ITS 833 – INFORMATION GOVERNANCE
Chapter 7
Dr. Omar Mohamed
Copyright @ Omar Mohamed 2019
Chapter Goals and Objectives
What is the difference between structured
What is the difference between unstructured and semi-structured
information?
Why is unstructured data so challenging?
Generally, what is full cost accounting (FCA)?
What are the 10 key factors that drive the total cost of
ownership of unstructured data
How can we better manage information?
How would an IG enabled organization look different from one
that is not IG enabled?
The Business Case for
Information Governance
Difficult to Justify
Short term return on investment is nonexistent
Long term view is essential
Reduce exposure to risk over time
Improve quality and security of information
Streamlining information retention
Looking at Information Costs differently
The information environment
Challenges of Unstructured Information
Data volumes are growing
“Unstructured Information” is growing at a dramatic rate
Challenges unique to unstructured information
Horizontal nature
Lack of formality
Management location
Identification of ownership
Classification
Calculating Information Costs
Rising Storage Costs (Short sighted thinking)
Labor (particularly knowledge workers)
Overhead costs
Costs of e-discovery and litigation
Opportunity Costs
Full Cost Accounting for
Information Models
Total Cost of Ownership (TCO) Model
Return on Investment Model (ROI)
Full Cost Accounting Model (FCA)
Past, Present, Future Costs
Direct Costs
Indirect Costs
Flexible Application
Triple Bottom Line Accounting – Monetary, Environment,
Societal Costs
Full Cost Accounting
General and Administrative Costs
Productivity Gains and Losses
Legal and E-discovery costs
Indirect Costs
Up-Front Costs
Future Costs
The politics involved
Tools needed to establish facts about the information
environment
Sources of costs of owning unstructured information, cost
reducers, and cost enhancers
Giving unstructured information value
The IG enabled organization
The End
ITS 833 – INFORMATION GOVERNANCE
Chapter 6
Information Governance policy development
Dr. Omar Mohamed
CHAPTER GOALS AND OBJECTIVES
Know the 8 Generally Accepted Recordkeeping Principles®
What is the IG Reference Model?
What does the IGRM Diagram consist of?
What are the best practice considerations?
What are the benefits and risks of having standards?
What are the key standards relevant to IG?
A Review of the 8 Generally Accepted
Recordkeeping Principles®
Accountability
Transparency
Integrity
Protection
Compliance
Availability
Retention
Disposition
So…what is the significance of these principles?
IG REFERENCE MODEL
Who?
ARMA International & CGOC
When?
2012
Where?
As part of the EDRM Project Version 3.0
Why?
To foster the adoption by facilitating communication and
collaboration between IG stakeholder functions, legal, records
management, risk management, and business unit stakeholders.
HOW TO INTERPRET THE IGRM DIAGRAM
Outer Ring: Complex set of interoperable processes and
implementing the procedures and structural elements to put them
into practice
Requirements:
Understanding of business imperatives
Knowledge of appropriate tools and infrastructure
Sensitivity to legal and regulatory obligations
Inner Ring: Depicts a work-flow (life-cycle) diagram. Shows
that information management is important at all stages of the
lifecycle
How the IGRM Diagram relates to the
Generally Accepted Recordkeeping Principles®
Supports the ARMA Principles by identifying the cross-functional
groups of IG stakeholders
Depicts the intersecting objectives of the organization
Depicts the relationship between duty, value and information assets
Used by proactive organizations as an introspective lens to
facilitate visualization, understanding and discussion
concerning how to apply the “Principles” to the organization.
Puts focus on the “Principles”
Provides essential context for the maturity model
Considerations in IG Policy Formation
Best Practices?
YES!
Understand that Best Practices will vary per organization
Review 25 generic Best Practices, Pages 75 and 76 of text book
Standards?
YES!
Two types to consider
De Jure Standards - Legal standards published by standards
setting bodies such as ISO, ANSI, NIST, BTS and others
De Facto Standards – Informal standards regarded by many as
actual standards – arising through popular use (Example:
Windows in the business world in 2001-2010). May be
published by formal standards setting bodies without having
“Formal” status
Benefits and Risks of Standards
Benefits
Quality Assurance Support
Interoperability Support
Implementation Framework and Certification Checklists
Cost Reduction
International Consensus
Risks
Possible Decreased Flexibility
Standards Confusion
Real-World Shortcomings due to Theoretical Basis
Cost and Maintenance Involved in Updating Standards
KEY STANDARDS RELEVANT TO IG
Risk Management
ISO 31000-2009 – States principles and generic guidelines of
risk management applicable to IG
Provides a structured framework for development and
implementation of risk management strategies and programs
“Risk Management Framework”: Set of two basic components
(foundations and organizational arrangements) that support and
sustain risk management throughout the organization.
KEY STANDARDS RELEVANT TO IG
Information Security Management
ISO/IEC 27001:2005- Information Security Management System
Standard that provides guidance in development of security
controls for protection of information assets
Flexible –can be applied to different activities and processes
Includes use of standards by auditors and stakeholders
ISO/IEC 27002:2005-Information Technology-Security
Techniques-Code of Practice for Information Security
Establishes guidelines and general principles for initiating,
implementing, maintaining and improving information security
management
Includes Best Practices of Control Objectives in 11 key areas of
information security management
ISO/IEC 38500:2008 – International Standard for high-level
principles and guidance for senior executives and directors, and
advisors for effective and efficient use of IT
Three major sections
Scope, Application and Objectives
Framework for Good Corporate Governance of IT
Guidance for Corporate Governance of IT
KEY STANDARDS RELEVANT TO IG
RECORDS AND E-RECORDS MANAGEMENT
ISO 15489-1:2001 and ISO 15489-2:2001– International
Standard for Records Management
Part 1: Provides a framework and high-level overview of RM
core principles
Part 1: Defines RM as “Field of management responsibility for
the efficient and systematic control of creation, receipt,
maintenance, use and disposition of records, including
processes for capturing and maintaining evidence of and
information about business activities and transactions in the
form of records”[1]
Part 2: Technical Specifications and Methodology for
implementing standard
ISO 30300:2011 – Information and Documentation-Management
Systems for Records-Fundamentals and Vocabulary
ISO 30301:2011 – Information and Documentation-Management
Systems for Records – Requirements
[1] ISO 15489-1:2001 Information and Documentation-Records
Management, Part 1: General (Geneva: ISO, 2001), section 3.16.
NATIONAL, INTERNATIONAL AND REGIONAL ERM
STANDARDS
United States E-Records Standard
U.S. DOD 5015.2 Design Criteria Standard For Electronic
Records Management Software Applications
Developed in 1997
Updated in 2002 and 2007
Canadian Standards
Electronic Records as Documentary Evidence CAN/CGSB-72.34-2005
Microfilm and Electronic Images as Documentary Evidence
CAN/CGSB-72.11-93
Canadian Legal Considerations
Relies on prime directive-that an organization shall always be
prepared to produce its records as evidence- and its national
standards, for the admissibility of electronic records in court
proceedings
The admissibility of records as evidence is determined under the
business records provisions of the Evidence Act
NATIONAL, INTERNATIONAL AND REGIONAL ERM
STANDARDS…CONTINUED
United Kingdom
The National Archives
Two sets of functional requirements to promote the development
of the electronic records management software market (one in
1999 and one in 2002)
Model Requirements of Electronic Records
MoReq2
MoReq2010
Australian ERM and Records Management Standards
Has consistently been a world leader in this area
Adopted all three parts of ISO 16175 as its e-records standard
Australian Government Recordkeeping Metadata Standard
Version 2.0
Australian Government Locator Service
AS 5090:2003 – Work Process Analysis for Recordkeeping
LONG-TERM DIGITAL PRESERVATION
Referred to as “LTDP”
LTDP is a key area for IG policy development
Frequently not addressed in an IG plan
Should be applied in preserving historical and “vital records”
and in order to maintain its corporate or organizational memory
Key Standards for LTDP:
PDF/A-2 –official standard format for preserving electronic
documents, developed by Adobe.
