C H A P T E R 8 Information Management and Legal Functions 115 By Robert Smallwood with Randy Kahn, Esq., and Barry Murphy Introduction to e-Discovery: The Revised 2006 Federal Rules of Civil Proceded Changed Everything for business managers and executives in today's environment of big data, increasing information risks, co-loss leaks, and increased compliance and legal demands.
PART ONE
For big data advocates, more data is always better, and there is no perceived downside to accumulating large amounts of data. A big data attack requires the implementation of information governance (IG) to dispose of unnecessary data in a legally secure manner.
Defi ning Information Governance
Practicing good IG is the essential basis for building legally protected disposal practices to discard unnecessary information. IG is “a strategic framework consisting of standards, processes, roles, and metrics that hold organizations and individuals accountable to create, organize, secure, maintain, use, and dispose of information in ways that align with and contribute to the organization. goals." 20.
IG Is Not a Project, But an Ongoing Program
Further strengthening the definition: “Information governance is the policy-based management of information designed to reduce costs, reduce risk and ensure compliance with legal, regulatory and/or corporate governance standards.”21 IG necessarily involves not only policies, but information technology to audit and enforce those policies. The IG team must be aware of information life cycle issues and be able to implement appropriate retention and disposal policies, including digital preservation where data must be retained for long periods.
Why IG Is Good Business
IG makes sense because it allows organizations to get rid of unnecessary information in a defensible way. IG makes sense because organizations cannot keep everything forever, nor can they throw everything away.
Failures in Information Governance
IG's controls for protecting confidential information assets and protecting privacy cannot rely solely on employee reliability and basic security measures. IG's controls for protecting confidential information assets and protecting privacy cannot rely solely on the reliability of employees and basic security measures.
Notes
Gartner Press Release, "Gartner Says Master Data Management Is Critical to Achieving Effective Information Governance," www.gartner.com/newsroom/id/1898914, January 19, 2012. Laura DuBoisand Vivian Tero, "Practical Governance of Information: Balancing Cost, , and Productivity,” IDC White Paper (August 2010), www.emc.com/collateral/analyst-reports/idc-practical- information-governance-ar.pdf.
Data Governance
Data management uses techniques such as data cleaning and deduplication to improve data quality and reduce redundancy. People must be trained to understand why a data governance program is being implemented and how it will benefit the business.
IT Governance
CobiT (Control Objectives for Information and Related Technology) is an IT management framework based on the T process and represents the consensus of experts worldwide. ITIL is applicable in both the private and public sectors and is "the most widely accepted approach to IT service management in the world".13 As with other IT management frameworks, ITIL provides essential guidance for delivering business value through IT and "provides guidance for organizations on , how to use IT as a tool to facilitate business changes, transformation and growth."14.
Information Governance
Impact of a Successful IG Program
Executives and managers often do not understand the value of IG until a crisis occurs, an expensive legal battle is lost, large fines are imposed for non-compliance, or executives go to jail. First, you need to figure out who accesses what information when and where it goes.
Summing Up the Differences
Clear policies for access and use of information should be established, and those policies should be regularly and clearly communicated to employees. Audit trails should be maintained and monitored to ensure compliance with IG policies to ensure information integrity.
Accountability Is Key
As shown in Table 3.1, the GAAP Maturity Model links characteristics that characterize five levels of recordkeeping capability, ranging from 1 (substandard) to 5 (transformational). An audit process should be developed to cover all aspects of RM in the organization.
Assessment and Improvement Roadmap
Destruction of records must be carried out under controlled, confidential conditions by shredding or permanent disposal. This includes the destruction of confidential microfilm, microfiche, computer cassettes and computer tapes, as well as paper.
Who Should Determine IG Policies?
It is difficult to get information about the organization or its data in a timely manner. 37 The retention process is integrated into the organization's information management and discovery processes for the most critical systems.
PART TWO
- Survey and Determine Legal and Regulatory Applicability and Requirements
- Specify IG Requirements to Achieve Compliance
- Create a Risk Profi le
- Perform Risk Analysis and Assessment
- Develop an Information Risk Mitigation Plan
- Develop Metrics and Measure Results
- Execute Your Risk Mitigation Plan
- Audit the Information Risk Mitigation Program
According to ISO, risk is defined as "the effect of uncertainty on objectives", and a risk profile is "a description of a set of risks".5 Creating a risk profile involves identifying, documenting, assessing, and prioritizing risks that an organization organization may face in pursuit of its business objectives. Determining relevant ways to measure progress allows executives to see progress, as reducing risk is realistically not something everyone can see or feel – the painful realizations are not made until the risk comes home.
