Information Governance Process Maturity Model Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes. Time limits should be established by the controller for erasure or for periodic review.
— Regulation (EU) 2016/679 of the European Parliament and of the Council, 27 April 2016
About CGOC
CGOC (Compliance, Governance and Oversight Council) is a forum of over 3,800 legal, IT, privacy, security, records and information management professionals from corporations and government agencies. CGOC publishes reference guides and articles and conducts primary research. Its Benchmark Reports have been cited in numerous legal opinions and briefs and its ILG Leaders Guide has been widely referenced and adopted by organizations. CGOC members convene in small working groups, regional meetings and its annual strategy summit to discuss information governance and economics, eDiscovery, data disposal, retention, and privacy. CGOC has been advancing governance practices and driving thought leadership since 2004. For more information go to www.cgoc.com.
Written by Heidi Maher, Esq and CIPM, CGOC Executive Director and Jake Frazier Esq and CIPP/US, CGOC Faculty Chair. Special thanks to Deidre Paknad, CGOC Founder and Rani Hublou, CGOC Faculty.
© Copyright CGOC Forum LLC, 2017.
The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. Nothing contained in these materials is intended to, nor shall have the effect of, state or imply that any activities undertaken by you will result in any specific sales, revenue growth, savings or other results. Do not copy, cite or distribute without permission of the CGOC.
For inquiries, please contact us at [email protected] or go to www.cgoc.com for more information. Information Governance Process Maturity Model
July 2018
CGOC Information Governance Process Maturity Model 2 Improving Information Economics and Defensible Disposal of Unnecessary Data
Improving information economics is imperative for most organizations. As information volume rises rapidly, business users face greater challenges to extract value, IT costs for basic infrastructure rise beyond budgets and legal risks and cost increase as well. To make way for new and more useful information, ensure businesses get value from data, control IT and legal costs and lower risk and exposure, companies should dispose of unnecessary data debris. As information ages, its value declines. Unfortunately, the cost to manage it is relatively constant and eDiscovery costs and risks rise with time. When information is no longer needed, information “supply” exceeds information “demand”. This creates a widening gap between the value the information provides an organization and its cost and risk. Closing these gaps is important to legal, IT, security, privacy and business stakeholders. When processes and stakeholders are siloed and operate without a high degree of interlock and transparency, it is very difficult to tie actual need for information (demand) with information assets (supply). QUANITY INFO VALUE Office Docs RISK Product Research
Sales/Customer HR Financials COST Messaging RISK-TO- VALUE GAP
IT Costs VALUE COST-TO- Risk VALUE GAP
TIME
Information volume BUSINESS It costs $18,000 to $2.5M/per year to store 1 Average cost of a data LEGAL I.T. PRIVACY will double every 2 AND do eDiscovery on 1 PB plus cost significantly SECURITY breach is $3.86M years, reaching 180 gigabyte2 add to run rate zettabytes by 2025 The average cost paid for eDiscovery consumers Data storage consumers each lost or stolen record 90% of the world’s as much as half of the growing share of budget; containing sensitive and data had been litigation budget sunsetting too slow confidential information created in the is $1483 last 12 months1
1 IBM Marketing Cloud Report “10 Key Marketing Trends For 2017” 2 Report from Rand Institute for Civil Justice 3 Benchmark research sponsored by IBM independently conducted by Ponemon Institute LLC June 2018
CGOC Information Governance Process Maturity Model 3 INFO VALUE Office Docs Product Research
Sales/Customer HR Financials Messaging
IT Costs
Risk
Three critical inflection points in information lifecycle drive value, cost and risk: 1. Analytics to maximize value as context erodes 2. Archiving and tiering to ensure cost declines as value declines 3. Disposal to ensure that when need is gone, there is no remaining cost or risk Information lifecycle governance improves information economics for business, legal & IT
Leverage information Meet eDiscovery Minimize “run the BUSINESS for better decisions and LEGAL obligations cost I.T. shop” costs to increase higher revenue effectively and efficiently investment in “grow the for the enterprise rm” activites Don’t waste budget on unnecessary IT or legal Manage conf licting Cut total costs even as services privacy and regulatory total volume rises
To improve information economics and enable defensible disposal of data debris, organizations need to understand and optimize twenty-two processes that determine information value, cost and risk. An organization’s process capabilities and maturity determine its ability to understand and extract information value, align cost to value over time, minimize information and legal risk and lower total IT and legal costs.
This CGOC practitioners model helps organizations understand and assess their process capabilities and current process risks; tools like the ILG Leaders Guide provide a roadmap to optimizing processes to improve information economics.
CGOC Information Governance Process Maturity Model 4 Processes Capability and Maturity
A clear understanding of process maturity levels and your organization’s current process capabilities and practices will help frame the work effort and change management required to improve information economics and achieve defensible disposal. The twenty-two information maturity processes incorporate the way an organization defines demand (what information is needed, why and for how long) and how it manages supply (what is provisioned, managed, decommissioned, and disposed).
At the highest level of maturity and capability, there is a closed loop between supply and demand, information cost is aligned with its value over time and risk is limited or removed. More precise and rigorous legal holds and retention as well as consistent, defensible disposal are designed into processes at maturity level 4.
Level 1 is an ad hoc, manual and unstructured process performed differently by each practitioner. Only the individual practitioner has access to the process facts or results. These processes are highly unreliable and difficult to audit.
Level 2 is a manual process with some consistency in how it is performed across practitioners within a particular function or department. Only the department has access to the process facts and results, and often these are embedded in multiple spreadsheets and seldom accessed. These processes can be more reliable, but still very difficult to audit.
Level 3 is a semi-automated process performed consistently within a department with process facts and results readily accessible to departmental stakeholders. Stakeholders beyond the department who participate in or are dependent upon the process are not integrated. These interdepartmental processes are more consistent and can readily be audited. However audit results may reflect their lack of intradepartmental collaboration.
