How do you know how well you are doing? You will need to develop metrics to determine the level of employee compliance, its impact on key operational areas, and progress made toward established business objectives.
Testing and auditing the program provides an opportunity to give feedback to employees on how well they are doing and to recommend changes they may make.
But having objective feedback on key metrics also will allow for your executive sponsor to see where progress has been made and where improvements need to focus.
Communications regarding your IG program should be consistent and clear and somewhat customized for various stakeholder groups.
Clear penalties for policy violations must be communicated to employees so they know the seriousness of the IG program and how important it is in helping the organization pursue its business goals and accomplish stated business objectives.

CHAPTER SUMMARY: KEY POINTS

■ You must inform and frame IG policy with internal and external frameworks, models, best practices, and standards.
■ The business user is the primary stakeholder of managed information.
■ Information management is important at all stages of the life cycle.
■ Legal stakeholders usually can mandate the preservation of what is most critical, though often at great cost.
■ The IGRM was developed by the EDRM Project to foster communication among stakeholders and adoption of IG. It complements ARMA’s The Principles.
■ ISO 31000 is a broad risk management standard that applies to all types of businesses.
■ ISO/IEC 27001 and ISO/IEC 27002 are ISMS standards that provide guidance in the development of security controls.
■ ISO 15489 is the international RM standard.
■ The ICA-Req standard was adopted as ISO 16175. It does not contain a testing regime for certification.
■ The ISO 30300 series of e-records standards are written for a managerial audience and encourage ERM that is aligned to organizational objectives.
■ DoD 5015.2 is the U.S. ERM standard; the European ERM standard is MoReq2010. Australia has adopted all three parts of ISO 16175 as its e-records management standard.
■ LTDP is a key area to which IG policy should be applied.
■ An LTDP strategy that is OAIS compliant (based on ISO 14721) offers the best means available today for preserving the digital heritage of all organizations.
■ ISO 16363 represents the gold standard of audit and certification for trustworthy digital repositories.
■ ISO 38500 is an international standard that provides high-level principles and guidance for senior executives and directors responsible for IT governance.
■ ISO 22301 spells out requirements for creating and implementing a standardized approach to business continuity management.
■ You must take into account your organization’s corporate culture, management style, and organizational goals when determining which best practices and standards should be selected for your IG framework.
■ Lines of authority, accountability, and responsibility must be clearly drawn for the IG program to succeed.
■ Communications regarding your IG program should be consistent and clear and somewhat customized for various stakeholder groups.
■ IG program audits are an opportunity to improve training and compliance, not to punish employees.

Notes

1. ARMA International, “Generally Accepted Recordkeeping Principles,” www.arma.org/r2/generally-accepted-br-recordkeeping-principles/copyright (accessed November 25, 2013).
2. ARMA International, “Information Governance Maturity Model,” www.arma.org/r2/generally-accepted-br-recordkeeping-principles/metrics (accessed November 25, 2013).
3. Electronic Discovery, “IGRM v3.0 Update: Privacy & Security Officers As Stakeholders – Electronic Discovery,” http://electronicdiscovery.info/igrm-v3-0-update-privacy-security-officers-as-stakeholders-electronic-discovery/ (accessed April 24, 2013).
4. EDRM, “Information Governance Reference Model (IGRM),” www.edrm.net/projects/igrm (accessed October 9, 2013).
5. Ibid.
6. Ibid.
7. Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide), 4th ed. (Newtown Square, PA: Project Management Institute, 2008), ANSI/PMI 99-001-2008, pp. 273–312.
8. Kate Cumming, “Metadata Matters,” in Julie McLeod and Catherine Hare, eds., Managing Electronic Records (London: Facet, 2005), p. 34.
9. Marc Fresko, e-mail to author, May 13, 2012.
10. Hofman, “The Use of Standards and Models,” in Julie McLeod and Catherine Hare, eds., Managing Electronic Records, p. 34 (London: Facet, 2005), pp. 20–21.
