WIXLIB

How to Plan and ImplementYour Information Governance ProgramDoculabs’ Rick Tucker and Richard Medina

2Escape Now While You Can"How to Plan and Implement Your Enterprise InformationGovernance, Risk, and Compliance Program”Most organizations in highly regulated industries are missing severalcomponents in their information governance program that arenecessary to provide adequate, sustainable security, compliance, andrisk reduction.This session:1. Describes and classifies the missing components2. Shows how to incorporate them into your program3. Explains how to implement them in a multi-year roadmap

3Rick TuckerVice President at DoculabsRick Tucker has 17 years of experience in informationmanagement technologies, focusing on enterprise contentmanagement (ECM) technologies and their applications tobusiness ker88www.linkedin.com/in/ricktucker

4Richard MedinaCo-Founder and a Principal Consultant at Doculabs.In my 23 years with Doculabs, I’ve consulted fororganizations in a wide range of industries, includingfinancial services, insurance, manufacturing, utilities, linkedin.com/in/richmedinadoculabswww.doculabs.com

Management ConsultingObjectiveEnterprise Content Management (ECM)

Vision for ComplianceRRRRRCulture ofcomplianceSustainable Proactive,Beyond mereletter of lawEffectiveAudit readyDemonstrable

So How Do You Get There from Here?

You Need a Compliance Program Framework

What’s the Minimum that a ComplianceFramework Should Do?1. What regulations and standards should wecomply with?2. Who is responsible for compliance?3. What controls should be in place?4. How do we monitor compliance?

But the Framework Should Do More1. It must be “leak proof” for any regulatory audit, litigation, etc.2. It must explicitly show how it follows the relevant regulations and standards (Federal,State, Industry)3. It must be fulfillable4. It must be clearly translatable into a Roadmap5. It must be easily communicated and understood – so it must be as simple as possiblewhile meeting the other necessary requirements6. It must be aligned with your other enterprise objectives and initiatives to be effective andsustainable7. Since your organization has other GRC obligations (IS, Legal, Business Continuity), itshould fit into a general Framework and overall strategy that allows you to align andeffectively address all such obligations–Different, unaligned “frameworks” and initiatives will fail–You should have a single GRC framework into which compliance, IS, and other current and future “defensive”programs can fit10

Example #1: A Compliance Framework?

Example #2: A Compliance Framework?

Example #3: A Compliance Framework?

Example #4: A Compliance Framework?

Example #5: A Compliance Framework?

The Framework Should Address Rolesand Regulations

It Should Allow Us to Drill Down ina Direct WayUNIT #1ADAUNIT #2Commercial Payor RulesUNIT #3UNIT #4UNIT #5UNIT #6Malpractice LawsIRS Tax Reporting andFiling GuidanceNIST Cyber SecurityGuidanceLicensing Board ImposedSanctionsSEC GuidancePCIGAPP, FASB GuidanceBusiness Continuity,Disaster RecoveryOnboarding CredentialingRequirementsConfidential BusinessInformationInformation Requests forLegal InvestigationsLabor LawsEEOC & WorkplaceGuidelinesOnboarding BackgroundChecksSOXSexual Harassment LawsSOXContract GuidelinesRecords Management, Information Requests“Other” Regulations and StandardsHRRCSERMDACCOUNTING / FINANCEITOPERATIONSPhysical SafeguardsScope of PracticeRequirementsHIPAA and HITECH Privacy and SecurityAnti-Kickback StatutesGovernmental Payor RulesExternal AuditsFalse Claims ActDeficit Reduction ActACA ID of OverpaymentsLegal Requests &Investigations RegardingHC Fraud & AbuseAnti-Kickback StatutesAnti-Kickback StatutesStark LawConflicts of Interest, Gifts and Business Courtesies“In-Scope” Regulations and StandardsThis is a healthcare organization exampleAdministrativeSafeguardsTechnical SafeguardsOIG Guidance forContinuous SanctionChecks

The Framework Should AddressControls and MonitoringOverall Programand FrameworkStrategyPolicies andProceduresProcesses andOperationsInformationTechnology andInformationManagementPhysical Assetsand EnvironmentHumanResources andRoles andResponsibilitiesMetrics,Measurement,and MonitoringCommunicationand Training

Continuous Improvement Should beInherent to the Design

The Compliance Framework

A Simple Outline of theFramework Components

The Primary Framework Components1.2.3.4.5.6.7.8.Overall Program and Framework StrategyPolicies and ProceduresProcesses and OperationsIT and Information ManagementPhysical Assets and EnvironmentHR and Roles and ResponsibilitiesMetrics, Measurement and MonitoringCommunications and TrainingInformation Governance Program CategoriesOverall Program andFramework StrategyPolicies andProceduresProcesses andOperationsIT and InformationManagementPhysical Assets andEnvironmentHR and Roles andResponsibilitiesMetrics,Measurement, andMonitoringCommunications andTraining

Four Guiding PrinciplesDesign the Framework to:1. Align all areas of IG2. Align IG with your overall organization3. Directly address all IG requirements4. Address those requirements’ necessaryand enabling conditions

