Preface xvii Acknowledgments xix Part One-Information Governance Concepts, Definitions, and Principles 1 Chapter 1 The Information Governance Imperative 3 Early Development of IG 4 Big Data Impact 5 Defining Information Governance 7 IG is Not a Project, But an Ongoing Program 9 Why IG is Good Business 9 Failures in Information Governance 11 Form IG Policies, Then Apply Technology for Enforcement 14 Chapter 2 Information Governance, IT Governance, Data Governance: What's the Difference? 19 Data Governance 19 Data Governance Strategy Tips 20 IT Governance 21 IT Governance Frameworks 22 Information Governance 25 Impact of a Successful IG Program 25 Summing Up the Differences 26 Chapter 3 Information Governance Principles 29 The Sedona Conference (R) Commentary on Information Governance 29 Smallwood IG Principles 30 Accountability is Key 34 Generally Accepted Recordkeeping Principles (R) 35 Contributed by Charmaine Brooks Assessment and Improvement Roadmap 42 Information Security Principles 45 Privacy Principles 45 Who Should Determine IG Policies? 48 Part Two-Information Governance Risk Assessment and Strategic Planning 53 Chapter 4 Information Asset Risk Planning and Management 55 The Information Risk Planning Process 56 Create a Risk Profile 59 Information Risk Planning and Management Summary 65 Chapter 5 Strategic Planning and Best Practices for Information Governance 69 Crucial Executive Sponsor Role 70 Evolving Role of the Executive Sponsor 71 Building Your IG Team 72 Assigning IG Team Roles and Responsibilities 72 Align Your IG Plan with Organizational Strategic Plans 73 Survey and Evaluate External Factors 75 Formulating the IG Strategic Plan 81 Chapter 6 Information Governance Policy Development 87 The Sedona Conference IG Principles 87 A Brief Review of Generally Accepted Recordkeeping Principles (R) 88 IG Reference Model 88 Best Practices Considerations 91 Standards Considerations 92 Benefits and Risks of Standards 93 Key Standards Relevant to IG Efforts 93 Major National and Regional ERM Standards 98 Making Your Best Practices and Standards Selections to Inform Your IG Framework 105 Roles and Responsibilities 105 Program Communications and Training 106 Program Controls, Monitoring, Auditing, and Enforcement 107 Part Three-Information Governance Key Impact Areas 113 Chapter 7 Information Governance for Business Units 115 Start with Business Objective Alignment 115 Which Business Units are the Best Candidates to Pilot an IG Program? 117 What is Infonomics? 117 How to Begin an IG Program 118 Business Considerations for an IG Program 119 By Barclay T. Blair Changing Information Environment 119 Calculating Information Costs 121 Big Data Opportunities and Challenges 122 Full Cost Accounting for Information 123 Calculating the Cost of Owning Unstructured Information 124 The Path to Information Value 127 Challenging the Culture 129 New Information Models 129 Future State: What Will the IG-Enabled Organization Look Like? 130 Moving Forward 132 Chapter 8 Information Governance and Legal Functions 135 Robert Smallwood with Randy Kahn, Esq., and Barry Murphy Introduction to E-Discovery: The Revised 2006 and 2015 Federal Rules of Civil Procedure Changed Everything 135 Big Data Impact 137 More Details on the Revised FRCP Rules 138 Landmark E-Discovery Case: Zubulake v. UBS Warburg 139 E-Discovery Techniques 140 E-Discovery Reference Model 140 The Intersection of IG and E-Discovery 143 By Barry Murphy Building on Legal Hold Programs to Launch Defensible Disposition 146 By Barry Murphy Destructive Retention of E-Mail 147 Newer Technologies That Can Assist in E-Discovery 147 Defensible Disposal: The Only Real Way to Manage Terabytes and Petabytes 151 By Randy Kahn, Esq. Chapter 9 Information Governance and Records and Information Management Functions 161 Records Management Business Rationale 163 Why is Records Management So Challenging? 