11. Ibid.
12. International Organization for Standardization, “ISO 31000:2009 Risk Management—Principles and Guidelines,” www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=43170 (accessed April 22, 2013).
13. Ibid.
14. International Organization for Standardization, ISO/IEC 27001:2005, “Information Technology—Security Techniques—Information Security Management Systems—Requirements,” www.iso.org/iso/catalogue_detail?csnumber=42103 (accessed April 22, 2013).
15. International Organization for Standardization, ISO/IEC 27002:2005, “Information Technology—Security Techniques—Code of Practice for Information Security Management,” www.iso.org/iso/catalogue_detail?csnumber=50297 (accessed July 23, 2012).
16. International Organization for Standardization, ISO/IEC 38500:2008, www.iso.org/iso/catalogue_detail?csnumber=51639 (accessed March 12, 2013).
17. ISO 38500 IT Governance Standard, www.38500.org/ (accessed March 12, 2013).
18. International Organization for Standardization, ISO 15489-1:2001 Information and Documentation—Records Management. Part 1: General (Geneva: ISO, 2001), section 3.16.
19. National Archives of Australia, www.naa.gov.au/records-management/publications/DIRKS-manual.aspx (accessed October 15, 2012).
20. International Council on Archives, “ICA-Req: Principles and Functional Requirements for Records in Electronic Office Environments: Guidelines and Training Material,” November 29, 2011, www.ica.org/11696/activities-and-projects/icareq-principles-and-functional-requirements-for-records-in-electronic-office-environments-guidelines-and-training-material.html.
21. Council of Australasian Archives and Records Authorities, www.caara.org.au/ (accessed May 3, 2012).
22. Adrian Cunningham, blog post comment, May 11, 2011, http://thinkingrecords.co.uk/2011/05/06/how-moreq-2010-differs-from-previous-electronic-records-management-erm-system-specifications/.
23. Ibid.
24. “Relationship between the ISO 30300 Series of Standards and Other Products of ISO/TC 46/SC 11: Records Processes and Controls,” White Paper, ISO TC46/SC11 Archives/Records Management (March 2012), www.iso30300.es/wp-content/uploads/2012/03/ISOTC46SC11_White_paper_relationship_30300_technical_standards12032012v6.pdf.
25. Ibid.
26. Julie Gable, Information Management Journal, November 1, 2002, www.thefreelibrary.com/Everything+you+wanted+to+know+about+DoD+5015.2:+the+standard+is+not+a…-a095630076.
27. These standards were developed by the CGSB (Canadian General Standards Board), which is a standards-writing agency within Public Works and Government Services Canada (a department of the federal government). It is accredited by the Standards Council of Canada as a standards development agency. The Council must certify that standards have been developed by the required procedures before it will designate them as being National Standards of Canada. 72.34 incorporates by reference as “normative references”: (1) many of the standards of the International Organization for Standardization (ISO) in Geneva, Switzerland (“ISO,” derived from the Greek word isos (equal) so as to provide a common acronym for all languages); and (2) several of the standards of the Canadian Standards Association (CSA). The “Normative references” section of 72.34 (p. 2) states that these “referenced documents are indispensable for the application of this document.” 72.11 cites (p. 2, “Applicable Publications”) several standards of the American National Standards Institute/Association for Information and Image Management (ANSI/AIIM) as publications “applicable to this standard.” The process by which the National Standards of Canada are created and maintained is described within the standards themselves (reverse side of the front cover), and on the CGSB’s Web site (see “Standards Development”), from which Web site these standards may be obtained; http://www.ongc-cgsb.gc.ca.
