Using guiding principles to drive your information governance (IG) program can help educate stakeholders, focus efforts, and maintain consistency.
The Sedona Conference is a group of mostly legal and technology professionals that meets periodically and develops commentary and guidance on e-discovery, electronic records, privacy, risk, IG, and related issues. They have developed 11 general principles of IG,1 which provide guidance on the expectations and aims of IG programs. These principles can further an IG team's understanding of IG and can be used in an introductory “IG Awareness Training” session in the early stages of your program launch. A good exercise is to have team members rewrite these principles in their own words, and then hold discussions about how each of these principles would apply to their departmental IG efforts and to the overall IG program. The Sedona Conference Commentary on IG, expressed as principles, is as follows:
The following 11 IG principles are the result of the author's research and consulting efforts over the past decade or so, where a great deal of practical information on IG program successes, failures, and best practices was synthesized, analyzed, and distilled.
These 11 IG principles must be adhered to as general guidelines for IG programs to succeed:
Using these 11 principles as guidelines will help to communicate to stakeholders and the IG steering committee what IG is, why it is needed, what it involves, and how to fashion an IG program that is successful. It is essential to continually reinforce the importance of these principles during the course of an IG program, and to measure how well the organization is doing in these 11 critical areas.
There are also other sets of principles that apply to IG efforts and can help provide a more complete understanding of IG programs, especially early in the IG program development process. These IG principles reflect, reinforce, and expand on the previous set.
According to Debra Logan at Gartner Group, none of the proffered definitions of IG include “any notion of coercion, but rather ties governance to accountability [italics added] that is designed to encourage the right behavior…. The word that matters most is accountability” [italics in the original]. The root of many problems with managing information is the “fact that there is no accountability for information as such.”2
Establishing policies, procedures, processes, and controls to ensure the quality, integrity, accuracy, and security of business records are the fundamental steps needed to reduce the organization's risk and cost structure for managing these records. Then, it is essential that IG efforts are supported by information technologies (IT). The auditing, testing, maintenance, and improvement of IG is enhanced by using electronic records management (ERM) software, along with other complementary technology sets such as workflow and business process management system (BPMS) software and digital signatures.
A major part of an IG program is managing formal business records. Although they account for only about 7–9% of the total information that an organization holds, they are the most critically important subset to manage, as there are serious compliance and legal ramifications.
Records and recordkeeping are inextricably linked with any organized business activity. Through the information that an organization uses and records, creates, or receives in the normal course of business, it knows what has been done and by whom. This allows the organization to effectively demonstrate compliance with applicable standards, laws, and regulations, as well as plan what it will do in the future to meet its mission and strategic objectives.
Standards and principles of recordkeeping have been developed by records and information management (RIM) practitioners to establish benchmarks for how organizations of all types and sizes can build and sustain compliant, defensible records management (RM) programs.
In 2009 ARMA International published a set of eight Generally Accepted Recordkeeping Principles®, known as “The Principles”3 (or sometimes “GAR Principles”) to foster awareness of good recordkeeping practices. These principles and associated metrics provide an information governance (IG) framework that can support continuous improvement.
The eight Generally Accepted Recordkeeping Principles are:
The Generally Accepted Recordkeeping Principles apply to all sizes of organizations, in all types of industries, and in both the private and public sectors, and can be used to establish consistent practices across business units. The Principles constitute an IG maturity model, which is used for a preliminary evaluation of recordkeeping programs and practices.
Interest in, and application of, The Principles for assessing an organization's recordkeeping practices have steadily increased since their establishment. The Principles form an accountability framework that includes the processes, roles, standards, and metrics that ensure the effective and efficient use of records and information in support of an organization's goals and business objectives.
