So, what is Information Governance? This question is really tough to answer. One starting point is to review the Information Governance Maturity Model.
The five-level model is fairly standard:
- Level 1 (Sub-standard). IG and record keeping are not addressed at all, addressed minimally, or addressed in an ad-hoc manner. The primary concern here is legal/regulatory scrutiny.
- Level 2 (In development). There's a "developing recognition" that there should be some focus on IG and records. Practices are largely undefined or incomplete.
- Level 3 (Essential). There are defined policies and procedures and there has been some implementation. The focus is primarily on risk, and there are still opportunities for business improvement and cost control.
- Level 4 (Proactive). There is a proactive IG program in place and it receives some continuous improvement. It does not, however, transform itself through the effective use of information.
- Level 5 (Transformational). IG is integrated into its overall corporate infrastructure.
One starting point could be to assess each descriptor in the governance model to determine where a particular organization currently stands and where it could/should be.
The model presents an approach for execution, basically:
1. Determine a target maturity level.
2. Determine the maturity level of current practices.
3. Based on the gaps identified, assess the risks and opportunities.
4. Determine priorities and accountability.
5. Monitor, assess, and improve (continuously).
The model is based on the following eight principles, each with its own set of descriptors: accountability, transparency, integrity, protection, compliance, availability, retention, and disposition.

Accountability. A senior executive oversees the program and there are effective policies and procedures in place.
- No senior executive is responsible.
- Records manager role doesn't exist.
- No management of information assets.
- No senior executive is responsible.
- There is a recognized records manager role but it focuses on defined records, not on information as a whole.
- Records management only addresses paper.
- IT has de facto responsibility for ESI and records management is not involved.
- No systematic storage of information.
- Organization has some awareness that it needs to govern information assets.
- RM role is recognized and operates on an organization-wide basis.
- RM includes electronic records.
- RM is engaged in strategic information and records management initiatives.
- Senior management is aware of the RM program.
- Enterprise wants to expand the information governance program to the whole organization.
- Organization has specific defined goals for accountability.
- Organization has an information governance professional who also oversees records management.
- RM is the senior officer responsible for all aspects of the RIM program.
- Stakeholder committee meets on a regular basis to review disposition and other RM issues.
- Senior management and board put emphasis on IG.
- Information governance leadership is part of the organization's governing body.
- Organization has a process to ensure goals for accountability are routinely reviewed and revised.

Transparency. Business processes and activities (including IG) are documented and the documentation is openly available.
- Difficult to obtain timely information about the business or records management.
- Records and IM processes are not well defined or documentation is not available.
- No emphasis on transparency.
- Cannot support information requests, ediscovery, regulatory responses, FOIA, etc.
- No controls for information disclosure.
- Organization recognizes the need for process transparency.
- Some transparency exists where it is mandated by regulation.
- Organization has started to document both business and RIM processes.
- Transparency in processes is taken seriously and information is available when required.
- There is a policy regarding transparency in business and records and information management.
- Employees are trained on the importance of transparency.
- Organization has defined specific goals related to information governance transparency.
- Business and RIM processes are documented.
- Organization can accommodate requests for information.
- Transparency is an essential part of the corporate culture.
- The organization monitors compliance.
- Process documentation is monitored and updated consistently.
- Information requests are managed through regular business processes.
- Senior management considers transparency to be a key component.
- Automation is in place to facilitate transparency.
- Information requestors are consistently satisfied with the transparency.
- Organization has processes to ensure that transparency goals are reviewed and revised.

Integrity. The IG program ensures that information has a "reasonable and suitable guarantee of authenticity and reliability."
- No audits or defined processes for showing authenticity of information or records.
- Organizational functions use ad hoc approaches for chain of custody and authenticity.
- There is no guarantee of trustworthiness.
- Some records and information have metadata to demonstrate authenticity.
- No formal process for metadata or chain of custody.
- Acknowledgement that metadata and chain of custody are important, but control is at the departmental level.
- Formal process to ensure the level of authenticity and chain of custody.
- Data elements are captured to demonstrate policy compliance.
- Organization has defined goals for integrity.
- Clear definition of metadata requirements for systems, applications, and records.
- Metadata requirements include security and signature requirements.
- Metadata definition process is part of the RM practice.
- Formal process for introducing new records-generating systems and processes, including metadata, authenticity requirements, and chain of custody.

Protection. A reasonable level of protection is provided for records and information that are confidential, privileged, secret, classified, or essential for business continuity.
- No consideration for information protection.
- Haphazard storage of information and records.
- Access controls -- if any -- are assigned by the author.
- Some protection of assets.
- There is a policy for records and information that require protection, but the policy doesn't provide clear guidelines for all media types.
- Employee training isn't formalized.
- Policy doesn't address the sharing of protected information among internal and external stakeholders.
- Access controls are implemented by content owners.
- Formal written policy for protecting records and information.
- Confidentiality and privacy considerations are well-defined within the organization.
- Chain of custody is defined.
- Employee training is available.
- Records and information audits are conducted only in regulated areas of the business. Audits in other areas are at the discretion of the functional area.
- Organization has defined goals related to records and information protection.
- Automated systems provide for protection of information.
- Employee training is formalized and documented.
- Compliance auditing occurs on a regular basis.
- Senior management and the governing body put emphasis on the protection of information.
- Audit information is regularly examined and there is continuous improvement.
- Information disclosure or loss is rare.
- Initial protection goals have been met and there is a process of routine review and revision.