Level 4 is an automated and cross-functional process that is performed consistently with inclusion of dependent stakeholders across multiple departments. Process facts and results are readily available across organizations. These processes have the lowest risk, highest reliability and are readily and successfully audited.
CGOC Information Governance Process Maturity Model 5 Roles and Responsibilities
A cooperative relationship is needed among stakeholder groups to achieve the desired level of information governance maturity. This shared ownership and execution of IG processes ensures that accountabilities and dependencies across the stakeholders are clearly defined by each group to promote efficient and effective management of information. As a part of the process maturity and improvement effort, responsibilities for each process owner should be defined to reflect the level of maturity, integrity and reliability required to achieve the cost and risk reduction goals.
To support the objectives of the IG Program, the Legal organization will: • Maintain an accurate inventory of legal obligations for information by case and scope of obligation including individuals involved, information scope (dates, terms, elements), and relevant records. The inventory should indicate whether the duties have been satisfied fully or partially and how. • Precisely and timely define and clearly communicate specific requirements to preserve potential evidence to IT, records and business stakeholders for each matter including the individual employees, records and ranges of data that must be preserved as potential evidence. • Provide real-time, continuous transparency to current legal obligations for information that can be readily understood and acted upon by stakeholders in IT, records and business units. • Affirmatively communicate to and receive confirmation of compliance from employees, records managers or IT staff are relied upon to preserve information in their custody. • Ensure the defensibility of its process through complete, accurate, timely record keeping and closed loop communications with custodians, IT and records staff. • Enable defensible disposal of information through precise, consistent and timely communication of obligations to individuals, IT and records staff when the duty arises and as it changes over the course of a matter. • Work with Internal Audit to assess enterprise preservation procedures.
CGOC Information Governance Process Maturity Model 6 To support the objectives of the IG Program, the Records organization will: • Author and distribute a records management policy and provide training materials to employees or contribute content to corporate ethics training program. • Provide an information taxonomy that can be reliably used across business, IT and legal stakeholders to define and characterize business information and information required for regulatory obligations. • Maintain an inventory of regulatory requirements for records updated annually and identify which laws apply to which classes of information by country or jurisdiction and business area. • Provide actionable retention schedules that can be routinely and automatically applied by IT and business stake- holders on electronic information to ensure proper record keeping. • Maintain a network of records liaisons across the business to coordinate and communicate policy, taxonomy an schedule needs and changes; provide management visibility on liaison status
• Safeguard information of value to the business. Perform consistent, documented and precise collection and disposal (or cause to be collected and disposed) of electronic and physical records, regardless of their form, in accordance with the schedule. • Ensure timely response to regulator inquiry, enable Internal Audit to test records and retention procedures on physical and digital records.
To support the objectives of the IG Program, the IT organization will: • Retain and preserve information based on its value to the business and legal obligations and according to procedures/instructions provided by legal, RM and business, including aligning technique and technology to value. • Dispose of information no longer needed to lower information costs and related risks. • Author and follow backup and disaster recovery policies that limit the retention of backup media to the shortest necessary period to effectively recover from a disaster or failure. • Maintain an inventory of systems with current business value retention, record requirements and legal hold obligations for data contained in said systems or stores and ensure that staff involved in provisioning and decommissioning have access to this inventory in the course of their work. • Establish and provide a common data dictionary for organization and department, data source, employee, information classification, system classification, law, lawsuit for use by legal, records, business and IT in the governance program execution. • Provision new systems, servers and storage with automated or manual processes for imposing retention, preservation and disposition of information in the ordinary course of operation (revise SLDC policies, procedures). • Align systems and stores with the value of information contained in them, including security, privacy, confidentiality, regulatory, business, and litigation requirements.
CGOC Information Governance Process Maturity Model 7 • Develop protocols for disposal of data and protocols for storage and disposal of customer data and PII (in con- cert with information security and privacy stakeholders). • Enable Internal Audit to test retention/disposition, preservation/collection and privacy procedures. • Ensure that safeguards around information governance are applied to non-traditional procurement and provisioning channels such as cloud services.
To support the objectives of the IG Program, the Lines of Business will: • Ensure a business liaison for governance is able to participate in the Program and its processes. • Using online tools and taxonomy provided, participate in a bi-annual value inventory to articulate what information is generated by business teams or departments and the duration of its value to enable IT, records and legal stakeholders to manage accordingly. • Work in concert with IT to optimize the archiving and storage of information based on its utility and management cost in the interest of shareholders, regardless of charge back procedures. • As business processes and practices change, proactively initiate changes to the taxonomy, records and value procedures to reflect business practices and needs. • Enable timely disposal of information without value and active participation in the governance program via business leader transparency and accountability for the total unit cost of information (its storage, management and eDiscovery). • Participate in Internal Audit on business value inventory procedures. • Ensure data is accurate and fit to serve the business or compliance purpose by controlling data from its trusted original source and form throughout its usage by other applications.
To support the objectives of the IG Program, the Privacy and Security organization will: • Establish a catalog of privacy laws and policies that is accessible to litigation, records and IT staff. • Align with RM to associate privacy requirements during retention of records and business information. • Coordinate with litigation in advance of data preservation and collection to ensure that appropriate measures are used for data subjects and jurisdictions. • Require education and training to employees on relevant privacy obligations and best practices for securing information. • Create a framework for deterring, thwarting and identifying bad actors attempting to gain access to enterprise or unauthorized data. • Enable Internal Audit to effectively test privacy and security procedures.
