ARMA Information Governance Maturity ModelThe Maturity Model for Information Governance begins to paint a more complete picture of what effective information governance looks like. It is based on the eight Principles as well as a foundation of standards, best practices, and legal/regulatory requirements. The maturity model goes beyond a mere statement of the principles by beginning to define characteristics of various levels of recordkeeping programs. For each principle, the maturity model associates various characteristics that are typical for each of the five levels in the model ... Information is one of the most vital, strategic assets organizations possess. They depend on information to develop products and services, make critical strategic decisions, protect property rights, propel marketing, manage projects, process transactions, service customers, and generate revenues. This critical information is contained in the organizations' business records. It has not always been easy to describe what "good information governance" looks like. Yet, this question gains in importance as regulators, shareholders, and customers are increasingly concerned about the business practices of organizations. ARMA International recognized that a clear statement of "Generally Accepted Recordkeeping Principles®" (The Principles) would guide: * CEOs in determining how to protect their organizations in the use of information assets; * Legislators in crafting legislation meant to hold organizations accountable; and * Records management professionals in designing comprehensive and effective records management programs. The Principles identify the critical hallmarks of information governance, which Gartner describes as an accountability framework that "includes the processes, roles, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals." As such, they apply to all sizes of organizations, in all types of industries, and in both the private and public sectors. Multi-national organizations can also use The Principles to establish consistent practices across a variety of business units. Association of Records Managers and AdminstratorsARMA_9cc0255e-8cc9-444e-b03b-aaae7581551e_493bcd3a-3472-11e4-ae07-6d07f0c8cb35To describe effective information governance_493bced4-3472-11e4-ae07-6d07f0c8cb35AccountabilityComplianceTransparencyAailabilityIntegrityRetentionProtectionDispositionAccountabilityAdopt policies and procedures to guide personnel and hold a senior executive accountable to oversee recordkeeping._493bd1c2-3472-11e4-ae07-6d07f0c8cb351A senior executive (or person of comparable authority) oversees the recordkeeping program and delegates program responsibility to appropriate individuals. The organization adopts policies and procedures to guide personnel, and ensure the program can be audited. Level 1 (Sub-Standard) -- No senior executive (or person of comparable authority) is responsible for the records management program. The records manager role is largely non-existent or is an administrative and/or clerical role distributed among general staff. Level 2 (In Development) -- No senior executive (or person of comparable authority) is involved in or responsible for the records management program. The records manager role is recognized, although he/she is responsible for tactical operation of the existing program. In many cases, the existing program covers paper records only. The information technology function or department is the de facto lead for storing electronic information, but this is not done in a systematic fashion. The records manager is not involved in discussions of electronic systems. Level 3 (Essential) -- The records manager is an officer of the organization and is responsible for the tactical operation of the ongoing program on an organization-wide basis. The records manager is actively engaged in strategic information and record management initiatives with other officers of the organization. Senior management is aware of the program. The organization has defined specific goals related to accountability. Level 4 (Proactive) -- The records manager is a senior officer responsible for all tactical and strategic aspects of the program. A stakeholder committee representing all functional areas and chaired by the records manager meets on a periodic basis to review disposition policy and other records management-related issues. Records management activities are fully sponsored by a senior executive. Level 5 (Transformational) -- The organization’s senior management and its governing board place great emphasis on the importance of the program. The records management program is directly responsible to an individual in the senior level of management, (e.g., chief risk officer, chief compliance officer, chief information officer) OR, A chief records officer (or similar title) is directly responsible for the records management program and is a member of senior management for the organization. The organization’s stated goals related to accountability have been met.EmphasisEmphasize the importance of the [records management] program._493bd2da-3472-11e4-ae07-6d07f0c8cb351.1Senior ManagersBoards of DirectorsResponsibility[Make] the records management program directly responsible to an individual in the senior level of management or make a chief records officer a senior manager._493bd406-3472-11e4-ae07-6d07f0c8cb351.2Senior ManagerThe records management program is directly responsible to an individual in the senior level of management, (e.g., chief risk officer, chief compliance officer, chief information officer) OR,Chief Records OfficerA chief records officer (or similar title) is directly responsible for the records management program and is a member of senior management for the organization.Chief Risk OfficerChief Compliance OfficerChief Information OfficerGoalsMeet stated goals related to accountability._493bd514-3472-11e4-ae07-6d07f0c8cb351.3ComplianceComply with applicable laws, authorities, and policies._493bd640-3472-11e4-ae07-6d07f0c8cb352The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies. Level 1 (Sub-Standard) -- There is no clear definition of the records the organization is obligated to keep. Records and other business documentation are not systematically