Information governance: Blind men, meet your elephant


Information governance: Blind men, meet your elephant
Patrick Cunningham, FAI
Senior Director, Information Governance, Motorola Solutions

Information Governance
It’s E-discovery
It’s Data Management
It’s Records Management 2.0
It’s Information Security

Progress? Or buzzword bingo?
Records Management
Records and Information Management
Knowledge Management
Strategic Information Management
Content Management
Information Governance

For every perspective, a different viewpoint
Constituencies / Functions (as shown on the slide’s diagram): Records Managers, Information Security, Lawyers, IT Staff, Information Security, Data Science, Electronic Discovery, Business Management, Compliance, Business Intelligence, Analytics, Records Management, Finance, Audit, Privacy, Risk Management, IT and Infrastructure Mgmt
Source: http://iginitiative.com/mission/

Business drivers
Litigation
Cost
Compliance
Risk
Security

Gartner on information governance
Gartner defines information governance as the specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.
Source: http://blogs.gartner.com/it-glossary/information-governance/

EDRM and IGRM
Source: http://www.edrm.net

2014 Annual Report Sneak Peek: Our Definition of Information Governance

What is information governance? We are asked this question all the time. After all, we are the “Information Governance” Initiative. We thought it was important to have a clear answer. Today, with the help of our community, we are providing that answer.

But first, a word about definitions. Definitions certainly are important – we have to speak the same language to have a conversation. But the words used to define IG are less important than the concepts. And the definition you use is less important than having a common understanding among your IG team. We hope to provide a starting point for that common understanding in the form of a definition that has broad support from the information governance community.

Also, keep in mind that you are really asking at least three separate questions when you ask, “What is information governance?”

The Concept: What is IG? Impressions regarding the central ideas and organizing principles of IG. To date, most public discussion of IG has happened at this level, which is to be expected given the relative immaturity of IG as a distinguishable pursuit or discipline. The definition we are providing today hits this level.

The Market: What do I buy? The conceptualization of IG as a market for products and services. We did not attempt a market sizing as we believe that is a domain well-covered by analyst firms, but we were curious about whether IG is perceived as a market, and if so, what are the dimensions of that market. Our upcoming 2014 Annual Report also hits this level.

The Work: What do I do? The dimensions of IG as an activity that is undertaken by organizations. IG as an operational model. What are people doing, and how are they doing it? What are their plans? Our upcoming 2014 Annual Report also hits this level.

In any case, we proposed a definition to our community as part of our upcoming 2014 Annual Report, and they overwhelmingly supported it. 93% said they agreed with the definition.

Information governance is: The activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.

Remarkably, as the graphic shows, there was also incredibly strong agreement among those who provide IG products and services, those who consume them, and those who cover the space. This agreement shows that the IG market is starting to mature and bodes well for IG practitioners. We have already been testing out our definition in some of our advocacy work, which you can see here. If you find value in our definition, then use it. If not, find a way to define IG in your organization that will maximize the chance of IG being taken up as a central concept in the way you manage information. In either case, join us in mapping the way forward.

We are excited to be able to release this infographic under a Creative Commons license that enables you to freely use it as you build support for information governance at your organization. In fact, since this graphic will likely end up in your PowerPoint presentations, we have done some of the homework for you and provided a PPT deck that includes the graphic and speaker notes. Stay tuned for more infographics and PPT decks in the coming weeks as we leak key data from our 2014 Annual Report ahead of its official publication in August 2014.

The Sedona Conference says…
“Information Governance” as used in this Commentary means an organization’s coordinated, inter-disciplinary approach to satisfying information compliance requirements and managing information risks while optimizing information value. As such, Information Governance encompasses and reconciles the various legal and compliance requirements and risks addressed by different information-focused disciplines, such as records and information management (“RIM”), data privacy, information security, and e-discovery. Understanding the objectives of these disciplines allows functional overlap to be leveraged (if synergistic); coordinated (if operating in parallel); or reconciled (if in conflict). The position of The Sedona Conference® is that Information Governance should involve a top-down, overarching framework, informed by the information requirements of all information stakeholders that enable an organization to make decisions about information for the good of the overall organization and consistent with senior management’s strategic directions.
Source: The Sedona Conference® Commentary on Information Governance, December 2013

Vendor-centric model (SAP)
Source: http://scn.sap.com/community/enterprise-information-management/blog/2014/07/08/new-information-governance-model-from-sap

INFORMATION GOVERNANCE AND LEGAL SUPPORT (organization chart)
Key Constituents: Labor Law, Contract Law, Litigation, OEC, Privacy Committee, HR, Information Authorities, Knowledge Champions, Internal Audit, Finance
Activity areas: Law Department Support, Compliance Activities, Governance Activities
Responsibilities: IT SOX Audit, PCI Audit, Records Certification, Discovery, Investigations, Defensive Monitoring
Responsibilities: iProtect Policy and Controls, Records Policy / Retention, IPSE & Contract Support, Operational Readiness, Exceptions, MA&D, Training, Customer Risk Questionnaires, Server Decommissioning
Responsibilities: Application Development, Software Engineering, Software Architecture, Risk Mitigation
Reports to: Sr. Director, Information Security; Chief Information Officer; SVP, IT and Marketing; CEO

This model…
Is very tightly aligned with Legal, IT and Information Security
Is control-based and auditable
Drives a set of non-functional requirements into new IT systems and tools
Understands risk (contractual and technology)
Connects IT, InfoSec, Legal, Procurement, and Finance
Has limited business connections
Has limited records management activity

At the core…
Records management principles
Understanding the lifecycle
Understanding the implications of the “where”
“If you don’t know where it is, you can’t protect it.”

Value, value… value?
If your commercial records center loses a box, how much do they pay you?
The story of the $10 million box of records
Compliance, regulatory, litigation value
Value in the real world
Not reinventing the wheel
Finding value in Big Data
“Thar be dragons”
“If you don’t know where it is, you can’t leverage it.”

Pat’s viewpoint
Prevent loss of data that matters.
Support legal discovery process
Define and manage defensible disposition
Drive information to secure, common repositories
Identify, locate, and secure sensitive and proprietary information
Communicate and train secure behaviors
Minimize disruption to the business.
Balance controls to risk appetite
Deliver simple, effective tools
Reduce and mitigate threats
Ensure appropriate behaviors
Meet compliance requirements

Data that matters?
Let’s not get hung up on the term
You can use “information” if you like
But let’s stay away from “records”
Why? Defining a “record” for us is akin to astronomers debating whether Pluto is a major planet or a minor planet
(Yes, I know you’re mostly lawyers out there)

Netting it out – information governance is:
A system of policies, controls, procedures, and tools
Governing the lifecycle of an organization’s data that matters
Ensuring appropriate ease of access when needed and defensible disposition when no longer needed
Limiting business disruption
While maintaining appropriate security
Within an auditable framework
In line with the organization’s risk appetite and regulatory environment.

Make sense?
Information Governance: A system of policies, controls, procedures, and tools governing the lifecycle of an organization’s data that matters. This system ensures appropriate ease of access to data when needed and defensible disposition of data when no longer needed. This system limits business disruption, while maintaining appropriate security, within an auditable framework in line with the organization’s risk appetite and regulatory environment.

Thank you!