ISO 19005-1:2005 Document Management is the published
specification requiring PDF format
ISO 14721:2012 – Space Data and Information Transfer
Systems –Open Archival Information Systems
ISO TR 18492(2005) – Long Term Preservation of Electronic
Document Based Information
ISO 16363:2012 – Space Data and Information Transfer
Systems-Audit and Certification of Trustworthy Digital
Repositories
BUSINESS CONTINUITY MANAGEMENT
ISO 22301:2012 – Societal Security – Business Continuity
Management Systems Requirements
Specifies requirements for creating and implementing a
standardized approach to business continuity management;
this is also known as Disaster Recovery
Benefits of ISO 22301
Threat Identification and Assessment
Threat and Recovery Planning
Mission-critical process protection
Stakeholder Confidence
THINGS TO REMEMBER IN DEVELOPING THE IG POLICY
Take into account organizational goals
Draw clear lines of authority
Make sure you have an executive sponsor who can garner
executive support for the IG program and policies
IG program must contain communications and training
component
Stakeholders must be made aware of new policies and practices
Make sure you have metrics that are relevant and useful and can
actually be measured
Test and audit
Give feedback to employees based upon metrics, tests and audit
results
Establish and enforce clear penalties for policy violations and
communicate that to employees
Take into account organizational culture
The End
ITS 833 – INFORMATION GOVERNANCE
Chapter 1 – The Onslaught of Big Data and Information
Governance Imperative
Dr. Omar Mohamed
CHAPTER GOALS AND OBJECTIVES
Define or identify what is meant by “Big Data”
What are the practical effects and problems associated with Big
Data
Solution to the Big Data problem
Defining Information Governance (“IG”)
Why we do not incorporate IG into everyday business
Advantage of IG
Effects of not incorporating IG
General approach to implementing IG
What is “Big Data”?
It is a business asset capable of being leveraged.
“High-volume, high-velocity and high-variety information that
demands cost-effective innovative forms of information
processing for enhanced insight and decision making”
A combination of both structured and unstructured data that is
so massive that it cannot be processed using today’s database
tools and analytical software techniques.
What is the practical effect of “Big Data”?
Whether or not a business enterprise will be able to sustain a
competitive advantage will depend on the business’ ability to
manipulate the large amount of data in a way that allows it to
differentiate itself.
Estimates are that 90% of the data existing today was created
over the past two years.
Big Data and related technology and services are projected to
grow at a compound annual rate of approximately 27% - leading
to new opportunities for data mining and business intelligence.
Issues Related to Big Data
Expense –Only about 25% of data stored has real business
value, 5% more is required to be maintained for legal reasons,
1% retained due to litigation hold, leaving about 69% with no
real value.
A great deal of irrelevant information
Increased storage costs
System failures
Legal costs
Conversion costs
SOLUTION TO BIG DATA PROBLEMS?
Information Governance
Rigid
Enforced
Creates a smaller “information footprint”
Allows business to more easily find what they need and derive
business value from it
So…What is “Information Governance”?
It is a discipline that emerged out of necessity…
Subset of corporate governance
Merged from records management, content management,
information technology, data governance, information security,
data privacy, risk management, litigation readiness, regulatory
compliance, data preservation and business intelligence
It is the way by which an organization manages the totality of
its information
A strategic framework composed of standards, processes, roles,
and metrics that hold organizations and individuals accountable
to create, organize, secure, maintain, use and dispose of
information in ways that align with and contribute to the
organization’s goals. (Association of Records Management and
Administrators, Glossary of Records and Information
Management Terms, 4th Ed., 2012, TR 22-2012)
WHY INCORPORATE “IG”?
We can’t keep everything forever
We can’t throw everything away
E-discovery
Employees want it
It improves information delivery and improves productivity
It does not get easier to do over time
Legal requirements
Helps mitigate information management risk
E-mail
WHY DON’T WE INCORPORATE “IG”?
Cost
Lack of understanding
Lack of support from top
FAILURES OF INFORMATION GOVERNANCE?
Theft of valuable information
Inability to protect personal, private information
Breaches in legal requirements
Loss of trade secrets
Public reputation damage
Approaches to Implementing IG
Form proper IG policies first
Review existing policy…if any
Implement an awareness policy
Develop an approach
Project approach vs. Strategic program
Identify governance body or steering committee
Apply appropriate technologies for enforcement
Thank You
ITS 833 – INFORMATION
GOVERNANCE
Chapter 2 – Information Governance, IT Governance, Data
Governance: What’s the Difference?
Dr. Omar Mohamed
CHAPTER GOALS AND OBJECTIVES
Distinguish between Data Governance, Information Governance
and Information Technology Governance and be able to define
or explain each
How to increase the likelihood of success of a data governance
program
Identify IT Governance Frameworks
Identify the impact of a successful IG program
What is “Data Governance”?
Includes processes and controls to ensure that information at the
data level – raw data- is true, accurate and unique.
Involves data cleansing and de-duplication
Focus is on information quality
Hybrid quality control discipline
Data quality
Data management
IG policy development
Business process improvement
Compliance
Risk Management
How can you improve data governance success ?
Identify a measurable impact
Assign accountability for data quality to a business unit
Recognize the uniqueness of data as an asset
Forget the past-use a forward going strategy
Manage the Change
WHAT IS INFORMATION TECHNOLOGY GOVERNANCE?
Primary way that stakeholders can ensure that investments in IT
create business value and contribute to business objectives
Function to improve IT performance and deliver optimum
business value and ensure regulatory compliance
Focus is on making IT efficient and effective
IT Governance Framework(s)
CobiT® - Control Objectives for Information and Related
Technology
ValIT®
ITIL
ISO/IEC38500:2008
CobiT®
Three Basic Organizational Levels/Responsibilities
Board of Directors and Executive Management
IT and Business Management
Line-Level Governance
Divided into four (4) IT Domains
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate
Includes 34 processes and 210 Control Objectives
ISO 17799
Compatible with IT Infrastructure Library (ITIL)
Process oriented IT governance framework
Codeveloped by IT Governance Institute and ISACA
Focus on:
Business Risks
Control Requirements
Compliance
Technical Issues
Under continuous refinement
ValIT®
Value Oriented Framework
Compatible and complementary with CobiT®
Focus is on leveraging IT investments for maximum value
40 Essential Management Practices (same as CobiT® control
objectives)
Supports three processes:
Value Governance
Portfolio Management
Investment Management
ITIL – Information Technology Infrastructure Library
Process Oriented
Developed in United Kingdom
Applicable to both public and private sector
Most widely accepted approach to IT service management in the
world
Focus is on providing guidance to organizations on how to use
IT as a tool to facilitate business change, transformation and
growth
Foundation for ISO/IEC 20000
Five Volumes that map IT service cycle as follows:
ITIL Service Strategy
ITIL Service Design
ITIL Service Transition
ITIL Service Operation
ITIL Continual Service Improvement
ISO/IEC 38500:2008
International Standard
Focus is on high-level principles for senior executives, directors
and advisors of IT
Applies to the governance of management processes that are
performed at the IT service level
Three main sections:
Scope, Application and Objectives
Framework for Good Corporate Governance of IT
Guidance for Corporate Governance of IT
INFORMATION GOVERNANCE
A part of “Corporate Governance” which is the highest level of
governance of an organization
Processes which are at a higher level than data governance or IT
governance
Contains and includes both data governance and IT governance
Approach focuses on controlling the information that is
generated by IT systems, rather than the detailed IT or data
capture and quality control processes
Goal is to manage and control information assets to lower risk,
ensure compliance with regulations and improve information
quality and accessibility while implementing security measures
to protect and preserve information that has business value
IMPACT OF SUCCESSFUL INFORMATION GOVERNANCE
Enable the use of common terms across the enterprise
Development of standard definitions and terms
Map Information creation and usage
Who
Which
When
Where
Information Confidentiality
Integrity
Validity
Accuracy
Quality
Harvest and Leverage Information
DIFFERENCES BETWEEN IG, ITG AND DG
Information Governance
Overarching policies and processes to optimize and leverage
information while keeping it secure and meeting legal and
privacy obligations that are consistent with organizational
objectives.
