Information Governance - Paper Answers

Discussion Question 1:

In order to interpret the Information Governance Reference Model (IGRM) diagram. It is recommended that we start from the outside of the diagram.

Briefly name three (3) components required to successfully conceive a complex set of inter-operable processes and implementable procedures and structural elements.

Question 2:

In chapter seven (7), we have learned from “The Path to Information Value” that Seventy percent of managers and executives say data are “extremely important” for creating competitive advantage.

In addition, it is implied by the authors that, “The key, of course, is knowing which data matter, who within a company needs them, and finding ways to get that data into users’ hands.”

Looking at the Economist Intelligence Unit report, identify the three (3) phases that led to the yard’s rebirth.

INFORMATION
GOVERNANCE

Founded in 1807, John Wiley & Sons is the oldest independent publishing company in
the United States. With offi ces in North America, Europe, Asia, and Australia, Wiley
is globally committed to developing and marketing print and electronic products and
services for our customers’ professional and personal knowledge and understanding.
The Wiley CIO series provides information, tools, and insights to IT executives
and managers. The products in this series cover a wide range of topics that supply
strategic and implementation guidance on the latest technology trends, leadership, and
emerging best practices.
Titles in the Wiley CIO series include:
The Agile Architecture Revolution: How Cloud Computing, REST-Based SOA, and
Mobile Computing Are Changing Enterprise IT by Jason BloombergT
Big Data, Big Analytics: Emerging Business Intelligence and Analytic Trends for Today’s
Businesses by Michael Minelli, Michele Chambers, and Ambiga Dhiraj
The Chief Information Offi cer’s Body of Knowledge: People, Process, and Technology by
Dean Lane
CIO Best Practices: Enabling Strategic Value with Information Technology (Second
Edition) by Joe Stenzel, Randy Betancourt, Gary Cokins, Alyssa Farrell, Bill
Flemming, Michael H. Hugos, Jonathan Hujsak, and Karl Schubert
The CIO Playbook: Strategies and Best Practices for IT Leaders to Deliver Value by
Nicholas R. Colisto
Enterprise Performance Management Done Right: An Operating System for Your
Organization by Ron Dimon
Executive’s Guide to Virtual Worlds: How Avatars Are Transforming Your Business and
Your Brand by Lonnie Bensond
IT Leadership Manual: Roadmap to Becoming a Trusted Business Partner by Alan R. r
Guibord
Managing Electronic Records: Methods, Best Practices, and Technologies by Robert F. s
Smallwood
On Top of the Cloud: How CIOs Leverage New Technologies to Drive Change and Build
Value Across the Enterprise by Hunter Muller
Straight to the Top: CIO Leadership in a Mobile, Social, and Cloud-based World (Second
Edition) by Gregory S. Smith
Strategic IT: Best Practices for Managers and Executives by Arthur M. Langer ands
Lyle Yorks
Transforming IT Culture: How to Use Social Intelligence, Human Factors, and
Collaboration to Create an IT Department That Outperforms by Frank Wanders
Unleashing the Power of IT: Bringing People, Business, and Technology Together by Dan
Roberts
The U.S. Technology Skills Gap: What Every Technology Executive Must Know to Save
America’s Future by Gary J. Beach
Information Governance: Concepts, Strategies and Best Practices by Robert F. Smallwoods

Robert F. Smallwood
INFORMATION
GOVERNANCE
CONCEPTS, STRATEGIES AND
BEST PRACTICES

Cover image: © iStockphoto / IgorZh
Cover design: Wiley
Copyright © 2014 by Robert F. Smallwood. All rights reserved.
Chapter 7 © 2014 by Barclay Blair
Portions of Chapter 8 © 2014 by Randolph Kahn
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form
or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as
permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior
written permission of the Publisher, or authorization through payment of the appropriate per-copy fee
to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax
(978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should
be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ
07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best
efforts in preparing this book, they make no representations or warranties with respect to the accuracy
or completeness of the contents of this book and specifi cally disclaim any implied warranties of
merchantability or fi tness for a particular purpose. No warranty may be created or extended by sales
representatives or written sales materials. The advice and strategies contained herein may not be suitable
for your situation. You should consult with a professional where appropriate. Neither the publisher nor
author shall be liable for any loss of profi t or any other commercial damages, including but not limited to
special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our
Customer Care Department within the United States at (800) 762-2974, outside the United States at (317)
572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included
with standard print versions of this book may not be included in e-books or in print-on-demand. If this book
refers to media such as a CD or DVD that is not included in the version you purchased, you may download this
material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Cataloging-in-Publication Data:
Smallwood, Robert F., 1959-
Information governance : concepts, strategies, and best practices / Robert F. Smallwood.
pages cm. — (Wiley CIO series)
ISBN 978-1-118-21830-3 (cloth); ISBN 978-1-118-41949-6 (ebk); ISBN 978-1-118-42101-7 (ebk)
1. Information technology—Management. 2. Management information systems. 3. Electronic
records—Management. I. Title.
HD30.2.S617 2014
658.4’038—dc23
2013045072
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1

http://www.copyright.com

http://www.wiley.com/go/permissions

http://booksupport.wiley.com

http://www.wiley.com

For my sons
and the next generation of tech-savvy managers

vii
CONTENTS
PREFACE xv
ACKNOWLEDGMENTS xvii
PA RT O N E — Information Governance Concepts,
Defi nitions, and Principles 1p
C H A P T E R 1 The Onslaught of Big Data and the Information Governance
Imperative 3
Defi ning Information Governance 5
IG Is Not a Project, But an Ongoing Program 7
Why IG Is Good Business 7
Failures in Information Governance 8
Form IG Policies, Then Apply Technology for Enforcement 10
Notes 12
C H A P T E R 2 Information Governance, IT Governance, Data
Governance: What’s the Difference? 15
Data Governance 15
IT Governance 17
Information Governance 20
Impact of a Successful IG Program 20
Summing Up the Differences 21
Notes 22
C H A P T E R 3 Information Governance Principles 25
Accountability Is Key 27
Generally Accepted Recordkeeping Principles® 27
Contributed by Charmaine Brooks, CRM
Assessment and Improvement Roadmap 34
Who Should Determine IG Policies? 35
Notes 38
PA RT T W O — Information Governance Risk Assessment
and Strategic Planning 41g g
C H A P T E R 4 Information Risk Planning and Management 43
Step 1: Survey and Determine Legal and Regulatory Applicability
and Requirements 43

viii CONTENTS
Step 2: Specify IG Requirements to Achieve Compliance 46
Step 3: Create a Risk Profi le 46
Step 4: Perform Risk Analysis and Assessment 48
Step 5: Develop an Information Risk Mitigation Plan 49
Step 6: Develop Metrics and Measure Results 50
Step 7: Execute Your Risk Mitigation Plan 50
Step 8: Audit the Information Risk Mitigation Program 51
Notes 51
C H A P T E R 5 Strategic Planning and Best Practices for
Information Governance 53
Crucial Executive Sponsor Role 54
Evolving Role of the Executive Sponsor 55
Building Your IG Team 56
Assigning IG Team Roles and Responsibilities 56
Align Your IG Plan with Organizational Strategic Plans 57
Survey and Evaluate External Factors 58
Formulating the IG Strategic Plan 65
Notes 69
C H A P T E R 6 Information Governance Policy Development 71
A Brief Review of Generally Accepted Recordkeeping Principles® 71
IG Reference Model 72
Best Practices Considerations 75
Standards Considerations 76
Benefi ts and Risks of Standards 76
Key Standards Relevant to IG Efforts 77
Major National and Regional ERM Standards 81
Making Your Best Practices and Standards Selections to Inform
Your IG Framework 87
Roles and Responsibilities 88
Program Communications and Training 89
Program Controls, Monitoring, Auditing and Enforcement 89
Notes 91
PA RT T H R E E — Information Governance Key
Impact Areas Based on the IG Reference Model 95p
C H A P T E R 7 Business Considerations for a Successful IG Program 97
By Barclay T. Blair
Changing Information Environment 97

CONTENTS ix
Calculating Information Costs 99
Big Data Opportunities and Challenges 100
Full Cost Accounting for Information 101
Calculating the Cost of Owning Unstructured Information 102
The Path to Information Value 105
Challenging the Culture 107
New Information Models 107
Future State: What Will the IG-Enabled Organization Look Like? 110
Moving Forward 111
Notes 113
C H A P T E R 8 Information Governance and Legal Functions 115
By Robert Smallwood with Randy Kahn, Esq., and Barry Murphy
Introduction to e-Discovery: The Revised 2006 Federal Rules of
Civil Procedure Changed Everything 115
Big Data Impact 117
More Details on the Revised FRCP Rules 117
Landmark E-Discovery Case: Zubulake v. UBS Warburg 119
E-Discovery Techniques 119
E-Discovery Reference Model 119
The Intersection of IG and E-Discovery 122
By Barry Murphy
Building on Legal Hold Programs to Launch Defensible Disposition 125
By Barry Murphy
Destructive Retention of E-Mail 126
Newer Technologies That Can Assist in E-Discovery 126
Defensible Disposal: The Only Real Way To Manage Terabytes and Petabytes 130
By Randy Kahn, Esq.
Retention Policies and Schedules 137
By Robert Smallwood, edited by Paula Lederman, MLS
Notes 144
C H A P T E R 9 Information Governance and Records and
Information Management Functions 147
Records Management Business Rationale 149
Why Is Records Management So Challenging? 150
Benefi ts of Electronic Records Management 152
Additional Intangible Benefi ts 153
Inventorying E-Records 154
Generally Accepted Recordkeeping Principles® 155
E-Records Inventory Challenges 155

x CONTENTS
Records Inventory Purposes 156
Records Inventorying Steps 157
Ensuring Adoption and Compliance of RM Policy 168
General Principles of a Retention Scheduling 169
Developing a Records Retention Schedule 170
Why Are Retention Schedules Needed? 171
What Records Do You Have to Schedule? Inventory and Classifi cation 173
Rationale for Records Groupings 174
Records Series Identifi cation and Classifi cation 174
Retention of E-Mail Records 175
How Long Should You Keep Old E-Mails? 176
Destructive Retention of E-Mail 177
Legal Requirements and Compliance Research 178
Event-Based Retention Scheduling for Disposition of E-Records 179
Prerequisites for Event-Based Disposition 180
Final Disposition and Closure Criteria 181
Retaining Transitory Records 182
Implementation of the Retention Schedule and Disposal of Records 182
Ongoing Maintenance of the Retention Schedule 183
Audit to Manage Compliance with the Retention Schedule 183
Notes 186
C H A P T E R 10 Information Governance and Information
Technology Functions 189
Data Governance 191
Steps to Governing Data Effectively 192
Data Governance Framework 193
Information Management 194
IT Governance 196
IG Best Practices for Database Security and Compliance 202
Tying It All Together 204
Notes 205
C H A P T E R 11 Information Governance and Privacy and
Security Functions 207
Cyberattacks Proliferate 207
Insider Threat: Malicious or Not 208
Privacy Laws 210
Defense in Depth 212
Controlling Access Using Identity Access Management 212
Enforcing IG: Protect Files with Rules and Permissions 213

CONTENTS xi
Challenge of Securing Confi dential E-Documents 213
Apply Better Technology for Better Enforcement in the Extended Enterprise 215
E-Mail Encryption 217
Secure Communications Using Record-Free E-Mail 217
Digital Signatures 218
Document Encryption 219
Data Loss Prevention (DLP) Technology 220
Missing Piece: Information Rights Management (IRM) 222
Embedded Protection 226
Hybrid Approach: Combining DLP and IRM Technologies 227
Securing Trade Secrets after Layoffs and Terminations 228
Persistently Protecting Blueprints and CAD Documents 228
Securing Internal Price Lists 229
Approaches for Securing Data Once It Leaves the Organization 230
Document Labeling 231
Document Analytics 232
Confi dential Stream Messaging 233
Notes 236
PA RT F O U R — Information Governance for
Delivery Platforms 239y
C H A P T E R 12 Information Governance for E-Mail and Instant Messaging 241
Employees Regularly Expose Organizations to E-Mail Risk 242
E-Mail Polices Should Be Realistic and Technology Agnostic 243
E-Record Retention: Fundamentally a Legal Issue 243
Preserve E-Mail Integrity and Admissibility with Automatic Archiving 244
Instant Messaging 247
Best Practices for Business IM Use 247
Technology to Monitor IM 249
Tips for Safer IM 249
Notes 251
C H A P T E R 13 Information Governance for Social Media 253
By Patricia Franks, Ph.D, CRM, and Robert Smallwood
Types of Social Media in Web 2.0 253
Additional Social Media Categories 255
Social Media in the Enterprise 256
Key Ways Social Media Is Different from E-Mail and Instant Messaging 257
Biggest Risks of Social Media 257
Legal Risks of Social Media Posts 259

xii CONTENTS
Tools to Archive Social Media 261
IG Considerations for Social Media 262
Key Social Media Policy Guidelines 263
Records Management and Litigation Considerations for Social Media 264
Emerging Best Practices for Managing Social Media Records 267
Notes 269
C H A P T E R 14 Information Governance for Mobile Devices 271
Current Trends in Mobile Computing 273
Security Risks of Mobile Computing 274
Securing Mobile Data 274
Mobile Device Management 275
IG for Mobile Computing 276
Building Security into Mobile Applications 277
Best Practices to Secure Mobile Applications 280
Developing Mobile Device Policies 281
Notes 283
C H A P T E R 15 Information Governance for Cloud Computing 285
By Monica Crocker CRM, PMP, CIP, and Robert Smallwood
Defi ning Cloud Computing 286
Key Characteristics of Cloud Computing 287
What Cloud Computing Really Means 288
Cloud Deployment Models 289
Security Threats with Cloud Computing 290
Benefi ts of the Cloud 298
Managing Documents and Records in the Cloud 299
IG Guidelines for Cloud Computing Solutions 300
Notes 301
C H A P T E R 16 SharePoint Information Governance 303
By Monica Crocker, CRM, PMP, CIP, edited by Robert Smallwood
Process Change, People Change 304
Where to Begin the Planning Process 306
Policy Considerations 310
Roles and Responsibilities 311
Establish Processes 312
Training Plan 313
Communication Plan 313
Note 314

CONTENTS xiii
PA RT F I V E — Long-Term Program Issues 315g g
C H A P T E R 17 Long-Term Digital Preservation 317
By Charles M. Dollar and Lori J. Ashley
Defi ning Long-Term Digital Preservation 317
Key Factors in Long-Term Digital Preservation 318
Threats to Preserving Records 320
Digital Preservation Standards 321
PREMIS Preservation Metadata Standard 328
Recommended Open Standard Technology-Neutral Formats 329
Digital Preservation Requirements 333
Long-Term Digital Preservation Capability Maturity Model® 334
Scope of the Capability Maturity Model 336
Digital Preservation Capability Performance Metrics 341
Digital Preservation Strategies and Techniques 341
Evolving Marketplace 344
Looking Forward 344
Notes 346
C H A P T E R 18 Maintaining an Information Governance Program
and Culture of Compliance 349
Monitoring and Accountability 349
Staffi ng Continuity Plan 350
Continuous Process Improvement 351
Why Continuous Improvement Is Needed 351
Notes 353
A P P E N D I X A Information Organization and Classifi cation:
Taxonomies and Metadata 355
By Barb Blackburn, CRM, with Robert Smallwood; edited by Seth Earley
Importance of Navigation and Classifi cation 357
When Is a New Taxonomy Needed? 358
Taxonomies Improve Search Results 358
Metadata and Taxonomy 359
Metadata Governance, Standards, and Strategies 360
Types of Metadata 362
Core Metadata Issues 363
International Metadata Standards and Guidance 364
Records Grouping Rationale 368
Business Classifi cation Scheme, File Plans, and Taxonomy 368
Classifi cation and Taxonomy 369

xiv CONTENTS
Prebuilt versus Custom Taxonomies 370
Thesaurus Use in Taxonomies 371
Taxonomy Types 371
Business Process Analysis 377
Taxonomy Testing: A Necessary Step 379
Taxonomy Maintenance 380
Social Tagging and Folksonomies 381
Notes 383
A P P E N D I X B Laws and Major Regulations Related to
Records Management 385
United States 385
Canada 387
By Ken Chasse, J.D., LL.M.
United Kingdom 389
Australia 391
Notes 394
A P P E N D I X C Laws and Major Regulations
Related to Privacy 397
United States 397
Major Privacy Laws Worldwide, by Country 398
Notes 400
GLOSSARY 401
ABOUT THE AUTHOR 417
ABOUT THE MAJOR CONTRIBUTORS 419
INDEX 421

xv
PREFACE
I
nformation governance (IG) has emerged as a key concern for business executives
and managers in today’s environment of Big Data, increasing information risks, co-
lossal leaks, and greater compliance and legal demands. But few seem to have a clear
understanding of what IG is; that is, how you defi ne what it is and is not, and how to
implement it. This book clarifi es and codifi es these defi nitions and provides key in-
sights as to how to implement and gain value from IG programs. Based on exhaustive
research, and with the contributions of a number of industry pioneers and experts, this
book lays out IG as a complete discipline in and of itself for the fi rst time.
IG is a super-discipline that includes components of several key fi elds: law, records
management, information technology (IT), risk management, privacy and security,
and business operations. This unique blend calls for a new breed of information pro-
fessional who is competent across these established and quite complex fi elds. Training
and education are key to IG success, and this book provides the essential underpinning
for organizations to train a new generation of IG professionals.
Those who are practicing professionals in the component fi elds of IG will fi nd
the book useful in expanding their knowledge from traditional fi elds to the emerging
tenets of IG. Attorneys, records and compliance managers, risk managers, IT manag-
ers, and security and privacy professionals will fi nd this book a particularly valuable
resource.
The book strives to offer clear IG concepts, actionable strategies, and proven best
practices in an understandable and digestible way; a concerted effort was made to
simplify language and to offer examples. There are summaries of key points through-
out and at the end of each chapter to help the reader retain major points. The text
is organized into fi ve parts: (1) Information Governance Concepts, Defi nitions, and
Principles; (2) IG Risk Assessment and Strategic Planning; (3) IG Key Impact Areas;
(4) IG for Delivery Platforms; and (5) Long-Term Program Issues. Also included are
appendices with detailed information on taxonomy and metadata design and on re-
cords management and privacy legislation.
One thing that is sure is that the complex fi eld of IG is evolving. It will continue
to change and solidify. But help is here: No other book offers the kind of compre-
hensive coverage of IG contained within these pages. Leveraging the critical advice
provided here will smooth your path to understanding and implementing successful
IG programs.
Robert F. Smallwood

xvii
ACKNOWLEDGMENTS
I
would like to sincerely thank my colleagues for their support and generous contribu-
tion of their expertise and time, which made this pioneering text possible.
Many thanks to Lori Ashley, Barb Blackburn, Barclay Blair, Charmaine Brooks,
Ken Chasse, Monica Crocker, Charles M. Dollar, Seth Earley, Dr. Patricia Franks,
Randy Kahn, Paula Lederman, and Barry Murphy.
I am truly honored to include their work and owe them a great debt of gratitude.

PA RT O N E
Information
Governance
Concepts,
Defi nitions, and
Principles

3
The Onslaught
of Big Data and
the Information
Governance Imperative
C H A P T E R 1
T
he value of information in business is rising, and business leaders are more and
more viewing the ability to govern, manage, and harvest information as critical
to success. Raw data is now being increasingly viewed as an asset that can be
leveraged, just like fi nancial or human capital.1 Some have called this new age of “Big
Data” the “industrial revolution of data.”
According to the research group Gartner, Inc., Big Data is defi ned as “high-volume,
high-velocity and high-variety information assets that demand cost-effective, inno-
vative forms of information processing for enhanced insight and decision making.” 2
A practical defi nition should also include the idea that the amount of data—both struc-
tured (in databases) and unstructured (e.g., e-mail, scanned documents) is so mas-
sive that it cannot be processed using today’s database tools and analytic software
techniques. 3
In today’s information overload era of Big Data—characterized by massive growth
in business data volumes and velocity—the ability to distill key insights from enor-
mous amounts of data is a major business differentiator and source of sustainable com-
petitive advantage. In fact, a recent report by the World Economic Forum stated that
data is a new asset class and personal data is “the new oil.” 4 And we are generating more
than we can manage effectively with current methods and tools.
The Big Data numbers are overwhelming: Estimates and projections vary, but it
has been stated that 90 percent of the data existing worldwide today was created in the
last two years 5 and that every two days more information is generated than was from
the dawn of civilization until 2003. 6 This trend will continue: The global market for
Big Data technology and services is projected to grow at a compound annual rate of
27 percent through 2017, about six times faster than the general information and com-
munications technology (ICT) market. 7
Many more comparisons and statistics are available, and all demonstrate the
incredible and continued growth of data.
Certainly, there are new and emerging opportunities arising from the accu-
mulation and analysis of all that data we are busy generating and collecting. New
enterprises are springing up to capitalize on data mining and business intelligence
opportunities. The U.S. federal government joined in, announcing $200 million in
Big Data research programs in 2012.8

4 INFORMATION GOVERNANCE
Big Data values massive accumulation of data, whereas in business, e-discovery
realities and potential legal liabilities dictate that data be culled to only that
which has clear business value.
But established organizations, especially larger ones, are being crushed by this
onslaught of Big Data: It is just too expensive to keep all the information that is being
generated, and unneeded information is a sort of irrelevant sludge for decision makers
to wade through. They have diffi culty knowing which information is an accurate and
meaningful “wheat” and which is simply irrelevant “chaff.” This means they do not
have the precise information they need to base good business decisions upon.
And all that Big Data piling up has real costs: The burden of massive stores of
information has increased storage management costs dramatically, caused overloaded
systems to fail, and increased legal discovery costs. 9 Further, the longer that data is
kept, the more likely that it will need to be migrated to newer computing platforms,
driving up conversion costs; and legally, there is the risk that somewhere in that
mountain of data an organization stores is a piece of information that represents a
signifi cant legal liability.10
This is where the worlds of Big Data and business collide . For Big Data proponents,
more data is always better, and there is no perceived downside to accumulation of mas-
sive amounts of data. In the business world, though, the realities of legal e-discovery
mean the opposite is true. 11 To reduce risk, liability, and costs, it is critical for unneeded
information to be disposed of in a systematic, methodical, and “legally defensible” (jus-
tifi able in legal proceedings) way, when it no longer has legal, regulatory, or business
value. And there also is the high-value benefi t of basing decisions on better, cleaner
data, which can come about only through rigid, enforced information governance
(IG) policies that reduce information glut.
Organizations are struggling to reduce and right-size their information footprint
by discarding superfl uous and redundant data, e-documents, and information. But the
critical issue is devising policies, methods, and processes and then deploying information technol-
ogy (IT) to sort through which information is valuable and which no longer has business value
and can be discarded.
IT, IG, risk, compliance, and legal representatives in organizations have a clear
sense that most of the information stored is unneeded, raises costs, and poses risks.
According to a survey taken at a recent Compliance, Governance and Oversight
Counsel summit, respondents estimated that approximately 25 percent of information
stored in organizations has real business value, while 5 percent must be kept as busi-
ness records and about 1 percent is retained due to a litigation hold. “This means that
The onslaught of Big Data necessitates that information governance (IG) be
implemented to discard unneeded data in a legally defensible way.

THE ONSLAUGHT OF BIG DATA AND THE INFORMATION GOVERNANCE IMPERATIVE 5
[about] 69 percent of information in most companies has no business, legal, or regulatory value.
Companies that are able to dispose of this data debris return more profi t to sharehold-
ers, can leverage more of their IT budgets for strategic investments, and can avoid
excess expense in legal and regulatory response” (emphasis added). 12
With a smaller information footprint , organizations can more easily fi nd what they tt
need and derive business value from it.13 They must eliminate the data debris regularly
and consistently, and to do this, processes and systems must be in place to cull valuable
information and discard the data debris daily. An IG program sets the framework to
accomplish this.
The business environment has also underscored the need for IG. According to
Ted Friedman at Gartner, “The recent global fi nancial crisis has put information gov-
ernance in the spotlight. . . . [It] is a priority of IT and business leaders as a result of
various pressures, including regulatory compliance mandates and the urgent need for
improved decision-making.” 14
And IG mastery is critical for executives: Gartner predicts that by 2016, one in fi ve chief
information offi cers in regulated industries will be fi red from their jobs for failed IG initiatives. s 15
Defi ning Information Governance
IG is a sort of super discipline that has emerged as a result of new and tightened legislation
governing businesses, external threats such as hacking and data breaches, and the recog-
nition that multiple overlapping disciplines were needed to address today’s information
management challenges in an increasingly regulated and litigated business environment.16
IG is a subset of corporate governance, and includes key concepts from re-
cords management, content management, IT and data governance, information se-
curity, data privacy, risk management, litigation readiness, regulatory compliance,
long-term digital preservation , and even business intelligence. This also means
that it includes related technology and discipline subcategories, such as document
management, enterprise search, knowledge management, and business continuity/
disaster recovery.
Only about one quarter of information organizations are managing has real
business value.
With a smaller information footprint, it is easier for organizations to fi nd the
information they need and derive business value from it.
IG is a subset of corporate governance.

6 INFORMATION GOVERNANCE
IG is a sort of superdiscipline that encompasses a variety of key concepts from
a variety of related disciplines.
Practicing good IG is the essential foundation for building legally defensible
disposition practices to discard unneeded information and to secure confi dential in-
formation, which may include trade secrets, strategic plans, price lists, blueprints, or
personally identifi able information (PII) subject to privacy laws; it provides the basis
for consistent, reliable methods for managing data, e-documents, and records.
Having trusted and reliable records, reports, data, and databases enables managers
to make key decisions with confi dence.17 And accessing that information and business
intelligence in a timely fashion can yield a long-term sustainable competitive advan-
tage, creating more agile enterprises.
To do this, organizations must standardize and systematize their handling of in-
formation. They must analyze and optimize how information is accessed, controlled,
managed, shared, stored, preserved, and audited. They must have complete, current,
and relevant policies, processes, and technologies to manage and control information,
including who is able to access what information , and when, to meet external legal
and regulatory demands and internal governance policy requirements. In short, IG is
about information control and compliance.
IG is a subset of corporate governance, which has been around as long as corpora-
tions have existed. IG is a rather new multidisciplinary fi eld that is still being defi ned,
but has gained traction increasingly over the past decade. The focus on IG comes not
only from compliance, legal, and records management functionaries but also from ex-
ecutives who understand they are accountable for the governance of information and
that theft or erosion of information assets has real costs and consequences.
“Information governance” is an all-encompassing term for how an organization
manages the totality of its information.
According to the Association of Records Managers and Administrators
(ARMA), IG is “a strategic framework composed of standards, processes, roles, and
metrics that hold organizations and individuals accountable to create, organize, secure,
maintain, use, and dispose of information in ways that align with and contribute to the
organization’s goals.”18
IG includes the set of policies, processes, and controls to manage information in compliance
with external regulatory requirements and internal governance frameworks . Specifi c policiess
apply to specifi c data and document types, records series, and other business informa-
tion, such as e-mail and reports.
Stated differently, IG is “a quality-control discipline for managing, using, improv-
ing, and protecting information.” 19
Practicing good IG is the essential foundation for building legally defensible
disposition practices to discard unneeded information.

THE ONSLAUGHT OF BIG DATA AND THE INFORMATION GOVERNANCE IMPERATIVE 7
IG is “a strategic framework composed of standards, processes, roles, and
metrics, that hold organizations and individuals accountable to create, orga-
nize, secure, maintain, use, and dispose of information in ways that align with
and contribute to the organization’s goals.” 20
Fleshing out the defi nition further: “Information governance is policy-based man-
agement of information designed to lower costs, reduce risk, and ensure compliance
with legal, regulatory standards, and/or corporate governance.”21 IG necessarily in-
corporates not just policies but information technologies to audit and enforce those
policies. The IG team must be cognizant of information lifecycle issues and be able
to apply the proper retention and disposition policies, including digital preservation
where records need to be maintained for long periods.
IG Is Not a Project, But an Ongoing Program
IG is an ongoing program , not a one-time project. IG provides an umbrella to manage
and control information output and communications. Since technologies change so
quickly, it is necessary to have overarching policies that can manage the various IT
platforms that an organization may use.
Compare it to a workplace safety program; every time a new location, team member,
piece of equipment, or toxic substance is acquired by the organization, the workplace
safety program should dictate how that is handled. If it does not, the workplace safety
policies/procedures/training that are part of the workplace safety program need to be
updated. Regular reviews are conducted to ensure the program is being followed and ad-
justments are made based on the fi ndings. The effort never ends. s 22 The same is true for IG.
IG is not only a tactical program to meet regulatory, compliance, and litigation
demands. It can be strategic , in that it is the necessary underpinning for developing a c
management strategy that maximizes knowledge worker productivity while minimiz-
ing risk and costs.
Why IG Is Good Business
IG is a tough sell. It can be diffi cult to make the business case for IG, unless there has been
some major compliance sanction, fi ne, legal loss, or colossal data breach. In fact, the largest
IG is how an organization maintains security, complies with regulations, and
meets ethical standards when managing information.
IG is a multidisciplinary program that requires an ongoing effort.

8 INFORMATION GOVERNANCE
impediment to IG adoption is simply identifying its benefi ts and costs, according to the Economist
Intelligence Unit. Sure, the enterprise needs better control over its information, but how
much better? At what cost? What is the payback period and the return on investment? 23
It is challenging to make the business case for IG, yet making that case is funda-
mental to getting IG efforts off the ground.
Here are eight reasons why IG makes good business sense, from IG thought
leader Barclay Blair:
1. We can’t keep everything forever. IG makes sense because it enables organiza-
tions to get rid of unnecessary information in a defensible manner. Organi-
zations need a sensible way to dispose of information in order to reduce the
cost and complexity of the IT environment. Having unnecessary informa-
tion around only makes it more diffi cult and expensive to harness informa-
tion that has value.
2. We can’t throw everything away. IG makes sense because organizations can’t
keep everything forever, nor can they throw everything away. We need
information—the right information, in the right place, at the right time.
Only IG provides the framework to make good decisions about what infor-
mation to keep.
3. E-discovery. IG makes sense because it reduces the cost and pain of discov-
ery. Proactively managing information reduces the volume of information
exposed to e-discovery and simplifi es the task of fi nding and producing
responsive information.
4. Your employees are screaming for it—just listen. IG makes sense because it
helps knowledge workers separate “signal” from “noise” in their informa-
tion fl ows. By helping organizations focus on the most valuable informa-
tion, IG improves information delivery and improves productivity.
5. It ain’t gonna get any easier. IG makes sense because it is a proven way for
organizations to respond to new laws and technologies that create new re-
quirements and challenges. The problem of IG will not get easier over
time, so organizations should get started now.
6. The courts will come looking for IG. IG makes sense because courts and regu-
lators will closely examine your IG program. Falling short can lead to fi nes,
sanctions, loss of cases, and other outcomes that have negative business and
fi nancial consequences.
7. Manage risk: IG is a big one. Organizations need to do a better job of identi-
fying and managing risk. The risk of information management failures is a
critical risk that IG helps to mitigate.
8. E-mail: Reason enough. IG makes sense because it helps organizations take con-
trol of e-mail. Solving e-mail should be a top priority for every organization. 24
Failures in Information Governance
The failure to implement and enforce IG can lead to vulnerabilities that can have dire
consequences. The theft of confi dential U.S. National Security Agency documents

THE ONSLAUGHT OF BIG DATA AND THE INFORMATION GOVERNANCE IMPERATIVE 9
by Edward Snowden in 2013 could have been prevented by properly enforced IG.
Also, Ford Motor Company is reported to have suffered a loss estimated at $50 to
$100 million as a result of the theft of confi dential documents by one of its own em-
ployees. A former product engineer who had access to thousands of trade secret docu-
ments and designs sold them to a competing Chinese car manufacturer. A strong IG
program would have controlled and tracked access and prevented the theft while pro-
tecting valuable intellectual property. 25
Law enforcement agencies have also suffered from poor IG. In a rather frivolous
case in 2013 that highlighted the lack of policy enforcement for the mobile environ-
ment, it was reported that U.S. agents from the Federal Bureau of Investigation used
government-issued mobile phones to send explicit text messages and nude photographs
to coworkers. The incidents did not have a serious impact but did compromise the
agency and its integrity, and “adversely affected the daily activities of several squads.” 26
Proper mobile communications policies were obviously not developed and enforced.
IG is also about information security and privacy, and serious thought must be
given when creating policies to safeguard personal, classifi ed or confi dential informa-
tion. Schemes to compromise or steal information can be quite deceptive and devious,
masked by standard operating procedures—if proper IG controls and monitoring are
not in place. To wit: Granting remote access to confi dential information assets for
key personnel is common. Granting medical leave is also common. But a deceptive
and dishonest employee could feign a medical leave while downloading volumes of
confi dential information assets for a competitor—and that is exactly what happened at
Accenture, a global consulting fi rm. During a fraudulent medical leave, an employee
was allowed access to Accenture’s Knowledge Exchange (KX), a detailed knowledge
base containing previous proposals, expert reports, cost-estimating guidelines, and
case studies. This activity could have been prevented by monitoring and analytics that
would have shown an inordinate amount of downloads—especially for an “ailing” em-
ployee. The employee then went to work for a direct competitor and continued to
download the confi dential information from Accenture, estimated to be as many as
1,000 critical documents. While the online access to KX was secure, the use of the
electronic documents could have been restricted even after the documents were down-r
loaded, if IG measures were in place and newer technologies (such as information
rights management [IRM] software) were deployed to secure them directly and main-
tain that security remotely. With IRM, software security protections can be employed
to seal the e-documents and control their use—even after they leave the organization.
More details on IRM technology and its capabilities is presented later in this book.
Other recent high-profi le data and document leakage cases revealing information
security weaknesses that could have been prevented by a robust IG program include:
■ Huawei Technologies, the largest networking and mobile communications
company in China, was sued by U.S.-based Motorola for allegedly conspiring
to steal trade secrets through former Motorola employees.
Ford’s loss from stolen documents in a single case of intellectual property (IP)
theft was estimated at $50 to $100 million.

10 INFORMATION GOVERNANCE
■ MI6, the U.K. equivalent of the U.S. Central Intelligence Agency, learned that
one of its agents in military intelligence attempted to sell confi dential docu-
ments to the intelligence services of the Netherlands for £2 million GBP
($3 million USD).
And breaches of personal information revealing failures in privacy protection
abound; here are just a few:
■ Health information of 1,600 cardiology patients at Texas Children’s Hospital
was compromised when a doctor’s laptop was stolen. The information includ-
ed personal and demographic information about the patients, including their
names, dates of birth, diagnoses, and treatment histories. 27
■ U.K. medics lost the personal records of nearly 12,000 National Health Service
patients in just eight months. Also, a hospital worker was suspended after it was
discovered he had sent a fi le containing pay-slip details for every member of
staff to his home e-mail account. 28
■ Personal information about more than 600 patients of the Fraser Health
Authority in British Columbia, Canada, was stored on a laptop stolen from
Burnaby General Hospital.
■ In December 2013, Target stores in the U.S. reported that as many as 110 million
customer records had been breached in a massive attack that lasted weeks.
The list of breaches and IG failures could go on and on, more than fi lling the
pages of this book. It is clear that it is occurring and that it will continue. IG controls to
safeguard confi dential information assets and protect privacy cannot rely solely on the trustwor-
thiness of employees and basic security measures. Up-to-date IG policies and enforcement
efforts and newer technology sets are needed, with active, consistent monitoring and
program adjustments to continue to improve.
Executives and senior managers can no longer avoid the issue, as it is abundantly
clear that the threat is real and the costs of taking such avoidable risks can be high. A
single security breach is an IG failure and can cost the entire business. According to
Debra Logan of Gartner, “When organizations suffer high-profi le data losses, espe-
cially involving violations of the privacy of citizens or consumers, they suffer serious
reputational damage and often incur fi nes or other sanctions. IT leaders will have to
take at least part of the blame for these incidents.” 29
Form IG Policies, Then Apply Technology for Enforcement
Typically, some policies governing the use and control of information and records
may have been established for fi nancial and compliance reports, and perhaps e-mail,
but they are often incomplete and out-of-date and have not been adjusted for changes
in the business environment, such as new technology platforms (e.g., Web 2.0, social
IG controls to safeguard confi dential information assets and protect privacy can-
not rely solely on the trustworthiness of employees and basic security measures.

THE ONSLAUGHT OF BIG DATA AND THE INFORMATION GOVERNANCE IMPERATIVE 11
media), changing laws (e.g., U.S. Federal Rules of Civil Procedure 2006 changes), and
additional regulations.
Further adding to the challenge is the rapid proliferation of mobile devices like
tablets, phablets, and smartphones used in business—information can be more easily
lost or stolen—so IG efforts must be made to preserve and protect the enterprise’s
information assets.
Proper IG requires that policies are fl exible enough not to hinder the proper fl ow
of information in the heat of the business battle yet strict enough to control and audit
for misuse, policy violations, or security breaches. This is a continuous iterative policy-
making process that must be monitored and fi ne-tuned. Even with the absolute best
efforts, some policies will miss the mark and need to be reviewed and adjusted.
Getting started with IG awareness is the crucial fi rst step. It may have popped up on an
executive’s radar at one point or another and an effort might have been made, but many
organizations leave these policies on the shelf and do not revise them on a regular basis.
IG is the necessary underpinning for a legally defensible disposition program that
discards data debris and helps narrow the search for meaningful information on which
to base business decisions. IG is also necessary to protect and preserve critical infor-
mation assets. An IG strategy should aim to minimize exposure to risk, at a reasonable
cost level, while maximizing productivity and improving the quality of information
delivered to knowledge users.
But a reactive, tactical project approach is not the way to go about it—haphazardly t
swatting at technological, legal, and regulatory fl ies. A proactive, strategic program,
with a clear, accountable sponsor, an ongoing plan, and regular review process, is the
only way to continuously adjust IG policies to keep them current so that they best
serve the organization’s needs.
Some organizations have created formal governance bodies to establish strat-
egies, policies, and procedures surrounding the distribution of information inside
and outside the enterprise. These governance bodies, steering committees, or teams
should include members from many different functional areas, since proper IG ne-
cessitates input from a variety of stakeholders. Representatives from IT, records man-
agement, corporate or agency archiving, risk management, compliance, operations,
human resources, security, legal, fi nance, and perhaps knowledge management are
typically a part of IG teams. Often these efforts are jump-started and organized by
an executive sponsor who utilizes third-party consulting resources that specialize in
IG efforts, especially considering the newness of IG and its emerging best practices.
So in this era of ever-growing Big Data, leveraging IG policies to focus on re-
taining the information that has real business value, while discarding the majority of
information that has no value and carries associated increased costs and risks, is criti-
cal to success for modern enterprises. This must be accomplished in a systematic,
consistent, and legally defensible manner by implementing a formal IG program.
Other crucial elements of an IG program are the steps taken to secure confi dential
information by enforcing and monitoring policies using the appropriate information
technologies.
Getting started with IG awareness is the crucial fi rst step.

12 INFORMATION GOVERNANCE
CHAPTER SUMMARY: KEY POINTS
■ The onslaught of Big Data necessitates that IG be implemented to discard
unneeded data in a legally defensible way.
■ Big Data values massive accumulation of data, whereas in business, e-discovery
realities and potential legal liabilities dictate that data be culled to only that
which has clear business value.
■ Only about one quarter of the information organizations are managing has
real business value.
■ With a smaller information footprint, it is easier for organizations to fi nd the
information they need and derive business value from it.
■ IG is a subset of corporate governance and encompasses the policies and
leveraged technologies meant to manage what corporate information is re-
tained, where, and for how long, and also how it is retained.
■ IG is a sort of super discipline that encompasses a variety of key concepts
from a variety of related and overlapping disciplines.
■ Practicing good IG is the essential foundation for building legally defensible
disposition practices to discard unneeded information.
■ According to ARMA, IG is “a strategic framework composed of standards,
processes, roles, and metrics that hold organizations and individuals account-
able to create, organize, secure, maintain, use, and dispose of information in
ways that align with and contribute to the organization’s goals.” 30
■ IG is how an organization maintains security, complies with regulations and
laws, and meets ethical standards when managing information.
■ IG is a multidisciplinary program that requires an ongoing effort and active
participation of a broad cross-section of functional groups and stakeholders.
■ IG controls to safeguard confi dential information assets and protect privacy
cannot rely solely on the trustworthiness of employees and basic security
measures.
■ Getting started with IG awareness is the crucial fi rst step.
Notes
1. The Economist, “Data, Data Everywhere,” February 25, 2010, www.economist.com/node/15557443
2. Gartner, Inc., “IT Glossary: Big Data,” www.gartner.com/it-glossary/big-data/ (accessed April 15, 2013).
3. Webopedia, “Big Data,” www.webopedia.com/TERM/B/big_data.html (accessed April 15, 2013).

http://www.economist.com/node/15557443

http://www.gartner.com/it-glossary/big-data/

http://www.webopedia.com/TERM/B/big_data.html

THE ONSLAUGHT OF BIG DATA AND THE INFORMATION GOVERNANCE IMPERATIVE 13
4. World Economic Forum, “Personal Data:The Emergence of a New Asset Class”(January 2011), http://
www3.weforum.org/docs/WEF_ITTC_PersonalDataNewAsset_Report_2011
5. Deidra Paknad, “Defensible Disposal: You Can’t Keep All Your Data Forever,” July 17, 2012, www
.forbes.com/sites/ciocentral/2012/07/17/defensible-disposal-you-cant-keep-all-your-data-forever/
6. Susan Karlin, “Earth’s Nervous System: Looking at Humanity Through Big Data,” www.fastcocreate
.com/1681986/earth-s-nervous-system-looking-at-humanity-through-big-data#1(accessed March 5,
2013).
7. IDC Press Release, December 18, ,2013, http://www.idc.com/getdoc.jsp?containerId=prUS24542113
New IDC Worldwide Big Data Technology and Services Forecast Shows Market Expected to Grow to
$32.4 Billion in 2017
8. Steve Lohr, “How Big Data Became So Big,” New York Times, August 11, 2012, www.nytimes.
com/2012/08/12/business/how-big-data-became-so-big-unboxed.html?_r=2&smid=tw-share&
9. Kahn Consulting, “Information Governance Brief,” sponsored by IBM, www.delve.us/downloads/
Brief-Defensible-Disposal (accessed March 4, 2013).
10. Barclay T. Blair, “Girding for Battle,” Law Technology News, October 1, 2012, www.law.com/jsp/lawtech-
nologynews/PubArticleLTN.jsp?id=1202572459732&thepage=1
11. Ibid.
12. Paknad, “Defensible Disposal.”
13. Randolph A. Kahn, https://twitter.com/InfoParkingLot/status/273791612172259329, November 28, 2012.
14. Gartner Press Release, “Gartner Says Master Data Management Is Critical to Achieving Effective
Information Governance,” www.gartner.com/newsroom/id/1898914, January 19, 2012
15. Ibid.
16. Monica Crocker, e-mail to author, June 21, 2012.
17. Economist Intelligence Unit, “The Future of Information Governance,” www.emc.com/leadership/
business-view/future-information-governance.htm (accessed November 14, 2013).
18. ARMA International, Glossary of Records and Information Management Terms , 4th ed., 2012, TR 22–2012.s
19. Arvind Krishna, “Three Steps to Trusting Your Data in 2011,” IT Business Edge , posted March 9, 2011,
www.itbusinessedge.com/guest-opinions/three-steps-trusting-your-data-2011 . (accessed November
14, 2013).
20. ARMA International, Glossary of Records and Information Management Terms , 4th ed., 2012, TR 22–2012.s
21. Laura DuBoisand Vivian Tero, “Practical Information Governance: Balancing Cost, Risk, and Pro-
ductivity,” IDC White Paper (August 2010), www.emc.com/collateral/analyst-reports/idc-practical-
information-governance-ar
22. Monica Crocker, e-mail to author, June 21, 2012.
23. Barclay T. Blair, Making the Case for Information Governance: Ten Reasons IG Makes Sense , ViaLumina
Ltd, 2010. Online at http://barclaytblair.com/making-the-case-for-ig-ebook/ (accessed November 14,
2013).
24. Barclay T. Blair, “8 Reasons Why Information Governance (IG) Makes Sense,” June 29, 2009, www.
digitallandfi ll.org/2009/06/8-reasons-why-information-governance-ig-makes-sense.html
25. Peter Abatan, “Corporate and Industrial Espionage to Rise in 2011,” Enterprise Digital Rights Man-
agement, http://enterprisedrm.tumblr.com/post/2742811887/corporate-espionage-to-rise-in-2011 .
(accessed November 14, 2013).
26. BBC News, “FBI Staff Disciplined for Sex Texts and Nude Pictures,” February 22, 2013, www.bbc.
co.uk/news/world-us-canada-21546135
27. Todd Ackerman, “Laptop Theft Puts Texas Children’s Patient Info at Risk,” Houston Chronicle , July 30, 2009, e
www.chron.com/news/houston-texas/article/Laptop-theft-puts-Texas-Children-s-patient-info-1589473.
php . (accessed March 2, 2012).
28. Jonny Greatrex, “Bungling West Midlands Medics Lose 12,000 Private Patient Records,” Sunday Mer-
cury, September 5, 2010, www.sundaymercury.net/news/sundaymercuryexclusives/2010/09/05/bun-
gling-west-midlands-medics-lose-12–000-private-patient-records-66331–27203177/ (accessed March
2, 2012).
29. Gartner Press Release, “Gartner Says Master Data Management Is Critical to Achieving Effective
Information Governance.”
30. ARMA International, Glossary of Records and Information Management Terms. s

http://www3.weforum.org/docs/WEF_ITTC_PersonalDataNewAsset_Report_2011

http://www.fastcocreate.com/1681986/earth-s-nervous-system-looking-at-humanity-through-big-data#1

http://www.idc.com/getdoc.jsp?containerId=prUS24542113

http://www.nytimes.com/2012/08/12/business/how-big-data-became-so-big-unboxed.html?_r=2&smid=tw-share&

http://www.delve.us/downloads/Brief-Defensible-Disposal

http://www.law.com/jsp/lawtech-nologynews/PubArticleLTN.jsp?id=1202572459732&thepage=1

https://twitter.com/InfoParkingLot/status/273791612172259329

http://www.gartner.com/newsroom/id/1898914

http://www.emc.com/leadership/business-view/future-information-governance.htm

http://www.itbusinessedge.com/guest-opinions/three-steps-trusting-your-data-2011

http://www.emc.com/collateral/analyst-reports/idc-practical-information-governance-ar

http://barclaytblair.com/making-the-case-for-ig-ebook/

http://www.digitallandfill.org/2009/06/8-reasons-why-information-governance-ig-makes-sense.html

http://enterprisedrm.tumblr.com/post/2742811887/corporate-espionage-to-rise-in-2011

http://www.bbc.co.uk/news/world-us-canada-21546135

http://www.chron.com/news/houston-texas/article/Laptop-theft-puts-Texas-Children-s-patient-info-1589473.php

http://www.sundaymercury.net/news/sundaymercuryexclusives/2010/09/05/bun-gling-west-midlands-medics-lose-12%E2%80%93000-private-patient-records-66331%E2%80%9327203177/

http://www.fastcocreate.com/1681986/earth-s-nervous-system-looking-at-humanity-through-big-data#1

http://www.nytimes.com/2012/08/12/business/how-big-data-became-so-big-unboxed.html?_r=2&smid=tw-share&

http://www.delve.us/downloads/Brief-Defensible-Disposal

http://www.emc.com/leadership/business-view/future-information-governance.htm

http://www.digitallandfill.org/2009/06/8-reasons-why-information-governance-ig-makes-sense.html

http://www.bbc.co.uk/news/world-us-canada-21546135

http://www.chron.com/news/houston-texas/article/Laptop-theft-puts-Texas-Children-s-patient-info-1589473.php

http://www.sundaymercury.net/news/sundaymercuryexclusives/2010/09/05/bun-gling-west-midlands-medics-lose-12%E2%80%93000-private-patient-records-66331%E2%80%9327203177/

http://www.forbes.com/sites/ciocentral/2012/07/17/defensible-disposal-you-cant-keep-all-your-data-forever/

15
Information
Governance,
IT Governance, Data
Governance: What’s
the Difference?
C H A P T E R 2
T
here has been a great deal of confusion around the term information gover-
nance (IG) and how it is distinct from other similar industry terms, such as
information technology (IT) governance and data governance . They are all
a subset of corporate governance, and in the above sequence, become increasingly
more granular in their approach. Data governance is a part of broader IT governance,
which is also a part of even broader information governance. The few texts that exist
have compounded the confusion by offering a limited defi nition of IG, or sometimes
offering a defi nition of IG that is just plain incorrect , often confusing it with simple datat
governance.
So in this chapter we spell out the differences and include examples in hopes of
clarifying what the meaning of each term is and how they are related.
Data Governance
Data governance involves processes and controls to ensure that information at the data
level—raw alphanumeric characters that the organization is gathering and inputting—
is true and accurate, and unique (not redundant). It involves data cleansing ( or data
scrubbing) to strip out corrupted, inaccurate, or extraneous data and gg de-duplication,
to eliminate redundant occurrences of data.
Data governance focuses on information quality from the ground up at the lowest
or root level, so that subsequent reports, analyses, and conclusions are based on clean,
reliable, trusted data (or records) in database tables. Data governance is the most rudi-
mentary level at which to implement information governance. Data governance efforts
seek to ensure that formal management controls—systems, processes, and accountable
employees who are stewards and custodians of the data—are implemented to govern
critical data assets to improve data quality and to avoid negative downstream effects of
poor data. The biggest negative consequence of poor or inaccurate data is poorly and
inaccurately based decisions.

16 INFORMATION GOVERNANCE
Data governance is a newer, hybrid quality control discipline that includes
elements of data quality, data management, IG policy development, business process
improvement, and compliance and risk management.
Data Governance Strategy Tips
Everyone in an organization wants good-quality data to work with. But it is not so
easy to implement a data governance program. First of all, data is at such a low level
that executives and board members are typically unaware of the details of the “smoky
back room” of data collection: cleansing, normalization, and input. So it is diffi cult to
gain an executive sponsor and funding to initiate the effort. 1 And if a data governance
program does move forward, there are challenges in getting business users to adhere
to new policies. This is a crucial point, since much of the data is being generated by
business units. But there are some general guidelines that can help improve a data
governance program’s chances for success:
■ Identify a measureable impact. A data governance program must be able to dem-
onstrate business value, or it will not get the executive sponsorship and funding
it needs to move forward. A readiness assessment should capture the current
state of data quality and whether an enterprise or business unit level effort
is warranted. Other key issues include: Can the organization save hard costs
by implementing data governance? Can it reach more customers or increase
revenue generated from existing customers?2
■ Assign accountability for data quality to business units, not IT. Typically, IT has had
responsibility for data quality, yet it is mostly not under that department’s con-
trol, since most of the data is being generated in the business units. A pointed
effort must be made to push responsibility and ownership for data to the busi-
ness units that create and use the data.
■ Recognize the uniqueness of data as an asset. Unlike other assets, such as people,
factories, equipment, and even cash, data is largely unseen, out of sight, and
intangible. It changes daily. It spreads throughout business units. It is copied
and deleted. Data growth can spiral out of control, obscuring the data that has
true business value. So data has to be treated differently, and its unique qualities
must be considered.
■ Forget the past; implement a going-forward strategy. It is a signifi cantly greater
task to try to improve data governance across the enterprise for existing data.
Remember, you may be trying to fi x decades of bad behavior, mismanagement,
and lack of governance. Taking an incremental approach with an eye to the
future provides for a clean starting point and can substantially reduce the pain
required to implement. A proven best practice is to implement a from-this-
point-on strategy where new data governance policies for handling data are
implemented beginning on a certain date.
Data governance uses techniques like data cleansing and de-duplication to
improve data quality and reduce redundancies.

INFORMATION GOVERNANCE, IT GOVERNANCE, DATA GOVERNANCE 17
Good data governance ensures that downstream negative effects of poor data
are avoided and that subsequent reports, analyses, and conclusions are based
on reliable, trusted data.
■ Manage the change. Educate, educate, educate. People must be trained to under-
stand why the data governance program is being implemented and how it will
benefi t the business. The new policies represent a cultural change, and people
need supportive program messages and training in order to make the shift. 3
IT Governance
IT governance is the primary way that stakeholders can ensure that investments in IT create
business value and contribute toward meeting business objectives.4 This strategic align-
ment of IT with the business is challenging yet essential. IT governance programs
go further and aim to “improve IT performance, deliver optimum business value and
ensure regulatory compliance.” 5
Although the CIO typically has line responsibility for implementing IT gover-
nance, the CEO and board of directors must receive reports and updates to discharge
their responsibilities for IT governance and to see that the program is functioning well
and providing business benefi ts.
Typically, in past decades, board members did not get involved in overseeing IT
governance. But today it is a critical and unavoidable responsibility. According to the
IT Governance Institute’s Board Briefi ng on IT Governance , “IT governance is the re-
sponsibility of the board of directors and executive management. It is an integral part
of enterprise governance and consists of the leadership and organizational structures
and processes that ensure that the organization’s IT sustains and extends the organiza-
tion’s strategies and objectives.” 6
The focus is on the actual software development and maintenance activities of the
IT department or function, and IT governance efforts focus on making IT effi cient
and effective. That means minimizing costs by following proven software develop-
ment methodologies and best practices, principles of data governance and information
quality, and project management best practices while aligning IT efforts with the busi-
ness objectives of the organization.
IT Governance Frameworks
Several IT governance frameworks can be used as a guide to implementing an IT
governance program. (They are introduced in this chapter in a cursory way; detailed
discussions of them are best suited to books focused solely on IT governance.)
IT governance seeks to align business objectives with IT strategy to deliver
business value.

18 INFORMATION GOVERNANCE
Although frameworks and guidance like CobiT® and ITIL have been widely
adopted, there is no absolute standard IT governance framework; the combination
that works best for an organization depends on business factors, corporate culture, IT
maturity, and staffi ng capability. The level of implementation of these frameworks will
also vary by organization.
CobiT®
CobiT (Control Objectives for Information and related Technology) is a process-T
based IT governance framework that represents a consensus of experts worldwide.
Codeveloped by the IT Governance Institute and ISACA (previously known as the
Information Systems Audit and Control Association), CobiT addresses business
risks, control requirements, compliance, and technical issues. 7
CobiT offers IT controls that:
■ Cut IT risks while gaining business value from IT under an umbrella of a glob-
ally accepted framework.
■ Assist in meeting regulatory compliance requirements.
■ Utilize a structured approach for improved reporting and management deci-
sion making.
■ Provide solutions to control assessments and project implementations to im-
prove IT and information asset control. 8
CobiT consists of detailed descriptions of processes required in IT and also tools
to measure progress toward maturity of the IT governance program. It is industry
agnostic and can be applied across all vertical industry sectors, and it continues to be
revised and refi ned. 9
CobiT is broken out into three basic organizational levels and their responsibili-
ties: (1) board of directors and executive management; (2) IT and business manage-
ment; and (3) line-level governance, and security and control knowledge workers. 10
The CobiT model draws on the traditional “plan, build, run, monitor” paradigm of
traditional IT management, only with variations in semantics. The CobiT framework
is divided into four IT domains—(1) plan and organize, (2) acquire and implement, (3)
deliver and support, and (4) monitor and evaluate—which contain 34 IT processes and
210 control objectives. Specifi c goals and metrics are assigned, and responsibilities and
accountabilities are delineated.
The CobiT framework maps to the international information security standard,
ISO 17799, and is also compatible with IT Infrastructure Library (ITIL) and other y
“accepted practices” in IT development and operations.11
ValIT®
ValIT is a newer value-oriented framework that is compatible with and complemen-
tary to CobiT. Its principles and best practices focus is on leveraging IT investments
to gain maximum value. Forty key ValIT essential management practices (analogous to
CobiT’s control objectives) support three main processes: value governance, portfolio
management, and investment management. ValIT and CobiT “provide a full frame-
work and supporting tool set” to help managers develop policies to manage business
risks and deliver business value while addressing technical issues and meeting control
objectives in a structured, methodic way. 12

INFORMATION GOVERNANCE, IT GOVERNANCE, DATA GOVERNANCE 19
ITIL
ITIL (Information Technology Infrastructure Library) is a set of process-oriented
best practices and guidance originally developed in the United Kingdom to standard-
ize delivery of IT service management. ITIL is applicable to both the private and
public sectors and is the “most widely accepted approach to IT service management
in the world.”13 As with other IT governance frameworks, ITIL provides essential
guidance for delivering business value through IT, and it “provides guidance to or-
ganizations on how to use IT as a tool to facilitate business change, transformation
and growth.”14
ITIL best practices form the foundation for ISO/IEC 20000 (previously BS15000),
the International Service Management Standard for organizational certifi cation and
compliance. 15 ITIL 2011 is the latest revision (as of this printing), and it consists of fi ve
core published volumes that map the IT service cycle in a systematic way:
1. ITIL Service Strategy
2. ITIL Service Design
3. ITIL Service Transition
4. ITIL Service Operation
5. ITIL Continual Service Improvement 16
ISO 38500
ISO/IEC 38500:2008 is an international standard that provides high-level principles
and guidance for senior executives and directors, and those advising them, for the
effective and effi cient use of IT. 17 Based primarily on AS 8015, the Australian IT gov-
ernance standard, it “applies to the governance of management processes” that are
performed at the IT service level, but the guidance assists executives in monitoring IT
and ethically discharging their duties with respect to legal and regulatory compliance
of IT activities.
The ISO 38500 standard comprises three main sections:
1. Scope, Application and Objectives
2. Framework for Good Corporate Governance of IT
3. Guidance for Corporate Governance of IT
CobiT is process-oriented and has been widely adopted as an IT governance
framework. ValIT is value-oriented and compatible and complementary with
CobiT, yet focuses on value delivery.
ITIL is the “most widely accepted approach to IT service management in the
world.”

20 INFORMATION GOVERNANCE
It is largely derived from AS 8015, the guiding principles of which were:
■ Establish responsibilities
■ Plan to best support the organization
■ Acquire validly
■ Ensure performance when required
■ Ensure conformance with rules
■ Ensure respect for human factors
The standard also has relationships with other major ISO standards, and embraces
the same methods and approaches. 18
Information Governance
Corporate governance is the highest level of governance in an organization, and a
key aspect of it is IG. IG processes are higher level than the details of IT governance
and much higher than data governance, but both data and IT governance can be (and
should be) a part of an overall IG program. The IG approach to governance focuses
not on detailed IT or data capture and quality processes but rather on controlling the
information that is generated by IT and offi ce systems. d
IG efforts seek to manage and control information assets to lower risk, ensure com-
pliance with regulations, and improve information quality and accessibility while imple-
menting information security measures to protect and preserve information that has busi-
ness value.19 (See Chapter 1 for more detailed defi nitions.)
Impact of a Successful IG Program
When making the business case for IG and articulating its benefi ts, it is useful to focus
on its central impact. Putting cost-benefi t numbers to this may be diffi cult, unless you
ISO 38500 is an international standard that provides high-level principles and
guidance for senior executives and directors responsible for IT governance.
IG is how an organization maintains security, complies with regulations and
laws, and meets ethical standards when managing information.

INFORMATION GOVERNANCE, IT GOVERNANCE, DATA GOVERNANCE 21
also consider the worst-case scenario of loss or misuse of corporate or agency records.
What is losing the next big lawsuit worth? How much are confi dential merger and
acquisition documents worth? How much are customer records worth? Frequently,
executives and managers do not understand the value of IG until it is a crisis, an ex-
pensive legal battle is lost, heavy fi nes are imposed for noncompliance, or executives
go to jail.
There are some key outputs from implementing an IG program. A successful IG
program should enable organizations to:
■ Use common terms across the enterprise. This means that departments must agree
on how they are going to classify document types, which requires a cross-
functional effort. With common enterprise terms, searches for information
are more productive and complete. This normalization process begins with
developing a standardized corporate taxonomy, which defi nes the terms (and
substitute terms in a custom corporate thesaurus), document types, and their
relationships in a hierarchy.
■ Map information creation and usage. This effort can be buttressed with the use of
technology tools such as data loss prevention , which can be used to discover
the fl ow of information within and outside of the enterprise. You must fi rst
determine who is accessing which information when and where it is going. Then
you can monitor and analyze these information fl ows. The goal is to stop the
erosion or misuse of information assets and to stem data breaches with moni-
toring and security technology.
■ Obtain “information confi dence” —that is, the assurance that information has ”
integrity, validity, accuracy, and quality; this means being able to prove that the
information is reliable and that its access, use, and storage meet compliance and
legal demands.
■ Harvest and leverage information. Using techniques and tools like data min-
ing and business intelligence, new insights may be gained that provide an
enterprise with a sustainable competitive advantage over the long term,
since managers will have more and better information as a basis for busi-
ness decisions.21
Summing Up the Differences
IG consists of the overarching polices and processes to optimize and leverage informa-
tion while keeping it secure and meeting legal and privacy obligations in alignment
with stated organizational business objectives.
IT governance consists of following established frameworks and best practices to
gain the most leverage and benefi t out of IT investments and support accomplishment
of business objectives.
Data governance consists of the processes, methods, and techniques to ensure that
data is of high quality, reliable, and unique (not duplicated), so that downstream uses
in reports and databases are more trusted and accurate.

22 INFORMATION GOVERNANCE
Notes
1. “New Trends and Best Practices for Data Governance Success,” SeachDataManagement.com eBook,
http://viewer.media.bitpipe.com/1216309501_94/1288990195_946/Talend_sDM_SO_32247_EB-
ook_1104 , accessed March 11, 2013.
2. Ibid.
3. Ibid.
4. M.N. Kooper, R. Maes, and E.E.O. RoosLindgreen, “On the Governance of Information: Introducing
a New Concept of Governance to Support the Management of Information,” International Journal of
Information Management 31 (2011): 195–120, http://dl.acm.org/citation.cfm?id=2297895 . (accessed t
November 14, 2013).
5. Nick Robinson, “The Many Faces of IT Governance: Crafting an IT Governance Architecture,”
ISACA Journal 1 (2007), www.isaca.org/Journal/Past-Issues/2007/Volume-1/Pages/The-Many-Faces-l
of-IT-Governance-Crafting-an-IT-Governance-Architecture.aspx
6. Bryn Phillips, “IT Governance for CEOs and Members of the Board,” 2012, p.18.
7. Ibid., p.26.
8. IBM Global Business Services/Public Sector, “Control Objectives for Information and related Tech-
nology (CobiT®) Internationally Accepted Gold Standard for IT Controls & Governance,” http://
www-304.ibm.com/industries/publicsector/fi leserve?contentid=187551(accessed March 11, 2013).
CHAPTER SUMMARY: KEY POINTS
■ Data governance uses techniques like data cleansing and de-duplication to
improve data quality and reduce redundancies.
■ Good data governance ensures that downstream negative effects of poor
data are avoided and that subsequent reports, analyses, and conclusions are
based on reliable, trusted data.
■ IT governance seeks to align business objectives with IT strategy to deliver
business value.
■ CobiT is processoriented and has been widely adopted as an IT governance
framework. ValIT is valueoriented and compatible and complementary with
CobiT yet focuses on value delivery.
■ The CobiT framework maps to the international information security stan-
dard ISO 17799 and is also compatible with ITIL (IT Infrastructure Library).
■ ITIL is the “most widely accepted approach to IT service management in the
world.”
■ ISO 38500 is an international standard that provides high-level principles and
guidance for senior executives and directors responsible for IT governance.
■ Information governance is how an organization maintains security, complies
with regulations and laws, and meets ethical standards when managing
information.

http://viewer.media.bitpipe.com/1216309501_94/1288990195_946/Talend_sDM_SO_32247_EB-ook_1104

http://dl.acm.org/citation.cfm?id=2297895

http://www.isaca.org/Journal/Past-Issues/2007/Volume-1/Pages/The-Many-Faces-of-IT-Governance-Crafting-an-IT-Governance-Architecture.aspx

http://www-304.ibm.com/industries/publicsector/fileserve?contentid=187551

INFORMATION GOVERNANCE, IT GOVERNANCE, DATA GOVERNANCE 23
9. Phillips, “IT Governance for CEOs and Members of the Board.”
10. IBM Global Business Services/Public Sector, “Control Objectives for Information and related Tech-
nology (CobiT®) Internationally Accepted Gold Standard for IT Controls & Governance.”
11. Ibid.
12. Ibid.
13. www.itil-offi cialsite.com/ (accessed March 12, 2013).
14. ITIL, “What Is ITIL?” www.itil-offi cialsite.com/AboutITIL/WhatisITIL.aspx(accessed March 12, 2013).
15. Ibid.
16. Ibid.
17. “ISO/IEC 38500:2008 “Corporate Governance of Information Technology” www.iso.org/iso/
catalogue_detail?csnumber=51639(accessed November 14, 2013).
18. ISO 38500 www.38500.org/ (accessed March 12, 2013).
19. www.naa.gov.au/records-management/agency/digital/digital-continuity/principles/ (accessed November 14,
2013).
20. ARMA International, Glossary of Records and Information Management Terms , 4th ed. TR 22–2012 (from s
ARMA.org).
21. Arvind Krishna, “Three Steps to Trusting Your Data in 2011,” CTO Edge , March 9, 2011, www.ctoedge
.com/content/three-steps-trusting-your-data-2011

http://www.itil-officialsite.com/

http://www.itil-officialsite.com/AboutITIL/WhatisITIL.aspx

http://www.iso.org/iso/catalogue_detail?csnumber=51639

http://www.38500.org/

http://www.naa.gov.au/records-management/agency/digital/digital-continuity/principles/

http://www.ctoedge.com/content/three-steps-trusting-your-data-2011

http://www.iso.org/iso/catalogue_detail?csnumber=51639

http://www.ctoedge.com/content/three-steps-trusting-your-data-2011

25
Information
Governance
Principles *
C H A P T E R 3
P
rinciples of information governance (IG) are evolving and expanding. Successful
IG programs are characterized by ten key principles, which are the basis for best
practices and should be designed into the IG approach. They include:
1. Executive sponsorship. No IG effort will survive and be successful if it does not
have an accountable, responsible executive sponsor. The sponsor must drive
the effort, clear obstacles for the IG team or committee, communicate the
goals and business objectives that the IG program addresses, and keep upper
management informed on progress.
2. Information policy development and communication. Clear policies must be es-
tablished for the access and use of information, and those policies must be
communicated regularly and crisply to employees. Policies for the use of e-
mail, instant messaging, social media, cloud computing, mobile computing,
and posting to blogs and internal sites must be developed in consultation
with stakeholders and communicated clearly. This includes letting employees
know what the consequences of violating IG policies are, as well as its value.
3. Information integrity. This area considers the consistency of methods used to
create, retain, preserve, distribute, and track information. Adhering to good
IG practices include data governance techniques and technologies to ensure
quality data. Information integrity means there is the assurance that informa-
tion is accurate, correct, and authentic. IG efforts to improve data quality
and information integrity include de-duplicating (removing redundant data)
and maintaining only unique data to reduce risk, storage costs, and informa-
tion technology (IT) labor costs while providing accurate, trusted information
for decision makers. Supporting technologies must enforce policies to meet
legal standards of admissibility and preserve the integrity of information to
guard against claims that it has been altered, tampered with, or deleted (called
“ spoliation ”). Audit trails must be kept and monitored to ensure compliance
with IG policies to assure information integrity. 1
4. Information organization and classifi cation. This means standardizing formats,
categorizing all information, and semantically linking it to related information.
It also means creating a retention and disposition schedule that spells out how
* Portions of this chapter are adapted from Chapter 3 of Robert F. Smallwood, Managing Electronic Records: Methods, Best
Practices, and Technologies , © John Wiley & Sons, Inc., 2013. Reproduced with permission of John Wiley & Sons, Inc. s

26 INFORMATION GOVERNANCE
long the information (e.g. e-mail, e-documents, spreadsheets, reports) and
records should be retained and how they are to be disposed of or archived.
Information, and particularly documents, should be classifi ed according to a
global or corporate taxonomy that considers the business function and owner
of the information, and semantically links related information. Information
must be standardized in form and format. Tools such as document labeling
can assist in identifying and classifying documents. Metadata associated with
documents and records must be standardized and kept up-to-date. Good IG
means good metadata management and utilizing metadata standards that are
appropriate to the organization.
5. Information security. This means securing information in its three states: at rest,
in motion, and in use. It means implementing measures to protect information
from damage, theft, or alteration by malicious outsiders and insiders as well
as nonmalicious (accidental) actions that may compromise information. For
instance, an employee may lose a laptop with confi dential information, but
if proper IG policies are enforced using security-related information tech-
nologies, the information can be secured. This can be done by access control
methods, data or document encryption, deploying information rights manage-
ment software, using remote digital shredding capabilities, and implement-
ing enhanced auditing procedures. Information privacy is closely related to
information security and is critical when dealing with personally identifi able
information (PII).n
6. Information accessibility. Accessibility is vital not only in the short term but also
over time using long-term digital preservation (LTDP) techniques when
appropriate (generally if information is needed for over fi ve years). Accessibil-
ity must be balanced with information security concerns. Information acces-
sibility includes making the information as simple as possible to locate and
access, which involves not only the user interface but also enterprise search
principles, technologies, and tools. It also includes basic access controls, such
as password management, identity and access management , and delivering t
information to a variety of hardware devices.
7. Information control. Document management and report management software
must be deployed to control the access to, creation, updating, and printing
of documents and reports. When documents or reports are declared records,
they must be assigned to the proper retention and disposition schedule to be
retained for as long as the records are needed to comply with legal retention
periods and regulatory requirements. Also, information that may be needed or
requested in legal proceedings is safeguarded through a legal hold process.
8. Information governance monitoring and auditing. To ensure that guidelines and
policies are being followed and to measure employee compliance levels, in-
formation access and use must be monitored. To guard against claims of spo-
liation, use of e-mail, social media, cloud computing, and report generation
should be logged in real time and maintained as an audit record. Technology
tools such as document analytics can track how many documents or reports
users access and print and how long they spend doing so.
9. Stakeholder consultation. Those who work most closely to information are the
ones who best know why it is needed and how to manage it, so business units
must be consulted in IG policy development. The IT department understands

INFORMATION GOVERNANCE PRINCIPLES 27
its capabilities and technology plans and can best speak to those points. Le-
gal issues must always be deferred to the in-house council or legal team. A
cross-functional collaboration is needed for IG policies to hit the mark and
be effective. The result is not only more secure information but also better
information to base decisions on and closer adherence to regulatory and legal
demands. 2
10. Continuous improvement. IG programs are not one-time projects but rather
ongoing programs that must be reviewed periodically and adjusted to account
for gaps or shortcomings as well as changes in the business environment, tech-
nology usage, or business strategy.
Accountability Is Key
According to Debra Logan at Gartner Group, none of the proffered defi nitions of IG in-
cludes “any notion of coercion, but rather ties governance to accountability [emphasis added]
that is designed to encourage the right behavior. . . . The word that matters most is
accountability .” The root of many problems with managing information is the “fact that
there is no accountability for information as such.” 3
Establishing policies, procedures, processes, and controls to ensure the quality, in-
tegrity, accuracy, and security of business records are the fundamental steps needed to
reduce the organization’s risk and cost structure for managing these records. Then it is
essential that IG efforts are supported by IT. The auditing, testing, maintenance, and im-
provement of IG is enhanced by using electronic records management (ERM) software
along with other complementary technology sets, such as workfl ow and business process
management suite (BPMS) software and digital signatures.
Generally Accepted Recordkeeping Principles ®
Contributed by Charmaine Brooks, CRM
A major part of an IG program is managing formal business records. Although they
account for only about 7 to 9 percent of the total information that an organization
holds, they are the most critically important subset to manage, as there are serious
compliance and legal ramifi cations to not doing so.
Principles of successful IG programs are emerging. They include executive
sponsorship, information classifi cation, integrity, security, accessibility, control,
monitoring, auditing, policy development, and continuous improvement.
Accountability is a key aspect of IG.

28 INFORMATION GOVERNANCE
Records and recordkeeping are inextricably linked with any organized business
activity. Through the information that an organization uses and records, creates, or
receives in the normal course of business, it knows what has been done and by whom.
This allows the organization to effectively demonstrate compliance with applicable
standards, laws, and regulations as well as plan what it will do in the future to meet its
mission and strategic objectives.
Standards and principles of recordkeeping have been developed by records and
information management (RIM) practitioners to establish benchmarks for how or-t
ganizations of all types and sizes can build and sustain compliant, defensible records
management (RM) programs. t
The Principles
In 2009 ARMA International published a set of eight Generally Accepted Recordkeep-
ing Principles,® known as The Principles 4 (or sometimes GAR Principles), to foster
awareness of good recordkeeping practices. These principles and associated metrics
provide an IG framework that can support continuous improvement.
The eight Generally Accepted Recordkeeping Principles are:
1. Accountability. A senior executive (or person of comparable authority) oversees
the recordkeeping program and delegates program responsibility to appro-
priate individuals. The organization adopts policies and procedures to guide
personnel, and ensure the program can be audited.
2. Transparency. The processes and activities of an organization’s recordkeeping
program are documented in a manner that is open and verifi able and is avail-
able to all personnel and appropriate interested parties.
3. Integrity. A recordkeeping program shall be constructed so the records and
information generated or managed by or for the organization have a reason-
able and suitable guarantee of authenticity and reliability.
4. Protection. A recordkeeping program shall be constructed to ensure a reason-
able level of protection to records and information that are private, confi den-
tial, privileged, secret, or essential to business continuity.
5. Compliance. The recordkeeping program shall be constructed to comply with ap-
plicable laws and other binding authorities, as well as the organization’s policies.
6. Availability. An organization shall maintain records in a manner that ensures
timely, effi cient, and accurate retrieval of needed information.
7. Retention. An organization shall maintain its records and information for an
appropriate time, taking into account legal, regulatory, fi scal, operational, and
historical requirements.
8. Disposition. An organization shall provide secure and appropriate disposition
for records that are no longer required to be maintained by applicable laws
and the organization’s policies. 5
The Generally Accepted Recordkeeping Principles consist of eight principles
that provide an IG framework that can support continuous improvement.

INFORMATION GOVERNANCE PRINCIPLES 29
The Principles apply to all sizes of organizations, in all types of industries, in both
the private and public sectors, and can be used to establish consistent practices across
business units. The Principles are an IG maturity model, and it is used as a preliminary
evaluation of recordkeeping programs and practices.
Interest in and the application of The Principles for assessing an organization’s
recordkeeping practices have steadily increased since their establishment in 2009. The
Principles form an accountability framework that includes the processes, roles, stan-
dards, and metrics that ensure the effective and effi cient use of records and informa-
tion in support of an organization’s goals and business objectives.
As shown in Table 3.1 , the Generally Accepted Recordkeeping Principles matu-
rity model associates characteristics that are typical in fi ve levels of recordkeeping
capabilities ranging from 1 (substandard) to 5 (transformational). The levels are both
descriptive and color coded for ease of understanding. The eight principles and levels
(metrics) are applied to the current state of an organization’s recordkeeping capabili-
ties and can be cross-referenced to the policies and procedures. While it is not unusual
for an organization to be at different levels of maturity in the eight principles, the question
“How good is good enough?” must be raised and answered ; a rating of less than “transforma-d
tional” may be acceptable, depending on the organization’s tolerance for risk and an
analysis of the costs and benefi ts of moving up each level.
The maturity levels defi ne the characteristics of evolving and maturing RM programs. The
assessment should refl ect the current RM environment and practices. The principles
and maturity level defi nitions, along with improvement recommendations (roadmap),
outline the tasks required to proactively approach addressing systematic RM practices
and reach the next level of maturity for each principle. While the Generally Accepted
Table 3.1 Generally Accepted Recordkeeping Principles Levels
Level 1
Substandard
Characterized by an environment where recordkeeping concerns are either not
addressed at all or are addressed in an ad hoc manner.
Level 2
In Development
Characterized by an environment where there is a developing recognition that
recordkeeping has an impact on the organization, and the organization may
benefi t from a more defi ned information governance program.
Level 3
Essential
Characterized by an environment where defi ned policies and procedures exist
that address the minimum or essential legal and regulatory requirements, but
more specifi c actions need to be taken to improve recordkeeping.
Level 4
Proactive
Characterized by an environment where information governance issues and
considerations are integrated into business decisions on a routine basis, and
the organization consistently meets its legal and regulatory obligations.
Level 5
Transformational
Characterized by an environment that has integrated information governance
into its corporate infrastructure and business processes to such an extent that
compliance with program requirements is routine.
Source: Used with permission from ARMA.
The Generally Accepted Recordkeeping Principles maturity model measures
recordkeeping maturity in fi ve levels.

30 INFORMATION GOVERNANCE
Recordkeeping Principles are broad in focus, they illustrate the requirements of good
RM practices. The Principles Assessment can also be a powerful communication tool
to promote cross-functional dialogue and collaboration among business units and staff.
Accountability
The principle of accountability covers the assigned responsibility for RM at a seniory
level to ensure effective governance with the appropriate level of authority. A senior-
level executive must be high enough in the organizational structure to have suffi cient
authority to operate the RM program effectively. The primary role of the senior ex-
ecutive is to develop and implement RM policies, procedures, and guidance and to
provide advice on all recordkeeping issues. The direct responsibility for managing or
operating facilities or services may be delegated.
The senior executive must possess an understanding of the business and legislative
environment within which the organization operates, business functions and activities,
and the required relationships with key external stakeholders to understand how RM
contributes to achieving the corporate mission, aims, and objectives.
It is important for top-level executives to take ownership of the RM issues of
the organization and to identify corrective actions required for mitigation or ensure
resolution of problems and recordkeeping challenges. An executive sponsor should
identify opportunities to raise awareness of the relevance and importance of RM and
effectively communicate the benefi ts of good RM to staff and management.
The regulatory and legal framework for RM must be clearly identifi ed and
understood. The senior executive must have a sound knowledge of the organization’s
information and technological architecture and actively participate in strategic deci-
sions for IT systems acquisition and implementation.
The senior executive is responsible for ensuring that the processes, procedures,
governance structures, and related documentation are developed. The policies should
identify the roles and responsibilities at all levels of the organization.
An audit process must be developed to cover all aspects of RM within the organization,
including substantiating that suffi cient levels of accountability have been assigned and
accountability defi ciencies are identifi ed and remedied. Audit processes should include
compliance with the organization policies and procedures for all records, regardless
of format or media. Accountability audit requirements for electronic records include
employing appropriate technology to audit the information architecture and systems.
Accountability structures must be updated and maintained as changes occur in the
technology infrastructure.
The audit process must reinforce compliance and hold individuals accountable.
The results should be constructive, encourage continuous improvement, but not be
used as a means of punishment. The audit should contribute to records program improve-
ments in risk mitigation, control, and governance issues and have the capacity to support
sustainability.
An audit process must be developed to cover all aspects of RM in the
organization.

INFORMATION GOVERNANCE PRINCIPLES 31
Transparency
Policies are broad guidelines for the operation of the organization and provide a basic
guide to action that prescribes the boundaries within which business activities are to
take place. They state the course of action to be followed by the organization, business
unit, department, and employees.
Transparency of recordkeeping practices includes documenting processes and y
promoting an understanding of the roles and responsibilities of all stakeholders. To be
effective, policies must be formalized and integrated into business processes. Business rules and
recordkeeping requirements need to be communicated and installed at all levels of the
organization.
Senior management must recognize that transparency is fundamental to IG and
compliance. Documentation must be consistent, current, and complete. A review and
approval process must be established to ensure that the introduction of new programs
or changes can be implemented and integrated into business processes.
Employees must have ready access to RM policies and procedures. They must re-
ceive guidance and training to ensure they understand their roles and requirements for
RM. Recordkeeping systems and business processes must be designed and developed
to clearly defi ne the records lifecycle.
In addition to policies and procedures, guidelines and operational instructions,
diagrams and fl owcharts, system documentation, and user manuals must include clear
guidance on how records are to be created, retained, stored, and dispositioned. The
documentation must be readily available and incorporated in communications and
training provided to staff.
Integrity
Record generating systems and repositories must be assessed to determine record-
keeping capabilities. A formalized process must be in place for acquiring or developing new
systems, including requirements for capturing the metadata required for lifecycle management
of records in the systems. In addition, the record must contain all the necessary elements
of an offi cial record, including structure, content, and context. Records integrity, y
reliability, and trustworthiness are confi rmed by ensuring that a record was created by
a competent authority according to established processes.
Maintaining the integrity of records means that they are complete and protected from
being altered. The authenticity of a record is ascertained from internal and exter-
nal evidence, including the characteristics, structure, content, and context of the
records, to verify they are genuine and not corrupted or altered. In order to trust
that a record is authentic, organizations must ensure that recordkeeping systems
that create, capture , and manage electronic records are capable of protecting re-
cords from accidental or unauthorized alteration or deletion while the record has
value.
To be effective, policies must be formalized and integrated into business
processes.

32 INFORMATION GOVERNANCE
Protection
Organizations must ensure the protection of records and ensure they are unaltered through
loss, tampering, or corruption. This includes technological change or the failure of digital
storage media and protecting records against damage or deterioration.
This principle applies equally to physical and electronic records, each of which has
unique requirements and challenges.
Access and security controls need to be established, implemented, monitored, and
reviewed to ensure business continuity and minimize business risk. Restrictions on
access and disclosure include the methods for protecting personal privacy and propri-
etary information. Access and security requirements must be integrated into the busi-
ness systems and processes for the creation, use, and storage of records.
LTDP is a series of managed activities required to ensure continued access to digi-
tal materials for as long as necessary. Electronic records requiring long-term retention
may require conversion to a medium and format suitable to ensure long-term access
and readability.
Compliance
RM programs include the development and training of the fundamental components,
including compliance monitoring to ensure sustainability of the program.g
Monitoring for compliance involves reviewing and inspecting the various facets of records
management, including ensuring records are being properly created and captured, im-
plementation of user permissions and security procedures, workfl ow processes through
sampling to ensure adherence to policies and procedures, ensuring records are being
retained following disposal authorization, and documentation of records destroyed or
transferred to determine whether destruction/transfer was authorized in accordance
with disposal instructions.
Compliance monitoring can be carried out by an internal audit, external organiza-
tion, or RM and must be done on a regular basis.
Availability
Organizations should evaluate how effectively and effi ciently records and information are
stored and retrieved using present equipment, networks, and software . The evaluation
should identify current and future requirements and recommend new systems
as appropriate. Certain factors should be considered before upgrading or imple-
menting new systems. These factors are practicality, cost, and effectiveness of new
confi gurations.
A major challenge for organizations is ensuring timely and reliable access to and
use of information and that records are accessible and usable for the entire length of
the retention period. Rapid changes and enhancements to both hardware and software
compound this challenge.
Retention
Retention is the function of preserving and maintaining records for continuing use. The reten-
tion schedule identifi es the actions needed to fulfi ll the requirements for the retention
and disposal of records and provides the authority for employees and systems to retain,
destroy, or transfer records. The records retention schedule documents the record-
keeping requirements and procedures, identifying how records are to be organized

INFORMATION GOVERNANCE PRINCIPLES 33
and maintained, what needs to happen to records and when, who is responsible for
doing what, and whom to contact with questions or guidance.
Organizations must identify the scope of their recordkeeping requirements for
documenting business activities based on regulated activities and jurisdictions that im-
pose control over records. This includes business activities regulated by the govern-
ment for every location or jurisdiction in which the company does business. Other
considerations for determining retention requirements include operational, legal, fi s-
cal, and historical ones.
Records appraisal is the process of assessing the value and risk of records to
determine their retention and disposition requirements. Legal research is outlined in
appraisal reports. This appraisal process may be accomplished as a part of the process
of developing the records retention schedules as well as conducting a regular review to
ensure that citations and requirements are current.
The records retention period is the length of time that records should be retained and d
the actions taken for them to be destroyed or preserved. The retention periods for different
records should be based on legislative or regulatory requirements as well as on admin-
istrative and operational requirements.
It is important to document the legal research conducted and used to determine
whether the law or regulation has been reasonably applied to the recordkeeping prac-
tices and provide evidence to regulatory offi cials or courts that due diligence has been
conducted in good faith to comply with all applicable requirements.
Disposition
Disposition is the last stage in the life cycle of records. When the retention requirements
have been met and the records no longer serve a useful business purpose, records may
be destroyed. Records requiring long-term or permanent retention should be trans-
ferred to an archive for preservation. The timing of the transfer of physical or elec-
tronic records should be determined through the records retention schedule process.
Additional methods, including migration or conversion, are often required to preserve
electronic records.
Records must be destroyed in a controlled and secure manner and in accordance
with authorized disposal instructions. The destruction of records must be clearly doc-
umented to provide evidence of destruction according to an agreed-on program.
Destruction of records must be undertaken by methods appropriate to the con-
fi dentiality of the records and in accordance with disposal instructions in the records
retention schedule. An audit trail documenting the destruction of records should be
maintained, and certifi cates of destruction should be obtained for destruction under-
taken by third parties. In the event disposal schedules are not in place, written autho-
rization should be obtained prior to destruction. Procedures should specify who must
supervise the destruction of records. Approved methods of destruction must be speci-
fi ed for each media type to ensure that information cannot be reconstructed.
Disposition is the last stage in the life cycle of records. Disposition is not syn-
onymous with destruction, although destruction may be one disposal option.

34 INFORMATION GOVERNANCE
Disposition is not synonymous with destruction, although destruction may be one disposal
option. Destruction of records must be carried out under controlled, confi dential
conditions by shredding or permanent disposition. This includes the destruction of
confi dential microfi lm, microfi che, computer cassettes, and computer tapes as well
as paper.
Methods of Disposition
■ Discard. The standard destruction method for nonconfi dential records. If pos-
sible, all records should be shredded prior to recycling. Note that transitory
records can also be shredded.
■ Shred. Confi dential and sensitive records should be processed under strict
security. This may be accomplished internally or by secure on-site shredding
by a third party vendor who provides certifi cates of secure destruction. The
shredded material is then recycled.
■ Archive. This designation is for records requiring long-term or permanent
preservation. Records of enduring legal, fi scal, administrative, or historical
value are retained.
■ Imaging. Physical records converted to digital images, after which the original
paper documents are destroyed.
■ Purge. This special designation is for data, documents, or records sets that need
to be purged by removing material based on specifi ed criteria. This often ap-
plies to structure records in databases and applications.
Assessment and Improvement Roadmap
The Generally Accepted Recordkeeping Principles® maturity model can be lever-
aged to develop a current state assessment of an organization’s recordkeeping prac-
tices and resources, identify gaps and assess risks, and develop priorities for desired
improvements.
The Principles were developed by ARMA International to identify characteristics
of an effective recordkeeping program. Each of the eight principles identifi es issues
and practices that, when evaluated against the unique needs and circumstances of an
organization, can be applied to improvements for a recordkeeping program that meets
recordkeeping requirements. The Principles identify requirements and can be used to
guide incremental improvement in creation, organization, security, maintenance, and
other activities over a period of one to fi ve years. Fundamentally, RM and information
governance are business disciplines that must be tightly integrated with operational
policies, procedures, and infrastructure.
The Principles can be mapped to the four improvement areas in Table 3.2 .
As an accepted industry guidance maturity model, the Principles provide a con-
venient and complete framework for assessing the current state of an organization’s
recordkeeping and developing a roadmap to identify improvements that will bring
the organization into compliance. An assessment/analysis of the current RM practices,
procedures, and capabilities together with current and future state practices provides
two ways of looking at the future requirements of a complete RM (see Table 3.3 ).

INFORMATION GOVERNANCE PRINCIPLES 35
Table 3.2 Improvement Areas for Generally Accepted Recordkeeping Principles
Improvement Area A
cc
o
u
n
ta
b
ili
ty
Tr
an
sp
ar
e
n
cy
In
te
g
ri
ty
P
ro
te
ct
io
n
C
o
m
p
lia
n
ce
A
va
ila
b
ili
ty
R
e
te
n
ti
o
n
D
is
p
o
si
ti
o
n
Roles and responsibilities ◊ ◊ ◊
Policies and procedures ◊ ◊ ◊ ◊ ◊ ◊ ◊ ◊
Communication and training ◊ ◊ ◊ ◊ ◊
Systems and automation ◊ ◊ ◊ ◊ ◊ ◊
Who Should Determine IG Policies?
When forming an IG steering committee or board, it is essential to include represen-
tatives from cross-functional groups and at different levels of the organization. The
committee must be driven by an executive sponsor and include active members from
key business units as well as other departments, including IT, fi nance, risk, compli-
ance, RM, and legal. Then corporate training/education and communications must be
involved to keep employees trained and current on IG policies. This function may be
performed by an outside consulting fi rm if there is no corporate education staff.
Knowledge workers who work with records and sensitive information in any ca-
pacity best understand the nature and value of the records they work with as they
perform their day-to-day functions. IG policies must be developed and communicated
clearly and consistently. Policies are worthless if people do not know or understand them or
how to comply with them . And training is a crucial element that will be examined in any
compliance hearing or litigation that may arise. “Did senior management not only cre-
ate the policies but provide adequate training on them on a consistent basis?” This will
be a key question raised. So a training plan is a necessary piece of IG, and education
should be heavily emphasized. 6
The need for IG is increasing due to increased and tightened regulations, in-
creased litigation, and the increased incidence of theft and misuse of internal docu-
ments and records. Organizations that do not have active IG programs should reevaluate
IG policies and their internal processes following any major loss of records, the inability to
When forming an IG steering committee or board, it is essential to include
representatives from cross-functional groups.
Knowledge workers who work with records in any capacity best understand
the nature and value of the records they work with.

