enterprise records knowledge conference 2010 the fog of information governance information...

2010 - RSD © Copyright - 1

Enterprise Records Knowledge Conference 2010

The FOG of Information GovernanceInformation Governance Architecture and Implementation

May 20th, 2010Sacramento, California


Agenda

• Introduction• Challenges of Information Governance• Realities on the ground• Information Governance Platforms• Information Governance Programs• Examples• Discussion


Speaker

Bassam Zarkout

Chief Technology Architect

RSD Corporation

Email: [email protected]

Mobile: 1-613-7913033


RSD Corporate Background

• Founded in Geneva, 1973► Offices in New York, London, Paris, Zürich, Madrid

• More than 1,200 customers worldwide► Over 2,000,000 users

• Pioneer in high-volume mainframe report and output management► EOS (Enterprise Output Solution)

• Innovator in records and document management, and Information Governance► RSD Folders► RSD GLASS™


Agenda



Corporate Challenges

• Information Governance (IG) challenge► An urgency at the executive level in every enterprise

• Initial efforts to “tame the beast” have resulted in…► Solutions with unsound designs► The proliferation of content repositories► Skyrocketing management and admin overhead costs

Explosive growth in volu

me of content

creation

Rapid expansionin laws and compliance regulations

Growing urgencyto gain controlof this dynamic

Patriot Act

SEC 17a-4

Title 21 CFR 11MiFID

Basel II

DoD 5015.2


Managing Corporate Risk is Critical

• Managing information-related risks is critical► Enabling legal and regulatory compliance► Maximizing operational value of information assets► Improving competitiveness

• Three key terms to explore► Governance, Risk Management, and Compliance► Enterprise Information Management► Information Governance

Enterprise Information

Management

Governance, Risk Management, and Compliance (GRC)

Information Governance

ECMIDARS

RMPhysicalSecurity

FinancialReporting

Compliance

Imaging Systems

Business Intelligence


What does Information Governance provide?

• Solve RM problem► Too much information► No easy mechanism to address compliance and disposition

• Address eDiscovery problem► Reduction of ESI discovery burden for information retained► Information accessible within authenticated and auditable context

• Address compliance and legal concerns► Compliance and legal requirements are enforced within Information

Governance (IG) policy, procedures and methods• Bridge gap between RM and IT

► Management by policy enforcement at a Tier 2 level or below• Address cost of governance

► Efficiently manage very large records management programs• Integrate functions of managing record lifecycle

► Retention and disposition, ediscovery, data privacy, system overhead costs, auditability, etc.


Managing Corporate Risk is Critical

Electronic RM Email Archiving

DoD 5015.2 9/11Patriot Act

Morgan StanleyE-Discovery irregularity fine $1.58b

MoReq

HIPAA

Enron ScandalSarbanes-Oxley

FinancialCrisis 2008

Zubulake-UBS WarburgFRCP 2006

New Laws?

New Regulations?

New Laws?

New Regulations?

eDiscovery Federated RM Enterprise IG Platforms

Goldman Sachs


Information Governance Challenges

Patriot Act SEC 17a-4Title 21 CFR 11MiFID

Basel IIDoD 5015.2

CurrentGenerationSolutions

Complexity of requirements grows

exponentially with size of organization


Legal and Regulatory Landscape

Sample Laws and Regulations USA Switz. UK France Germany Italy Canada Global*Government- US FOIA - Freedom of Information- PIPEDA - Freedom of Info & Data Privacy- Federal Rules of Civil Procedure 2006 (eDisc)- Loi 78-753 - Freedom of Information- US Privacy Act- Gramm-Leach-Bliley Act (GLBA)- EU Data Protection Directive- Digital Signature DPR 513/97- Digital Protocol DPR 428/98

x-x-xx---

---------

------x--

---x--x--

------x--

------xxx

-x-------

xxxxxxxxx

General Corporate- US Sarbanes Oxley- OSC Multilateral Instruments Bill 198 (CSOX)- JSOX

x--

---

---

---

---

---

-x-

xxx

Financial Services- Basel II- SEC 17a-4- FSA 3rd AML Directive-LSF

xx--

x---

x-x-

x--x

x---

x---

----

xxxx

Pharmaceutical- FDA 21 CFR- EMEA

x-

--

-x

-x

-x

-x

--

xx

Industrial- RoHS/WEEE directives - - x x x x - xHealthcare- HIPAA- HITECH

xx

--

--

--

--

--

--

xx

* Depending on vertical

Hundreds and in some cases thousands of

laws and regulations


Agenda



The FOG of Information Governance

Realities on the ground

SecurityOfficer

PrivacyOfficer

LegalCounsel Corporate

RMCompliance

Officer

BOD

CorporateIT

RiskOfficer

OtherOfficer

Retrieve Information?