Compliance. The RIM program complies with laws and regulations.
- No clear understanding of what the organization needs to keep.
- Information isn't systematically managed.
- Information management occurs at the department level based on each department's local understanding.
- No oversight or guidance for defensible disposition or IG.
- No defined process for information production.
- Significant exposure to adverse consequences.
- Organization has identified some rules and regulations.
- Organization has introduced some compliance policies, but they are not complete.
- No accountability or control processes.
- The organization has identified key compliance laws.
- Information creation and capture are generally carried out in accordance with RIM principles.
- The code of business conduct is integrated into the overall IT structure.
- Compliance is valued and measurable.
- Hold process is integrated into IM and discovery processes.
- Organization has defined compliance goals.
- Organization has reduced exposure due to poor information management and governance.
- Organization has automated the capture and protection of information from key systems/repositories.
- Records are linked with metadata to demonstrate compliance.
- Lack of compliance is monitored and remedied.
- Records of training and audits are available.
- Legal, audit, and information production processes have defined roles and repeatable processes integrated into the IG program.
- Organization is at low risk of exposure due to poor information management.
- Importance of compliance is recognized at the senior management/governing body level.
- Auditing and continuous improvement are monitored by senior management.
- Roles and processes for IM and discovery are integrated.
- Processes are well-developed and effective.
- Organization has practically no exposure due to poor information management.
- Initial compliance goals have been met and there is a process of routine review and revision.

Availability. Information and records should be available in a timely, efficient, and accurate manner.
- Records and information are not available when needed.
- It is unclear who is responsible for information retrieval.
- It takes time to find the correct version (current, final, signed, etc.), if it can be found at all.
- There are no finding aids such as indices, metadata, etc.
- Information requests are difficult because it's unclear where information resides.
- Records and information retrieval mechanisms are in place in some parts of the organization.
- It's possible to distinguish records, duplicates, and non-records where there are retrieval mechanisms.
- There are some policies on where to store information, but the policies aren't consistently applied throughout the organization.
- Responding to information requests is difficult due to inconsistent information storage.
- There is a standard for the storage and protection of records and information.
- There are defined policies for handling records and information.
- Retrieval mechanisms are consistent and effective.
- It is generally easy to determine where to find final and authentic versions of information.
- Information request processes are defined and systematic.
- Existing systems and infrastructure facilitate information availability.
- Organization has specific goals related to records and information availability.
- IG policies have been communicated to employees.
- There are guidelines and inventories of systems and associated information assets.
- Records and information are available when required.
- Systems and controls are in place for information requests.
- Holds and information requests are automated.
- Senior management/governing body support processes to upgrade records and information availability.
- Training and continuous improvement are available across the organization.
- There is a measurable ROI for records and information availability.
- Initial availability goals have been met and there is a process of routine review and revision.

Retention. Information and records are kept for an appropriate amount of time considering legal, regulatory, fiscal, operational, and historical requirements.
- There is no documented records retention schedule or policy.
- Applicable rules and regulations defining retention are not identified or centralized.
- Retention guidelines are haphazard.
- Employees either keep everything or dispose of records and information based on their own business needs.
- A retention schedule and policies are available but do not get reviewed, don't apply to all information, or are not well known.
- Retention schedule and policies are not updated or maintained.
- No training on the retention schedule is available.
- The organization has a policy for retention.
- The retention schedule is consistently applied throughout the organization.
- Employees are knowledgeable about the retention policy and their individual responsibilities.
- The organization has specific goals related to retention.
- Employees can classify records and information appropriately.
- Retention training is in place.
- Retention schedules are regularly reviewed and there is a revision process.
- Records and information retention is a major organizational objective.
- Retention is important at the senior management/governing body level.
- Retention is applied to all information in the organization, not just records.
- Information is consistently retained for an appropriate period of time.
- Initial retention goals have been met and there is a process of routine review and revision.

Disposition. The program provides for secure and appropriate disposition of records and information.
- There is no documentation of the processes for transferring or disposing of records or information.
- There is no process for suspending disposition.
- Different departments have different approaches to holds and disposition.
- Preliminary guidelines for disposition exist.
- Realization of the importance of consistent holds or suspended disposition.
- No auditing or enforcement of disposition.
- Procedures for records and information disposition and transfer exist.
- Policy and procedures for holds exist.
- The policies and procedures might not be consistent across the enterprise.
- Organization has defined specific goals related to disposition.
- Disposition procedures are understood by all and regularly applied.
- The disposition process is defined, understood, and consistently applied.
- Records and information in all media are disposed of in an appropriate manner.
- Disposition processes cover all records and information in all media.
- Disposition is automated and integrated into all applications and supporting systems.
- Disposition processes are consistent and effective.
- Disposition processes are regularly evaluated and improved.
- Initial disposition goals have been met and there is a process of routine review and revision.