
Summing Up the Differences

From the document Information Governance - Wiley CIO (Pages 41-47)

IG consists of the overarching policies and processes to optimize and leverage information while keeping it secure and meeting legal and privacy obligations in alignment with stated organizational business objectives.

IT governance consists of following established frameworks and best practices to gain the most leverage and benefit out of IT investments and support accomplishment of business objectives.

Data governance consists of the processes, methods, and techniques to ensure that data is of high quality, reliable, and unique (not duplicated), so that downstream uses in reports and databases are more trusted and accurate.


CHAPTER SUMMARY: KEY POINTS

Data governance uses techniques like data cleansing and de-duplication to improve data quality and reduce redundancies.

Good data governance ensures that downstream negative effects of poor data are avoided and that subsequent reports, analyses, and conclusions are based on reliable, trusted data.

IT governance seeks to align business objectives with IT strategy to deliver business value.

CobiT is process-oriented and has been widely adopted as an IT governance framework. ValIT is value-oriented and compatible and complementary with CobiT yet focuses on value delivery.

The CobiT framework maps to the international information security standard ISO 17799 and is also compatible with ITIL (IT Infrastructure Library).

ITIL is the “most widely accepted approach to IT service management in the world.”

ISO 38500 is an international standard that provides high-level principles and guidance for senior executives and directors responsible for IT governance.

Information governance is how an organization maintains security, complies with regulations and laws, and meets ethical standards when managing information.


CHAPTER 3

Information Governance Principles*

Principles of information governance (IG) are evolving and expanding. Successful IG programs are characterized by ten key principles, which are the basis for best practices and should be designed into the IG approach. They include:

1. Executive sponsorship. No IG effort will survive and be successful if it does not have an accountable, responsible executive sponsor. The sponsor must drive the effort, clear obstacles for the IG team or committee, communicate the goals and business objectives that the IG program addresses, and keep upper management informed on progress.

2. Information policy development and communication. Clear policies must be established for the access and use of information, and those policies must be communicated regularly and crisply to employees. Policies for the use of e-mail, instant messaging, social media, cloud computing, mobile computing, and posting to blogs and internal sites must be developed in consultation with stakeholders and communicated clearly. This includes letting employees know what the consequences of violating IG policies are, as well as its value.

3. Information integrity. This area considers the consistency of methods used to create, retain, preserve, distribute, and track information. Adhering to good IG practices includes data governance techniques and technologies to ensure quality data. Information integrity means there is the assurance that information is accurate, correct, and authentic. IG efforts to improve data quality and information integrity include de-duplicating (removing redundant data) and maintaining only unique data to reduce risk, storage costs, and information technology (IT) labor costs while providing accurate, trusted information for decision makers. Supporting technologies must enforce policies to meet legal standards of admissibility and preserve the integrity of information to guard against claims that it has been altered, tampered with, or deleted (called “spoliation”). Audit trails must be kept and monitored to ensure compliance with IG policies to assure information integrity. 1

4. Information organization and classification. This means standardizing formats, categorizing all information, and semantically linking it to related information. It also means creating a retention and disposition schedule that spells out how long the information (e.g. e-mail, e-documents, spreadsheets, reports) and records should be retained and how they are to be disposed of or archived.

Information, and particularly documents, should be classified according to a global or corporate taxonomy that considers the business function and owner of the information, and semantically links related information. Information must be standardized in form and format. Tools such as document labeling can assist in identifying and classifying documents. Metadata associated with documents and records must be standardized and kept up-to-date. Good IG means good metadata management and utilizing metadata standards that are appropriate to the organization.

*Portions of this chapter are adapted from Chapter 3 of Robert F. Smallwood, Managing Electronic Records: Methods, Best Practices, and Technologies, © John Wiley & Sons, Inc., 2013. Reproduced with permission of John Wiley & Sons, Inc.

5. Information security. This means securing information in its three states: at rest, in motion, and in use. It means implementing measures to protect information from damage, theft, or alteration by malicious outsiders and insiders as well as nonmalicious (accidental) actions that may compromise information. For instance, an employee may lose a laptop with confidential information, but if proper IG policies are enforced using security-related information technologies, the information can be secured. This can be done by access control methods, data or document encryption, deploying information rights management software, using remote digital shredding capabilities, and implementing enhanced auditing procedures. Information privacy is closely related to information security and is critical when dealing with personally identifiable information (PII).

6. Information accessibility. Accessibility is vital not only in the short term but also over time using long-term digital preservation (LTDP) techniques when appropriate (generally if information is needed for over five years). Accessibility must be balanced with information security concerns. Information accessibility includes making the information as simple as possible to locate and access, which involves not only the user interface but also enterprise search principles, technologies, and tools. It also includes basic access controls, such as password management, identity and access management, and delivering information to a variety of hardware devices.

7. Information control. Document management and report management software must be deployed to control the access to, creation, updating, and printing of documents and reports. When documents or reports are declared records, they must be assigned to the proper retention and disposition schedule to be retained for as long as the records are needed to comply with legal retention periods and regulatory requirements. Also, information that may be needed or requested in legal proceedings is safeguarded through a legal hold process.

8. Information governance monitoring and auditing. To ensure that guidelines and policies are being followed and to measure employee compliance levels, information access and use must be monitored. To guard against claims of spoliation, use of e-mail, social media, cloud computing, and report generation should be logged in real time and maintained as an audit record. Technology tools such as document analytics can track how many documents or reports users access and print and how long they spend doing so.

9. Stakeholder consultation. Those who work most closely with information are the ones who best know why it is needed and how to manage it, so business units must be consulted in IG policy development. The IT department understands its capabilities and technology plans and can best speak to those points. Legal issues must always be deferred to the in-house counsel or legal team. A cross-functional collaboration is needed for IG policies to hit the mark and be effective. The result is not only more secure information but also better information to base decisions on and closer adherence to regulatory and legal demands. 2

10. Continuous improvement. IG programs are not one-time projects but rather ongoing programs that must be reviewed periodically and adjusted to account for gaps or shortcomings as well as changes in the business environment, technology usage, or business strategy.
