
Page 1

ARMA NYC Annual Conference
March 6, 2018
INFORMATION MANAGEMENT PROFESSIONALS, METRO CHAPTER

Privacy and Security: An Opportunity for IG

Presented by
Lauren Barnes, Director of Information Governance, S&P Global
Susan Chapdelaine, Managing Director, Morae Global

Page 2

Opportunity

“A time or set of circumstances that makes it possible to do something.” (Oxford English Dictionary)

Data protection and information security today present unique opportunities to advance information governance objectives.

Page 3

Frequency and severity of data breaches

• Equifax – 143 million consumers affected
• Yahoo – over 1 billion accounts breached
• Uber – 57 users and 600,000 drivers affected
• Sony Pictures data breach
  o Release of confidential data, including personal information on employees and families.
  o Also released information on an unreleased film, “The Interview”; estimated financial impact 15 million

Page 4

Potential fines and penalties

• Privacy Shield – fines of up to $40K per violation or $40K per day for continuing violations
• GDPR changes the game – potential fines of up to 4% of annual global turnover
• New York Cyber Security Regulation – $2,500 per day for continuing violations, $15K per day for “reckless or unsound practice or pattern of misconduct,” or $75,000 per day in the event of a willful violation

New requirements and potential penalties raise the bar for Information Governance, making it a strategic imperative in business today.

Page 5

What are the Issues?

Requirement: Limitations of personal data retention
Implication:
• Companies may only retain personal data as long as there is a business need for the information
• Expectation of compliance with retention requirements
Actions Required:
• Ability to apply retention/disposition within all corporate repositories/systems containing personal data
• Call for action to implement before deadlines for compliance

Requirement: Consent and Right to Erasure
Implication:
• Individuals must give explicit consent to data processing
• Individuals have a right to request deletion of their personal data
Actions Required:
• Documentation of consent is required
• Organizations must have a process in place to respond to requests for erasure and the ability to delete if required

Requirement: Record of processing activities
Implication:
• Identification of role of processor
• Identification of processing activities
Actions Required:
• Establish and maintain a record of all processing activities
• Establish process and system for documenting processing activities

Requirement: Data breach notification
Implication:
• Notification to data subjects after the occurrence of a data breach
Actions Required:
• Process for breach detection and notification
• Record of notification

Requirement: Potential loss of IP and reputational damage through data breach
Implication:
• Security protocols and safeguards
• Enhanced security on networks/systems
Actions Required:
• Assessment of security classifications and protection to prevent loss
• Policies and tools for Data Loss Prevention

Page 6

Recordkeeping by design

Information lifecycle: Create → Classify → Use → Retain → Dispose

The IG program strategy is to embed information lifecycle management by design into the tools, systems, and processes that support the business, making it an integral part of the way information is managed. This minimizes disruption to the business and reduces or eliminates additional actions required of employees outside of their normal business activities.

Priority Initiatives:
• Backup Strategy • Data Privacy/GDPR • Data Loss Prevention • Security Assessments • Risk Assessments

Business Process Alignment:
• Information Assessments • Technology evaluations • Transition Planning • Defensible Disposition • Metrics/KPIs

Technology/Governance Models:
• Software Development Lifecycle • Records-enabled tool identification • Compliance tools

Page 7

How do we get this done?

Page 8

Collaboration, Coordination and Integration

• Information management initiatives designed to mitigate risks, reduce costs, and obtain maximum value from our information.
• Collaboration with legal, compliance and privacy to address privacy and regulatory compliance
• Alignment of IT stakeholders to address integration of RM requirements into systems and support for business and corporate implementation

Collaboration, coordination, and integration are necessary to embed Information Governance into the tools, systems, and processes that support the business. Legal, Compliance and IT disciplines provide valued input and direction to the vision for workable and sustainable IG models.

Diagram: Information Governance at the center, connected to Information Technology, Architecture & Data Management, Information Security, Business Continuity, Records and Information Management, Discovery, Privacy, and Compliance Monitoring/Assurance.

Page 9

Framework

• COMPLIANCE: Compliance Metrics; Monitoring/Escalation; Audit Process
• ACCOUNTABILITY: Roles/Responsibilities; Business Ownership; Implementation Plan Tracking
• POLICY: RM Policy; IG Standards; Retention Schedules
• PROCESS: Identify Information Value; Assess IG Compliance; Remediation Roadmap
• EDUCATION: Communications; Training & Guidance; Self-Service IG Site
• TECHNOLOGY: Acceptable Record Repository; Recordkeeping/Tech Integration; IT User-facing Support

Layers of the framework: Information Governance Structure; Information Governance Execution Support; Information Lifecycle Management (CAPTURE → IDENTIFY → CLASSIFY → UTILIZE → RETAIN → DISPOSE*)

Page 10

Policy, Retention Schedule, Standards

Industry Best Practices · Information Governance (IG) Standards · Information Technology Strategy · Records Management Policy · Business Requirements · Legal and Compliance Requirements

TECHNOLOGY INTEGRATION (Technology Standards)
· Electronic Signatures · Encryption · Document Imaging · Back-up and Archiving · Active Environments With Records · Approved Record Repository

PROCESS ALIGNMENT (Business-Owned Processes)
· Management Communication · Business Lead Appointment · Education & Training · Business Review and Assessment · IG Mitigation Plan · Annual Compliance Certification

IG STANDARDS & PROCESSES
· Retention Schedule · Preservation Holds · Security Classification · Data Privacy · Communications Retention · Unstructured Information Retention · Structured Information Retention · Compliance Monitoring and Audit · IG Compliance Process

Page 11

IG Standards

Dimensions covered by each standard: RETENTION · PROTECTION · INTEGRITY · AVAILABILITY · DISPOSITION