28. The Canada Revenue Agency (CRA) informs the public of its policies and procedures by means, among others, of its Information Circulars (ICs) and GST/HST Memoranda. (GST: goods and services tax; HST: harmonized sales tax, i.e., the harmonization of federal and provincial sales taxes into one retail sales tax.) In particular, see IC05-1, dated June 2010, entitled Electronic Record Keeping, paragraphs 24, 26 and 28. Note that use of the National Standard cited in paragraph 26, Microfilm and Electronic Images as Documentary Evidence CAN/CGSB-72.11-93, is mandatory for “Imaging and microfilm (including microfiche) reproductions of books of original entry and source documents . . .” Paragraph 24 recommends the use of the newer national standard, Electronic Records as Documentary Evidence CAN/CGSB-72.34-2005, “To ensure the reliability, integrity and authenticity of electronic records.” However, if this newer standard is given the same treatment by CRA as the older standard, it will be made mandatory as well. And similar statements appear in the GST Memoranda, Computerized Records 500-1-2, and Books and Records 500-1. IC05-1, Electronic Record Keeping, concludes with the note, “Most Canada Revenue Agency publications are available on the CRA Web site www.cra.gc.ca under the heading ‘Forms and Publications.’”
29. There are more than 200 specific compliance tests that can be applied to determine if the principles of 72.34 are being complied with. The analysts—a combined team of records management and legal expertise—analyze: (1) the nature of the business involved; (2) the uses and value of its records for its various functions; (3) the likelihood and risk of the various types of its records being the subject of legal proceedings, or of their being challenged by some regulating authority; and (4) the consequences of the unavailability of acceptable records—for example, the consequences of its records not being accepted in legal proceedings. Similarly, in regard to the older National Standard of Canada, 72.11, there is a comparable series of more than 50 tests that can be applied to determine the state of compliance with its principles.
30. Electronic Records as Documentary Evidence CAN/CGSB-72.34-2005 (“72.34”), clause 5.4.3 c) at p. 17; and Microfilm and Electronic Images as Documentary Evidence CAN/CGSB-72.11-93 (“72.11”), paragraph 4.1.2 at p. 2, supra note 49.
31. 72.34, Clause 5.4.3, ibid.
32. “Admissibility” refers to the procedure by which a presiding judge determines if a record or other proffered evidence is acceptable as evidence according to the rules of evidence. “Electronic discovery” is the compulsory exchange of relevant records by the parties to legal proceedings prior to trial. As to the admissibility of records as evidence see: Ken Chasse, “The Admissibility of Electronic Business Records” (2010), 8 Canadian Journal of Law and Technology 105; and Ken Chasse, “Electronic Records for Evidence and Disclosure and Discovery” (2011) 57 The Criminal Law Quarterly 284. For the electronic discovery of records see: Ken Chasse, “Electronic Discovery—Sedona Canada is Inadequate on Records Management—Here’s Sedona Canada in Amended Form,” Canadian Journal of Law and Technology 9 (2011): 135; and Ken Chasse, “Electronic Discovery in the Criminal Court System,” Canadian Criminal Law Review 14 (2010): 111. See also note 18 infra, and accompanying text.
33. For the province of Quebec, comparable provisions are contained in Articles 2831-2842, 2859-2862, 2869-2874 of Book 7 “Evidence” of the Civil Code of Quebec, S.Q. 1991, c. C-64, to be read in conjunction with, An Act to Establish a Legal Framework for Information Technology, R.S.Q. 2001, c. C-1.1, ss. 2, 5-8, and 68.
34. For the legislative jurisdiction of the federal and provincial governments in Canada, see The Constitution Act, 1867 (U.K.) 30 & 31 Victoria, c. 3, s. 91 (federal), and s. 92 (provincial), www.canlii.org/en/ca/laws/stat/30—31-vict-c-3/latest/30—31-vict-c-3.html.
35. The two provinces of Alberta and Newfoundland and Labrador do not have business record provisions in their Evidence Acts. Therefore “admissibility” would be determined in those jurisdictions by way of the court decisions that define the applicable common law rules; such decisions as, Ares v. Venner [1970] S.C.R. 608, 14 D.L.R. (3d) 4 (S.C.C.), and decisions that have applied it.