36
T
ab
le
3
.3

A
ss
es
sm
en
t
R
ep
or
t
an
d
R
oa
d
M
ap
.
P
ri
n
ci
p
le
Le
ve
l
Fi
n
d
in
g
s
R
e
q
u
ir
e
m
e
n
ts
t
o
M
o
ve
t
o
t
h
e
N
e
xt
S
te
p
A
cc
o
u
n
ta
b
ili
ty
Le
ve
l 1
Su
b
st
an
d
ar
d
N
o
s
en
io
r
ex
ec
u
ti
ve
(
o
r
p
er
so
n
o
f
co
m
p
ar
ab
le
a
u
th
o
ri
ty
)
is
r
es
p
o
n
si
b
le
f
o
r
th
e
R
M
p
ro
g
ra
m
.
T
h
e
re
co
rd
s
m
an
ag
er
r
o
le
is
la
rg
el
y
n
o
n
ex
is
te
n
t
o
r
is
a
n
a
d
m
in
is
tr
at
iv
e
an
d
/
o
r
cl
er
ic
al
r
o
le
d
is
tr
ib
u
te
d
a
m
o
n
g
g
en
er
al
s
ta
ff
.
1
.
A
ss
ig
n
R
M
r
es
p
o
n
si
b
ili
ti
es
t
o
s
en
io
r
ex
ec
u
ti
ve
.
2
.
H
ir
e
o
r
p
ro
m
o
te
r
ec
o
rd
s
m
an
ag
er
.
Tr
an
s p
ar
en
cy
Le
ve
l 1
Su
b
st
an
d
ar
d
It
is
d
iffi
c
u
lt
t
o
o
b
ta
in
in
fo
rm
at
io
n
a
b
o
u
t
th
e
o
rg
an
iz
at
io
n
o
r
it
s
re
co
rd
s
in
a

ti
m
el
y
fa
sh
io
n
.
N
o
c
le
ar
d
o
cu
m
en
ta
ti
o
n
is
r
ea
d
ily
a
va
ila
b
le
.
T
h
er
e
is
n
o
e
m
p
h
as
is
o
n
t
ra
n
sp
ar
en
cy
.
P
u
b
lic
r
e q
u
es
ts
f
o
r
in
fo
rm
at
io
n
,
d
is
co
ve
ry
f
o
r
lit
ig
at
io
n
,
re
g
u
la
to
ry
r
es
p
o
n
se
s,
o
r
o
th
er
r
eq
u
es
ts
(
e.
g
.,
f
ro
m
p
o
te
n
ti
al
b
u
si
n
es
s
p
ar
tn
er
s,
in
ve
st
o
rs
,
o
r
b
u
ye
rs
)
ca
n
n
o
t
b
e
re
ad
ily
a
cc
o
m
m
o
d
at
ed
.
T
h
e
o
rg
an
iz
at
io
n
h
as
n
o
t
es
ta
b
lis
h
ed
c
o
n
tr
o
ls
t
o
e
n
su
re
t
h
e
co
n
si
st
en
cy
o
f
in
fo
rm
at
io
n
d
is
cl
o
su
re
.
B
u
si
n
es
s
p
ro
ce
ss
es
a
re
n
o
t
w
el
l d
efi
n
ed
.
1
.
D
ev
el
o
p
p
o
lic
ie
s
an
d
p
ro
ce
d
u
re
s.

2
.
D
ev
el
o
p
t
ra
in
in
g
f
o
r
al
l l
ev
el
s
o
f
st
af
f.
3
.
Id
en
ti
fy
r
eq
u
ir
em
en
ts
f
o
r
re
co
rd
s
fi n
d
ab
ili
ty

an
d
a
cc
es
si
b
ili
ty
.
4
.
D
efi
n
e
b
u
si
n
es
s
p
ro
ce
ss
es
.
In
te
g
ri
ty
Le
ve
l 1
Su
b
st
an
d
ar
d
T
h
er
e
ar
e
n
o
s
ys
te
m
at
ic
a
u
d
it
s
o
r
d
efi
n
ed
p
ro
ce
ss
es
f
o
r
sh
o
w
in
g
t
h
e
o
ri
g
in

an
d
a
u
th
en
ti
ci
ty
o
f
a
re
co
rd
.
V
ar
io
u
s
o
rg
an
iz
at
io
n
al
f
u
n
ct
io
n
s
u
se
a
d
h
o
c
m
et
h
o
d
s
to
d
em
o
n
st
ra
te

au
th
en
ti
ci
ty
a
n
d
c
h
ai
n
o
f
cu
st
o
d
y,
a
s
ap
p
ro
p
ri
at
e,
b
u
t
th
ei
r
tr
u
st
w
o
rt
h
in
es
s
ca
n
n
o
t
ea
si
ly
b
e
g
u
ar
an
te
ed
.
1
.
D
ev
el
o
p
a
u
d
it
p
ro
ce
ss
.
2
.
Id
en
ti
fy
b
u
si
n
es
s
ac
ti
vi
ti
es
f
o
r
cr
ea
ti
o
n
a
n
d

st
o
ra
g
e
o
f
re
co
rd
s.

P
ro
te
ct
io
n
Le
ve
l 1
Su
b
st
an
d
ar
d
N
o
c
o
n
si
d
er
at
io
n
is
g
iv
en
t
o
r
ec
o
rd
p
ri
va
cy
.
R
ec
o
rd
s
ar
e
st
o
re
d
h
ap
h
az
ar
d
ly
,
w
it
h
p
ro
te
ct
io
n
t
ak
en
b
y
va
ri
o
u
s
g
ro
u
p
s
an
d

d
ep
ar
tm
en
ts
w
it
h
n
o
c
en
tr
al
iz
ed
a
cc
es
s
co
n
tr
o
ls
.
A
cc
es
s
co
n
tr
o
ls
,
if
an
y,
a
re
a
ss
ig
n
ed
b
y
th
e
au
th
o
r.
1
.
A
ss
es
s
se
cu
ri
t y
a
n
d
a
cc
es
s
co
n
tr
o
ls
.
2
.
D
ev
el
o
p
a
cc
es
s
an
d
s
ec
u
ri
ty
c
o
n
tr
o
l s
ch
em
e.

C
o
m
p
lia
n
ce
Le
ve
l 3
Es
se
n
ti
al
T
h
e
o
rg
an
iz
at
io
n
h
as
id
en
ti
fi e
d
a
ll
re
le
va
n
t
co
m
p
lia
n
ce
la
w
s
an
d
r
eg
u
la
ti
o
n
s.
R
ec
o
rd
c
re
at
io
n
a
n
d
c
ap
tu
re
a
re
s
ys
te
m
at
ic
al
ly
c
ar
ri
ed
o
u
t
in
a
cc
o
rd
an
ce
w
it
h
R
M
p
ri
n
ci
p
le
s.
T
h
e
o
rg
an
iz
at
io
n
h
as
a
s
tr
o
n
g
c
o
d
e
o
f
b
u
si
n
es
s
co
n
d
u
ct
,
w
h
ic
h
is
in
te
g
ra
te
d

in
to
it
s
o
ve
ra
ll
IG
s
tr
u
ct
u
re
a
n
d
r
ec
o
rd
-k
ee
p
in
g
p
o
lic
ie
s.
C
o
m
p
lia
n
ce
a
n
d
t
h
e
re
co
rd
s
th
at
d
em
o
n
st
ra
te
it
a
re
h
ig
h
ly
v
al
u
ed
a
n
d
m
ea
su
ra
b
le
.
1
.
Im
p
le
m
en
t
sy
st
em
s
to
c
ap
tu
re
a
n
d
p
ro
te
ct
re
co
rd
s.
2
.
D
ev
el
o
p
m
et
ad
at
a
sc
h
em
e.
3
.
D
ev
el
o
p
r
em
ed
ia
ti
o
n
p
la
n
a
n
d
im
p
le
m
en
t
co
rr
ec
ti
ve
a
ct
io
n
s.

37
T
h
e
h
o
ld
p
ro
ce
ss
is
in
te
g
ra
te
d
in
to
t
h
e
o
rg
an
iz
at
io
n
’s
in
fo
rm
at
io
n
m
an
ag
em
en
t
an
d
d
is
co
ve
ry
p
ro
ce
ss
es
f
o
r
th
e
m
o
st
c
ri
ti
ca
l s
ys
te
m
s.
T
h
e
o
rg
an
iz
at
io
n
h
as
d
efi
n
ed
s
p
ec
ifi
c
g
o
al
s
re
la
te
d
t
o
c
o
m
p
lia
n
ce
.
A
va
ila
b
ili
ty
Le
ve
l 2
In
D
ev
el
o
p
m
en
t
R
ec
o
rd
r
et
ri
ev
al
m
ec
h
an
is
m
s
h
av
e
b
ee
n
im
p
le
m
en
te
d
in
c
er
ta
in
a
re
as
o
f
th
e
o
rg
an
iz
at
io
n
.
In
t
h
o
se
a
re
as
w
it
h
r
et
ri
ev
al
m
ec
h
an
is
m
s,
it
is
p
o
ss
ib
le
t
o
d
is
ti
n
g
u
is
h
b
et
w
ee
n
o
ffi
c
ia
l r
ec
o
rd
s,
d
u
p
lic
at
es
,
an
d
n
o
n
re
co
rd
m
at
er
ia
ls
.
T
h
er
e
ar
e
so
m
e
p
o
lic
ie
s
o
n
w
h
er
e
an
d
h
o
w
t
o
s
to
re
o
ffi
c
ia
l r
ec
o
rd
s,
b
u
t
a
st
an
d
ar
d
is
n
o
t
im
p
o
se
d
a
cr
o
ss
t
h
e
o
rg
an
iz
at
io
n
.
Le
g
al
d
is
co
ve
ry
is
c
o
m
p
lic
at
ed
a
n
d
c
o
st
ly
d
u
e
to
t
h
e
in
co
n
si
st
en
t
tr
ea
tm
en
t
o
f
in
fo
rm
at
io
n
.
1
.
D
ev
el
o
p
e
n
te
rp
ri
se
c
la
ss
ifi
ca
ti
o
n
s
ch
em
e.
2
.
Id
en
ti
fy
u
se
r
se
ar
ch
a
n
d
r
et
ri
ev
al

re
q
u
ir
em
en
ts
.
3
.
D
ev
el
o
p
s
ta
n
d
ar
d
s
fo
r
m
an
ag
in
g
t
h
e
re
co
rd
s
lif
ec
yc
le
.
R
et
en
ti
o
n
Le
ve
l 2
In
D
ev
el
o
p
m
en
t
A
r
et
en
ti
o
n
s
ch
ed
u
le
is
a
va
ila
b
le
b
u
t
d
o
es
n
o
t
en
co
m
p
as
s
al
l r
ec
o
rd
s,
d
id

n
o
t
g
o
t
h
ro
u
g
h
o
ffi
c
ia
l r
ev
ie
w
,
an
d
is
n
o
t
w
el
l k
n
o
w
n
t
h
ro
u
g
h
o
u
t
th
e
o
rg
an
iz
at
io
n
.
T
h
e
re
te
n
ti
o
n
s
ch
ed
u
le
is
n
o
t
re
g
u
la
rl
y
u
p
d
at
ed
o
r
m
ai
n
ta
in
ed
.
Ed
u
ca
ti
o
n
a
n
d
t
ra
in
in
g
a
b
o
u
t
th
e
re
te
n
ti
o
n
p
o
lic
ie
s
ar
e
n
o
t
av
ai
la
b
le
.
1
.
D
ev
el
o
p
e
n
te
rp
ri
se
-w
id
e
fu
n
ct
io
n
al
r
et
en
ti
o
n

sc
h
ed
u
le
.
2
.
M
ap
r
et
en
ti
o
n
s
ch
ed
u
le
t
o
c
la
ss
ifi
ca
ti
o
n
sc
h
em
e.
3
.
Im
p
le
m
en
t
an
a
n
n
u
al
r
ev
ie
w
p
ro
ce
ss
f
o
r
re
co
rd
s
er
ie
s
an
d
le
g
al
r
es
ea
rc
h
.
4
.
D
ev
el
o
p
t
ra
in
in
g
f
o
r
cl
as
si
fi c
at
io
n
s
ch
em
e
an
d

re
te
n
ti
o
n
s
ch
ed
u
le
.
D
is
p
o
si
ti
o
n
Le
ve
l 2
In
D
ev
el
o
p
m
en
t
P
re
lim
in
ar
y
g
u
id
el
in
es
f
o
r
d
is
p
o
si
ti
o
n
a
re
e
st
ab
lis
h
ed
.
T
h
er
e
is
a
r
ea
liz
at
io
n
o
f
th
e
im
p
o
rt
an
ce
o
f
su
sp
en
d
in
g
d
is
p
o
si
ti
o
n
in
a

co
n
si
st
en
t
m
an
n
er
,
re
p
ea
ta
b
le
b
y
ce
rt
ai
n
le
g
al
g
ro
u
p
in
g
s.
T
h
er
e
m
ay
o
r
m
ay
n
o
t
b
e
en
fo
rc
em
en
t
an
d
a
u
d
it
in
g
o
f
d
is
p
o
si
ti
o
n
.
1
.
D
ev
el
o
p
p
ro
ce
d
u
re
s
fo
r
re
co
rd
s
d
is
p
o
si
ti
o
n
.
2
.
Im
p
le
m
en
t
d
is
p
o
si
ti
o
n
p
ro
ce
ss
es
.
3
.
D
ev
el
o
p
a
u
d
it
t
ra
ils
f
o
r
re
co
rd
s
tr
an
sf
er
s
an
d

d
es
tr
u
ct
io
n
.
O
ve
ra
ll
Le
ve
l 1
Su
b
st
an
d
ar
d

38 INFORMATION GOVERNANCE
CHAPTER SUMMARY: KEY POINTS
■ Principles of successful IG programs are emerging. They include executive
sponsorship, information classifi cation, integrity, security, accessibility, control,
monitoring, auditing, policy development, and continuous improvement.
■ Accountability is a key aspect of IG.
■ The Generally Accepted Recordkeeping Principles® (“The Principles”) consist
of eight principles that provide an IG framework that can support continuous
improvement.
■ An audit process must be developed to cover all aspects of RM in the
organization.
■ To be effective, policies must be formalized and integrated into business
processes.
■ Disposition is the last stage in the life cycle of records. Disposition is not
synonymous with destruction, although destruction may be one disposal
option.
■ Knowledge workers who work with records in any capacity best understand
the nature and value of the records they work with.
■ When forming an information governance steering committee or board, it is
essential to include representatives from cross-functional groups.
■ Organizations without active IG programs should reevaluate IG policies and
their internal processes following any major loss of records, the inability to
produce accurate records in a timely manner, or any document security
breach or theft.
produce accurate records in a timely manner, or any document security breach or theft. If
review boards include a broad section of critical players on the IG committee and
leverage executive sponsorship, theywill better prepare the organization for legal
and regulatory rigors.
Notes
1. Laura DuBois and Vivian Tero, “Practical Information Governance: Balancing Cost, Risk, and Produc-
tivity,” IDC White Paper, August 2010, www.emc.com/collateral/analyst-reports/idc-practical-infor-
mation-governance-ar
2. Ibid.
3. Debra Logan, “What Is Information Governance? And Why Is It So Hard?” January 11, 2010, http://
blogs.gartner.com/debra_logan/2010/01/11/what-is-information-governance-and-why-is-it-so-hard/ .

http://www.emc.com/collateral/analyst-reports/idc-practical-infor-mation-governance-ar

What is Information Governance? And Why is it So Hard?

INFORMATION GOVERNANCE PRINCIPLES 39
4. ARMA International, “Generally Accepted Recordkeeping Principles,” www.arma.org/r2/generally-
accepted-br-recordkeeping-principles/copyright (accessed November 14, 2013).
5. ARMA International,“Information Governance Maturity Model,” www.arma.org/r2/generally-
accepted-br-recordkeeping-principles (accessed November 14, 2013).
6. “Governance Overview (SharePoint Server 2010),” http://technet.microsoft.com/en-us/library/
cc263356.aspx (accessed April 19, 2011).

http://www.arma.org/r2/generally-accepted-br-recordkeeping-principles/copyright

http://www.arma.org/r2/generally-accepted-br-recordkeeping-principles

http://technet.microsoft.com/en-us/library/cc263356.aspx

PA RT T W O
Information
Governance
Risk
Assessment
and Strategic
Planning

43
C H A P T E R 4
Information Risk
Planning and
Management
I
nformation risk planning involves a number of progressive steps: identifying poten-
tial risks to information, weighing those risks, creating strategic plans to mitigate the
risks, and developing those plans into specifi c policies. Then it moves to develop-
ing metrics to measure compliance levels and identifying those who are accountable
for executing the new risk mitigating processes. These processes must be audited and
tested periodically not only to ensure compliance, but also to fi ne tune and improve
the processes.
Depending on the jurisdiction, information is required by specifi c laws and regu-
lations to be retained for specifi ed periods, and to be produced in specifi ed situations.
To determine which laws and regulations apply to your organization’s information, re-
search into the legal and regulatory requirements for information in the jurisdictions
in which your organization operates must be conducted.
Step 1: Survey and Determine Legal and Regulatory
Applicability and Requirements
There are federal, provincial, state, and even municipal laws and regulations that may
apply to the retention of information (data, documents, and records). Organizations
operating in multiple jurisdictions must maintain compliance with laws and regula-
tions that may cross national, state, or provincial boundaries. Legally required pri-
vacy requirements and retention periods must be researched for each jurisdiction (e.g.
county, state, country) in which the business operates, so that it complies with all ap-
plicable laws.
IG, compliance, and records managers must conduct their own legislative research
to apprise themselves of mandatory information retention requirements, as well as
privacy considerations and requirements, especially in regard to personally identifi –
able information (PII). This information must be analyzed and structured and pre-
sented to legal staff for discussion. Then further legal and regulatory research must
be conducted, and fi rm legal opinions must be rendered by legal counsel regarding
information retention, privacy, and security requirements in accordance with laws and
regulations. This is an absolute requirement. In order to arrive at a consensus on records
that have legal value to the organization and to construct an appropriate retention

44 INFORMATION GOVERNANCE
schedule, your legal staff or outside legal counsel should explain the legal hold process,
provide opinions and interpretations of law that apply to your organization, and ex-
plain the value of formal records.
Legal requirements trump all others. The retention period for a particular type of
document or PII data or records series must meet minimum retention, privacy, and
security requirements as mandated by law. Business needs and other considerations are
secondary. So, legal research is required before determining and implementing reten-
tion periods, privacy policies, and security measures.
In order to locate the regulations and citations relating to retention of records,
there are two basic approaches. The fi rst approach is to use a records retention
citation service, which publishes in electronic form all of the retention-related
citations. These services usually are purchased on a subscription basis, as the cita-
tions are updated on an annual or more frequent basis as legislation and regula-
tions change.
Figure 4.1 is an excerpt from a Canadian records retention database product
called FILELAW®. 1 In this case, the act, citation, and retention periods are clearly
identifi ed.
Another approach is to search the laws and regulations directly using online or
print resources. Records retention requirements for corporations operating in the
United States may be found in the Code of Federal Regulations (CFR).
In identifying information requirements and risks, legal requirements trump
all others.
Figure 4.1 Excerpt from Canadian Records Retention Database
Source: Ontario, Electricity Act, FILELAW database, Thomson Publishers, May 2012.

INFORMATION RISK PLANNING AND MANAGEMENT 45
The Code of Federal Regulations (CFR) annual edition is the codifi cation of
the general and permanent rules published in the Federal Register by the de-
partments and agencies of the federal government. It is divided into 50 titles
that represent broad areas subject to federal regulation. The 50 subject matter
titles contain one or more individual volumes, which are updated once each
calendar year, on a staggered basis. The annual update cycle is as follows: titles
1 to 16 are revised as of January 1; titles 17 to 27 are revised as of April 1; titles
28 to 41 are revised as of July 1; and titles 42 to 50 are revised as of October 1.
Each title is divided into chapters, which usually bear the name of the issu-
ing agency. Each chapter is further subdivided into parts that cover specifi c
regulatory areas. Large parts may be subdivided into subparts. All parts are
organized in sections, and most citations to the CFR refer to material at the
section level. 2
There is an up-to-date version that is not yet a part of the offi cial CFR but is
updated daily, the Electronic Code of Federal Regulations (e-CFR) . “It is not an
offi cial legal edition of the CFR. The e-CFR is an editorial compilation of CFR ma-
terial and Federal Register amendments produced by the National Archives and Re-
cords Administration’s Offi ce of the Federal Register . . . and the Government Printing
Offi ce.”3 According to the gpoaccess.gov Web site:
The Administrative Committee of the Federal Register (ACFR) has autho-
rized the National Archives and Records Administration’s (NARA) Offi ce of
the Federal Register (OFR) and the Government Printing Offi ce (GPO) to
develop and maintain the e-CFR as an informational resource pending ACFR
action to grant the e-CFR offi cial legal status. The OFR/GPO partnership is
committed to presenting accurate and reliable regulatory information in the
e-CFR editorial compilation with the objective of establishing it as an ACFR
sanctioned publication in the future. While every effort has been made to en-
sure that the e-CFR on GPO Access is accurate, those relying on it for legal
research should verify their results against the offi cial editions of the CFR,
Federal Register and List of CFR Sections Affected (LSA), all available online
at www.gpoaccess.gov . Until the ACFR grants it offi cial status, the e-CFR
editorial compilation does not provide legal notice to the public or judicial
notice to the courts.
The OFR updates the material in the e-CFR on a daily basis. Generally,
the e-CFR is current within two business days. The current update status is
displayed at the top of all e-CFR web pages.
For governmental agencies, a key consideration is complying with requests for
information as a result of freedom of information laws like the U.S. Freedom of
In the United States the Code of Federal Regulations lists retention require-
ments for businesses, divided into 50 subject matter areas.

http://www.gpoaccess.gov

46 INFORMATION GOVERNANCE
Information Act, Freedom of Information Act 2000 (in the United Kingdom), and
similar legislation in other countries. So the process of governing information is criti-
cal to meeting these requests by the public for governmental records.
Step 2: Specify IG Requirements to Achieve Compliance
Once the legal research has been conducted and a process for keeping updated on laws
and regulations has been established, specifi c external compliance requirements can be
listed and those data, document, and record sets that apply to those external compliance
requirements can be mapped back to applicable holdings of data sets, document col-
lections, and records series. The crucial task is keeping your legal and records manage-
ment staff apprised of changes and updating the policies and processes appropriately.
Internal IG retention policies may be different from the legally mandated minimums. For
instance, an organization that is not operating in a highly regulated industry that wants
to balance defensible disposition with a need to retain corporate memory and develop
knowledge management (KM) content or “knowledge bases” may have the optiont
to dispose of e-mail that is not declared a record or cited for legal hold after 90 days,
but may choose, based on corporate culture and other business factors, to retain e-mail
messages for a year. Similarly, the organization may make legally defensible disposition
decisions that reduce the total amount of information it must manage by using a “last ac-
cessed” rationale, whereby information that has not been accessed for over one year (or
whatever the specifi ed period is) may be destroyed and discarded, as a matter of policy.
Step 3: Create a Risk Profi le
Creating a risk profi le is a basic building block in enterprise risk management (yet t
another ERM acronym), which assists executives in understanding the risks associatedr
with stated business objectives and allocating resources, within a structured evaluation
approach or framework. There are multiple ways to create a risk profi le, and how often
it is done, the external sources consulted, and stakeholders who have input will vary
from organization to organization. 4 A key tenet to bear in mind is that simpler is better and
that sophisticated tools and techniques should not make the process overly complex. According
to the ISO, risk is defi ned as “the effect of uncertainty on objectives,” and a risk profi le
is “a description of a set of risks.”5 Creating a risk profi le involves identifying, docu-
menting, assessing, and prioritizing risks that an organization may face in pursuing its
business objectives. It can be a simple table chart. Those associated risks can then be
evaluated and delineated within a risk or IG framework.
The corporate risk profi le should be an informative tool for executive manage-
ment, the CEO, and the board of directors, so it should refl ect that tone. In other
The risk profi le is a high-level, executive decision input tool.

INFORMATION RISK PLANNING AND MANAGEMENT 47
words, it should be clear, succinct, and simplifi ed. A risk profi le may also serve to in-
form the head of a division or subsidiary, in which case it may contain more detail. The
process can also be applied to public and nonprofi t entities.
The time horizon for a risk profi le varies, but looking out three to fi ve years is a good rule
of thumb . 6 The risk profi le typically will be created annually, although semiannually
would serve the organization better and account for changes in the business and legal
environment. But if an organization is competing in a market sector with rapid busi-
ness cycles or volatility, the risk profi le should be generated more frequently, perhaps
quarterly.
There are different types of risk profi le methodologies; common methodologies
are a top-10 list, a risk map , and a heat map . The top-10 list is a simple identifi cation
and ranking of the 10 greatest risks in relation to business objectives. The risk map is
a visual tool that is easy to grasp, with a grid depicting a likelihood axis and an impact
axis, usually rated on a scale of 1 to 5. In a risk assessment meeting, stakeholders can
weigh in on risks using voting technology to generate a consensus. A heat map is a
color-coded matrix generated by stakeholders voting on risk level by color (e.g., red
being highest).
Information gathering is a fundamental activity in building the risk profi le. Surveys
are good for gathering basic information, but for more detail, a good method to employ
is direct, person-to-person interviews, beginning with executives and risk professionals.7
Select a representative cross section of functional groups to gain a broad view. Depend-
ing on the size of the organization, you may need to conduct 20 to 40 interviews, with
one person asking the questions and probing while another team member takes notes
and asks occasionally for clarifi cation or elaboration. Conduct the interviews in a com-
pressed timeframe—knock them out within one to three weeks and do not drag the
process out, as business conditions and personnel can change over the course of months.
Here are three helpful considerations to conducting successful interviews.
1. Prepare some questions for interviewees in advance and provide them to in-
terviewees so they may prepare and do some of their own research.
2. Schedule the interview close to their offi ces, and at their convenience.
3. Keep the time as short as possible but long enough to get the answers you will
need: approximately 20 to 45 minutes. Be sure to leave some open time be-
tween interviews to collect your thoughts and prepare for the next interview.
And follow up with interviewees after analyzing and distilling your notes to
confi rm you have gained the correct insights.
The information you will be harvesting will vary depending on the interviewee’s
level and function. You will need to look for any hard data or reports that show
performance and trends related to information risk. There may be benchmarking data
A common risk profi le method is to create a prioritized or ranked top-10
list of greatest risks to information.

48 INFORMATION GOVERNANCE
available as well. Delve into information access and security policies, policy devel-
opment, policy adherence, and the like. Ask questions about retention of e-mail and
legal hold processes. Ask about records retention and disposition policies. Ask about
long-term preservation of digital records. Ask about data deletion policies. Ask for
documentation regarding IG-related training and communications. Dig into policies
for access to confi dential data and securing vital records. Try to get a real sense of the
way things are run, what is standard operating procedure, and also how workers might
get around overly restrictive policies, or operate without clear policies. Learn enough
so that you can grasp the management style and corporate culture, and then distill that
information into your fi ndings.
Key events and developments must also be included in the risk profi le. For in-
stance, a major data breach, the loss or potential loss of a major lawsuit, pending regu-
latory changes that could impact your IG policies, or a change in business ownership
or structure must all be accounted for and factored into the information risk profi le.
Even changes in governmental leadership should be considered, if they might impact
IG policies. These types of developments should be tracked on a regular basis and
should continue to feed into the risk equation. 8 Key events should be monitored and
incorporated in developing and subsequently updating the risk profi le.
At this point, it should be possible to generate a list of specifi c potential risks. It
may be useful to group or categorize the potential risks into clusters, such as natural disaster,
regulatory, safety, competitive, and so forth . Armed with this list of risks, you should solicit
input from stakeholders as to the likelihood and timing of the threats or risks. As the
organization matures in its risk identifi cation and handling capabilities, a good practice
is to look at the risks and their ratings from previous years to attempt to gain insights
into change and trends—both external and internal—that affected the risks.
Step 4: Perform Risk Analysis and Assessment
Once you have created a risk profi le and identifi ed key risks, you must conduct an as-
sessment of the likelihood that these risks hold and their resultant impact.
There are fi ve basic steps in conducting a risk assessment: 9
1. Identify the risks. This should be an output of creating a risk profi le, but if con-
ducting an information risk assessment, fi rst identify the major information-
related risks.
2. Determine potential impact. If a calculation of a range of economic impact is
possible (e.g., lose $5 to $10 million in legal damages), then include it. If not,
be as specifi c as possible as to how a negative event related to an identifi ed risk
can impact business objectives.
Once a list of risks is developed, grouping them into basic categories helps
stakeholders grasp them more easily and consider their likelihood and impact.

INFORMATION RISK PLANNING AND MANAGEMENT 49
3. Evaluate risk levels and probabilities and recommend action. This may be in the
form of recommending new procedures or processes, new investments in in-
formation technology (IT), or other actions to mitigate identifi ed risks.
4. Create a report with recommendations and implement. You may want to include a
risk assessment table (see Table 4.1 ) as well as written recommendations, then
implement.
5. Review periodically. Review annually or semiannually, as appropriate for your
organization.
A helpful exercise and visual tool is to draw up a table of top risks, their potential
impacts, actions that have been taken to mitigate the risks, and suggested new risk
countermeasures, as in Table 4.1 .
Step 5: Develop an Information Risk Mitigation Plan
After setting out the risks, their potential impacts, and suggested countermeasures
for mitigation, you must create the information risk mitigation plan , which means
developing options and tasks to reduce the specifi ed risks and improve the odds of
achieving business objectives. 10 Basically, you are putting in writing the information
you have collected and analyzed in creating the risk profi le and risk assessment, and as-
signing specifi cs. The information risk mitigation plan should include a timetable and
milestones for implementation of the recommended risk mitigation measures, includ-
ing IT acquisition and implementation and assigning roles and responsibilities, such
as executive sponsor, project manager (PM), and project team.
Table 4.1 Risk Assessment
What Are
the
Risks?
How Might
They Impact
Business
Objectives?
Actions and
Processes
Currently
in Place
Additional
Resources
Needed to
Manage This Risk
Action
by
Whom?
Action by
When? Done
Breach of
confi dential
documents
Compromise
confi dential
information
Compromise
competitive
position
Compromise
business
negotiations
Utilizing ITIL
and CobiT IT
frameworks
Published
security
policies
Semiannual
security
audits
Implement newer
technologies
including
information rights
management
Implement quarterly
audits
IT staff,
security
offi cer
01/10/2016 01/10/2016
The risk mitigation plan develops risk reduction options and tasks to reduce
specifi ed risks and improve the odds for achieving business objectives.

50 INFORMATION GOVERNANCE
Step 6: Develop Metrics and Measure Results
How do you know how well you are doing? Have you made progress in reducing
your organization’s exposure to information risk? To measure conformance and per-
formance of your IG program, you must have an objective way to measure how you
are doing, which means numbers and metrics. Assigning some quantitative measures
that are meaningful and do, in fact, measure progress may take some serious effort and
consultation with stakeholders. Determining relevant ways of measuring progress will
allow executives to see progress, as, realistically, reducing risk is not something anyone
can see or feel—the painful realizations are made only when the risk comes home to
roost. Also, valid metrics help to justify investment in the IG program.
Although the proper metrics will vary from organization to organization, some
specifi c metrics include:
■ Reduce the data lost on stolen or misplaced laptops by 50 percent over the
previous fi scal year.
■ Reduce the number of hacker intrusion events by 75 percent over the previous
fi scal year.
■ Reduce e-discovery costs by 25 percent over the previous fi scal year.
■ Reduce the number of adverse fi ndings in the risk and compliance audit by 50
percent over the previous fi scal year.
■ Provide information risk training to 100 percent of the knowledge-level work-
force this fi scal year.
■ Roll out the implementation of information rights management software to
protect confi dential e-documents to 50 users this fi scal year.
■ Provide confi dential messaging services for the organization’s 20 top executives
this fi scal year.
Your organization’s metrics should be tailored to address the primary goals of your
IG program and should tie directly to stated business objectives.
Step 7: Execute Your Risk Mitigation Plan
Now that you have the risk mitigation plan, it must be executed. To do so, you must set
up regular project/program team meetings, develop key reports on your information risk
mitigation metrics, and manage the process. This is done using proven project and pro-
gram management tools and techniques, which you may want to supplement with collab-
oration software tools, knowledge management software, or even internal social media.
But most important, execution of the risk mitigation plan involves communicating
clearly and regularly with the IG team on the progress and status of the IG effort to
reduce information risk.
Metrics are required to measure progress in the risk mitigation plan.

INFORMATION RISK PLANNING AND MANAGEMENT 51
Step 8: Audit the Information Risk Mitigation Program
The metrics you have developed to measure risk mitigation effectiveness must also be
used for audit purposes. Put a process in place to separately and independently audit
compliance to risk mitigation measures, to see that they are being implemented. The
result of the audit should be a useful input in improving and fi ne-tuning the program.
It should not be viewed as an opportunity to cite shortfalls and implement punitive
actions. It should be a periodic and regular feedback loop into the IG program.
Notes
1. Ontario, Electricity Act, FILELAW database, Thomson Publishers, May 2012.
2. U.S. Government Printing Offi ce (GPO), “Code of Federal Regulations,” www.gpo.gov/help/index
.html#about_code_of_federal_regulations.htm (accessed April 22, 2012).
3. National Archives and Records Administration, “Electronic Code of Federal Regulations,” http://ecfr
.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&tpl=%2Findex.tpl (accessed October 2, 2012).
4. John Fraser and Betty Simkins, eds., Enterprise Risk Management: Today’s Leading Research and Best
Practices for Tomorrow’s Executives (Hoboken, NJ: John Wiley & Sons, 2010), p. 171. s
5. “ISO 31000 2009 Plain English, Risk Management Dictionary,” www.praxiom.com/iso-31000-terms
.htm (accessed March 25, 2013).
6. Fraser and Simkins, p. 172.
7. Ibid.
8. Ibid., p. 179.
9. Health and Safety Executive, “Five Steps to Risk Assessment,” www.hse.gov.uk/risk/fi vesteps.htm
(accessed March 25, 2013).
10. Project Management Institute, A Guide to the Project Management Body of Knowledge ( PMBOK Guide ),
4th ed. (Project Management Institute, 2008), ANSI/PMI 99-001-2008, pp. 273–312.
CHAPTER SUMMARY: KEY POINTS
■ In identifying information requirements and risks, legal requirements trump
all others.
■ In the United States, the Code of Federal Regulations lists information reten-
tion requirements for businesses, divided into 50 subject matter areas.
■ The risk profi le is a high-level, executive decision input tool.
■ A common risk profi le method is to create a prioritized or ranked top-10 list
of greatest risks to information.
■ Once a list of risks is developed, grouping them into basic categories helps stake-
holders to grasp them more easily and consider their likelihood and impact.
■ The risk mitigation plan develops risk reduction options and tasks to reduce
specifi ed risks and improve the odds for achieving business objectives.
■ Metrics are required to measure progress in the risk mitigation plan.
■ The risk mitigation plan must be reviewed and audited regularly and proper
adjustments made.

http://www.gpo.gov/help/index.html#about_code_of_federal_regulations.htm

http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&tpl=%2Findex.tpl

http://www.praxiom.com/iso-31000-terms.htm

http://www.hse.gov.uk/risk/fivesteps.htm

http://www.gpo.gov/help/index.html#about_code_of_federal_regulations.htm

http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&tpl=%2Findex.tpl

http://www.praxiom.com/iso-31000-terms.htm

53
C H A P T E R 5
Strategic Planning
and Best Practices
for Information
Governance
Securing a sponsor at the executive management level is always crucial to projectsand programs, and this is especially true of any strategic planning effort. An gexecutive must be on board and supporting the effort in order to garner the re-
sources needed to develop and execute the strategic plan, and that executive must be
held accountable for the development and execution of the plan. These axioms apply
to the development of an information governance (IG) strategic plan.
Also, resources are needed—time, human capital, and budget money. The fi rst is a
critical element: It is not possible to require managers to take time out of their other
duties to participate in a project if there is no executive edict and consistent follow up,
support, and communication. Executive sponsorship is a best practice and supports the
key principle of accountability of the Generally Accepted Recordkeeping Principles ®
(The Principles)1 (see Chapter 3 for more detail). And, of course, without an allocated
budget, no program can proceed.
The higher your executive sponsor is in the organization, the better. 2 The imple-
mentation of an IG program may be driven by the chief compliance offi cer, chief
information offi cer (CIO), or, ideally, the chief executive offi cer (CEO). With CEO
sponsorship come many of the key elements needed to complete a successful project,
including allocated management time, budget money, and management focus.
It is important to bear in mind that this IG effort is truly a change management
effort, in that it aims to change the structure, guidelines, and rules within which em-
ployees operate. The change must occur at the very core of the organization’s culture. It
must be embedded permanently, and for it to be, the message must be constantly and
consistently reinforced. Achieving this kind of change requires commitment from the
very highest levels of the organization.
Executive sponsorship is critical to project success. There is no substitute.
Without it, a project is at risk of failure.

54 INFORMATION GOVERNANCE
If the CEO is not the sponsor, then another high-level executive must lead the ef-
fort and be accountable for meeting milestones as the program progresses. Programs
with no executive sponsor can lose momentum and focus, especially as competing
projects and programs are evaluated and implemented. Program failure is a great
risk without an executive sponsor. Such a program likely will fade or fi zzle out or
be relegated to the back burner. Without strong high-level leadership, when things
go awry, fi nger pointing and political games may take over, impeding progress and
cooperation.
The executive sponsor must be actively involved, tracking program objectives and
milestones on a regular, scheduled basis and ensuring they are aligned with business
objectives. He or she must be aware of any obstacles or disputes that arise, take an ac-
tive role in resolving them, and push the program forward.
Crucial Executive Sponsor Role
The role of an executive sponsor is high level, requiring periodic and regular atten-
tion to the status of the program, particularly with budget issues, staff resources, and
milestone progress. The role of a program or project manager (PM) is more detailed
and day to day, tracking specifi c tasks that must be executed to make progress toward
milestones. Both roles are essential. The savvy PM brings in the executive sponsor to
push things along when more authority is needed but reserves such project capital for
those issues that absolutely cannot be resolved without executive intervention. It is
best for the PM to keep the executive sponsor fully informed but to ask for assistance
only when absolutely needed.
At the same time, the PM must manage the relationship with the executive spon-
sor, perhaps with some gentle reminders, coaxing, or prodding, to ensure that the
role and tasks of executive sponsorship are being fulfi lled. “[T]he successful Project
Manager knows that if those duties are not being fulfi lled, it’s time to call a timeout
and have a serious conversation with the Executive Sponsor about the viability of the
project.” 3
The executive sponsor serves six key purposes on a project:
1. Budget. The executive sponsor ensures an adequate fi nancial commitment is
made to see the project through and lobbies for additional expenditures when
change orders are made or cost overruns occur.
2. Planning and control. The executive sponsor sets direction and tracks accom-
plishment of specifi c, measureable business objectives.
3. Decision making. The executive sponsor makes or approves crucial decisions
and resolves issues that are escalated for resolution.
4. Expectation Management. The executive sponsor must manage expectation,
since success is quite often a stakeholder perception.
5. Anticipation. Every project that is competing for resources can run into un-
foreseen blockages and objections. Executive sponsors run interference and
provide political might for the PM to lead the project to completion, through
a series of milestones.
6. Approval. The executive sponsor signs off when all milestones and objectives
have been met.

STRATEGIC PLANNING AND BEST PRACTICES FOR INFORMATION GOVERNANCE 55
An eager and effective executive sponsor makes all the difference to a project—if
the role is properly managed by the PM. It is a tricky relationship, since the PM is
always below the executive sponsor in the organization’s hierarchy, yet the PM must
coax the superior into tackling certain high-level tasks. Sometimes a third-party con-
sultant who is an expert in the specifi c project can instigate and support requests made
of the sponsor and provide a solid business rationale.
Evolving Role of the Executive Sponsor
The role of the executive sponsor necessarily evolves and changes over the life of the
initial IG program launch, during the implementation phases, and on through the
continued IG program.
To get the program off the ground, the executive sponsor must make the business
case and get adequate budgetary funding. But an effort such as this takes more than
money; it takes time— not just time to develop new policies and implement new tech-—
nologies, but the time of the designated PM, program leaders, and needed program
team members.
In order to get this time set aside, the IG program must be made a top prior-
ity of the organization. It must be recognized, formalized, and aligned with orga-
nizational objectives. All this up-front work is the responsibility of the executive
sponsor.
Once the IG program team is formed, team members must clearly understand
why the new program is important and how it will help the organization meet its busi-
ness objectives. This message must be regularly reinforced by the executive sponsor;
he or she must not only paint the vision of the future state of the organization but
articulate the steps in the path to get there.
When the formal program effort commences, the executive sponsor must remain
visible and accessible. He or she cannot disappear into everyday duties and expect the
program team to carry the effort through. The executive sponsor must be there to help
the team confront and overcome business obstacles as they arise and must praise the
successes along the way. This requires active involvement and a willingness to spend
the time to keep the program on track and focused.
The executive sponsor must be the lighthouse that shows the way even through
cloudy skies and rough waters. This person is the captain who must steer the ship, even
if the fi rst mate (PM) is seasick and the deckhands (program team) are drenched and
tired.
After the program is implemented, the executive sponsor is responsible for main-
taining its effectiveness and relevance. This is done through periodic compliance au-
dits, testing and sampling, and scheduled meetings with the ongoing PM.
While the executive sponsor role is high level, the PM’s role and tasks are more
detailed and involve day-to-day management.

56 INFORMATION GOVERNANCE
Building Your IG Team
Who should make up the IG team? Although there are no set requirements or for-
mulas, the complex nature of IG and the fact that it touches upon a number of spe-
cialized disciplines and functional areas dictates that a cross-functional approach be
taken. So you will need representatives from several departments. There are some
absolutes: you must have a representative from your legal staff or outside counsel,
your information technology (IT) department, a senior records offi cer (SRO) or the
equivalent, a risk management specialist or manager, an executive sponsor, and the IG
program manager. In addition, there may be a need for input from managers of hu-
man resources, company communications, and certain business units. Depending on
the scope of the effort, other possible IG team members might include an IT security
expert, the corporate or agency archivist, business analysts, chief knowledge offi cer or
knowledge management (KM) professional, litigation support head, fi nancial analyst,
business process specialist, project management professional, and other professionals
in functions related to these areas.
Assigning IG Team Roles and Responsibilities
The executive sponsor will need to designate an IG PM. Depending on the focus of
the IG effort, that person could come from several areas, including legal, compliance,
risk management, records management, or IT.
In terms of breaking down the roles and responsibilities of the remainder of the
IG team, the easy decision is to have IG team representatives take responsibility for the
functional areas of their expertise. But there will be overlap, and it is best to have some
pairs or small work groups teamed up to gain the broadest amount of input and optimum
results. This will also facilitate cross training. For instance, inside legal counsel may be
responsible for rendering the fi nal legal opinions, but because they are not expert in
records, document management, or risk management, they could benefi t from input
of others in specialized functional areas, which will inform them and help narrow and
focus their legal research. Basic research into which regulations and laws apply to the
The role of the executive sponsor changes during the inception, planning, and
execution of the IG program.
The risk mitigation plan develops risk reduction options and tasks to reduce
specifi ed risks and improve the odds for achieving business objectives.

STRATEGIC PLANNING AND BEST PRACTICES FOR INFORMATION GOVERNANCE 57
organization regarding security, retention, and preservation of e-mail, e-records, and
personally identifi able information (PII) could be conducted by the SRO or records
management head, in consultation with the corporate archivist and CIO, with the results
of their fi ndings and recommendations drafted and sent to the legal counsel. The draft
report may offer up several alternative approaches that need legal input and decisions.
Then the legal team lead can conduct its own, focused research and make fi nal recom-
mendations regarding the organization’s legal strategy, business objectives, fi nancial po-
sition, and applicable laws and regulations.
The result of the research, consultation, and collaboration of the IG team should
result in a fi nal draft of the IG strategic plan. It will still need more input and devel-
opment to align the plan with business objectives, an analysis of internal and external
drivers, applicable best practices, competitive analysis, applicable IT trends, an analysis
and inclusion of the organization’s culture, and other factors.
Align Your IG Plan with Organizational Strategic Plans
The IG plan must support the achievement of the organization’s business objectives and there-s
fore must be melded into the organization’s overall strategic plan. Integration with the
strategic plan means that the business objectives in the IG plan are consistent with, and
in support of, the enterprise strategic plan.
So, for example, if the corporate strategy includes plans for acquiring smaller com-
petitors and folding them into the organization’s structure as operating divisions, then
the IG plan must assist and contribute to this effort. Plans for standardizing operating
policies and procedures must include a consistent, systematized approach to the com-
ponents of IG, including stakeholder consultation, user training and communications,
and compliance audits. The IG plan should bring a standard approach across the spec-
trum of information use and management within the organization and it must be forged
to accommodate the new technology acquisitions. This means that e-mail policies,
e-discovery policies, mobile device policies, social media policies, cloud collaboration and
storage use, and even nitty-gritty details like report formats, data structures, document
taxonomies, and metadata must be consistent and aligned with the overall strategic plan. In
other words, the goal is to get all employees on the same page and working to support the
business objectives of the strategic plan in everyday small steps within the IG plan.
The IG team must include a cross-functional group of stakeholders from various
departments, including legal, records management, IT, and risk management.
The IG strategic plan must be aligned and synchronized with the organiza-
tion’s overall strategic plans, goals, and business objectives.

58 INFORMATION GOVERNANCE
The organization will also have an IT plan that must be aligned with the strategic
plan to support overall business objectives. The IT strategy may be to convert new
acquisitions to the internal fi nancial and accounting systems of the organization and
to train new employees to use the existing software applications under the umbrella of
the IG plan. Again, the IG plan needs to be integrated with the IT strategy and must
consider the organization’s approach to IT.
The result of the process of aligning the IG effort with the IT strategy and the
organization’s overall strategic plan will mean, ideally, that employee efforts are more
effi cient and productive since they are consistently moving toward the achievement of the
organization’s overall strategic goals. The organization will be healthier and will have less
dissent and confusion with clear IG policies that leverage the IT strategy and help
employees pursue overall business objectives.
Further considerations must be folded into the IG plan. As every corporate cul-
ture is different and has a real impact on decision-making and operational approaches,
corporate culture must be included in the plan. Corporate culture includes the organi-
zation’s appetite for risk, its use of IT (e.g., forward-thinking fi rst adopter), its capital
investment strategies, and other management actions.
So, if the organization is conservative and risk averse, it may want to hold off
on implementing some emerging e-discovery technologies that can cut costs but
also induce greater risk. Or if it is an aggressive, progressive, risk-taking organi-
zation, it may opt to test and adopt newer e-discovery technologies under the IT
strategy and umbrella of IG policies. An example may be the use of predictive
coding technology in early case assessment (ECA). Predictive coding uses text
auto-classifi cation technology and neural technology with the assistance of human
input to “learn” which e-documents might be relevant in a particular legal matter
and which may not be. Through a series of steps of testing and checking subsets
of the documents, humans can provide input to improve the document sorting
and selection process. The software uses machine learning (artifi cial intelligence
whereby the software can change and improve on a particular task, as its decision
engine is shaped and “trained” by input ) to improve its ability to cull through and
sort documents.
Predictive coding can reduce e-discovery costs, yet there are risks that the ap-
proach can be challenged in court and could, in fact, affect the case adversely. Thus,
a decision on a technology like predictive coding can involve and include elements of
the IG plan, IT strategy, and overall organizational strategic plan.
And there are resource issues to consider: How much management time, or band-
width, is available to pursue the IG plan development and execution? Is there a budget
item to allow for software acquisitions and training and communications to support
the execution of the IG plan? Obviously, without the allocated management time and
budget money, the IG plan cannot be executed.
Survey and Evaluate External Factors
The IG plan is now harmonized and aligned with your organization’s strategic plan
and IT strategy, but you are not fi nished yet, because the plan cannot survive in a
vacuum: Organizations must analyze and consider the external business, legal, and
technological environment and fold their analysis into their plans.

STRATEGIC PLANNING AND BEST PRACTICES FOR INFORMATION GOVERNANCE 59
Analyze IT Trends
IG requires IT to support and monitor implementation of polices, so it matters what is s
developing and trending in the IT space. What new technologies are coming online?
Why are they being developed and becoming popular? How do these changes in the
business environment that created opportunities for new technologies to be developed
affect your organization and its ability execute its IG plan? How can new technologies
assist? Which ones are immature and too risky? These are some of the questions that
must be addressed in regard to the changing IT landscape.
Some changes in information and communications technology (ICT) are rathery
obvious, such as the trends toward mobile computing, tablet and smartphone devices,
cloud storage, and social media use. Each one of these major trends that may affect or
assist in implementing IG needs to be considered within the framework of the organiza-
tion’s strategic plan and IT strategy. If the corporate culture is progressive and supportive
of remote work and telecommuting, and if the organizational strategy aims to lower fi xed
costs by reducing the amount of offi ce space for employees and moving to a more mobile
workforce, then trends in tablet and smartphone computing that are relevant to your or-
ganization must be analyzed and considered. Is the organization going to provide mobile
devices or support a bring-your-own-device (BYOD) environment? Which equipment
will you support? Will you support iOS, Android, or both? What is your policy going to
be on phone jacking? What is the IG policy regarding confi dential documents on mobile
devices? Will you use encryption? If so, which software? Is your enterprise moving to the
cloud computing model? Utilizing social media? What about Big Data and analytics ?
Are you going to consider deploying auto-classifi cation and predictive coding technolo-
gies? What are the trends that might affect your organization?
Many, many questions must be addressed, but the evaluation must be narrowed
down to those technology trends that specifi cally might impact the execution of your
IG plan and rollout of new technology.
On a more granular level, you must evaluate even supported fi le and document
formats. It gets that detailed, when you are crafting IG policy. For instance, PDF/A is
the standard format for archiving electronic documents. So your plans must include
long-term digital preservation (LTDP) standards and best practices.
Survey Business Conditions and the Economic Environment
If the economy is on a down cycle, and particularly if your business sector has been nega-
tively affected, resources may be scarcer than in better times. Hence, it may be more dif-
fi cult to get budget approval for necessary program expenses, such as new technologies,
staff, training materials, communications, and so forth. This means your IG plan may
need to be scaled back or its scope reduced. Implementing the plan in a key division rath-
er than attempting an enterprise rollout may be the best tactic in tough economic times.
The IG strategic plan must be informed with an assessment of relevant tech-
nology trends.

60 INFORMATION GOVERNANCE
But if things are booming and the business is growing fast, budget money for in-
vestments in the IG program may be easier to secure, and the goals may be expanded.
IG should be an ongoing program, but it takes time to implement, and it takes
resources to execute, audit, and continue to refi ne. So an executive looking for a quick
and calculable payback on the investment may want to focus on narrower areas. For
instance, the initial focus may be entirely on the legal hold and e-discovery process,
with business objectives that include reducing pretrial costs and attorney fees by a cer-
tain percentage or amount. It is much easier to see concrete results when focusing on
e-discovery, since legal costs are real, and always will be there. The business case may
be more diffi cult to make if the IG effort is broader and improves the ability to or-
ganize and search for information faster and to execute more complete searches to
improve the basis for management decision making. Improved management decision
making will improve the organization’s competitiveness long-term, but it may be dif-
fi cult to cite specifi c examples where costs were saved or revenues were increased as a
result of the “better decisions” that should come about through better IG.
Analyze Relevant Legal, Regulatory, and Political Factors
In consultation with your legal team or lead, the laws and regulations that affect your
industry should be identifi ed. Narrowing the scope of your analysis, those that specifi –
cally could impact your governance of information should be considered and analyzed.
What absolute requirements do they impose? Where there is room for interpretation,
where, legally, does your organization want to position itself? How much legal risk is
acceptable? These are the types of questions you will have to look to your legal and
risk management professionals to make. Again, legal requirements trump all others.
Your decision process must include considerations for the future and anticipated fu-
ture changes. Changes in the legal and regulatory environment happen based on the po-
litical leaders who are in place and any pending legislation. So you must go further and
analyze the current political environment and make some judgments based on the best
information you can gather, the organization’s culture and appetite for risk, management
style, available resources, and other factors. Generally, a more conservative environment
means less regulation, and this analysis must also be folded into your IG strategic plan.
Trends and conditions in the internal and external business environment must
be included in the IG strategic plan.
Laws and regulations relevant to your organization’s management and distri-
bution of information in all jurisdictions must be considered and included in
the IG strategic plan. Legal requirements trump all others.

STRATEGIC PLANNING AND BEST PRACTICES FOR INFORMATION GOVERNANCE 61
Survey and Determine Industry Best Practices
IG is a developing hybrid discipline. In a sense, it is a superset of records management
and a subset of governance, risk management, and compliance (GRC), that emerged
to help manage the explosion in the amount of records, documents, and data that must
be managed in today’s increasingly high-volume and velocity business environment and
highly regulated compliance and litigation environment. As such, best practices are still
being formed and added to. This process of testing, proving, and sharing best practices
will continue for some time as the practices are expanded, revised, and refi ned.
The most relevant study of IG best practices is one that is conducted for your
organization and surveys your industry and what some of your more progressive com-
petitors are doing in regard to IG. Often the best way to accomplish such a study is by
engaging a third-party consultant, who can more easily contact, study, and interview
your competitors in regard to their practices. Business peer groups and trade associa-
tions also can provide some consensus as to emerging best practices.
Twenty-fi ve IG best practices covering a number of areas in which IG has an im-
pact or should be a major consideration are listed next.
1. IG is a key underpinning for a successful RM program. Practicing good IG is the
essential foundation for building a legally defensible RM program; it pro-
vides the basis for consistent, reliable methods for managing documents and
records. Having trusted and reliable records, reports, and databases allows
managers to make key decisions with confi dence.4 And accessing that infor-
mation and business intelligence in a timely fashion can yield a long-term
sustainable competitive advantage, creating more agile enterprises.
To implement a successful IG program, enterprises must standardize and
systematize their handling of information, in particular their formal busi-
ness records. They must analyze and optimize how information is accessed,
controlled, managed, shared, stored, preserved, and audited. They must have
complete, current, and relevant policies, processes, and technologies to man-
age and control information, including who is able to access what information ,t
and when , to meet external legal and regulatory demands and internal gover-
nance requirements. This, in short, is IG.
2. IG is not a project but rather an ongoing program that provides an umbrella of rules
and policies, monitored and enforced with the support of IT to manage and
control information output and communications. Since technologies change
so quickly, it is necessary to have overarching technology-agnostic policies that
can manage the various IT platforms that an organization may use.
Compare the IG program to a workplace safety program; every time a new
location, team member, piece of equipment, or toxic substance is acquired
by the organization, the workplace safety program should dictate how that is
Include a best practices review in your IG strategic plan. The most relevant best
practices in IG are those in your industry proven by peers and competitors.

62 INFORMATION GOVERNANCE
handled. If it does not, the workplace safety policies/procedures/training that
are part of the workplace safety program need to be updated. Regular reviews
are conducted to ensure the program is being followed, and adjustments are
made based on the fi ndings. The effort never ends.5
3. Using an IG framework or maturity model is helpful in assessing and guiding IG
programs. Various models are offered, such as The Principles from ARMA
International; the Information Governance Reference Model, which grew
out of the Electronic Discovery Reference Model (found at EDRM.net); 6 or
MIKE2.0, which was developed by the consulting fi rm Bearing Point and
released to the public domain. Another tool that is particularly used in the
Australian market for records management projects is Designing and Imple-
menting Recordkeeping Systems (DIRKS).
4. Defensible deletion of data debris and information that no longer has value is critical
in the era of Big Data. You must have IG polices in place and be able to prove
that you follow them consistently and systematically in order to justify, to the
courts and regulators, deletion of information. With a smaller information
footprint, organizations can more easily fi nd what they need and derive busi-
ness value from it. 7 Data debris must be eliminated regularly and consistently,
and to do this, processes and systems must be in place to cull out valuable
information and discard the data debris. An IG program sets the framework
to accomplish this.
5. IG policies must be developed before enabling technologies are deployed to assist in
enforcement. After the policy-making effort, seek out the proper technology
tools to assist in monitoring, auditing, and enforcement.
6. To provide comprehensive e-document security throughout a document’s life cycle,
documents must be secured upon creation using highly sophisticated technologies, such
as information rights management (IRM) technology. IRM acts as a sort of “secu-
rity wrapper” that denies access without proper credentials. Document access
and use by individuals having proper and current credentials is also tightly
monitored IRM software controls the access, copying, editing, forwarding,
and printing of documents using a policy engine that manages the rights to
view and work on an e-document. Access rights are set by levels or “roles” that
employees are responsible for within an organization.
7. A records retention schedule and legal hold notifi cation (LHN) process are the two
primary elements of a fundamental IG program. These are the basics. Implemen-
tation will require records inventorying, taxonomy development, metadata
normalization and standardization, and a survey of LHN best practices.
8. A cross-functional team is required to implement IG. Since IG contains and
requires elements of a number of established disciplines, representatives
from the key areas must be included in the planning and implantation effort.
At a minimum, you will need team leaders from legal, IT, records manage-
ment, compliance and risk management, human resources, and executive
management. Members from corporate communications, knowledge man-
agement, systems security, fi nance and accounting, and other functional areas
also may be needed. Depending on the circumstances, you may need repre-
sentatives from major business units within the organization.
9. The fi rst step in information risk planning is to consider the applicable laws and
regulations that apply to your organization in the jurisdictions in which it conducts

STRATEGIC PLANNING AND BEST PRACTICES FOR INFORMATION GOVERNANCE 63
business . Federal, provincial, state, and even municipal laws and regulationss
may apply to the retention of data, documents, and records. Organizations
operating in multiple jurisdictions must be compliant with laws and regula-
tions that may cross national, state, or provincial boundaries. Legally required
privacy requirements and retention periods must be researched for each ju-
risdiction (state, country) in which the business operates, so that all applicable
laws are complied with.
10. Developing a risk profi le is a basic building block in enterprise risk management,
which assists executives in understanding the risks associated with stated business
objectives and in allocating resources within a structured evaluation approach or
framework . There are multiple ways to create a risk profi le, and the frequency
with which it is created, the external sources consulted, and stakeholders who
have input will vary from organization to organization. 8 A key tenet to bear
in mind is that simpler is better and that sophisticated tools and techniques
should not make the process overly complex.
11. An information risk mitigation plan is a critical part of the IG planning process. An
information risk mitigation plan helps in developing risk mitigation options
and tasks to reduce the specifi ed risks and improve the odds of achieving busi-
ness objectives. 9
12. Proper metrics are required to measure the conformance and performance of your IG
program. You must have an objective way to measure how you are doing, which
means numbers and metrics. Assigning some quantitative measures that are
meaningful before rolling out the IG program is essential.
13. IG programs must be audited for effectiveness. Periodic audits will tell you how
your organization is doing and where to fi ne-tune your efforts. To keep an IG
program healthy, relevant, and effective, changes and fi ne-tuning will always
be required.
14. An enterprise wide retention schedule is preferable because it eliminates the possibility
that different business units will have confl icting records retention periods. For exam-
ple, if one business unit discards a group of records after 5 years, it would not
make sense for another business unit to keep the same records for 10 years.
Where enterprise-wide retention schedules are not possible, smaller business
units, such as divisions or regions, should operate under a consistent retention
schedule.
15. Senior management must set the tone and lead sponsorship for vital records program
governance and compliance. Although e-records are easier to protect and back-
up, most vital records today are e-records. These are an organization’s most
essential records. Without them, an organization cannot continue operations.
16. Business processes must be redesigned to improve and optimize the management and
security of information and especially the most critical of information, electronic re-
cords, before implementing enabling technologies. For instance, using electronic
records management (ERM) software fundamentally changes the way people
work, and greater effi ciencies can be gained with business process redesign
(versus simply using ERM systems as electronic fi ling cabinets to speed up
poor processes).
17. E-mail messages, both inbound and outbound, should be archived automatically and
(preferably) in real time. This ensures that spoliation (i.e., the loss of proven
authenticity of an e-mail) does not occur. Archiving preserves legal validity

64 INFORMATION GOVERNANCE
and forensic compliance. By policy, most messages will be deleted in a short
timeframe. Additionally, e-mail should be indexed to facilitate the searching
process, and all messages should be secured in a single location (with backups).
With these measures, the authenticity and reliability of e-mail records can be
ensured.
18. Personal archiving of e-mail messages should be disallowed. Although users will
want to save certain e-mail messages for their own reasons, control and man-
agement of e-mail archiving must be at the organization level or as high of a
level as is practical, such as division or region.
19. Destructive retention of e-mail helps to reduce storage costs and legal risk while im-
proving “fi ndability” of critical records. It makes good business sense to have a
policy to, say, destroy all e-mail messages after 90 or 120 days that are not
fl agged as potential records (which, e.g., help document a transaction or a situ-
ation that may come into dispute in the future) or those that have a legal hold.
20. Take a practical approach and limit cloud use to documents that do not have long
retention periods and carry a low litigation risk. Doing this will reduce the risk
of compromising or losing critical documents and e-records. Some duplicate
copies of vital records may be stored securely in the cloud to help the organi-
zation recover in the event of a disaster.
21. Manage social media content by IG policies and monitor it with controls that ensure
protection of critical information assets and preservation of business records. Your
organization must state clearly what content and tone is acceptable in social
media use, and it must retain records of that use, which should be captured in
real time.
22. International and national standards provide effective guidance for implementing IG.
Although there are no absolutes, researching and referencing International
Organization for Standardization (ISO) and other standards must be a part of
any IG effort.
23. Creating standardized metadata terms should be part of an IG effort that enables
faster, more complete, and more accurate searches and retrieval of records. This
is important not only in everyday business operations but also when delv-
ing through potentially millions of records during the discovery phase of
litigation. Good metadata management also assists in the maintenance of
corporate memory and in improving accountability in business operations. 10
Using a standardized format and controlled vocabulary provides a “precise
and comprehensible description of content, location, and value.”11 Using a
controlled vocabulary means your organization has standardized a set of terms
used for metadata elements that describe records. This ensures consistency
across a collection and helps with optimizing search and retrieval functions
and records research as well as with meeting e-discovery requests, compliance
demands, and other legal and regulatory requirements.
24. Some digital information assets must be preserved permanently as part of an orga-
nization’s documentary heritage.12 It is critical to identify records that must be
kept long term as early in the process as possible; ideally, these records should
be identifi ed prior to or upon creation. LTDP applies to content that is born
digital as well as content that is converted to digital form. Digital preservation
is defi ned as long-term, error-free storage of digital information, with means
for retrieval and interpretation, for the entire time span that the information

STRATEGIC PLANNING AND BEST PRACTICES FOR INFORMATION GOVERNANCE 65
is required to be retained. Dedicated repositories for historical and cultural
memory, such as libraries, archives, and museums, need to move forward
to put in place trustworthy digital repositories that can match the secu-
rity, environmental controls, and wealth of descriptive metadata that these
institutions have created for analog assets (such as books and paper records).
Digital challenges associated with records management affect all sectors of
society—academic, government, private, and not-for-profi t enterprises—and
ultimately citizens of all developed nations.
25. Executive sponsorship is crucial. Securing an executive sponsor at the senior
management level is key to successful IG programs. It is not possible to
require managers to take time out of their other duties to participate in a
project if there is no executive edict. It is a best practice across industry sec-
tors and technology sets and supports the Accountability principle of The
Principles.13
Formulating the IG Strategic Plan
Now comes the time to make sense of all the data and input your IG team has
gathered and hammer it into a workable IG strategic plan. Doing this will involve
some give-and-take among IG team members, each having their own perspective
and priorities. Everyone will be lobbying for the view of their functional groups. It
is the job of the executive sponsor to set the tone and to emphasize organizational
business objectives so that the effort does not drag out or turn into a competition but
is a well-informed consensus development process that results in a clear, workable
IG strategic plan.
Synthesize Gathered Information and Fuse It into IG Strategy
Your IG team will have gathered a great deal of information, which needs to be ana-
lyzed and distilled into actionable strategies. This process will depend on the expertise
and input of the specialized knowledge your team brings to the table within your
organizational culture. Team members must be able to make decisions and establish
priorities that refl ect organizational business objectives and consider a number of in-
fl uencing factors.
Do not prolong the strategy development process. The longer it lasts, the more key factors
infl uencing it can change. You want to develop a strategic plan that is durable enough to
withstand changes in technology, legislation, and other key infl uencing factors, but it
should be relevant to that snapshot of information that was collected early on. When
all the parts and pieces start changing and require reconsideration, a dated IG plan
does not serve the organization well.
Develop IG strategies for each of the critical areas, including the legal hold pro-
cess, e-discovery action plans, e-mail policy, mobile computing policy, IT acquisition
strategy, confi dential document handling, vital records and disaster planning, social
media policy, and other areas that are important to your organization. To maintain
focus, do this fi rst without regard to the prioritization of these areas.

66 INFORMATION GOVERNANCE
Then you must go through the hard process of prioritizing your strategies and aligning them
to your organizational goal and objectives . This may not be diffi cult in the beginning—fors
instance, your IG strategies for legal holds and e-discovery readiness are likely going
to take higher priority than your social media policy, and protecting vital records is
paramount to any organization. As the process progresses, it will become more chal-
lenging to make trade-offs and establish priorities. Then you must tie these strategies
to overall organizational goals and business objectives.
A good technique to keep goals and objectives in mind may be to post them prom-
inently in the meeting room where these strategy sessions take place. This will help to
keep the IG team focused.
Develop Actionable Plans to Support Organizational
Goals and Objectives
Plans and policies to support your IG efforts must be developed that identify specifi c
tasks and steps and defi ne roles and responsibilities for those who will be held ac-
countable for their implementation. This is where the rubber meets the road. But you
cannot simply create the plan and marching orders: You must build in periodic checks
and audits to test that new IG policies are being followed and that they have hit their
mark. Invariably, there will be adjustments made continually to craft the policies for
maximum effectiveness and continued relevance in the face of changes in external
factors, such as legislation and business competition, and internal changes in manage-
ment style and structure.
Create New IG Driving Programs to Support Business
Goals and Objectives
You have to get things moving and get employees motivated, and launching new sub-
programs within the overall IG program is a good way to start. For instance, a new
“e-discovery readiness” initiative can show almost immediate results if implemented
properly, with the support of key legal and records management team members,
driven by the executive sponsor. You may want to revamp the legal hold process
to make it more complete and verifi able, assigning specifi c employees accountabil-
ity for specifi c tasks. Part of that effort may be evaluating and implementing new
technology-assisted review (TAR) processes and predictive coding technology. So
you will need to bring in the IG team members responsible for IT and perhaps busi-
ness analysis. Working cooperatively on smaller parts of the overall IG program is a
way to show real results within defi ned time frames. Piecing together a series of pro-
gram components is the best way to get started, and it breaks the overall IG program
Fuse the fi ndings of all your analyses of external and internal factors into your
IG strategic plan. Develop strategies and then prioritize them.

STRATEGIC PLANNING AND BEST PRACTICES FOR INFORMATION GOVERNANCE 67
down into digestible, doable chunks. A small win early on is crucial to maintain mo-
mentum and executive sponsorship. And e-discovery has real costs: yet progress can
be measured objectively in terms of reducing the cost of activities such as early case
assessment (ECA). Benefi ts can be measured in terms of reduced attorney review
hours, reduced costs, and reduced time to accomplish pretrial tasks.
To be clear, you will need to negotiate and agree on the success metrics the pro-
gram will be measured on in advance.
There are other examples of supporting IG subprograms, such as e-mail manage-
ment and archiving, where storage costs, search times, and information breaches can
be measured in objective terms. Or you may choose to roll out new policies for the use
of mobile devices within your organization, where adherence to policy can be mea-
sured by scanning mobile devices and monitoring their use.
Draft the IG Strategic Plan and Gain Input from a Broader
Group of Stakeholders
Once you have the pieces of the plan drafted and the IG team is in agreement that it
has been harmonized and aligned with overall organizational goals and objectives, you
must test the waters to see if you have hit the mark. It is a good practice to expose a
broader group of stakeholders to the plan to gain their input. Perhaps your IG team
has become myopic or has passed over some points that are important to the broader
stakeholder audience. Solicit and discuss their input, and to the degree that there is a
consensus, refi ne the IG strategic plan one last time before fi nalizing it. But remember,
it is a living document, a work in progress, which will require revisiting and updating
to ensure it is in step with changing external and internal factors. Periodic auditing
and review of the plan will reveal areas that need to be adjusted and revised to keep it
relevant and effective.
Get Buy-in and Sign-off and Execute the Plan
Take the fi nalized plan to executive management, preferably including the CEO, and
present the plan and its intended benefi ts to them. Field their questions and address
any concerns to gain their buy-in and the appropriate signatures. You may have to
make some minor adjustments if there are signifi cant objections, but, if you have ex-
ecuted the stakeholder consultation process properly, you should be very close to the
mark. Then begin the process of implementing your IG strategic plan, including regu-
lar status meetings and updates, steady communication and reassurance of your execu-
tive sponsor, and planned audits of activities.
Create supporting subprograms to jump-start your IG program effort. Smaller
programs should be able to measure real results based on metrics that are
agreed on in advance.

68 INFORMATION GOVERNANCE
CHAPTER SUMMARY: KEY POINTS
■ Engaged and vested executive sponsors are necessary for IG program success.
It is not possible to require managers to take time out of their other duties to
participate in a project if there is no executive edict or allocated budget.
■ The executive sponsor must be: (1) directly tied to the success of the pro-
gram, (2) fully engaged in and aware of the program, and (3) actively elimi-
nating barriers and resolving issues.
■ The role of the executive sponsor evolves over the life of the IG program and
IG program effort. Initially, the focus is on garnering the necessary resources,
but as the program commences, the emphasis is more on supporting the
IG program team and clearing obstacles. Once the program is implement-
ed, the responsibilities shift to maintaining the effectiveness of the program
through testing and audits.
■ While the executive sponsor role is high level, the project manager’s role and
tasks involve more detailed and day-to-day management.
■ The risk mitigation plan develops risk reduction options and tasks to reduce
specifi ed risks and improve the odds for achieving business objectives.
■ The IG team must include a cross-functional group of stakeholders from various
departments, including legal, records management, IT, and risk management.
■ The IG strategic plan must be aligned and synchronized with the organiza-
tion’s overall strategic plans, goals, and business objectives.
■ The IG strategic plan must include an assessment of relevant technology trends.
■ Trends and conditions in the internal and external business environment
must be included in the IG strategic plan.
■ Laws and regulations relevant to your organization’s management and distri-
bution of information in all jurisdictions must be considered and included in
the IG strategic plan. Legal requirements trump all others.
■ Include a best practices review in your IG strategic plan. The most relevant best
practices in IG are those in your industry proven by peers and competitors.
(Twenty-fi ve IG best practices are listed in this chapter for the fi rst time in print.)
■ Fuse the fi ndings of all your analysis of external and internal factors into your
IG strategic plan. Develop strategies and then prioritize them.
■ Creating supporting subprograms to jump-start your IG program effort.
Smaller programs should be able to measure real results based on metrics
that are agreed on in advance.
■ Make sure to get executive sign-off on your IG strategic plan before moving
to execute it.

STRATEGIC PLANNING AND BEST PRACTICES FOR INFORMATION GOVERNANCE 69
Notes
1. ARMA International, “How to Cite GARP,” www.arma.org/garp/copyright.cfm (accessed October 9,
2013).
2. Roger Kastner, “Why Projects Succeed—Executive Sponsorship,” February 15, 2011, http://blog
.slalom.com/2011/02/15/why-projects-succeed-%E2%80%93-executive-sponsorship/
3. Ibid.
4. Economist Intelligence Unit, “The Future of Information Governance,” www.emc.com/leadership
/business-view/future-information-governance.htm (accessed October 9, 2013).
5. Monica Crocker, e-mail to author, June 21, 2012.
6. EDRM, “Information Governance Reference Model (IGRM) Guide,” www.edrm.net/resources
/guides/igrm (accessed November 30, 2012).
7. Randolph A. Kahn, https://twitter.com/InfoParkingLot/status/273791612172259329, Nov. 28, 2012.
8. John Fraser and Betty Simkins, eds., Enterprise Risk Management: Today’s Leading Research and Best Prac-
tices for Tomorrow’s Executives (Hoboken, NJ: John Wiley & Sons, 2010), p. 171. s
9. Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide ),
4th ed. (Newtown Square, PA Project Management Institute, 2008), ANSI/PMI 99–001–2008,
pp. 273–312.
10. Kate Cumming, “Metadata Matters,” in Julie McLeod and Catherine Hare, eds., Managing Electronic
Records , p. 34 (London: Facet, 2005).s
11. Minnesota State Archives, Electronic Records Management Guidelines, “Metadata,” March 12, 2012,
www.mnhs.org/preserve/records/electronicrecords/ermetadata.html .
12. Charles Dollar and Lori Ashley, e-mail to author, August 10, 2012.
13. ARMA International, “How to Cite GARP.”

http://www.arma.org/garp/copyright.cfm

http://blog.slalom.com/2011/02/15/why-projects-succeed-%E2%80%93-executive-sponsorship/

http://www.emc.com/leadership/business-view/future-information-governance.htm

http://www.edrm.net/resources/guides/igrm

https://twitter.com/InfoParkingLot/status/273791612172259329

http://www.mnhs.org/preserve/records/electronicrecords/ermetadata.html

http://blog.slalom.com/2011/02/15/why-projects-succeed-%E2%80%93-executive-sponsorship/

http://www.emc.com/leadership/business-view/future-information-governance.htm

http://www.edrm.net/resources/guides/igrm

71
Information
Governance Policy
Development
C H A P T E R 6
To develop an information governance (IG) policy, you must inform and frame the policy with internal and external frameworks, models, best practices, and standards—those that apply to your organization and the scope of its planned IG
program. In this chapter, we fi rst present and discuss major IG frameworks and models
and then identify key standards for consideration.
A Brief Review of Generally Accepted Recordkeeping
Principles®
In Chapter 3 we introduced and discussed ARMA International’s eight Generally
Accepted Recordkeeping Principles ® , known as The Principles 1 (or sometimes GAR
Principles). These Principles and associated metrics provide an IG framework that can
support continuous improvement.
To review, the eight Principles are:
1. Accountability
2. Transparency
3. Integrity
4. Protection
5. Compliance
6. Availability
7. Retention
8. Disposition2
The Principles establish benchmarks for how organizations of all types and sizes
can build and sustain compliant, legally defensible records management (RM)t
programs. Using the maturity model (also presented in Chapter 3 ), organizations can
assess where they are in terms of IG, identify gaps, and take steps to improve across the
eight areas The Principles cover.

72 INFORMATION GOVERNANCE
IG Reference Model
In late 2012, with the support and collaboration of ARMA International and the Com-
pliance, Governance and Oversight Council (CGOC), the Electronic Discovery Ref-
erence Model (EDRM) Project released version 3.0 of its Information Governance
Reference Model (IGRM), which added information privacy and security “as pri-y
mary functions and stakeholders in the effective governance of information.” 3 The
model is depicted in Figure 6.1 .
The IGRM is aimed at fostering IG adoption by facilitating communication and
collaboration between disparate (but overlapping) IG stakeholder functions, includ-
ing information technology (IT), legal, RM, risk management, and business unit
Figure 6.1 Information Governance Reference Model
Source: EDRM.net
Linking duty + value to information asset = efficient, effective management
Duty:
Legal obligation
for specific
information
Value:
Utility or business
purpose of specific
information
Asset:
Specific container
of information
VALUE
Create, Use
DUTY ASSET
Dispose
Hold,
Discover
Store,
Secure
Retain
Archive
UN
IFIED G
OVERNANCE
BUSINESS
Profit
IT
Efficiency
LEGAL
Risk
RIM
Risk
PRIVACY
AND
SECURITY
Risk
PROCESS TRAN
SP
AR
EN
C
Y

POL
ICY INTEGRATION
Information Governance Reference Model / © 2012 / v3.0 / edrm.net

INFORMATION GOVERNANCE POLICY DEVELOPMENT 73
stakeholders. 4 It also aims to provide a common, practical framework for IG that will
foster adoption of IG in the face of new Big Data challenges and increased legal and
regulatory demands. It is a clear snapshot of where IG touches and shows critical in-
terrelationships and unifi ed governance.5 It can help organizations forge policy in an
orchestrated way and embed critical elements of IG policy across functional groups.
Ultimately, implementation of IG helps organizations leverage information value, re-
duce risk, and address legal demands.
The growing CGOC community (2,000+ members and rising) has widely adopted
the IGRM and developed a process maturity model that accompanies and leverages
IGRM v3.0. 6
Interpreting the IGRM Diagram *
Outer Ring
Starting from the outside of the diagram, successful information management is about
conceiving a complex set of interoperable processes and implementing the procedures
and structural elements to put them into practice. It requires:
■ An understanding of the business imperatives of the enterprise,
■ Knowledge of the appropriate tools and infrastructure for managing informa-
tion, and
■ Sensitivity to the legal and regulatory obligations with which the enterprise
must comply.
For any piece of information you hope to manage, the primary stakeholder is the business
user of that information [emphasis added]. We use the term “business” broadly; the same
ideas apply to end users of information in organizations whose ultimate goal might not
be to generate a profi t.
Once the business value is established, you must also understand the legal duty at-
tached to a piece of information. The term “legal” should also be read broadly to refer
to a wide range of legal and regulatory constraints and obligations, from e-discovery
and government regulation to contractual obligations such as payment card industry
requirements.
Finally, IT organizations must manage the information accordingly, ensuring pri-
vacy and security as well as appropriate retention as dictated by both business and legal
or regulatory requirements.
* This section is adapted with permission by EDRM.net, http://www.edrm.net/resources/guides/igrm (accessed
January 24, 2014).
You must inform and frame IG policy with internal and external frameworks,
models, best practices, and standards.

http://www.edrm.net/resources/guides/igrm

74 INFORMATION GOVERNANCE
Center
In the center of the diagram is a work-fl ow or life-cycle diagram. We include this com-
ponent in the diagram to illustrate the fact that information management is important
at all stages of the information life cycle—from its creation through its ultimate disposition.
This part of the diagram, once further developed, along with other secondary-level
diagrams, will outline concrete, actionable steps that organizations can take in imple-
menting information management programs.
Even the most primitive business creates information in the course of daily operations,
and IT departments spring up to manage the logistics; indeed, one of the biggest challeng-
es in modern organizations is trying to stop individuals from excess storing and securing
of information. Legal stakeholders can usually mandate the preservation of what is most
critical, though often at great cost. However, it takes the coordinated effort of all three
groups to defensibly dispose of a piece of information that has outlived its usefulness and
retain what is useful in a way that enables accessibility and usability for the business user. s
How the IGRM Complements the Generally Accepted
Recordkeeping Principles *
The IGRM supports ARMA International’s “Principles” by identifying the cross-
functional groups of key information governance stakeholders and by depicting
their intersecting objectives for the organization. This illustration of the relation-
ship among duty, value, and the information asset demonstrates cooperation among
stakeholder groups to achieve the desired level of maturity of effective information
governance.
Effective IG requires a continuous and comprehensive focus. The IGRM will be
used by proactive organizations as an introspective lens to facilitate visualization and
discussion about how best to apply The Principles. The IGRM puts into sharp focus
The Principles and provides essential context for the maturity model.
* This section is adapted with permission by EDRM.net, http://www.edrm.net/resources/guides/igrm (accessed
January 24, 2014).
The business user is the primary stakeholder of managed information.
Information management is important at all stages of the life cycle.
Legal stakeholders can usually mandate the preservation of what is most criti-
cal, though often at great cost.

http://www.edrm.net/resources/guides/igrm

INFORMATION GOVERNANCE POLICY DEVELOPMENT 75
Best Practices Considerations
IG best practices should also be considered in policy formulation . Best practices in IG are evolv-
ing and expanding, and those that apply to organizational scenarios may vary. A best
practices review should be conducted, customized for each particular organization.
In Chapter 5 , we provided a list of 25 IG best practices, with some detail. The IG
world is maturing, and more best practices will evolve. The 25 best practices, summa-
rized next, are fairly generic and widely applicable.
1. IG is a key underpinning for a successful ERM program.
2. IG is not a project but rather an ongoing program.
3. Using an IG framework or maturity model is helpful in assessing and guiding
IG programs.
4. Defensible deletion of data debris and information that no longer has value is
critical in the era of Big Data.
5. IG policies must be developed before enabling technologies are added to as-
sist in enforcement.
6. To provide comprehensive e-document security throughout a document’s life
cycle, documents must be secured upon creation using highly sophisticated
technologies, such as information rights management (IRM) technology.
7. A records retention schedule and legal hold notifi cation process (LHN) are
the two primary elements of a fundamental IG program.
8. A cross-functional team is required to implement IG.
9. The fi rst step in information risk planning is to consider the applicable laws
and regulations that apply to your organization in the jurisdictions in which it
conducts business.
10. A risk profi le is a basic building block in enterprise risk management, assisting
executives in understanding the risks associated with stated business objec-
tives and in allocating resources within a structured evaluation approach or
framework.
11. An information risk mitigation plan is a critical part of the IG planning
process. An information risk mitigation plan involves developing risk mitiga-
tion options and tasks to reduce the specifi ed risks and improve the odds of
achieving business objectives. 7
12. Proper metrics are required to measure the conformance and performance of
your IG program.
13. IG programs must be audited for effectiveness.
14. An enterprise-wide retention schedule is preferable because it eliminates the
possibility that different business units will have different records retention
periods.
The IGRM was developed by the EDRM Project to foster communication
among stakeholders and adoption of IG. It complements ARMA’s Generally
Accepted Recordkeeping Principles.

76 INFORMATION GOVERNANCE
15. Senior management must set the tone and lead sponsorship for vital records
program governance and compliance.
16. Business processes must be redesigned to improve the management of electron-
ic records or implement an electronic records management (ERM) system. t
17. E-mail messages, both inbound and outbound, should be archived automati-
cally and (preferably) in real time.
18. Personal archiving of e-mail messages should be disallowed.
19. Destructive retention of e-mail helps to reduce storage costs and legal risk
while improving “fi ndability” of critical records.
20. Take a practical approach and limit cloud use to documents that do not have
long retention periods and carry a low litigation risk.
21. Manage social media content by IG policies and monitor it with controls that en-
sure protection of critical information assets and preservation of business records.
22. International and national standards provide effective guidance for imple-
menting IG.
23. Creating standardized metadata terms should be part of an IG effort that
enables faster, more complete, and more accurate searches and retrieval of
records. 8
24. Some digital information assets must be preserved permanently as part of an
organization’s documentary heritage.
25. Executive sponsorship is crucial.
Standards Considerations
Standards must also be considered in policy development. There are two general types
of standards: de jure and de facto. De jure (“the law”) standards are those published by
recognized standards-setting bodies, such as the International Organization for Stan-
dardization (ISO), American National Standards Institute (ANSI), National Institute
of Standards and Technology (NIST—this is how most people refer to it, as they do
not know what the acronym stands for), British Standards Institute (BSI), Standards
Council of Canada, and Standards Australia. Standards promulgated by authorities
such as these have the formal status of standards.
De facto (“the fact”) standards are not formal standards but are regarded by
many as if they were. They may arise though popular use (e.g., Windows at the busi-
ness desktop in the 2001–2010 decade) or may be published by other bodies, such as
the U.S. National Archives and Records Administration (NARA) or Department of
Defense (DoD) for the U.S. military sector. They may also be published by formal
standards-setting bodies without having the formal status of a “standard” (such as
some technical reports published by ISO). 9
Benefi ts and Risks of Standards
Some benefi ts of developing and promoting standards are:
■ Quality assurance support. If a product meets a standard, you can be confi dent of
a certain level of quality.

INFORMATION GOVERNANCE POLICY DEVELOPMENT 77
■ Interoperability support. Some standards are detailed and mature enough to allow
for system interoperability between different vendor platforms.
■ Implementation frameworks and certifi cation checklists. These help to provide
guides for projects and programs to ensure all necessary steps are taken.
■ Cost reduction , due to supporting uniformity of systems. Users have lower main-
tenance requirements and training and support costs when systems are more
uniform.
■ International consensus. Standards can represent “best practice” recommenda-
tions based on global experiences. 10
Some downside considerations are:
■ Possible decreased fl exibility in development or implementation. Standards can, at
times, act as a constraint when they are tied to older technologies or methods,
which can reduce innovation.
■ “Standards confusion” from competing and overlapping standards. For instance, ”
an ISO standard may be theory-based and use different terminology, whereas
regional or national standards are more specifi c, applicable, and understandable
than broad international ones.
■ Real-world shortcomings due to theoretical basis. Standards often are guides based
on theory rather than practice.
■ Changing and updating requires cost and maintenance. There are costs to develop-
ing, maintaining, and publishing standards. 11
Key Standards Relevant to IG Efforts
Below we introduce and discuss some established standards that should be researched
and considered as a foundation for developing IG policy.
Risk Management
ISO 31000:2009 is a broad, industry-agnostic (not specifi c to vertical markets) risk
management standard. It states “principles and generic guidelines” of risk manage-
ment that can be applied to not only IG but also to a wide range of organizational ac-
tivities and processes throughout the life of an organization.12 It provides a structured
framework within which to develop and implement risk management strategies and
programs.
ISO 31000 defi nes a risk management framework as a set of two basic compo-k
nents that “support and sustain risk management throughout an organization.” 13 The
stated components are: foundations, which are high level and include risk management
policy, objectives, and executive edicts; and organizational arrangements, which are
more specifi c and actionable, including strategic plans, roles and responsibilities, al-
located budget, and business processes that are directed toward managing an organiza-
tion’s risk.
Additional risk management standards may be relevant to your organization’s IG
policy development efforts, depending on your focus, scope, corporate culture, and
demands of your IG program executive sponsor.

78 INFORMATION GOVERNANCE
Information Security and Governance
ISO/IEC 27001:2005 is an information security management system (ISMS) stan-
dard that provides guidance in the development of security controls to safeguard
information assets. Like ISO 31000, the standard is applicable to all types of organiza-
tions, irrespective of vertical industry. 14 It “specifi es the requirements for establishing,
implementing, operating, monitoring, reviewing, maintaining and improving a docu-
mented information security management system within the context of the organiza-
tion’s overall business risks.”
ISO/IEC 27001 is fl exible enough to be applied to a variety of activities and pro-
cesses when evaluating and managing information security risks, requirements, and
objectives, and compliance with applicable legal and regulatory requirements. This
includes use of the standards guidance by internal and external auditors as well as internal and
external stakeholders (including customers and potential customers).
ISO/IEC 27002:2005, “Information Technology—Security Techniques—Code
of Practice for Information Security,” 15
establishes guidelines and general principles for initiating, implementing,
maintaining, and improving information security management in an orga-
nization and is identical to the previous published standard, ISO 17799. The
objectives outlined provide general guidance on the commonly accepted goals
of information security management. ISO/IEC 27002:2005 contains best
practices of control objectives and controls in the following areas of informa-
tion security management:
■ security policy;
■ organization of information security;
■ asset management;
■ human resources security;
■ physical and environmental security;
■ communications and operations management;
■ access control;
■ information systems acquisition, development, and maintenance;
■ information security incident management;
■ business continuity management; and
■ compliance.
The control objectives and controls in ISO/IEC 27002:2005 are intended to
be implemented to meet the requirements identifi ed by a risk assessment. ISO/
IEC 27002:2005 is intended as a common basis and practical guideline for de-
veloping organizational security standards and effective security management
practices, and to help build confi dence in inter-organizational activities.
ISO 31000 is a broad risk management standard that applies to all types of
businesses.

INFORMATION GOVERNANCE POLICY DEVELOPMENT 79
ISO/IEC 38500:2008 is an international standard that provides high-level prin-
ciples and guidance for senior executives and directors, and those advising them, for
the effective and effi cient use of IT.16 Based primarily on AS 8015, the Australian IT
governance standard, it “applies to the governance of management processes” that are
performed at the IT service level, but the guidance assists executives in monitoring IT
and ethically discharging their duties with respect to legal and regulatory compliance
of IT activities.
The ISO 38500 standard comprises three main sections:
1. Scope, Application and Objectives
2. Framework for Good Corporate Governance of IT
3. Guidance for Corporate Governance of IT
It is largely derived from AS 8015, the guiding principles of which were:
■ Establish responsibilities
■ Plan to best support the organization
■ Acquire validly
■ Ensure performance when required
■ Ensure conformance with rules
■ Ensure respect for human factors
The standard also has relationships with other major ISO standards, and em-
braces the same methods and approaches. It is certain to have a major impact
upon the IT governance landscape. 17
Records and E-Records Management
ISO 15489–1:2001 is the international standard for RM. It identifi es the elements
of RM and provides a framework and high-level overview of RM core principles. RM
is defi ned as the “fi eld of management responsible for the effi cient and systematic
control of the creation, receipt, maintenance, use and disposition of records, including
the processes for capturing and maintaining evidence of and information about busi-
ness activities and transactions in the form of records.”18
ISO/IEC 27001 and ISO/IEC 27002 are information security management
systems standards that provide guidance in the development of security
controls.
ISO 38500 is an international standard that provides high-level principles and
guidance for senior executives and directors responsible for IT governance.

