Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presenters: Margaret Hermesmeyer, MLIS, CRMKevin Waldrup, MBA, CRM Chief, Records Management Division Records Management Administrator Office of the Attorney.

Published byConstance Bailey Modified over 8 years ago

Similar presentations

Presentation on theme: "Presenters: Margaret Hermesmeyer, MLIS, CRMKevin Waldrup, MBA, CRM Chief, Records Management Division Records Management Administrator Office of the Attorney."— Presentation transcript:

1 Presenters: Margaret Hermesmeyer, MLIS, CRMKevin Waldrup, MBA, CRM Chief, Records Management Division Records Management Administrator Office of the Attorney General of TexasCity of Austin Health & Human Services Department Maximizing the Value of Information Applying RIM Principles and Technology for Managing Records and Information

2 Upon completion of this seminar, participants will be able to:  Identify how The Generally Accepted Recordkeeping Principles® (the Principles) may be applied to electronic records and information  Identify appropriate information management practices that are compliant with the Principles  Recognize how an organization may improve compliance, efficiency and effectiveness of information management by appropriately applying the Principles and technology  Recognize how an organization may maximize the value of its information by appropriately applying the Principles and technology Learning Objectives

3 The Generally Accepted Recordkeeping Principles ®  The Generally Accepted Recordkeeping Principles® Citation and Copyright Information About ARMA International and the Generally Accepted Recordkeeping Principles® ARMA International (www.arma.org) is a not-for-profit professional association and the authority on information governance. Formed in 1955, ARMA International is the oldest and largest association for the information management profession with a current international membership of more than 10,000. It provides education, publications, and information on the efficient maintenance, retrieval, and preservation of vital information created in public and private organizations in all sectors of the economy. It also publishes Information Management magazine, and the Generally Accepted Recordkeeping Principles®. More information about the Principles can be found at www.arma.org/principles.

4 The Principles ARMA International The Generally Accepted Recordkeeping Principles®  The Principles provide characteristics of an effective information governance program  Information Governance (IG) is defined several ways: Gartner defines IG as: An accountability framework that includes the processes, roles, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals The Institute for Information Governance defines it as: IG is the policy-based control of information to maximize value and meet legal, regulatory, risk, and business demands

5 The Principles ARMA International The Generally Accepted Recordkeeping Principles®  Records and Information Management (RIM) is a critical part of IG ARMA defines RIM as: The management of recorded information, regardless of medium or characteristics, made or received and retained by an organization in pursuance of legal obligations or in the transaction of business  Examples of other industry accepted principles Generally Accepted Accounting Principles (GAAP) Generally Accepted Privacy Principles (GAPP)  The Generally Accepted Recordkeeping Principles align with ISO 15489 ISO 15489 is the International Standard for Information and Documentation -Records Management: Part 1 is General and Part 2 provides Guidelines

6 The Principles ARMA International The Generally Accepted Recordkeeping Principles®  The Life Cycle of Information and Records Creat e or Recei ve Activ e Phase Freque nt Use & Access Activ e Phase Freque nt Use & Access Inactive Phase Infrequent use & access Need to maintain until records retention period has been met Inactive Phase Infrequent use & access Need to maintain until records retention period has been met Dispos ition Destroy or Transfer (For example, transfer to an archives) Dispos ition Destroy or Transfer (For example, transfer to an archives)

7 The Principles ARMA International The Generally Accepted Recordkeeping Principles®  8 Principles Accountability Integrity Protection Compliance Availability Retention Disposition Transparency

8 The Principles ARMA International The Generally Accepted Recordkeeping Principles®  1) Principle of Accountability An organization shall assign a senior executive who will oversee a recordkeeping program and delegate program responsibility to appropriate individuals, adopt policies and procedures to guide personnel, and ensure program auditability.

9 The Principles ARMA International The Generally Accepted Recordkeeping Principles®  2) Principle of Integrity An information governance program shall be constructed so the information generated by or managed for the organization has a reasonable and suitable guarantee of authenticity and reliability.

10 The Principles ARMA International The Generally Accepted Recordkeeping Principles®  3) Principle of Protection An information governance program shall be constructed to ensure a reasonable level of protection for records and information that are private, confidential, privileged, secret, classified, or essential to business continuity or that otherwise require protection.

11 The Principles ARMA International The Generally Accepted Recordkeeping Principles®  4) Principle of Compliance An information governance program shall be constructed to comply with applicable laws and other binding authorities, as well as with the organization’s policies.

12 The Principles ARMA International The Generally Accepted Recordkeeping Principles®  5) Principle of Availability An organization shall maintain records and information in a manner that ensures timely, efficient, and accurate retrieval of needed information.

13 The Principles ARMA International The Generally Accepted Recordkeeping Principles®  6) Principle of Retention An organization shall maintain its records and information for an appropriate time, taking into account its legal, regulatory, fiscal, operational, and historical requirements.

14 The Principles ARMA International The Generally Accepted Recordkeeping Principles®  7) Principle of Disposition An organization shall provide secure and appropriate disposition for records and information that are no longer required to be maintained by applicable laws and the organization’s policies.