CGOC Information Governance Process Maturity Model 8 Process Risk or Level 1: Ad Hoc, Brief Description Level 2: Manual, Level 3: Semi-Automated Level 4 Automated and Fully Process Immaturity or Manual, : Structured Within Silo Integrated Across Functions Consequences Unstructured
Determining employees Custodians are not Multiple custodian Custodian lists are kept Systematic scope and selection by Real-time update of custodian roles, with information identified and spreadsheets managed in Word or Excel in a organization, people from current and transitions, responsibilities, automatic potentially relevant to potentially relevant by the individual shared location or in a historical organization data. employee transition/transition alerts by attorney and matter; copy or cross an actual or anticipated information is paralegal or attorney. shared mailbox. Systematically track all custodians in all holds including multiple holds per reference custodian lists across similar Employees lawsuit or government inadvertently modified Questionnaire mailed to matters. Scope is revisited and refined at on Legal custodian. Scope terminated/transferred A investigation. or deleted. custodians, responses, least quarterly to release or include Hold employees involved. Interviews are comzpiled manually for systematically done, responses compiled custodians. Individual responses to collection/ counsel and responses are automatically flagged interview questions are propagated to follow up. and escalated as appropriate. hold scope and interview results shared with outside counsel to interview by exception.
Determining Actual, rogue or IT Limited collection Identify data sources Have linked legacy tapes and data Automatically scope people, systems, information, records managed data sources from data sources, by organization; sources to organizations and open holds/ production and backup data, information and and data sources that missed in hold custodian rather than understand back up collections. records in holds; scope terminated employee are potentially relevant execution; potentially information based; procedures. data and legacy data/tapes where applicable. to an actual or relevant information is spreadsheet tracking/ Questionnaire emailed Scope is revisited and refined at least anticipated lawsuit or quarterly to release or include data. Can Data on inadvertently modified lists. to custodians, government responses compiled scope directly from a data source catalog B Legal or deleted. investigation. manually for shared with business liaisons, IT, Info Sec Hold collection/counsel and other data quality stakeholders with follow up. reliability. IT interviews are done both periodically and in matter context and responses are aggregated for individual matters and across the legal team.
Communicating, IT or employees Manual notices, Centralize reply email Systematically send notices and Publish to system, propagate hold, syndicating and migrate, retire or confirmations, no box for confirmations, reminders, require and track automate hold enforcement. IT Staff have executing legal holds modify data because escalations. Description process well confirmations, ability to manage continuous visibility to current discovery Hold to people, systems and they lacked hold of information hold communicated, all exceptions, employees can look up their duties, holds during routine data C Publication data sources for visibility. requires interpretation holds on intranet. holds at any time. Communications management activities; automatically flag execution and and manual effort to tailored to recipient role (IT, RIM, records in appropriate systems. Holds are compliance. comply. employee). timely released and release syndication is done with same rigor as hold syndication.
Fact finding and Dynamic, diverse Duplicate Centralized, version System log of collection requests by Interview results are automatically inquiry with employees information facts not spreadsheets of controlled matter, issuer and collector. Collection incorporated into custodian or data source with knowledge of a considered in custodians and spreadsheets of logging is done by discovery staff in a specific collection instructions without matter in dispute to preservation and information in IT custodians and shared system. An inventory of evidence rekeying. IT or collection staff can determine potentially collection planning and and Legal; multiple information; evidence is well managed and not overlooked in efficiently and automatically collect by relevant information data is over-looked; no copies of collected server organized by scoping other matters. Interview results custodian and content without re- logging and its whereabouts and follow through on data. matter folder but no and insights are used to inform the the request or recollecting the same data. Evidence sources. Collecting information identified in inventory by collection activity. Collection data and chain of custody is D Collection potential evidence in custodian interviews. custodian and data. automatically logged. IT and legal share response to an agreed- Collection failure from complete transparency on collections, and upon request with an over-looked source, legal can monitor progress and process adversary or departing employee, while IT can process work by custodian or government agency. incomplete prior data source efficiently. Evidence is not collection inventory, duplicated in multiple locations and it is communication and timely disposed. tracking errors.
CGOC Information Governance Process Maturity Model 9 Process Risk or Level 1: Ad Hoc, Level 2: Manual, Level 3: Semi-Automated Level 4: Automated and Fully Process Brief Description Immaturity or Manual, Structured Within Silo Integrated Across Functions Consequences Unstructured
Assessing information Material issues in Over collect from High quantity of data for Quantity of data reviewed from tightly Consistently limit scope of collection and to understand dispute dispute are poorly custodians, over scope review. Some basic scoped custodians, leveraging prior review; early case assessment performed and potential understood until after custodians. No culling of processes for culling of scoping histories. Consistent & enforced before collection for earliest/optimized clearly irrelevant irrelevant information by culling performed by preferred vendors matter resolution, advanced culling Evidence information sources and strategy established and information before basic means such as date utilizing objective criteria such as techniques employed leveraging visual Analysis & for determining, expenses incurred. sending to vendor or ranges used in some keywords, date ranges, file types, domain analytics; defined & repeatable process E Cost controlling and Excessive data causes outside counsel. Don’t cases. Estimate costs on names & data sources. Discovery cost for providing outside counsel early case Controls communicating the litigation costs to exceed costs of outside review dispute value. assess costs prior the “big matters” in forecasts available as the hold is scoped, assessment before processing, manage of relevant information. to collection and review; spreadsheets or by costs are calculated continuously. cost at portfolio level. no cost baseline available. outside counsel.
Unable to readily Documenting the Each attorney tracks Formal, but manual Automated reminders and escalations, Appropriate visibility across IT, Legal assemble, understand or custodians and data his or her own reporting of open online audit trail, management and Business; self- service dashboards for defend preservation and sources identified the matters, status. holds; no summary reporting on discovery status, visibility legal obligations, tasks, risk and cost discovery record. Failures legal hold and reporting on within legal department across reduction opportunities. Legal in custodian and data F collection activities interviews, collections, custodians, collected inventory and Records source management. over multi-year matter response. matters. lifecycle. Preservation, collection detected long after occurrence and cause unnecessary remediation cost and risk.