As shown in Table 3.1, the Generally Accepted Recordkeeping Principles maturity model associates characteristics that are typical in five levels of recordkeeping capabilities that range from 1 (substandard) to 5 (transformational). The levels are both descriptive and color coded for ease of understanding. The eight principles and levels (metrics) are applied to the current state of an organization's recordkeeping capabilities and can be cross-referenced to the policies and procedures. While it is not unusual for an organization to be at differing levels of maturity in the eight principles, the question “How good is good enough?” must be raised and answered; a rating of less than “transformational” may be acceptable, depending on the organization's tolerance for risk and an analysis of the costs and benefits of moving up each level.
Table 3.1 Generally Accepted Recordkeeping Principles Levels

| Level | Characteristics |
|---|---|
| Level 1 Substandard | Characterized by an environment where recordkeeping concerns are either not addressed at all or are addressed in an ad hoc manner. |
| Level 2 In Development | Characterized by an environment where there is a developing recognition that recordkeeping has an impact on the organization, and the organization may benefit from a more defined information governance program. |
| Level 3 Essential | Characterized by an environment where defined policies and procedures exist that address the minimum or essential legal and regulatory requirements, but more specific actions need to be taken to improve recordkeeping. |
| Level 4 Proactive | Characterized by an environment where information governance issues and considerations are integrated into business decisions on a routine basis, and the organization consistently meets its legal and regulatory obligations. |
| Level 5 Transformational | Characterized by an environment that has integrated information governance into its corporate infrastructure and business processes to such an extent that compliance with program requirements is routine. |

Source: Based on data from ARMA.
The maturity levels define the characteristics of evolving and maturing records management programs. The assessment should reflect the current RM environment and practices. The principles and maturity level definitions, along with improvement recommendations (roadmap), outline the tasks required to proactively approach addressing systematic records management practices and reach the next level of maturity for each principle. While the Generally Accepted Recordkeeping Principles are broad in focus, they illustrate the requirements of good records management practices. The Principles Assessment can also be a powerful communication tool to promote cross-functional dialogue and collaboration among business units and staff.
The principle of accountability covers the assigned responsibility for RM at a senior level to ensure effective governance with the appropriate level of authority. A senior-level executive must be high enough in the organizational structure to have sufficient authority to operate the records management program effectively. The primary role of the senior executive is to develop and implement records management policies, procedures and guidance, and to provide advice on all record-keeping issues. The direct responsibility for managing or operating facilities or services may be delegated.
The senior executive must possess an understanding of the business and legislative environment within which the organization operates; business functions and activities; and the required relationships with key external stakeholders. This person must also understand how records management contributes to achieving the corporate mission, aims, and objectives.
It is important for top-level executives to take ownership of the records management issues of the organization, identifying the corrective actions required for mitigation or ensuring the resolution of problems and recordkeeping challenges. An executive sponsor should identify opportunities to raise awareness of the relevance and importance of RM and effectively communicate the benefits of good records management to staff and management.
The regulatory and legal framework for records management must be clearly identified and understood. The senior executive must have a sound knowledge of the organization's information and technological architecture and actively participate in strategic decisions for information technology systems acquisition and implementation.
The senior executive is responsible for ensuring the processes, procedures, governance structures, and related documentation are developed. The policies should identify the roles and responsibilities at all levels of the organization.
An audit process must be developed to cover all aspects of RM within the organization, including substantiating that sufficient levels of accountability have been assigned and accountability deficiencies are identified and remedied. Audit processes should include compliance with the organization policies and procedures for all records, regardless of format or media. Accountability audit requirements for electronic records include employing appropriate technology to audit the information architecture and systems. Accountability structures must be updated and maintained as changes occur in the technology infrastructure.
The audit process must reinforce compliance and hold individuals accountable. The results should be constructive, encourage continuous improvement, but not be used as a means of punishment. The audit should contribute to records program improvements in risk mitigation, control, and governance issues, and have the capacity to support sustainability.
Policies are broad guidelines for the operation of the organization and provide a basic guide to action that prescribes the boundaries within which business activities are to take place. They state the course of action to be followed by the organization, business unit, department, and employees.