80 INFORMATION GOVERNANCE
The second part of the standard, ISO 15489–2:2001, contains the technical
specifi cations and a methodology for implementing the standard, originally based
on early standards work in Australia ( Design and Implementation of Recordkeeping
Systems—DIRKS ). Note: Although still actively used in Australian states, the
National Archives of Australia has not recommended use of DIRKS by Australian
national agencies since 2007 and has removed DIRKS from its Web site.)19
The ISO 15489 standard makes little mention of electronic records, as it is written to ad-
dress all kinds of records; nonetheless it was widely viewed as the defi nitive framework
of what RM means.
In 2008, the International Council on Archives (ICA) formed a multination-
al team of experts to develop “Principles and Functional Requirements for Records in
Electronic Offi ce Environments,” commonly referred to as ICA-Req. q 20 The project was
cosponsored by the Australasian Digital Recordkeeping Initiative (ADRI), which was
undertaken by the Council of Australasian Archives and Records Authorities, which “com-
prises the heads of the government archives authorities of the Commonwealth of Australia,
New Zealand, and each of the Australian States and Territories.” 21 The National Archives
of Australia presented a training and guidance manual to assist in implementing the prin-
ciples at the 2012 International Congress on Archives Congress in Brisbane, Australia.
In Module 1 of ICA-Req, principles are presented in a high-level overview; Mod-
ule 2 contains specifi cations for electronic document and records management sys-
tems (EDRMS) that are “globally harmonized”; and Module 3 contains a require-
ments set and “implementation advice for managing records in business systems.”22
Module 3 recognizes that digital recordkeeping does not have to be limited to the
EDRMS paradigm—the insight that has now been picked up by “Modular Require-
ments for Records Systems” (MoReq2010, the European standard released in 2011).23
Parts 1 to 3 of ISO 16175 were fully adopted in 2010–2011 based on the ICA-Req
standard. The standard may be purchased at www.ISO.org, and additional information
on the Australian initiative may be found at www.adri.gov.au.
ISO 16175 is guidance, not a standard that can be tested and certifi ed against. This
is the criticism by advocates of testable, certifi able standards like U.S. DoD 5015.2 and
the European standard, MoReq2010.
In November 2011, ISO issued new standards for ERM, the fi rst two in the ISO
30300 series, which are based on a managerial point of view and targeted at a manage-l
ment-level audience rather than at records managers or technical staff:
■ ISO 30300:2011 , “Information and Documentation—Management Systems
for Records—Fundamentals and Vocabulary”
■ ISO 30301:2011 , “Information and Documentation—Management Systems
for Records—Requirements”
ISO 15489 is the international RM standard.
The ICA-Req standard was adopted as ISO 16175. It does not contain a testing
regime for certifi cation.

http://www.ISO.org

http://www.adri.gov.au

INFORMATION GOVERNANCE POLICY DEVELOPMENT 81
The standards apply to “management systems for records ” (MSR), a term that,
as of this printing, is not typically used to refer to ERM or RM application [RMA]
software in the United States or Europe and is not commonly found in ERM research
or literature.
The ISO 30300 series is a systematic approach to the creation and management
of records that is “ aligned with organizational objectives and strategies. ” [italics added] 24
“ISO 30300 MSR ‘Fundamentals and Vocabulary’ explains the rationale behind
the creation of an MSR and the guiding principles for its successful implementation.
and it provides the terminology that ensures that it is compatible with other manage-
ment systems standards.
ISO 30301 MSR ‘Requirements’ specifi es the requirements necessary to develop
a records policy. It also sets objectives and targets for an organization to implement
systemic improvements. This is achieved through designing records processes and
systems; estimating the appropriate allocation of resources; and establishing bench-
marks to monitor, measure, and evaluate outcomes. These steps help to ensure that
corrective action can be taken and continuous improvements are built into the sys-
tem in order to support an organization in achieving its mandate, mission, strategy,
and goals.”25
Major National and Regional ERM Standards
For great detail on national and regional standards related to ERM, see the book l
Managing Electronic Records: Methods, Best Practices, and Technologies (Wiley 2013) by s
Robert F. Smallwood. Below is a short summary:
United States E-Records Standard
The U.S. Department of Defense 5015.2 Design Criteria Standard for Electronic Records
Management Software Applications , standard was established in 1997 and is endorsed by s
the leading archival authority, the U.S. National Archives and Records Administration
(NARA). There is a testing regime that certifi es software vendors that is adminis-
tered by JITC. JITC “builds test case procedures, writes detailed and summary fi nal
reports on 5015.2-certifi ed products, and performs on-site inspection of software.” 26
The DoD standard was built for the defense sector, and logically “refl ects its govern-
ment and archives roots.”
Since its endorsement by NARA, the standard has been the key requirement for
ERM system vendors to meet, not only in U.S. public sector bids, but also in the com-
mercial sector.
The 5015.2 standard has since been updated and expanded, in 2002 and 2007,
to include requirements for metadata, e-signatures and Privacy and Freedom of
Information Act requirements, and, as previously stated, was scheduled for update
by 2013.
The U.S. DoD 5015.2-STD has been the most infl uential worldwide since it
was fi rst introduced in 1997. It best suits military applications.

82 INFORMATION GOVERNANCE
Canadian Standards and Legal Considerations for Electronic
Records Management *
The National Standards of Canada for electronic records management are: (1)
Electronic Records as Documentary Evidence CAN/CGSB-72.34–2005 (“72.34”),
published in December 2005; and, (2) Microfi lm and Electronic Images as Documen-
tary Evidence CAN/CGSB-72.11–93, fi rst published in 1979 and updated to 2000
(“72.11”).27 72.34 incorporates all that 72.11 deals with and is therefore the more
important of the two. Because of its age, 72.11 should not be relied upon for its
“legal” content. However, 72.11 has remained the industry standard for “imaging”
procedures—converting original paper records to electronic storage. The Canada
Revenue Agency has adopted these standards as applicable to records concerning
taxation.28
72.34 deals with these topics: (1) management authorization and accountability;
(2) documentation of procedures used to manage records; (3) “reliability testing” of
electronic records according to existing legal rules; (4) the procedures manual and
the chief records offi cer; (5) readiness to produce (the “prime directive”); (6) records
recorded and stored in accordance with “the usual and ordinary course of business”
and “system integrity,” being key phrases from the Evidence Acts in Canada; (7) re-
tention and disposal of electronic records; (8) backup and records system recovery;
and, (9) security and protection. From these standards practitioners have derived
many specifi c tests for auditing, establishing, and revising electronic records man-
agement systems. 29
The “prime directive” of these standards states: “An organization shall always be
prepared to produce its records as evidence.”30 The duty to establish the “prime directive”
falls upon senior management:31
5.4.3 Senior management, the organization’s own internal law-making author-
ity, proclaims throughout the organization the integrity of the organization’s records
system (and, therefore, the integrity of its electronic records) by establishing and de-
claring:
a. the system’s role in the usual and ordinary course of business;
b. the circumstances under which its records are made; and
c. its prime directive for all RMS [records management system] purposes, i.e.,
an organization shall always be prepared to produce its records as evidence.
This dominant principle applies to all of the organization’s business records,
including electronic, optical, original paper source records, microfi lm, and
other records of equivalent form and content.
* This section was contributed by Ken Chasse J.D., LL.M., a records management attorney and consultant, and mem-
ber of the Law Society of Upper Canada (Ontario) and of the Law Society of British Columbia, Canada.
The 5015.2 standard has been updated to include specifi cations such as those
for e-signatures and FOI requirements.

INFORMATION GOVERNANCE POLICY DEVELOPMENT 83
Being the “dominant principle” of an organization’s electronic records manage-
ment system, the duty to maintain compliance with the “prime directive” should fall
upon its senior management.
Legal Considerations
Because an electronic record is completely dependent upon its ERM system for every-
thing, compliance with these National Standards and their “prime directive” should
be part of the determination of the “admissibility” (acceptability) of evidence and
of electronic discovery in court proceedings (litigation) and in regulatory tribunal
proceedings. 32
There are 14 legal jurisdictions in Canada: 10 provinces, 3 territories, and the
federal jurisdiction of the Government of Canada. Each has an Evidence Act (the Civil
Code in the province of Quebec 33 ), which applies to legal proceedings within its leg-
islative jurisdiction. For example, criminal law and patents and copyrights are within
federal legislative jurisdiction, and most civil litigation comes within provincial legisla-
tive jurisdiction. 34
The admissibility of records as evidence is determined under the “business record” provi-
sions of the Evidence Acts.35 They require proof that a record was made “in the usual and
ordinary course of business,” and of “the circumstances of the making of the record.”
In addition, to obtain admissibility for electronic records, most of the Evidence Acts
contain electronic record provisions, which state that an electronic record is admis-
sible as evidence on proof of the “integrity of the electronic record system in which the
data was recorded or stored.” 36 This is the “system integrity” test for the admissibility
of electronic records. The word “integrity” has yet to be defi ned by the courts. 37
However, by way of sections such as the following, the electronic record provi-
sions of the Evidence Acts make reference to the use of standards such as the National
Standards of Canada:
For the purpose of determining under any rule of law whether an electronic
record is admissible, evidence may be presented in respect of any standard,
procedure, usage or practice on how electronic records are to be recorded or
stored, having regard to the type of business or endeavor that used, recorded,
or stored the electronic record and the nature and purpose of the electronic
record. 38
U.K. and European Standards
In the United Kingdom, The National Archives (TNA) (formerly the Public Record
Offi ce, or PRO) “has published two sets of functional requirements to promote the
development of the electronic records management software market (1999 and 2002).”
It ran a program to evaluate products against the 2002 requirements.39 Initially these
requirements were established in collaboration with the central government, and they
later were utilized by the public sector in general, and also in other nations. The Na-
tional Archives 2002 requirements remain somewhat relevant, although no additional
development has been underway for years. It is clear that the second version of Model
Requirements for Management of Electronic Records, MoReq2, largely supplanted
the UK standard, and subsequently the newer MoReq2010 may further supplant the
UK standard.

84 INFORMATION GOVERNANCE
MoReq2010 “unbundles” some of the core requirements in MoReq2, and sets out
functional requirements in modules. The approach seeks to permit the later creation
of e-records software standards in various vertical industries such as defense, health
care, fi nancial services, and legal services.
MoReq2010 is available free—all 525 pages of it (by comparison, the U.S. DoD
5015.2 standard is less than 120 pages long). For more information on MoReq2010,
visit www.moreq2010.eu. The entire specifi cation may be downloaded at: http://
moreq2010.eu/pdf/moreq2010_vol1_v1_1_en .
MoReq2010
In November 2010, the DLM Forum, a European Commission–supported body, announced the
availability of the fi nal draft of the MoReq2010 specifi cation for electronic records manage-
ment systems (ERMS), following extensive public consultation. The fi nal specifi cation
was published in mid-2011. 40
The DLM Forum explains that “With the growing demand for [electronic] re-
cords management, across a broad spectrum of commercial, not-for-profi t, and gov-
ernment organizations, MoReq2010 provides the fi rst practical specifi cation against
which all organizations can take control of their corporate information. IT software
and services vendors are also able to have their products tested and certifi ed that they
meet the MoReq2010 specifi cation.” 41
MoReq2010 supersedes its predecessor MoReq2 and has the continued support and backing
of the European Commission.
Australian ERM and Records Management Standards
Australia has adopted all three parts of ISO 16175 as its e-records management
standard. 42 (For more detail on this standard go to ISO.org.)
Australia has long led the introduction of highly automated electronic document
management systems and records management standards. Following the approval and
release of the AS 4390 standard in 1996, the international records management com-
munity began work on the development of an International standard. This work used
AS 4390–1996 Records Management as its starting point.
Development of Australian Records Standards
In 2002 Standards Australia published a new Australian Standard on records manage-
ment, AS ISO 15489, based on the ISO 15489 international records management stan-
dard. It differs only in its preface verbiage. 43 AS ISO 15489 carries through all these
main components of AS 4390, but internationalizes the concepts and brings them up
to date. The standards thereby codify Australian best practice but are also progressive
in their recommendations.
Additional Relevant Australian Standards
The Australian Government Recordkeeping Metadata Standard Version 2.0 pro-
vides guidance on metadata elements and subelements for records management. It is a
baseline tool that “describes information about records and the context in which they
are captured and used in Australian Government agencies.” This standard is intended
to help Australian agencies “meet business, accountability and archival requirements

http://www.moreq2010.eu

http://moreq2010.eu/pdf/moreq2010_vol1_v1_1_en

INFORMATION GOVERNANCE POLICY DEVELOPMENT 85
in a systematic and consistent way by maintaining reliable, meaningful and accessible
records.” The standard is written in two parts, the fi rst describing its purpose and
features and the second outlining the specifi c metadata elements and subelements.44
The Australian Government Locator Service , AGLS, is published as AS 5044–
2010, the metadata standard to help fi nd and exchange information online. It updates
the 2002 version, and includes changes made by the Dublin Core Metadata Initiative
(DCMI).
Another standard, AS 5090:2003, “Work Process Analysis for Recordkeep-
ing ,” complements AS ISO 15489 and provides guidance on understanding business g
processes and workfl ow so that recordkeeping requirements may be determined. 45
Long-Term Digital Preservation
Although many organizations shuffl e dealing with digital preservation issues to the
back burner, long-term digital preservation (LTDP) is a key area in which IG policy
should be applied. LTDP methods, best practices, and standards should be applied to
preserve an organization’s historical and vital records ( those without which it cannot
operate or restart operations) and to maintain its corporate or organizational memory.
The key standards that apply to LTDP are listed next.
The offi cial standard format for preserving electronic documents is PDF/A-1, based on
PDF 1.4 originally developed by Adobe. ISO 19005–1:2005, “Document Manage-
ment—Electronic Document File Format for Long-Term Preservation—Part 1: Use
of PDF 1.4 (PDF/A-1),” is the published specifi cation for using PDF 1.4 for LTDP,
which is applicable to e-documents that may contain not only text characters but also
graphics (either raster or vector). 46
ISO 14721:2012 , “Space Data and Information Transfer Systems—Open Archival
Information Systems—Reference Model (OAIS),” is applicable to LTDP. 47 ISO 14271
“specifi es a reference model for an open archival information system (OAIS). The pur-
pose of ISO 14721 is to establish a system for archiving information, both digitalized
and physical, with an organizational scheme composed of people who accept the re-
sponsibility to preserve information and make it available to a designated commu-
nity.” 48 The fragility of digital storage media combined with ongoing and sometimes
rapid changes in computer software and hardware poses a fundamental challenge to
ensuring access to trustworthy and reliable digital content over time. Eventually, ev-
ery digital repository committed to long-term preservation of digital content must
have a strategy to mitigate computer technology obsolescence. Toward this end, the
The ISO 30300 series of e-records standards are written for a managerial audi-
ence and encourage ERM that is aligned to organizational objectives.
LTDP is a key area to which IG policy should be applied.

86 INFORMATION GOVERNANCE
Consultative Committee for Space Data Systems developed the OAIS reference model
to support formal standards for the long-term preservation of space science data and
information assets. OAIS was not designed as an implementation model.
OAIS is the lingua franca of digital preservation, as the international digital pres-
ervation community has embraced it as the framework for viable and technologically
sustainable digital preservation repositories. An LTDP strategy that is OAIS compliant
offers the best means available today for preserving the digital heritage of all organizations,
private and public. (See Chapter 17 .)
ISO TR 18492 (2005) , “ Long-Term Preservation of Electronic Document Based
Information,” provides practical methodological guidance for the long-term preser-
vation and retrieval of authentic electronic document-based information, when the
retention period exceeds the expected life of the technology (hardware and software)
used to create and maintain the information assets. ISO 18492 takes note of the role of
ISO 15489 but does not cover processes for the capture, classifi cation, and disposition
of authentic electronic document-based information.
ISO 16363:2012 , “ Space Data and Information Transfer Systems—Audit and
Certifi cation of Trustworthy Digital Repositories,” “defi nes a recommended prac-
tice for assessing the trustworthiness of digital repositories. It is applicable to the
entire range of digital repositories.”49 It is an audit and certifi cation standard orga-
nized into three broad categories: Organization Infrastructure, Digital Object Man-
agement, and Technical Infrastructure and Security Risk Management. ISO 16363
represents the gold standard of audit and certifi cation for trustworthy digital repositories.
(See Chapter 17 .)
Business Continuity Management
ISO 22301:2012, “Societal Security—Business Continuity Management Systems—
Requirements,” spells out the requirements for creating and implementing a stan-
dardized approach to business continuity management (BCM, also known as di-
saster recovery [DR]), in the event an organization is hit with a disaster or major
business interruption. 50 The guidelines can be applied to any organization regard-
less of vertical industry or size. The specifi cation includes the “requirements to
plan, establish, implement, operate, monitor, review, maintain and continually im-
prove a documented management system to protect against, reduce the likelihood
An LTDP strategy that is OAIS compliant (based on ISO 14721) offers the best
means available today for preserving the digital heritage of all organizations.
ISO 16363 represents the gold standard of audit and certifi cation for trustwor-
thy digital repositories.

INFORMATION GOVERNANCE POLICY DEVELOPMENT 87
of occurrence, prepare for, respond to, and recover from disruptive incidents when
they arise.”
The UK business continuity standard, BS25999-2, which heavily infl uenced the
newer ISO standard, was withdrawn when ISO 22301 was released. 51 The business
rationale is that, with the increasing globalization of business, ISO 22301 will allow
and support more consistency worldwide not only in business continuity planning
and practices but also will promote common terms and help to embed various ISO
management systems standards within organizations. U.S.-based ANSI, Standards
Australia, Standards Singapore, and other standards bodies also contributed to the
development of ISO 22301.
Benefi ts of ISO 22301
■ Threat identifi cation and assessment. Discover, name, and evaluate potential seri-
ous threats to the viability of the business.
■ Threat and recovery planning. so the impact and resultant downtime and recov-
ery from real threats that do become incidents is minimized
■ Mission-critical process protection. Identifying key processes and taking steps to
ensure they continue to operate even during a business interruption.
■ Stakeholder confi dence. Shows prudent management planning and business re-
silience to internal and external stakeholders, including employees, business
units, customers, and suppliers. 52
Making Your Best Practices and Standards Selections to Inform
Your IG Framework
You must take into account your organization’s corporate culture, management style,
and organizational goals when determining which best practices and standards should
receive priority in your IG framework. However, you must step through your business
rationale in discussions with your cross-functional IG team and fully document the
reasons for your approach. Then you must present this approach and your draft IG
ISO 22301 spells out requirements for creating and implementing a standard-
ized approach to business continuity management.
You must take into account your organization’s corporate culture, manage-
ment style, and organizational goals when determining which best practice
and standards should be selected for your IG framework.

88 INFORMATION GOVERNANCE
framework to your key stakeholders and be able to defend your determinations while
allowing for input and adjustments. Perhaps you have overlooked some key factors
that your larger stakeholder group uncovers, and their input should be folded into a
fi nal draft of your IG framework.
Next, you are ready to begin developing IG policies that apply to various aspects
of information use and management, in specifi c terms. You must detail the policies you
expect employees to follow when handling information on various information deliv-
ery platforms (e.g., e-mail, blogs, social media, mobile computing, cloud computing).
It is helpful at this stage to collect and review all your current policies that apply and
to gather some examples of published IG policies, particularly from peer organiza-
tions and competitors (where possible). Of note: You should not just adopt another
organization’s polices and believe that you are done with policy making. Rather, you
must enter into a deliberative process, using your IG framework for guiding principles
and considering the views and needs of your cross-functional IG team. Of paramount
importance is to be sure to incorporate the alignment of your organizational goals and
business objectives when crafting policy.
With each policy area, be sure that you have considered the input of your stake-
holders, so that they will be more willing to buy into and comply with the new policies
and so that the policies do not run counter to their business needs and required busi-
ness processes. Otherwise, stakeholders will skirt, avoid, or halfheartedly follow the
new IG policies, and the IG program risks failure.
Once you have fi nalized your policies, be sure to obtain necessary approvals from
your executive sponsor and key senior managers.
Roles and Responsibilities
Policies will do nothing without people to advocate, support, and enforce them. So
clear lines of authority and accountability must be drawn , and responsibilities must be
assigned.
Overall IG program responsibility resides at the executive sponsor level, but
beneath that, an IG program manager should drive team members toward mile-
stones and business objectives and should shoulder the responsibility for day-to-day
program activities, including implementing and monitoring key IG policy tasks.
These tasks should be approved by executive stakeholders and assigned as appropri-
ate to an employee’s functional area of expertise. For instance, the IG team member
from legal may be assigned the responsibility for researching and determining legal
requirements for retention of business records, perhaps working in conjunction
with the IG team member from RM, who can provide additional input based on
interviews with representatives from business units and additional RM research
into best practices.
Lines of authority, accountability, and responsibility must be clearly drawn for
the IG program to succeed.

INFORMATION GOVERNANCE POLICY DEVELOPMENT 89
Program Communications and Training
Your IG program must contain a communications and training component, as a stan-
dard function. Your stakeholder audience must be made aware of the new policies and
practices that are to be followed and how this new approach contributes toward the
organization’s goals and business objectives.
The fi rst step in your communications plan is to identify and segment your stake-
holder audiences and to customize or modify your message to the degree that is neces-
sary to be effective. Communications to your IT team can have a more technical slant,
and communications to your legal team can have some legal jargon and emphasize le-
gal issues. The more forethought you put into crafting your communications strategy,
the more effective it will be.
That is not to say that all messages must have several versions: Some core concepts l
and goals should be emphasized in communications to all employees.
How should you communicate? The more ways you can get your IG message
to your core stakeholder audiences, the more effective and lasting the message will
be. So posters, newsletters, e-mail, text messages, internal blog or intranet posts,
and company meetings should all be a part of the communications mix. Remember,
the IG program requires not only training but re training, and the aim should be
to create a compliance culture that is so prominent and expected that employees
adopt the new practices and policies and integrate them into their daily activities.
Ideally, employees will provide valuable input to help fi ne-tune and improve the
IG program.
Training should take multiple avenues as well. Some can be classroom instruc-
tion, some online learning, and you may want to create a series of training videos.
But the training effort must be consistent and ongoing to maintain high levels of IG
effectiveness. Certainly, this means you will need to add to your new hire training pro-
gram for employees joining or transferring to your organization.
Program Controls, Monitoring, Auditing, and Enforcement
How do you know how well you are doing? You will need to develop metrics to de-
termine the level of employee compliance, its impact on key operational areas, and
progress made toward established business objectives.
Testing and auditing the program provides an opportunity to give feedback to
employees on how well they are doing and to recommend changes they may make.
But having objective feedback on key metrics also will allow for your executive
sponsor to see where progress has been made and where improvements need to
focus.
Communications regarding your IG program should be consistent and clear
and somewhat customized for various stakeholder groups.

90 INFORMATION GOVERNANCE
CHAPTER SUMMARY: KEY POINTS
■ You must inform and frame IG policy with internal and external frameworks,
models, best practices, and standards
■ The business user is the primary stakeholder of managed information.
■ Information management is important at all stages of the life cycle.
■ Legal stakeholders usually can mandate the preservation of what is most criti-
cal, though often at great cost.
■ The IGRM was developed by the EDRM Project to foster communication
among stakeholders and adoption of IG. It complements ARMA’s The
Principles.
■ ISO 31000 is a broad risk management standard that applies to all types of
businesses.
■ ISO/IEC 27001 and ISO/IEC 27002 are ISMS standards that provide guidance
in the development of security controls.
■ ISO 15489 is the international RM standard.
■ The ICA-Req standard was adopted as ISO 16175. It does not contain a test-
ing regime for certifi cation.
■ The ISO 30300 series of e-records standards are written for a managerial au-
dience and encourage ERM that is aligned to organizational objectives.
■ DoD 5015.2 is the U.S. ERM standard; the European ERM standard is
MoReq2010. Australia has adopted all three parts of ISO 16175 as its
e-records management standard.
■ LTDP is a key area to which IG policy should be applied.
■ An LTDP strategy that is OAIS compliant (based on ISO 14721) offers the best
means available today for preserving the digital heritage of all organizations.
■ ISO 16363 represents the gold standard of audit and certifi cation for trust-
worthy digital repositories.
■ ISO 38500 is an international standard that provides high-level principles and
guidance for senior executives and directors responsible for IT governance.
■ ISO 22301 spells out requirements for creating and implementing a
standardized approach to business continuity management.
Clear penalties for policy violations must be communicated to employees so they
know the seriousness of the IG program and how important it is in helping the orga-
nization pursue its business goals and accomplish stated business objectives.

INFORMATION GOVERNANCE POLICY DEVELOPMENT 91
Notes
1. ARMA International, “Generally Accepted Recordkeeping Principles,” www.arma.org/r2/generally-
accepted-br-recordkeeping-principles/copyright (accessed November 25, 2013).
2. ARMA International, “Information Governance Maturity Model,” www.arma.org/r2/generally-
accepted-br-recordkeeping-principles/metrics (accessed November 25, 2013).
3. Electronic Discovery, “IGRM v3.0 Update: Privacy & Security Offi cers As Stakeholders – Electronic
Discovery,” http://electronicdiscovery.info/igrm-v3-0-update-privacy-security-offi cers-as-stakehold-
ers-electronic-discovery/ (accessed April 24, 2013).
4. EDRM, “Information Governance Reference Model (IGRM),” www.edrm.net/projects/igrm (accessed
October 9, 2013).
5. Ibid.
6. Ibid.
7. Project Management Institute, A Guide to the Project Management Body of Knowledge (PMBOK Guide ),
4th ed. (Newtown Square, PA, Project Management Institute, 2008), ANSI/PMI 99-001-2008,
pp. 273–312.
8. Kate Cumming, “Metadata Matters,” in Julie McLeod and Catherine Hare, eds., Managing Electronic
Records , p. 34 (London: Facet, 2005).s
9. Marc Fresko, e-mail to author, May 13, 2012.
10. Hofman, “The Use of Standards and Models,” in Julie McLeod and Catherine Hare, eds., Managing
Electronic Records , p. 34 (London: Facet, 2005) pp. 20–21. s
11. Ibid.
12. International Organization for Standardization, “ISO 31000:2009 Risk Management—Principles and
Guidelines,” www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=43170 (accessed
April 22, 2013).
13. Ibid.
14. International Organization for Standardization, ISO/IEC 27001:2005, “Information Technology—
Security Techniques—Information Security Management Systems—Requirements,” www.iso.org/iso/
catalogue_detail?csnumber=42103 (accessed April 22, 2013).
15. International Organization for Standardization, ISO/IEC 27002:2005, “Information Technology—
Security Techniques—Code of Practice for Information Security Management,” www.iso.org/iso/cata-
logue_detail?csnumber=50297 (accessed July 23, 2012).
16. International Organization for Standardization, ISO/IEC 38500:2008, www.iso.org/iso/catalogue_
detail?csnumber=51639 (accessed March 12, 2013).
17. ISO 38500 IT Governance Standard, www.38500.org/ (accessed March 12, 2013).
18. International Organization for Standardization, ISO 15489-1: 2001 Information and Documentation—
Records Management. Part 1: General (Geneva: ISO, 2001), section 3.16. l
■ You must take into account your organization’s corporate culture, manage-
ment style, and organizational goals when determining which best practices
and standards should be selected for your IG framework.
■ Lines of authority, accountability, and responsibility must be clearly drawn for
the IG program to succeed.
■ Communications regarding your IG program should be consistent and clear
and somewhat customized for various stakeholder groups.
■ IG program audits are an opportunity to improve training and compliance,
not to punish employees.
CHAPTER SUMMARY: KEY POINTS (Continued )

http://www.arma.org/r2/generally-accepted-br-recordkeeping-principles/copyright

http://www.arma.org/r2/generally-accepted-br-recordkeeping-principles/metrics

http://electronicdiscovery.info/igrm-v3-0-update-privacy-security-officers-as-stakeholders-electronic-discovery/

http://www.edrm.net/projects/igrm

http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=43170

http://www.iso.org/iso/catalogue_detail?csnumber=42103

http://www.iso.org/iso/cata-logue_detail?csnumber=50297

http://www.iso.org/iso/catalogue_detail?csnumber=51639

http://www.38500.org/

http://electronicdiscovery.info/igrm-v3-0-update-privacy-security-officers-as-stakeholders-electronic-discovery/

http://www.iso.org/iso/catalogue_detail?csnumber=42103

http://www.iso.org/iso/catalogue_detail?csnumber=51639

92 INFORMATION GOVERNANCE
19. National Archives of Australia, www.naa.gov.au/records-management/publications/DIRKS-manual
.aspx (accessed October 15, 2012).
20. International Council on Archives, “ICA-Req: Principles and Functional Requirements for Records
in Electronic Offi ce Environments: Guidelines and Training Material,” November 29, 2011, www
.ica.org/11696/activities-and-projects/icareq-principles-and-functional-requirements-for-records-in-
electronic-offi ce-environments-guidelines-and-training-material.html.
21. Council of Australasian Archives and Records Authorities, www.caara.org.au/ (accessed May 3, 2012).
22. Adrian Cunningham, blog post comment, May 11, 2011. http://thinkingrecords.co.uk/2011/05/06/
how-moreq-2010-differs-from-previous-electronic-records-management-erm-system-specifi cations/.
23. Ibid.
24. “Relationship between the ISO 30300 Series of Standards and Other Products of ISO/TC 46/SC
11: Records Processes and Controls,” White Paper, ISO TC46/SC11- Archives/Records Management
(March 2012), www.iso30300.es/wp-content/uploads/2012/03/ISOTC46SC11_White_paper_rela-
tionship_30300_technical_standards12032012v6
25. Ibid.
26. Julie Gable, Information Management Journal, November 1, 2002, www.thefreelibrary.com/Everything-
+you+wanted+to+know+about+DoD+5015.2:+the+standard+is+not+a…-a095630076.
27. These standards were developed by the CGSB (Canadian General Standards Board), which is a stan-
dards-writing agency within Public Works and Government Services Canada (a department of the
federal government). It is accredited by the Standards Council of Canada as a standards development
agency. The Council must certify that standards have been developed by the required procedures be-
fore it will designate them as being National Standards of Canada. 72.34 incorporates by reference as
“normative references”: (1) many of the standards of the International Organization for Standardiza-
tion (ISO) in Geneva, Switzerland. (“ISO,” derived from the Greek word isos (equal) so as to provide s
a common acronym for all languages); and (2) several of the standards of the Canadian Standards
Association (CSA). The “Normative references” section of 72.34 (p. 2) states that these “referenced
documents are indispensable for the application of this document.” 72.11 cites (p. 2, “Applicable Pub-
lications”) several standards of the American National Standards Institute/Association for Information
and Image Management (ANSI/AIIM) as publications “applicable to this standard.” The process by
which the National Standards of Canada are created and maintained is described within the standards
themselves (reverse side of the front cover), and on the CGSB’s Web site (see, “Standards Develop-
ment”), from which Web site these standards may be obtained; http://www.ongc-cgsb.gc.ca.
28. The Canada Revenue Agency (CRA) informs the public of its policies and procedures by means, among
others, of its Information Circulars (IC’s), and s GST/HST Memoranda . (GST: goods and services tax; HST:
harmonized sales tax, i.e. , the harmonization of federal and provincial sales taxes into one retail sales tax.)
In particular, see: IC05-1 , dated June 2010, entitled, Electronic Record Keeping , paragraphs 24, 26 and 28.g
Note that use of the National Standard cited in paragraph 26, Microfi lm and Electronic Images as Documen-
tary Evidence CAN/CGSB-72.11-93 is mandatory for, “Imaging and microfi lm (including microfi che)
reproductions of books of original entry and source documents . . .” Paragraph 24 recommends the use
of the newer national standard, Electronic Records as Documentary Evidence CAN/CGSB-72.34-2005, “To
ensure the reliability, integrity and authenticity of electronic records.” However, if this newer standard is
given the same treatment by CRA as the older standard, it will be made mandatory as well. And similar
statements appear in the GST Memoranda, Computerized Records 500-1-2, s Books and Records 500-1. IC05-s
1. Electronic Record Keeping , concludes with the note, “Most Canada Revenue Agency publications areg
available on the CRA Web site www.cra.gc.ca under the heading ‘Forms and Publications.’”
29. There are more than 200 specifi c compliance tests that can be applied to determine if the principles
of 72.34 are being complied with. The analysts—a combined team of records management and legal
expertise—analyze: (1) the nature of the business involved; (2) the uses and value of its records for its
various functions; (3) the likelihood and risk of the various types of its records being the subject of legal
proceedings, or of their being challenged by some regulating authority; and (4) the consequences of the
unavailability of acceptable records—for example, the consequences of its records not being accepted
in legal proceedings. Similarly, in regard to the older National Standard of Canada, 72.11, there is a
comparable series of more than 50 tests that can be applied to determine the state of compliance with
its principles.
30. Electronic Records as Documentary Evidence CAN/CGSB-72.34-2005 (“72.34”), clause 5.4.3 c) at p. 17;
and Microfi lm and Electronic Images as Documentary Evidence CAN/CGSB-72.11-93 (“72.11”), paragraph
4.1.2 at p. 2, supra note 49.
31. 72.34, Clause 5.4.3, ibid.
32. “Admissibility” refers to the procedure by which a presiding judge determines if a record or other
proffered evidence is acceptable as evidence according the rules of evidence. “Electronic discovery”

http://www.naa.gov.au/records-management/publications/DIRKS-manual.aspx

http://www.caara.org.au/

How MoReq 2010 differs from previous electronic records management (ERM) system specifications

http://www.iso30300.es/wp-content/uploads/2012/03/ISOTC46SC11_White_paper_rela-tionship_30300_technical_standards12032012v6

http://www.thefreelibrary.com/Everything-+you+wanted+to+know+about+DoD+5015.2:+the+standard+is+not+a%E2%80%A6-a095630076

http://www.ongc-cgsb.gc.ca

http://www.cra.gc.ca

http://www.naa.gov.au/records-management/publications/DIRKS-manual.aspx

How MoReq 2010 differs from previous electronic records management (ERM) system specifications

http://www.ica.org/11696/activities-and-projects/icareq-principles-and-functional-requirements-for-records-in-electronic-office-environments-guidelines-and-training-material.html

INFORMATION GOVERNANCE POLICY DEVELOPMENT 93
is the compulsory exchange of relevant records by the parties to legal proceedings prior to trial.” As
to the admissibility of records as evidence see: Ken Chasse, “The Admissibility of Electronic Business
Records” (2010), 8 Canadian Journal of Law and Technology 105; and Ken Chasse, “Electronic Re-
cords for Evidence and Disclosure and Discovery” (2011) 57 The Criminal Law Quarterly 284. For the
electronic discovery of records see: Ken Chasse, “Electronic Discovery— Sedona Canada is Inadequate
on Records Management—Here’s Sedona Canada in Amended Form,” Canadian Journal of Law and Tech-
nology 9 (2011): 135; and Ken Chasse, “Electronic Discovery in the Criminal Court System,” Canadian
Criminal Law Review 14 (2010): 111. See also note 18 infra , and accompanying text.
33. For the province of Quebec, comparable provisions are contained in Articles 2831-2842, 2859-2862,
2869-2874 of Book 7 “Evidence” of the Civil Code of Quebec, S.Q. 1991, c. C-64, to be read in con-
junction with, An Act to Establish a Legal Framework for Information Technology, R.S.Q. 2001,
c. C-1.1, ss. 2, 5-8, and 68.
34. For the legislative jurisdiction of the federal and provincial governments in Canada, see The Constitu-
tion Act, 1867 (U.K.) 30 & 31 Victoria, c. 3, s. 91 (federal), and s. 92 (provincial), www.canlii.org/en/ca/
laws/stat/30—31-vict-c-3/latest/30—31-vict-c-3.html.
35. The two provinces of Alberta and Newfoundland and Labrador do not have business record provisions
in their Evidence Acts. Therefore “admissibility” would be determined in those jurisdictions by way of
the court decisions that defi ne the applicable common law rules; such decisions as, Ares v. Venner [1970]r
S.C.R. 608, 14 D.L.R. (3d) 4 (S.C.C.), and decisions that have applied it.
36. See for example, the Canada Evidence Act, R.S.C. 1985, c. C-5, ss. 31.1-31.8; Alberta Evidence Act,
R.S.A. 2000, c. A-18, ss. 41.1-41.8; (Ontario) Evidence Act, R.S.O. 1990, c. E.23, s. 34.1; and the (Nova
Scotia) Evidence Act, R.S.N.S. 1989, c. 154, ss. 23A-23G. The Evidence Acts of the two provinces
of British Columbia and Newfoundland and Labrador do not contain electronic record provisions.
However, because an electronic record is no better than the quality of the record system in which it is
recorded or stored, its “integrity” (reliability, credibility) will have to be determined under the other
provincial laws that determine the admissibility of records as evidence.
37. The electronic record provisions have been in the Evidence Acts in Canada since 2000. They have been
applied to admit electronic records into evidence, but they have not yet received any detailed analysis
by the courts.
38. This is the wording used in, for example, s. 41.6 of the Alberta Evidence Act, s. 34.1(8) of the (Ontario)
Evidence Act; and s. 23F of the (Nova Scotia) Evidence Act, supra note 10. Section 31.5 of the Canada
Evidence Act, supra note 58, uses the same wording, the only signifi cant difference being that the word
“document” is used instead of “record.” For the province of Quebec, see sections 12 and 68 of, An Act
to Establish a Legal Framework for Information Technology, R.S.Q., chapter C-1.1.
39. “Giving Value: Funding Priorities for UK Archives 2005–2010, a key new report launched by the Na-
tional Council on Archives (NCA) in November 2005,” www.nationalarchives.gov.uk/documents/stan-
dards_guidance (accessed October 15, 2012).
40. DLM Forum Foundation, MoReq2010 ® : Modular Requirements for Records Systems—Volume 1: Core Ser-
vices & Plug-in Modules, 2011, http://moreq2010.eu/ (accessed May 7, 2012, published in paper form ass
ISBN 978-92-79-18519-9 by the Publications Offi ce of the European Communities, Luxembourg.
41. DLM Forum, Information Governance across Europe, www.dlmforum.eu/ (accessed December 14,
2010).
42. National Archives of Australia, “Australian and International Standards,” 2012, www.naa.gov.au
/records-management/strategic-information/standards/ASISOstandards.aspx (accessed July 16, 2012).
43. E-mail to author from Marc Fresko, May 13, 2012.
44. National Archives of Australia, “Australian Government Recordkeeping Metadata Standard,” 2012,
www.naa.gov.au/records-management/publications/agrk-metadata-standard.aspx (accessed July 16,
2012).
45. National Archives of Australia, “Australian and International Standards,” 2012, www.naa.gov.au
/records-management/strategic-information/standards/ASISOstandards.aspx (accessed July 16, 2012).
46. International Organization for Standardization, ISO 19005-1:2005, “Document Management—
Electronic Document File Format for Long-Term Preservation—Part 1: Use of PDF 1.4 (PDF/A-1),”
www.iso.org/iso/catalogue_detail?csnumber=38920 (accessed July 23, 2012).
47. International Organization for Standardization, ISO 14721:2012, “Space Data and Information Trans-
fer Systems Open Archival Information System—Reference Model,” www.iso.org/iso/iso_catalogue/
catalogue_ics/catalogue_detail_ics.htm?csnumber=57284 (accessed November 25, 2013).
48. Ibid.
49. International Organization for Standardization, ISO 16363:2012, “Space Data and Information
Transfer Systems—Audit and Certifi cation of Trustworthy Digital Repositories,” www.iso.org/iso/
iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=56510 (accessed July 23, 2012).

http://www.canlii.org/en/ca/laws/stat/30%E2%80%9431-vict-c-3/latest/30%E2%80%9431-vict-c-3.html

http://www.nationalarchives.gov.uk/documents/stan-dards_guidance

http://moreq2010.eu/

http://www.dlmforum.eu/

http://www.naa.gov.au/records-management/strategic-information/standards/ASISOstandards.aspx

http://www.naa.gov.au/records-management/publications/agrk-metadata-standard.aspx

http://www.naa.gov.au/records-management/strategic-information/standards/ASISOstandards.aspx

http://www.iso.org/iso/catalogue_detail?csnumber=38920

http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=57284

http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=56510

http://www.canlii.org/en/ca/laws/stat/30%E2%80%9431-vict-c-3/latest/30%E2%80%9431-vict-c-3.html

http://www.naa.gov.au/records-management/strategic-information/standards/ASISOstandards.aspx

http://www.iso.org/iso/iso_catalogue/catalogue_ics/catalogue_detail_ics.htm?csnumber=57284

http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=56510

94 INFORMATION GOVERNANCE
50. International Organization for Standardization, ISO 22301:2012 “Societal Security—Business Conti-
nuity Management Systems—Requirements,” www.iso.org/iso/catalogue_detail?csnumber=50038 (ac-
cessed April 21, 2013).
51. International Organization for Standardization, “ISO Business Continuity Standard 22301 to Replace
BS 25999-2,” www.continuityforum.org/content/news/165318/iso-business-continuity-standard-22301-
replace-bs-25999-2 (accessed April 21, 2013).
52. BSI, “ISO 22301 Business Continuity Management,” www.bsigroup.com/en-GB/iso-22301-business-
continuity (accessed April 21, 2013).

http://www.iso.org/iso/catalogue_detail?csnumber=50038

http://www.continuityforum.org/content/news/165318/iso-business-continuity-standard-22301-replace-bs-25999-2

http://www.bsigroup.com/en-GB/iso-22301-business-continuity

PA RT T H R E E
Information
Governance
Key Impact
Areas Based
on the IG
Reference
Model

97
Business
Considerations for
a Successful IG
Program
C H A P T E R 7
By Barclay T. Blair
T
he business case for information governance (IG) programs has historically
been diffi cult to justify. It is hard to apply a strict, short-term return on invest-
ment (ROI) calculation. A lot of time, effort, and expense is involved before true
economic benefi ts can be realized. So a commitment to the long view and an un-
derstanding of the many areas where an organization will improve as a result of a
successful IG program are needed. But the bottom line is that reducing exposure to
business risk, improving the quality and security of data and e-documents, cutting out
unneeded stored information, and streamlining information technology (IT) develop-
ment while focusing on business results add up to better organizational health and
viability and, ultimately, an improved bottom line.
Let us take a step back and examine the major issues affecting information costing
and calculating the real cost of holding information, consider Big Data and e-discov-
ery ramifi cations, and introduce some new concepts that may help frame information
costing issues differently for business managers. Getting a good handle on the true
cost of information is essential to governing it properly, shifting resources to higher-
value information, and discarding information that has no discernible business value
and carries inherent, avoidable risks.
Changing Information Environment
The information environment is changing. Data volumes are growing, but unstructured
information (such as e-mail, word processing documents, social media posts) is grow-
ing faster than our ability to manage it. Some unstructured information has more
structure than others containing some identifi able metadata (e.g., e-mail messages all
have a header, subject line, time/date stamp, and message body). This is often termed
as semistructured information, but for purposes of this book, we use the term “unstruc-d
tured information” to include semistructured information as well.
The volume of unstructured information is growing dramatically. Analysts estimate
that, over the next decade, the amount of data worldwide will grow by 44 times (from
.8 zettabytes to 35 zettabytes: 1 zettabyte = 1 trillion gigabytes). 1 However, the volume

98 INFORMATION GOVERNANCE
of unstructured information will actually grow 50 percent faster than structured data.
Analysts also estimate that fully 90 percent of unstructured information will require
formal governance and management by 2020. In other words, the problem of unstruc-
tured IG is growing faster than the problem of data volume itself.
What makes unstructured information so challenging? There are several factors,
including
■ Horizontal versus vertical. Unstructured information is typically not clearly at-
tached to a department or a business function. Unlike the vertical focus of an
enterprise resource planning (ERP) database, for example, an e-mail system
serves multiple business functions—from employee communication to fi ling
with regulators—for all parts of the business. Unstructured information is
much more horizontal, making it diffi cult to develop and apply business rules.
■ Formality. The tools and applications used to create unstructured information
often engender informality and the sharing of opinions that can be problematic
in litigation, investigations, and audits—as has been repeatedly demonstrated
in front-page stories over the past decade. This problem is not likely to get any
easier as social media technologies and mobile devices become more common
in the enterprise.
■ Management location. Unstructured information does not have a single, obvious
home. Although e-mail systems rely on central messaging servers, e-mail is just
as likely to be found on a fi le share, mobile device, or laptop hard drive. This
makes the application of management rules more diffi cult than the application
of the same rules in structured systems, where there is a close marriage between
the application and the database.
■ “Ownership” issues. Employees do not think that they “own” data in an accounts
receivable system like they “own” their e-mail or documents stored on their
hard drive. Although such information generally has a single owner (i.e., the
organization itself), this non-ownership mind-set can make the imposition of
management rules for unstructured information more challenging than for
structured data.
■ Classifi cation. The business purpose of a database is generally determined prior
to its design. Unlike structured information, the business purpose of unstruc-
tured information is diffi cult to infer from the application that created or stores
the information. A word processing fi le stored in a collaboration environment
could be a multimillion-dollar contract or a lunch menu. As such, classifi ca-
tion of unstructured content is more complex and expensive than structured
information.
Taken together, these factors reveal a simple truth: Managing unstructured infor-
mation is a separate and distinct discipline from managing databases. It requires different
The problem of unstructured IG is growing faster than the problem of data
volume itself.

BUSINESS CONSIDERATIONS FOR A SUCCESSFUL IG PROGRAM 99
methods and tools. Moreover, determining the costs and benefi ts of owning and man-
aging unstructured information is a unique—but critical—challenge.
The governance of unstructured information creates enormous complexity and
risk for business managers to consider while making it diffi cult for organizations to
generate real value from all this information. Despite the looming crisis, most organi-
zations have limited ability to quantify the real cost of owning and managing unstruc-
tured information. Determining the total cost of owning unstructured information
is an essential precursor to managing and monetizing that information while cutting
information costs—key steps in driving profi t for the enterprise.
Storing things is cheap . . . I’ve tended to take the attitude, “Don’t throw elec-
tronic things away.”
—Data scientist quoted in Anne Eisenberg, “What 23 Years of E-Mail May
Say About You,” New York Times, ” April 7, 2012
The company spent $900,000 to produce an amount of data that would con-
sume less than one-quarter of the available capacity of an ordinary DVD.
— Nicholas M. Pace and Laura Zakaras, “Where the Money Goes:
Understanding Litigant Expenditures for Producing Electronic
Discovery,” RAND Institute for Civil Justice, 2012
Calculating Information Costs
We are not very good at fi guring out what information costs— truly costs. Many orga-
nizations act as if storage is an infi nitely renewable resource and the only cost of in-
formation. But, somehow, enterprise storage spending rises each year and IT support
costs rise, even as the root commodity (disk drives) grows ever cheaper and denser.
Obviously, they are not considering labor and overhead costs incurred with managing
information, and the additional knowledge worker time wasted sifting through moun-
tains of information to fi nd what they need.
Some of this myopic focus on disk storage cost is simple ignorance. The executive
who concludes that a terabyte costs less than a nice meal at a restaurant after browsing
storage drives on the shelves of a favorite big-box retailer on the weekend is of little
help.
Rising information storage costs cannot be dismissed. Each year the billions that or-
ganizations worldwide spend on storage grows, even though the cost of a hard drive
is less than 1 percent of what it was about a decade ago. We have treated storage as a
resource that has no cost to the organization outside of the initial capital outlay and
basic operational costs. This is shortsighted and outdated.
Some of the reason that managers and executives have diffi culty comprehending
the true cost of information is old-fashioned miscommunication. IT departments do
not see (or pay for) the full cost of e-discovery and litigation. Even when IT “part-
ners” with litigators, what IT learn rarely drives strategic IT decisions. Conversely,
law departments (and outside fi rms) rarely own and pay for the IT consequences of
their litigation strategies. It is as if when the litigation fi re needs to be put out, nobody
calculates the cost of gasoline and water for the fi re trucks.

100 INFORMATION GOVERNANCE
But calculating the cost of information—especially information that does not sit
neatly in the rows and columns of enterprise database “systems of record”—is complex.
It is more art than science. And it is more politics than art. There is no Aristotelian
Golden Mean for information.
The true cost of mismanaging information is much more profound than simply
calculating storage unit costs. It is the cost of opportunity lost—the lost benefi t of in-
formation that is disorganized, created and then forgotten, cast aside and left to rot.
It is the cost of information that cannot be brought to market. Organizations that realize
this, and invest in managing and leveraging their unstructured information, will be the
winners of the next decade.
Most organizations own vast pools of information that is effectively “dark”: They
do not know what it is, where it is, who is responsible for managing it, or whether it
is an asset or a liability. It is not classifi ed, indexed, or managed according to the or-
ganization’s own policies. It sits in shared drives, mobile devices, abandoned content
systems, single-purpose cloud repositories, legacy systems, and outdated archives.
And when the light is fi nally fl icked on for the fi rst time by an intensive hunt for
information during e-discovery, this dark information can turn out to be a liability. An
e-mail message about “paying off fat people who are a little afraid of some silly lung
problem” might seem innocent—until it is placed in front of a jury as evidence that a
drug company did not care that its diet drug was allegedly killing people. 2
The importance of understanding the total cost of owning unstructured informa-
tion is growing. We are at the beginning of a “seismic economic shift” in the informa-
tion landscape, one that promises to not only “reinvent society,” (according to an MIT
data scientist) but also to create “the new oil . . . a new asset class touching all aspects
of society.” 3
Big Data Opportunities and Challenges
We are entering the epoch of Big Data—an era of Internet-scale enterprise infrastruc-
ture, powerful analytical tools, and massive data sets from which we can potentially
wring profound new insights about business, society, and ourselves. It is an epoch that,
according to the consulting fi rm McKinsey, promises to save the European Union
public sector billions of euros, increase retailer margins by 60 percent, and reduce U.S.
national health care spending by 8 percent, while creating hundreds of thousands of
jobs. 4 Sounds great, right?
However, the early days of this epoch are unfolding in almost total ignorance
of the true cost of information. In the near nirvana contemplated by some Big Data
Smart leaders across industries will see using big data for what it is: a manage-
ment revolution.
—Andrew McAfee and Erik Brynjolfsson, “Big Data: The Management
Revolution,” Harvard Business Review ” (October 2012)

BUSINESS CONSIDERATIONS FOR A SUCCESSFUL IG PROGRAM 101
proponents, all data is good, and more data is better . Yet it would be an exaggeration to r
say that there is no awareness of potential Big Data downsides. A recent study by the
Pew Research Center was positive overall but did note concerns about privacy, social
control, misinformation, civil rights abuses, and the possibility of simply being over-
whelmed by the deluge of information. 5
But the real-world burdens of managing, protecting, searching, classifying, retain-
ing, producing, and migrating unstructured information are foreign to many Big Data
cheerleaders. This may be because the Big Data hype cycle 6 is not yet in the “trough
of disillusionment” where the reality of corporate culture and complex legal require-
ments sets in. But set in it will, and when it does, the demand for intelligent analysis of
costs and benefi ts will be high.
IG professionals must be ready for these new challenges and opportunities—ready
with new models for thinking about unstructured information. Models that calculate
the risks of keeping too much of the wrong information as well as the s benefi ts of clean,s
reliable, and accessible pools of the right information. Models that drive desirable
behavior in the enterprise, and position organizations to succeed on the “next frontier
for innovation, competition, and productivity.”7
Full Cost Accounting for Information
It is diffi cult for organizations to make educated decisions about unstructured infor-
mation without knowing its full cost. Models like total cost of ownership (TCO) and
ROI are designed for this purpose and have much in common with full cost account-
ing (FCA) models. FCA seeks to create a complete picture of costs that includes past, g
future, direct, and indirect costs rather than direct cash outlays alone.
FCA has been used for many purposes, including the decidedly earthbound task
of determining what it costs to take out the garbage and the loftier task of calculating
how much the International Space Station really costs. A closely related concept, often
called triple bottom line, has gained traction in the world of environmental account-
ing, positing that organizations must take into account societal and environmental
costs as well as monetary costs.
The U.S. Environmental Protection Agency promotes the use of FCA for mu-
nicipal waste management, and several states have adopted laws requiring its use. It
is fascinating—and no accident—that this accounting model has been widely used to
calculate the full cost of managing an unwanted by-product of modern life. The anal-
ogy to outdated, duplicate, and unmanaged unstructured information is clear.
Applying the principles of FCA to information can increase cost transparency
and drive better management decisions. In municipal garbage systems where citizens
do not see a separate bill for taking out the garbage, it is more diffi cult to get new
IG professionals must be ready with new models that calculate the risks of stor-
ing too much of the wrong information and also the benefi ts of clean, reliable,
accessible information.

102 INFORMATION GOVERNANCE
spending on waste management approved. 8 Without visibility into the true cost, how
can citizens—or CEOs—make informed decisions?
Responsible, innovative managers and executives should investigate FCA models for
calculating the total cost of owning unstructured information. Consider costs such as:
■ General and administrative costs, such as cost of IT operations and personnel,
facilities, and technical support.
■ Productivity gains or losses related to the information. s
■ Legal and e-discovery costs associated with the information and information systems. y
■ Indirect costs, such as the accounting, billing, clerical support, contract manage-
ment, insurance, payroll, purchasing, and so on.
■ Up-front costs, such as the acquisition of the system, integration and confi gura-
tion, and training. This should include the depreciation of capital outlays.
■ Future costs, such as maintenance, migration, and decommissioning of informa-
tion systems. Future outlays should be amortized.
Calculating the Cost of Owning Unstructured Information
Any system designed to calculate the cost or benefi t of a business strategy is inher-
ently political. That is, it is an argument designed to convince an t audience. Well-known
models like TCO and ROI are primarily decision tools designed to help organizations
predict the economic consequences of a decision. While there are certainly objective
truths about the information environment, human decision making is a complex and
imperfect process. There are plenty of excellent guides on how to create a standard
TCO or ROI. That is not our purpose here. Rather, we want to inspire creative think-
ing about how to calculate the cost of owning unstructured information and help or-
ganizations minimize the risk—and maximize the value—of unstructured information.
Any economic model for calculating the cost of unstructured information depends
on reliable facts. But facts can be hard to come by. A client recently went in search of an
accurate number for the annual cost per terabyte of Tier 1 storage in her company. The
company’s storage environment was completely outsourced, leading her to believe that
the number would be transparent and easy to fi nd. However, after days spent poring over
the massive contract, she was no closer to the truth. Although there was a line item for
storage costs, the true costs were buried in “complexity fees” and other opaque terms.
Organizations need tools that help them establish facts about their unstructured
information environment. The business case for better management depends on these
facts. Look for tools that can help you:
■ Find unstructured information wherever it resides across the enterprise, including s
e-mail systems, shared network drives, legacy content management systems,
and archives.
Organizations can learn from accounting models used by cities to calculate the
total cost of managing municipal waste and apply them to the IG problem.

BUSINESS CONSIDERATIONS FOR A SUCCESSFUL IG PROGRAM 103
■ Enable fast and intuitive access to basic metrics , such as size, date of last access,s
and fi le type.
■ Provide sophisticated analysis of the nature of the content itself to drive classifi ca-s
tion and information life cycle decisions.
■ Deliver visibility into the environment through dashboards that are easy to fors
nonspecialists to confi gure and use.
Sources of Cost
Unstructured information is ubiquitous. It is typically not the product of a single-pur-
pose business application. It often has no clearly defi ned owner. It is endlessly duplicat-
ed and transmitted across the organization. Determining where and how unstructured
information generates cost is diffi cult.
However, doing so is possible. Our research shows that at least 10 key factors that s
drive the total cost of owning unstructured information. These 10 factors identify
where organizations typically spend money throughout the life cycle of managing un-
structured information. These factors are listed in Figure 7.1 , along with examples of
elements that typically increase cost (“Cost Drivers,” on the left side) and elements that
typically reduce costs (“Cost Reducers,” on the right side).
1. E-discovery: fi nding, processing, and producing information to support law-
suits, investigations, and audits. Unstructured information is typically the
most common target in e-discovery, and a poorly managed information
environment can add millions of dollars in cost to large lawsuits. Simply
reviewing a gigabyte of information for litigation can cost $14,000 or
more. 9
2. Disposition: getting rid of information that no longer has value because it
is duplicate, out of date, or has no value to the business. In poorly man-
aged information environments, separating the wheat from the chaff can
cost large organizations millions of dollars. For enterprises with frequent
litigation, the risk of throwing away the wrong piece of information only
increases risk and cost. Better management and smart IG tools drive costs
down.
3. Classifi cation and organization: keeping unstructured information organized so
that employees can use it. It also is necessary so management rules supporting
privacy, privilege, confi dentiality, retention, and other requirements can be
applied.
4. Digitization and automation. Many business processes continue to be a combi-
nation of digital, automated steps and paper-based, manual steps. Automating
Identifying and building consensus on the sources of cost for unstructured
information is critical to any TCO or ROI calculation. It is critical that all stake-
holders agree on these sources, or they will not incorporate the output of the
calculation in their strategy and planning.

104 INFORMATION GOVERNANCE
and digitizing these processes requires investment but also can drive signifi –
cant returns. For example, studies have shown that automating accounts pay-
able “can reduce invoice processing costs by 90 percent.”10
5. Storage and network infrastructure: the cost of the devices, networks, software,
and labor required to store unstructured information. Although the cost of
the baseline commodity (i.e., a gigabyte of storage space) continues to fall, for
most organizations overall volume growth and complexity means that storage
budgets go up each year. For example, between 2000 and 2010, organization
more than doubled the amount they spent on storage-related software even
though the cost of raw hard drive space dropped by almost 100 times. 11
6. Information search, access, and collaboration: the cost of hardware, software, and
services designed to ensure that information is available to those who need
it, when they need it. This typically includes enterprise content management
systems, enterprise search, case management, and the infrastructure necessary
to support employee access and use of these systems.
7. Migration: the cost of moving unstructured information from outdated sys-
tems to current systems. In poorly managed information environments, the
cost of migration can be very high—so high that some organizations maintain
legacy systems long after they are no longer supported by the vendor just to
avoid (more likely, simply to defer ) the migration cost and complexity.rr
8. Policy management and compliance: the cost of developing, implementing,
enforcing, and maintaining IG policies on unstructured information. Good
policies, consistently enforced, will drive down the total cost of owning un-
structured information.
9. Discovering and structuring business processes: the cost of identifying, improv-
ing, and systematizing or “routinizing” business processes that are currently
ad hoc and disorganized. Typical examples include contract management and
Cost Drivers: Examples
Outdoted, unenforced policies
Poorly defined information
ownership and governance
Open loop, reactive
e-discovery processes
Uncontrolled information
respositiories
Modernist, paper-focused
information rules
Ad hoc, unstructured
business processes
Disconnected governance
programs
Formal, communicated, and
enforced policies
Automated classification and
organization
Defensible deletion and selective
content migration
Data maps
Proactive, repeatable
e-discovery procedures
Clear corporate governance
Managed and structured
repositories
Cost Reducers: Examples
1
2
3
4
5
6
7
8
9
10
E-Discovery
Disposition
Classification and Organization
Digitization and Automation
Storage and Network Infrastructure
Information Search, Access, Collaboration
Migration
Policy Management and Compliance
Discovering and Structuring Business Processes
Knowledge Capture and Transfer
Figure 7.1 Key Factors Driving Cost
Source: Barclay T. Blair

BUSINESS CONSIDERATIONS FOR A SUCCESSFUL IG PROGRAM 105
accounts receivable as well as revenue-related activities, such as sales and cus-
tomer support. Moving from informal e-mail and document-based processes
to fi xed work fl ows drives down cost.
10. Knowledge capture and transfer: the cost of capturing critical business knowl-
edge held at the department and employee level and putting that information
in a form that enables other employees and parts of the organization to ben-
efi t from it. Examples include intranets and their more contemporary cousins
such as wikis, blogs, and enterprise social media platforms.
The Path to Information Value
At its peak during World War II, the Brooklyn Navy Yard had 70,000 people coming
to work every day. The site was once America’s premier shipbuilding facility, build-
ing the steam-powered Ohio in 1820 and the aircraft carrier USS Independence in the
1950s. But the site fell apart after it was decommissioned in the 1960s. Today, an
“Admiral’s Row” of Second Empire–style mansions once occupied by naval offi cers
are an extraordinary sight, with gnarled oak trees pushing through the rotting
mansard roofs. 12
Seventy percent of managers and executives say data are “extremely impor-
tant” for creating competitive advantage. “The key, of course, is knowing
which data matter, who within a company needs them, and fi nding ways to
get that data into users’ hands.”
— The Economist Intelligence Unit, “Levelling the Playing Field: How
Companies Use Data to Create Advantage” (January 2011)
However, after decades of decay, the Navy Yard is being reborn as the home of YY
hundreds of businesses—from major movie studios to artisanal whisky makers—taking
advantage of abundant space and a desirable location. There were three phases in the
yard’s rebirth:
1. Clean. Survey the site to determine what had value and what did not. Dispose
of toxic waste and rotting buildings, and modernize the infrastructure.
2. Build and maintain. Implement a plan to continuously improve, upgrade, and
maintain the facility.
3. Monetize. Lease the space.
Most organizations face a similar problem. However, our Navy Yards are the vast YY
piles of unstructured information that were created with little thought to how and
when the pile might go away. They are records management programs built for a dif-
ferent era—like an automobile with a metal dashboard, six ashtrays, and no seat belts.
Our Navy Yards are information environments no longer fi t for purpose in the Big YY
Data era, overwhelmed by volume and complexity.
We are doing a bad job at managing information. McKinsey estimates that in some
circumstances, companies are using up to 80 percent of their infrastructure to store
duplicate data.13 Nearly half of respondents in a survey ViaLumina recently conducted

106 INFORMATION GOVERNANCE
said that at least 50 percent of the information in their organization is duplicate, out-
dated, or unnecessary. 14 We can do better.
1. Clean
We should put the Navy Yard’s blueprint to work, fi rst by identifying our piles of rot-YY
ting unstructured information. Duplicate information. Information that has not been
accessed in years. Information that no longer supports a business process and has little
value. Information that we have no legal obligation to keep. The economics of such
“defensible deletion” projects can be compelling simply on the basis of recovering the
storage space and thus reallocating capital that would have been spent on the annual storage
purchase.
2. Build and Maintain
Cleaning up the Navy Yard is only the fi rst step. We cannot repeat the past mistakes.YY
We avoid this by building and maintaining an IG program that establishes our infor-
mation constitution (why), laws (what), and regulations (how). We need a corporate
governance, compliance, and audit plan that gives the program teeth, and a technology
infrastructure that makes it real. It must be a defensible program to ensure we comply
with the law and manage regulatory risk.
3. Monetize
IG is a means to an end, and that end is value creation. IG also mitigates risk and drives
down cost. But extracting value is the key. Although monetization and value creation
often are associated with structured data, new tools and techniques create exciting new
opportunities for value creation from unstructured information.
For example, what if an organization could use sophisticated analytics on the e-
mail account of their top salesperson (the more years of e-mail the better), look for
markers of success, then train and hire salespeople based on that template? What is
the pattern of a salesperson’s communications with customers and prospects in her
territory? What is the substance of the communications? What is the tone? When do
successful salespeople communicate? How are the patterns different between suc-
cessful deals and failed deals? What knowledge and insight resides in the thousands
of messages and gigabytes of content? The tools and techniques of Big Data applied
to e-mail can bring powerful business insights. However, we have to know what
questions to ask. According to Computerworld , “the hardest part of using big data is
trying to get business people to sit down and defi ne what they want out of the huge
amount of unstructured and semi-structured data that is available to enterprises
these days.”15
Key steps in driving information value are: (1) clean; (2) build and maintain;
and (3) monetize.

BUSINESS CONSIDERATIONS FOR A SUCCESSFUL IG PROGRAM 107
The analytics challenges of Big Data create opportunities. For example, McKinsey pre-
dicts that demand for “deep analytical talent in the United States could be 50 to 60
percent greater than its projected supply by 2018.” A chief reason for this gap is that
“this type of talent is diffi cult to produce, taking years of training in the case of some-
one with intrinsic mathematical abilities.” However, the more profound opportunity
is for the “1.5 million extra additional managers and analysts in the United States
who can ask the right questions and consume the results of the analysis of big data
effectively.” 16
Some companies are using analytics to set prices. For example, the largest dis-
tributor of heating oil in the United States sets prices on the fl y, based on commodity
prices and customer retention risks. 17 In a case that caught the attention of morning
news shows, with breathless headlines like “Are Mac Users Paying More?” an online
travel company revealed that “Mac users are 40 percent more likely to book four or
fi ve-star hotels . . . compared to PC users.”18 Despite the headlines, the company was
not charging Mac users more. Rather, computer brand was a variable used to deter-
mine which products were highlighted.
The path to information value is not necessarily linear. Different parts of your
business may achieve maturity at different rates, driven by the unique risks and op-
portunities of the information they possess.
Challenging the Culture
The best models for calculating the total cost of owning unstructured are those that
information professionals can use to challenge and change organizational culture.
Much of the unstructured information that represents the greatest cost and risk to
organizations is created, communicated, and managed directly by employees—that is,
by human beings. As such, better IG relies in part on improving the way those human
beings use and manage information.
New Information Models
The “information calorie” and “information cap-and-trade,” explored next, are two
new models designed to help with the challenge of governing information.
Table 7.1 Key Steps in the IG Process
1. Clean 2. Build and Maintain 3. Monetize
Information inventory IG policies and procedures Create value through
information, e.g., drive sales and
improve customer satisfaction
Defensible deletion Corporate governance,
compliance and audit
Business insights
Records retention and legal hold Technology Increase margins
Source: Barclay T. Blair

108 INFORMATION GOVERNANCE
Information Calorie
The Western world is suffering from an embarrassment of riches when it comes to
calories. The calorie has been weaponized in the form of tasty, cheap, and fast food
loaded with sugar and fat. Even a cup of “coffee” can contain as much as 800 calories.19
We have gotten very, very good at maximizing available calories, at a staggering cost:
$190 billion per year in additional medical spending as a result of obesity in the United
States, greater than the cost of smoking. 20
Governments are taking action. A new national health care law in the United
States requires restaurant chains to disclose calorie counts for the food they sell by
2013, building on similar state laws.21 Calories are not inherently bad. We would liter-
ally die without them. But too many calories make us sick.
The analogy to information is clear. Information is the “lifeblood” of our organi-
zations and is central to our survival. But too much unmanaged unstructured informa-
tion leaves us fat, slow, and coughing and wheezing at the back of the pack.
In 2012, New York City initially passed a controversial law limiting the size of
soft drinks that can be sold at movie theaters and convenience stores (later chal-
lenged in court). The “Bloomberg soda ban” was based on the premise that humans
need help making good choices. There is some basis for this approach, with studies
showing that, for example, the size of the candy scoop determines how much free
candy we eat.22 Under the new law, it was still possible in New York to buy two
smaller cups of soda, but it was hoped that inconvenience (and cost) will reduce
overconsumption.
A new study . . . examined consumer behavior before and after calorie counts
were posted, and determined that when restaurants post calories on menu
boards, there is a reduction in calories per transaction.
—Bryan Bollinger, Phillip Leslie, Alan Sorensen, “Calorie Posting in Chain
Restaurants,” Stanford University, January 2010
Thinking about information as calories at your organization can improve aware-
ness of its costs and drive change. The goal is not to add friction to desirable behaviors,
like collaboration and mobile work, but rather to make it more diffi cult to create and
consume empty information calories.
Here are some tips to get started:
■ Educate executives and employees about the cost of information mismanagement s
through anecdotes, case studies, and facts.
■ Show employees their information footprint by regularly exposing them to the t
amount of data storage they are using in e-mail, shared drives, content man-
agement systems, and other environments they work with. With a little creative
programming, you can post “information calories” on your menus.
■ Design systems to minimize information calories. Examples include: preventing
employees from exporting e-mail to .pst fi les; turning off the ability to store
documents on desktop hard drives to encourage the use of managed collabo-
ration environment; and requiring employees to send links to shared content
rather than creating yet another e-mail attachment. Clever technology and
social engineering, like the soda ban, can drive healthy information behavior.

BUSINESS CONSIDERATIONS FOR A SUCCESSFUL IG PROGRAM 109
Information Cap-and-Trade
Originally designed as a regulatory approach for fi ghting acid rain in the 1980s,
cap-and-trade has gained new attention as a method of curbing carbon emissions.
Cap-and-trade systems differ from command-and-control regulatory approaches that
mandate, rather than economically encourage, a course of action. In other words,
rather than forcing companies to install scrubbers on power plant exhausts (command
and control), cap-and-trade provides companies with an emissions quota, which they
can hit as they see fi t, and even profi t from. Companies with unused room on their
quota can sell those “credits” on specialized markets.
Consider a cap-and-trade system for information. Do not limit the creation and
storage of useful information—that defeats the purpose of investing in IT in the fi rst l
place. Rather, design a cap-and-trade system that controls the amount of information
pollution and rewards innovation and management discipline.
While there is no objective “right amount” of information for every organization
or department, we can certainly do better than “as much as you want, junk or not.”
After all, “nearly all sectors in the US economy had at least an average of 200 terabytes
of stored data . . . and many sectors had more than 1 petabyte in mean stored data per
company.” 23 Moreover, up to 50 percent of that information is easily identifi able as
data pollution. 24 So, we have a reasonable starting point.
Here are some tips for creating an information cap-and-trade system:
■ Baseline the desired amount of information per system, department, and/or type t
of user. How much information do you currently have? How much has value?
How much should you have? These are not easy questions to answer, but even
rough calculations can make a big difference.
■ Create information volume targets or quotas, and allocate them by business unit,
system, or user. This is the “cap” part of the system.
■ Calculate the fully loaded cost of a unit of information , and adopt it as a baseline
metric for the “trade” part of the system. Consider whether annual e-discovery
costs can be allocated to this unit in a reasonable way.
■ Create an internal accounting system for tracking and trading information units, s
or credits within the organization. Innovative departments will be rewarded,
laggards will be motivated.
■ Get creative in what the credits can purchase. New revenue-generating software?
Headcount?
“There’s not a person in a business anywhere who gets up in the morning and
says, ‘Gee, I want to race into the offi ce to follow some regulation.’ On the
other hand, if you say, ‘There’s an upside potential here, you’re going to make
money,’ people do get up early and do drive hard around the possibility of
fi nding themselves winners on this.”
—Dan Etsy, environmental policy professor at Yale University, quoted
in Richard Conniff, “The Political History of Cap and Trade,”
Smithsonian Magazine (August 2009)

110 INFORMATION GOVERNANCE
Future State: What Will the IG-Enabled Organization Look Like?
When an organization is IG enabled, or “IG mature”—meaning IG is infused into op-
erations throughout the enterprise and coordinated on an organization-wide level—it
will look signifi cantly different from most organizations today. Not only will the or-
ganization have a solid handle on the total cost of information; not only will it have
shifted resources to capitalize on the opportunities of Big Data; not only will it be
managing the deluge in a systematic, business-oriented way by cutting out data debris
and leveraging information value; it will also look signifi cantly different in key opera-
tional areas including legal, records and information management (RIM), and IT.
In legal matters, the mature IG-enabled organization will be better suited to ad-
dress litigation in a more effi cient way through a standardized legal hold notifi cation
(LHN) process. Legal risk is reduced through improved IG, which will manage infor-
mation privacy in accordance with applicable laws and regulations. During litigation,
your legal team will be able to sort through information more rapidly and effi ciently,
improving your legal posture, cutting e-discovery costs, and allowing for attorney time
to be focused on strategy and to zero in on key issues. This means attorneys should
have the technology tools to be more effective. Adherence to retention schedules
means that records and documents can be discarded at the earliest possible time, which
reduces the chances that some information could pose a legal risk. Hard costs can be
saved by eliminating that approximately 69 percent of stored information that no lon-
ger has business value. That cost savings may be the primary rationale for the initial
IG program effort. By leveraging advanced technologies such as predictive coding, the
organization can reduce the costs of e-discovery and better utilize attorney time.
Your RIM functions will operate with more effi ciency and in compliance with
laws and regulations. Appropriate retention periods will be applied and enforced, and
authentic, original copies of business records will be easily identifi able, so that manag-
ers are using current and accurate information on which to base their decisions. Over
the long term, valuable information from projects, product development, marketing
programs, and strategic initiatives will be retained in corporate memory, reducing the
impact of turnover and providing distilled information and knowledge to contribute to
a knowledge management (KM) program. KM programs can facilitate innovation int
organizations, as a knowledge base is built, retained, expanded, and leveraged.
In your IT operations, a focus on how IT can contribute to business objectives will
bring about a new perspective. Using more of a business lens to view IT projects will
help IT to contribute toward the achievement of business objectives. IT will be work-
ing more closely with legal, RIM, risk, and other business units, which should help
these groups to have their needs and issues better addressed by IT solutions. Having a
standardized data governance program in place means cleaning up corrupted or dupli-
cated data and providing users with clean, accurate data as a basis for line-of-business
software applications and for decision support analytics in business intelligence (BI)
applications. Better data is the basis for improved insights, which can be gained by
leveraging BI and will improve management decision-making capabilities and help
to provide better customer service, which can impact customer retention. It costs a
lot more to gain a new customer than to retain an existing one, and with better data
quality, the opportunities to cross-sell and upsell customers are improved. This can
provide a sustainable competitive advantage. Standardizing the use of business terms
will facilitate improved communications between IT and other business units, which

BUSINESS CONSIDERATIONS FOR A SUCCESSFUL IG PROGRAM 111
should lead to improved software applications that address user needs. Adhering to
information life cycle management principles will help the organization to apply the
proper level of IT resources to its high-value information while decreasing costs by
managing information of declining value appropriately. IT effectiveness and effi ciency
will be improved by using IT frameworks and standards, such as CobiT 5 and ISO/
IEC 38500:2008, the international standard that provides high-level principles and
guidance for senior executives and directors, and those advising them, for the effec-
tive and effi cient governance of IT. 25 Implementing a master data management pro-
gram will help larger organizations with complex IT operations to ensure that they are
working with consistent data from a single source. Improved database security through
data masking, database activity monitoring, database auditing, and other tools will help
guard the organization’s critical databases against the risk of rogue attacks by hackers.
Deploying document life cycle security tools such as data loss prevention and informa-
tion rights management will help secure your confi dential information assets and keep
them from prying eyes. This helps to secure the organization’s competitive position
and protect its valuable intellectual property.
By securing your electronic documents and data, not only within the organization
but also for mobile use, and by monitoring and complying with applicable privacy
laws, your confi dential information assets will be safeguarded, your brand will be bet-
ter protected, and your employees will be able to be productive without sacrifi cing the
security of your information assets.
Moving Forward
We are not very good at fi guring out what unstructured information costs. The Big
Data deluge is upon us. If we hope to manage—and, more important, to monetize—
this deluge, we must form cross-functional teams and challenge the way our organi-
zations think about unstructured information. The fi rst and most important step is
developing the ability to convincingly calculate what unstructured information really
costs and then to discover ways we can recue those costs and drive value. These are
foundational skills for information professionals in the new era of Big Data. In this era,
information is currency—but a currency that has value only when IG professionals
drive innovation and management rigor in the unstructured information environment.
CHAPTER SUMMARY: KEY POINTS
■ The business case for IG programs has historically been diffi cult to justify.
■ It takes a commitment to the long view to develop a successful IG program.
■ The problem of unstructured IG is growing faster than the problem of data
volume itself.
■ IG professionals must be ready with new models that calculate the risks of
storing too much of the wrong information and also the benefi ts of clean,
reliable, accessible information.
(continued)dd

112 INFORMATION GOVERNANCE
■ Key steps in driving information value are: (1) clean; (2) build and maintain;
and (3) monetize.
■ The information calorie approach and information cap-and-trade are two
new models for assisting in IG.
■ Legal risk is reduced through improved IG, and legal costs are reduced.
■ Leveraging newer technologies like predictive coding can improve the ef-
fi ciency of legal teams.
■ Adherence to retention schedules means that records and documents can
be discarded at the earliest possible time, which reduces costs by eliminating
unneeded information that no longer has business value.
■ RIM functions will operate with more effi ciency and in compliance with laws
and regulations under a successful IG program.
■ A compliant RIM program helps to build the organization’s corporate memo-
ry of essential “lessons learned,” which can foster a KM program.
■ KM programs can facilitate innovation in organizations.
■ Focusing on business impact and customizing your IG approach to meet
business objectives are key best practices for IG in the IT department.
■ Effective data governance can yield bottom-line benefi ts derived from new
insights, especially with the use of business intelligence software.
■ IT governance seeks to align business objectives with IT strategy to deliver
business value.
■ Using IT frameworks like CobiT 5 can improve the ability of senior manage-
ment to monitor IT value and processes.
■ Identifying sensitive information in your databases and implementing data-
base security best practices help reduce organizational risk and the cost of
compliance.
■ By securing your electronic documents and data, your information assets will
be safeguarded and your organization can more easily comply with privacy
laws and regulations.
■ We are not very good at fi guring out what unstructured information costs. To
thrive in the era of Big Data requires challenging the way we think about the
cost of managing unstructured information.
CHAPTER SUMMARY: KEY POINTS (Continued )

BUSINESS CONSIDERATIONS FOR A SUCCESSFUL IG PROGRAM 113
Notes
1. International Data Corporation, “The 2011 Digital Universe Study,” June 2011. www.emc.com/
leadership/programs/digital-universe.htm (accessed November 25, 2013).
2. Richard B. Schmidt, “The Cyber Suit: How Computers Aided Lawyers In Diet-Pill Case,” Wall Street
Journal , October 8, 1999. http://webreprints.djreprints.com/00000000000000000012559001.htmll
3. Nick Bilton, “At Davos, Discussions of a Global Data Deluge,” New York Times , January 25, 2012,s
http://bits.blogs.nytimes.com/2012/01/25/at-davos-discussions-of-a-global-data-deluge/; Alex Pent-
land, quoted by Edge.org in “Reinventing Society in the Wake of Big Data,” August 8, 2012, www
.edge.org/conversation/reinventing-society-in-the-wake-of-big-data; World Economic Forum, “Per-
sonal Data: The Emergence of a New Asset Class” (January 2011), http://www3.weforum.org/docs/
WEF_ITTC_PersonalDataNewAsset_Report_2011
4. James Manyika et al., “Big Data: The Next Frontier for Innovation, Competitions, and Productivity,”
McKinsey Global Institute, May 2011, www.mckinsey.com/insights/business_technology/big_data_
the_next_frontier_for_innovation
5. Janna Quitney Anderson and Lee Ranie, “Future of the Internet: Big Data,” Pew Internet and American
Life Project, July 20, 2012, http://pewinternet.org/~/media//Files/Reports/2012/PIP_Future_of_
Internet_2012_Big_Data
6. Louis Columbus, “Roundup of Big Data Forecasts and Market Estimates, 2012,” Forbes , August 16, s
2012, www.forbes.com/sites/louiscolumbus/2012/08/16/roundup-of-big-data-forecasts-and-market-
estimates-2012/
7. McKinsey Global Institute, “Big Data: The Next Frontier for Innovation, Competitions, and produc-
tivity,” May 2011.
8. U.S. EPA, “Making Solid Waste Decisions with Full Cost Accounting,” n.d., www.epa.gov/osw/
conserve/tools/fca/docs/primer (accessed November 25, 2013).
9. Nicholas M. Pace and Laura Zakaras, “Where the Money Goes: Understanding Litigant Expenditures
for Producing Electronic Discovery,” RAND Institute for Civil Justice, 2012. www.rand.org/content/
dam/rand/pubs/monographs/2012/RAND_MG1208 (accessed November 25, 2013).
10. Accounts Payable Network, “A Detailed Guide to Imaging and Workfl ow ROI,” 2010.
11. Various sources. See, for example: Barclay T. Blair, “Today’s PowerPoint Slide: The Origins of Informa-
tion Governance by the Numbers,” October 28, 2010. http://barclaytblair.com/origins-of-information-
governance-powerpoint/ (accessed November 25, 2013).
12. Brooklyn Navy Yard Development Corporation, “The History of Brooklyn Navy Yard,” www
.brooklynnavyyard.org/history.html (accessed November 25, 2013).
13. James Manyika et al., “Big Data.”
14. Barclay Blair and Barry Murphy, “Defi ning Information Governance: Theory or Action? Results of the
2011 Information Governance Survey,” ViaLumina, eDiscovery Journal (September 2011).l
15. Jaikumar Vijayan, “Finding the Business Value in Big Data Is a Big Problem,” Computerworld , Septemberd
12, 2012, www.computerworld.com/s/article/9231224/Finding_the_business_value_in_big_data_is_a_
big_problem
16. James Manyika et al., “Big Data.”
17. Economist Intelligence Unit, “Leveling the Playing Field: How Companies Use Data to Create
Advantage” (January 2011), http://blogs.sap.com/wp-content/blogs.dir/15/fi les/2012/02/EIU_
Levelling_The_Playing_Field_1
18. Genevieve Shaw Brown, “Mac Users My See Pricier Options on Orbitz,” ABC Good Morn-
ing America , June 25, 2012, http://abcnews.go.com/Travel/mac-users-higher-hotel-prices-orbitz/
story?id=16650014#.UDlkVBqe7oV
19. “Health Care Bill Requires Calories on Menus at Chain Restaurants,” USA Today , March 23, 2010,
http://usatoday30.usatoday.com/news/health/weightloss/2010-03-23-calories-menus_N.htm
20. Sharon Beley, “As America’s Waistline Expands, Cost Soar,” Reuters, April 30, 2012, www.reuters
.com/article/2012/04/30/us-obesity-idUSBRE83T0C820120430
21. Stephanie Rosenbloom, “Calorie Data to Be Posted at Most Chains,” New York Times , March 23, 2010,s
www.nytimes.com/2010/03/24/business/24menu.html
22. James Surowiecki, “Downsizing Supersize,” New Yorker , August 13, 2012, www.newyorker.com/talk/r
fi nancial/2012/08/13/120813ta_talk_surowiecki
23. Manyika et al., “Big Data.”
24. Blair and Murphy, “Defi ning Information Governance.”
25. International Organization for Standardization, ISO/IEC 38500:2008, Corporate governance of infor-
mation technology. www.iso.org/iso/catalogue_detail?csnumber=51639 (accessed November 25, 2013).

http://www.emc.com/leadership/programs/digital-universe.htm

http://webreprints.djreprints.com/00000000000000000012559001.html

http://www3.weforum.org/docs/WEF_ITTC_PersonalDataNewAsset_Report_2011

http://www.mckinsey.com/insights/business_technology/big_data_the_next_frontier_for_innovation

http://pewinternet.org/~/media//Files/Reports/2012/PIP_Future_of_Internet_2012_Big_Data

http://www.forbes.com/sites/louiscolumbus/2012/08/16/roundup-of-big-data-forecasts-and-market-estimates-2012/

http://www.epa.gov/osw/conserve/tools/fca/docs/primer

http://www.rand.org/content/dam/rand/pubs/monographs/2012/RAND_MG1208

http://barclaytblair.com/origins-of-information-governance-powerpoint/

http://www.computerworld.com/s/article/9231224/Finding_the_business_value_in_big_data_is_a_big_problem

http://blogs.sap.com/wp-content/blogs.dir/15/files/2012/02/EIU_Levelling_The_Playing_Field_1

http://abcnews.go.com/Travel/mac-users-higher-hotel-prices-orbitz/story?id=16650014#.UDlkVBqe7oV

http://usatoday30.usatoday.com/news/health/weightloss/2010-03-23-calories-menus_N.htm

http://www.reuters.com/article/2012/04/30/us-obesity-idUSBRE83T0C820120430

http://www.nytimes.com/2010/03/24/business/24menu.html

http://www.newyorker.com/talk/financial/2012/08/13/120813ta_talk_surowiecki

http://www.iso.org/iso/catalogue_detail?csnumber=51639

http://www.emc.com/leadership/programs/digital-universe.htm

http://www.edge.org/conversation/reinventing-society-in-the-wake-of-big-data

http://www3.weforum.org/docs/WEF_ITTC_PersonalDataNewAsset_Report_2011

http://www.mckinsey.com/insights/business_technology/big_data_the_next_frontier_for_innovation

http://pewinternet.org/~/media//Files/Reports/2012/PIP_Future_of_Internet_2012_Big_Data

http://www.epa.gov/osw/conserve/tools/fca/docs/primer

http://www.rand.org/content/dam/rand/pubs/monographs/2012/RAND_MG1208

http://www.computerworld.com/s/article/9231224/Finding_the_business_value_in_big_data_is_a_big_problem

http://blogs.sap.com/wp-content/blogs.dir/15/files/2012/02/EIU_Levelling_The_Playing_Field_1

http://abcnews.go.com/Travel/mac-users-higher-hotel-prices-orbitz/story?id=16650014#.UDlkVBqe7oV

http://www.reuters.com/article/2012/04/30/us-obesity-idUSBRE83T0C820120430

http://www.newyorker.com/talk/financial/2012/08/13/120813ta_talk_surowiecki

http://www.brooklynnavyyard.org/history.html

115
By Robert Smallwood with Randy Kahn,
Esq. , and Barry Murphy
Information
Governance and Legal
Functions
C H A P T E R 8
P
erhaps the key functional area that information governance (IG) impacts most is
legal functions, since legal requirements are paramount. Failure to meet them can
literally put an organization out of business or land executives in prison. Privacy,
security, records management, information technology (IT), and business manage-
ment functions are important—very important—but the most signifi cant aspect of all
of these functions relates to legality and regulatory compliance.
Key legal processes include electronic discovery (e-discovery) readiness and as-
sociated business processes, information and record retention policies, the legal hold
notifi cation (LHN) process, and legally defensible disposition practices.
Some newer technologies have become viable to assist organizations in imple-
menting their IG efforts, namely, predictive coding and g technology-assisted review
(TAR; also known as computer-assisted review ). In this chapter we explore the need ww
for leveraging IT in IG efforts aimed at defensible disposition, the intersection be-
tween IG processes and legal functions, policy implications, and some key enabling
technologies.
Introduction to e-Discovery: The Revised 2006 Federal Rules of
Civil Procedure Changed Everything
Since 1938, the Federal Rules of Civil Procedure (FRCP) “have governed the
discovery of evidence in lawsuits and other civil cases.” 1 In law, discovery is an early y
phase of civil litigation where plaintiffs and defendants investigate and exchange
evidence and testimony to better understand the facts of a case and to make early
determinations of the strength of arguments on either side. Each side must produce
evidence requested by the opposition or show the court why it is unreasonable to pro-
duce the information.
The FRCP apply to U.S. district courts, which are the trial courts of the fed-
eral court system. The district courts have jurisdiction (within limits set by Congress
and the Constitution) to hear nearly all categories of federal cases, including civil and
criminal matters. 2

116 INFORMATION GOVERNANCE
The FRCP were amended in 2006, and some of the revisions apply specifi cally to
the preservation and discovery of electronic records in the litigation process. 3 These
changes were a long time coming, refl ecting the lag between the state of technology
and the courts’ ability to catch up to the realities of electronically generated and stored
information.
After years of applying traditional paper-based discovery rules to e-discovery,
amendments to the FRCP were made to accommodate the modern practice of discov-
ery of electronically stored information (ESI). ESI is any information that is created
or stored in electronic format. The goal of the 2006 FRCP amendments was to recog-
nize the importance of ESI and to respond to the increasingly prohibitive costs of
document review and protection of privileged documents. These amendments rein-
forced the importance of IG policies, processes, and controls in the handling of ESI. 4
Organizations must produce requested ESI reasonably quickly, and failure to do so, or
failure to do so within the prescribed time frame, can result in sanctions. This require-
ment dictates that organizations put in place IG policies and procedures to be able to
produce ESI accurately and in a timely fashion. 5
All types of litigation are covered under the FRCP, and all types of e-documents—
most especially e-mail—are included, which can be created, accessed, or stored in a
wide variety of methods, and on a wide variety of devices beyond hard drives. The
FRCP apply to ESI held on all types of storage and communications devices: thumb
drives, CDs/DVDs, smartphones, tablets, personal digital assistants (PDAs), personal
computers, servers, zip drives, fl oppy disks, backup tapes, and other storage media. ESI
content can include information from e-mail, reports, blogs, social media posts (e.g.,
Twitter posts), voicemails, wikis, websites (internal and external), word processing
documents, and spreadsheets, and includes the metadata associated with the content
itself, which provides descriptive information. 6
Under the FRCP amendments, corporations must proactively manage the
e-discovery process to avoid sanctions, unfavorable rulings, and a loss of public trust.
Corporations must be prepared for early discussions on e-discovery with all depart-
ments. Topics should include the form of production of ESI and the methods for pres-
ervation of information. Records management and IT departments must have made
available all relevant ESI for attorney review. 7
This new era of ESI preservation and production demands the need for cross-
functional collaboration: records management, IT, and legal teams particularly need to
work closely together. Legal teams, with assistance and input of records management
staff, must identify relevant ESI, and IT teams must be mindful of preserving and pro-
tecting the ESI to maintain its legal integrity and prove its authenticity.
Legal functions are the most important area of IG impact.
ESI is any information that is created or stored in electronic format.

