ITS 833 – INFORMATION GOVERNANCE
Chapter 4
Information Risk Planning and Management
Dr. Sandra J. Reeves
[email protected] J. Reeves 2018
CHAPTER GOALS AND OBJECTIVES
Be able to outline the progressive steps involved in developing
an information risk management plan
Know what is meant by “risk” and a “risk profile”
Know the different ways one would go about creating a risk
profile
Know how one would go about conducting a risk assessment
Know what an information risk mitigation plan is
What is the purpose of Information Risk Planning?
Identify potential risks to information
Weigh risks against each other
Create strategic plans for risk mitigation
Create policies
Develop metrics
Apply metrics to measure progress
Audit and feedback
STEPS IN INFORMATION RISK PLANNING AND
MANAGEMENT
Step 1: Survey and Determine Legal and Regulatory
Applicability and Requirements
Step 2: Specify IG Requirements to Achieve Compliance
Step 3: Create a Risk Profile
Step 4: Perform Risk Analysis and Assessment
Step 5: Develop an Information Risk Mitigation Plan
Step 6: Develop Metrics and Measure Results
Step 7: Execute The Risk Mitigation Plan
Step 8: Audit the Information Risk Mitigation Program
Step 1: Survey and Determine Legal and Regulatory
Applicability and Requirements
Conduct legislative research – legal requirements trump all
other requirements
Identify the jurisdiction(s) where the company operates:
Federal
Provincial (international)
State
Municipal
Step 1 Continued
Approaches to legal research for retention, privacy and security
laws:
Records retention citation service (Example: FILELAW®)
Use online and print resources (Example: Code of Federal
Regulations, “CFR”)
Step 2: Specify IG Requirements to Achieve Compliance
Compile a list of external compliance requirements
Map data, documents, and records to external compliance
requirements
Devise a method of keeping legal and records management staff
apprised of changes in regulations
Reconcile internal IG retention requirements with external
compliance requirements
Step 3: Create a Risk Profile
“RISK” – Effect of uncertainty on objectives [1]
“RISK PROFILE” – Description of a set of risks [2]
A part of Enterprise Risk Management
Considerations for creating a Risk Profile:
Frequency
External Resources
Stakeholders
Included in a Risk Profile:
Identification, documentation, assessment and prioritizing of risks
that an organization may face in pursuing a business objective
Timeline:
Projections 3 to 5 years into the future
Created annually
Updated or reviewed semiannually
[1], [2]: ISO 31000:2009 Plain English Risk Management Dictionary,
www.praxiom.com/iso-31000-terms.htm
Step 3 Continued
Types of Risk Profile Methodology:
Top-10 list – simple listing and ranking of the top 10 risks in relation
to the objective
Risk Map – visual tool, easy to grasp; a grid depiction of a
likelihood axis and an impact axis, generally rated on a 1 to 5 scale
Heat Map – color-coded matrix generated by stakeholders voting
on risks by color (red is highest risk)
Step 3 Continued
Information Gathering for Risk Profile
Surveys
Person-to-Person Interviews
Give interviewees questions in advance
Schedule interviews at convenient times and places
Keep interviews as short as possible
Include questions about:
Access and Security policies
Policy development
Policy adherence
Retention of email
Legal Hold policies
Record Retention
Record destruction
Training and Communications
Consider key events and changes that will impact risk
Generate a list of risks and categorize them (Example: natural
disasters, regulatory, safety, competitive, etc.)
Step 4: Perform Risk Analysis and Assessment
Five steps for Risk Assessment:
Identify the risks – the output of the Risk Profile
Determine potential impact – include calculations for the range of
economic impact in dollars where available. Be as specific as
possible
Evaluate risk levels and probabilities and recommend action –
recommendations for new procedures, new processes, new
investments in IT, and other risk mitigation methods
Create a report with recommendations and implement – include a
risk assessment table where available and written
recommendations, then implement
Review periodically – at least annually, but as appropriate for
your organization
Step 5: Develop an Information Risk Mitigation Plan
What is a Risk Mitigation Plan?
A plan which includes:
Options to reduce specific risks and increase the likelihood of
achieving objectives
Tasks to reduce specific risks and increase the likelihood of
achieving objectives
Timetable for implementation of risk mitigation measures
Milestones for implementing risk mitigation measures
Timetable/Milestones for IT acquisitions
Timetable/Milestones for assigning roles and responsibilities
Step 6: Develop Metrics and Measure Results
Assign quantitative measures that are meaningful and that
measure progress
What are relevant metrics? They must be relevant to your
organization. Examples are:
Reduce the data lost on stolen or misplaced laptops and mobile
devices by ___% over the prior year
Reduce the number of hacker intrusion events by ___ over the prior
year
Reduce e-discovery costs by ___% over the prior year