15 The Principles ARMA International The Generally Accepted Recordkeeping Principles®  8) Principle of Transparency An organization’s business processes and activities, including its information governance program, shall be documented in an open and verifiable manner, and that documentation shall be available to all personnel and appropriate interested parties.

16 The Principles ARMA International The Generally Accepted Recordkeeping Principles®  Key Concept Information and information systems are linked with an organization’s activities:  Include important elements for the function of the organization  Support activities of the organization  Facilitate activities through improved workflows and predictive capabilities  Document and assist in compliance with applicable laws, regulations and standards

17 The Principles ARMA International The Generally Accepted Recordkeeping Principles®  Key Concept Information must be managed to effectively support the organization:  Information life cycle management  Information in all formats and on all media

18 The Principles ARMA International The Generally Accepted Recordkeeping Principles®  Key Concept The Principles are comprehensive and general  Provide the characteristics of an effective IG program  Allow flexibility in application

19 Information Governance Maturity Model ARMA International Information Governance Maturity Model ARMA International

20  What is the Information Governance Maturity Model? The IG Maturity Model defines the characteristics of the Principles at various levels of the IG program The IG Maturity Model consists of 5 levels  Level 1 (Sub-Standard)  Level 2 (In Development)  Level 3 (Essential)  Level 4 (Proactive)  Level 5 (Transformational)

21 Information Governance Maturity Model ARMA International  Level 1 (Sub-Standard) Recordkeeping concerns are either not addressed at all, or are addressed in a very ad hoc manner Organizations that identify primarily with these descriptions should be concerned that their programs will not meet legal or regulatory scrutiny

22 Information Governance Maturity Model ARMA International  Level 2 (In Development) There is a developing recognition that recordkeeping has an impact on the organization, and that the organization may benefit from a more defined information governance program The organization is still vulnerable to legal or regulatory scrutiny since practices are ill-defined and still largely ad hoc in nature

23 Information Governance Maturity Model ARMA International  Level 3 (Essential) The essential or minimum requirements are addressed meeting the organization's legal and regulatory requirements There are defined policies and procedures, and more specific decisions taken to improve recordkeeping May still be missing significant opportunities for streamlining business and controlling costs

24 Information Governance Maturity Model ARMA International  Level 4 (Proactive) This is an organization that is initiating information governance program improvements throughout its business operations Information governance issues and considerations are integrated into business decisions on a routine basis, and the organization easily meets its legal and regulatory requirements Organizations that identify primarily at this level should begin to consider the business benefits of information availability in transforming their organizations globally

25 Information Governance Maturity Model ARMA International  Level 5 (Transformational) The organization has integrated information governance into its overall corporate infrastructure and business processes to such an extent that compliance with the program requirements is routine The organization has recognized that effective information governance plays a critical role in cost containment, competitive advantage, and client service

26 Information Governance Maturity Model ARMA International  Applying the Maturity Model Across the Principles Evaluate the organization’s current information practices and the IG program Identify business needs to improve through improved information practices Identify risks that can be reduced with improved information practices Design a realistic improvement strategy

27 Information Governance Maturity Model ARMA International  Review: The Principle and Maturity Model Levels Principle of Accountability - An organization shall assign a senior executive who will oversee a recordkeeping program and delegate program responsibility to appropriate individuals, adopt policies and procedures to guide personnel, and ensure program auditability Maturity Model Levels Level 1 (Sub-Standard) – Recordkeeping concerns are not addressed systematically Level 2 (In Development) – Developing recognition for the benefits of recordkeeping Level 3 (Essential) – Essential or minimum requirements are addressed Level 4 (Proactive) - Initiating IG program improvements across its business operations Level 5 (Transformational) - IG is integrated into its overall corporate infrastructure and business processes to such an extent that compliance with the program requirements is routine

28 Information Governance Maturity Model ARMA International  Principle of Accountability - Level 1 (Sub-Standard) Emphasis is not placed on the importance of IG  No senior executive is responsible for records or information  The Records Manager role is largely non-existent  The records manager role may be a clerical role shared across employees, the chief information governance officer and the records manager Information assets may not be managed, or not managed consistently

29 Information Governance Maturity Model ARMA International  Principle of Accountability - Level 2 (In Development) No senior executive is responsible for records or information Records Manager role is recognized  Role is responsible only for tactical management of records  Role is not responsible for developing policies and procedures for all information assets  Records Manager is not involved in discussions and planning for electronic systems Existing program may only address paper records IT is the assumed lead for electronic records storage Information is not stored in a systematic manner Organization is aware of the need to govern its broader information assets

30 Information Governance Maturity Model ARMA International  Principle of Accountability - Level 3 (Essential ) Senior management is aware of the records management program Records Manager role is recognized within the organization  Responsible for the tactical operation of the established records management program  Responsible for the records management program on an organization-wide basis  Actively engaged in strategic information and records management initiatives with other officers of the organization Organization includes electronic records as part of the records management program Organization envisions a broader-based information governance program to direct various information-driven processes throughout the enterprise Organization has defined specific goals related to accountability

