Developing an Information Governance Policy

By Courtney Macavinta

Despite increased regulation, the list of organizations that have acknowledged data privacy breaches in the past few years -- such as ChoicePoint, Bank of America, Eli Lilly, and the U.S. Department of Veterans Affairs -- keeps growing. Whether a security breakdown involved a lost or stolen laptop, a break-in, human error, or a misplaced backup tape, once the people who are potentially affected receive notice of the incident (as is usually required by law these days), they are often left wondering: Why did this happen? That is the hard question no CIO wants to have to answer.

On the data protection front, CIOs are contending with a battery of state, federal, and international privacy laws, such as the U.S. Health Insurance Portability and Accountability Act (HIPAA) and the European Union Data Protection Directive, along with recent amendments to the U.S. Federal Rules of Civil Procedure (FRCP), which reinforce that business records such as email can be fair game for legal discovery.

"What that translates to for the CIO is you have to put in place a policy now that defines what is a business record," says Nancy Flynn, executive director of The ePolicy Institute. "Then you have to establish a policy governing the retention of those business records and the deletion of non-records."

To comply with such regulations and stave off bad press, many CIOs are now creating information governance policies. The goal is a policy that governs what information can be collected from customers, clients, or employees, and how that data can be accessed, archived, disposed of, and secured. To create a policy that will not only safeguard entrusted information but perhaps even give an organization a competitive edge based on its information governance standards, experts offer these best practices:

1. Think: Responsible

At Carnegie Mellon's CIO Institute, Larry Ponemon, founder of the ethical information practices think tank the Ponemon Institute, teaches CIOs a process for creating information governance policies dubbed Responsible Information Management (or RIM). "It's a process for engendering trust and confidence in how an organization's leaders ... manage, retain, and secure ... confidential information," he notes.

The RIM process advises CIOs to assess their organization's information risks and vulnerabilities, develop a plan to educate executive management about the ROI of RIM, and develop key performance indicators (KPIs) that establish firm criteria for manager accountability and long-term success. CIOs should also, the RIM process outlines, help implement educational programs and a communications strategy to train and inform all employees "who handle private, confidential, or sensitive personal information."

2. Think: Comprehensive

Although some organizations already have content policies that apply to email, instant messaging (IM), or employee blogs, for example, an information governance policy should cover how sensitive data is handled throughout an organization. "The CIO needs to work in conjunction with the legal, human resources, and audit departments in creating a comprehensive policy," says Stephen Pickett, the immediate past president of the Society for Information Management. "The policy needs to be comprehensive so as to leave little to the imagination of those handling information, but at the same time needs to be practical, making it easy to implement."

Ponemon adds that organizations "need an overarching framework that applies to the entire enterprise and that is respectful of the information owner who could be a customer, employee, or a business unit." Classes of information that CIOs need to consider protecting include intellectual property, customer data, employee data, and confidential business information.

3. Think: Enforcement

At the end of the day, an information governance policy is only effective if it's backed up by monitoring, performance measurement, and -- perhaps most important -- enforcement, experts say. This means CIOs need to help establish a formal process for responding to complaints and holding employees or business units responsible for clear violations of the policy. "You have to have a set of rules and policies -- and ways to vigorously monitor them -- or people won't take it seriously," Ponemon says.

Ponemon adds that no information governance policy will be perfect, but that CIOs can prioritize based on the organization's responsibility to customers, employees, shareholders, and investors. "They need to build an [information governance] framework that doesn't just look good to regulators, but is real."

Courtney Macavinta is a Silicon Valley-based business and technology writer. Her articles have appeared in CNET News, Business 2.0, Red Herring, Wired News, and The Washington Post. She also is managing editor of the online program The Online Family.


Dated: March 01, 2005
http://www.cio.com/blog_view.html?ID=221