INFORMATION GOVERNANCE AND LEGAL FUNCTIONS 117
Big Data Impact
Now throw in the Big Data effect: The average employee creates roughly one giga-
byte of data annually (and growing), and data volumes are expected to increase over
the next decade not 10-fold, or even 20-fold, but as much as 40 to 50 times what it
is today! 8 This underscores the fact that organizations must meet legal requirements
while paring down the mountain of data debris they are holding to reduce costs and
potential liabilities hidden in that monstrous amount of information. There are also
costs associated with dark data— unknown or useless data, such as old log fi les, that
takes up space and continues to grow and needs to be cleaned up.
Some data is important and relevant, but distinctions must be made by IG policy
to classify, prioritize, and schedule data for disposition and to dispose of the majority of
it in a systematic, legally defensible way. If organizations do not accomplish these critical
IG tasks they will be overburdened with storage and data handling costs and will be
unable to meet legal obligations.
According to a recent survey, approximately 25 percent of information stored in
organizations has real business value, while 5 percent must be kept as business records
and about 1 percent is retained due to a litigation hold. 9 “This means that [about] 69 per-
cent of information in most companies has no business, legal, or regulatory value. Companies
that are able to [identify and] dispose of this debris return more profi t to sharehold-
ers, can use more of their IT budgets for strategic investments, and can avoid excess
expense in legal and regulatory response” (emphasis added).
If organizations are not able to draw clear distinctions between that roughly 30
percent of “high-value” business data, records, and that which is on legal hold, their IT
department are tasked with the impossible job of managing all data as if it is high value.
This “overmanaging” of information is a signifi cant waste of IT resources. 10
More Details on the Revised FRCP Rules
Here we present a synopsis of the key points in FRCP rules that apply to e-discovery.
FRCP 1—Scope and Purpose. This rule is simple and clear; its aim is to “secure the
just, speedy, and inexpensive determination of every action.”11 Your discovery
effort and responses must be executed in a timely manner.
The amended FRCP reinforce the importance of IG. Only about 25 percent of
business information has real value, and 5 percent are business records.
The goal of the FRCP amendments is to recognize the importance of ESI and
to respond to the increasingly prohibitive costs of document review and pro-
tection of privileged documents.

118 INFORMATION GOVERNANCE
FRCP 16—Pretrial Conferences; Scheduling; Management . This rule provides guide-t
lines for preparing for and managing the e-discovery process; the court expects
IT and network literacy on both sides, so that pretrial conferences regarding
discoverable evidence are productive.
FRCP 26—Duty to Disclose; General Provisions Governing Discovery. This rule pro-
tects litigants from costly and burdensome discovery requests, given certain
guidelines.
FRCP 26(a)(1)(C): Requires that you make initial disclosures no later than 14
days after the Rule 26(f) meet and confer, unless an objection or another time
is set by stipulation or court order. If you have an objection, now is the time
to voice it.
Rule 26(b)(2)(B): Introduced the concept of not reasonably accessible ESI.
The concept of not reasonably accessible paper had not existed. This rule pro-r
vides procedures for shifting the cost of accessing not reasonably accessible
ESI to the requesting party.
FRCP 26(b)(5)(B): Gives courts a clear procedure for settling claims
when you hand over ESI to the requesting party that you shouldn’t have.
Rule 26(f): This is the meet and confer rule. This rule requires all par-
ties to meet within 99 days of the lawsuit’s fi ling and at least 21 days before a
scheduled conference.
Rule 26(g): Requires an attorney to sign every e-discovery request, re-
sponse, or objection.
FRCP 33—Interrogatories to Parties . This rule provides a defi nition of business e-s
records that are discoverable and the right of opposing parties to request and
access them.
FRCP 34—Producing Documents, Electronically Stored Information, and Tangible
Things, or Entering onto Land, for Inspection and Other Purposes . In disputes overs
document production, this rule outlines ways to resolve and move forward.
Specifi cally, FRCP 34(b) addresses the format for requests and requires that
e-records be accessible without undue diffi culty (i.e., the records must be orga-
nized and identifi ed). The requesting party chooses the preferred format, which
are usually native fi les (which also should contain metadata). The key point is
that electronic fi les must be accessible, readable, and in a standard format.
FRCP 37—Sanctions . Rule 37(e) is known as the safe harbor rule. In principle, it s
keeps the court from imposing sanctions when ESI is damaged or lost through
routine, “good faith” operations, although this has proven to be a high standard
to meet. This rule underscores the need for a legally defensible document man-
agement program under the umbrella of clear IG policies.
The Big Data trend underscores the need for defensible deletion of data debris.

INFORMATION GOVERNANCE AND LEGAL FUNCTIONS 119
Landmark E-Discovery Case: Zubulake v. UBS Warburg
A landmark case in e-discovery arose from the opinions rendered in Zubulake v. U.B.S.
Warburg , an employment discrimination case where the plaintiff, Laura Zubulake, g
sought access to e-mail messages involving or naming her. Although UBS produced
over 100 pages of evidence, it was shown that employees intentionally deleted some
relevant e-mail messages. 12 The plaintiffs requested copies of e-mail from backup
tapes, and the defendants refused to provide them, claiming it would be too expensive
and burdensome to do so.
The judge ruled that U.B.S. had not taken proper care in preserving the e-mail
evidence, and the judge ordered an adverse inference (assumption that the evidence
was damaging) instruction against U.B.S. Ultimately, the jury awarded Zubulake over
$29 million in total compensatory and punitive damages. “The court looked at the
proportionality test of Rule 26(b)(2) of the Federal Rules of Civil Procedure and
applied it to the electronic communication at issue. Any electronic data that is as ac-
cessible as other documentation should have traditional discovery rules applied.” 13
Although Zubulake’s award was later overturned on appeal, it is clear the stakes are
huge in e-discovery and preservation of ESI.
E-Discovery Techniques
Current e-discovery techniques include online review, e-mail message archive review,
and cyberforensics. Any and all other methods of seeking or searching for ESI may be
employed in e-discovery. Expect capabilities for searching, retrieving, and translating
ESI to improve, expanding the types of ESI that are discoverable. Consider this
potential when evaluating and developing ESI management practices and policies.14
E-Discovery Reference Model
The E-Discovery Reference Model is a visual planning tool created by EDRM.net
to assist in identifying and clarifying the stages of the e-discovery process. Figure 8.1
is the graphic depiction with accompanying detail on the process steps.
Information Management. Getting your electronic house in order to miti-
gate risk and expenses should e-discovery become an issue, from initial cre-
ation of electronically stored information through its fi nal disposition
Identifi cation. Locating potential sources of ESI and determining their
scope, breadth, and depth
In the landmark case Zubulake v. U.B.S. Warburg , the defendants were severelyg
punished by an adverse inference for deleting key e-mails and not producing
copies on backup tapes.

120 INFORMATION GOVERNANCE
Preservation. Ensuring that ESI is protected against inappropriate altera-
tion or destruction
Collection. Gathering ESI for further use in the e-discovery process (pro-
cessing, review, etc.)
Processing. Reducing the volume of ESI and converting it, if necessary, to
forms more suitable for review and analysis
Review. Evaluating ESI for relevance and privilege
Analysis. Evaluating ESI for content and context, including key patterns,
topics, people, and discussion
Production. Delivering ESI to others in appropriate forms, and using ap-
propriate delivery mechanisms
SEVEN STEPS OF THE E-DISCOVERY PROCESS
In the e-discovery process, you must perform certain functions for identifying
and preserving electronically stored (ESI), and meet requirements regarding
conditions such as relevancy and privilege. Typically, you follow this e-disco-
very process:
1. Create and retain ESI according to an enforceable electronic records reten-
tion policy and electronic records management (ERM) program. Enforce
the policy, and monitor compliance with it and the ERM program.
2. Identify the relevant ESI, preserve any so it cannot be altered or destroyed,
and collect all ESI for further review.
3. Process and fi lter the ESI to remove the excess and duplicates. You reduce
costs by reducing the volume of ESI that moves to the next stage in the
e-discovery process.
4. Review and analyze the fi ltered ESI for privilege because privileged ESI is
not discoverable, unless some exception kicks in.
5. Produce the remaining ESI, after fi ltering out what’s irrelevant, duplicated,
or privileged. Producing ESI in native format is common.
6. Clawback the ESI that you disclosed to the opposing party that you should
have fi ltered out, but did not. Clawback is not unusual, but you have to
work at getting clawback approved, and the court may deny it.
7. Present at trial if your case hasn’t settled. Judges have little to no patience
with lawyers who appear before them not understanding e-discovery and
the ESI of their clients or the opposing side.
Source: Linda Volonino and Ian Redpath, e -Discovery for Dummies (Hoboken, NJ: John Wiley s
& Sons, 2010), http://www.dummies.com/how-to/content/ediscovery-for-dummies-cheat-
sheet.html (accessed May 22, 2013). Used with permission.

http://www.dummies.com/how-to/content/ediscovery-for-dummies-cheat-sheet.html

INFORMATION GOVERNANCE AND LEGAL FUNCTIONS 121
Presentation. Displaying ESI before audiences (at depositions, hearings,
trials, etc.), especially in native and near-native forms, to elicit further infor-
mation, validate existing facts or positions, or persuade an audience15
The Electronic Discovery Reference Model can assist organizations in focusing
and segmenting their efforts when planning e-discovery initiatives.
Guidelines for E-Discovery Planning
1. Implement an IG program. The highest impact area to focus are your legal
processes, particularly e-discovery. From risk assessment to processes, com-
munications, training, controls, and auditing, fully implement IG to improve
and measure compliance capabilities.
2. Inventory your ESI. File scanning and e-mail archiving software can assist you.
You also will want to observe fi les and data fl ows by doing a walk-through
beginning with centralized servers in the computer room and moving out into
business areas. Then, using a prepared inventory form, you should interview
users to fi nd out more detail. Be sure to inventory ESI based on computer
systems or applications, and diagram it out.
3. Create and implement a comprehensive records retention policy, and also include
an e-mail retention policy and retention schedules for major ESI areas. This is
required since all things are potentially discoverable. You must devise a
comprehensive retention and disposition policy that is legally defensible.
Figure 8.1 Electronic Discovery Reference Model
Source: EDRM (edrm.net)
Information
Management
VOLUME RELEVANCE
Identification
Preservation
Processing
Review Production Presentation
Analysis
Electronic Discovery Reference Model/©2009/v2.0/edrm.net
Collection
The E-Discovery Reference Model is in a planning tool that presents key
e-discovery process steps.

122 INFORMATION GOVERNANCE
So, for instance, if your policy is to destroy all e-mail messages that do
not have a legal hold (or are expected to) after 90 days and you apply that
policy uniformly, you will be able to defend the practice in court. Also,
implementing the retention policy reduces your storage burden and costs
while cutting the risk of liability that might be buried in obscure e-mail
messages.
4. As an extension of your retention policy, implement a legal hold policy that is
enforceable, auditable, and legally defensible. Be sure to include all potentially
discoverable ESI XE “litigation:e-discovery”. We discuss legal holds in more
depth later in this chapter, but be sure to cast a wide net when developing
retention policies so that you include all relevant electronic records, such
as e-mail, e-documents and scanned documents, storage discs, and backup
tapes.
5. Leverage technology. Bolster your e-discovery planning and execution efforts
by deploying enabling technologies, such as e-mail archiving, advanced enter-
prise search, TAR, and predictive coding.
6. Develop and execute your e-discovery plan. You may want to begin from this point
forward with new cases, and bear in mind that starting small and piloting is
usually the best course of action.
The Intersection of IG and E-Discovery
By Barry Murphy
Effective IG programs can alleviate e-discovery headaches by reducing the amount
of information to process and review, allowing legal teams to get to the facts of a case
quickly and effi ciently, and can even result in better case outcomes. Table 8.1 shows the
impact of IG on e-discovery, by function.
Legal Hold Process
The legal hold process is a foundational element of IG.16 The way the legal hold process
is supposed to work is that a formal system of polices, processes, and controls is put
in place to notify key employees of a civil lawsuit (or impending one) and the set of
documents that must put on legal hold. These documents, e-mail messages, and other
relevant ESI must be preserved in place and no longer edited or altered so that they
may be reviewed by attorneys during the discovery phase of the litigation. But, in prac-
tice, this is not always what takes place. In fact, the opposite can take place —employees
can quickly edit or even delete relevant e-documents that may raise questions or even
Implementing IG, inventorying ESI, and leveraging technology to implement
records retention and LHN policies are key steps in e-discovery planning.

INFORMATION GOVERNANCE AND LEGAL FUNCTIONS 123
implicate them. This is possible only if proper IG controls are not in place, monitored,
enforced, and audited.
Many organizations start with Legal Hold Notifi cation (LHN) management as
a very discrete IG project. LHN management is arguably the absolute minimum an orga-
nization should be doing in order to meet the guidelines provided by court rules, com-g
mon law, and case law precedent. It is worth noting, though, that the expectation is
that organizations should connect the notifi cation process to the actual collection and
preservation of information in the long term.
Table 8.1 IG Impact on E-Discovery
Impact Function
Cost reduction Reduce downstream costs of processing and review by
defensibly disposing of data according to corporate retention
policies
Reduce cost of collection by centralizing collection interface to
save time
Keep review costs down by prioritizing documents and
assigning to the right level associates (better resource utilization)
Reduce cost of review by culling information with advanced
analytics
Risk management Reduce risk of sanctions by managing the process of LHN
and the collection and preservation of potentially responsive
information
Better litigation win rates Optimize decision making (e.g., settling cases that can’t
be won) quickly with advanced analytics that prioritize hot
documents
Quickly fi nd the necessary information to win cases with
advanced searches and prioritized review
Strategic planning for matters
based on merit
Determine the merits of a matter quickly and decide if it is a
winnable case
Quickly route prioritized documents to the right reviewers via
advanced analytics (e.g., clustering)
Strategic planning for matters
based on cost
Quickly determine how much litigation will cost via early access
to amount of potentially responsive information and prioritized
review to make decisions based on the economics of the matter
(e.g., settle for less than the cost of litigation)
Litigation budget optimization Minimize litigation budget by only pursuing winnable cases
Minimize litigation budget by utilizing the lowest cost resources
possible while putting high-cost resource on only the necessary
documents
Source: Barry Murphy, eDiscovery Journal http://ediscoveryjournal.com/l
LHN management is the absolute minimum an organization should imple-
ment to meet the guidelines, rules, and precedents.

HOME

124 INFORMATION GOVERNANCE
How to Kick-Start Legal Hold Notifi cation
Implementing an LHN program attacks some of the lower-hanging fruit within an or-
ganization’s overall IG position. This part of the e-discovery life cycle must not be outsourced. d
Retained counsel provides input, but the mechanics of LHN are managed and owned
by internal corporate resources.
In preparing for a LHN implementation project, it is important to fi rst lose the
perception that LHN tools are expensive and diffi cult to deploy. It is true that some of
these tools cost considerably more than others and can be complex to deploy; however,
that is because the tools in question go far beyond simple LHN and reach into enter-
prise systems and also handle data mapping, collection, and workfl ow processes. Other
options include Web-based hosted solutions, custom-developed solutions, or process-
es using tools already in the toolbox (e.g., e-mail, spreadsheets, word processing).
The most effective approach involves three basic steps:
1. Defi ne requirements.
2. Defi ne the ideal process.
3. Select the technology.
Defi ning both LHN requirements and processes should include input from key
stakeholders—at a minimum—in legal, records management, and IT. Be sure to take
into consideration the organization’s litigation profi le, corporate culture, and available
resources as part of the requirements and process defi ning exercise. Managing steps
1 and 2 thoroughly makes tool selection easier because defi ning requirements and
processes creates the confi dence of knowing exactly what the tool must accomplish.
IG and E-Discovery Readiness
Having a solid IG underpinning means that your organization will be better prepared to
respond and execute key tasks when litigation and the e-discovery process proceed. Your
policies will have supporting business processes, and clear lines of responsibility and
accountability are drawn. The policies must be reviewed and fi ne-tuned periodically, and
business processes must be streamlined and continue to aim for improvement over time.
In order for legal hold or defensible deletion (discussed in detail in the next
section—disposing of unneeded data, e-documents, and reports based on set policy)
projects to deliver the promised benefi t to e-discovery, it is important to avoid the very
real roadblocks that exist in most organization. To get the light to turn green at the
intersection of e-discovery and IG, it is critical to:
■ Establish a culture that both values information and recognizes the risks inherent in
it. Every organization must evolve its culture from one of keeping everything
to one of information compliance. This kind of change requires high-level ex-
ecutive support. It also requires constant training of employees about how to
create, classify, and store information. While this advice may seem trite, many
managers in leading organizations say that without this kind of culture change,
IG projects tend to be dead on arrival.
■ Create a truly cross-functional IG team. Culture change is not easy, but it can be
even harder if the organization does not bring all stakeholders together when
setting requirements for IG. Stakeholders include: legal; security and ethics; IT;

INFORMATION GOVERNANCE AND LEGAL FUNCTIONS 125
records management; internal audit; corporate governance; human resources;
compliance; and business units and employees. That is a lot of stakeholders. In
organizations that are successfully launching and executing IG projects, many
have dedicated IG teams. Some of those IG teams are the next generation of
records management departments, while others are newly formed. The stake-
holders can be categorized into three areas: legal/risk, IT, and the business.
The IG team can bring those areas together to ensure that any projects meet
requirements of all stakeholders.
■ Use e-discovery as an IG proof of concept . Targeted programs like e-discovery,t
compliance, and archiving have a history of return on investment (ROI)
and an ability to get budget. These projects are also challenging, but more
straightforward to implement and can address sub-sets of information in ear-
ly phases (e.g., only those information assets that are reasonable to account
for). The lessons learned from these targeted projects can then be applied to
other IG initiatives.
■ Measure ROI on more than just cost savings . Yes, one of the primary benefi ts of ad-s
dressing e-discovery via IG is cost reduction, but it is wise to begin measuring
all e-discovery initiatives on how they impact the life cycle of legal matters. The
effi ciencies gained in collecting information, for example, have benefi ts that go
way beyond reduced cost; the IT time not wasted on reactive collection is more
time available for innovative projects that drive revenue for companies. And a
better litigation win rate will make any legal team happier.
Building on Legal Hold Programs to Launch Defensible
Disposition
By Barry Murphy
Defensible deletion programs can build on legal hold programs, because legal hold
management is a necessary fi rst step before defensibly deleting anything. The standard
is “reasonable effort” rather than “perfection.” Third-party consultants or auditors can
support the diligence and reasonableness of these efforts.
Next, prioritize what information to delete and what information the organiza-
tion is capably able to delete in a defensible manner. Very few organizations are deleting
information across all systems. It can be overly daunting to try to apply deletion to all en-
terprise information. Choosing the most important information sources—e-mail, for
example—and attacking those fi rst may make for a reasonable and tenable approach.
For most organizations, e-mail is the most common information source to begin deleting. Why
e-mail? It is fairly easy for companies to put systematic rules on e-mail because the
technology is already available to manage e-mail in a sophisticated manner. Because
e-mail is such a critical data system, e-mail providers and e-mail archiving providers
early on provided for systematic deletion or application of retention rules. However, in
IG serves as the underpinning for effi cient e-discovery processes.

126 INFORMATION GOVERNANCE
non–e-mail systems, the retention and deletion features are less sophisticated; there-
fore, organizations do not systematically delete across all systems.
Once e-mail is under control, the organization can begin to apply lessons learned
to other information sources and eventually have better IG policies and processes that
treat information consistently based on content rather than on the repository.
Destructive Retention of E-mail
A destructive retention program is an approach to e-mail archiving where e-mail
messages are retained for a limited time (say, 90 days), followed by the permanent
manual or automatic deletion of the messages from the organization network, so long
as there is no litigation hold or the e-mail has not been declared a record.
E-mail retention periods can vary from 90 days to as long as seven years:
■ Osterman Research reports that “nearly one-quarter of companies delete e-
mail after 90 days.” 17
■ Heavily regulated industries, including energy, technology, communications,
and real estate, favor archiving for one year or more, according to Fulbright
and Jaworski research.
■ The most common e-mail retention period traditionally has been seven years;
however, some organizations are taking a hard-line approach and stating that
e-mails will be kept for only 90 days or six months, unless it is declared as
a record, classifi ed, and identifi ed with a classifi cation/retention category and
tagged or moved to a repository where the integrity of the record is protected
(i.e., the record cannot be altered and an audit trail on the history of the re-
cord’s usage is maintained).
Newer Technologies That Can Assist in E-Discovery
Few newer technologies are viable for speeding the document review process and im-
proving the ability to be responsive to court-mandated requests. Here we introduce pre-
dictive coding and technology-assisted review (also known as computer-assisted review),
the most signifi cant of new technology developments that can assist in e-discovery.
For most organizations, e-mail is the most common information source to
begin deleting according to established retention policies.
Destructive retention of e-mail is a method whereby e-mail messages are re-
tained for a limited period and then destroyed.

INFORMATION GOVERNANCE AND LEGAL FUNCTIONS 127
Predictive Coding
During the early case assessment (ECA) phase of e-discovery, t predictive coding is ag
“court-endorsed process” 18 utilized to perform document review. It uses human exper-
tise and IT to facilitate analysis and sorting of documents. Predictive coding software
leverages human analysis when experts review a subset of documents to “teach” the
software what to look for, so it can apply this logic to the full set of documents, 19 mak-
ing the sorting and culling process faster and more accurate than solely using human
review or automated review.
Predictive coding uses a blend of several technologies that work in concert:20 soft-
ware that performs machine learning (a type of g artifi cial intelligence software that
“learns” and improves its accuracy, fostered by guidance from human input and pro-
gressive ingestion of data sets—in this case documents); 21 workfl ow software, which w
routes the documents through a series of work steps to be processed; and text analyt-
ics software, used to perform functions such as searching for keywords (e.g., “asbestos”
in a case involving asbestos exposure). Then using keyword search capabilities, or con-
cepts using s pattern search or meaning-based search, and sifting through and sorting
documents into basic groups using fi ltering technologies, based on document content,g
and sampling a portion of documents to fi nd patterns and to review the accuracy of g
fi ltering and keyword search functions.
The goal of using predictive coding technology is to reduce the total group of
documents a legal team needs to review manually (viewing and analyzing them one
by one) by fi nding that gross set of documents that is most likely to be relevant or
responsive (in legalese) to the case at hand. It does this by automating, speeding up,
and improving the accuracy of the document review process to locate and “digitally
categorize” documents that are responsive to a discovery request. 22 Predictive coding,
when deployed properly, also reduces billable attorney and paralegal time and there-
fore the costs of ECA. Faster and more accurate completion of ECA can provide valu-
able time for legal teams to develop insights and strategies, improving their odds for
success. Skeptics claim that the technology is not yet mature enough to render more
accurate results than human review.
The fi rst state court ruling allowing the use of predictive coding technology in-
stead of human review to cull through approximately 2 million documents to “execute
a fi rst-pass review” was made in April 2012 by a Virginia state judge.23 This was the
fi rst time a judge was asked to grant permission without the two opposing sides fi rst
coming to an agreement. The case, Global Aerospace, Inc., et al. v. Landow Aviation, LP,
et al., stemmed from an accident at Dulles Jet Center.
In an exhaustive 156-page memorandum, which included dozens of pages
of legal analysis, the defendants made their case for the reliability, cost-
effectiveness, and legal merits of predictive coding. At the core of the memo
Predictive coding software leverages human analysis when experts review a
subset of documents to “teach” the software what to look for, so it can apply
this logic to the full set of documents.

128 INFORMATION GOVERNANCE
was the argument that predictive coding “is capable of locating upwards of
seventy-fi ve percent of the potentially relevant documents and can be effec-
tively implemented at a fraction of the cost and in a fraction of the time of
linear review and keyword searching.”24
This was the fi rst big legal win for predictive coding use in e-discovery.
Basic Components of Predictive Coding
Here is a summary of the main foundational components of predictive coding.
■ Human review. Human review is used to determine which types of document
content will be legally responsive based on a case expert’s review of a sampling
of documents. These sample documents are fed into the system to provide a
seed set of examples. 25
■ Text analytics. This involves the ability to apply “keyword-agnostic” (through a
thesaurus capability based on contextual meaning, not just keywords) to locate
responsive documents and build create seed document sets.
■ Workfl ow. Software to route e-documents through the processing steps auto-
matically to improve statistical reliability and streamlined processing.
■ Machine learning. The software “learns” what it is looking for and improves its
capabilities along the way through multiple, iterative passes.
■ Sampling. Sampling is best applied if it is integrated so that testing for accuracy
is an ongoing process. This improves statistical reliability and therefore defen-
sibility of the process in court.
Predictive Coding Is the Engine; Humans Are the Fuel
Predictive coding sounds wonderful, but it does not replace the expertise of an attorney;
it merely helps leverage that knowledge and speed the review process. It “takes all the
documents related to an issue, ranks and tags them so that a human reviewer can look
over the documents to confi rm relevance.” So it cannot work without human input to
let the software know what documents to keep and which ones to discard, but it is an
emerging technology tool that will play an increasingly important role in e-discovery.26
Technology-Assisted Review
TAR, also known as computer-assisted review, is not predictive coding. TAR includest
aspects of the nonlinear review process, such as culling, clustering and de-duplication,
but it does not meet the requirements for comprehensive predictive coding.
Many technologies can help in making incremental reductions in e-discovery
costs. Only fully integrated predictive coding, however, can completely transform the economics
of e-discovery .
Mechanisms of Technology-Assisted Review
There are three main mechanisms, or methods, for using technology to make legal
review faster, less costly, and generally smarter. 27
1. Rules driven. “I know what I am looking for and how to profi le it.” In this sce-
nario, a case team creates a set of criteria, or rules, for document review and

INFORMATION GOVERNANCE AND LEGAL FUNCTIONS 129
builds what is essentially a coding manual. The rules are fed into the tool for
execution on the document set. For example, one rule might be to “redact for
privilege any time XYZ term appears and add the term ‘redacted’ where the
data was removed.” This rule-driven approach requires iteration to truly be
effective. The case team will likely have rules changes and improvements as
the case goes on and more is learned about strategy and merit. This approach
assumes that the case team knows the document set well and can apply very
specifi c rules to the corpus in a reasonable fashion.
2. Facet driven. “I let the system show me the profi le groups fi rst.” In this sce-
nario, a tool analyzes documents for potential items of interest or groups
potentially similar items together so that reviewers can begin applying
decisions. Reviewers typically utilize visual analytics that guide them through
the process and take them to prioritized documents. This mechanism can also
be called present and direct.
3. Propagation based. “I start making decisions and the system looks for similar-
related items.” This type of TAR is about passing along, or propagating, what
is known based on a sample set of documents to the rest of the documents in
a corpus. In the market, this is often referred to as predictive coding because
the system predicts whether documents will be responsive or privileged based
on how other documents were coded by the review team. Propagation-based
TAR comes in different fl avors, but all involve an element of machine learning.
In some scenarios, a review team will have access to a seed set of documents
that the team codes and then feeds into the system. The system then mimics
the action of the review team as it codes the remainder of the corpus. In other
scenarios, there is not a seed set; rather, the systems give reviewers random
documents for coding and then create a model for relevance and nonrelevance.
It is important to note that propagation-based TAR goes beyond simple
mimicry; it is about creating a linguistic mathematical model for what
relevance looks like.
These TAR mechanisms are not mutually exclusive. In fact, combining the mecha-
nisms can help overcome the limitations of individual approaches. For example, if a doc-
ument corpus is not rich (e.g., does not have a high enough percentage of relevant documents), it
can be hard to create a seed set that will be a good training set for the propagation-based system.
However, it is possible to use facet-based TAR—for example, concept searching—to
more quickly fi nd the documents that are relevant so as to create a model for relevance
that the propagation-based system can leverage. 28
It is important to be aware that these approaches require more than just technology.
It is critical to have the right people in place to support the technology and the work-
fl ow required to conduct TAR. Organizations looking to exercise these mechanisms
of TAR will need:
■ Experts in the right tools and information retrieval. Software is an important part
of TAR. The team executing TAR will need someone that can program the tool
set with the rules necessary for the system to intelligently mark documents.
Furthermore, information retrieval is a science unto itself, blending linguistics,
statistics, and computer science. Anyone practicing TAR will need the right
team of experts to ensure a defensible and measurable process.

130 INFORMATION GOVERNANCE
■ Legal review team . While much of the chatter around TAR centers on its ability
to cut lawyers out of the review process, the reality is that the legal review team
will become more important than ever. The quality and consistency of the deci-
sions this team makes will determine the effectiveness that any tool can have in
applying those decisions to a document set.
■ Auditor. Much of the defensibility and acceptability of TAR mechanisms will
rely on the statistics behind how certain the organization can be that the out-
put of the TAR system matches the input specifi cation. Accurate measures of
performance are important not only at the end of the TAR process, but also
throughout the process in order to understand where efforts need to be focused
in the next cycle or iteration. Anyone involved in setting or performing mea-
surements should be trained in statistics.
For an organization to use a propagated approach, in addition to people it may need
a “seed” set of known documents. Some systems use random samples to create seed
sets while others enable users to supply small sets from the early case investigations.
These documents are reviewed by the legal review team and marked as relevant, privi-
leged, and the like. Then, the solution can learn from the seed set and apply what it
learns to a larger collection of documents. Often this seed set is not available, or the
seed set does not have enough positive data to be statistically useful.
Professionals using TAR state that the practice has value, but it requires a sophisticated
team of users (with expertise in information retrieval, statistics, and law) who understand
the potential limitations and danger of false confi dence that can arise from improper use. For
example, using a propagation-based approach with a seed set of documents can have
issues when less than 10 percent of the seed set documents are positive for relevance.
In contrast, rules driven and other systems can result in false negative decisions when
based on narrow custodian example sets.
However TAR approaches and tools are used, they will only be effective if usage
is anchored in a thought out, methodically sound process. This requires a defi nition of
what to look for, searching for items that meet that defi nition, measuring results, and
then refi ning those results on the basis of the measured results. Such an end-to-end
plan will help to decide what methods and tools should be used in a given case. 29
Defensible Disposal: The Only Real Way To Manage Terabytes TT
and Petabytes
By Randy Kahn, Esq.
Records and information management (RIM) is not working. At least, it is not working
well. Information growth and management complexity has meant that the old records l
retention rules and the ways businesses apply them are no longer able to address the
lifecycle of information. So the mountains of information grow and grow and grow,
often unfettered.
Too much data has outlived its usefulness, and no one seems to know how or is
willing to get rid of it. While most organizations need to right-size their information
footprint by cleaning out the digital data debris, they are stymied by the complexity
and enormity of the challenge.

INFORMATION GOVERNANCE AND LEGAL FUNCTIONS 131
Growth of Information
According to International Data Corporation (IDC), from now until 2020, the digital
universe is expected by expand to more than 14 times its current size. 30 One exabyte
is the data equivalent of about 50,000 years of DVD movies running continuously.
With about 1,800 exabytes of new data created in 2011, 2840 exabytes in 2012, and
a predicted 6,120 exabytes in 2014, the volumes are truly staggering. While the data
footprint grows signifi cantly each year, that says nothing of what has already been cre-
ated and stored.
Contrary to what many say (especially hardware salespeople) storage is not cheap.t
In fact, it is really becomes quite expensive when you add up not only the hard-
ware costs but also maintenance, air conditioning and space overhead, and the highly
skilled labor needed to keep it running. Many large companies spend tens if not hun-
dreds of millions of dollars per year just to store data. This is money that could go
straight to the bottom line if the unneeded data could be discarded. When you con-
sider that most organizations’ information footprints are growing at between 20 and
50 percent per year and the cost of storage is declining by a few percentage points
per year, in real terms they are spending way more this year than last to simply house
information.
Volumes Now Impact Effectiveness
The law of diminishing returns applies to information growth. Assuming information
is an asset, at some point when there is so much data, its value starts to decline. That is
not because the intrinsic value goes down (although many would argue there is a lot of
idle chatter in the various communications technologies). Rather the decline is related
to the inability to expeditiously fi nd or have access to needed business information.
According the Council of Information Auto-Classifi cation “Information Explosion”
Survey, there is now so much information that nearly 50 percent of companies need
to re-create business records to run their business and protect their legal interests
because they cannot fi nd the original retained record.31 It is a poor business practice
to spend resources to retain information and then, when it cannot be found, to spend
more to reconstitute it.
There is increasing regulatory pressure, enforcement, and public scrutiny on all
of an organization’s data storage activities. Record sanctions and fi nes, new regula-
tions, and stunning court decisions have converged to mandate heightened controls
and accountability from government regulators, industry and standards groups as well
as the public. When combined with the volume of data, information privacy, security,
protection of trade secrets, and records compliance become complex and critical, high-
risk business issues that only executive management can truly fi x. However, executives
typical view records and information management (RIM) as a low-importance cost
center activity, which means that the real problem does not get solved.
In most companies, there is no clear path to classify electronic records, to for-
mally manage offi cial records, or to ensure the ultimate destruction of these records.
Vast stores of legacy data are unclassifi ed, and most data is never touched again
shortly after creation. Further, traditional records retention rules are too voluminous,
too complex, and too granular and do not work well with the technology needed to
manage records.

132 INFORMATION GOVERNANCE
Finally, it is clear that employees can no longer be expected to pull the oars to
cut through the information ocean, let alone boil it down into meaningful chunks of
good information. Increasingly, technology has to play a more central role in manag-
ing information. Better use of technology will create business value by reducing risk,
driving improvements in productivity, and facilitating the exploitation and protection
of ungoverned corporate knowledge.
How Did This Happen?
Over the past several years, organizations have come to realize that the exposure posed
by uncontrolled data growth requires emergency, reactive action, as seemingly no oth-
er viable approach exists. Faced with massive amounts of unknown unstructured data,
many organizations have chosen to adopt a risk-averse save-everything policy. This
approach has brought with it immediate repercussions:
■ Inability to quickly locate needed business content buried in ill-managed fi le
systems.
■ Sharply increased storage costs, with some companies refusing to allocate any
more storage to the business. The users’ reaction, out of necessity, is to store
data wherever they can fi nd a place for it. (Do not buy the argument that stor-t
age is cheap—everyone is spending more on storing unnecessary data, even if
the per-gigabyte media cost has gone down).
■ Soaring litigation and discovery costs, as organizations have lost track of what
is where, who owns it, and how to collect, sort, and process it.
■ Buried intellectual property, trade secrets, personally identifi able information,
and regulated content, which are subject to leakage and unauthorized deletion,
and are a clear target for opposing counsel—or anyone who can access them.
■ Lack of centralized policies and systems for the storage of records, which re-
sults in hard-to-manage record sites spread throughout the organization.
■ The lack of a clear strategy for managing records that have long-term, rather
than short-term, business, legal, and research value.
Information Glut in Organizations
■ 71 percent of organizations surveyed have no idea of the content in their stored
data.
■ 58 percent of organizations are keeping information indefi nitely.
■ 79 percent of organizations say too much time and effort is spent manually
searching and disposing information.
■ 58 percent of organizations still rely on employees to decide how to apply cor-
porate policies. 32
What Is Defensible Disposition, and How Will It Help?
A solution to the unmitigated data sprawl is to defensibly dispose of the business con-
tent that no longer has business or legal value to the organization. In the old days
of records management, it was clear that courts and regulators alike understood that
records came into being and eventually were destroyed in the ordinary course of
business. It is good business practice to destroy unneeded content, provided that the

INFORMATION GOVERNANCE AND LEGAL FUNCTIONS 133
rules on which those decisions are made consider legal requirements and business
needs. Today, however, the good business practice of cleaning house of old records has
somehow become taboo for some businesses. Now it needs to start again.
An understanding of how technology can help defensibly dispose and how meth-
odology and process help an organization achieve a thinner information footprint is
critical for all companies overrun with outdated records that do not know where to
start to address the issue. While no single approach is right for every organization, re-
cords and legal teams need to take an informed approach, looking at corporate culture,
risk tolerance, and litigation profi le.
A defensible disposition framework is an ecosystem of technology, policies, proce-
dures, and management controls designed to ensure that records are created, managed,
and disposed at the end of their life cycle.
New Technologies—New Information Custodians
Responsibility for records management and IG have changed dramatically over time.
In the past, the responsibility rested primarily with the records manager. However, the
nature of electronic information is such that its governance today requires the partici-
pation of IT, which frequently has custody, control, or access to such data, along with
guidance from the legal department. As a result, IT personnel with no real connection
or ownership of the data may be responsible for the accuracy and completeness of the
business-critical information being managed. See the problem?
For many organizations, advances in technology mixed with an explosive growth
of data forced a reevaluation of core records management processes. Many organi-
zations have deployed archiving, litigation, and e-discovery point solutions with the
intent of providing record retention compliance and responsiveness to litigation. Such
systems may be tactically useful but fail to strategically address the heart of the matter:
too much information, poorly managed over years and years—if not decades.
A better approach is for organizations to move away from a reactive keep-
everything strategy to a proactive strategy that allows the reasonable and reliable
identifi cation and deletion of records when retention requirements are reached, absent
a preservation obligation. Companies develop retention schedules and processes pre-
cisely for this reason; it is not misguided to apply them.
Why Users Cannot, Will Not—and Should Not—Make the Hard Choices
Employees usually are not suffi ciently trained on records management principles and
methods and have little incentive (or downside) to properly manage or dispose of records.
Further, many companies today see that requiring users to properly declare or man-
age records places an undue burden on them. The employees not only do not provide a
A defensible disposition framework is an ecosystem of technology, policies,
procedures, and management controls designed to ensure that records are
created, managed, and disposed at the end of their life cycle.

134 INFORMATION GOVERNANCE
reasonable solution to the huge data pile (which for some companies may be petabytes of
data) but contribute to its growth by using more unsanctioned technologies and parking
company information in unsanctioned locations. So the digital landfi ll continues to grow.
Most organizations have programs that address paper records, but these same
organizations commonly fail to develop similar programs for electronic records and
other digital content.
Technology Is Essential to Manage Digital Records Properly
Having it all—but not being able to fi nd it—is like not having it at all. t
While the content of a paper document is obvious, viewing the content of an electron-
ic document depends on software and hardware. Further, the content of electronic storage
media cannot be easily accessed without some clue as to its structure and format. Conse-
quently, the proper indexing of digital content is fundamental to its utility. Without an index,
retrieving electronic content is expensive and time consuming, if it can be retrieved at all.
Search tools have become more robust, but they do not provide a panacea for
fi nding electronic records when needed because there is too much information spread
out across way too many information parking lots. Without taxonomies and common
business terminology, accessing the one needed business record may be akin to fi nding
the needle in a stadium-size haystack.
Technological advances can help solve the challenges corporations face and ad-
dress the issues and burdens for legal, compliance, and information governance. When
faced with hundreds of terabytes to petabytes of information, no amount of user inter-
vention will begin to make sense of the information tsunami.
Auto-Classifi cation and Analytics Technologies
Increasingly companies are turning to new analytics and classifi cation technologies
that can analyze information faster, better, and cheaper. These technologies should
be considered essential for helping with defensible disposition, but do not make the
mistake of underestimating their expense or complexity.
As discussed in the previous section by Barry Murphy, machine learning tech-
nologies mean that software can “learn” and improve at the tasks of clustering fi les
and assigning information (e.g., records, documents) to different preselected topical
categories based on a statistical analysis of the data characteristics. In essence,
classifi cation technology evaluates a set of data with known classifi cation mappings
and attempts to map newly encountered data within the existing classifi cations. This
type of technology should be on the list of considerations when approaching defen-
sible disposition in large, uncontrolled data environments.
Can Technology Classify Information?
What is clear is that IT is better and faster than people in classifying information. Period.
A better approach is for organizations to move away from a reactive keep-
everything strategy to a proactive strategy of defensible deletion.

INFORMATION GOVERNANCE AND LEGAL FUNCTIONS 135
Increasingly studies and court decisions make clear that, when appropriate, com-
panies should not fear using enabling technologies to help manage information.
For example, in the recent Da Silva Moore v. Publicis Groupe case, Judge Andrew
Peck stated:
Computer-assisted review appears to be better than the available alternatives,
and thus should be used in appropriate cases. While this Court recognizes that
computer-assisted review is not perfect, the Federal Rules of Civil Procedure
do not require perfection. . . . Counsel no longer have to worry about being
the “fi rst” or “guinea pig” for judicial acceptance of computer assisted review.
This work presents evidence supporting the contrary position: that a
technology-assisted process, in which only a small fraction of the document
collection is ever examined by humans, can yield higher recall and/or preci-
sion than an exhaustive manual review process, in which the entire document
collection is examined and coded by humans. 33
Moving Ahead by Cleaning Up the Past
Organizations can improve disposition and IG programs with a systemized, repeatable,
and defensible approach that enables them to retain and dispose of all data types in
compliance with the business and statutory rules governing the business’s operations.
Generally, an organization is under no legal obligation to retain every piece of in-
formation it generates in the course of its business. Its records management process is
there to clean up the information junk in a consistent, reasonable way. That said, what
should companies do if they have not been following disposal rules, so information has
piled up and continues unabated? They need to clean up old data. But how?
Manual intervention (by employees) will likely not work, due to the sheer volumes
of data involved. Executives will not and should not have employees abdicate their
regular jobs in favor of classifying and disposing of hundreds of millions of old stored
fi les. (Many companies have billions of old fi les.) This buildup necessitates leveraging tech-
nology, specifi cally, technologies that can discern the meaning of stored unstructured content, in
a variety of formats, regardless of where it is stored.
Here is a starting point: Most likely, fi le shares, legacy e-mail systems, and other
large repositories will prove the most target-rich environments, while better-managed
document management, records management, or archival systems will be in less need
of remediation. A good time to undertake a cleanup exercise is when litigation will not
prevent action or when migrating to a new IT platform. (Trying to conduct a compre-
hensive, document-level inventory and disposition is neither reasonable nor practical.
In most cases, it will create limited results and even further frustration.)
Technology choices should be able to withstand legal challenges in court.
Sophisticated technologies available today should also look beyond mere keyword
searches (as their defensibility may be called into question) and should look to
Organizations can improve disposition and IG programs with a systemized,
repeatable, and defensible approach.

136 INFORMATION GOVERNANCE
advanced techniques such as automatic text classifi cation (auto-classifi cation), concept
search, contextual analysis, and automated clustering. While technology is imperfect,
it is better than what employees can do and will never be able to accomplish—to man-
age terabytes of stored information and clean up big piles of dead data.
Defensibility Is the Desired End State; Perfection Is Not
Defensible disposition is a way to take on huge piles of information without personally
cracking each one open and evaluating it. Perhaps it is, in essence, operationalizing a
retention schedule that is no longer viable in the electronic age. Defensible disposition
is a must because most big companies have hundreds of millions or billions of fi les,
which makes their individualized management all but impossible.
As the list of eight steps to defensible disposition makes clear, different chunks of data
will require different diligence and analysis levels. If you have 100,000 backup tapes from
20 years ago, minimal or cursory review may be required before the whole lot of tapes can
be comfortably discarded. If, however, you have an active shared drive with records and
information that is needed for ongoing litigation, there will need to be deeper analysis
with analytics and/or classifi cation technologies that have become much more powerful
and useful. In other words, the facts surrounding the information will help inform if the
information can be properly disposed with minimal analysis or if it requires deep diligence.
Kahn’s Eight Essential Steps to Defensible Disposition
1. Defi ne a reasonable diligence process to assess the business needs and legal
requirements for continued information retention and/or preservation, based
on the information at issue.
2. Select a practical information assessment and/or classifi cation approach, given
information volumes, available resources, and risk profi le.
3. Develop and document the essential aspects of the disposition program to
ensure quality, effi cacy, repeatability, auditability, and integrity.
4. Develop a mechanism to modify, alter, or terminate components of the dispo-
sition process when required for business or legal reasons.
5. Assess content for eligibility for disposition, based on business need, record
retention requirements, and/or legal preservation obligations.
6. Test, validate, and refi ne as necessary the effi cacy of content assessment and
disposition capability methods with actual data until desired results have been
attained.
7. Apply disposition methodology to content as necessary, understanding that
some content can be disposed with suffi cient diligence without classifi cation.
8. On an ongoing basis, verify and document the effi cacy and results of the dis-
position program and modify and/or augment the process as necessary.
Source: “Chucking Daises: Ten Rules for Taking Control of Your Organization’s Digital
Debris,” Randy Kahn, Esq., and Galena Datskovsky Ph.D., CRM (ARMA International,
2013), Overland Park, KS.
Business Case around Defensible Disposition
What is clear is that defensible disposition can have signifi cant ROI impact to a com-
pany’s fi nancial picture. This author has clients for whom we have built the defensible

INFORMATION GOVERNANCE AND LEGAL FUNCTIONS 137
disposition business case, which saves them tens of millions of dollars on a net basis but
also makes them a more effi cient business, reduces litigation cost and risks, mitigates
the information security and privacy risk profi les, and makes their work force more
productive, and so on.
However, remember auto-classifi cation technology is neither simple nor inexpen-
sive, so be realistic and conservative when building the business case. Often it is easiest
to simply use only hardware storage cost savings to make the case because it is a hard
number and provides a conservative approach to justifying the activities. Then you
can add on the additional benefi ts, which are more diffi cult to calculate, and also the
intangible benefi ts of giving your employees a cleaner information stack to search and
base decisions on.
Defensible Disposition Summary
Defensible disposition is a way to bring your records management program into to-
day’s business reality—information growth makes management at the record level all
but impossible. Defensible disposition should be about taking simplifi ed retention
rules and applying them to both structured and unstructured content with the least
amount of human involvement possible. While it can be a daunting challenge, it is also
an opportunity to establish and promote operational excellence through better IG
and to signifi cantly enhance an organization’s business performance and competitive
advantage.
Retention Policies and Schedules
By Robert Smallwood, edited by Paula Lederman, MLS
With limited resources, today’s legal counsel, compliance managers, and records man-
ager are faced with an onslaught of increasingly pressing and complex compliance
and legal demands. At the core of these demands is the ability of the organization to
demonstrate that it has legally defensible records management practices that can hold
up in court.
Organizations can legally destroy records—but will have a greater legal defensi-
bility if:
■ The authority to destroy the records is identifi ed on a retention schedule.
■ The retention requirements have been met.
■ The records are slated for destruction in the normal course of business.
■ There are no existing legal or fi nancial holds.
■ Al records of the same type are treated consistently and systematically.
The foundation of legally defensible records management practices is a solid IG
underpinning, where policies and processes, supported and enforced by IT, help the
organization meet its externally mandated legal requirements and internally mandated
IG requirements for handling and controlling information.
A complete, current, and documented records retention program reduces stor-
age and handling costs and improves searchability for records by making records

138 INFORMATION GOVERNANCE
easier and faster to fi nd. This reduced search time and more complete search
capability improves knowledge worker productivity. It also reduces legal risk by
improving the ability to meet compliance demands while also reducing e-discovery
costs and improving the ability to more effi ciently respond to discovery requests
during litigation.
Most large organizations maintain records retention schedules by business
unit, department, or functional area. Some organizations, particularly smaller
ones, may establish organization-wide IG programs that call for the developing,
updating, and improvement of an enterprise or master retention schedule. This is
a tall order and is almost never accomplished—but it is possible with a determined,
sustained effort. Developing enterprise-wide records retention schedules requires
consultation with stakeholder groups that have valuable input to contribute to the
overall development of the IG effort and to specifi c schedules for retaining record
collections and their planned disposition. Consultation by the records manage-
ment department, senior records offi cer , or records team must take place with
representatives from the business units that create and own the records as well
as with legal, compliance, risk management, IT, and other relevant stakeholder
groups.
Meeting Legal Limitation Periods
A key consideration in developing retention schedules is researching and determin-
ing the minimum time required to keep records that may be demanded in legal
actions. “A limitation period is the length of time after which a legal action cannot
be brought before the courts. Limitation periods are important because they de-
termine the length of time records must be kept to support court action [including
subsequent appeal periods]. It is important to be familiar with the purpose, prin-
ciples, and special circumstances that affect limitation periods and therefore records
retention.”34
Legal Requirements and Compliance Research
As stated at the beginning of this chapter, legal requirements trump all others. The reten-
tion period for a particular records series must meet minimum retention requirements
as mandated by law. Business needs and other considerations are secondary. So, legal
research is required before determining retention periods. Legally required retention
periods must be researched for each jurisdiction (state, country) in which the business
operates, so that it complies with all applicable laws.
A limitation period is the length of time after which a legal action cannot
be brought before the courts. Such a period must be factored into retention
policies.

INFORMATION GOVERNANCE AND LEGAL FUNCTIONS 139
In order to locate the regulations and citations relating to retention of records,
there are two basic approaches. The fi rst approach is to use a records retention citation
service, which publishes in electronic form all of the retention-related citations. These
services usually are bought on a subscription basis, as citations are updated on an an-
nual or more frequent basis as legislation and regulations change.
Another approach is to search the laws and regulations directly using online or
print resources. Records retention requirements for corporations operating in the
United States may be found in the Code of Federal Regulations (CFR), the annual
edition of which:
is the codifi cation of the general and permanent rules published in the Fed-
eral Register by the departments and agencies of the federal government. It is
divided into 50 titles that represent broad areas subject to federal regulation.
The 50 subject matter titles contain one or more individual volumes, which
are updated once each calendar year, on a staggered basis. The annual update
cycle is as follows: titles 1 to 16 are revised as of January 1; titles 17 to 27 are
revised as of April 1; titles 28 to 41 are revised as of July 1, and titles 42 to 50
are revised as of October 1. Each title is divided into chapters, which usually
bear the name of the issuing agency. Each chapter is further subdivided into
parts that cover specifi c regulatory areas. Large parts may be subdivided into
subparts. All parts are organized in sections, and most citations to the CFR
refer to material at the section level. 35
There is an up-to-date version that is not yet a part of the offi cial CFR but is
updated daily, the Electronic Code of Federal Regulations (e-CFR) . “It is not an
offi cial legal edition of the CFR. The e-CFR is an editorial compilation of CFR mate-
rial and Federal Register amendments produced by the National Archives and Records
Administration’s Offi ce of the Federal Register (OFR) and the Government Printing
Offi ce.”36 According to the gpoaccess.gov Web site:
The Administrative Committee of the Federal Register (ACFR) has authorized
the National Archives and Records Administration’s (NARA) Offi ce of the Fed-
eral Register (OFR) and the Government Printing Offi ce (GPO) to develop
and maintain the e-CFR as an informational resource pending ACFR action to
grant the e-CFR offi cial legal status. The OFR/GPO partnership is committed
to presenting accurate and reliable regulatory information in the e-CFR edito-
rial compilation with the objective of establishing it as an ACFR sanctioned
publication in the future. While every effort has been made to ensure that the
e-CFR on GPO Access is accurate, those relying on it for legal research should
verify their results against the offi cial editions of the CFR, Federal Register and
List of CFR Sections Affected (LSA), all available online at www.gpoaccess.gov.
Until the ACFR grants it offi cial status, the e-CFR editorial compilation does
not provide legal notice to the public or judicial notice to the courts.
The OFR updates the material in the e-CFR on a daily basis. Generally,
the e-CFR is current within two business days. The current update status is
displayed at the top of all e-CFR web pages.

http://www.gpoaccess.gov

140 INFORMATION GOVERNANCE
What Is a Records Retention Schedule?
A records retention schedule delineates how long a (business) record series is
to be retained, and its disposition after its life cycle is complete (e.g., destruc-
tion, transfer, archiving); the schedule also contains “lists of records by name or
type that authorize the disposition of records.”37 Retention schedules apply to all
records regardless of their format or media (e.g., physical or electronic). Retention
schedules are developed for records not individually but rather by records series, categories,
functions, or systems. Ideally, they include all of the record series in an organization,
although they may be broken down into smaller subset schedules, such as by busi-
ness unit.
Retention schedules may be maintained separately for electronic records, or they
may be included in a combined schedule that includes both e-records and paper or
other physical records.
Corporate records retention schedules are increasingly being maintained online,
where users and also IT, legal, risk, and records management personnel can view and
reference them. Electronic data and documents can easily reference these schedules
and initiate a process based on a trigger event so that the life cycle of the electronic
document can be automated and managed in a consistent manner. Retention schedules
are basic tools that allow an organization to prove that it has a legally defensible basis
on which to dispose records.
Retention schedules in large organizations typically are broken down and by
business function. A functional retention schedule groups record series based on
business functions, such as fi nancial, legal, product management, or sales. Each func-
tion or grouping also is used for classifi cation. Rather than detail every sequence of
records, these larger functional groups are less numerous and are easier for users to
understand.
Some organizations are able to reach the ultimate retention goal: to keep an
enterprise-wide master retention schedule, which includes the retention and
Retention schedules are developed by records series, category, function, or
system—not for individual records.
Retention schedules are basic tools that allow an organization to prove that it
has a legally defensible basis on which to dispose records.
A complete, current, and documented records retention program reduces
storage and handling costs and improves searchability for records by making
records easier and faster to fi nd.

INFORMATION GOVERNANCE AND LEGAL FUNCTIONS 141
disposition requirements for records series that cross business unit boundaries.
The master retention schedule contains all records series in the entire enterprise.
An enterprise-wide retention schedule is preferable because it eliminates the
possibility that different business units will follow confl icting records retention
periods. For example, if one business unit is discarding a group of records after
5 years, it would not make sense for another business unit to keep the same records
for 10 years.
Benefi ts of a Retention Schedule
According to the U.S. National Archives and Records Administration, developing and
maintaining a records retention schedule provides the following benefi ts. The reten-
tion schedule: 38
1. Reduces legal risk and legal liability exposure.
2. Supports a legally defensible records management program.
3. Improves IG by enforcing uniformity and standardization.
4. Improves search quality and reduces search time.
5. Provides higher-quality records information to improve decision support for
knowledge workers.
6. Prevents inadvertent, malicious, or premature destruction of records.
7. Improves accountability for life cycle management of records on an enter-
prise-wide basis.
8. Improves security for confi dential records assets. 39
9. Reduces and minimizes costs for maintaining records.
10. Determines which records have historic value.
11. Saves hardware, utility, and labor costs by deleting records after their life
span.
12. Optimizes use of online storage and access resources.
A formal approach to records management has been around since the mid-1900s,
so a great deal of guidance is available before embarking on developing or updating
your records retention program. Models and guides can be used to assist in the devel-
opment of records retention schedules for your organization, including the interna-
tional standard for records management, ISO 15489—Part 1 and 2:2001, “Information
and Documentation—Records Management”; the ISO 15489 standard was written
to address all kinds of records. Additional guidance may be obtained by referencing
national standards, such as those in Canada, Europe, Australia, and other countries. 40
Often, in the public sector, retention guidelines are published by an authority such as
the offi ce of the national, state, or provincial archivist. Some additional insights may
be gleaned from ISO 16175–1:2010, “Information and Documentation—Principles
and Functional Requirements for Records in Electronic Offi ce Environments—Part
1: Overview and Statement of Principles,” which establishes fundamental principles
and functional requirements for software used to create and manage digital records in
offi ce environments. 41
A records retention schedule is an essential part of an overall IG program. Due
to the fact that a concerted IG program standardizes and enforces uniformity and

142 INFORMATION GOVERNANCE
control, the entire organization benefi ts in terms of productivity, reduced risk, and
improved compliance and e-discovery processes. These overarching goals and benefi ts
should be championed by senior management in words and deeds. This means making
the IG effort visible and providing the proper budgetary resources in terms of money
and employee time to achieve its aims.
More detail on retention schedules can be found in Chapter 9 on IG and RIM
functions.
The master retention schedule contains all records series in the entire enterprise.
CHAPTER SUMMARY: KEY POINTS
■ Legal functions are the most important area of IG impact.
■ IG serves as the underpinning for effi cient e-discovery processes.
■ ESI is any information that is created or stored in electronic format.
■ The goal of the FRCP amendments is to recognize the importance of ESI and
to respond to the increasingly prohibitive costs of document review and pro-
tection of privileged documents.
■ The amended FRCP reinforce the importance of IG. Only about 25 percent of
business information has real value and 5 percent are business records.
■ The Big Data trend underscores the need for defensible deletion of data
debris.
■ In the landmark case Zubulake v. U.B.S. Warburg, the defendants were se-g
verely punished by an adverse inference for deleting key e-mails and not
producing copies on backup tapes.
■ The E-Discovery Reference Model is a planning tool that depicts key
e-discovery process steps.
■ Implementing IG, inventorying ESI, and leveraging technology to implement
records retention and LHN policies are key steps in e-discovery planning.
■ LHN management is the absolute minimum an organization should imple-
ment to meet the guidelines, rules, and precedents.
■ Predictive coding software leverages human analysis when experts review a
subset of documents to “teach” the software what to look for, so it can apply
this logic to the full set of documents.

INFORMATION GOVERNANCE AND LEGAL FUNCTIONS 143
■ Many technologies assist in making incremental reductions in e-discovery
costs, but only fully integrated predictive coding is able to completely trans-
form the economics of e-discovery.
■ TAR, also known as computer-assisted review, speeds the review process by
leveraging IT tools.
■ In TAR, there are three main ways to use technology to make legal review
faster, less costly, and generally smarter: rules driven, facet driven, and propa-
gation based.
■ It is important to have the right people in place to support the technology
and the work fl ow required to conduct TAR.
■ A defensible disposition framework is an ecosystem of technology, policies,
procedures, and management controls designed to ensure that records are
created, managed, and disposed of at the end of their life cycle.
■ A better approach is for organizations to move away from a reactive “keep-
everything” strategy to a proactive strategy of defensible deletion.y
■ Organizations can improve disposition and IG programs with a systemized,
repeatable, and defensible approach.
■ A limitation period—the length of time after which a legal action cannot be
brought before the courts—must be factored into retention policies.
■ A complete, current, and documented records retention program reduces
storage and handling costs and improves searchability for records by making
records easier and faster to fi nd.
■ Retention schedules are developed by records series, not for individual records.
■ Retention schedules are basic tools that allow an organization to prove that it
has a legally defensible basis on which to dispose of records.
■ The master retention schedule contains all records series in the entire
enterprise.
■ “Records retention” defi nes the length of time that records are to be kept
and considers legal, regulatory, operational, and historical requirements.
■ Disposition means not just destruction but can also mean archiving and a
change in ownership and responsibility for the records.
■ For most organizations, e-mail is the most common information source to
begin deleting according to established retention policies.
CHAPTER SUMMARY: KEY POINTS (Continued )

144 INFORMATION GOVERNANCE
Notes
1. Linda Volonino and Ian Redpath, e-Discovery for Dummies (Hoboken, NJ: John Wiley & Sons, 2010),s
p. 9. This material is reproduced with permission from John Wiley & Sons, Inc.
2. “New Fed. Rules to Civil Procedure,” www.uscourts.gov/FederalCourts/UnderstandingtheFederalCourts/
DistrictCourts.aspx; (accessed November 26, 2013).
3. Ibid.
4. Ibid.
5. Volonino and Redpath, e-Discovery for Dummies, p. 13.s
6. Ibid., p. 11.
7. “New Fed. Rules to Civil Procedure.” www.uscourts.gov/FederalCourts/UnderstandingtheFederalCourts/
DistrictCourts.aspx; (accessed November 26, 2013).
8. “The Digital Universe Decade—Are You Ready?” IDC iView (May 2010).
9. Deidra Paknad, “Defensible Disposal: You Can’t Keep All Your Data Forever,” July 17, 2012, www.forbes
.com/sites/ciocentral/2012/07/17/defensible-disposal-you-cant-keep-all-your-data-forever/
10. Sunil Soares, Selling Information Governance to the Business (MC Press Online, Ketchum, ID, 2011), p. 229. s
11. All quotations from the FRCP are from Volonino and Redpath, e-Discovery for Dummies , www.dummiess
.com/how-to/content/ediscovery-for-dummies-cheat-sheet.html (accessed May 22, 2013).
12. Linda Volonino and Ian Redpath, e-Discovery for Dummies (Hoboken, NJ: John Wiley & Sons, 2010), p. 13. s
13. Case Briefs, LLC, “Zubulake v. UBS Warburg LLC,” www.casebriefs.com/blog/law/civil-procedure/
civil-procedure-keyed-to-friedenthal/pretrial-devices-of-obtaining-information-depositions-and-dis-
covery-civil-procedure-keyed-to-friedenthal-civil-procedure-law/zubulake-v-ubs-warburg-llc/2/ (ac-
cessed May 21, 2013).
14. Amy Girst, “E-discovery for Lawyers,” IMERGE Consulting Report, 2008.
15. ECM2, “15-Minute Guide to eDiscovery and Early Case Assessment,” www.emc.com/collateral/
15-min-guide/h9781-15-min-guide-ediscovery-eca-gde (accessed May 21, 2013
16. Barry Murphy, telephone interview with author, April 12, 2013.
17. Email to author August 16, 2012.
18. Recommind, “What Is Predictive Coding?” www.recommind.com/predictive-coding (accessed
May 7, 2013).
19. Michael LoPresti, “What Is Predictive Coding?: Including eDiscovery Applications,” KMWorld,
January 14, 2013, www.kmworld.com/Articles/Editorial/What-Is-…/What-is-Predictive-Coding-Including-
eDiscovery-Applications-87108.aspx
20. “Predictive Coding,” TechTarget.com, http://searchcompliance.techtarget.com/defi nition/predictive-
coding, August 31, 2012 (accessed May 7, 2013).
21. “Machine Learning,” TechTarget.com http://whatis.techtarget.com/defi nition/machine-learning,
accessed May 7, 2013.
22. “Predictive Coding.”
23. LoPresti, “What Is Predictive Coding?”
24. Ibid.
25. “What Does Predictive Coding Require?” Recommind Corp., www.recommind.com/predictive-coding
(accessed May 24, 2013).
26. Ibid.
27. Barry Murphy, e-mail to author, May 10, 2013.
28. Ibid.
29. Ibid.
30. “The digital universe in 2020: Big Data, Bigger Digital Shadows, and Biggest Grow in the Far East,”
www.emc.com/collateral/analyst-reports/idc-the-digital-universe-in-2020 (accessed November 26,
2013).
31. Council of Information Auto-Classifi cation, “Information Explosion” survey, http://infoautoclassifi cation
.org/survey.php (accessed November 26, 2013).
32. Ibid.
33. Maura R. Grossman and Gordon V. Cormack, “Technology-Assisted Review in E-Discovery Can Be
More Effective and More Effi cient Than Exhaustive Manual Review.” http://delve.us/downloads/Tech-
nology-Assisted-Review-In-Ediscovery (accesssed November 26, 2013).
34. Government of Alberta, “Developing Retention and Disposition Schedules,” July 2004, p. 122, www
.rimp.gov.ab.ca/publications/pdf/SchedulingGuide
35. U.S. Government Printing Offi ce (GPO), “Code of Federal Regulations,” www.gpo.gov/help/index
.html#about_code_of_federal_regulations.htm (accessed April 22, 2012).

http://www.uscourts.gov/FederalCourts/UnderstandingtheFederalCourts/DistrictCourts.aspx

http://www.forbes.com/sites/ciocentral/2012/07/17/defensible-disposal-you-cant-keep-all-your-data-forever/

http://www.dummies.com/how-to/content/ediscovery-for-dummies-cheat-sheet.html

Zubulake v. UBS Warburg LLC

http://www.emc.com/collateral/15-min-guide/h9781-15-min-guide-ediscovery-eca-gde

http://www.recommind.com/predictive-coding

http://www.kmworld.com/Articles/Editorial/What-Is-%E2%80%A6/What-is-Predictive-Coding-Including-eDiscovery-Applications-87108.aspx

http://searchcompliance.techtarget.com/definition/predictive-coding

http://whatis.techtarget.com/definition/machine-learning

http://www.recommind.com/predictive-coding

http://www.emc.com/collateral/analyst-reports/idc-the-digital-universe-in-2020

http://infoautoclassification.org/survey.php

http://delve.us/downloads/Tech-nology-Assisted-Review-In-Ediscovery

http://www.gpo.gov/help/index.html#about_code_of_federal_regulations.htm

http://www.uscourts.gov/FederalCourts/UnderstandingtheFederalCourts/DistrictCourts.aspx

http://www.forbes.com/sites/ciocentral/2012/07/17/defensible-disposal-you-cant-keep-all-your-data-forever/

http://www.dummies.com/how-to/content/ediscovery-for-dummies-cheat-sheet.html

Zubulake v. UBS Warburg LLC

http://www.emc.com/collateral/15-min-guide/h9781-15-min-guide-ediscovery-eca-gde

http://infoautoclassification.org/survey.php

http://www.gpo.gov/help/index.html#about_code_of_federal_regulations.htm

http://searchcompliance.techtarget.com/definition/predictive-coding

http://www.rimp.gov.ab.ca/publications/pdf/SchedulingGuide

INFORMATION GOVERNANCE AND LEGAL FUNCTIONS 145
36. National Archives and Records Administration, “Electronic Code of Federal Regulations,” October 2, 2012
http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&tpl=%2Findex.tpl
37. U.S. Department of Energy, Records Retention Schedule Defi nition, https://commons.lbl.gov/display/
aro/Records+Retention+Schedule+Defi nition (accessed July 30, 2012).
38. National Archives, “Frequently Asked Questions about Records Scheduling and Disposition,” updated
June 6, 2005, www.archives.gov/records-mgmt/faqs/scheduling.html#whysched
39. Government of Alberta, “Developing Retention and Disposition Schedules.”
40. National Archives, “Frequently Asked Questions about Records Scheduling and Disposition.”
41. International Organization for Standardization, ISO 16175-1:2010, “Information and Documentation—
Principles and Functional Requirements for Records in Electronic Offi ce Environments—Part 1:
Overview and Statement of Principles,” www.iso.org/iso/catalogue_detail.htm?csnumber=55790
(accessed July 30, 2012).

http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&tpl=%2Findex.tpl

https://commons.lbl.gov/display/aro/Records+Retention+Schedule+Definition

http://www.archives.gov/records-mgmt/faqs/scheduling.html#whysched

http://www.iso.org/iso/catalogue_detail.htm?csnumber=55790

https://commons.lbl.gov/display/aro/Records+Retention+Schedule+Definition

147
R
ecords management (RM) is a key impact area of t information governance
(IG)—so much so that in the RM space, IG is often thought of as synonymous
with or a simple superset of RM. But IG is much more than that. We delve into
the details of RM here—a sort of crash course on how to identify and inventory re-
cords, conduct the necessary legal research, develop retention and disposition sched-
ules, and more. Also, we identify the relationship and impact of IG on the RM function
in an organization in this chapter.
The International Organization for Standardization (ISO) defi nes (business)
records as “information created, received, and maintained as evidence and informa-
tion by an organization or person, in pursuance of legal obligations or in the transac-
tion of business.” 1 It further defi nes RM as “[the] fi eld of management responsible
for the effi cient and systematic control of the creation, receipt, maintenance, use, and
disposition of records, including the processes for capturing and maintaining evidence
of and information about business activities and transactions in the form of records.” 2
The U.S.-based Association of Records Managers and Administrators (ARMA)
defi nes records as “evidence of what an organization does. They capture its business
activities and transactions, such as contract negotiations, business correspondence,
personnel fi les, and fi nancial statements.” 3
Records and information management (RIM) extends beyond RM (although t
the terms are often used interchangeably) to include information—that is, information
such as data, electronic documents, and reports. For this reason, RIM professionals
must expand their reach and responsibilities to include policies for retention and dis-
position of all legally discoverable forms of information, such as e-mail, social media
posts, mobile data and documents held on portable devices, cloud storage and applica-
tions, and other enterprise data and information.
Electronic records management (ERM) has moved to the forefront of busi-t
ness issues with the increasing automation of business processes and the vast growth
in the volume of electronic documents and records that organizations create. These
Portions of this chapter are adapted from Chapters 1 , 5 , and 7 of Robert F. Smallwood, Managing Electronic Records:
Methods, Best Practices, and Technologies , © John Wiley & Sons, Inc., 2013. Reproduced with permission of John Wiley s
& Sons, Inc.
C H A P T E R 9
Information Governance
and Records and
Information
Management Functions

148 INFORMATION GOVERNANCE
factors, coupled with expanded and tightened reporting laws and compliance regula-
tions, have made ERM essential for most enterprises—especially highly regulated and
public ones.
ERM follows generally the same principles as traditional paper-based records
management: There are classifi cation and taxonomy needs to group and organize y
the records, and there are retention and disposition schedules to govern the length
of time a record is kept and its ultimate disposition (destruction, transfer, or long-term
archiving) destruction or long-term archiving. Yet e-records must be handled differ-
ently, and they contain more detailed data about their contents and characteristics,
known as metadata. (For more detail on these topics see Appendix A. )
E-records are also subject to changes in information technology (IT) that may y
make them diffi cult to retrieve and view and therefore render them obsolete. These is-
sues can be addressed through a sound ERM program that includes long-term digital
preservation (LTDP) methods and technologies.
ERM is primarily the organization, management, control, monitoring, and auditing
of formal business records that exist in electronic form. But automated ERM systems also
track paper-based and other physical records. So ERM goes beyond simply managing elec-
tronic records; it is the management of electronic records and the electronic management of non-
electronic records (e.g., paper, CD/DVDs, magnetic tape, audio-visual, and other physical records).
Most electronic records, or e-records, originally had an equivalent in paper form,
such as memos (now e-mail), accounting documents (e.g., purchase orders, invoices),
personnel documents (e.g., job applications, resumes, tax documents), contractual
documents, line-of-business documents (e.g., loan applications, insurance claim forms,
health records), and required regulatory documents (e.g., material safety data sheets).
Before e-document and e-record software began to mature in the 1990s, many of these
documents were fi rst archived to microfi lm or microform/microfi che.
Not all documents rise to the level of being declared a formal business record that
needs to be retained; that defi nition depends on the specifi c regulatory and legal re-
quirements imposed on the organization and the internal defi nitions and requirements
the organization imposes on itself, through internal IG measures and business policies.
IG is the policies, processes, and technologies used to manage and control information through-
out the enterprise to meet internal business requirements and external legal and compliance
demands.
E-records management has become much more critical to enterprises with in-
creased compliance legislation and massively increasing volumes of electronic
information.
ERM follows the same basic principles as paper-based records management.

INFORMATION GOVERNANCE AND RECORDS 149
ERM is a component of enterprise content management (ECM), just as document
management, Web content management, digital asset management, enterprise report
management, and several other technology sets are components. ECM encompasses
all an organization’s unstructured digital content, which means it excludes structured l
data (i.e., databases). ECM includes the vast majority—over 90 percent—of an organi-
zation’s overall information that must be governed and managed.
ERM extends ECM to provide control and to manage records through their life
cycle—from creation to destruction. ERM is used to complete the life cycle manage-
ment of information, documents, and records.
ERM adds the functionality to complete the management of information and records by
applying business rules to manage the maintenance, preservation, and disposition of records.
Both ERM and ECM systems aid in locating and managing the records and infor-
mation needed to conduct business effi ciently, to comply with legal and regulatory
requirements, and to effectively destroy (paper) and delete (digital) records that have
met their retention policy time frame requirement, freeing up valuable physical and
digital space and eliminating records that could be a liability if kept.
Records Management Business Rationale
Historically, highly regulated industries, such as banking, energy, and pharmaceuticals,
have had the greatest need to implement RM programs, due to their compliance and
reporting requirements. 4 However, over the past decade or so, increased regulation
and changes to legal statutes and rules have made RM a business necessity for nearly
every enterprise (beyond very small businesses).
Notable industry drivers include:
■ Increased government oversight and industry regulation. Government regulations
that require enhanced reporting and accountability were early business drivers
that fueled the implementation of formal RM programs. This is true at the
federal and state or provincial level. In the United States, the Sarbanes–Oxley
Act of 2002 (SOX) created and enhanced standards of fi nancial reporting and
transparency for the boards and executive management of public corporations
and accounting fi rms. It also addressed auditor independence and corporate
governance concerns. SOX imposes fi nes or imprisonment penalties for non-
compliance and requires that senior offi cers sign off on the veracity of fi nancial
statements. It states clearly that pertinent business records cannot be destroyed
during litigation or compliance investigations. Since SOX was enacted, Japan,
Australia, Germany, France, and India also have adopted stricter “SOX-like”
governance and fi nancial reporting standards.
ERM includes the management of electronic and nonelectronic records, such
as paper and other physical records.

150 INFORMATION GOVERNANCE
■ Changes in legal procedures and requirements during civil litigation. In 2006, the
need to amend the U.S. Federal Rules of Civil Procedure (FRCP) to contain
specifi c rules for handling electronically generated evidence was addressed.
The changes included processes and requirements for legal discovery of elec-
tronically stored information (ESI) during civil litigation. Today, e-mail is the
leading form of evidence requested in civil trials. The changes to the U.S. FRCP
had a pervasive impact on American enterprises and required them to gain
control over their ESI and implement formal RM and electronic discovery
(e-discovery) programs to meet new requirements. Although they have been
ahead of the United States in their development and maturity of RM practic-
es, Canadian, British, and Australian law is closely tracking that of the United
States in legal discovery. The United States is a more litigious society, so this
is not unexpected.
■ IG awareness. IG, in short, is the set of rules, policies, and business process-
es used to manage and control the totality of an organization’s information.
Monitoring technologies are required to enforce and audit IG compliance.
Beginning with SOX in 2002 and continuing with the massive U.S. FRCP
changes in 2006, enterprises have become more IG aware and have ramped up
efforts to control, manage, and secure their information. A signifi cant component
of any IG program is implementing an RM program that specifi es the retention periods
and disposition (e.g., destruction, transfer, archive) of formal business records. This
program, for instance, allows enterprises to destroy records once their required
retention period (based on external regulations, legal requirements, and inter-
nal IG policies) has been met and allows them to legally destroy records with
no negative impact or lingering liability.
■ Business continuity concerns. In the face of real disasters, such as the 9/11 terror-
ist attacks, Hurricane Katrina, and Superstorm Sandy, executives now realize that
disaster recovery and business resumption must be planned and prepared for.
Disasters really happen, and businesses that are not well prepared really go under.
The focus is on vital records that are necessary to resume operations in the event
of a disaster, and managing those records is part of an overall RM program.
Why Is Records Management So Challenging?
With these changes in the business environment and in regulatory, legal, and IG infl u-
ences comes increased attention to RM as a driver for corporate compliance. For
most organizations, a lack of defi ned policies and the enormous and growing volumes
A number of factors provide the business rationale for ERM, including
facilitating compliance, supporting IG, and providing backup capabilities in
the event of a disaster.

INFORMATION GOVERNANCE AND RECORDS 151
of documents (e.g., e-mail messages) make implementing a formal RM program chal-
lenging and costly. Some reasons for this include:
■ Changing and increasing regulations. Just when records and compliance managers
have sorted through the compliance requirements of federal regulations, new
ones at the state or provincial level are created or tightened down.
■ Maturing IG requirements within the organization. As senior managers become
increasingly aware of IG—the rules, policies, and processes that control and
manage information—they promulgate more reporting and auditing require-
ments for the management of formal business records.
■ Managing multiple retention and disposition schedules. Depending on the type of record,
retention requirements vary, and they may vary for the same type of record based
on state and federal regulations. Further, internal information governance policies
may extend retention periods and may fl uctuate with management changes.5
■ Compliance costs and requirements with limited staff. RM and compliance depart-
ments are notoriously understaffed, since they do not generate revenue. De-
partments responsible for executing and proving compliance with new and
increasing regulatory requirements must do so expediently, often with only
skeletal staffs. This leads to expensive outsourcing solutions or staff increases.
The cost of compliance must be balanced with the risk of maintaining a mini-
mum level of compliance.
■ Changing information delivery platforms. With cloud computing, mobile com-
puting, Web 2.0, social media, and other changes to information delivery and
storage platforms, records and compliance managers must stay apprised of the
latest IT trends and provide records on multiple platforms all while maintain-
ing the security and integrity of organizational records.
■ Security concerns. Protecting and preserving corporate records is of paramount
importance, yet users must have reasonable access to offi cial records to conduct
everyday business. “Organizations are struggling to balance the need to provide
accessibility to critical corporate information with the need to protect the in-
tegrity of corporate records.” 6
■ Dependence on the IT department or provider. Since tracking and auditing use of
formal business records requires IT, and records and compliance departments
typically are understaffed, those departments must rely on assistance from the
IT department or outsourced IT provider—which often does not have the
same perspective and priorities as the departments they serve.
■ User assistance and compliance. Users often go their own way with regard to records,
ignoring directives from records managers to stop storing shadow fi les of records
on their desktop (for their own convenience) and inconsistently following directives
to classify records as they are created. Getting users across a range of departments
in the enterprise to adhere uniformly with records and compliance requirements is
a daunting and unending task that requires constant attention and reinforcement. 7
Implementing ERM is challenging because it requires user support and com-
pliance, adherence to changing laws, and support for new information deliv-
ery platforms, such as mobile and cloud computing.

152 INFORMATION GOVERNANCE
Benefi ts of Electronic Records Management
A number of business drivers and benefi ts combine to create a strong case for imple-
menting an enterprise ERM program. Most are tactical, such as cost savings, time
savings, and building space savings. But some drivers can be thought of as strategic , in that c
they proactively give the enterprise an advantage. One example may be the advantages
gained in litigation by having more control and ready access to complete business
records, which yields more accurate results and more time for corporate attorneys to
develop strategies while the opposition is wading through reams of information, never
knowing if it has found the complete set of records it needs. Another example is more
complete and better information for managers to base decisions on.
Implementing ERM represents a signifi cant investment. An investment in ERM is
an investment in business process automation and yields document control, document integrity,
and security benefi ts. The volume of records in organizations often exceeds employees’
ability to manage them. ERM systems do for the information age what the assembly
line did for the industrial age. The cost/benefi t justifi cation for ERM is sometimes
diffi cult to determine, although there are real labor and cost savings. Also, many of the
benefi ts are intangible or diffi cult to calculate but help to justify the capital investment.
There are many ways in which an organization can gain signifi cant business benefi ts
with ERM.
More detail on business benefi ts is provided in Chapter 7 , but hard, calculable
benefi ts (when compared to storing paper fi les) include offi ce space savings, offi ce
supplies savings, cutting wasted search time, and reduced offi ce automation costs (e.g.,
fewer printers, copiers, cutting automated fi ling cabinets).
In addition, implementing ERM will provide the organization with:
■ Improved capabilities for enforcing IG over business documents and records
■ Improved, more complete, and more accurate searches
■ Improved knowledge worker productivity
■ Reduced risk of compliance actions or legal consequences
■ Improved records security
■ Improved ability to demonstrate legally defensible RM practices
■ Increased working confi dence in making searches, which should improve deci-
sion making
An investment in ERM is an investment in business process automation and
yields document control, document integrity, and security benefi ts.
ERM benefi ts are both tangible and intangible or diffi cult to calculate.

INFORMATION GOVERNANCE AND RECORDS 153
Additional Intangible Benefi ts
The U.S. Environmental Protection Agency (EPA), a pioneer and leader in e-records im-
plementation in the federal sector, lists some additional benefi ts of implementing ERM:
1. To control the creation and growth of records. Despite decades of using vari-
ous nonpaper storage media, the amount of paper in our offi ces continues
to escalate. An effective records management program addresses both cre-
ation control (limits the generation of records or copies not required to
operate the business) and records retention (a system for destroying useless
records or retiring inactive records), thus stabilizing the growth of records
in all formats.
2. To assimilate new records management technologies. A good records manage-
ment program provides an organization with the capability to assimilate
new technologies and take advantage of their many benefi ts. Investments
in new computer systems don’t solve fi ling problems unless current manual
record-keeping systems are analyzed (and occasionally, overhauled) before
automation is applied.
3. To safeguard vital information. Every organization, public or private, needs
a comprehensive program for protecting its vital records and information
from catastrophe or disaster, because every organization is vulnerable to
loss. Operated as part of the overall records management program, vital
records programs preserve the integrity and confi dentiality of the most
important records and safeguard the vital information assets according to a
“plan” to protect the records.
4. To preserve the corporate memory. An organization’s fi les contain its institu-
tional memory, an irreplaceable asset that is often overlooked. Every busi-
ness day, you create the records that could become background data for
future management decisions and planning. These records document the
activities of the agency that future scholars may use to research the work-
ings of the Environmental Protection Agency.
5. To foster professionalism in running the business. A business offi ce with fi les askew,
stacked on top of fi le cabinets and in boxes everywhere, creates a poor working
environment. The perceptions of customers and the public, and “image” and
“morale” of the staff, though hard to quantify in cost-benefi t terms, may be
among the best reasons to establish a good records management program.8
Thus, there are a variety of tangible and intangible benefi ts derived from ERM
programs, and the business rationale that fi ts for your organization depends on its
specifi c needs and business objectives.
Improved professionalism, preserving corporate memory, and support for bet-
ter decision making are key intangible benefi ts of ERM.

154 INFORMATION GOVERNANCE
Inventorying E-Records
According to the U.S. National Archives and Records Administration (NARA), “In
records management, an t inventory is a descriptive listing of each record series ory
system, together with an indication of location and other pertinent data. It is not a list
of each document or each folder but rather of each series or system ”9 (emphasis added).
Conducting an inventory of electronic records is more challenging than perform-
ing a physical records inventory, but the purposes are the same: to ferret out RM
problems and to use the inventory as the basis for developing the retention schedule.
Some of the RM problems that may be uncovered
include inadequate documentation of offi cial actions, improper applications
of record-keeping technology, defi cient fi ling systems and maintenance prac-
tices, poor management of nonrecord materials, insuffi cient identifi cation of
vital records, and inadequate records security practices. When completed, the
inventory should include all offi ces, all records, and all nonrecord materials.
An inventory that is incomplete or haphazard can only result in an inadequate
schedule and loss of control over records. 10
The fi rst step in gaining control over an organization’s records and imple-
menting IG measures to control and manage them is to complete an inventory of
all groupings of business records, including electronic records, 11 at the system or fi le
series level.
The focus of this book is on IG and more granually e-records, and when it comes
to e-records, NARA has a specifi c recommendation: Inventory at the computer systems
level. This differs from advice given by experts in the past.
The records inventory is the basis for developing a records retention schedule
that spells out how long different types of records are to be held and how they will
be archived or disposed of at the end of their life cycle. But fi rst you must determine
where business records reside, how they are stored, how many exist, and how they are
used in the normal course of business.
There are a few things to keep in mind when approaching the e-records invento-
rying process:
■ Those who create and work with the records themselves are the best source
of information about how the records are used. They are your most critical
resource in the inventorying process.
■ RM is something that everyone wants done but no one wants to do (although
everyone will have an opinion on how to do it).
■ The people working in business units are touchy about their records. It will
take some work to get them to trust a new RM approach. 12
NARA recommends that electronic records are inventoried by information sys-
tem, not by record series.

INFORMATION GOVERNANCE AND RECORDS 155
These knowledge workers are your best resource and can be your greatest allies or
worst enemies when it comes to gathering accurate inventory data; developing a workable
fi le plan; and keeping the records declaration, retention, and disposition process operating
effi ciently. A sound RM program will keep the records inventory accurate and up to date.
Generally Accepted Recordkeeping Principles®
See Chapter 3 for more detail on applicable principles in IG. To summarize: It may be useful
to use a model or framework to guide your records inventorying efforts. Such frameworks
could be the D.I.R.K.S. (Designing and Implementing Recordkeeping Systems) used in
Australia or the Generally Accepted Recordkeeping Principles® (or “the Principles”) that
originated in the United States at ARMA International. The Principles are a “framework
for managing records in a way that supports an organization’s immediate and future regulatory,
legal, risk mitigation, environmental, and operational requirements. ” 13
Special attention should be given to creating an accountable, open inventorying
process that can demonstrate integrity. The result of the inventory should help the or-
ganization adhere to records retention, disposition, availability, protection, and com-
pliance aspects of The Principles.
The Generally Accepted Recordkeeping Principles were created with the as-
sistance of ARMA International and legal and IT professionals who reviewed
and distilled global best practice resources. These included the international
records management standard ISO15489–1 from the American National
Standards Institute and court case law. The principles were vetted through a
public call-for-comment process involving the professional records informa-
tion management . . . community. 14
E-Records Inventory Challenges
If your organization has received a legal summons for e-records, and you do not have
an accurate inventory, the organization is already in a compromising position: You do
not know where the requested records might be, how many copies there might be, or
the process and cost of producing them. Inventorying must be done sooner rather than
later and proactively rather than reactively.
E-records present challenges beyond those of paper of microfi lmed records due to their (elec-
tronic) nature :
1. You cannot see or touch them without searching online, as opposed to simply
thumbing through a fi ling cabinet or scrolling through a roll of microfi lm.
What are The Principles? They are guidelines for information management and
governance of record creation, organization, security, maintenance, and other
activities used to effectively support the recordkeeping of an organization.

156 INFORMATION GOVERNANCE
2. They are not sitting in a central fi le room but rather may be scattered about
on servers, shared network drives, or on storage attached to mainframe or
minicomputers.
3. They have metadata attached to them that may distinguish very similar-
looking records.
4. Additional “shadow” copies of the e-records may exist, and it is diffi cult to
determine the true or original copy.15
Records Inventory Purposes
The completed records inventory contributes toward the pursuit of an organization’s IG ob-
jectives in a number of ways : It supports the ownership, management, and control of s
records; helps to organize and prepare for the discovery process in litigation; reduces
exposure to business risk; and provides the foundation for a disaster recovery/business
continuity plan.
Completing the records inventory offers at least eight additional benefi ts:
1. It identifi es records ownership and sharing relationships, both internal and
external.
2. It determines which records are physical, electronic, or a combination of both.
3. It provides the basis for retention and disposition schedule development.
4. It improves compliance capabilities.
5. It supports training objectives for those handling records.
6. It identifi es vital and sensitive records needing added security and backup
measures.
7. It assesses the state of records storage, its quality and appropriateness.
8. It supports the release of information for Freedom of Information Act (FOIA),
Data Protection Act, and other mandated information release requirements
for governmental agencies. 16
With respect to e-records, the purpose of the records inventory should include the
following objectives:
■ Provide a survey of the existing electronic records situation.
■ Locate and describe the organization’s electronic record holdings.
■ Identify obsolete electronic records.
■ Determine storage needs for active and inactive electronic records.
■ Identify vital and archival electronic records, indicating need for their on-
going care.
■ Raise awareness within the organization of the importance of electronic
records management.
■ Lead to electronic record keeping improvements that increase effi ciency.
■ Lead to the development of a needs assessment for future actions.
■ Provide the foundation of a written records management plan with a de-
termination of priorities and stages of actions, ensuring the continuing im-
provement of records management practices. 17

INFORMATION GOVERNANCE AND RECORDS 157
Records Inventorying Steps
NARA’s guidance on how to approach a records inventory applies to both physical and
e-records.
The steps in the records inventory process are:
1. Defi ne the inventory’s goals. While the main goal is gathering information for
scheduling purposes, other goals may include preparing for conversion to
other media, or identifying particular records management problems.
2. Defi ne the scope of the inventory; it should include all records and other
materials.
3. Obtain top management’s support , preferably in the form of a directive, and t
keep management and staff informed at every stage of the inventory.
4. Decide on the information to be collected (the elements of the inventory). Ma-d
terials should be located, described, and evaluated in terms of use.
5. Prepare an inventory form , or use an existing one.
6. Decide who will conduct the inventory, and train them properly.
7. Learn where the agency’s [or business’s] s fi les are located , both physically and d
organizationally.
8. Conduct the inventory.
9. Verify and analyze the results. s 18
Goals of the Inventory Project
The goals of the inventorying project must be set and conveyed to all stakeholders. At a
basic level, the primary goal can be simply to generate a complete inventory for compli-
ance and reporting purposes. It may focus on a certain business area or functional group or
on the enterprise as a whole. An enterprise approach requires segmenting the effort into
smaller, logically sequenced work efforts, such as by business unit. Perhaps the organization
has a handle on its paper and microfi lmed records but e-records have been growing exponentially
and spiraling out of control, without good policy guidelines or IG controls. So a complete inventory
of records and e-records by system is needed, which may include e-records generated by
application systems, residing in e-mail, created in offi ce documents and spreadsheets, or
other potential business records. This is a tactical approach that is limited in scope.
The goal of the inventorying process may be more ambitious: to lay the ground-
work for the acquisition and implementation of an ERM system that will manage
the retention, disposition, search, and retrieval of records. It requires more business
The completed records inventory contributes toward the pursuit of an organi-
zation’s IG objectives in a number of ways.

158 INFORMATION GOVERNANCE
process analysis and redesign, some rethinking of business classifi cation schemes or fi le
plans, and development of an enterprise-wide taxonomy. This redesign will allow for
more sharing of information and records; faster, easier, and more complete retrievals;
and a common language and approach for knowledge professionals across the enter-
prise to declare, capture, and retrieve business records.
The plan may be still much greater in scope and involve more challenging goals: That
is, the inventorying of records may be the fi rst step in the process of implementing an orga-
nization-wide IG program to manage and control information by rolling out ERM and IG
systems and new processes; to improve litigation readiness and stand ready for e-discovery
requests; and to demonstrate compliance adherence with business agility and confi dence.
Doing this involves an entire cultural shift in the organization and a long-term approach.
Whatever the business goals for the inventorying effort, they must be conveyed to all stake-
holders, and that message must be reinforced periodically and consistently, and through multiple
means. It must be clearly spelled out in communications and presented in meetings as
the overarching goal that will help the organization meet its business objectives. The
scope of the inventory must be appropriate for the business goals and objectives it targets.
Scoping the Inventory
“With senior-level support, the records manager must decide on the scope of the re-
cords inventory. A single inventory could not describe every electronic record in an
organization; an appropriate scope might enumerate the records of a single program or divi-
sion, several functional series across divisions, or records that fall within a certain time frame. ”
[emphasis added.] 19 Most organizations have not deployed an enterprise-wide records
management system, which makes the e-records inventorying process arduous and
time-consuming. It is not easy to fi nd where all the electronic records reside—they
are scattered all over the place, and on different media. But impending (and inevitable)
litigation and compliance demands require that it be done. And, again, sooner has
been proven to be better than later. Since courts have ruled that if lawsuits have been
fi led against your competitors over a certain (industry-specifi c) issue, your organiza-
tion should anticipate and prepare for litigation—which means conducting records
inventories and placing a litigation hold on documents that might be relevant. Simply
doing nothing and waiting on a subpoena is an avoidable business risk.
Whatever the business goals for the inventorying effort are, they must be con-
veyed to all stakeholders, and that message must be reinforced periodically
and consistently, and through multiple means.
An appropriate scope might enumerate the records of a single program or
division, several functional series across divisions, or records that fall within a
certain time frame.

