To develop overarching information governance (IG) policies, you must inform and frame them with established principles, models, internal and external frameworks, best practices, and standards—those that apply to your organization and the scope of its planned IG program. Best practices within your industry segment are the most relevant, and there may be some that have been established within your organization that can be leveraged.
Your IG policy framework will actually be a collection of linked and consistent policies across multiple areas of the organization.
In this chapter, we first present and discuss key IG frameworks and models and then identify key standards for consideration.
In Chapter 3, we introduced the Sedona Conference IG principles. These can help steer your program and educate program stakeholders, especially in the early stages. A good exercise is to take the 11 principles and have a group rewrite them in their own words, referencing the organization's business objectives and scenario.
The Sedona IG principles state that IG programs should look at information as an organization-wide asset with associated risks that must be managed, while finding value; should maintain independence; should include all information stakeholders; must have an assessment to form strategic objectives; should have the resources and accountability to ensure a reasonable chance at success; must include defensible disposition; should act in good faith in reconciling varying laws and obligations; must preserve long-term digital assets; should leverage new technologies; and should be reviewed periodically to ensure needs and objectives are being met. These principles are quite useful in guiding policy development in IG programs. To review The Sedona Conference Commentary on IG in more detail, please refer to Chapter 3.
In Chapter 3, we also introduced and discussed ARMA International's eight Generally Accepted Recordkeeping Principles, known as the Principles1 (or sometimes as GAR Principles). These Principles and associated metrics provide a framework, particularly applied to records management processes, that can support continuous improvement.
To review, the eight Principles are:
The Principles establish benchmarks for how organizations of all types and sizes can build and sustain compliant, legally defensible records management (RM) programs. Using the maturity model (also presented in Chapter 3), organizations can assess where they are in terms of records management maturity, identify gaps, and take steps to improve across the eight areas the Principles cover.
Although the author and advocate of The Principles, ARMA International, promotes them as IG principles, they were, in fact, designed as the Generally Accepted Recordkeeping Principles®, and are best applied as such.
In late 2012, with the support and collaboration of ARMA International and the Compliance, Governance and Oversight Council (CGOC), the Electronic Discovery Reference Model (EDRM) Project released version 3.0 of its Information Governance Reference Model (IGRM), which added information privacy and security “as primary functions and stakeholders in the effective governance of information.”3 These areas have grown in importance since then. The model is depicted in Figure 6.1.
The IGRM is aimed at fostering IG adoption by facilitating communication and collaboration between disparate (but overlapping) IG stakeholder functions, including information technology (IT), legal, RIM, privacy and security, and business unit stakeholders.4 It is a good tool to use in the early stages of introducing an IG program to stakeholders. The Model also aims to provide a common, practical framework for IG that will foster adoption of IG in the face of new Big Data challenges and increased legal and regulatory demands. It is a clear snapshot of where IG fundamentally “lives” and shows critical interrelationships and unified governance.5 It can help organizations to forge policy in an orchestrated way and embed critical elements of IG policy across functional groups. Ultimately, implementation of IG helps organizations leverage information value, reduce risk, and address legal demands.
The growing CGOC community (3,800-plus members and rising) has widely adopted the IGRM and developed the IG Process Maturity Model (IGPMM) that leverages IGRM v3.0, and assesses organizational IG maturity along 22 key processes.6 The IGPMM is a thorough tool for IG program assessments.
Starting from the outside of the diagram, successful information management is about conceiving a complex set of interoperable processes and implementing the procedures and structural elements to put them into practice. It requires:
For any piece of information you hope to manage, the primary stakeholder is the business user of that information [emphasis added]. We use the term “business” broadly; the same ideas apply to end users of information in organizations whose ultimate goal might not be to generate a profit.
Once the business value is established, you must also understand the legal duty attached to a piece of information. The term “legal” should also be read broadly to refer to a wide range of legal and regulatory constraints and obligations, from e-discovery and government regulation, to contractual obligations such as payment card industry requirements.
Finally, IT organizations must manage the information accordingly, ensuring privacy and security as well as appropriate retention as dictated by both business and legal or regulatory requirements.
In the center of the diagram is a workflow or life cycle diagram. We include this component in the diagram to illustrate the fact that information management is important at all stages of the information life cycle—from its creation through its ultimate disposition. This part of the diagram, once further developed, along with other secondary-level diagrams, will outline concrete, actionable steps that organizations can take in implementing information management programs.
Even the most primitive business creates information in the course of daily operations, and IT departments spring up to manage the logistics; indeed, one of the biggest challenges in modern organizations is trying to stop individuals from excess storing and securing of information. Legal stakeholders can usually mandate the preservation of what is most critical, though often at great cost. However, it takes the coordinated effort of all three groups to defensibly dispose of a piece of information that has outlived its usefulness and retain what is useful in a way that enables accessibility and usability for the business user.
The IGRM supports ARMA International's Principles by identifying the cross-functional groups of key information governance stakeholders and by depicting their intersecting objectives for the organization. This illustration of the relationship among duty, value, and the information asset demonstrates cooperation among stakeholder groups to achieve the desired level of maturity of effective information governance.
Effective IG requires a continuous and comprehensive focus. The IGRM will be used by proactive organizations as an introspective lens to facilitate visualization and discussion about how best to apply the Principles. The IGRM puts into sharp focus the Principles and provides essential context for the maturity model.
IG best practices should also be considered in policy formulation. Best practices in IG are evolving and expanding, and those that apply to organizational scenarios may vary. A best practices review should be conducted, customized for each particular organization.
In Chapter 5, we provided a list of 21 IG best practices with some detail. The IG world is maturing, and additional best practices will evolve and develop. The 21 best practices, summarized below, are fairly generic and widely applicable. Bear in mind that the best practices most applicable to your IG program are those developed within your industry, or, especially, within your organization:
There are two general types of standards: de jure and de facto. De jure (“the law”) standards are those published by recognized standards-setting bodies, such as the International Organization for Standardization (ISO), American National Standards Institute (ANSI), National Institute of Standards and Technology (NIST; most people know it only by its acronym and not by what the acronym stands for), British Standards Institute (BSI), Standards Council of Canada, and Standards Australia. Standards promulgated by authorities such as these have the formal status of standards.
De facto (“the fact”) standards are not formal standards but are regarded by many as if they were. They may arise through popular use (e.g., MS Windows at the business desktop in the 2001–2010 decade) or may be published by other bodies, such as the US National Archives and Records Administration (NARA) or Department of Defense (DoD) for the US military sector. They may also be published by formal standards-setting bodies without having the formal status of a “standard” (such as some technical reports published by ISO).10
Some benefits of developing and promoting standards are:
Some downside considerations are:
Next we introduce and discuss some established standards that should be researched and considered as a foundation for developing IG policy.
ISO 31000:2009 is a broad, industry-agnostic (not specific to vertical markets) risk management standard. It states “principles and generic guidelines” of risk management that can be applied to not only IG but also to a wide range of organizational activities and processes throughout the life of an organization.13 It provides a structured framework within which to develop and implement risk management strategies and programs. ISO 31000 defines a risk management framework as a set of two basic components that “support and sustain risk management throughout an organization.”14 The stated components are: foundations, which are high level and include risk management policy, objectives, and executive edicts; and organizational arrangements, which are more specific and actionable including strategic plans, roles and responsibilities, allocated budget, and business processes that are directed toward managing an organization's risk.
Additional risk management standards may be relevant to your organization's IG policy development efforts, depending on your focus, scope, corporate culture, and demands of your IG program executive sponsor.
ISO/TR 18128:2014 is a risk assessment standard for records processes and systems.15 It can be used to assist organizations in assessing risks to records processes and systems so they can ensure records continue to meet identified business needs as long as required. It presents a method for analyzing and documenting risks related to records processes and their effects. The standard can be used to guide records risk assessments in all types and sizes of organizations.
ISO/IEC 27001:2013 is an information security management system (ISMS) standard that provides guidance in the development of security controls to safeguard information assets. Like ISO 31000, the standard is applicable to all types of organizations, irrespective of vertical industry.16 It “specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system within the context of the organization's overall business risks.” ISO/IEC 27001 is flexible enough to be applied to a variety of activities and processes when evaluating and managing information security risks, requirements, and objectives, and compliance with applicable legal and regulatory requirements. This includes use of the standard's guidance by internal and external auditors as well as internal and external stakeholders (including customers and potential customers).
ISO/IEC 27002:2013, “Information Technology—Security Techniques—Code of Practice for Information Security”17:
establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization and is identical to the previously published standard, ISO 17799. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 27002:2013 contains best practices of control objectives and controls in the following areas of information security management:
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development, and maintenance
- Information security incident management
- Business continuity management
- Compliance
The control objectives and controls in ISO/IEC 27002:2013 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 27002:2013 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in interorganizational activities.
ISO/IEC 38500:2008 is an international standard that provides high-level principles and guidance for senior executives and directors, and those advising them, for the effective and efficient use of IT.18 Based primarily on AS 8015, the Australian IT governance standard, it “applies to the governance of management processes” that are performed at the IT service level, but the guidance assists executives in monitoring IT and ethically discharging their duties with respect to legal and regulatory compliance of IT activities.
The ISO 38500 standard comprises three main sections:
- Scope, Application and Objectives
- Framework for Good Corporate Governance of IT
- Guidance for Corporate Governance of IT
It is largely derived from AS 8015, the guiding principles of which were:
- Establish responsibilities
- Plan to best support the organization
- Acquire validly
- Ensure performance when required
- Ensure conformance with rules
- Ensure respect for human factors
The standard also has relationships with other major ISO standards, and embraces the same methods and approaches. It is certain to have a major impact upon the IT governance landscape.19
ISO 15489-1:2016 is the international standard for RM. It identifies the elements of RM and provides a framework and high-level overview of RM core principles. RM is defined as the “field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records.”20
The second part of the standard, ISO 15489-2:2001, contains the technical specifications and a methodology for implementing the standard, originally based on early standards work in Australia (Design and Implementation of Recordkeeping Systems—DIRKS). (Note: Although still actively used in Australian states, the National Archives of Australia has not recommended use of DIRKS by Australian national agencies since 2007 and has removed DIRKS from its website.21)
The ISO 15489 standard makes little mention of electronic records, as it is written to address all kinds of records; nonetheless it was widely viewed as the definitive framework of what RM means.
In 2008, the International Council on Archives (ICA) formed a multinational team of experts to develop “Principles and Functional Requirements for Records in Electronic Office Environments,” commonly referred to as ICA-Req.22 The project was cosponsored by the Australasian Digital Recordkeeping Initiative (ADRI), which was undertaken by the Council of Australasian Archives and Records Authorities, which “comprises the heads of the government archives authorities of the Commonwealth of Australia, New Zealand, and each of the Australian States and Territories.”23 The National Archives of Australia presented a training and guidance manual to assist in implementing the principles at the 2012 International Congress on Archives Congress in Brisbane, Australia.
In Module 1 of ICA-Req, principles are presented in a high-level overview; Module 2 contains specifications for electronic document and records management systems (EDRMS) that are “globally harmonized”; and Module 3 contains a requirements set and “implementation advice for managing records in business systems.”24 Module 3 recognizes that digital record keeping does not have to be limited to the EDRMS paradigm—the insight that has now been picked up by “Modular Requirements for Records Systems” (MoReq2010, the European standard released in 2011).25
Parts 1 to 3 of ISO 16175 were fully adopted in 2010–2011 based on the ICA-Req standard. The standard may be purchased at www.ISO.org, and additional information on the Australian initiative may be found at www.adri.gov.au/.
ISO 16175 is guidance, not a standard that can be tested and certified against. This is the criticism leveled by advocates of testable, certifiable standards for e-records management, such as U.S. DoD 5015.2 and the European standard, MoReq2010.
In November 2011, ISO issued new standards for ERM, the first two in the ISO 30300 series, which are based on a managerial point of view and targeted at a management-level audience rather than at records managers or technical staff:
The standards apply to management systems for records (MSR), a term that, as of this printing, is not typically used to refer to ERM or RM application [RMA] software in the United States or Europe and is not commonly found in ERM research or literature.
The ISO 30300 series is a systematic approach to the creation and management of records that is “aligned with organizational objectives and strategies.”26
ISO 30300 MSR, Fundamentals and Vocabulary, explains the rationale behind the creation of an MSR and the guiding principles for its successful implementation. It provides the terminology that ensures that it is compatible with other management systems standards.
ISO 30301 MSR, Requirements, specifies the requirements necessary to develop a records policy. It also sets objectives and targets for an organization to implement systemic improvements. This is achieved through designing records processes and systems; estimating the appropriate allocation of resources; and establishing benchmarks to monitor, measure, and evaluate outcomes. These steps help to ensure that corrective action can be taken and continuous improvements are built into the system in order to support an organization in achieving its mandate, mission, strategy, and goals.27
Additional standards related to digital records include:
For great detail on national and regional standards related to ERM, see the book Managing Electronic Records: Methods, Best Practices, and Technologies (John Wiley & Sons, 2013) by Robert F. Smallwood. Following is a short summary.
The US Department of Defense standard DoD 5015.2, Design Criteria Standard for Electronic Records Management Software Applications, was established in 1997 and was endorsed in the past by the leading archival authority, the US National Archives and Records Administration (NARA). A dated standard, reportedly being updated, it no longer has the impact that it did a decade ago. In fact, NARA did not require adherence to it in a major RM software RFP in the 2015–2016 timeframe. The DoD doesn't even adhere to it. It requires a central repository, which is a dated approach (managing records in-place has become de rigueur), and it has little relevance to RM requirements in other market sectors such as health care and finance, whereas the European ERM standard MoReq2010 does.
There is a testing regime that certifies software vendors on DoD 5015.2 that is administered by JITC. JITC “builds test case procedures, writes detailed and summary final reports on 5015.2-certified products, and performs on-site inspection of software.”28 The DoD standard was built for the defense sector, and logically “reflects its government and archives roots.”
Since its endorsement by NARA, the standard has been the key requirement for ERM system vendors to meet, not only in US public sector bids, but also in the commercial sector.
The 5015.2 standard has since been updated and expanded, in 2002 and 2007, to include requirements for metadata, e-signatures, and Privacy and Freedom of Information Act requirements, and was scheduled for update by 2013, although that process did not begin until the 2017–2018 timeframe.
The National Standards of Canada for electronic records management are: (1) Electronic Records as Documentary Evidence CAN/CGSB-72.34-2017 (“72.34”), published in March 2017. Updates include:
The Canada Revenue Agency has adopted these standards as applicable to records concerning taxation.30
Standard 72.34 deals with these topics: (1) management authorization and accountability; (2) documentation of procedures used to manage records; (3) “reliability testing” of electronic records according to existing legal rules; (4) the procedures manual and the chief records officer; (5) readiness to produce (the “prime directive”); (6) records recorded and stored in accordance with “the usual and ordinary course of business” and “system integrity,” being key phrases from the Evidence Acts in Canada; (7) retention and disposal of electronic records; (8) backup and records system recovery; and (9) security and protection. From these standards practitioners have derived many specific tests for auditing, establishing, and revising electronic records management systems.31
The “prime directive” of these standards states: “An organization shall always be prepared to produce its records as evidence.”32 The duty to establish the “prime directive” falls upon senior management:33
Standard 5.4.3 Senior management, the organization's own internal law-making authority, proclaims throughout the organization the integrity of the organization's records system (and, therefore, the integrity of its electronic records) by establishing and declaring:
Being the “dominant principle” of an organization's electronic records management system, the duty to maintain compliance with the “prime directive” should fall upon its senior management.
Because an electronic record is completely dependent upon its ERM system for everything, compliance with these National Standards and their “prime directive” should be part of the determination of the “admissibility” (acceptability) of evidence and of electronic discovery in court proceedings (litigation) and in regulatory tribunal proceedings.34
There are 14 legal jurisdictions in Canada: 10 provinces, 3 territories, and the federal jurisdiction of the Government of Canada. Each has an Evidence Act (the Civil Code in the province of Quebec35), which applies to legal proceedings within its legislative jurisdiction. For example, criminal law and patents and copyrights are within federal legislative jurisdiction, and most civil litigation comes within provincial legislative jurisdiction.36
The admissibility of records as evidence is determined under the “business record” provisions of the Evidence Acts.37 They require proof that a record was made “in the usual and ordinary course of business,” and of “the circumstances of the making of the record.” In addition, to obtain admissibility for electronic records, most of the Evidence Acts contain electronic record provisions, which state that an electronic record is admissible as evidence on proof of the “integrity of the electronic record system in which the data was recorded or stored.”38 This is the “system integrity” test for the admissibility of electronic records. The word “integrity” has yet to be defined by the courts.39
However, by way of sections such as the following, the electronic record provisions of the Evidence Acts make reference to the use of standards such as the National Standards of Canada:
For the purpose of determining under any rule of law whether an electronic record is admissible, evidence may be presented in respect of any standard, procedure, usage or practice on how electronic records are to be recorded or stored, having regard to the type of business or endeavour that used, recorded, or stored the electronic record and the nature and purpose of the electronic record.40
In the United Kingdom, The National Archives (TNA) (formerly the Public Record Office, or PRO) “has published two sets of functional requirements to promote the development of the electronic records management software market (1999 and 2002).” It ran a program to evaluate products against the 2002 requirements.41 Initially these requirements were established in collaboration with the central government, and they later were utilized by the public sector in general, and also in other nations. The National Archives 2002 requirements remain somewhat relevant, although no additional development has been underway for years. It is clear that the second version of Model Requirements for Management of Electronic Records, MoReq2, largely supplanted the UK standard, and subsequently the newer MoReq2010 further supplants the UK standard.
MoReq2010 “unbundled” some of the core requirements in MoReq2, and sets out functional requirements in modules. The approach seeks to permit the later creation of e-records software standards in various vertical industries, such as defense, health care, financial services, and legal services.
MoReq2010 is available free—all 500-plus pages of it (by comparison, the U.S. DoD 5015.2 standard is less than 120 pages long). For more information on MoReq2010, visit https://www.moreq.info/. The entire specification may be downloaded from https://www.moreq.info/specification.
In November 2010, the DLM Forum, a European Commission supported body, announced the availability of the final draft of the MoReq2010 specification for electronic records management systems (ERMS), following extensive public consultation. The final specification was published in mid-2011.42
The DLM Forum explains that “With the growing demand for [electronic] records management, across a broad spectrum of commercial, not-for-profit, and government organizations, MoReq2010 provides the first practical specification against which all organizations can take control of their corporate information. IT software and services vendors are also able to have their products tested and certified that they meet the MoReq2010 specification.”43
MoReq2010 supersedes its predecessor MoReq2 and has the continued support and backing of the European Commission.
Australia has adopted all three parts of ISO 16175 as its e-records management standard.44 (For more detail on this standard, go to ISO.org.)
Australia has long led the introduction of highly automated electronic document management systems and records management standards. Following the approval and release of the AS 4390 standard in 1996, the international records management community began work on the development of an international standard. This work used AS 4390-1996 Records Management as its starting point.
In 2002 Standards Australia published a new Australian Standard on records management, AS ISO 15489, based on the ISO 15489 international records management standard. It differs only in its preface verbiage.45 AS ISO 15489 carries through all these main components of AS 4390, but internationalizes the concepts and brings them up to date. The standards thereby codify Australian best practice but are also progressive in their recommendations.
The Australian Government Recordkeeping Metadata Standard Version 2.0 provides guidance on metadata elements and sub-elements for records management. It is a baseline tool that “describes information about records and the context in which they are captured and used in Australian Government agencies.” This standard is intended to help Australian agencies “meet business, accountability and archival requirements in a systematic and consistent way by maintaining reliable, meaningful and accessible records.” The standard is written in two parts, the first describing its purpose and features and the second outlining the specific metadata elements and subelements.46
The Australian Government Locator Service, AGLS, is published as AS 5044-2010, the metadata standard to help find and exchange information online. It updates the 2002 version and includes changes made by the Dublin Core Metadata Initiative (DCMI).
Another standard, AS 5090:2003, “Work Process Analysis for Recordkeeping,” complements AS ISO 15489, and provides guidance on understanding business processes and workflow, so that recordkeeping requirements may be determined.47
Although many organizations shuffle dealing with digital preservation issues to the back burner, long-term digital preservation (LTDP) is a key area in which IG policy should be applied. LTDP methods, best practices, and standards should be applied to preserve an organization's historical and vital records (those without which it cannot operate or restart operations) and to maintain its corporate or organizational memory. The key standards that apply to LTDP are listed next.
The official standard format for preserving electronic documents is PDF/A-1, based on PDF 1.4, originally developed by Adobe. ISO 19005-1:2005, “Document Management—Electronic Document File Format for Long-Term Preservation—Part 1: Use of PDF 1.4 (PDF/A-1),” is the published specification for using PDF 1.4 for LTDP, which is applicable to e-documents that may contain not only text characters but also graphics (either raster or vector).48
ISO 14721:2012, “Space Data and Information Transfer Systems—Open Archival Information Systems—Reference Model (OAIS),” is applicable to LTDP.49 ISO 14721 “specifies a reference model for an open archival information system (OAIS). The purpose of ISO 14721 is to establish a system for archiving information, both digitalized and physical, with an organizational scheme composed of people who accept the responsibility to preserve information and make it available to a designated community.”50 The fragility of digital storage media combined with ongoing and sometimes rapid changes in computer software and hardware poses a fundamental challenge to ensuring access to trustworthy and reliable digital content over time. Eventually, every digital repository committed to long-term preservation of digital content must have a strategy to mitigate computer technology obsolescence. Toward this end, the Consultative Committee for Space Data Systems developed the OAIS reference model to support formal standards for the long-term preservation of space science data and information assets. OAIS was not designed as an implementation model.
OAIS is the lingua franca of digital preservation as the international digital preservation community has embraced it as the framework for viable and technologically sustainable digital preservation repositories. An LTDP strategy that is OAIS compliant offers the best means available today for preserving the digital heritage of all organizations, private and public. (See Chapter 17.)
ISO TR 18492 (2005), “Long-Term Preservation of Electronic Document Based Information,” provides practical methodological guidance for the long-term preservation and retrieval of authentic electronic document-based information, when the retention period exceeds the expected life of the technology (hardware and software) used to create and maintain the information assets. ISO 18492 takes note of the role of ISO 15489 but does not cover processes for the capture, classification, and disposition of authentic electronic document-based information.
ISO 16363:2012, “Space Data and Information Transfer Systems—Audit and Certification of Trustworthy Digital Repositories,” “defines a recommended practice for assessing the trustworthiness of digital repositories. It is applicable to the entire range of digital repositories.”51 It is an audit and certification standard organized into three broad categories: Organization Infrastructure, Digital Object Management, and Technical Infrastructure and Security Risk Management. ISO 16363 represents the gold standard of audit and certification for trustworthy digital repositories. (See Chapter 17.)
Of note is that newer cloud-based approaches for digital preservation greatly simplify the process of adhering to technology-neutral standards and maintaining digital records in the cloud. This new breed of services supplier provides everything from document conversion to ongoing maintenance. Five or six copies of the records are stored in different parts of the globe using major cloud providers like Microsoft and Amazon. A checksum algorithm is used to periodically scan the stored digital records for any degradation or corruption, which can then be corrected using the undamaged copies.
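The scan-and-repair cycle just described can be illustrated concretely. The following is an added example, not code from the book or from any preservation service provider: it records a fixity value (here SHA-256, an assumed choice; the book names only "a checksum algorithm") for a record at ingest, periodically compares every replica against that recorded value rather than against the other copies, and rewrites any damaged replica from an intact one. The replica names, the record content and the simulated bit flip are constructed sample data; the one case replication cannot recover from, no copy matching the recorded value, is reported as an error rather than silently accepted.

```python
"""Fixity checking and self-repair across replicated copies of a record.

Added example (not from the book or any vendor product) modelling the
checksum-scan-and-repair approach used by cloud preservation services.
All replica names, the record content and the corrupted byte are
constructed sample data.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Fixity value recorded for a record at ingest time (SHA-256 assumed)."""
    return hashlib.sha256(data).hexdigest()


def scan_replicas(replicas: Dict[str, bytes], expected: str) -> Tuple[List[str], List[str]]:
    """Return (intact, damaged) replica names.

    Each copy is compared with the fixity value recorded at ingest, not with
    the other copies, so a majority of degraded replicas cannot outvote the
    truth.
    """
    intact: List[str] = []
    damaged: List[str] = []
    for name, data in replicas.items():
        (intact if sha256_hex(data) == expected else damaged).append(name)
    return intact, damaged


def repair_replicas(replicas: Dict[str, bytes], expected: str) -> Tuple[Dict[str, bytes], List[str]]:
    """Overwrite every damaged copy with the content of an intact one.

    Returns the repaired replica set and the names that were rewritten.
    Raises RuntimeError when no copy matches the recorded fixity value,
    which is the failure mode replication alone cannot recover from.
    """
    intact, damaged = scan_replicas(replicas, expected)
    if not intact:
        raise RuntimeError("no intact copy available; record is unrecoverable")
    good = replicas[intact[0]]
    repaired = dict(replicas)
    for name in damaged:
        repaired[name] = good
    # Re-verify before trusting the repair.
    if any(sha256_hex(d) != expected for d in repaired.values()):
        raise RuntimeError("repair verification failed")
    return repaired, damaged


# Constructed sample: one record ingested into five geographically separate replicas.
RECORD = b"Board minutes 2013-04-02: motion carried; retention 10 years.\n"
RECORD_FIXITY = sha256_hex(RECORD)


def build_sample_replicas() -> Dict[str, bytes]:
    """Five copies of RECORD, one of which has suffered simulated bit rot."""
    replicas = {"replica-%d" % i: RECORD for i in range(1, 6)}
    damaged = bytearray(RECORD)
    damaged[10] ^= 0x01  # flip one bit in a single copy
    replicas["replica-3"] = bytes(damaged)
    return replicas


def demo() -> List[str]:
    """Run one scan-and-repair cycle; return the names that were rewritten."""
    replicas = build_sample_replicas()
    repaired, rewritten = repair_replicas(replicas, RECORD_FIXITY)
    intact, damaged = scan_replicas(repaired, RECORD_FIXITY)
    if damaged or len(intact) != len(replicas):
        raise RuntimeError("post-repair scan still reports damage")
    return rewritten


if __name__ == "__main__":
    print("repaired:", demo())
```

In a real repository the recorded fixity values would themselves be stored and replicated separately from the content, and the scan would be scheduled rather than run once; the point the example makes is that the comparison target is the value captured at ingest, so the scan detects silent corruption even when several replicas have degraded, and it refuses to "repair" when nothing trustworthy remains.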
ISO 22301:2012, “Societal Security—Business Continuity Management Systems—Requirements,” spells out the requirements for creating and implementing a standardized approach to business continuity management (BCM, also known as disaster recovery [DR]), in the event an organization is hit with a disaster or major business interruption.52 The guidelines can be applied to any organization regardless of vertical industry or size. The specification includes the “requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.”
The UK business continuity standard, BS25999-2, which heavily influenced the newer ISO standard, was withdrawn when ISO 22301 was released.53 The business rationale is that, with the increasing globalization of business, ISO 22301 will allow and support more consistency worldwide not only in business continuity planning and practices but will also promote common terms and help to embed various ISO management systems standards within organizations. U.S.-based ANSI, Standards Australia, Standards Singapore, and other standards bodies also contributed to the development of ISO 22301.
Benefits of ISO 22301
You must take into account your organization's corporate culture, appetite for risk, management style, and organizational goals when determining which best practices and standards should receive priority in your IG framework. However, you must step through your business rationale in discussions with your cross-functional IG team and fully document the reasons for your approach. Then you must present this approach and your draft IG framework to your key stakeholders and be able to defend your determinations while allowing for input and adjustments. Perhaps you have overlooked some key factors that your larger stakeholder group uncovers, and their input should be folded into a final draft of your IG framework.
Next, you are ready to begin developing IG policies that apply to various aspects of information use and management in specific terms. You must detail the policies you expect employees to follow when handling information on various information delivery platforms (e.g., e-mail, blogs, social media, mobile computing, cloud computing).
It is helpful at this stage to collect and review all your current policies that apply and to gather some examples of published IG policies, particularly from peer organizations and competitors (where possible). Of note: You should not just adopt another organization's policies and believe that you are done with policy making. Rather, you must enter into a deliberative process, using your IG framework for guiding principles and considering the views and needs of your cross-functional IG team. Of paramount importance is to be sure to incorporate the alignment of your organizational goals and business objectives when crafting policy.
With each policy area, be sure that you have considered the input of your stakeholders, so that they will be more willing to comply with the new policies and so that the policies do not run counter to their business needs and required business processes. Otherwise, stakeholders will skirt, avoid, or halfheartedly follow the new IG policies, and the IG program risks failure.
Once you have finalized your policies, be sure to obtain necessary approvals from your executive sponsor and key senior managers.
Policies will do nothing without people to advocate, support, and enforce them. So clear lines of authority and accountability must be drawn, and responsibilities must be assigned.
You may find it useful to develop a responsibility assignment matrix, also known as a RACI matrix, which delineates the parties who are responsible, accountable, consulted, and informed.
Overall IG program responsibility resides at the executive sponsor level, but beneath that, an IG program manager or program lead—perhaps even a formal Chief Information Governance Officer (CIGO)—should drive team members toward milestones and business objectives and should shoulder the responsibility for day-to-day program activities, including implementing and monitoring key IG policy tasks. These tasks should be approved by executive stakeholders and assigned as appropriate to an employee's functional area of expertise. For instance, the IG team member from legal may be assigned the responsibility for researching and determining legal requirements for retention of business records, perhaps working in conjunction with the IG team member from RM, who can provide additional input based on interviews with representatives from business units and additional RM research into best practices. However, it is important that the IG program team is cross-trained to improve communications and effectiveness. Essentially, key stakeholders must be able to understand the various viewpoints and “speak each other's language.”
Your IG program must contain a communications and training component, as a standard function. This is critical, as IG programs require a change management component. Your stakeholder audience must be made aware of the new policies and practices that are to be followed and how this new approach contributes toward the organization's goals and business objectives. Further, key concepts must be reinforced continually to drive cultural change at the core of the organization.
The first step in your communications plan is to identify and segment your stakeholder audiences and to customize or modify your message to the degree that is necessary to be effective. Communications to your IT team can have a more technical slant, and communications to your legal team can have some legal jargon and emphasize legal issues. The more forethought you put into crafting your communications strategy, the more effective it will be.
That is not to say that all messages must have several versions: some key concepts and goals should be emphasized in communications to all employees.
How should you communicate? The more ways you can get your IG message to your core stakeholder audiences, the more effective and lasting the message will be. So posters, newsletters, e-mail, text messages, internal blog or intranet posts, and company meetings should all be a part of the communications mix. You can even make it fun, perhaps creating an IG program mascot, or gamifying IG training to encourage healthy competition.
Remember, the IG program requires not only training but retraining, and the aim should be to create a compliance culture that is so prominent and expected that employees adopt the new practices and policies and integrate them into their daily activities. Ideally, employees will provide valuable input to help fine-tune and improve the IG program.
Training should take multiple avenues as well. Some can be classroom instruction, some online learning, and you may want to create a series of training videos. You may also want to deploy a privacy awareness training (PAT) or security awareness training (SAT) series, which is an effective way to reduce information risk on an ongoing basis. But the training effort must be consistent and ongoing to maintain high levels of IG effectiveness. Certainly, this means you will need to add to your new hire onboarding program for employees joining or transferring to your organization.
How do you know how well you are doing? You will need to develop metrics to determine the level of employee compliance, its impact on key operational areas, and progress made toward established business objectives. Relevant and valid metrics can only be developed through stakeholder consultation.
Testing and auditing the program provides an opportunity to give feedback to employees on how well they are doing and to recommend changes they may make. But having objective feedback on key metrics also will allow for your executive sponsor to see where progress has been made and where improvements need to focus.
Eventually, clear penalties for policy violations must be communicated to employees so they know the seriousness of the IG program and how important it is in helping the organization pursue its business goals and accomplish stated business objectives.