31 Information Governance Maturity Model ARMA International  Principle of Accountability - Level 4 (Proactive) Organization has appointed an IG professional  The Records Management Program is an element of the IG Program  This IG professional is responsible for the IG Program and oversees the Records Management Program The Records Manager is a senior officer responsible for all tactical and strategic aspects of the Records Management Program There is a stakeholder committee  Members of the committee represent all functional areas of the organization  The committee meets periodically to review records management related issues

32 Information Governance Maturity Model ARMA International  Principle of Accountability - Level 5 (Transformational) Significant emphasis is placed on information governance Organization has appointed an IG professional  The records manager directs the records management program  The records manager reports directly to the chief information governance officer The chief IG officer and the records manager are essential members of the organization’s governing body The organization’s initial goals related to accountability have been met Goals for accountability are routinely reviewed and revised

33 Information Governance Maturity Model ARMA International  Review: The Principle and Maturity Model Levels Principle of Integrity - An information governance program shall be constructed so the information generated by or managed for the organization has a reasonable and suitable guarantee of authenticity and reliability Maturity Model Levels Level 1 (Sub-Standard) – Recordkeeping concerns are not addressed systematically Level 2 (In Development) – Developing recognition for the benefits of recordkeeping Level 3 (Essential) – Essential or minimum requirements are addressed Level 4 (Proactive) - Initiating IG program improvements across its business operations Level 5 (Transformational) - IG is integrated into its overall corporate infrastructure and business processes to such an extent that compliance with the program requirements is routine

34 Information Governance Maturity Model ARMA International  Principle of Integrity – Level 1 (Sub-Standard) There are no systematic audits There are no defined processes Various organizational functions use ad hoc methods to demonstrate authenticity and chain of custody

35 Information Governance Maturity Model ARMA International  Principle of Integrity – Level 2 (In Development) Some organizational records and information are stored with their respective metadata that demonstrate authenticity Metadata storage and chain of custody methods are acknowledged to be important  However: No formal process is defined for metadata storage and chain of custody Different departments handle metadata storage and chain of custody as they determine is appropriate

36 Information Governance Maturity Model ARMA International  Principle of Integrity – Level 3 (Essential) The organization has defined specific goals related to integrity There is a formal process to ensure that the required level of authenticity and chain of custody can be applied to information systems and processes Appropriate data elements are captured to demonstrate compliance with the policy

37 Information Governance Maturity Model ARMA International  Principle of Integrity – Level 4 (Proactive) The metadata definition process is an integral part of the records management practice in the organization Metadata requirements are defined for all systems, business applications, and records to ensure the authenticity of records and information Metadata requirements include:  Security and signature requirements and  Chain of custody as needed to demonstrate authenticity

38 Information Governance Maturity Model ARMA International  Principle of Integrity – Level 5 (Transformational) The organization’s initial goals related to integrity have been met, and it has an established process to ensure its goals for integrity are routinely reviewed and revised There is a formal, defined process for introducing new record- generating systems, capturing their metadata, and meeting other authenticity requirements, including chain of custody Integrity controls of records and information are reliably and systematically audited

39 Information Governance Maturity Model ARMA International  Review: The Principle and Maturity Model Levels Principle of Protection - An information governance program shall be constructed to ensure a reasonable level of protection for records and information that are private, confidential, privileged, secret, classified, or essential to business continuity or that otherwise require protection Maturity Model Levels Level 1 (Sub-Standard) – Recordkeeping concerns are not addressed systematically Level 2 (In Development) – Developing recognition for the benefits of recordkeeping Level 3 (Essential) – Essential or minimum requirements are addressed Level 4 (Proactive) - Initiating IG program improvements across its business operations Level 5 (Transformational) - IG is integrated into its overall corporate infrastructure and business processes to such an extent that compliance with the program requirements is routine

40 Information Governance Maturity Model ARMA International  Principle of Protection – Level 1 (Sub-Standard) No consideration is given to information protection Records and information are stored haphazardly Protection of records and information is provided by various groups and departments There are no centralized access controls

41 Information Governance Maturity Model ARMA International  Principle of Protection – Level 2 (In Development) Some protection of information assets is exercised There is a written policy for records and information that require a level of protection, however:  Does not give clear & definitive guidelines for all information in all media types  Does not address how to exchange records and information among internal/external stakeholders Guidance for employees is not uniform or universal  Employee training is not formalized Access controls are implemented by individual content owners

42 Information Governance Maturity Model ARMA International  Principle of Protection – Level 3 (Essential) The organization has a formal written policy for protecting records and information  Confidentiality and privacy considerations are well-defined within the organization  The importance of chain of custody is defined  The organization has defined specific goals related to records and information protection The organization has a formal written policy for centralized access controls Training for employees is available Records and information audits are conducted only in regulated areas of the business  Audits in other areas may be conducted, but they are left to the discretion of each functional area

43 Information Governance Maturity Model ARMA International  Principle of Protection – Level 4 (Proactive) The organization has implemented systems that provide for the protection of the information Employee training is formalized and well-documented Auditing of compliance and protection is conducted on a regular basis