Standards:
• COMMUNICATIONS
• STRUCTURED DATA
• UNSTRUCTURED DATA
• DATA PRIVACY
• SYSTEM BACKUP & ARCHIVING
• SECURITY CLASSIFICATION
• IMAGING AND ELECTRONIC SIGNATURES
• DATA MIGRATION
• APPROVED RECORD REPOSITORY
• INFORMATION SHARING & COLLABORATION
• DISCOVERY AND INVESTIGATIONS
• METADATA STANDARD
• LEGACY DATA REMEDIATION
• PRESERVATION HOLDS
• DEFENSIBLE DISPOSITION PROTOCOLS

Page 12

Accountability

Inputs: INDUSTRY BEST PRACTICES · GENERALLY ACCEPTED RECORDKEEPING PRINCIPLES · INDUSTRY STANDARDS · LEGAL & REGULATORY RESEARCH

Program elements: IG STANDARDS & RETENTION SCHEDULE · RM POLICY · COMPLIANCE PROGRESSION PLANS · IG MONITORING & COMPLIANCE PROGRAM · IG PROGRAM STRUCTURE

GOVERNANCE: LEAD: IG, Legal, Compliance; SUPPORT: IT, CISO
IMPLEMENTATION: LEAD: Business, IT; SUPPORT: IG, Legal, Compliance
SUSTAINMENT: LEAD: Business; SUPPORT: IT, IG, CISO, Legal, Compliance

ENTERPRISE & BUSINESS UNIT COMPLIANCE PROGRESSION PLANS
INTERNAL REPORTING, REVIEW AND AUDIT · AUDIT GUIDELINES

Page 13

IG Strategy and Implementation Plan

Information Governance (IG) Program
• Policy, Standards & Records Retention Schedule
• IG Training and Support
• Support plan development and technology implementation
• Guide goal setting and monitor milestone achievement

Business Initiatives (Business Divisions)
• Assess information to determine gaps with IG Standards and RRS
• Develop and Execute Business Transition Plans

Technology Initiatives (Global Technology)
• Assess system capabilities to meet IG Standards

Information Governance, Business Ownership and IT Support: Collaboration · Coordination · Interdependence · Alignment

Page 14

Engaging IT – System Assessment

Unstructured Systems
• Examples: File shares; Desktops; Email (unmanaged)
• Gap: Lacks recordkeeping features or uses ineffective and error-prone manual recordkeeping processes
• Solutions: Retire non-compliant recordkeeping systems and processes; Migrate records to records-enabled solutions (e.g. Box.com, O365)

Collaboration Tools (Enterprise)
• Examples: Box.com; O365/SharePoint; Other CMS
• Gap: Capable of meeting recordkeeping standards, but may not be configured or have scalable governance models in place
• Solutions: Confirm recordkeeping configuration or customization plans with IT; Identify governance models, file plans, and taxonomies as necessary

Structured Business Systems (Departmental/Niche)
• Examples: Salesforce (Sales); OneTrust (Data Privacy); Collibra (Security)
• Gap: May not meet recordkeeping standards without configuration, add-ons, customization, or other enhancements
• Solutions: Confirm recordkeeping configuration or customization plans with IT; Replace and migrate to records-enabled systems

Structured Business Systems (Enterprise)
• Examples: Oracle ERP; SAP; Workday (HR/Finance +)
• Gap: May not meet recordkeeping standards without configuration, add-ons, customization, or other enhancements
• Solutions: Confirm recordkeeping configuration or customization plans with IT; Replace and migrate records to records-enabled systems

Options to resolve recordkeeping gaps may vary for on-premise, cloud, and hybrid solutions.

Page 15

Engaging the Business

Business / Technology / Information Governance Partnership

Assess
• Identify: Identify information in business process; Assess information value; Map to Retention Schedule
• Analyze: Determine recordkeeping capabilities of applications based upon IT Assessment; Identify gaps in existing systems and practices
• Develop Transition Plan: Determine solutions; Identify required process changes and milestones; Establish timing, resources and budget

Implement
• Engage: Develop communications & support materials; Confirm availability of required resources; Inform team members
• Execute: Execute change; Implement process changes; Deploy tools; Provide guidance and support to team members
• Monitor / Measure: Report progress & measure results; Evaluate effectiveness; Implement improvements

Timeframes are based upon dependencies including: scope of change required, available resources, technology, SMEs, and budget.

Page 16

Bringing it together

Flow diagram (Policy and Standards → Transition Plan → Audit Process):
• Policy, Standards, RRS, Change Management: IG provides Tools, Support & Training; IT provides technology capability for IG Compliance
• Business Ownership and Compliance Assessment: Business assesses Information to determine gaps with new Standards; Has Business Transition Plan?; Division IG Plan; Monitoring & Reporting
• Transition Plan: Business develops and executes Transition Plan to IG Compliance (est. approx. 2 years); As part of Transition Plan, technology is aligned with IG processes, which brings applications, repositories and information storage locations into compliance; Compliance monitors Transition Plan progress
• Audit Process: When Transition Plan is complete, it is evaluated for IG Compliance; Compliance with RM Policy and IG Standards subject to Audit; IG provides metrics to measure compliance

Legend: IT Support to Business

Page 17

Defensibility of IG Program

• Policy, program and implementation approach meet regulatory obligations
• Documented policy, standards and process for coming into compliance
• Monitoring and audit process designed to measure and document progress in meeting implementation milestones

Page 18

Questions / Comments

Lauren Barnes, S&P Global ([email protected])
Susan Chapdelaine, Morae Global ([email protected])
www.MoraeGlobal.com