Information Nation: Seven Keys to Information Management Compliance, Second Edition

Book Description

This fully updated edition demonstrates how businesses can succeed in creating a new culture of information management compliance (IMC) by incorporating an IMC philosophy into a corporate governance structure. Expert advice and insight reveal the proven methodology that adopts the principles, controls, and discipline upon which many corporate compliance programs are built, and explain how to apply this methodology to develop and implement IMC programs that anticipate problems and take advantage of opportunities. You'll also learn how to measure information management compliance through auditing and monitoring, how to delegate program roles and components properly, and how to create a culture of information management awareness.

Table of Contents

  1. Copyright
  2. About the Authors
  3. Credits
  4. Acknowledgments
  5. Introduction
    1. Information Management Compliance
    2. Notes
  6. I. Laying the Foundations of Information Management Compliance
    1. 1. Why Information Management Matters
      1. 1.1. Sink or Swim
        1. 1.1.1. What Is Information Management?
        2. 1.1.2. Changing Times, Changing Terms
        3. 1.1.3. An Umbrella Term
        4. 1.1.4. Determine Your Needs
      2. 1.2. Notes
    2. 2. Building the Foundation: Defining Records
      1. 2.1. Determining If Information Is a Record
      2. 2.2. Defining Records
        1. 2.2.1. Why These Definitions Matter
      3. 2.3. Why We Retain Records
      4. 2.4. Not All Information Has to Be Retained
      5. 2.5. Top 10 Reasons Not to Keep Everything Forever
      6. 2.6. Medium Does Not Matter
      7. 2.7. Intent Does Matter
      8. 2.8. Record Qualification Checklist
      9. 2.9. Survey: Employee Responsibility for Records and Information
      10. 2.10. Notes
    3. 3. An Overview of Records Management
      1. 3.1. Defining Records Management
      2. 3.2. The Lifecycle Approach
      3. 3.3. Information Assets
      4. 3.4. Components of a Records Management Program
      5. 3.5. Managing Electronic Records
        1. 3.5.1. Electronic Records Must Be Trustworthy
        2. 3.5.2. Digital Trustworthiness Is a Challenge
        3. 3.5.3. Technology Can Help with Trustworthiness
      6. 3.6. Notes
    4. 4. Information Management Compliance (IMC)
      1. 4.1. What Is Compliance?
      2. 4.2. How Compliance and Information Management Fit Together
        1. 4.2.1. Combining the Two Approaches
      3. 4.3. Sources of IMC Criteria
      4. 4.4. Establishing Your Compliance Criteria
      5. 4.5. Organizational Liability
      6. 4.6. A Case Study in IMC Failure: Morgan Stanley
        1. 4.6.1. The Coleman Case
        2. 4.6.2. Other E-Mail Challenges
        3. 4.6.3. Failure to Monitor for Possible Insider Trading
        4. 4.6.4. System Compliance Problems
        5. 4.6.5. Conclusions
      7. 4.7. Notes
    5. 5. Achieving IMC: Introduction to the Seven Keys
      1. 5.1. The Facts: Something Is Broken
      2. 5.2. What Exactly Is Broken?
        1. 5.2.1. 1. The natural result of market contraction/correction
        2. 5.2.2. 2. The rush to technology
        3. 5.2.3. 3. The design of information technology itself
        4. 5.2.4. 4. Authority and responsibility
        5. 5.2.5. 5. Lack of a holistic view
      3. 5.3. The Federal Sentencing Guidelines
        1. 5.3.1. Challenges to the Guidelines Don't Diminish IM Relevance
      4. 5.4. The Seven Keys
      5. 5.5. Notes
    6. 6. Sarbanes-Oxley and IMC
      1. 6.1. Doing Business in the Post-Sarbanes-Oxley Era: Everyone Is Affected
      2. 6.2. Destruction and Alteration of Information: SOX Section 802
      3. 6.3. Internal Controls: The Role of Information Management in Financial Reporting and Corporate Governance
      4. 6.4. Information Management and SOX
      5. 6.5. Notes
  7. II. Seven Keys to Information Management Compliance
    1. Key #1: Good Policies and Procedures
      1. Key Overview
    2. 7. The Purpose of Policies and Procedures
      1. 7.1. Laying the Foundation of IMC
      2. 7.2. The Difference between Policies and Procedures
      3. 7.3. Provide Clear Directives to Employees
      4. 7.4. Making a Statement to the World
      5. 7.5. Not Following Your Own Policy Is Bad Policy
      6. 7.6. If You Don't Do It, Someone Else Will
      7. 7.7. Putting It Down in Writing
      8. 7.8. Limiting Corporate Liability for Employee Actions
        1. 7.8.1. Scenario 1: Pornography Sent Through Instant Messaging
        2. 7.8.2. Scenario 2: The Unencrypted E-Mail
        3. 7.8.3. You Make The Call:
      9. 7.9. The Legal Hold
      10. 7.10. Notes
    3. 8. Making Good Policies and Procedures
      1. 8.1. Create a Policy and Procedure Structure
        1. 8.1.1. Records Management Policies and Procedures
      2. 8.2. Create Clear and Unambiguous Directives
        1. 8.2.1. Avoid Technology Snafus
        2. 8.2.2. Personal Use of Company Resources
        3. 8.2.3. Keys to Clarity
      3. 8.3. Policies in the Real World
        1. 8.3.1. What We Can Learn
      4. 8.4. Policies Should Be Technology-Neutral
      5. 8.5. Guiding IT/IS with Policies and Procedures
      6. 8.6. Resist the Temptation to Make Catch-All Policies
      7. 8.7. Address Ongoing Changes in the Law
      8. 8.8. Addressing Policy Violations: A Four-Stage Program Courtesy of the FTC
      9. 8.9. Notes
    4. 9. Information Management Policy Issues
      1. 9.1. Issue #1: Electronic Discovery
        1. 9.1.1. What Is Discoverable?