Defining an information Unable to comply or Retention periods Master retention policy Established retention period for regulated Retention schedules reflect regulatory, classification schema that demonstrate compliance defined only for physical updated to reflect physical information. The specific or actual laws policy and business value and encompass all reflects the organization with regulatory record- records. Record keeping and electronic records. that dictate retention periods are known forms of information enabling them to be structure; cataloging, keeping obligations. requirements based on Policy and schedules and clearly mapped to each record class executed on records repositories, application updating and mapping the Disparate nomenclatures aggregations of similar posted to a centrally so changes can be easily traced and and archived data, backup media and laws that apply to each for records make laws and longest accessible site. decisions readily defended. Posted policy physical records. Legal holds can be applied class in the countries in by record class and suspend automated Information application of retention retention period. Jurisdicitonal schedules and schedules are role specific so that disposal. There is a shared library of country G which the organization schedules/procedures share a common individuals can determine their Retention operates to determine protocols for eDiscovery, privacy, and difficult to apply and taxonomy. Ability to obligations. Electronic and physical and regulatory record keeping retention to form a comprehensive view. audit. update aspects of the records are both retained and disposed Disposal obligations; establishing Schedules align with and are systematically policy and schedules on a against the schedule. Disaster recovery, Obligation and managing a network of used to dispose of production and back up regular basis. retention, and preservation are all records liaisons to ascertain data whether structured, unstructured, the existence and location disentangled and severable in policy and electronic, physical, record or business of records. practice. information.
Using an enterprise IT ‘saves everything’ Departmental Inventories of Departmental liaisons work with their Retention schedules are automatically information taxonomy, which increases information departmental line of business to identify information executed across the information cataloging what info- discoverable mass, management needs and information of value, its duration of value and where environment. Cost and benefit are rmation each business complexity and legal habits for electronic and management practices it is managed; this informs more weighed in determining retention periods organization values, risk; IT disposes of physical information are and source information comprehensive retention schedules for and the enterprise impact is considered. generates or stores by class, not visible to records are used to develop all information (regulated, unregulated, Departmental information of business Schedule changes are syndicated to IT where they store it and management, IT or legal retentions schedules and electronic, physical). Business is able to Information value undermining and directly to systems for execution of H how long it has utility to coordinate physical Practice enterprise operation. stakeholders (who have request changes to master schedule and both retention and disposition. When them; results in retention Procedures for no knowledge of actual records (via a network department/ country schedules at the rate business objectives or laws change, schedules for information retention/disposal procedures, information, of records coordinators of business change. schedules are updated and stakeholders and enables data source- difficult to articulate and location, use or value). focused on physical notified. Legal and IT have transparency specific retention defend and unapplied by records management). to what information each line of business schedules that reflect both LoB. has where and for how long to inform business value and eDiscovery and data management. regulatory requirements.
CGOC Information Governance Process Maturity Model 10 Process Risk or Level 1: Ad Hoc, Level 2: Manual, 3: - Process Brief Description Immaturity or Manual, Level Semi Automated Level 4: Automated and Fully Structured Consequences Unstructured Within Silo Integrated Across Functions Important business Information is difficult to Information for a group is Search and analytics enable Gaining timely access to Application data and business process decisions are made on retrieve or search. After organized in shared drives employees to realize value and to and ability to apply data cam be searched by departmental missing information or creator loses initial and collaboration sites. apply information to decision- information in the course staff in the course of their work from poor quality information, context, it is forgotten Employees must search making in real time even as context of their work, including within the system. resulting in poor and no value is realized. multiple drives and erodes across information sources the ability to harness collaboration sources to find decisions. Information is Staff must mine, open and types; assertions on value and Realize information of quality as what they need; relevant I Information it ages and the ability to not used shortly after its and view files on their sources of information made in creation because business information is extracted by processes H, I and J are used to Value use relevant information individual drives to find opening multiple files, has forgotten the source or ensure accessibility and authenticity with or without author what they need and emails, documents or context to maximize the location of information or access to relevant reports; structured and of information the business defined enterprise value of can’t find it, resulting in information they didn’t unstructured data must be as valuable. The cost of information information. cost without create is exchanged via harvested separately and to the enterprise is consistent and corresponding value. email. manually correlated. appropriate over its lifecycle.
Data quality assessment conducted Ensuring data is accurate Data elements in various Lack of proactive Individual business units Data quality management processes resulting in a management strategy and fit to serve the systems cannot be understanding or taken ownership for are fully automated with complete tailored to its needs, and governance trusted to be accurate tracing of data preserving quality of audit trails. Master datamap is fully business or compliance policies addressing specific data and fit for the purpose elements to ensure data. Quality is managed integrated and ubiquitous. Astute purpose for which it management requirements. Master it was designed or quality. No Master was designed or record-by-record. Master datamap for 50% or more silos. A data management processes can datamap. Reactive captured. Understanding captured to serve. datamap showing ETL virtual data quality firewall is collect and move data to a Data Quality & Inability to trace data investigations by silo processes between one repository for cleansing. Advanced Data Lineage and controlling data implemented to detect and quarantine J from its trusted elements throughout as data quality issues or two silos. Data bad data at the point of entry. ”Golden analytics used to predict the use original source and their lifecycle to are raised in production lineage can be Sources” of key data elements and misuse of data. form throughout its determine containment or testing only. determined and identified, monitored and updated. usage by other of a data quality issue. demonstrated through a Business intelligence solutions applications. manual process. determine which data sets are most likely to be utilized and targeted for quality management and governance.
