RSD

Step 2 – Implementing an Information Governance Solution

Dear {employee name}

Congratulations. You just spent the last two years defining, validating and publishing our global retention schedule. Your team did an excellent job coordinating the cross functional meetings and incorporating all the requirements from legal, business users, compliance, and IT into our information governance policies. Everyone in the company now has access to the retention schedule on our Intranet because of your team’s hard work. Job well done and please extend my congratulations to the rest of the team for completing our information governance project. Enjoy the rest of the year off…

Sincerely,

Information Governance Officer

Completing a global retention schedule is certainly a significant and very important milestone, but you are not done. There is more – so much more. After you are done with step one, it’s now time to roll up your sleeves and begin implementing the retention schedule across the entire organization. Most companies have a very complex IT infrastructure – running hundreds of applications across a plethora of technology platforms. These technology platforms support business critical processes, back office operations, and a variety of business applications. To complicate matters, you have to manage these applications across different jurisdictions. Before you continue, you must first recognize you can’t do everything right away. This must be done in phases – typically subject to business cases, funding and resource availability.

Step Two – Map Information Governance Policy to Applications, Processes, and Jurisdictions

Start with the department or business unit in a jurisdiction with the biggest risk exposure. For example, some customers selected their accounting/finance department as the primary target for implementation while others selected product safety. Once this is selected, you need to map the information governance policies that apply to the business unit and “jurisdiction”. You cannot and should not do this alone. For the purpose of this article, let’s use the UK jurisdiction as an example. You need to sit down with the head of your UK operation, compliance manager for UK, the person responsible for all the records for the UK (can be the the same person) and someone from the IT organization who understands all the applications used within the UK operation. It’s also very helpful to have business representation in this exercise. You then need to select and map the information governance policies that apply to UK – internal email, financial records, human resources, customer records, etc, etc, etc.

The goal is to create a UK “information governance file plan” that includes the entire information governance hierarchy for the UK, along with its security and templates. Corporate records in the UK are grouped according to their file plan, so file plans are implemented as “easy to navigate” folders. The file plan also carries with it a set of rules for evaluating new records that must be properly governed. As new information is being created by the UK operation, the information governance rules are applied which guarantees compliance at content creation time.

Stay tuned for step three to learn how these policies are enforced.

Photo is courtesy of jeanlouis_zimmermann from Flickr.

Posted by Tamir Sigal at 11:03 AM in English language, Information Governance, Management and Administration, Records Management | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: ECM, EIM, Electronic Records, enterprise content management, enterprise information management, file plan, implementation, Information Governance, policy, policy management, Records Management, records management file plan, retention, retention management, RM

July 12, 2010

Gruppo BPER Realizes a 253% ROI in One Year Using RSD Solution

As I have stated before, paper will never go away however there are numerous ways for an organization to reduce the amount of pages printed. Thoughtware Worldwide conducted a detailed analysis on how Gruppo BPER was able to reduce over 150 million printed pages annually by delivering data electronically. In addition to saving ~2000 trees, Gruppo BPER was able to streamline operations and dramatically improve decision making. As opposed to waiting for days to get information, users can now search, analyze, and customize the information.

Gruppo BPER improved customer interactions by reducing processing inefficiencies, better staff utilization, and putting knowledge at everyone’s finger tips for better decisions. The case study represents how data hidden in operational systems can be transformed into actionable intelligence and reduce print.

Read the case study, but please think twice before you print it.

Posted by Tamir Sigal at 06:57 AM in Archiving solution, Buisiness Information Delivery, English language, Ouput Management, Print Management, ROI | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: Business information delivery, case study, ECM, EIM, enterprise content management, enterprise information management, Print reduction, ROI

July 01, 2010

Implementing an Information Governance Solution

Dear Customer,

Thank you very much for the recent purchase order for our information governance solution. You should be receiving the software CD in the next couple of days. Please insert the CD and after you run D:\setup, point to the applications that have the highest risk. It’s that simple. If you run into issues, access our online help system. Thank you again for your business and good luck.

