Information governance

From Wikipedia, the free encyclopedia

Information governance, or IG, is the management of information at an organization. Information governance balances the use and security of information. Information governance helps with legal compliance, operational transparency, and reducing expenditures associated with legal discovery. An organization can establish a consistent and logical framework for employees to handle data through their information governance policies and procedures. These policies guide proper behavior regarding how organizations and their employees handle electronically stored information (ESI).[1][2][3]

Information governance encompasses more than traditional records management. It incorporates information security and protection, compliance, data governance, electronic discovery, risk management, privacy, data storage and archiving, knowledge management, business operations and management, audit, analytics, IT management, master data management, enterprise architecture, business intelligence, big data, data science, and finance.[4]

History

Records management

Backup media was stored in the same location as the data server.

Storing the backup media in the same location as the database creates a single point of failure, and there is a risk of business disruption in the event of a facility-level disaster.

Management should archive the backup media in a reliable, dedicated off-site location.

Records management deals with the creation, retention, storage and disposition of records. A record can be either a physical, tangible object or digital information such as a database, application data, or e-mail. The lifecycle was historically viewed as running from the point of creation to the eventual disposal of a record. As data generation exploded in recent decades, and regulations and compliance issues increased, traditional records management failed to keep pace. A more comprehensive platform for managing records and information became necessary to address all phases of the lifecycle, which led to the advent of information governance.[5]

In 2003 the Department of Health in England introduced the concept of broad-based information governance into the National Health Service, publishing version 1 of an online performance assessment tool with supporting guidance. The NHS IG Toolkit[6] is now used by over 30,000 NHS and partner organisations, supported by an e-learning platform with some 650,000 users.

In 2008, ARMA International introduced the Generally Accepted Recordkeeping Principles®, or "The Principles"[7] and the subsequent "The Principles" Information Governance Maturity Model.[8] "The Principles" identify the critical hallmarks of information governance. As such, they apply to all sizes of organizations, in all types of industries, and in both the private and public sectors. Multi-national organizations can also use "The Principles" to establish consistent practices across a variety of business units. ARMA International recognized that a clear statement of "Generally Accepted Recordkeeping Principles®" ("The Principles") would guide:

  • CEOs in determining how to protect their organizations in the use of information assets;
  • Legislators in crafting legislation meant to hold organizations accountable; and
  • Records management professionals in designing comprehensive and effective records management programs.

Information governance goes beyond retention and disposition to include privacy, access controls, and other compliance issues. In electronic discovery, or e-discovery, relevant data in the form of electronically stored information is searched for by attorneys and placed on legal hold. IG includes consideration of how this data is held and controlled for e-discovery, and also provides a platform for defensible disposition and compliance. Additionally, metadata often accompanies electronically stored data and can be of great value to the enterprise if stored and managed correctly.

With all of these additional considerations that go beyond traditional records management, IG emerged as a platform for organizations to define policies at the enterprise level, across multiple jurisdictions. IG then also provides for the enforcement of these policies into the various repositories of information, data, and records.

A coalition of organizations known as the Electronic Discovery Reference Model (EDRM), founded in 2005 to address issues related to electronic discovery and information governance, subsequently developed, as one of its projects, a resource called the Information Governance Reference Model (IGRM).[9] In 2011, EDRM, in collaboration with ARMA International, published a white paper that describes how the Information Governance Reference Model (IGRM) complements ARMA International's Generally Accepted Recordkeeping Principles ("The Principles").[10] The IGRM illustrates the relationship between key stakeholders and the information lifecycle, and highlights the transparency required to enable effective governance; the IGRM v3.0 update added privacy and security officers as stakeholders.[11]

In 2012, the Compliance, Governance and Oversight Council (CGOC) developed the Information Governance Process Maturity Model (IGPMM).[12] The model outlines 13 key processes in electronic discovery (e-discovery) and information management. Each process is described in terms of a maturity level from one to four, ranging from completely manual and ad hoc to greater degrees of process integration across functions and automation.[13] In 2017, it was updated to include an emphasis on legal, privacy, information security and cloud security issues[14] and evolving data privacy concerns, including the impact of the EU General Data Protection Regulation (GDPR).[15]

Organizational structure

In the past, records managers owned records management, perhaps within a compliance department at an enterprise. In order to address the broader issues surrounding records management, several other key stakeholders must be involved. Legal, IT, and Compliance tend to be the departments that touch information governance the most, though certainly other departments might seek representation. Many enterprises create information governance committees to ensure that all necessary constituents are represented and that all relevant issues are addressed.[16]

Tools

To address retention and disposition, Records Management and Enterprise Content Management applications were developed. Sometimes detached search engines or homegrown policy definition tools were created. These were often employed at a departmental or divisional level; rarely were tools used across the enterprise. While these tools were used to define policies, they lacked the ability to enforce those policies, so monitoring for compliance with policies became increasingly challenging. Since information governance addresses so much more than traditional records management, several software solutions have emerged to cover the vast array of issues facing records managers.

