Information governance

Information governance, or IG, is the set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an enterprise level, supporting an organization's immediate and future regulatory, legal, risk, environmental and operational requirements.^[1]^[2]^[3]^[4]

IG encompasses more than traditional records management. It incorporates privacy attributes, electronic discovery requirements, storage optimization, and metadata management.

History

Records Management and Information Governance

Records management deals with the creation, retention and storage and disposition of records. A record can either be a physical, tangible object, or digital information such as a database, application data, and e-mail. The lifecycle was historically viewed as the point of creation to the eventual disposal of a record. As data generation exploded in recent decades, and regulations and compliance issues increased, traditional records management failed to keep pace. A more comprehensive platform for managing records and information became necessary to address all phases of the lifecycle, which led to the advent of information governance.^[5]

In 2003 the Department of Health in England introduced the concept of broad based information governance into the National Health Service, publishing version 1 of an online performance assessment tool with supporting guidance. The NHS IG Toolkit^[6] is now used by over 30,000 NHS and partner organisations, supported by an e-learning platform with some 650,000 users.

In 2008, ARMA International introduced the Generally Accepted Recordkeeping Principles®, or "The Principles" ^[7] and the subsequent "The Principles" Information Governance Maturity Model.^[8] "The Principles" identify the critical hallmarks of information governance. As such, they apply to all sizes of organizations, in all types of industries, and in both the private and public sectors. Multi-national organizations can also use "The Principles" to establish consistent practices across a variety of business units. ARMA International recognized that a clear statement of "Generally Accepted Recordkeeping Principles®" ("The Principles") would guide:

CEOs in determining how to protect their organizations in the use of information assets;
Legislators in crafting legislation meant to hold organizations accountable; and
Records management professionals in designing comprehensive and effective records management programs.

Information governance goes beyond retention and disposition to include privacy, access controls, and other compliance issues. In electronic discovery, or e-discovery, electronically stored information is searched for relevant data by attorneys and placed on legal hold. IG includes consideration of how this data is held and controlled for e-discovery, and also provides a platform for defensible disposition and compliance. Additionally, metadata often accompanies electronically stored data and can be of great value to the enterprise if stored and managed correctly.^[9]

In 2011, the Electronic Discovery Reference Model (EDRM) — in collaboration with ARMA International — published a white paper that describes How the Information Governance Reference Model (IGRM) Complements ARMA International’s Generally Accepted Recordkeeping Principles ("The Principles") ^[10] The IGRM illustrates the relationship between key stakeholders and the Information Lifecycle and highlights the transparency required to enable effective governance. IGRM v3.0 Update: Privacy & Security Officers As Stakeholders

With all of these additional considerations that go beyond traditional records management, IG emerged as a platform for organizations to define policies at the enterprise level, across multiple jurisdictions. IG then also provides for the enforcement of these policies into the various repositories of information, data, and records.

Organizational structure

In the past, records managers owned records management, perhaps within a compliance department at an enterprise. In order to address the broader issues surrounding records management, several other key stakeholders must be involved. Legal, IT, and Compliance tend to be the departments that touch information governance the most, though certainly other departments might seek representation. Many enterprises create information governance committees to ensure that all necessary constituents are represented and that all relevant issues are addressed.^[11]

Tools

To address retention and disposition, Records Management and Enterprise Content Management applications were developed. Sometimes detached search engines or homegrown policy definition tools were created. These were often employed at a departmental or divisional level; rarely were tools used across the enterprise. While these tools were used to define policies, they lacked the ability to enforce those policies. Monitoring for compliance with policies was increasingly challenging.

Because information governance addresses so much more than traditional records management, several software solutions have emerged to include the vast array of issues facing records managers. Some of these vendors include Symantec's Clearwell and Enterprise Vault, Collibra, Open Text Corporation, RSD, HP’s Autonomy, EMC Corporation, IBM, Nuix, Feith Systems' RMA iQ, and Active Navigation.

One of the most widely used tools is the NHS Information Governance Toolkit used by over 30,000 organisations in England.

Laws and Regulations

Key to IG are the regulations and laws that help to define corporate policies. Some of these regulations include:

The Foreign Account Tax Compliance Act, or FATCA ^[12]
Payment Card Industry Data Security Standard, or PCI Compliance ^[13]

Guidelines

MoReq2 ^[14]
MoReq2010 ^[15]
DoD 5015.2, or Design Criteria Standard for Electronic Records Management Software Applications ^[16]

References

^ Gartner definition
^ http://www.rsd.com/en/products/rsd-glass RSD information governance definition
^ IBM Survey Report
^ [Kooper, M., Maes, R., and Roos Lindgreen, E. (2011). On the governance of information: Introducing a new concept of governance to support the management of information. International Journal of Information Management, 31(3), 195-200]
^ http://www.arma.org/pdf/WhatIsRIM.pdf
^ http://www.igt.connectingforhealth.NHS.uk/
^ http://www.arma.org/garp
^ http://www.arma.org/garp/metrics.cfm
^ http://www.arma.org/erecords/index.cfm
^ White Paper (2011). Ledergerber, Marcus (ed.). How the Information Governance Reference Model (IGRM)Complements ARMA International’s Generally Accepted Recordkeeping Principles) (PDF). EDRM and ARMA International. p. 15.
^ ALM IG Overview
^ http://www.irs.gov/businesses/corporations/article/0,,id=236667,00.html
^ https://www.pcisecuritystandards.org/
^ http://www.moreq2.eu/
^ http://moreq2010.eu/
^ http://www.archives.gov/records-mgmt/initiatives/dod-standard-5015-2.html

External links

[1] Gartner definition

[2] ttp://www.rsd.com/en/products/rsd-glass RSD information governance definition

[3] IBM Survey Report

[4] [Kooper, M., Maes, R., and Roos Lindgreen, E. (2011). On the governance of information: Introducing a new concept of governance to support the management of information. International Journal of Information Management, 31(3), 195-200]

[5] ttp://www.arma.org/pdf/WhatIsRIM.pdf

[6] ttp://www.igt.connectingforhealth.NHS.uk/

[7] ttp://www.arma.org/garp

[8] ttp://www.arma.org/garp/metrics.cfm

[9] ttp://www.arma.org/erecords/index.cfm

[10] White Paper (2011). Ledergerber, Marcus (ed.). How the Information Governance Reference Model (IGRM)Complements ARMA International’s Generally Accepted Recordkeeping Principles) (PDF). EDRM and ARMA International. p. 15.

[11] ALM IG Overview

[12] ttp://www.irs.gov/businesses/corporations/article/0,,id=236667,00.html

[13] ttps://www.pcisecuritystandards.org/

[14] ttp://www.moreq2.eu/

[15] ttp://moreq2010.eu/

[16] ttp://www.archives.gov/records-mgmt/initiatives/dod-standard-5015-2.html

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]