COVER
PREFACE
ACKNOWLEDGMENTS
PART ONE: Information Governance Concepts, Definitions, and Principles
1. CHAPTER 1: The Information Governance Imperative
  1. Early Development of IG
  2. Big Data Impact
  3. Defining Information Governance
  4. IG Is Not a Project, But an Ongoing Program
  5. Why IG Is Good Business
  6. Failures in Information Governance
  7. Form IG Policies, Then Apply Technology for Enforcement
  8. Notes
2. CHAPTER 2: Information Governance, IT Governance, Data Governance: What's the Difference?
  1. Data Governance
  2. Data Governance Strategy Tips
  3. IT Governance
  4. IT Governance Frameworks
  5. Information Governance
  6. Impact of a Successful IG Program
  7. Summing Up the Differences
  8. Notes
3. CHAPTER 3: Information Governance Principles
  1. The Sedona Conference® Commentary on Information Governance
  2. Smallwood IG Principles
  3. Accountability Is Key
  4. Generally Accepted Recordkeeping Principles®
  5. Assessment and Improvement Roadmap
  6. Information Security Principles
  7. Privacy Principles
  8. Who Should Determine IG Policies?
  9. Notes
PART TWO: Information Governance Risk Assessment and Strategic Planning
1. CHAPTER 4: Information Asset Risk Planning and Management
  1. The Information Risk Planning Process
  2. Create a Risk Profile
  3. Information Risk Planning and Management Summary
  4. Notes
2. CHAPTER 5: Strategic Planning and Best Practices for Information Governance
  1. Crucial Executive Sponsor Role
  2. Evolving Role of the Executive Sponsor
  3. Building Your IG Team
  4. Assigning IG Team Roles and Responsibilities
  5. Align Your IG Plan with Organizational Strategic Plans
  6. Survey and Evaluate External Factors
  7. Formulating the IG Strategic Plan
  8. Notes
3. CHAPTER 6: Information Governance Policy Development
  1. The Sedona Conference IG Principles
  2. A Brief Review of Generally Accepted Recordkeeping Principles®
  3. IG Reference Model
  4. Best Practices Considerations
  5. Standards Considerations
  6. Benefits and Risks of Standards
  7. Key Standards Relevant to IG Efforts
  8. Major National and Regional ERM Standards
  9. Making Your Best Practices and Standards Selections to Inform Your IG Framework
  10. Roles and Responsibilities
  11. Program Communications and Training
  12. Program Controls, Monitoring, Auditing, and Enforcement
  13. Notes
PART THREE: Information Governance Key Impact Areas
1. CHAPTER 7: Information Governance for Business Units
  1. Start with Business Objective Alignment
  2. Which Business Units Are the Best Candidates to Pilot an IG Program?
  3. What Is Infonomics?
  4. How to Begin an IG Program
  5. Business Considerations for an IG Program
  6. Changing Information Environment
  7. Calculating Information Costs
  8. Big Data Opportunities and Challenges
  9. Full Cost Accounting for Information
  10. Calculating the Cost of Owning Unstructured Information
  11. The Path to Information Value
  12. Challenging the Culture
  13. New Information Models
  14. Future State: What Will the IG-Enabled Organization Look Like?
  15. Moving Forward
  16. Notes
2. CHAPTER 8: Information Governance and Legal Functions
  1. Introduction to E-Discovery: The Revised 2006 and 2015 Federal Rules of Civil Procedure Changed Everything
  2. Big Data Impact
  3. More Details on the Revised FRCP Rules
  4. Landmark E-Discovery Case: Zubulake v. UBS Warburg
  5. E-Discovery Techniques
  6. E-Discovery Reference Model
  7. The Intersection of IG and E-Discovery
  8. Building on Legal Hold Programs to Launch Defensible Disposition
  9. Destructive Retention of E-Mail
  10. Newer Technologies That Can Assist in E-Discovery
  11. Defensible Disposal: The Only Real Way to Manage Terabytes and Petabytes
  12. Notes
3. CHAPTER 9: Information Governance and Records and Information Management Functions
  1. Records Management Business Rationale
  2. Why Is Records Management So Challenging?
  3. Benefits of Electronic Records Management
  4. Additional Intangible Benefits
  5. Inventorying E-Records
  6. RM Intersection with Data Privacy Management
