Information Governance Policy for International Business Machines
Info: 8006 words (32 pages) Dissertation
Published: 16th Dec 2019
INFORMATION GOVERNANCE POLICY
Contents Page
1. Introduction to Information Governance Policy
2. Purpose of Policy
3. Scope of Policy
4. Approach towards Information Governance
5. Information Governance Policy Framework
6. Roles and Responsibilities
7. Information Governance Policy
8. Monitoring and Audit
9. Compliance
10. Approval
1. Introduction to Information Governance Policy
1.1 International Business Machines (IBM) has been in existence since the 19th century, with its core business in manufacturing and selling computer hardware and software and providing infrastructure hosting and consulting services, ranging from mainframe computers to nanotechnology.
1.2 IBM, being a pioneer in IT Enterprise Services, needs to construct and lead IG implementation and good practices to maintain its clients’ confidence and its authority in different geographical locations. It is important for IBM to emulate an accepted Information Governance Policy, Framework and Structure using acceptable industry standards such as Cobit 5.
2. Purpose of Policy
2.1 This policy outlines IBM’s practices on how data, information and records should be collected, used, stored, accessed and transferred on a day-to-day operation by shouldering a specific role and responsibility towards an individual related directly or indirectly to the organization.
3. Scope of Policy
3.1 Staff within the scope of this document:
- Employees (Permanent, Temporary & Interns)
- Regional Team
- IT Team
- Consultants
- Contractors
- Vendors
- Suppliers
3.2 This policy would target IBM’s data, software and systems which are physical, virtual and cloud based. The aim is to identify all risks pertaining to Information Assets and Clients’ Data located internally or externally within IBM.
4. Approach towards Information Governance
4.1 IBM believes that it is essential to follow the CIA Triad (Confidentiality, Integrity and Availability) approach towards the overall data, software and system management. Thus, IBM would emphasize the below key points:
- Ensure all data and information is securely transferred onto encrypted devices using encryption methods, virtually or online, to avoid tampering, modification, misuse and unauthorized access.
- Minimize the number of copies of the same data held in different places to reduce duplication.
- Data and information are stored on a secured network within the DMZ.
- Necessary patches and upgrades are done in a timely manner to avoid vulnerabilities and threats to the company’s network.
- All data and information should be given file permissions and access controls to ensure the integrity of a document.
- Version controls are to be implemented to prevent erroneous changes and accidental deletion by authorized users.
- Complete Business Continuity and Disaster Recovery Plans are readily available for all departments and the IT.
- A Disaster Recovery (DR) plan will be set up to manage High Availability in case of an emergency.
- Continuous monitoring of network traffic within the organization.
- Vulnerability scanning on all systems and devices.
5. Information Governance Policy Framework
5.1 Training and Awareness – This is the first approach towards Information Governance for all the employees of this organization, covering their understanding of how to protect data and information.
5.2 Roles and Responsibilities – The Information Governance Team will outline certain roles and responsibilities for each Regional, Department and Line Manager on the part they are to play in securing, maintaining and managing data and information.
5.3 Adopt Best Practices – All employees and staff must follow the best processes and practices outlined in this policy.
5.4 Ability to highlight shortcomings – Employees are encouraged to approach their teammates or managers and discuss their concerns about standards and practices.
6. Roles and Responsibilities
6.1 This Information Governance Policy is to be established and managed by the Chief Executive Officer of this company.
6.2 The Chief Information Security Officer will work together with the CSIRT to amend and maintain this Information Governance Policy.
6.3 The Computer Security Incident Response Team (CSIRT) is to co-ordinate with other functions within IBM to investigate suspected incidents and breaches, and to define and execute an appropriate response plan.
6.4 Global Incident Managers from all 170 countries will report, analyse, plan and execute a global disaster recovery plan and business continuity strategies in the event of an emergency.
