Taken from Information Governance – Concepts, Strategies and Best Practices
by Robert F. Smallwood
Access control list
In systems such as electronic records management, electronic document and records management systems, or document management systems, a list of individuals authorized to access, view, amend, transfer, or delete documents, records or files. Access rights are enforced through software controls.
Application programming interface (API)
A way of standardizing the connection between two software applications. It is essentially a standard hook that an application uses to connect to another software application.
The storing of information and records for long-term or permanent preservation. With respect to e-mail, it is stored in a compressed and indexed format to reduce the storage requirements and allow for rapid, complex searches. (This also can be done for blogs, social media, or other applications.) Archiving of real-time applications like e-mail can be deemed reliable with record integrity only if it is performed immediately, in real time.
Authentication, authorization, and audit (or accounting) (AAA)
A network management and security framework that controls computer system logons and access to applications, enforces IG policies, and audits usage.
Authenticity of records
Verified content and author information as original for the purposes of electronic records management; in a legal context, proof that the e-document is what it purports to be when electronically stored information is submitted during the e-discovery process.
A complete spare copy of data for purposes of disaster recovery. Backups are nonindexed mass storage and cannot substitute for indexed, archived information that can be quickly searched and retrieved (as in archiving).
Those methods, processes, or procedures that have been proven to be the most effective, based on real-world experience and measured results.
More data than can be processed by today’s database systems, or acutely high volume, velocity, and variety of information assets that demand IG to manage and leverage for decision-making insights and cost management.
The tasks performed to accomplish a particular business function. Several activities may be associated with each business function.
Business classification scheme (BCS)
The overall structure an organization uses for organizing, searching, retrieving, storing, and managing documents and records in electronic records management. The BCS must be developed based on the business functions and activities. A file plan is a graphic representation of the BCS, usually a hierarchical structure consisting of headings and folders to indicate where and when records should be created during the conducting of the business of an office. In other words, the file plan links the records to their business context.
A compelling business reason that motivates an organization to implement a solution to a problem. Business drivers can be based on financial, legal or operational gaps or needs.
Basic business units, such as accounting, legal, human resources, and purchasing.
A coordinated set of collaborative and transactional work activities carried out to complete work steps.
Business process improvement (BPI)
Analyzing and redesigning business processes to streamline them and gain efficiencies, reduce cycle times, and improve auditability and worker productivity.
Business process outsourcing (BPO)
Contracting with a third party to perform specific business processes. One example could be using a customer service centre taking inbound telephone calls from U.S. customers and handling customer requests and complaints from a service centre located offshore, in locations such as India, where labour costs are lower.
Business process management (BPM)
Managing the work steps of business activities of an organization’s workers in an automated way.
Business process management system (BPMS)
A superset of workflow software, and more. BPMS software offers five main capabilities:
Puts existing and new applications software under the direct control of business managers.
Makes it easier to improve existing business processes and create new ones.
Enables the automation of processes across the entire organization and beyond it.
Gives managers real-time information on the performance of processes.
Allows organizations to take full advantage of new computing services.
Components that also often are called input components. These are several levels of technologies, from simple document scanning and capture to complex information preparation using automatic classification.
Records that are characterized as having a beginning and an end but are added to over time. Case records generally have titles that include names, dates, numbers, or places.
The provision of computational resources on demand via a network. Cloud computing can be compared to the supply of electricity and gas or the provision of telephone, television, and postal services. All of these services are presented to users in a simple way that is easy to understand without users’ needing to know how the service is provided. The simplified view is called an abstraction. Similarly, cloud computing offers computer application developers and users an abstract view of services, which simplifies and ignores much of the details and inner workings. A provider’s offering of abstracted Internet services is often called the cloud.
Systematic identification and arrangement of business activities and/or records into categories according to logically structured conventions, methods, and procedural rules represented in a classification system. A coding of content items as members of a group for the purposes of cataloging them or associating them with a taxonomy.
Methods and best practices to assist an organization and its employees in implementing changes to business processes, culture and systems.
CobiT (Control Objectives for Information and related Technology)
A process-based information technology governance framework that represents a consensus of experts world-wide. It was codeveloped by the IT Governance Institute and ISACA.