Reduce the number of adverse findings in the risk and
compliance audit by ___% over last year
Provide information risk training to ___% of knowledge-level
workers this year
Provide confidential messaging services for the organization’s
top ___ executives this year
Step 7: Execute Your Risk Mitigation Plan
Set up regular project/program team meetings
Develop key reports on key risk mitigation metrics
Manage the process
Use project management tools and techniques
Clear and concise communication with the IG team on progress
and status
Step 8: Audit the Information Risk Mitigation Program
Key tools in the audit process:
Metrics used to measure risk mitigation effectiveness
Use audit results for further redevelopment and fine-tuning of
the risk mitigation program
Don’t misuse the audit results – don’t use them to beat up on people;
use them for feedback and improvement
The End
ITS 833 – INFORMATION GOVERNANCE
Chapter 5
Strategic Planning and Best Practices for Information
Governance
Dr. Sandra J. Reeves
CHAPTER GOALS AND OBJECTIVES
Be able to explain the general steps required in the strategic
planning for an IG Plan
Be able to identify key Best Practices as they relate to strategic
planning for an IG Plan
First Step in Strategic Planning for Information Governance
Program
Secure commitment/sponsorship of executive management
Resource acquisition
Time
Labor/Manpower
$$$
Accountability
But who?
Suggested: Chief Compliance Officer, Chief Information
Officer, Chief Executive Officer
Crucial Roles:
So what is the role of this Executive Sponsor?
Budget
Planning and Control
Decision Making
Expectation Management
Anticipation – runs interference for the PM
Approval
What is the role of the Project Manager?
Keep Executive Sponsor apprised of progress
Implement/oversee daily tasks
Track detailed progress
Involve Executive Management only when necessary to do so
EVOLVING ROLE OF EXECUTIVE SPONSOR
The role of the Executive Sponsor will change over the
lifecycle of the IG program implementation
Initial involvement requires a greater TIME investment by
executive management
Early Implementation – visible and accessible
Post-Implementation – responsible for maintenance; ongoing
communication with the PM
THE IG TEAM
Who Should Be On Your IG Team?
Take a Cross-Functional Approach
Required:
Executive Sponsor
Legal Department or Outside Attorney
IT Department
Senior Records Officer
Risk Management Specialist
IG Program Manager
Elective:
Human Resources
Analyst
Representatives from different business units or departments
ASSIGNMENT OF ROLES AND RESPONSIBILITIES
Executive Sponsor – designation of roles for:
Project Manager
Possibly from Legal, Compliance, Risk Management, Records
Management or IT
Logically, each IG team member takes responsibility for their
functional area of expertise
Pair up team members or assign small work groups
Resulting output of the team effort: final draft of the IT strategic
plan – should be in a form ready to align with the organizational
strategic plan
ALIGNMENT OF IG PLAN TO ORGANIZATIONAL
STRATEGIC PLAN
IG Plan MUST support the achievement of the Organization’s
business objectives and its strategic plan
IG Plan MUST be integrated with the IT strategy
Decisions must be made with regard to the use of E-Discovery
techniques like predictive coding technology in early case
assessment and software that uses artificial intelligence
Must take resource allocation into consideration
SURVEY AND EVALUATE EXTERNAL FACTORS
What External Factors?
IT Trends – What new is coming online? What new is being
developed? Which are too risky? What is the plan for long-term
digital preservation?
Business Conditions and Economic Environment – Where is the
industry/country in the recurring business cycle? What is the
state of business conditions in your industry?
Relevant Legal, Regulatory and Political Factors – Identify
regulation affecting your industry. What is expected of future
and anticipated regulation?
Industry Best Practices – Survey your industry. What is your
more progressive competition doing? Will you use 3rd-party
consultants?
See sample IG best practices taken from different
areas/industries on pages 61-64
FORMULATING THE IG STRATEGIC PLAN
Synthesize Information –
Make the plan relevant to the information. Don’t linger
Develop IG strategy for each critical area
Maintain focus by developing IG strategy without regard to
prioritizing critical areas
Prioritize Strategies and map to organizational goals and
objectives
Develop Actionable Plans to Support Organizational Objectives
and Goals –
Develop policies and plans that identify specific tasks and
steps, and define roles and responsibilities
Build in checks, audits and other testing methods
Create New IG Programs to Support Business Goals and
Objectives –
Launch new “Sub-Programs” within the IG program
Assign specific employee responsibility to specific tasks
Have defined timeframes for subprograms
Piece together subprograms
Draft IG Strategic Plan and Gain Input from Broader Group of
Stakeholders
Get Buy-in and Sign-Off and Execute Plan –
Answer questions of top-level management
Address concerns
Get them to buy in to the program and sign off on it
The end
Case Discussion Rubric
Page 1 of 2

