Table of Contents

PREFACE xv


ACKNOWLEDGMENTS xvii


PART ONE—Information Governance Concepts, Definitions, and Principles 1


CHAPTER 1 The Onslaught of Big Data and the Information Governance Imperative 3


Defining Information Governance 5


IG Is Not a Project, But an Ongoing Program 7


Why IG Is Good Business 7


Failures in Information Governance 8


Form IG Policies, Then Apply Technology for Enforcement 10


Notes 12


CHAPTER 2 Information Governance, IT Governance, Data Governance: What’s the Difference? 15


Data Governance 15


IT Governance 17


Information Governance 20


Impact of a Successful IG Program 20


Summing Up the Differences 21


Notes 22


CHAPTER 3 Information Governance Principles 25


Accountability Is Key 27


Generally Accepted Recordkeeping Principles® 27


Contributed by Charmaine Brooks, CRM Assessment and Improvement Roadmap 34


Who Should Determine IG Policies? 35


Notes 38


PART TWO—Information Governance Risk Assessment and Strategic Planning 41


CHAPTER 4 Information Risk Planning and Management 43


Step 1: Survey and Determine Legal and Regulatory Applicability and Requirements 43


Step 2: Specify IG Requirements to Achieve Compliance 46


Step 3: Create a Risk Profi le 46


Step 4: Perform Risk Analysis and Assessment 48


Step 5: Develop an Information Risk Mitigation Plan 49


Step 6: Develop Metrics and Measure Results 50


Step 7: Execute Your Risk Mitigation Plan 50


Step 8: Audit the Information Risk Mitigation Program 51


Notes 51


CHAPTER 5 Strategic Planning and Best Practices for Information Governance 53


Crucial Executive Sponsor Role 54


Evolving Role of the Executive Sponsor 55


Building Your IG Team 56


Assigning IG Team Roles and Responsibilities 56


Align Your IG Plan with Organizational Strategic Plans 57


Survey and Evaluate External Factors 58


Formulating the IG Strategic Plan 65


Notes 69


CHAPTER 6 Information Governance Policy Development 71


A Brief Review of Generally Accepted Recordkeeping Principles® 71


IG Reference Model 72


Best Practices Considerations 75


Standards Considerations 76


Benefits and Risks of Standards 76


Key Standards Relevant to IG Efforts 77


Major National and Regional ERM Standards 81


Making Your Best Practices and Standards Selections to Inform Your IG Framework 87


Roles and Responsibilities 88


Program Communications and Training 89


Program Controls, Monitoring, Auditing and Enforcement 89


Notes 91


PART THREE—Information Governance Key Impact Areas Based on the IG Reference Model 95


CHAPTER 7 Business Considerations for a Successful IG Program 97


By Barclay T. Blair


Changing Information Environment 97


Calculating Information Costs 99


Big Data Opportunities and Challenges 100


Full Cost Accounting for Information 101


Calculating the Cost of Owning Unstructured Information 102


The Path to Information Value 105


Challenging the Culture 107


New Information Models 107


Future State: What Will the IG-Enabled Organization Look Like? 110


Moving Forward 111


Notes 113


CHAPTER 8 Information Governance and Legal Functions 115


By Robert Smallwood with Randy Kahn, Esq., and Barry Murphy


Introduction to e-Discovery: The Revised 2006 Federal Rules of Civil Procedure Changed Everything 115


Big Data Impact 117


More Details on the Revised FRCP Rules 117


Landmark E-Discovery Case: Zubulake v. UBS Warburg 119


E-Discovery Techniques 119


E-Discovery Reference Model 119


The Intersection of IG and E-Discovery 122


By Barry Murphy


Building on Legal Hold Programs to Launch Defensible Disposition 125


By Barry Murphy


Destructive Retention of E-Mail 126


Newer Technologies That Can Assist in E-Discovery 126


Defensible Disposal: The Only Real Way To Manage Terabytes and Petabytes 130


By Randy Kahn, Esq.


