book

Information Nation: Seven Keys to Information Management Compliance, Second Edition

Name: Information Nation: Seven Keys to Information Management Compliance, Second Edition
ISBN: 9780470453117

by Randolph Kahn, Barclay Blair

February 2009

Intermediate to advanced

270 pages

5h 51m

English

Wiley

Read now

Unlock full access

Copyright
About the Authors
Credits
Acknowledgments
Introduction
Information Management ComplianceNotes
I. Laying the Foundations of Information Management Compliance
1. Why Information Management Matters
1.1. Sink or Swim1.1.1. What Is Information Management?1.1.2. Changing Times, Changing Terms1.1.3. An Umbrella Term1.1.4. Determine Your Needs1.2. Notes
2. Building the Foundation: Defining Records
2.1. Determining If Information Is a Record2.2. Defining Records2.2.1. Why These Definitions Matter2.3. Why We Retain Records2.4. Not All Information Has to Be Retained2.5. Top 10 Reasons Not to Keep Everything Forever2.6. Medium Does Not Matter2.7. Intent Does Matter2.8. Record Qualification Checklist2.9. Survey: Employee Responsibility for Records and Information2.10. Notes
3. An Overview of Records Management
3.1. Defining Records Management3.2. The Lifecycle Approach3.3. Information Assets3.4. Components of a Records Management Program3.5. Managing Electronic Records3.5.1. Electronic Records Must Be Trustworthy3.5.2. Digital Trustworthiness Is a Challenge3.5.3. Technology Can Help with Trustworthiness3.6. Notes
4. Information Management Compliance (IMC)
4.1. What Is Compliance?4.2. How Compliance and Information Management Fit Together4.2.1. Combining the Two Approaches4.3. Sources of IMC Criteria4.4. Establishing Your Compliance Criteria4.5. Organizational Liability4.6. A Case Study in IMC Failure: Morgan Stanley4.6.1. The Coleman Case4.6.2. Other E-Mail Challenges4.6.3. Failure to Monitor for Possible Insider Trading4.6.4. System Compliance Problems4.6.5. Conclusions4.7. Notes