An empty computer facility or data centre that is ready for operation with air-conditioning, raised floors, telecommunications lines, and electric power. Backup hardware and software will have to be purchased and shipped in quickly to resume operations. Arrangements can be made with suppliers for rapid delivery in the event of a disaster.
In records, the actual information contained in the record; more broadly, content is information. For example, content is managed by enterprise content management systems and may be e-mail, e-documents, Web content, report content, and so on.
Set, defined terms used in a taxonomy.
The set of activities and processes that result in meeting and adhering to all regulations and laws that apply to an organization.
Data cleansing (or data scrubbing)
The process of removing corrupt, redundant, and inaccurate data in a data governance process.
Processes and controls at the data level; a newer, hybrid quality control discipline that includes elements of data quality, data management, information governance policy development, business process improvement, and compliance and risk management.
Data loss prevention (DLP; or data leak prevention)
A computer security term referring to systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection, contextual security analysis of transactions (attributes of originator, data object, medium, timing, recipient/destination, etc.) and with a centralized management framework. Systems are designed to detect and prevent unauthorized use and transmission of confidential information.
The process of identifying and eliminating redundant occurrences of data.
Disposing of unneeded data, e-documents, and reports based on set policy that can be defended in court. It reduces an organization’s information footprint.
The process of eliminating or deleting records, beyond any possible reconstruction.
A certificate issued once destruction of a record is complete. It verifies that destruction has taken place, who authorized the destruction, and who carried it out. It also may include some metadata about the record.
Destructive retention policy
Permanently destroying documents or e-documents (such as e-mail) after retaining them for a specified period of time.
An electronic document (i.e., a document in digital form).
A term used by many software systems to refer to a grouping of related records.
Managing documents throughout their life cycle from creation to final disposition, including managing revisions. Also called document life cycle management.
Document life cycle security (DLS)
Providing a secure and controlled environment for e-documents. This can be accomplished by properly implementing technologies including information rights management and data loss prevention, along with complementary technologies like digital signatures.
Document life cycle
The span of a document’s use, from creation, through active use, storage, and final disposition, which may be destruction or preservation.
Scanning and digitally capturing images of paper documents.
Recorded information or object that can be treated as a unit.
The range of processes associated with implementing records retention, destruction, or transfer decisions, which are documented in disposition authorities or other instruments.
The process of gathering and exchanging evidence in civil trials; or discovering information flows inside an organization using data loss prevention tools. This term is also used to refer to the gathering of information in more general terms.
Disaster recovery (DR) / Business continuity (BC)
The planning, preparation, and testing set of activities used to help a business plan for and recover from any major business interruption and to resume normal business operations.
Electronic document and records management system (EDRMS)
Software that has the ability to manage documents and records.
Electronic records management (ERM)
The management of electronic and nonelectronic records by software, including maintaining disposition schedules for keeping records for specified retention periods, archiving, or destruction. (For enterprise rights management, see information rights management [IRM]).
Information recorded in a form that requires a computer or other machine to process and view it and that satisfies the legal or business definition of a record.
Electronic records repository
A direct access device on which the electronic records and associated metadata are stored.
Electronically stored information (ESI)
Any information stored by electronic means; this can include not just e-mail and e-documents but also audio and video recordings and any other type of information stored on electronic media. The term was created in 2006 when the U.S. Federal Rules of Civil Procedure were revised to include governance of ESI in litigation.
eMail and eDocument encryption
Encryption or scrambling (and often authentication) of e-mail messages, which can be done in order to protect the content from being read by unintended recipients.
Enterprise content management
Software that manages unstructured information such as e-documents, document images, email, word processing documents, spreadsheets, Web content, and other documents; most systems also include some records management capability.
Allow for multiple organizing principles to be applied to information along various dimensions. Facets can contain subjects, departments, business units, processes, tasks, interests, security levels, and other attributes used to describe information. There is never really one single taxonomy but rather collections of taxonomies that describe different aspects of information.
A graphic representation of the business classification scheme, usually a hierarchical structure consisting of headings and folders to indicate where and when records should be created during the conduct of business of an office. In other words, the file plan links the records to their business context.
The term used for a free-form, social approach to metadata assignment. Folksonomies are not an ordered classification system but are lists of keywords input by users that are ranked in order of popularity.
Functional retention schedule
A schedule that groups records series based on business functions, such as financial, legal, product management, or sales. Each function or grouping is also used for classification. Rather than detail every sequence of records, these larger functional groups are less numerous and are easier for users to understand.