        2. 9.1.2. Electronic Discovery Planning Checklist
      2. 9.2. Issue #2: Privacy
        1. 9.2.1. Private Information Is an Asset
        2. 9.2.2. Privacy Policy Revisions
        3. 9.2.3. Writing a Privacy Policy Is Not Enough
        4. 9.2.4. Ownership of Information
        5. 9.2.5. Privacy of Employee Information at Work
      3. 9.3. Issue #3: Protecting Company Information—the Programmer's Toolkit
        1. 9.3.1. Lessons Learned
      4. 9.4. Issue #4: Disaster Recovery and Business Continuance
      5. 9.5. Issue #5: Information Security
        1. 9.5.1. What Are We Trying to Protect?
        2. 9.5.2. Managing Information Security Records
        3. 9.5.3. Road Warriors
        4. 9.5.4. Employee Use of Public Terminals
        5. 9.5.5. Patch Management
      6. 9.6. Notes
    5. Key #2: Executive-Level Program Responsibility
      1. Key Overview
    6. 10. Executive Leadership, Sine Qua Non
      1. 10.1. Policy Comes from Above
      2. 10.2. Companies and Executives Pay the Price for Their Failures
      3. 10.3. Who Has Time for It?
      4. 10.4. Organizational Culture
      5. 10.5. It's Not Just the CFO
      6. 10.6. Fighting the Tide Is a Job for Someone Strong
      7. 10.7. Consistency across Lines-of-Business
      8. 10.8. Put Your Money Where Your Mouth Is
      9. 10.9. Can the CEO Really Be Held Accountable for Information Management?
        1. 10.9.1. Specific Issues for the CEO
        2. 10.9.2. In-House Counsel's Responsibility
        3. 10.9.3. The Role of the Board
      10. 10.10. Notes
    7. 11. What Executive Responsibility Means
      1. 11.1. Creating a Culture of Information Management Awareness
        1. 11.1.1. The CEO Statement
      2. 11.2. The Executive Information Management Council
      3. 11.3. What Happens to Records When Executives Leave the Organization?
      4. 11.4. Notes
    8. 12. IT Leadership
      1. 12.1. IT Leadership Is Changing
        1. 12.1.1. Digital Information Is Changing
      2. 12.2. The Impact of Sarbanes-Oxley on IT/IS Management
      3. 12.3. The Total Cost of Failure (TCF)
        1. 12.3.1. TCF—Turning the Model on Its Head
        2. 12.3.2. Determining TCF Cost Sources
        3. 12.3.3. Quantifying TCF Risk
        4. 12.3.4. The Risk Model at Work: An Example
        5. 12.3.5. Another Example: Verizon and the Slammer Worm
        6. 12.3.6. Lessons Learned
      4. 12.4. Notes
    9. Key #3: Proper Delegation of Program Roles and Components
      1. Key Overview
    10. 13. Create an Organizational Structure to Support IMC
      1. 13.1. Specialization Is the Reality
      2. 13.2. Training and Certification Should Be Standardized
      3. 13.3. Competing Needs: Why Your Committees Need to Be Broad and Deep
      4. 13.4. Who Should Be Responsible?