Transparency of recordkeeping practices includes documenting processes and promoting an understanding of the roles and responsibilities of all stakeholders. To be effective, policies must be formalized and integrated into business processes. Business rules and recordkeeping requirements need to be communicated and socialized at all levels of the organization.
Senior management must recognize that transparency is fundamental to IG and compliance. Documentation must be consistent, current, and complete. A review and approval process must be established to ensure the introduction of new programs or changes can be implemented and integrated into business processes.
Employees must have ready access to RM policies and procedures. They must receive guidance and training to ensure they understand their roles and requirements for records management. Recordkeeping systems and business processes must be designed and developed to clearly define the records lifecycle.
In addition to policies and procedures, the development of guidelines and operational instructions, diagrams and flowcharts, system documentation, and user manuals must include clear guidance on how records are to be created, retained, stored, and dispositioned. The documentation must be readily available and incorporated in communications and training provided to staff.
Record-generating systems and repositories must be assessed to determine recordkeeping capabilities. A formalized process must be in place for acquiring or developing new systems, including requirements for capturing the metadata required for lifecycle management of records in the systems. In addition, the record must contain all the necessary elements of an official record, including structure, content, and context. Records integrity, reliability, and trustworthiness are confirmed by ensuring that a record was created by a competent authority according to established processes.
Maintaining the integrity of records means that they are complete and protected from being altered. The authenticity of a record is ascertained from internal and external evidence, including the characteristics, structure, content, and context of the record to verify they are genuine and not corrupted or altered. In order to trust that a record is authentic, organizations must ensure that recordkeeping systems that create, capture, and manage electronic records are capable of protecting records from accidental or unauthorized alteration or deletion while the record has value.
Organizations must ensure the protection of records and ensure they are unaltered through loss, tampering, or corruption. This includes technological change or the failure of digital storage media and protecting records against damage or deterioration.
This principle applies equally to physical and electronic records, each having unique requirements and challenges.
Access and security controls need to be established, implemented, monitored, and reviewed to ensure business continuity and minimize business risk. Restrictions on access and disclosure include the methods for protecting personal privacy and proprietary information. Access and security requirements must be integrated into the business systems and processes for the creation, use, and storage of records.
Long-term digital preservation (LTDP) is a series of managed activities required to ensure continued access to digital materials for as long as necessary. Electronic records requiring long-term retention may require conversion to a medium and format suitable to ensure long-term access and readability. Cloud-based services for file conversion and long-term storage have emerged that have simplified the LTDP process and made it more affordable for organizations.
Records management programs include the development of, and training on, the fundamental program components, including compliance monitoring to ensure the sustainability of the program.
Monitoring for compliance involves reviewing and inspecting the various facets of records management: ensuring that records are being properly created and captured; verifying the implementation of user permissions and security procedures; sampling workflow processes to confirm adherence to policies and procedures; ensuring that records are being retained in accordance with disposal authorities; and reviewing the documentation of records destroyed or transferred to determine whether the destruction or transfer was authorized in accordance with disposal instructions.
Compliance monitoring can be carried out by internal audit, an external organization, or the records management function, and must be done on a regular basis.
Organizations should evaluate how effectively and efficiently records and information are stored and retrieved using present equipment, networks, and software. The evaluation should identify current and future requirements and recommend new systems as appropriate. Certain factors should be considered before upgrading or implementing new systems. These factors are practicality, cost, and effectiveness of new configurations.
A major challenge for organizations is ensuring that information and records remain accessible and usable, with timely and reliable access, for the entire length of the retention period. Rapid changes and enhancements to both hardware and software compound this challenge.
Retention is the function of preserving and maintaining records for continuing use. The records retention schedule identifies the actions needed to fulfill the requirements for the retention and disposal of records and provides the authority for employees and systems to retain, destroy, or transfer records. The records retention schedule documents the recordkeeping requirements and procedures, identifying how records are to be organized and maintained, what needs to happen to records and when, who is responsible for doing what, and who to contact with questions or guidance.