44 Information Governance Maturity Model ARMA International  Principle of Protection – Level 5 (Transformational) Great value is placed on the protection of information by the executives, senior management, and other governing bodies such as the board of directors The organization’s initial goals related to protection have been met There is an established process to ensure the goals for protection are routinely reviewed and revised  Audit information is regularly examined  Continuous improvement is undertaken Inappropriate or inadvertent information disclosure or loss incidents are rare

45 Information Governance Maturity Model ARMA International  Review: The Principle and Maturity Model Levels Principle of Compliance - An information governance program shall be constructed to comply with applicable laws and other binding authorities, as well as with the organization’s policies Maturity Model Levels Level 1 (Sub-Standard) – Recordkeeping concerns are not addressed systematically Level 2 (In Development) – Developing recognition for the benefits of recordkeeping Level 3 (Essential) – Essential or minimum requirements are addressed Level 4 (Proactive) - Initiating IG program improvements across its business operations Level 5 (Transformational) - IG is integrated into its overall corporate infrastructure and business processes to such an extent that compliance with the program requirements is routine

46 Information Governance Maturity Model ARMA International  Principle of Compliance– Level 1 (Sub-Standard) There is no central oversight or guidance and no consistently defensible position on information governance There is no clear understanding or definition of the information or records the organization is obligated to maintain Information is not systematically managed Poor compliance practices expose the organization to significant adverse consequences

47 Information Governance Maturity Model ARMA International  Principle of Compliance – Level 2 (In Development) The organization has identified some of the rules and regulations that govern its business The organization has introduced some compliance policies and good information management practices around those policies Policies are not complete There are no structured accountability processes or controls for compliance There is a disposition hold process, however  The disposition hold process is not well-integrated with the organization’s information management and discovery processes  The organization does not have full confidence in the disposition hold process

48 Information Governance Maturity Model ARMA International  Principle of Compliance – Level 3 (Essential) Compliance is highly valued and measurable, and suitable records and information demonstrating the organization’s compliance are maintained  The organization has defined specific goals related to compliance  The organization has identified key compliance laws and regulations The organization has a code of business conduct that is integrated into its overall information governance structure and policies Information creation and capture are in most cases systematically carried out in accordance with information management principles The disposition hold process is integrated into the organization’s information management and discovery processes for the critical systems, and it is generally effective The organization’s exposure to adverse consequences from poor information management and governance practices is reduced

49 Information Governance Maturity Model ARMA International  Principle of Compliance – Level 4 (Proactive) The organization has implemented systems to capture and protect information The legal, audit, and information production processes are well- managed and effective  Roles are defined  Processes are repeatable Records are linked with the metadata used to demonstrate and measure compliance Employees are trained appropriately Audits are conducted regularly Records are available for appropriate review Lack of compliance is consistently remedied The organization is at low risk of adverse consequences from poor information management and governance practices

50 Information Governance Maturity Model ARMA International  Principle of Compliance – Level 5 (Transformational) Compliance is important  Recognized by senior management  Senior management recognizes records and information management’s role in compliance Compliance goals have been met  Goals for compliance are routinely reviewed and revised  The organization has an established process to ensure its goals for compliance are routinely reviewed and revised  The organization suffers few or no adverse consequences based on failures in information governance or compliance Established auditing and continuous improvement processes are in place The roles and processes for information management and discovery are integrated

51 Information Governance Maturity Model ARMA International  Review: The Principle and Maturity Model Levels Principle of Availability - An organization shall maintain records and information in a manner that ensures timely, efficient, and accurate retrieval of needed information Maturity Model Levels Level 1 (Sub-Standard) – Recordkeeping concerns are not addressed systematically Level 2 (In Development) – Developing recognition for the benefits of recordkeeping Level 3 (Essential) – Essential or minimum requirements are addressed Level 4 (Proactive) - Initiating IG program improvements across its business operations Level 5 (Transformational) - IG is integrated into its overall corporate infrastructure and business processes to such an extent that compliance with the program requirements is routine

52 Information Governance Maturity Model ARMA International  Principle of Availability – Level 1 (Sub-Standard) Records and information are not readily available Difficulty in locating appropriate version There is a lack of finding aids

53 Information Governance Maturity Model ARMA International  Principle of Availability – Level 2 (In Development) Records and information retrieval mechanisms have been implemented in parts of the organization There are some policies for where and how to store official records and information A standard for managing and storing records is not imposed across the organization Inconsistent treatment of information results in increased costs and difficulty responding to legal discovery and information requests

54 Information Governance Maturity Model ARMA Internation al  Principle of Availability – Level 3 (Essential) The organization has defined specific goals related to availability of records and information There are clearly defined policies regarding the management of records and information There is a standard for where and how records and information are:  Stored  Protected  Made available Systems and infrastructure contribute to the availability of records and information

55 Information Governance Maturity Model ARMA International  Principle of Availability – Level 4 (Proactive) Information governance policies have been clearly communicated There are clear guidelines and an inventory that identify and define the systems and their information assets Records and information are consistently and readily available Appropriate systems and controls are in place for legal discovery and information requests Automation is adopted to facilitate the consistent implementation of the hold and information request processes

