Good information governance requires a framework. IBM defines an information governance framework as including the following eleven elements. We have tried to condense down the definitions for each category. Organizational Structures and Awareness – understanding of the need for governance and the roles required to do itStewardship – ownership of the responsibility for governance for given information assetsPolicy – the “what to do”Value Creation – Analysis of the value of the organization’s informationData Risk Management & Compliance – Risk assessment, analysis, and mitigationInformation Security & Privacy – Policies and practices for protecting informationData Architecture – Tools for creating, sharing, and managing informationData Quality Management – Methods to ensure and improve data qualityClassification & Metadata – as the name suggests. Information Lifecycle Management – Policies and processes for collecting, using, and ultimately deleting informationAudit Information, Logging & Reporting – Processes for monitoring the overall governance effort. Source: IBM, http://www.infogovcommunity.com/resources
So for this Tweet, where do any of these elements apply? It’s a personal account, so organizational structures and stewardship aren’t applicable and policy is difficult to enforce, especially in the age of the smart phone. Not a lot of value being created here – and therefore not a lot of concern with data risk management, compliance, information security, or privacy. It’s a hosted service, so not much to do with data architecture. Data quality management and metadata? As long as it’s on Twitter it’s Twitter’s problem; if it were stored locally it would depend on how it was captured to understand what metadata is even available. There certainly isn’t a ready mechanism for classifying it. It’s a pretty ephemeral Tweet from a data lifecycle management perspective – and again, Twitter controls that as long as it’s stored out there. And therefore there isn’t a lot of need for auditing and logging for this Tweet.
On the other hand this one pretty clearly needs some governance attention, at least in most jurisdictions, and offers more things to apply governance against including the stock ticker, the link, and the pricing. The date certainly becomes much more important here as well. And if this comes from an official account or one affiliated with the organization there is definitely a governance issue here. ~In other words, on the one hand governance processes and practices are certainly relevant in the social media era; on the other hand, there are some unique issues based on both the nature of particular tools and on the nature of social media more broadly that warrant some additional considerations. Over the rest of this course we will identify and explore some of those issues and considerations to provide a foundation for the rest of the Social Media Governance Certificate Program.
Consider the following types of content: ~A Facebook like; A Twitter retweet; Geolocational data provided through a service like Foursquare, perhaps with a comment about the quality of the food or service at a particular place; An edit to a wiki article; A comment to a blog post; A video, perhaps with annotation, often with comments, likes, etc.; And all the other “breadcrumbs of attention” that we leave behind as we create, consume, and share content on external sites as well as internal ones. ~All of these have metadata, and many of them have quite a lot of it. But much of this metadata is either not directly visible or accessible or isn’t germane to the way users would look for this type of content in the future. ~And many of them are quite fragmentary – the Facebook Like for example, or a conversation carried on as part of a Twitter stream or other activity stream. They tend to be even more informal and even more ephemeral compared to other types of content. Yet as we’ll see later these issues don’t eliminate the need to manage this content effectively. ~Finally, it should go without saying that volume presents an issue here. More video is uploaded to YouTube every month than the “big 3” U.S. networks (ABC, NBC, CBS) created in their first 60 years of existence combined. Facebook stores more than 100 petabytes of data and receives more than 250 million photos a day, or more than 5 billion photos a month. There simply isn’t an analogue for all but the largest enterprises and database applications.