A framework or model that can assist in guiding governance efforts. Examples include using the SharePoint governance model, the information governance reference model (IGRM), MIKE2.0, and others.
The basic principles used to guide the development of a governance model (e.g., for SharePoint deployment). They may include principles such as accountability (who is accountable for managing the site, who is accountable for certain content), who is authorized access to which documents, and whether the governance model is required for use or is used optionally as a reference.
One that has identical or nearly identical hardware and operating system configurations and copies of application software, and receives live, real-time backup data from business operations. In the event of a business interruption, the information technology and electronic vital records operations can be switched over automatically, providing uninterrupted service.
The total size of the amount of information an organization manages.
A strategic framework composed of standards, processes, roles, and metrics, that hold organizations and individuals accountable to create, organize, secure, maintain, use, and dispose of information in ways that align with and contribute to the organization’s goals. IG is how an organization maintains security, complies with regulations, and meets ethical standards when managing information. It is a multidisciplinary program that requires an ongoing effort. Practicing good IG is the essential foundation for building legally defensible disposition practices to discard unneeded information.
In the broadest sense, IG is a subset of corporate governance, and includes key concepts from records management, content management, IT and data governance, information security, data privacy, risk management, litigation readiness, regulatory compliance, long-term digital preservation, and even business intelligence. This also means that it includes related technology and discipline sub-categories, such as document management, enterprise search, knowledge management, and business continuity/disaster recovery.
Information governance reference model (IGRM)
A graphically depicted practical framework that includes risk and profit considerations for the business, legal, information technology, records and information management (RIM), and privacy and security functions of an organization. IGRM enables organizations to establish IG programs that more effectively deal with the rising volume and diversity of information and the risks, costs, and complications this presents. IGRM is most frequently used to facilitate dialogue and combine disparate information stakeholders and perspectives across legal, records, information technology, and business organizations.
Information life cycle
The span of the use of information, from creation, through active use, storage, and final disposition, which may be destruction or preservation.
Information rights management (IRM)
Often referred to as enterprise rights management (ERM) or enterprise digital rights management (E-DRM). IRM applies to a technology set that protects sensitive information, usually documents or email messages, from unauthorized access. IRM is technology that allows for information (mostly in the form of documents) to be remote access controlled. Information and its control can be separately created, viewed, edited, and distributed.
Automatically assigning of each record series or system, together with an indication of location and other pertinent data. It is not a list of each document or each folder but rather of each series or system.
A descriptive listing of each record series or system, together with an indication of locations and other pertinent data. It is not a list of each document or each folder but rather of each series or system.
ISO – International Organization for Standardization
A highly regarded and widely accepted global standards body.
Knowledge management (KM)
The accumulation, organization, and use of experience and lessons learned, which can be leveraged to improve future decision-making efforts. KM often involves listing and indexing subject matter experts, project categories, reports, studies, proposals, and other intellectual property sources or outputs that are retained to build corporate memory. Good KM systems help train new employees and reduce the impact of turnover and retirement of key employees.
Legal hold or litigation hold
Also known as preservation order or hold order. A temporary suspension of the company’s document retention destruction policies for the documents that may be relevant to a lawsuit or that are reasonably anticipated to be relevant. It is a stipulation requiring the company to preserve all data that may relate to a legal action involving the company. A litigation hold available for the discovery process prior to litigation. The legal hold process is a foundational element of information governance.
Legal hold notification (LHN)
The process of identifying information that may be required in a legal proceeding and locking that (data or documents) down to prevent editing or deletion while notifying all parties within an organization who may be involved in processing that information that it is subject to a legal hold. LHN management is arguably the absolute minimum an organization should be doing in order to meet the guidelines provided by court rules, common law, and case law precedent.
The length of time after which legal action cannot be brought before the courts. Limitation periods determine the length of time records must be kept to support court actions, including subsequent appeal periods.
Long-term digital preservation (LTDP)
The managed activities, methods, standards, and technologies used to provide long-term, error-free storage of digital information, with means for retrieval and interpretation, for the entire time span the information is required to be retained.
Master retention schedule
A retention schedule that includes the retention and disposition requirements for records series that cross business unit boundaries. The master retention schedule contains all the records series in the entire enterprise.