56 Information Governance Maturity Model ARMA International  Principle of Availability – Level 5 (Transformational) The organization’s goals related to availability have been met There is an organized training and continuous improvement program across the organization There is a measurable return on investment to the organization as a result of records and information availability

57 Information Governance Maturity Model ARMA International  Review: The Principle and Maturity Model Levels Principle of Retention - An organization shall maintain its records and information for an appropriate time, taking into account its legal, regulatory, fiscal, operational, and historical requirements Maturity Model Levels Level 1 (Sub-Standard) – Recordkeeping concerns are not addressed systematically Level 2 (In Development) – Developing recognition for the benefits of recordkeeping Level 3 (Essential) – Essential or minimum requirements are addressed Level 4 (Proactive) - Initiating IG program improvements across its business operations Level 5 (Transformational) - IG is integrated into its overall corporate infrastructure and business processes to such an extent that compliance with the program requirements is routine

58 Information Governance Maturity Model ARMA International  Principle of Retention – Level 1 (Sub-Standard) There is no current, documented records retention schedule or policy Rules and regulations that should define retention are not identified or centralized Retention guidelines are haphazard Employees either keep everything or dispose of records and information based on their own business needs, rather than organizational needs

59 Information Governance Maturity Model ARMA International  Principle of Retention – Level 2 (In Development) A retention schedule and policies are available  But do not encompass all records and information  Did not go through an official review  Are not implemented or well known throughout the organization The retention schedule and policies are not regularly updated or maintained Education and training about the retention policies are not available

60 Information Governance Maturity Model ARMA International  Principle of Retention – Level 3 (Essential) The organization has defined & specific goals related to retention The organization has instituted a policy for records and information retention A formal retention schedule that is compliant with rules and regulations is consistently applied throughout the organization The organization’s employees are knowledgeable about the retention policy The organization’s employees understand their personal responsibilities for records and information retention

61 Information Governance Maturity Model ARMA International  Principle of Retention – Level 4 (Proactive) Records and information retention is a major organizational objective Retention schedules are reviewed on a regular basis, and there is a process to adjust retention schedules, as needed Retention training is in place Employees understand how to classify records and information appropriately

62 Information Governance Maturity Model ARMA International  Principle of Retention – Level 5 (Transformational) Retention is an important item at the senior management and governing body level The organization’s initial goals related to retention have been met The organization has an established process to ensure its goals for retention are routinely reviewed and revised Retention is looked at holistically and is applied to all information in an organization Information is consistently retained for appropriate periods of time

63 Information Governance Maturity Model ARMA International  Review: The Principle and Maturity Model Levels Principle of Disposition - An organization shall provide secure and appropriate disposition for records and information that are no longer required to be maintained by applicable laws and the organization’s policies Maturity Model Levels Level 1 (Sub-Standard) – Recordkeeping concerns are not addressed systematically Level 2 (In Development) – Developing recognition for the benefits of recordkeeping Level 3 (Essential) – Essential or minimum requirements are addressed Level 4 (Proactive) - Initiating IG program improvements across its business operations Level 5 (Transformational) - IG is integrated into its overall corporate infrastructure and business processes to such an extent that compliance with the program requirements is routine

64 Information Governance Maturity Model ARMA International  Principle of Disposition – Level 1 (Sub-Standard) There is no documentation of the processes used to guide the:  Transfer of records and information  Disposition of records and information No disposition hold process for suspending disposition in the event of investigation or litigation is non-existent or is inconsistent across the organization

65 Information Governance Maturity Model ARMA International  Principle of Disposition – Level 2 (In Development) Preliminary guidelines for disposition are established There is a realization of the importance of suspending disposition in a consistent manner, when required There may not be enforcement and auditing of disposition

66 Information Governance Maturity Model ARMA International  Principle of Disposition – Level 3 (Essential) Official procedures for records and information disposition and transfer have been developed Official policy and procedures for suspending disposition have been developed Although policies and procedures exist, they may not be standardized across the organization The organization has defined specific goals related to disposition

67 Information Governance Maturity Model ARMA International  Principle of Disposition – Level 4 (Proactive) Disposition procedures are understood by all and are consistently applied across the enterprise The process for suspending disposition is defined, understood, and used consistently across the organization Records and information in all media are disposed of in a manner appropriate to the information content and retention policies

68 Information Governance Maturity Model ARMA International  Principle of Disposition – Level 5 (Transformational) The disposition process covers all records and information in all media Disposition is assisted by technology and is integrated into all applications, data warehouses, and repositories Disposition processes are consistently applied and effective Processes for disposition are regularly evaluated and improved The organization’s initial goals related to disposition have been met, and it has an established process to ensure its goals for disposition are routinely reviewed and revised

