ISBN-13: 9781119491446 / English / Hardcover / 2019 / 544 pp.
Preface
Acknowledgments

Part One--Information Governance Concepts, Definitions, and Principles

Chapter 1 The Information Governance Imperative
Early Development of IG; Big Data Impact; Defining Information Governance; IG is Not a Project, But an Ongoing Program; Why IG is Good Business; Failures in Information Governance; Form IG Policies, Then Apply Technology for Enforcement

Chapter 2 Information Governance, IT Governance, Data Governance: What's the Difference?
Data Governance; Data Governance Strategy Tips; IT Governance; IT Governance Frameworks; Information Governance; Impact of a Successful IG Program; Summing Up the Differences

Chapter 3 Information Governance Principles
The Sedona Conference® Commentary on Information Governance; Smallwood IG Principles; Accountability is Key; Generally Accepted Recordkeeping Principles® (contributed by Charmaine Brooks); Assessment and Improvement Roadmap; Information Security Principles; Privacy Principles; Who Should Determine IG Policies?

Part Two--Information Governance Risk Assessment and Strategic Planning

Chapter 4 Information Asset Risk Planning and Management
The Information Risk Planning Process; Create a Risk Profile; Information Risk Planning and Management Summary

Chapter 5 Strategic Planning and Best Practices for Information Governance
Crucial Executive Sponsor Role; Evolving Role of the Executive Sponsor; Building Your IG Team; Assigning IG Team Roles and Responsibilities; Align Your IG Plan with Organizational Strategic Plans; Survey and Evaluate External Factors; Formulating the IG Strategic Plan

Chapter 6 Information Governance Policy Development
The Sedona Conference IG Principles; A Brief Review of Generally Accepted Recordkeeping Principles®; IG Reference Model; Best Practices Considerations; Standards Considerations; Benefits and Risks of Standards; Key Standards Relevant to IG Efforts; Major National and Regional ERM Standards; Making Your Best Practices and Standards Selections to Inform Your IG Framework; Roles and Responsibilities; Program Communications and Training; Program Controls, Monitoring, Auditing, and Enforcement

Part Three--Information Governance Key Impact Areas

Chapter 7 Information Governance for Business Units
Start with Business Objective Alignment; Which Business Units are the Best Candidates to Pilot an IG Program?; What is Infonomics?; How to Begin an IG Program; Business Considerations for an IG Program (by Barclay T. Blair); Changing Information Environment; Calculating Information Costs; Big Data Opportunities and Challenges; Full Cost Accounting for Information; Calculating the Cost of Owning Unstructured Information; The Path to Information Value; Challenging the Culture; New Information Models; Future State: What Will the IG-Enabled Organization Look Like?; Moving Forward

Chapter 8 Information Governance and Legal Functions
Robert Smallwood with Randy Kahn, Esq., and Barry Murphy
Introduction to E-Discovery: The Revised 2006 and 2015 Federal Rules of Civil Procedure Changed Everything; Big Data Impact; More Details on the Revised FRCP Rules; Landmark E-Discovery Case: Zubulake v. UBS Warburg; E-Discovery Techniques; E-Discovery Reference Model; The Intersection of IG and E-Discovery (by Barry Murphy); Building on Legal Hold Programs to Launch Defensible Disposition (by Barry Murphy); Destructive Retention of E-Mail; Newer Technologies That Can Assist in E-Discovery; Defensible Disposal: The Only Real Way to Manage Terabytes and Petabytes (by Randy Kahn, Esq.)