Sincerely,

Your information governance vendor

I wish it was that simple and so do you. In reality, implementing an information governance solution requires more than software and running D:\setup.exe. Your company must document and validate (with executive management) the goals of an information governance program. Management needs to understand where in the company is the biggest risk. Is it in a particular line of business? Is it within a specific jurisdiction? Is it across a set of user groups (i.e. sales, finance, manufacturing)? Select a few areas and determine requirements, timelines, and budget constraints. Wait that’s right, you don’t have any budget constraints.

Step One – Create Information Governance Policy

One of challenges companies are grappling with is capturing all the requirements mandated by applicable laws and mapping them to corporate information and the various business applications and processes. Companies must hold cross functional meetings (stakeholders from legal, IT, business, compliance, and risk) to begin defining information governance policies. As I've stated before, information governance policies have some similarities to records management policies but also have lots of unique attributes. In addition to retention/disposition, information governance policies also include data privacy rules, eDiscovery requirements, metadata management, laws and regulations, as well as storage migration rules. This allows you to get “executive alignment” for managing the entire lifecycle of the record.

Once the policies are defined and validated, it’s time to publish the details to everyone in the organization. This should be published in PDF or HTML as well as an electronic format which can integrate with business applications across jurisdictions. By centralizing the definition of information governance policies, you reduce business risk while lowering your overall policy administration costs.

Stay tuned for step two.

Photo is courtesy of somegeekintn/Casey Fleser from Flickr

Posted by Tamir Sigal at 11:11 AM in Archiving solution, English language, Information Governance, Records Management, Weblogs | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: ECM, EIM, Electronic Records, enterprise content management, enterprise information management, implementation, Information Governance, policy, policy management, Records Management, retention, retention management, RM

June 22, 2010

Sécurité des systèmes d'information

Le CLUSIF a publié la semaine dernière son rapport biennal quant aux entreprises et à la sécurisation de leur système d'information.
S'appuyant sur les réponses de 350 sociétés de plus de 200 salariés, et sur l'analyse des 11 thèmes de la norme ISO 27002 (relative à la sécurité des SI), ce rapport souligne les failles actuelles ainsi que les améliorations mises en œuvre par les entreprises.

Restons optimistes

Nous retiendrons que les entreprises, reconnaissant leur dépendance vis à vis de informatique, sont de plus en plus nombreuses (73%, soit +14% par rapport à 2008)à formaliser leur politique en la matière (67 % confirment l'existence d'une charte Sécurité SI, + 17 % par rapport à 2008.

Une évolution qui s'explique sans doute par l'implication de plus en plus forte de la direction générale dans la politique de sécurité IT de l'entreprise. "La politique de sécurité de l'information des entreprises est massivement soutenue par la direction générale, qui a contribué pour plus de la moitié à son élaboration", constate le CLUSIF.

Il est également intéressant de relever que chez 47% des répondants, la fonction RSSI (responsable de la sécurité du système d'information) existe même si ces responsables sont un peu isolés dans l'entreprise.

Cette fonction est plus souvent liée à la DSI (36%) ainsi qu'à la direction générale (34%). Un second rattachement qui s'inscrit néanmoins en recul comparé à 2008 (45%).
Pour le CLUSIF, "ceci peut s'expliquer par l'arrivée plus nombreuse de RSSI au sein d'entreprises de tailles moyennes ayant un niveau de maturité en sécurité IT encore faible".

Des budgets épargnés

Les budgets restent très serrés, mais par rapport à 2008, la sécurité apparaît comme une catégorie de dépenses plutôt épargnée.
Poutant le CLUSIF constate des disparités selon les secteurs d'activité. "61% des entreprises du secteur BTP et 43% des Transport et Télécoms ont augmenté leur budget en 2010 parfois de manière très importante : 15% des entreprises du BTP ont noté une augmentation de plus de 10% de leur budget"

Peut mieux faire

Le CLUSIF a ajouté dans son enquête le thème ISO 27002 numéro 9 (sécurité physique), et les résultats montrent pour 41% des entreprises, le responsable des « données papier » n’est pas clairement identifié.