Much of this content is being created and consumed on new types of devices. It’s not simply that the devices are mobile; we’ve had laptops for 20 years. Rather, it’s the amazing proliferation of types and sizes of devices: smart phones with more computing power than most desktop PCs 5 years ago. In fact the iPad2 would have been one of the top ten supercomputers in the country as recently as 1994. ~It’s mobile devices with digital cameras capable of capturing, annotating, and sending very high quality digital photos and video; and it’s devices with easy and inexpensive access to software tools that can be used to create and publish high-quality and compelling rich media content. ~~Source for supercomputer quote: http://www.tuaw.com/2011/05/09/ipad-2-would-have-bested-1990s-era-supercomputers/
Closely related to this is the trend towards the consumerization of IT. In the past technology innovation happened in the enterprise, then moved to small- and medium-sized organizations, and eventually made its way into consumers’ hands. But today this is turned on its head. It is in the consumer technology space where we are seeing new and interesting technology innovations – from transistor-based flash drives ten years ago to the proliferation of the devices we talked about just now. And certainly the entire social media space has been driven by end users and consumers and enterprises are only just starting to pay any attention to it. ~One more point about those devices – as of 2012 the devices employees use are often devices they purchased, and which are more powerful than what they have at work. This trend, often referred to as “bring your own device” or BYOD, is becoming a tidal wave as devices get cheaper and more powerful. And as we noted they come in a wide variety of shapes, sizes, operating systems, and configurations.~At the same time, these devices come with their own “app stores” filled with free to relatively cheap software that is available to users to download on their dime and according to their interests. ~This makes it challenging for IT to support – or prohibit – these devices and applications. Sure, IT can prevent the devices from accessing network resources, but part of the reason these devices are so prevalent lies in their ability to circumvent many IT restrictions. A user can’t get a license for project management software or design software? She can pull out her iPad2, go to the App Store, and download either or both for less than $10 each and simply route around IT. Don’t want to put these devices on the enterprise Wi-Fi? Many of them are 3G- or 4G-enabled. ~From a governance perspective the combination of BYOD and app stores means that IT needs to rethink some things around support, security, etc. IT can choose to support certain types of functionality, or restrict certain information repositories to devices that meet certain requirements, but attempting to completely restrict them is almost certainly an exercise in futility both technologically and politically. After all, how many CIOs are willing to tell the CEO that she can’t connect her tablet to the network?
Another significant difference in the way content is created today is how much of it is done by third parties. For most organizations most of their content is created internally; where there is substantial interaction with outside parties it’s often in the form of fairly standardized things like invoices, checks, and the like. ~But social media is, well, social. A wiki with one author is just Microsoft Word with a bad user interface. Social tools work when and because they provide a mechanism to interact with other content creators. In many cases this is through the same tool or page – your wiki with their edits, your Twitter stream when they include you by mention, your blog and their comments. But it’s not always so – someone could comment on your blog post with a post of their own on their own blog (and with comments at neither, one, or both).
And all of this content creation happens on a website that in all likelihood is not under your control. That is, you can set up your Facebook page, and decide whether to allow comments to your blog; but the content is stored outside the firewall in a datacenter that might not be in the same country you are. ~This has profound information governance implications. If Facebook decides to keep everything posted to it forever, disposition policies become somewhat of a moot point. On the other hand, if Facebook decides to keep content posted for only 30 days, retention becomes a critical issue. ~It also complicates the ability to demonstrate compliance with regulatory requirements and requests to produce information in response to litigation or audits – what is “native format” for Twitter? It’s *not* screenshots, at least in most jurisdictions. How do you authenticate the content outside of Twitter.com or a Twitter client? And so forth.
All of this also contributes to a blurring of professional and personal lives. Consider two cases. First, Rick Sanchez was a journalist working for CNN. As part of his professional life he developed contacts and created and developed a pretty impressive Twitter presence, @ricksanchezcnn, with some 140,000 followers at one point. He was subsequently fired, which raises some interesting governance questions: Who owns the account? It says CNN in the title, but Twitter, like most social media sites, assigns ownership of the account and all content related to it to the individual who created the account. Who owns the contacts? The individual followers can’t be forced to stop following Rick’s account (since renamed to @ricksancheznews); if this were a Facebook account could Rick be forced to stop following other people? Who owns the content? The internet doesn’t forget….~Now consider another case. An individual employee gets a smart phone paid for by the organization and is expected to be available after hours. The organization is smart and allows flexible working hours. The employee uses the smart phone to check into a bar at 11 am (but through his personal Foursquare account) and then uses his personal iPad and the bar’s Wi-Fi to log into Facebook and post some unflattering remarks about the bar, the meal, and his (unspecified) job. Some of the questions raised: Could his remarks reflect badly on the organization, or even contradict its acceptable usage policy? Is that policy applicable to any, some, or all of the content he created? If the bar decides to sue, is there any liability for the organization? And probably lots more. ~The broader point here is that as the lines between professional and personal lives continue to blur and overlap, so do many of the elements of the governane framework so carefully crafted and implemented in many organizations. It’s not always easy to tell who has the right to speak on behalf of the organization. And many commercial social media services forbid users from creating multiple accounts (such as a personal and professional account). ~Organizations have to be smart and balance the legitimate concerns of the organization with those of the individual employees and take into account how the tools actually work.
The first step many organizations take to manage Web 2.0 is to try to block them. This is unrealistic for a number of reasons.