Organizations must identify the scope of their recordkeeping requirements for documenting business activities based on the regulated activities and the jurisdictions that impose control over records. This includes business activities regulated by the government for every location or jurisdiction in which you do business. Other considerations for determining retention requirements include operational, legal, fiscal, and historical requirements.
Records appraisal is the process of assessing the value and risk of records to determine their retention and disposition requirements. Legal research is outlined in appraisal reports. This may be accomplished as a part of the process of developing the records retention schedules, as well as conducting a regular review to ensure that citations and requirements are current.
The records retention period is the length of time that records should be retained and the actions taken for them to be destroyed or preserved. The retention periods for different records should be based on legislative or regulatory requirements as well as on administrative and operational requirements. It is important to document the legal research conducted and used to determine whether the law or regulation has been reasonably applied to the recordkeeping practices and provide evidence to regulatory officials or courts that due diligence has been conducted in good faith to comply with all applicable requirements.
Disposition is the last stage in the information life cycle. When the retention requirements have been met and the records no longer serve a useful business purpose, they may be destroyed. Records requiring long-term or permanent retention should be transferred to an archive for preservation. The timing of the transfer of physical or electronic records should be determined through the records retention schedule process. Additional methods are often required to preserve electronic records, which may include migration or conversion.
Records must be destroyed in a controlled and secure manner and in accordance with authorized disposal instructions. The destruction of records must be clearly documented to provide evidence of destruction according to an agreed-on program.
Destruction of records must be undertaken by methods appropriate to the confidentiality of the records and in accordance with the disposal instructions in the records retention schedule. An audit trail documenting the destruction of records should be maintained, and certificates of destruction obtained for destruction undertaken by third parties. In the event disposal schedules are not in place, written authorization should be obtained prior to destruction. Procedures should specify who must supervise the destruction of records. Approved methods of destruction must be specified for each media type to ensure that information cannot be reconstructed.
Disposition is not synonymous with destruction, though destruction may be one disposal option. Destruction of records must be carried out under controlled, confidential conditions by shredding or permanent disposition. This includes the destruction of confidential microfilm, microfiche, computer cassettes, and computer tapes, as well as paper.
Methods of Disposition
The Generally Accepted Recordkeeping Principles maturity model can be leveraged to develop a current state assessment of an organization's recordkeeping practices and resources, identify gaps and assess risks, and develop priorities for desired improvements.
The Principles were developed by ARMA International to identify characteristics of an effective recordkeeping program. Each of the eight principles identifies issues and practices that, when evaluated against the unique needs and circumstances of an organization, can be applied to improvements for a recordkeeping program that meets recordkeeping requirements. The principles identify requirements and can be used to guide the incremental improvement in the management and governance of the creation, organization, security, maintenance, and other activities over a one- to five-year period. Fundamentally, records management and information governance are business disciplines that must be tightly integrated with operational policies, procedures, and infrastructure.
The Principles can be mapped to the four improvement areas in Table 3.2.
As an accepted industry guidance maturity model, The Principles provide a convenient and complete framework for assessing the current state of an organization's recordkeeping and developing a roadmap to identify improvements that will bring the organization into compliance. An assessment/analysis of the current record management practices, procedures, and capabilities, together with current and future state practices, provides two ways of looking at the future requirements of a complete RM program (see Table 3.3).
