Lorrie Luellig, J.D., and Jake Frazier, J.D.
The successful IT governance plan demands a modern and transparent approach to data retention and routine disposal. Today’s chief information officers (CIOs) face an unprecedented array of challenges:
IT can meet all of these challenges with a comprehensive, globally aware information governance program that reduces information volumes, centralizes the management of data across all jurisdictions and ensures regulatory compliance—all while reducing costs. Many CIOs already use the COBIT framework to support business objectives, reduce corporate risk and optimize resource use. Yet, when it comes to information governance practices related to regulatory issues, legal compliance, records retention and disposal policies, COBIT principles are often not being leveraged as broadly and as effectively as possible. However, COBIT may be the key to a successful governance program.
A lack of insight into what information needs to be kept has led many organizations to accumulate mountains of electronically generated debris in the form of excess applications, servers, storage and backup tapes that no longer have any utility.
A recent survey of corporate CIOs and general counsels conducted at a Compliance, Governance and Oversight Council (CGOC)¹ summit found that typically only 1 percent of corporate information is on litigation hold, only 5 percent is in a records retention category and a mere 25 percent has any current business value.² This means that approximately 69 percent of all the data collected and maintained by most organizations have no business, legal or regulatory value at all.
A key step in creating a successful information governance program is developing the ability to identify and protect any information that has business, legal or regulatory value in order to support the legally defensible disposal of everything else. Effective defensible disposal—the ability to regularly and automatically eliminate information that has no regulatory, legal or business value—can have a dramatic impact on information economics. Less IT budget spent on storage, servers and backup means that more can go to strategic investments. Less information to sift through means that the legal and regulatory response can be handled in a streamlined and efficient fashion while minimizing the risk associated with keeping too much or too little data, including retaining information that evolving privacy regulations require be eliminated and unnecessarily providing opposing counsel with broader discovery access than required. Less wasteful information management ultimately allows corporations to return more profit to shareholders.
Historically, retention schedules have included only records—whether paper or electronic—that are distinct from the rest of the information in the organization. To achieve defensible disposal, IT stakeholders must be able to collaborate closely and transparently with the records and information management (RIM), legal and business units to create modern executable retention schedules—schedules that go beyond the scope of setting retention periods. What is deemed a “record” should include all information in the organization and incorporate retention criteria related to legal holds and business value.
A retention schedule provides the legal foundation for records management and legal departments to organize corporate records and information and then detail the length of time that such records must be retained for compliance and business needs. The problem is that the retention schedules used by many organizations today were devised when paper records were the norm. Thus, they simply do not work in today’s enterprises because a large amount of the information that needs to be retained or deleted is electronically generated and includes information not historically defined as a record, e.g., social media posts and tweets. This creates a critical disconnect because the information is now under the domain of IT and the company’s compliance obligations will need to be linked to the thousands of applications, databases and other repositories IT manages.
Meanwhile, legal and RIM professionals possess the knowledge to set retention schedules and disposal policies according to relevant laws and regulations, but they may not have a holistic view of the IT infrastructure or any understanding of the business value of existing information. Relevant data must be identifiable, and there must be a mechanism for disposing of everything else.
This disconnect is highlighted in the CGOC survey, which reported that:³
The goal of creating a modern, transparent and executable retention schedule is to overcome these challenges by facilitating the identification of valueless information and automating its disposal in a legally defensible manner.
Because a modern, executable retention schedule recognizes the dynamic nature of electronic data and the shared responsibility for information management and disposal, COBIT principles provide a solid foundation for creating one.
COBIT 5 is based on five key principles for the governance and management of enterprise IT:
All of these principles are directly applicable to the creation of a modern and executable retention schedule that supports a legal framework for defensible disposal of unneeded data and takes into account the needs and roles of legal, RIM, business and IT stakeholders by:
In such an environment, users would have the knowledge and tools they need to classify information, and IT would have the legal and records support it needs to implement a workable retention schedule and appropriately dispose of valueless information at the right time.
The following are the key elements that must be incorporated into a retention schedule for it to work in the modern information age:
Unprecedented data growth, global business operations, cost concerns, and a complex and constantly changing regulatory environment have created daunting information governance challenges for CIOs. However, the COBIT framework makes it possible to apply proven governance principles to overcoming these challenges by efficiently and cost-effectively shepherding the flow of corporate information through its useful life cycle and automatically eliminating information that no longer has any legal, regulatory or business value. By collaborating with legal, RIM and business stakeholders, IT can also help to create a modern, transparent and executable retention schedule that can ensure compliance while increasing business agility, reducing risk and lowering costs through the defensible disposal of valueless information.
¹ The Compliance, Governance and Oversight Council (CGOC), founded by Deidre Paknad, director of information life cycle governance at IBM Corporation, is a forum of more than 1,900 legal, IT, records and information management professionals from corporations and government agencies.
² Compliance, Governance and Oversight Council (CGOC), “Benchmark Report on Information Governance in Global 1000 Companies,” www.cgoc.com/register/benchmark-survey-information-governance-fortune-1000-companies
³ Ibid.
Lorrie Luellig, J.D., of Ryley Carlock & Applewhite, is the founding member and practice leader of Information Governance (RCA-IG) PC, faculty member of the Compliance, Governance and Oversight Council (CGOC), and leader of the Electronic Discovery Reference Model (EDRM) IGRM Corporations Subgroup and CGOC RIM WorkGroup. Luellig advises global clients from Fortune 100 to small privately held companies headquartered in Europe and the US.
Jake Frazier, J.D., is the information life cycle governance expert for IBM and is the program director, legal and e-discovery for the CGOC. Frazier provides assistance to corporate legal departments and law firms in identifying, evaluating and implementing in-house e-discovery and information governance solutions.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2013 ISACA. All rights reserved.