Higher level approach, incorporating IT Governance and Data
Governance
IT Governance
Following established frameworks and best practices to gain the
most leverage and benefit from IT investments and support
accomplishment of business objectives
Data Governance
Consists of processes, methods and techniques to ensure that
data is of high quality, reliable and unique so that its results are
trusted and accurate
RELATIONSHIP BETWEEN CORPORATE GOVERNANCE,
INFORMATION GOVERNANCE, IT GOVERNANCE AND
DATA GOVERNANCE
[Diagram showing the relationship between Corporate Governance, Information Governance, IT Governance and Data Governance]
Thank You
ITS 833 – INFORMATION GOVERNANCE
Chapter 3 – Information Governance Principles
Dr. Omar Mohamed
CHAPTER GOALS AND OBJECTIVES
Know the 10 key principles of IG
What are the Generally Accepted Recordkeeping Principles®
What is the difference between disposition and destruction
Who should be involved in the information governance
development process
Know the 8 GAR principles
Know the 5 GAR Principle Levels
Know which of the four area(s) of improvement each of the 8
GAR principles map to
10 key principles for the IG approach
Executive Sponsorship
Information Policy Development and Communication
Information Integrity
Information Organization and Classification
Information Security
Information Accessibility
Information Control
Information Governance Monitoring and Auditing
Stakeholder Consultation
Continuous Improvement
The Key to Information Governance
Accountability
Often the root of many problems is that no one is held
accountable
RECORDKEEPING PRINCIPLES®
Formal Business records account for about 9% of all
information in an organization
Formal record keeping allows the organization to demonstrate
compliance with legal requirements and applicable standards
Generally Accepted Recordkeeping Principles® were developed
in 2009 by ARMA International to foster awareness of good
recordkeeping practices
Generally Accepted Recordkeeping Principles®
Accountability
Transparency
Integrity
Protection
Compliance
Availability
Retention
Disposition
GAR Principles Levels
Used to define the characteristics of evolving and maturing
Records Management Programs
1. Standard – whether recordkeeping concerns are being
addressed
2. In Development – developing recognition that recordkeeping
has an impact and benefit from more defined IG program
3. Essential – where defined policies and procedures exist that
address minimum legal and regulatory requirements but more
action is required to improve recordkeeping
4. Proactive – where information governance issues are
integrated into business decisions with organization consistently
meeting its legal and regulatory obligations
5. Transformational – Integrated IG into corporate
infrastructure and business processes to such an extent that
compliance is routine
GAR PRINCIPLE 1: ACCOUNTABILITY
RM responsibility at the senior level of executive authority
Understanding of regulatory and legal framework
Responsibility for ensuring that processes, procedures and
governance structures and documentation are developed
Development of organization wide audit process for all aspects
of RM
Reinforce compliance and require accountability
GAR PRINCIPLE 2: TRANSPARENCY
Practices that document processes and promote an
understanding of the roles and responsibilities of the
stakeholders
Policies are formalized and integrated into business processes
Must be recognized by senior management
Employees must have access to the policies and procedures of
RM
Employee training
Documentation in the form of policies, procedures, guidelines,
instructions, diagrams, flowcharts, system documentation, user
manuals, etc.
GAR PRINCIPLE 3: INTEGRITY
“Record Integrity”: The records are complete and protected
from being altered
Record generating systems and repositories are required to be
assessed to determine record keeping capabilities.
Here a formalized process is required to be in place for
acquiring or developing new systems, required for lifecycle
management of records.
Record integrity is confirmed by ensuring that records are
created by competent authority based upon established
principles
GAR PRINCIPLE 4: PROTECTION
This is where organizations ensure that the records are unaltered
through loss, tampering or corruption
Applies to both physical and electronic records
GAR PRINCIPLE 5: COMPLIANCE
There should be a process for development and training of the
fundamentals of compliance monitoring
Compliance monitoring involves reviewing and inspecting
different facets of records management
Compliance monitoring is carried out by audits, whether that be
internal audits, external organizations or by records
management and must be performed routinely
GAR PRINCIPLE 6: AVAILABILITY
Process of evaluating how effectively and efficiently records
and information are stored and retrieved using existing
equipment, networks and software of the organization
Intended to identify current and future requirements and
recommendations for new systems where appropriate
GAR PRINCIPLE 7: RETENTION
This is the function of preserving and maintaining records for
continuing use
A retention schedule is created to identify actions needed to
fulfill requirements for retention and disposal of records and to
identify and establish authority for employees who will be
responsible for retention, destruction and transfer of records
Must identify the scope of the different jurisdictions that
impose control over records in each location where the company
does business
Includes “records appraisal” – process of assessing the value
and risk of records to determine their retention and destruction
requirements – part of records retention schedule
Record retention period – length of time that records should be
retained and actions taken for them to be destroyed or preserved
Document research performed to identify jurisdictional and
legal requirements for record retention
GAR PRINCIPLE 8: DISPOSITION
Disposition is the last stage in the life cycle of records
When records are required to be retained permanently or on a
long term basis they should be “archived” for preservation
Should be part of record retention schedule
When destroyed, destruction must be in a controlled and secure
manner in accordance with disposal instructions
Document destruction of record
Maintain an audit trail of the destruction of records
Must have someone designated to oversee destruction of records
Disposition of records is not the same as destruction of records.
Destruction may be one of the disposal options
Methods of Disposition
Discard-Standard for non-confidential records
Shred – Confidential and sensitive records
Archive – For records retained permanently or for long-term
periods
Imaging – Conversion from a physical record to digital images
prior to destruction of paper records
Purge – This involves the removal of material based upon
specific criteria. Generally applicable to structured database
records and applications
Generally Accepted Recordkeeping Principles® maturity model
is used to identify a company’s areas in need of improvement.
Principles are mapped to four (4) improvement areas:
Roles and responsibilities
Policies and Procedures
Communication and Training
Systems and automation
MAPPING OF IMPROVEMENT AREAS FOR GENERALLY
ACCEPTED RECORDKEEPING PRINCIPLES®
Improvement Area | Accountability | Transparency | Integrity | Protection | Compliance | Availability | Retention | Disposition
Roles and
WHO SHOULD DETERMINE THE IG POLICIES?
Steering Committee or Board
Headed by executive sponsor
Include cross-functional groups
Key business units
IT
Finance
Risk
Compliance
Records Management
Legal
Training is essential
Review the Sample Assessment Report and Road Map in Table
3.3, Page 36 and 37 of text book
The End
ITS 833 – INFORMATION GOVERNANCE
Chapter 4
Information Risk Planning and Management
Dr. Omar Mohamed
CHAPTER GOALS AND OBJECTIVES
Be able to outline the progressive steps involved in developing
an information risk management plan
Know what is meant by “risk” and a “risk profile”
Know the different ways one would go about creating a risk
profile
Know how one would go about conducting a risk assessment
Know what an information risk mitigation plan is
What is the purpose of Information Risk Planning?
Identify potential risks to information
Weighing risks against each other
Creating strategic plans for risk mitigation
Creating policies
Develop Metrics
Applying metrics to measure progress
Audit and feedback
Steps in Information Risk Planning and Management
Step 1: Survey and Determine Legal and Regulatory
Applicability and Requirements
Step 2: Specify IG Requirements to Achieve Compliance
Step 3: Create a Risk Profile
Step 4: Perform Risk Analysis and Assessment
Step 5: Develop an Information Risk Mitigation Plan
Step 6: Develop Metrics and Measure Results
Step 7: Execute The Risk Mitigation Plan
Step 8: Audit the Information Risk Mitigation Program
Step 1: Survey and Determine Legal and Regulatory
Applicability and Requirements
Conduct Legislative Research-Legal requirements trump all
other requirements
Identify the jurisdiction(s) where the company operates
Federal
Provincial (international)
State
Municipal
Approaches to legal research for retention, privacy and security
laws:
Records retention citation service (Example: FILELAW®)
Use online or print resources (Example: Code of Federal
Regulations “CFR”)
Step 2: Specify IG Requirements to Achieve Compliance
Compile list of external compliance requirements
Map data, document, and records to external compliance
requirements
Devise a method of keeping legal and records management staff
apprised of changes in regulations
Reconcile Internal IG retention requirements with external
compliance requirements
Step 3: Create a Risk Profile
“RISK” – Effect of uncertainty on objectives1
“RISK PROFILE” – Description of a set of risks2
A part of Enterprise Risk Management
Considerations for creating a Risk Profile
Frequency
External Resources
Stakeholders
“ISO 31000 2009 Plain English, Risk Management Dictionary”,
www.praxiom.com/iso-31000-terms.htm
Included in Risk Profile
Identification, documentation, assessment and prioritizing risk
that an organization may face in pursuing a business objective
Timeline:
Projections 3 to 5 years into future
Create annually
Updated or reviewed semiannually
Step 3..Continued
Types of Risk Profile Methodology
Top-10 list-simple listing and ranking of top 10 risks in relation
to the objective
Risk Map – Visual tool, easy to grasp, grid depiction of a
likelihood axis and impact axis-Generally rated on a 1 to 5 scale
Heat Map-color coded matrix generated by stakeholders voting
on risk by color (red is highest risk)
Step 3..Continued
Information Gathering for Risk Profile
Surveys
Person-to-Person Interviews
Give interviewees questions in advance
Schedule interviews at convenient times and places
Keep interviews as short as possible
Include questions about:
Access and Security policies
Policy development
Policy adherence
Retention of email
Legal Hold policies
Record Retention
Record destruction
Training and Communications
Consider key events and changes that will impact risk
Generate a list of risks and categorize them (Example: natural
disasters, regulatory, safety, competitive, etc.)