Retention Policies and Schedules 137


By Robert Smallwood, edited by Paula Lederman, MLS


Notes 144


CHAPTER 9 Information Governance and Records and Information Management Functions 147


Records Management Business Rationale 149


Why Is Records Management So Challenging? 150


Benefits of Electronic Records Management 152


Additional Intangible Benefits 153


Inventorying E-Records 154


Generally Accepted Recordkeeping Principles® 155


E-Records Inventory Challenges 155


Records Inventory Purposes 156


Records Inventorying Steps 157


Ensuring Adoption and Compliance of RM Policy 168


General Principles of a Retention Scheduling 169


Developing a Records Retention Schedule 170


Why Are Retention Schedules Needed? 171


What Records Do You Have to Schedule? Inventory and Classification 173


Rationale for Records Groupings 174


Records Series Identification and Classification 174


Retention of E-Mail Records 175


How Long Should You Keep Old E-Mails? 176


Destructive Retention of E-Mail 177


Legal Requirements and Compliance Research 178


Event-Based Retention Scheduling for Disposition of E-Records 179


Prerequisites for Event-Based Disposition 180


Final Disposition and Closure Criteria 181


Retaining Transitory Records 182


Implementation of the Retention Schedule and Disposal of Records 182


Ongoing Maintenance of the Retention Schedule 183


Audit to Manage Compliance with the Retention Schedule 183


Notes 186


CHAPTER 10 Information Governance and Information Technology Functions 189


Data Governance 191


Steps to Governing Data Effectively 192


Data Governance Framework 193


Information Management 194


IT Governance 196


IG Best Practices for Database Security and Compliance 202


Tying It All Together 204


Notes 205


CHAPTER 11 Information Governance and Privacy and Security Functions 207


Cyberattacks Proliferate 207


Insider Threat: Malicious or Not 208


Privacy Laws 210


Defense in Depth 212


Controlling Access Using Identity Access Management 212


Enforcing IG: Protect Files with Rules and Permissions 213


Challenge of Securing Confidential E-Documents 213


Apply Better Technology for Better Enforcement in the Extended Enterprise 215


E-Mail Encryption 217


Secure Communications Using Record-Free E-Mail 217


Digital Signatures 218


Document Encryption 219


Data Loss Prevention (DLP) Technology 220


Missing Piece: Information Rights Management (IRM) 222


Embedded Protection 226


Hybrid Approach: Combining DLP and IRM Technologies 227


Securing Trade Secrets after Layoffs and Terminations 228


Persistently Protecting Blueprints and CAD Documents 228


Securing Internal Price Lists 229


Approaches for Securing Data Once It Leaves the Organization 230


Document Labeling 231


Document Analytics 232


Confidential Stream Messaging 233


Notes 236


PART FOUR—Information Governance for Delivery Platforms 239


CHAPTER 12 Information Governance for E-Mail and Instant Messaging 241


Employees Regularly Expose Organizations to E-Mail Risk 242


E-Mail Polices Should Be Realistic and Technology Agnostic 243


E-Record Retention: Fundamentally a Legal Issue 243


Preserve E-Mail Integrity and Admissibility with Automatic Archiving 244


Instant Messaging 247


Best Practices for Business IM Use 247


Technology to Monitor IM 249


Tips for Safer IM 249


Notes 251


CHAPTER 13 Information Governance for Social Media 253


By Patricia Franks, Ph.D, CRM, and Robert Smallwood


Types of Social Media in Web 2.0 253


Additional Social Media Categories 255


Social Media in the Enterprise 256


Key Ways Social Media Is Different from E-Mail and Instant Messaging 257


Biggest Risks of Social Media 257


Legal Risks of Social Media Posts 259


Tools to Archive Social Media 261


IG Considerations for Social Media 262


Key Social Media Policy Guidelines 263


Records Management and Litigation Considerations for Social Media 264


