I’m still processing a lot of the information gathered, shared, and created during our 8th RIM Renaissance this past weekend in Minneapolis. One of our sessions focused on the creation of an information governance “treaty” that holds various organizational members to a high standard (consistent with our RIM principles). Please review the following draft document and let me know what you think.
Archer-Ponemon Treaty for Data Governance
July 21, 2009, 4:10 pm
RIM Council Treaty on Information Governance
Draft V.1
[A.K.A. the Archer-Ponemon Treaty project, created by the participants of the 2009 RIM Renaissance on 18 July 2009 in Minneapolis, Minnesota]
We the professionals, in order to establish and maintain a trustworthy secure enterprise that meets legal and regulatory requirements, customer expectations, and corporate vision, do hereby agree to the following:
· Establish commonly understood terms and clearly defined policies with respect to data protection, privacy and information security.
· Establish data protection and privacy principles that can be applied across the enterprise on a global basis.
· Establish an information governance body to achieve an all-inclusive, cross-functional approach to oversee the organization’s data protection, privacy and information security requirements.
· Establish a transparent mechanism for operational governance starting with a charter that is approved by the organization’s chief executive and other senior executives.
· Ensure the governing body is representative of the organization’s various information users.
· Ensure that representatives to the governing body are fully supported by their respective organizations or operating units.
· Strive to build data protection and privacy into the organization’s DNA by educating all employees as to why it is fundamentally important to the organization.
· Strive to create an information stewardship culture that fosters collaboration across the enterprise and diminishes silo thinking.
· Ensure this initiative is top-down, starting with the chief executive and the board.
· Empower the governing body to make difficult choices and take substantive action when necessary.
· Require the chair of the governing body to report to the organization’s chief executive with communication to the board of directors or audit committee when internal conflict arises.
· Establish and use objective metrics that define the organization’s performance in meeting data protection, privacy and information security objectives.
· Communicate to internal and external stakeholders, including regulators and supply chain partners, about the organization’s information governance approach in ways that do not compromise the program.
· Empower and reward employees to do the right thing with respect to their stewardship of information assets.
· Ensure the organization takes advantage of enabling technologies that improve the state of information security in an effective and cost-efficient manner.

Comments

December 9, 2011 10:19am
Steven Adler
I like the idea of a DG Treaty. I've advocated charters in the past, which are similar in context, but a treaty underscores the nature of the x-organizational agreement necessary to empower decision making.

December 9, 2011 10:19am
Jay Libove, CISSP, CIPP
I suggest separating the "commonly understood terms" from the "clearly defined policies". Terms are something which, in theory at least, could be universally agreed upon within certain contexts (such as within an industry vertical). Policies, on the other hand, really must at times be company- and even division-specific.

December 9, 2011 10:18am
Fran Maier
Terrific event and work product by the group.