Step 4: Perform Risk Analysis and Assessment
Five steps for Risk Assessment:
Identify the risks – the output of the Risk Profile
Determine potential impact – include calculations for the range of
economic impact in dollars where available. Be as specific as
possible
Evaluate risk levels and probabilities and recommend action –
recommendations for new procedures, new processes, new
investments in IT, and other risk mitigation methods
Create a report with recommendations and implement – include a
risk assessment table where available, include written
recommendations, then implement
Review periodically – at least annually, but as appropriate for
your organization
Step 5: Develop an Information Risk Mitigation Plan
What is a Risk Mitigation Plan?
Plan which includes
Options to reduce specific risks and increase the likelihood of
achieving objectives
Tasks to reduce specific risks and increase the likelihood of
achieving objectives
Timetable for implementation of risk mitigation measures
Milestones for implementing risk mitigation measures
Timetable/Milestones for IT acquisitions
Timetable/Milestones for assigning roles and responsibilities
Step 6: Develop Metrics and Measure Results
Assign quantitative measures that are
Meaningful
Measure progress
What are relevant metrics? – Must be relevant to your
organization. Examples are:
Reduce the data lost on stolen or misplaced laptops and mobile
devices by ___ % over the prior year
Reduce the number of hacker intrusion events by ___ over prior
year
Reduce e-discovery costs by __ % over prior year
Reduce the number of adverse findings in the risk and
compliance audit by ___% over last year
Provide information risk training to __% of knowledge-level
workers this year
Provide confidential messaging services for the organization’s
top ___ executives this year
Step 7: Execute Your Risk Mitigation Plan
Set up regular project/program team meetings
Develop Key Reports on key risk mitigation metrics
Manage the process
Use Project management tools and techniques
Clear and concise communication with the IG team on progress
and status
Step 8: Audit the Information Risk Mitigation Program
Key tools in the audit process?
Metrics used to measure risk mitigation effectiveness
Use audit results for further redevelopment and fine-tuning of
the risk mitigation program
Don’t misuse the audit results – don’t use them to beat up on people;
use them for feedback and improvement
The End
ITS 833 – INFORMATION GOVERNANCE
Chapter 5
Strategic Planning and Best Practices for Information
Governance
Dr. Omar Mohamed
CHAPTER GOALS AND OBJECTIVES
Be able to explain the general steps required in the strategic
planning for an IG Plan
Be able to identify key Best Practices as they relate to strategic
planning for an IG Plan
First Step in Strategic Planning for Information Governance
Program
Secure commitment/sponsorship of executive management
Resource acquisition
Time
Labor/Manpower
$$$
Accountability
But who??
Suggested: Chief compliance officer, Chief Information
Officer, Chief Executive Officer
Crucial Roles:
So what is the role of this Executive Sponsor?
Budget
Planning and Control
Decision Making
Expectation Management
Anticipation/Runs Interference for PM
Approval
What is the role of the Project Manager?
Keep Executive Sponsor apprised of progress
Implement/oversee daily tasks
Track detailed progress
Involve Executive Management only when necessary to do so
EVOLVING ROLE OF EXECUTIVE SPONSOR
The Role of the Executive Sponsor will change over the
lifecycle of the IG program implementation
Initial involvement requires greater TIME investment by
executive management
Early Implementation – Visible and Accessible
Post-Implementation – Responsible for maintenance – ongoing
communication with PM
THE IG TEAM
Who Should Be On Your IG Team?
Take a Cross-Functional Approach
Required:
Executive Sponsor
Legal Department or Outside Attorney
IT Department
Senior Records Officer
Risk Management Specialist
IG Program Manager
Elective:
Human Resources
Analyst
Rep from different business units or departments
ASSIGNMENT OF ROLES
AND RESPONSIBILITIES
Executive Sponsor – designation of roles for:
Project Manager
Possibly from Legal, Compliance, Risk management, Records
Management or IT
Logically, each IG team member takes responsibility for their
functional area of expertise
Pair up team members or assign small work groups
Resulting output of team effort: Final Draft of the IT strategic
plan – Should be in a form ready to align with organizational
strategic plan
ALIGNMENT OF IG PLAN TO
ORGANIZATIONAL STRATEGIC PLAN
IG Plan MUST support the achievement of the Organization’s
business objectives and its strategic plan
IG Plan MUST be integrated with the IT strategy
Decisions must be made with regard to the use of E-Discovery
techniques like predictive coding technology in early case
assessment and software that uses artificial intelligence
Must take resource allocation into consideration
SURVEY AND EVALUATE
EXTERNAL FACTORS
What External Factors?
IT Trends – What new is coming online? What new is being
developed? Which are too risky? What is the plan for long term
digital preservation?
Business Conditions and Economic Environment – Where is the
industry/country in the recurring business cycle? What is the
state of business conditions in your industry?
Relevant Legal, Regulatory and Political Factors – Identify
regulation affecting your industry. What is expected of future
and anticipated regulation?
Industry Best Practices – Survey your industry. What is your
more progressive competition doing? Will you use 3rd party
consultants?
