2010 - RSD © Copyright - 1
Enterprise Records Knowledge Conference 2010
The FOG of Information Governance
Information Governance Architecture and Implementation
May 20th, 2010
Sacramento, California
Agenda
• Introduction
• Challenges of Information Governance
• Realities on the ground
• Information Governance Platforms
• Information Governance Programs
• Examples
• Discussion
Speaker
Bassam Zarkout
Chief Technology Architect
RSD Corporation
Email: [email protected]
Mobile: 1-613-7913033
RSD Corporate Background
• Founded in Geneva, 1973
  ► Offices in New York, London, Paris, Zürich, Madrid
• More than 1,200 customers worldwide
  ► Over 2,000,000 users
• Pioneer in high-volume mainframe report and output management
  ► EOS (Enterprise Output Solution)
• Innovator in records and document management, and Information Governance
  ► RSD Folders
  ► RSD GLASS™
Corporate Challenges
• Information Governance (IG) challenge
  ► An urgency at the executive level in every enterprise
• Initial efforts to “tame the beast” have resulted in…
  ► Solutions with unsound designs
  ► The proliferation of content repositories
  ► Skyrocketing management and admin overhead costs
[Diagram: explosive growth in volume of content creation; rapid expansion in laws and compliance regulations (Patriot Act, SEC 17a-4, Title 21 CFR 11, MiFID, Basel II, DoD 5015.2); growing urgency to gain control of this dynamic]
Managing Corporate Risk is Critical
• Managing information-related risks is critical
  ► Enabling legal and regulatory compliance
  ► Maximizing operational value of information assets
  ► Improving competitiveness
• Three key terms to explore
  ► Governance, Risk Management, and Compliance
  ► Enterprise Information Management
  ► Information Governance
[Diagram: Enterprise Information Management; Governance, Risk Management, and Compliance (GRC); Information Governance. Labels: ECM, IDARS, RM, Physical Security, Financial Reporting, Compliance, Imaging Systems, Business Intelligence]
What does Information Governance provide?
• Solve RM problem
  ► Too much information
  ► No easy mechanism to address compliance and disposition
• Address eDiscovery problem
  ► Reduction of ESI discovery burden for information retained
  ► Information accessible within authenticated and auditable context
• Address compliance and legal concerns
  ► Compliance and legal requirements are enforced within Information Governance (IG) policy, procedures and methods
• Bridge gap between RM and IT
  ► Management by policy enforcement at a Tier 2 level or below
• Address cost of governance
  ► Efficiently manage very large records management programs
• Integrate functions of managing record lifecycle
  ► Retention and disposition, ediscovery, data privacy, system overhead costs, auditability, etc.
Managing Corporate Risk is Critical
[Timeline diagram. Solution generations: Electronic RM, Email Archiving, eDiscovery, Federated RM, Enterprise IG Platforms. Events and regulations: DoD 5015.2; 9/11; Patriot Act; Morgan Stanley E-Discovery irregularity fine $1.58b; MoReq; HIPAA; Enron Scandal; Sarbanes-Oxley; Financial Crisis 2008; Zubulake-UBS Warburg; FRCP 2006; Goldman Sachs; New Laws? New Regulations?]
Information Governance Challenges
[Diagram: Patriot Act, SEC 17a-4, Title 21 CFR 11, MiFID, Basel II, DoD 5015.2 bearing on Current Generation Solutions]
Complexity of requirements grows exponentially with size of organization
Legal and Regulatory Landscape
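| Sample Laws and Regulations | USA | Switz. | UK | France | Germany | Italy | Canada | Global* |
|---|---|---|---|---|---|---|---|---|
| Government | | | | | | | | |
| - US FOIA - Freedom of Information | x | - | - | - | - | - | - | x |
| - PIPEDA - Freedom of Info & Data Privacy | - | - | - | - | - | - | x | x |
| - Federal Rules of Civil Procedure 2006 (eDisc) | x | - | - | - | - | - | - | x |
| - Loi 78-753 - Freedom of Information | - | - | - | x | - | - | - | x |
| - US Privacy Act | x | - | - | - | - | - | - | x |
| - Gramm-Leach-Bliley Act (GLBA) | x | - | - | - | - | - | - | x |
| - EU Data Protection Directive | - | - | x | x | x | x | - | x |
| - Digital Signature DPR 513/97 | - | - | - | - | - | x | - | x |
| - Digital Protocol DPR 428/98 | - | - | - | - | - | x | - | x |
| General Corporate | | | | | | | | |
| - US Sarbanes Oxley | x | - | - | - | - | - | - | x |
| - OSC Multilateral Instruments Bill 198 (CSOX) | - | - | - | - | - | - | x | x |
| - JSOX | - | - | - | - | - | - | - | x |
| Financial Services | | | | | | | | |
| - Basel II | x | x | x | x | x | x | - | x |
| - SEC 17a-4 | x | - | - | - | - | - | - | x |
| - FSA 3rd AML Directive | - | - | x | - | - | - | - | x |
| - LSF | - | - | - | x | - | - | - | x |
| Pharmaceutical | | | | | | | | |
| - FDA 21 CFR | x | - | - | - | - | - | - | x |
| - EMEA | - | - | x | x | x | x | - | x |
| Industrial | | | | | | | | |
| - RoHS/WEEE directives | - | - | x | x | x | x | - | x |
| Healthcare | | | | | | | | |
| - HIPAA | x | - | - | - | - | - | - | x |
| - HITECH | x | - | - | - | - | - | - | x |

* Depending on vertical
Hundreds and in some cases thousands of laws and regulations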
The FOG of Information Governance
Realities on the ground
[Diagram of the current enterprise landscape.
Stakeholders: Security Officer, Privacy Officer, Legal Counsel, Corporate RM, Compliance Officer, BOD, Corporate IT, Risk Officer, Other Officer, Business Managers, End Users.
Sources of requirements: Laws, Regulations, Internal Policies, Best Practices, etc., across Jurisdiction A, Jurisdiction C, Jurisdiction n and other jurisdictions.
Content Producers: MS Office, MS SharePoint, Alfresco, Business Applications, Other.
Content Consumers: MS SharePoint, Alfresco, Business Applications, Other.
Lifecycle Event Sources: Business Applications, Processes.
Repositories: ECM Systems, RSD Folders, Other Repositories.
Open questions shown on the diagram: Capture Information? Retrieve Information? Data Privacy? Records Management? Cost Governance? Corporate Records Retention Schedule? Federated RM Functionality? Security? Storage ILM? Standard Metadata Definitions? eDiscovery & Holds? System Admin? Events that impact information lifecycle?]
Strained Relationship between RM and IT

| IG Function | RM | IT |
|---|---|---|
| Lifecycle of unstructured content | Responsibility: RM Program and Records Retention Schedule (retention policies). | Often views RM as low priority and limited to paper & electronic documents. |
| Lifecycle of structured content | Often unaware/unable to manage lifecycle of this content. | Maintains control of its lifecycle. |
| EDiscovery and holds | Limited scope to unstructured documents declared as records. | Gaining role conducting discovery within corporate repositories and producing them. |
| Data Privacy of content | Often unaware/unable to manage data privacy aspects of records. | Expects RM to manage privacy aspects of unstructured content. Often views privacy of structured content as data security. |
| Reduce Cost | Limited visibility and leverage over topic. | Focused in reducing cost of infrastructure but lacks ability to optimize infrastructure costs versus IG SLAs. |
| Philosophy | Organize information – cannot rely on search | Why organize, simply search. |
| Differences in Lingo | | |
| Archive | Move content offsite when no longer needed. | Backup and recovery term. |
| Information Lifecycle Management | Manage retention/disposition of content. | Move content to lower cost storage tiers (Storage ILM). |
Types of Record Formats
• Physical documents: Paper, Film, Fiche
• Electronic documents: MS-Office, PDF, Other
• Messages: MS Exchange, Lotus Notes, IM, Other
• Sections of large reports: AFP, PDF, Other
• Data in application databases: Entries in SQL Database
• Data in data warehouses: Entries in data warehouse
• Other types of formats: Other
[Diagram groupings: Unstructured content (high volumes); Structured content (very high volumes)]
Multiple facets of information lifecycle policies
[Diagram: a Record Class surrounded by its lifecycle facets, each tied to stakeholders.
Facets: Retention & Disposition; Lifecycle of Paper Record (Storage); Lifecycle of Data Privacy settings; Lifecycle of Security Classification; Lifecycle of Electronic Record (Storage ILM); Lifecycle of Metadata Groups; Lifecycle of Content Index; Other Lifecycle facets.
Stakeholders: Security Officer, Privacy Officer, Legal Counsel, RM, Compliance Officer, IT, Risk Officer, Other Officer.]
Multiple facets of information lifecycle policies
[Timeline diagram. Axis: days, weeks, months, years, decades. Starts with Operational Usage of Content, followed by lifecycle actions and the reason for each:
• Declare as Record: Comply with legal and regulatory record retention requirements
• Dispose of Record: Comply with legal and regulatory record retention requirements
• Delete Content Index: Reduce costs of storing content indexes
• Move Content to Storage Tier n: Reduce costs of storing content
• Anonymize Record: Comply with Privacy requirements
• Declassify Record: Comply with government de-classification requirements
Stakeholders: Security Officer, Privacy Officer, Legal Counsel, Corporate RM, Compliance Officer, BOD, Corporate IT, Risk Officer, Other Officer, ?]
Current Solutions Landscape
Evolution in the solutions landscape (to be continued…)
[Bubble diagram, size of bubbles not to scale. Each solution type carries its own Policies, Control & Admin, and Repository: Next Generation Intelligent Content Addressable Storage Repositories; IDARS; ECM; RM; Data Privacy; Structured Content Repositories; eDiscovery]
Creative Solution Strategy
Current Solutions Landscape: evolution in the solutions landscape
[Bubble diagram, size of bubbles not to scale. Each solution type carries its own Policies, Control & Admin, and Repository: Next Generation Intelligent Content Addressable Storage Repositories; IDARS; ECM; RM; Data Privacy; Structured Content Repositories; eDiscovery]
[Layer diagram:
• Rules (Policies): Corporate Information Governance Policies
• Tools (Control & Admin): Information Governance Corporate/Regional/Jurisdictional Control and Administration Processes: Records Mgmt, eDiscovery, Data Privacy, Audit Mgmt, Other
• Tools (Repositories): Information Repositories, Regional/Jurisdictional/Local: Content in CAS Systems, Content in IDARS, Content in Data Whse, Content in ECM Systems]
2010 - RSD © Copyright - 21
Key Differences with existing RM/ECM Technologies
• Modular architecture aligned with emerging market specifications
• Comprehensive repository-independent IG policy
  ► Human readable (Web or PDF based) analog policies
  ► Application readable/integratable digital policies
• Integration of all facets of the record lifecycle
  ► Retention and disposition
  ► Security declassification lifecycle
  ► Data privacy lifecycle
  ► Migration of electronic records across storage tiers (storage ILM)
  ► Metadata lifecycle (very granular)
  ► Content index lifecycle
  ► Other
• Standardized record metadata definitions
• “Business” and “Operational” events integrated with lifecycle functions of IG Platform
2010 - RSD © Copyright - 22
Enterprise Information Governance Solution Platform
[Platform diagram.
Information Governance Steering Committee: Security Officer, Privacy Officer, Legal Counsel, Corporate RM, Compliance Officer, BOD, Corporate IT, Risk Officer, Other Officer.
Sources of requirements: Laws, Regulations, Internal Policies, Best Practices, etc., across Jurisdiction A, Jurisdiction C, Jurisdiction n and other jurisdictions.
Information Governance Policies: Retention and Disposition; Data Privacy; Discovery; Migration across storage tiers; Standard Metadata Definitions; Other.
Platform functions: Control and Administration of lifecycle for ALL information; Enforce lifecycle actions; Capture Information; Retrieve Information; Records Management; Storage ILM; Standard Metadata Definitions; eDiscovery & Holds; Data Privacy; Cost Governance; Security; System Admin.
Repositories: ECM Systems, RSD Folders, Other Repositories.
Content Producers: MS Office, MS SharePoint, Alfresco, Business Applications, Other.
Content Consumers: MS SharePoint, Alfresco, Business Applications, Other.
Lifecycle Event Sources: Business Applications, Processes (events that impact information lifecycle).
Users: Business Managers, End Users.]
2010 - RSD © Copyright - 23
Enterprise Information Governance Solution Platform
[Platform diagram, layered view.
Information Governance Steering Committee: Security Officer, Privacy Officer, Legal Counsel, Corporate RM, Compliance Officer, BOD, Corporate IT, Risk Officer, Other Officer.
Sources of requirements: Laws, Regulations, Internal Policies, Best Practices, etc., across Jurisdiction A, Jurisdiction C, Jurisdiction n and other jurisdictions.
Layers: Corporate IG Policies; IG Policies; IG Control & Admin; Enforcement.
Information Governance Policies: Retention and Disposition; Data Privacy; Discovery; Migration across storage tiers; Standard Metadata Definitions; Other.
Platform functions: Control and Administration of lifecycle for ALL information; Enforce lifecycle actions; Capture Information; Retrieve Information; Records Management; Storage ILM; Standard Metadata Definitions; eDiscovery & Holds; Data Privacy; Cost Governance; Security; System Admin.
Repositories: ECM Systems, RSD Folders, Other Repositories.
Content Producers: MS Office, MS SharePoint, Alfresco, Business Applications, Other.
Content Consumers: MS SharePoint, Alfresco, Business Applications, Other.
Lifecycle Event Sources: Business Applications, Processes (events that impact information lifecycle).
Users: Business Managers, End Users.]
2010 - RSD © Copyright - 24
File Plan Security
• ACL Security
  ► Inherited from Master Classification
  ► Inherited from parent to child within File Plan
  ► ACL assignments can be modified by Security Officer or Administrator
• Security Classification
  ► Inherited from Master Classification
  ► Inherited from parent to child within File Plan
  ► Security Classification can be increased but NOT decreased
• Metadata-value Security
  ► Inherited from Master Classification
  ► Inherited from parent to child within File Plan
  ► Right to change field value limited to authorized Security Officers
• Repository Security
  ► Security assigned to Object in Repository respected in IG Platform
• Security Accreditation (used within US DoD)
  http://www.archives.gov/isoo/training/marking-booklet.pdf
  http://metadata.dod.mil/mdr/irs/DDMS/documents/ICS2007-500-2SecurityMarkingMetadata.pdf
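A sketch of the inheritance rules on this slide, added here as an illustration and not taken from the presentation or from any RSD product. It assumes the Master Classification is the root of the file plan tree and that "increased but NOT decreased" means a change may never go below the node's current effective level; the level names, role names and the Node class are hypothetical.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Optional

class Level(IntEnum):  # constructed ordering of classification levels
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

# Roles the slide allows to modify ACL assignments (role names are hypothetical).
ACL_EDITORS = frozenset({"security_officer", "administrator"})

@dataclass
class Node:
    """One file plan entry; the root stands in for the Master Classification."""
    name: str
    parent: Optional["Node"] = None
    own_level: Optional[Level] = None
    own_acl: Optional[FrozenSet[str]] = None

    @property
    def level(self) -> Level:
        """Effective classification: never below what the parent passes down."""
        inherited = self.parent.level if self.parent else Level.UNCLASSIFIED
        return inherited if self.own_level is None else max(inherited, self.own_level)

    @property
    def acl(self) -> FrozenSet[str]:
        """Effective ACL: the nearest explicit assignment up the tree."""
        if self.own_acl is not None:
            return self.own_acl
        return self.parent.acl if self.parent else frozenset()

    def set_level(self, new: Level) -> None:
        """Raise the classification; refuse any value below the effective one."""
        if new < self.level:
            raise ValueError(f"{self.name}: cannot lower {self.level.name} to {new.name}")
        self.own_level = new

    def set_acl(self, actor_role: str, principals: FrozenSet[str]) -> None:
        """Only a Security Officer or Administrator may change ACL assignments."""
        if actor_role not in ACL_EDITORS:
            raise PermissionError(f"{actor_role} may not modify ACLs")
        self.own_acl = frozenset(principals)

def demo():
    """Constructed three-level file plan exercising each rule once."""
    master = Node("Master Classification", None, Level.CONFIDENTIAL,
                  frozenset({"records_admin"}))
    finance = Node("Finance", parent=master)
    payroll = Node("Payroll", parent=finance)
    payroll.set_level(Level.SECRET)      # raising above the inherited level is allowed
    master.set_level(Level.SECRET)       # a raise at the top flows down to Finance
    refused = ""
    try:
        payroll.set_level(Level.CONFIDENTIAL)   # lowering must be rejected
    except ValueError as exc:
        refused = str(exc)
    return finance.level, payroll.level, payroll.acl, refused
```

Computing the effective level on read, rather than copying it into each child, means a later raise at the Master Classification cannot leave a stale, lower value on a descendant.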
2010 - RSD © Copyright - 25
Information Governance Platform Benefits
• Enable legal and regulatory compliance
  ► Mitigate overall corporate risks by supporting the implementation and operation of an effective and agile enterprise-wide Information Governance Program
• Maximize operational value of information assets
  ► Address pressing needs for advanced content access and information lifecycle management
  ► Transparent access to corporate content in all repositories (structured and unstructured)
• Improve competitiveness
  ► Provide cost governance capabilities through the use of advanced IT-centric as well as business and compliance centric information lifecycle functions
    • Reduce overall cost of infrastructure
    • Reduce overall cost of storage
    • Reduce amount of information stored on Tier 1 storage through granular management of information lifecycle
Information Governance Programs
• Definition
  ► IG Programs support compliance and accountability regarding corporate information throughout their lifecycle
• Primary objectives
  ► Enable legal and regulatory compliance and mitigate related risk
  ► Maximize operational value of information assets
  ► Improve competitiveness
[Diagram: RM Programs shown inside Information Governance Programs]
Information Governance Programs
• Superset of RM Program
• Features analogous methodologies and processes
  ► Create and manage corporate policies and procedures about how information should be “properly looked after” consistently
  ► Carry out policies and procedures
  ► Enforce policies on corporate information
  ► Maintain audit trail of these activities
[Diagram: RM Programs shown inside Information Governance Programs]
Main activities in the IG Program
• Develop and maintain IG policies and procedures at corporate and jurisdictional levels
  ► IG Steering Committee
• Deploy IG policies and procedures into jurisdictions
• Manage information lifecycle in business units and department
  ► Perform control and administration of IG activities
  ► Enforce IG lifecycle actions on information
• Maintain audit trail on above
[Diagram, top to bottom: Information Governance Steering Committee; Corporate IG Policies; Local IG Policies (Jurisdictions); IG Control and Administration Activities; IG Enforcement Activities; Repositories]
Levels shown:
• Corporate: Corporate IG Policies
  ► Retention and disposition
  ► Data Privacy
  ► Electronic discovery
  ► Lifecycle of content
  ► Lifecycle of content indexes
  ► Lifecycle of metadata
  ► Other
• Jurisdictions & Legal Entities: IG Policies in Jurisdictions and Legal Entities
• Business Units: File Plans in Business Units controlled by IG Policies
Corporate RM Programs versus Corporate IG Programs
Conventional Corporate RM Program
• Manual Retention Policy Development
• Policy in Excel/Email/Paper/PDF
• Management of unstructured documents
• Retention policy ONLY
• Little or no involvement of IT
[Diagram: Manual Administration of RM Program. Corporate level: Risk Officer, Legal Counsel, Corporate RM, Corporate IT. Jurisdiction #1, Jurisdiction #2 … Jurisdiction #n each hold their own File Plans and Retention Schedules, maintained by Records Admins through Manual RM or an RMA, with End Users below]
Corporate RM Programs versus Corporate IG Programs
Information Governance Program
• All facets of Information Lifecycle
• Management of all forms of records
• Policies in application integratable form
• Direct involvement of IT
[Diagram: Integrated Administration of IG Program. IG Platform technology deployed at Corporate, holding the IG Policies. Corporate level: Risk Officer, Legal Counsel, Corporate RM, Corporate IT. Jurisdiction #1, Jurisdiction #2 … Jurisdiction #n each hold File Plans and an RRS, with Records Admins and End Users below]
Information Governance Steering Committee
[Diagram: committee members: Security Officer, Privacy Officer, Legal Counsel, Corporate RM, Compliance Officer, BOD, Corporate IT, Risk Officer, Other Officer]
Corporate IT: Manage corporate information and IT infrastructure
Corporate RM:
- Manage process of creating IG policies
- Ensure that policies are up to date
- Ensure policies are available to field personnel
Legal Counsel: Responsible for legal department within organization - must be able to act decisively regarding legal challenges that face organization.
Risk Officer: Manage risk matters within organization
Privacy Officer: Oversee and manage compliance with Privacy laws and regulations
Compliance Officer: Oversee and manage compliance issues within organization
Security Officer: Responsible for security matters within organizations, including data security
Other Officer: Other corporate officer
BOD: Board of Directors with primary responsibility for approving corporate IG policy
Other: Depends on organization.