Tactics

Developing an Information Governance Policy

By Courtney Macavinta

Despite increased regulation, the list of organizations that have acknowledged data privacy breaches in the past few years -- such as ChoicePoint, Bank of America, Eli Lilly, and the U.S. Veterans Affairs Department -- keeps growing. Whether a security breakdown involved a lost or stolen laptop, a break-in, human error, or a misplaced backup tape, once the people who are potentially affected receive notice of the incident (as is usually required by law these days), they are often left wondering: Why did this happen? That is the hard question no CIO wants to have to answer.

On the data protection front, CIOs are contending with a battery of state, federal, and international privacy laws, such as the U.S. Health Insurance Portability and Accountability Act (HIPAA) or the European Union Data Protection Directive, along with recent amendments to the U.S. Federal Rules for Civil Procedure (FRCP), which reinforce that business records like email can be fair game for legal discovery.

"What that translates to for the CIO is you have to put in place a policy now that defines what is a business record," says Nancy Flynn, executive director of The ePolicy Institute. "Then you have to establish a policy governing the retention of those business records and the deletion of non-records."

To comply with such regulations and stave off bad press, many CIOs are now creating information governance policies. The goal is a policy that governs what information can be collected from customers, clients, or employees, and how that data can be accessed, archived, disposed of, and secured. To create a policy that will not only help safeguard entrusted information but perhaps even give an organization a competitive edge based on its information governance standards, experts offer these best practices:

1. Think: Responsible

At Carnegie Mellon's CIO Institute, Larry Ponemon, founder of the ethical information practices think tank the Ponemon Institute, teaches CIOs a process for creating information governance policies dubbed Responsible Information Management (or RIM). "It's a process for engendering trust and confidence in how an organization's leaders ... manage, retain, and secure ... confidential information," he notes.

The RIM process advises CIOs to take steps that include assessing their organization's information risks and vulnerabilities, developing a plan to educate executive management about the ROI for RIM, and developing key performance indicators (KPIs) to establish firm criteria for manager accountability and long-term success. CIOs should also, the RIM process outlines, help implement educational programs and a communications strategy to train and inform all employees "who handle private, confidential, or sensitive personal information."

2. Think: Comprehensive

Although some organizations already have content policies that apply to email, instant messaging (IM), or employee blogs, for example, an information governance policy should cover how sensitive data is handled throughout an organization. "The CIO needs to work in conjunction with the legal, human resources, and audit departments in creating a comprehensive policy," says Stephen Pickett, the immediate past president of the Society for Information Management. "The policy needs to be comprehensive so as to leave little to the imagination of those handling information, but at the same time needs to be practical, making it easy to implement."

Ponemon adds that organizations "need an overarching framework that applies to the entire enterprise and that is respectful of the information owner who could be a customer, employee, or a business unit." Classes of information that CIOs need to consider protecting include intellectual property, customer data, employee data, and confidential business information.

3. Think: Enforcement

At the end of the day, an information governance policy is only effective if it's backed up by monitoring, performance measurement, and -- perhaps most important -- enforcement, experts say. This means CIOs need to help establish a formal process for responding to complaints and holding employees or business units responsible for clear violations of the policy. "You have to have a set of rules and policies -- and ways to vigorously monitor them -- or people won't take it seriously," Ponemon says.

Ponemon adds that no information governance policy will be perfect, but that CIOs can prioritize based on the organization's responsibility to customers, employees, shareholders, and investors. "They need to build an [information governance] framework that doesn't just look good to regulators, but is real."

Courtney Macavinta is a Silicon Valley-based business and technology writer. Her articles have appeared in CNET News.com, Business 2.0, Red Herring, Wired News, and The Washington Post. She is also managing editor of The Online Family (TheOnlineFamily.net).