Crucial Executive Sponsor Role
A diligent and effective executive sponsor makes all the difference to a project - if the role is properly managed by the PM. This is a difficult relationship, as the PM is always below the executive sponsor in the organization's hierarchy, yet the PM must persuade the superior to undertake certain high-level tasks.
Evolving Role of the Executive Sponsor
Sometimes a third-party consultant who is an expert in the specific project can drive and support the requests made by the sponsor and provide a strong business case.
Building Your IG Team
Assigning IG Team Roles and Responsibilities
The outcome of the research, consultation and collaboration of the IG team should result in a final draft of the IG strategic plan. More input and development is still needed to align the plan with business objectives, an analysis of internal and external drivers, applicable best practices, competitive analysis, applicable IT trends, an analysis and integration of the organization's culture and other factors.
Align Your IG Plan with Organizational Strategic Plans
The IT strategy may be to convert new acquisitions into the organization's internal financial and accounting systems and to train new employees to use the existing software applications under the umbrella of the IG plan. Is there a budget item for software purchases and training and communication to support the implementation of the IG plan.
Survey and Evaluate External Factors
Trends and conditions in the internal and external business environment must be included in the IG strategic plan. Trends and conditions in the internal and external business environment must be included in the IG strategic plan.
A Brief Review of Generally Accepted Recordkeeping Principles®
IG Reference Model
Starting from the outside of the diagram, successful information management is about designing a complex set of interoperable processes and implementing the procedures and structural elements to make them happen. We have included this component in the diagram to illustrate the fact that information management is important at all stages of the information life cycle – from its creation to its end use.
Best Practices Considerations
Creating standardized metadata terms should be part of an IG effort that enables faster, more complete, and more accurate searches and retrieval of records. Some digital information assets must be permanently preserved as part of an organization's documentary heritage.
Standards Considerations
Destructive email retention helps reduce storage costs and legal risk while improving the "findability" of critical data. Manage social media content according to IG policies and monitor it with controls that ensure the protection of critical information assets and the preservation of business data.
Benefi ts and Risks of Standards
Users have lower maintenance requirements and training and support costs when systems are more uniform. For example, an ISO standard may be theory-based and use different terminology, while regional or national standards are more specific, applicable and understandable than broad international standards.
Key Standards Relevant to IG Efforts
In Module 1 of ICA-Req, principles are presented in a high-level overview; Module 2 contains specifications for electronic document and records management systems (EDRMS) that are "globally harmonised"; and Module 3 contains a requirement statement and "implementation advice for managing records in business systems."22 Module 3 recognizes that digital recordkeeping need not be limited to the EDRMS paradigm - the insight now captured by "Modular" Requirements for Records Systems” (MoReq2010, the European standard released in 2011).23 Parts 1 to 3 of ISO 16175 were fully adopted in 2010–2011 based on the ICA-Req standard. The standard can be purchased at www.ISO.org, and additional information about the Australian initiative can be found at www.adri.gov.au.
Major National and Regional ERM Standards
K. and European Standards
In the United Kingdom, the National Archives (TNA) (formerly the Public Record Office or PRO) "published two sets of functional requirements to encourage the development of the electronic document management software market (1999 and 2002)." Following the approval and release of the AS 4390 standard in In 1996, the international records management community began working on developing an international standard.
Making Your Best Practices and Standards Selections to Inform Your IG Framework
You may have overlooked some key factors that your wider stakeholder group has uncovered and their input needs to be merged into a final draft of your IG framework. It is of the utmost importance to ensure that the alignment of your organizational goals and business objectives is taken into account when developing policies.
Roles and Responsibilities
Instead, you should engage in a deliberative process, using your IG framework as guiding principles and taking into account the views and needs of your cross-functional IG team. For each policy area, ensure that you have considered your stakeholders' input so that they are more willing to buy into and comply with the new policy and that the policy does not conflict with their business needs and requirements. Business processes.
Program Communications and Training
Program Controls, Monitoring, Auditing, and Enforcement
Security Techniques—Code of Practice for Information Security Management,” www.iso.org/iso/catalogue_detail?csnumber=50297 (tilgået 23. juli 2012). International Organization for Standardization, ISO Societal Security—Business Continuity Management Systems—Requirements,” www.iso.org/iso/catalogue_detail?csnumber=50038 (tilganget 21. april 2013).
PART THREE
Let's take a step back and examine the main issues affecting information costing and calculating the real cost of holding information, consider Big Data and e-discovery ramifications, and introduce some new concepts that can help address information costing issues. to frame otherwise for business. managers. Getting a good handle on the true cost of information is essential to properly controlling it, shifting resources to higher-value information, and discarding information that has no discernible business value and carries inherent, avoidable risks.