Table 3.2 Improvement Areas for Generally Accepted Recordkeeping Principles

| Improvement Area | Accountability | Transparency | Integrity | Protection | Compliance | Availability | Retention | Disposition |
|---|---|---|---|---|---|---|---|---|
| Roles and responsibilities | ◊ | ◊ | ◊ | | | | | |
| Policies and procedures | ◊ | ◊ | ◊ | ◊ | ◊ | ◊ | ◊ | ◊ |
| Communication and training | ◊ | ◊ | ◊ | ◊ | ◊ | | | |
| Systems and automation | ◊ | ◊ | ◊ | ◊ | ◊ | ◊ | | |
Table 3.3 Assessment Report and Roadmap

| Principle | Level | Findings | Requirements to Move to the Next Step |
|---|---|---|---|
| Accountability | Level 1 Substandard | | |
| Transparency | Level 1 Substandard | | |
| Integrity | Level 1 Substandard | | |
| Protection | Level 1 Substandard | | |
| Compliance | Level 3 Essential | | |
| Availability | Level 2 In Development | | |
| Retention | Level 2 In Development | | |
| Disposition | Level 2 In Development | | |
| Overall | Level 1 Substandard | | |
The information security aspects of your IG program should be guided by established principles.
The Principle of Least Privilege (POLP) is an important cybersecurity maxim that means users should only be given the bare minimum permissions and information needed to do their job.5 Under POLP, users are given access only to the files needed to perform their job function. POLP should be used to control who has access to which information, on which devices, and when.
The CIA triad (sometimes referred to as the AIC triad to avoid confusion with the US government spy agency) depicts the three “most crucial components” of information security.6
Confidentiality (roughly equivalent to Generally Accepted Recordkeeping Principle® #4, Protection) means that access to private and sensitive information is tightly controlled so that only authorized personnel have access to it. Integrity (the same as GAR Principle® #3) means that information has a reasonable assurance of being accurate, reliable, and trusted throughout its lifecycle. Availability (the same as GAR Principle® #6) is the concept that information can be reliably and consistently accessed and retrieved by authorized employees, which requires that software patches and updates are implemented in a timely way, and that hardware is maintained regularly.
The Generally Accepted Privacy Principles (GAPP) were developed jointly by the Canadian Institute of Chartered Accountants (CICA) and the American Institute of Certified Public Accountants (AICPA) through the AICPA/CICA Privacy Task Force. These principles can be used to guide the privacy aspects of an IG program. The field of information privacy is rapidly changing, and the International Association of Privacy Professionals (IAPP) is quite active globally with conferences, workshops, and training. IAPP's membership exploded in 2017–2018, when GDPR came into effect. Nevertheless, the 10 Generally Accepted Privacy Principles have been accepted by the privacy profession. The 10 Generally Accepted Privacy Principles and their criteria are:7
1. Management
   - The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
   - Criteria:
     - Privacy policies define and document all 10 GAPP.
     - Review and approval of changes to privacy policies are conducted by management.
     - A risk assessment process is in place to establish a risk baseline and regularly identify new or changing risks to personal data.
     - Infrastructure and systems management take into consideration impacts on personal privacy.
     - Privacy awareness training
2. Notice
   - The organization provides notice of its privacy policies and procedures. The organization identifies the purposes for which personal information is collected, used, and retained.
   - Criteria:
     - Communication to individuals
     - Provision of notice
     - Use of clear and conspicuous language
3. Choice and consent
   - The organization describes the choices available to the individual. The organization secures implicit or explicit consent regarding the collection, use, and disclosure of the personal data.
   - Criteria:
     - Communicating the consequences of denying/withdrawing consent
     - Consent for new purposes/uses of the personal data
     - Explicit consent for sensitive data
     - Consent for online data transfer
4. Collection
   - Personal information is only collected for the purposes identified in the notice (see #2).
   - Criteria:
     - Document and describe the types of information collected and the methods of collection
     - Collection of information by fair and lawful means, including collection from third parties
     - Inform individuals if information is developed or additional information is acquired
5. Use, retention, and disposal
   - The use of personal information is limited to the purposes identified in the notice the individual consented to. The organization retains the personal information only for as long as needed to fulfill the purposes, or as required by law. After this period, the information is disposed of appropriately.
