Chapter 6
Information Governance Policy Development
Dr. Sandra J. Reeves
ITS 833 – INFORMATION GOVERNANCE
[email protected] J. Reeves 2018

CHAPTER GOALS AND OBJECTIVES
Know the 8 Generally Accepted Recordkeeping Principles®
What is the IG Reference Model?
What does the IGRM Diagram consist of?
What are the best practice considerations?
What are the benefits and risks of having standards?
What are the key standards relevant to IG?
A Review of the 8 Generally Accepted Recordkeeping Principles®
Accountability
Transparency
Integrity
Protection
Compliance
Availability
Retention
Disposition
So…what is the significance of these principles?
IG REFERENCE MODEL
Who?
ARMA International & CGOC
When?
2012
Where?
As part of the EDRM Project Version 3.0
Why?
To foster adoption by facilitating communication and collaboration between IG stakeholder functions: legal, records management, risk management, and business unit stakeholders.
HOW TO INTERPRET THE IGRM DIAGRAM
Outer Ring: A complex set of interoperable processes, together with the implementing procedures and structural elements that put them into practice.
Requirements:
Understanding of business imperatives
Knowledge of appropriate tools and infrastructure
Sensitivity to legal and regulatory obligations

HOW TO INTERPRET THE IGRM DIAGRAM…continued
Inner Ring: Depicts a work-flow (life-cycle) diagram, showing that information management is important at all stages of the lifecycle.
So…how is the IGRM Diagram related to the Generally Accepted Recordkeeping Principles®?
Supports the ARMA Principles by identifying the cross-functional groups of IG stakeholders
Depicts the intersecting objectives of the organization
Depicts the relationship between duty, value and information assets
Used by proactive organizations as an introspective lens to facilitate visualization, understanding and discussion concerning how to apply the “Principles” to the organization
Puts focus on the “Principles”
Provides essential context for the maturity model
Considerations in IG Policy Formation?
Best Practices?
YES!
Understand that best practices will vary per organization
Review the 25 generic best practices on pages 75 and 76 of the textbook

Standards?
YES!
Two types to consider:
De Jure Standards – Legal standards published by standards-setting bodies such as ISO, ANSI, NIST, BTS and others
De Facto Standards – Informal standards regarded by many as actual standards, arising through popular use (example: Windows in the business world in 2001-2010). May be published by formal standards-setting bodies without having “formal” status
Benefits and Risks of Standards
Benefits
Quality Assurance Support
Interoperability Support
Implementation Framework and Certification Checklists
Cost Reduction
International Consensus
Risks
Possible Decreased Flexibility
Standards Confusion
Real-World Shortcomings Due to Theoretical Basis
Cost and Maintenance Involved in Updating Standards
KEY STANDARDS RELEVANT TO IG
Risk Management
ISO 31000:2009 – States principles and generic guidelines of risk management applicable to IG
Provides a structured framework for the development and implementation of risk management strategies and programs
“Risk Management Framework”: A set of two basic components (foundations and organizational arrangements) that support and sustain risk management throughout the organization.
KEY STANDARDS RELEVANT TO IG…continued
Information Security Management
ISO/IEC 27001:2005 – Information Security Management System. A standard that provides guidance in the development of security controls for the protection of information assets
Flexible – can be applied to different activities and processes
Includes use of the standard by auditors and stakeholders
ISO/IEC 27002:2005 – Information Technology – Security Techniques – Code of Practice for Information Security
Establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management
Includes best practices of control objectives in 11 key areas of information security management
ISO/IEC 38500:2008 – International standard providing high-level principles and guidance for senior executives, directors and advisors on the effective and efficient use of IT
Three major sections:
Scope, Application and Objectives
Framework for Good Corporate Governance of IT
Guidance for Corporate Governance of IT
KEY STANDARDS RELEVANT TO IG…continued
RECORDS AND E-RECORDS MANAGEMENT
ISO 15489-1:2001 and ISO 15489-2:2001 – International Standard for Records Management
Part 1: Provides a framework and high-level overview of RM core principles
Part 1: Defines RM as the “field of management responsibility for the efficient and systematic control of creation, receipt, maintenance, use and disposition of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records”1
Part 2: Technical specifications and methodology for implementing the standard
ISO 30300:2011 – Information and Documentation – Management Systems for Records – Fundamentals and Vocabulary
ISO 30301:2011 – Information and Documentation – Management Systems for Records – Requirements
1 ISO 15489-1:2001 Information and Documentation – Records Management, Part 1: General (Geneva: ISO, 2001), section 3.16.
NATIONAL, INTERNATIONAL AND REGIONAL ERM STANDARDS
United States E-Records Standard
U.S. DOD 5015.2 Design Criteria Standard for Electronic Records Management Software Applications
Developed in 1997
Updated in 2002 and 2007
Canadian Standards
Electronic Records as Documentary Evidence CAN/CGSB-72.34-2005
Microfilm and Electronic Images as Documentary Evidence CAN/CGSB-72.11-93
Canadian Legal Considerations
Relies on the prime directive – that an organization shall always be prepared to produce its records as evidence – and on its national standards, for the admissibility of electronic records in court proceedings
The admissibility of records as evidence is determined under the business records provisions of the Evidence Act
NATIONAL, INTERNATIONAL AND REGIONAL ERM STANDARDS…CONTINUED
United Kingdom
The National Archives
Two sets of functional requirements to promote the development of the electronic records management software market (one in 1999 and one in 2002)
Model Requirements for Electronic Records
MoReq2
MoReq2010

Australian ERM and Records Management Standards
Has consistently been a world leader in this area
Adopted all three parts of ISO 16175 as its e-records standard
Australian Government Recordkeeping Metadata Standard Version 2.0
Australian Government Locator Service
AS 5090:2003 – Work Process Analysis for Recordkeeping
LONG-TERM DIGITAL PRESERVATION
Referred to as “LTDP”
LTDP is a key area for IG policy development
Frequently not addressed in an IG plan
Should be applied in preserving historical and “vital records” and in order to maintain the corporate or organizational memory
Key Standards for LTDP:
PDF/A-2 – official standard format for preserving electronic documents, developed by Adobe
ISO 19005-1:2005 Document Management – the published specification for the PDF/A format
ISO 14721:2012 – Space Data and Information Transfer Systems – Open Archival Information Systems
ISO/TR 18492:2005 – Long-Term Preservation of Electronic Document-Based Information
ISO 16363:2012 – Space Data and Information Transfer Systems – Audit and Certification of Trustworthy Digital Repositories
BUSINESS CONTINUITY MANAGEMENT
ISO 22301:2012 – Societal Security – Business Continuity Management Systems – Requirements
Specifies requirements for creating and implementing a standardized approach to business continuity management; this is also known as Disaster Recovery
Benefits of ISO 22301:
Threat Identification and Assessment
Threat and Recovery Planning
Mission-Critical Process Protection
Stakeholder Confidence
THINGS TO REMEMBER IN DEVELOPING THE IG POLICY
Take into account organizational goals
Draw clear lines of authority
Make sure you have an executive sponsor who can garner executive support for the IG program and policies
The IG program must contain a communications and training component
Stakeholders must be made aware of new policies and practices
Make sure you have metrics that are relevant and useful and can actually be measured
Test and audit
Give feedback to employees based upon metrics, tests and audit results
Establish and enforce clear penalties for policy violations and communicate them to employees
Take into account organizational culture