165 Benefits of Electronic Records Management 166 Additional Intangible Benefits 167 Inventorying E-Records 168 RM Intersection with Data Privacy Management 169 By Teresa Schoch Generally Accepted Recordkeeping Principles (R) 171 E-Records Inventory Challenges 172 Records Inventory Purposes 172 Records Inventorying Steps 173 Appraising the Value of Records 184 Ensuring Adoption and Compliance of RM Policy 184 Sample Information Asset Survey Questions 190 General Principles of a Retention Scheduling 191 Developing a Records Retention Schedule 192 Why are Retention Schedules Needed? 193 What Records Do You Have to Schedule? Inventory and Classification 195 Rationale for Records Groupings 196 Records Series Identification and Classification 197 Retention of E-Mail Records 197 How Long Should You Keep Old E-Mails? 199 Destructive Retention of E-Mail 199 Legal Requirements and Compliance Research 200 Event-Based Retention Scheduling for Disposition of E-Records 201 Prerequisites for Event-Based Disposition 202 Final Disposition and Closure Criteria 203 Retaining Transitory Records 204 Implementation of the Retention Schedule and Disposal of Records 204 Ongoing Maintenance of the Retention Schedule 205 Audit to Manage Compliance with the Retention Schedule 206 Chapter 10 Information Governance and Information Technology Functions 211 Data Governance 213 Steps to Governing Data Effectively 214 Data Governance Framework 215 Information Management 216 IT Governance 220 IG Best Practices for Database Security and Compliance 223 Tying It All Together 225 Chapter 11 Information Governance and Privacy and Security Functions 229 Information Privacy 229 By Andrew Ysasi Generally Accepted Privacy Principles 231 Fair Information Practices (FIPS) 232 OCED Privacy Principles 233 Madrid Resolution 2009 234 EU General Data Protection Regulation 235 GDPR: A Look at Its First Year 237 By Mark Driskill Privacy Programs 239 Privacy in the United States 240 Privacy Laws 244 Cybersecurity 245 Cyberattacks Proliferate 246 Insider Threat: Malicious or Not 247 Information Security Assessments and Awareness Training 248 By Baird Brueseke Cybersecurity Considerations and Approaches 253 By Robert Smallwood Defense in Depth 254 Controlling Access Using Identity Access Management 254 Enforcing IG: Protect Files with Rules and Permissions 255 Challenge of Securing Confidential E-Documents 256 Apply Better Technology for Better Enforcement in the Extended Enterprise 257 E-Mail Encryption 259 Secure Communications Using Record-Free E-Mail 260 Digital Signatures 261 Document Encryption 262 Data Loss Prevention (DLP) Technology 262 Missing Piece: Information Rights Management (IRM) 265 Embedded Protection 268 Hybrid Approach: Combining DLP and IRM Technologies 270 Securing Trade Secrets After Layoffs and Terminations 270 Persistently Protecting Blueprints and CAD Documents 271 Securing Internal Price Lists 272 Approaches for Securing Data Once It Leaves the Organization 272 Document Labeling 274 Document Analytics 275 Confidential Stream Messaging 275 Part Four-Information Governance for Delivery Platforms 283 Chapter 12 Information Governance for E-Mail and Instant Messaging 285 Employees Regularly Expose Organizations to E-Mail Risk 286 E-Mail Polices Should Be Realistic and Technology Agnostic 287 E-Record Retention: Fundamentally a Legal Issue 287 Preserve E-Mail Integrity and Admissibility with Automatic Archiving 288 Instant Messaging 291 Best Practices for Business IM Use 292 Technology to Monitor IM 293 Tips for Safer IM 294 Team and Channel Messaging Solutions Emerge 294 Chapter 13 Information Governance for Social Media 299 Dr. Patricia Franks and Robert Smallwood Types of Social Media in Web 2.0 299 Additional Social Media Categories 303 Social Media in the Enterprise 304 Key Ways Social Media is Different from E-Mail and Instant Messaging 305 Biggest Risks of Social Media 306 Legal Risks of Social Media Posts 307 Tools to Archive Social Media 309 IG Considerations for Social Media 311 Key Social Media Policy Guidelines 312 Records Management and Litigation Considerations for Social Media 313 Emerging Best Practices for Managing Social Media Records 315 Chapter 14 Information Governance for Mobile Devices 319 Current Trends in Mobile Computing 322 