Chapter 9 Information Governance and Records and Information Management Functions
Records Management Business Rationale; Why is Records Management So Challenging?; Benefits of Electronic Records Management; Additional Intangible Benefits; Inventorying E-Records; RM Intersection with Data Privacy Management (by Teresa Schoch); Generally Accepted Recordkeeping Principles®; E-Records Inventory Challenges; Records Inventory Purposes; Records Inventorying Steps; Appraising the Value of Records; Ensuring Adoption and Compliance of RM Policy; Sample Information Asset Survey Questions; General Principles of a Retention Scheduling; Developing a Records Retention Schedule; Why are Retention Schedules Needed?; What Records Do You Have to Schedule? Inventory and Classification; Rationale for Records Groupings; Records Series Identification and Classification; Retention of E-Mail Records; How Long Should You Keep Old E-Mails?; Destructive Retention of E-Mail; Legal Requirements and Compliance Research; Event-Based Retention Scheduling for Disposition of E-Records; Prerequisites for Event-Based Disposition; Final Disposition and Closure Criteria; Retaining Transitory Records; Implementation of the Retention Schedule and Disposal of Records; Ongoing Maintenance of the Retention Schedule; Audit to Manage Compliance with the Retention Schedule

Chapter 10 Information Governance and Information Technology Functions
Data Governance; Steps to Governing Data Effectively; Data Governance Framework; Information Management; IT Governance; IG Best Practices for Database Security and Compliance; Tying It All Together

Chapter 11 Information Governance and Privacy and Security Functions
Information Privacy (by Andrew Ysasi); Generally Accepted Privacy Principles; Fair Information Practices (FIPS); OECD Privacy Principles; Madrid Resolution 2009; EU General Data Protection Regulation; GDPR: A Look at Its First Year (by Mark Driskill); Privacy Programs; Privacy in the United States; Privacy Laws; Cybersecurity; Cyberattacks Proliferate; Insider Threat: Malicious or Not; Information Security Assessments and Awareness Training (by Baird Brueseke); Cybersecurity Considerations and Approaches (by Robert Smallwood); Defense in Depth; Controlling Access Using Identity Access Management; Enforcing IG: Protect Files with Rules and Permissions; Challenge of Securing Confidential E-Documents; Apply Better Technology for Better Enforcement in the Extended Enterprise; E-Mail Encryption; Secure Communications Using Record-Free E-Mail; Digital Signatures; Document Encryption; Data Loss Prevention (DLP) Technology; Missing Piece: Information Rights Management (IRM); Embedded Protection; Hybrid Approach: Combining DLP and IRM Technologies; Securing Trade Secrets After Layoffs and Terminations; Persistently Protecting Blueprints and CAD Documents; Securing Internal Price Lists; Approaches for Securing Data Once It Leaves the Organization; Document Labeling; Document Analytics; Confidential Stream Messaging

Part Four--Information Governance for Delivery Platforms

Chapter 12 Information Governance for E-Mail and Instant Messaging
Employees Regularly Expose Organizations to E-Mail Risk; E-Mail Policies Should Be Realistic and Technology Agnostic; E-Record Retention: Fundamentally a Legal Issue; Preserve E-Mail Integrity and Admissibility with Automatic Archiving; Instant Messaging; Best Practices for Business IM Use; Technology to Monitor IM; Tips for Safer IM; Team and Channel Messaging Solutions Emerge

Chapter 13 Information Governance for Social Media
Dr. Patricia Franks and Robert Smallwood
Types of Social Media in Web 2.0; Additional Social Media Categories; Social Media in the Enterprise; Key Ways Social Media is Different from E-Mail and Instant Messaging; Biggest Risks of Social Media; Legal Risks of Social Media Posts; Tools to Archive Social Media; IG Considerations for Social Media; Key Social Media Policy Guidelines; Records Management and Litigation Considerations for Social Media; Emerging Best Practices for Managing Social Media Records

Chapter 14 Information Governance for Mobile Devices
Current Trends in Mobile Computing; Security Risks of Mobile Computing; Securing Mobile Data; Mobile Device Management (MDM); IG for Mobile Computing; Building Security into Mobile Applications; Best Practices to Secure Mobile Applications; Developing Mobile Device Policies