INFORMATION GOVERNANCE AND RECORDS 159
A methodical, step-by-step approach must be taken—it is the only way to ac-
complish the task. A plan that divides up the inventorying tasks into smaller, ac-
complishable pieces is the only one that will work. It has been said, “How do you
eat an elephant?” And the answer is “One bite at a time.” So scope the inventorying
process into segments, such as a business unit, division, or information system/
application.
Management Support: Executive Sponsor
It is crucial to have management support to drive the inventory process to completion.
There is no substitute for an executive sponsor. Asking employees to take time out
for yet another survey or administrative task without having an executive sponsor will
likely not work. Employees are more time-pressed than ever, and they will need a clear
directive from above, along with an understanding of what role the inventorying pro-
cess plays in achieving a business goal for the enterprise, if they are to take the time to
properly participate and contribute meaningfully to the effort.
Information/Elements for Collection
During the inventory you should collect the following information at a
minimum:
■ What kind of record it is—contracts, fi nancial reports, memoranda, etc.
■ What department owns it
■ What departments access it
■ What application created the record (e-mail, MS Word, Acrobat PDF)
■ Where it is stored, both physically (tape, server) and logically (network
share, folder)
■ Date created
■ Date last changed
■ Whether it is a vital record (mission-critical to the organization)
■ Whether there are other forms of the record (for example, a document
stored as a Word document, a PDF, and a paper copy) and which of them
is considered the offi cial record
Removable media should have a unique identifi er and the inventory r
should include a list of records on the particular volume as well as the
characteristics of the volume, e.g., the brand, the recording format, the
capacity and volume used, and the date of manufacture and date of last
update.20 (Emphasis added.)
Additional information not included in inventories of physical records must be
collected in any inventory of e-records.

160 INFORMATION GOVERNANCE
IT Network Diagram
Laying out the overall topology of the IT infrastructure in the form of a network
diagram is an exercise that is helpful in understanding where to target efforts and to
map information fl ows. Creating this map of the IT infrastructure is a crucial step in
inventorying e-records. It graphically depicts how and where computers are connected
to each other and the software operating environments of various applications that are
in use. This high-level diagram does not need to include every device; rather, it should
indicate each type of device and how it is used.
The IT staff usually has a network diagram that can be used as a reference; per-
haps after some simplifi cation it can be put into use as the underpinning for inventory-
ing e-records. It does not need great detail, such as where network bridges and routers
are located, but it should show which applications are utilizing the cloud or hosted
applications to store and/or process documents and records.
In diagramming the IT infrastructure for purposes of the inventory, it is easiest to
start in the central computer room where any mainframe or other centralized servers
are located and then follow the connections out into the departments and business unit
areas, where there may be multiple shared servers and drives supported a network of
desktop personal computers or workstations.
Microsoft’s SharePoint® is a prevalent document and RM portal platform, and
many organizations have SharePoint servers to house and process e-documents and
records. Some utilities and tools may be available to assist in the inventorying process
on SharePoint systems.
Mobile devices (e.g., tablets, smartphones, and other portable devices) that are
processing documents and records should also be represented. And any e-records re-
siding in cloud storage should also be included.
Creating a Records Inventory Survey Form
The record inventory survey form must suit its purpose. Do not collect data that is ir-
relevant, but, in conducting the survey, be sure to collect all the needed data elements.
You can use a standard form, but some customization is recommended. The sample
records survey form in Figure 9.1 is wide ranging yet succinct and has been used suc-
cessfully in practice.
If conducting the e-records portion of the inventory, the sample form may be
somewhat modifi ed, as shown in Figure 9.2 .
Who Should Conduct the Inventory?
Typically, a RM project team is formed to conduct the survey, often assisted by re-
sources outside of the business units. These may be RM and IT staff members, business
analysts, members of the legal staff, outside specialized consultants, or a combination
of these groups. The greater the cross-section from the organization, the better, and
the more expertise brought to bear on the project, the more likely it will be completed
thoroughly and on time.
Critical to the effort is that those conducting the inventory are trained in the
survey methods and analysis, so that when challenging issues arise, they will have the
resources and know-how to continue the effort and get the job done.

INFORMATION GOVERNANCE AND RECORDS 161
Department Information
1. What is the reporting structure of the department?
2. Who is the department liaison for the records inventory?
3. Who is the IT or business analyst liaison?
Record Requirements
4. Are there any external agencies that impose guidelines, standards or other requirements?
5. Are there specifi c legislative requirements for creating or maintaining records? Please provide a copy.
6. Is there a departmental records retention schedule?
7. What are the business considerations that drive recordkeeping? Regulatory requirements? Legal
requirements?
8. Does the department have an existing records management policy? Guidelines? Procedures?
Please provide a copy.
9. Does the department provide guidance to employees on what records are to be created?
10. How are policies, procedures and guidance disseminated to the employees?
11. What is the current level of employees’ awareness of their responsibilities for records
management?
12. How are nonrecords managed?
13. What is the process for ensuring compliance with policies, procedures, and guidelines?
When an employee changes jobs/roles or is terminated?
14. Does the department have a classifi cation or fi le plans?
15. Are any records in the department confi dential or sensitive?
16. What information security controls does the department have for confi dential or sensitive
records?
17. Does the department have records in sizes other than letter (8½×11)?
18. What is the cutoff date for the records?
Fiscal Year Calendar Year Other
19. Have department vital records been identifi ed?
20. Is there an existing business or disaster recovery policy?
21. Is the department subject to audits? Internal? External? Who conducts the audits?
22. Where and how are records stored?
Online? Near Line? Offl ine? On-site? Off-site? One location? Multiple locations?
23. How does the department ensure that records will remain accessible, readable, and useable
throughout their scheduled retention period?
Technology and Tools
24. Are any tools used to track active records? Spreadsheets, word documents, databases, and so
forth?
25. Are any tools used to track inactive records? Spreadsheets, word documents, databases, and so
forth?
26. Does the department use imaging, document management, and so forth?
Disposition
27. Are there guidelines for destroying obsolete records?
Figure 9.1 Records Inventory Survey Form
(continued )

162 INFORMATION GOVERNANCE
Identifying Information
1. Name of system.
2. Program or legal authority for system.
3. System identifi cation or control number.
4. Person responsible for administering the system. Include e-mail, offi ce address, and phone
contact info.
5. Date system put in service.
6. Business unit or agency supported by system.
7. Description of system (what does the application software do?).
8. Purpose of system.
System Inputs/Outputs
9. Primary sources of data inputs.
10. Major outputs of system (e.g., specifi c reports).
11. Informational content (all applicable): Description of data; applicability of data (people, places,
things); geographic information; time span; update cycle; applications the system supports; how
data are manipulated; key unit analysis for each fi le; public use or not?
12. Hardware confi guration.
13. Software environment, including revision levels, operating system, database, and so forth.
14. Indices or any classifi cation scheme/fi le plan that is in place?
15. Duplicate records? Location and volume of any other records containing the same information.
Record Requirements
16. Are there any external agencies that impose guidelines, standards, or other requirements?
17. Are their specifi c legislative requirements for creating or maintaining records? Please provide a copy.
18. Is there a departmental records retention schedule?
19. What are the business considerations that drive recordkeeping? Regulatory requirements? Legal
requirements?
20. Does the department have an existing records management policy? Guidelines? Procedures? If
so, please provide a copy.
28. What disposition methods are authorized or required?
29. How does disposition occur? Paper? Electronic? Other?
30. What extent does the department rely on each individual to destroy records? Paper? Electronic?
Other?
Records Holds
31. What principles govern decisions for determining the scope of records that must be held or
frozen for an audit or investigations?
32. How is the hold or freeze communicated to employees?
33. How are records placed on hold protected?
Figure 9.2 Electronic Records Inventory Survey Form
Figure 9.1 (continued )
Source: Charmain Brooks, IMERGE Consulting, e-mail to author, March 20, 2012.

INFORMATION GOVERNANCE AND RECORDS 163
Determine Where Records Are Located
The inventory process is, in fact, a surveying process, and it involves going physically
out into the units where the records are created, used, and stored. Mapping out where
the records are geographically is a basic necessity. Which buildings are they located in?
Which offi ce locations? Computer rooms?
Also, the inventory team must look organizationally at where the records reside (i.e., de-y
termine which departments and business units to target and prioritize in the survey process).
Conduct the Inventory
Several approaches can be taken to conduct the inventory, including three basic methods:
1. Distributing and collecting surveys
2. Conducting in-person interviews
3. Direct observation
21. How are nonrecords managed?
22. Are any records in the department confi dential or sensitive? How are they indicated or set apart?
23. What information security controls does the department have for confi dential or sensitive
records?
24. What is the cutoff date for the records?
Fiscal Year Calendar Year Other
25. Have department vital records been identifi ed?
26. Is there an existing business or disaster recovery policy?
27. Is the department subject to audits? Internal? External? Who conducts the audits?
28. Where and how are records stored?
Online? Near line? Offl ine? On-site? Off-site? One location? Multiple locations?
29. How does the department ensure that records will remain accessible, readable, and useable
throughout their scheduled retention period?
Disposition
30. Are there guidelines for destroying obsolete records?
31. What disposition methods are authorized or required?
32. How does disposition occur? Are electronic deletions verifi ed?
33. What extent does the department rely on each individual to destroy e-records?
Records Holds
34. What principles govern decisions for determining the scope of records that must be held or
frozen for an audit or investigations?
35. How is the hold or freeze communicated to employees?
36. How are records placed on hold protected?
Figure 9.2 (continued )
Source: Adapted from: www.archives.gov/records-mgmt/faqs/inventories.html and Charmaine
Brooks, IMERGE Consulting.

http://www.archives.gov/records-mgmt/faqs/inventories.html

164 INFORMATION GOVERNANCE
Creating and distributing a survey form is traditional and proven way to collect
e-records inventory data. This is a relatively fast and inexpensive way to gather the
inventory data. The challenge is getting the surveys completed in a consistent fashion.
This is where a strong executive sponsor can assist. The sponsor can make the survey a
priority and tie it to business objectives, making the survey completion compulsory. The
survey is a good tool, and it can be used to cover more ground in the data collection pro-
cess. If following up with interviews, the survey form is a good starting point; responses
can be verifi ed and clarifi ed, and more detail can be gathered.
Some issues may not be entirely clear initially, so following up with scheduled in-
person interviews can dig deeper into the business processes where formal records are
create and used. A good approach is to have users walk you through their typical day
and how they access, use, and create records—but be sure to interview managers too,
as managers and users have differing needs and uses for records. 21
You will need some direction to conduct formal observation, likely from IT staff
or business analysts familiar with the recordkeeping systems and associated business
processes. They will need to show you where business documents and records are
created and stored. If there is an existing ERM system or other automated search and
retrieval tools available, you may use them to speed the inventorying process.
When observing and inventorying e-records, starting in the server room and
working outward toward the end user is a logical approach. Begin by enumerating the
e-records created by enterprise software applications (such as accounting, enterprise
resource planning, or customer relationship management systems), and work your way
to the departmental or business unit applications, on to shared network servers, then
fi nally out to individual desktop and laptop PCs and other mobile devices. With to-
day’s smartphones, this can be a tricky area, due to the variety of platforms, operating
systems, and capabilities. In a bring-your-own-device environment, records should not
be stored on personal devices, but if they must be, they should be protected with tech-
nologies like encryption or information rights management.
There are always going to be thorny areas when attempting to inventory e-records to
determine what fi les series exist in the organization. Mobile devices and removable media
may contain business records. These must be identifi ed and isolated, and any records on
these media must be recorded for the inventory. Particularly troublesome are thumb or
fl ash drives, which are compact yet can store 20 gigabytes of data or more. If your IG
measures call for excluding these types of media, the ports they use can be blocked on PCs,
tablets, smartphones, and other mobile computing devices. A sound IG program will con-
sider the proper use of removable media and the potential impact on your RM program.22
The best approach for conducting the inventory is to combine the available inventorying
methods, where possible. Begin by observing, distribute surveys, collect and analyze them,
and then target key personnel for follow-up interviews and walk-throughs. Utilize
whatever automated tools are available along the way. This approach is the most com-
plete. Bear in mind that the focus is not on individual electronic fi les but rather, the fi le series
level for physical records and the fi le series or system level for e-records (preferably the latter).
There are three ways to conduct the inventory: surveys, interviews, and
observation. Combining these methods yields the best results.

INFORMATION GOVERNANCE AND RECORDS 165
Interviewing Programs/Service Staff
Interviews are a very good source of records inventory information. Talking with actual
users will help the records lead or inventory team to better understand how documents
and records are created and used in everyday operations. Users can also report why they
are needed—an exercise that can uncover some obsolete or unnecessary processes and
practices. This is helpful in determining where e-records reside and how they are grouped
in records series or by system and ultimately, the proper length of their retention period
and whether they should be archived or destroyed at the end of their useful life. 23
Since interviewing is a time-intensive task, it is crucial that some time is spent in
determining the key people to interview: Interviews not only take your time but oth-
ers’ as well, and the surest way to lose momentum on an inventorying project is to have
stakeholders believe you are wasting their time.
You need to interview representatives from all functional areas and levels of
the program or service, including:
■ managers
■ supervisors
■ professional/technical staff
■ clerical/support staff
The people who work with the records can best describe to you their use.
They will likely know where the records came from, whether copies exist,
who needs the records, any computer systems that are used, how long the
records are needed and other important information that you need to know
to schedule the records.
Selecting Interviewees
As stated earlier, it is wise to include a cross-section of staff, managers and frontline
employees to get a rounded view of how records are created and used. Managers have
a different perspective and may not know how workers utilize electronic records in
their everyday operations.
A good lens to use is to focus on those who make decisions based on informa-
tion contained in the electronic records and to follow those decision-based processes
through to completion, observing and interviewing at each level.
For example, an application is received (mail room logs date and time), checked
(clerk checks the application for completeness and enters into a computer sys-
tem), verifi ed (clerk verifi es that the information on the application is correct),
and approved (supervisor makes the decision to accept the application). These
staff members may only be looking at specifi c pieces of the record and making
decisions on those pieces.
Interview Scheduling and Tips
One rule to consider is this: Be considerate of other people’s work time. Since they
are probably not getting compensated for participating in the records inventory, the
time you take to interview them is time taken away from compensated tasks they are

166 INFORMATION GOVERNANCE
evaluated on. So, once the interviewees are identifi ed, provide as much advance notice
as possible, follow up to confi rm appointments, and stay within the scheduled time.
Interviews should be kept to 20 to 60 minutes. Most of all—never be late!
Before starting any interviews, be sure to restate the goals and objectives of the
inventorying process and how the resulting output will benefi t people in their jobs.
In some cases, it may be advisable to conduct interviews in small groups, not only
to save time but to generate a discussion of how records are created, used, and stored.
Some new insights may be gained.
Try to schedule interviews that are as convenient as possible for participants. That
means providing participants with questions in advance and holding the interviews as
close to their work area as possible. Do not schedule interviews back to back with no
time for a break between. You will need time to consolidate your thoughts and notes,
and, at times, interviews may exceed their planned time if a particularly enlightening
line of questioning takes place.
If you have some analysis from the initial collection of surveys, share that with the
interviewees so they can validate or help clarify the preliminary results. Provide it in
advance, so they have some time to think about it and discuss it with their peers.
Sample Interview Questionnaire
You’ll need a guide to structure the interview process. A good starting point is the
sample questions presented in the questionnaire shown in Figure 9.3 . It is a useful tool
that has been used successfully in actual records inventory projects.
Analyze and Verify the Results
Once collected, some follow-up will be required to verify and clarify responses. Often
this can be done over the telephone. For particularly complex and important areas, a
follow-up in person visit can clarify the responses and gather insights.
Once the inventory draft is completed, a good practice is to go out into the
business units and/or system areas and verify what the fi ndings of the survey are.
Once presented with fi ndings in black and white, key stakeholders may have ad-
ditional insights that are relevant to consider before fi nalizing the report. Do not
miss out on the opportunity to allow power users and other key parties to provide
valuable input.
Be sure to tie the fi ndings in the fi nal report of the records inventory to the business goals
that launched the effort. This helps to underscore the purpose and importance of the
effort, and will help in getting that fi nal signoff from the executive sponsor that states
the project is complete and there is no more work to do.
Depending on the magnitude of the project, it may (and should ) turn into a dd
formal IG program that methodically manages records in a consistent fashion in
accordance with internal governance guidelines and external compliance and legal
demands.
Be sure to tie the fi ndings in the fi nal report of the records inventory to the
business goals that launched the effort.

INFORMATION GOVERNANCE AND RECORDS 167
What is the mandate of the offi ce?
What is the reporting structure of the department?
Who is the department liaison for the records inventory?
Are there any external agencies that impose guidelines, standards, or other requirements?
Is there a departmental records retention schedule?
Are there specifi c legislative requirements for creating or maintaining records? Please provide a copy.
What are the business considerations that drives record keeping? Regulatory requirements? Legal
requirements?
Does the department have an existing records management policy? Guidelines? Procedures?
Please provide a copy.
Does the department provide guidance to employees on what records are to be created?
What is the current level of awareness of employees their responsibilities for records management?
How are nonrecords managed?
Does the department have a classifi cation or fi le plans?
What are the business drivers for creating and maintaining records?
Where are records stored? Onsite? Offsite? One location? Multiple locations?
Does the department have records in sizes other than letter (8 ½×11)?
What is the cutoff date for the records?
Fiscal Year Calendar Year Other
Are any tools used to track active records? Excel, Access, and so forth?
Does the department use imaging, document management, and so forth?
Is the department subject to audits? Internal? External? Who conducts the audits?
Are any records in the department confi dential or sensitive?
Are their guidelines for destroying obsolete records?
What disposition methods are authorized or required?
How does disposition occur? Paper? Electronic? Other?
What extent does the department rely on each individual to destroy records?
Paper Electronic Other
What principles govern decisions for determining the scope of records that must be held or frozen for
an audit or investigations?
How is the hold or freeze communicated to employees?
Figure 9.3 Sample Interview Questionnaire
Appraising the Value of Records
Part of the process of determining the retention and disposition schedule of records
is to appraise their value. Records can have value in different ways, which affects
retention decisions.
Records appraisal is an analysis of all records within an agency [or business]
to determine their administrative, fi scal, historical, legal, or other archival value.
The purpose of this process is to determine for how long, in what format, and
Source: Charmaine Brooks, IMERGE Consulting, e-mail to author, March 20, 2012.

168 INFORMATION GOVERNANCE
under what conditions a record series ought to be preserved. Records appraisal is
based upon the information contained in the records inventory. Records series shall be
either preserved permanently or disposed of when no longer required for the
current operations of an agency or department, depending upon:
■ Historical value or the usefulness of the records for historical research, in-
cluding records that show an agency [or business] origin, administrative
development, and present organizational structure.
■ Administrative value or the usefulness of the records for carrying on [a busi-
ness or] an agency’s current and future work, and to document the develop-
ment and operation of that agency over time.
■ Regulatory and statutory [value to meet] requirements.
■ Legal value or the usefulness of the records to document and defi ne legally
enforceable rights or obligations of [business owners, shareholders, or a]
government and/or citizens.
■ Fiscal value or the usefulness of the records to the administration of [a busi-
ness or] an agency’s current fi nancial obligations, and to document the de-
velopment and operation of that agency over time
■ Other archival value as determined by the State [or corporate] Archivist. 24
(Emphasis added.)
Ensuring Adoption and Compliance of RM Policy
The inventorying process in not a one-shot deal: It is useful only if the records inven-
tory is kept up to date, so it should be reviewed, at least annually. A process should be
put in place so that business unit or agency heads notify the RM head/lead if a new fi le
series or system has been put in place and new records collections are created. 25
[Five] tips can help ensure that a records management program achieves its goals:
1. Records management is everyone’s role. The volume and diversity of business
records, from e-mails to reports to tweets, means that the person who cre-
ates or receives a record is in the best [position] to classify it. Everyone in
the organization needs to adopt the records management program.
2. Don’t micro-classify. Having hundreds, or possibly thousands, of records clas-
sifi cation categories may seem like a logical way to organize the multitude
of different records in a company. However, the average information
worker, whose available resources are already under pressure, does not
want to spend any more time than necessary classifying records. Having a
few broad classifi cations makes the decision process simpler and faster.
Records appraisal is based on the information contained in the records
inventory.

INFORMATION GOVERNANCE AND RECORDS 169
3. Talk the talk from the top on down. A culture of compliance starts at the top.
Businesses should establish a senior-level steering committee comprised
of executives from legal, compliance, and information technology (IT). A
committee like this signals the company’s commitment to compliant re-
cords management and ensures enterprise adoption.
4. Walk the walk, consistently. For compliance to become second nature, it
needs to be clearly communicated to everyone in the organization, and
policies and procedures must be accessible. Training should be rigorous
and easily available, and organizations may consider rewarding compliance
through fi nancial incentives, promotions and corporate-wide recognition.
5. Measure the measurable. The ability to measure adherence to policy and
adoption of procedures should be included in core business operations and
audits. Conduct a compliance assessment, including a gap analysis, at least
once a year, and prepare an action plan to close any identifi ed holes.
The growth of data challenges a company’s ability to use and store its records
in a compliant and cost-effective manner. Contrary to current practices, the
solution is not to hire more vendors or to adopt multiple technologies. The
key to compliance is consistency, with a unifi ed enterprise-wide approach for
managing all records, regardless of their format or location. 26
So a steady and consistent IG approach that includes controls, audits, and clear
communication is key to maintaining an accurate and current records inventory.
General Principles of a Retention Scheduling
We discussed records retention briefl y in Chapter 8 , mostly as it relates to legal research
and determining retention and limitation periods. In this section we go more in depth.
A series of principles is common to all retention schedules: 27
■ The retention schedule must include all records.
■ Records scheduling includes all records, regardless of media or location.28
■ All legal and regulatory requirements for records must be refl ected in the records
scheduling process. For public entities, retention scheduling fosters and enables
the agency to comply with information requests (e.g., FOIA in the United States,
Freedom of Information Act 2000 in the United Kingdom, Freedom of Informa-
tion and Protection of Privacy Act and the Health Information Act in Canada,
and Freedom of Information Amendment [Reform] Act 2010 in Australia).
■ Records scheduling is a “proactive” planning process, where schedules are set
in place and standardized in advance.
■ Periodic review of the retention schedule must take place when signifi cant leg-
islation, technology acquisitions, or other changes are being considered; but in
any case this should be at least annually or biannually.
■ Records scheduling is a continuous process that needs updating and amending,
based on legal, technology, or business changes over time.
■ Classifi cation and records scheduling are inextricably linked.

170 INFORMATION GOVERNANCE
Records retention defi nes the length of time that records are to be kept and
considers legal, regulatory, operational, and historical requirements. 31
■ File series with similar characteristics or value should be assigned consistent
and appropriate retention periods.
■ Records of historical value must be preserved.
■ Records retention periods should refl ect the business needs of users, the value
of the records, and any legal or compliance requirements. The best way to
make these determinations is with a team that includes cross-functional rep-
resentatives from RM, legal, risk, compliance, IT and business unit representa-
tives, headed by an executive sponsor.
■ RM resource use is optimized, and costs are minimized by keeping records a
minimum amount of time under a planned and controlled set of processes.
■ Records must be retained in a repository (fi le room or software system)
where the record is protected (e.g., made read-only and monitored with an
audit trail) so that the integrity of the record is maintained in a manner that
meets all evidence and legal admissibility standards if or when litigation is
encountered.
■ Senior management must approve of and sign off on the retention schedule and
will be legally accountable for compliance with the schedule.
■ Senior management must be able to readily review retention schedules, policy
documentation, and audit information to ensure users are in compliance with
the retention schedule.
■ Complete documentation of scheduling requirements and activities must take
place so that future users and archivists can view and track changes to the reten-
tion schedule. 29
Developing a Records Retention Schedule
A records retention schedule defi nes the length of time that records are to be kept and
considers legal, regulatory, operational, and historical requirements. 30 The retention schedule
also includes direction as to how the length of time is calculated (i.e., the event or
trigger that starts the clock [e.g., two years from completion of contract]). Legal re-
search and opinions are required, along with consultation with owners and users of
the records. Users typically overestimate the time they need to keep records, as they
confuse the legal requirements with their own personal wishes. Some hard question-
ing has to take place, since having these records or copies of records lying around the
organization on hard drives, thumb drives, or in fi le cabinets may create liabilities for
the organization.
Disposition means not just destruction but also can mean archiving and trans-
fer and a change in ownership and responsibility for the records. The processes of
archiving and preserving are an example where records may be handed over to a his-
torical recordkeeping unit. At this time, the records may be sampled and only selective
parts of the group of records may be retained.

INFORMATION GOVERNANCE AND RECORDS 171
A retention schedule allows for uniformity in the retention and disposition
process, regardless of the media or location of the records.
Disposition means not just destruction but can also mean archiving and a
change in ownership and responsibility for the records.
Why Are Retention Schedules Needed?
A retention schedule allows for uniformity in the retention and disposition process, regardless of
the media or location of the records. Further, it tracks, enforces, and audits the retention and
disposition of records while optimizing the amount of records kept to legal minimums,
which saves on capital and labor costs, and reduces liability (by discarding unneeded re-
cords that carry legal risk). 32 The Generally Accepted Recordkeeping Principles® state
the critical importance of having a retention schedule (see the section “Generally Accepted
Recordkeeping Principles” in Chapter 3 for more details) and provide guidelines for open
collaboration in developing one. In the public sector, holding records that have passed
their legally required retention period also can have negative ramifi cations and liabilities
in meeting information service requests made during litigation, compliance actions, or, for
example, under the U.S. FOIA, or similar acts in other countries.
Information Included on Retention Schedules
A retention schedule consists of these components:
■ Title of the record series
■ Descriptions of the records seriess
■ Offi ce responsible for the retention of the record (default is usually the offi ce of origin)e
■ Disposal decision —destroy, transfer to the archives, or, in exceptional circum-
stances, reconsider at a later (specifi ed) date
■ Timing of disposal —a minimum period for which the records should be retainedll
in the offi ce or in an off-site store before disposal action is undertaken
■ Event that triggers the disposal actions
■ Dates on which the schedule was agreed , signed, or modifi ed d
■ Legal citations or a link to a citation that reference the retention requirements of
that group of records
A sample of a simple records retention schedule is shown in Figure 9.4 .
Steps in Developing a Records Retention Schedule
If you already have existing retention schedules but are revising and updating them,
there may be useful information in those schedules that can serve as a good reference

172 INFORMATION GOVERNANCE
point—but be wary, as they may be out of date and may not consider current legal
requirements and business needs.
According to the U.S. National Archives, some key steps are involved in develop-
ing retention schedules:
1. Review the functions and recordkeeping requirements for the [business unit
or] agency or the organizational component of the agency whose records will
be included on the schedule
2. Inventory the records.
3. Determine the period of time the records are needed for conducting [business
or] agency operations and meeting legal obligations
4. Draft disposition instructions including:
■ File cutoffs or fi le breaks (convenient points within a fi ling plan/system
(end of a letter of the alphabet, end of year or month, etc.) at which fi les
are separated for purposes of storage and/or disposition)
■ Retention periods for temporary records
■ Instructions for transferring permanent records to the National Archives
of the United States [or corporate archive for businesses]
■ Instructions for sending inactive records to off-site storage
■ Organize the schedule and clear it internally
■ Obtain approval from [your corporate archivist or] NARA [for federal
agencies], as well as from GAO if required by Title 8 of the GAO, “Policy
and Procedures Manual for the Guidance of Federal Agencies.” 33
Records Retention Schedule ENVIRONMENTAL HEALTH AND
SAFETY
December 10, 2015
Record Type Responsible
Department
Event Retention
Period
Accident/Injury Reports
Employee Medical Files
Includes:
Accidents
Diagnosis (Accident or Injury)
First aid reports
Injuries
Medical reviews
Occupational Health Incident
Treatment and Progress (Accident or Injury)
Work related accidents
Workers health information
Workers Compensation Claims
Includes:
Audiology
Lung Function
Return to Work Authorization
Related to:
Employee Files (Active)
Health and Safety Programs
Includes:
Health and Safety Committee
Health and Safety Reports
HR Date of Incident E+30
HR Termination E+30
Health and
Safety
CY+10
Figure 9.4 Sample Records Retention Schedule
Source: IMERGE Consulting, Inc.

INFORMATION GOVERNANCE AND RECORDS 173
What Records Do You Have to Schedule?
Inventory and Classifi cation
Inventory and classifi cation are prerequisites for compiling a retention schedule. Be-
fore starting work, develop an information map that shows where information is cre-
ated, where it resides, and the path it takes. What records are created, who uses them,
and how is their disposition handled? Questions like these will provide key insights in
the development of the retention schedule. 34 Confi rm that the information map covers
all the uses of the records by all parts of the organization, including use for account-
ability, audit, and reference purposes.
In the absence of a formal information map, at a minimum you must compile a list of
all the different types of records in each business area. This list should include information
about who created them and what they are used for (or record provenance ), which
parts of the organization have used them subsequently and for what purpose (its us-
age), and the actual content.t
In the absence of any existing documentation or records inventory, you will need to conduct
a records inventory or survey to fi nd out what records the business unit (or organization)
holds. Tools are available to scan e-records folders to expedite the inventory process. A
retention schedule developed in this way will have a shorter serviceable life than one
based on an information map because it will be based on existing structures rather than
functions and will remain usable only as long as the organizational structure remains
unchanged.
Once a records inventory or survey is complete, building a records retention
schedule begins with classifi cation of records. 35
This basic classifi cation can be grouped into three areas:
1. Business functions and activities
2. Records series
3. Document types
Business functions are basic business units such as accounting, legal, human re-
sources, and purchasing. (See Appendix A, Information Organization and Classifi cation:
Taxonomies and Metadata, for details on the process of developing classifi cations.) It
basically answers this question: What were you doing when you created the record?
Tools are available to scan e-records folders to expedite the inventory process.
An information map is a critical fi rst step in developing a records retention
schedule. It shows where information is created, where it resides, and who
uses it.

174 INFORMATION GOVERNANCE
Business activities are the tasks performed to accomplish the business function. d
Several activities may be associated with each function.
A records series is a group or unit of identical or related records that are normally used
and fi led as a unit and that can be evaluated as a unit or business function for scheduling t
purposes. 36
A document type is a term used by many software systems to refer to a group-
ing of related records. When the records are all created by similar processes, then
the document type is equivalent to the business functions or activities mentioned
previously. However, “document type” often refers to the format of the record (e.g.,
presentation, meeting minutes). In this case, there is not enough information to
determine a retention period because it is ambiguous regarding what type of work
was being done when that document was created. Retention schedules require that
record series be defi ned by business function and activity, not by record format or
display type.
Rationale for Records Groupings
Records are grouped together for fundamental reasons to improve information orga-
nization and access. These reasons include:
■ Grouping by “similar theme” for improved completeness
■ Improving information search speed and completeness
■ Increasing organizational knowledge and memory by providing the “context”
within which individual documents were grouped
■ Clearly identifying who the record owner or creator is and assigning and track-
ing responsibility for a group of records
■ Grouping records with the same retention requirements for consistent applica-
tion of disposition processes to records
Records Series Identifi cation and Classifi cation
After completing a records inventory including characterizing, descriptive informa-
tion about the records such as their contents, use, fi le size, and projected growth vol-
umes, you will need to interview staff in those target areas you are working with to
determine more information about the specifi c organizational structure, its business
functions, services, programs, and plans. 37
In the course of business, there are several different types of records series. There
are case records , for example, which are characterized as having a beginning and
After completing an inventory, developing a retention schedule begins with
records classifi cation.

INFORMATION GOVERNANCE AND RECORDS 175
an end but are added to over time. Case records generally have titles that include
names, dates, numbers, or places. These titles do not provide insight into the nature
of the function of the record series. Examples of case records include personnel fi les,
mortgage loan folders, contract and amendment/addendum records, accident reports,
insurance claims, and other records that accumulate and expand over time. Although
the contents of case fi les may be similar, you should break out each type of case record
under a unique title.
Subject records (also referred to as topic or function records ) “contain infor-
mation relating to specifi c or general topics and that are arranged according to their
informational content or by the function/activity/transaction they pertain to.”38 These
types of records accumulate information on a particular topic or function to be added
to the organization’s memory and make it easier for knowledge workers to fi nd infor-
mation based on subject matter, topics, or business functions. Records such as those on
the progression of relevant laws and statutes, policies, standard operating procedures,
education and training have long-term reference value and should be kept until they
are no longer relevant or are displaced by more current and relevant records. In a
record retention schedule, the trigger event often is defi ned as “superseded or obsolete.”
Records of this type that relate to “routine operations of a [project], program or ser-
vice” do not have as much enduring value and should be scheduled to be kept for a
shorter period.
Retention of E-Mail Records
Are e-mail messages records? This question has been debated for years. The short an-
swer is no, not all e-mail messages constitute a record. But how do you determine whether
certain messages are a business record or not? The general answer is that a record
documents a transaction or business-related event that may have legal ramifi cations
or historic value. Most important are business activities that may relate to compliance
requirements or those that could possibly come into dispute in litigation. Particular
consideration should be given to fi nancial transactions of any type.
Certainly evidence that required governance oversight or compliance activities
have been completed needs to be documented and becomes a business record. Also,
business transactions, where there is an exchange of money or the equivalent in
goods or services is documented are also business records. Today, these transactions
are often documented by a quick e-mail. And, of course, any contracts (and any pro-
gressively developed or edited versions) that are exchanged through e-mail become
business records.
The form or format of a potential record is irrelevant in determining whether
it should be classifi ed as a business record. For instance, if a meeting of the board of
directors is recorded by a digital video recorder and saved to DVD, it constitutes a
Not all e-mail messages are records; those that document a business transac-
tion or progress toward it are clearly records and require retention.

176 INFORMATION GOVERNANCE
record. If photographs are taken of a ground-breaking ceremony for a new manufac-
turing plant, the photos are records too. If the company’s founders tape-recorded a
message to future generations of management on reel-to-reel tape, it is a record also,
since it has historical value. But most records are going to be in the form of paper,
microfi lm, or an electronic document.
Here are three guidelines for determining whether an e-mail message should be
considered a business record:
1. The e-mail documents a transaction or the progress toward an ultimate transaction
where anything of value is exchanged between two or more parties. All parts or char-
acteristics of the transaction, including who (the parties to it), what, when, how
much, and the composition of its components are parts of the transaction. Often
seemingly minor parts of a transaction are found buried within an e-mail mes-
sage. One example would be a last-minute discount offered by a supplier based
on an order being placed or delivery being made within a specifi ed time frame.
2. The e-mail documents or provides support of a business activity occurring that pertains
to internal corporate governance policies or compliance to externally mandated
regulations.
3. The e-mail message documents other business activities that may possibly be disputed
in the future, whether it ultimately involves litigation or not. (Most business
disputes actually are resolved without litigation, provided that proof of your
organization’s position can be shown.) For instance, your supplier may dispute
the discount you take that was offered in an e-mail message and, once you
forward the e-mail thread to the supplier, it acquiesces.
Managing e-mail business records is challenging, even for technology professionals.
According to an AIIM and ARMA survey, fully two-thirds of records managers doubt that
their IT departments really understand the concept of electronic records life cycle management.
That is despite the fact that 70 percent of companies rely on IT professionals alone to manage
their electronic records.
Although the signifi cance of e-mail in civil litigation cannot be overstated (it is the
leading piece of evidence requested at civil trials today), one-third of IT managers state
that they would be incapable of locating and retrieving e-mails that are more than one year old, d
according to Osterman Research. 39
How Long Should You Keep Old E-Mails?
There are different schools of thought on e-mail retention periods and retention schedules.
The retention and deletion of your electronic business records may be governed by laws or
regulations. Unless your organization’s e-mail and ESI records are governed by law or regulations,
E-mail messages that document business activities, especially those that may
be disputed in the future, should be retained as records.

INFORMATION GOVERNANCE AND RECORDS 177
your organization is free to determine the retention periods and deletion schedules that are most
appropriate for your organization.40 If your organization’s e-mail retention periods are not
specifi ed by law or regulation, consider keeping them for at least as long as you retain
paper records. Many software providers provide automated software that allows e-mail
messages to be moved to controlled repositories as they are declared to be records.
Destructive Retention of E-Mail
(We repeat this short section from Chapter 8 for those who are more focused on RIM
than on legal functions.)
A destructive retention program is an approach to e-mail archiving where e-mail
messages are retained for a limited time (say, 90 days), followed by the permanent
manual or automatic deletion of the messages from the organization network, so long
as there is no litigation hold or the e-mail has not been declared a record.
E-mail retention periods can vary from 90 days to as long as seven years:
■ Osterman Research reports that “nearly one-quarter of companies delete e-
mail after 90 days.” 41
■ Heavily regulated industries, including energy, technology, communications,
and real estate, favor archiving for one year or more, according to Fulbright
and Jaworski research. 42
■ The most common e-mail retention period traditionally has been seven years; how-
ever, some organizations are taking a hard-line approach and stating that e-mails
will be kept for only 90 days or six months, unless it is declared as a record, classi-
fi ed, and identifi ed with a classifi cation/retention category and tagged or moved to
a repository where the integrity of the record is protected (i.e., the record cannot be
altered and an audit trail on the history of the record’s usage is maintained)
Long-Term Archival Records
Inactive records that are have historical value or are essential for maintaining corporate
memory must be kept the longest. Although they are not needed for present operations,
they still have some value to the organization and must be preserved. When it comes to
preserving electronic records, this process can be complex and technical. (See Chapter
17 for details.) If you have a corporate or agency archivist, his or her input is critical.43
Meeting Legal Limitation Periods
(This short section is repeated from Chapter 8 for those who are more focused on
RIM than on legal functions.)
Destructive retention of e-mail is a method whereby e-mail messages are re-
tained for a limited period and then destroyed.

178 INFORMATION GOVERNANCE
A key consideration in developing retention schedules is researching and deter-
mining the minimum time required to keep records that may be demanded in legal
actions. “A limitation period is the length of time after which a legal action cannot be
brought before the courts. Limitation periods are important because they determine
the length of time records must be kept to support court action [including subsequent
appeal periods]. It is important to be familiar with the purpose, principles, and special
circumstances that affect limitation periods and therefore records retention.” 44
Legal Requirements and Compliance Research
(Note: This section also appears in Chapter 8 but is included here for completeness.)
Legal requirements trump all others. The retention period for a particular records
series must meet minimum retention requirements as mandated by law. Business needs
and other considerations are secondary. So, legal research is required before determin-
ing retention periods. Legally required retention periods must be researched for each
jurisdiction (state, country) in which the business operates, so that it complies with all
applicable laws.
In order to locate the regulations and citations relating to retention of records,
there are two basic approaches. The fi rst approach is to use a records retention citation
service, which publishes in electronic form all of the retention-related citations. These
services usually are bought on a subscription basis, as citations are updated on an an-
nual or more frequent basis as legislation and regulations change.
Figure 9.5 is an excerpt from a Canadian records retention database product called
FILELAW®. In this case, the act, citation, and retention periods are clearly identifi ed.
Another approach is to search the laws and regulations directly using online or
print resources. Records retention requirements for corporations operating in the
United States may be found in the Code of Federal Regulations (CFR), the annual RR
edition of which
is the codifi cation of the general and permanent rules published in the Fed-
eral Register by the departments and agencies of the federal government. It is
divided into 50 titles that represent broad areas subject to federal regulation.
The 50 subject matter titles contain one or more individual volumes, which
are updated once each calendar year, on a staggered basis. The annual update
cycle is as follows: titles 1 to 16 are revised as of January 1; titles 17 to 27 are
revised as of April 1; titles 28 to 41 are revised as of July 1, and titles 42 to 50
are revised as of October 1. Each title is divided into chapters, which usually
bear the name of the issuing agency. Each chapter is further subdivided into
parts that cover specifi c regulatory areas. Large parts may be subdivided into
subparts. All parts are organized in sections, and most citations to the CFR
refer to material at the section level. 45
There is an up-to-date version that is not yet a part of the offi cial CFR but is up-
dated daily, the Electronic Code of Federal Regulations (e-CFR) . “It is not an offi cial
legal edition of the CFR. The e-CFR is an editorial compilation of CFR material and
Federal Register amendments produced by the National Archives and Records Admin-
istration’s Offi ce of the Federal Register (OFR) and the Government Printing Offi ce.” 46

INFORMATION GOVERNANCE AND RECORDS 179
Event-Based Retention Scheduling for Disposition of E-Records
Event-based disposition is kicked off with the passage of an event, such as hiring or
fi ring an employee, the end of a project, or the initiation of a lawsuit.
Event-based disposition can have an associated retention schedule, and the clock
starts running once the event occurs. The required retention period begins only af-
ter the triggering event occurs. The length of the retention period may be regulated
by law, or it may be determined by IG guidelines set internally by the organization.
So, when an employee is terminated, and personnel fi les are destroyed after (say) fi ve
years, the retention schedule entry would be “Termination + 5 years.”
One other defi nition of event-based disposition comes from the U.S. e-records
standard, Department of Defense 5015.2, which states that a disposition instruction
in which a record is eligible for the specifi ed disposition (transfer or destroy) upon or
immediately after the specifi ed event occurs. No retention period is applied and there
is no fi xed waiting period, as with “timed” or combination “timed-event” dispositions.
Example: “Destroy when no longer needed for current operations.” 47
Some hardware vendors, such as IBM and EMC, provide solutions that assist in
executing event-based disposition with assistance from fi rmware (fi xed instructions
on a microchip). The fi rmware-assisted solution should be considered if your RM
or IG team aims to perform a complete and thorough retention solution analysis.
These hardware-based solutions can potentially streamline the event-based disposi-
tion process. 48
Event-based disposition begins with the passage of a triggering event.
Figure 9.5 Excerpt from Canadian Records Retention Database
Source: Ontario, Electricity Act, FILELAW database, Thomson Publishers, May 2012.

180 INFORMATION GOVERNANCE
Triggering events may be record-related, “such as supersession or obsolescence.”
This is common to a policy statement. For example, if a group of policies are to be
destroyed fi ve years after superseded or obsolete, the old policy would be held for fi ve
years after the new policy has been created.
Sounds simple. But in an attempt to meet retention requirements, organizations
handle event-based triggers in different ways, ways that often are problematic. For in-
stance, the trigger events often are not captured electronically and fed directly into the
retention scheduling software or records repository to start the clock running, or the
event itself is not well documented in the retention schedule so it is not consistently
being applied and tracked. In other cases, the organization simply does not have the
ERM functionality it needs to manage event-based triggers.
This causes many organizations to simply over-retain and keep the records indefi –
nitely, or until disk storage is full, which means that those records are retained for an
incorrect—and indefensible—time. The period is either too long or possibly too short,
but it always is always inconsistent. s And inconsistent means legally indefensible.
The only prudent and defensible approach is to implement the proper IG policies
to manage and control the implementation of event-based disposition.
Prerequisites for Event-Based Disposition
Three key prerequisite tasks must be completed before event-based disposition can be
implemented:
1. Clarify trigger events. Not all of the events that can trigger the beginning of a
retention period are as clear as the date an employee is terminated. For instance,
“contract completion date” could be the day a vendor fi nishes work, when a fi nal
invoice is rendered, when the invoice is paid, or some other period, such as 30
days following the payment of the fi nal invoice. These defi nitions, depending on
the record series in question, may be regulated by law or governed by IG policies.
What is needed is an agreement as to what the defi nition is, so that the re-
tention period will be uniform among the record series in question, providing
a defensible policy.
To gain this agreement on these blurry areas, the RM lead/manager or team
will need to work with the relevant business unit representatives, IT, compli-
ance, risk management, and any other stakeholders.
The event triggers must be clear and agreed on so that they may kick off a
retention period and disposition process.
In a number of cases, the answer to these questions will rely on trigger
points, such as one year after completion or four months after the board of di-
rectors’ meeting. It is important to choose a trigger point that you can implement.
For example, there is no point in saying that records should be kept until an
individual dies, if you have no reliable way of knowing the person is alive.
Instead, choose a trigger point based on the information you have about the
individual; in this case, the 100th birthday might be a suitable trigger point.
2. Automated capture of agreed-on trigger events must be performed and sent to the
ERM. It is easy to know an employee’s termination date—most human re-
sources management systems or payroll systems can supply it—but other

INFORMATION GOVERNANCE AND RECORDS 181
types of events are not so easily captured and may require some customiza-
tion in order that this information is fed into an ERM. The metadata about
the event must be seamlessly entered into the ERM so that it may launch the
beginning of the retention period. If systems external to the ERM need to be
interfaced, a common locator (e.g., contract number) can link the two.
3. The ERM systems must have complete retention and disposition capabilities. In order
for the retention to start properly and run to fi nal disposition, this tracking ca-
pability must be an inherent feature of the software. (In some cases, organiza-
tions may use specialized retention and disposition software that can perform
this task minimally without complete ERM functionality, but it falls short of
the type of richness that a robust ERM system provides. What is needed is the
ability to include the details or retention rules beyond simple date calculations
(i.e., to store descriptive data or scope notes, and records series code in addi-
tion to retention requirements, which are automatically associated with the
retention rule, and to have a records hold and release capability). If destruc-
tion is the fi nal disposition, then the system must be able to perform a deletion
of the record (so long as there is no preservation or legal hold) with no traces
that can allow reconstruction of it, and this process must be verifi able.
To accomplish clarity and agreement on event-based triggers requires close
consultation and collaboration among RM staff, business units, IT, legal, com-
pliance, risk management, and other stakeholders, as relevant.
Final Disposition and Closure Criteria
After completing the records values analysis and legislative and legal research, you must
determine the closure criteria and fi nal disposition (e.g., destroy, transfer, archive) for each
records series. To minimize costs and litigation risk, retention periods should be kept as
short as possible while meeting all applicable regulatory, legal, and business requirements.49
Retention Periods: Online versus Offl ine
For e-records, retention periods may be segmented into active and inactive, or online and
offl ine. Offl ine may be segmented further into on-site and off-site or archival storage.
Going back and combing through records retrieval requests and usage logs may
provide helpful insights as to the needs of records users—but bear in mind that these
logs may be misleading as users may have (in the past, before a formal IG program was
implemented) kept shadow copies of fi les on their local hard drives or backed up to
fl ash drives or other storage devices.
Closure Dates
A clear closure start date is required to kick off a retention period for any record,
whether the retention is scheduled for on- or off-site. Calendar or fi scal year-ends are
typical and practical closure dates for subject or topical records. The date used to indi-
cate the start year is usually the date the fi le closed or the date of last use or update. In a
university setting, school year-end may be more logical. Still, a reasoned analysis is re-
quired to determine the best closure start date for subject records in your organization.

182 INFORMATION GOVERNANCE
Case records are different; logically, their closure date is set when a case record is
completed (e.g., the date when an employee resigns, retires, or is terminated).
Future dates may be used, such as an employee promotion date, student gradua-
tion, or project completion. After consulting those who create and handle the records
series you are analyzing, apply good business judgment and common sense when de-
termining closure dates. 50
Retaining Records Indefi nitely
There may be some vital, historical, or other critical records that, in the best interests
of the organization, need to be retained permanently. This is rare, and storing records
long term must be scrutinized heavily. If certain electronic records are to be retained
indefi nitely or permanently, then LTDP policies and techniques must be used. (See
Chapter 17 for more details.)
Retaining Transitory Records
Transitory documents usually do not rise to the level of becoming a record; they are
temporary and are useful only in the short term, such as direct mail or e-mail adver-
tising (brochures, price lists, etc.), draft documents (although not all are transitory,
and some may need longer retention periods, such as draft contracts) and work in
progress, duplicates, external publications (e.g., magazines, journals, newspapers, etc.),
and temporary notices (e.g., company picnic, holiday party, or football pool). You must
consider transitory records in your master records retention schedule.
Implementation of the Retention Schedule
and Disposal of Records
Automated programs that interpret these retention periods are the best way to ensure
that records are disposed of at the correct time and that an audit trail of the disposition
is maintained.
Getting Acceptance and Formal Sign-off of the Retention Schedule
Upon completion of the records retention schedule, project management best prac-
tices dictate that it be signed off by an executive or project sponsor, to indicate it has
been completed and there is no more work to be done on that phase of the project. In
addition, you may want to gain the sign-off and acceptance by other key stakehold-
ers, such as senior representatives from legal, IT, the board of directors or executive
committee, and perhaps audit and information governance. The schedule should be
updated when new record types are introduced and, in any case, at least annually.
Disposition Timing: Records Disposal
It is much easier to time or schedule the disposal of e-records than of paper or physical
records, but true and complete destruction of all traces of a record cannot be done

INFORMATION GOVERNANCE AND RECORDS 183
by hitting a simple “delete” key. There must be a process in place to verify the total
destruction of all copies of the record. (See Chapter 17 for more details.) Records
destruction can occur daily, routinely, or be scheduled at intervals (i.e., monthly or
quarterly).
Automating Retention/Disposal Actions
ERM systems typically are capable of automatically executing a record deletion when
a record has reached the end of its life cycle. Often these systems have a safety fea-
ture that allows an operator who has the authority to review deletions before they are
performed.
Disposal Date Changes
To make a retention schedule change, such as extending the life of a record series, IG
controls must be in place. So, usually, ERM systems require that a person of higher
authority than the system operator make these approvals. Every subsequent delay in
destroying the records often requires an escalation in approval period to extend the
time that records are kept past the destruction date.
Proving Record Destruction
In some environments, especially in the public sector, a certifi cate of destruction or
other documentation is required to prove that a record and all its copies have been
completely deleted (including its metadata—although at times it is benefi cial to retain
metadata longer than the record itself; see Appendix A, “Information Organization
and Classifi cation,” for more details). ERM systems can be confi gured to keep an audit
trail and prove that destruction has occurred.
Ongoing Maintenance of the Retention Schedule
Records series are not static; they change, are added to, and are amended. New record
functions emerge, based on changes in business, acquisitions, and divestitures. So it
is necessary for organizations to review and update—at least annually—their records
retention schedule.
In addition, retention requirements change as legislation changes, lawsuits are
fi led, and the organization refi nes and improves its IG policies. Development of a re-
cords retention schedule is not a one-time project; it requires attention, maintenance,
and updating on a regular schedule, and using a controlled change process.
Audit to Manage Compliance with the Retention Schedule
Once your organization establishes records retention schedules for business units, or a
master retention schedule, there must be IG policies in place to audit and ensure that
policies are being followed. This is a key requirement of maintaining a legally defensible
retention schedule that will hold up to legal challenges.

184 INFORMATION GOVERNANCE
CHAPTER SUMMARY: KEY POINTS
■ According to ISO, a record is “information created, received, and maintained
as evidence and information by an organization or person, in pursuance of
legal obligations or in the transaction of business.”
■ RM is “[the] fi eld of management responsible for the effi cient and system-
atic control of the creation, receipt, maintenance, use, and disposition
of records, including the processes for capturing and maintaining evidence
of and information about business activities and transactions in the form of
records.”
■ ERM includes the management of electronic and nonelectronic records, such
as paper and other physical records.
■ ERM has become much more critical to enterprises with increased compli-
ance legislation and massively increasing volumes of electronic information.
■ ERM follows the same basic principles as paper-based records management.
■ A number of factors provide the business rationale for ERM, including facilitat-
ing compliance, supporting IG, and providing backup capabilities in the event
of a disaster.
■ Implementing ERM is challenging since it requires user support and compli-
ance, adherence to changing laws, and support for new information delivery
platforms like mobile and cloud computing.
■ ERM benefi ts are both tangible and intangible or diffi cult to calculate.
■ Improved professionalism, preserving corporate memory, support for better
decision making, and safeguarding vital records are key intangible benefi ts
of ERM.
■ NARA recommends that e-records are inventoried by information system
rather than fi le series, which is the traditional approach for physical records.
■ Generally Accepted Recordkeeping Principles® are “information management
and governance of record creation, organization, security, maintenance and
other activities used to effectively support recordkeeping of an organization.”
■ It may be helpful to use a record-keeping methodology such as the Principles
or D.I.R.K.S. to guide inventorying efforts.
■ Perhaps the organization has a handle on their paper and microfi lmed records,
but e-records have been growing exponentially and spiraling out of control.
■ Whatever the business goals for the inventorying effort are, they must be con-
veyed to all stakeholders, and that message must be reinforced periodically
and consistently, and through multiple means.

INFORMATION GOVERNANCE AND RECORDS 185
■ An appropriate scope might enumerate the records of a single program or
division, several functional series across divisions, or records that fall within a
certain time frame versus an entire enterprise.
■ The completed records inventory contributes toward the pursuit of an orga-
nization’s IG objectives in a number of ways.
■ There are basic three ways to conduct the inventory: surveys, interviews, and
observation. Combining these methods yields the best results.
■ Additional information not included in inventories of physical records must
be collected in any inventory of e-records.
■ Be sure to tie the fi ndings in the fi nal report of the records inventory to the
business goals that launched the effort.
■ Records appraisal is based on the information contained in the records inventory.
■ Records can have different types of value to organizations: historical, ad-
ministrative, regulatory and statutory, legal, fi scal, or other archival value as
determined by an archivist.
■ Consistency in managing records across an enterprise, regardless of media,
format, or location, is the key to compliance.
■ A complete, current, and documented records retention program reduces
storage and handling costs and improves searchability for records by making
records easier and faster to fi nd.
■ Retention schedules are developed by records series—not for individual records.
■ Retention schedules are basic tools that allow an organization to prove that it
has a legally defensible basis on which to dispose records.
■ The master retention schedule contains all records series in the entire enterprise.
■ Records retention defi nes the length of time that records are to be kept and
considers legal, regulatory, operational, and historical requirements.
■ “Disposition” means not just destruction but can also mean archiving and a
change in ownership and responsibility for the records.
■ An information map is a critical fi rst step in developing a records retention sched-
ule. It shows where information is created, where it resides, and who uses it.
■ After inventorying, developing a retention schedule begins with records
classifi cation.
■ All e-mail messages are not records; those that document a business transac-
tion, or progress toward it, are clearly records and require retention.
■ E-mail messages that document business activities, especially those that may
be disputed in the future, should be retained as records.
CHAPTER SUMMARY: KEY POINTS (Continued )
(continued)dd

186 INFORMATION GOVERNANCE
■ Destructive retention of e-mail is a method whereby e-mail messages are
retained for a limited period and then destroyed.
■ Tools are available to scan e-records folders to expedite the inventorying
process.
■ Assessing the relative value of records is key to determining their retention
periods and disposition path.
■ Records have different types of value, such as fi nancial, legal, technical, and
administrative/operational.
■ Event-based disposition begins with a triggering event.
■ Retention schedules, once established, must be maintained and updated to
add new records series, as appropriate, and to comply with new or changed
legislation and regulatory requirements.
■ Auditing to ensure compliance with established retention policies is key to
maintaining a legally defensible records retention program.
CHAPTER SUMMARY: KEY POINTS (Continued )
Notes
1. International Organization for Standardization, ISO 15489-1: 2001 Information and Documentation—
Records Management. Part 1: General (Geneva: ISO, 2001), section 3.15. l
2. Ibid., section 3.16
3. ARMA.org, “What Is Records Management?” 2009, www.arma.org/pdf/WhatIsRIM . (accessed
December 2, 2013).
4. Microsoft White Paper, “Records Management with Offi ce SharePoint Server,” 2007, www.microsoft
.com/en-us/download/details.aspx?id=15932, Used with permission from Microsoft. (accessed
December 2, 2013).
5. Ibid.
6. Ibid.
7. Ibid.
8. U.S. Environmental Protection Agency, “Why Records Management? Ten Business Reasons,” updated
March 8, 2012, www.epa.gov/records/what/quest1.htm.
9. U.S. National Archives and Records Administration ,Disposition of Federal Records: A Records Management
Handbook , 2000, Web edition, www.archives.gov/records-mgmt/publications/disposition-of-federal-
records/chapter-3.html.
10. Ibid.
11. State and Consumer Services Agency Department of General Services, Electronic Records Management
Handbook , State of California Records Management Program (February 2002), www uments.dgs
.ca.gov/osp/recs/ermhbkall .
12. U.S. Environmental Protection Agency, “Six Steps to Better Files,” updated March 8, 2012, www.epa
.gov/records/tools/toolkits/6step/6step-02.htm .
13. Margaret Rouse, “Generally Accepted Recordkeeping Principles,” updated March 2011, http://
searchcompliance.techtarget.com/defi nition/Generally-Accepted-Recordkeeping-Principles-GARP
(accessed March 19, 2012).

http://www.arma.org/pdf/WhatIsRIM

http://www.microsoft.com/en-us/download/details.aspx?id=15932

http://www.epa.gov/records/what/quest1.htm

http://www.archives.gov/records-mgmt/publications/disposition-of-federal-records/chapter-3.html

http://www uments.dgs.ca.gov/osp/recs/ermhbkall

http://www.epa.gov/records/tools/toolkits/6step/6step-02.htm

http://searchcompliance.techtarget.com/definition/Generally-Accepted-Recordkeeping-Principles-GARP

http://www.microsoft.com/en-us/download/details.aspx?id=15932

http://www uments.dgs.ca.gov/osp/recs/ermhbkall

http://www.epa.gov/records/tools/toolkits/6step/6step-02.htm

http://searchcompliance.techtarget.com/definition/Generally-Accepted-Recordkeeping-Principles-GARP

INFORMATION GOVERNANCE AND RECORDS 187
14. Ibid.
15. Ibid.
16. Public Record Offi ce, “ Guidance for an Inventory of Electronic Record Collections: A Toolkit,”
September 2000, www.humanrightsinitiative.org/programs/ai/rti/implementation/general/guidance_
for_inventory_elect_rec_collection , pp. 5–6.
17. Ibid. (accessed December 2, 2013).
18. National Archives, “Frequently Asked Questions about Records Inventories,” updated October 27, 2000,
www.archives.gov/records-mgmt/faqs/inventories.html .
19. William Saffady, “Managing Electronic Records, 4th ed.,” Journal of the Medical Library Association , 2009,
www.ncbi.nlm.nih.gov/pmc/articles/PMC2947138/ .
20. Jesse Wilkins, “The First Step: Inventory Your Electronic Records,” http://pr1vacy.blogspot
.mx/2005/11/fi rst-step-inventory-your-electronic.html (accessed October 11, 2012).
21. Ibid.
22. Ibid.
23. Quotes in this section are from Government of Alberta, Records and Information Management, www
.im.gov.ab.ca/index.cfm?page=imtopics/Records.html. (accessed December 2, 2013).
24. Maryland State Archives, “Retention Schedule Preparation,” June 1, 2012, www.msa.md.gov/msa/
intromsa/html/record_mgmt/retention_schedule.html .
25. National Health Service, “Connecting for Health,” www.connectingforhealth.nhs.uk/ (accessed
April 10, 2012).
26. Wortzman Nickle Professional Corporation, “Effective Records Management—Part 4—Ensuring
Adoption and Compliance of RM Policy,” 2009, www.wortzmannickle.com/ediscovery-blog/2011/12/14/
rmpart4/ (accessed April 12, 2012).
27. Government of Alberta, “Developing Retention and Disposition Schedules.”
28. National Archives, “Disposition of Federal Records.”
29. Government of Alberta, “Developing Retention and Disposition Schedules.”
30. National Archives, “Frequently Asked Questions about Records Scheduling and Disposition.”
31. Ibid.
32. University of Edinburgh, Records Management Section, July 5, 2012, www.recordsmanagement.ed.ac
.uk/InfoStaff/RMstaff/Retention/Retention.htm.
33. National Archives, “Frequently Asked Questions about Records Scheduling and Disposition.” http://
www.archives.gov/records-mgmt/faqs/scheduling.html#steps accessed December 2, 2013.
34. University of Edinburgh, Records Management Section.
35. National Archives, “Frequently Asked Questions about Records Scheduling and Disposition.”
36. University of Toronto Archives, “Glossary,” www.library.utoronto.ca/utarms/info/glossary.html
(accessed September 10, 2012).
37. Government of Alberta, “Developing Retention and Disposition Schedules.”
38. Ibid.
39. Marty Foltyn, “Getting Up to Speed on FRCP,” June 29, 2007, www.enterprisestorageforum.com/
continuity/features/article.php/3686491/Getting-Up-To-Speed-On-FRCP.htm.
40. Nancy Flynn, The E-Policy Handbook (New York: AMACOM, 2009), pp. 24–25.
41. ArcMail Blog http://arcmail.com/blog/archiving-rules-the-dangers-of-destructive-retention/ (accessed
Dec. 2, 2013).
42. Mary Flood, “Survey: They see a more litigious future,” October 18, 2010, http://blog.chron.com/
houstonlegal/2010/10/survey-they-see-a-more-litigious-future/ (accessed Dec. 2, 2013).
43. Ibid., pp. 127.
44. Government of Alberta, “Developing Retention and Disposition Schedules,” p. 122.
45. U.S. Government Printing Offi ce, Code of Federal Regulations , www.gpo.gov/help/index.html#about_s
code_of_federal_regulations.htm (accessed April 22, 2012).
46. U.S. National Archives and Records Administration, “Electronic Code of Federal Regulations,”
October 2, 2012, http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&tpl=%2Findex.tpl.
47. Department of Defense, “Design Criteria Standard for Electronic Records Management Software
Applications,” July 19, 2002, http://jitc.fhu.disa.mil/cgi/rma/downloads/p50152s2 .
48. Craig Rhinehart, IBM, e-mail to author, July 30, 2012.
49. Government of Alberta, “Records and Information Management.”
50. Ibid., p. 125.

http://www.humanrightsinitiative.org/programs/ai/rti/implementation/general/guidance_for_inventory_elect_rec_collection

http://www.archives.gov/records-mgmt/faqs/inventories.html

http://www.ncbi.nlm.nih.gov/pmc/articles/PMC2947138/

http://pr1vacy.blogspot.mx/2005/11/first-step-inventory-your-electronic.html

http://www.msa.md.gov/msa/intromsa/html/record_mgmt/retention_schedule.html

http://www.connectingforhealth.nhs.uk/

http://www.wortzmannickle.com/ediscovery-blog/2011/12/14/rmpart4/

http://www.recordsmanagement.ed.ac.uk/InfoStaff/RMstaff/Retention/Retention.htm

http://www.archives.gov/records-mgmt/faqs/scheduling.html#steps

http://www.library.utoronto.ca/utarms/info/glossary.html

http://www.enterprisestorageforum.com/continuity/features/article.php/3686491/Getting-Up-To-Speed-On-FRCP.htm

http://arcmail.com/blog/archiving-rules-the-dangers-of-destructive-retention/

http://blog.chron.com/houstonlegal/2010/10/survey-they-see-a-more-litigious-future/

http://www.gpo.gov/help/index.html#about_code_of_federal_regulations.htm

http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&tpl=%2Findex.tpl

http://jitc.fhu.disa.mil/cgi/rma/downloads/p50152s2

http://www.humanrightsinitiative.org/programs/ai/rti/implementation/general/guidance_for_inventory_elect_rec_collection

http://pr1vacy.blogspot.mx/2005/11/first-step-inventory-your-electronic.html

http://www.im.gov.ab.ca/index.cfm?page=imtopics/Records.html

http://www.msa.md.gov/msa/intromsa/html/record_mgmt/retention_schedule.html

http://www.wortzmannickle.com/ediscovery-blog/2011/12/14/rmpart4/

http://www.recordsmanagement.ed.ac.uk/InfoStaff/RMstaff/Retention/Retention.htm

http://www.enterprisestorageforum.com/continuity/features/article.php/3686491/Getting-Up-To-Speed-On-FRCP.htm

http://blog.chron.com/houstonlegal/2010/10/survey-they-see-a-more-litigious-future/

http://www.gpo.gov/help/index.html#about_code_of_federal_regulations.htm

189
C H A P T E R 10
Information
Governance and
Information Technology
Functions
I
nformation technology (IT) is a core function impacted by information gover-y
nance (IG) efforts. IT departments typically have been charged with keeping the
“plumbing” of IT intact—the network, servers, applications, and data—but although
the output of IT is in their custody, they have not been held to account for it; that
is, the information, reports, and databases they generate have long been held to be
owned by users in business units. This has left a gap of responsibility for governing
the information that is being generated and managing it in accordance with legal and
regulatory requirements, standards, and best practices.
Certainly, on the IT side, shared responsibility for IG means the IT department
itself must take a closer look at IT processes and activities with an eye to IG. A
focus on improving IT effi ciency, software development processes, and data quality
will help contribute to the overall IG program effort. IT is an integral piece of the
program.
Debra Logan, vice president and distinguished analyst at Gartner, states:
Information governance is the only way to comply with regulations, both cur-
rent and future, and responsibility for it lies with the CIO and the chief legal
offi cer. When organizations suffer high-profi le data losses, especially involv-
ing violations of the privacy of citizens or consumers, they suffer serious repu-
tational damage and often incur fi nes or other sanctions. IT leaders will have
to take at least part of the blame for these incidents. 1
Gartner predicts that the need to implement IG is so critical that, by 2016, fully
one in fi ve chief information offi cers (CIOs) will be terminated for their inability to
implement IG successfully.
Aaron Zornes, chief research offi cer at the MDM (Master Data Management)
Institute, stated: “While most organizations’ information governance efforts have fo-
cused on IT metrics and mechanics such as duplicate merge/purge rates, they tend to
ignore the industry- and business-metrics orientation that is required to ensure the
economic success of their programs.” 2

190 INFORMATION GOVERNANCE
Four IG best practices in this area can help CIOs and IT leaders to be successful
in delivering business value as a result of IG efforts:
1. Don’t focus on technology, focus on business impact
Technology often enthralls those in IT—to the point of obfuscating the
reason that technologies are leveraged in the fi rst place: to deliver business
benefi t. So IT needs to reorient its language, its vernacular, its very focus
when implementing IG programs. IT needs to become more business savvy,
more businesslike, more focused on delivering business benefi ts that can help
the organization to meet its business goals and achieve its business objectives.
“Business leaders want to know why they should invest in an information gov-
ernance program based on the potential resulting business outcomes, which
manifest as increased revenues, lower costs and reduced risk.” 3
2. Customize your IG approach for your specifi c business, folding in any industry-specifi c
best practices possible.
You cannot simply take a boilerplate IG plan, implement it in your orga-
nization, and expect it to be successful. Sure, there are components that are
common to all industries, but tailoring your approach to your organization is
the only way to deliver real business value and results. That means embarking
on an earnest effort to develop and sharpen your business goals, establish-
ing business objectives that consider your current state and capabilities and
external business environment and legal factors unique to your organization.
It also means developing a communications and training plan that fi ts with
your corporate culture. And it means developing meaningful metrics to mea-
sure your progress and the impact of the IG program, to allow for continued
refi nement and improvement.
3. Make the business case for IG by tying it to business objectives
To garner the resources and time needed to implement an IG program, you
must develop a business case in real, measureable terms. The business case
must be presented in order to gain executive sponsorship, which is an essential
component of any IG effort. Without executive sponsorship, the IG effort will
fail. Making the business case and having metrics to measure progress and
success toward meeting business objectives are absolute musts.
4. Standardize use of business terms
IG requires a cross-functional effort, so you must be speaking the same
language, which means the business terms you use in your organization must
be standardized. This is the very minimum to get the conversation started.
But IG efforts will delve much more deeply into information organization and
seek to standardize the taxonomy for organizing documents and records and
even the metadata fi elds that describe in detail those document and records
across the enterprise.
Overall, being able to articulate the business benefi ts of your planned IG program
will help you recruit an executive sponsor, help the program gain traction and support,
and help you implement the program successfully. 4
Several key foundational programs should support your IG effort in IT, includ-
ing data governance, master data management (MDM), and implementing accepted
IT standards and best practices. We will now delve into these concepts in more detail.

INFORMATION GOVERNANCE AND INFORMATION TECHNOLOGY FUNCTIONS 191
Data Governance
We touched on data governance in Chapter 2 . Data is big, data is growing, data is valu-
able, and the insights that can be gained by analyzing clean, reliable data with the latest
analytic tools are a sort of new currency. There are nuggets of gold in those mountains
of data. And leveraging those discoveries can provide a sustainable competitive advan-
tage in areas such as customer acquisition, customer retention, and customer service.
The challenge is largely in garnering control over data and in cleaning, secur-
ing and protecting it; doing so requires effective data governance strategies. But data
governance is not only about cleaning and securing data; it is also about delivering
it to the right people at the right time (sometimes this means in realtime) to provide
strategic insights and opportunities. If a data governance program is successful, it can
add profi ts directly to the bottom line. 5
Data governance involves processes and controls to ensure that information at
the data level—raw data that the organization is gathering and inputting—is true and
accurate, and unique (not redundant). It involves data cleansing ( or data scrubbing) gg
to strip out corrupted, inaccurate, or extraneous data and de-duplication to eliminate
redundant occurrences of data.
Data governance focuses on information quality from the ground up (at the low-y
est or root level), so that subsequent reports, analyses and conclusions are based on
clean, reliable, trusted data (or records) in database tables. Data governance is the most
fundamental level at which to implement IG. Data governance efforts seek to ensure
that formal management controls—systems, processes, and accountable employees
who are stewards and custodians of the data—are implemented to govern critical data
assets to improve data quality and to avoid negative downstream effects of poor data.
Data governance is a newer, hybrid quality control discipline that includes elements
of data quality, data management, IG policy development, business process improve-
ment, and compliance and risk management.
Good data governance programs should extend beyond the enterprise to include
external stakeholders (suppliers, customers) so an organization has its fi nger on the
pulse of its extended operations. In other words, enforcing data governance at the ear-
liest possible point of entry—even external to the organization—can yield signifi cant
effi ciencies and business benefi ts downstream. And combining data governance with
real-time analytics and business intelligence (BI) software not only can yield insights
into signifi cant and emerging trends but also can provide solid information for deci-
sion makers to use in times of crisis—or opportunity.
Focusing on business impact and customizing your IG approach to meet
business objectives are key best practices for IG in the IT department.
Effective data governance can yield bottom-line benefi ts derived from new
insights.

192 INFORMATION GOVERNANCE
Steps to Governing Data Effectively
Nine key steps you can take to govern data effectively are listed next. The fi rst fi ve are
based on recommendations by Steven Adler in CIO Magazine:
1. Recruit a strong executive sponsor. As in broader IG efforts, data governance re-
quires cross-functional collaboration with a variety of stakeholders. To drive
and facilitate this sometimes contentious conversation, a strong executive
sponsor is required. This is not an easy task since executives generally do not
want to deal with the minutia at the data level. You must focus on the realiz-
able business benefi ts of improved data governance (i.e., specifi c applications
that can assist in customer retention, revenue generation, and cost cutting).
2. Assess your current state. Survey the organization to see where the data reposi-
tories or silos of data are, what problems related to data exist, and where some
opportunities to improve lie. Document where your data governance program
stands today and then map out your road to improvement in fundamental steps.
3. Set the ideal state vision and strategy. Create a realistic vision of where your
organization wants to go in its data governance efforts, and clearly articulate
the business benefi ts of getting there. Articulate a measureable impact. Track
your progress with metrics and milestones.
4. Compute the value of your data. Try to put some hard numbers to it. Calculate
some internal numbers on how much value data—good data—can add to
specifi c business units. Data is unlike other assets that you can see or touch
(cash, buildings, equipment, etc.), and it changes daily, but it has real value.
5. Assess risks. What is the likelihood and potential cost of a data breach? A
major breach? What factors come into play and how might you combat these
potential threats? Perform a risk assessment to rank and prioritize threats and
assign probabilities to those threats so you may fashion appropriate strategies
to counter them.
6. Implement a going-forward strategy. It is a signifi cantly greater task to try to
improve data governance across the enterprise for existing data, versus a
smaller business unit. 6 Remember, you may be trying to fi x years if not decades
of bad behavior, mismanagement, and lack of governance. Taking an “incre-
mental approach with an eye to the future” provides for a clean starting point
and can substantially reduce the pain required to implement. A strategy where
new data governance policies for handling data are implemented beginning
on a certain future date is a proven best practice.
7. Assign accountability for data quality to business units, not IT. Typically, IT has
had responsibility for data quality, yet the data generation is mostly not under
that department’s control, since most is created out in the business units. A
pointed effort must be made to push responsibility and ownership for data to
the business units that create and use the data.
8. Manage the change. Educate, educate, educate. People must be trained to
understand why the data governance program is being implemented and how
it will benefi t the business. The new policies represent a cultural change, and
supportive program messages and training are required to make the shift.
9. Monitor your data governance program. See where shortfalls might be, and con-
tinue to fi ne-tune the program. 7

INFORMATION GOVERNANCE AND INFORMATION TECHNOLOGY FUNCTIONS 193
From a risk management perspective, data governance is a critical activity that
supports decision makers and can mean the difference between retaining a customer
and losing one. Protecting your data is protecting the lifeblood of your business, and
improving the quality of the data will improve decision making, foster compliance
efforts, and yield competitive advantages.
Data Governance Framework
The Data Governance Institute has created a data governance framework, a visualk
model to help guide planning efforts and a “logical structure for classifying, organiz-
ing, and communicating complex activities involved in making decisions about and
taking action on enterprise data.” 8 (See Figure 10.1 .) The framework applies more to
Good data governance ensures that downstream negative effects of poor data
are avoided and that subsequent reports, analyses, and conclusions are based
on reliable, trusted data.
Figure 10.1 DGI Data Governance Framework™
Source: The Data Governance Institute (datagovernance.com).

194 INFORMATION GOVERNANCE
larger organizations, which have greater complexity, greater internal requirements,
and greater, more complex regulatory demands. It allows for a conceptual look at data
governance processes, rules, and people requirements.
Information Management
Information management is a principal function of IT. It is complex and spans a t
number of subdisciplines but can be defi ned as the “application of management tech-
niques to collect information, communicate it within and outside the organization,
and process it to enable managers to make quicker and better decisions.” 9 It is about
managing information, which is more than just collecting and processing data from
varying sources and distributing it to various user audiences. It includes a number of
subcomponent tasks, including these four:
1. Master data management (MDM) is a key process for IG success in the IT de-t
partment, which extends to involved business units. An emerging discipline,
MDM came into prominence around 2010 to 2012, coinciding with the Big
Data trend. The goal of MDM is to ensure that reliable, accurate data from a
single source is leveraged across business units. That is, a key aim is to establish
a “single version of the truth”10 and eliminate multiple, inconsistent versions
of data sets, which are more common than most might think, especially in
larger organizations with physically distributed operations and large numbers
of servers and databases. 11 MDM gets to the core of data integrity issues, es-y
sentially asking “Is this data true and accurate? Is this the best and only, fi nal
version?” MDM grew from the need to create a standardized, “discrete disci-
pline” to ensure there was a single version to base BI analyses on and to base
decisions on. 12 According to Gartner, MDM is a technology-enabled disci-
pline in which business and IT work together to ensure the uniformity, accu-
racy, stewardship, semantic consistency and accountability of the enterprise’s
offi cial shared master data assets. Master data is the consistent and uniform set
of identifi ers and extended attributes that describes the core entities of the en-
terprise, including customers, prospects, citizens, suppliers, sites, hierarchies
and chart of accounts. 13
What is the business impact? How are operations enhanced and how
does that contribute to business goals? One set of reliable, clean data is
critical to delivering quality customer service, reducing redundant efforts
and therefore operational costs, improving decision making, and even po-
tentially lowering product and marketing costs. “A unifi ed view of custom-
ers, products, or other data elements is critical to turning these business
goals into reality.” 14
Again, the larger the organization, the greater the need for MDM.
Master data management is a key IG process in IT.

INFORMATION GOVERNANCE AND INFORMATION TECHNOLOGY FUNCTIONS 195
2. Information lifecycle management (ILM) is managing information appropriately t
and optimally at different stages of its useful life, from creation through
distribution and use, including meeting legal and regulatory requirements,
and through its fi nal disposition, which can be destruction, archiving, or
transfer to another entity. Organizations historically over-retain informa-
tion; however, studies show that information quickly loses its value and that
once data has aged 10 to 15 days, the likelihood it will be used again is around
1 percent. 15 Based on its use characteristics, differing storage management
strategies are appropriate. It defi es business logic to manage information
that has little value with as much IT resource as information that is high
value. Doing so is a misuse of resources . To execute ILM properly, the value of s
certain data sets and records must be appraised and policies must be formed
to manage it, recognizing that information value changes over the life cycle,
which requires varying strategies and resource levels.16 ILM conceptually
includes and can begin with MDM and is linked to compliance require-
ments and capabilities.
3. Data architecture refers to the “design of structured and unstructured infor-
mation systems” 17 in an effort to optimize data fl ow between applications
and systems so that they are able to process data effi ciently. Further, data
architecture uses data modeling, standards, IG policies, and rules for gov-
erning data and how it populates databases and how those databases and
applications are structured.18 Some key issues to uncover when researching
data architecture and design include data structure, or schema , which da-
tabases are used (e.g., Oracle Database 11g, DB2, SQL Server), methods of
query and access (e.g., SQL), the operating systems the databases operate
on, and even their hardware (which can affect data architecture features and
capabilities).
4. Data modeling can be complex, yet it is an important step in overall IG for g
the IT department. It “illustrates the relationships between data.” Data
modeling is an application software design process whereby data processes
and fl ows between applications are diagrammed graphically in a type of
fl owchart that formally depicts where data is stored, which applications
share it, where it moves, and the interactions regarding data movement
between applications. “Data modeling techniques and tools capture and
translate complex system designs into easily understood representations of
the data fl ows and processes, creating a blueprint for construction and/
or re-engineering.” 19 Good data models allow for troubleshooting before
applications are written and implemented.
The importance of data modeling as a foundation for the application devel-
opment process is depicted in Figure 10.2 .
Once the data model is developed, business rules and logic can be applied
through application development. A user interface is constructed for the appli-
cation, followed by movement of data or e-documents through work steps us-
ing work fl ow capabilities, and then integration with existing applications (e.g.,
enterprise resource planning or customer relationship management systems).
Typically this is accomplished through an application programming inter-
face, a sort of connector that allows interaction with other applications and
databases.

196 INFORMATION GOVERNANCE
There are six approaches to data modeling:
1. Conceptual. The conceptual approach merely diagrams data relationships at
the “highest level” 20 showing the storage, warehousing, and movement of data
between applications.
2. Enterprise. The enterprise approach is a more business-oriented version of
conceptual data modeling that includes specifi c requirements for an enter-
prise or business unit.
3. Logical. Pertinent to the design and architecture of physical storage, logical
data modeling “illustrates the specifi c entities, attributes and relationships in-
volved in a business function.”
4. Physical. The physical approach depicts the “implementation of a logical data
model” relative to a specifi c application and database system.
5. Data integration. This approach is just what it says; it involves merging
data from two or more sources, processing the data, and moving it into a
database. “This category includes Extract, Transform, and Load (ETL)
capabilities.” 21
6. Reference data management. This approach often is confused with MDM,
although they do have interdependencies. Reference data is a way to refer to
data in categories (e.g., having lookup tables— standard industry classifi cation
or SIC codes) to insert values, 22 and is used only to “categorize other data
found in a database, or solely for relating data in a database to information
beyond the boundaries of the enterprise.” 23 So reference data is not your
actual data itself but a reference to categorize data.
Figure 10.3 shows different categories of data.
IT Governance
As introduced in Chapter 2 , IT governance is about effi ciency and value creation.
IT governance is the primary way that stakeholders can ensure that investments in IT create
Figure 10.2 Key Steps from Data Modeling to Integration
Source: Reproduced from Orangescape.com ( www.orangescape.com/wp-content/uploads/2010/10/
Application-Development-Lifecycle-OrangeScape ).
Data Model Business Logic
User Interface
Work Flows Integration

http://www.orangescape.com/wp-content/uploads/2010/10/Application-Development-Lifecycle-OrangeScape

INFORMATION GOVERNANCE AND INFORMATION TECHNOLOGY FUNCTIONS 197
business value and contribute toward meeting business objectives.24 This strategic align-
ment of IT with the business is challenging yet essential. IT governance programs
go further and aim to “improve IT performance, deliver optimum business value and
ensure regulatory compliance.” 25
Although the CIO typically has line responsibility for implementing IT gover-
nance, the chief executive offi cer and board of directors must receive reports and up-
dates to discharge their responsibilities for IT governance and to see that the program
is functioning well and providing business benefi ts.
The focus of governance in IT is on the actual software development and mainte-
nance activities of the IT department or function, and IT governance efforts focus on
making IT effi cient and effective. That means minimizing costs by following proven
software development methodologies and best practices, principles of data governance
and information quality, and project management best practices while aligning IT
efforts with the business objectives of the organization.
IT Governance Frameworks
Several IT governance frameworks can be used as a guide to implementing an IT
governance program.
Although frameworks and guidance like CobiT® and T ITIL have been widely
adopted, there is no absolute standard IT governance framework; the combination
that works best for your organization depends on business factors, corporate culture,
IT maturity, and staffi ng capability. The level of implementation of these frameworks
will also vary by organization.
Figure 10.3 Categories of Data
Source: http://www.information-management.com/issues/20060401/1051002-1.html?zkPrintable
=1&nopagination=1
Increasing:
DATABASE
Semantic content Metadata
Most relevant
to design
Most relevant
to outside world
Most relevant
to business
Most relevant
to technology
Reference Data
Master Data
Enterprise Structure Data
Transaction Activity Data
Transaction Audit Data
Data quality importance
Volume of data
Rates of update
Population later in time
Shorter life span
IT governance seeks to align business objectives with IT strategy to deliver
business value.

http://www.information-management.com/issues/20060401/1051002-1.html?zkPrintable=1&nopagination=1

198 INFORMATION GOVERNANCE
CobiT®
CobiT (Control Objectives for Information and related Technology) is a process-T
based IT governance framework that represents a consensus of experts worldwide. It
was codeveloped by the IT Governance Institute and ISACA. CobiT addresses busi-
ness risks, control requirements, compliance, and technical issues.26
CobiT offers IT controls that:
■ Cut IT risks while gaining business value from IT under an umbrella of a glob-
ally accepted framework.
■ Assist in meeting regulatory compliance requirements.
■ Utilize a structured approach for improved reporting and management deci-
sion making.
■ Provide solutions to control assessments and project implementations to
improve IT and information asset control. 27
CobiT consists of detailed descriptions of processes required in IT and tools to
measure progress toward maturity of the IT governance program. It is industry agnos-
tic and can be applied across all vertical industry sectors, and it continues to be revised
and refi ned. 28
CobiT is broken into three basic organizational levels and their responsibilities:
(1) board of directors and executive management; (2) IT and business management;
and (3) line-level governance, security, and control knowledge workers.29
The CobiT model draws on the traditional “plan, build, run, monitor” paradigm
of traditional IT management, only with variations in semantics. There are four IT
domains in the COBIT framework, which contain 34 IT processes and 210 control
objectives that map to the four specifi c IT processes of:
1. Plan and organize.
2. Acquire and implement.
3. Deliver and support.
4. Monitor and evaluate.
Specifi c goals and metrics are assigned, and responsibilities and accountabilities are
delineated.
The CobiT framework maps to ISO 17799 of the International Organization for
Standardization and is compatible with Information Technology Infrastructure
Library (ITIL) and other accepted practices in IT development and operations. 30
COBIT 5
Released in 2012, CobiT 5 is the latest version of the business framework for the gov-
ernance of IT from ISACA. CobiT 5
builds and expands on COBIT 4.1 by integrating other major frameworks,
standards and resources, including ISACA’s Val IT and Risk IT, Information
Technology Infrastructure Library (ITIL®) and related standards from the
International Organization for Standardization (ISO). 31

INFORMATION GOVERNANCE AND INFORMATION TECHNOLOGY FUNCTIONS 199
Key Principles and Enablers
“CobiT 5 is based on fi ve key principles for governance and management of
enterprise IT:
■ Principle 1: Meeting Stakeholder Needs
■ Principle 2: Covering the Enterprise End-to- End
■ Principle 3: Applying a Single, Integrated Framework
■ Principle 4: Enabling a Holistic Approach
■ Principle 5: Separating Governance From Management
The CobiT 5 framework describes seven categories of enablers:
■ Principles, policies and frameworks are the vehicle to translate the desired
behavior into practical guidance for day-to-day management.
■ Processes describe an organized set of practices and activities to achieve cer-
tain objectives and produce a set of outputs in support of achieving overall
IT-related goals.
■ Organizational structures are the key decision-making entities in an
enterprise.
■ Culture, ethics and behavior of individuals and of the enterprise are very oftenr
underestimated as a success factor in governance and management activities.
■ Information is required for keeping the organization running and well gov-
erned, but at the operational level, information is very often the key product of
the enterprise itself.
■ Services, infrastructure and applications include the infrastructure, technol-
ogy and applications that provide the enterprise with information technology
processing and services.
People, skills and competencies are required for successful completion of all activi-
ties, and for making correct decisions and taking corrective actions.” 32
ValIT®
ValIT is a newer value-oriented framework that is compatible with and complemen-
tary to CobiT. Its principles and best practices focus is on leveraging IT investments
to gain maximum value. Forty key ValIT essential management practices (analogous
to CobiT’s control objectives) support three main processes: value governance, port-
folio management, and investment management. ValIT and CobiT “provide a full
framework and supporting tool set to help managers develop policies to manage
CobiT 5 is the latest version of the business framework for the governance of
IT. It has just fi ve principles and seven enablers.

200 INFORMATION GOVERNANCE
business risks and deliver business value while addressing technical issues and meeting
control objectives in a structured, methodic way.” 33
ValIT Integrated with CobiT 5
The ValIT framework has been folded into the CobiT 5 framework. 34 For more de-
tails, you may download free or acquire publications and operational tools on this and
related topics at isaca.org.
Key functions of ValIT include:
■ Defi ne the relationship between IT and the business and those functions in
the organization with governance responsibilities;
■ Manage an organization’s portfolio of IT-enabled business investments;
■ Maximize the quality of business cases for IT-enabled business investments
with particular emphasis on the defi nition of key fi nancial indicators, the
quantifi cation of “soft” benefi ts and the comprehensive appraisal of the
downside risk.
Val IT addresses assumptions, costs, risks and outcomes related to a balanced
portfolio of IT-enabled business investments. It also provides benchmarking
capability and allows enterprises to exchange experiences on best practices for
value management. 35
ITIL
ITIL is a set of process-oriented best practices and guidance originally developed
in the United Kingdom to standardize delivery of IT service management. ITIL is
applicable to both the private and public sectors and is the “most widely accepted ap-
proach to IT service management in the world.” 36 As with other IT governance frame-
works, ITIL provides essential guidance for delivering business value through IT, and
it “provides guidance to organizations on how to use IT as a tool to facilitate business
change, transformation and growth.” 37
ITIL best practices form the foundation for ISO/IEC 20000 (previously
BS 15000), the International Service Management Standard for organizational
certifi cation and compliance. 38 ITIL 2011 is the latest revision (as of this writing).
CobiT is process-oriented and has been widely adopted as an IT governance
framework. ValIT is value-oriented and compatible and complementary with
CobiT yet focuses on value delivery.
The Val IT framework has been folded into the COBIT 5 framework.

INFORMATION GOVERNANCE AND INFORMATION TECHNOLOGY FUNCTIONS 201
It consists of fi ve core published volumes that map the IT service cycle in a
systematic way:
1. ITIL Service Strategy
2. ITIL Service Design
3. ITIL Service Transition
4. ITIL Service Operation
5. ITIL Continual Service Improvement
ISO 38500
ISO/IEC 38500:2008 is an international standard that provides high-level principles
and guidance for senior executives and directors, and those advising them, for the effec-
tive and effi cient use of IT. 39 Based primarily on AS 8015, the Australian IT governance
standard, it “applies to the governance of management processes” performed at the IT
service level, but the guidance assists executives in monitoring IT and ethically discharg-
ing their duties with respect to legal and regulatory compliance of IT activities.
The ISO 38500 standard comprises three main sections:
1. Scope, Application and Objectives
2. Framework for Good Corporate Governance of IT
3. Guidance for Corporate Governance of IT
It is largely derived from AS 8015, the guiding principles of which were:
■ Establish responsibilities
■ Plan to best support the organization
■ Acquire validly
■ Ensure performance when required
■ Ensure conformance with rules
■ Ensure respect for human factors
The standard also has relationships with other major ISO standards, and em-
braces the same methods and approaches.40
CobiT is process oriented and has been widely adopted as an IT governance
framework. ValIT is value oriented and compatible and complementary with
CobiT yet focuses on value delivery.
ITIL is the “most widely accepted approach to IT service management in the
world.”