Access, transport and use Each country and Determining privacy All privacy requirements An up-to-date and accurate catalog of There is a process to continually limitations not business keeps a list of obligations by type of are tracked in the privacy privacy laws and policies by monitor and update privacy understood and customer applicable privacy rules. data, data subject and office and corporate country is readily accessible to all obligations arising from changes data location, including or employee rights are Reviews and comparisons policies are published. with applicable laws and relevant employees. Policy to legislation, regulations, business overlapping obligations impacted. Large fines Implementation Privacy and Data regulations are performed communications are routine and practices and industry for information and a levied for non- decisions are left to local K Protection sporadically. Procedures semi-automated. Privacy controls requirements. Privacy by Design means of communicating compliance, eg. up to €20 Obligation for the use, retention and business and system are included on any provisioned is incorporated into design requirements to million or 4% of global owners. Some use of turnover for violations of disposal of personal system. A comprehensive privacy specifications and architecture of employees and 3rd privacy zones in General Data Protection information are zone schema is deployed. new systems and processes. parties who process and inconsistent, informal or infrastructure and storage Regulation control information. incomplete. is deployed. (GDPR). Creating a framework Information assets and Fortress approach used A comprehensive data Periodic cyber-risk audits or Risk assessments and threat for deterring, thwarting related systems are with a single barrier or breach response plan is in penetration testing are performed to intelligence sharing are automated. place. Employees are and identifying compromised resulting patchwork of barriers identify areas of weakness and There is an integrated view of log designed to keep trained on the plan with external bad actors in stolen trade secrets, clearly assigned include “table-top” exercises, with and event data, with network flow intruders out. attempting to gain violation of privacy responsibilities. In-house participants from key areas that would and packets. access to enterprise restrictions, lessened Framework is not simulated phishing attacks be affected by an incident. There is L External Intrusion data. performance or loss of flexible enough to are regularly conducted dual factor authentication and access to rightful adapt to intruder on employees to identify encryption at rest of repositories. parties. behaviors quickly. and monitor high risk Sensitive and proprietary data is users. Back-up systems discovered, classified and are segregated from other company systems with segregated in repositories with mechanisms for quick strict access and security controls system restoration when such as masking. required.
CGOC Information Governance Process Maturity Model 11 Process Brief Description Process Risk or Level 1: Ad Hoc, Level 2: Manual, Level 3: Semi-Automated Level 4: Automated and Fully Immaturity or Manual, Structured Within Silo Integrated Across Functions Consequences Unstructured
Developing safeguards Employees accidentally Employees offered Employee training on Employees can designate sensitive or Messaging and other systems provide around classifying expose data to 3rd training on best practices information classification confidential information. Endpoint both automatic and easy-to-use for securing confidential and handling and social confidential information parties; including trade data protection including encryption, manual designation of sensitive secrets, information information. media policy is mandated. and preventing it from remote wiping and backup is information. Accidental with associated privacy Mobile workstation and implemented. Access controls are M Data leaving via the network or employee devices. or data protection devices are encrypted. enforced for users across multiple Leakgage obligations or Automatic notification for channels, including mobile, social, information that can external email. and cloud. harm the organization brand equity.
Preventing employees Employees steal Investigation of Employee agreements Endpoint data protection including 360-degree proactive monitoring of define the boundaries and from stealing information of value, potential trade secret encryption, remote wiping and employee behavior including email, outline ramifications for information assets. theft initiated solely on backup is implemented. Access instant messages, documents accessed such as customer lists or breaches in privacy and a reactive basis when controls enforced for users across and software applications is available. proprietary trade secrets. security of all proprietary reason to suspect an multiple channels, including mobile, data and information. Ability to capture and archive evidence insider is found. social and cloud. Insider Agreements clearly outline of incidents for forensic analysis. N Theft of policies for using personal Ability to perform behavioral analytics Data devices for company duties, to perform threat analysis. or BYOD. Document each employee's set of tools, apps and permissions for quick cancellation of accounts or access upon an employee departure.
Shared data source catalog across IT, The type and nature of IT maintains an asset database for its Establishing a common No common definition IT has an asset tracking legal, records and business stakeholders data in a system or use; IT manually enters legal holds, definition and object of data sources and data system. IT does not have which is used to express information business liaison and retention rules model for information process is poorly elements exists across visibility to holds or assets and relevant business needs and for each asset/ system. Legal and the people and understood, leading to IT, legal, business and retention schedules for any legal obligations. Catalog as source of maintains its own data map for Data Source systems with custody of incomplete or records. No linkage of given asset. truth for provisioning and back up eDiscovery purposes. O Catalog it for use in determining, inaccurate application asset to the specific retention/ disposition requirements and & defining, communicating, of retention, applicable business all back up, archiving and provisioning Stewardship understanding and preservation, privacy, value or legal duties. procedures and decisions are executing governance and collection and transparent in the catalog. Common procedures. policy. definitions are used to describe duties, needs, stewards, employees, laws and lawsuits across ILM&G stakeholders.
Provisioning new servers Systems are unable to Retention, preservation, Some systems are Some systems are configured to Systems are provisioned with protocol and applications, comply with or execute collection and/or manually configured with retain, dispose, preserve and collect and technical capability to retain/dispose and hold/collect, including a properly including associated defined procedures for disposition are not capabilities to retain and data but schedules and instructions collect, but policy and are manually applied and authorized retention schedule and storage, with capabilities retaining, preserving, considered prior to business value inventory. Systems are capability to dispose or configured. Instructions from legal, for systematically collecting, protecting provisioning. provisioned with the capability to archive preserve are lacking. records and the business on duties placing holds, enforcing and disposing of data to lower cost storage at the earliest retention schedules, and values are communicated in point in time, archive procedures are well information, exposing System disposing, collecting disparate tools and techniques and defined and archives execute retention/ P Provisioning evidence, and protection the company to must be reconciled within IT. disposition of approved schedules. Back data elements subject to significantly higher up is used for disaster recovery only and does not function as long term archive. privacy rights. costs and risks. Retention schedules, legal holds and collection requests are systematically propagated from their respective initiators; data source catalog is updated to reflect the provisioning, archiving and back up mechanism.
