Study Guide

📖 Core Concepts

- Information Governance (IG) – Organization‑wide strategy that balances the risk of information (legal, security, privacy) against its value (operational, analytical).
- Scope – Encompasses security, compliance, data quality, data governance, e‑discovery, risk management, privacy, storage/archiving, knowledge management, audit, analytics, IT, master data, enterprise architecture, BI, big data, and finance.
- Records Management – Sub‑discipline focused on the creation, retention, storage, and disposition of records (physical or digital). Historically covered the whole “life‑cycle” from creation to disposal.
- Stakeholder Triangle – Legal, IT, and Compliance are the primary owners; other business units provide input via an IG committee.
- Chief Information Governance Officer (CIGO) – Senior executive who creates, coordinates, and continuously improves IG across the enterprise.
- Frameworks & Models – ARMA Implementation Model, Generally Accepted Recordkeeping Principles, CGOC Process Maturity Model, EDRM Reference Model.
- Regulatory Landscape – U.S. (FATCA, PCI DSS, HIPAA, GLBA, SOX, FRCP, CCPA, COPPA) vs. EU/UK (GDPR, NIS, Data Protection Act 2018).

---

📌 Must Remember

- IG adds value and reduces risk – it is not just compliance.
- Three primary IG pillars: Legal, IT, Compliance (plus business representation).
- CIGO = Chief → enterprise‑wide authority; IG initiatives succeed when top‑down.
- ARMA Principles apply to any size/industry – they are the “gold standard.”
- Maturity Levels (CGOC): 1 = manual/ad‑hoc → 4 = integrated/automated.
- Key regulations dictate what data must be protected, how long it must be retained, and who can access it.
- E‑discovery is a legal driver for IG; poor IG = higher discovery costs.

---

🔄 Key Processes

1. Define IG Policy – Identify data domains → Assign owners → Draft handling rules (creation, access, retention, disposition).
2. Stakeholder Alignment – Form IG committee → Map responsibilities (Legal ↔ IT ↔ Compliance) → Establish decision‑making cadence.
3. Implement Framework (ARMA Model) – Assess current state → Design controls & technology → Deploy policies → Monitor compliance.
4. Maturity Assessment (CGOC) – Score each of 13 e‑discovery processes → Plot on 4‑level maturity ladder → Prioritize automation.
5. Regulatory Mapping – List applicable laws → Map each to data types → Define retention schedules & security controls.
6. Continuous Improvement – Audit & analytics → Identify gaps → Update policies → Retrain staff.

---

🔍 Key Comparisons

Records Management vs. Information Governance
- Records Management: Focuses on the lifecycle of records (creation → disposal).
- Information Governance: Broader – adds risk, compliance, analytics, and value extraction to the lifecycle.

ARMA Principles vs. CGOC Maturity Model
- ARMA: What principles to follow (integrity, transparency, accountability…).
- CGOC: How mature your processes are in practice (manual → automated).

U.S. Regulations vs. EU Regulations
- U.S.: Sector‑specific (HIPAA, PCI DSS, GLBA, SOX) + discovery‑focused (FRCP).
- EU: GDPR – universal data‑protection standard; NIS – infrastructure security.

Traditional RM Software vs. Modern IG Software
- Traditional: Departmental, limited enforcement, static records.
- Modern IG: Enterprise‑wide policy enforcement, real‑time compliance monitoring, integrated with BI/Big Data.

---

⚠️ Common Misunderstandings

- “IG is only about legal compliance.” – It also drives operational efficiency and data‑value extraction.
- “Records managers can handle IG alone.” – IG requires cross‑functional coordination; siloed effort fails.
- “Maturity models are optional.” – They provide a roadmap; skipping them leads to uncontrolled ad‑hoc processes.
- “One regulation covers all data.” – Different data types (financial, health, payment) trigger multiple, overlapping rules.

---

🧠 Mental Models / Intuition

- Risk‑Value Balance Scale – Imagine every piece of data on a scale: risk (legal, security) on the left, value (insight, revenue) on the right. IG’s job is to tilt the scale toward value while keeping risk manageable.
- Three‑Legged Stool – Legal, IT, and Compliance are the three legs; if any leg is weak, the stool (the IG program) collapses.
- Maturity Ladder – Think of climbing a ladder: each rung (manual → automated) unlocks greater speed, lower cost, and higher auditability.

---

🚩 Exceptions & Edge Cases

- Legacy Systems – May lack APIs for policy enforcement; need wrapper solutions or data migration.
- Cross‑border Data Transfers – GDPR’s “adequacy” decisions can override U.S. rules; special contracts (Standard Contractual Clauses) may be required.
- COPPA – Applies only if the service is directed to children under 13; not all educational tech falls under it.
- PCI DSS – Even a single stored card number triggers full scope; partial redaction does not exempt you.

---

📍 When to Use Which

- Choose ARMA Principles when you need a universal, policy‑level foundation (all industries).
- Adopt the CGOC Maturity Model when you must benchmark and improve e‑discovery processes.
- Deploy Modern IG Software if you have distributed data stores, need automated policy enforcement, and want analytics.
- Rely on Traditional RM Tools only for small, low‑risk archives where manual controls suffice.
- Apply GDPR controls for any EU resident data, regardless of where the data is stored.
- Apply HIPAA only when handling protected health information (PHI); other data can follow less stringent rules.

---

👀 Patterns to Recognize

- “Discovery‑cost spikes” → Likely a gap in retention classification or policy enforcement.
- Repeated audit findings on the same data domain → Indicates policy mis‑alignment; revisit stakeholder ownership.
- Regulation‑driven projects (e.g., a new privacy law) → Expect tight timelines; prioritize high‑risk data first.
- Multiple departments requesting the same data → Signals an opportunity for data‑value extraction through IG.

---

🗂️ Exam Traps

- Distractor: “IG is only the responsibility of the IT department.” – Wrong; IG is cross‑functional (Legal, IT, Compliance).
- Distractor: “Records management and IG are interchangeable terms.” – Incorrect; IG is broader (adds risk/value).
- Distractor: “Compliance alone guarantees legal protection.” – False; you also need risk management and data‑value strategies.
- Distractor: “If a regulation is U.S. based, EU GDPR does not apply.” – Misleading; global data may still be subject to GDPR if EU residents are involved.
- Distractor: “Maturity models are optional best‑practice documents.” – They are critical for measuring and improving IG effectiveness.