where is Records Management going?
Records and Information Governance: where is Records Management going?
 
Information Governance – What Does a Modern Program Look Like?
Information Governance – What Does a Modern Program Look Like?Information Governance – What Does a Modern Program Look Like?
Information Governance – What Does a Modern Program Look Like?
 
IG - Overview
IG - OverviewIG - Overview
IG - Overview
 
Information Governance for Smarter Government Strategy and Solutions
Information Governance for Smarter Government Strategy and SolutionsInformation Governance for Smarter Government Strategy and Solutions
Information Governance for Smarter Government Strategy and Solutions
 
ARMA San Antonio 02 8-2012
ARMA San Antonio 02 8-2012ARMA San Antonio 02 8-2012
ARMA San Antonio 02 8-2012
 
Planning Information Governance and Litigation Readiness
Planning Information Governance and Litigation ReadinessPlanning Information Governance and Litigation Readiness
Planning Information Governance and Litigation Readiness
 
Building the Information Governance Business Case Within Your Company
Building the Information Governance Business Case Within Your CompanyBuilding the Information Governance Business Case Within Your Company
Building the Information Governance Business Case Within Your Company
 
BSI British Standards Information Governance Workshop Presentation
BSI British Standards Information Governance Workshop Presentation BSI British Standards Information Governance Workshop Presentation
BSI British Standards Information Governance Workshop Presentation
 
The CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information SecurityThe CIA Triad - Assurance on Information Security
The CIA Triad - Assurance on Information Security
 
Project Plan For The Implementation Of An Iso9001 2000
Project Plan For The Implementation Of An Iso9001 2000Project Plan For The Implementation Of An Iso9001 2000
Project Plan For The Implementation Of An Iso9001 2000
 
Cia security model
Cia security modelCia security model
Cia security model
 
EDRMS Pre implementation project plan
EDRMS Pre implementation project planEDRMS Pre implementation project plan
EDRMS Pre implementation project plan
 
03. Business Information Requirements Template
03. Business Information Requirements Template03. Business Information Requirements Template
03. Business Information Requirements Template
 
ISO 9001 IMPLEMENTATION METHODOLOGY
ISO 9001 IMPLEMENTATION METHODOLOGYISO 9001 IMPLEMENTATION METHODOLOGY
ISO 9001 IMPLEMENTATION METHODOLOGY
 
How to implement Electronic Records Management?
How to implement Electronic Records Management?How to implement Electronic Records Management?
How to implement Electronic Records Management?
 

Similar to Information Governance

2010.04.07.Garp Maturity Model
2010.04.07.Garp Maturity Model2010.04.07.Garp Maturity Model
2010.04.07.Garp Maturity Model
NDeLaurentis
 
theprinciplesmaturitymodel
theprinciplesmaturitymodeltheprinciplesmaturitymodel
theprinciplesmaturitymodel
David Vickers
 
Management systems
Management systemsManagement systems
Management systems
melynch
 
My Vision
My VisionMy Vision
My Vision
melynch
 
· Recommend strategies to lead organizational change· Justify pl.docx
· Recommend strategies to lead organizational change· Justify pl.docx· Recommend strategies to lead organizational change· Justify pl.docx
· Recommend strategies to lead organizational change· Justify pl.docx
odiliagilby
 

Similar to Information Governance (20)

Access Controls Capability Maturity Model (CMM).pptx
Access Controls Capability Maturity Model (CMM).pptxAccess Controls Capability Maturity Model (CMM).pptx
Access Controls Capability Maturity Model (CMM).pptx
 
2010.04.07.Garp Maturity Model
2010.04.07.Garp Maturity Model2010.04.07.Garp Maturity Model
2010.04.07.Garp Maturity Model
 
theprinciplesmaturitymodel
theprinciplesmaturitymodeltheprinciplesmaturitymodel
theprinciplesmaturitymodel
 
Checklist gestión de registros en el gobierno. cómo hacerlo bien en 12 pasos?
Checklist gestión de registros en el gobierno. cómo hacerlo bien en 12 pasos?Checklist gestión de registros en el gobierno. cómo hacerlo bien en 12 pasos?
Checklist gestión de registros en el gobierno. cómo hacerlo bien en 12 pasos?
 