33% (-7% vs 2008) des entreprises ne disposent toujours pas d’un plan de continuité d’activité pour traiter les crises majeures !…
Enfin, les aspects « conformité », pour lesquels des progrès restent à faire, au travers :

des « obligations CNIL » : en légère progression (68% « conforment », 20% « conforment pour leurs traitements sensibles », respectivement +4% et +1% vs 2008),
des audits de sécurité : 25% des entreprises n’en font toujours pas !…,
du tableau de bord de la sécurité informatique : 34% seulement en dispose (malgré les +11%).

A noter également, le sentiment de danger concernant la protection de la vie privée qui augmente (73% « mise en danger de la vie privée - fortement ou un peu », vs 60% en 2008).

Téléchargez l'intégralité des présentations faites par le CLUSIF autour du rapport 2010 sur les Menaces Informatiques et Pratiques de Sécurité en France.

Posted by Claude Super at 02:30 AM in Archiving solution, Current Affairs, Datacenter Solutions, French language, Information Governance, Management and Administration, Ouput Management, Records Management, Web/Tech | Permalink | Comments (0) | TrackBack (0)

June 21, 2010

Don Rumsfield and Information Governance

I was at a barbecue over this past weekend having a general discussion on the latest news, global economy and hottest technology trends when somehow the topic of Don Rumsfield’s infamous speech about known unknowns came up. This speech goes back to February 12, 2002 when former United States Secretary of Defense Donald Rumsfeld made a statement relating to the unstable situation in post-invasion Afghanistan. As I was driving home, it occurred to me the "there are known knowns..." statement can easily map to the information governance challenges companies are facing today.

“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we now know we don’t know. But there are also unknown unknowns. These are things we do not know we don’t know. ”

—Former United States Secretary of Defense Donald Rumsfeld

There are known knowns – these are things we know that we know.

We all know corporations are dealing with huge volume of information – data about customers, employees, transactions, product development, and operations. According to a well-known survey by IDC, the amount of digital information created annually will grow by a factor of 44 from 2009 to 2020. Even though more than 70% of the information is generated by individuals, organizations are responsible for managing and protecting 80% of it. We know this is an issue in terms of employee productivity, value creation, and risk mitigation.

Employee productivity – Thanks to popular search engines and social media sites, we know we can find information we are looking for very quickly. Corporate employees are expecting the same capabilities when they come into the office Monday morning. Employees are more technical savvy these days. Employees know what they are looking for; they just spend too much time looking for it. Management knows this because they are in the same boat.
Value creation – There is tremendous value in corporate information, so we know we can’t delete everything immediately. Companies must keep information to support their customers, drive product innovation, and make critical business decisions.
Risk mitigation – We all know there is risk associated with information so I am not going to repeat what you already know. Bottom line, why keep information around if you don’t need it?

There are known unknowns. That is to say, there are things that we now know we don’t know.

We now know there will be ongoing eDiscovery requests and they are not going away anytime soon. According to a Gartner study, at any point in time many corporations are involved in an average of 86 lawsuits. Legal counsel doesn’t know when the next lawsuit will occur, who will be involved, and what information the courts will be looking for. Nevertheless, organizations need to be prepared and consider deploying a proactive eDiscovery project.

We now know there will be new rules and regulations around information management. With the various headlines in the last couple of months and the continuing global financial crisis, we do know there will be tougher regulations with new compliance laws. We just don’t know the details yet.

We also now know data privacy is becoming a hot topic around the world – from employee email privacy considerations to Facebook to Twitter. It seems like there is no end. Just last week, the Swiss parliament agreed to help IRS identify secret UBS accounts in tax probe. We don’t know when this will end and how this will evolve in the next couple of years.