202 INFORMATION GOVERNANCE
IG Best Practices for Database Security and Compliance
Although security is a topic primarily for Chapter 11 , it is a technical topic that we
address here as well. Best practices have been developed over the past few years and
can prevent leakage of structured data from databases and Web services due to SQL
injections (where hackers attack SQL databases) and other types of attacks.
An organization and its data needs to be connected to its stakeholders—employees,
customers, suppliers, and strategic partners. In this interconnected world that keeps ex-
panding (e.g., cloud, mobile devices) proprietary data is exposed to a variety of threats.
It is critical to protect the sensitive information assets that reside in your databases. 41
Perimeter security often is easily penetrated. Web apps are vulnerable to attacks
such as SQL injection (a favorite among malicious approaches). Hackers also can gain
access by spear phishing (very specifi c phishing attacks that include personal informa-
tion) to glean employee login credentials in order to get access to databases.
Streamlining your approach to database security by implementing a uniform set
of policies and processes helps in compliance efforts and reduces costs. Here are some
proven database security best practices:
■ Inventory and document. You must fi rst identify where your sensitive data and
databases reside in order to secure them. So a discovery and mapping process
must take place. You can begin with staff interviews but also use tools such
as data loss prevention to map out data fl ows. Include all locations, includ-
ing legacy applications, and intellectual property such as price lists, marketing
and strategic plans, product designs, and the like. This inventorying/discovery
process must be done on a regular basis with the assistance of automated tools,
since the location of data can migrate and change.
■ Assess exposure/weaknesses. Look for security holes, missing updates and patches,
and any irregularities on a regular basis, using
standard checklists such as the CIS Database Server Benchmarks and
the DISA Security Technical Implementation Guides (STIGs). Do not
forget to check OS-level parameters such as fi le privileges for database
confi guration fi les and database confi guration options such as roles and
permissions, or how many failed logins result in a locked account (these
types of database-specifi c checks are typically not performed by network
vulnerability assessment scanners).
■ Shore up the database. Based on your evaluation of potential vulnerabilities, take
proper steps and also be sure to that used database functions are disabled.
■ Monitor. On a regular basis, monitor and document any confi guration changes,
and make sure the “gold” confi guration is stable and unchanged. “Use change
auditing tools that compare confi guration snapshots and immediately alert
whenever a change is made that affects your security posture.” 42
ISO 38500 is an international standard that provides high-level principles and
guidance for senior executives and directors responsible for IT governance.

INFORMATION GOVERNANCE AND INFORMATION TECHNOLOGY FUNCTIONS 203
■ Deploy monitoring/auditing tools . Deploy these tools to immediately detect
intrusions or suspicious activity, use your database’s database activity
monitoring (DAM) and database auditing tools continuously and in real
time. Note any anomalies, such as usually large numbers of records being
downloaded even by authorized users—this could indicate, for instance, a
rogue employee gathering information. But also higher-level “privileged
users—such as database administrators (DBAs), developers and outsourced
personnel” must be monitored to comply with certain regulations. Watch
for attackers who have gained access through authorized credentials. DAM
creates an audit trail generated in real time that can be the forensic smoking
gun in investigations after attacks have occurred. Also, monitor the applica-
tion layer, as
well-designed DAM solutions associate specifi c database transactions
performed by the application with specifi c end-user IDs, in order to
deterministically identify individuals violating corporate policies. In ad-
dition, combining database auditing information with OS [operating
system] and network logs via a security information and event manage-
ment . . . system to see everything that a user has done can also provide
critical information for forensic investigations.
■ Verify privileged access . In your audit process, periodically review the list of privi-s
leged users and entitlement reports to ensure that superusers and those with
access to sensitive information are still authorized.
■ Protect sensitive data . Known sensitive data should be encrypted, so that even
if attackers gain access, it is unreadable. “File-level encryption at the OS lay-
er, combined with granular real-time monitoring and access control at the
database layer, is typically accepted as a practical alternative to column-level
encryption and a compensating control for Requirement 3.3 of PCI-DSS.” 43
■ Deploy masking. Hide your live production data by masking test data. “Masking
is a key database security technology that de-identifi es live production data,
replacing it with realistic but fi ctional data that can then be used for testing,
training and development purposes, because it is contextually appropriate to
the production data it has replaced.”
■ Integrate and automate standardized security processes. To pass compliance audits,
you need to show that processes and system are in place to reduce risks and
detect potential intrusions, attacks, and unauthorized use. Standardizing and
automating these tasks as much as possible helps minimize compliance costs
while protecting the organization’s data.
Implementing these best practices will help keep sensitive data in your databases
secure.
Identifying sensitive information in your databases and implementing database
security best practices help reduce organizational risk and the cost of compliance.

204 INFORMATION GOVERNANCE
Tying It All Together
Multiple frameworks and standards can be applied to the IT process to more effectively
govern it and focus the processes on business impact. Beginning with a robust data
governance program, organizations can ensure, at the more fundamental level, that
the information they are using to base decisions on is clean, reliable, and accurate.
Implementing an MDM program will help larger organizations with complex IT
operations ensure that they are working with consistent data from a single source.
Implementing the CobiT 5 business framework for delivering IT results will help
support a more effi cient IT operation and include other major frameworks, standards,
and best practices. Leveraging the use of the ISO 38500 standard will help senior
executives to better manage and govern IT operations, and employing database
security best practices will help guard against outside threats.
■ Focusing on business impact and customizing your IG approach to meet
business objectives are key best practices for IG in the IT department.
■ Effective data governance can yield bottom-line benefi ts derived from new
insights.
■ Good data governance ensures that downstream negative effects of poor
data are avoided and that subsequent reports, analyses, and conclusions are
based on reliable, trusted data.
■ Master data management is a key IG process in IT.
■ IT governance seeks to align business objectives with IT strategy to deliver
business value.
■ CobiT 5 is the latest version of the business framework for the governance of
IT. It has just fi ve principles and seven enablers.
■ CobiT is process oriented and has been widely adopted as an IT governance
framework. ValIT is value oriented and compatible and complementary with
CobiT yet focuses on value delivery.
■ ValIT is a framework that focuses on delivering IT vale. It is folded into CobiT 5.
■ ITIL is the “most widely accepted approach to IT service management in the
world.”
■ ISO 38500 is an international standard that provides high-level principles and
guidance for senior executives and directors responsible for IT governance
■ Identifying sensitive information in your databases and implementing data-
base security best practices help reduce organizational risk and the cost of
compliance.
CHAPTER SUMMARY: KEY POINTS

INFORMATION GOVERNANCE AND INFORMATION TECHNOLOGY FUNCTIONS 205
Notes
1. Ibid. Gartner Says Master Data Management Is Critical to Achieving Effective Information Gover-
nance, www.gartner.com/newsroom/id/1898914 (accessed on January 19, 2012).
2. IBM, “Selling Information Governance to Business Leaders,” www.information-management.com/
newsletters/governance-ROI-BI-business-rules-GRC-10021663-1.html (accessed June 3, 2013).
3. Ibid.
4. Ibid.
5. Steven Adler, “Six Steps to Data Governance Success,” May 31, 2007, www.cio.com/article/114750/Six_
Steps_to_Data_Governance_Success .
6. “New Trends and Best Practices for Data Governance Success,” SeachDataManagement.com e-book,
http://viewer.media.bitpipe.com/1216309501_94/1288990195_946/Talend_sDM_SO_32247_EB-
ook_1104 (accessed March 11, 2013).
7. Ibid.
8. “The DGI Data Governance Framework,” DataGovernance.com, www.datagovernance.com/fw_the_
DGI_data_governance_framework.html (accessed June 4, 2013).
9. “Information Management,” BusinessDictionary.com, www.businessdictionary.com/definition/
information-management.html (accessed June 4, 2013).
10. Sunil Soares, Selling Information Governance to the Business (Ketcham, ID: MC Press, 2011), p. 4. s
11. Daniel Teachey, “The Year of Master Data Management,” May 1, 2012, http://tdwi.org/articles/2012/05/01/
lesson-2012-the-year-of-master-data-management.aspx .
12. Andrew White, “We Are Only Half Pregnant with MDM,” April 17, 2013, http://blogs.gartner.com/
andrew_white/2013/04/17/we-are-only-half-pregnant-with-master-data-management/
13. Gartner IT Glossary, “Master Data Management,” www.gartner.com/it-glossary/master-data-management-
mdm/ (accessed June 11, 2013).
14. Teachey, “Year of Master Data Management.”
15. Bill Tolson, “Information Governance 101,” May 21, 2013, http://informationgovernance101.
com/2013/05/21/the-lifecycle-of-information/.
16. Gartner IT Glossary, “Information Lifecycle Management,” www.gartner.com/it-glossary/information-
life-cycle-management-ilm (accessed June 11, 2013).
17. Soares, Selling Information Governance to the Business. s
18. “Data Architecture,” BusinessDictionary.com, www.businessdictionary.com/defi nition/data-architecture
.html (accessed June 11, 2013).
19. “Data Modeling,” TechTarget, http://searchdatamanagement.techtarget.com/defi nition/data-model-
ing (accessed June 11, 2013).Ibid.
20. Ibid .
21. Soares, Selling Information Governance to the Business. s
22. Ibid.
23. Malcolm Chisholm, “Master Data Versus Reference Data,” Information Management , April 1, 2006, t
www.information-management.com/issues/20060401/1051002-1.html .
24. M. N. Kooper, R. Maes, and E.E.O. Roos Lindgreen, “On the Governance of Information: Introducing a
New Concept of Governance to Support the Management of Information,” International Journal of Information
Management 31 (2011): 195–20, www.sciencedirect.com/science/article/pii/S0268401210000708 .t
25. Nick Robinson, “The Many Faces of IT Governance: Crafting an IT Governance Architecture,”
ISACA Journal 1 (2007), www.isaca.org/Journal/Past-Issues/2007/Volume-1/Pages/The-Many-Faces-l
of-IT-Governance-Crafting-an-IT-Governance-Architecture.aspx.
26. Bryn Phillips, “IT Governance for CEOs and Members of the Board,” 2012, p. 26.
27. IBM Global Business Services—Public Sector, “Control Objectives for Information and related Technol-
ogy (CobiT®) Internationally Accepted Gold Standard for IT Controls and Governance,” 2008, http://
www-304.ibm.com/industries/publicsector/fi leserve?contentid=187551 (accessed March 11, 2013).
28. Phillips, “IT Governance for CEOs and Members of the Board.”
29. IBM Global Business Services—Public Sector, “CobiT®.”
30. Ibid.
31. “COBIT 5: A Business Framework for the Governance and Management of Enterprise IT,” www.isaca
.org/COBIT/Pages/default.aspx (accessed December 8, 2013).
32. Ibid.
33. IBM Global Business Services—Public Sector, “CobiT®.”
34. IASCA, “Val IT Framework for Business Technology Management,” www.isaca.org/Knowledge-Center/
Val-IT-IT-Value-Delivery-/Pages/Val-IT1.aspx?utm_source=multiple&utm_medium=multiple&utm_
content=friendly&utm_campaign=valit (accessed June 12, 2013).

http://www.gartner.com/newsroom/id/1898914

http://www.information-management.com/newsletters/governance-ROI-BI-business-rules-GRC-10021663-1.html

http://www.cio.com/article/114750/Six_Steps_to_Data_Governance_Success

http://viewer.media.bitpipe.com/1216309501_94/1288990195_946/Talend_sDM_SO_32247_EB-ook_1104

http://www.datagovernance.com/fw_the_DGI_data_governance_framework.html

http://www.businessdictionary.com/definition/information-management.html

http://tdwi.org/articles/2012/05/01/lesson-2012-the-year-of-master-data-management.aspx

We are only Half Pregnant with Master Data Management

http://www.gartner.com/it-glossary/master-data-management-mdm/

The lifecycle of information

http://www.gartner.com/it-glossary/information-life-cycle-management-ilm

http://www.businessdictionary.com/definition/data-architecture.html

http://searchdatamanagement.techtarget.com/definition/data-modeling

http://www.information-management.com/issues/20060401/1051002-1.html

http://www.sciencedirect.com/science/article/pii/S0268401210000708

http://www-304.ibm.com/industries/publicsector/fileserve?contentid=187551

http://www.isaca.org/COBIT/Pages/default.aspx

http://www.isaca.org/Knowledge-Center/Val-IT-IT-Value-Delivery-/Pages/Val-IT1.aspx?utm_source=multiple&utm_medium=multiple&utm_content=friendly&utm_campaign=valit

http://www.information-management.com/newsletters/governance-ROI-BI-business-rules-GRC-10021663-1.html

http://www.cio.com/article/114750/Six_Steps_to_Data_Governance_Success

http://www.datagovernance.com/fw_the_DGI_data_governance_framework.html

http://www.businessdictionary.com/definition/information-management.html

http://tdwi.org/articles/2012/05/01/lesson-2012-the-year-of-master-data-management.aspx

We are only Half Pregnant with Master Data Management

The lifecycle of information

http://www.businessdictionary.com/definition/data-architecture.html

http://searchdatamanagement.techtarget.com/definition/data-modeling

http://www.isaca.org/Journal/Past-Issues/2007/Volume-1/Pages/The-Many-Faces-of-IT-Governance-Crafting-an-IT-Governance-Architecture.aspx

http://www.isaca.org/COBIT/Pages/default.aspx

http://www.isaca.org/Knowledge-Center/Val-IT-IT-Value-Delivery-/Pages/Val-IT1.aspx?utm_source=multiple&utm_medium=multiple&utm_content=friendly&utm_campaign=valit

206 INFORMATION GOVERNANCE
35. Ibid.
36. ITIL, “Welcome to the Official ITIL® Website,” www.itil-officialsite.com/ (accessed
March 12, 2013).
37. ITIL, “What Is ITIL?” www.itil-offi cialsite.com/AboutITIL/WhatisITIL.aspx (accessed March 12,
2013).
38. Ibid.
39. ISO, “ISO/IEC 38500:2008: Corporate Governance of Information Technology,” www.iso.org/iso/
catalogue_detail?csnumber=51639 (accessed March 12, 2013).
40. “ISO 38500 IT Governance Standard” (2008), www.38500.org/ (accessed March 12, 2013).
41. The following discussion and quotes are from Phil Neray, “Beating the Breach: 10 Best Practices
for Database Security and Compliance,” November 3, 2011, http://datasafestorage.wordpress
.com/2011/11/15/beating-the-breach-10-best-practices-for-database-security-and-compliance/.
42. Ibid
43. Ibid

http://www.itil-officialsite.com/

http://www.itil-officialsite.com/AboutITIL/WhatisITIL.aspx

http://www.iso.org/iso/catalogue_detail?csnumber=51639

http://www.38500.org/

Beating the Breach: 10 Best Practices for Database Security and Compliance

http://www.iso.org/iso/catalogue_detail?csnumber=51639

Beating the Breach: 10 Best Practices for Database Security and Compliance

207
P
rivacy and security go hand in hand. Privacy cannot be protected without imple-
menting proper security controls and technologies. Organization must make not
only reasonable efforts to protect privacy of data, but they must go much further
as privacy breaches are damaging to its customers, reputation, and potentially, could
put the company out of business.
Breaches are increasingly being carried out by malicious attacks, but also a sig-
nifi cant source of breaches is internal mistakes caused by poor information gover-
nance (IG) practices, software bugs, and carelessness. The average cost of a data breach
in 2013 was over $5 million dollars, according to the Ponemon Institute, 1 but some
spectacular breaches have occurred, such as the $45 million in fraudulent automated
teller machine cash withdrawals in New York City within hours in early 2013, and the
110 million customer records breached at giant retailer Target in late 2013. Millions
of breaches occur each year: There were an estimated 354 million privacy breaches
between 2005 and 2010 in the United States alone.
Cyberattacks Proliferate
Online attacks and snooping continue at an increasing rate. Organizations must be
vigilant about securing their internal, confi dential documents and e-mail messages. In
2011, security experts at Intel/McAfee “discovered an unprecedented series of cyber
attacks on the networks of 72 organizations globally, including the United Nations,
governments and corporations, over a fi ve-year period.” 2 Dmitri Alperovitch of
McAfee described the incident as “ the biggest transfer of wealth in terms of intellectual“
property in history.”3 The level of intrusion is ominous.
The targeted victims included governments, including the United States, Canada,
India, and others; corporations, including high-tech companies and defense contrac-
tors; the International Olympic Committee; and the United Nations. “In the case of
the United Nations, the hackers broke into the computer system of its secretariat in
Information
Governance and
Privacy and Security
Functions
C H A P T E R 11
Portions of this chapter are adapted from Chapters 11 and 12, Robert F. Smallwood, Safeguarding Critical E-Documents:
Implementing a Program for Securing Confi dential Information Assets , © John Wiley & Sons, Inc., 2012. Reproduced with s
permission of John Wiley & Sons, Inc.

208 INFORMATION GOVERNANCE
Geneva in 2008, hid there for nearly two years, and quietly combed through reams
of secret data, according to McAfee.” 4 Attacks can be occurring in organizations for years
before they are uncovered—if they are discovered at all. This means that an organization
may be covertly monitored by criminals or competitors for extended periods of time.
And they are not the only ones spying—look no further than the U.S. National
Security Agency (NSA) scandal of 2013. With Edward Snowden’s revelations, it is clear
that governments are accessing, monitoring, and storing massive amounts of private data.
Where this stolen information is going and how it will be used is yet to be
determined. But it is clear that possessing this competitive intelligence could give a
government or company a huge advantage economically, competitively, diplomatically,
and militarily.
The information assets of companies and government agencies are at risk
globally. Some are invaded and eroded daily, without detection. The victims are losing
economic advantage and national secrets to unscrupulous rivals, so it is imperative that
IG policies are formed, followed, enforced, tested, and audited. It is also imperative to
use the best available technology to counter or avoid such attacks. 5
Insider Threat: Malicious or Not
Ibas, a global supplier of data recovery and computer forensics, conducted a survey of
400 business professionals about their attitudes toward intellectual property (IP) theft:
■ Nearly 70 percent of employees have engaged in IP theft, taking corporate
property upon (voluntary or involuntary) termination.
■ Almost one-third have taken valuable customer contact information, databases,
or other client data.
■ Most employees send e-documents to their personal e-mail accounts when pil-
fering the information.
■ Almost 60 percent of surveyed employees believe such actions are acceptable.
■ Those who steal IP often feel that they are entitled to partial ownership rights,
especially if they had a hand in creating the fi les. 6
These survey statistics are alarming, and by all accounts the trend continuing to worsen
today. Clearly, organizations have serious cultural challenges to combat prevailing
attitudes toward IP theft. A strong and continuous program of IG aimed at secur-
ing confi dential information assets can educate employees, raise their IP security
Attacks can continue in organizations for years before they are uncovered—if
they are discovered at all.
The average cost of a data breach in 2013 was over $5 million.

INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 209
awareness, and train them on techniques to help secure valuable IP. And the change
needs to be driven from the top: from the CEO and boardroom. However, the mag-
nitude of the problem in any organization cannot be accurately known or measured.
Without the necessary IG monitoring and enforcement tools, executives cannot know
the extent of the erosion of information assets and the real cost in cash and intangible
terms over the long term.
Countering the Insider Threat
Frequently ignored, the insider has increasingly become the main threat—more than
the external threats outside of the perimeter. Insider threat breaches can be more costly
than outsider breaches. Most of the insider incidents go unnoticed or unreported.7
Companies have been spending a lot of time and effort protecting their perimeters
from outside attacks. In recent years, most companies have realized that the insider
threat is something that needs to be taken more seriously.
Malicious Insider
Malicious insiders and saboteurs comprise a very small minority of employees. A dis-
gruntled employee or sometimes an outright spy can cause a lot of damage. Malicious
insiders have many methods at their disposal to harm the organization by destroying
equipment, gaining unsanctioned access to IP, or removing sensitive information by
USB drive, e-mail, or other methods.
Nonmalicious Insider
Fifty-eight percent of Wall Street workers say they would take data from their company
if they were terminated, and believed they could get away with it, according to a recent
survey by security fi rm CyberArk.8 Frequently, they do this without malice. The majority
of users indicated having sent out documents accidentally via e-mail. So, clearly it is easy
to leak documents without meaning to do any harm, and that is the cause of most leaks.
Solution
Trust and regulation are not enough. In the case of a nonmalicious user, companies
should invest in security, risk education, and IG training. A solid IG program can
reduce IP leaks through education, training, monitoring, and enforcement.
Security professionals state that insider threat breaches are often more costly
than outsider ones.
Information assets are invaded and eroded daily, often without detection. This
compromises competitive position and has real fi nancial impact.

210 INFORMATION GOVERNANCE
In the case of the malicious user, companies need to take a hard look and see
whether they have any effective IG enforcement and document life cycle security
(DLS) technology such as information rights management (IRM) in place. Most often,
the answer is no. 9
Privacy Laws
The protection of personally identifi able information (PII) is a core focus of IG efforts.
PII is any information that can identify an individual, such as name, Social Security
number, medical record number, credit card number, and so on. Various privacy laws
have been enacted in an effort to protect privacy. You must consult your legal counsel
to determine which laws and regulation apply to your organization and its data and
documents.
In the United States, the Federal Wiretap Act “prohibits the unauthorized inter-
ception and disclosure of wire, oral, or electronic communications.” The Electronic
Communications Privacy Act (ECPA) of 1986 amended the Federal Wiretap Act sig-
nifi cantly and included specifi c on e-mail privacy. 10 The Stored Communications and
Transactional Records Act (SCTRA) was created as a part of ECPA and is “sometimes
useful for protecting the privacy of e-mail and other Internet communications when
discovery is sought.” The Computer Fraud and Abuse Act makes it a crime to in-
tentionally breach a “protected computer” (one used by a fi nancial institution or for
interstate commerce).
Also relevant for public entities is the Freedom of Information Act, which allows
U.S. citizens to request government documents that have not previously been released,
although sometime sensitive information is redacted (blacked out), and specifi es the
steps for disclosure as well as the exemptions. In the United Kingdom, the Freedom of
Information Act 2000 provides for similar disclosure requirements and mandatory steps.
In the United Kingdom, privacy laws and regulations include these:
■ Data Protection Act 1998
■ Freedom of Information Act 2000
■ Public Records Act 1958
■ Common law duty of confi dentiality
■ Confi dentiality National Health Service (NHS) Code of Practice
■ NHS Care Record Guarantee for England
■ Social Care Record Guarantee for England
■ Information Security NHS Code of Practice
■ Records Management NHS Code of Practice
Also, the international information security standard ISO/IEC 27002: 2005 comes
into play when implementing security.
Redaction
Redaction is the process of blocking out sensitive fi elds of information. In a paper
environment, this was done with a black marking pen; however, privacy software can
redact certain fi elds in digital documents, making them unreadable. Redaction is used

INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 211
for confi dential patient information in medical records as well as other confi dential
document types, such as birth certifi cates, fi nancial documents, property deeds, and
other unstructured information that is managed.
A complete audit trail should be enabled that shows when specifi c users accessed
or printed specifi c confi dential information.
Limitations of Perimeter Security
Traditionally, central computer system security has been primarily perimeter
security—securing the fi rewalls and perimeters within which e-documents are stored
and attempting to keep intruders out—rather than securing e-documents directly
upon their creation. The basic access security mechanisms implemented, such as passwords,
two-factor authentication, and identity verifi cation, are rendered totally ineffective once the
confi dential e-documents or records are legitimately accessed by an authorized employee. The
documents are usually bare and unsecured. This poses tremendous challenges if the
employee is suddenly terminated, if the person is a rogue intent on doing harm, or if
outside hackers are able to penetrate the secured perimeter. And, of course, it is com-
mon knowledge that they do it all the time. The focus should be on securing the documents
themselves, directly.
Restricting access is the goal of conventional perimeter security, but it does not
directly protect the information inside. Perimeter security protects information the
same way a safe protects valuables; if safecrackers get in, the contents are theirs. There
are no protections once the safe is opened. Similarly, if hackers penetrate the perimeter
security, they have complete access to the information inside, which they can steal,
alter, or misuse. 11 The perimeter security approach has four fundamental limitations:
1. Limited effectiveness. Perimeter protection stops dead at the fi rewall, even
though sensitive information is sent past it and circulates around the Web,
unsecured. Today’s extended computing model and the trend toward global
business means that business enterprises and government agencies frequently
share sensitive information externally with other stakeholders, including busi-
ness partners, customers, suppliers, and constituents.
2. Haphazard protections. In the normal course of business, knowledge workers
send, work on, and store copies of the same information outside the organi-
zation’s established perimeter. Even if the information’s new digital environ-
ment is secured by other perimeters, each one utilizes different access controls
or sometimes no access control at all (e.g., copying a price list from a sales
folder to a marketing folder; an attorney copying a case brief or litigation
strategy document from a paralegal’s case folder).
3. Too complex. With this multi-perimeter scenario, there are simply too many pe-
rimeters to manage, and often they are out of the organization’s direct control.
4. No direct protections. Attempts to create boundaries or portals protected by pe-
rimeter security within which stakeholders (partners, suppliers, shareholders,
or customers) can share information causes more complexity and administra-
tive overhead while it fails to protect the e-documents and data directly. 12
Despite the current investment in e-document security, it is astounding that once
information is shared today, it is largely unknown who will be accessing it tomorrow.

212 INFORMATION GOVERNANCE
Defense in Depth
Defense in depth is an approach that uses multiple layers of security mechanisms to
protect information assets and reduce the likelihood that rogue attacks can succeed.13
The idea is based on military principles that an enemy is stymied by complex layers
and approaches compared to a single line. That is, hackers may be able to penetrate
one or two of the defense layers, but multiple security layers increase the chances
of catching the attack before it gets too far. Defense in depth includes a fi rewall as a
fi rst line of defense and also antivirus and anti-spyware software, identity and access
management (IAM), hierarchical passwords, intrusion detection, and biometric t
verifi cation. Also, as a part of an overall IG program, physical security measures are
deployed, such as smartcard or even biometric access to facilities and intensive IG
training and auditing.
Controlling Access Using Identity Access Management
IAM software can provide an important piece of the security solution. It aims to pre-
vent unauthorized people from accessing a system and to ensure that only authorized
individuals engage with information, including confi dential e-documents.
Today’s business environment operates in a more extended and mobile model,
often including stakeholders outside of the organization. With this more complex and
fl uctuating group of users accessing information management applications, the idea of
identity management has gained increased importance.
The response to the growing number of software applications using inconsistent
or incompatible security models is strong identity management enforcement software.
These scattered applications offer opportunities not only for identity theft but also
for identity drag , where the maintenance of identities does not keep up with changing g
identities, especially in organizations with a large workforce. This can result in theft of
confi dential information assets by unauthorized or out-of-date access and even failure
to meet regulatory compliance, which can result in fi nes and imprisonment.14
IAM—along with sharp IG policies—“manages and governs user access to infor-
mation through an automated, continuous process.” 15 Implemented properly, good
IAM does keep access limited to authorized users while increasing security, reducing
IT complexity, and increasing operating effi ciencies.
Critically, “IAM addresses ‘access creep’ where employees move to a different department
of business unit and their rights to access information fail to get updated” (emphasis added).” 16
In France in 2007, a rogue stock trader at Société Générale had in-depth knowl-
edge of the bank’s access control procedures from his job at the home offi ce. 17 He
used that information to defraud the bank and its clients out of over €7 billion (over
$10 billion). If the bank had implemented an IAM solution, the crime might not have
been possible.
“IAM addresses ‘access creep’ where employees move to a different depart-
ment of business unit and their rights to access information fail to get updated.”

INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 213
A robust and effective IAM solution provides for:
■ Auditing . Detailed audit trails of g who attempted to access which information , and
when . Stolen identities can be uncovered if, for instance, an authorized user
attempts to log in from more than one computer at a time.
■ Constant updating. Regular reviews of access rights assigned to individuals, in-
cluding review and certifi cation for user access, an automated recertifi cation
process ( attestation ), and enforcement of IG access policies that govern the way
users access information in respect to segregation of duties.
■ Evolving roles. Role life cycle management should be maintained on a continuous
basis, to mine and manage roles and their associated access rights and policies.
■ Risk reduction. Remediation regarding access to critical documents and
information.
Enforcing IG: Protect Files with Rules and Permissions
One of the fi rst tasks often needed when developing an IG program that secures confi –
dential information assets is to defi ne roles and responsibilities for those charged with
implementing, maintaining, and enforcing IG policies. Corollaries that spring from
that effort get down to the nitty-gritty of controlling information access by rules and
permissions.
Rules and permissions specify who (by roles) is allowed access to which documents
and information, and even contextually from where (offi ce, home, travel) and at what
times (work hours, or extended hours). Using the old policy of the s need-to-know basis
is a good rule of thumb to apply when setting up these access policies (i.e., only those
who are at a certain level of the organization or are directly involved in certain projects
are allowed access to confi dential and sensitive information). The roles are relatively
easy to defi ne in a traditional hierarchical structure, but today’s fl atter and more col-
laborative enterprises present challenges.
To effectively wall off and secure information by management level, many compa-
nies and governments have put in place an information security framework—a model
that delineates which levels of the organization have access to specifi c documents and
databases as a part of implemented IG policy. This framework shows a hierarchy of
the company’s management distributed across a range of defi ned levels of information
access. The U.S. Government Protection Profi le for Authorization Server for Basic
Robustness Environments is an example of such a framework.
Challenge of Securing Confi dential E-Documents
Today’s various document and content management systems were not initially designed
to allow for secure document sharing and collaboration while also preventing docu-
ment leakage. These software applications were mostly designed before the invention
and adoption of newer business technologies that have extended the computing
environment. The introduction of cloud computing, mobile PC devices, smartphones,
social media, and online collaboration tools all came after most of today’s document and
content management systems were developed and brought to market.

214 INFORMATION GOVERNANCE
Thus, vulnerabilities have arisen that need to be addressed with other, comple-
mentary technologies. We need to look no further than the WikiLeaks incident and
the myriad of other major security breaches resulting in document and data leakage
to see that there are serious information security issues in both the public and private
sectors.
Technology is the tool, but without proper IG policies and a culture of compli-
ance that supports the knowledge workers following IG policies, any effort to secure
confi dential information assets will fail. An old IT adage is that even perfect technology
will fail without user commitment.
Protecting Confi dential E-Documents: Limitations of
Repository-Based Approaches
Organizations invest billions of dollars in IT solutions that manage e-documents and
records in terms of security, auditing, search, records retention and disposition, version
control, and so on. These information management solutions are predominantly re-
pository-based, including enterprise content management (ECM) systems and collab-
orative workspaces (for unstructured information, such as e-documents). With content
or document repositories, the focus has always been on perimeter security—keeping
intruders out of the network. But that provides only partial protection. Once intrud-
ers are in, they are in and have full access to confi dential e-documents. For those who
are authorized to access the content, there are no protections, so they may freely copy,
forward, print, or even edit and alter the information. 18
The glaring vulnerability in the security architecture of ECM systems is that few protec-
tions exist once the information is legitimately accessed.
These confi dential information assets, which may include military plans, price
lists, patented designs, blueprints, drawings, and fi nancial reports, often can be printed,
e-mailed, or faxed to unauthorized parties without any security attached. 19
Also, in the course of their normal work processes, knowledge workers tend to
keep an extra copy of the electronic documents they are working on stored at their
desktop, or they download and copy them to a tablet or laptop to work at home or
while traveling. This creates a situation where multiple copies of these e-documents are scat-
tered about on various devices and media, which creates a security problem, since they are out-
side of the repository and no longer secured, managed, controlled, or audited.
The glaring vulnerability in the security architecture of ECM systems is that few
protections exist once the information is legitimately accessed.
Technologies like fi rewalls, access controls, and gateway fi lters can grant or deny
access but cannot provide granular enforcement of acceptable use policies that
defi ne what users can and cannot do with confi dential data and documents.

INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 215
It also creates records management issues in terms of the various versions that
might be out there and determining which one is the offi cial business record.
Apply Better Technology for Better Enforcement in the
Extended Enterprise
Protecting E-Documents in the Extended Enterprise
Sharing e-documents and collaborating are essential in today’s increasingly mobile
and global world. Businesses are operating in a more distributed model than ever be-
fore, and they are increasingly sharing and collaborating not only with coworkers but
also with suppliers, customers, and even at times competitors (e.g., in pharmaceutical
research). This reality presents a challenge to organizations dealing in sensitive and
confi dential information.20
Basic Security for the Microsoft Windows Offi ce Desktop
The fi rst level of protection for e-documents begins with basic protections at the
desktop level. Microsoft Offi ce provides ways to password-protect Microsoft Offi ce
fi les, such as those created in Word and Excel, quickly and easily. Many corporations
and government agencies around the world use these basic protections. A key fl aw
or caveat is that passwords used in protecting documents cannot be retrieved if they are
forgotten or lost.
Where Do Deleted Files Go?
When you delete a fi le it is gone, right? Actually, it is not (with the possible exception
of solid state hard drives). For example, after a fi le is deleted in Windows, a simple
undelete DOS command can bring back the fi le, if it has not been overwritten. That is
because when fi les are deleted, they are not really deleted; rather, the space where they
reside is marked for reuse and can be overwritten. If it is not yet overwritten, the fi le is
still there. The same process occurs as drafts of documents are created and temp (for
temporary ) fi les are stored. The portions of a hard drive where deleted or temp fi les are
stored can be overwritten. This is called unallocated space. Most users are unaware that
deleted fi les and fragments of documents and drafts are stored temporarily on their computer’s
unallocated space. So it must be wiped clean and completely erased to ensure that any
confi dential documents or drafts are completely removed from the hard drive.
IG programs include the highest security measures, which means that an organi-
zation must have a policy that includes deleting sensitive materials from a computer’s
unallocated space and tests that verify such deletion actions are successful periodically.
Lock Down: Stop All External Access to Confi dential E-Documents
Organizations are taking other approaches to stop document and data leakage: physi-
cally restricting access to a computer by disconnecting it from any network con-
nections and forbidding or even blocking use of any ports. Although cumbersome,
these methods are effective in highly classifi ed or restricted areas where confi dential

216 INFORMATION GOVERNANCE
e-documents are held. Access is controlled by utilizing multiple advanced identity ver-
ifi cation methods, such as biometric means.
Secure Printing
Organizations normally expend a good amount of effort making sure that computers,
documents, and private information are protected and secure. However, if your com-
puter is hooked up to a network printer (shared by multiple knowledge workers), all of
that effort might have been wasted. 21
Some basic measures can be taken to protect confi dential documents from being
compromised as they are printed. You simply invoke some standard Microsoft Offi ce
protections, which allow you to print the documents once you arrive in the copy room
or at the networked printer. This process varies slightly, depending on the printer’s
manufacturer. (Refer to the documentation for the printer for details.)
In Microsoft Offi ce, there is an option in the Print Dialog Box for delayed print-
ing of documents (when you physically arrive at the printer).
Serious Security Issues with Large Print Files of Confi dential Data
According to Canadian output and print technology expert William Broddy, in a
company’s data center, a print fi le of, for instance, investment account statements or
bank statements contains all the rich information that a hacker or malicious insider
needs. It is information distilled to the most important core data about customers, and has
been referred to as data syrup since it has been boiled down and contains no mountains of
extraneous data, only the culled, cleaned, essential data that gives criminals exactly what they
need.d 22
What most managers are not aware of is that entire print fi les and sometimes
remnants of them stay on the hard drives of high-speed printers and are vulnerable to
security breaches. Data center security personnel closely monitor calls to their data-
base. To extract as much data as is contained in print fi les, a hacker requires hundreds
or even thousands of calls to the database, which sets off alerts by system monitor-
ing tools. But retrieving a print fi le takes only one intrusion, and it may go entirely
unnoticed. The fi les are sitting there; a rogue service technician or fi eld engineer can
retrieve them on a routine service call.
To help secure print fi les, specialized hardware devices designed to sit between the
print server and the network and cloak server print fi les are visible only to those who
have a cloaking device on the other end.
Organizations must practice good IG and have specifi c procedures to erase
sensitive print fi les once they have been utilized. For instance, in the example of
preparing statements to mail to clients, fi les are exposed to possible intrusions in at
least six points in the process (starting with print fi le preparation and ending with the
actual mailing). These points must be tightly monitored and controlled. Typically, an
A print fi le contains all the distilled customer information a hacker might want.
Retrieving a print fi le takes only one intrusion and may go entirely unnoticed.

INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 217
organization retains a print fi le for about 14 days, though some keep fi les long enough
for customers to receive statements in the mail and review them. Organizations must
make sure that print fi les or their remnants are secured and then completely erased when the
printing job is fi nished.
E-Mail Encryption
Encrypting (scrambling using advanced algorithms) sensitive e-mail messages is an
effective step to securing confi dential information assets while in transit. Encryption
can also be applied to desktop folders and fi les and even entire disk drives (full disk en-
cryption, or FDE). All confi dential or sensitive data and e-documents that are exposed
to third parties or transferred over public networks should be secured with fi le-level
encryption, at a minimum. 23
Secure Communications Using Record-Free E-Mail
What types of tools can you use to encourage the free fl ow of ideas in collaborative
efforts without compromising your confi dential information assets or risking litigation
or compliance sanctions?
Stream messaging is an innovation that became commercially viable around 2006.
It is similar in impact to IRM software, which limits the recipients’ ability to forward,
print, or alter data in an e-mail message (or reports, spreadsheets, etc.) but goes further
by leaving no record on any computer or server.r
Stream messaging is a simple, safe, secure electronic communications system ideal
for ensuring that sensitive internal information is kept confi dential and not publicly
released. Stream messaging is not intended to be a replacement for enterprise e-mail
but is a complement to it. If you need an electronic record, e-mail it; if not, use stream
messaging. 24
What makes stream messaging unique is its recordlessness. Streamed messages
cannot be forwarded, edited, or saved. A copy cannot be printed as is possible with
e-mail. That is because stream messaging separates the sender’s and receiver’s names and the
date from the body of the message, never allowing them to be seen together. Even if the sender
or receiver were to attempt to make a copy using the print-screen function, these ele-
ments are never captured together.25
Files are exposed to possible intrusions in at least six points between print fi le
preparation and fi nal hard-copy mailing.
With stream messaging, no record or trace of communication is left.

218 INFORMATION GOVERNANCE
The instant a stream message is sent, it is placed in a temporary storage buffer
space. When the recipient logs in to read the message, it is removed from the buffer
space. By the time the recipient opens it, the complete stream message no longer exists
on the server or any other computer.
This communications approach is Web based, meaning that no hardware or soft-
ware purchases are required. It also works with existing e-mail systems and e-mail
addresses and is completely immune to spam and viruses. Other solutions (both past
and present) have been offered, but these have taken the approach of encrypting e-mail
or generating e-mail that disappears after a preset time. Neither of these approaches
is truly recordless.
Stream messaging is unique because its technology effectively eliminates the ability
to print, cut, paste, forward, or save a message. It may be the only electronic commu-
nications system that separates the header information—date, name of sender, name
of recipient—from the body of the message. This eliminates a traceable record of the
communication. Soon many other renditions of secure messaging will be developed.
In addition, stream messaging offers the added protection of being an indiscrimi-
nate Web-based service, meaning that the messages and headers are never hosted on
the subscribing companies’ networks. This eliminates the risk that employers, com-
petitors, or hackers could intercept stream messages, which is a great security benefi t
for end users. 26
Digital Signatures
Digital signatures are more than just digitized autographs—they carry detailed audit
information used to “detect unauthorized modifi cations” to e-documents and to
“authenticate the identity of the signatory.” 27
Online transactions can be conducted with full trust that they are legal, proper, and
binding. They prove that the person whose signature is on the e-document did, in fact,
authorize it. A digital signature provides evidence in demonstrating to a third party
that the signature was genuine, true, and authentic, which is known as nonrepudiation .
To repudiate is to dispute, and with digital signatures, a signatory is unable to claim
that the signature is forged.
Digital signatures can be implemented a variety of ways—not just through soft-
ware but also through fi rmware (programmed microchips), computer hardware, or a
combination of the three. Generally, hardware- and fi rmware-based implementations
are more diffi cult to hack, since their instructions are hardwired.
Here is a key point: For those who are unfamiliar with the technology, there is a big
difference between electronic signatures and digital signatures. 28
An “electronic signature is likely to be a bit-map image, either from a scanned
image, a fax copy or a picture of someone’s signature, or may even be a typed
acknowledgement or acceptance.” A digital signature contains “extra data appended to
There is a big difference between digital and electronic signatures. Digital
signatures contain additional authenticating information.

INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 219
a message which identifi es and authenticates the sender and message data using public-key
encryption.”29”
So digital signatures are the only ones that offer any real security advantages.
Digital signatures are verifi ed by the combination of applying a signatory’s private
signing key and the public key that comes from the signatory’s personal ID certifi –
cate. After that, only the public key ID certifi cate is required for future verifi cations.
“In addition, a checksum mechanism confi rms that there have been no modifi cations to the
content .” t 30
A formal, trusted certifi cate authority (CA) issues the certifi cate associated with
the public-private key. It is possible to generate self-certifi ed public keys, but these
do not verify and authenticate the recipient’s identity and are therefore fl awed from a
security standpoint. The interchange of verifi ed signatures is possible on a global scale,
as “digital signature standards are mature and converging internationally.” 31
After more than 30 years of predictions, the paperless offi ce is almost here.
Business process cycles have been reduced, and great effi ciencies have been gained
since the majority of documents today are created digitally and spend most of their life
cycle in digital form, and they can be routed through work steps using business process
management (BPM) and work fl ow software. However, the requirement for a physical
signature frequently disrupts and holds up these business processes . Documents have to bes
printed out, physically routed, and physically signed—and often they are scanned back
into a document or records management (or contract management) system, which
defeats the effi ciencies sought.
Often multiple signatures are required in an approval process, and some organiza-
tions require each page to be initialed, which makes the process slow and cumbersome
when it is executed without the benefi t of digital signatures. Also, multiple copies are
generated—as many as 20—so digital signature capability injected into a business pro-
cess can account for signifi cant time and cost savings. 32
Document Encryption
There is some overlap and sometimes confusion between digital signatures and document
encryption. Suffi ce it to say that they work differently, in that document encryption
secures a document for those who share a secret key, and digital signatures prove that
the document has not been altered and the signature is authentic.
There are e-records management implications of employing document
encryption:
Unless it is absolutely essential, full document encryption is often advised
against for use within electronic records management systems as it prevents
full-text indexing, and requires that the decryption keys (and application) are
available for any future access. Furthermore, if the decryption key is lost or
Requiring a physical signature can disrupt and slow business processes. Digital
signatures speed that up and add a layer of security.

220 INFORMATION GOVERNANCE
an employee leaves without passing it on, encrypted documents and records
will in effect be electronically shredded as no one will be able to read them.
Correctly certifi ed digital signatures do not prevent unauthorized per-
sons reading a document nor are they intended to. They do confi rm that the
person who signed it is who they say they are, and that the document has not
been altered since they signed it. Within a records management system a digi-
tal signature is often considered to be an important part of the metadata of a
document, confi rming both its heritage and its integrity.33
Data Loss Prevention (DLP) Technology
The aforementioned document security challenges have given rise to an emerging
but critical set of capabilities by a new breed of IT companies that provide data loss
prevention (DLP) (also called data leak prevention). DLP providers create software
and hardware appliances that thoroughly inspect all e-documents and e-mail messages
before they leave the organization’s perimeter and attempt to stop sensitive data from
exiting the fi rewall.
This fi ltering is based on several factors, but mostly using specifi ed critical content
keywords that are fl agged by the implementing organization. DLP can also stop the
exit of information assets by document types, origin, time of day, and other factors.
DLP systems are designed to detect and prevent unauthorized use and transmission
of confi dential information.34 In more detail, DLP is a computer security term referring
to systems that identify, monitor, and protect data/documents in all three states: (1) in use
(endpoint actions), (2) in motion (network actions), and (3) at rest (data/document stor-t
age). DLP accomplishes this by deep content inspection and contextual security analysis
of transaction data (e.g., attributes of the originator, the data object, medium, timing,
recipient/destination, etc.) with a centralized management framework.
Promise of DLP
Gartner reports that the DLP market reached an estimated $670 million in 2013, up
from $425 million in 2011, and “with adoption of DLP technologies moving quickly
down to the small to medium enterprise, DLP is no longer an unknown quantity.” 35
Although the DLP market has matured, it suffers from confusion about how DLP
best fi ts into the new mix of security approaches, how it is best utilized (endpoint or
gateway), and even the defi nition of DLP itself. 36
Data loss is very much on managers’ and executives’ minds today. The series of
WikiLeaks incidents exposed hundreds of thousands of sensitive government and mili-
tary documents. According to the Ponemon Institute (as reported by DLP Experts),
data leaks continue to increase annually. Billions of dollars are lost every year as a
result of data leaks, with the cost of each breach ranging from an average of $700,000
to $31 million. Some interesting statistics from the study include:
■ Almost half of breaches happen while an enterprise’s data was in the hands of
a third party.
■ Over one-third of breaches involved lost or stolen mobile devices.

INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 221
■ The cost per stolen record is approximately $200 to $225.
■ One-quarter of breaches were conducted by criminals or with malicious intent.
■ More than 80 percent of breaches compromised over 1,000 records. 37
What DLP Does Well (and Not So Well)
DLP has been deployed successfully as a tool used to map the fl ow of data inside
and exiting the organization to determine the paths that content takes, so that more
sophisticated information mapping, monitoring, and content security can take place.
This use as a traffi c monitor for analysis purposes has been much more successful than
relying on DLP as the sole enforcement tool for compliance and to secure information assets. s
Today’s technology is simply not fast enough to catch everything. It catches many
e-mail messages and documents that users are authorized to send, which slows the
network and the business down. This also adds unnecessary overhead, as someone
has to go back and release each and every one of the e-mails or documents that were
wrongly stopped.
Another downside: Since DLP relies on content inspection, it cannot detect and monitor
encrypted e-mail or documents.
Basic DLP Methods
DLP solutions typically apply one of three methods:
1. Scanning traffi c for keywords or regular expressions, such as customer credit
card or Social Security numbers.
2. Classifying documents and content based on a predefi ned set to determine
what is likely to be confi dential and what is not.
3. Tainting (in the case of agent-based solutions), whereby documents are tagged
and then monitored to determine how to classify derivative documents. For
example, if someone copies a portion of a sensitive document into a different
document, this document receives the same security clearance as the original
document. 38
All these methods involve the network administrator setting up a policy clearly
defi ning what is allowed to be sent out and what should be kept in confi dence. This
policy creating effort is extremely diffi cult: Defi ning a policy that is too broad means ac-d
cidentally letting sensitive information get out, and defi ning a policy that is too narrow
means getting a signifi cant amount of false positives and stopping the fl ow of normal
business communications.
Although network security management is well established, defi ning these types
of IG policies is extremely diffi cult for a network administrator. Leaving this job to
network administrators means there will be no collaboration with business units, no
standardization, and no real forethought. As a result, many installations are plagued
with false positives that are fl agged and stopped, which can stifl e and frustrate knowl-
edge workers. The majority of DLP deployments simply use DLP for monitoring and audit-
ing purposes.
Examining the issue of the dissolving perimeter more closely, a deeper problem is
revealed: DLP is binary; it is black or white. Either a certain e-document or e-mail can

222 INFORMATION GOVERNANCE
leave the organization’s boundaries or it cannot. This process has been referred to as
outbound content compliance.
But this is not how the real world works today. Now there is an increasing need
for collaboration and for information to be shared or reside outside the organization
on mobile devices or in the cloud.
Most of today’s DLP technology cannot address these complex issues on its own.
Often additional technology layers are needed.
Data Loss Prevention: Limitations
DLP has been hyped in the past few years, and major security players have made sev-
eral large acquisitions—especially those in the IRM market. Much like fi rewalls, DLP
started in the form of network gateways that searched e-mail, Web traffi c, and other
forms of information traveling out of the organization for data that was defi ned as
internal. When it found such data, the DLP blocked transmission or monitored its use.
Soon agent-based solutions were introduced, performing the same actions locally
on users’ computers. The next step brought a consolidation of many agent- and net-
work-based solutions to offer a comprehensive solution.
IG policy issues are key. What is the policy? All these methods depend on manage-
ment setting up a policy that clearly defi nes what is acceptable to send out and what
should be kept in confi dence.
With DLP, a certain document can either leave the organization’s boundaries or it
can’t. But this is not how the real world works. In today’s world there is an increasing
need for information to be shared or reside outside the organization on mobile devices
or in the cloud. Simply put, DLP is not capable of addressing this issue on its own, but it is a
helpful piece of the overall technology solution.
Missing Piece: Information Rights Management (IRM)
Another technology tool for securing information assets is information rights manage-
ment (IRM) software (also referred to as enterprise rights management [ERM] and
previously as enterprise digital rights management [e-DRM].) For purposes of this book,
we use the term “IRM” when referring to this technology set, so as not to be confused with elec-
tronic records management. Major software companies also use the term “IRM.”
IRM technology provides a sort of security wrapper around documents and pro-
tects sensitive information assets from unauthorized access. 39 We know that DLP can
search for key terms and stop the exit of sensitive data from the organization by in-
specting its content. But it can also prevent confi dential data from being copied to
external media or sent by e-mail if the person is not authorized to do so. If IRM is
deployed, fi les and documents are protected wherever they may be, with persistent
security. The ability to apply security to an e-document in any state (in use, in motion, and at
rest), across media types, inside or outside of the organization, is called persistent security .
The ability to secure data at any time, in any state, is called persistent protection.

INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 223
This is a key characteristic of IRM technology, and it is all done transparently without
user intervention. 40
IRM has the ability to protect e-documents and data wherever they may reside,
however they may be used, and in all three data states (at rest, in use, and in transit). 41
IRM allows for e-documents to be remote controlled , meaning that security protectionsd
can be enforced even if the document leaves the perimeter of the organization. This
means that e-documents (and their control mechanisms) can be separately created,
viewed, edited, and distributed.
IRM provides persistent, ever-present security and manages access to sensitive
e-documents and data. IRM provides embedded fi le-level protections that travel with
the document or data, regardless of media type.42 These protections and prevent un-
authorized viewing, editing, printing, copying, forwarding, or faxing. So, even if fi les
are somehow copied to a thumb drive and taken out of the organization, e-document
protections and usage are still controlled.
The major applications for IRM services include cross-protection of e-mails and
attachments, dynamic content protection on Web portals, secure Web-based training,
secure Web publishing, and secure content storage and e-mail repositories all while
meeting compliance requirements of Sarbanes–Oxley, the Health Insurance Portabil-
ity and Accountability Act, and others. Organizations can comply with regulations for
securing and maintaining the integrity of digital records, and IRM will restrict and
track access to spreadsheets and other fi nancial data too.
In investment banking, research communications must be monitored, according
to National Association of Securities Dealers rule (NASD) 2711, and IRM can help
support compliance efforts. In consumer fi nance, personal fi nancial information col-
lected on paper forms and transmitted by fax (e.g., auto dealers faxing credit applica-
tions) or other low-security media can be secured using IRM, directly from a scanner
or copier. Importers and exporters can use IRM to ensure data security and prevent the
loss of cargo from theft or even terrorist activities, and they also can comply with U.S.
Customs and trade regulations by deploying IRM software. Public sector data security
needs are numerous, including intelligence gathering and distribution, espionage, and
Homeland Security initiatives. Firms that generate intellectual property IP, such as re-
search and consulting groups, can control and protect access to IP with it. In the highly
collaborative pharmaceutical industry, IRM can secure research and testing data.
IRM protections can be added to nearly all e-document types including e-mail,
word processing fi les, spreadsheets, graphic presentations, computer-aided design
(CAD) plans, and blueprints. This security can be enforced globally on all documents
or granularly down to the smallest level, protecting sensitive fi elds of information from
prying eyes. This is true even if there are multiple copies of the e-documents scattered
about on servers in varying geographic locations. Also, the protections can be applied
permanently or within controlled time frames. For instance, a person may be granted
access to a secure e-document for a day, a week, or a year.
Key IRM Characteristics
Three requirements are recommended to ensure effective IRM:
1. Security is foremost; documents, communications, and licenses should be en-
crypted, and documents should require authorization before being altered.

224 INFORMATION GOVERNANCE
2. The system can’t be any harder to use than working with unprotected documents.
3. It must be easy to deploy and manage , scale to enterprise proportions, and work
with a variety of common desktop applications. 43
IRM software enforces and manages document access policies and use rights (view, edit,
print, copy, e-mail forward) of electronic documents and data. Controlled information can
be text documents, spreadsheets, fi nancial statements, e-mail messages, policy and pro-
cedure manuals, research, customer and project data, personnel fi les, medical records,
intranet pages, and other sensitive information. IRM provides persistent enforcement
of IG and access policies to allow an organization to control access to information that
needs to be secured for privacy, competitive, or compliance reasons. Persistent content
security is a necessary part of an end-to-end enterprise security architecture.
Well, it sounds like fabulous technology, but is IRM really so new? No, it has been
has been around for a decade or more, and continues to mature and improve. It has es-
sentially entered the mainstream around 2004/2005 (when this author began tracking
its development and publishing researched articles on the topic).
IRM software currently is used for persistent fi le protection by thousands of or-
ganizations throughout the world. Its success depends on the quality and consistency
of the deployment, which includes detailed policy-making efforts. Diffi culties in policy
maintenance and lack of real support for external sharing and mobile devices have kept fi rst-
wave IRM deployments from becoming widespread, but this aspect is being addressed by a second
wave of new IRM technology companies.
Other Key Characteristics of IRM
Policy Creation and Management
IRM allows for the creation and enforcement of policies governing access and use of
sensitive or confi dential e-documents. The organization’s IG team sets the policies for
access based on role and organizational level, determining what employees can and
cannot do with the secured e-documents. 44 The IG policy defi ned for a document type
includes these following controls:
1. Viewing
2. Editing
3. Copy/Paste (including screen capture)
4. Printing
5. Forwarding e-mail containing secured e-documents
Access to sensitive e-documents may be revoked at any time, no matter where they
are located or what media they are on, since each time a user tries to access a document,
access rights are verifi ed with a server or cloud IRM application. This can be done
remotely—that is, when an attempt is made to open the document, an authorization
must take place. In cloud-based implementations, it is a matter of simply denying access.
Decentralized Administration
One of the key challenges of e-document security traditionally is that a system
administrator had access to documents and reports that were meant only for

INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 225
executives and senior managers. With IRM, the e-document owner administers
the security of the data, which considerably reduces the risk of a document theft,
alteration, or misuse.
Auditing
Auditing provides the smoking-gun evidence in the event of a true security breach.
Good IRM software provides an audit trail of how all documents secured by it are
used. Some go further, providing more detailed document analytics of usage.
Integration
To be viable, IRM must integrate with other enterprise-wide systems, such as
ECM, customer relationship management, product life cycle management, enter-
prise resource planning, e-mail management, message archiving, e-discovery, and
a myriad of cloud-based systems. This is a characteristic of today’s newer wave of
IRM software.
This ability to integrate with enterprise-based systems does not mean that IRM
has to be deployed at an enterprise level. The best approach is to target one critical depart-
ment or area with a strong business need and to keep the scope of the project narrow to gain an
early success before expanding the implementation into other departments.
IRM embeds protection into the data (using encryption technology), allowing fi les to pro-
tect themselves. IRM may be the best available security technology for the new mobile
computing world of the permeable perimeter. 45
With IRM technology, a document owner can selectively prevent others from
viewing, editing, copying, or printing it. Despite its promise, most enterprises do not
use IRM, and if they do, they do not use it on an enterprisewide basis. This is due to
the high complexity, rigidity, and cost of legacy IRM solutions.
It is clearly more diffi cult to use documents protected with IRM—especially when
policy making and maintenance is not designed by role but rather by individual. Some
early implementations of IRM by fi rst-to-market software development fi rms had as
many as 200,000 different policies to maintain (for 200,000 employees). These have
since been replaced by newer, second-wave IRM vendors, who have reduced that num-
ber to a mere 200 policies, which is much more manageable. Older IRM installations
require intrusive plug-in installation; they are limited in the platforms they support,
and they largely prevent the use of newer platforms, such as smartphones, iPads, and
other tablets. This is a real problem in a world where almost all executives carry a
smartphone and use of tablets (especially the iPad) is growing.
Moreover, due to their basic design, fi rst-wave or legacy IRM is not a good fi t for organiza-
tions aiming to protect documents shared outside company boundaries. These outdated IRM
solutions were designed and developed in a world where organizations were more
concerned with keeping information inside the perimeter than protecting information
beyond the perimeter.
IRM technology protects e-documents and data directly rather than relying on
perimeter security.

226 INFORMATION GOVERNANCE
Most initial providers of IRM focused on internal sharing and are heavily depen-
dent on Microsoft Active Directory (AD) and lightweight directory access protocol
(LDAP) for authentication. Also, the delivery model of older IRM solutions involves
the deployment and management of multiple servers, SQL databases, AD/LDAP
integration, and a great deal of confi guration. This makes them expensive and cum-
bersome to implement and maintain. Furthermore, these older IRM solutions do not
take advantage of or operate well in a cloud computing environment.
Although encryption and legacy IRM solutions have certain benefi ts, they are
extremely unwieldy and complex and offer limited benefi ts in today’s technical and
business environment. Newer IRM solutions are needed to provide more complete
DLS.
Embedded Protection
IRM embeds protection into the data (using encryption technology), allowing fi les to protect
themselves. IRM may be the best available security technology for the new mobile com-
puting world of the permeable perimeter. 46
Is Encryption Enough?
Many of the early solutions for locking down data involved encryption in one form or
another:
■ E-mail encryption
■ File encryption
■ Full Disk Encryption (FDE)
■ Enterprisewide encryption
These encryption solutions can be divided into two categories: encryption in
transit (e.g., e-mail encryption) and encryption t at rest (e.g., FDE).t
The various encryption solutions mitigate some risks. In the case of data in transit,
these risks could include an eavesdropper attempting to discern e-mail or network
traffi c. In the case of at-rest data, risks include loss of a laptop or unauthorized access to
an employee’s machine. The most advanced solutions are capable of applying a policy
across the organization and encrypting fi les, e-mails, and even databases. However,
encryption has its caveats.
Most simple encryption techniques necessarily involve the decryption of
documents so they can be viewed or edited. At these points, the fi les are essentially
exposed. Malware (e.g., Trojan horses, keystroke loggers) installed on a computer
may use the opportunity to send out the plain-text fi le to unauthorized parties.
Alternatively, an employee may copy the contents of these fi les and remove them
from the enterprise.
Device Control Methods
Another method that is related to DLP is device control . Many vendors offer
software or hardware that prevents users from copying data via the USB port to

INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 227
portable drives and removing them from the organization in this manner. These
solutions are typically as simple as blocking the ports; however, some DLP so-
lutions, when installed on the client side, can selectively prevent the copying of
certain documents. 47
Thin Clients
One last method worth mentioning is the use of thin clients to prevent data leaks.
These provide a so-called walled garden containing only the applications users require
to do their work, via a diskless terminal. This prevents users from copying any data
onto portable media; however, if they have e-mail or Web access applications, they still
can send information out via e-mail, blogs, or social networks.
Note about Database Security
Database security and monitoring is addressed in Chapter 10 , “IG for IT.”
Compliance Aspect
Compliance has been key in driving companies to invest in improving their security
measures, such as fi rewalls, antivirus software, and DLP systems. More than 400
regulations exist worldwide mandating a plethora of information and data secu-
rity requirements. One example is the Payment Card Industry Data Security Stan-
dard (PCI-DSS), which is one of the strictest regulations for credit card processors.
Companies that fail to comply with these regulations are subject to penalties of
up to $500,000 per month for lost fi nancial data or credit card information. It is
estimated that the per-record cost of a breach is $90 to $305.” 48 But do compliance
activities always result in adequate protection of your sensitive data? In many cases
the answer is no. It is important to keep in mind that being formally compliant does
not mean the organization is actually secure. In fact, compliance is sometimes used as
a fi g leaf, covering a lack of real document security. One needs to look no further
than to the recent series of major document leakage incidents to understand this.
Those all came from highly secure and regulated entities, such as banks, hospitals,
and the military.
Hybrid Approach: Combining DLP and IRM Technologies
An idea being promoted recently is to make IRM an enforcement mechanism for
platforms like DLP. Together, DLP and IRM accomplish what they independently
cannot. Enterprises may be able to use their DLP tools to discover data fl ows, map
them out, and detect transmissions of sensitive information. They can then apply
their IRM or encryption protection to enforce their confi dentiality and information
integrity goals. 49
Several vendors in the fi elds of DLP, encryption, and IRM have already announced in-
tegrated products . However, at this point in time, most IRM solutions are by no meanss
ready for prime time when it comes to this use. Only a select few second-wave IRM

228 INFORMATION GOVERNANCE
software providers can offer comprehensive, streamlined, persistent security across
many platforms.
As the enterprise perimeter dissolves, document and data security should become
the focus of the Internet security fi eld. However, most legacy solutions, such as encryp-
tion and legacy IRM, are complex and expensive and provide only a partial solution to
the key problems. Combining several methods offers effective countermeasures, but
an ultimate solution has not yet arrived.
Securing Trade Secrets after Layoffs and Terminations
In today’s global economy—which has shifted labor demands—huge layoffs are not
uncommon in the corporate and public sectors. The act of terminating an employee
creates document security and IP challenges while raising the question: How does the
organization retrieve and retain its IP and confi dential data? An IG program to secure
information assets must also deal with everyday resignations of employees who are in
possession of sensitive documents and information. 50
According to Peter Abatan, author of the Enterprise Digital Rights Management
blog, “As a general rule all organizations should classify all their documents with the aim of
identifying the ones that need persistent protection” (emphasis added). That is to say, docu-”
ments should be protected at all times, regardless of where they travel and who is using
them, while the organization still retains control of usage rights. There are two basic
technological approaches to this protection:
1. The fi rst, as discussed earlier in this chapter, is combining IRM with DLP ; P
DLP is used to conduct deep content inspection and identify all documents
that may contain sensitive information, then the DLP agent “notifi es the en-
terprise [information] rights management engine that sensitive information
is about to be copied to external media or outside the fi rewall and therefore
needs to be encrypted.”
2. The second is using a form of context-sensitive IRM “in which all documents M
that contain sensitive data defi ned in the [global] data dictionary [are] auto-
matically encrypted.”
These two technological approaches must be fostered by an IG program. They
can have signifi cant positive impact in protecting sensitive information, no matter
where it is located, and can help document owners withdraw access to its sensitive
documents at any time.
Organizations must educate their employees to increase awareness of the fi nancial
and competitive impact of breaches and to clarify that sensitive documents are the
property of the organization. If those handling sensitive documents are informed of
the benefi ts of IRM and related technologies, they will be more vigilant in their efforts
to keep information assets secure.
Persistently Protecting Blueprints and CAD Documents
Certain IRM software providers have focused on securing large-format engineer-
ing and design documents, and they have made great strides in the protection of

INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 229
computer-aided design fi les. As much as 95 percent of CAD fi les are proprietary designs
and represent valuable, proprietary IP of businesses worldwide. And CAD fi les are just
as vulnerable as any other e-document in that, when unprotected, they “can be
emailed or transferred to another party without the knowledge of the owner of the
content.”51
In today’s global economy, it is common to conduct manufacturing operations in
markets where labor is inexpensive and regulations are lax. Many designs are sent to
China, Indonesia, and India for manufacturing. Although they usually are accompa-
nied by binding confi dential disclosure contracts, but these agreements are often dif-
fi cult to enforce, especially given the disparity in cultures and laws. And what happens
if a rogue employee in possession of designs and trade secrets absconds with them and
sells them to a competitor? Or starts a competing business? There are a number of
examples of this happening.
Owners of valuable proprietary IP must vigilantly protect it; the very survival of
the business may depend on it. Monitoring and securing IP wherever it might travel is
now a business imperative.
Theft of IP and confi dential information represents a clear and present danger to
all types of businesses, especially global brands dependent on proprietary designs for
a competitive advantage. Immediate IG action by executive management is required
to identify possible leaks and plug the holes. Not safeguarding IP and confi dential or
sensitive documents puts the organization’s competitive position, strategic plans, rev-
enue stream, and very future at risk.
Securing Internal Price Lists
In 2010, it was reported that confi dential information about the advertising expen-
ditures of some of Google’s major accounts was leaked to the public. 52 This may not
seem like a signifi cant breach, but, in fact, with this information, Google’s custom-
ers can determine if they are getting a preferred price schedule, and competitors can
easily undercut Google’s pricing for major customers. According to Peter Abatan,
“[It is clear] why this information is so critical to Google that this information is tight-
ly secured.”
Is your company’s price list secured at all times? Price lists are confi dential infor-
mation assets, and if they are revealed publicly, major customers could demand steeper
discounts and business relationships could suffer irreparable damage, especially if cus-
tomers fi nd out they are paying more for a product or service than their competitors.
A company’s price list is critical to an organization because it impacts all aspects of
the business, from the ability to generate revenue to private dealings with customers
and suppliers. IRM should be used to protect price lists, and printing of these valuable
As much as 95 percent of CAD fi les are proprietary designs and represent
valuable IP.

230 INFORMATION GOVERNANCE
lists must be monitored and controlled using secure printing methods and document
analytics.
Confi dential information should be persistently protected throughout their docu-
ment life cycle in all three states (at rest, in motion, and in use) so that if they are com-
promised or stolen, they are still protected and controlled by the owning organization.
Approaches for Securing Data Once It Leaves the Organization
It is obvious with today’s trends that, as Andrew Jaquith of SilverSky (formerly with
Forrester Research) states, “The enterprise security perimeter is quickly dissolving.” A
lot of valuable information is routed outside the owning organization through unse-
cured e-mail. A breach can compromise competitive position, especially in cases deal-
ing with personnel fi les and marketing plans or merger details. Consider for a moment
that even proprietary software and company fi nancial statements are sent out. Expo-
sure of this data can have real fi nancial impact. Without additional protections, such
as IRM and e-mail encryption, these valuable information assets are often out of the
control of the IT department of the owning organization. 53
Third-party possession or control of enterprise data is a critical point of vulner-
ability, and many organizations realize that securing data outside the organizational
perimeter is a high priority. But a new concept has cropped up of late that bucks un-
conventional wisdom: “ Control does not require ownership.”
Instead of focusing on securing devices where confi dential data is accessed, the
new thinking focuses on securing the data and documents directly. With this new
mind-set, security can be planned under the assumption that the enterprise owns its
data but none of the devices that access it. As Forrester’s report states, “Don’t trust the
endpoints. Treat them as hostile”. This is referred to as the zero-trust model of infor-
mation security. The report states: “…trust but verify applies here. Enterprises must
put teeth into their contractual language and audit their partners.” 54
Forrester has developed a new network architecture that builds security into the
DNA of a network, using a mixture of fi ve data security design patterns:
1. Thin client. Access information online only, with no local operations, using a
diskless terminal that cannot store data, documents, or programs so confi den-
tial information stays stored and secured centrally. For additional security, “IT
can restrict host copy-and-paste operations, limit data transfers, and require
strong or two-factor authentication using SecurID or other tokens.”
2. Thin device. Devices such as smartphones, which have limited computing
resources, Web surfi ng, e-mail, and basic Web apps that locally conduct no
real information processing, are categorized as thin devices. In practice, these
devices do not hold original documents but merely copies, so the offi cial busi-
ness record or master copy cannot be altered or deleted. A nice feature of
many smartphones is the ability to erase or wipe data remotely, in the event
the device is lost. According to the Forrester report, “For insurance, thin de-
vices can be remotely wiped—making them truly ‘disposable,’ unlike PCs.” 55
3. Protected process. This approach allows local processing with a PC where confi –
dential e-documents and data are stored and processed in a partition that is
highly secure and controlled. This processing can occur even if the PC is not

INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 231
owned and controlled by the organization. “The protected process pattern
has many advantages: local execution, offl ine operation, central manage-
ment, and a high degree of granular security control, including remote wipe
[erase].” A mitigating factor to consider here is most business PCs today
are Windows based, and the world is rapidly moving to other, more nimble
platforms.
4. Protected data. Deploying IRM and embedding security into the documents
(or data) provides complete DLS. The newer wave of more sophisticated,
easier-to-use IRM vendors have role-based policy implementation and such
features as “contextual” enforcement, where document rights are dependent
on the context —that is, tt where and when a user attempts access. For instance,
allow access to documents on workers’ desktops but not on their laptops; or
provide access to printing confi dential documents at the facility during offi ce
hours but not after. “ Of all the patterns in the Zero Trust data security strategy,
protected data is the most fi ne-grained and effective because it focuses on the informa-
tion, not its containers.”
5. Eye in the sky. This design pattern uses technologies such as DLP to scan
network traffi c content and halt confi dential documents or sensitive data at
the perimeter. Deployed properly, DLP is “ideal for understanding the veloc-
ity and direction of information fl ow and for detecting potential breaches,
outliers, or anomalous transmissions.” It should be noted that DLP does not
provide complete protection. To do so would mean that many legitimate and
sanctioned e-mails and documents would be held up for inspection, thus slow-
ing the business process. As stated earlier, DLP is best for discovering infor-
mation fl ows and monitoring network traffi c. Another negative is that you
cannot always require partner organizations and suppliers to install DLP on
their computers. So this is a complementary technology, not a complete solu-
tion to securing confi dential information assets.
By discarding the “age-old confl ation of ownership and control, enterprises will
be able to build data protection programs that encompass all possible ownership sce-
narios, including Tech Populism, offshoring, and outsourcing.”
Document Labeling
Document labeling is “an easy way to g increase user awareness about the sensitivity of
information in a document”(emphasis added).56 What is it? It is the process of attach-
ing a label to classify a document. For instance, who would not know that a document
labeled “confi dential” is indeed confi dential? If the label appears prominently at the
top of a document, it is diffi cult for persons accessing it to claim they did not know it
was sensitive.
The challenge is to standardize and formalize the process of s getting the label onto the
document— tt enterprisewide. This issue would be addressed in an IG effort focused on se-
curing confi dential e-documents, or may also be a part of a classifi cation and taxonomy
design effort. It cannot simply be left up to users to type in labels themselves, or it will
not be suffi ciently executed and will end up leaving a mishmash of labeled documents
without any formal classifi cation.

232 INFORMATION GOVERNANCE
Another great challenge are legacy or archived documents, which are the lion’s
share of an organization’s information assets. How do you go back and label those?
One by one? Nope. Not practical.
Some content repositories or portals, such as Microsoft SharePoint®, provide
some functionality toward addressing the document labeling challenge. SharePoint is
the most popular platform for sharing documents today.
SharePoint has an information management policy tool called Labels, which can
be used to add document labels, such as Confi dential , to the top of documents:l
There are several options available for administrators to customize the labels,
including the ability to:
1. Prompt users to add the label when they save or print, rather than relying
on the user to click the Label button in the ribbon;
2. Specify labels containing static text and/or variables such as Project Name;
3. Control the appearance of the labels, such as font, size, and justifi cation. 57
The labels are easily added from within Microsoft Offi ce Word, PowerPoint, and
Excel. One method that can be used is for the user to click the Label button on the
Insert ribbon group; another method is to add the label through a prompt that appears
when a user saves or prints a document (if the administrator has confi gured this option).
The labeling capabilities in document and content management systems such as
Microsoft’s SharePoint are a good start for increasing user awareness and improving
the handling of sensitive documents. However, the document labeling capabilities of Share-
Point are basic and limited . These basic capabilities may provide a partial or temporary d
solution, although organizations aiming for a high level of security and confi dentiality
for their documents will need to search for supplemental technologies from third-
party software providers. For instance, fi nding the capabilities to label documents in
bulk rather than one by one, add watermarks, or force users to save or print documents
with a standard document label that cannot be altered may require looking at alterna-
tives. Some are software vendors have enhanced the SharePoint document labeling
capability and may provide the complete solution.
Document Analytics
Some software providers also provide document analytics capabilities that monitor the
access, use, and printing of documents and create real-time graphical reports of docu-
ment use activities. These capabilities are very valuable.
Document analytics allows a compliance offi cer or system administrator to view
exactly how many documents a user accesses in a day and how many documents the
user accesses on average. Using this information, analytics monitors can look for spikes
or anomalies in use. It is also possible to establish baselines and compare usage with
that of an employee’s peers, as well as with his or her past document usage. If, for
instance, a user normally accesses an average of 25 documents a day and that sud-
denly spikes to 200, the system sends an alert, and perhaps it is time to pay a visit to
that person’s offi ce. Or, if an employee normally prints 50 pages per day, then one day
prints 250 pages, a fl ag is raised. Document analytics capabilities can go so far as to

INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 233
calculate the average time a user spends reading a document; signifi cant time fl uctua-
tions can be fl agged as potentially suspicious activity.
Confi dential Stream Messaging
E-mail is dangerous. It contains much of an organization’s confi dential information, and
99 percent of the time it is sent out unsecured. It has been estimated that as many as
20 percent of e-mail messages transmitted pose a legal, fi nancial, or regulatory threat to
the organization. Specifi cally, “34 of employers investigated a leak of confi dential busi-
ness information via email, and an additional 26% of organizations suffered the expo-
sure of embarrassing or sensitive information during the course of a year,” according to
Nancy Flynn, Executive Director of the ePolicy Institute. These numbers are rising, giv-
ing managers and business owners cause to look for confi dential messaging solutions. 58
Since stream messaging separates the header and identifying information from the
message, sends them separately, and leaves no record or trace, it is a good option for
executives and managers, particularly when engaged in sensitive negotiations, litigation,
or other highly confi dential activities. Whereas e-mail leaves behind an indelible fi n-
gerprint that lives forever on multiple servers and systems, stream messaging does not.
Business records, IP and trade secrets, and confi dential executive communications
can be protected by implementing stream messaging. It can be implemented alongside
and in concert with a regular e-mail system, but clear rules on the use of stream mes-
saging must be established, and access to it must be tightly restricted to a small circle
of key executives and managers.
The ePolicy Institute offers seven steps to controlling stream messaging:
1. Work with your legal counsel to defi ne “business record” for your organization
on a companywide basis. Establish written records retention policies, dispo-
sition and destruction schedules. And litigation hold rules. Support the email
retention policy with a bona fi de email archiving solution to facilitate the in-
dexing, preservation and production of legally authentic records. Implement
a formal electronic records management system to manage all records.
2. Work with your legal counsel to determine when, how, why, and with
whom confi dential stream messaging is the most appropriate, effective—
and legally compliant—way to hold recordless, confi dential business dis-
cussions when permanent records are not required.
3. In order to preserve attorney-client privilege, a phone call or confi dential
electronic messaging may be preferable to email. Have corporate counsel
spell out the manner in which executives and employees should communi-
cate with lawyers when discussing business, seeking legal advice, or asking
questions related to specifi c litigation.
4. Defi ne key terms for employees. Don’t assume employees understand what
management means when using terms like “confi dential,” “proprietary,” or
“private” or “intellectual property,” etc. Employees must clearly understand
defi nitions If they are to comply with confi dentiality rules.
5. Implement written rules and policies governing the use of email and con-
fi dential stream messaging. E-policies should be written clearly and should

234 INFORMATION GOVERNANCE
be easy for employees to access, and understand. Make them [as] “short and
sweet” as possible. Do not leave anything up to interpretation.
6. Distribute a hard copy of the new confi dential messaging policy, email pol-
icy and other electronic communications (e.g., social media, blogs). Insist
that each and every employee signs and dates the policy, acknowledging that
they understand and accept it and that disciplinary action including termi-
nation may result from violation of the organization’s established policies.
7. Educate, educate, educate. Ensure that all employees who need to know
the difference between email which leaves a potential business record and
stream messaging which does not, and is confi dential. 59
Securing personal, classifi ed, or confi dential information effectively requires an
eclectic, multifaceted approach. It takes clear and enforced IG policies, a collection of
technologies, and regular testing and audits, both internally and by a trusted third party.
CHAPTER SUMMARY: KEY POINTS
■ The average cost of a data breach in 2013 was over $5 million.
■ Attacks on organizations’ networks and theft of their IP continue to increase.
There were an estimated 354 million privacy breaches between 2005 and
2010 in the United States alone.
■ Attacks can continue in organizations for years before they are uncovered—if
they are discovered at all.
■ All organizations should classify all their documents with the aim of identify-
ing the ones that need persistent security protection.
■ Today’s ECM and document management solutions rely mostly on perimeter
security and were not designed to allow for secure document sharing and
collaboration.
■ Businesses are operating in a more distributed model than ever before, and they
are increasingly sharing and collaborating—exposing confi dential documents.
■ Secure document printing reduces the chance that fi les can be compro-
mised during or after printing. There are various methods to secure the print
stream, depending on the print manufacturer. Copies or remnants of large
print fi les often exist unsecured on the hard drives of high-speed printers.
These fi les must be completely wiped to ensure security.
■ Identity and access management (IAM) software governs user access to in-
formation through an automated, continuous process that addresses access
creep, whereby employees move to a different business unit and their access
rights are not updated.

INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 235
■ Data governance software is another tool that looks at who is accessing which
documents and creates a matrix of roles and access along behavioral lines.
■ Encrypting sensitive e-mail messages is an effective step to securing con-
fi dential information assets while in transit. Encryption can be applied to
desktop folders and fi les.
■ For e-mail communication with no trace or record, stream messaging is a
solution.
■ Digital signatures authenticate the identity of the signatory and prove that
the signature was, in fact, generated by the claimed signatory. This is known
as nonrepudiation.
■ Data loss prevention technology performs a “deep content inspection” of all
e-documents and e-mails before they leave the organization’s perimeter to
stop sensitive data from exiting the fi rewall.
■ DLP can be used to discover the fl ow of information within an organization.
Additional security tools can then be applied. This may be the best use for
DLP.
■ Information rights management software enforces and manages use rights of
electronic documents. IRM provides a sort of security wrapper around docu-
ments and protects sensitive information assets from unauthorized use or
copying. IRM is also known as enterprise rights management.
■ Persistent security tools like IRM should be enforced on price lists, proprietary
blueprints, and CAD designs. Printing these documents should be highly
restricted.
■ Most legacy or fi rst-to-market providers of IRM focused on internal sharing
and are heavily dependent on Microsoft Active Directory and lightweight di-
rectory access protocol (LDAP) for authentication. These early solutions were
not built for cloud use or the distributed enterprises of today, where mobile
devices are proliferating.
■ DLP started in the form of network gateways (much like fi rewalls) that
searched e-mails, Web traffi c, and other forms of information for data that
was defi ned as internal. When it detected such data, it blocked it from leav-
ing the perimeter or monitored its use.
■ Soon agent-based DLP technologies were introduced, performing the same
action locally on users’ computers. The next step brought a consolidation of
many agent- and network-based technologies to offer a more comprehen-
sive solution.
CHAPTER SUMMARY: KEY POINTS (Continued )
(( dcontinued ) )dd

236 INFORMATION GOVERNANCE
Notes
1. Ponemon Institute Research Report, “2013 Cost of Data Breach Study: United States,” May 2013, www
.symantec.com/content/en/us/about/media/pdfs/b-cost-of-a-data-breach-us-report-2013.en-us
2. Jim Finkle, “‘State Actor’ behind Slew of Cyber Attacks,” Reuters, August 3, 2011, www.reuters.com/
article/2011/08/03/us-cyberattacks-idUSTRE7720HU20110803 (accessed August 18, 2011).
3. Ibid.
4. Ibid.
5. Ibid.
6. Peter Abatan, “Persistently Protecting Your Computer Aided Designs,” Enterprise Digital Rights Man-
agement, http://enterprisedrm.tumblr.com/post/1423979379/persistently-protecting-your-computer-
aided-designs (accessed August 18, 2011).
7. Ari Ruppin, March 20, 2011 via e-mail.
8. Sam Narisi, “IT’s role in secure staff cuts,” March 2, 2009. www.fi nancetechnews.com/its-role-in-
secure-staff-cuts/
9. Ibid.
10. Shira Scheindlin and Daniel Capra, The Sedona Conference, Electronic Discovery and Digital Evidence ,
Thomson Reuters, 2009, p. 204, www.amazon.com/Scheindlin-Conferences-Electronic-Discovery-Evidence-
ebook/dp/B00AUE0LRI
11. Oracle White Paper, “Oracle Information Rights Management 11g—Managing Information Every-
where It Is Stored and Used,” March 2010 p. 4, www.oracle.com/technetwork/middleware/webcenter/
content/irm-technical-whitepaper-134345 (accessed December 23, 2011).
12. Ibid.
13. Open Web Application Security Project, “Defense in Depth,” https://www.owasp.org/index.php/
Defense_in_depth (accessed June 24, 2013).
14. HCL, “Identity and Access Management Services,” www.hclisd.com/identity-and-access-management
.aspx (accessed September 2, 2011).
15. Ibid.
16. Ibid.
17. Nicola Clark and David Jolly, “Fraud Costs Bank 7.1 Billion,” New York Times , January 25, 2008, wwws
.nytimes.com/2008/01/25/business/worldbusiness/25bank-web.html?hp (accessed September 2, 2011).
■ Combining IRM and DLP technologies is the best available approach to
securing e-documents and data. Other encryption methods should also be
utilized, such as e-mail encryption and FDE).
■ The use of thin-client and thin-device architecture can reduce security threats
to confi dential information assets.
■ Document analytics monitor the access, use, and printing of documents and
create real-time graphical reports of document use activities.
■ Document labeling is an easy way to increase user awareness about the sen-
sitivity of information in a document.
■ Stream messaging is a way to conduct sensitive business negotiations and
activities without leaving a business record. Legal counsel must be consulted,
and clear policies for regular e-mail versus stream messaging must be estab-
lished and enforced.
CHAPTER SUMMARY: KEY POINTS (Continued )

http://www.reuters.com/article/2011/08/03/us-cyberattacks-idUSTRE7720HU20110803

http://enterprisedrm.tumblr.com/post/1423979379/persistently-protecting-your-computer-aided-designs

http://www.financetechnews.com/its-role-insecure-staff-cuts/

http://www.oracle.com/technetwork/middleware/webcenter/content/irm-technical-whitepaper-134345

https://www.owasp.org/index.php/Defense_in_depth

http://www.hclisd.com/identity-and-access-management.aspx

http://www.reuters.com/article/2011/08/03/us-cyberattacks-idUSTRE7720HU20110803

http://www.financetechnews.com/its-role-insecure-staff-cuts/

http://www.oracle.com/technetwork/middleware/webcenter/content/irm-technical-whitepaper-134345

https://www.owasp.org/index.php/Defense_in_depth

http://www.hclisd.com/identity-and-access-management.aspx

http://www.symantec.com/content/en/us/about/media/pdfs/b-cost-of-a-data-breach-us-report-2013.en-us

http://www.nytimes.com/2008/01/25/business/worldbusiness/25bank-web.html?hp

INFORMATION GOVERNANCE AND PRIVACY AND SECURITY FUNCTIONS 237
18. Oracle White Paper, “Oracle Information Rights Management 11g.”
19. Robert Smallwood, “E-DRM Plugs ECM Security Gap,” KM World, April 1, 2008, www.kmworld.com/
Articles/News/News-Analysis/E-DRM-plugs-ECM-security-gap-41333.aspx (accessed March 30, 2012).
20. Adi Ruppin, March 20, 2011, via e-mail to author.
21. Annik Stahl, “Secure Printing: No More Mad Dashes to the Copy Room,” http://offi ce.microsoft.com/
en-us/help/secure-printing-no-more-mad-dashes-to-the-copy-room-HA001227631.aspx (accessed
August 22, 2011).
22. Telephone interview of William Broddy by author, August 7, 2011.
23. Bill Blake, “WikiLeaks, the Pearl Harbor of the 21st Century,” eDocument Sciences LLC, December 6,
2010, http://edocumentsciences.com/wikileaks-the-pearl-harbor-of-the-21st-century.
24. VaporStream, www.vaporstream.com (accessed December 9, 2013).
25. Ibid.
26. Ibid.
27. NIST, “Federal Information Processing Standards Publication,” FIPS PUB 186-3, issued June 2009, http://
csrc.nist.gov/publications/fi ps/fi ps186-3/fi ps_186-3 (accessed August 15, 2011). FIPS Publication
186-3 (dated June 2009), was superseded on July 19, 2013 and is provided here only for historical purposes.
For the most current revision of this publication, see: http://csrc.nist.gov/publications/PubsFIPS.html
28. Doug Miles, AIIM White Paper, “Digital Signatures – Making the Business Case,” http://www.arx
.com/fi les/DOCUMENTS/Digital-Signatures-for-Document-Workfl ow-and-SharePoint-Survey
(accessed December 9, 2013).
29. Computer Desktop Encyclopedia, www.computerlanguage.com, retrieved March 30, 2012.
30. Doug Miles, AIIM White Paper, “Digital Signatures – Making the Business Case.”
31. Ibid.
32. Ibid.
33. Ibid.
34. Ari Ruppin, March 20, 2011, via e-mail.
35. Fred Donovan, “Gartner: Enterprise Content-Aware Data Loss Prevention Market to Reach $670 Million
This Year,” February 7, 2013, www.fi erceenterprisecommunications.com/story/gartner-enterprise-content-
aware-data-loss-prevention-market-reach-670-mill/2013-02-07
36. Data Loss Prevention Experts, “DLP Product Guide for RSA Conference Expo 2011,” January 17,
2011, www.dlpexperts.com/dlpxblog/2011/1/17/dlp-product-guide-for-rsa-conference-expo-2011
.html (accessed August 22, 2011).
37. Ibid.
38. Ibid.
39. Ibid.
40. Peter Abatan, “Who Should Be Blamed for a Data Breach?” Enterprise Digital Rights Management,
http://enterprisedrm.tumblr.com/post/1087100940/who-should-be-blamed-for-a-data-breach (accessed
December 9, 2013).
41. Peter Abatan, “Understanding Enterprise Rights Management,” Enterprise Digital Rights Manage-
ment, www.enterprisedrm.info/page/2 (accessed August 3, 2011).
42. Robert Smallwood, “Securing Documents in the WikiLeaks Era,” May 28, 2011, www.kmworld.com/
Articles/Editorial/Feature/Securing-documents-in-the-WikiLeaks-era-75642.aspx (accessed August 1,
2011).
43. Oracle, IRM Technical White Paper , Oracle.com, February 2008 (accessed December 9, 2013). r
44. Abatan, “Understanding Enterprise Rights Management,” http://enterprisedrm.tumblr.com/page/3
(accessed December 9, 2013).
45. Ibid.
46. Ibid.
47. Ibid.
48. “http://www.bankersonline.com/bankrobbery/2007/04/if-you-remember-old-tv-commercials-for
.html?”
49. Abatan, “Understanding Enterprise Rights Management,” http://enterprisedrm.tumblr.com/page/3
(accessed December 9, 2013).
50. This discussion and quotes are from Peter Abatan, “Preparing for Staff Layoffs/Resignations where
Confi dential Information Is Concerned,” Enterprise Digital Rights Management, http://enterprisedrm
.tumblr.com /post/1230356519/preparing-for-staff-layoffs-resignations (accessed December 9, 2013).
51. Ibid.
52. This discussion and quotes are from Peter Abatan, “Is Your Price List under Lock and Key?” Enter-
prise Digital Rights Management, http://enterprisedrm.tumblr.com/post/1120104758/is-your-price-
list-under-lock-and-key (accessed August 18, 2011).

http://www.kmworld.com/Articles/News/News-Analysis/E-DRM-plugs-ECM-security-gap-41333.aspx

http://office.microsoft.com/en-us/help/secure-printing-no-more-mad-dashes-to-the-copy-room-HA001227631.aspx

http://edocumentsciences.com/wikileaks-the-pearl-harbor-of-the-21st-century

Home

http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3

http://csrc.nist.gov/publications/PubsFIPS.html

http://www.arx.com/files/DOCUMENTS/Digital-Signatures-for-Document-Workflow-and-SharePoint-Survey

http://www.computerlanguage.com

http://www.fierceenterprisecommunications.com/story/gartner-enterprise-contentaware-data-loss-prevention-market-reach-670-mill/2013-02-07

http://www.dlpexperts.com/dlpxblog/2011/1/17/dlp-product-guide-for-rsa-conference-expo-2011.html

http://enterprisedrm.tumblr.com/post/1087100940/who-should-be-blamed-for-a-data-breach

http://www.enterprisedrm.info/page/2

http://www.kmworld.com/Articles/Editorial/Feature/Securing-documents-in-the-WikiLeaks-era-75642.aspx

http://enterprisedrm.tumblr.com/page/3

http://www.bankersonline.com/bankrobbery/2007/04/if-you-remember-old-tv-commercials-for.html

http://enterprisedrm.tumblr.com/page/3

http://enterprisedrm.tumblr.com/post/1230356519/preparing-for-staff-layoffs-resignations

http://enterprisedrm.tumblr.com/post/1120104758/is-your-price-list-under-lock-and-key

http://www.kmworld.com/Articles/News/News-Analysis/E-DRM-plugs-ECM-security-gap-41333.aspx

http://office.microsoft.com/en-us/help/secure-printing-no-more-mad-dashes-to-the-copy-room-HA001227631.aspx

http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3

http://www.arx.com/files/DOCUMENTS/Digital-Signatures-for-Document-Workflow-and-SharePoint-Survey

http://www.fierceenterprisecommunications.com/story/gartner-enterprise-contentaware-data-loss-prevention-market-reach-670-mill/2013-02-07

http://www.dlpexperts.com/dlpxblog/2011/1/17/dlp-product-guide-for-rsa-conference-expo-2011.html

http://www.kmworld.com/Articles/Editorial/Feature/Securing-documents-in-the-WikiLeaks-era-75642.aspx

http://www.bankersonline.com/bankrobbery/2007/04/if-you-remember-old-tv-commercials-for.html

http://enterprisedrm.tumblr.com/post/1230356519/preparing-for-staff-layoffs-resignations

238 INFORMATION GOVERNANCE
53. This discussion and quotes are from “Own Nothing. Control Everything”, Forrester Research, Inc.,
January 22, 2010.
54. “Own Nothing. Control Everything”, Forrester Research, Inc., January 22, 2010.
55. “Own Nothing. Control Everything”, Forrester Research, Inc., January 22, 2010.
56. This discussion and quotes are from Charlie Pulfer, “Document Labeling in SharePoint,” September 13,
2009, www.contentmanagementconnection.com/Home/21196/ (accessed January 28, 2014.
57. Ibid.
58. Nancy Flynn, The E-Policy Handbook: Rules and Best Practices to Safely Manage Your Company’s E-Mail, Blogs,
Social Networking, and Other Electronic Communication Tools , 2nd ed. (New York: AMACOM, 2009), p. 57. s
59. Ibid., pp. 68–70.

http://www.contentmanagementconnection.com/Home/21196/

PA RT F O U R
Information
Governance
for Delivery
Platforms

241
E
-mail is a major area of focus for information governance (IG) efforts: It is the
most common business software application and the backbone of business com-
munications today, and e-mail is the leading piece of evidence requested during
the discovery phase of civil trials, so it is critically important to implement IG mea-
sures for e-mail communications.
Employees utilize e-mail all day, including during their personal time, some-
times mixing business and personal use of e-mail. Social media use has skyrocketed in
recent years and actually has surpassed e-mail for personal use, but the fact remains
that in business, knowledge workers rely on e-mail for almost all communications,
including those of a sensitive nature. A 2013 survey of 2,400 corporate e-mail users
worldwide found that nearly two-thirds stated that e-mail was their favorite form
of business communication, surpassing not only social media but also telephone and
in-person contact.1
These e-mail communications may contain discoverable information in litigation, and a
percentage of them will be declared formal business records. E-mail often contains records,
such as fi nancial spreadsheets and reports, product price lists, marketing plans, com-
petitive analyses, safety data, recruitment and salary details, progressing contract ne-
gotiations, and other information that may be considered as constituting a business
record.
E-mail systems can be hacked, monitored, and compromised and cause far-reaching
damage to a victimized organization. The damage may occur slowly and go undetected
while information assets—and business value—are eroded.
In mid-2011, the “hacktivist” group AntiSec claimed responsibility for hacking
a U.S. government contractor, Booz Allen Hamilton, and publicly exposing 90,000
military e-mail addresses and passwords from the contractor by posting them online.
It was the second attack on a government defense contractor in a single week. 2
Booz Allen employees “maintain high government security clearances” while
working with the defense sector (yet in 2013 another Booz Allen employee, Edward
Snowden, gained access to secret communications monitoring programs that the U.S.
Information
Governance for
E-Mail and Instant
Messaging*
C H A P T E R 12
* Portions of this chapter are adapted from Chapter 11 , Robert F. Smallwood, Managing Electronic Records: Methods, Best
Practices, and Technologies , © John Wiley & Sons, Inc., 2013. Reproduced with permission of John Wiley & Sons, Inc.s

242 INFORMATION GOVERNANCE
National Security Agency operated to capture metadata and other information from
the private e-mail and telephone conversations of American citizens on a broad scale).
AntiSec penetrated the communications systems with relative ease and noted there
were “basically had no security measures in place.” 3 AntiSec was able to go even fur-
ther, by running its own rogue application to steal software source code and to search
and fi nd access credentials to steal data from other servers, which the group said would
help it to infi ltrate other federal contractors and agencies. It even stated it might pass
the security information on to other hackers.
The attack did not stop there. Later that week, another federal defense and FBI
contractor, IRC Federal, was hacked, databases were invaded, the Web site was modi-
fi ed, and information from internal e-mail messages was posted online. 4
Employees Regularly Expose Organizations to E-Mail Risk
A 2011 global e-mail survey, commissioned by a leading hosted e-mail services pro-
vider, found that nearly 80 percent of all employees send work e-mail to and from their
personal accounts, and 20 percent do so regularly, which means that critical informa-
tion assets are exposed to uncontrolled security risks. 5
“Awareness of the security risks this behavior poses does not act as a deterrent” (emphasis”
added). Over 70 percent of people questioned recognize that there is an additional
risk in sending work documents outside the corporate e-mail environment, but
almost half of “these same respondents feel it is acceptable to send work emails
and documents to personal email accounts anyway.” According to the survey, the
reasons for using personal e-mail accounts for work purposes range from working on
documents remotely (71 percent), to sending fi les that are too big for the company
mailbox (21 percent), to taking documents with them when they leave a company
(18 percent), to simply not wanting to carry a laptop home (9 percent). The top two
frustrations users had with work e-mail were restrictions on mailbox size, which has a
negative impact on e-mail management, and the inability to send large attachments.
This second issue often forces workers to use a personal account to send and receive
necessary fi les. If size limits are imposed on mailboxes and attachments, companies
must provide a secure alternative for fi le storage and transfer. Otherwise, employees
are pushed into risking corporate information assets via personal e-mail. This scenario
not only complicates things for e-mail administrators but has serious legal and
regulatory implications. Clearly, as stated by Paul Mah in his “Email Admin” blog,
“email retention and archival becomes an impossible task when emails are routed in a
haphazard manner via personal accounts.”6
This means that security, privacy, and records management issues must be ad-
dressed by fi rst creating IG policies to control and manage the use of e-mail. These
policies can utilize the e-mail system’s included security features and also employ ad-
ditional monitoring and security technologies where needed.
The e-mail survey also found an overall lack of clear e-mail policies and weak
communication of existing guidelines. This means a lack of IG. Nearly half of the
respondents stated either that their company had no e-mail policy or that they were
unaware of one. Among those aware of a corporate e-mail policy, 4 in 10 think it
could be communicated better. Among companies that have a policy, most (88 percent)
deal with the appropriate use of e-mail as a business tool, but less than one-third
(30 percent) address e-mail retention from a security standpoint.