  7. Generally Accepted Recordkeeping Principles®
  8. E-Records Inventory Challenges
  9. Records Inventory Purposes
  10. Records Inventorying Steps
  11. Appraising the Value of Records
  12. Ensuring Adoption and Compliance of RM Policy
  13. Sample Information Asset Survey Questions
  14. General Principles of a Retention Scheduling
  15. Developing a Records Retention Schedule
  16. Why Are Retention Schedules Needed?
  17. What Records Do You Have to Schedule? Inventory and Classification
  18. Rationale for Records Groupings
  19. Records Series Identification and Classification
  20. Retention of E-Mail Records
  21. How Long Should You Keep Old E-Mails?
  22. Destructive Retention of E-Mail
  23. Legal Requirements and Compliance Research
  24. Event-Based Retention Scheduling for Disposition of E-Records
  25. Prerequisites for Event-Based Disposition
  26. Final Disposition and Closure Criteria
  27. Retaining Transitory Records
  28. Implementation of the Retention Schedule and Disposal of Records
  29. Ongoing Maintenance of the Retention Schedule
  30. Audit to Manage Compliance with the Retention Schedule
  31. Notes
4. CHAPTER 10: Information Governance and Information Technology Functions
  1. Data Governance
  2. Steps to Governing Data Effectively
  3. Data Governance Framework
  4. Information Management
  5. IT Governance
  6. IG Best Practices for Database Security and Compliance
  7. Tying It All Together
  8. Notes
5. CHAPTER 11: Information Governance and Privacy and Security Functions
  1. Information Privacy
  2. Generally Accepted Privacy Principles
  3. Fair Information Practices (FIPS)
  4. OCED Privacy Principles
  5. Madrid Resolution 2009
  6. EU General Data Protection Regulation
  7. GDPR: A Look at Its First Year
  8. Privacy Programs
  9. Privacy in the United States
  10. Privacy Laws
  11. Cybersecurity
  12. Cyberattacks Proliferate
  13. Insider Threat: Malicious or Not
  14. Information Security Assessments and Awareness Training
  15. Cybersecurity Considerations and Approaches
  16. Defense in Depth
  17. Controlling Access Using Identity Access Management
  18. Enforcing IG: Protect Files with Rules and Permissions
  19. Challenge of Securing Confidential E-Documents
  20. Apply Better Technology for Better Enforcement in the Extended Enterprise
  21. E-Mail Encryption
  22. Secure Communications Using Record-Free E-Mail
  23. Digital Signatures
  24. Document Encryption
  25. Data Loss Prevention (DLP) Technology
  26. Missing Piece: Information Rights Management (IRM)
  27. Embedded Protection
  28. Hybrid Approach: Combining DLP and IRM Technologies
  29. Securing Trade Secrets After Layoffs and Terminations
  30. Persistently Protecting Blueprints and CAD Documents
  31. Securing Internal Price Lists
  32. Approaches for Securing Data Once It Leaves the Organization
  33. Document Labeling
  34. Document Analytics
  35. Confidential Stream Messaging
  36. Notes
PART FOUR: Information Governance for Delivery Platforms
1. CHAPTER 12: Information Governance for E-Mail and Instant Messaging
  1. Employees Regularly Expose Organizations to E-Mail Risk
  2. E-Mail Polices Should Be Realistic and Technology Agnostic
  3. E-Record Retention: Fundamentally a Legal Issue
  4. Preserve E-Mail Integrity and Admissibility with Automatic Archiving
  5. Instant Messaging
  6. Best Practices for Business IM Use
  7. Technology to Monitor IM
  8. Tips for Safer IM
  9. Team and Channel Messaging Solutions Emerge
  10. Notes
2. CHAPTER 13: Information Governance for Social Media
  1. Types of Social Media in Web 2.0
  2. Additional Social Media Categories
  3. Social Media in the Enterprise
  4. Key Ways Social Media Is Different from E-Mail and Instant Messaging
  5. Biggest Risks of Social Media
  6. Legal Risks of Social Media Posts
  7. Tools to Archive Social Media
  8. IG Considerations for Social Media
  9. Key Social Media Policy Guidelines
  10. Records Management and Litigation Considerations for Social Media
  11. Emerging Best Practices for Managing Social Media Records
  12. Notes