69 Information Governance Maturity Model ARMA International  Review: The Principle and Maturity Model Levels Principle of Transparency - An organization’s business processes and activities, including its information governance program, shall be documented in an open and verifiable manner, and that documentation shall be available to all personnel and appropriate interested parties Maturity Model Levels Level 1 (Sub-Standard) – Recordkeeping concerns are not addressed systematically Level 2 (In Development) – Developing recognition for the benefits of recordkeeping Level 3 (Essential) – Essential or minimum requirements are addressed Level 4 (Proactive) - Initiating IG program improvements across its business operations Level 5 (Transformational) - IG is integrated into its overall corporate infrastructure and business processes to such an extent that compliance with the program requirements is routine

70 Information Governance Maturity Model ARMA International  Principle of Transparency – Level 1 (Sub-Standard) It is difficult to obtain timely information about the organization, its business, or its records management program Business and records and information management processes are not well-defined, and no clear documentation regarding these processes is readily available There is no emphasis on transparency The organization cannot readily accommodate requests for information, discovery for litigation, regulatory responses, freedom of information, or other requests The organization has not established controls to ensure the consistency of information disclosure

71 Information Governance Maturity Model ARMA International  Principle of Transparency– Level 2 (In Development) The organization realizes that some degree of transparency is important in its business processes and records and information management program for business or regulatory needs Although a limited amount of transparency exists in areas where regulations demand it, there is no systematic or organization-wide drive to transparency The organization has begun to document its business and records and information management processes

72 Information Governance Maturity Model ARMA International  Principle of Transparency – Level 3 (Essential) Transparency in business and records and information management is taken seriously, and information is readily and systematically available when needed There is a written policy regarding transparency in business and records and information management Employees are educated on the importance of transparency and the specifics of the organization’s commitment to transparency The organization has defined specific goals related to information governance transparency Business and records and information management processes are documented The organization can accommodate most requests for information, discovery for litigation, regulatory responses, freedom of information, or other requests

73 Information Governance Maturity Model ARMA International  Principle of Transparency– Level 4 (Proactive) Transparency is an essential part of the corporate culture and is emphasized in training The organization monitors compliance on a regular basis Business and records and information management process documentation is monitored and updated consistently Requests for information, discovery for litigation, regulatory responses, freedom of information, or other requests (e.g., from potential business partners, investors, or buyers) are managed through routine business processes

74 Information Governance Maturity Model ARMA International  Principle of Transparency– Level 5 (Transformational) The organization’s senior management considers transparency as a key component of information governance The software tools that are in place assist in transparency Requestors, courts, and other legitimately interested parties are consistently satisfied with the transparency of the processes and the organization’s responses The organization’s initial goals related to transparency have been met, and it has an established process to ensure its goals for transparency are routinely reviewed and revised

75 Using Technology to Maximize Information Value Applying Technology With The Principles

76 “Technology” Defined… “T he collection of techniques, methods or processes used in the production of goods or services or in the accomplishment of objectives, such as scientific investigation. Technology can be the knowledge of techniques, processes, etc. or it can be embedded in machines, computers, devices and factories, which can be operated by individuals without detailed knowledge of the workings of such things.” – Wikipedia “ The use of science in industry, engineering, etc., to invent useful things or to solve problems.” OR “A machine, piece of equipment, method, etc., that is created by technology.” – www.merriam- webster.com/dictionarywww.merriam- webster.com/dictionary

77 Applying Technology With The Principles  Principle of Accountability - An organization shall assign a senior executive who will oversee a recordkeeping program and delegate program responsibility to appropriate individuals, adopt policies and procedures to guide personnel, and ensure program auditability  Ideally there is a senior management position, such as an IG Officer, responsible for ensuring technology decisions are aligned with the organization’s goals  Technology resource decisions are aligned with the organization’s goals  Technology resource allocations are reviewed regularly with appropriate approvals for revision  Technology resources align with compliance requirements and demonstrate compliance

78 Applying Technology With The Principles  Principle of Accountability (Continued)  Clearly define responsibilities for “Technology Team”  Determine how and where to apply technology  Consider the needs of the end users  Develop scope and business case for technology  Document requirements and purpose

79 Applying Technology With The Principles  Principle of Accountability (Continued)  Building strategic partnerships  Writing Effective Policies and Procedures  Collaborative effort  Obtain approvals  Communication  Train Staff  Revise, Retrain, etc. as needed  Evaluate for increased organizational Efficiencies

80 Applying Technology With The Principles  Principle of Integrity - An information governance program shall be constructed so the information generated by or managed for the organization has a reasonable and suitable guarantee of authenticity and reliability  Assess the system mechanisms involved in information capture  These information capture systems should capture information accurately and make it reliably retrievable  Consider the types of information capture technologies, indexing strategies, capture planning, and interoperability

81 Applying Technology With The Principles  Principle of Integrity (Continued)  Assess information controls  Information security controls  Information security procedures  Standardized metadata  Maintenance and backups (Continuity of Operations)  Upgrades of software and hardware – the processes and how often  Planned and managed data and system migrations

82 Applying Technology With The Principles  Principle of Integrity (Continued)  Controlling user account information  Role-Based access  Have good documentation  Content and format  Include not only current but also future systems, processes, roles, etc.  Plans for updates, upgrades, decommissions, etc.