Chapter 15 Information Governance for Cloud Computing
Monica Crocker and Robert Smallwood
Defining Cloud Computing; Key Characteristics of Cloud Computing; What Cloud Computing Really Means; Cloud Deployment Models; Benefits of the Cloud; Security Threats with Cloud Computing; Managing Documents and Records in the Cloud; IG Guidelines for Cloud Computing Solutions; IG for SharePoint and Office365 (by Robert Bogue)

Chapter 16 Leveraging and Governing Emerging Technologies
Data Analytics; Descriptive Analytics; Diagnostic Analytics; Predictive Analytics; Prescriptive Analytics; Which Type of Analytics is Best?; Artificial Intelligence; The Role of Artificial Intelligence in IG; Blockchain: A New Approach with Clear Advantages (by Darra Hoffman); Breaking Down the Definition of Blockchain; The Internet of Things: IG Challenges; IoT as a System of Contracts; IoT Basic Risks and IG Issues; IoT E-Discovery Issues; Why IoT Trustworthiness is a Journey and Not a Project (by Bassam Zarkout); Governing the IoT Data; IoT Trustworthiness; Information Governance Versus IoT Trustworthiness; IoT Trustworthiness Journey; Conclusion

Part Five--Long-Term Program Issues

Chapter 17 Long-Term Digital Preservation
Charles M. Dollar and Lori J. Ashley
Defining Long-Term Digital Preservation; Key Factors in Long-Term Digital Preservation; Threats to Preserving Records; Digital Preservation Standards; PREMIS Preservation Metadata Standard; Recommended Open Standard Technology-Neutral Formats; Digital Preservation Requirements; Long-Term Digital Preservation Capability Maturity Model®; Scope of the Capability Maturity Model; Digital Preservation Capability Performance Metrics; Digital Preservation Strategies and Techniques; Evolving Marketplace; Looking Forward; Conclusion

Chapter 18 Maintaining an Information Governance Program and Culture of Compliance
Monitoring and Accountability; Change Management--Required (by Monica Crocker); Continuous Process Improvement; Why Continuous Improvement is Needed

Appendix A Information Organization and Classification: Taxonomies and Metadata
Barb Blackburn, CRM, with Robert Smallwood; edited by Seth Earley
Importance of Navigation and Classification; When is a New Taxonomy Needed?; Taxonomies Improve Search Results; Metadata and Taxonomy; Metadata Governance, Standards, and Strategies; Types of Metadata; Core Metadata Issues; International Metadata Standards and Guidance; Records Grouping Rationale; Business Classification Scheme, File Plans, and Taxonomy; Classification and Taxonomy; Prebuilt Versus Custom Taxonomies; Thesaurus Use in Taxonomies; Taxonomy Types; Business Process Analysis; Taxonomy Testing: A Necessary Step; Taxonomy Maintenance; Social Tagging and Folksonomies

Appendix B Laws and Major Regulations Related to Records Management
United States; Gramm-Leach-Bliley Act; Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA); PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001); Sarbanes-Oxley Act (SOX); SEC Rule 17A-4; CFR Title 47, Part 42--Telecommunications; CFR Title 21, Part 11--Pharmaceuticals; US Federal Authority on Archives and Records: National Archives and Records Administration (NARA); US Code of Federal Regulations; Canada; United Kingdom; Australia; Identifying Records Management Requirements in Other Legislation

Appendix C Laws and Major Regulations Related to Privacy
United States; European Union General Data Protection Regulation (GDPR); Major Privacy Laws Worldwide, by Country

Glossary
About the Author
About the Major Contributors
Index

ROBERT F. SMALLWOOD, MBA, CIP, IGP, is founder of the Institute for Information Governance, a specialty training and consulting practice, and CEO, Publisher, and co-founder of Information Governance World magazine. Some of his past research and consulting clients include Abbott Labs, Kirkwood and Ellis LLP, NASA, Novartis Pharmaceuticals, and Verizon. He is the author of Managing Electronic Records: Methods, Best Practices, and Technologies and Safeguarding Critical E-Documents, both from Wiley.