Security Risks of Mobile Computing 323 Securing Mobile Data 324 Mobile Device Management (MDM) 324 IG for Mobile Computing 325 Building Security into Mobile Applications 326 Best Practices to Secure Mobile Applications 330 Developing Mobile Device Policies 330 Chapter 15 Information Governance for Cloud Computing 335 Monica Crocker and Robert Smallwood Defining Cloud Computing 336 Key Characteristics of Cloud Computing 337 What Cloud Computing Really Means 338 Cloud Deployment Models 339 Benefits of the Cloud 340 Security Threats with Cloud Computing 341 Managing Documents and Records in the Cloud 351 IG Guidelines for Cloud Computing Solutions 351 IG for SharePoint and Office365 352 By Robert Bogue Chapter 16 Leveraging and Governing Emerging Technologies 357 Data Analytics 357 Descriptive Analytics 358 Diagnostic Analytics 358 Predictive Analytics 358 Prescriptive Analytics 359 Which Type of Analytics is Best? 359 Artificial Intelligence 363 The Role of Artificial Intelligence in IG 363 Blockchain: A New Approach with Clear Advantages 366 By Darra Hoffman Breaking Down the Definition of Blockchain 366 The Internet of Things: IG Challenges 372 IoT as a System of Contracts 375 IoT Basic Risks and IG Issues 376 IoT E-Discovery Issues 377 Why IoT Trustworthiness is a Journey and Not a Project 380 By Bassam Zarkout Governing the IoT Data 381 IoT Trustworthiness 382 Information Governance Versus IoT Trustworthiness 384 IoT Trustworthiness Journey 385 Conclusion 386 Part Five-Long-Term Program Issues 391 Chapter 17 Long-Term Digital Preservation 393 Charles M. Dollar and Lori J. Ashley Defining Long-Term Digital Preservation 393 Key Factors in Long-Term Digital Preservation 394 Threats to Preserving Records 396 Digital Preservation Standards 397 PREMIS Preservation Metadata Standard 404 Recommended Open Standard Technology-Neutral Formats 405 Digital Preservation Requirements 409 Long-Term Digital Preservation Capability Maturity Model (R) 409 Scope of the Capability Maturity Model 412 Digital Preservation Capability Performance Metrics 416 Digital Preservation Strategies and Techniques 417 Evolving Marketplace 419 Looking Forward 420 Conclusion 421 Chapter 18 Maintaining an Information Governance Program and Culture of Compliance 425 Monitoring and Accountability 425 Change Management-Required 426 By Monica Crocker Continuous Process Improvement 429 Why Continuous Improvement is Needed 430 Appendix A Information Organization and Classification: Taxonomies and Metadata 433 Barb Blackburn, CRM, with Robert Smallwood; edited by Seth Earley Importance of Navigation and Classification 435 When is a New Taxonomy Needed? 435 Taxonomies Improve Search Results 436 Metadata and Taxonomy 437 Metadata Governance, Standards, and Strategies 438 Types of Metadata 440 Core Metadata Issues 441 International Metadata Standards and Guidance 442 Records Grouping Rationale 446 Business Classification Scheme, File Plans, and Taxonomy 446 Classification and Taxonomy 447 Prebuilt Versus Custom Taxonomies 448 Thesaurus Use in Taxonomies 449 Taxonomy Types 449 Business Process Analysis 453 Taxonomy Testing: A Necessary Step 457 Taxonomy Maintenance 457 Social Tagging and Folksonomies 458 Appendix B Laws and Major Regulations Related to Records Management 463 United States 463 Gramm-Leach-Bliley Act 463 Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA) 463 PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001) 464 Sarbanes-Oxley Act (SOX) 464 SEC Rule 17A-4 464 CFR Title 47, Part 42-Telecommunications 464 CFR Title 21, Part 11-Pharmaceuticals 464 US Federal Authority on Archives and Records: National Archives and Records Administration (NARA) 465 US Code of Federal Regulations 465 Canada 466 United Kingdom 468 Australia 469 Identifying Records Management Requirements in Other Legislation 471 Appendix C Laws and Major Regulations Related to Privacy 475 United States 475 European Union General Data Protection Regulation (GDPR) 476 Major Privacy Laws Worldwide, by Country 478 Glossary 481 About the Author 499 About the Major Contributors 501 Index 505
