ARMA International's Information Governance Maturity Model

Principle

Level 1 (Sub-Standard)

Level 2 (In Development)

Level 3 (Essential)

Level 4 (Proactive)

Level 5 (Transformational)

Accountability

Principle: A senior executive (or person of comparable authority) shall oversee the information governance program and delegate responsibility for records and information management to appropriate individuals. The organization adopts policies and procedures to guide personnel and ensure that the program can be audited.

Level 1 (Sub-Standard): No senior executive (or person of comparable authority) is responsible for records or information. The records manager role is largely non-existent, or it is an administrative and/or clerical role distributed among general staff. Information assets are managed in a disparate fashion or not at all.

Level 2 (In Development): No senior executive (or person of comparable authority) is involved in or responsible for records or information. The records manager role is recognized, although the person in that role is responsible only for tactical operation of the existing records management program, which is concerned primarily with managing records rather than all information assets. In many cases, the existing records management program covers paper records only. The information technology function or department is the de facto lead for storing electronic information, and the records manager is not involved in discussions about electronic systems. Information is not stored in a systematic fashion. The organization is aware that it needs to govern its broader information assets.

Level 3 (Essential): The records manager role is recognized within the organization, and the person in that role is responsible for the tactical operation of the established records management program on an organization-wide basis. The organization includes electronic records as part of the records management program. The records manager is actively engaged in strategic information and records management initiatives with other officers of the organization. Senior management is aware of the records management program. The organization envisions establishing a broader-based information governance program to direct various information-driven processes throughout the enterprise. The organization has defined specific goals related to accountability.

Level 4 (Proactive): The organization has appointed an information governance professional, who also oversees the records management program. The records manager is a senior officer responsible for all tactical and strategic aspects of the records management program, which is an element of an information governance program. A stakeholder committee representing all functional areas meets on a periodic basis to review disposition policy and other records management-related issues.

Level 5 (Transformational): The organization's senior management and its governing board place great emphasis on the importance of information governance. The records manager directs the records management program and reports to an individual in the senior level of management (e.g., chief information governance officer). The chief information governance officer and the records manager are essential members of the organization's governing body. The organization's initial goals related to accountability have been met, and it has an established process to ensure its goals for accountability are routinely reviewed and revised.

Transparency

Principle: An organization's business processes and activities, including its information governance program, shall be documented in an open and verifiable manner, and the documentation shall be available to all personnel and appropriate interested parties.

Level 1 (Sub-Standard): It is difficult to obtain timely information about the organization, its business, or its records management program. Business and records and information management processes are not well-defined, and no clear documentation regarding these processes is readily available. There is no emphasis on transparency. The organization cannot readily accommodate requests for information, discovery for litigation, regulatory responses, freedom of information, or other requests (e.g., from potential business partners, investors, or buyers). The organization has not established controls to ensure the consistency of information disclosure.

Level 2 (In Development): The organization realizes that some degree of transparency is important in its business processes and records and information management program for business or regulatory needs. Although a limited amount of transparency exists in areas where regulations demand it, there is no systematic or organization-wide drive to transparency. The organization has begun to document its business and records and information management processes.

Level 3 (Essential): Transparency in business and records and information management is taken seriously, and information is readily and systematically available when needed. There is a written policy regarding transparency in business and records and information management. Employees are educated on the importance of transparency and the specifics of the organization's commitment to transparency. The organization has defined specific goals related to information governance transparency. Business and records and information management processes are documented. The organization can accommodate most requests for information, discovery for litigation, regulatory responses, freedom of information, or other requests (e.g., from potential business partners, investors, or buyers).

Level 4 (Proactive): Transparency is an essential part of the corporate culture and is emphasized in training. The organization monitors compliance on a regular basis. Business and records and information management process documentation is monitored and updated consistently. Requests for information, discovery for litigation, regulatory responses, freedom of information, or other requests (e.g., from potential business partners, investors, or buyers) are managed through routine business processes.

Level 5 (Transformational): The organization's senior management considers transparency as a key component of information governance. The software tools that are in place assist in transparency. Requestors, courts, and other legitimately interested parties are consistently satisfied with the transparency of the processes and the organization's responses. The organization's initial goals related to transparency have been met, and it has an established process to ensure its goals for transparency are routinely reviewed and revised.

Integrity

Principle: An information governance program shall be constructed so the information generated by or managed for the organization has a reasonable and suitable guarantee of authenticity and reliability.

Level 1 (Sub-Standard): There are no systematic audits or defined processes for showing the authenticity of a record or information, meaning that its origin, time of creation or transmission, and content are what they are purported to be. Various organizational functions use ad hoc methods to demonstrate authenticity and chain of custody, as appropriate, but their trustworthiness cannot easily be guaranteed.

Level 2 (In Development): Some organizational records and information are stored with their respective metadata that demonstrate authenticity; however, no formal process is defined for metadata storage and chain of custody. Metadata storage and chain of custody methods are acknowledged to be important, but they are left to the different departments to handle as they determine is appropriate.