5. Achieving IMC: Introduction to the Seven Keys
5.1. The Facts: Something Is Broken5.2. What Exactly Is Broken?5.2.1. 1. The natural result of market contraction/correction5.2.2. 2. The rush to technology5.2.3. 3. The design of information technology itself5.2.4. 4. Authority and responsibility5.2.5. 5. Lack of a holistic view5.3. The Federal Sentencing Guidelines5.3.1. Challenges to the Guidelines Don't Diminish IM Relevance5.4. The Seven Keys5.5. Notes
6. Sarbanes-Oxley and IMC
6.1. Doing Business in the Post-Sarbanes-Oxley Era: Everyone Is Affected6.2. Destruction and Alteration of Information: SOX Section 8026.3. Internal Controls: The Role of Information Management in Financial Reporting and Corporate Governance6.4. Information Management and SOX6.5. Notes
II. Seven Keys to Information Management Compliance
Key #1: Good Policies and Procedures
Key Overview
7. The Purpose of Policies and Procedures
7.1. Laying the Foundation of IMC7.2. The Difference between Policies and Procedures7.3. Provide Clear Directives to Employees7.4. Making a Statement to the World7.5. Not Following Your Own Policy Is Bad Policy7.6. If You Don't Do It, Someone Else Will7.7. Putting It Down in Writing7.8. Limiting Corporate Liability for Employee Actions7.8.1. Scenario 1: Pornography Sent Through Instant Messaging7.8.2. Scenario 2: The Unencrypted E-Mail7.8.3. You Make The Call:7.9. The Legal Hold7.10. Notes
8. Making Good Policies and Procedures
8.1. Create a Policy and Procedure Structure8.1.1. Records Management Policies and Procedures8.2. Create Clear and Unambiguous Directives8.2.1. Avoid Technology Snafus8.2.2. Personal Use of Company Resources8.2.3. Keys to Clarity8.3. Policies in the Real World8.3.1. What We Can Learn8.4. Policies Should Be Technology-Neutral8.5. Guiding IT/IS with Policies and Procedures8.6. Resist the Temptation to Make Catch-All Policies8.7. Address Ongoing Changes in the Law8.8. Addressing Policy Violations: A Four-Stage Program Courtesy of the FTC8.9. Notes
9. Information Management Policy Issues
9.1. Issue #1: Electronic Discovery9.1.1. What Is Discoverable?9.1.2. Electronic Discovery Planning Checklist9.2. Issue #2: Privacy9.2.1. Private Information Is an Asset9.2.2. Privacy Policy Revisions9.2.3. Writing a Privacy Policy Is Not Enough9.2.4. Ownership of Information9.2.5. Privacy of Employee Information at Work9.3. Issue #3: Protecting Company Information—the Programmer's Toolkit9.3.1. Lessons Learned9.4. Issue #4: Disaster Recovery and Business Continuance9.5. Issue #5: Information Security9.5.1. What Are We Trying to Protect?9.5.2. Managing Information Security Records9.5.3. Road Warriors9.5.4. Employee Use of Public Terminals9.5.5. Patch Management9.6. Notes
Key #2: Executive-Level Program Responsibility
Key Overview
10. Executive Leadership, Sine Qua Non1
10.1. Policy Comes from Above10.2. Companies and Executives Pay the Price for Their Failures10.3. Who Has Time for It?10.4. Organizational Culture10.5. It's Not Just the CFO10.6. Fighting the Tide Is a Job for Someone Strong10.7. Consistency across Lines-of-Business10.8. Put Your Money Where Your Mouth Is10.9. Can the CEO Really Be Held Accountable for Information Management?10.9.1. Specific Issues for the CEO10.9.2. In-House Council's Responsibility10.9.3. The Role of the Board10.10. Notes
11. What Executive Responsibility Means
11.1. Creating a Culture of Information Management Awareness11.1.1. The CEO Statement11.2. The Executive Information Management Council11.3. What Happens to Records When Executives Leave the Organization?11.4. Notes
12. IT Leadership
12.1. IT Leadership Is Changing12.1.1. Digital Information Is Changing12.2. The Impact of Sarbanes-Oxley on IT/IS Management12.3. The Total Cost of Failure (TCF)12.3.1. TCF—Turning the Model on Its Head12.3.2. Determining TCF Cost Sources12.3.3. Quantifying TCF Risk12.3.4. The Risk Model at Work: An Example12.3.5. Another Example: Verizon and the Slammer Worm12.3.6. Lessons Learned12.4. Notes
Key #3: Proper Delegation of Program Roles and Components
Key Overview
13. Create an Organizational Structure to Support IMC
13.1. Specialization Is the Reality13.2. Training and Certification Should Be Standardized13.3. Competing Needs: Why Your Committees Need to Be Broad and Deep13.4. Who Should Be Responsible?13.5. Notes
14. A Sample Information Management Organizational Structure
14.1. About This Model14.1.1. The Councils14.1.2. The Information Management Committees14.1.3. Individual Roles and Responsibilities14.2. The Model14.2.1. A. Executive Information Management Council14.2.1.1. Executive Records Retention Committee14.2.1.2. Executive Records Preservation Committee14.2.1.3. Executive Electronic Records Committee14.2.2. B. Business Unit Information Management Council14.2.2.1. Business Unit Records Retention Committee14.2.2.2. Business Unit Records Preservation Committee14.2.2.3. Business Unit Electronic Records Committee14.2.3. C. Individual Roles and Responsibilities14.2.3.1. Information Management Director14.2.3.2. Business Unit Information Management Managers14.2.3.3. Information Management Coordinators14.2.3.4. Responsible Attorney14.2.3.5. IT E-Discovery Liaison
Key #4: Program Communication and Training
Key Overview
15. Essential Elements of Information Management Communication and Training
15.1. Be Clear and Consistent15.1.1. How Did This Happen?15.2. Clarity Is King15.3. Be Concise15.4. Be Visible15.5. Be Proactive and Responsive15.6. Offer Engaging and Interactive Training Programs15.6.1. Intranet-Based15.6.2. Instructor-Led Training15.7. Make IMC an Employee Priority15.8. Constantly Communicate and Train15.8.1. Keep Current with the Latest Laws and Regulations15.8.2. Adjust to Major Events15.9. Educate Employees about the Implication of New Technology15.10. Notes
Key #5: Auditing and Monitoring to Measure Program Compliance
Key Overview
16. Use Auditing and Monitoring to Measure IMC
16.1. Information Management Auditing and Monitoring16.2. Find Out before Someone Else Does16.3. Auditing and Monitoring Programs Help to Build Trust16.4. Know What Is Happening on Your Own Networks16.5. Auditing or Monitoring May Be Required by Law16.5.1. Internal and External Audits: IRS Revenue Procedure 97–2216.5.2. Monitoring Programs: Supervision Under NASD Conduct Rule 301016.5.3. Monitoring Legal Holds16.6. Internal versus External Auditing and Monitoring Programs16.6.1. Required Third-Party Involvement16.6.2. Making Representations to Third Parties16.7. Piracy: Don't Look the Other Way16.7.1. Action Items16.8. Monitoring Employee Activity16.9. Notes
Key #6: Effective and Consistent Program Enforcement
Key Overview
17. Addressing Employee Policy Violations
17.1. Make Sure Employees Understand the Consequences17.1.1. Inform Employees of Past Violations17.2. Enforcement Must Be Consistent17.2.1. The Risks of Inconsistency17.2.2. Common Inconsistencies17.3. Notes
18. Using Technology to Enforce Policy
18.1. Which Directives Can Be Automatically Enforced?18.1.1. Sample Policy Element #1: E-Mail Content18.1.1.1. Automatically Enforceable?18.1.1.2. How?18.1.2. Sample Policy Element #2: Software Use18.1.2.1. Automatically Enforceable?18.1.2.2. How?18.1.3. Sample Policy Element #3: File Sharing and Instant Messaging18.1.3.1. Automatically Enforceable?18.1.3.2. How?18.1.4. Sample Policy Element #4: Legal Hold18.1.4.1. Automatically Enforceable18.1.4.2. Why?18.2. Managing the Administrators
Key #7: Continuous Program Improvement
Key Overview
19. The Ongoing Work of IMC
19.1. Why Is Continuous Program Improvement (CPI) Required?19.2. Changing Technology Means Changing the Program19.2.1. Which Technology Is Next?19.3. Dealing with Flaws and Failure19.3.1. Find the True Source of the Failure19.3.2. Take Disciplinary Action19.3.3. Correct the Problem19.3.4. Change and Improvement Is Always Needed19.3.5. Provide a Mechanism for Inquiries19.4. Communicating Flaws and Failures19.4.1. Communication May Be Required by Law19.5. Notes
Conclusion