1. Overall Program and Framework StrategyKey Elements Comprehensive organizational compliance strategy and roadmap thataddress and align all relevant areas of compliance and risk Strategy and roadmap align with other and overall objectives of theorganization Compliance program is designed for continuous improvement Strategy and roadmap align with resources (including time, people, andmoney) and failure risk tolerancePrimary Gaps Lack of alignment in IG areas, between IG areas, and between IG and the“offensive” strategies and functions (“the business”) No Future State or Roadmap forcompliance program thatInformation Governance Program CategoriesIT and InformationOverall Program andPolicies andProcesses andaddresses necessary/enablingManagementFramework StrategyProceduresOperationsconditions for complianceMetrics,Physical Assets andEnvironmentHR and Roles andResponsibilitiesMeasurement, andMonitoringCommunications andTraining

252. Policies and ProceduresKey Elements Establishes policy oversight, P&Ps, and efforts to set required standards,guidance, and enforcement to meet compliance and risk requirements Includes Code of Conduct and relevant P&Ps Addresses P&Ps relevant to information lifecycle management, includingInformation Security, Information Privacy, Records Management, Email,Social MediaPrimary Gaps The scope and coverage of P&Ps are not clear, and they are poorlydesigned for authoring, updating, and implementing Most lack clear “crosswalking” understanding and documentation of allrelevant regulations and P&PS to identify and address gaps and overlaps Many RM Retention Plans areInformation Governance Program CategoriesIT and InformationOverall Program andPolicies andProcesses andunclear and can’t be effectivelyManagementFramework al Assets andEnvironmentHR and Roles andResponsibilitiesMeasurement, andMonitoringCommunications andTraining

263. Processes and OperationsKey Elements Includes processes relevant to compliance and ILM, from creation andingestion of information through disposition Addresses clear lines of communication, procedure for raising concerns Includes incident management, the response and resolution of complianceincidentsPrimary Gaps Lack defined processes for many areas of the information lifecycle, e.g wheninformation leaves the control of systems Many have “pockets” of well-managed processes -- but these processes areinconsistently appliedInformation Governance Program CategoriesOverall Program andFramework StrategyPolicies andProceduresProcesses andOperationsIT and InformationManagementPhysical Assets andEnvironmentHR and Roles andResponsibilitiesMetrics,Measurement, andMonitoringCommunications andTraining

Understand the Risk andRegulatory Environment2Create and Maintain theRequirements Matrix3Perform Compliance RiskAssessment4Manage Obligations andImplementationMeasure and Monitor156Communications and TrainingA Simple Process for ComplianceManagement

284. IT and Information ManagementKey Elements Architecture strategy, standards, and portfolio for EIM, IG, RM, Ediscovery, and other tools and capabilities Information architecture -- a content taxonomy, records retention schedule,and an ESI-repository map Technical security and access control, to restrict access for IS (infosecurity)Primary Gaps Effective approach for managing the system portfolio Some lack an advanced ECM system for high-risk and high value ESI Inconsistencies in content organization between and within departments;over-reliance on shared drivesInformation Governance Program Categories No good ESI-repository map orIT and InformationOverall Program andPolicies andProcesses andManagementdocumented understanding ofFramework StrategyProceduresOperationswhere the ESI residesMetrics,Communications andPhysical Assets andHR and Roles andMeasurement, andTrainingEnvironmentResponsibilitiesMonitoring Records retention plan isinadequate for ESI

Information Management Capabilities in aReference ModelInformation ManagementInformation GovernanceGRCControls and Policy Library and ResponseRemediation and ExceptionManagementIT Application RegistryControls, Risk Evaluation andCompliance DashboardPrivacy ManagementRecords Management and DiscoveryRecords PlanManagementESI InventoryRetention andDestructionElectronic DiscoveryInformation ionConfidentialityIntegrityIsolationEnterprise Content ManagementEnterprise Data ManagementContent Capture and AccessMaster Data ManagementProcess ManagementMetadata ManagementContent MiddlewareData Quality ManagementRepository ServicesData Architecture

ECM Capabilities in a Reference ModelECM PresentationInformation ManagementInformation GovernanceCaptureGRCControls and Policy Library and ResponseRemediation and ExceptionManagementProcess and CollaborationControls, Risk Evaluation andCompliance DashboardPrivacy ManagementESI InventoryRetention tionConfidentialityWorkflowProcess AutomationContent MiddlewareTaxonomyManagementDocument Comp/PublishingElectronic DiscoveryInformation SecurityIdentityManagementUser InterfaceIT Application RegistryRecords Management and DiscoveryRecords PlanManagementE-formsIntegrityIsolationEnterprise SearchEnterprise Content ManagementEnterprise Data ManagementContent Capture and AccessMaster Data ManagementProcess ManagementMetadata ManagementContent MiddlewareData Quality ManagementRepository ServicesData ArchitectureDocument SecurityInformation RightsManagementE-discoveryDocument ExchangeIntegrationDigital SignaturesDocumentManagementRepository ManagementDocument ImageManagementWeb ContentManagementDigital AssetManagementTechnical entEmail ManagementStorage

315. Physical Assets and EnvironmentKey Elements Physical and environmental for physical protections of the data center,other secure processing areas, physical assets, and data from theft,damage, or loss Asset identification and classification for the inventory, accountability,responsibility, classification, and implementation of associated controlsPrimary Gaps Many actually have relatively good comprehensive security for theirphysical environment, including e.g. controlling physical access, printercontrol, clean desk access Many have relatively good comprehensive IT asset security, includinge.g. laptop, mobile device, and other IT asset controlInformation Governance Program CategoriesOverall Program andFramework StrategyPolicies andProceduresProcesses andOperationsIT and InformationManagementPhysical Assets andEnvironmentHR and Roles andResponsibilitiesMetrics,Measurement, andMonitoringCommunications andTraining