The Maturing of an Industry: Information Governance (#InfoGov14 Keynote)
The Maturing of an Industry: Information Governance (#InfoGov14 Keynote)The Maturing of an Industry: Information Governance (#InfoGov14 Keynote)
The Maturing of an Industry: Information Governance (#InfoGov14 Keynote)
 
Nick Inglis - The Maturing Of An Industry: Information Governance (Opening Ke...
Nick Inglis - The Maturing Of An Industry: Information Governance (Opening Ke...Nick Inglis - The Maturing Of An Industry: Information Governance (Opening Ke...
Nick Inglis - The Maturing Of An Industry: Information Governance (Opening Ke...
 
Privacy KPIs.pdf
Privacy KPIs.pdfPrivacy KPIs.pdf
Privacy KPIs.pdf
 
Management systems
Management systemsManagement systems
Management systems
 
Enterprise Data World Webinars: Information Management Principles
Enterprise Data World Webinars: Information Management PrinciplesEnterprise Data World Webinars: Information Management Principles
Enterprise Data World Webinars: Information Management Principles
 
Data Governance Maturity Levels
Data Governance Maturity LevelsData Governance Maturity Levels
Data Governance Maturity Levels
 
Cor concepts information governance-protection-of-personal-information-act-popi
Cor concepts information governance-protection-of-personal-information-act-popiCor concepts information governance-protection-of-personal-information-act-popi
Cor concepts information governance-protection-of-personal-information-act-popi
 
Practical Guide to Data Governance Success
Practical Guide to Data Governance SuccessPractical Guide to Data Governance Success
Practical Guide to Data Governance Success
 
Hanrick Curran Audit Training - Internal Controls - March 2013
Hanrick Curran Audit Training - Internal Controls - March 2013Hanrick Curran Audit Training - Internal Controls - March 2013
Hanrick Curran Audit Training - Internal Controls - March 2013
 
CLE-Unit-III.ppt
CLE-Unit-III.pptCLE-Unit-III.ppt
CLE-Unit-III.ppt
 
Maintenance Planning and Scheduling Maturity Matrix #2 of 2
Maintenance Planning and Scheduling Maturity Matrix #2 of 2Maintenance Planning and Scheduling Maturity Matrix #2 of 2
Maintenance Planning and Scheduling Maturity Matrix #2 of 2
 
Information Governance Program
Information Governance ProgramInformation Governance Program
Information Governance Program
 
James Owens Resume 2018
James Owens Resume 2018James Owens Resume 2018
James Owens Resume 2018
 
My Vision
My VisionMy Vision
My Vision
 
· Recommend strategies to lead organizational change· Justify pl.docx
· Recommend strategies to lead organizational change· Justify pl.docx· Recommend strategies to lead organizational change· Justify pl.docx
· Recommend strategies to lead organizational change· Justify pl.docx
 
Information Governance Maturity for Financial Services
Information Governance Maturity for Financial ServicesInformation Governance Maturity for Financial Services
Information Governance Maturity for Financial Services
 

