I will uncloak for a moment to add a couple pennies of my thoughts.
I've used the term "Information Governance" for quite a while (probably
before anyone else) to describe what I do because nothing else fit. Records
Management is less than 5% of what I do. I don't have any operational
responsibilities, which is a key differentiator. I also own all of our
information security policies, exceptions to those policies, and a bunch of
other security stuff.
Definition-wise, what I have come up with (if you steal this in any way,
shape or form, you better tell me about it) is:
"A system of policies, controls, procedures, and tools governing the
lifecycle of an organization’s data that matters. This system ensures
appropriate ease of access to data when needed and defensible disposition
of data when no longer needed. This system limits business disruption,
while maintaining appropriate security, within an auditable framework in
line with the organization’s risk appetite and regulatory environment."
Close to an elevator speech in language that is almost understandable. I'm
not going to call it a universal truth, but it works to help me define my
space. This comes from a presentation that I call "Information Governance:
Blind Men Meet Your Elephant." Could this describe records management? Sure.
The principles underlying this definition are:
Prevent loss of data that matters.
Support legal discovery process
Define and manage defensible disposition
Drive information to secure, common repositories
Identify, locate, and secure sensitive and proprietary information
Communicate and train secure behaviors
Minimize disruption to the business.
Balance controls to risk appetite
Deliver simple, effective tools
Reduce and mitigate threats
Ensure appropriate behaviors
Meet compliance requirements
When I talk about disruption to business, I'm not talking about disaster
recovery or business continuity exclusively. I'm also speaking about
putting in stupid systems or policies that require workers to manually try
to do things that get in the way of them doing their real work.
And lastly, one more nit to pick. We are a controls-driven organization.
When an audit is performed, it is based upon compliance against documented
controls. RIM is very difficult to define adequately in measurable
controls, but we're trying to get there. Most "audits" in RIM that I have
seen would be laughed at by an auditor. The sample sizes are not
appropriate and really provide little better than anecdotal review of
state. But we're working to get there with a control set that can be
properly measured and that also comes back to implementing systems around
information management.
Patrick Cunningham, FAI