Changing Information Environment
Unstructured information is much more horizontal, making it difficult to develop and apply business rules. In addition, determining the costs and benefits of owning and managing unstructured information is a unique, but critical, challenge.
Calculating Information Costs
Determining the total cost of owning unstructured information is an essential precursor to managing and monetizing that information while simultaneously reducing information costs - important steps in generating profit for the company. It's the cost of lost opportunity - the lost benefit of information disorganized, created and then forgotten, pushed aside and left to rot.
Big Data Opportunities and Challenges
Most organizations own large pools of information that is effectively "dark": They don't know what it is, where it is, who is responsible for managing it, and whether it is an asset or a liability. It is not classified, indexed or managed according to the organization's own policies.
Full Cost Accounting for Information
Indirect costs, such as accounting, invoicing, office support, contract management, insurance, payroll, procurement and so on. Upfront costs, such as acquiring the system, integration and configuration, and training.
Calculating the Cost of Owning Unstructured Information
Storage and network infrastructure: the cost of the devices, networks, software and labor required to store unstructured information. Policy management and compliance: the costs of developing, implementing, enforcing and maintaining IG policies on unstructured information.
The Path to Information Value
Clean
Build and Maintain
Monetize
For example, McKinsey predicts that the demand for "deep analytical talent in the United States could be 50 to 60 percent greater than its projected supply by 2018." A main reason for this gap is this. For example, the largest distributor of heating oil in the United States sets prices on the fly based on commodity prices and customer retention risks.
Challenging the Culture
17 In a case that grabbed the attention of morning news shows with breathless headlines like "Are Mac Users Paying More?" the online travel company revealed that “Mac users are 40 percent more likely to book four- or five-star hotels. Different parts of your business can reach maturity at different rates, driven by the unique information risks and opportunities they hold.
New Information Models
190 billion a year in additional medical costs resulting from obesity in the United States, greater than the cost of smoking. Cap-and-trade, originally designed as a regulatory approach to combating acid rain in the 1980s, has received renewed attention as a method to curb carbon emissions.
Future State: What Will the IG-Enabled Organization Look Like?
IT efficiency and effectiveness will be improved by using IT frameworks and standards, such as CobiT 5 and ISO/. Implementing document lifecycle security tools such as data loss prevention and information rights management will help secure your confidential information assets and keep them from prying eyes.
Moving Forward
McKinsey Global Institute, "Big Data: The Next Frontier for Innovation, Competitions, and productiviteit", mei 2011. Brooklyn Navy Yard Development Corporation, "The History of Brooklyn Navy Yard", www .brooklynnavyyard.org/history.html ( geraadpleegd op 25 november 2013).
Introduction to e-Discovery: The Revised 2006 Federal Rules of Civil Procedure Changed Everything
The FRCP was amended in 2006 and some of the revisions relate specifically to the retention and discovery of electronic records in court proceedings. These changes have reinforced the importance of IG policies, processes and controls in handling ESI.
Big Data Impact
More Details on the Revised FRCP Rules
Discovery Techniques
Discovery Reference Model
In the e-discovery process, you must perform certain functions to identify and preserve electronically stored (ESI) and meet conditions requirements such as relevancy and privilege. Reduce costs by reducing the amount of ESI that moves to the next stage in the e-discovery process.
The Intersection of IG and E-Discovery
However, it is worth noting that the expectation is that organizations should link the notification process to the actual collection and retention of information in the long term. Yes, one of the primary benefits of advertising that addresses e-discovery via IG is cost reduction, but it is wise to begin measuring all e-discovery initiatives on how they impact the lifecycle of legal matters.
Building on Legal Hold Programs to Launch Defensible Disposition
In organizations that successfully initiate and execute IG projects, many have dedicated IG teams. The lessons learned from these targeted projects can then be applied to other IG initiatives.
Destructive Retention of E-mail
Newer Technologies That Can Assist in E-Discovery
I start making decisions and the system searches for similar articles.” This type of TAR is concerned with conveying or spreading what is known based on a sample set of documents to the rest of the documents in a corpus. For example, using a propagation-based approach with a set of seed documents may have problems when less than 10 percent of the documents in the seed set are positive for significance.
Defensible Disposal: The Only Real Way To Manage Terabytes T T and Petabytes
Accurate performance metrics are important not only at the end of the TAR process, but throughout the process to understand where efforts should be focused in the next cycle or iteration. The solution to unmitigated data proliferation is the defensive removal of business content that no longer has business or legal value to the organization.