Recently uploaded

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 

Recently uploaded (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 

Information Governance

  • 1. 216 – Information Governance THE Key to Success
  • 3.
  • 5. Unpublished content and working documents (sharable but not available across silos)
  • 7.
  • 9. Scope and Views ARMA Maturity Model
  • 10. ARMA International Maturity Model for Information Governance Level 2 (In Development) Level 1 (Sub-standard)   Level 3 (Essential)   Level 4 (Proactive)    Level 5 (Transformational) 
  • 11. GARP ® Principle Level 1 (Sub-Standard) Level 2 (In Development) Level 3 (Essential) Level 4 (Proactive) Level 5 (Transformational) Accountability A senior executive (or person of comparable authority) oversees the recordkeeping program and delegates program responsibility to appropriate individuals. The organization adopts policies and procedures to guide personnel, and ensure the program can be audited. No senior executive (or person of comparable authority) is responsible for the records management program. The records manager role is largely non-existent or is an administrative and/or clerical role distributed among general staff. No senior executive (or person of comparable authority) is involved in or responsible for the records management program. The records manager role is recognized, although he/she is responsible for tactical operation of the existing program. In many cases, the existing program covers paper records only. The information technology function or department is the de facto lead for storing electronic information, but this is not done in a systematic fashion. The records manager is not involved in discussions of electronic systems. The records manager is an officer of the organization and is responsible for the tactical operation of the ongoing program on an organization-wide basis. The records manager is actively engaged in strategic information and record management initiatives with other officers of the organization. Senior management is aware of the program. The organization has defined specific goals related to accountability. The records manager is a senior officer responsible for all tactical and strategic aspects of the program. A stakeholder committee representing all functional areas and chaired by the records manager meets on a periodic basis to review disposition policy and other records management- related issues. Records management activities are fully sponsored by a senior executive. The organization’s senior management and its governing board place great emphasis on the importance of the program. The records management program is directly responsible to an individual in the senior level of management, (e.g., chief risk officer, chief compliance officer, chief information officer) OR, A chief records officer (or similar title) is directly responsible for the records management program and is a member of senior management for the organization. The organization’s stated goals related to accountability have been met. Accountability
  • 12. GARP ® Principle Level 1 (Sub-Standard) Level 2 (In Development) Level 3 (Essential) Level 4 (Proactive) Level 5 (Transformational) Integrity A recordkeeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability. There are no systematic audits or defined processes for showing the origin and authenticity of a record. Various organizational functions use ad hoc methods to demonstrate authenticity and chain of custody, as appropriate, but their trustworthiness cannot easily be guaranteed. Some organizational records are stored with their respective metadata that demonstrate authenticity; however, no formal process is defined for metadata storage and chain of custody. Metadata storage and chain of custody methods are acknowledged to be important, but are left to the different departments to handle as they determine is appropriate. The organization has a formal process to ensure that the required level of authenticity and chain of custody can be applied to its systems and processes. Appropriate data elements to demonstrate compliance with the policy are captured. The organization has defined specific goals related to integrity. There is a clear definition of metadata requirements for all systems, business applications, and paper records that are needed to ensure the authenticity of records. Metadata requirements include security and signature requirements and chain of custody as needed to demonstrate authenticity. The metadata definition process is an integral part of the records management practice in the organization. There is a formal, defined process for introducing new record- generating systems and the capture of their metadata and other authenticity requirements, including chain of custody. This level is easily and regularly audited. The organization’s stated goals related to integrity have been met. The organization can consistently and confidently demonstrate the accuracy and authenticity of its records. Integrity
  • 13. GARP ® Principle Level 1 (Sub-Standard) Level 2 (In Development) Level 3 (Essential) Level 4 (Proactive) Level 5 (Transformational) Protection A recordkeeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, or essential to business continuity. No consideration is given to record privacy. Records are stored haphazardly, with protection taken by various groups and departments with no centralized access controls. Access controls, if any, are assigned by the author. Some protection of records is exercised. There is a written policy for records that require a level of protection (e.g., personnel records). However, the policy does not give clear and definitive guidelines for all records in all media types. Guidance for employees is not universal or uniform. Employee training is not formalized. The policy does not address how to exchange these records between employees. Access controls are still implemented by individual record owners. The organization has a formal written policy for protecting records and centralized access