3. CHAPTER 14: Information Governance for Mobile Devices
  1. Current Trends in Mobile Computing
  2. Security Risks of Mobile Computing
  3. Securing Mobile Data
  4. Mobile Device Management (MDM)
  5. IG for Mobile Computing
  6. Building Security into Mobile Applications
  7. Best Practices to Secure Mobile Applications
  8. Developing Mobile Device Policies
  9. Notes
4. CHAPTER 15: Information Governance for Cloud Computing
  1. Defining Cloud Computing
  2. Key Characteristics of Cloud Computing
  3. What Cloud Computing Really Means
  4. Cloud Deployment Models
  5. Benefits of the Cloud
  6. Security Threats with Cloud Computing
  7. Managing Documents and Records in the Cloud
  8. IG Guidelines for Cloud Computing Solutions
  9. IG for SharePoint and Office365
  10. Notes
5. CHAPTER 16: Leveraging and Governing Emerging Technologies
  1. Data Analytics
  2. Descriptive Analytics
  3. Diagnostic Analytics
  4. Predictive Analytics
  5. Prescriptive Analytics
  6. Which Type of Analytics Is Best?
  7. Artificial Intelligence
  8. The Role of Artificial Intelligence in IG
  9. Blockchain: A New Approach with Clear Advantages
  10. Breaking Down the Definition of Blockchain
  11. The Internet of Things: IG Challenges
  12. IoT as a System of Contracts
  13. IoT Basic Risks and IG Issues
  14. IoT E-Discovery Issues
  15. Why IoT Trustworthiness Is a Journey and Not a Project
  16. Governing the IoT Data
  17. IoT Trustworthiness
  18. Information Governance Versus IoT Trustworthiness
  19. IoT Trustworthiness Journey
  20. Conclusion
  21. Notes
PART FIVE: Long-Term Program Issues
1. CHAPTER 17: Long-Term Digital Preservation
  1. Defining Long-Term Digital Preservation
  2. Key Factors in Long-Term Digital Preservation
  3. Threats to Preserving Records
  4. Digital Preservation Standards
  5. PREMIS Preservation Metadata Standard
  6. Recommended Open Standard Technology–Neutral Formats
  7. Digital Preservation Requirements
  8. Long-Term Digital Preservation Capability Maturity Model®
  9. Scope of the Capability Maturity Model
  10. Digital Preservation Capability Performance Metrics
  11. Digital Preservation Strategies and Techniques
  12. Evolving Marketplace
  13. Looking Forward
  14. Conclusion
  15. Notes
2. CHAPTER 18: Maintaining an Information Governance Program and Culture of Compliance
  1. Monitoring and Accountability
  2. Change Management—Required
  3. Continuous Process Improvement
  4. Why Continuous Improvement Is Needed
  5. Notes
APPENDIX A: Information Organization and Classification: Taxonomies and Metadata
1. Importance of Navigation and Classification
2. When Is a New Taxonomy Needed?
3. Taxonomies Improve Search Results
4. Metadata and Taxonomy
5. Metadata Governance, Standards, and Strategies
6. Types of Metadata
7. Core Metadata Issues
8. International Metadata Standards and Guidance
9. Records Grouping Rationale
10. Business Classification Scheme, File Plans, and Taxonomy
11. Classification and Taxonomy
12. Prebuilt Versus Custom Taxonomies
13. Thesaurus Use in Taxonomies
14. Taxonomy Types
15. Business Process Analysis
16. Taxonomy Testing: A Necessary Step
17. Taxonomy Maintenance
18. Social Tagging and Folksonomies
19. Endnotes
APPENDIX B: Laws and Major Regulations Related to Records Management
1. United States
2. Gramm-Leach-Bliley Act
3. Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA)
4. PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001)
5. Sarbanes-Oxley Act (SOX)
6. SEC Rule 17A-4
7. CFR Title 47, Part 42—Telecommunications
8. CFR Title 21, Part 11—Pharmaceuticals
9. US Federal Authority on Archives and Records: National Archives and Records Administration (NARA)
10. US Code of Federal Regulations
11. Canada*
12. United Kingdom
13. Australia
14. Identifying Records Management Requirements in Other Legislation
15. Notes
APPENDIX C: Laws and Major Regulations Related to Privacy
1. United States
2. European Union General Data Protection Regulation (GDPR)
3. Major Privacy Laws Worldwide, by Country
4. Notes
GLOSSARY
1. Notes
ABOUT THE AUTHOR
ABOUT THE MAJOR CONTRIBUTORS
INDEX
END USER LICENSE AGREEMENT