Level 3 (Essential): The organization has a formal process to ensure that the required level of authenticity and chain of custody can be applied to its systems and processes. Appropriate data elements to demonstrate compliance with the policy are captured. The organization has defined specific goals related to integrity.

Level 4 (Proactive): There is a clear definition of metadata requirements for all systems, business applications, and records that are needed to ensure the authenticity of records and information. Metadata requirements include security and signature requirements and chain of custody as needed to demonstrate authenticity. The metadata definition process is an integral part of the records management practice in the organization.

Level 5 (Transformational): There is a formal, defined process for introducing new record-generating systems, capturing their metadata, and meeting other authenticity requirements, including chain of custody. Integrity controls of records and information are reliably and systematically audited. The organization's initial goals related to integrity have been met, and it has an established process to ensure its goals for integrity are routinely reviewed and revised.

Protection

Principle: An information governance program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, classified, essential to business continuity, or that otherwise require protection.

Level 1 (Sub-Standard): No consideration is given to information protection. Records and information are stored haphazardly, with protection taken by various groups and departments and with no centralized access controls. Access controls, if any, are assigned by the author.

Level 2 (In Development): Some protection of information assets is exercised. There is a written policy for records and information that require a level of protection (e.g., personnel records). However, the policy does not give clear and definitive guidelines for all information in all media types. Guidance for employees is not universal or uniform. Employee training is not formalized. The policy does not address how to exchange these records and information among internal or external stakeholders. Access controls are implemented by individual content owners.

Level 3 (Essential): The organization has a formal written policy for protecting records and information, as well as centralized access controls. Confidentiality and privacy considerations are well-defined within the organization. The importance of chain of custody is defined, when appropriate. Training for employees is available. Records and information audits are conducted only in regulated areas of the business. Audits in other areas may be conducted, but they are left to the discretion of each functional area. The organization has defined specific goals related to records and information protection.

Level 4 (Proactive): The organization has implemented systems that provide for the protection of the information. Employee training is formalized and well-documented. Auditing of compliance and protection is conducted on a regular basis.

Level 5 (Transformational): Executives and/or senior management and other governing bodies (e.g., board of directors) place great value in the protection of information. Audit information is regularly examined, and continuous improvement is undertaken. Inappropriate or inadvertent information disclosure or loss incidents are rare. The organization's initial goals related to protection have been met, and it has an established process to ensure its goals for protection are routinely reviewed and revised.

Compliance

Principle: An information governance program shall be constructed to comply with applicable laws and other binding authorities, as well as with the organization's policies.

Level 1 (Sub-Standard): There is no clear understanding or definition of the information or records the organization is obligated to keep. Information is not systematically managed. Groups and units within the organization manage information as they see fit based upon their own understanding of their responsibilities, duties, and what the appropriate requirements are. There is no central oversight or guidance and no consistently defensible position on information governance. There is no formally defined or generally understood process for imposing legal, audit, or other information production processes. The organization has significant exposure to adverse consequences from poor compliance practices.

Level 2 (In Development): The organization has identified some of the rules and regulations that govern its business and introduced some compliance policies and good information management practices around those policies. Policies are not complete, and there are no structured accountability processes or controls for compliance. There is a hold process, but it is not well-integrated with the organization's information management and discovery processes, and the organization does not have full confidence in it.

Level 3 (Essential): The organization has identified key compliance laws and regulations. Information creation and capture are in most cases systematically carried out in accordance with information management principles. The organization has a code of business conduct that is integrated into its overall information governance structure and policies. Compliance is highly valued and measurable, and suitable records and information demonstrating the organization's compliance are maintained. The hold process is integrated into the organization's information management and discovery processes for the critical systems, and it is generally effective. The organization has defined specific goals related to compliance. The organization's exposure to adverse consequences from poor information management and governance practices is reduced.

Level 4 (Proactive): The organization has implemented systems to capture and protect information for all key repositories and systems. Records are linked with the metadata used to demonstrate and measure compliance. Employees are trained appropriately, and audits are conducted regularly. Lack of compliance is consistently remedied through implementation of defined corrective actions. Records of audits and training are available for review. The legal, audit, and information production processes are well-managed and effective, with defined roles and repeatable processes that are integrated into the organization's information governance program. The organization is at low risk of adverse consequences from poor information management and governance practices.

Level 5 (Transformational): The importance of compliance and the role of records and information in it are clearly recognized at the senior management and governing body levels (e.g., board of directors). Auditing and continuous improvement processes are well-established and monitored by senior management. The roles and processes for information management and discovery are integrated, and those processes are well-developed and effective. The organization suffers few or no adverse consequences based on information governance and compliance failures. The organization's initial goals related to compliance have been met, and it has an established process to ensure its goals for compliance are routinely reviewed and revised.

