• Information - Governance, Risk and Compliance – GRC - Part 3

Information - Governance, Risk and Compliance – GRC - Part 3

In part 1 and 2 of my post about governance, risk, and compliance, I have described why information governance is important, where to begin with the information governance, and I started to describe what needs to be considered in information governance polices. In this my post I will describe information governance policies as they relate to for crisis management and e-discovery, and list general information governance control.
Information Governance for Crisis Management
Crisis management is set of procedures for unplanned situation that would prevent you from doing critical functions on your job.
Such situations can be:
  • Availability – illness, weather, turnover, fire, flood, severe weather, facility issues
  • Technology – phone cut-off, system outage, applications is down, network problems
  • Volume/Capacity – huge number of calls (in the example of call center)
  • Special situations – pandemic, loss of facility, tornado, etc.
An approaching storm or disaster does not provide much leeway to assess your disaster recovery preparations.
For example, if your CMS is down, what happens to those departments who need to use critical documents?
What you need to do is to develop a plan for each crisis situation. It should be designed to implement disaster recovery. Planning is very important.
Prioritize requirements – short, medium, long-term. Assess business needs. For example, how do you want to handle spike of calls (if you are in the call center)? Short term plan could be such as – re-route calls for live answer where there are people. Medium to long term could be such as plan for alternative site, work from home.
Make your plan flexible. Have incident coordinator. Create communication plan which should include who is responsible for coordinating the recovery process. Create crisis team which could include IT, QA, management, business partners. Outline responsibilities and procedure in the document.
Test this procedure at least once a year. Do post-analysis – timing, access gaps, communications of results, recommend changes and training plan for next testing, maybe next quarter, not next year. Evaluate your systems when you have no crisis.
Other points:
  • Address disaster recovery in addressing planned and unplanned downtime.
  • Virtualize your data center.
  • Ensure swift restoration of content items following corruption or accidental deletion.
  • Maintain all metadata during and after recovery events.
  • Ensure seamless transition to a warm stand-by system should the main system fail.
  • Plan what to do if outage happens.
  • Maximize platform up-time and swift restoration of platform following a disaster event.
  • Users need to feel confident that the system will protect content and will be available regardless of any disaster, otherwise user adoption will fail – users will go back to their old habits essentially halting KM effort in its tracks.
Information Governance for E-Discovery
E-Discovery preparedness makes it imperative for organizations to develop an enterprise wide strategy to manage the volume of electronic information. The discovery process affects many individuals in an organization, not just lawyers and others involved in discovery, but also IT professionals and records managers, who have to be prepared to produce electronic content for discovery and litigation.
You need to have an ability to respond to legal request, to solve litigation issue, mitigate the risk of sanctions, reduce impact and cost associated with future litigation.
For legal counsel, it means having a review process to determine what discovered content is relevant to the case. For an IT person, it means restoring backup tapes to show evidence on file shares, content management systems, e-mail systems, or other applications. But for records managers, this work will have begun long before any lawsuit with managing records for retention, placing legal holds, and finalizing disposition.
Ediscovery could be costly because it requires organizations to retrieve content from servers, archives, backup tapes, and other media.
In some cases, an organization is unable to execute a discovery order because it is unable to locate all content in a timely manner, or it is unable to place holds on all content and some of it is deleted during the lawsuit. The inability to do this correctly also has a cost, and it can be considerable.
To address these costs, many organizations are looking at e-discovery solutions that will enable them to review the found content and take it through litigation.
But organizations can also lower costs for archiving and restoring, legal review, and sanctions by simply cutting down how much content it retains. Less stored content means less content on which to perform discovery.
Developing a strategy and a plan of action for handling e-discovery will help organizations mitigate their risk and save them a significant amount of money in the event of litigation. Organizations need to have a retention policy to determine which content can be destroyed and at what time and which content should be kept and for how long. The key is to have a retention program that is flexible enough to keep content for the right retention period.
By categorizing content, creating a catalog of the content, creating a retention plan, implementing a hold methodology, and having disposition procedures, an organization will benefit in many ways.
Solutions: Integrate e-discovery into information governance practice. Include key capabilities:
  • understand and secure – identify and categorize docs; docs are distributed globally; find and correctly indentify them
  • automate and enforce - extend policies to docs within unmanaged repositories such as file shares, SharePoint, etc. Automate processes in a transparent manner to manage and control docs. Retention and disposition policies that can be enforced within ECM.
  • protect and control – regulate how docs accessed and used; security controls over docs; control who can access protected docs
  • discover and produce – ability to produce relevant docs upon demand is a mandatory requirement.
Develop retention programs. Create committees within your organizations and bring their expertise together with legal counsel and IT to prepare for e-discovery and litigation.
General Governance Controls
  • Understand your data topology – holistically across the enterprise: how much, where, who owns it, and what value does it provide.
  • Employ real-time indexing of content – to keep track of its changes.
  • Store the intelligence about your content (metadata).
  • Create an information intelligence service center and include data analysis, governance analysis.
  • Employ change management to stay current of new forms of content and new business requirements.
  • Become proactive in deploying policies for securing data, storing data, sharing data and enforcing compliance.
  • Remove obsolete or unnecessary content.
  • Define content life cycle and retention policies.
  • Tier your access to enable relevant data to be closer to users and devices that are local.
  • Educate the organization on the value of good governance; it is less about control and more about raising the intelligence and health of information.
  • Categorize your information and determine its value and rank.
  • Use content approval function in your CMS.
  • As deployments grow, organizations must also find ways to efficiently store records in compliance with retention of records management policies.
  • Create retention schedule, content controls, consistent disposition of content in accordance with records management policies for content preservation, remediation, retention.
  • Keep track of what info is created, stored, and accessed.
  • Use auto-classification and semantic tools within the search engines.
  • Move relevant documents from desktops and shared drives to your central docs repository.
  • Create efficient document versioning and check-in/check-out management for information consistency.
  • Create robust administration of users to ensure that each as access rights for only documents that they are authorized to have access to.
(There are no comments yet)
Leave a Comment