CGOC Information Governance Process Maturity Model 12 Process Brief Description Process Risk or Level 1: Ad Hoc, Level 2: Manual, Level 3: Semi-Automated Level 4: Automated and Fully Integrated Across Immaturity or Manual, Structured Within Silo Consequences Unstructured Functions Ensuring that Individual businesses Little is known about Unapproved and Current Service Level Agreeements Regular compliance audits are safeguards around execute contracts with cloud application usage unsupported cloud (SLAs) with cloud service providers performed to verify cloud information cloud providers and put across the enterprise. services or “Shadow have been reviewed for those with a service providers’ security governance are data into the cloud with IT” used by employees standards based cloud environment policies, practices and Q Cloud applied to non- no ability to protect, is documented and and a security program that meet reg- procedures. Audits show Computing traditional hold, retain or dispose remediated. Provisioning ulatory policies and procedures. De- whether all of the applicable procurement and of information in of any new cloud service tailed SLAs addressing specific re- regulatory requirements are met provisioning accordance with other must go through the quirements for encryption, application and compliance is channels such as cloud information governance designated approval design, monitoring, incident response properly documented. services. safeguards. process. and disaster recovery have been created for future contracts.
Differentiating high New, valuable, aging, Data is managed over End user employees Some archiving is performed to batch Data of high value actively used value actively used and useless data are time as the system was perform hygiene and off aging data and provide business by the business is differentiated data by the business commingled within the provisioned and new, clean up actions on file users with faster access to more from aging data of value to from aging data of data source, its back up valuable, aging, and shares and systems to frequently used data. Archive regulators only or less value to regulators and its non-production useless data are ensure function and approach varies by data source and frequently accessed data. only or less frequently instances. Business users comingled within the access. IT performs business unit. Policies for retention, Business users have ready access accessed data; results waste their time sifting data source, its back basic back up and privacy and security are manually to high value data and spend no in increased through debris to find up and its non- availability functions. applied, if at all. time sifting through debris to accessibility, security, what they need without production instances. find it. Data is secured and Active Data privacy; aligns and success. IT costs soar. R Management retained based on its business enables data value with Organization is exposed value. Aging data with storage tiering by to privacy, security and declining value is archived or value. legal risks. moved to lower cost locations over time; unnecessary data is routinely disposed. Private data is masked based on policy. Back up data complies with the retention schedule and is not used as long-term archive alternative.
Disposing data IT is unable to/ IT ‘keeps everything’ Some systems are IT de-duplicates files and disposes of Data is automatically deleted at and fully improperly disposes because it has no manually configured log files under its control. IT responds the end of its retention period decommissioning data and systematic way to with capabilities to to business requests to decommission when no legal hold has been applications at the decommission systems determine obligations retain, hold, collect or applications and works with legal on specified; back up data is end of their business causing unnecessary or value. dispose of data. a manual review process to routinely and systematically utility and after legal risk and legal or Changes in legal determine if any open legal matters overwritten.IT routinely duties have elapsed. business expense. requirements must be may apply before decommissioning. analyzes the data source catalog manually configured. to identify systems with low Disposal business value to proactively S & determine savings Decommissioing opportunities; IT can easily determine duplicative systems from the business value and taxonomy map for instance consolidation. IT performs routine disposal with transparent, reliable facts on preservation and retention obligations; looks up any asset or employee to determine value, current legal requirements.
CGOC Information Governance Process Maturity Model 13 Process Risk or Level 1: Ad Hoc, Level 2: Manual, Level 3: Semi-Automated Level 4: Automated and Fully Process Brief Description Immaturity or Manual, Within Silo Consequences Unstructured Structured Integrated Across Functions
Processes, technology IT is unable to No hold release Email hold release IT initiates a process with legal to Legacy data on disk and tape is and methodologies by associate data with notification, no communication from “reverse engineer” legacy data dispositioned using legal hold inventory which data is disposed business stakeholders lookup ability. Legal to IT. holds to dispose of unstructured enriched with custodian and data sets Legacy and applications fully or ensure legal duties data or back up data. subject to hold. Data subject to ongoing T Data decommissioned at the are met, leading to regulatory or legal requirement is isolated Manage- end of their utility and oversight in collecting and “surrounding” data is disposed. ment after legal duties have evidence and Additional legacy data is not elapsed. unnecessary legal accumulated. and operating costs.
The process of Storage is over- No reliable means of Intensive manual Automated storage utilization Storage is provisioned for new systems determining and allocated, misaligned determining storage effort to achieve an reporting and charge back commensurate with retention schedules and aligning storage with business needs requirements and accurate picture of mechanism and transparency to archive protocols; refresh accounts for capacity and allocation and consumes inability to allocate/ storage capacity and refresh cycles across the capacity aav ilability from continuous deletion to information unnecessary capital; reclaim based on cost; difficulty inventory. Charge back reporting and decommissioning activity. Storage cost is business value and IT is unable to retention needs. assessing and by tier and organization is weighed in retention schedule approval retention requirements, process and archive decision-making; unit Storage reclaim storage and Each DBA reconciling need, reliable and fact based. including optimizing cost is available in data source catalog. U Alignment eliminate cost after determines capacity allocation and utilization targets, data is deleted and capacity is not utilization. Charge Current and forecasted storage capacity and storage reclamation causing unnecessary revisited. backs are used but costs are transparent and align to business and re-allocation after cost. not reactive of cost value and data retention schedules. data is deleted to link facts or cost Optimization practice captures benefit of storage cost to accounting. deletion and decomm to avoid continuous business need for data capacity addition. Accurate charge back stored. reporting by business unit and source and gap analysis to retention schedule, business value and information cost to inform business decision-making on the costs/benefits of storing data over time.