See Sample IG Best Practices taken from different
areas/industries on pages 61-64
FORMULATING THE IG STRATEGIC PLAN
Synthesize Information
Make the plan relevant to the information. Don’t linger
Develop IG strategy for each critical area
Maintain focus by developing IG strategy without regard to
prioritizing critical areas
Prioritize Strategies and map to organizational goals and
objectives
Develop Actionable Plans to Support Organizational Objectives
and Goals
Develop policies and plans that identify specific tasks and
steps, and define roles and responsibilities
Build checks and audits and other testing methods
Create New IG Programs to Support Business Goals and
Objectives
Launch new “Sub-Programs” within the IG program
Assign specific employee responsibility to specific tasks
Have defined timeframes for subprograms
Piece together subprograms
Draft IG Strategic Plan and Gain Input from Broader Group of
Stakeholders
Get Buy-in and Sign-Off and Execute Plan
Answer questions of top level management
Address concerns
Get them to buy-in to the program and sign off on it
The end
Software Engineering Methodologies (overview)
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 

ITS 833 – INFORMATION GOVERNANCEChapter 7Dr. Omar Mohamed.docx

  • 1. ITS 833 – INFORMATION GOVERNANCE Chapter 7 Dr. Omar Mohamed Copyright @ Omar Mohamed 2019 1 1 Chapter Goals and Objectives What is the difference between structured What is the difference between unstructured and semi-structured information? Why is unstructured data so challenging? Copyright @ Omar Mohamed 2019 2 Generally, what is full cost accounting (FCA)? What are the 10 key factors that drive the total cost of ownership of unstructured data How can we better manage information? How would an IG enabled organization look different from one that is not IG enabled? 2 The Business Case for Information Governance
  • 2. Difficult to Justify Short term return on investment is nonexistent Long term view is essential Reduce exposure to risk over time Improve quality and security of information Streamlining information retention Looking at Information Costs differently Copyright @ Omar Mohamed 2019 3 3 The information environment Challenges of Unstructured Information Data volumes are growing “Unstructured Information” is growing at a dramatic rate Challenges unique to unstructured information Horizontal nature Lack of formality Management location Identification of ownership Classification Copyright @ Omar Mohamed 2019 4 Calculating Information Costs Rising Storage Costs (Short sighted thinking) Labor (particularly knowledge workers) Overhead costs Costs of e-discovery and litigation
  • 3. Opportunity Costs 4 Full Cost Accounting for Information Models Total Cost of Ownership (TCO) Model Return on Investment Model (ROI) Full Cost Accounting Model (FCA) Past, Present, Future Costs Direct Costs Indirect Costs Flexible Application Triple Bottom Line Accounting – Monetary, Environment, Societal Costs Copyright @ Omar Mohamed 2019 5 Full Cost Accounting General and Administrative Costs Productivity Gains and Losses Legal and E-discovery costs Indirect Costs Up-Front Costs Future Costs 5 The politics involved
  • 4. Tools needed to establish facts about the information environment SOURCES OF Costs of owning unstructured information, cost reducers, and cost enhancers Giving unstructured information value The IG enabled organization The End Copyright @ Omar Mohamed 2019 11 11 ITS 833 – INFORMATION GOVERNANCE Chapter 6 Information Governance policy development Dr. Omar Mohamed Copyright @ Omar Mohamed 2019
  • 5. 1 1 CHAPTER GOALS AND OBJECTIVES Know the 8 Generally Accepted Recordkeeping Principles® What is the IG Reference Model? What does the IGRM Diagram consist of? What are the best practice considerations? What is the benefits and risks of having standards? What are the key standards relevant to IG Copyright @ Omar Mohamed 2019 2 2 A Review of the 8 Generally Accepted Recording Keeping Principles® Accountability Transparency Integrity Protection Compliance Availability Retention Disposition So…what is the significance of these principles? Copyright @ Omar Mohamed 2019 3
  • 6. 3 IG REFERENCE MODEL Who? ARMA International & CGOC When? 2012 Where? As part of the EDRM Project Version 3.0 Why? To foster the adoption by facilitating communication and collaboration between IG stakeholder functions, legal, records management, risk management, and business unit stakeholders. Copyright @ Omar Mohamed 2019 4 4 HOW TO INTERPRET THE IGRM DIAGRAM Outer Ring: Complex set of interoperable processes and implementing he procedures and structural element to put them into practice Requirements: Understanding of business imperatives Knowledge of appropriate tools and infrastructure Sensitivity to legal and regulatory obligations Inner Ring: Depicts a work-flow (life-cycle) diagram. Shows that information management is important at all stages of the lifecycle
  • 7. Copyright @ Omar Mohamed 2019 5 5 How the IGRM Diagram related to the Generally Accepted Recordkeeping Principles® Support the ARMA Principle by identifying the cross-functional groups of IG stakeholders Depicts the intersecting objectives of the organization Depicts the relationship duty, value and information assets Used by proactive organizations as an introspective lens to facilitate visualization, understanding and discussion concerning how to apple the “Principles” to the organization. Puts focus on the “Principles” Provides essential context for the maturity model Copyright @ Omar Mohamed 2019 6 6 Considerations in IG Policy Formation Best Practices? YES! Understand that Best Practices will vary per organization Review 25 generic Best Practices, Pages 75 and 76 of text book Copyright @ Omar Mohamed 2019 7 Standards? YES! Two types to consider
  • 8. De Jure Standards - Legal standards published by standards setting bodies such as IOS, ANSI, NIST, BTS and others De Facto Standards – Informal standards regarded by many as actual standards – arising through popular use (Example: Windows in the business world in 2001-2010). May be published by formal standards setting bodies without having “Formal” status 7 Benefits and Risks of Standards Benefits Quality Assurance Support Interoperability Support Implementation Framework and Certification Checklists Cost Reduction International Consensus Copyright @ Omar Mohamed 2019 8 Risks Possible Decreased Flexibility Standards Confusion Real-World Shortcomings to due Theoretical Basis Cost and Maintenance Involving in Updating Standard 8 KEY STANDARDS RELEVANT TO IG Risk Management ISO 31000-2009 – States principles and generic guidelines of risk management applicable to IG
  • 9. Provides a structured framework for development and implementation of risk management strategies and programs “Risk Management Framework”: Set of two basic components (foundations and organizational arrangements) that support and sustain risk management throughout the organization. Copyright @ Omar Mohamed 2019 9 9 KEY STANDARDS RELEVANT TO IG Information Security Management ISO/IEC 27001:2005- Information Security Management System Standard that provides guidance in development of security controls for protection of information assets Flexible –can be applied to different activities and processes Includes use of standards by auditors and stakeholders ISO/IEC 27002:2005-Information Technology-Security Techniques-Code of Practice for Information Security Establishes guidelines and general principle for initiating, implementing, maintaining and improving information security mgt. Includes Best Practices of Control Objectives in 11 key areas of information security management ISO/IE 38500:2008 –International Standard for high-level principle and guidance for senior executives and directors, and advisors for effective and efficient use of IT Three major sections Scope, Application and Objectives Framework for Good Corporate Governance of IT Guidance for Corporate Governance of IT Copyright @ Omar Mohamed 2019 10
  • 10. 10 KEY STANDARDS RELEVANT TO IG RECORDS AND E-RECORDS MANAGEMENT ISO 15489-1:2001 and ISO 15489-2:2001– International Standard for Records Management Part 1:Provides a framework and high-level overview of RM core principles Part 1:Defines RM as “Field of management responsibility for the efficient and systematic control of creation receipt, maintenance, use and disposition of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records”1 Part 2: Technical Specifications and Methodology for implementing standard ISO 30300;2011 – Information and Documentation-Management Systems for Records-Fundamentals and Vocabulary ISO 30301:2011 – Information and Documentation-Management Systems for Records – Requirements 1ISO 15489-1:2001 Information and Documentation-Records Management, Part 1:General Geneva: ISO, 2001), section 3.16. Copyright @ Omar Mohamed 2019 11 11
  • 11. NATIONAL, INTERNATIONAL AND REGIONAL ERM STANDARDS United States E-Records Standard U.S. DOD 5015.2 Design Criteria Standard For Electronic Records Management Software Applications Developed in 1997 Updated in 2002 and 2007 Canadian Standards Electronic Records as Documentary Evidence CAN/CGSB- 72.34-2005 Microfilm and Electronic Images as Documentary Evidence CAN/DGSB-72.11-93 Canadian Legal Considerations Relies on prime directive-that an organization shall always be prepared to produce its records as evidence- and its national standards, for the admissibility of electronic records in court proceedings The admissibility of records as evidence is determined under the business records provisions of the Evidence Act Copyright @ Omar Mohamed 2019 12 12 NATIONAL, INTERNATIONAL AND REGIONAL ERM STANDARDS…CONTINUED United Kingdom The National Archives To sets of functions requirements to promote the development of the electronic records management software market (one in 1999 and one in 2002) Model Requirements of Electronic Records
  • 12. MoReq2 MoReq2010 Australian ERM and Records Management Standards Has consistently been world leader in this area Adopted all three parts of ISO 16175 as its e-records standard Australian Government Recordkeeping Metadata Standard Version 2.0 Australian Government Locator Service AS 5090:2003 – Work Process Analysis for Recordkeeping Copyright @ Omar Mohamed 2019 13 13 LONG-TERM DIGITAL PRESERVATION Referred to as “LTDP” LTDP is a key area for IG policy development Frequently not addressed in an IG plan Should be applied in preserving historical and “vital records” and in order to maintain its corporate or organizational memory Key Standards for LTDP: PDF/A-2 –official standard format for preserving electronic documents, developed by Adobe. ISO 19005-1:2005 Document Management is the published specification requiring PDF format ISO 14721:2012 – Space Data and Information Transfer Systems –Open Archival Information Systems ISO TR 18492(2005) – Long Term Preservation of Electronic Document Based Information ISO 16363:2012 – Space Data and Information Transfer Systems-Audit and Certification of Trustworthy Digital Repositories
  • 13. Copyright @ Omar Mohamed 2019 14 14 BUSINESS CONTINUITY MANAGEMENT ISO 22301:2012 – Societal Security – Business Continuity Management Systems Requirements Specifies requirements for creating and implementing a standardized approach to business continuity management ----- this is also known as Disaster Recovery Benefits of ISO 22301 Threat Identification and Assessment Threat and Recovery Planning Mission-critical process protection Stakeholder Confidence Copyright @ Omar Mohamed 2019 15 15 THINGS TO REMEMBER IN DEVELOPING THE IG POLICY Take into account organizational goals Draw clear lines of authority Make sure you have an executive sponsor who can garner executive support for the IG program and policies IG program must contain communications and training component Stakeholders must be made aware of new policies and practices
  • 14. Make sure you have metrics that are relevant and useful and can actually be measured Test and audit Give feedback to employees based upon metrics, tests and audit results Establish and enforce clear penalties for policy violations and communicate that to employees Take into account organizational culture Copyright @ Omar Mohamed 2019 16 16 The End Copyright @ Omar Mohamed 2019 17 17 ITS 833 – INFORMATION GOVERNANCE Chapter 1 – The Onslaught of Big Data and Information Governance Imperative Dr. Omar Mohamed Copyright Omar Mohamed 2019 1
  • 15. 1 CHAPTER GOALS AND OBJECTIVES Define or identify what is meant by “Big Data” What is the practical effects and problems associated with Big Data Solution to the Big Data problem Defining Information Governance (“IG”) Why we do not incorporate IG into everyday business Advantage of IG Effects of not incorporating IG General approach to implementing IG Copyright Omar Mohamed 2019 2 2 What is “Big Data”?