Other available tools include:

  • ARMA International Next Level Information Governance Assessment (based upon the Generally Accepted Recordkeeping Principles)
  • ARMA Generally Accepted Recordkeeping Principles[17]
  • EDRM Information Governance Reference Model[18]
  • Information Coalition Information Governance Model[19]
  • NHS Information Governance Toolkit[20]
  • CGOC Information Governance Reference Model (IGRM)[21]

Laws and regulations

Key to IG are the regulations and laws that help to define corporate policies. Some of these regulations include:

Guidelines

IT security and governance policies and procedures to meet the business requirements were not defined and documented, including:

1. IT organization structure with documented roles and responsibilities
2. IT security and operation policy
3. Backup and recovery
4. Change and incident management
5. User access management
6. Password management
7. Patch management
8. Physical and environmental security
9. Anti-virus/malware management
10. Log management
11. SOP for the toll management system
12. IT risk assessment
13. Business continuity plan

In the absence of well-defined and approved policies and procedures, there is a risk that management's intended level of protection is not clearly communicated to, or understood by, system administrators and users.

Management should define and document procedures for IT management, including version control, approval and maintenance of those procedures.

See also

References

  1. ^ "What is Information Governance? And Why is it So Hard? - Debra Logan". 11 January 2010. 
  2. ^ Lomas, Elizabeth (2010). "Information governance: information security and access within a UK context". Records Management Journal, Vol. 20, Issue 2, pp. 182-198. https://doi.org/10.1108/09565691011064322. Available to download at http://discovery.ucl.ac.uk/1543932/
  3. ^ Kooper, M., Maes, R., and Roos Lindgreen, E. (2011). "On the governance of information: Introducing a new concept of governance to support the management of information". International Journal of Information Management, 31(3), 195-200.
  4. ^ "IGI PUBLISHES 2014 ANNUAL REPORT - Information Governance Initiative". 11 August 2014. 
  5. ^ http://www.arma.org/pdf/WhatIsRIM.pdf
  6. ^ "Home". 
  7. ^ "Generally Accepted Recordkeeping Principles". 
  8. ^ http://www.arma.org/principles/metrics.cfm
  9. ^ EDRM. "About EDRM". Retrieved 2015-01-21. 
  10. ^ White Paper (2011). Ledergerber, Marcus, ed. How the Information Governance Reference Model (IGRM) Complements ARMA International's Generally Accepted Recordkeeping Principles (PDF). EDRM and ARMA International. p. 15.
  11. ^ IGRM v3.0 Update: Privacy & Security Officers As Stakeholders
  12. ^ "New IGPMM Essential in Confronting Data Challenges - Corporate Compliance Insights". Corporate Compliance Insights. 2017-03-03. Retrieved 2018-07-12. 
  13. ^ "Using the IGRM Model". www.edrm.net. Retrieved 2018-07-12. 
  14. ^ "Hospitals, Health Plans Should Treat Information as a Prime Asset | HFMA". www.hfma.org. Retrieved 2018-07-12. 
  15. ^ "New IGPMM Essential in Confronting Data Challenges - Corporate Compliance Insights". Corporate Compliance Insights. 2017-03-03. Retrieved 2018-07-12. 
  16. ^ "From the Experts: Information Governance and Its Impact on Litigation". 
  17. ^ ARMA International, "The Principles", ARMA International
  18. ^ EDRM, "Information Governance Reference Model", EDRM
  19. ^ Information Coalition, "The Information Governance Model", Information Coalition
  20. ^ NHS, "NHS Information Governance Toolkit", NHS
  21. ^ "CGOC: Information Governance Process Maturity Model". CGOC - Compliance, Governance and Oversight Council. Retrieved 2017-08-08. 
  22. ^ "Foreign Account Tax Compliance Act". 
  23. ^ "Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards". 
  24. ^ "Health Information Privacy". 26 August 2015. 
  25. ^ "S.900 - Gramm-Leach-Bliley Act". 
  26. ^ "Sarbanes–Oxley Act of 2002" (PDF). 
  27. ^ "Home - MoReq2". 
  28. ^ "Account Suspended". Archived from the original on 2012-02-23. 
  29. ^ "ISO 15489-1:2001 - Information and documentation -- Records management -- Part 1: General". 
  30. ^ "DoD Standard 5015.2". 

External links