Capture Information?

Jurisdiction nJurisdiction C Other JurisdictionsJurisdiction A

LawsRegulations

Internal PoliciesBest Practices

Etc.

Data Privacy?

RecordsManagement?

Cost Governance?

Other Repositories

ECMSystemRSD Folders ECM

System

Corporate Records Retention Schedule?

Federated RMFunctionality?

Security?

Content Producers- MS Office- MS SharePoint- Alfresco- Business Applications- Other

Content Consumers- MS SharePoint- Alfresco- Business Applications- Other

End Users End Users

Other Repositories

Storage ILM?

Standard Metadata Definitions?

eDiscovery & Holds?

System Admin?

Lifecycle Event Sources- Business Applications- Processes

BusinessManagers

Events that impactinformation

lifecycle?


IG Function RM ITLifecycle of unstructured content

Responsibility RM Program and Records Retention Schedule (retention policies).

Often views RM as low priority and limited to paper & electronic documents.

Lifecycle of structured content

Often unaware/unable to manage lifecycle of this content.

Maintains control of its lifecycle.

EDiscovery and holds Limited scope to unstructured documents declared as records.

Gaining role conducting discovery within corporate repositories and producing them.

Data Privacy of content

Often unaware/unable to manage data privacy aspects of records.

Expects RM to manage privacy aspects of unstructured content. Often views privacy of structured content as data security.

Reduce Cost Limited visibility and leverage over topic.

Focused in reducing cost of infrastructure but lacks ability to optimize infrastructure costs versus IG SLAs.

Philosophy Organize information – cannot rely on search

Why organize, simply search.

Differences in LingoArchive Move content offsite when no longer

needed.Backup and recovery term.

Information Lifecycle Management

Manage retention/disposition of content.

Move content to lower cost storage tiers (Storage ILM).

Strained Relationship between RM and IT


Types of Record Formats

Types of Record

Formats

Physical documents

Electronic documents

Messages

Sections of large

reports

Data in application databases

Data in data warehouses

Other typesof formats

- Paper- Film- Fiche

- MS-Office- PDF- Other

- MS Exchange- Lotus Notes- IM- Other

- AFP- PDF- Other

Entries in SQL Database

Entries in data warehouse

Other

Unstructured content(high volumes)

Structured content(very high volumes)


Multiple facets of information lifecycle policies

Record Class

Retention & Disposition

Lifecycle of Paper

Record (Storage)

Lifecycle of Data Privacy

settings

Lifecycle of Security

Classification

Lifecycle of Electronic

Record (Storage

ILM)

Lifecycle of Metadata

Groups

Lifecycle of Content

Index

Other Lifecycle

facets

SecurityOfficer

PrivacyOfficer

LegalCounsel

RM

ComplianceOfficer

IT

RiskOfficer

OtherOfficer

IT

IT

PrivacyOfficer


Multiple facets of information lifecycle policies

Ope

ratio

nal U

sage

of C

onte

nt

days decadesweeks months years

Decl

are

as R

ecor

d

Com

ply

with

lega

l and

regu

lato

ryre

cord

rete

ntion

requ

irem

ents

Dis

pose

of R

ecor

d

Com

ply

with

lega

l and

regu

lato

ryre

cord

rete

ntion

requ

irem

ents

Dele

te C

onte

nt In

dex

Redu

ce c

osts

of s

torin

g co

nten

t ind

exes

Mov

e Co

nten

t to

Stor

age

Tier

n

Redu

ce c

osts

of s

torin

g co

nten

t

Anon

ymiz

e Re

cord

Com

ply

with

Priv

acy

requ

irem

ents

Dec

lass

ify R

ecor

d

Com

ply

with

gov

ernm

ent

de-c

lass

ifica

tion

requ

irem

ents

SecurityOfficer

PrivacyOfficer

LegalCounsel

CorporateRM

ComplianceOfficer

BOD

CorporateIT

RiskOfficer

OtherOfficer

?