  • 16. It is a business asset capable of being leveraged. “High-volume, high-velocity and high-variety information that demands cost-effective innovative forms of information processing for enhanced insight and decision making” A combination of both structured and unstructured data that is so massive that it cannot be processed using today’s database tools and analytical software techniques. Copyright Omar Mohamed 2019 3 3 What is the practical effect of “Big Data”? Whether or not a business enterprise will be able to sustain a competitive advantage will depend on the business’ ability to manipulate the large amount of data in a way that it to differentiate itself. Estimates are that 90% of the data existing today was created over the pat two years. Big Data and related technology and services are projected to grow at a compound annual rate of approximately 27% - leading to new opportunities for data mining and business intelligence. Copyright Omar Mohamed 2019
  • 17. 4 4 Issues Related to Big Data Expense –Only about 25% of data stored has real business value, 5% more is required to be maintained for legal reasons, 1% retained due to litigation hold, leaving about 69% with no real value. A great deal of irrelevant information Increased storage costs System failures Legal costs Conversion costs Copyright Omar Mohamed 2019 5 5
  • 18. SOLUTION TO BIG DATA PROBLEMS? Information Governance Rigid Enforced Creates a smaller “information footprint” Allows business to more easily find what they need and derive business value from it Copyright Omar Mohamed 2019 6 6 So…What is “Information Governance”? It is discipline that emerged out of necessity… Subset of corporate governance Merged from records management, content management, information technology, data governance, information security, data privacy, risk management, litigation readiness, regulatory compliance, data preservation and business intelligence It is the way by which an organization manages the totality of its information
  • 19. A strategic framework composed of standards, processes, roles, and metrics that hold organizations and individuals accountable to create, organize, secure, maintain, use and dispose of information in ways that align with and contribute to the organizations goals. (Association of Records Management and Administrators)Glossary of Records and Information Management Terms, 4th Ed., 2012, TR 22-2012) Copyright Omar Mohamed 2019 7 7 WHY INCORPORATE “IG”? We can’t keep everything forever We can’t throw everything away E-discovery Employees want it It improves information delivery and improves productivity It does not get easier to do over time Legal requirements Helps mitigate information management risk E-mail Copyright Omar Mohamed 2019
  • 20. 8 8 WHY DON’T WE INCORPORATE “IG”? Cost Lack of understanding Lack of support from top Copyright Omar Mohamed 2019 9 9 FAILURES OF INFORMATION GOVERNANCE? Theft of valuable information Inability to protect personal, private information Breaches in legal requirements Loss of trade secrets Public reputation damage
  • 21. Copyright Omar Mohamed 2019 10 10 Approaches to Implementing IG Form proper IG policies first Review existing policy…if any Implement an awareness policy Develop an approach Project approach vs. Strategic program Identify governance body or steering committee Apply appropriate technologies for enforcement Copyright Omar Mohamed 2019 11 11 Thank You Copyright Omar Mohamed 2019
  • 22. 12 12 ITS 833 – INFORMATION GOVERNANCE Chapter 2 – Information Governance, IT Governance, Data Governance: What’s the Difference? Dr. Omar Mohamed Copyright Omar Mohamed 2019 1 1 CHAPTER GOALS AND OBJECTIVES
  • 23. Distinguish between Data Governance, Information Governance and Information Technology Governance and be able to define or explain each How to increase the likelihood of success of a data governance program Identify IT Governance Frameworks Identify the impact of a successful IG program Copyright Omar Mohamed 2019 2 What is “Data Governance”? Includes processes and controls to ensure that information at the data level – raw data- is true, accurate and unique. Involves data cleansing and de-duplication Focus is on information quality Hybrid quality control discipline Data quality Data management IG policy development Business process improvement Compliance Risk Management
  • 24. Copyright Omar Mohamed 2019 3 3 How can you improve data governance success ? Identify a measurable impact Assign accountability for data quality to a business unit Recognize the uniqueness of data as an asset Forget the past-use a forward going strategy Management the Change Copyright Omar Mohamed 2019 4 WHAT IS INFORMATION TECHNOLOGY GOVERNANCE? Primary way that stakeholders can ensure that investments in IT create business value and contribute to business objectives Function to improve IT performance and deliver optimum business value and ensure regulatory compliance Focus is on making IT efficient and effective Copyright Omar Mohamed 2019
  • 25. 5 5 IT Governance Framework(s) CobiT® - Control Objective for Information and Related Technology ValIT® ITIL ISO/IEC38500:2008 Copyright Omar Mohamed 2019 6 6 CobIT® Three Basic Organizational Levels/Responsibilities Board of Directors and Executive Management IT and Business Management Line-Level Governance
  • 26. Divided into four (4) IT Domains Plan and Organize Acquire and Implement Deliver and Support Monitor and Evaluate Includes 34 processes and 210 Control Objectives ISO 17799 Compatible with IT Infrastructure Library (ITIL) Process oriented IT governance framework Codeveloped by IT Governance Institute and ISACA Focus on: Business Risks Control Requirements Compliance Technical Issues Under continuous refinement Copyright Omar Mohamed 2019 7 ValIT® Value Oriented Framework Compatible and complimentary with CobiT®
  • 27. Focus is on leveraging IT investments for maximum value 40 Essential Management Practices (same as CobiT® control objectives) Supports three processes: Value Governance Portfolio Management Investment Management Copyright Omar Mohamed 2019 8 8 ITIL – Information Technology Infrastructure Library Process Oriented Developed in United Kingdom Applicable to both public and private sector Most widely accepted approach to IT service management in the world Focus is on providing guidance to organizations on how to use IT as a tool to facilitate business change, transformation and growth
  • 28. Foundation for ISO/IEC 20000 Five Volumes that map IT service cycle as follows: ITIL Service Strategy ITIL Service Design ITIL Service Transition ITIL Service Operation ITIL Continual Service Improvement Copyright Omar Mohamed 2019 9 9 ISO/IEC 38500:2008 International Standard Focus is on high-level principles for senior executives, directors and advisors of IT Applies to the governance of management processes that are performed at the IT service level Three main sections: Scope, Application and Objectives
  • 29. Framework for Good Corporate Governance of IT Guidance for Corporate Governance of IT Copyright Omar Mohamed 2019 10 10 INFORMATION GOVERNANCE A part of “Corporate Governance” which is the highest level of governance of an organization Processes which are at a higher level than data governance or IT governance Contains and includes both data governance and IT governance Approach focuses on controlling the information that is generated by IT systems, rather than the detailed IT o data capture and quality control processes Goal is to manage and control information assets to lower risk, ensure compliance with regulations and improve information quality and accessibility while implementing security measure to protect and preserve information that has business value Copyright Omar Mohamed 2019 11
  • 30. IMPACT OF SUCCESSFUL INFORMATION GOVERNANCE Enable the use of common terms across the enterprise Development of standard definitions and terms Map Information creation and usage Who Which When Where Information Confidentiality Integrity Validity Accuracy Quality Harvest and Leverage Information Copyright Omar Mohamed 2019 12 DIFFERENCES BETWEEN IG, ITG AND DG Information Governance Overarching policies and processes to optimize and leverage information while keeping it secure and meeting legal and privacy obligations that are consistent with organizational objectives.