   - Criteria:
     - Systems and procedures are in place to ensure personal information is used, retained, and disposed of appropriately
6. Access
   - The organization provides individuals with access to their personal information for review or update.
   - Criteria:
     - Confirmation of the individual's identity before access is given to personal information
     - Personal information presented in an understandable format
     - Access provided in a reasonable time frame and at a reasonable cost
     - Statement of disagreement; the reason for denial should be explained to individuals in writing
7. Disclosure to third parties
   - Personal information is disclosed to third parties only for the identified purposes and with the implicit or explicit consent of the individual.
   - Criteria:
     - Communication with third parties should be made known to the individual.
     - Information should only be disclosed to third parties that have equivalent agreements to protect personal information.
     - Individuals should be aware of any new uses/purposes for the information.
     - The organization should take remedial action in response to misuse of personal information by a third party.
8. Security for privacy
   - Personal information is protected against both physical and logical unauthorized access.
   - Criteria:
     - Privacy policies must address the security of personal information.
     - Information security programs must include administrative, technical, and physical safeguards.
     - Logical access controls in place
     - Restrictions on physical access
     - Environmental safeguards
     - Personal information is protected when being transmitted (e.g., mail, Internet, public, or other nonsecure networks).
     - Security safeguards should be tested for effectiveness at least once annually.
9. Quality
   - The organization maintains accurate, complete, and relevant personal information that is necessary for the purposes identified.
   - Criteria:
     - Personal information should be relevant for the purposes for which it is being used.
10. Monitoring and enforcement
    - The organization monitors compliance with its privacy policies and procedures. It also has procedures in place to address privacy-related complaints and disputes.
    - Criteria:
      - Individuals should be informed on how to contact the organization with inquiries, complaints, and disputes.
      - A formal process is in place for inquiries, complaints, or disputes.
      - Each complaint is addressed and the resolution is documented for the individual.
      - Compliance with privacy policies, procedures, commitments, and legislation is reviewed, documented, and reported to management.
Source: American Institute of Certified Public Accountants, https://www.aicpa.org/InterestAreas/InformationTechnology/Resources/PRIVACY/DownloadableDocuments/10252-346_Records%20Management-PRO.pdf.
These 10 privacy principles can be applied by organizations to establish and maintain the privacy aspects of their IG programs.
Utilizing the various sets of complementary IG principles to educate stakeholders and guide the IG program will help keep the scope of the program focused, by providing guidelines that keep it on track and help assure its success.
When forming an IG steering committee or board, it is essential to include representatives from cross-functional groups, and at differing levels of the organization. It must be driven by an executive sponsor (see later chapter on securing and managing executive sponsorship), and include active members from key business units, as well as other departments or functions including privacy, cybersecurity, IT, legal, risk management, compliance, records management, and possibly finance. Then, corporate training/education and communications must be involved to keep employees trained and current on IG policies. This function may be performed by an outside consulting firm if there is no corporate education staff.
Knowledge workers, those who work with records and sensitive information in any capacity, best understand the nature and value of the records they work with as they perform their day-to-day functions. IG policies must be developed and also communicated clearly and consistently. Policies are worthless if people do not know or understand them, or how to comply. And training is a crucial element that will be examined in any compliance hearing or litigation that may arise. “Did senior management not only create the policies, but provide adequate training on them, on a consistent basis?” This will be a key question raised. For these reasons, a training plan is a necessary piece of IG, and education should be heavily emphasized.8
The need for IG is increasing due to increased and tightened regulations, increased litigation, increased data volumes, and the increased incidence of theft and misuse of internal documents and records. Organizations that do not have active IG programs should reevaluate IG policies and their internal processes following any major loss of records, the inability to produce accurate records in a timely manner, or any document security breach or theft. If IG teams include a broad cross-section of critical players on the IG committee, and strong executive sponsorship, they will be better preparing the organization for legal and regulatory rigors, as well as unlocking new value in their information.