INFORMATION GOVERNANCE FOR E-MAIL AND INSTANT MESSAGING 243
Generally, employees are aware that sending work documents outside of their
corporate network is unsafe, yet they continue to do so. It is abundantly clear that e-mail
policies have to be updated and upgraded to accommodate and manage the increasingly sophisticated
and computer-savvy generation of users who are able to fi nd ways to work around corporate
e-mail restrictions. (These users have been dubbed Generation Gmail. ) In addition, new
e-mail monitoring and security technologies need to be deployed to counter this risky
practice, which exposes information assets to prying eyes or malicious attacks.
E-Mail Polices Should Be Realistic and Technology Agnostic
E-mail policies as part of your IG program must not be too restrictive. It may be
tempting to include catchall policies that attempt to tamp down user behavior, but
such efforts cannot succeed. 7 An important step is consulting with stakeholders to
understand their usage patterns and needs and then going through a series of drafts of
the policy, allowing for input. It may be determined that some exceptions and changes
in technologies need to be factored in and that some additional technology is needed
to accommodate users while keeping information assets safer and meeting compliance
and legal demands. Specifi cs of these policies and tools should be progressively tight-
ened on a regular basis as the process moves forward.
These new IG guidelines and policies need to refer to technology in a generic
sense—a “technology-neutral” sense—rather than specifying proprietary software
programs or features. 8 That is to say, they should be written so that they are not in t
need of revision as soon as new technologies are deployed.
Developing organization-wide IG policies is time consuming and expensive; they are
a defensive measure that does not produce revenue, so managers, pressed for performance,
often relegate policy making to the low-priority list. Certainly, it is a tedious, diffi cult
task, so organizations should aim to develop policies that are fl exible enough to stand
the test of time. But it is also necessary to establish a review process to periodically revise
policies to accommodate changes in the business environment, the law, and technology.
Here is an example of a technology-agnostic policy directive:
All confi dential information must be encrypted before being transmitted over
the Internet.
This statement does not specify the technology to be used, or the mode of trans-
mission. The policy is neutral enough to cover not only e-mail and instant messaging
(IM) but also social media, cloud computing, mobile computing, and other means of
communication. The policy also does not specify the method or brand of the encryp-
tion technology, so the organization can select the best method and technology avail-
able in the future without adapting the policy.9
E-Record Retention: Fundamentally a Legal Issue
Considering the massive volume of e-mail exchanged in business today, most e-mail
messages do not rise to the level of being formal business records. But many of them
do and are subject to IG, regulatory compliance, and legal requirements for maintain-
ing and producing business records.

244 INFORMATION GOVERNANCE
Although often lumped in with other information technology (IT) concerns, the
retention of e-mail and other e-records is ultimately a legal issue. Other departments,
including records management and business units, should certainly have input and
should work to assist the legal team to record retention challenges and archiving
solutions. But e-mail and e-record retention is “fundamentally a legal issue,”l
particularly for public or highly regulated companies. According to Nancy Flynn of
the ePolicy Institute, “It is essential for the organization’s legal department to take the
lead in determining precisely which types of email messages will be preserved, exactly
how and where data will be stored, and specifi cally when —if ever—electronically stored
information [ESI] will be deleted” 10 (emphasis added).
Since they are often shot out in the heat of battle, many times e-mail messages
are evidence of a smoking gun in lawsuits and investigations. In fact, they are the most
requested type of evidence in civil litigation today. The content and timing of e-mail
messages can provide exonerating information too.
In January 2010, a U.S. House of Representatives committee probing bailout deals
subpoenaed the Federal Reserve Bank of New York for e-mail and other correspon-
dence from Treasury Secretary Timothy Geithner (former president of the New York
Federal Reserve Bank) and other offi cials. The House Oversight and Government
Reform Committee was in the process of examining New York Fed decisions that fun-
neled billions of dollars to big banks, including Goldman Sachs Group and Morgan
Stanley.11
This is just one example of how crucial e-mail messages can be in legal investiga-
tions and how they play an important role in reconstructing events and motives for
legal purposes.
Preserve E-Mail Integrity and Admissibility with
Automatic Archiving
Most users are not aware that e-mail contents and characteristics can be changed—
“and rendered legally invalid”—by anyone with malicious motives, including those
who are essentially “covering their tracks.” Not only can the content be edited, but
metadata that includes such information as the time, date, and total number of charac-
ters in the message can also be changed retroactively. 12
To offset this risk and ensure that spoliation (i.e., the loss of proven authenticity
of an e-mail) does not occur, all messages, both inbound and outbound, should be captured
and archived automatically and in real time. This preserves legal validity and forensic
compliance. Additionally, e-mail should be indexed to facilitate the searching process,
and all messages should be secured in a single location. With these measures, e-mail
records can be assured to be authentic and reliable.
Managing e-records is primarily a legal issue, especially for public and heavily
regulated companies.

INFORMATION GOVERNANCE FOR E-MAIL AND INSTANT MESSAGING 245
E-Mail Archiving Rationale: Compliance, Legal, and Business Reasons
There are good reasons to archive e-mail and retain it according to a specifi c retention
schedule that follows your organization’s IG policies. Having a handle on managing
voluminous e-mail archives translates to being able to effectively and rapidly search
and retrieve exactly the right messages, which can provide a signifi cant legal advantage.
It gives your legal team more and better information and more time to fi gure out
how to leverage it in legal strategy sessions. This means the odds are tipped in your
organization’s favor in the inevitable litigation arena. Your legal opponent may be driven
to settle a weak claim when confronted with indisputable e-mail evidence, and, in fact,
“email often produces supportive evidence that may help ‘save the day’ by providing
valuable legal proof” of innocence.13 This evidence may stop frivolous lawsuits in their
tracks. Further, reliable e-mail evidence also can curtail lengthy and expensive lawsuits,
and prevail. And if your company is public, Sarbanes–Oxley regulations require the
archiving of e-mail.
Don’t Confuse E-Mail Archiving with Backup
All backups are not created equal. There is a big difference between traditional system back-
ups and specialized e-mail archiving software.
Backups are huge dumps to mass storage, where the data is stored sequentially and
not compressed or indexed. 14 It is impossible to search backups except by date, and
even doing that would mean combing through troves of raw, non-indexed data.
The chief executive may not be aware of it, but without true e-mail archiving,
system administrators could spend long nights loading old tapes and churning out
volumes of data, and legal teams will bill hourly for manual searches through troves
of data. This compromises your enterprise’s legal position and not only increases raw
costs but also leads to less capable and informed legal representation. According to
one study, fully one-third of IT managers state they would have diffi culty producing
an e-mail that is more than one year old. “A backup system is no substitute for automatic
archiving technology”15 (emphasis added).
No Personal Archiving in the Workplace
Employees are naturally going to want to back up their most important fi les, just as
they probably do at home. But for an overall IG information-security program to be
effective, personal archiving at work must be prohibited. This underground archiving
results in hidden shadow fi les and is time consuming and risky. According to Flynn,
“Self-managed email can result in the deletion of electronic records, alteration of email evidence,
time-consuming searches for back-up tapes, and failure to comply with legal discovery demands”
(emphasis added). Also, users may compromise formal electronic records, or they may
work from unoffi cial records, which therefore by defi nition might be inaccurate or
out-of-date, posing compliance and legal ramifi cations. 16
Are All E-Mails Records?
Are e-mail messages records? This question has been debated for years. The short
answer is no, not all e-mail messages constitute a record. But how do you determine

246 INFORMATION GOVERNANCE
whether certain messages are a business record or not? The general answer is that a
record documents a transaction or business-related event that may have legal rami-
fi cations or historic value. Most important are business activities that may relate to
compliance requirements or those that could possibly come into dispute in litigation.
Particular consideration should be given to fi nancial transactions of any type.
Certainly evidence that required governance oversight or compliance activities
have been completed needs to be documented and becomes a business record. Also,
business transactions, in which there is an exchange of money or the equivalent
in goods or services, are also business records. Today, these transactions are often
documented by a quick e-mail. And, of course, any contracts (and any progressively
developed or edited versions) that are exchanged through e-mail become business
records.
The form or format of a potential record is irrelevant in determining whether
it should be classifi ed as a business record. For instance, if a meeting of the board of
directors is recorded by a digital video recorder and saved to DVD, it constitutes a
record. If photographs are taken of a ground-breaking ceremony for a new manufac-
turing plant, the photos are records too. If the company’s founders tape-recorded a
message to future generations of management on reel-to-reel tape, it is a record also,
since it has historical value. But most records are going to be in the form of paper,
microfi lm, or an electronic document.
Here are three guidelines for determining whether an e-mail message should be
considered a business record:
1. The e-mail documents a transaction or the progress toward an ultimate trans-
action where anything of value is exchanged between two or more parties. All
parts or characteristics of the transaction, including who (the parties to it),
what, when, how much, and the composition of its components, are parts of
the transaction. Often seemingly minor parts of a transaction are found bur-
ied within an e-mail message. One example would be a last-minute discount
offered by a supplier based on an order being placed or delivery being made
within a specifi ed time frame.
2. The e-mail documents or provides support of a business activity occurring
that pertains to internal corporate governance policies or compliance to
externally mandated regulations.
3. The e-mail message documents other business activities that may possibly be
disputed in the future, whether it ultimately involves litigation or not. (Most
business disputes actually are resolved without litigation, provided that proof
of your organization’s position can be shown.) For instance, your supplier may
dispute the discount you take that was offered in an e-mail message and, once
you forward the e-mail thread to the supplier, it acquiesces. 17
Destructive Retention of E-Mail
Destructive retention is an approach to e-mail archiving where e-mail messages are
retained for a limited time (say, 90 days or six months), followed by their permanent
manual or automatic deletion of messages from the company’s network, so long as
there is no litigation hold or the e-mail has not been declared a record in accordance
with IG and records management policies. Implementing this as a policy may shield

INFORMATION GOVERNANCE FOR E-MAIL AND INSTANT MESSAGING 247
the enterprise from retaining potentially libelous or litigious e-mail that is not a formal
business record (e.g., off-color jokes or other personnel violations).
For heavily regulated industries, such as health care, energy, and fi nancial services,
organizations may need to archive e-mail for longer periods of time.
Instant Messaging
Instant messaging (IM) use in enterprises has proliferated—despite the fact that fre-
quently proper policies, controls, and security measures are not in place to prevent
e-document and data loss. There are a variety of threats to IM use that enterprises
must defend against to keep their information assets secure.
The fi rst basic IM systems, which came into use in the mid-1960s, had real-time
text capabilities for routing messages to users logged on to the same mainframe com-
puter. Early chat systems, such as AOL Instant Messenger, have been in use since the
late 1980s, but true IM systems that included buddy list features appeared on the scene
in the mid-1990s, followed by the release of Yahoo! and Microsoft IM systems. The
use of these personal IM products in the workplace has created new security risks. 18
More secure enterprise instant messaging (EIM) products can be deployed.
Leading EIM installed systems include IBM Lotus Sametime, Microsoft Offi ce Com-
munications Server, Cisco Unifi ed Presence, and Jabber XCP. In the fi nancial sector,
Bloomberg Messaging and Reuters Messaging are leading platforms.
By the year 2000, it was estimated that nearly 250 million people worldwide were
making use of IM, and today estimates are that more than 2 billion people use IM, with
the addition of hundreds of millions of users in China.
As with many technologies, IM became popular fi rst for personal use, then crept
into the workplace—and exploded. IM is seen as a quicker and more effi cient way
to communicate short messages than engaging in a telephone conversation or going
through rounds of sending and receiving endless e-mail messages. The problem with
IM is that many organizations are blind to the fact that their employees are going to use it one
way or another , sometimes for short personal conversations outside the organization.r
If unchecked, such messaging exposes the organization to a myriad of risks and gives
hackers another way to compromise confi dential information assets.
Best Practices for Business IM Use
Employing best practices for enterprise IM use can help mitigate its security risks
while helping to capitalize on the business agility and velocity benefi ts IM can provide.
Best practices must be built in to IG policies governing the use of IM, although “the
specifi cs of these best practices must be tailored for each organization’s unique needs.”
A methodology for forming IM-specifi c IG policies and implementing more
secure use of IM must begin with surveying and documenting the proliferation of
IM use in the organization. It should also discover how and why users are relying
on IM—perhaps there is a shortcoming with their available IT tools and IM is a
work-around.
Typically, executives will deny there is much use of IM and that if it is being
used, its impact is not worth worrying about. Also, getting users to come clean about

248 INFORMATION GOVERNANCE
their IM use may be diffi cult, since this may involve personal conversations and vio-
lations of corporate policy. A survey is a good place to start, but more sophisticated
network monitoring tools need to be used to factually discover what IM systems are
actually in use.
Once this discovery process has concluded and the use of IM is mapped out, the
IG team or steering committee must create or update policies to: decide which IM
systems it will allow to be used, how, when, and by whom; decide what restrictions or
safeguards must be imposed; and create guidelines as to appropriate use and content.
As a part of an overall IG effort, Quest Software determined that a successful IM
policy will:
■ Clearly and explicitly explain the organization’s instant messaging objectives.
Users should know why the organization permits IM and how it is expected
to be used.
■ Defi ne expectations of privacy. Users should be made aware that the organiza-
tion has the right to monitor and log all IM sessions for corporate compli-
ance, safety, and security reasons.
■ Detail acceptable and unacceptable uses. An exhaustive list of permitted and
forbidden activities may not be necessary, but specifi c examples are helpful
in establishing a framework of IM behaviors for users.
■ Detail content and contact restrictions (if any). Most organizations will want to
limit the amount of idle IM chat that may occur with family, friends, and
other nonbusiness-related contacts. There may also be additional issues
related to information confi dentiality and privacy. Some businesses may
choose to block the distribution of certain types of information via live IM
chat session or fi le transfer.
■ Defi ne consequences for violations of the policy. Users should be advised of the
consequences of policy violations. Generally these should be aligned with
the company’s personnel and acceptable use policies.
The use of a standard disclaimer, to be inserted into all users’ IM sessions, can
remind employees of appropriate IM use and that all chat sessions are being moni-
tored and archived, and can be used in court or compliance hearings.
The next major step is to work with the IT staff to fi nd the best and most
appropriate security and network monitoring tools, given the computing environ-
ment. Alternatives must be researched, selected, and deployed. In this research and
selection process, it is best to start with at least an informal survey of enterprises within
the same industry to attempt to learn what has worked best for them.
The key to any compliance effort or legal action will be ensuring that IM records
are true and authentic, so the exact, unaltered archiving of IM messages along with
associated metadata should be implemented in real time. This is the only way to
Documenting IM use in the organization is the fi rst step in building IG policies
to govern its use. Those policies must be tailored to the organization and its
IM use.

INFORMATION GOVERNANCE FOR E-MAIL AND INSTANT MESSAGING 249
preserve business records that may be needed in the future. But in addition, a policy
for deleting IM messages after a period of time, so long as they are not declared busi-
ness records, must be formulated.
IG requires that these policies and practices not be static; rather, they must be reg-
ularly revisited and updated to refl ect changes in technology and legal requirements
and to address any shortcoming or failure of the IG policies or technologies deployed.
Technology to Monitor IM
Today, it has been estimated that as much as 80 percent of all IM used by corporate
employees comes from free IM providers like Yahoo!, MSN, or AOL. These programs
are also the least secure. Messages using these IM platforms can fl y around the Inter-
net unprotected. Any monitoring technology implemented must have the capability to
apply and enforce established IM use policies by constantly monitoring Internet traffi c
to discover IM conversations. Traffi c containing certain keywords can be monitored
or blocked, and chat sessions between forbidden users (e.g., those who are party to a
lawsuit) can be stopped before they start. But this all necessarily starts with IG and
policy formulation.
Tips for Safer IM
Organizations should assume that IM is being used, whether they have sanctioned
it or not. And that may not be a bad thing—employees may have found a reasonable
business use for which IM is expedient and effective. So management should not rush
to ban its use in a knee-jerk reaction. Here are some tips for safer use of corporate IM:
■ Just as e-mail attachments and embedded links are suspect and can contain ma-
licious executable fi les, beware of IM attachments too. The same rules governing s
e-mail use apply to IM, in that employees should never open attachments from
people they do not know. Even if they do know them, with phishing and social
engineering scams, these attachments should fi rst be scanned for malware using
antivirus tools.
■ Do not divulge any more personal information than is necessary. This comes into play
even when creating screen names—so the naming convention for IM screen
names must be standardized for the enterprise. Microsoft advises, “Your screen
name should not provide or allude to personal information. For example, use a
nickname such as SoccerFan instead of BaltimoreJenny.” 19
■ Keep IM screen names private ; treat them as another information asset that needs
to be protected to reduce unwanted IM requests, phishing, or spam (actually
spim , in IM parlance).
Records of IM use must be captured in real time and preserved to ensure they
are reliable and accurate.

250 INFORMATION GOVERNANCE
■ Prohibit transmission of confi dential corporate information. It is fi ne to set up a
meeting with auditors, but do not attach and route the latest fi nancial report
through unsecured IM.
■ Restrict IM contacts to known business colleagues. If personal contacts are allowed
for emergencies, limit personal use for everyday communication. In other
words, do not get into a long personal IM conversation with a spouse or teen-
ager while at work. Remember, these conversations are going to be monitored
and archived.
■ Use caution when displaying default messages when you are unavailable or away.
Details such as where an employee is going to have lunch or where their child is
being picked up from school may expose the organization to liability if a hacker
takes the information and uses it for criminal purposes. Employees may be un-
knowingly putting themselves in harm’s way by giving out too much personal
information.
■ Ensure that IM policies are being enforced by utilizing IM monitoring and fi ltering
tools and by archiving messages in real time for a future verifi able record, should
it be needed.
■ Conduct an IM usage policy review at least annually ; more often in the early stages
of policy development.
CHAPTER SUMMARY: KEY POINTS
■ E-mail is a critical area for IG implementation, as it is a ubiquitous business
communication tool and the leading piece of evidence requested at civil
trials.
■ Nearly 80 percent of all employees send work e-mail messages to and from
their personal e-mail accounts, which exposes critical information assets to
uncontrolled security risks.
■ Meeting e-mail retention and archival requirements becomes an impossible
task when e-mail messages are routed in a haphazard manner via personal
accounts.
■ In developing e-mail policies, an important step is consulting with
stakeholders.
■ E-mail policies must not be too restrictive or tied to a specifi c technology.
They should be fl exible enough to accommodate changes in technology and
should be reviewed and updated regularly.
■ Not all e-mail messages constitute a business record.
■ Not all e-mail rises to the level of admissible legal evidence. Certain condi-
tions must be met.
■ Automatic archiving protects the integrity of e-mail for legal purposes.

INFORMATION GOVERNANCE FOR E-MAIL AND INSTANT MESSAGING 251
Notes
1. “Research Finds that Restrictive Email Policies are Creating Hidden Security Risks for Businesses,”
BusinessWire , March 9, 2011, www.businesswire.com/news/home/20110309005960/en/Research-
Finds-Restrictive-Email-Policies-Creating-Hidden .
2. Elizabeth Montalbano , “AntiSec Hacks Booz Allen, Posts Confi dential Military Email,” Information-
Week , July 12, 2011, www.informationweek.com/news/security/attacks/231001418?cid=nl_IW_dai-
ly_2011-07-12_html .
3. Ibid.
4. Mathew J. Schwartz, “AntiSec Hacks FBI Contractor,” InformationWeek , July 11, 2011, www.informa-
tionweek.com/news/security/attacks/231001326 .
5. Quotes from this survey are from “Research Finds That Restrictive Email Policies Are Creating Hid-
den Security Risks for Businesses.”
6. Paul Mah, “How to Reduce the Email Security Risks to Your Business,” EmailAdmin , March 10, 2011,
www.theemailadmin.com/2011/03/how-to-reduce-the-email-security-risks-to-your-business/ .
7. Blair Kahn, Information Nation: Seven Keys to Information Management Compliance (Silver Spring, MD:
AIIM International, 2004), pp. 98–99.
8. Ibid, pp. 95–96.
9. Ibid.
10. Nancy Flynn, The E-Policy Handbook: Rules and Best Practices to Safely Manage Your Company’s E-Mail, Blogs,
Social Networking, and Other Electronic Communication Tools , 2nd ed. (New York: AMACOM, 2009), 20.s
11. Hugh Son and Andrew Frye, “Geithner’s E-mails, Phone Logs Subpoenaed by House (update3),”
January 13, 2010, www.bloomberg.com/apps/news?pid=newsarchive&sid=aGzbhrSxFlXw ,.
12. Flynn, E-Policy Handbook , p. 37.
13. Flynn , E-Policy Handbook , pp. 40–41.
14. Nancy Flynn and Randolph Kahn, Email Rules, A Business Guide to Managing Policies, Security, and Legal
Issues for E-Mail and Digital Communication (New York: AMACOM, 2003), pp. 81–82.
■ Instant messaging use in business and the public sector has become wide-
spread, despite the fact that often few controls or security measures are in
place.
■ Typically as much as 80 percent of all IM use in corporations today is over
free public networks, which heightens security concerns.
■ IM monitoring and management technology provides the crucial compo-
nents that enable the organization to fully implement best practices for
business IM.
■ Enterprise IM systems provide a greater level of security than IM from free
services.
■ Regular analysis and modifi cation (if necessary) of business IM policies and
practices will help organizations leverage the maximum benefi t from the
technology.
■ Records of IM use must be captured in real time and preserved to ensure they
are reliable and accurate.
CHAPTER SUMMARY: KEY POINTS (Continued )

http://www.businesswire.com/news/home/20110309005960/en/Research-Finds-Restrictive-Email-Policies-Creating-Hidden

http://www.informationweek.com/news/security/attacks/231001418?cid=nl_IW_dai-ly_2011-07-12_html

http://www.informa-tionweek.com/news/security/attacks/231001326

http://www.theemailadmin.com/2011/03/how-to-reduce-the-email-security-risks-to-your-business/

http://www.bloomberg.com/apps/news?pid=newsarchive&sid=aGzbhrSxFlXw

252 INFORMATION GOVERNANCE
15. Flynn, The E-Policy Handbook , p. 41.
16. Ibid., p. 43.
17. Robert F. Smallwood, Taming the Email Tiger: Email Management for Compliance, Governance, & Litiga-
tion Readiness (New Orleans, LA: Bacchus Business Books, 2008). s
18. This discussion is based on Quest Software White Paper, “Best Practices in Instant Messaging
Management” (October 2008), http://media.govtech.net/Digital_Communities/Quest%20Software/
Best_Practices_in_Instant_Messaging_Management , p. 5.
19. M. Adeel Ansari, “10 Tips for Safer IM Instant Messaging,” July 6, 2008, http://adeelansari.wordpress.
com/tag/safer-im-instant-messaging/ .

http://media.govtech.net/Digital_Communities/Quest%20Software/Best_Practices_in_Instant_Messaging_Management

http://adeelansari.wordpress.com/tag/safer-im-instant-messaging/

http://media.govtech.net/Digital_Communities/Quest%20Software/Best_Practices_in_Instant_Messaging_Management

http://adeelansari.wordpress.com/tag/safer-im-instant-messaging/

253
By Dr. Patricia Franks and Robert
Smallwood
Information
Governance for Social
Media*
C H A P T E R 13
I
nformation is the lifeblood of every organization, and an increasing volume of infor-
mation today is created and exchanged through the use of social networks and Web
2.0 tools like blogs, microblogs, and wikis.
Corporations use public social media technology to create a visible brand,
strengthen relations with current customers while attracting new connections and cli-
ents, highlight their products and services, and gather intelligence that can be used in
decision making.
Governments use public social media technologies to consult with and engage citi-
zens, provide services, and keep pace with fast-moving events (e.g., natural disasters).
Both types of enterprises also benefi t from the use of internal social media solu-
tions that facilitate communication and collaboration, improve employee engagement,
and boost productivity and effi ciency.
Content created through or posted to these new social media platforms must be
managed, monitored, and, quite often, archived. Content that meets the organization’s
defi nition of a record (i.e., documents business activities) must be retained in accor-
dance with the organization’s records retention and disposition policy.
Too often, social media content is not managed by information governance (IG) policies or
monitored with controls that ensure protection of the brand and critical information assets and
preservation of business records.
Types of Social Media in Web 2.0
The term “Web 2.0” was coined to characterize the move from static Web sites that
passively provided information to consumers to more participative, interactive, col-
laborative, and user-oriented Web sites and Web applications that allow for input,
discussion, and sharing. Users can add content, increasing the value of the Web site
or service. Examples include blogs and Web pages containing podcasts (digital me-
dia, usually audio) where readers can post comments or pose questions; wikis that
* Portions of this chapter are adapted from Chapter 13 , Robert F. Smallwood, Managing Electronic Records: Methods, Best
Practices, and Technologies , © John Wiley & Sons, Inc., 2013. Reproduced with permission of John Wiley & Sons, Inc.s

254 INFORMATION GOVERNANCE
hyperlink to related information to create a knowledge base that shows interrelation-
ships and allow users to add content; and RSS (really simple syndication) feeds that
provide a stream of fresh content to the user or consumer.
Web 2.0 is the term used to describe the second generation of the World Wide
Web, which is comprised of a combination of technologies that allow consumers of
Web content to participate, collaborate, and share information online. The improved
functionality refl ects consumer needs and preferences that surfaced as a result of in-
creased use of the Web for daily information and communications.
Social media sites like LinkedIn, Twitter, and Facebook encourage social interac-
tions by allowing users to create their own close network of business associates or
friends—essentially a hand-picked audience—and to post their own content in the
form of comments, links, photos, videos, and so forth. Others in their social network
may view, forward, share, organize, and comment on this content.1
Web 2.0 and social media platforms began as outward-facing, public Web services
that could link users from around the world. Subsequently, businesses discovered that
social media technology could also be leveraged for internal use in various ways, such
as by creating a directory and network of subject matter experts that users can search
when working on special projects or by sending out microblog messages to keep
their workforce informed. These internal social networks may be extended to include
external stakeholders, such as suppliers and customers, in a controlled environment.
A number of platform and software options exist for enterprise social media develop-
ment and use.
According to the U.S. National Archives and Records Administration:
Social media platforms can be grouped into the categories below. Some spe-
cifi c platforms may fi t into more than one category depending on how the
platform is used.
■ Web Publishing . Platforms used to create, publish, and reuse content. g
■ Microblogging (Twitter, Plurk)
■ Blogs (WordPress, Blogger)
■ Wikis (Wikispaces, PBWiki)
■ Mashups (Google Maps, popurls)
■ Social networking. Platforms used to provide interactions and collaboration
among users.
■ Social networking tools (Facebook, LinkedIn)
■ Social bookmarks (Delicious, Digg)
■ Virtual worlds (Second Life, OpenSim)
■ Crowdsourcing/Social voting (IdeaScale, Chaordix)
■ File sharing/storage. Platforms used to share fi les and host content storage.
■ Photo libraries (Flickr, Picasa)
■ Video sharing (YouTube, Vimeo)
■ Storage (Google Drive, Dropbox)
■ Content management (SharePoint, Drupal)
Agencies [and businesses] use a variety of software tools and platforms.
The examples given above are not meant to be an exhaustive list. 2

INFORMATION GOVERNANCE FOR SOCIAL MEDIA 255
Additional Social Media Categories
Breaking out the categories of social media further, we can see in Table 13.1 examples
of the wide range of social media applications that exist in the marketplace today.
These categories will increase and fl uctuate as the market matures and the companies
providing the social media technologies and services expand, merge, are acquired, or
die off.
There are certainly additional categories, and the categories will continue to grow.
In addition, social media companies do not always fi t neatly into one category. Applica-
tions (apps) for smartphones and tablets offer instant gratifi cation and combine several
functions. For example, Snapchat allows the sender to share an experience by snapping
an image or video, adding a caption, and sending it to a friend.3 The image, unless
saved by the recipient, is visible only for the number of seconds set by the sender. The
goal is to share a moment in time by sending a fl eeting message. Another app, Vine,
introduced by Twitter in early 2013, allows anyone to capture and share short looping
videos. 4 Popular for personal use, a number of fi rms (e.g., GE, Urban Outfi tters, and
Table 13.1 Social Media by Application Type
Category Examples
Content curation Buzzfeed, Flipboard, Skygrid, Storify, Summify
Content sharing Yelp, Scribd, Slideshare, Digg, Topix
Photo sharing Flickr, Picasa, SmugMug, Photobucket
Social ad networks Lifestreet, AdKnowledge, Media6degrees, BurstMedia
Social analytics Awe.sm, Bluefi n Labs, Mixpanel, Webtrends
Social bookmarking BibSonomy, Delicious, Diigo, Folkd
Social business software Lithium, Jive, Pluck, Mzinga, Telligent, Ingage, Leverage
Software, Huddle, Cubetree, Yammer (Microsoft), Socialcast,
Igloo, Socialtext, Watchtoo, Acquia*
Social brand engagement Socialvibe, Mylikes, Adly, Sharethrough
Social commerce platforms Ecwid, Moontoast, Shop Tab, Dotbox, Storenvy, VendorShop
Social community platforms Ning, Mixxt, Grou.ps, Groupsite
Social data GNIP, DataSift, Rapleaf, RavenPack
Social intelligence software SDL, Netbase, Postrank, Google Analytics, Trendrr, Trackur,
Visible
Social marketing management Shoutlet, Syncapse, Objective Marketer, Immobi, MediaFunnel
Social promotion platforms Offerpop, Seesmic, Strutta, Votigo, Fanzila, Zuberance, Extole,
Social AppsHQ, Social Amp
Social publishing platforms Hootsuite, Spredfast, Hearsaysocial, MutualMind, SproutSocial,
Flowtown, Socialware
Social referral 500Friends, Curebit, Tip or Skip, Turnto
Social search and browsing StumbleUpon, Topsy, Wink, Kurrently, SocialMention
Social scoring Klout, EmpireAvenue, PeerIndex
Source: Luma Partners and Terry Kawaja, http://static5.businessinsider.com/image/4fb5077becad04
5f47000003-960/buddy-media-social-marketing (accessed May 21, 2012).

http://static5.businessinsider.com/image/4fb5077becad045f47000003-960/buddy-media-social-marketing

256 INFORMATION GOVERNANCE
20th Century Fox) have begun to integrate Vine into their marketing/branding strat-
egy, including major brands.
Social Media in the Enterprise
Public-facing social media integrates Internet-based applications, technology, social
interaction, and content creation to enable communication, collaboration, and content
sharing within and across subnetworks of millions of public users. Implementing tight
security on these types of mass networks would likely slow response time and inhibit
the user experience, and it may not provide a suffi cient level of security to warrant the
investment on the part of the social media provider.
While popular consumer-based technologies (Facebook, Twitter, and LinkedIn)
top the list of social media technologies used in enterprises today, 5 these services were not
designed with the business in mind. Enterprises that need tight security but wish to take
advantage of the many benefi ts of social media use are increasingly implementing enter-
prisewide social media solutions in addition to or in place of public-facing social media.
In the business world, Facebook-like social networking software is offered for pri-
vate, closed networks with a fi nite number of users. In this computing environment,
implementing security is more manageable and practical. Some services are cloud
based; others operate internally behind the enterprise fi rewall; and some operate ei-
ther way or in conjunction as hybrid architecture. Usage statistics that refl ect trends,
adoption rates, and areas of content interest can be provided to help feed the metrics
needed to chart the progress and effectiveness of the enterprise social network. 6
Enterprise social networking is being adopted by business and public-sector entities
at a rapid rate. With the entry of Generation Gmail into the workforce, many of these l
initiatives took on an experimental, “cool” image. However, it is crucial to establish so-
cial media business objectives, to defi ne time-limited metrics, and to measure progress.
There does need to be some leeway, as calculating return on investment (ROI) for en-
terprise social networks is very new, and all the benefi ts (and pitfalls) have not yet been
discovered or defi ned. Certainly the network load and required bandwidth for e-mail
and attachments will decrease; instead of sending a 25MB PowerPoint fi le back and
forth among 10 coworkers, the fi le can sit in a common workspace for collaboration.
Another intangible benefi t is the competitive value in being a market leader or
industry innovator. But to keep that edge, companies need to continually scan the
horizon for new technologies and services. Engaging in online conversations with cus-
tomers and other stakeholders is the norm rather than the exception. One sign of a
progressive-thinking organization is its ability to leverage social media technology to
refi ne operations, improve customer services, and make employees’ lives easier. An
organization with a strong social media reputation likely will be better able to attract,
recruit, and retain qualifi ed, high-achieving employees.
Implementing security is more manageable and practical with enterprise so-
cial networking software.

INFORMATION GOVERNANCE FOR SOCIAL MEDIA 257
Key Ways Social Media Is Different from E-Mail and
Instant Messaging
Social media offers some of the same functionality as other communication and col-
laboration systems like e-mail and instant messaging (IM), yet its architecture and
underlying assumptions are quite different.
When implementing enterprise versions of social media applications, a company
may exert more control over the computing and networking environment through
in-house implementation rather than outsourcing. Consumer-oriented social media
applications, such as Facebook and Twitter, reside on application servers outside the
enterprise controlled by third-party providers. This creates IG and records manage-
ment (RM) challenges and poses legal risks. 7
Obviously, social media is an emerging technology, so standards, design, and archi-
tecture are in fl ux, whereas e-mail has been stable and established for 15 to 20 years.
E-mail is a mature technology set, meaning it is unlikely to change much. There are
standard e-mail communications protocols, and the technology’s use is pervasive and
constant. So when e-mail IG policies are formed, less updating and fi ne-tuning are
required over time. With social media, new features are being added, standards are non-
existent, privacy settings change overnight, and the legalese in terms of service agree-
ments is continually modifi ed to include new features and settings, which means that
your social media policy must be more closely monitored and frequently fi ne-tuned.
E-mail, IM, and social media are all communication tools used to share content
and collaborate, but social media also offers user interaction features, such as “Like”
on Facebook or “retweet” (copying and posting a 140-character tweet) on Twitter,
that bring attention to the content in the user’s network and can be construed as an
endorsement or rejection of content based on user opinions expressed and associated
with the content. 8
Further confounding the organization’s ability to control the social media envi-
ronment is the fact that the social media sites are dynamic and ever changing, with
comments and opinions being published in real time. This is not true with e-mail and
IM systems, which are more structured, stable, and technologically mature.
Biggest Risks of Social Media
Social media is the Wild West of collaboration and communication. Vulnerabilities
still are being exposed, and rules still are being established. Users often are unsure of
exactly who can see what they have posted. They may believe that they have posted
a comment only for the eyes of a friend or colleague, not realizing it may have been
posted publicly. “One of the biggest risks that social networking poses to organizations
Social media differs greatly from e-mail use. E-mail is mature and stable. Social
media is not. These distinctions have important ramifi cations for IG policy
development.

258 INFORMATION GOVERNANCE
is that employees may be exposing information that’s not meant for public consumption , es-
pecially in highly regulated environments like banking and healthcare, in industries
that rely heavily on proprietary research and development, or even in the military”9
(emphasis added).
Organizations that believe they can ban social media in order to avoid risks are
mistaken. Prohibition of social media can result in social media use being driven
underground. Employees accustomed to the ease of communicating and collaborating
through social networks may turn to the use of personal devices and accounts outside
the control of the organization. Even strict adherence to a nonuse policy can harm the
organization’s reputation, fi nances, ability to gather information that can be used to
improve operations, and ability to remain competitive.
Once an organization decides it will engage in social media initiatives, it must
identify different types of risks to initiate its IG effort in this area. According to Chris
Nerney of Network World , two of the greatest social media security threats are:d
1. Lack of a social media policy. Many organizations are just now discovering
the extent to which social media has popped up in various pockets of their
organization. They may believe that their e-mail and communications policy
will pretty much cover social media use and that it is not worth the time and
expense to update IG policies to include social media.
This invites complexities, vagaries, and potential disaster. A simple Twitter
comment could invite litigation: “Our new project is almost ready, but I’m not
sure about the widget assembly.” It’s out there. There is a record of it. Instant
potential liability in 140 characters or less. s
Social media can add value to an organization’s efforts to reach out to cus-
tomers and other stakeholders, but this must be weighed carefully against the
accompanying risks.
The objectives of a social media initiative must be spelled out, and metrics
must be in place to measure progress. But more than that, who can utilize social
media on behalf of the company and what they can state needs to be established with
clarity in the IG policy. If not, employees are essentially fl ying blindly without
controls, and they are more likely to put the enterprise at risk. 10
More than policy development is needed. If your organization is going to
embark on a social media program, it needs an executive sponsor to champion
and drive the program, communicating policy to key leaders. You will also
need to conduct training—on a consistent basis. Training is key, since social me-
dia is a moving target.
2. Employees—the accidental and intentional insider threat. This may be in part due
to lack of social media policy or due to lack of monitoring and enforcement.
Sometimes an employee harms an organization intentionally. Remember Pri-
vate Bradley Manning’s release of hundreds of thousands of classifi ed gov-
ernment documents to WikiLeaks?11 But most times employees do not realizes
the negative impact of their behavior in posting to social media sites. People
might use social media to vent about a bad day at work, but the underlying
message can damage the company’s reputation and alienate coworkers and
clients. Other times a post that is seemingly unrelated to work can backfi re
and take a toll on business. We’re all human and sometimes emotion gets the
better of us, before we have rationally thought out the consequences. And that

INFORMATION GOVERNANCE FOR SOCIAL MEDIA 259
is especially true in the new world of social media, where it may be unclear
exactly who can see a comment.
The dangers of social media are quite different from those posed by an iso-
lated, off-color, or offensive verbal comment made in the workplace, or even
one errant e-mail. With social media it is possible that the whole world will be
able to see a comment meant only for a limited and controlled audience. For
example, consider Ketchum public relations vice president James Andrews,
who in 2009 “fi red off an infamous tweet trashing the city of Memphis, home-
town of a little Ketchum client called FedEx, the day before he was to make a
presentation to more than 150 FedEx employees (on digital media, no less!).”
FedEx employees complained to Ketchum and their own executives, point-
ing out that while they suffered salary reductions, money was being spent on
Ketchum, which had been clearly disrespectful of FedEx. Andrews was forced
to make a “very public and humiliating apology.” 12
This story shows that high-level executives must be just as careful as lower-
level employees. Andrews was not only a corporate vice president, but also a
public relations, communications, and social media expert, well versed in the
fi rm’s policies and mission. He also had no ill intent. Knowing this, consider
what a rogue employee intent on damaging the company might do. Such im-
pact could be much worse. For instance, what if a chief executive’s assistant
were to release details of strategic plans, litigation, or ethics investigations to
the public? Or embarrassing details of the CEO’s private life? The impact
could be quite costly.
Legal Risks of Social Media Posts
With over 554 million active registered users and an estimated average of 58 million
tweets per day in 2013 to the microblogging site Twitter, 13 a number that continues
to increase, surely some employees in your organization are tweeting. As of the fi rst
quarter of 2013, more than 225 million professionals in over 200 countries and ter-
ritories were members of the LinkedIn network, and the network continues to expand,
with students and recent college graduates being the fastest-growing segment. Ap-
proximately 33 percent of members are in the United States.14
The casual use of public comments can easily create liability for a company. With
no IG policy, guidelines, monitoring, or governance, legal risks of using social media increase
signifi cantly. This is an avoidable risk.
Many people are posting birthday wishes and pictures of what they had for dinner, but
others may be venting about specifi c companies and individuals within those companies.
There’s a difference between “I can’t stand Wall Street,” and “Goldman is run by Satan,
and his name is John Smith. We’re going to sue his butt off.” Instant liability .
Two of the biggest threats of social media use for organizations come from the
lack of a social media policy and threats presented by employee use.

260 INFORMATION GOVERNANCE
The specifi cs of where and how an employee posted or tweeted a message may
mean whether a lawsuit against your company is successful or not. If a personal
LinkedIn or Twitter account is used, and it was posted after hours using a PC from
home, the company may be off the hook. But if it was done using a company computer
or network, or from a company-authorized account, a defense will be diffi cult.
Opposing counsel likely will ask questions about the policy for posting fi rst. One thing
is true: “Much of this remains unsettled ground.”15
Just when compliance and records managers thought they had nailed down IG
for e-mail, IM, and electronic records, social media came on the scene creating new,
dynamic challenges!
Even though not all social media content will rise to the level of a record, accord-
ing to the defi nition in use, the organization still may be responsible for managing the
nonrecord content. For example, an organization may consider a social networking
profi le a record but consider comments nonrecords. That decision will have an impact
on what must be retained according to the records retentions schedule. It does not,
however, absolve the organization from monitoring and evaluating the comments. 16
“Tweets are no different from letters, e-mail, or text messages—they can be dam-
aging and discoverable, which is especially problematic for companies that are required
to preserve electronic records, such as the securities industry and federal contractors.
Yet another compliance headache is born.”
Blogs are simply Web logs, a sort of online journal that is focused on a particular
topic. Blog readers can become followers and receive notices when new content is
posted as well as add their own comments, which may be moderated or restricted. It
seems confounding, but with the explosion in the use of blogs, there have been actual
incidents where employees have “disclosed trade secrets and insider trading informa-
tion on their blogs. Blogs have also led to wrongful termination and harassment suits.”
So the liability and potential for leakage or erosion of information assets is not
theoretical; it is real.
To safeguard the enterprise that sanctions and supports blog use, IG policies must
be clear, and real-time capture and management of blog posts should be implemented. Re-
member, these can be business records that are subject to legal holds, and authenticity
and accuracy are crucial in supporting a legal case. So a true and original copy must
be retained. This may, in fact, be a legal or regulatory requirement, depending on the
industry.
If content-posting guidelines are not clear, then the informal nature of social me-
dia posts potentially can be damaging to an organization. The usual fact checking
and vetting that is done for traditional press releases and advertising may not be con-
ducted, so social media posts can be unscreened and unfi ltered, which poses problems
when IG policies are not clear and fully enforced. 17 Beyond that, the consequences of
violating policy should be severe and clearly stated in policies, as should the penalties
imposed, a message that should be reinforced consistently over time.
With no IG policy, guidelines, monitoring, or governance, legal risks of using
social media increase signifi cantly. This is an avoidable risk.

INFORMATION GOVERNANCE FOR SOCIAL MEDIA 261
Tools to Archive Social Media
New approaches to capture, manage, and archive social media are emerging. Some are
free or inexpensive and appropriate for personal and small business use. Others require
a more substantial investment of resources but better meet the needs of midsize and
large organizations.
Public Social Media Solutions
Launched as a personal cloud organizing service in March 2012, Jolicloud took a fi le
system approach to social media so Facebook, Flickr, Instagram, Picasa, and Twitter
content that was previously interacted with or shared could be sorted and searched. 18
The service “slurps” (extracts) content from social media sites and makes it available
for viewing through any mainstream Internet browser, tablet, or smartphone. As users
perform social media functions like sharing, “liking,” and “favoriting” content on their
various social media services, the content is automatically saved to their Jolicloud ac-
count, which can later be sorted and searched.
Jolicloud has similarities with other “personal social Web memory” products, such
as Facebook Timeline and TimeHop. In 2013, Jolicloud added the ability to view and
edit fi les and rebranded its unifi ed cloud platform Jolidrive.19
If you prefer to maintain copies of all fi les on your own computer, an alternative to
Jolicloud is a product called SocialFolders. This app lives on your computer and con-
nects directly to your favorite social media sites so you can manage, backup, and sync
your photos, videos, and documents in a centralized location. 20
Since Facebook and Twitter initially did not provide archiving tools, some third-
party applications have popped up to perform the task.
TwInbox is a free MS Outlook plug-in that archives Twitter postings and allows us-
ers to install a (Twitter) menu option to send tweets directly from Outlook; these tweets
are archived into a standard Outlook folder. The folder can be confi gured to capture
tweets that a user sends outside of Outlook, so that everything is stored in one folder.
TweetTake is a free utility that archives followers and tweet posts. It does not
require a software download, and the archive can be stored as a zip fi le and then im-
ported into a spreadsheet (e.g., Excel) for further analysis. By the time this book goes
to press, there will be even more options, and the existing ones will have changed and
(it is hoped) improved.
If your organization uses Twitter and social media archiving is required by law,
regulations, or internal IG policies, a good place to start your research is with software
like TwInbox (if you operate in a Microsoft Offi ce environment) and TweetTake as well
as other new entrants to the market or other options your organization may have. 21
For archiving Facebook posts, there are several options. Facebook users can down-
load and archive their Facebook data from their account settings page. Also, there are
free plug-ins for Mozilla’s Firefox browser. One comes directly from Mozilla, which
archives everything but fan pages into a zip fi le. Another is a Firefox add-on called
ArchiveFacebook, which allows you to save Facebook content directly to your hard
drive and view the content exactly as it looks on Facebook. Other tools, including So-
cialSafe, PageFreezer, and Wayback Machine, charge a small fee. All of these options
and new ones need to be evaluated when selecting an archiving solution for Facebook
that meets your organization’s requirements.

262 INFORMATION GOVERNANCE
For archiving LinkedIn posts and information, SocialSafe, PageFreezer, and Way-
back Machine can be used, and other tools will surface.
To convert records to a standard format for use outside of the social media
application, there are also options to create PDF documents out of social media
posts using products like PDF995 and PrimoPDF.22 Nuance Software also provides
PDFCreate.
Additional archiving tools are being developed as the social media market matures.
Bear in mind that tools developed by third parties always carry some risk that tools
directly from the software or service provider do not.
These tools may not provide a legally defensible audit trail in court. Choosing
among the tools requires a critical analysis and may require additional technology
layers. Other alternatives, such as real-time content archiving tools and even in-house
developed customizations, also have to be considered.
Government and Industry Solutions
Most of the products and methods that could be of use for personal or small business
archiving of social media content involves manual intervention, which can be time
consuming. All organizations must focus on their core business and would benefi t
from tools and services that streamline and automate the archiving process as much
as possible—however, there is a cost. Midsize and large organizations, often using
both public and enterprise social media technologies, may fi nd the investment in com-
mercial products and services worth the additional cost, especially those products that
integrate and manage social media content with other enterprise content. Capture
and management of social media content is an area that must be addressed as part
of an overall IG strategy. Some of the solutions available at this time are described
in Table 13.2 ; however, because of the recent increased focus on archiving solutions
for public and enterprise social media content, the landscape will continue to become
more effi cient, effective, and possibly unifi ed.d
In addition to providing archiving functions, unifi ed and integrated solutions
provide business intelligence applications and tools to enable the enterprise to better
achieve its organizational goals, processes, and performance requirements.
IG Considerations for Social Media
The report “How Federal Agencies Can Effectively Manage Records Created Us-
ing Social Media Tools” addresses building an IG framework for social media. An IG
model provides the overarching policies, guidelines, and boundaries for social media
initiatives. 23
An IG framework for social media should incorporate social media policy, controls, and
operational guidelines as well as spell out consequences for violations. Best practices for social
media still are being established, and those that have been established are evolving. In
addition to establishing policies to govern the use of social media across the organiza-
tion, best practices should include industry-specifi c, vertical market considerations. A
cross-section of functional groups within the enterprise should provide input into the
policy-making process. At the very minimum, internal audit, marketing, fi nance, infor-
mation technology (IT), legal, human resources, and RM must be consulted, and all

INFORMATION GOVERNANCE FOR SOCIAL MEDIA 263
Table 13.2 Social Media Archiving and Management Software
Type of Solution Description Examples
Archiving solution Services that capture, protect, and
retain social media for compliance,
e-discovery, digital preservation, and
records management
Archives Social; Smarsh; RegEd by
Arkovi
Unifi ed solutions Services and software that facilitate
the management of various
fi le types across the enterprise
(e.g., social media, legacy data,
word fi les, SharePoint fi les) for
storage, optimization, e-discovery,
compliance, and records
management
Unifi ed Archive® by ZL
Technologies; Symantec
Enterprise Vault; HP Autonomy
Integrated solutions Services that integrate various
types of systems (e.g., customer
relationship management in the
cloud with social media tools,
enterprise content management
[ECM], and/or records management)
to manage records and information
for business operations and
compliance.
Microsoft SharePoint 2013 and
Yammer (contains social and
collaboration features as well as
RM and compliance features);
Salesforce and Chatter (integrates
social collaboration technology
and potential to integrate with
ECM content repository and ECM
Documentum Records Manager).
business units should be represented. Clear roles and responsibilities must be spelled
out, and controls must be established to govern acceptable use—essentially what is al-
lowed and what is not. Even writing style, logo format, branding, and other marketing
considerations should be weighed. The enterprise’s image and brand are at risk, and
prudent steps must be taken to protect this valuable, intangible asset. And most im-
portant, all legal and regulatory considerations must be folded into the new IG policy
governing the use of social media.
Key Social Media Policy Guidelines
Your social media policy development process can begin by examining the published
policies of major organizations in your industry or closely related industries. It should
also be based on changes in the workplace as well as established standards, such as
guidance developed as the result of a January 2013 ruling by the National Labor Rela-
tions Board. More important, social media policies must be hand-crafted and customized for
each organization.
An IG framework for social media should incorporate social media policy, con-
trols, and operational guidelines, and spell out consequences for violations.

264 INFORMATION GOVERNANCE
A prudent and properly crafted social media policy:
■ Specifi es who is authorized to create social media accounts for the organization.
■ Authorizes specifi cally who can speak on the organization’s behalf and who
cannot (by role/responsibility).
■ Outlines the types of negative impact on the company’s brand and reputation
that unscreened, poorly considered posts may have. 24
■ Draws clear distinctions between business and personal use of social media and
specifi es whether personal access is allowed during work hours.
■ Underscores the fact that employees should not have any expectation of privacy
when using social media for corporate purposes, just as in using other forms of
communications such as e-mail, IM, and voicemail, which may be monitored.
■ Clearly states what is proper and allowed on the organization’s behalf and what
is forbidden in social media posts or using organization resources.
■ Instructs employees to always avoid engaging in company-confi dential or even
controversial discussions.
■ Encourages/requires employees to include a standard disclaimer when pub-
lishing content that makes clear the views shared are representative of the em-
ployee and not the organization.
■ Strictly forbids the use of profanity and uses a professional business tone, albeit
more informal than in other corporate communications.
■ Strictly forbids any statements that could be construed as defamatory, discrimi-
native, or infl ammatory.
■ Outlines clear punishments and negative actions that will occur to enforce so-
cial media policy.
■ Draws clear rules on the use of the company name and logo.25
The policy need not be long but should be clear. Best Buy’s social media policy, for
example, uses the slogan, “Be smart. Be respectful. Be human.”26 It then breaks the guid-
ance into two major sections: what you should do and what you should never disclose.
A word of caution contained in the Best Buy Social Media Policy explains the rationale
for the employee to abide by the social media policy: Protect the brand, protect yourself.
To ensure compliance with the organization’s IG strategy, it is also necessary to
include a reference to the organization’s related policies, including the records and
information management policy.
Records Management and Litigation Considerations
for Social Media
Legal requirements and demands trump all others when making decisions about captur-
ing and preserving social media records. Social media is no different from other forms
of electronically stored information (ESI) in that it is potentially discoverable during n
litigation.27 Not all ESI residing in social media are records, but all are discoverable.
If an organization employs social media and makes a conscious decision not to archive t
all or some portion of that data, it is taking risks. A legally defensible records retention
schedule must be in place, and it must be based on specifi c laws that identify the records
that must be retained and to a records retention policy that explains the process for iden-
tifying, categorizing, and managing information and records.

INFORMATION GOVERNANCE FOR SOCIAL MEDIA 265
From an RM perspective, it is critical to consider that social media posts are
more than the posts themselves; for legal or compliance purposes, they include
metadata and hyperlinks to external content—and that external content in its native
format— that must also be preserved, preferably in real time. That external content
may be a PDF document, a PowerPoint presentation, Web site content, or even a
video on YouTube, which would require that video archiving, along with associated
metadata, is in place.
To truly capture the necessary content required by law, records and compli-
ance managers must understand how software programs communicate with each
other in order to recommend possible solutions to the IT department. One way to
preserve the Web-based data of social media applications is to use the application
programming interfaces (APIs) that social media providers offer. APIs offer standard
“hooks” into an application. Another way, perhaps preferable, is to enlist a service
that can capture and archive information from multiple social networks. Further
innovations in tools and services that will make capturing these records easier are
being developed.
Content found in social media networks can be static or dynamic. Profi les in Face-
book and blog posts are examples of static content. They can be captured before being
posted to the Web. Blog comments and endorsements through “liking” or “favoriting”
a post are examples of dynamic content. The ideal method from a RM standpoint is
to capture all dynamic social media content in real time in order to be able to prove
authenticity and fi ght claims of records spoliation (corruption or adulteration of evi-
dence) in the event of a discovery request.
Regardless of method of capture, social media content that meets record status
criteria should be moved to a repository in an electronic records management
U.S. corporations must archive social media records under Rule 34 of the FRCP.
U.S. corporations that utilize social media are compelled to preserve those records,
including metadata and associated linked content , according to Rule 34 of the t
Federal Rules of Civil Procedure (FRCP), which states that opposing parties in
litigation may request “any designated documents or ESI—including writings,
drawings, graphs, charts, photographs, sound recordings, images, and other
data or data compilations—stored in any medium from which information can
be obtained either directly or, if necessary, after translation by the responding
party into a usable form.”28 This echoes a key principle of the Sedona Confer-
ence ®, a leading RM and legal retention think tank. Also, Rule 26 of the FRCPe
requires that any and all information that might be discoverable or “potentially
responsive” must be preserved and produced if requested by the opposing
party. So it is clear that there is a legal duty to preserve social media records.

266 INFORMATION GOVERNANCE
(ERM) system application. Then business rules for retention should be applied to
those records. Typical functions of an ERM system include these:
■ Marking an electronic document as a read-only electronic record
■ Protecting the record against modifi cation or tampering
■ Filing a record against an organizational fi le plan or taxonomy for categorization
■ Marking records as vital records
■ Assigning disposal (archival or destruction rules) to records
■ Freezing and unfreezing disposal rules
■ Applying access and security controls (Security rules may differ from the source
elec tronic document in an electronic document management system or enter-
prise content management [ ECM] software.)
■ Executing disposal processing (usually an administrative function)
■ Maintaining organizational/historical metadata that preserves the business
context of the record in the case of organizational change
■ Providing a history/audit trail 29
Robust search capabilities are perhaps the most crucial component of a social media ERM
or archiving solution. It is fi ne to preserve the records and their associated metadata
perfectly, but if you cannot easily fi nd and produce the information, compliance and e-
discovery efforts will fall short and may cost the organization dearly.
Social media policy will be unique to each particular organization. It is fi ne to start with
a social media policy example or template, but it must be tailored to the needs of the
organization for it to be effective and legally defensible. 30
Records Retention Guidelines
Here are some basic records retention guidelines:
■ Make records threshold determinations. Examine the content to see if it in fact
constitutes a record by your own organization’s defi nition of a record , which should d
be contained in your IG policies. This records determination process likely
also will require consultation with your legal counsel. If the social media site
has not been kept operating, or it was used for a specifi c project that has been
completed (and all pertinent records for that project have been retained), then
its content may not require retention of records. 31
■ Use existing retention schedules if they apply. If your organization already has reten-
tion policies for, say, e-mail, then any e-mail sent by social media should adhere
to that same scheduling guideline, unless there is some legal reason to change it.
■ Apply basic content management principles. Focus on capturing all related content
for social media posts, including conversation threads, and associated metadata
that may be required in legal discovery to provide context and maintain the
completeness, authenticity, and integrity of the records.
Social media policy must be unique to each particular organization.

INFORMATION GOVERNANCE FOR SOCIAL MEDIA 267
■ Risk avoidance in content creation. Instruct and reinforce the message to employ-
ees participating in corporate social media that content on the Web stays there
indefi nitely and that it carries potential legal risks. In addition, once something
is posted on the Web, completely erasing and destroying the content at the end
of its retention period is nearly impossible.
Content Control Models
There are several basic ways to manage social media content, ranging from tightly con-
trolling it through one single, accountable person, to delegating control to the busi-
ness unit level, all the way to letting the social media participants post their thoughts,
unmoderated and unfettered, to encourage spontaneity and enthusiastic use of the
tool. The approach your organization takes will depend on the specifi ed business ob-
jectives you have for utilizing social media and your organization’s appetite for risk.
Emerging Best Practices for Managing Social Media Records
Best practices for managing social media business records are still evolving, and will
continue to develop as records and information practitioners gain more experience
with social media records. Here are some emerging best practices:
■ Identify records during the social media planning stage. Both a social media policy
and the records and information policy should refer to a form to be completed
by the person or unit proposing a new social media initiative. The person com-
pleting the form should indicate if records will be created and, if so, how they
will be managed.
■ Promote cross-functional communications. A social media team of representatives
from various departments, such as IT, social media, legal, compliance, records
management, and other stakeholders, is formed, and communication and col-
laboration is encouraged and supported.
■ Require consultation in policy development. Extending beyond the social media
team, input and advice from multiple stakeholder groups is essential for creat-
ing IG policies that cover social media records management.
■ Establish clear roles and responsibilities. The cross-functional social media team
must lay out clear expectations and responsibilities and draw lines of account-
ability so that stakeholders understand what is expected of them.
■ Utilize content management principles. Management of social media content
should fall under an ECM software implementation, which can capture and
track content, including associated metadata and external content, and manage
that social media content through its life cycle.
■ Implement RM functionality. Management by an ERM system that offers fea-
tures that enable records retention and disposition, implementation of legal
holds, and lifting of legal holds is essential.
■ Control the content. Clear guidelines and monitoring mechanisms must be in
place to control and manage content before it gets published on the Web, when
possible (e.g., static content on blogs and profi les in social networks) if there is
any potential legal risk at all.

268 INFORMATION GOVERNANCE
■ Capture content in real time. By implementing a real-time content capture solu-
tion for content posted directly to social media (e.g., comments on blogs and
posting of someone else’s content or retweets), organizations will begin their
control and management of the content at soonest point and can more easily
prove it is authentic and reliable from a legal perspective.
■ Champion search capabilities. After capture and preservation of records and as-
sociated metadata, search capabilities are the single most important feature that
the technology must provide.
■ Train, train, train. Social media is a new and emerging technology that changes
rapidly. Users must be trained, and that training must be updated and rein-
forced on a regular basis so that employees have clear guidelines, understand
the technology, and understand the business objectives for its use.
CHAPTER SUMMARY: KEY POINTS
■ Organizations are increasingly using social media and Web 2.0 platforms to
connect people to companies and government.
■ Social media use presents unique challenges because of key differences with
other electronic communications systems, such as e-mail and IM.
■ Two of the biggest risks that social networking poses to organizations are (1)
not having a social media policy; and (2) employees may be—intentionally or
not—exposing information that is not meant for public consumption.
■ Enterprise social networking software has many of the features of consumer
social applications such as Facebook, but with more oversight and control,
and they come with analytics features to measure adoption and use.
■ Various software tools have become available in recent years for archiving
social media posts and followers for RM purposes.
■ An IG framework provides the overarching policies, guidelines, and bound-
aries for social media initiatives, so that they may be controlled, monitored,
and archived.
■ Social media posts are more than the post itself; they include metadata and
also include hyperlinks to external content—and that external content must
be preserved in its native format to meet legal standards.
■ Robust search capabilities are the most crucial component of a social media
ERM or archiving solution.
■ Social media policy will be unique to each particular organization.
■ Best practices for managing social media business records are still evolving but
include forming cross-functional social media teams with clear responsibilities,
encouraging communication, and capturing complete content in real time.

INFORMATION GOVERNANCE FOR SOCIAL MEDIA 269
Notes
1. U.S. National Archives and Records Administration, NARA Bulletin 2011-02, “Guidance on Manag-
ing Records in Web 2.0/Social Media Platforms,” October 20, 2010, www.archives.gov/records-mgmt/
bulletins/2011/2011-02.html .
2. Ibid.
3. See www.snapchat.com/ (accessed June 3, 2013).
4. See http://vine.com/ (accessed June 3, 2013).
5. Nancy Gohring , “Facebook and Twitter Rule the Enterprise, Too,” May 20, 2013, www.citeworld.com/
social/21893/facebook-twitter-rule-enterprise (accessed June 4, 2013).
6. Andrew Conry-Murray, “Can Enterprise Social Networking Pay Off?” Internet Evolution, March 21, 2009,
www.internetevolution.com/document.asp?doc_id=173854 .
7. Patricia C. Franks, “How Federal Agencies Can Effectively Manage Records Created Using New
Social Media Tools,” IBM Center for the Business of Government, San Jose State University, 2010,
www.businessofgovernment.org/sites/default/files/How%20Federal%20Agencies%20Can%20
Effectively%20Manage%20Records%20Created%20Using%20New%20Social%20Media%20Tools.
pdf , pp. 20–21 (accessed March 30, 2012).
8. Ibid.
9. Paul McDougall, “Social Networking Here to Stay Despite Security Risks,” Information Week , May 12,
2011, www.informationweek.com/news/security/privacy/229500138 .
10. Chris Nerney, “5 Top Social Media Security Threats,” Network World , May 31, 2011, www.network-d
world.com/news/2011/053111-social-media-security.html .
11. C. Savage, “Soldier Admits Providing Files to WikiLeaks,” New York Times , February 23, 2013, wwws
.nytimes.com/2013/03/01/us/bradley-manning-admits-giving-trove-of-military-data-to-wikileaks
.html?ref=bradleyemanning&_r=0 (accessed May 19, 2013).
12. Ibid.
13. Twitter Statistics, Statistic Brain, www.statisticbrain.com/twitter-statistics/ (accessed May 18, 2013).
14. LinkedIn, “About Us,” www.linkedin.com/about-us (accessed May 18, 2013).
15. Sharon Nelson, John Simek, and Jason Foltin, “Capturing Quicksilver: Records Management for
Blogs, Twittering and Social Networks,” Sensei Enterprises, 2009, www.senseient.com/storage/articles/
Capturing_Quicksilver (accessed December 10, 2013).
16. This discussion and the next quotes in this section are from Patricia C. Franks, Records and Information
Management (Chicago: American Library Association Neal-Schuman, 2013), p. 179.t
17. Sharon Nelson and John Simek, “Mitigating Legal Risks of Using Social Media,” Information Manage-
ment 45, no. 5 (September/October 2011), ARMA International.t
18. Liz Gannes, “Saving the Social Web for Later Use: Jolicloud Organizes Everything You’ve Shared,
Liked, and Favorited,” March 19, 2012, http://allthingsd.com/20120319/saving-the-social-web-for-
later-use-jolicloud-organizes-everything-youve-shared-liked-and-favorited/ .
19. Nick Summers, “Jolicloud Rebrands Its Unifi ed Cloud Platform as Jolidrive, Adds the Ability to View
and Edit Files,” TNW , March 6, 2013, http://thenextweb.com/insider/2013/03/06/jolicloud-rebrands-its-WW
unifi ed-cloud-service-as-jolidrive-adding-the-ability-to-edit-and-view-fi les/ (accessed May 18, 2013).
20. Social Folders, “About Us,” http://socialfolders.me/about-us/ (accessed May 18, 2013).
21. Andy Opsahl, “Backing Up Twitter and Facebook Posts Challenges Governments,” Government
Technology , January 20, 2010, www.govtech.com/policy-management/Backing-Up-Twitter-and-Face-
book-Posts.html?utm_source=related&utm_medium=direct&utm_campaign=Backing-Up-Twitter-
and-Facebook-Posts .
22. Ibid.
23. The next discussion is based on Franks, “How Federal Agencies Can Effectively Manage Records.”
24. Nelson and Simek, “Mitigating Legal Risks of Using Social Media.”
25. Ibid.
26. Best Buy Social Media Policy, http://forums.bestbuy.com/t5/Welcome-News/Best-Buy-Social-Media-
Policy/td-p/20492 (accessed December 10, 2013).
27. The next discussion is based on Rakesh Madhava, “10 Things to Know about Preserving Social Media,”
Information Management (September/October 2011): 34–35, 37. ARMA International.t
28. Federal Rules of Civil Procedure, http://www.uscourts.gov/uscourts/rulesandpolicies/rules/cv2009
(accessed 2/20/14).
29. Franks, Records and Information Management , p. 151. t
30. Ibid., pp. 36–37.
31. Guidelines here and in the next section are from New York State Archives, “Records Advisory: Preliminary
Guidance on Social Media,” May 24, 2010, www.archives.nysed.gov/a/records/mr_social_media.shtml .

http://www.archives.gov/records-mgmt/bulletins/2011/2011-02.html

http://www.snapchat.com/

http://vine.com/

http://www.citeworld.com/social/21893/facebook-twitter-rule-enterprise

http://www.internetevolution.com/document.asp?doc_id=173854

http://www.businessofgovernment.org/sites/default/files/How%20Federal%20Agencies%20Can%20Effectively%20Manage%20Records%20Created%20Using%20New%20Social%20Media%20Tools

http://www.informationweek.com/news/security/privacy/229500138

Twitter Statistics

http://www.linkedin.com/about-us

http://www.senseient.com/storage/articles/Capturing_Quicksilver

http://allthingsd.com/20120319/saving-the-social-web-for-later-use-jolicloud-organizes-everything-youve-shared-liked-and-favorited/

http://thenextweb.com/insider/2013/03/06/jolicloud-rebrands-its-unified-cloud-service-as-jolidrive-adding-the-ability-to-edit-and-view-files

http://socialfolders.me/about-us/

http://www.govtech.com/policy-management/Backing-Up-Twitter-and-Facebook-Posts.html?utm_source=related&utm_medium=direct&utm_campaign=Backing-Up-Twitter-and-Facebook-Posts

http://forums.bestbuy.com/t5/Welcome-News/Best-Buy-Social-Media-Policy/td-p/20492

http://www.uscourts.gov/uscourts/rulesandpolicies/rules/cv2009

http://www.archives.nysed.gov/a/records/mr_social_media.shtml

http://www.archives.gov/records-mgmt/bulletins/2011/2011-02.html

http://www.citeworld.com/social/21893/facebook-twitter-rule-enterprise

http://www.businessofgovernment.org/sites/default/files/How%20Federal%20Agencies%20Can%20Effectively%20Manage%20Records%20Created%20Using%20New%20Social%20Media%20Tools

http://www.senseient.com/storage/articles/Capturing_Quicksilver

271
Information
Governance for Mobile
Devices*
C H A P T E R 14
* Portions of this chapter are adapted from Chapter 7 , Robert F. Smallwood, Safeguarding Critical E-Documents: Imple-
menting a Program for Securing Confi dential Information Assets , © John Wiley & Sons, Inc., 2012. Reproduced withs
permission of John Wiley & Sons, Inc.
T
he use of mobile devices is ubiquitous in today’s society. According to CTIA (the
Wireless Association), over 326 million mobile devices were in use within the
United States as of December 2012. 1 This is a more than 100 percent penetra-
tion rate, since many users have more than one mobile device, and usage continues
to grow. Citizens of China, India, and the European Union (EU) have even greater
mobile phone usage than those in the United States.
Mobile computing has vastly accelerated in popularity over the last decade. Sev-
eral factors have contributed to this: Improved network coverage, physically smaller
devices, improved processing power, better price points, a move to next-generation
operating systems (OSs) such as Google’s Android and Apple’s iOS, and a more mobile
workforce have fueled the proliferation of mobile devices.
Mobile devices include laptops, netbooks, tablet PCs, personal digital assistants
(PDAs) such as BlackBerries, and smartphones such as Apple’s iPhone and those based
on Google’s Android platform. What used to be simple cell phones are now small com-
puters with nearly complete functionality and some unique communications capabilities.
These devices all link to an entire spectrum of public and private networks.
Gartner has estimated that “by 2016, 40 percent of the global workforce will be mobile ,
with 67 percent of workers using smartphones” 2 (emphasis added).
With these new types of devices and operating environments come new demands
for information governance (IG) policies and unknown security risks. 3 The Digital
Systems Knowledge Transfer Network, a UK think tank, found: “The plethora of mo-
bile computing devices fl ooding into the market will be one of the biggest ongoing
security challenges [moving forward].” “With mobile devices connecting to Wi-Fi and
Bluetooth networks, there are suddenly many more opportunities [for hackers] to get
in and steal personal information.”4
Due to this rapid shift toward mobile computing, companies with mobile person-
nel, such as salespeople and service technicians, need to be aware of and vigilant toward
these impending security threats, which can compromise confi dential information.
Securing mobile devices is critical: A survey by Aberdeen Group, an IT research
and analysis fi rm, estimates that that data leakage or loss can cost an organization anywhere
from $10,600 to over $400,000 . 5

272 INFORMATION GOVERNANCE
The reality is that most mobile devices are not designed with security in mind ; in fact, d
some compromises have been made to enable new smartphone operating systems to
run on a variety of hardware, such as the Android OS from Google. This is analogous
to the trade-offs Microsoft made when developing the Windows OS to run across a
variety of hardware designs from many PC manufacturers.
Smartphone virus infections are particularly diffi cult to detect and thorny to
remove. Users may be unaware that all their data is being monitored and captured and
that a hacker is waiting for just the right time to use it. Businesses can suffer economic
and other damage, such as erosion of information assets or even negative goodwill
from a damaged image.
The smartphone market is rapidly expanding with new developments almost daily,
each providing criminals with a new opportunity. An International Data Corporation
report indicated that “ smartphone sales outpaced PC sales for the fi rst time ever in the fourth
quarter of 2010 , with 100.9 million smartphones shipped versus 92.1 million PCs” (em-
phasis added). 6 The growth in smartphone sales and new services from banks—such as
making deposits remotely by snapping a picture of a check—means that there are new
and growing opportunities for fraud and identity theft.
Awareness and education are key. The fi rst line of defense is for users to better under-
stand cybercriminal techniques and to become savvier in their use of information and commu-
nications technologies. s
A large part of the battle will be won when biometric authentication technolo-
gies (those that use retina, voice, and fi ngerprint recognition) are mature enough
to positively identify a user to ensure the correct person is accessing fi nancial or
confi dential accounts. Application suppliers are fi rst concerned about functionality
and widespread adoption; security is not their top priority. Users must be aware and
vigilant to protect themselves from theft and fraud. On a corporate level, organi-
zations must step up their training efforts in addition to adding layers of security
technology to safeguard critical electronic documents and data and to protect infor-
mation assets.
Social engineering —using various ways of fooling the user into providing privategg
data—is the most common approach criminal hackers use , and it is on the rise. Machines do
their job, and software performs exactly as it is programmed to do, but human beings
are the weakest link in the security chain. As usage trends in the direction of a more
mobile and remote workforce, people need to be trained as to what threats exist and
constantly updated on new criminal schemes and approaches. This training is all part
of an overall IG effort, controlling who has access to what information, t when, and from
where.
With more and more sensitive business information being pushed out to mo-
bile devices (e.g., fi nancial spreadsheets, business contracts, strategic plans, etc.)
and advancing and evolving threats to mobile the mobile realm, IG becomes an
imperative; and the most important part of IG is that it is done on an ongoing basis, con-
sistently and regularly . Policies must be reviewed when a new mobile device starts
to be utilized, when new threats are uncovered, as employees use unsecured public
Wi-Fi networks more and more, and as business operations change to include more
and more mobile strategies. Information technology (IT) divisions must ensure
their mobile devices are protected from the latest security risks, and users must
regularly be apprised of changing security threats and new criminal approaches by
hackers.

INFORMATION GOVERNANCE FOR MOBILE DEVICES 273
Mobile device management (MDM) is critical to secure confi dential informa-t
tion assets and managing mobile devices. Some available technologies can wipe devices
free of confi dential documents and data remotely, even after they are lost or stolen.
These types of utilities need to be deployed to protect an enterprise’s information
assets.
Current Trends in Mobile Computing
With the rapid pace of change in mobile computing, it is crucial to convey an under-
standing of trends, to better know what developments to anticipate and how to plan
for them. When a new mobile device or operating system is released, the best thing
may be to wait to see what security threats pop up. It is important to understand the
direction mobile computing usage and deployment are taking in order to plan and
develop IG policies to protect information assets.
From CIOZone.com, here are the top trends in mobile computing:
1. Long Term Evolution (LTE). The so-called fourth generation of mobile
computing (4G) is expected to be rolled out across North America over the
next several years [2013–2015], making it possible for corporate users to
run business applications on their devices simultaneously with Voice over
IP (VoIP) capabilities.
2. WiMax [Worldwide Interoperability for Microwave Access]. As LTE andx
WiMax networks are deployed in the U.S. through [2013 and beyond],
expect to see more netbooks and laptops equipped with built-in radio fre-
quency identifi cation (RFID) and wireless support. [WiMax is protocol
for communications that provides up to 40 megabits/second speeds (much
faster than Wi-Fi) for fi xed and mobile Internet access. The next IEEE
802.16m update will push the speed to up to 1 gigabyte bit/second fi xed
speeds.]
3. 3G and 4G interoperability. Sprint has developed a dual mode card which
will enable mobile device users to work on both 3G and 4G networks.
Other carriers are expected to follow suit.
4. Smartphone applications. Third-party software vendors will increasingly
make enterprise applications available for smartphones, including inven-
tory management, electronic medical records management, warehousing,
distribution and even architectural and building inspection data for the
construction industry.
5. GPS. Global Positioning Systems (GPS) will increasingly be used to iden-
tify end users by their whereabouts and also to analyze route optimization
for delivery workers and service technicians.
6. Security. As new and different types of mobile devices are introduced, cor-
porate IT departments will fi nd it increasingly challenging to identify and
authenticate individual end users. As such, expect to see a combination of
improvements in both Virtual Private Network (VPN) software and hard-
ware-based VPNs to support multiple device types.

274 INFORMATION GOVERNANCE
7. Antivirus. As more third-party business applications are made available on
smartphones and other mobile devices, CIOs [chief information offi cers]
will also have to be cognizant about the potential for viruses and worms.
8. Push-button applications. Let’s say a waste disposal truck arrives at an indus-
trial site and is unable to empty a Dumpster because a vehicle is blocking
its path. Smartphones will increasingly have applications built into them
that would make it possible for the disposal truck driver to photograph
the impeding object and route the picture to a dispatcher to document and
time-stamp the obstruction.
9. Supplemental broadband. As carriers implement LTE and WiMax networks,
companies such as Sprint and Verizon are looking at potentially extending
wireless broadband capabilities to small businesses which don’t have fi ber
optic or copper connections on the ground. Under this scenario, a small
packaging company in New Jersey could potentially be able to receive T-1
level (high-speed) broadband capabilities in regions of the U.S. where it has
offi ces but doesn’t have wireline broadband connections.
10. Solid State Drives (SSDs). Corporate customers should expect to see contin-
ued improvements in the controllers and fi rmware built into SSDs in order
to improve the longevity of the write cycles in notebooks. 7
Security Risks of Mobile Computing
Considering their small size, mobile computing devices store a tremendous amount of
data, and storage capacities are increasing with the continued shrinking of circuits and
advancement in SSD technologies. Add to that the fact that they are highly portable
and often unsecured and you have a vulnerable mix that criminals can target. Consid-
ering how often people lose or misplace their mobile devices daily, and what valuable
targets they are for physical theft (this author had a laptop stolen in the Barcelona air-
port, right from under his nose), and it is clear that the use of mobile devices represents
an inherent security risk.
But they do not have to be lost or stolen to be compromised, according to Stan-
ford University’s guidelines, which are intended to help mobile computing device us-
ers protect the information the devices contain. “ Intruders can sometimes gain all the
access they need if the device is left alone and unprotected, or if data is ‘sniffed out of the air’
during wireless communications” s 8 (emphasis added). The devices can be compromised
with the use of keystroke loggers that capture every single entry a user makes. This can
be done without the user having any knowledge of it. That means company passwords,
confi dential databases, and fi nancial data (including personal and corporate credit card
numbers) are all at risk.
Securing Mobile Data
The fi rst and best way to protect confi dential information assets is to remove confi dential, un-
necessary, or unneeded data from the mobile device. Confi dential data should not be stored
on the device unless explicit permission is given by the IT department, business unit

INFORMATION GOVERNANCE FOR MOBILE DEVICES 275
head, or the IG board to do so. This includes price lists, strategic plans, competi-
tive information, photo images of corporate buildings or coworkers, and fi nancial data
such as tax identifi cation numbers, company credit card or banking details, and other
confi dential information.
If it is necessary for sensitive data to be stored on mobile devices, there are options to secure
the data more tightly, using USB drives, fl ash drives, and hard drives that have integrated
digital identity and cryptographic (encryption) capabilities.
Mobile Device Management
MDM software helps organizations to remotely monitor, secure, and manage devices
such as smartphones and tablet PCs. 9 MDM improves security and streamlines
enterprise management of mobile devices by providing ways to contact the remote
devices individually or en masse to add, upgrade, or delete software, change
confi guration settings, and “wipe,” or erase, data, and make other security-related
changes and updates. More sophisticated MDM offerings can manage not only
homogenous company-owned mobile devices but also those that employees use in the
workplace in a bring-your-own-device (BYOD) environment.
The ability to control confi guration settings and secure data remotely allows or-
ganizations to better manage and control mobile devices, which reduces the risk of
data leakage and reduces support costs by providing more uniformity and the ability
to monitor enforce company-dictated IG policy for mobile devices.
Key vendors in the MDM marketplace include AirWatch, Apple (Profi le Man-
ager) AppSense, BoxTone, Centrify, Citrix, Good Technology, IBM (Endpoint Man-
ager for Mobile Devices), LANDesk, MobileIron, SAP (Afaria MDM), and Symantec
(Mobile Management Suite).
Rapid growth is expected in the MDM marketplace, with Gartner projecting that
nearly two-thirds of organizations will deploy MDM software by 2018. 10 And Frost &
Sullivan projects that “the market for enterprise MDM will grow from $178.6 million
in 2011 to $712.4 million by 2018.” 11
Trends in MDM
Six key trends in the MDM marketplace are discussed next.
1. MDM software expansion and maturity. Many experts believe that MDM will
develop and reach beyond just mobile endpoints to include deep integration
with mobile infrastructure and applications (apps). 12 What is important is
securing and authenticating data. To ensure that, MDM must expand beyond
remote device locking, tracking, and wiping. A more comprehensive life
cycle management approach will emerge beginning with the acquisition or
introduction of the device into the enterprise network until its retirement or
destruction. In addition, monitoring and controlling costs through integrated
expense management will likely occur.
2. Consolidation of MDM major players. Acquisitions by Citrix, Good Technology, TT
and others signal that fewer but stronger market leaders are likely to emerge.

276 INFORMATION GOVERNANCE
3. Cloud-based MDM. This will become the norm, not the exception, and it will
happen quite rapidly.
4. Emphasis on mobile device policy. Technology can do only so much—an orga-
nization must have its IG policies, processes, and audit practices formalized,
tested, and monitored. The IT department must have clear direction on which
data and devices to monitor and secure, and employee rights and responsibili-
ties must be clearly delineated and communicated.
5. Diversifying and expanding mobile monitoring and security. This means that
MDM may go beyond today’s mobile devices and include remote instruments
and machines that are churning out data in applications, such as process man-
agement, transportation management, and enterprise resource management.
6. Infrastructure consolidation. The currently disparate pieces, including social
computing, mobile computing, and cloud computing, may consolidate and
become the new construct for the infrastructure paradigm. This means that
tools will emerge to manage all these pieces in a centralized and holistic way.
IG for Mobile Computing
Stanford University’s guidelines are a helpful foundation for IG of mobile devices.
They are “relatively easy to implement and use and can protect your privacy” and
safeguard data “in the event that the device becomes compromised, lost or stolen.” 13
Smartphones and Tablets
■ Encrypt communications. For phones that support encrypted communication
(secure sockets layer [SSL], virtual private network [VPN], hypertext transfer
protocol secure [https]), always confi gure defaults to use encryption.
■ Encrypt storage. Phones approved to access confi dential information assets must
encrypt their bulk storage with hardware encryption.
■ Password protect. Confi gure a password to gain access and or use the device.
Passwords for devices that access confi dential information assets should be at
least seven characters in length and use upper- and lowercase letters as well as
some numerical characters. Passcodes should be changed every 30 days.
■ Timeout. Set the device so that it is locked after a period of idleness or timeout,
perhaps as short as a few minutes.
■ Update. Keep all system and application patches up to date, including mobile
OSs and installed applications. This allows for the latest security measures and
patches to be installed to counter ongoing threats.
■ Protect from hacking. Phones approved to access confi dential and restricted data
must not be jailbroken (hacked to gain privileged access on a smartphone us-
ing the Apple iOS) or rooted (typically refers to jailbreaking on a smartphone
running the Android OS). The process of rooting varies widely by device. It
usually includes exploiting a security weakness in the fi rmware shipped from
the factory. “‘Jailbreaking’ and ‘rooting’ removes the manufacturer’s protection
against malware.”
■ Manage. Phones approved to gain access to confi dential information assets
must be operating in a managed environment to maintain the most current
security and privacy settings, and monitor use for possible attacks.