Content preview from Information Nation: Seven Keys to Information Management Compliance, Second Edition

Chapter 4. Information Management Compliance (IMC)

In the first three chapters, we provided a framework for understanding Information Management and for identifying and managing business records. In this chapter we begin to explore the core concept of the book, Information Management Compliance (IMC).

What Is Compliance?

Although the term compliance is most often associated with the legal world, understanding it solely as a legal term is too narrow. In a broader context, and in the context used in this book, compliance simply means to act in accordance with any accepted standard or criteria. The "accepted standard" can refer to any kind of criteria, including business goals, performance measurements, laws, regulations, or quality targets.

In a general sense, there are two basic elements to compliance, namely:

Determining what the criteria should be
Developing techniques (often called controls) to ensure that the criteria are followed

Compliance is also a specific discipline that is practiced within dedicated departments in many regulated organizations around the world. These departments focus on ensuring that the organization complies with laws, regulations, codes, and other sources of compliance criteria. According to the International Compliance Association, organizational compliance departments have five key functions:^[36]

To identify the risks that an organization faces and provide guidance on the identified risks.
To design and implement controls to protect an organization from those ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Information Security Management, 2nd Edition

Publisher Resources

ISBN: 9780470453117Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Information Nation: Seven Keys to Information Management Compliance, Second Edition

by Randolph Kahn, Barclay Blair

Chapter 4. Information Management Compliance (IMC)

What Is Compliance?

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.