7. Information Governance Policies
7.1 The complete overarching policies and procedures:
- Business Conduct Guidelines and Policy
- Security controls, processes and practices policy
- Intellectual Property Information guidelines and policy
- Worldwide records management policy
- Incident Management and Response Policy
- Change Management Policy
- Internet & Email policy
- Printed Document Retention & Disposal Policy
- Remote working policy
- Software Licence Policy
- Online Privacy Policy
- Big Data Policy
- Block Chain Policy
- Internet of Things Policy
- Mobile & Wireless Computing (BYOD) Policy
- Cloud Computing & e-Discovery Policy
- Freedom of Information Act 2004
- Data Protection Act 1998
8. Monitoring and Audit
8.1 This policy will be reviewed at a minimum on an annual basis and will be enhanced as needed to keep pace with current threats and to stay in line with revised international standards such as ISO/IEC 27001 and 27002, which are predominantly used. Besides, a compliance assessment from the IBM InfoSphere Information Governance Dashboard will be used to measure the impact and effectiveness of this Policy. Additionally, independent third-party industry standard audits are performed annually.
9. Compliance
9.1 In all circumstances, it is mandatory for every employee to abide by the law and act ethically by adopting this Information Governance Policy as a guideline. It is the individual responsibility of every employee to comply with these standards. Failure to comply would result in investigation, disciplinary action and possible dismissal if it is deemed unacceptable.
10. Approval
This Information Governance Policy would be approved by the relevant team as per the footer note pointer.
Table of Contents Page
1. Company Background
2. Executive Summary
2.1 Introduction
2.2 Structure of Report
2.3 The need to implement an Information Governance Policy
3. The definition of Information Governance Policy and its objectives
8. Data Governance
9. Differences between Cobit and ITIL
10. Governing e-Discovery
11. Governing Big Data
12. Governing the Cloud
13. Governing Internet of Things
14. Summary
14.1 Findings from analysis and areas to be addressed
15. Recommendation
15.1 Costs and Timescales
16. Conclusion
References
Table of Figures
Figure 1 – The Cycle of Data
Figure 2 – COBIT vs ITIL perspective
Figure 3 – e-Discovery Model
Figure 4 – The definition of Big Data involves the volume, velocity, variety and veracity of information
Figure 5 – Cloud Governance Model
List of Abbreviations
OS – Operating System
IBM – International Business Machines
IG – Information Governance
ISO – International Organization for Standardization
1. Company Background
International Business Machines (IBM), better known as “Big Blue”, is an American multinational technology company with a presence in 175 countries around the world. IBM supports more than 20 industries, among which are Aerospace, Automotive, Banking, Consumer Products, Defence, Financial, Education, Government – US Federal and Health Care.
IBM’s core business of manufacturing hardware, middleware and software has shifted towards higher-value market offerings, with a focus on cloud computing. Today, IBM’s cloud provides cloud computing services such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). As a cloud service provider, IBM has more than 81,000 servers for more than 26,000 clients and its client numbers are growing.
With the growing number of clients in the cloud, IBM needs to maintain a standard, practice and policy for all of its client data and information to preserve the overall level of security and privacy, as any breach increases the vulnerability of data and information. Thus, an Information Governance Framework and Policy is to be implemented to mitigate risk, improve security, implement training and awareness and underline best practices in IBM. The risks towards IBM’s business, facilities, premises, data and information would be assessed on a yearly basis or when there is a need to address an emergency, as advised by IBM’s Computer Security Incident Response Team (CSIRT).
Moreover, IBM’s CSIRT will stay in line with the National Institute of Standards and Technology, United States Department of Commerce guidelines for computer security incident handling processes. Meanwhile, for IBM’s locations in the EU, it will implement a strategy to be in compliance with the implementation of the General Data Protection Regulation (GDPR) in the year 2018. The National Cyber Security Centre (NCSC.gov.uk) alerts, advisories, analysis and guidelines are to be followed at all times.
It is a must for all companies to implement Information Governance and it becomes more challenging for multinational companies to keep pace with laws and regulations in different geographical locations which are improvised over time.
2. Executive Summary
2.1 Introduction
The report speaks about Information Governance and how it is implemented in this organization. Many key elements were outlined on how to govern and protect data and information in this organization according to widely used principles, policies and framework.
2.2 Structure of Report
This report begins with an introduction and explains the company’s background and what drives the implementation of an Information Governance Policy, followed by the definitions and importance of Information Governance and its key elements. Each component of the policy is then analysed, along with how it is to be implemented within the organization, before moving towards the future of Information Governance with e-Discovery, Cloud, Big Data and the Internet of Things (IoT).
2.3 The need to implement an Information Governance Policy in IBM
Information Governance is the way in which information, specifically personal and sensitive information related to clients, is created, transmitted and stored, from desktops in offices to remote data centres. It is an asset whose security objectives should not be underrated.