Levels: Outstanding (100 points); Good (85 points); Average (75 points); Limited (65 points); Flawed (55 points)

Criterion: Demonstrates Careful Reading and Inquiry into Subject
  Outstanding – Discussion Post:
  • Shows serious contemplation of readings.
  • Shows original thought that goes far beyond the obvious.
  Good – Discussion Post:
  • Indicates reading was completed.
  • Addresses some of the questions with obvious answers.
  Average – Discussion Post:
  • Relies primarily on case summary
  Limited – Discussion Post:
  • Suggests case scanned but not read carefully
  • Rehashes ideas from other posts
  Flawed – Discussion Post:
  • Gives little indication that the case was read and assignment completed.
  • The post was not relevant to the case questions or current

Criterion: (heading missing from the extraction)
  Outstanding (only the end of the cell survives):
  … integrated into the discussion
  • Properly punctuated
  Good – Quotes used:
  • support writer’s point (“proves” it)
  • are somewhat predictable
  • are not well integrated into discussion
  • some mechanical and/or documentation errors
  Average – Some quotes are used, but:
  • There are too few examples; relies mostly on generalizations
  • Some quotes do not effectively support writer’s point
  • quotes are poorly integrated
  • citation errors
  • Diction is ordinary
  Limited – Some quotes are used, but:
  • Paraphrase dominates
  • quotes used are not integrated
  • Quotes do not make sense as support
  • Quoted material is out of context
  • Fails to use capital letters or punctuation
  Flawed:
  No quotes are used; textual evidence (even paraphrased evidence) is flimsy and/or inappropriate
  • Citations are missing

Case Discussion Rubric
Page 2 of 2

Cells continued from page 1 (column not recoverable):
  • Quotes are properly cited.
  • Contains multiple documentation errors

Levels: Outstanding (100 points); Good (85 points); Average (75 points); Limited (65 points); Flawed (55 points)

Criterion: Engagement with Others
  Outstanding:
  • Shows concerted and honest effort to engage with others
  • Responds to ideas in a way that advances discussion beyond the obvious
  • Interacts easily & accurately with other posts in the thread
  Responds in the way highlighted above at least 5 times.
  Good:
  • Shows attention to other posts in the thread
  • Incorporates and acknowledges ideas of others in attempt to advance the discussion (perhaps in predictable ways)
  Responds the way described above 3-4 times.
  Average:
  • Offers little interaction with other posts in the thread
  • Mostly summarizes what others have said without adding to discussion
  Responds in the way described above 1-2 times.
  Limited:
  • Does not