List of Tables

Chapter 3
1. Table 3.1 Generally Accepted Recordkeeping Principles Levels
2. Table 3.2 Improvement Areas for Generally Accepted Recordkeeping Principles
3. Table 3.3 Assessment Report and Roadmap
Chapter 4
1. Table 4.1 Risk Assessment
Chapter 7
1. Table 7.1 Key Steps in the IG Process
Chapter 8
1. Table 8.1 IG Impact on E-Discovery
Chapter 13
1. Table 13.1 Social Media Categories and Examples of Tools Commonly Used by Marke...
2. Table 13.2 Social Media Tools Used by NARA
3. Table 13.3 Additional Social Media Tools by Application Type
4. Table 13.4 Social Media Archiving and Management Software
Chapter 17
1. Table 17.1 Recommended Open Standard Technology-Neutral Formats
2. Table 17.2 Digital Preservation Performance Metrics

List of Illustrations

Chapter 6
1. Figure 6.1 Information Governance Reference Model
Chapter 7
1. Figure 7.1 Key Factors Driving Cost
Chapter 8
1. Figure 8.1 Electronic Discovery Reference Model
Chapter 9
1. Figure 9.4 Sample Records Retention Schedule
2. Figure 9.5 Excerpt from Canadian Records Retention Database
Chapter 10
1. Figure 10.1 DGI Data Governance Framework™
2. Figure 10.2 Key Steps from Data Modeling to Integration
3. Figure 10.3 Categories of Data
Chapter 17
1. Figure 17.1 Open Archival Information System Reference Model
2. Figure 17.2 PREMIS Data Model
3. Figure 17.3 Five Levels of Digital Preservation Capabilities
4. Figure 17.4 Digital Preservation Capability Maturity Model
Appendix A
1. Figure A.1 Metadata Link to Taxonomy Example
2. Figure A.2 Application of Metadata to Taxonomy Structure
3. Figure A.3 Mapping the Records Retention Schedule to the Taxonomy
4. Figure A.4 Library of Congress Subject Headings
5. Figure A.5 Yellow Pages Example
6. Figure A.6 Community Government Business-Unit Taxonomy
7. Figure A.7 State Government Regulatory Agency Functional Taxonomy
8. Figure A.8 Metadata Cross-Referencing within a Taxonomy
9. Figure A.9 Basic Accounting Business-Unit Taxonomy
10. Figure A.10 Business Process Example—Travel Expense Process

Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Asia, and Australia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers’ professional and personal knowledge and understanding.

The Wiley CIO series provides information, tools, and insights to IT executives and managers. The products in this series cover a wide range of topics that supply strategic and implementation guidance on the latest technology trends, leadership, and emerging best practices.

Titles in the Wiley CIO series include:

The Agile Architecture Revolution: How Cloud Computing, REST-Based SOA, and Mobile Computing Are Changing Enterprise IT by Jason Bloomberg
Architecting the Cloud: Design Decisions for Cloud Computing Service Models (SaaS, PaaS, and IaaS) by Michael Kavis
Big Data, Big Analytics: Emerging Business Intelligence and Analytic Trends for Today's Businesses by Michael Minelli, Michele Chambers, and Ambiga Dhiraj
The Chief Information Officer's Body of Knowledge: People, Process, and Technology by Dean Lane
Cloud Computing and Electronic Discovery by James P. Martin and Harry Cendrowski
Confessions of a Successful CIO: How the Best CIOs Tackle Their Toughest Business Challenges by Dan Roberts and Brian Watson
CIO Best Practices: Enabling Strategic Value with Information Technology (Second Edition) by Joe Stenzel, Randy Betancourt, Gary Cokins, Alyssa Farrell, Bill Flemming, Michael H. Hugos, Jonathan Hujsak, and Karl Schubert
The CIO Playbook: Strategies and Best Practices for IT Leaders to Deliver Value by Nicholas R. Colisto
Decoding the IT Value Problem: An Executive Guide for Achieving Optimal ROI on Critical IT Investments by Gregory J. Fell
Enterprise Performance Management Done Right: An Operating System for Your Organization by Ron Dimon
Information Governance: Concepts, Strategies and Best Practices by Robert F. Smallwood
IT Leadership Manual: Roadmap to Becoming a Trusted Business Partner by Alan R. Guibord
Leading the Epic Revolution: How CIOs Drive Innovation and Create Value Across the Enterprise by Hunter Muller
Managing Electronic Records: Methods, Best Practices, and Technologies by Robert F. Smallwood
On Top of the Cloud: How CIOs Leverage New Technologies to Drive Change and Build Value Across the Enterprise by Hunter Muller
Straight to the Top: CIO Leadership in a Mobile, Social, and Cloud-based World (Second Edition) by Gregory S. Smith
Strategic IT: Best Practices for Managers and Executives by Arthur M. Langer and Lyle Yorks
Trust and Partnership: Strategic IT Management for Turbulent Times by Robert Benson, Piet Ribbers, and Ronald Billstein
Transforming IT Culture: How to Use Social Intelligence, Human Factors, and Collaboration to Create an IT Department That Outperforms by Frank Wander
Unleashing the Power of IT: Bringing People, Business, and Technology Together, Second Edition by Dan Roberts
The U.S. Technology Skills Gap: What Every Technology Executive Must Know to Save America's Future by Gary J. Beach