The need for the implementation of an Information Governance Policy for IBM is as follows:
- The need to fulfil the requirement of GDPR regulations by the UK government in the year 2018 across Europe.
- The increasing number of cyber-attacks around the world, which are compromising Confidentiality, Integrity and Availability.
- The Increasing number of Data Breach incidents from people within the organisation.
- The company believes that by implementing Information Governance policies and practices within the organisation, it would increase client confidence with the purchase of Information Governance Catalogue tool for the design and build of Information Governance Policy.
- The need to provide best practices on how to manage Information (e.g. Big Data, e-Discovery, etc.) by applying control processes and procedures.
3. The definition of Information Governance Policy and its objectives
Information governance (IG), which is also a subset of corporate governance, can be defined as the handling and processing of any information related to people (staff, users and clients) and organisations (IT, Financial, Accounting) using a series of laws, acts and frameworks.
Walker (2017) (itbusinessedge), the father of the Principles of Holistic Information Governance, defines IG as follows: “Information governance is all the rules, regulations, legislation, standards and policies with which organizations need to comply when they create, share and use information”
As defined by the Information Governance Initiative (2016) (iginitiative.com):
“Information governance is the activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs”
Another expert, Woolen (2017) (itbusinessedge), founder and principal consultant at The Records Guru, states: “Information governance is a holistic and much broader view of how information is managed, maintained and accessed as it covers everything including emails, social media, vital records program and access to lists of employees/customers. Information governance involves how you secure information in an economical fashion across the board”
4. Analysis of the policy elements
Analysis of 1.1
IBM has been in the IT industry for decades and was a pioneer without competitors. The company has become a major research company in technology, holding the most generated patents for 24 consecutive years. Its intense venture into Research and Development has helped the company to stay ahead in the industry by creating, implementing and adopting the latest technology into its business portfolio.
Analysis of 1.2
Taking the lead as the industry player, the company has to design, refine, implement and practice a policy to secure all of its client data, information and records with an accepted industry standard. The company is to implement Cobit 5 framework which would generate the maximum added value to the business via its IT investments, while mitigating risks and optimizing resources.
5. Purpose of this policy
Policy 2.1
This policy outlines IBM’s practices on how data, information and records should be collected, used, stored, accessed and transferred on a day-to-day operation by shouldering a specific role and responsibility towards an individual related directly or indirectly to the organization.
Analysis of 2.1
The policy defines that there is a role for each and every management person in a team to play by making sure that all data are collected using the approved tools, used within the organization context, stored in encrypted devices and transferred using approved devices.
6. Scope of this Policy
The scope of this policy extends to all Employees (Permanent, Temporary & Intern), Regional Team, IT Team, Consultants, Contractors, Vendors and Suppliers who manage and handle data, software and systems which are physical, virtual and cloud based located within company internally or externally.
7. Policy Objectives
Analysis of 4.1
IBM is committed to the CIA triad and will implement an Information Governance Policy following the concept of Confidentiality, Integrity and Availability towards the overall data, software and system management. Thus, IBM would emphasize the below key points:
- All data and information must be encrypted when transferred to prevent unauthorized persons from accessing, tampering with, modifying or misusing it.
- Any revised version is to be overwritten with the newer version to avoid duplicate data at different locations.
- Data and information will be stored in systems in a protected network zone, separate from the public network (internet), to minimize threats to important data and information of clients.
- The latest patches and upgrades will be applied to server OS and network devices on a daily basis during non-production hours to minimize vulnerabilities in systems and network devices.
- All data and information will be protected with file permissions and access controls so that only authorized users within the organization have access.
- Document versions will be recorded for each and every piece of data produced, to control changes and deletions by authorized users within the organization.
- Complete Business Continuity and Disaster Recovery Plans are readily available for all departments and the IT.
- The Business Continuity Plan will be distributed to all departments, whereas the Disaster Recovery Plan will be created and maintained by the IT for all the systems, hardware, software and devices in the network to make sure there is a workaround during downtime in this organization.
- A Disaster Recovery (DR) plan will be set up to manage High Availability in case of an emergency.
- A Disaster Recovery (DR) plan will be used to fail over the network devices to a secondary backup during downtime of the primary devices to make sure High Availability exists in this organization.