Finally, we do know now solving the information governance challenge must be a top-down approach – otherwise it will be difficult to succeed. One of the key questions I get from customers is where to start, when to delete content, and how to go about managing this process. Someone within the organization (typically from legal) needs to stand up and bring the issue to the attention of the executives. Executives must first acknowledge there is an issue and then have a commitment to resolve it. This will only work when management brings in various stakeholders from the organization including legal, business, compliance, and IT.

But there are also unknown unknowns. These are things we do not know we don’t know.

Companies do not know what’s going to happen in the next 5-10 years. Surely, companies have strategies, growth tactics, mission statements, and contingency plans – but at the end of the day companies have very little control over external factors, mergers and acquisitions, new technology offerings, and the competition. This is precisely the reason why an information governance program is required. Information governance is an accountability program to enforce desirable behavior in the creation, use, archiving, and deletion of corporate information. I like to explain it as a vehicle to drive value from information and as an insurance policy on the unknown unknowns.

Posted by Tamir Sigal at 11:50 AM in English language, Information Governance, Records Management, ROI, Weblogs | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: audit, data governance, data privacy, ECM, EIM, Electronic Records, enterprise content management, enterprise information management, Information Governance, Records Management, RM, security

May 21, 2010

Push, Pull, quels services pour l'information ?

Mise en exergue à la fin des années 90, la distinction "Push/Pull" ne fait plus recette aujourd'hui dans les débats.

Avec le web 2.0 et l'apparition des réseaux sociaux, les responsables marketing tentent de marier les deux avec opportunisme, tandis que les consommateurs et utilisateurs que nous sommes se satisfont d'une approche orientée "pull" ressentie comme plus respectueuse et moins agressive.

Côté entreprise, il semble que l'orientation soit bien différente et que le "push" soit toujours synonyme d'efficacité.

La valorisation de l'information par une distribution sélective

Le travail quotidien dans l'entreprise est bien plus exigeant en terme de disponibilité des informations que la participation à des réseaux sociaux ou plus simplement la consultation de portail web.

Pour répondre aux besoins de rapidité des utilisateurs, les outils "push" font merveille dans la distribution des informations et des documents.

La distribution permet de valoriser une information au service de l'activité de l'utilisateur. Il peut s'agir d'une alerte liée à une métadonnée ou d'un document résumant une transaction ou encore un rapport financier statuant sur une situation à un instant t.
Cette information ou ce contenu est délivré dans le format adapté au besoin de l'utilisateur (courrier électronique, pièce jointe, feuille de calcul, flux CSV ou XML, etc.).
La distribution en push facilite l'interopérabilité des applications par la rapidité à laquelle les informations sont communiquées mais également par sa facilité d'intégration dans une architecture opérationnelle.

Les outils ou fonctionnalités push permettent à la fois un contrôle et une finesse dans la diffusion de l'information pour optimiser les solutions de gestion de contenus et de gouvernance de l'information.

La valorisation de l'information par une exposition pertinente

Ces qualités font que le mode "push" est souvent ressenti comme très efficace mais peu adapté à certains de types de contenus et/ou de public.

Le mode "pull" largement représenté par les sites tant professionnels (mise à disposition de factures, de relevés, etc.) que sociaux (exposition de photos, d'informations, d'avis, etc.) convient bien pour une approche marketing.
Il véhicule et valorise une image de transparence et d'ouverture de l'entreprise.

L'exposition permet à chacun de trouver et de sélectionner, à sa convenance, l'information dont il a besoin. Les fonctionnalités "pull" sont idéales pour valoriser un patrimoine informationnel au service d'une relation client.

Si avec le "push" l'entreprise étendue et l'économie du savoir deviennent une réalité avec le "pull" c'est l'entreprise "citoyenne" (au sens acteur de la vie sociale et économique) du monde qui s'affiche.

"Push-Pull" ou "Push" versus "Pull" ?

Il est probable que les deux ont leur place. Il convient d'être pragmatique et d'utiliser la meilleure technique selon la cible, le contenu et surtout son objectif.