Testing to assess the Unable to Do not audit Verifies that the Audits publication of records, Establishes and conducts testing procedures for effectiveness of other demonstrate retention, holds, global retention privacy, disaster recovery, records management, business value processes, in this reasonable efforts to disposal processes. schedule is application lifecycle and legal inventories, data sources, privacy instance the processes establish and follow published and hold policies. Does not test requirements and legal holds such that for determining, governance policies visible to IT and execution of the policy. information assets are properly defined and communicating and and procedures LOB. retained until their value expires and it is executing processes increases sanctions timely disposed when there is no longer a and procedures for risks, penalties and business need or legal duty. Sample tests of managing information judgments and erodes organizations and record class for retention V Audit based on its value and customer trust. and timely disposition. Establishes and legal duties and conducts testing procedures for legal matters to disposing of ensure preservation duties are properly unnecessary data. communicated and executed and holds are timely released. Tests data source catalog, back up data and system provisioning to ensure ability to comply and actual policy adherence. Audits storage provisioning and procurement against retention/disposition/ decom schedules.
CGOC Information Governance Process Maturity Model 14 Risk Heat Map
1. Using the 22 processes and their risks, consider your facts. 2. Plot the current process risks on the graph by placing the letter for each process on the grid where it belongs.
3. Plot the risk level if your organization had level 3 and level 4 capabilities.
CGOC Information Governance Process Maturity Model 15 The Business Case for Information Governance
Cost Levers Process Drivers Scorecard
Storage Infrastructure: Storing Excess storage cost (processes R and U) 1 2 3 4 1 resulting from over-accumulation Data with No Utility 350 and/or inability to delete data for lack of R Utilized Storage Cost and Volume certainty on legal holds, regulatory Forecast 286 Cost - $M requirements or business value. Costs U
Size - PB 234 correlate to capabilities in process A) A 191 employees on legal hold, B) data on legal hold, C) hold publication, G) information 156 B 128 116 retention and disposal obligations, and H) 103 86 departmental information practice. 83 C 63 46 34 25 14 18 H
2015 2016 2017 2018 2019 2020 2021 2022 G 2 Data Security: Cost Reduction through Excess storage and use of data creates Process Maturity increased opportunities for data breaches, leakage and theft. Costs correlate to Impact of process improvements on the per record capabilities in process, H) departmental 1 2 3 4 cost of data breach information practice, L) external Intrusion, Consolidated view measured in US$ M) accidental data leakage, N) insider theft H $148 of data theft and Q) cloud provisioning. L cost per $142 record M
N
Status Process Q Quo Maturity
CGOC Information Governance Process Maturity Model 16 Scorecard 3 Applications: Delayed or partial application Instances without Business Value decommissioning (process P and S) from Annual Cost for a Typical Applications Application per Year inability to discern which data is required (Thousands $) TOTAL 9,500 by legal, regulators and business. Cycle TOTAL $81,000 time delays lead to excess run rate. Costs correlates to capabilities in process A)
SW: 41 scoping people on hold, B) scoping data Middleware Apps not eligible 8,200 on hold, C) publishing holds, G) for decom information retention and disposal Storage 11 obligations, and H) departmental information practices. Servers 28 Apps in current 1,300 decom effort
4 eDiscovery: Excess eDiscovery and outside counsel Costs of Collection and Review fees from over collection of data from lack Comparison of 5 Year eDiscovery Process Costs of visibility to what data exists, inability to ($M) collect with precision, excess data across $615.8 the information environment, and late case
$554.8 resolution with excess run rate legal costs or excessive eDiscovery cost relative to
Review 557.7 case merits. Costs correlates to capabilities
502.6 in process O) data source catalog, R) active data management, S) disposal, T) legacy data management, H) departmental Processing 43.9 39.5 Storage 1.4 information practice, G) information 1.3 Collection 12.7 1.4 retention and disposal obligations as well BAU ILG as D) evidence collection.
CGOC Information Governance Process Maturity Model 17 Level 2: Facts accessible with Level 3: Facts readily available Level 4: Facts readily available and Level 1: Facts known only to with frequently used in individuals practicioners. difficulty by others within the fully integrated across related Process Score Card same practice. departmental actions and enterprises process, used by all decisions. stakeholders in decisions and actions. Maturity Potential Likelihood IG Process Brief Description Potential Risk of Failure Scale (1-4) Impact to Occur
LEGAL Employees Determining employees with information potentially relevant to Custodians are not identified and potentially relevant information is A on Legal an actual or anticipated lawsuit or government investigation. inadvertently modified or deleted. Hold
B Data on Determining information, records and data sources that are potentially Actual, rogue or IT managed data sources missed in hold execution, Legal Hold relevant to an actual or anticipated lawsuit or government investigation. potentially relevant information is inadvertently modified or deleted.
Communicating, syndicating and executing legal holds to people, IT or employees migrate, retire or modify data because they lacked hold C Hold systems and data sources for execution and compliance. Publication visibility.
Dynamic, diverse information facts not considered in preservation and Fact finding and inquiry with employees with knowledge of a matter in collection planning, data is overlooked; no follow through on information D Evidence dispute to determine potentially relevant information and its whereabouts identified in custodian interviews. Collection failure from overlooked and and sources. Collecting potential evidence in response to an agreed-upon source, departing employee, incomplete prior collection inventory, Collection request with an adversary or government agency. communication and tracking errors.
Evidence Assessing information to understand dispute and potential information Material issues in dispute are poorly understood until after strategy E Analysis & sources and for determining, controlling and communicating the costs of established and expenses incurred. Excessive data causes litigation costs Control outside review of relevant information. to exceed dispute value.