- Continuous monitoring of network traffic within the organization to detect any abnormal traffic and any attacks towards the network.
- Vulnerability scanning on all systems and devices to check if there is a need to improve the configuration and patches.
Figure 1:- The Cycle of Data
Theera-Ampornpunt (2017)
8. Data Governance
Data is any type of information which is interpreted in an understandable manner and which can be represented in the form of text, graphs, visuals, video, audio, emails, images, documents, etc.
There are many terms and buzz words in recent years such as Data Analytics, Big Data, Data Visualization and Data Science. However, the aim is for visibility, authority and consistency of data. Data is created by Business users in an organisation and accumulates over time. There could be duplicate, irrelevant and meaningless data in an organisation.
In order to eliminate the drawbacks of data, there should be a Data Governance Program implemented in all organisations. Data Governance should be the responsibility of all stakeholders and not limited to the IT department. The IT department should help to develop a framework for Data Governance and be a participant in the Data Governance Program.
9. Differences between Cobit and ITIL
COBIT and ITIL are frameworks which are based on real-world experience and can be used by any type or size of enterprise. COBIT and ITIL have been used in IT Service Management (ITSM) by IT Enterprises for years now. ITIL is seen as how to manage IT services across their lifecycle, whereas COBIT is seen as a way to govern Enterprise IT to generate the maximum value for the business while optimizing the risks and the resources. Put more simply, COBIT describes what should be done whereas ITIL describes how to do it.
The latest refined version of Cobit is Cobit 5 and of ITIL is ITILv3. If we compare COBIT and ITIL, it is undeniable that Cobit has a wider scope of coverage than ITIL. Cobit connects business goals to IT goals with models and standards. Besides, Cobit assigns objectives and tasks for both Business and IT leaders. The most significant plus for Cobit is that it was designed to oversee other governance models, which include ITIL. Cobit enables enterprises to create, monitor and refine its implementation. In IBM, both ITIL and Cobit work together. The implementation of ITIL starts from the L1 Helpdesk up to the Support Teams of Network, Server, Storage, Database, etc.
Incident Management is used to respond to Priority 1 & 2 issues relating to 100 – 1000 or more affected people in IBM. It aligns with Change Management, which identifies a need for a change in hardware, software, configuration, decommissioning or deployment of new systems and devices, besides running patches to strengthen the network. This is indeed a part of Cobit 5 which helps to make the whole organisation aware of the changes being made to the network. IT Risk Management is used in IBM to identify risks pertaining to vulnerabilities and threats. The team focuses on reducing all risks from within the organisation from hardware, software, devices, systems, etc.
IBM uses ITILv3 as the foundation for all employees on how to manage the whole IT infrastructure by structuring IT Business into layers or different function to support Cobit 5 within few of its ITILv3 functions in Incident Management, Change Management and Risk Management. COBIT 5 is specifically used by the IT Security Management Team to mitigate risks and generate maximum value for the IBM’s business.
Figure 2:- COBIT vs ITIL perspective
Itskeptic.org, (2017)
10. Governing e-Discovery
E-Discovery is a process of gathering all types of electronic information, better known as “electronically stored information” (ESI), which are to be used during litigation or legal processes in court. It has become important for a business or organisation to deal properly with electronic discovery, as failure to do so, innocently or otherwise, could lead to a vast amount of sanctions and, worse, could lead to adverse judgements in a lawsuit.
Almost all information is electronic in today’s businesses. Paper is used in a limited amount. Electronic communication has increased the amount of data that companies store and the number of storage locations, which include desktops, laptops, PDAs, smartphones, thumb drives, optical drives, iPods, servers and many more. Social media communications and online activities are also considered “electronically stored information” (ESI) in today’s technology advancement. As for businesses, company emails and electronic documents are considered an important part of e-discovery.
It is important that when developing policies and procedures for handling ESI in litigation, IBM should take extra care to consider specific procedures for backup tapes. A strong corporate-wide understanding of the importance of preserving ESI is needed and all employees of IBM should understand the consequences of improper handling of ESI, which includes personal social accounts such as Facebook and Twitter, email accounts and laptops. There will be adverse consequences for failing to do so. IBM’s goals in e-Discovery are to provide case review, search and analysis capabilities by bringing down the cost of electronic discovery.