      5. 13.5. Notes
    11. 14. A Sample Information Management Organizational Structure
      1. 14.1. About This Model
        1. 14.1.1. The Councils
        2. 14.1.2. The Information Management Committees
        3. 14.1.3. Individual Roles and Responsibilities
      2. 14.2. The Model
        1. 14.2.1. A. Executive Information Management Council
          1. 14.2.1.1. Executive Records Retention Committee
          2. 14.2.1.2. Executive Records Preservation Committee
          3. 14.2.1.3. Executive Electronic Records Committee
        2. 14.2.2. B. Business Unit Information Management Council
          1. 14.2.2.1. Business Unit Records Retention Committee
          2. 14.2.2.2. Business Unit Records Preservation Committee
          3. 14.2.2.3. Business Unit Electronic Records Committee
        3. 14.2.3. C. Individual Roles and Responsibilities
          1. 14.2.3.1. Information Management Director
          2. 14.2.3.2. Business Unit Information Management Managers
          3. 14.2.3.3. Information Management Coordinators
          4. 14.2.3.4. Responsible Attorney
          5. 14.2.3.5. IT E-Discovery Liaison
    12. Key #4: Program Communication and Training
      1. Key Overview
    13. 15. Essential Elements of Information Management Communication and Training
      1. 15.1. Be Clear and Consistent
        1. 15.1.1. How Did This Happen?
      2. 15.2. Clarity Is King
      3. 15.3. Be Concise
      4. 15.4. Be Visible
      5. 15.5. Be Proactive and Responsive
      6. 15.6. Offer Engaging and Interactive Training Programs
        1. 15.6.1. Intranet-Based
        2. 15.6.2. Instructor-Led Training
      7. 15.7. Make IMC an Employee Priority
      8. 15.8. Constantly Communicate and Train
        1. 15.8.1. Keep Current with the Latest Laws and Regulations
        2. 15.8.2. Adjust to Major Events
      9. 15.9. Educate Employees about the Implication of New Technology
      10. 15.10. Notes
    14. Key #5: Auditing and Monitoring to Measure Program Compliance
      1. Key Overview
    15. 16. Use Auditing and Monitoring to Measure IMC
      1. 16.1. Information Management Auditing and Monitoring
      2. 16.2. Find Out before Someone Else Does
      3. 16.3. Auditing and Monitoring Programs Help to Build Trust
      4. 16.4. Know What Is Happening on Your Own Networks
      5. 16.5. Auditing or Monitoring May Be Required by Law
        1. 16.5.1. Internal and External Audits: IRS Revenue Procedure 97-22
        2. 16.5.2. Monitoring Programs: Supervision Under NASD Conduct Rule 3010
        3. 16.5.3. Monitoring Legal Holds
      6. 16.6. Internal versus External Auditing and Monitoring Programs
        1. 16.6.1. Required Third-Party Involvement
        2. 16.6.2. Making Representations to Third Parties
      7. 16.7. Piracy: Don't Look the Other Way
        1. 16.7.1. Action Items
      8. 16.8. Monitoring Employee Activity
      9. 16.9. Notes
    16. Key #6: Effective and Consistent Program Enforcement
      1. Key Overview
    17. 17. Addressing Employee Policy Violations
      1. 17.1. Make Sure Employees Understand the Consequences
        1. 17.1.1. Inform Employees of Past Violations
      2. 17.2. Enforcement Must Be Consistent
        1. 17.2.1. The Risks of Inconsistency
        2. 17.2.2. Common Inconsistencies
      3. 17.3. Notes
    18. 18. Using Technology to Enforce Policy
      1. 18.1. Which Directives Can Be Automatically Enforced?
        1. 18.1.1. Sample Policy Element #1: E-Mail Content
          1. 18.1.1.1. Automatically Enforceable?
          2. 18.1.1.2. How?
        2. 18.1.2. Sample Policy Element #2: Software Use
          1. 18.1.2.1. Automatically Enforceable?
          2. 18.1.2.2. How?
        3. 18.1.3. Sample Policy Element #3: File Sharing and Instant Messaging
          1. 18.1.3.1. Automatically Enforceable?
          2. 18.1.3.2. How?
        4. 18.1.4. Sample Policy Element #4: Legal Hold
          1. 18.1.4.1. Automatically Enforceable
          2. 18.1.4.2. Why?
      2. 18.2. Managing the Administrators
    19. Key #7: Continuous Program Improvement
      1. Key Overview
    20. 19. The Ongoing Work of IMC
      1. 19.1. Why Is Continuous Program Improvement (CPI) Required?
      2. 19.2. Changing Technology Means Changing the Program
        1. 19.2.1. Which Technology Is Next?
      3. 19.3. Dealing with Flaws and Failure
        1. 19.3.1. Find the True Source of the Failure
        2. 19.3.2. Take Disciplinary Action
        3. 19.3.3. Correct the Problem
        4. 19.3.4. Change and Improvement Is Always Needed
        5. 19.3.5. Provide a Mechanism for Inquiries
      4. 19.4. Communicating Flaws and Failures
        1. 19.4.1. Communication May Be Required by Law
      5. 19.5. Notes
  8. Conclusion