Note: Records management terms used in the Generally Accepted Recordkeeping Principles® Information Governance Maturity Model are defined in the Glossary of Records and Information Management Terms, 3rd Edition (ARMA International, 2007).

© ARMA International, 2013

Availability

Principle: An organization shall maintain records and information in a manner that ensures timely, efficient, and accurate retrieval of needed information.

Level 1 (Sub-Standard): Records and other information are not readily available when needed, and/or it is unclear who to ask when there is a need for it to be produced. It takes time to find the correct version, the signed version, or the final version of information, if it can be found at all. The records and other information lack finding aids, such as various indices, metadata, and other methodologies. Legal discovery and information requests are difficult because it is not clear where information resides or where the final copy is located.

Level 2 (In Development): Records and information retrieval mechanisms have been implemented in some parts of the organization. In those areas with retrieval mechanisms, it is possible to distinguish among official records, duplicates, and non-record information. There are some policies on where and how to store official records and information, but a standard is not imposed across the organization. Responding to legal discovery and information requests is complicated and costly due to the inconsistent treatment of information.

Level 3 (Essential): There is a standard for where and how records and information are stored, protected, and made available. There are clearly defined policies regarding the handling of records and information. Records and information retrieval mechanisms are consistent and contribute to timely retrieval. Most of the time, it is easy to determine where to find the authentic and final version of any information. Legal discovery and information request processes are well-defined and systematic. Systems and infrastructure contribute to the availability of records and information. The organization has defined specific goals related to availability of records and information.

Level 4 (Proactive): Information governance policies have been clearly communicated to all employees and other parties. There are clear guidelines and an inventory that identify and define the systems and their information assets. Records and information are consistently and readily available when needed. Appropriate systems and controls are in place for legal discovery and information requests. Automation is adopted to facilitate the consistent implementation of the hold and information request processes.

Level 5 (Transformational): The senior management and governing body (e.g., board of directors) provide support to continually upgrade the processes that affect records and information availability. There is an organized training and continuous improvement program across the organization. There is a measurable return on investment to the organization as a result of records and information availability. The organization's initial goals related to availability have been met, and it has an established process to ensure its goals for availability are routinely reviewed and revised.

Retention

Principle: An organization shall maintain its records and information for an appropriate time, taking into account its legal, regulatory, fiscal, operational, and historical requirements.

Level 1 (Sub-Standard): There is no current, documented records retention schedule or policy. Rules and regulations that should define retention are not identified or centralized. Retention guidelines are haphazard, at best. In the absence of retention schedules and policies, employees either keep everything or dispose of records and information based on their own business needs, rather than organizational needs.

Level 2 (In Development): A retention schedule and policies are available, but they do not encompass all records and information, did not go through an official review, and are not well known around the organization. The retention schedule and policies are not regularly updated or maintained. Education and training about the retention policies are not available.

Level 3 (Essential): The organization has instituted a policy for records and information retention. A formal retention schedule that is tied to rules and regulations is consistently applied throughout the organization. The organization's employees are knowledgeable about the retention policy, and they understand their personal responsibilities for records and information retention. The organization has defined specific goals related to retention.

Level 4 (Proactive): Employees understand how to classify records and information appropriately. Retention training is in place. Retention schedules are reviewed on a regular basis, and there is a process to adjust retention schedules, as needed. Records and information retention is a major organizational objective.

Level 5 (Transformational): Retention is an important item at the senior management and governing body level (e.g., board of directors). Retention is looked at holistically and is applied to all information in an organization, not just to official records. Information is consistently retained for appropriate periods of time. The organization's initial goals related to retention have been met, and it has an established process to ensure its goals for retention are routinely reviewed and revised.

Disposition

Principle: An organization shall provide secure and appropriate disposition for records and information that are no longer required to be maintained by applicable laws and the organization's policies.

Level 1 (Sub-Standard): There is no documentation of the processes (if there are any) used to guide the transfer or disposition of records and information. The process for suspending disposition in the event of investigation or litigation is non-existent or is inconsistent across the organization.

Level 2 (In Development): Preliminary guidelines for disposition are established. There is a realization of the importance of suspending disposition in a consistent manner, when required. There may not be enforcement and auditing of disposition.

Level 3 (Essential): Official procedures for records and information disposition and transfer have been developed. Official policy and procedures for suspending disposition have been developed. Although policies and procedures exist, they may not be standardized across the organization. The organization has defined specific goals related to disposition.

Level 4 (Proactive): Disposition procedures are understood by all and are consistently applied across the enterprise. The process for suspending disposition is defined, understood, and used consistently across the organization. Records and information in all media are disposed of in a manner appropriate to the information content and retention policies.

Level 5 (Transformational): The disposition process covers all records and information in all media. Disposition is assisted by technology and is integrated into all applications, data warehouses, and repositories. Disposition processes are consistently applied and effective. Processes for disposition are regularly evaluated and improved. The organization's initial goals related to disposition have been met, and it has an established process to ensure its goals for disposition are routinely reviewed and revised.