INFORMATION GOVERNANCE FOR MOBILE DEVICES 277
Portable Storage Devices
These include thumb drives or memory sticks, removable hard drives, and even
devices like iPods that are essentially mobile disc storage units with extra bells and
whistles.
■ Create a user name and password to protect the device from unauthorized ac-d
cess—especially if lost or stolen.
■ Utilize encryption to protect data on devices used to store and/or transport con-
fi dential information assets.
■ Use additional levels of authentication and management for accessing the device,t
where possible.
■ Use biometric identifi cation to authenticate users, where possible.
Laptops, Netbooks, Tablets, and Portable Computers
■ Password protect. This is the most basic protection, yet it is often not used. Cre-
ate a user name and password to protect the device from unauthorized access;
require that they are entered each time the computer is used.
■ Timeout. Require that the password is reentered after a timeout period for the
screensaver.
■ Encrypt. Laptops, notebooks, or tablets used to access confi dential information
assets should be required to be encrypted with whole disk encryption.
■ Secure physically. Physical locks should be used “ whenever the system is in a station-
ary location for extended periods of times.” s
Building Security into Mobile Applications
While it is a relatively new channel, mobile electronic commerce (e-commerce) is
growing rapidly, and new software apps are emerging for consumers as well as business
and public sector enterprises. These apps are reducing business process cycle times
and making the organizations more agile, more effi cient, and more productive. Some
key strategies can be used to build secure apps.
As is the case with any new online delivery channel, security is at the forefront
for organizations as they rush to deploy or enhance mobile business apps in the fast-
growing smartphone market. Their priorities are different from those of the software
developers churning out apps.
In the banking sector, initially many mobile apps limited customers to a walled-off
set of basic functions—checking account balances and transaction histories, fi nding
a branch or automated teller machine location, and initiating transfers—but “a new
wave of apps is bringing person-to-person payments, remote deposit capture and bill
pay to the mobile channel. Simply, the apps are getting smarter and more capable. But
with those capabilities comes the potential for greater threats”s 14 (emphasis added).
Security experts state that the majority of the challenges that could result from
mobile fraud have not been seen before. Mobile e-commerce is relatively new and
has not been heavily targeted—yet. But industrial espionage and the theft of trade
secrets by targeting mobile devices is going to be on the rise and the focus of rogue
competitive intelligence-gathering organizations. User organizations have to be even

278 INFORMATION GOVERNANCE
more proactive, systematic, and diligent in designing and deploying mobile apps than
they did with Web-based apps.
Software developers of mobile apps necessarily seek the widest audience possible,
so they often deploy them across multiple platforms, which forces some security trade-
offs: Enterprises have to build apps for the “strengths and weaknesses intrinsic to every device,
which adds to the security challenges”15 (emphasis added).
A side effect of mobile app development efforts from the user perspective is that
it can reshape the way users interact with core information management (IM) applica-
tions within the enterprise.
The back-offi ce IM systems, such as accounting, customer relationship manage-
ment, human resources, and other enterprise apps that are driving online and mobile,
are the same as before, but the big difference comes in how stakeholders (employees,
customers, and suppliers) are interacting with the enterprise. In the past, when deploy-
ing basic online applications for browser access, there was much more control over the
operating environment; with newer mobile applications running on smartphones and
tablets, that functionality has been pushed out to end user devices.
Real Threats Are Poorly Understood
The list of threats to mobile apps is growing, and existing threats are poorly under-
stood, in general. They are just too new, because mobile commerce by downloadable
app is a relatively new phenomenon—the Apple iTunes App Store and the Android
Marketplace debuted in the second half of 2008. “But that doesn’t mean the threat isn’t
real—even if the app itself is not the problem.” 16 The problem could be the unsecure
network users are on or a device infection of some sort.
For mobile apps, antivirus protection is not the focus as it is in the PC world; the
security effort mostly focuses on keeping malware off the device itself by addressing
software development methods and network vulnerabilities. Surely, new types of at-
tacks on mobile devices will continue to be introduced. That is the one thing that can
be counted on.
There already have been some high-profi le examples of mobile devices being
compromised. For example, in 2010:
New York–based Citibank’s iPhone app was found to be storing customers’
[private] data on their phones, with obvious privacy implications [and expos-
ing it to theft and fraud]. Meanwhile, Google (New York) has had to pull a
number of apps from the Android Marketplace built by an anonymous [crim-
inal] developer who was creating fake bank apps [with realistic and usable
features] that attempted to exploit information on users’ devices to commit
banking and [credit] card fraud.
There are many more examples, but the cited incidents make it imperative to
understand the mobile app marketplace itself in order that effective IG policies and
controls may be developed, deployed, and enforced. Simply knowing how Google has
approached soliciting app development is key to developing an IG strategy for Android
devices. Google’s relatively open-door approach initially meant that almost anyone
could develop and deploy an app for Google Android. Although the policy has evolved
somewhat to protect Android users, it is still quite easy for any app developer—well

INFORMATION GOVERNANCE FOR MOBILE DEVICES 279
intentioned or malicious—to release an app to the Android Marketplace. This in
itself can pose a risk to end users, who sometimes cannot tell the difference between
a real app released by a bank and a banking app built by a third party, which may be
fraudulent. Apple has taken a more prudent and measured approach by enforcing a
quality-controlled approval process for all apps released to its iTunes App Store. Sure,
it slows development, but it also means apps will be more thoroughly tested and secure.
Both approaches have their positives and negatives the companies and for the de-
vice users. But clearly, Apple’s curated and quality-controlled approach is better from
a security risk standpoint.
Understanding the inherent strengths and, perhaps more important, weaknesses
of specifi c mobile hardware devices and OS—and their interaction with each other—
is key when entering the software design phase for mobile apps.
The development environment is altogether different. Windows programmers
will experience a learning curve. Mobile apps under Android or Apple OS operate in a
more restricted and less transparent fi le management environment.
Bearing that in mind—regardless of the mobile OS—fi rst ensure that data is secured, —
and then check the security of the application itself. That is, practice good IT governance to
ensure that the software source code is also secure. Malicious code can be inserted into
the program; once it is deployed, hackers will have an easy time stealing confi dential
data or documents.
Innovation versus Security: Choices and Trade-offs
As organizations deploy mobile apps, they must make choices, given the limited or
confi ned software development environment and the need to make agile, intuitive apps
that run fast so users will adopt them. To ensure that a mobile offering is secure, many
businesses are limiting their apps’ functionality. So stakeholder users get mobile access
that they didn’t have before and a new interface with new functionality, but it is not
possible to offer as much functionality as in Web apps. And more security means some
sacrifi ces and choices will need to be made versus speed and innovative new features.
Some of the lessons learned in the deployment of online Web apps still apply to
mobile apps. Hackers are going to try social engineering like phishing (duping users
into providing access or private information) and assuming the identity of an account
holder, bank, or business. They will also attempt man-in-the-middle attacks. (More on
that topic soon).
With mobile applications, typically the app is operated directly on a mobile de-
vice, such as a smartphone. This is a key difference between apps and traditional PC-based
interfaces that rely on browser access or using basic mobile phone text messaging. Connect-
ing to a business via app can be more secure than relying on a browser or texting
platform, which require an additional layer of software (e.g., the browser, texting
platform, or Wi-Fi connection) to execute sensitive tasks. These security vulnerabili-
ties can compromise the safety of information transmitted to a secure site. Thank-
fully, if the app is developed in a secure environment, it can be entirely self-contained, and
the opportunity to keep mobile data secure is greatest when using the app as opposed to a
browser-based platform.
This is because a mobile app provides a direct connection between the user’s de-
vice and the business, governmental agency, or e-commerce provider. Some security
experts believe that mobile apps potentially could be more secure than browser-based

280 INFORMATION GOVERNANCE
access from the desktop because they can communicate on an app-to-app (or comput-
er-to-computer) level.
In fact, “a customer using a bank app on a mobile network might just be safer than
a customer accessing online banking on a PC using an open Wi-Fi connection” that
anyone can monitor.
How do you combat this browser-based vulnerability if it is required to access an
online interface? The most effective and simplest way to counter security threats in the PC-
based browser environment and to eliminate man-in-the-browser or man-in-the-middle r
attacks is to use two different devices rather than communicate over a standard Internet s
connection. This approach can be built into IG guidelines.
Consider this: Mobile apps actually can bring about greater security. For exam-
ple, do you receive alerts from your bank when hitting a low-balance threshold?
Or a courtesy e-mail when a transaction is posted? Just by utilizing these types of
alerts—and they can be applied to any type of software application beyond bank-
ing—tech-savvy users themselves can serve as an added layer of protection. If they
receive an alert of account activity regularly, they may be able to identify fraudulent
activity immediately and take action to counter it and stop it in its tracks, limiting
the damage and potential exposure of additional private data or confi dential infor-
mation assets.
Best Practices to Secure Mobile Applications
Mobile computing is not going away; it is only going to increase in the future. Most
businesses and governments are going to be forced to deploy mobile apps to compete
and provide services customers will require. There is the potential for exposure of
confi dential data and e-documents, but this does not mean that organizations must shy
away from deploying mobile apps. 17 Some proven best practice approaches can help to
ensure that mobile apps are secure.
Some steps can be taken to improve security—although there can never be any
guarantees— and some of these should be folded into IG guidelines in the policy de-
velopment process. BankTech magazine identifi ed six best practices that can shape an
organization’s app development process:
1. Make sure your organization or outside development fi rm uses seasoned
application developers who have had secure-coding training and use a se-
cure software development life cycle (SDLC).
2. [Developed for banking apps, this approach can be applied to other vertical
apps too.] Follow the guidance suggested by the Federal Deposit Insur-
ance Corp. (FDIC FIL-103-2005) regarding authentication in an Inter-
net banking environment. The guidance describes enhanced authentication
methods, such as multifactor authentication, that regulators expect banks to
use when authenticating the identity of customers using the bank’s online
products and services.
3. Make sure that the customer (or employee) is required to re-enter his or her
credentials after a certain time period to prevent someone other than the mo-d
bile device’s owner from obtaining access to private account information.

INFORMATION GOVERNANCE FOR MOBILE DEVICES 281
4. Hire an information security expert to assess the security around your mobile t
application servers. Unfortunately, an organization’s servers are often over-
looked during a risk assessment, as they require a specialized skill set to test d
them.
5. Encrypt sensitive data that is stored on a mobile device and account data that
travels from the handset across the Internet. Ensure that the encryption is
implemented properly.
6. Hire a security expert to test the security of a mobile application before you
implement it across your customer base. 18 (Emphasis added throughout.)
Developing Mobile Device Policies
Where do you start? Developing a comprehensive mobile strategy is key before you
craft your mobile device policies. You will need input from a variety of stakeholders,
and you will need to understand where mobile devices fi t in your overall technology
infrastructure and strategy. Here are some best practices for developing your mobile
device policies.
1. Form a cross-functional mobility strategy team. You will need the input of primary
stakeholder groups, including IT, fi eld business units, and human resourc-
es (for policy creation and distribution). Your strategy development process
should also tap into the expertise of your risk management, compliance, re-
cords management, and legal departments. The aim will be to balance risks
and benefi ts to improve employee productivity and guard against risk while
focusing on the goals and business objectives of the organization. 19
2. Clarify goals for your mobile strategy. Start your discussion with the big picture,
the “30,000 foot view” of the business drivers, challenges, threats, and op-
portunities that mobile computing provides in today’s technology context and
your business context. Draw a direct line from your mobile business needs to
your planned mobile support strategy and infrastructure. Keep your business
goals in mind and link them to the discussion.
3. Drill down into policy requirement details. You may want to survey other exist-
ing mobile device policies to inform your mobility strategy team. Those from
peer organizations and competitors will be most relevant. Then start with
the basics: which types of devices and OS make sense for your organization
to support, what changes and trends are occurring in the technology market-
place, which sensitive e-documents and data you must protect (or disallow) on
mobile devices, and what available security technologies (e.g. MDM, mobile
VPNs, encryption, information rights management) you might deploy. It may
be helpful to segment your mobile users into broad categories, and break out a
list of their specifi c business needs related to mobile computing. Your strategy
and policies for executives will be somewhat different than those for users in
fi eld business units. And you will need BYOD policies if your organization
opts to go this route.
4. Budgeting and expense control. Is the organization going buy devices and pay all
mobile expenses through direct billing each month? What cost controls need

282 INFORMATION GOVERNANCE
to be in place? Or will mobile device use expenses be reimbursed by a fl at
rate or by processing expense reports? What about BYOD? Roaming charge
limits? Decisions on the fi nancial and cost control aspects of mobile comput-
ing use must be made by your mobility policy team, under the guidance of an
executive sponsor.
5. Consider legal aspects and liability issues. Consult your legal counsel on this.
What key laws and regulations apply to mobile use? Where could users run
afoul? What privacy and security issues are most prominent to consider? What
about the private data that users may hold on their own (BYOD) devices? An
overarching consideration is to maintain security for private information and
to have a policy in place for data leaks and lost or stolen devices. That includes
your policy on remote “wipes” of sensitive data or perhaps all data.l
6. Weigh device and data security issues. Since most mobile devices—especially
smartphones—were not designed with security as a foremost consideration,
you must take steps to protect your sensitive data and to secure the devices
themselves without impeding business or making operation too diffi cult for
the end user. The world of mobile computing presents new challenges that
were not present when IT had full control of endpoint devices and internal
networks. Clear mobile security policies and controls must be in place.
7. Develop your communications and training plan. Users must be apprised and re-
minded of your mobile device policy if they are going to adhere to it. They
also need to know the consequences of violating your policies. Your commu-
nications and training plan should be creative—from wall posters to text and
e-mail messages, from corporate newsletters to group training sessions. You
may want to fi rst pilot your new policy with a small group of users. But com-
munication and training are key: A perfect mobile device policy will not work
if it is not communicated properly and users are not trained properly.
8. Update and fi ne-tune. There will be some misses, some places where after your
deploy your mobile policy you fi nd room for improvement. You will receive
user feedback, which should be considered too. And there will be changes in
the technology marketplace and user trends. A program must be in place to
periodically (every six months, perhaps) review your mobile device policy and
any audit information to make improvements in the policy.
If your organization sanctions the use of mobile devices, you must have a clear,
updated IG policy for their use, and you must be able to monitor, test, and audit com-
pliance with the policy. Bear in mind that mobile devices are inherently unsecured
and have many vulnerabilities, and you will have to consider possible security threats.
If your organization plans to utilize a BYOD approach, your support for mobile de-
vices will be more challenging and complex. Critical to success in leveraging mobile
devices is training employees on your IG policy and policy updates and consistently
reinforcing the message of cautiousness with confi dential company data. If you are us-
ing mobile devices to conduct business, there will be business records that are created
that must be captured and archived with their integrity and authenticity intact. All
information on an employee’s smartphone or tablet is potentially discoverable in legal
proceedings, so you must include your legal team in policy development and periodic
updates. Mobile device use can allow for great productivity gains, but the gains come
with associated risks.

INFORMATION GOVERNANCE FOR MOBILE DEVICES 283
Notes
1. CTIA, “Wireless Quick Facts,” www.ctia.org/advocacy/research/index.cfm/aid/10323 (accessed
May 13, 2013).
2. Alan Joch, “How to Create an Effective Mobile Device Policy,” Biztech , www.biztechmagazine.com/
article/2013/03/how-create-effective-mobile-device-policy , March 26, 2013.
3. “Current Mobile Computing Calls for Security as Powerful as Titanium,” http://techreview.blogpool
.co.uk/2011/02/10/modern-day-mobile-computing-calls-for-security-as-powerful-as-titanium
(accessed March 30, 2012).
CHAPTER SUMMARY: KEY POINTS
■ The plethora of mobile computing devices fl ooding into the market will be
one of the biggest ongoing security challenges moving forward.
■ An IDC report indicated that smartphone sales outpaced PC sales for the fi rst
time ever in the fourth quarter of 2010.
■ As businesses work to deploy mobile apps, they walk a fi ne line between in-
novation and risk. To ensure that a mobile offering is secure, many businesses
are limiting their apps’ functionality.
■ Human beings remain the weakest link in security, particularly with the in-
creasing use of mobile devices. IG policies must be established and employ-
ees must be trained to be aware of security and privacy risks.
■ Connecting to a business directly via an app can be more secure than rely-
ing on a browser or texting platform, which require an additional layer of
software.
■ Over the next several years North America will be upgrading to 4G networks,
faster WiMax will be deployed, and there will be 3G and 4G interoperability.
■ MDM software helps organizations to remotely monitor, secure, and manage
devices such as smartphones and tablet PCs.
■ There will be new enhanced security and antivirus products developed to
combat the increasing threat of cyberattacks.
■ Mobile computing security challenges require that organizations follow best
practices when developing and deploying apps. Some keys are: encrypting
sensitive data, using the secure software development life cycle (SDLC) meth-
odology and enhanced authentication methods, and hiring a security expert
to test new apps.
■ Develop a comprehensive mobile strategy before you craft your mobile de-
vice policies. You will need input from a variety of stakeholders, and you
will need to understand where mobile devices fi t in your overall technology
infrastructure and strategy.

http://www.ctia.org/advocacy/research/index.cfm/aid/10323

http://www.biztechmagazine.com/article/2013/03/how-create-effective-mobile-device-policy

http://techreview.blogpool.co.uk/2011/02/10/modern-day-mobile-computing-calls-for-security-as-powerful-as-titanium

http://www.biztechmagazine.com/article/2013/03/how-create-effective-mobile-device-policy

http://techreview.blogpool.co.uk/2011/02/10/modern-day-mobile-computing-calls-for-security-as-powerful-as-titanium

284 INFORMATION GOVERNANCE
4. Warwick Ashford, “Mobility among the Top IT Security Threats in 2011, Says UK Think Tank,”
Computer Weekly , January 7, 2011, www.computerweekly.com/Articles/2011/01/07/244797/Mobility-
among-the-top-IT-security-threats-in-2011-says-UK-think.htm (accessed March 30, 2012).
5. Ann All, “Mobile Device Management: 6 Trends to Watch,” eSecurity Planet , www.esecurityplanet.com/t
mobile-security/mobile-device-management-6-trends-to-watch.html (accessed February 8, 2013).
6. Matt Gunn, “How to Build a Secure Mobile App,” Bank Systems and Technology , July 6, 2011, www
.banktech.com/risk-management/231001058?itc=edit_stub (accessed December 19, 2011).
7. “Top Ten Trends in Mobile Computing,” CIO Zone , www.ciozone.com/index.php/Editorial-Research/
Top-Ten-Trends-in-Mobile-Computing/2.html (accessed December 19, 2011).
8. Stanford University, “Guidelines for Securing Mobile Computing Devices,” www.stanford.edu/group/
security/securecomputing/mobile_devices.html (accessed December 19, 2011).
9. Symantec, “Business Challenge: Mobile Device Management,” www.symantec.com/mobile-device-
management (accessed May 14, 2013).
10. All, “Mobile Device Management: 6 Trends to Watch.”
11. Vikrant Gandhi, “U.S. Mobile Device Management (MDM) Market,” October 4, 2012, www.frost
.com/sublib/display-report.do?ctxixpLink=FcmCtx1&searchQuery=mdm&bdata=aHR0cDovL3d3d
y5mcm9zdC5jb20vc3JjaC9jYXRhbG9nLXNlYXJjaC5kbz9xdWVyeVRleHQ9bWRtQH5AU2Vhc-
mNoIFJlc3VsdHNAfkAxMzYwMzI5NTg4NTc5&ctxixpLabel=FcmCtx2&id=NB29-01-00-00-00
12. All, “Mobile Device Management: 6 Trends to Watch.”
13. Quotes in this section are from Stanford University, “Guidelines for Securing Mobile Computing
Devices.” www.stanford.edu/group/security/securecomputing/mobile_devices.html
14. Quotations in this section are from Matt Gunn, “How to Build a Secure Mobile App,” Bank Systems
and Technology , July 6, 2011, www.banktech.com/risk-management/231001058?itc=edit_stub (accessed
March 30, 2012).
15. Ibid.
16. Ibid.
17. Beau Woods, “6 Ways to Secure Mobile Apps,” Bank Systems and Technology , May 26, 2011, www
.banktech.com/architecture-infrastructure/229700033 (accessed March 30, 2012).
18. Ibid.
19. Joch, “How to Create an Effective Mobile Device Policy.”

http://www.computerweekly.com/Articles/2011/01/07/244797/Mobility-among-the-top-IT-security-threats-in-2011-says-UK-think.htm

http://www.ciozone.com/index.php/Editorial-Research/Top-Ten-Trends-in-Mobile-Computing/2.html

http://www.stanford.edu/group/security/securecomputing/mobile_devices.html

http://www.symantec.com/mobile-device-management

http://www.frost.com/sublib/display-report.do?ctxixpLink=FcmCtx1&searchQuery=mdm&bdata=aHR0cDovL3d3dy5mcm9zdC5jb20vc3JjaC9jYXRhbG9nLXNlYXJjaC5kbz9xdWVyeVRleHQ9bWRtQH5AU2VhcmNoIFJlc3VsdHNAfkAxMzYwMzI5NTg4NTc5&ctxixpLabel=FcmCtx2&id=NB29-01-00-00-00

http://www.stanford.edu/group/security/securecomputing/mobile_devices.html

http://www.banktech.com/risk-management/231001058?itc=edit_stub

http://www.ciozone.com/index.php/Editorial-Research/Top-Ten-Trends-in-Mobile-Computing/2.html

http://www.stanford.edu/group/security/securecomputing/mobile_devices.html

http://www.banktech.com/architecture-infrastructure/229700033

285
Information
Governance for Cloud
Computing*
C H A P T E R 15
By Monica Crocker CRM, PMP, CIP, and
Robert Smallwood
* Portions of this chapter are adapted from Chapter 12 , Robert F. Smallwood, Managing Electronic Records: Methods, Best
Practices, and Technologies , © John Wiley & Sons, Inc., 2013. Reproduced with permission of John Wiley & Sons, Inc.s
C
loud computing represents one of the most signifi cant paradigm shifts in infor-
mation technology (IT) history. It may have evolved as an extension of sharing
an application-hosting provider, which has been around for a half century and
was common in highly regulated vertical industries, such as banks and health care
institutions. But cloud computing is a very different computing resource, utilizing
advances in IT architecture, system software, improved hardware speeds, and lower
storage costs.
The impetus behind cloud computing is that it provides economies of scale by
spreading costs across many client organizations and pooling computing resources
while matching client computing needs to consumption in a fl exible, (nearly) real-
time way. Cloud computing can be treated as a utility that is vastly scalable and
can be readily modulated, just as the temperature control on your furnace regulates
your energy consumption. This approach has great potential, promising on-demand
computing power, off-site backups, strong security, and “innovations we cannot yet
imagine.”1
When executives hear of the potential cost savings and elimination of capital
outlays associated with cloud computing, their ears perk up. Cloud deployments
can give users some autonomy and independence from their IT department, and
IT departments are enthused to have instant resources at their disposal and to shed
some of the responsibilities for infrastructure so they can focus on business applica-
tions. Most of all, they are excited by the agility offered by the on-demand provision-
ing of computing and the ability to align IT with business strategies more nimbly
and readily.
But for all the hoopla and excitement, there are also grave concerns about security risks
and loss of direct IT control , which call for strict information governance (IG) policies andl
processes. Managers and IT leaders who are customers of cloud computing services
are ultimately responsible for IT performance. A number of critical IG challenges as-
sociated with cloud computing must be addressed. These include privacy and security
issues, records management (RM) issues, and compliance issues, such as the ability to

286 INFORMATION GOVERNANCE
respond to legal discovery orders. In addition, there are metadata management and
custody challenges to consider. An investigation and analysis of how the cloud services
provider(s) will deliver RM capability is crucial to supporting IG functions, such as
archiving and e-discovery, and meeting IG policy requirements.
Organizations need to understand the security risks of cloud computing, and they
must have IG policies and controls in place for leveraging cloud technology to manage
electronic information before moving forward with a cloud computing strategy.
Defi ning Cloud Computing
The defi nition of cloud computing is, rather, well, g cloudy , if you will. The fl urry of
developments in cloud computing makes it diffi cult for managers and policy makers to
defi ne it clearly and succinctly, and to evaluate available options. Many misconceptions
and vagaries surround cloud computing. Some misconceptions and questions include:
■ “That hosting thing is like SaaS”
■ “Cloud, SaaS, all the same, we don’t own anything”
■ “OnDemand is Cloud Computing”
■ “ASP, Hosting, SaaS seems all the same”
■ “It all costs the same so what does it matter to me?”
■ “Why should I care if it’s multi-tenant or not?”
■ “What’s this private cloud versus public cloud?” 2
Cloud computing is a shared resource that provides dynamic access to computing services
that may range from raw computing power, to basic infrastructure, to fully operational and
supported applications.
It is a set of newer information technologies that provides for on-demand, modu-
lated, shared use of computing services remotely. This is accomplished by telecom-
munications via the Internet or a virtual private network (which may provide more
security). It eliminates the need to purchase server hardware and deploy IT infrastruc-
ture to support computing resources and gives users access to applications, data, and
storage within their own business unit environments or networks. 3 Perhaps the best
feature of all is that services can be turned on or off, increased or decreased, depending
on user needs.
There are a range of interpretations and defi nitions of cloud computing, some of
which are not completely accurate. Some merely defi ne it as renting storage space or
applications on a host organization’s servers; others center defi nitions around Web-
based applications like social media and hosted application services.
Someone has to be the offi cial referee, especially in the public sector. The Na-
tional Institute of Standards and Technology (NIST) is the offi cial federal arbiter of
“Cloud computing encompasses any subscription-based or pay-per-use service
that, in (near) real time over the Internet, extends IT’s existing capabilities.”

INFORMATION GOVERNANCE FOR CLOUD COMPUTING 287
defi nitions, standards, and guidelines for cloud computing. NIST defi nes cloud com-
puting as:
a model for enabling convenient, on-demand network access to a shared pool
of confi gurable computing resources (e.g., networks, servers, storage, applica-
tions, and services) that can be rapidly provisioned and released with minimal
management effort or service provider interaction. 4
NIST has offered its offi cial defi nition, but “the problem is that (as with Web 2.0)
everyone seems to have a different defi nition.” 5 The phrase “the cloud” has entered
the mainstream—it is promoted on prime-time TV—but its meaning and description
are in fl ux: that is, if you ask 10 different people to defi ne it, you will likely get 10 dif-
ferent answers. According to Eric Knorr and Galen Gruman in InfoWorld, it’s really
just “a metaphor for the Internet,” but when you throw in “computing” alongside it,
“the meaning gets bigger and fuzzier.” Cloud computing provides “a way to increase
capacity [e.g., computing power, network connections, storage] or add capabilities dy-
namically on the fl y without investing in new infrastructure, training new personnel,
or licensing new software. Cloud computing encompasses any subscription-based or
pay-per-use service that, in (near) real time over the Internet, extends IT’s existing
capabilities.” 6
Given the changing nature of IT, especially for newer developments, NIST has
stated that the defi nition of cloud computing “is evolving.” People looking for the lat-
est offi cial defi nition should consult the most current defi nition available from NIST’s
Web site at www.nist.gov (and other resources).
Key Characteristics of Cloud Computing
NIST also identifi es fi ve essential characteristics of cloud computing:
1. On-demand self-service. A [computing] consumer can unilaterally provision
computing capabilities, such as server time and network storage, as needed
automatically without requiring human interaction with each service’s
provider.
2. Broad network access. Capabilities are available over the network and accessed
through standard mechanisms that promote use by heterogeneous thin or
thick client platforms (e.g., mobile phones, laptops, and PDAs [personal digi-
tal assistants]).
3. Resource pooling. The [hosting] provider’s computing resources are pooled to
serve multiple consumers using a multi-tenant model, with different physi-
cal and virtual resources dynamically assigned and reassigned according to
Cloud computing enables convenient, on-demand network access to a shared
pool of confi gurable computing resources that can be rapidly provisioned.

http://www.nist.gov

288 INFORMATION GOVERNANCE
consumer demand. There is a sense of location independence in that the
customer generally has no control or knowledge over the exact location of
the provided resources but may be able to specify location at a higher level
of abstraction (e.g., country, state, or datacenter). Examples of resources
include storage, processing, memory, network bandwidth, and virtual ma-
chines.
4. Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some
cases automatically, to quickly scale out, and rapidly released to quickly scale
in. To the consumer, the capabilities available for provisioning often appear to
be unlimited and can be purchased in any quantity at any time.
5. Measured service. Cloud systems automatically control and optimize resource
use by leveraging a metering capability at some level of abstraction appro-
priate to the type of service (e.g., storage, processing, bandwidth, and active
user accounts). Resource usage can be monitored, controlled, and reported,
providing transparency for both the provider and consumer of the utilized
service.7
What Cloud Computing Really Means
Cloud computing growth is expected to continue to climb dramatically. A recent Gart-
ner study shows that the United States is the leader in adopting cloud computing, and
the market is expanding rapidly. 8 The cloud computing market is expected to grow
21 percent annually from 2012 to 2016, exceeding $16 billion in 2014 and growing to
over $22 billion in 2016. 9
The use of service-oriented architecture —which separates infrastructure, ap-
plications, and data into layers—permeates enterprise applications, and the idea of
loosely coupled services running on an agile, scalable infrastructure may eventually
“make every enterprise a node in the cloud.” That is the direction the trend is headed.
A common misconception is that an organization “moves to the cloud.” In reality,
the organization may decide to transition some specifi c business applications to the
cloud. Those specifi c business applications are selected because a cloud architecture
may offer crucial functions that the internally hosted solution does not or because the
internal solution is burdensome to maintain. Some examples of business applications
that frequently are moved to the cloud include advertising, collaboration, e-mail, of-
fi ce productivity applications, sales support solutions, customer response systems, fi le
storage, and system backups.
Another common misconception is that if your organization does not decide to
migrate to a cloud solution, you are protected from all the dangers of cloud computing.
The hard facts are that, for the vast majority of organizations, users are already putting
information in the cloud. They are simply using cloud solutions to compensate for
Among metatrends, “Cloud computing is the hardest one to argue with in
the long term.”

INFORMATION GOVERNANCE FOR CLOUD COMPUTING 289
limitations of the current environment. They may be using Box.com to get at infor-
mation when working remotely or Dropbox.com to share information with an outside
business partner. Or they are using SkyDrive get to documents from their iPad. They
may not even realize they have posted company information to a cloud environment,
so they do not realize they violated any policy against doing that. To complicate mat-
ters, they probably also left a copy of the information within your organization’s fi re-
wall. Internal users might not realize they are not using the current version, and your
records manager does not know another copy is fl oating around out there. This is
completely ungoverned information in the cloud . The best defense against it is to deliver d
solutions for those business needs so that users do not have to fi nd their own.
Cloud Deployment Models
Depending on user needs and other considerations, cloud computing services typically
are deployed using one of four models, as defi ned by NIST:
1. Private cloud. This is dedicated to and operated by a single enterprise. This is
a particularly prudent approach when privacy and security are key issues, such
as in the health care and fi nancial services industries and also for sensitive gov-
ernment or military applications and data. A private cloud may be managed by
the organization or a third party and may exist on or off premises.
2. Community cloud. Think co-ops, nonprofi t organizations, and nongovernmen-
tal organizations. In this deployment, the cloud infrastructure is shared by sev-
eral organizations and supports a specifi c community that has shared concernss
(e.g., mission, security requirements, policy, and compliance considerations).
It may be managed by the organizations or a third party and may exist on or
off premises.
3. Public cloud. Open to the public, this cloud can be maintained by a user group
or even a fan club. In this case, “the cloud infrastructure is made available to
the general public or a large industry group and is owned by an organization
selling cloud services.”
4. Hybrid cloud. This utilizes a combined approach, using parts of the aforemen-
tioned deployment models: private, community, and/or public. The cloud
infrastructure is a “ composition of two or more clouds, (private, community, or
public) that remain unique entities but are bound together by standardized
The idea of loosely coupled services running on an agile, scalable infrastruc-
ture should eventually “make every enterprise a node in the cloud.”
There are four basic cloud computing models: private, public, community,
and hybrid (which is a combined approach).

290 INFORMATION GOVERNANCE
or proprietary technology that enables data and application portability (e.g.,
cloud bursting for load-balancing between clouds)” (emphasis added). 11
Security Threats with Cloud Computing
Cloud computing comes with serious security risks—some of which have not yet been
uncovered. In planning your cloud deployment, these risks must be borne in mind
and dealt with through controls and countermeasures. Controls must be tested and
audited, and the actual enforcement must be carried out by management. Key cloud
computing security threats are discussed next, along with specifi c examples and reme-
dial measures that can be taken (fi xes). The majority of this information and quotations
are from the Cloud Security Alliance. 12
Information Loss
When information is deleted or altered without a backup, it may be lost forever.
Information also can be lost by unlinking it from its indices, deleting its identifying
metadata, or losing its encoding key, which may render it unrecoverable. Another
way data/document loss can occur is by storing it on unreliable media. And as with
any architecture—not just cloud computing—unauthorized parties must be prevented
from hacking into the system and gaining access to sensitive data. In general, pro-
viders of cloud services have more resources at their disposal than their individual
clients typically have.
Examples
■ Basic operational failures, such as server or disk drive crashes.
■ Data center reliability, backup, and disaster recovery/business continuity issues.
■ Implementation of information purging without your approval (e.g., purging
all data over three years old without regard to your retention schedule or exist-
ing legal holds).
The Fixes
■ Agreement by cloud provider to follow standard operating procedures for data
backup, archiving, and retention.
■ Standard procedures for information purges that require your signoff before
they are completed.
■ Check your insurance coverage. Are you covered for the costs or liability asso-
ciated with a breach or loss of information that is stored in the cloud?
■ Clear delineation of the process for notifying the client of a security breach or
data loss.
Cloud computing carries serious security risks—some of which have not yet
been uncovered.

INFORMATION GOVERNANCE FOR CLOUD COMPUTING 291
Information Breaches
Many times damage to information is malicious, while other times damage is
unintentional. Lack of training and awareness, for example, can cause an information user
to accidentally compromise sensitive data. Organizations must have proactive IG policies
that combat either type of breach. The loss of data, documents, and records is always a
threat and can occur whether cloud computing is utilized or not.
But the threat of data compromise inherently increases when using cloud comput-
ing, due to “the number of and interactions between risks and challenges which are
either unique to cloud, or more dangerous because of the architectural or operational
characteristics of the cloud environment.”
Examples
■ Lack of document life cycle security (DLS) technologies, such as data lossy
prevention (DLP) and information rights management (IRM) technologies.
■ Insuffi cient authentication, authorization, and audit controls to govern log-t
in access.
■ Ineffective encryption and software keys, including lost keys or inconsistent
encryption.
■ Security challenges related to persistent data or ineffective disposal methods.
■ Inability to verify disposal at the end of information lifecycle.
The Fixes
■ DLS implementation where needed to protect information from creation to
their fi nal disposition.
■ Strong encryption to protect sensitive data at rest, in use, and in transit.
■ IG policies for data and document security during the software application de-
sign phase as well as testing and auditing the controls for those policies during
live operation.
■ Secure storage, management, and document destruction practices.
■ Contractual agreement by cloud service providers to completely delete data
before storage media are reused by other clients.
■ Check your insurance coverage. Are you covered for the costs or liability asso-
ciated with a breach or loss of information that is stored in the cloud?
■ Clear delineation of the process for notifying the client of a security breach or
data loss.
The Enemy Within: Insider Threats
Since the advent of the National Security Agency controversy and the slew of examples
in the corporate world, the threat of the malicious insider is well known. “ This threat is
amplifi ed for consumers of cloud services by the convergence of IT services and customers under
Lack of training on cloud use can lead to users compromising sensitive data.

292 INFORMATION GOVERNANCE
a single management domain, combined with a general lack of transparency into provider
process and procedure” (emphasis added). It is important to understand your cloud pro-”
vider’s security procedures for its employees: How are they screened? Are background
checks performed? How is physical access to the building and data center granted and
monitored? What are its remedial procedures for noncompliance?
When these security, privacy, and support issues are not fully investigated, it cre-
ates an opportunity for identity thieves, industrial spies, and even “nation-state spon-
sored intrusion. The level of access granted could enable such an adversary to harvest
confi dential data or gain complete control over the cloud services with little or no risk
of detection.”
Examples
■ A cloud provider’s employee steals information to give or sell to one of your
company’s competitors.
■ Inadequate screening processes (by your company or a cloud provider) can
result in the hiring of people with criminal records, granting them access to
sensitive information.
■ A cloud provider’s subcontractor steals information to give or sell to one of
your company’s competitors.
■ A cloud provider’s employee allows unauthorized access to data that your com-
pany believes is secure in the cloud.
■ The physical cloud storage facility lacks security, so anyone can enter the build-
ing and access information.
The Fixes
■ Implementation of DLP and IRM technologies and related technology sets at
all stages of DLS.
■ Assessment of suppliers’ practices and complete supply chain, especially those
services that are subcontracted.
■ Screening and hiring requirements (e.g., background checks) for employees as
part of contract with cloud provider.
■ Transparent policies regarding information security, data management, com-
pliance, and reporting, as approved by the client.
■ Clear delineation of the process for notifying the client of a security breach or
data loss.
Hacking and Rogue Intrusions
Although cloud computing providers, as a rule, invest heavily in security, they also
can be the target of attacks, and those attacks can affect many client enterprises. Pro-
viders of cloud infrastructure service (e.g., network management, computing power,
It is prudent to investigate the security and personnel screening processes of
a potential cloud provider.

INFORMATION GOVERNANCE FOR CLOUD COMPUTING 293
databases, storage) offer their customers the illusion of unlimited infrastructure expan-
sion in the form of computing, network resources, and storage capacity. Often this is
coupled with a very easy sign-up process, free trials (even for anonymous users), and
simple activation with a credit card. This is a boon to hackers who can assume multiple
identities. Using these anonymous accounts to their advantage, hackers and spammers
can engage in criminal operations while remaining elusive.
Examples
■ Cloud services providers have often unknowingly hosted malicious code,
including Trojan horses, keystroke loggers, bot applications, and other pro-
grams that facilitate data theft. Recent examples include the Zeus botnet and
InfoStealer.
■ Malware can masquerade as downloads for Microsoft Offi ce, Adobe PDFs, or
other innocuous fi les.
■ Botnets can infect a cloud provider to gain access to a wide range of data, while
leveraging the cloud provider’s control capabilities.
■ Spam is a perennial problem—each new countermeasure is met with new ways
to sneak spam through fi lters to phish for sensitive data.
The Fixes
■ IG policies and monitoring controls must require tighter initial registration
and thorough user verifi cation processes.
■ IG policies and technologies to combat credit card fraud.
■ Total network monitoring, including deep content inspection.
■ Requirement that the cloud provider regularly monitor public blacklists to
check for exploitation.
Insecure Points of Cloud Connection
By their very nature, cloud computing solutions involve the movement of information.
Information moves from a workstation in your network to the cloud, from the cloud
to a mobile device user, from an external partner to the cloud and then to one of
your workstations, and so on. Further, information may be moved automatically from
an application in the cloud to an application you host internally and vice versa. The
movement of information complicates the process of securing it, as it now must be
protected at the point of origin, the point of receipt, on the device that transmits it, on
the device that receives it and at all times when it is in transit.
An application programming interface (API) is a way of standardizing the con-
nection between two software applications. APIs are essentially standard hooks that an
application uses to connect to another software application—in this case, a system in
Easy sign-up procedures for cloud services mean that hackers can easily assume
multiple identities and carry out malicious attacks.

294 INFORMATION GOVERNANCE
the cloud. System actions like provisioning, management, orchestration, and monitor-
ing can be performed using these API interfaces.
It comes down to this: A chain is only as strong as its weakest link, so APIs must
be thoroughly tested to ensure that all connections abide by established policy. Doing this will
thwart hackers seeking work-arounds for ill intent as well as valid users who have made
a mistake. It is possible for third parties to piggyback value-added services on APIs,
resulting in a layered interface that is more vulnerable to security breaches.
Examples
■ Anonymous logins and reusable passwords can undermine the security of an
entire cloud community.
■ Unencrypted transmission or storage and unencrypted verifi cation allow suc-
cessful man-in-the-middle data theft.
■ Rigid basic access controls or false authorizations pose a threat.
■ Poor management, monitoring, and recording of cloud logins and activity
make it diffi cult to detect malicious behavior.
■ Weak APIs provide opportunities for data compromise.
■ Dependency on unregulated API interfaces, especially third-party add-ons, can
allow critical information to be stolen as necessary connections are made.
The Fixes
■ Utilization of multiple logon authentication steps and strong access controls.
■ Encryption of sensitive data during transmission.
■ More robust and secure API access control.
■ An understanding of the security model of cloud provider APIs and interfaces,
including any third-party or organization-created dependencies.
■ Understanding how the API impacts associated cloud usage.
Issues with Multitenancy and Technology Sharing
Basic cloud infrastructure is designed to leverage scale through the sharing of
components. Despite this, many component manufacturers have not designed their
products to function in a multitenant system. Newer architectures will evolve to
address this issue.
In the meantime, virtual computing is often used, allowing for multiple instances
of an operating system (OS) (and applications) to be walled off from others that are
running on the same computer. Essentially, each instance of the OS runs indepen-
dently, as if it were the only one on the computer. A “virtualization hypervisor me-
diates access between guest operating systems and the physical compute resources”
(like central processing unit processing power). Yet fl aws have been found in these
hypervisors “that have enabled guest operating systems to gain inappropriate levels
of control or infl uence on the underlying platform”—and therefore indirectly impact
APIs must be thoroughly tested to ensure they are secure and abide by policy.

INFORMATION GOVERNANCE FOR CLOUD COMPUTING 295
the other guest OSs running on the machine. To combat this, “security enforcement
and monitoring” of all shared computing resources must be employed. Solid partitions
between the guest OSs—known as compartmentalization—should be employed to en-
sure that one client’s activities do not interfere with others running on the same cloud
provider. Customers should never have access to any other tenant’s “actual or residualr
data, network traffi c” or other proprietary data.
Examples
■ Joanna Rutkowska’s Blue Pill root technique, which describes how an unau-
thorized user could intercept data by using virtual hardware called a hypervisor.
The Blue Pill would be undetectable as long as the host system was functioning
properly. Rutkowska also developed a Red Pill, which could detect a Blue Pill
hypervisor, allowing the owner to eliminate it.
■ Kostya Kortchinksy’s CloudBurst is another example of hypervisor exploitation.
The Fixes
■ Security IG that leverages best practices for installation, confi guration, moni-
toring, testing, and auditing of cloud computing resources.
■ Requirements for monitoring the computing environment for any rogue
intrusions or misuse of cloud resources.
■ Control and verifi cation of access. Promote a more secure two-factor authen-
tication procedure.
■ Enforceable service-level agreements (SLAs) for patching software bugs,
addressing data breaches, and fi xing vulnerabilities.
■ An IG policy that requires regular audits and evaluations to detect weaknesses
in cloud security and confi guration.
Hacking, Hijacking, and Unauthorized Access
Hacking into accounts to assume the identity of an authorized user has been happen-
ing almost since personal e-mail existed. It can be as simple as stealing passwords with
a keystroke logger. Attack methods such as social engineering (e.g., phishing), fraud
by identity theft, and exploitation of software vulnerabilities are still effective at com-
promising systems. Most people recycle a few passwords and reuse them for multiple
accounts, so once one is breached, criminals can gain access to additional accounts. If
login credentials are compromised, a hacker can monitor nearly everything your or-
ganization is doing: A less passive hacker might alter or destroy sensitive documents,
create false information, or replace your links with fraudulent ones that direct users
to sites harboring malware or phishing scams. Once they have control, it can look
like your organization is the origin of the malicious downloads or information capture.
From here, the attackers can assume the good name and reputation of an organization
to further their attacks.
Cloud providers use virtualization heavily and hypervisors may allow intrusions.

296 INFORMATION GOVERNANCE
Examples
■ Examples are widespread in the general population; however, no clear instances
of this occurring with cloud services providers are known (as this book goes to
press).
The Fixes
■ IG policies should clearly state that users and providers should never reveal
their account information to anyone.
■ An IG policy should require more secure two-factor authentication techniques
to verify login identity, where possible.
■ Require your cloud services provider to actively monitor and log all activity
in order to quickly identify users engaging in fraudulent actions or those that
otherwise fail to comply with the client’s IG policy.
■ Understand, analyze, and evaluate the cloud provider’s contract, especially re-
garding security protocols. Negotiate improved terms in SLAs to improve or
enhance security and privacy.
Who Are Your Neighbors?
Knowing your neighbors—those who are sharing the same infrastructure with you—is
also important, and, as we all know, good fences make good neighbors. If the cloud
services provider will not or cannot be forthcoming about who else is sharing its infra-
structure services with your organization and this becomes a signifi cant issue, you may
want to insert contract language that forbids any direct competitor from sharing your
servers. These types of terms are always diffi cult to verify and enforce, so moving to a
private cloud architecture may be the best option.
Examples
■ The Internal Revenue Service (IRS) utilized Amazon’s Elastic Compute Cloud
service. When the IRS asked Amazon for a certifi cation and accreditation
(C&A) report, Amazon declined. (Note: The C&A process was developed to
help ensure compliance with NIST standards and mandated by the Offi ce of
Management and Budget, which oversees Federal Information Security Man-
agement Act of 2002 compliance.)
■ Heartland, a payment processing corporation, suffered a data breach in 2008.
Hackers stole account details for over 100 million credit and debit cards.
This data was stored on Heartland’s network, which the hackers broke into
using information (pertaining to employees, corporate structure, company
networks, and related systems) it had stolen in the weeks leading up to the
major breach.
It is important to know what other clients are being hosted with your cloud
services provider, as they may represent a threat. Moving to a private cloud
architecture is a solution.

INFORMATION GOVERNANCE FOR CLOUD COMPUTING 297
The Fixes
■ An IG policy that requires full disclosure of activity and usage logs, and related
information. Audit the policy for compliance.
■ Investigate the architecture of your cloud services provider (e.g., version levels,
network OSs, fi rewalls, etc.).
■ Robust and vigilant supervision, logs, and reporting of all system activity,
particularly requesting expansive and detailed reports on the handling of sensi-
tive information.
Additional IG Threats and Concerns
A primary selling point of cloud computing is that enterprises are freed up to focus
on their core business rather than being focused on providing IT services. Modulating
computer hardware and software resources without making capital expenditures is an-
other key advantage. Both of these business benefi ts allow companies to invest more
heavily in line-of-business activities and focus on their core products, services, and
operations. However, the security risks must be weighed against the fi nancial and
operational advantages. Further complicating things is the fact that cloud deployments
often are enthusiastically driven by advocates who focus inordinately on potential ben-
efi ts and do not factor in risk and security issues. Additional examples of IG concerns
are listed next.
■ Lack of clarity about who owns the information (and if that changes at any point).
■ Risk of association with any larger failures of the cloud provider.
■ Inability of the cloud services provider to manage records at the fi le level.
■ Inability to closely follow the user’s retention schedule and produce certifi cates of
destruction at the end of the information life cycle. This may result in informa-
tion that is held for too long and ends up costing the client unnecessary expense
if it is deemed to be responsive to litigation or other legal action.
■ Lack of RM functionality in many cloud-based applications. This problem is
not unique to cloud platforms, but the key difference is that internal storage
resource systems may have functionality that supports integration with a RM
solution. It is unlikely that a cloud provider will provide the option of integrat-
ing your in-house RM system with its system. Too many potential security,
access control, and performance issues may result.
■ Inability to implement legal holds when litigation is pending or anticipated.s
■ Poor response time—inability to deliver fi les quickly and in line with user expectations.
■ Limited ability to ensure your cloud provider meets your duties to follow regulations
related to the governance of your information .
■ Jurisdiction and political issues that may arise due to the fact that the cloud
provider resides outside of the client’s geographic region.
■ Storage of personally identifi able information (PII) on servers in Europe or
other locales that prohibit or restrict the release of PII back to the United States (or s
home country of the cloud services client organization). 13
An analysis of an organization’s exposure to risk must include checking on software t
versions and revision levels, overall security design, and general IG practices. This
includes updating software, tools, and policy, as needed.

298 INFORMATION GOVERNANCE
Finally, for each of these challenges, “IG policies and controls to secure informa-
tion assets” and “IG policies and controls to protect the most sensitive documents and
data” are a key part of the solution.
Benefi ts of the Cloud
The risks and security vulnerabilities of cloud computing have been reviewed in this
chapter—so much so that perhaps some readers wondering whether cloud computing
really is worth it. The answer is a qualifi ed yes—it can be, based on your organization’s d
business needs and computing resource capabilities. Besides the obvious benefi t of
getting your company out of the IT infrastructure business and back to focusing on
its real business goals, there are many benefi ts to be gained from cloud computing
solutions.
Some of the specifi c benefi ts offered by cloud computing solution are listed next.
■ Cloud computing solutions provide a means to support bring-your-own-device
(BYOD) initiatives. As long as users have an Internet browser and Internet
connectivity, they can use any device to access an application deployed in the
cloud.
■ Your workers need to be able to access corporate information via a mobile
device. Some cloud solutions allow them to access information stored in a
secure location that only requires a smart phone and a login. Some of these
solutions can even ensure that the information is not actually stored on the
device itself. Entire applications, such as expense reporting, can be deployed
this way and incorporate mobile capture technology as well.
■ Cloud computing solutions provide a mechanism to support collaboration with
external business partners. You need to exchange information with an outside
business partner in a manner that e-mail just will not support. For instance, you
want to create one copy of the information that anyone on your team or on a
business partner’s team can access and that refl ects any updates or changes on
an ongoing basis. Or you need to exchange fi les that are large or in a format
that is prohibited by your e-mail servers. And you do not want to grant part-
ners access to information within your fi rewall and they do not want to grant
you access to information within theirs. A third-party cloud-based fi le-sharing
solution may provide the answer. You can post fi les there, partners can access
them, you can update them as necessary, and everyone always has access to
the most current version of the information without compromising security to
your network.
■ A cloud fi le storage solution provides a better alternative to remote infor-
mation access than having users copy information to unsecured removable
media or send an e-mail to their personal e-mail account. Again, it prevents
duplication of information, provides access to the most current version of
information, and stores information in an environment that only authenti-
cated users can access.
■ Cloud computing solutions also can form a key part of your organization’s
disaster recovery/business continuity strategy. If your data center is rendered
inoperable, users still can access applications and information hosted by cloud

INFORMATION GOVERNANCE FOR CLOUD COMPUTING 299
providers. Most cloud providers have redundant data centers so that even if
one of their data centers was affected by the same incident that rendered your
data center inaccessible, all your information is available. Many organizations
deploy solutions to back up their in-house applications to a cloud-based
storage provider for just this reason. It is a way to provide geographic
diversifi cation.
The business benefi ts of cloud computing may largely outweigh the security
threats for the vast majority of enterprises, so long as they are anticipated and the
preventive actions described are taken.
Managing Documents and Records in the Cloud
The National Archives and Records Administration has established guidelines for cre-
ating standards and policies for managing an organization’s e-documents records that
are created, used, or stored in cloud computing environments.
1. Include the Chief Records Management Offi cer and/or lead RM staff in the
planning, development, deployment, and use of cloud computing solutions.
2. Defi ne which copy of records will be declared as the organization’s record
copy and manage these in accordance with information governance poli-
cies and regulations. . . . Remember, the value of records in the cloud may
be greater than the value of any other set because of indexing or other
reasons. In such instances, this added value may require designation of the
copies as records.
3. Include instructions for determining if records in a cloud environment are
covered under an existing records retention schedule.
4. Include instructions on how all records will be captured, managed, re-
tained, made available to authorized users, and retention periods applied.
5. Include instructions on conducting a records analysis, developing and sub-
mitting records retention schedules to an organization’s central records
department for unscheduled records in a cloud environment. These
instructions should include scheduling system documentation, metadata,
and related records.
6. Include instructions to periodically test transfers of records to other
environments, including departmental servers, to ensure the records remain
portable.
7. Include instructions on how data will be migrated to new formats, operating
systems, etc., so that records are readable throughout their entire life cycles.
Include in your migration planning provisions for transferring permanent
records in the cloud to central records.
8. Resolve portability and accessibility issues through good records man-
agement policies and other data governance practices. Data governance
typically addresses interoperability of computing systems, portability of
data (able to move from one system to another), and information security

300 INFORMATION GOVERNANCE
and access. However, such policies by themselves will not address an
organization’s compliance and information governance demands and
requirements.14
IG Guidelines for Cloud Computing Solutions
A set of guidelines aimed at helping you leverage cloud computing in a way that meets
your business objectives without compromising your IG profi le is presented next.
1. As with any technology implementation, it is critical that you defi ne your
business objectives fi rst, then select the provider that best meets your busi-
ness objectives—provided, of course, it can meet your IG requirements. This
is consistent with applying a proven IT project management methodology to
the initiative. Even though the solution may reside outside your environment,
the same basic phases for your project approach still apply, especially for those
tasks related to documentation.
2. As part of the project documentation, make sure to identify roles and respon-
sibilities related to the system in at least the same level of detail you do fort
internally supported systems (preferably in more detail).
3. The biggest deviation from your standard approach is the need to incorporate
the investigation and application of the appropriate fi xes described in the “Se-
curity Threats with Cloud Computing” section into your project plan. Again,
as with any service contract, it is helpful to involve a good contract negotiator.
The contract negotiation phase is when you have the most infl uence with
your provider. Therefore, you have the greatest chance of mitigating potential
risks and optimizing the benefi ts if you can incorporate specifi c requirements
into the contract language.
4. If the cloud computing paradigm is relatively new to your organization, try to
fi gure out approaches to issues and high-level processes that can be reused in
subsequent cloud computing projects. For instance, during the course of your
project, you need to fi gure out:
■ How to migrate information, including metadata, to the cloud solution.
■ How to get your information, including metadata, back if you quit using
that solution.
■ How to implement a legal hold.
Utilizing cloud computing resources provides an economic way to scale IT resources
which allows more focus on core business operations. It can render signifi cant business
benefi ts, but its risks must be carefully weighed, and specifi c threats must be coun-
tered, in the context of a long-range cloud deployment plan.
Most cloud services providers do not have mass content migration or RM
capabilities.

INFORMATION GOVERNANCE FOR CLOUD COMPUTING 301
Notes
1. Cloud Security Alliance, “Top Threats to Cloud Computing V1.0,” March 2010, https://cloudsecurity-
alliance.org/topthreats/csathreats.v1.0 , p. 6.
2. R. “Ray” Wang, “Tuesday’s Tip: Understanding the Many Flavors of Cloud Computing and SaaS,”
March 22, 2010, http://blog.softwareinsider.org/2010/03/22/tuesdays-tip-understanding-the-many-
fl avors-of-cloud-computing-and-saas/ .
3. NARA Bulletin 2010-05, “Guidance on Managing Records in Cloud Computing Environments,”
September 8, 2010, www.archives.gov/records-mgmt/bulletins/2010/2010-05.html .
4. Peter Mell and Tim Grance, “NIST Defi nition of Cloud Computing,” Version 15, 10-07-09, www.nist
.gov/itl/cloud/upload/cloud-def-v15 (accessed December 12, 2013).
5. Knorr and Gruman, “What Cloud Computing Really Means.”
6. Ibid.
7. Mell and Grance, “NIST Defi nition of Cloud Computing.”
8. Gartner Press Release, “Gartner Says Worldwide Public Cloud Services Market to Total $131 Billion,”
February 28, 2013, www.gartner.com/newsroom/id/2352816 (accessed October 11, 2013).
9. This and the next quotes in this section are from Louis Columbus, “451 Research: Cloud-Enabling
■ Cloud computing represents a paradigm shift in computing capabilities.
It can streamline operations and cut costs but because it also has inherent
risks, a well-researched and documented IG policy is needed.
■ Organizations need to understand cloud computing’s security risks and for-
mulate IG policies and controls before deploying it.
■ Organizations are rapidly moving applications and storage to the cloud.
Cloud computing allows users to access and use shared data and computing
services via the Internet or a VPN.
■ Five key characteristics of cloud computing are: (1) on-demand self-service,
(2) broad network access, (3) resource pooling, (4) rapid elasticity, and (5)
measured service.
■ Cloud computing services typically are deployed using one of four models:
(1) private cloud, (2) public cloud, (3) community cloud, and (4) hybrid
cloud.
■ Utilizing cloud computing carries signifi cant security risks, which can be off-
set by establishing IG policies and preventive measures so that the business
benefi ts of agility and reduced cost may be exploited.
■ Cloud application services may have weaknesses related to supporting RM
functions, such as: the inability to manage records at the fi le level; the inabil-
ity to closely follow the user’s RM retention schedule, the inability to migrate
data and documents to other platforms for preservation, and the inability to
enforce legal holds when litigation is pending or anticipated.
CHAPTER SUMMARY: KEY POINTS

https://cloudsecurity-alliance.org/topthreats/csathreats.v1.0

http://blog.softwareinsider.org/2010/03/22/tuesdays-tip-understanding-the-many-flavors-of-cloud-computing-and-saas/

http://www.archives.gov/records-mgmt/bulletins/2010/2010-05.html

http://www.nist.gov/itl/cloud/upload/cloud-def-v15

http://www.gartner.com/newsroom/id/2352816

http://www.nist.gov/itl/cloud/upload/cloud-def-v15

302 INFORMATION GOVERNANCE
Technologies Revenue Will Reach $22.6B by 2016,” September 26, 2013, http://softwarestrategies-
blog.com/2013/09/26/451-research-cloud-enabling-technologies-revenue-will-reach-22-6b-by-2016/
(accessed October 11, 2013).
10. It’s a long-running trend with a far-out horizon. But among big metatrends, cloud computing is the
hardest one to argue with in the long term. (emphasis added).
11. All defi nitions are from Mell and Grance, “NIST Defi nition of Cloud Computing.”
12. Cloud Security Alliance, “Top Threats to Cloud Computing V1.0.”
13. Gordon E. J. Hoke, CRM, e-mail to author, June 10, 2012.
14. NARA Bulletin 2010-05, “Guidance on Managing Records in Cloud Computing Environments.”

http://softwarestrategies-blog.com/2013/09/26/451-research-cloud-enabling-technologies-revenue-will-reach-22-6b-by-2016/

303
SharePoint®
Information
Governance*
C H A P T E R 16
By Monica Crocker, CRM, PMP, CIP,
edited by Robert Smallwood
* Portions of this chapter are adapted from Chapter 14 , Robert F. Smallwood, Managing Electronic Records: Methods, Best
Practices, and Technologies , © John Wiley & Sons, Inc., 2013. Reproduced with permission of John Wiley & Sons, Inc.s
M
icrosoft’s SharePoint® server product dramatically altered the content and
records management (RM) markets. Previous to SharePoint, solutions were
somewhat cumbersome, managed large quantities of documents, and required
extensive implementation effort for each business application. SharePoint provided an
enterprise level platform for the remaining small-volume, ad hoc solutions.
At a basic level, it is a collaboration platform, but it is often leveraged to be a con-
tent repository as well. If properly implemented, SharePoint can reduce duplication of
information, automate business processes, serve up a common lexicon for categorizing
information, provide a social media platform, give users access to current and histori-
cal e-documents, dramatically reduce network traffi c loads (by cutting the number of
e-mails with attachments), and stop the growth of shared drives. It can also provide
a secure platform to support bring-your-own-device (BYOD) mobile programs and
other mobile solutions.
Given all its stated capabilities, SharePoint can be used to help organizations
govern their information. But, in order to achieve those benefi ts, the implementing
organization must take a structured approach to the deployment of its SharePoint
environment. The 2006 amendment to the U.S. Federal Rules of Civil Procedure re-
quire American organizations to produce any and all “electronically stored information
that is relevant, not privileged, and reasonably accessible.” Similar legal requirements
exist in Canada, the United Kingdom and Europe, Australia, and other developed
countries. Information stored in SharePoint often is included in the “relevant” infor-
mation that must be produced. So SharePoint should be deployed in a manner that makes all
information contained within it fi ndable, accessible, securable by a legal hold notifi cation (LHN)
and available for production in a timely manner.r
For SharePoint deployments, an ounce of prevention truly is worth a pound of
cure. Since every SharePoint environment includes corporate information, organiza-
tions can avoid a lot of headaches and future information governance (IG) risks if
they invest time and deliberation in planning how they will deploy SharePoint. Theseg
plans should be based on the business objectives for SharePoint that are tied to the

304 INFORMATION GOVERNANCE
organization’s overall business objectives and include making all the necessary IG
policy decisions before rolling out the solution to users.
SharePoint itself is a tool; it is not a panacea for poor IG, and simply deploying it
will not resolve business issues or compliance problems. When it comes to managing
business records, “Like any RM solution, SharePoint alone will not solve your needs
unless it is used to support clearly defi ned [business] processes.”1 Therefore, IG policy
development and business process analysis are critical in the planning process.
SharePoint often is expected to perform content management and records man-
agement, and also support e-discovery requests and legal holds. But sometimes, instead
of solving records and IG problems, they become worse in an ungoverned SharePoint
environment, since users often:
■ Do not understand which SharePoint content (documents, discussions,
announcements, lists) should be managed as a record.
■ Are not clear on when or how to declare content a business record (and as a
result make either everything a record or nothing a record).
■ Simply replicate their existing fi le share folder structure, creating a new (often
redundant) set of disorganized documents on SharePoint.
■ Do not know how to attach well-defi ned metadata to information to make it
fi ndable in the long term.
■ Do not understand how to apply appropriate security restrictions to information.
The unacceptable result of this lack of governance is that, instead of being a plat-
form that can positively transform business processes, SharePoint actually can make it
more diffi cult for people to do their jobs. And if users decide that SharePoint is actually t
making their work harder, they will begin to revert back to old, familiar (disorganized)
ways of managing their information. In other words, they may continue to keep du-
plicate documents on their local C drives, go back to their existing shared drives, and
keep sharing information by attaching documents to e-mails.
The SharePoint governance model should make it clear where and how users
should both store and fi nd information. A well-governed SharePoint environment pro-
vides enough consistency in how information is categorized to support sorting and
fi ltering of search results so that users can quickly narrow results to the specifi c infor-
mation or documents they need.
But keep in mind that a SharePoint governance model needs to be tailored to your
organization. It will not work if it does not fi t with your culture, technology standards,
and staffi ng resources.
There is no such thing as one set of SharePoint governance best practices that every orga-
nization can adopt. Rather, developing a SharePoint governance model involves deter-
mining the appropriate answer to a series of questions regarding your organization’s
business goals, resource limitations and policy constraints. Once the initial plan is de-
veloped, it should be validated against a broad sample of use cases for the system.
Process Change, People Change
As with any initiative that requires behavior change or additional effort, you will
encounter resistance. The nature of the resistance will depend on the culture of
your organization and the personalities of the individuals involved. Some of the

SHAREPOINT INFORMATION GOVERNANCE 305
SharePoint-specifi c objections you should be prepared to counter include the prem-
ise that nothing in SharePoint is a record or that the very nature of SharePoint
dictates that it should just be turned on and allowed to spread virally. Others are that
“Users won’t follow those procedures” and “Governance is too much of a burden to
the user.” And then, of course, there is all the standard user resistance to any system
change implementation.
Too many organizations deploy SharePoint without putting the necessary effort t
into planning how this technology tool will be governed. The result is similar to what
is often found with e-mail or network shared drives —scattered information and docu-ss
ments with no organization or governing policies. Only the situation is worse , because
SharePoint has more types of content and quickly collects an even greater volume of
information. At the highest level, all these types of content are part of SharePoint: sites,
pages, libraries, and lists. And there are many subtypes within each of these content
types. For instance, the list content type includes announcements, calendars, contacts,
tasks, discussions, issues, surveys, and custom lists. And the site content type includes
“MySites,” which allows users to store a vast array of content, including their own
documents (which could be personal and/or work related) and social content, such as
tags and ratings of content on other sites.
Another contributing risk factor for SharePoint is that, to a large degree, it is self-
provisioned. This means that, while the environment typically is deployed by central
information technology (IT) staff, business users usually are given the authority to cre-
ate new repositories for information within that environment without IT intervention.
This allows SharePoint to function as a dynamic collaboration platform.
Because of its nature, in an ungoverned SharePoint environment, you may have:
■ Information chaos because there is no way to identify who owns specifi c informa-s
tion, no context for information, and no consistent organization or hierarchy
to information.
■ Orphaned information , which results when the individual who understood the
context of the information leaves the organization or when the site, page, list,
or library is no longer in use.
■ Redundant information. If no one knows who should put what on SharePoint, t
multiple users may upload the same new document to a dozen different loca-
tions, and users have no way to identify the “authentic” version of a piece of
information when multiples are found.
■ Unfi ndable information , which results when everyone decides for themselves how
to secure a given piece of information and if and how to tag it with metadata.
Then no one can fi nd anything outside the sphere of the information they con-
trol or know if they have found everything in a search.
■ Noncompliant retention. The organization cannot apply any records retention
periods to information if there is no means to determine which records series
applies to specifi c information.
As with any initiative that requires behavior change or additional effort, you
will encounter resistance when implementing a new SharePoint system.

306 INFORMATION GOVERNANCE
■ E-discovery risk. Ungoverned information limits the means to narrow the list
of potentially responsive information, requiring the organization to fi nd and
review a lot of information in response to an e-discovery request. t
■ Inappropriate use. Lack of governance means the organization is at risk from
individuals or teams deciding to use SharePoint in a way that may not be ap-
propriate or legally defensible.
In sum, lack of governance can signifi cantly diminish the business value and increase the
risk of your SharePoint deployment.
This is more than a mess. It is a costly mess, because the organization is not achiev-
ing the maximum business benefi t from SharePoint. Further, retrieving information
during e-discovery for legal proceedings will be fraught with search and retrieval chal-
lenges and will be more costly and less effi cient.
However, even if you have already started your SharePoint project or need to
deploy before you feel your governance model is complete, you still can implement
some IG strategies. That is, late is better than never, and gradual implementation of
governance is better than none at all.
Where to Begin the Planning Process
As with any well-managed project, the fi rst step in a SharePoint deployment is to draft
a project charter that defi nes the scope, budget, timeline, and business objectivesr for your s
SharePoint environment.
The next step is to draft a project schedule that includes copious amounts of s
time for the up-front planning effort necessary to create the SharePoint Governance
Model. Have the project executive sponsor sign off on this timeline so that he orr
she understands that the project will include time to think through key issues prior to
deployment and why that is critical for your organization.
Then assemble your governance team. Include someone who understands the
organization’s culture and the business objectives for SharePoint (such as a business
analyst), someone who understands the technical aspects of SharePoint (like a system
administrator), someone who understands the compliance aspects of SharePoint (such
as a compliance offi cer, records manager, or legal counsel), and someone who can help
Lack of governance can signifi cantly diminish the business value and increase
the risk of your SharePoint deployment.
Critical to success in SharePoint deployments is consulting with users about
their processes and needs.

SHAREPOINT INFORMATION GOVERNANCE 307
implement the training and communications plan (perhaps from the human resources
department). And, most important, make sure your governance team has the necessary
authority level to determine the governance approach.
The SharePoint governance model planning process necessarily involves consulting with
users about their collaboration, business process, document usage, and information s
storage needs. If the governance structure interferes with their ability to do their jobs,
users will start creating and storing documents without knowing what rules to follow,
or why the rules exist, and they will fi nd their own work-arounds to satisfy their busi-
ness requirements. For instance, if you restrict fi le size requirements too much, users
still will store large fi les somewhere—perhaps unsecured in the cloud. If you do not
allow certain fi le types and users need them, they will fi nd another place to store them
where they might be diffi cult for other users to fi nd. And soon you will have all sorts of
variations of folder and fi le systems and scattered documents and information, which
results in the aforementioned information chaos scenario.
Regulatory and compliance factors also must be incorporated into SharePoint
governance decisions for most organizations. Therefore, the process must include
RM staff for guidance on crucial RM issues and legal staff for legal and compliance
requirements.
Finally, create a formal SharePoint governance model “document.” Do not rely on
meeting notes or design documents to refl ect the decisions made during governance
discussions, though it may be valuable to keep those as a way to retain the reasoning
and decision paths that led to the fi nal model. Governance decisions can be controversial, so
the governance model selected should be explicitly stated in a dedicated document and offi cially
“approved” by the appropriate stakeholders.
Begin at a High Level
Start from a high level, with strategy and corporate governance issues. Develop
a problem statement in your project charter so that you know what you are trying to
accomplish, and then develop measureable, time-constrained business objectives so
progress and success toward milestones can be measured. Next, be sure to align
these objectives with your organization’s overall vision statement or strategic
plan. Aligning the technology with business considerations is key to a successful
SharePoint deployment.
Governance decisions can be very controversial and require documentation.
First, develop a problem statement and formulate business objectives for
the SharePoint deployment. Then align those objectives with your overall
Strategic Plan.

308 INFORMATION GOVERNANCE
In order to identify specifi c business objectives for SharePoint, you may fi nd it
useful to conduct some focus group sessions with thought leaders from across the
organization. Some examples of questions you might ask are listed next:
■ How do you fi nd information owned by your unit?
■ How do you share information within your team?
■ How do you fi nd information owned by other units?
■ How do you share information with other teams?
■ How do you fi nd expertise to assemble a project team?
■ How do you fi nd expertise to perform a single task?
■ How do you exchange information with external business partners?
■ What processes are particularly painful?
■ How comfortable would you be sharing information with others in your unit?
With others outside your unit?
■ How would you like to connect with others in your organization?
Look for these themes in survey responses that might apply to your organization:
■ It is diffi cult to fi nd information without prior knowledge of its existence and
location.
■ It is diffi cult to fi nd personnel resources with specifi c expertise (a subject
matter expert ). t
■ It is diffi cult to determine whether a given piece of information is the current
version.
■ The organization relies heavily on e-mail to create, share, and manage informa-
tion. Therefore, the effort spent managing e-mail is burdensome.
■ Most document creation processes included review and approval steps among
multiple users, which slow down critical business processes.
■ Users are struggling to fi nd a way to communicate outside their immediate
work group, but they have strong motivation to do so.
■ It takes too long to onboard a new employee.
■ Users want solutions that provide seamless access for remote workers.
Understanding the organization’s current information management challenges al-
lows the SharePoint governance team to identify business objectives for SharePoint
and ensure that each individual governance decision supports accomplishment of the
business objectives while at the same time supporting compliance with IG policy.
Once business objectives are formed, use them to defi ne the guiding principles
for the SharePoint governance model. It is prudent to lay out the guiding principles
early in the governance document, since they provide a framework for everything that
follows. Decision categories that can help shape the guiding principles are:
■ Required or optional. Is this governance model a “mandated” approach or just
“recommendations”? The answer must be clear to users, and enforcement ac-
tions against violations must be taken if governance is mandated.
■ Appropriate use. What are the rules for SharePoint usage? For instance, you
could declare that SharePoint is for business information only so that users
know it is not OK to run their fantasy football league on a SharePoint site.

SHAREPOINT INFORMATION GOVERNANCE 309
■ Information access policy. Clarify your organization’s philosophy about access to
information; is it open to every authenticated user by default, or is it strictly se-
cured and available on a need-to-know basis only? As a compromise, sites could
be open to all by default, with secured information as an exception.
■ Accountability. Who is accountable for information and managing governance
at a site level?
■ Level of control. Clarify how tightly SharePoint will be managed. This might
range from rigid control, where a typical user can publish only information
that has gone through a review process; to “semicontrolled,” which permits
superusers to create libraries and lists; to very loosely controlled, where site
owners in the business are given complete site collections to manage according
to their needs.
■ Information ownership. Since users come and go and site administrators are very
often administrative staff with little authority, information ownership must be
clearly defi ned (e.g., the responsibility of the manager or director of a business
unit).
Each of these guiding principles should be linked to any appropriate organiza-
tional policy or applicable law. In addition, they all should be linked to the business
objectives for SharePoint. For instance, this could be a guiding principle:
Every site and page in SharePoint must have a clearly identifi ed owner and a
backup owner.
This sets a standard for the project team to follow, which helps end users identify
the authoritative copy of information and addresses the governance issue regarding
orphaned content.
Establish Scope
After business objectives are formed and sharpened and guiding principles are es-
tablished, determine the scope of the SharePoint deployment: Just where are the
boundaries of information you are going to govern? Any governance model likely
will cover sites and pages and documents. But will it also include specifi c types of
content, such as calendar items, announcements, discussions, and lists? Which spe-
cifi c documents will be governed in SharePoint (all/only those declared “records”/
only those that are fl agged as “fi nal”)? How will documents be managed in the
different stages of their life cycle (delete anything that has not been modifi ed for
a year/move anything declared fi nal to an archive)? How will your organization
address e-discovery requirements? Which document and content types are not
governed in SharePoint? For instance, some organizations govern down to the
Once business objectives are formed, use them to defi ne the guiding
principles for the SharePoint governance model.

310 INFORMATION GOVERNANCE
“X” level (e.g., three levels deep in the site structure) but not below. Some choose
to manage content on MySites while others simply impose a storage size limit on
MySites.
These are the types of questions you should be asking, not only from an IG
perspective but also to optimize future system performance of SharePoint. Better
processes and fewer documents means faster performance when you are in the heat of
the business battle.
Your governance model needs to address the two issues related to scope:
1. Describe the scope of SharePoint as a technology solution. In terms of the scope
of SharePoint itself, document whether it is purely for internal use or
whether it also includes external access, whether MySites are deployed,
and which existing systems it was designed to replace, if applicable. Add
any other information you can about what is included when you refer to
“the SharePoint solution” in your organization, such as interfaces with
other systems
2. Defi ne the scope of the governance model. In your description of the scope of the
governance model, you should enumerate whether governance applies to all
types of sites, all types of content, all users, or some subset of those; and who
has the authority to change the scope of SharePoint governance.
Exactly what information will be stored and managed in SharePoint? And, of that,t
which information or documents rise to the level of being records?
The selection criteria for storing information in SharePoint must be clear to all system us-
ers and administrators. They need to know not only what fi le sizes are allowed but also
what fi le formats are permitted—or prohibited—as well as size limits for lists, libraries,
and the entire site itself.
Policy Considerations
You must determine how your organization’s IG policies relate to SharePoint. Micro-
soft has structured SharePoint so that every piece of information is a “content type.” In
addition, the tool allows you to confi gure RM policies/actions at various levels in the
system; you can set them at a site collection level, a site level, a library or list level, or
all the way down to the specifi c item level. Every particular instance of every content
type could have a retention schedule and resulting actions associated with it, but that
might be a lot of overhead for very little payback. What do you manage and what do you
not manage? Examples of things you might not manage are work fl ow confi gurations, t
views, searches, and page templates. Examples of things you probably want to manage
are documents and lists.
Be sure to clearly state the selection criteria for storing information in
SharePoint.

SHAREPOINT INFORMATION GOVERNANCE 311
Your IG policy section should answer these questions:
■ How is each type of content in SharePoint governed?
■ Who decides what gets governed?
■ At what point in the information’s SharePoint existence is a governance action
taken?
Any existing retention schedules must be translated into defensible disposition
policies within your SharePoint environment. Finally, specifi c processes for managing
business records must be established. s
For instance, if your SharePoint charter identifi ed “sharing administrative in-
formation such as meeting agendas and minutes” as a primary objective of your
deployment, you could create standard libraries for “administrative” documents on
each division’s site, create an “administrative record” content type to categorize any
document in that library, and associate the retention policy for that content to all those
documents. This method would automate the purging of all administrative documents
after the retention period has expired.
At some point in the SharePoint governance model document, you also need to
address if and how you going to use document IDs and how major and minor versions
of information are used and retained. For example, you could decide not to keep any
previous versions of meeting agendas but to keep previous versions of policies for a
number of years after they are superseded with new versions. The IG policy section is
a good place for those items.
Roles and Responsibilities
Clear roles and their associated responsibilities for contributing to, maintaining, and
utilizing the information in SharePoint must be established during the governance
planning process. Only by spelling out who is responsible for what are you able to
expect that your SharePoint environment will continue to follow the governance
model.
Questions to ask with regard to defi nition of roles and responsibilities include
these:
■ Who is the executive sponsor for the solution?
■ Who “owns” the system (and what does “ownership” entail)?
■ Who is the sponsor/steward for a specifi c site or site collection?
■ Who owns the information in the site?
■ Who is responsible for completing the initial deployment of a site or collection?
■ Who is responsible for day-to-day administration of the site?
■ Who defi nes and sets up various information architecture components, such as
content types, columns (metadata), and the term store (enterprise taxonomy)?
■ Who is responsible for controlling access to a site? For making changes to
security access as users’ roles change or as users are terminated?
■ Who will train super users and users initially? On an ongoing basis?
■ Who will contribute information?
■ Who will be allowed to view and/or edit information?

312 INFORMATION GOVERNANCE
Some examples of possible SharePoint roles within a given organization are listed
next.
■ Executive sponsor
■ Information owner or “steward” for a site or site collection
■ Site owner
■ Site member
■ Site contributor
■ Site visitor
■ System administrator
■ Site collection administrator
■ Business analyst
■ Training, education, and user support
■ Information architect/taxonomist
■ IG representative
The roles and responsibilities section of the SharePoint governance model will
need to describe how users can request a site and how they get support for their sites,
including the support escalation process. For this purpose, a service-level agreement
(SLA) that outlines the basic support levels, time frames, problem escalation processes,
cost allocations, and other issues related to service is useful. Wherever possible, create
an SLA and refer to it so that users have clear expectations regarding how long it will
take them to get a new site or get support for an existing site.
Establish Processes
Guiding principles provide the “what” of SharePoint governance. Roles and responsibili-
ties defi ne the “who.” The governance model, or a separate set of procedures referenced
by the model, also needs to describe the “how” of governance. Most important, it should
detail the process of requesting and creating SharePoint sites. Also critical, the model must
include a process for decommissioning sites. Further, as the ownership of the site may
change in the future, the process of transferring site ownership must be established and
standardized. In addition, more specifi c processes, such as those for migrating information
into SharePoint, must be created. If a business record is created, you need a process to
manage it accordingly, whether that is by sending it to a central records repository to com-
plete its life cycle or by managing it in the library where it originated. When legal holds are
required, standard processes must be established to produce information requested dur-
ing e-discovery. A demonstrated ability to produce trustworthy information—information
that can be proven to be authentic and unaltered—is an absolute requirement. All these
processes must be designed to be as effi cient and low cost as possible.
While guiding principles provide the “what” of SharePoint Governance, roles
and responsibilities provide the “who”—that is, who can store information,
access it, and make changes to the system.

SHAREPOINT INFORMATION GOVERNANCE 313
Training Plan
A well-defi ned training model as part of your SharePoint governance plan shows that
your organization gave users the rules about SharePoint usage and the necessary tools
to comply with those rules.
The training section of your SharePoint governance model should break down
the overall training strategy: train everyone, just train site owners, or simply refer users
to training resources. This section should explain the process for requesting training.
It also should describe or include a reference to a detailed training plan. The train-
ing plan describes the ways training will be delivered and how training content will
be created. It should include a level of detail suffi cient to identify the different types
of training (site owner training, information custodian training, user training, basic
training, advanced training, etc.). As you defi ne the training plan, remember that any
given individual may fi ll more than one role; one person might be an owner on one
site, a contributor on another, and a reader on many. So the training plan should allow
people to get all the training they need, without having to endure the same training
modules (such as “Introduction to Our SharePoint environment”) multiple times.
An important training consideration is that SharePoint is a popular technol-
ogy right now, and individuals with SharePoint skills are hot commodities in the
marketplace. Therefore, in order to eliminate any single points of failure in your
SharePoint roles, make sure to cross-train key roles to ensure that more than one
person can perform critical functions.
Communication Plan
Your communication plan for SharePoint governance needs to take into account that
you are asking people to change the fundamental way in which they manage much of
the core information they use to do their work. So your communication plan needs to
clearly state that the proposed SharePoint governance model:
■ Is good for the organization as a whole, not just for IT or the compliance offi ce. d
■ Makes it easier for team members to manage and fi nd the information they
need to do their jobs.
Your training plan needs to recognize that a given individual may fi ll more
than one role on different SharePoint sites.
Your communication plan needs to recognize that you are asking people to
change the fundamental way they access and manage documents.

314 INFORMATION GOVERNANCE
An understanding of the SharePoint governance model should make it clear to
users what the organization intends to do with SharePoint: the business drivers behind
the deployment. It also should be very clear what users are expected to do and the
training they will receive so that they can work well in the SharePoint environment.
Every person assigned a SharePoint role should be able to review the communications
regarding governance and understand how, exactly, it will impact them.
Note
1. Don Lueders, “It’s All About the Processes,” June 18, 2009, http://sharepointrecordsmanagement.
com/2009/06/18/its-all-about-the-processes/ .
■ As with any initiative that requires behavior or attitude change, you will en-
counter resistance when implementing IG within SharePoint.
■ Lack of governance can signifi cantly diminish the business value and increase
the risk of your SharePoint deployment.
■ Critical to success in most SharePoint deployments is an understanding of the
business objectives for the solution and how those map to the organization’s
strategic plan.
■ Your SharePoint governance model needs to be tailored to your organization.
■ Governance decisions can be very controversial and require documentation.
■ First, develop a problem statement and formulate business objectives for the
SharePoint deployment. Then align those objectives with your overall strate-
gic plan.
■ Once business objectives are formed, use them to defi ne the guiding prin-
ciples for the SharePoint governance model.
■ While guiding principles provide the “what” of SharePoint governance, roles
and responsibilities provide the “who”—that is, who can store information,
access it, and make changes to the system.
■ Be sure to clearly state the selection criteria for storing information in Share-
Point.
■ Your communication plan needs to consider that you are asking people to
change the fundamental way they access, share and manage documents.
■ A well-designed SharePoint governance model can help your organization
achieve its IG objectives and can contribute to the achievement of business
objectives.
CHAPTER SUMMARY: KEY POINTS

http://sharepointrecordsmanagement.com/2009/06/18/its-all-about-the-processes/

PA RT F I V E
Long-Term
Program
Issues

317
C H A P T E R 17
Long-Term
Digital
Preservation*
* Portions of this chapter are adapted from Chapter 17 , Robert F. Smallwood, Managing Electronic Records: Methods, Best
Practices, and Technologies , © John Wiley & Sons, Inc., 2013. Reproduced with permission of John Wiley & Sons, Inc.s
By Charles M. Dollar and Lori J. Ashley
E
very organization—public, private, or not for profi t—now has electronic records
and digital content that it wants to access and retain for periods in excess of
10 years. This may be due to regulatory or legal reasons, a desire to preserve
organizational memory and history, or entirely by operational reasons. But long-term
continuity of digital information does not happen by accident— it takes information gover-—
nance (IG), planning, sustainable resources, and a keen awareness of the information
technology (IT) and fi le formats in use by the organization, as well as evolving stan-
dards and computing trends.
Defi ning Long-Term Digital Preservation
Information is universally recognized as a key asset that is essential to organizational
success. Digital information, which relies on complex computing platforms and net-
works, is created, received, and used daily to deliver services to citizens, consumers
and customers, businesses, and government agencies. Organizations face tremendous
challenges in the 21st century to manage, preserve, and provide access to electronic
records for as long as they are needed.
Digital preservation is defi ned as long-term, error-free storage of digital infor-
mation, with means for retrieval and interpretation, for the entire time span the
information is required to be retained. Digital preservation applies to content that is born
digital as well as content that is converted to digital form.
Some digital information assets must be preserved permanently as part of an organiza-
tion’s documentary heritage. Dedicated repositories for historical and cultural memory,
such as libraries, archives, and museums, need to move forward to put in place trust-
worthy digital repositories that can match the security, environmental controls, and
wealth of descriptive metadata that these institutions have created for analog assets
(such as books and paper records). Digital challenges associated with records manage-
ment affect all sectors of society—academic, government, private and not-for-profi t
enterprises—and ultimately all citizens of all developed nations.

318 INFORMATION GOVERNANCE
The term “preservation” implies permanence, but it has been found that elec-
tronic records, data, and information that is retained for only 5 to 10 years is likely
to face challenges related to storage media failure and computer hardware/software
obsolescence. A useful point of reference for the defi nition of “long term” comes from
the International Organization for Standardization (ISO) standard 14721, which de-
fi nes long-term as “long enough to be concerned with the impacts of changing tech-
nologies, including support for new media and data formats, or with a changing user
community. Long Term may extend indefi nitely.” 1
Long-term records are common in many different sectors, including govern-
ment, health care, energy, utilities, engineering and architecture, construction, and
manufacturing. During the course of routine business, thousands or millions of elec-
tronic records are generated in a wide variety of information systems. Most records
are useful for only a short period of time (up to seven years), but some may need to be
retained for long periods or permanently. For those records, organizations must plan for
and allocate resources for preservation efforts to ensure that the data remains acces-
sible, usable, understandable, and trustworthy over time.
In addition, there may be the requirement to retain the metadata associated with records
even longer than the records themselves.2 A record may have been destroyed according to
its scheduled disposition at the end of its life cycle, but the organization still may need
its metadata to identify the record, its life cycle dates, and the authority or person who
authorized its destruction.
Key Factors in Long-Term Digital Preservation
Some electronic records must be preserved, protected, and monitored over long pe-
riods of time to ensure they remain authentic, complete, and unaltered and available
into the future. Planning for the proper care of these records is a component of an
overall records management program and should be integrated into the organization’s
information governance (IG) policies and technology portfolio as well as its privacy
and security protocols.
Digital preservation is defi ned as long-term, error-free storage of digital infor-
mation, with means for retrieval and interpretation, for the entire time span
that the information is required to be retained.
Total capability for properly ensuring access to authentic electronic records
over time, (in addition to the challenges of technological obsolescence), is
a sophisticated combination of policies, strategies, processes, specialized re-
sources, and adoption of standards.

LONG-TERM DIGITAL PRESERVATION 319
Enterprise strategies for sustainable and trustworthy digital preservation reposi-
tories have to take into account several prevailing and compound conditions: the
complexity of electronic records, decentralization of the computing environment,
obsolescence and aging of storage media, massive volumes of electronic records, and
software and hardware dependencies.
The challenges of managing electronic records signifi cantly increased with the
trend of decentralization of the computing environment. In the centralized environ-
ment of a mainframe computer, prevalent from the 1960s to 1980s but also in use
today, it is relatively easy to identify, assess, and manage electronic records. This is not
the case in the decentralized environment of specialized business applications and of-
fi ce automation systems, where each user creates electronic objects that may constitute
a formal record and thus will have to be preserved under IG polices that address record
retention and disposition rules, processes, and accountability.
Electronic records have evolved from simple text-based word processing fi les or
reports to include complex mixed media digital objects that may contain embedded
images (still and animated), drawings, sounds, hyperlinks, or spreadsheets with compu-
tational formulas. Some portions of electronic records, such as the content of dynamic
Web pages, are created on demand from databases and exist only for the duration of
the viewing session. Other digital objects, such as electronic mail, may contain mul-
tiple attachments, and they may be threaded (i.e., related e-mail messages linked in
send-reply chains). These records cannot be converted to paper or text formats for
preservation without the loss of context, functionality, and metadata.
Electronic records are being created at rates that pose signifi cant threats to our ability to
organize, control, and make them accessible for as long as they are needed. This continued
volume increase includes documents that are digitally scanned or imaged from a vari-
ety of formats to be stored as electronic records.
Electronic records are stored as representations of bits—1s and 0s—and therefore
depend on software applications and hardware networks for the entire period of
retention, whether it is 3 days, 3 years, or 30 years or longer. As information technologies
become obsolete and are replaced by new generations, the capability of a specifi c software
application to read the representations of 1s and 0s and render them into human-
understandable form will degrade to the point that the records are neither readable nor
understandable. As a practical matter, this means that the readability and understandability
of the records can never be recovered, and there can be serious legal consequences.
Most records are useful for only a short period of time, but some may need to
be retained for long periods or permanently.
Electronic records are being created at rates that pose signifi cant threats to
our ability to organize, control, and make them accessible for as long as they
are needed.

320 INFORMATION GOVERNANCE
Storage media are affected by the dual problems of obsolescence and decay. They
are fragile, have limited shelf life, and become obsolete in a matter of a few years.
Mitigating media obsolescence is critical to long-term digital preservation (LTDP) because
the bitstreams of 1s and 0s that comprise electronic records must be kept “alive”
through periodic transfer to new storage media.
In addition to these current conditions associated with technology and records
management, organizations face tremendous internal change management challenges t
with regard to reallocation of resources, business process improvements, collaboration
and coordination between business areas, accountability, and the dynamic integration
of evolving recordkeeping requirements. Building and sustaining the capability to
manage digital information over long periods of time is a shared responsibility of all
stakeholders.
Threats to Preserving Records
A number of known threats may degrade or destroy electronic records and data:
■ Failure of storage media. Storage media is inherently vulnerable to errors and
malfunction, including disk crashes. Solid-state drives (SSD) largely address
these concerns, as there are no moving parts and data can be stored without
needing electrical power.
■ Failure of computer systems. Computer hardware has moving parts and circuits
that deteriorate and fail over time, at an average rate called mean time between
failure. Some failures are complete and irrecoverable, and some are minor and
can be fi xed with no loss of data. Computer software is prone to bugs and mal-
ware that can compromise the safekeeping of data.
■ Systems and network communications failures. A small number of network commu-
nications is likely to contain errors or misreads, especially undetected check-
sum errors, which may impact the authenticity of a record. Network errors can
occur from changes or redirection of URLs, and any communication over a
network is subject to intrusions, errors, and hackers.
■ Component obsolescence. As hardware, software, and media age, they become ob-
solete over time, due to the continued innovation and advances by the computer
industry. Sometimes obsolescence is due to outdated component parts, changes
in software routines, or changes in the hardware to read removable media.
■ Human error. People make mistakes, and they can make mistakes in selecting,
classifying, storing, or handling archived records. Some of these errors may be
detected and can be remedied; some go unnoticed or cannot be fi xed.
■ Natural disaster. Hurricane Katrina is the clearest U.S. example of how a natu-
ral disaster can interrupt business operations and destroy business records, al-
though in some instances, damaged records were able to be recovered. Floods,
fi res, earthquakes, and other natural disasters can completely destroy or cause
media or computer hardware/software failures.
■ Attacks. Archived electronic records are subject to external attacks from
malware, such as viruses and worms, so preserved records must be scanned for
malware and kept separate from external threats. Preserved records also can
be subject to theft or damage from insiders, such as the theft of historical ra-

LONG-TERM DIGITAL PRESERVATION 321
dio recordings by a National Archives And Records Administration employee,
which was reported in 2012. Proper monitoring and auditing procedures must
be in place to detect and avoid these types of attacks.
■ Financial shortfall. It is expensive to preserve and maintain digital records.
Power, cooling and heating systems, personnel costs, and other preservation-
associated costs must be budgeted and funded.
■ Business viability. If an organization has fi nancial or legal diffi culties or suffers a
catastrophic disaster, it may not survive, placing the preserved records at risk.
Part of the planning process is to include consideration of successor organiza-
tion alternatives, should the originating organization go out of business. 3
The impact on the preserved records can be gauged by determining what per-
centage of the data has been lost and cannot be recovered or, for the data that can be
recovered, what the impact or delay to users may be.
It should be noted that threats can be interrelated and more than one type of
threat may impact records at a time. For instance, in the event of a natural disaster,
operators are more likely to make mistakes, and computer hardware failures can create
new software failures.
Digital Preservation Standards
The digital preservation community recognizes that open standard technology-neutral
standards play a key role in ensuring that digital records are usable, understandable,
and reliable for as far into the future as may be required.
There are two broad categories of digital preservation standards. The fi rst category in-
volves systems infrastructure capabilities and services that support a trustworthy re-
pository. The second category relates to open standard technology-neutral fi le formats.
Digi