STP IG PROGRAM IMPLEMENTATION – PHASE 1
Student’s name
Institutional affiliation
Date
Abstract
The data revolution is at its peak in this century. In the corporate world, an information governance (IG) program plays a key role: it creates a discipline by bringing people and tools together to make data work better for the business. In a data-driven world, this means having numerous metrics in place to measure and validate the value of data, and managing the lifecycle of that data through a set of standards and policies that help us get the most out of it. To get the most benefit from the data, we must focus on its completeness, correctness, relevance, timeliness, consistency, meaningfulness and usability. In this project, we will analyze the risks, opportunities, and threats of STP's current infrastructure and build a road map to reduce STP's exposure to vulnerabilities by improving the overall security profile and reducing the risk profile.
Team and Role Selection
According to Smallwood (2014), Information Governance leverages technologies to enforce the policies and procedures used to manage information that is at risk, in compliance with legal and litigation demands, so that the organization is compliant with both external regulatory requirements and internal governance objectives. As the first step in building information governance, I will build a solid, functional team who can help me achieve the project objective. I will select the 10 people below for this IG project team.
· In-house Financial Analyst and Risk Manager
· Senior Records Manager
· IT Security Expert
· Overland Transport Manager
· Airway Transport Manager
· Overland Transport Manager
· Airway Transport Manager
· Southern Region General Manager (Houston, Florida)
· Western Region General Manager (San Diego, California)
· Information Security Specialist.
For any data project, whether big data, analytics or information governance, understanding the core data, where it currently resides, and its correctness and completeness is the key to success. So, I will take the help of the transport managers and the records manager to understand the current process, risks, and existing data repositories. For the analysis of the data, I will take the help of the financial analyst and risk manager for a better modeling perspective. Having the security expert and the IT security analyst on the team will help me carry out a study of the current infrastructure and a feasibility analysis for the future. They will help me decode the IT infrastructure, study its technological capabilities and file transfer mechanisms, and understand renewals. Above all, I need SME support on information retention, sensitive data, and process flow diagrams to build a better infrastructure. Both the western and southern regional managers are going to help me in that process. They will both work as Business Data Architects to guide the team in the gap analysis.
Research on State Data Retention and Privacy Laws
As the volume of data grows, privacy becomes significantly more critical. Businesses currently face data privacy challenges from a growing list of regulations. Data protection laws have been made all over the world to curb cybercrime in general, and data protection has been given priority. Several factors have driven the recent influx of legislative activity requiring the reporting of security breaches that compromise personal information. As STP does business in three major US states, KY (STP's home state), CA and TX (STP's primary hubs), it should comply with federal law as well as these state laws when it comes to information retention and privacy considerations.
Kentucky information retention and privacy laws:
Kentucky Revised Statutes (18A.020) state that any civil employee is permitted to examine her files and records upon request, once full identification has been provided. One is expected to make a written response in line with the file requested, which serves as the security measure placed on the file. This is done so that, if any unlawful practices are committed, they may be found without much hassle. Additionally, personal information and records are kept for a certain period of time in the event that the employee is fired, in case the details are needed in the specified period. The information is therefore retained by the employer but still available to the employee at any time of need until the date of termination (KY Commission on Human Rights Act, 339.400).
California Information retention and privacy laws:
The California Consumer Privacy Act of 2018 began as an initiative formed by professional privacy advocates who sought to give consumers visibility into, and control over, the personal information collected and sold by businesses, possibly including the businesses they were employed by (California Consumer Privacy Act, 2018). The initiative faced substantial opposition from the technology industry, even though its supporters gathered the signatures needed to qualify it for the November ballot (Mathews, 2018).
Texas Information retention and privacy laws:
In Texas, there are a number of laws and regulations in place regarding document retention and privacy protection, including the tax audit procedures of the Internal Revenue Service (IRS) and employment laws such as the Fair Labor Standards Act (FLSA). In addition to these federal laws, numerous state and local laws apply specifically to every business or organization. In 2011 the State of Texas also adopted a new law specifically addressing patient data privacy. The law, which took effect on September 1, 2012, incorporates the definition of the term "covered entity" from Texas' existing health privacy law and could have a broad impact on many entities not covered by HIPAA (Lineman, 2012).