La gouvernance de l'information ne pousse pas à privilégier l'une ou l'autre de ces méthodes pour autant que les actifs informationnels soient utilisés au mieux des intérêts de son propriétaire.
C'est pour cette raison qu'il serait contre productif d'abandonner la distribution en faveur d'une exposition systématique.

Chacun comprend l'intérêt de déposer en "mains propres" de chaque récipiendaire concerné l'information sensible plutôt que de l'afficher dans un espace (même protégé).

Posted by Claude Super at 05:44 AM in Archiving solution, Buisiness Information Delivery, Enterprise Archiving and Retrieval, French language, Information Governance, Ouput Management, Print Management, Records Management | Permalink | Comments (0) | TrackBack (0)

May 07, 2010

Thoughts from IBM Impact 2010

I just got back from the IBM Impact conference in Las Vegas. I really didn’t know what to expect as this was my first time attending Impact. IBM invited me to present on information governance and explain how companies can better manage their risk around corporate information. Before departing to Las Vegas, I reached out to my network to learn this conference was primarily a technical conference. Historically, this conference may have focused on technology however it seems that IBM has done a great job introducing business topics to this event.

During the conference, I heard great customer case studies about cloud computing, service oriented architecture, and business process management. I learned that the mainframe is not going anywhere anytime soon and how cloud computing is for real. I have to say the theme on Wednesday was my favorite – technology changing as fast as the business changes. We are all aware business strategies are forced to change in this economic climate and how quickly IT reacts will make or break an organization.

However, companies also need to respond to external conditions such as new regulations and laws as well as litigation and competitive threats. I was somewhat surprised there were limited conversations about the impact legal and compliance have on technology deployments and business processes. I certainly understand this may not be the primary audience for this type of discussion – but there is a very strong connection.

Enterprise systems exist to manage processes, line of business applications, and corporate information. There are hundreds, if not thousands, of different laws and regulations for managing corporate information. Exactly how does a company:

1) Capture these laws and regulations?

2) Understand the impact these regulations have on the business and IT organization?

3) Map the laws and regulations to their corporate information repositories?

4) Enforce the laws and regulations across the enterprise complex infrastructure?

This is where information governance comes in and why I attended Impact 2010. Information governance is an accountability program to enforce desirable behavior in the creation, use, archiving, and deletion of corporate information. Information governance enables companies to not only align IT with business – but also with the other corporate functions such as legal, finance, compliance, and records management.

An information retention schedule sets out the periods for which an organization’s corporate records should be retained to meet its operational and business needs and to comply with legal and other requirements. The retention schedule is just one component of information governance that protects the interests of the company and its stakeholders.

After my session and throughout the conference, I had fruitful discussions around the challenges of getting all the stakeholders (IT, business, compliance, and legal) on the same page to create the retention schedule. It’s quite difficult and there is no silver bullet. At the end of the day, each function needs to recognize the benefits of deploying an information governance framework and each function will need to give in order to receive.

The question I leave you with:

What if technology can change as fast as your information retention schedule?

See you next year in Las Vegas.

Posted by Tamir Sigal at 10:33 AM in Current Affairs, English language, Information Governance, Records Management, Web/Tech, Weblogs | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: cloud computing, data governance, ECM, EIM, governance, IBM Impact 2010, Impact, Information Governance, Records Management, RM, Websphere

May 04, 2010

8ème Conférence européenne sur l'archivage digital - Genève 28-30|04|2010

Le centre de conférence international de Genève abritait du 28 au 30 avril, la 8ème conférence européenne sur l'archivage digital.

Un nombre impressionnant de participants ont fait honneur aux speakers et il était bien difficile de faire son programme sans avoir l'impression de manquer une présentation ou un atelier important.

Avant de parler des thèmes, nous voudrions partager avec vous notre satisfaction quant à l'organisation de l'évènement et notre coup de coeur pour le travail de signalétique fait par des étudiants de la Haute école des arts de Berne (Hochschule der Künste - Bern) sous la houlette de Jimmy Schmid. Bravo pour leur créativité et leur sens pratique !