To be continued…Current Solutions Landscape

Evolution in the solutions landscape

Size of bubbles not to scale

Next Generation IntelligentContent Addressable Storage

Repositories PoliciesControl & Admin

Repository

IDARS

PoliciesControl & Admin

Repository

ECM

RM


Repository

Data PrivacyPolicies

Control & Admin

Structured Content

RepositoriesPolicies

Control & AdminRepositoryeDiscovery

PoliciesControl & AdminPolicies

Control & AdminRepository


Agenda



Creative Solution StrategyCurrent Solutions Landscape

Evolution in the solutions landscape

Size of bubbles not to scale

Next Generation IntelligentContent Addressable Storage

Repositories PoliciesControl & Admin

Repository

IDARS


Repository

ECM

RM


Repository

Data PrivacyPolicies

Control & Admin

Structured Content

RepositoriesPolicies

Control & AdminRepositoryeDiscovery


Rules(Policies)

Corporate Information Governance Policies

Tools(Control &

Admin)

Information GovernanceCorporate/Regional/Jurisdictional

Control and Administration Processes

RecordsMgmt

eDiscovery

DataPrivacy

Other

AuditMgmt

Information RepositoriesRegional/Jurisdictional/Local

Tools(Repositories)

Content inCAS Systems

Content inIDARS

Content inData Whse

Content inECM Systems


Repository


Key Differences with existing RM/ECM Technologies

• Modular architecture aligned with emerging market specifications• Comprehensive repository-independent IG policy

► Human readable (Web or PDF based) analog policies► Application readable/integratable digital policies

• Integration of all facets of the record lifecycle ► Retention and disposition► Security declassification lifecycle► Data privacy lifecycle► Migration of electronic records across storage tiers (storage ILM)► Metadata lifecycle (very granular)► Content index lifecycle► Other

• Standardized record metadata definitions• “Business” and “Operational” events integrated with lifecycle

functions of IG Platform


Enterprise Information Governance Solution Platform

Lifecycle Event Sources- Business Applications- Processes Enterprise Information Governance Solution Platform

Retrieve Information

Capture Information

BusinessManagers


Enforce lifecycle actions

RecordsManagement Storage ILM

Standard Metadata Definitions

eDiscovery & Holds

System Admin

Security

Information GovernanceSteering Committee

SecurityOfficer

PrivacyOfficer


RMCompliance

Officer

BOD

CorporateIT

RiskOfficer

OtherOfficer

EDiscovery & Holds

Control andAdministrationof lifecycle for

ALL information

ECMSystem

Other RepositoriesRSD Folders ECM

SystemOther

Repositories


lifecycle

DataPrivacy

Cost Governance


Information Governance Policies - Retention and Disposition - Data Privacy - Discovery - Migration across storage tiers - Standard Metadata Definitions - Other



End Users End UsersLaws

RegulationsInternal Policies

Best PracticesEtc.




Retrieve Information

Capture Information

Information Governance Policies - Retention and Disposition - Data Privacy - Discovery - Migration across storage tiers - Standard Metadata Definitions - Other


DataPrivacy

RecordsManagement

Enforcement

IG Control & Admin

IG Policies

Corporate IG Policies

Enforcement

IG Control & Admin

IG Policies

Cost Governance

Control andAdministrationof lifecycle for

ALL information

Security

ECMSystem

Other RepositoriesRSD Folders ECM

SystemOther

Repositories

Storage ILM


eDiscovery & Holds

System Admin

EDiscovery & Holds

BusinessManagers


lifecycle



End Users End Users

Lifecycle Event Sources- Business Applications- Processes

Enforce lifecycle actions

Information GovernanceSteering Committee

SecurityOfficer

PrivacyOfficer


RMCompliance

Officer

BOD

CorporateIT

RiskOfficer

OtherOfficer

LawsRegulations

Internal PoliciesBest Practices

Etc.


File Plan Security

• ACL Security► Inherited from Master Classification► Inherited from parent to child within File Plan► ACL assignments can be modified by Security Officer or Administrator

• Security Classification► Inherited from Master Classification► Inherited from parent to child within File Plan► Security Classification can be increased but NOT decreased

• Metadata-value Security► Inherited from Master Classification► Inherited from parent to child within File Plan► Right to change field value limited to authorized Security Officers

• Repository Security► Security assigned to Object in Repository respected in IG Platform

• Security Accreditation (used within US DoD)

http://www.archives.gov/isoo/training/marking-booklet.pdf http://metadata.dod.mil/mdr/irs/DDMS/documents/ICS2007-500-2SecurityMarkingMetadata.pdf


Information Governance Platform Benefits

• Enable legal and regulatory compliance► Mitigate overall corporate risks by supporting the implementation and

operation of an effective and agile enterprise-wide Information Governance Program