In summary, all employees, stakeholders, IT, Information Governance directors and even attorneys need to get a basic understanding of emerging technologies such as e-Discovery and how it functions. This is why there is an e-Discovery policy included in this Information Governance Policy.
Figure 3:- e-Discovery Model
EDRM, Duke Law (2017)
11. Governing Big Data
Since the new era of computing and the emergence of Big Data, Information Governance to govern big data has become more important than ever.
According to IBM, (2017) Information Governance Principles and Practices for a Big Data Landscape, “Information Governance is the glue that drives value and mitigates risk. There are several key areas where Information Governance for big data is critical, such as metadata management, security and privacy, data integration and data quality, and master data management. It is interesting to note that big data innovators recognize the importance of governance to the success of their projects. According to a recent study, 58% of the organizations who report having active big data efforts included security and governance processes in their efforts”
In IBM, (2017) Integrating and governing big data article, it is said that “Cloud, mobile and social technologies are often mentioned alongside big data. However, it is crucial to think of big data as a phenomenon rather than a singular technology. In every system, the volume of data is increasing, data is being produced at an increasing velocity, data types and formats have more variety, and data veracity is becoming more uncertain. It means that big data affects every application in your enterprise in four areas: volume, velocity, variety and veracity” (see Figure 4).
IBM uses its advances to extract value from big data, increase its efficiency in responding to litigation and regulations, and increase the scope of the data before disposing of it once it has outlived its usefulness, to reduce storage.
Figure 4:- The definition of Big Data involves the volume, velocity, variety and veracity of information
IBM, (2017)
12. Governing the Cloud
Many enterprises are looking at moving their enterprises into cloud due to its performance value and range of offerings.
Gartner, (2017) predicts the worldwide public cloud services market will grow 18% in 2017 to $246.8B, up from $209.2B in 2016. Infrastructure-as-a-Service (IaaS) is projected to grow 36.8% in 2017 and reach $34.6B. Software-as-a-Service (SaaS) is expected to increase 20.1%, reaching $46.3B in 2017. Many organisations today often use two or more cloud providers in their cloud environment to mitigate risk from data loss and downtime. The move towards planning or implementing cloud in an organisation should consider governance as the first step before anything else.
There are doubts about data security and privacy when a decision is made to move to the cloud, particularly on transferring and storing backups to the cloud. All organisations must be able to produce an answer on who owns the data when a decision is taken to move enterprise data towards a hosted cloud.
Cloud governance requires establishing cloud governance for everyone to follow. Otherwise, the business will move on its own and IT will lose sight of the changing environment and become irrelevant to the business.
That being said, “IBM being cloud service provider, had designed its cloud with the below security features:-
- Targets to maintain confidentiality, integrity and availability towards its business from data centre to compliance with the ISO/IEC standards to ISEC security agreements to supports industry regulatory requirements.
- Security is designed, researched, enforced and maintained by IBM.
- Patching is built into the environment and there would be pre-emptive protection and rapid threat resolution to help reduce potential damages and losses.
- There would be continuous monitoring and granular control provide improved visibility into attacks by detecting network traffic anomalies that could indicate an attack before it affects data and infrastructure.
- There would be readily available network experts to respond to incidents”.
- Data created by the user before uploading it into cloud will be governed by copyright law
- Data being created on the cloud platform itself will not be shared with other third-party using IBM API.
- All data stored in cloud will be encrypted
Figure 5:- Cloud Governance Model
LexisNexis, (2017)
13. Governing Internet of Things
The next generation capabilities of the Internet of Things (IoT) are gaining importance in today’s industries. Many vendors have entered the Internet of Things due to its ability to represent the next generation. Presently, IoT is just a vision and it is yet to penetrate the life of normal people. As time progresses, so does the Internet of Things, and there is a need to develop a governance framework for tackling the data confidentiality, data integrity and operation control issues faced by IoT. We need a well-defined IoT governance framework to be accountable for breaches in data confidentiality, violations of data integrity or irregularities in operational control. It is a norm with any evolution within technology that there would be an unavoidable question about the needed and adequate legislation and regulatory theory governing the subject matter and, in our case, the Internet of Things (IoT).