Les thèmes

Les présentations étaient organisées autour de 4 thèmes :

Profil professionnel : nouvelles compétences à l'ère numérique
Constitution des fonds : comment documenter la société de l'information
e-Archivage : réorganisation des processus et des modèles d'entreprise
accès en ligne : solutions et implications.

e-Archivage

A défaut de pouvoir suivre toutes les présentations, nous avons privilégié l'e-Archivage et la réorganisation des processus et des modèles d'entreprises. La plupart des contributions étaient très intéressantes et nous avons retenu celle de Monsieur Alexander Samarin à propos de la synergie entre BPM (Business Process Model) et archivage électronique [www.improving-bpm-systems.com].
Nous avons également suivi avec intérêt les retours d'expérience du CNES, des Archives nationales de France (le rôle structurant des référentiels), de la Poste française ou encore de de l'AFSSAPS (Agence Française de Sécurité Sanitaire des Produits de Santé) et le projet d'archivage électronique des autorisations de mise sur le marché des médicaments.

L'importance des standards

Les normes et les standards sont au cœur des réflexions, des projets et des expériences. Nombreux sont les pays ou les organisations qui ont choisi le PDF/A comme standard d'archivage pour les documents et plus globalement le contenu non structuré.
Moreq2 et l'annonce de Moreq2010 couplé à un appel à contribution fait partie de ces normes et l'approche plus "verticalisée" de la présentation des exigences de Moreq2 ne peut qu'en faciliter la mise en oeuvre.

Aujourd'hui, la définition des référentiels se fait au regard du respect des standards tels PRONOM [formats de fichiers], IANA [types MIME], ICA, ISO 639, OAIS, Moreq2 et des l'exigence d'interopérabilité.

Enfin, nous retiendrons également le projet d'émulation DIOSCURI présenté par Nationaal Archief of the Netherlands en alternative à la migration par ainsi que SIARD, la solution d'archivage de bases de données relationnelles développée et mise à disposition gratuitement par les ingénieurs des Archives fédérales suisses.

Il ne nous est malheureusement pas possible de rendre compte de toutes les présentations, aussi merci d'utiliser les commentaires pour partager vos impressions et réactions au contenu de cette note ou à celui des séances auxquelles vous avez pu participer.

Cordialement,

Claude SUPER

Posted by Claude Super at 12:47 AM in Archiving solution, Buisiness Information Delivery, Datacenter Solutions, Enterprise Archiving and Retrieval, French language, Information Governance, Records Management | Permalink | Comments (0) | TrackBack (0)

April 23, 2010

Review of AIIM 2010

I first attended AIIM back in 1997. Over the last few years, the AIIM conference managed to keep its momentum despite the consolidation of ECM vendors and tight travel budgets. This year’s AIIM conference seemed to be very busy as the expo hall was constantly crowded and some of the sessions were packed. Here is my summary of AIIM 2010 – or should I say the unofficial SharePoint user conference.

SharePoint is Everywhere

Microsoft didn’t have a booth at AIIM in 1997. They only recently started to get involved with AIIM with the development and adoption of SharePoint 2007. In 2008, Microsoft claimed over a billion dollars in SharePoint sales. According to a recent Gartner survey, 50% of all organizations (large and small) have piloted or deployed SharePoint as a key element of their overall information infrastructures. During AIIM, I had the opportunity to see SharePoint 2010. Kudos to Microsoft. They enhanced the (much needed) search facilities, revamped the user interface, delivered basic records management capabilities, and with promised better scalability. I am now telling everyone “SharePoint 2010 was MY idea.” I counted over 20 different vendors offering a huge variety of services and products around SharePoint. There was even a dedicated SharePoint pavilion for partners, integrators and complementary technologies. I saw great demos from KnowledgeLake and NteliPath on imaging services for SharePoint. NextPage seems to have a unique information governance solution for SharePoint.

