Information Governance: Concepts, Strategies, and Best Practices

The first comprehensive approach to Information Governance By now, everyone knows that information can be enormously valuable, but how is that value affected by the huge costs involved in storing and maintaining it? How can organizations separate the irrelevant sludge of information from the real data goldmines? Crucially, how can information be kept, stored, secured, accessed, and when necessary, destroyed in a way that is consistent with legal requirements? Information Governance provides answers to these questions and many more. From broad concepts to the nuts and bolts of implementation, this book is an essential first step in any successful IG program. Information Governance is for CIOs, legal advisors, governance and compliance professionals, records managers, and anyone who is involved in managing content and information at an enterprise level. The field of IG is about more than just transferring traditional records management strategies to new technologies. Readers will learn about: The key components of a successful IG program Risk assessment for information governance Developing and implementing internal IG policies Legally defensible disposal of unneeded data Appraising the value of existing records and documents Electronic document security (EDS) technologies and policies IG for social media, e–mail, mobile devices, and e–records Privacy considerations and regulations With a career of over 25 years in information management concentrating in electronic document technologies, noted authority Robert Smallwood has developed an expert approach to IG that is an important element of long–term program success. Information Governance provides the strategies that organizations need to get and stay ahead in a world of Big Data and increasing compliance and legal demands. Information Governance features major contributions from the following experts in the field: Lori J. Ashley, Barbara Blackburn, CRM, Barclay T. Blair, Charmaine Brooks, CRM, Charles M. Dollar, Patricia Franks, Ph.D., CRM, Randolph Kahn, Esq., Barry Murphy, Monica Crocker, CIP, CRM, PMP

PREFACE xv ACKNOWLEDGMENTS xvii PART ONE—Information Governance Concepts, Definitions, and Principles 1 CHAPTER 1 The Onslaught of Big Data and the Information Governance Imperative 3 Defining Information Governance 5 IG Is Not a Project, But an Ongoing Program 7 Why IG Is Good Business 7 Failures in Information Governance 8 Form IG Policies, Then Apply Technology for Enforcement 10 Notes 12 CHAPTER 2 Information Governance, IT Governance, Data Governance: What’s the Difference? 15 Data Governance 15 IT Governance 17 Information Governance 20 Impact of a Successful IG Program 20 Summing Up the Differences 21 Notes 22 CHAPTER 3 Information Governance Principles 25 Accountability Is Key 27 Generally Accepted Recordkeeping Principles® 27 Contributed by Charmaine Brooks, CRM Assessment and Improvement Roadmap 34 Who Should Determine IG Policies? 35 Notes 38 PART TWO—Information Governance Risk Assessment and Strategic Planning 41 CHAPTER 4 Information Risk Planning and Management 43 Step 1: Survey and Determine Legal and Regulatory Applicability and Requirements 43 Step 2: Specify IG Requirements to Achieve Compliance 46 Step 3: Create a Risk Profi le 46 Step 4: Perform Risk Analysis and Assessment 48 Step 5: Develop an Information Risk Mitigation Plan 49 Step 6: Develop Metrics and Measure Results 50 Step 7: Execute Your Risk Mitigation Plan 50 Step 8: Audit the Information Risk Mitigation Program 51 Notes 51 CHAPTER 5 Strategic Planning and Best Practices for Information Governance 53 Crucial Executive Sponsor Role 54 Evolving Role of the Executive Sponsor 55 Building Your IG Team 56 Assigning IG Team Roles and Responsibilities 56 Align Your IG Plan with Organizational Strategic Plans 57 Survey and Evaluate External Factors 58 Formulating the IG Strategic Plan 65 Notes 69 CHAPTER 6 Information Governance Policy Development 71 A Brief Review of Generally Accepted Recordkeeping Principles® 71 IG Reference Model 72 Best Practices Considerations 75 Standards Considerations 76 Benefits and Risks of Standards 76 Key Standards Relevant to IG Efforts 77 Major National and Regional ERM Standards 81 Making Your Best Practices and Standards Selections to Inform Your IG Framework 87 Roles and Responsibilities 88 Program Communications and Training 89 Program