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993, or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Names: Smallwood, Robert F., 1959- author.

Title: Information governance: concepts, strategies, and best practices / Robert F. Smallwood.

Description: Second edition. | Hoboken, New Jersey: John Wiley & Sons, Inc., [2020] | Series: The Wiley CIO series | Includes index. |

Identifiers: LCCN 2019015574 (print) | LCCN 2019017654 (ebook) | ISBN 9781119491415 (Adobe PDF) | ISBN 9781119491408 (ePub) | ISBN 9781119491446 (hardback)

Subjects: LCSH: Information technology—Management. | Management information systems. | Electronic records—Management.

Classification: LCC HD30.2 (ebook) | LCC HD30.2 .S617 2020 (print) | DDC 658.4/038—dc23

LC record available at https://lccn.loc.gov/2019015574

Cover Design: Wiley

PREFACE

In the five plus years since the first edition of this book was published, information governance (IG) has matured as a discipline, and business executives and managers at leading enterprises now see IG programs as increasingly valuable. A combination of factors have created an imperative for IG programs: new, tightened regulations; the continuing deluge of Big Data; and the realization that new value can be gained from information stores using analytics have all combined to raise the profile of IG programs across the globe.

In particular, new privacy legislation, including the EU General Data Protection Regulation and the California Consumer Privacy Act, helped foster a newfound awareness of data protection issues, and organizations worldwide scrambled to inventory and gain insight into their information stores. This is often a first step in IG programs, and so the realization of IG as a needed and valued undertaking set in. Enterprises began to see IG not only as a cost center and risk reduction activity, but also as one that can add value to the enterprise, in some cases even monetizing information.

This book clarifies and codifies what IG is—and what it is not—and how to launch, control, and manage IG programs. Based on exhaustive research, and with the contributions of a number of industry pioneers and experts, this book lays out IG as a complete discipline, fully updated, including an expanded section on information privacy and new material on managing emerging technologies.

IG is a “super-discipline” of sorts in that it includes components of privacy, cybersecurity, infonomics, law and e-discovery, records management, compliance, risk management, information technology (IT), business operations, and more. This unique blend calls for a new breed of information professional who is competent across these complex disciplines. Training and education are key to IG program success, and this book provides the fundamentals as well as advanced concepts to enable organizations to train a new generation of IG professionals. The book is being used to guide IG programs at major corporations, as well as to educate graduate students in information science, computer science, law, and business.

Practitioners in the component areas of IG will find the book useful in expanding their knowledge and helping them understand the linkages between the various facets of IG. And how breaking down existing siloed approaches and leveraging information as an asset across the enterprise is critical to gaining the full benefits of IG programs.

The book strives to offer clear and concise IG concepts, actionable strategies, and proven best practices in an understandable and digestible way; a concerted effort was made to simplify language and offer examples. There are summaries of key points throughout the book and at the end of each chapter to help the reader retain key points. The text is organized into five parts: (1) IG Concepts, Definitions, and Principles; (2) IG Risk Assessment and Strategic Planning; (3) IG Key Impact Areas; (4) IG for Information Delivery Platforms, including a new section on emerging technologies; and (5) Long-Term Program Issues.

No other book offers comprehensive coverage of the complex and challenging field of IG with such clarity. Use the insights and advice contained in these pages and your IG program will have lower risks and costs, and produce better and more measurable results.

Robert Smallwood

INFORMATION GOVERNANCE

CONCEPTS, STRATEGIES, AND BEST PRACTICES

PREFACE

ACKNOWLEDGMENTS

PART ONE
Information Governance Concepts, Definitions, and Principles