eDiscovery Pavilion

The concept of eDiscovery really didn’t exist at AIIM 1997. However, with the introduction of FRCP and the high costs associated with litigation, eDiscovery is becoming a hot topic within corporation. With AIIM being an “information management” association, it absolutely makes sense to discuss eDiscovery. However the current challenge for corporations with eDiscovery is getting alignment between IT, business, and legal. Furthermore, most of the discussions around eDiscovery have been limited to email archiving, reactive products (i.e. let’s search our 500 servers), and the consulting services to assist with eDiscovery. I didn’t hear many people at AIIM really talk about being proactive and what it takes to be litigation ready. There is a very well known case study by DuPont detailing the costs when companies do not have an information governance solution for eDiscovery readiness. The case study concluded over 39 million documents were reviewed during litigation that were past their retention period which cost in $12 million. Most of the ECM vendors at AIIM already have some type of message around eDiscovery (but did not really promote it) or will make one up before next year’s AIIM. For AIIM 2011, I predict there will be many more vendors in the eDiscovery pavilion.

Records, Records wherefore art thou Records?

At AIIM 1997, everyone (including me) was talking about efficient ways of keeping all the content in your business just in case someone may need it in the future. I agree with Barclay Blair that for most organizations keeping everything forever is not a viable option. I have said this before and know it’s not that simple to implement. When talking with customers, the biggest obstacle is to have agreement between all the stakeholders on exactly what needs to be kept and for how long. This conversation is not an hour long discussion and it’s no longer an IT or business decision. It involves legal, compliance, data security and finance. It also includes a proactive program which incorporates all the components of the lifecycle of the content – not just retention and disposal (data privacy, regulations, storage platforms, metadata). I discussed the difference between information governance and records management before and Greg Clark also wrote a good article on this topic.

Summary

AIIM 2010 was an excellent event for me. I was able to connect with customers, chat with partners, bump into old colleagues, and meet new people in this fascinating industry. At the end of the day, the main principal of AIIM hasn’t really changed since 1997. It’s all about companies using technology to efficiently better manage their number one asset – information. See you next year in Washington, DC.

Posted by Tamir Sigal at 07:38 AM in Current Affairs, English language, Information Governance, Weblogs | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: AIIM, AIIM 2010, AIIM2010, ECM, EIM, Electronic Records, enterprise content management, enterprise information management, Information Governance, Records Management, RM

Gestion des actifs informationnels versus "records management"

Les organisations font généralement un gros effort pour gérer ou à défaut maîtriser l'information qu'elles produisent et qu'elles utilisent. Pourtant, il est souvent facile de prévoir quels services ou fonctions bénéficient en priorité de ces investissements.

Une inégalité de service

En effet, nul ne doute qu'un comptable sache exactement où et comment puisse retrouver facilement une facture datant de plusieurs années.
Il est également rassurant de pouvoir être certain de retrouver la copie d'un contrat dans ses archives (ou à défaut dans celles de l'autre contractant).

Mais, il est regrettable, bien que très courant, de ne pas savoir ou aller rechercher les correspondances clients, les études de marché ou encore les documents liés à des projets marketing.
Ces contenus ont-ils moins de valeur et d'importance ?

La valeur des contenus

Elle est relative bien sûr, et c'est bien pour cela que l'entreprise doit mener une réflexion approfondie sur la question.

Valeur patrimoniale, valeur "légale", valeur "marchande", qu'en est-il pour définir les actifs informationnels de l'organisation ?

Le "records management" considère essentiellement la valeur patrimoniale et "légale" pour définir l'actif informationnel et supporter une politique de gouvernance de l'information.
Mais la politique de gouvernance de l'information, véritable socle de la stratégie de gestion des actifs informationnels, requiert plus !

Aller plus loin

Le records management est statique alors que la gouvernance de l'information est dynamique,
le records management est réactif alors que la gouvernance de l'information se veut pro active,
le records management est principalement centré sur la rétention alors que la gouvernance de l'information est au service du développement et de la croissance des affaires.