Controls, Monitoring, Auditing and Enforcement 89 Notes 91 PART THREE—Information Governance Key Impact Areas Based on the IG Reference Model 95 CHAPTER 7 Business Considerations for a Successful IG Program 97 By Barclay T. Blair Changing Information Environment 97 Calculating Information Costs 99 Big Data Opportunities and Challenges 100 Full Cost Accounting for Information 101 Calculating the Cost of Owning Unstructured Information 102 The Path to Information Value 105 Challenging the Culture 107 New Information Models 107 Future State: What Will the IG–Enabled Organization Look Like? 110 Moving Forward 111 Notes 113 CHAPTER 8 Information Governance and Legal Functions 115 By Robert Smallwood with Randy Kahn, Esq., and Barry Murphy Introduction to e–Discovery: The Revised 2006 Federal Rules of Civil Procedure Changed Everything 115 Big Data Impact 117 More Details on the Revised FRCP Rules 117 Landmark E–Discovery Case: Zubulake v. UBS Warburg 119 E–Discovery Techniques 119 E–Discovery Reference Model 119 The Intersection of IG and E–Discovery 122 By Barry Murphy Building on Legal Hold Programs to Launch Defensible Disposition 125 By Barry Murphy Destructive Retention of E–Mail 126 Newer Technologies That Can Assist in E–Discovery 126 Defensible Disposal: The Only Real Way To Manage Terabytes and Petabytes 130 By Randy Kahn, Esq. Retention Policies and Schedules 137 By Robert Smallwood, edited by Paula Lederman, MLS Notes 144 CHAPTER 9 Information Governance and Records and Information Management Functions 147 Records Management Business Rationale 149 Why Is Records Management So Challenging? 150 Benefi ts of Electronic Records Management 152 Additional Intangible Benefi ts 153 Inventorying E–Records 154 Generally Accepted Recordkeeping Principles® 155 E–Records Inventory Challenges 155 Records Inventory Purposes 156 Records Inventorying Steps 157 Ensuring Adoption and Compliance of RM Policy 168 General Principles of a Retention Scheduling 169 Developing a Records Retention Schedule 170 Why Are Retention Schedules Needed? 171 What Records Do You Have to Schedule? Inventory and Classification 173 Rationale for Records Groupings 174 Records Series Identification and Classification 174 Retention of E–Mail Records 175 How Long Should You Keep Old E–Mails? 176 Destructive Retention of E–Mail 177 Legal Requirements and Compliance Research 178 Event–Based Retention Scheduling for Disposition of E–Records 179 Prerequisites for Event–Based Disposition 180 Final Disposition and Closure Criteria 181 Retaining Transitory Records 182 Implementation of the Retention Schedule and Disposal of Records 182 Ongoing Maintenance of the Retention Schedule 183 Audit to Manage Compliance with the Retention Schedule 183 Notes 186 CHAPTER 10 Information Governance and Information Technology Functions 189 Data Governance 191 Steps to Governing Data Effectively 192 Data Governance Framework 193 Information Management 194 IT Governance 196 IG Best Practices for Database Security and Compliance 202 Tying It All Together 204 Notes 205 CHAPTER 11 Information Governance and Privacy and Security Functions 207 Cyberattacks Proliferate 207 Insider Threat: Malicious or Not 208 Privacy Laws 210 Defense in Depth 212 Controlling Access Using Identity Access Management 212 Enforcing IG: Protect Files with Rules and Permissions 213 Challenge of Securing Confi dential E–Documents 213 Apply Better Technology for Better Enforcement in the Extended Enterprise 215 E–Mail Encryption 217 Secure Communications Using Record–Free E–Mail 217 Digital Signatures 218 Document Encryption 219 Data Loss Prevention (DLP) Technology 220 Missing Piece: Information Rights Management (IRM) 222 Embedded Protection 226 Hybrid Approach: Combining DLP and IRM Technologies 227 Securing Trade Secrets after Layoffs and Terminations 228 Persistently Protecting Blueprints and CAD Documents 228 Securing Internal Price Lists 229 Approaches for Securing Data Once It Leaves the Organization 230 Document Labeling 231 Document Analytics 232 Confidential Stream Messaging 233 Notes 236 PART FOUR—Information Governance for Delivery Platforms 239 CHAPTER 12 Information Governance for E–Mail and Instant Messaging 241 Employees Regularly Expose Organizations to E–Mail Risk 242 E–Mail Polices Should Be Realistic and Technology Agnostic 243 E–Record Retention: Fundamentally a Legal Issue 243 Preserve E–Mail Integrity and Admissibility with Automatic