  • 31. Higher level approach, incorporating IT Governance and Data Governance IT Governance Following established frameworks and best practices to gain the most leverage and benefit from IT investments and support accomplishment of business objectives Data Governance Consists of processes methods and techniques to ensure that data is of high quality, reliable and unique so that its results are trusted and accurate Copyright Omar Mohamed 2019 13 RELATIONSHIP BETWEEN COROPRATE GOVERNANCE, INFORMATION GOVERNANCE, IT GOVERNANCE AND DATA GOVERNANCE Copyright Omar Mohamed 2019 14 Information Governance IT Governance
  • 32. Data Governance Corporate Governance Thank You Copyright Omar Mohamed 2019 15 15 ITS 833 – INFORMATION GOVERNANCE Chapter 3 – Information Governance Principles
  • 33. Dr. Omar Mohamed Copyright Omar Mohamed 2019 1 CHAPTER GOALS AND OBJECTIVES Know the 10 key principles of IG What are the Generally Accepted Recordkeeping Principles® What is the difference between disposition and destruction Who should be involved in the information governance development process Know the 8 GAR principle Know the 5 GAR Principle Levels Know which of the four area(s) of improvement each of the 8 GAR principles map to Copyright Omar Mohamed 2019 2
  • 34. 10 key principles for the IG approach Executive Sponsorship Information Policy Development and Communication Information Integrity Information Organization and Classification Information Security Information Accessibility Information Control Information Governance Monitoring and Auditing Stakeholder Consultation Continuous Improvement Copyright Omar Mohamed 2019 3 3 The Key to Information Governance Accountability Copyright Omar Mohamed 2019 4
  • 35. Often the root of many problems is that no one is held accountable RECORDING KEEPING PRINCIPLES® Formal Business records account for about 9% of all information in an organization Formal record keeping allows the organization to demonstrate legal compliance, and applicable standards Generally Accepted Recordkeeping Principles® were developed in 2009 by ARMA International to foster awareness of good recordkeeping practices Copyright Omar Mohamed 2019 5 5 Generally Accepted Recordkeeping Principles® Accountability Transparency Integrity Protection
  • 36. Compliance Availability Retention Disposition Copyright Omar Mohamed 2019 6 6 GAR Principles Levels Used to define the characteristics of evolving and maturing Records Management Programs 1. Standard – whether recordkeeping concerns are being addressed 2. In Development – developing recognition that recordkeeping has an impact and benefit from more defined IG program 3. Essential – where defined policies and procedures exist that address minimum legal and regulatory requirements but more action is required to improve recordkeeping 4. Proactive – where information governance issues are integrated into business decisions with organization consistently
  • 37. meeting its legal and regulatory obligations 5. Transformational – Integrated IG into corporate infrastructure and business processes to such an extent that compliance is routine Copyright Omar Mohamed 2019 7 7 RM responsibility at the senior level of executive authority Understanding of regulatory and legal framework Responsibility for ensuring that processes, procedures and governance structures and documentation are developed Development of organization wide audit process for all aspects of RM Reinforce compliance and require accountability GAR PRINCIPLE 1: ACCOUNTABILITY Copyright Omar Mohamed 2019 8 Practices that document processes and promote an
  • 38. understanding of the roles and responsibilities of the stakeholders Policies are formalized and integrated into business processes Must be recognized by senior management Employees must have access to the policies and procedures of RM Employee training Documentation in the form of policies, procedures, guidelines, instructions, diagrams, flowcharts, system documentation, user manuals, etc. GAR PRINCIPLE 2: TRANSPARENCY Copyright Omar Mohamed 2019 9 “Record Integrity”: The records are complete and protected from being altered Record generating systems and repositories are required to be assessed to determine record keeping capabilities. Here a formalized process is required to be in place for acquiring or developing new systems, required for lifecycle management of records. Record integrity is confirmed by ensuring that records are created by competent authority based upon established principles
  • 39. GAR PRINCIPLE 3:INTEGRITY Copyright Omar Mohamed 2019 10 This is where organizations ensure that the records are unaltered through loss, tampering or corruption Applies to both physical and electronic records GAR PRINCIPLE 4: PROTECTION Copyright Omar Mohamed 2019 11 There should be a process for development and training of the fundamentals of compliance monitoring Compliance monitoring involves reviewing and inspecting different facets or records management Compliance monitoring is carried out by audits, whether that be internal audits, external organizations or by records management and must be performed routinely GAR PRINCIPLE 5: COMPLIANCE Copyright Omar Mohamed 2019 12
  • 40. Process of evaluating how effectively and efficiently records and information are stored and retrieved using existing equipment, networks and software of the organization Intended to identify current and future requirements and recommendations for new systems where appropriate GAR PRINCIPLE 6: AVAILABILITY Copyright Omar Mohamed 2019 13 This is the function of preserving and maintaining records for continuing use A retention schedule is created to identify actions needed to fulfill requirements for retention and disposal of records and to identify and establish authority for employees who will be responsible for retention, destruction and transfer of records Must identify the scope of the different jurisdictions that impose control over record in each location where the company does business Includes “records appraisal” – process of assessing the value and risk of records to determine their retention and destruction requirements-part of records retention schedule
  • 41. Record retention period – length of time that records should be retained and actions taken for them to be destroyed or preserved Document research performed to identify jurisdictional and legal requirements for record retention GAR PRINCIPLE 7: RETENTION Copyright Omar Mohamed 2019 14 Disposition is the last stage in the life cycle of records When records are required to be retained permanently or on a long term basis they should be “archived” for preservation Should be part of record retention schedule When destroyed, destruction must be in a controlled and secure manner in accordance with disposal instructions Document destruction of record Maintain an audit trail of the destruction of records Must have someone designated to oversee destruction of records GAR PRINCIPLE 8: DISPOSITION Copyright Omar Mohamed 2019 15
  • 42. Disposition of records is not the same as destruction of records. Destruction may be one of the disposal options Methods of Disposition Discard-Standard for non-confidential records Shred – Confidential and sensitive records Archive – For records retained permanently or for long-term periods Imaging – Conversion from a physical record to digital images prior to destruction of paper records Purge – This involves the removal of material based upon specific criteria. Generally applicable to structured database records and applications Copyright Omar Mohamed 2019 16 16 Generally Accepted Recordkeeping Principles® maturity model is used to identify a company’s areas in need of improvement. Principles are mapped to four (4) improvement areas: Roles and responsibilities
  • 43. Policies and Procedure Communication and Training Systems and automation Copyright Omar Mohamed 2019 17 17 MAPPING OF IMPROVEMENT AREAS FOR GENERALLY ACCEPTED RECORDKEEPING PRINCIPELS® Copyright Omar Mohamed 2019 18Improvement Area AccountabilityTransparencyIntegrityProtectionComplianceAvail abilityRetentionDispositionRoles and
  • 44. 18 WHO SHOULD DETERMINE THE IG POLICIES? Steering Committee or Board Headed by executive sponsor
  • 45. Include cross-functional groups Key business units IT Finance Risk Compliance Records Management Legal Training is essential Review the Sample Assessment Report and Road Map in Table 3.3, Page 36 and 37 of text book Copyright Omar Mohamed 2019 19 The End Copyright Omar Mohamed 2019 20 20
  • 46. ITS 833 – INFORMATION GOVERNANCE Chapter 4 Information Risk Planning and Management Dr. Omar Mohamed Copyright Omar Mohamed 2019 1 1 CHAPTER GOALS AND OBJECTIVES Be able to outline the progressive steps involved in developing an information risk management plan Know what is meant by “risk” and a “risk profile” Know the different ways one would go about creating a risk profile Know how one would go about conducting a risk assessment Know what an information risk mitigation plan is Copyright Omar Mohamed 2019 2
  • 47. 2 What is the purpose of Information Risk Planning? Identify potential risks to information Weighing risks against each other Creating strategic plans for risk mitigation Creating policies Develop Metrics Applying metrics to measure progress Audit and feedback Copyright Omar Mohamed 2019 3 3 Steps in Information Risk Planning and Management Step 1: Survey and Determine Legal and Regulatory Applicability and Requirements Step 2: Specify IG Requirements to Achieve Compliance Step 3: Create a Risk Profile
  • 48. Step 4: Perform Risk Analysis and Assessment; Step 5: Develop an Information Risk Mitigation Plan; Step 6: Develop Metrics and Measure Results; Step 7: Execute The Risk Mitigation Plan; Step 8: Audit the Information Risk Mitigation Program
    Step 1: Survey and Determine Legal and Regulatory Applicability and Requirements. Conduct Legislative Research – Legal requirements trump all other requirements; Identify the jurisdiction(s) where the company operates: Federal, Provincial (international), State, Municipal; Approaches to legal research for retention, privacy and security laws: Records retention citation service (Example: FILELAW®)
  • 49. Use online or print resources (Example: Code of Federal Regulations “CFR”)
    Step 2: Specify IG Requirements to Achieve Compliance. Compile list of external compliance requirements; Map data, document, and records to external compliance requirements; Devise a method of keeping legal and records management staff apprised of changes in regulations; Reconcile Internal IG retention requirements with external compliance requirements
  • 50. Step 3: Create a Risk Profile. “RISK” – Effect of uncertainty on objectives¹. “RISK PROFILE” – Description of a set of risks². A part of Enterprise Risk Management. Considerations for creating a Risk Profile: Frequency; External Resources; Stakeholders. (“ISO 31000 2009 Plain English, Risk Management Dictionary”, www.praxiom.com/iso-31000-terms.htm)
    Included in Risk Profile: Identification, documentation, assessment and prioritizing risk that an organization may face in pursuing a business objective. Timeline: Projections 3 to 5 years into future; Create annually; Updated or reviewed semiannually
  • 51. Step 3, Continued. Types of Risk Profile Methodology: Top-10 list – simple listing and ranking of top 10 risks in relation to the objective; Risk Map – Visual tool, easy to grasp, grid depiction of a likelihood axis and impact axis, generally rated on a 1 to 5 scale; Heat Map – color-coded matrix generated by stakeholders voting on risk by color (red is highest risk)
    Step 3, Continued. Information Gathering for Risk Profile: Surveys; Person-to-Person Interviews: Give interviewees questions in advance
  • 52. Schedule interviews at convenient times and places; Keep interviews as short as possible; Include questions about: Access and Security policies, Policy development, Policy adherence, Retention of email, Legal Hold policies, Record Retention, Record destruction, Training and Communications; Consider key events and changes that will impact risk; Generate a list of risks and categorize (Example: natural disasters, regulatory, safety, competitive, etc.)