Data about data, or detailed information describing context, content, and structure of records and their management through time. Examples include the author, department, document type, date created, and length, among others.
The act of moving records from one system to another while maintaining their authenticity, integrity, reliability, and usability.
A network of relationships that are self-describing and used to track how items or words relate to one another. For example, a “lives at” link or “works for” link in an ontology would be used to track these types of relationships and their corresponding values for listed individuals.
Optical character recognition (OCR)
A visual recognition process that involves photo-scanning text character by character.
A way of attempting to acquire sensitive information, such as user names, passwords, and credit card details, by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social websites, auction sites, online payment processors, or information technology administrators are commonly used to lure the unsuspecting public. Phishing typically is carried out by email or instant messaging, and it often directs users to enter details at a fake website that looks and feels almost identical to the legitimate one. Phishing is an example of social engineering techniques used to fool users, and it exploits the poor usability of current web security technologies.
Personally identifiable information (PII)
Information about individuals that identifies them personally, such as Social Security number, address, credit card information, health information, and the like. PII is subject to privacy laws.
Process enabled technologies
Information technologies that automate and streamline business processes. Process-enabled technologies often are divided into two categories that have a great deal in common: work flow automation or business process management. It is fair to say that a good deal of the technology that underpins business process management concepts has its roots in the late 1980’s and early 1990’s and stems from the early efforts of the work flow community.
In records management, information about who created a record and what it is used for.
The process of assessing the value and risk of records to determine their retention and disposition requirements. Legal research is outlined in appraisal reports. This may be accomplished as a part of the process of developing the records retention schedules as well as conducting a regular review to ensure that citations and requirements are current.
A description of a particular set of records within a file plan. Each category has retention and disposition data associated with it, applied to all record folders and records within the category.
Refers to the accuracy and consistency of records, and the assurance that they are genuine and unaltered.
Records management (RM) or records and information management (RIM)
The field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use, and disposition of records, including processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records. It is also the set of instructions allocated to a class or file to determine the length of time for which records should be retained by the organization for business purposes, and the eventual fate of the records on completion of this period of time.
Records retention schedule
Spells out how long different types of records are to be held and how they will be archived or disposed of at the end of their life cycle. Such a schedule considers legal, regulatory, operational, and historical requirements.
A group or unit of identical or related records that are normally used and filed as a unit and that can be evaluated as a unit or business function for (records retention) scheduling purposes.
The process of copying stored e-records to new copies of the same media, to extend the storage life of the record by using new media.
The loss of proven authenticity of a record. Spoliation can occur in the case of email records if they are not captured in real time or if they have been edited in any way.
A collection of records or data that is stored in a computer; records maintained in a database or application.
A hierarchical or polyhierarchical listing of topics or subject categories. It may not include a definition of the topics, but only the hierarchical relations to one another. A taxonomy can incorporate content from both a thesaurus and an ontology. There are no standard formats or approaches to taxonomy construction. A taxonomy is often used to provide a structured navigational path through a content collection.
A network of words and word meanings and relationships used to put conceptual definitions into context. It defines a lexicon and the relationships between words in the lexicon. A thesaurus may be a precursor to a taxonomy, in which the leading or preferred terms in a thesaurus are used to define the taxonomy structure. Thesaurus construction is defined by ANSI standard Z39.19. A thesaurus is often used to enhance the intelligence of a taxonomy and/or search tool by providing insight into word meanings and relationships.
Records that are not expressed in numerical rows and columns but rather are objects, such as image files, email files, Microsoft Office files, and so forth. Structured records are maintained in a database.
Mission critical records that are necessary for an organization to continue to operate in the event of disruption or disaster and cannot be re-created from any other source. Typically, they make up 3 to 5 percent of an organization’s total records. They are the most important records to be protected, and a plan for disaster recovery/business continuity must be in place to safeguard these records.
A computer facility location that has all (or almost all) of the hardware and operating systems as a hot site does, and software licences for the same applications, and needs only to have data loaded to resume normal operations. Internal information technology staff may have to retrieve magnetic tapes, optical disks, or be lost if the backup is not real time and continuous.
Work flow, work flow automation, and work flow software
Software that can route electronic folders through a series of work steps to speed processing and improve auditability. Not to be confused with business process management systems, which have more robust capabilities.