83 Applying Technology With The Principles  Principle of Protection - An information governance program shall be constructed to ensure a reasonable level of protection for records and information that are private, confidential, privileged, secret, classified, or essential to business continuity or that otherwise require protection  Assess the information in the organization’s technology systems  What information is stored and where – cloud storage, server  How is the information used  What happens to the information when it is no longer needed

84 Applying Technology With The Principles  Principle of Protection (Continued)  Assess the information security system protocols  Firewalls  Compliancy monitoring systems  Business continuity planning and testing  Backup and recovery procedures  System maintenance

85 Applying Technology With The Principles  Principle of Protection (Continued)  Quality control measures are vital to protection  Protection methods will vary based on…  Record Media  Hardware  Software  Limit ability to access and manipulate information based on users’ role (need to know)

86 Applying Technology With The Principles  Principle of Compliance - An information governance program shall be constructed to comply with applicable laws and other binding authorities, as well as with the organization’s policies  Align technology system requirements with requirements for compliance with laws and regulations  Documentation of system processes as needed for compliance  Employee training addressing information compliance responsibilities and procedures  Standardize workflows for all information lifecycle stages

87 Applying Technology With The Principles  Principle of Compliance (Continued)  Organizations that produce relevant Standards  ISO  ANSI  AIIM/ARMA  IEEE  Specific Records and Information Standards  DOD5015  ISO 15489

88 Applying Technology With The Principles  Principle of Availability - An organization shall maintain records and information in a manner that ensures timely, efficient, and accurate retrieval of needed information  Identify the information created and maintained by the organization  Classify the organization’s information and implement indexing capability  Have effective procedures, workflows, and controls  Train users  Implement proper technology solutions to meet information needs

89 Applying Technology With The Principles  Principle of Availability (Continued)  Employ effective information technology maintenance processes  Records Series/file plan  Taxonomies

90 Applying Technology With The Principles  Principle of Retention - An organization shall maintain its records and information for an appropriate time, taking into account its legal, regulatory, fiscal, operational, and historical requirements  Determine appropriate and compliant records retention classifications  Document in the Records Retention Schedule  Develop records retention compliant workflows within the information systems  Train employees about appropriate records retention and the organization’s Records Retention Schedule

91 Applying Technology With The Principles  Principle of Retention (Continued)  Document strategies, results, decisions, and efforts associated with legacy systems  Implement appropriate documentation for electronic records disposition  Apply Retention to all records regardless of format, media, or location  Paper vs. Electronic  Onsite vs Offsite  Consider special steps needed to retain records for long retention periods or for permanent retention

92 Applying Technology With The Principles  Principle of Disposition - An organization shall provide secure and appropriate disposition for records and information that are no longer required to be maintained by applicable laws and the organization’s policies  Disposition includes destruction and transfer to a historical digital archives  Systems should ensure appropriate security of records during the full disposition process  Includes disposition approval process  Includes disposition hold processes  Includes transfer of information to a historical digital archives

93 Applying Technology With The Principles  Principle of Disposition (Continued)  Appropriate and compliant methods of information storage and disposition should be implemented  Includes appropriate and compliant methods for destruction  Includes appropriate and compliant methods for historical preservation  Retention Schedule should guide the disposition process  Destruction methods used are based on properties, media, and security  Media: Shredding, Recycling, and pulverization  Digital: Erasing, overwriting, or digital shredding

94 Applying Technology With The Principles  Principle of Transparency - An organization’s business processes and activities, including its information governance program, shall be documented in an open and verifiable manner, and that documentation shall be available to all personnel and appropriate interested parties  System documentation including:  Documentation of the records management polices and processes the system provides  Defined digital records creation processes  Metadata standards employed in the system  Documented clear workflows  Documentation of the system’s digital records disposition and disposition hold processes

95 Scenario Group Exercise  Scenario A midsized company is expanding. They have identified a need to develop an Information Governance program. Your consulting team has been hired to develop recommended functional areas and the roles and responsibilities for the Information Governance program. The Board of Directors expects to see your consulting team’s full report with each functional area listed and the justification/reason for each area. Your consulting team has been told by the Board that they want to ensure that their information is managed appropriately and that the organization gets the most value from its information. Remember that the Board is expecting you to address all records across all media.  Group Exercise You and your group members are the consulting team that has been hired by the company in the scenario above. In your individual groups, document the different areas of the Information Governance program to be presented to the Board of Directors. Be sure to also include your team’s recommended roles and responsibilities of the Information Governance program. Keep in mind that the Board is concerned about maximizing the value of the company’s information. Your group should identify what of type of company (communications, transportation, manufacturing, etc.) that you’ve been hired by because that might determine some of your recommendations for the Information Governance program. Feel free to give the company a name.  Select a spokesperson for your group The group’s spokesperson will share the group’s recommendations for the solution with the all of us.