In-House counsel advises on project planning:
Despite these complex laws and limitations, it is possible to create a useful and measurable set of goals for STP's legal department: proactively scoping the risks to the organization and its various business models and, more importantly, taking steps to deal with the risks associated with our project. We need to identify the grey areas, after working with the different operational departments, in order to broadly classify this project's scope and deliverables. The following is the to-do list for the legal department or in-house counsel in working on these laws.
· We will work with STP's human resource team to review and update company policies and employee agreements.
· Create processes and a set of operations to effectively manage the legal department's budget and planning, for better analysis and to spread awareness of IG.
· Encourage periodic company compliance health checks, working with different departments.
· Review company websites, processes, and procedures around litigation and disruptive events.
· STP needs to encourage customer/client satisfaction surveys and engage closely with the business to identify key government-related actions.
· Take or update an inventory of the company's intellectual property and confidential information.
· Create a calendar of actions and improve the quality of data and its archival procedures, working closely with the legal department of STP.
Identifying Risk Profiles and Mitigation Plans
The primary objective of an effective information governance policy is to ensure that we understand the associated risks well and frame suitable controls to effectively manage all types of risk, so that proper models are used to inform and influence management's decision-making process. There is a clear business rationale for ensuring that the control environment around decision making is robust. There are also numerous external stakeholder expectations that need to be met, and the Model Governance Policy will also be designed to minimize the risk to the parent company, STP, and to its partnering companies, the ISAs. The framework itself needs to be risk-based and aligned with the enterprise Risk Management Strategy (RMS) to ensure an adequate balance between the governance effort and the practical usability of the governance policies.
Conclusion:
The effectiveness and future sustainability of STP depend on its current IG plans. STP needs to comply with the set IG standards at all times, as it is in a customer-support industry, i.e. customers are at the center of its operation. The effectiveness of its ERM framework is subject to review by internal and external audit at least annually, to understand the vulnerabilities and all the operational gaps. The results of this review should be reported to the Business Risk Access and Control (BRAC) and the board of directors, who should continue to be responsible for the appropriate management of risks relating to non-compliant operations. I strongly believe risk-related matters should continue to be reported and to adhere to the company's RMS model code and privacy protection policies. As project manager, all of the above inputs and criteria are going to prove effective for successful project execution and delivery.
References
Smallwood, R. F. (2019). Information governance: Concepts, strategies, and best practices. Hoboken, NJ: John Wiley & Sons.
KY Human Rights. (2012). Kentucky laws requiring retention of employee records. Retrieved from https://louisville.edu/finance/payroll/files/kyretentionlaws
Casaló, L. V., Flavián, C., & Guinalíu, M. (2007). The role of security, privacy, usability and reputation in the development of online banking. Online Information Review, 31(5), 583-603. https://doi.org/10.1108/14684520710832315
Lineman, D. J. (2012, April 15). Data protection laws. Retrieved from https://texasceomagazine.com/departments/data-protection-laws/
Miller, S. (2015, June). Thomson Reuters Legal Solutions. Retrieved from https://store.legal.thomsonreuters.com/law-products/news-views/corporate-counsel/in-house-counsel-to-do-list-for-2016
Mathews, K. J. (2018, July 13). The California Consumer Privacy Act of 2018. Retrieved from https://privacylaw.proskauer.com/2018/07/articles/data-privacy-laws/the-california-consumer-privacy-act-of-2018/
UNIVERSITY OF THE CUMBERLANDS
ITS 833 – INFORMATION GOVERNANCE
SEMESTER PROJECT – PHASE II
Please review the description of the organization that is the subject of your semester project. The description of that organization, Security Transport Professionals, Incorporated, (STP) is described in the instructions for Phase I that you have already completed.
1. This phase will involve performing a records inventory. The organization is far too large to undertake a records inventory for the entire company. You will need to make a determination of which program or division or functional area whether that be (a) the narcotic/drugs that you ship/store, (b) the top secret materials that you ship/store, or (c) the toxic or dangerous materials that you ship/store to include in its records inventory. Once you have made that determination, decide which of the managers/personnel previously identified that you will need to contact/interview and work with in order to complete the records inventory for the functional area that your group has selected. It will most likely include more than one of the personnel/departments listed above. As project manager you have decided to collect information using a two-step approach where you first send out survey questions and then once you have received the responses you will follow up by conducting interviews.