controls. Confidentiality and privacy are well defined. The importance of chain of custody is defined, when appropriate. Training for employees is available. Records and information audits are only conducted in regulated areas of the business. Audits in other areas may be conducted, but are left to the discretion of each function area. The organization has defined specific goals related to record protection. The organization has implemented systems that provide for the protection of the information. Employee training is formalized and well documented. Auditing of compliance and protection is conducted on a regular basis. Executives and/or senior management and the board place great value in the protection of information. Audit information is regularly examined and continuous improvement is undertaken. The organization’s stated goals related to record protection have been met. Inappropriate or inadvertent information disclosure or loss incidents are rare. Protection
  • 14. Compliance GARP ® Principle Level 1 (Sub-Standard) Level 2 (In Development) Level 3 (Essential) Level 4 (Proactive) Level 5 (Transformational) Compliance The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies. There is no clear definition of the records the organization is obligated to keep. Records and other business documentation are not systematically managed according to records management principles. Various groups of the organization define this to the best of their ability based on their interpretation of rules and regulations. There is no central oversight and no consistently defensible position. There is no defined or understood process for imposing "holds." The organization has identified the rules and regulations that govern its business and introduced some compliance policies and recordkeeping practices around those policies. Policies are not complete and there is no apparent or well- defined accountability for compliance. There is a hold process, but it is not well-integrated with the organization’s information management and discovery processes. The organization has identified all relevant compliance laws and regulations. Record creation and capture are systematically carried out in accordance with records management principles. The organization has a strong code of business conduct which is integrated into its overall information governance structure and recordkeeping policies. Compliance and the records that demonstrate it are highly valued and measurable. The hold process is integrated into the organization’s information management and discovery processes for the “most critical” systems. The organization has defined specific goals related to compliance. The organization has implemented systems to capture and protect records. Records are linked with the metadata used to demonstrate and measure compliance. Employees are trained appropriately and audits are conducted regularly. Records of the audits and training are available for review. Lack of compliance is remedied through implementation of defined corrective actions. The hold process is well- managed with defined roles and a repeatable process that is integrated into the organization’s information management and discovery processes. The importance of compliance and the role of records and information in it are clearly recognized at the senior management and board levels. Auditing and continuous improvement processes are well-established and monitored by senior management. The roles and processes for information management and discovery are integrated. The organization’s stated goals related to compliance have been met. The organization suffers few or no adverse consequences based on information governance and compliance failures.
  • 15. GARP ® Principle Level 1 (Sub-Standard) Level 2 (In Development) Level 3 (Essential) Level 4 (Proactive) Level 5 (Transformational) Availability An organization shall maintain records in a manner that ensures timely, efficient, and accurate retrieval of needed information. Records are not readily available when needed and/or it is unclear who to ask when records need to be produced. It takes time to find the correct version, the signed version, or the final version, if it can be found at all. The records lack finding aides: indices, metadata, and locators. Legal discovery is difficult because it is not clear where information resides or where the final copy of a record is located. Record retrieval mechanisms have been implemented in certain areas of the organization. In those areas with retrieval mechanisms, it is possible to distinguish between official records, duplicates, and non- record materials. There are some policies on where and how to store official records, but a standard is not imposed across the organization. Legal discovery is complicated and costly due to the inconsistent treatment of information. There is a standard for where and how official records and information are stored, protected, and made available. Record retrieval mechanisms are consistent and contribute to timely records retrieval. Most of the time, it is easy to determine where to find the authentic and final version of any record. Legal discovery is a welldefined and systematic business process. The organization has defined specific goals related to availability. There are clearly defined policies regarding storage of records and information. There are clear guidelines and an inventory that identifies and defines the systems and their information assets. Records and information are consistently and readily available when needed. Appropriate systems and controls are in place for legal discovery. Automation is adopted to facilitate the implementation of the hold process. The senior management and board levels provide support to continually upgrade the processes that affect record availability. There is an organized training and continuous improvement program. The organization’s stated goals related to availability have been met. There is a measurable ROI to the business as a result of records availability. Availability