Archiving 244 Instant Messaging 247 Best Practices for Business IM Use 247 Technology to Monitor IM 249 Tips for Safer IM 249 Notes 251 CHAPTER 13 Information Governance for Social Media 253 By Patricia Franks, Ph.D, CRM, and Robert Smallwood Types of Social Media in Web 2.0 253 Additional Social Media Categories 255 Social Media in the Enterprise 256 Key Ways Social Media Is Different from E–Mail and Instant Messaging 257 Biggest Risks of Social Media 257 Legal Risks of Social Media Posts 259 Tools to Archive Social Media 261 IG Considerations for Social Media 262 Key Social Media Policy Guidelines 263 Records Management and Litigation Considerations for Social Media 264 Emerging Best Practices for Managing Social Media Records 267 Notes 269 CHAPTER 14 Information Governance for Mobile Devices 271 Current Trends in Mobile Computing 273 Security Risks of Mobile Computing 274 Securing Mobile Data 274 Mobile Device Management 275 IG for Mobile Computing 276 Building Security into Mobile Applications 277 Best Practices to Secure Mobile Applications 280 Developing Mobile Device Policies 281 Notes 283 CHAPTER 15 Information Governance for Cloud Computing 285 By Monica Crocker CRM, PMP, CIP, and Robert Smallwood Defining Cloud Computing 286 Key Characteristics of Cloud Computing 287 What Cloud Computing Really Means 288 Cloud Deployment Models 289 Security Threats with Cloud Computing 290 Benefits of the Cloud 298 Managing Documents and Records in the Cloud 299 IG Guidelines for Cloud Computing Solutions 300 Notes 301 CHAPTER 16 SharePoint Information Governance 303 By Monica Crocker, CRM, PMP, CIP, edited by Robert Smallwood Process Change, People Change 304 Where to Begin the Planning Process 306 Policy Considerations 310 Roles and Responsibilities 311 Establish Processes 312 Training Plan 313 Communication Plan 313 Note 314 PART FIVE—Long–Term Program Issues 315 CHAPTER 17 Long–Term Digital Preservation 317 By Charles M. Dollar and Lori J. Ashley Defi ning Long–Term Digital Preservation 317 Key Factors in Long–Term Digital Preservation 318 Threats to Preserving Records 320 Digital Preservation Standards 321 PREMIS Preservation Metadata Standard 328 Recommended Open Standard Technology–Neutral Formats 329 Digital Preservation Requirements 333 Long–Term Digital Preservation Capability Maturity Model® 334 Scope of the Capability Maturity Model 336 Digital Preservation Capability Performance Metrics 341 Digital Preservation Strategies and Techniques 341 Evolving Marketplace 344 Looking Forward 344 Notes 346 CHAPTER 18 Maintaining an Information Governance Program and Culture of Compliance 349 Monitoring and Accountability 349 Staffing Continuity Plan 350 Continuous Process Improvement 351 Why Continuous Improvement Is Needed 351 Notes 353 APPENDIX A Information Organization and Classification: Taxonomies and Metadata 355 By Barb Blackburn, CRM, with Robert Smallwood; edited by Seth Earley Importance of Navigation and Classification 357 When Is a New Taxonomy Needed? 358 Taxonomies Improve Search Results 358 Metadata and Taxonomy 359 Metadata Governance, Standards, and Strategies 360 Types of Metadata 362 Core Metadata Issues 363 International Metadata Standards and Guidance 364 Records Grouping Rationale 368 Business Classification Scheme, File Plans, and Taxonomy 368 Classification and Taxonomy 369 Prebuilt versus Custom Taxonomies 370 Thesaurus Use in Taxonomies 371 Taxonomy Types 371 Business Process Analysis 377 Taxonomy Testing: A Necessary Step 379 Taxonomy Maintenance 380 Social Tagging and Folksonomies 381 Notes 383 APPENDIX B Laws and Major Regulations Related to Records Management 385 United States 385 Canada 387 By Ken Chasse, J.D., LL.M. United Kingdom 389 Australia 391 Notes 394 APPENDIX C Laws and Major Regulations Related to Privacy 397 United States 397 Major Privacy Laws Worldwide, by Country 398 Notes 400 GLOSSARY 401 ABOUT THE AUTHOR 417 ABOUT THE MAJOR CONTRIBUTORS 419 INDEX 421

ROBERT F. SMALLWOOD is Partner and Executive Director of the Information Governance Institute at IMERGE Consulting. Mr. Smallwood is a widely recognized and published authority in IG, with special expertise in e–records management and e–document security. He has been quoted in the Wall Street Journal, Washington Post, New York Times, and appeared on C–SPAN, BBC, and a number of network news programs. Go to www.information–governance–training.com for IG education options.