(a) State whether you intend to focus on the narcotic/drug area, top secret materials for the government, or toxic or dangerous materials/chemicals.
(b) Identify which of the above department(s)/areas/units that you will need to survey and subsequently interview, depending on which one of the three functional areas you have decided to focus your attention on.
(c) For the functional area that you have selected you want to be able to speak intelligently to the knowledge personnel within that department and ask appropriate and relevant questions. Therefore, you need to do some preparation and brainstorming before making contact with the departments/units that you have identified as essential. To that end, identify (using diagram, table, hierarchy chart, taxonomy, or other form that is most descriptive) the “record types” that you expect are created and maintained in each of the departments/areas/units that you have decided to focus on. Use descriptive names for each record type and tell the type of information that would be retained in each record type. This can be as specific as creating a taxonomy for the record if you should decide to do so (see Appendix A in your text book), or you may conduct research and determine what other structure would be appropriate in order to convey this information. The most effective way to convey this information to me would be in the form of a table that identifies the Record Type, Responsible Department, and the Event that triggers the creation of each record type. [For example, if we were dealing with a health care provider (WHICH WE ARE NOT, I am only using this unrelated example to give you an idea of what I want you to do), an example of a record type that your doctor’s office might keep would be an Insurance Record that would include things like information about the Insurer, information about the patient, information about the insured if different from the patient, information about the plan options and conditions of coverage, information about the insured history of using this insurance in the past and the prior payment record.] [Another example: You will find a record type used on page 172 of your text book to describe a workers’ compensation insurance company’s accident/injury report as part of its record retention schedule.]
(d) Develop a Records Inventory Survey Form that you are going to use in surveying the departmental unit(s) you have identified above. The purpose for your survey is to be able to identify the kinds of records (contracts, financial reports, memorandum, invoices, etc.), which department owns the records, which departments access the records, what application creates the record, where the record is stored physically and logically, date created, last changed, whether it is a vital record, and whether there are other forms of the record. You want to be able to use this information to make decisions related to retention and disposal of the records. Explain who will receive the survey and why. The survey will be sent about one month prior to the follow up interviews. This will allow for two (2) weeks to complete and return the survey and two weeks to tabulate and review it, and to tweak your interview questions, depending on the results of the survey. Explain the rationale for the questions that you included in your survey.
(e) Develop an initial set of interview questions that you plan to use as a follow up to the initial survey that you drafted in (d) above.
(f) Based upon the records you have identified above, develop a record retention schedule and for the record types. Include in this the method of destruction when the record is marked for destruction. Explain whether you are going to use event-based retention for any of your record types and if so why, and identify the triggering event. For this question, you need to discuss the legal requirements and compliance considerations.
THE RESEARCH PAPER: While your research paper will undoubtedly include a number of tables, diagrams, lists and other illustrations, the paper is to be written in narrative form. The illustrations may be included in an appendix at the end of the paper, or may be embedded in the body. But please don't forget that the paper itself is written in narrative form. Include citations to your research.
The paper should be written in narrative form using the APA format. Please use ample subsections or subheading as appropriate. Your paper should have a 1-in margin on top, bottom, left and right margins. The paper should be double spaced. Use a cover page with a title, and the name of each team member who contributed to your project/paper. Each page should have a page number in the bottom right margin. The paper should also include a table of contents, which includes subject headings, subheadings or subtopics, references or sources, and illustrations as well as page numbers for each.
For each major area or section of your paper, explain and identify the options you have considered, where applicable. Discuss the alternatives you considered, giving pros and cons of each, and provide information from the research you conducted that assisted you in arriving at your conclusion as to why one alternative was selected over another. You MUST cite the sources for your research any time you make reference to your research, whether that be through direct quotations or in summary. Your work should include no fewer than five (5) sources. While there is no minimum or maximum length for your paper, I anticipate that you cannot complete the assignment in under ten (10) pages, excluding illustrations.
The research paper should be submitted using the link contained in the CONTENT section of iLearn. It will not be accepted via email to me.