  • 16. GARP ® Principle Level 1 (Sub-Standard) Level 2 (In Development) Level 3 (Essential) Level 4 (Proactive) Level 5 (Transformational) Retention An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements. There is no current documented records retention schedule. Rules and regulations that should define retention are not identified or centralized. Retention guidelines are haphazard at best. In the absence of retention schedules, employees either keep everything or dispose of records based on their own business needs, rather than organizational needs. A retention schedule is available, but does not encompass all records, did not go through official review, and is not well known around the organization. The retention schedule is not regularly updated or maintained Education and training about the retention policies are not available. A formal retention schedule that is tied to rules and regulations is consistently applied throughout the organization. The organization’s employees are knowledgeable about the retention schedule and they understand their personal responsibilities for records retention. The organization has defined specific goals related to retention. Employees understand how to classify records appropriately. Retention training is in place. Retention schedules are reviewed on a regular basis, and there is a process to adjust retention schedules as needed. Records retention is a major corporate concern. Retention is an important item at the senior management and board levels. Retention is looked at holistically and is applied to all information in an organization, not just to official records. The organization’s stated goals related to retention have been met. Information is consistently retained for appropriate periods of time. Retention
  • 17. GARP ® Principle Level 1 (Sub-Standard) Level 2 (In Development) Level 3 (Essential) Level 4 (Proactive) Level 5 (Transformational) Disposition An organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization's policies. There is no documentation of the processes, if any, that are used to guide the transfer or disposition of records. The process for suspending disposition in the event of investigation or litigation is non- existent or is inconsistent across the organization. Preliminary guidelines for disposition are established. There is a realization of the importance of suspending disposition in a consistent manner, repeatable by certain legal groupings. There may or may not be enforcement and auditing of disposition. Official procedures for records disposition and transfer are developed. Official policy and procedures for suspending disposition have been developed. Although policies and procedures exist, they are not standardized across the organization. Individual departments have devised alternative procedures to suit their particular business needs. The organization has defined specific goals related to disposition. Disposition procedures are understood by all and are consistently applied across the enterprise. The process for suspending disposition due to legal holds is defined, understood, and used consistently across the organization. Electronic information is expunged, not just deleted, in accordance with retention policies. The disposition process covers all records and information in all media. Disposition is assisted by technology and is integrated into all applications, data warehouses, and repositories. Disposition processes are consistently applied and effective. Processes for disposition are regularly evaluated and improved. The organization's stated goals related to disposition have been met. Disposition
  • 19. 1. ClearVision 2. KeyRolesandResponsibilities 3. DeploymentModel 4. OneSizeDoesNotFitAll 5. Policies 6. GuidingPrinciples 7. LaunchandRoll-out(Adoption)Strategy 8. ContentManagementPlan 9. TrainingPlan 10. GovernancePlanDocument
  • 21. Vision: What are some common business outcomes?     trust  
  • 23. Enterprise Roles and Responsibilities Role Responsibilities Senior Executive Sponsor Provides executive level sponsorship for enabling and sustaining Information/Content Governance. The primary responsibility of the Senior Executive Sponsor is strategic, positioning governance as a critical mechanism for achieving business value and helping to communicate the value of the solution to all the management levels of the organization. Governance Board/Steering Committee Serves as a governance body with ultimate responsibility for meeting the goals of the governance process. This Board is typically comprised of Director, or managerial, representatives of each of the major lines of business, including Corporate Communications and IT. Business/Service Owner Manages the overall design and functionality integrity of the solution(s) subject to the Governance from a business perspective. Solution Administrator(s) (Technology) Manages the overall design and functionality integrity of the solution from a technology perspective. Works in partnership with the Business/Service Owner. Technology Support Team(s) Ensures the technical integrity of the solution(s). Develops/implements new capabilities and provides support to solution/sites Sponsors/Owners seeking enhancements to their solutions/sites or new uses of the solution.
  • 24. Site Roles and Responsibilities Role Responsibilities Site Sponsor/Owner Serves as the centralized, primary role for ensuring that content for a particular page/site/solution is properly collected, reviewed, published, and maintained over time. The Sponsor/Owner is an expert in the content that is showcased on the site. Site Steward Manages the site day-to-day by executing the functions required to ensure that the content is accurate and relevant. Monitors security to ensure that the security model for the site/solution matches the goals of the business and Site Sponsor/Owner and support users of the site by serving as the primary identified contact point for the site. Users Uses the solution to access and share information. Users may have different access permissions in different areas of the solution, sometimes acting as a Contributor and other times acting as a Visitor.