• Maximize operational value of information assets► Address pressing needs for advanced content access and information

lifecycle management► Transparent access to corporate content in all repositories (structured

and unstructured)• Improve competitiveness

► Provide cost governance capabilities through the use of advanced IT-centric as well as business and compliance centric information lifecycle functions• Reduce overall cost of infrastructure• Reduce overall cost of storage• Reduce amount of information stored on Tier 1 storage through granular

management of information lifecycle


Agenda



Information Governance Programs

• Definition► IG Programs support compliance and accountability regarding corporate

information throughout their lifecycle• Primary objectives

► Enable legal and regulatory compliance and mitigate related risk► Maximize operational value of information assets► Improve competitiveness


RM Programs



• Superset of RM Program• Features analogous methodologies and processes

► Create and manage corporate policies and procedures about how information should be “properly looked after” consistently

► Carry out policies and procedures► Enforce policies on corporate information ► Maintain audit trail of these activities


RM Programs


Main activities in the IG Program

• Develop and maintain IG policies and procedures at corporate and jurisdictional levels► IG Steering Committee

• Deploy IG policies and procedures into jurisdictions• Manage information lifecycle in business units and department

► Perform control and administration of IG activities► Enforce IG lifecycle actions on information

• Maintain audit trail on above

Information Governance Steering Committee

RepositoryRepository

IG Enforcement Activities

IG Control andAdministration Activities

Local IG Policies (Jurisdictions)

Corporate IG Policies

CorporateCorporate IG Policies:- Retention and disposition- Data Privacy- Electronic discovery- Lifecycle of content- Lifecycle of content indexes- Lifecycle of metadata- OtherJurisdictions & Legal EntitiesIG Policies in Jurisdictions and Legal EntitiesBusiness UnitsFile Plans in Business Units controlled by IG Policies


Conventional Corporate RM Program

Jurisdiction #1

Jurisdiction #2

Jurisdiction #n

Corporate RM Programs versus Corporate IG Programs

Corporate RM

Corporate RM ProgramManual Retention Policy DevelopmentPolicy in Excel/Email/Paper/PDFManagement of unstructured documentsRetention policy ONLYLittle or no involvement of IT

Manual Administrationof RM Program

File Plan

File Plan

File Plan

RiskOfficer

RecordsAdmin


RM

RecordsAdmin

RecordsAdmin

CorporateIT

RecordsAdmin

RecordsAdmin

RecordsAdmin

Manual RM

RMA

RMA

RMA

RetentionSchedule

Manual RM

Manual RM

End User

File Plan

File Plan

File Plan

File Plan

File Plan

File Plan

File Plan

File Plan

File Plan

File Plan

RetentionSchedule

RetentionSchedule

RetentionSchedule

RetentionSchedule

RetentionSchedule

RetentionSchedule


Corporate RM Programs versus Corporate IG Programs

Information Governance Program

Jurisdiction #1

Jurisdiction #2

Jurisdiction #n

File Plan

File Plan

File Plan

RRS

RRSRRS

File Plan

File Plan

File Plan

File Plan

File Plan

File Plan

File Plan

File Plan

File Plan

File Plan

Corporate RM

RecordsAdmin

RecordsAdmin

Integrated Administrationof IG Program

IG Policies

IG Platform technology deployed at CorporateRecordsAdmin

RecordsAdmin

RecordsAdmin

RecordsAdmin

End User

RiskOfficer


RM

CorporateIT

Corporate IG ProgramAll facets of Information LifecycleManagement of all forms of recordsPolicies in application integratable formDirect involvement of IT


Information Governance Steering Committee

SecurityOfficer Privacy

Officer


RMCompliance

Officer

BOD

CorporateIT

RiskOfficer

OtherOfficer

Corporate IT: Manage corporate information and IT infrastructure

Corporate RM: - Manage process of creating IG policies- Ensure that policies are up to date- Ensure policies are available to field personnel

Legal Counsel: Responsible for legal department within organization - must be able to act decisively regarding legal challenges that face organization.

Risk Officer: Manage risk matters within organization

Privacy Officer: Oversee and manage compliance with Privacy laws and regulations

Compliance Officer: Oversee and manage compliance issues within organization

Security Officer: Responsible for security matters within organizations, including data security

Other Officer: Other corporate officer

BOD: Board of Directors with primary responsibility for approving corporate IG policy

Other: Depends on organization.


Agenda



Thank you!

Bassam [email protected]

Discussion

enterprise records knowledge conference 2010 the fog of information governance information...

Documents