Bien évidemment, dans le cas d'industries fortement réglementées ou à haut risque de contentieux, l'accent sera mis sur sur la création de règles strictes et rapides pour la rétention d'information et la disposition. Dans d'autres secteurs, l'accent sera mis sur le développement de processus fiables de valorisation des contenus dans le développement de leurs affaires.

Aujourd'hui, et selon IDC, les contenus sont crées à plus de 70% par des personnes et non par des applications (traitement batch par exemple). Ceci fait que seules les organisations qui savent mettre en œuvre des structures de gestion des informations simples, intuitives et, surtout flexibles, réussiront.

Ainsi la structuration de gestion de l'information (hiérarchie de dossiers, modèle de métadonnées, intégration applicative, verticalisation, ou personnalisation) doit avoir un sens pour les utilisateurs finaux et de s'insérer facilement dans le flux de leur travail quotidien.

La difficulté de la gouvernance de l'information réside notamment dans le fait qu'elle requiert flexibilité, adaptabilité et souplesse.

Le records management se nourrit de contraintes et de règles strictes et "gravées dans le marbre". Il lui manque cet espace de "liberté" que la gouvernance de l'information doit favoriser pour contribuer à l'objectif de toute organisation : le développement ou la croissance.

Nous reviendrons sur ces réflexions, notamment à l'issue du 8th European Conference on Digital Archiving qui se déroule à Genève du 28 au 30 avril.

Posted by Claude Super at 02:39 AM in Archiving solution, Enterprise Archiving and Retrieval, French language, Information Governance, ROI | Permalink | Comments (2) | TrackBack (0)

April 15, 2010

Importance of PCI Compliance

Last week, I was finalizing my information governance presentation for the upcoming IBM Impact 2010 conference. I have this excellent slide that shows the relationship of the entire content lifecycle with the different stakeholders in the organization – Privacy Officer, Security Officer, legal counsel, and of course IT. When I usually present this slide I give specific examples related to HIPPA, Sarbanes Oxley, and DOD 5015.2. One example I sometimes leave out is the Payment Card Industry Data Security Standard (PCI DSS).

PCI applies to all organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. A simpler way of saying this – if any customer of that organization ever pays the merchant directly using a credit card or even with a debit card, then the PCI DSS requirements apply.

PCI is designed to prevent hackers and criminals for targeting credit card theft and its subsequent fraudulent use of customer data. The intent of PCI is to make it much harder to obtain credit cardholder data due to the more robust and standardized approach to data security. Unfortunately, as I have seen, many companies are still struggling to demonstrate PCI compliance. The costs and effort associated with meeting PCI requirements can sometimes be daunting. However, so can the fines. Fines can amount from $5,000 to $100,000 per month for PCI compliance violations. How about brand reputation and stock price?

Some of the requirements for PCI include building and preserving a secure network while maintaining a vulnerability management program. Also included is to implement strong access control which includes protecting and encrypting cardholder data. This includes new data being generated as well as content stored for years and years.

The PCI Security Standard Council published a new version (1.2) of the PCI DSS in October 1st 2008, which includes 12 major requirements. The Lifecycle Process for changes to PCI DSS is currently in stage 3; stage 5 is expected to end by September 30th 2010 with the publication of a new version.

When defining and planning a PCI program scope, one of the first action items is to know what is in and what is out of scope - including systems, content repositories, storage platforms, networks, people, and processes. As I have said many times before, measure your risk but don't ignore it.

Posted by Tamir Sigal at 05:30 PM in Archiving solution, Current Affairs, English language, Enterprise Archiving and Retrieval, Information Governance, Records Management | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: audit, credit card, data governance , data privacy, ECM, EIM, Electronic Records, enterprise content management, enterprise information management, Information Governance, Payment Card Industry, Payment Card Industry Data Security Standard, PCI, PCI DSS, Records Management, RM, security

RSD

Blogs Home

Categories

Archives