Emerging Best Practices for Managing Social Media Records 267


Notes 269


CHAPTER 14 Information Governance for Mobile Devices 271


Current Trends in Mobile Computing 273


Security Risks of Mobile Computing 274


Securing Mobile Data 274


Mobile Device Management 275


IG for Mobile Computing 276


Building Security into Mobile Applications 277


Best Practices to Secure Mobile Applications 280


Developing Mobile Device Policies 281


Notes 283


CHAPTER 15 Information Governance for Cloud Computing 285


By Monica Crocker CRM, PMP, CIP, and Robert Smallwood


Defining Cloud Computing 286


Key Characteristics of Cloud Computing 287


What Cloud Computing Really Means 288


Cloud Deployment Models 289


Security Threats with Cloud Computing 290


Benefits of the Cloud 298


Managing Documents and Records in the Cloud 299


IG Guidelines for Cloud Computing Solutions 300


Notes 301


CHAPTER 16 SharePoint Information Governance 303


By Monica Crocker, CRM, PMP, CIP, edited by Robert Smallwood


Process Change, People Change 304


Where to Begin the Planning Process 306


Policy Considerations 310


Roles and Responsibilities 311


Establish Processes 312


Training Plan 313


Communication Plan 313


Note 314


PART FIVE—Long-Term Program Issues 315


CHAPTER 17 Long-Term Digital Preservation 317


By Charles M. Dollar and Lori J. Ashley


Defining Long-Term Digital Preservation 317


Key Factors in Long-Term Digital Preservation 318


Threats to Preserving Records 320


Digital Preservation Standards 321


PREMIS Preservation Metadata Standard 328


Recommended Open Standard Technology-Neutral Formats 329


Digital Preservation Requirements 333


Long-Term Digital Preservation Capability Maturity Model® 334


Scope of the Capability Maturity Model 336


Digital Preservation Capability Performance Metrics 341


Digital Preservation Strategies and Techniques 341


Evolving Marketplace 344


Looking Forward 344


Notes 346


CHAPTER 18 Maintaining an Information Governance Program and Culture of Compliance 349


Monitoring and Accountability 349


Staffing Continuity Plan 350


Continuous Process Improvement 351


Why Continuous Improvement Is Needed 351


Notes 353


APPENDIX A Information Organization and Classification: Taxonomies and Metadata 355


By Barb Blackburn, CRM, with Robert Smallwood; edited by Seth Earley


Importance of Navigation and Classification 357


When Is a New Taxonomy Needed? 358


Taxonomies Improve Search Results 358


Metadata and Taxonomy 359


Metadata Governance, Standards, and Strategies 360


Types of Metadata 362


Core Metadata Issues 363


International Metadata Standards and Guidance 364


Records Grouping Rationale 368


Business Classification Scheme, File Plans, and Taxonomy 368


Classification and Taxonomy 369


Prebuilt versus Custom Taxonomies 370


Thesaurus Use in Taxonomies 371


Taxonomy Types 371


Business Process Analysis 377


Taxonomy Testing: A Necessary Step 379


Taxonomy Maintenance 380


Social Tagging and Folksonomies 381


Notes 383


APPENDIX B Laws and Major Regulations Related to


Records Management 385


United States 385


Canada 387


By Ken Chasse, J.D., LL.M.


United Kingdom 389


Australia 391


Notes 394


APPENDIX C Laws and Major Regulations


Related to Privacy 397


United States 397


Major Privacy Laws Worldwide, by Country 398


Notes 400


GLOSSARY 401


ABOUT THE AUTHOR 417


ABOUT THE MAJOR CONTRIBUTORS 419


INDEX 421

About the Author

ROBERT F. SMALLWOOD is Partner and Executive Director of the Information Governance Institute at IMERGE Consulting. Mr. Smallwood is a widely recognized and published authority in IG, with special expertise in e-records management and e-document security. He has been quoted in the Wall Street Journal, Washington Post, New York Times, and appeared on C-SPAN, BBC, and a number of network news programs. Go to www.information-governance-training.com for IG education options.