Unable to readily assemble, understand or defend preservation and F Legal Documenting the custodians and data sources identified, the legal hold discovery records. Failures in custodian and data source management. Record and collection activities over multi-year matter lifecycle. Preservation, collection detected long after occurrence and cause unnecessary remediation cost and risk.
RIM Defining an information classification schema that reflects the organization Information structure; cataloging, updating and mapping the laws that apply to each class Unable to comply or demonstrate compliance withregulatory record G Retention and in the countries in which the organization operates to determine regulatory keeping obligations. Disparate nomenclatures for records make Disposal record keeping obligations; establishing and managing a network of records application of retention schedules/procedures difficult to apply and audit. Obligations liaisons to ascertain the existence and location of records.
BUSINESS Using an enterprise information taxonomy, cataloging which information Departmental each business organization values, generates or stores by class, where they IT ‘saves everything’ which increases discoverable mass, complexity and H Information store it and how long it has utility to them; results in retention schedules for legal risk; IT disposes of information of business value undermining enterprise operation. Procedures for retention/disposal difficult to Practice information and enables data source-specific intention schedules that reflect both business value and regulatory requirements. articulate and defend and unapplied by LoB.
Gaining timely access to an ability to apply information in the course of Important business decisions are made on missing information or poor quality information, resulting in poor decisions. Information isnot used Realize their work, including the ability to harness information of quality as it I Information shortly after its creation because business has forgotten the source or ages and the ability to use relevant information with or without author Value location of information or can’t find it, resulting in cost without context to maximize the enterprise value of information. corresponding value.
Data Quality Ensuring data is accurate and fit to serve the business or compliance Data elements in various systems cannot be trusted to be accurate and fit J & Data purpose for which it was designed or captured. Understanding and for the purpose it was designed or captured to serve. Inability to trace Lineage controlling data from its trusted original source and form throughout its data elements throughout their lifecycle to determine containment of a usage by other applications. data quality issue. PRIVACY AND SECURITY Privacy and Determining privacy obligations by type of data, data subject and data Access, transport and use limitations not understood and customer or K Data location, including overlapping obligations for information and a employee rights are impacted. Large fines levied for non-compliance, eg. Protection means of communicating requirements to employees and 3rd parties up to €20 million or 4% of global turnover for violations of General Data Obligations who process and control information. Protection Regulation (GDPR).
CGOC Information Governance Process Maturity Model 18 Level 2: Facts accessible with Level 3: Facts readily available Level 4: Facts readily available and Level 1: Facts known only to with frequently used in individuals practicioners. difficulty by others within the fully integrated across related Process Score Card same practice. departmental actions and enterprises process, used by all decisions. stakeholders in decisions and actions. Maturity Potential Likelihood IG Process Brief Description Potential Risk of Failure Scale (1-4) Impact to Occur
Information assets and related systems are compromised resulting L External Creating a framework for deterring, thwarting and identifying in stolen trade secrets, violation of privacy restrictions, lessened Inclusion external bad actors attempting to gain access to enteprise data. performance or loss of access to rightful parties.
Accidental Employees accidentally expose data to 3rd parties; including trade Developing safeguards around classifying confidential information secrets, information with associated privacy or data protection M Data and preventing it from leaving via the network or employee devices. obligations or information that can harm the organizations brand Likeage equity.
Insider N Theft of Employees steal information of value, such as customer lists or Preventing employees from stealing information assets. proprietary trade secrets. Data
I.T. Establishing a common definition and object model for information The type and nature of data in a system or process is poorly Data Source and the people and systems with custody of it for use in determining, understood, leading to incomplete or inaccurate application of O Catalog & defining, communicating, understanding and executing governance retention, preservation, privacy, and collection and disposition Stewardship procedures. policy.
Provisioning new servers and applications, including associated Systems are unable to comply with or execute defined procedures storage, with capabilities for systematically placing holds, enforcing P System for retaining, preserving, collecting, protecting and disposing of Provisioning retention schedules, disposing, collecting evidence, and protecting information, exposing the company to significantly higher costs data elements subject to privacy rights. and risks.
Individual businesses execute contracts with cloud providers and Cloud Ensuring that safeguards around information governance are put data into the cloud with no ability to protect, hold, retain or Q applied to non-traditional procurement and provisioning channels Computing dispose of information in accordance with other information such as cloud services. governance safeguards.
Differentiating high value actively used data by the business from New, valuable, aging, and useless data are commingled within the data aging data of value to regulators only or less frequently accessed source, its back up and its non-production instances. Business users R Active Data waste their time sifting through debris to find what they need without Management data; results in increased accessibility, security, privacy, aligns and enables data value with storage tiering by value. success. IT costs soar. Organization is exposed to privacy, security and legal risks.
Disposal & IT is unable to/improperly disposes data and decommission systems S Disposing data and fully decommissioning applications at the end of Decommissioning their business utility and after legal duties have elapsed. causing unnecessary risk and legal or business expense.
Processes, technology and methodologies by which data is disposed IT is unable to associate data with business stakeholders or ensure Legacy Data T and applications fully decomissioned at the end of their utility and legal duties are met, leading to oversight in collecting evidence and Management after legal duties have elapsed. unnecessary legal and operating costs.
The process of determining and aligning storage capacity and allocation to information business value and retention requirements, including Storage is over-allocated, misaligned with business needs and U Storage consumes unnecessary capital; IT is unable to reclaim storage and optimizing utilization targets, storage reclamation and re-allocation after Alignment eliminate cost after data is deleted causing unnecessary cost. data is deleted to link storage cost to business need for data stored.
Testing to assess the effectiveness of other processes, in this instance Unable to demonstrate reasonable efforts to establish and follow the processes for determining, communicating and executing V Audit governance policies and procedures increases sanctions risks, processes and procedures for managing information based on its value penalties and judgments and erodes customer trust. and legal duties and disposing of unnecessary data.
CGOC Information Governance Process Maturity Model 19