of 16/16
Why Information Governance….instead of Records & Information Management? Angela Fares, RHIA, CRM, CISA, CGEIT, CRISC, CISM 817.352.4929 or [email protected] May 12, 2015

Why Information Governance….instead of Records & Information Management? Angela Fares, RHIA, CRM, CISA, CGEIT, CRISC, CISM 817.352.4929 or [email protected]

  • View

  • Download

Embed Size (px)

Text of Why Information Governance….instead of Records & Information Management? Angela Fares, RHIA, CRM,...

Why Information Governance.instead of Records & Information Management?

Why Information Governance.instead of Records & Information Management?Angela Fares, RHIA, CRM, CISA, CGEIT, CRISC, CISM817.352.4929 or [email protected] 12, 2015

Why Information Governance?Explosive growth of information outside of traditional records and information management venues.Challenges to maintenance of data integrity, availability, and data control in the face of massive volumes of data.Technology advances that have culturally changed how we create, capture, use, retrieve, and manage records.Regulatory requirements that require new measures of security and protection of information.Regulatory requirements that require production of data rather than just records (information that is not a distinct physical document.

2What is Information Governance?Security, control, and optimization of informationRobert Smallwood

Information governance is the activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.Information Governance Initiative

Comprehensive, holistic approach to information management that manages information throughout its lifecycle.Penny Quirk

Information is secure in its three states: at rest, in transit, and in use. It means that your organizational IG processes control who has access to which information, and when. And it means that garbage information is destroyed and the most valuable information is leveraged to provide new insights and valuein other words, it is optimized.

Information security and control helps reduce risks and costs and also ensures that you are getting an appropriate return on investment, which means that your information is optimized because you are only keeping what you need and getting rid of what you dont.

Holistic information management means that a program is elevated to part of the corporate governance program and focuses specifically on management of information assets in accordance with a framework.3BenefitsRetention of information in compliance with regulations, operating needs, and legal hold requirements.Systematic disposition of information when it has no further legal or business valueImproved access to and preservation of needed information for both business and legal purposes.Protection of private and sensitive information requiring heightened security controls and oversight.Overall contribution to the mission and vision of an organization.

Key Components: Information Governance Steering CommitteeExecutive LeadershipInclusive RepresentationWorking TeamsInformation Stewards/Coordinators

Key Components: Information Governance PolicyScopePurposeObjectivesResponsibilitiesStandards

May also need to review other policies including privacy, security, and retention scheduling.6Key Components: Information MappingRetention ScheduleDiscovery Data MapsApplication ProfilesInformation Security and Data Classification InventoriesPrivacy Data FlowsHistorical Records PreservationVital Records ProtectionDefinitions

Key Components: Information Governance StrategyCreating a common language of definitionsProcess for management of physical recordsProcess for management of structured databasesProcess for management of unstructured content: Email, collaborative environments, information shares, etc.Process for risk-based assessments that are aligned with corporate goals and strategies

Key Components:Privacy and SecurityPrivacy Policy and ProgramData Loss PreventionData MinimizationInformation Storage ProgramBreach Response Program

Key ComponentsEmployee Training & ComplianceNew employeesExisting employeesContractorsThird Parties

Key Components:Discovery Readiness ProgramEnsure that the discovery process is managed, executed, and documented in a repeatable and defensible manner.Establish and communicate roles and responsibilities of each member of the discovery readiness team.Comply with applicable state and federal laws as well as best practice guidelines and recommendations pertaining to discovery.Reasonably respond to regulatory inquiries, discovery requests, and subpoenas in an efficient, effective, and fiscally responsible way.

Key Components:Measure and AdjustRisk AssessmentsFollow-UpMonitoringControlled Self AssessmentsChange ControlProject Team Participation

Key Components:Success Metrics!Number of employees that complete training on privacy and information management.Identification and elimination of duplicate, unstructured content on file shares using file analysis software.Elimination of orphaned content from decommissioned systems, terminated employees, and abandoned projects.Successful completion of intrusion detection, data leakage, or vulnerability testing.Employees trained on information privacy, management, and security.Successful defense against cyber attacks.Reduced costs for discovery.Reduction of storage space consumed.

Information Governance: A New Program

Future ChallengesCulturePoor data qualityCostRiskPrivacy

Culture: Keep everything so that we dont delete anything by accident. Information management is time-consuming, boring, and expensive.

Poor Data Quality: Information is so easy to capture as fact but lack of controls can make timely, accurate business decisions hard to makeparticularly if you have to sort through bad data to get to the good data.

Cost: Storage is not free and the cost of collecting, protecting, and managing information is expensive. Discovery costs can be massive if information is not managed.

Risk: Information is an asset and, if not adequately controlled, can prove to be a risk and liability.

Privacy: Many international companies require the removal of information about their organizations to be removed when it is no longer required and PII, PHI, and PCI information must be carefully guarded. Even if defense tools get better, so will the cyber attack tools. Clouds are making information much for vulnerable than ever before.15Future RolesData StewardsInformation Governance ProfessionalsProject ManagersBusiness AnalystsBusiness Process EngineersInformation AnalystsInformation Security Officers and Privacy OfficersInformation Technology AuditorsCompliance or Information Officers