Ask the Expert - Legal / Compliance
About the Expert:
Fiona Schrader is group product manager within the Compliance Business Unit at EMC. She is responsible for the product management and market release of EMC’s Records Manager Solution, which comprises retention policy services, records manager, physical records manager, and federated records manager products.
Schrader can be contacted at fiona.schrader@emc.com.
Questions:
Developing an organization-wide information governance strategy helps an organization keep tabs on its valuable business assets. The first step is to consider all the different sources of information that reside within the organization. Devising an information governance strategy has its benefits, challenges, and risks. Recognizing its importance, some organizations are creating task forces or other internal committees to develop the strategies, policies, and procedures that govern the internal and external distribution of information.
Q: What is information governance?
Information governance is the umbrella term used to cover compliance, e-discovery, and archiving requirements. It refers to the practice or management of an organization’s information in adherence to internal, local, state, and federal regulations. It ensures an organization has a response to any questions about its management of information and how it can respond to any internal or external audits, investigations, FOIA requests, or lawsuits involving e-discovery.
Q: What is the value of information governance?
The value of information governance to an organization is multi-faceted.
- It enables an organization to know what information it has, the various types of information it stores, where the information is stored, and what value it provides. With this knowledge, that information can be leveraged, and resources will not be wasted on trying to determine if it already exists or recreating it.
- It helps the organization manage its information in accordance with its policies and requirements. The policies can be either internally or externally driven, but the ultimate ideal is that information is stored for its appropriate life and then disposed of at the end of that life. This means that information stores are actually being maintained accordingly, which ultimately should lower the cost of information management.
Q: What are the components of an information governance strategy?
The components of an information governance strategy are varied.
Technical components include where the information is physically stored, what archiving tools are being used, and how backups are being run and stored.
Legal components include where the organization gets its retention policies; who is responsible for maintaining the policies; how it is managing legal holds; and who is responsible for hold creation, approval, application, and removal. These components distinguish between internally and externally driven policies and identify any legal mandates.
Organizational policy components include policies that define records and compliance, as well as the information-related responsibilities of users and managers.
Information components concern how various types of information are managed – including whether the organization is managing electronic information in one way and physical information in another, or whether it is managing all types of information in the same manner – and what the plans are for managing physical information (e.g., to scan it or manage it in place).
Future plan components include identifying new types of information that might be created, how the organization will manage those types, and how the information governance team will be made aware of this information.
Q: How does an organization assess its information governance strategy?
- A first step in assessing the effectiveness of an information governance strategy is to review the organization’s definitions of “compliance” and “records” to ensure that they are current, reflecting recent regulatory changes, for example. Then, check to verify that the definitions have been communicated throughout the organization.
- Determine whether the organization is managing all of its information – not just e-mail or other specific types of information – in a consistent manner.
- Check to see that the organization is not compartmentalizing its information, managing physical and electronic information separately, for example, or scanning physical content and continuing to manage it physically, as well as in its new electronic form.
- Verify that the organization is not managing electronic information by format type (e.g., e-mails, normal office documents, wikis, blogs, IMs), rather than by the information’s content (e.g., contracts, correspondence, financial).
- Examine the organization’s retention and disposition processes for effectiveness, ensuring that both physical and electronic information are addressed, retention schedules are current, procedures are in place to obtain authorization signoffs for disposition, and that appropriate disposition is occurring.
- Determine that all groups who are responsible for managing information stores are working together and that they understand who is responsible for what information and what their roles are.
Q: How does information governance help an organization gain control of information in disparate systems across the enterprise?
Information governance is meant to be applied company-wide to ensure the organization can access, use, and manage all information assets regardless of where they reside, such as in a file cabinet, a legacy system, or an internal or external website. In practice, many organizations have applied this discipline only to select parts of their total information assets and they must now extend the practice across all of them.
Q: What is the importance of collaboration with other business units, such as legal and IT, in supporting an information governance strategy?
Organizations must ensure that all of the groups who manage information are aware of the policies and are all following the same set of procedures. Legal, IT, records management, and other business units play an integral role within an organization’s information governance strategy; without their collaboration, the strategy could not be truly global.
For example, information is not truly being managed if IT, which is responsible for – among other things – managing the physical storage of the information, running backups, and installing new software, is not involved.
Conversely, if the records management group is not aware of what IT is doing for backups and addressing that process in the retention and disposition strategies, those strategies will not be effective. Legal must be involved in the retention and disposition processes, too, as it is generally the stakeholder of internal retention policies, as well as of responses to e-discovery requests.
Legal must work with records management and IT to ensure that holds are placed, suspending the disposition process for the relevant information, and then removed as their corresponding cases are completed, allowing the disposition process to resume and ensuring that information is kept only for the appropriate period of time.
Finally, there are the end users. If they are not aware of the information governance strategy, they may expose the organization to unnecessary risk.
Q: What are the roles and responsibilities of employees for adhering to an information governance strategy?
Employees are key contributors to the success of the organization’s information governance strategy. They must understand the strategy and manage their information in accordance with information policies and procedures. If all information is stored appropriately, for example, all users will have access to information that is appropriate and necessary to their jobs, which is a key factor for business success. Employees also need to understand the ramifications of not adhering to information policies and procedures so they don’t expose the organization to unnecessary risks.
Question:
Does PCI compliance apply to record centers that store hard-copy documents containing credit card information?
Answer:
PCI does apply to anyone who is storing credit card information in any format - electronic or physical. They have to be able to demonstrate secure, controlled management processes to ensure that the credit card information is not leaked to any type of external organization.