It is undeniable that Internet of Things (IoT) is shifting paradigm and gaining its importance towards managing various devices built on different technologies and to apply complex event-triggered business rules to the data streams. Likewise with any huge development of telecoms and innovation, come the inescapable inquiries regarding the ampleness of the legislation and regulatory principle standards overseeing the Internet of things (IoT) ecosystem. There is a continuous need to address Internet of Things (IoT) in Information Governance Policy in future.
14. Summary
14.1 Findings from analysis and areas to be addressed
1. There were a few issues while writing this policy. There were many different terminologies being implemented in Enterprises while this policy was being written. For example, there were many different terminologies or buzz words being used for data, such as Data Analytics, Big Data, Data Visualization, Data Science and Meta Data. The main goal in managing data is to create, manage and maintain data in a secure way according to the widely accepted standards ISO/IEC27001:2013 and Cobit 5.
2. There is a need for large organizations to revise and review the Information Governance Policy from time to time, at least once every 6 months, to include the latest technology or terms explored or used in the IT industry.
3. There are newer technologies emerging, such as the Internet of Things (IoT), which need to be discussed in ISO/IEC27001:2013 in future to align an acceptable security practice to be implemented in the IG Policy of the future.
4. There is an increased amount of data in organization which accumulates over time and requires additional storage.
15. Recommendation
1. An Information Technology Service Management (ITSM) ticketing tool called “BMC Remedy” is being proposed to keep records of ITILv3 Managed Enterprise Service to be created, recorded, and retrieved from the database when needed for analysis.
2. Every employee and stakeholder should be aware of the security needs of this organisation. Thus, there would be compulsory training and documents to be signed, to assure that employees are aware of the security needs, during the signing of an employee’s offer letter. There would be additional training and documents to be signed by all employees when there is a change in the Information Governance Policy from time to time.
3. There would be minimal use of paper-based documents so as to avoid security issues. All printed documents should not be left unattended in the printer for more than 30 minutes. All paper-based documents would be converted into digital form and stored in an encrypted drive or server. This includes contractual agreements and SLAs of clients.
4. All hard drives of desktops, laptops, iPads and other devices assigned to employees will be encrypted with BitLocker to prevent unauthorized access if a device is lost or stolen.
5. There would be continuous monitoring of network events to detect any abnormal traffic in the network to avoid unauthorized access by hackers.
6. There will be vulnerability scanning done for all machines, systems, devices and configurations to detect and improve and minimize threat into organization network. Immediate patching to be done when there is a vulnerability found.
15.1 Costs and Timescales
1. Hybrid virtual cloud deployment in phases by the second quarter of 2018.
2. An additional storage resource (Microsoft/Wintel Server) would be added to the network by the second quarter of 2018.
3. Additional network resources of Cisco routers and switches are to be added to the network and leased for clients' networking needs, which would cost approximately $150,000.
4. Maintenance contract renewal and licensing for Cisco switches and routers, Riverbed optimizers, F5 load balancers, firewalls and proxies for all Data Centre devices (Router/Switches/Checkpoint/ASA/Juniper/VOIP peripherals), which costs $500,000, is to be done by the end of 2018, reflecting for 2019.
16. Conclusion
The Information Governance Policy was created and implemented to identify the assets in this organisation and the risks towards those assets. The Information Governance Policy was successfully implemented to meet this organisation’s needs for the security and integrity of client data and information from many sources.
It has been the norm to provide a high level of security for clients’ data and information and to protect it using the baseline of ISO27001:2013 and Cobit 5, in alignment with ITILv3 processes, within this organisation in its different geographical locations. This Information Governance Policy would be reviewed and realigned with additional policies for newer data types such as Big Data, Internet of Things, Cloud, etc.
IBM is positive that once this policy is implemented, there would be a realisation and action from employees and stakeholders towards protecting data and information in a more responsible way, keeping risk and threat at the minimum level. This is in addition to the GDPR, which will be in effect in 2018 for all organisations in the UK.
It is hoped that this report has demonstrated the following key points:
- Identifying all assets in the organisation belonging to clients and IBM
- Identifying and mitigating the risks to those assets
- Training and educating staff and stakeholders
- Monitoring and revising the implementation of the policy
- Meeting the regulatory requirements of the industry standards ISO/IEC 27001:2013 and Cobit 5.
Total words for Policy (Inc. table of contents) = 880 words
Total words for Report (Inc. reference) = 3,930 words
Total words for Policy and Report = 4,830 words