  • 26. One size does NOT fit all Self-Service Site Creation + Life Cycle Management Semi-Structured Group, Team, Project Sites and Workspaces Central Portal Aggregation & Navigation Line of Business (LOB) Portals Business Process Management LOB News Group Reporting & Scorecards Individual Contributors Blogs, Social Networking Corporate Business Taxonomy With Divisional Stakeholders Provisioned per User
  • 29. Example Guiding Principles – Design  consistentnaming  minimize training    privacy recordsretention 
  • 30. Example Guiding Principles – Usage and Content Management       metadataparadigm shift
  • 31. Launch & Rollout (Adoption) Strategy considerations   time adapt  ensure training  thewaytheyareusedto newbusiness practices   Funandengaging    keepthisup! willrevert
  • 32. Content Management Plan considerations  what/where/when  automatedprocesses routecontent  managecontentsecurity  customization allowed  policies  change
  • 33. Training Plan considerations  Nota“onetime”thing   makeitpersonal     HELPDESK!       variety
  • 34. Governance Plan document  breaking    NOT    TIP: The process of creating the document is the most important part!
  • 35. Possible Additional Components of a Governance Plan                       
  • 36.
  • 40.     Effective governance will help you to ensure the hard work that went into an initial design has not been lost. The stages of maintenance and evolution are where many organizations are often failing. You must recognize that once you’ve designed your system and populated it with content/information, your job has just begun. There will always be new or different content and functionality needs to which you must respond. Managing these needs effectively and consistently according to a published and understood set of rules and guidelines will ensure the long- term sustainability of your system(s). Benefits of Governance
  • 42.  quicklybedegradedwithout  reducesuser’s trust/confidence workarounds  duplicated,inappropriate,orincorrectly Time from Rollout (months) Documents in Directory: 10,000 Folders in Directory: 90 Directory Depth (Levels): 4 Duplicate Content: 0 Documents in Directory: 20,000 Folders in Directory: 150 Directory Depth (Levels): 7 Duplicate Content: 5,000 Documents in Directory: 40,000 Folders in Directory: 250 Directory Depth (Levels): 15 Duplicate Content: 15,000 Governance Sustainability
  • 45. Define the “DNA” of your Information/Content Environment            
  • 46. policies easily long-termsustainability usability taxonomy content Folders • Empty folders will be immediately deleted or hidden • Folders with less than three documents will be deleted or hidden and their content will be promoted to the next level • No more than 5 folders in any library • No more than 3 subfolders at each level • No acronyms or abbreviations in folder names Content • No duplicate content in the system • No “irregular” security (follow a defined, controlled, verifiable and traceable security model • Content in shared locations must be of value to others • No outdated content (No older versions of current document) Metadata • All metadata values must be powered by standard taxonomies • No acronyms or abbreviations in document names • Do not duplicate information in any fields Policies!
  • 48.  learn rangeofmeans        two-waycommunications prove  allinput  allfeedbackavailable  viathesystem  Market value notbesufficient Communications, Education, and Marketing
  • 51. Focus on the BUSINESS succeeding
  • 53. Establish a Steering Committee (SteerCo)  Ensure acrosstheenterprise     charter authorityandresponsibilities  sponsor chairandfacilitator  asneeded investigateissues recommendations  Usability  Identity  Taxonomy  Metadata  Meetonaregular
  • 54.  toomanystakeholders  buy-in acrosstheenterprise  owns policies enforce compliance  Distribute Ownership
  • 55. Focus on the end-users  benefiting enduser  better truth  Balance sustainability service  Don’t difficult change  Agree consistentresponse  Talk
  • 56.   online in-personinterviews  feedback everyscreen  pre-andpost-rolloutsurveys   Identify notbeingused improvements  Alert toomanydocuments  mostpopularcomponents  termsusersaresearchingfor  Identifyinactiveusers Employ Active and Passive Analytics

Editor's Notes

  1. To successfully implement and maintain an information management technology, you must ensure the content within it will initially be, and continue to be, NERDy (New, Essential, Reliable, Dynamic).  Users need New content, meaning as information is generated, they must have access to it immediately.  Users need Essential content, meaning they must be able to find what need to do their jobs or complete their missions.  Users need Reliable content, meaning they must be able to trust what they are seeing as accurate and up-to-date information.  And users need Dynamic information, meaning as the business changes, the information available to them must keep pace.  If these four simple criteria can be met (along with a host of design criteria), information system projects stand a good chance of success. Many organizations mistakenly attempt to place any piece of content, that has ever existed within the organization, within their information management systems.  Most of that content, however, exists on a very long and very thin tail that will most likely never be sought after or useful to the users of the system.  As a result, it will serve no purpose but to be a burden to maintaining the NERDiness of content and, worse yet, a diluting factor to the ability to find the content users need most.  A simple rule when designing your information management system and the accompanying governance plan and content migration strategy is to first understand the level of effort around truly maintaining content.  Only populate your systems with content that is truly NERDy and you will find you are meeting the needs of your users in a way that is truly sustainable and efficient.