    Step 4: Perform Risk Analysis and Assessment. Five steps for Risk Assessment: Identify the risks – The output of Risk Profile; Determine Potential Impact – Include calculations for range of
  • 53. economic impact in dollars where available. Be as specific as possible; Evaluate Risk Levels and Probabilities and Recommend Action – Recommendations for new procedures, new processes, new investments in IT, and other risk mitigation methods; Create a Report with recommendations and implement – include risk assessment table where available, include written recommendations, implement; Review periodically – at least annually but as appropriate for your organization
    Step 5: Develop an Information Risk Mitigation Plan. What is a Risk Mitigation Plan? A plan which includes: Options to reduce specific risks and increase the likelihood of achieving objectives; Tasks to reduce specific risks and increase the likelihood of achieving objectives; Timetable for implementation of risk mitigation measures
  • 54. Milestones for implementing risk mitigation measures; Timetable/Milestones for IT acquisitions; Timetable/Milestones for assigning roles and responsibilities
    Step 6: Develop Metrics and Measure Results. Assign quantitative measures that are: Meaningful; Measure progress. What are relevant metrics? – Must be relevant to your organization. Examples are: Reduce the data lost on stolen or misplaced laptops and mobile devices by ___% over the prior year; Reduce the number of hacker intrusion events by ___ over prior year; Reduce e-discovery costs by ___% over prior year; Reduce the number of adverse findings in the risk and compliance audit by ___% over last year; Provide information risk training to ___% of knowledge level workers this year
  • 55. Provide confidential messaging services for the organization’s top ___ executives this year
    Step 7: Execute Your Risk Mitigation Plan. Set up regular project/program team meetings; Develop Key Reports on key risk mitigation metrics; Manage the process; Use Project management tools and techniques; Clear and concise communication with the IG team on progress and status
    Step 8: Audit the Information Risk Mitigation Program. Key tools in the audit process?
  • 56. Metrics used to measure risk mitigation effectiveness; Use Audit results for further redevelopment and fine tuning of the risk mitigation program; Don’t misuse the audit results – Don’t use it to beat up on people – Use it for feedback and improvement
    The End
    ITS 833 – INFORMATION GOVERNANCE, Chapter 5
  • 57. Strategic Planning and Best Practices for Information Governance. Dr. Omar Mohamed
    CHAPTER GOALS AND OBJECTIVES: Be able to explain the general steps required in the strategic planning for an IG Plan; Be able to identify key Best Practices as they relate to strategic planning for an IG Plan
  • 58. First Step in Strategic Planning for Information Governance Program: Secure commitment/sponsorship of executive management; Resource acquisition: Time, Labor/Manpower, $$$; Accountability. But who?? Suggested: Chief Compliance Officer, Chief Information Officer, Chief Executive Officer
    Crucial Roles: So what is the role of this Executive Sponsor? Budget; Planning and Control; Decision Making; Expectation Management
  • 59. Anticipation/Runs Interference for PM; Approval
    What is the role of the Project Manager? Keep Executive Sponsor apprised of progress; Implement/oversee daily tasks; Track detailed progress; Involve Executive Management only when necessary to do so
    EVOLVING ROLE OF EXECUTIVE SPONSOR. The Role of the Executive Sponsor will change over the lifecycle of the IG program implementation; Initial involvement requires greater TIME investment by executive management; Early Implementation – Visible and Accessible; Post-Implementation – Responsible for maintenance – ongoing
  • 60. communication with PM
    THE IG TEAM. Who Should Be On Your IG Team? Take a Cross-Functional Approach. Required: Executive Sponsor, Legal Department or Outside Attorney, IT Department, Senior Records Officer, Risk Management Specialist, IG Program Manager. Elective: Human Resources Analyst, Rep from different business units or departments
  • 61. ASSIGNMENT OF ROLES AND RESPONSIBILITIES. Executive Sponsor – designation of roles for: Project Manager – Possibly from Legal, Compliance, Risk management, Records Management or IT; Logically each IG team member takes responsibility for their functional area of expertise; Pair up team members or assign small work groups. Resulting output of team effort: Final Draft of the IT strategic plan – Should be in a form ready to align with organizational strategic plan
  • 62. ALIGNMENT OF IG PLAN TO ORGANIZATIONAL STRATEGIC PLAN. IG Plan MUST support the achievement of the Organization’s business objectives and its strategic plan; IG Plan MUST be integrated with the IT strategy; Decisions must be made with regard to the use of E-Discovery techniques like predictive coding technology in early case assessment and software that uses artificial intelligence; Must take resource allocation into consideration
    SURVEY AND EVALUATE EXTERNAL FACTORS. What External Factors? IT Trends – What new is coming online? What new is being developed? Which are too risky? What is the plan for long term digital preservation?
  • 63. Business Conditions and Economic Environment – Where is the industry/country in the recurring business cycle? What is the state of business conditions in your industry? Relevant Legal, Regulatory and Political Factors – Identify regulation affecting your industry. What is expected of future and anticipated regulation? Industry Best Practices – Survey your industry. What is your more progressive competition doing? Will you use 3rd Party consultants? See Sample IG Best Practices taken from different areas/industries on pages 61-64
    FORMULATING THE IG STRATEGIC PLAN. Synthesize Information – Make the plan relevant to the information. Don’t linger; Develop IG strategy for each critical area; Maintain focus by developing IG strategy without regard to prioritizing critical areas; Prioritize Strategies and map to organizational goals and
  • 64. objectives; Develop Actionable Plans to Support Organizational Objectives and Goals; Develop policies and plans that identify specific tasks and steps, and define roles and responsibilities; Build checks and audits and other testing methods; Create New IG Programs to Support Business Goals and Objectives; Launch new “Sub-Programs” within the IG program; Assign specific employee responsibility to specific tasks; Have defined timeframes for subprograms; Piece together subprograms; Draft IG Strategic Plan and Gain Input from Broader Group of Stakeholders; Get Buy-in and Sign-Off and Execute Plan; Answer questions of top level management; Address concerns; Get them to buy-in to the program and sign off on it
  • 65. The end