36. See for example, the Canada Evidence Act, R.S.C. 1985, c. C-5, ss. 31.1-31.8; Alberta Evidence Act, R.S.A. 2000, c. A-18, ss. 41.1-41.8; (Ontario) Evidence Act, R.S.O. 1990, c. E.23, s. 34.1; and the (Nova Scotia) Evidence Act, R.S.N.S. 1989, c. 154, ss. 23A-23G. The Evidence Acts of the two provinces of British Columbia and Newfoundland and Labrador do not contain electronic record provisions. However, because an electronic record is no better than the quality of the record system in which it is recorded or stored, its “integrity” (reliability, credibility) will have to be determined under the other provincial laws that determine the admissibility of records as evidence.
37. The electronic record provisions have been in the Evidence Acts in Canada since 2000. They have been applied to admit electronic records into evidence, but they have not yet received any detailed analysis by the courts.
38. This is the wording used in, for example, s. 41.6 of the Alberta Evidence Act, s. 34.1(8) of the (Ontario) Evidence Act; and s. 23F of the (Nova Scotia) Evidence Act, supra note 10. Section 31.5 of the Canada Evidence Act, supra note 58, uses the same wording, the only significant difference being that the word “document” is used instead of “record.” For the province of Quebec, see sections 12 and 68 of, An Act to Establish a Legal Framework for Information Technology, R.S.Q., chapter C-1.1.
39. “Giving Value: Funding Priorities for UK Archives 2005–2010, a key new report launched by the National Council on Archives (NCA) in November 2005,” www.nationalarchives.gov.uk/documents/standards_guidance.pdf (accessed October 15, 2012).
40. DLM Forum Foundation, MoReq2010®: Modular Requirements for Records Systems—Volume 1: Core Services & Plug-in Modules, 2011, http://moreq2010.eu/ (accessed May 7, 2012; published in paper form as ISBN 978-92-79-18519-9 by the Publications Office of the European Communities, Luxembourg).
41. DLM Forum, Information Governance across Europe, www.dlmforum.eu/ (accessed December 14, 2010).
42. National Archives of Australia, “Australian and International Standards,” 2012, www.naa.gov.au/records-management/strategic-information/standards/ASISOstandards.aspx (accessed July 16, 2012).
43. E-mail to author from Marc Fresko, May 13, 2012.
44. National Archives of Australia, “Australian Government Recordkeeping Metadata Standard,” 2012, www.naa.gov.au/records-management/publications/agrk-metadata-standard.aspx (accessed July 16, 2012).
45. National Archives of Australia, “Australian and International Standards,” 2012, www.naa.gov.au/records-management/strategic-information/standards/ASISOstandards.aspx (accessed July 16, 2012).
46. International Organization for Standardization, ISO 19005-1:2005, “Document Management—Electronic Document File Format for Long-Term Preservation—Part 1: Use of PDF 1.4 (PDF/A-1),” www.iso.org/iso/catalogue_detail?csnumber=38920 (accessed July 23, 2012).
47. International Organization for Standardization, ISO 14721:2012, “Space Data and Information Transfer Systems Open Archival Information System—Reference Model,” www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=57284 (accessed November 25, 2013).
48. Ibid.
49. International Organization for Standardization, ISO 16363:2012, “Space Data and Information Transfer Systems—Audit and Certification of Trustworthy Digital Repositories,” www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=56510 (accessed July 23, 2012).
50. International Organization for Standardization, ISO 22301:2012 “Societal Security—Business Continuity Management Systems—Requirements,” www.iso.org/iso/catalogue_detail?csnumber=50038 (accessed April 21, 2013).
51. International Organization for Standardization, “ISO Business Continuity Standard 22301 to Replace BS 25999-2,” www.continuityforum.org/content/news/165318/iso-business-continuity-standard-22301-replace-bs-25999-2 (accessed April 21, 2013).
52. BSI, “ISO 22301 Business Continuity Management,” www.bsigroup.com/en-GB/iso-22301-business-continuity (accessed April 21, 2013).