Moving into mainstream
Roles and responsibilities are still required to manage social content in the context of the governance program – whether in the enterprise or using commercial services. Proliferation of SharePoint collaboration sites or uncoordinated Twitter accounts is no better for the organization than proliferation of file shares or content repositories. ~In other words, employees still need training on governance concerns. If using enterprise solutions IT still has to deploy and maintain them. For any business use of social media records, legal, compliance, risk, etc. should be involved. HR needs to consider how employment law affects the use of social media services for hiring – and for disciplinary actions. Senior management needs to consider how to measure the effectiveness of the organization’s usage of social media, which services best support its goals, and whether to use commercial sites or enterprise solutions.
Technology changes much faster than the law or policies can keep up with. That’s why it’s better to use a comprehensive policy that can cover new technologies as they appear.
Governance exists but needs to be tweaked. Apply what can be applied: roles & responsibilities (inc. new ones); general policy framework; training as we discuss shortlyExtrapolate from what has worked: job aids & guidelines; managing wikis instead of email for collab and the relative ease of managing wikis for compliance; use the tools appropriately (e.g. not for business if can’t manage it)Create new stuff where required: classification, declaring as record (managing in place?), etc.
The dell model we already mentioned; demographic considerations (it will be used), SM 101, how to use the tools, how to use the tools well, how to use the tools in support of the business, how to keep the business safe
Finally, there are enterprise versions of every Web 2.0 application. These enterprise versions are often available to be hosted inside the firewall, meaning that security is much more robust. Access can be secured to them much more effectively. They can be integrated into the organization’s identity infrastructure – whether Active Directory or something else – such that any change, post, comment, edit, update, etc. can all be tracked and, more importantly, tracked to a specific named user. No anonymous postings here. Of course, you have to pay for an enterprise version, but what you’re really paying for is a level of peace of mind. And you still get many of the same benefits – ease of use, familiarity with the type of tool, rapid and agile collaboration across geographical and time boundaries, etc. You’re just getting a more secure and robust version of it. [twitter]Consider implementing enterprise versions. FB is FB, but internal tools might be more appropriate.[/twitter]
At this point I’d be pleased to entertain your questions.
Government of Alberta Information Management Conference 2013 IM and Social Media
The Global Community of Information Professionals
and Social Media
Jesse Wilkins, CIP, CRM
26 November , 2013
"Despite the euphoria of Internet
enthusiasts and the hyped-up selling
palaver of some web services
providers, we remain uncertain as to
the long-run substantive benefits the
Internet will bring to businesses and
to individual users.…until the
webmeisters persuade us
otherwise, we'll hang on to our CDs
and floppies, along with the aperture
cards and other imaging artifacts that
have served our corporate and
personal purposes so cost-effectively
in the past."
1,330+ years worth of time spent every day on
1.1B Facebook users.
50% log in on any day.
300M photos uploaded per day.
Twitter and LinkedIn and Pinterest and
Google+ and Tumblr and Flickr and Instagram
and Myspace(!) and Livejournal and Orkut and
Yammer and blogs and millions of private
Information governance and social media
The social media governance framework
Using social media safely and effectively
The Global Community of Information Professionals
Information governance and social
Information governance defined
“…Specification of decision rights and an
accountability framework to encourage
desirable behavior in the
valuation, creation, storage, use, archival and
deletion of information.”
Data risk management &
Information security &
information, logging &
“A new class of company is
emerging—one that uses
collaborative Web 2.0 technologies
intensively to connect the internal
efforts of employees and to extend
the organization’s reach to
customers, partners, and suppliers.
We call this new kind of company
the networked enterprise.”
Why a governance framework?
Ensures that employees know what is
expected of them
Provides guidelines for being more effective
Reduces risk of someone posting
Addresses legal and operational concerns
The governance framework
Strategic roles and responsibilities
Groups and structures required to manage
Policy and procedures
Processes and standards for managing
Roles and responsibilities
The social media policy
Social content is just another form of content
Policy should provide a framework applicable
to most or all social media tools – and to other
DON’T write a Facebook policy, a Twitter
Identify security issues
Privacy and confidentiality
Other sensitive topics or resources
What to keep?
Determine whether social media content
needs to be kept:
Is it legally required?
Is it business-related?
Does it add value?
Is it unique?
How should it be kept?
In the native service
Archived/captured on the fly
Captured prior to publication
Social media migration
When a service shuts down
The Global Community of Information Professionals
Using Social Media
Safely and Effectively
For more information
Jesse Wilkins, CIP, CRM, IGP
Director, Research and Development
+1 (720) 232-9638 direct