Retention Policies and Schedules
Templates and manuals can be used to help develop record retention schemes for your organization, including the International Standard for Records Management, ISO 15489—Parts 1 and 2:2001, “Information and Documentation—Records Management”; the ISO 15489 standard was written to address all kinds of records. The retention policy must take into account a statute of limitations - the length of time after which legal proceedings cannot be brought to court.
Records Management Business Rationale
IG, in short, is a set of rules, policies and business processes used to manage and control the entirety of an organization's information. The focus is on the vital data that is needed to resume operations in the event of a disaster, and the management of this data is part of an overall RM program.
Why Is Records Management So Challenging?
As senior managers become increasingly aware of IG—the rules, policies, and processes that govern and manage information—they are promulgating more reporting and auditing requirements for managing formal business records. Since tracking and auditing the use of formal business records requires IT, and records and compliance departments are typically understaffed, those departments must rely on assistance from the IT department or outsourced IT provider – who often do not have the same perspective and priorities as the departments what they don't have. serve.
Benefi ts of Electronic Records Management
Additional Intangible Benefi ts
Inventorying E-Records
These knowledge workers are your best resource and can be your greatest allies or worst enemies when it comes to gathering accurate inventory data; developing a workable file plan; and ensuring the efficient operation of the application process, storage and removal of records.
Generally Accepted Recordkeeping Principles®
Records Inventory Challenges
They don't sit in a central file room, but may be scattered across servers, shared network drives, or in memory attached to mainframes or minicomputers. There may be additional "shadow" copies of e-records and it may be difficult to determine the true or original copy.15.
Records Inventory Purposes
Records Inventorying Steps
The scope of the inventory should be appropriate for the business goals and objectives it targets. Be sure to link the findings in the final record inventory report to the business goals that launched the effort.
Ensuring Adoption and Compliance of RM Policy
The legal value or utility of records for documenting and defining legally enforceable rights or obligations [of business owners, shareholders or a]. The fiscal value or usefulness of records for managing the current financial obligations of [a company or] agency and for documenting the development and performance of that agency over time.
General Principles of a Retention Scheduling
Series of files with similar characteristics or values should be assigned consistent and appropriate retention periods. Senior management should be able to easily review retention schedules, policy documentation, and audit information to ensure that users are in compliance with the retention schedule.
Developing a Records Retention Schedule
Record retention periods should reflect the business needs of users, the value of the records, and any legal or compliance requirements. A retention schedule allows uniformity in the retention and disposal process, regardless of the medium or location of the documents.
Why Are Retention Schedules Needed?
Review the functions and filing requirements for the [business unit or] agency or organizational component of the agency whose records will be included in the schedule. Instructions for transferring permanent records to the United States National Archives [or corporate archives for companies].
What Records Do You Have to Schedule?
Inventory and Classifi cation
A document type is a term used by many software systems to refer to a group of related records. When the records are all created by similar processes, the document type is the same as the previously mentioned business functions or activities.
Rationale for Records Groupings
A set of records is a group or unit of identical or related records that are commonly used and stored as a unit and can be evaluated for planning purposes as a unit or business function. Retention schedules require record sets to be defined by business function and activity, not record format or display type.
Records Series Identifi cation and Classifi cation
These titles give no insight into the nature of the plate series' function. Examples of case records include personnel files, mortgage loan folders, contract and amendment/addendum records, accident reports, insurance claims, and other records that accumulate and expand over time.
Retention of E-Mail Records
Documents of this type that relate to "routine activities of a [project], program, or service" do not have as much lasting value and must be kept on a schedule for a shorter period of time. All parts or features of the transaction, including who (the parties to it), what, when, how much and the composition of the components are part of the transaction.
How Long Should You Keep Old E-Mails?
The email notification documents other business activities that may be contested in the future, whether or not it ultimately involves litigation. Most business disputes are actually resolved without litigation, provided evidence of your organization's position can be presented.).
Destructive Retention of E-Mail
Many software vendors offer automated software that can move email messages into controlled repositories since they are marked as records. It is important to be familiar with the purpose, principles and special circumstances that affect statutes of limitations and thus record retention.” 44.
Legal Requirements and Compliance Research
A limitation period is the length of time after which a legal action cannot be brought before the courts. Limitation periods are important because they determine how long records must be kept to support court action [including subsequent appeal periods].
Event-Based Retention Scheduling for Disposition of E-Records
But in an effort to meet retention requirements, organizations handle event-based triggers in different ways, ways that are often problematic. In other cases, the organization simply does not have the ERM functionality it needs to manage event-based triggers.
Prerequisites for Event-Based Disposition