96 Benefits and Advantages of Maximizing Value  Value of Information Business purpose of the information  Document the actions of the organization  Document compliancy of the organization  Process information according to the needs and purpose of the organization Information can support the purpose of the organization  Predictive analytics and modeling  Visualization  Customer experience analysis  Fraud prevention analysis Efficient information processes yield value  Enhance decision making  Improve customer targeting and improve customer experience  Enhance protection of sensitive information

97 Benefits and Advantages of Maximizing Value  Examples of Data Visualization Treemapping of Soft Drink Preferences Across a Group of People

98 Benefits and Advantages of Maximizing Value  Examples of Data Visualization Treemapping of Countries by Geographic Size with Darker Colors Indicating More Population Density

99 Benefits and Advantages of Maximizing Value  Examples of Data Visualization A streamgraph showing an individual’s music listening habits

100 Benefits and Advantages of Maximizing Value  Examples of Data Visualization Data visualization of Facebook relationships by the third-party app MyFnetwork "Kencf0618FacebookNetwork" by Kencf0618 - Own work. Licensed under CC BY-SA 3.0 via Wikimedia Commons - http://commons.wikimedia.org/wiki/File:Kencf0618FacebookNetwork.jpg#/media/File:Kencf0618FacebookNetwork.jpg

101 Benefits and Advantages of Maximizing Value  Appropriate IG Reduces Risk Compliance with information laws and regulations reduces risk of fines and other results of non-compliance Appropriate Business Continuity Planning reduces the down time an organization could experience in the face of a disaster Appropriate and defensible disposition reduce the volume of information that could otherwise be subject to discovery or information requests

102 Benefits and Advantages of Maximizing Value  Appropriate IG Helps Contain Costs More efficient information processes – Automated Classification Enhance decision making processes – Data Analytics Information storage efficiencies – Tier and Cloud Storage/ Offsite Collaborative sites - Reduce Copies Better search technologies – Reduce researcher time

103 Benefits and Advantages of Maximizing Value

104  IG provides a framework for comprehensive management of the organization’s information assets with a collaborative approach  The Principles provide the characteristics an IG program should achieve  The IG Maturity Model is an assessment tool that provides characteristics of the Principles at various levels of maturity within an organization  The IGRM depicts a framework for IG within an organization by key stakeholders

105 Benefits and Advantages of Maximizing Value  IG helps an organization optimize the value of information by: Reducing risks Ensuring compliance Lowering costs Improving information access and security Improving workflows Using big data and data analytics Supporting improved decision making

106 Q & A  Contact Information Margaret Hermesmeyer, MLIS, CRM (512) 463-2154 Margaret.Hermesmeyer@texasattorneygeneral.gov Kevin Waldrup, MBA, CRM (512) 972-5108 Kevin.Waldrup@austintexas.gov

Download ppt "Presenters: Margaret Hermesmeyer, MLIS, CRMKevin Waldrup, MBA, CRM Chief, Records Management Division Records Management Administrator Office of the Attorney."

Similar presentations

The Impact of Auditing on Records Management Risk and Compliance Susan B. Whitmire, CRM, FAI Manager, Enterprise Records and Information Management BlueCross.

The Impact of Auditing on Records Management Risk and Compliance Susan B. Whitmire, CRM, FAI Manager, Enterprise Records and Information Management BlueCross.
Identification and Disposition of Official University Records University of Texas at Arlington Records Management.

Identification and Disposition of Official University Records University of Texas at Arlington Records Management.
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.

What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.
1 Auditing in the Public Interest Records Management in the Victorian Public Sector Audit objective Audit had two objectives : The first objective was.

1 Auditing in the Public Interest Records Management in the Victorian Public Sector Audit objective Audit had two objectives : The first objective was.
Records Management for UW-Madison Employees – An Introduction UW-Madison Records Management UW-Archives & Records Management 2012 Photo courtesy of University.

Records Management for UW-Madison Employees – An Introduction UW-Madison Records Management UW-Archives & Records Management 2012 Photo courtesy of University.
Alaska Chapter of ARMA International Presented by: Dawn Kewan, ARMA Board Member & Treasurer February 6, 2014 Based on Generally Accepted Recordkeeping.

Alaska Chapter of ARMA International Presented by: Dawn Kewan, ARMA Board Member & Treasurer February 6, 2014 Based on Generally Accepted Recordkeeping.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.

AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.
Security Controls – What Works

Security Controls – What Works
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
Why Managers Must Understand IT Managers play a key role –Frame opportunities and threats so others can understand them –Evaluate and prioritize problems.

Why Managers Must Understand IT Managers play a key role –Frame opportunities and threats so others can understand them –Evaluate and prioritize problems.
Quality evaluation and improvement for Internal Audit

Quality evaluation and improvement for Internal Audit
Certified Business Process Professional (CBPP®)

Certified Business Process Professional (CBPP®)
Purpose of the Standards

Purpose of the Standards
RECORDS MANAGEMENT City of Oregon City “ That was then… this is now!”

RECORDS MANAGEMENT City of Oregon City “ That was then… this is now!”
Department of Commerce Records Management Training.

Department of Commerce Records Management Training.
Opportunities & Implications for Turkish Organisations & Projects

Opportunities & Implications for Turkish Organisations & Projects
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models

Similar presentations

Ads by Google