managed according to records management principles. Various groups of the organization define this to the best of their ability based on their interpretation of rules and regulations. There is no central oversight and no consistently defensible position. There is no defined or understood process for imposing "holds." Level 2 (In Development) -- The organization has identified the rules and regulations that govern its business and introduced some compliance policies and recordkeeping practices around those policies. Policies are not complete and there is no apparent or well-defined accountability for compliance. There is a hold process, but it is not well-integrated with the organization’s information management and discovery processes. Level 3 (Essential) -- The organization has identified all relevant compliance laws and regulations. Record creation and capture are systematically carried out in accordance with records management principles. The organization has a strong code of business conduct which is integrated into its overall information governance structure and recordkeeping policies. Compliance and the records that demonstrate it are highly valued and measurable. The hold process is integrated into the organization’s information management and discovery processes for the “most critical” systems. The organization has defined specific goals related to compliance. Level 4 (Proactive) -- The organization has implemented systems to capture and protect records. Records are linked with the metadata used to demonstrate and measure compliance. Employees are trained appropriately and audits are conducted regularly. Records of the audits and training are available for review. Lack of compliance is remedied through implementation of defined corrective actions. The hold process is well-managed with defined roles and a repeatable process that is integrated into the organization’s information management and discovery processes. Level 5 (Transformational) -- The importance of compliance and the role of records and information in it are clearly recognized at the senior management and board levels. Auditing and continuous improvement processes are well-established and monitored by senior management. The roles and processes for information management and discovery are integrated. The organization’s stated goals related to compliance have been met. The organization suffers few or no adverse consequences based on information governance and compliance failures.RecognitionRecognize the importance of compliance and the role of records and information._493bd7c6-3472-11e4-ae07-6d07f0c8cb352.1Senior ManagersBoards of DirectorsAuditing & ImprovementEstablish and monitor auditing and continuous improvement processes._493bd8f2-3472-11e4-ae07-6d07f0c8cb352.2Senior ManagersInformation Management & DiscoveryIntegrate the roles and processes for information management and discovery._493bda3c-3472-11e4-ae07-6d07f0c8cb352.3GoalsMeet stated goals related to compliance._493bdb5e-3472-11e4-ae07-6d07f0c8cb352.4Adverse Consequences[Ensure that] the organization suffers few or no adverse consequences based on information governance and compliance failures._493bdc94-3472-11e4-ae07-6d07f0c8cb352.5TransparencyDocument recordkeeping processes and activities._493bde10-3472-11e4-ae07-6d07f0c8cb353The processes and activities of an organization’s recordkeeping program are documented in a manner that is open and verifiable and is available to all personnel and appropriate interested parties. Level 1 (Sub-Standard) -- It is difficult to obtain information about the organization or its records in a timely fashion. No clear documentation is readily available. There is no emphasis on transparency. Public requests for information, discovery for litigation, regulatory responses, or other requests (e.g., from potential business partners, investors, or buyers) cannot be readily accommodated. The organization has not established controls to ensure the consistency of information disclosure. Business processes are not well defined. Level 2 (In Development) -- The organization realizes that some degree of transparency is important in its recordkeeping for business or regulatory needs. Although a limited amount of transparency exists in areas where regulations demand transparency, there is no systematic or organizationwide drive to transparency. Level 3 (Essential) -- Transparency in recordkeeping is taken seriously and information is readily and systematically available when needed. There is a written policy regarding transparency. Employees are educated on the importance of transparency and the specifics of the organization's commitment to transparency. The organization has defined specific goals related to transparency. Level 4 (Proactive) -- Transparency is an essential part of the corporate culture and is emphasized in training. The organization monitors compliance on a regular basis. Level 5 (Transformational) -- The organization's senior management considers transparency as a key component of information governance. The organization's stated goals related to transparency have been met. The organization has implemented a continuous improvement process to ensure transparency is maintained over time. Software tools that are in place assist in transparency. Requestors, courts, and other legitimately interested parties are consistently satisfied with the transparency of the processes and the response.Information Governance[Treat] transparency as a key component of information governance._493bdf46-3472-11e4-ae07-6d07f0c8cb353.1Senior ManagersGoalsMeet stated goals related to transparency._493be07c-3472-11e4-ae07-6d07f0c8cb353.2ImprovementImplemented a continuous improvement process to ensure transparency is maintained over time._493be1d0-3472-11e4-ae07-6d07f0c8cb353.3Software Tools[Implement] software tools to assist in transparency._493be306-3472-11e4-ae07-6d07f0c8cb353.4SatisfactionConsistently satisfy requestors, courts, and other legitimately interested parties with the transparency of the processes and the response._493be446-3472-11e4-ae07-6d07f0c8cb353.5RequestorsCourtsInterested PartiesAvailabilityEnsure timely, efficient, and accurate retrieval of needed information._493be644-3472-11e4-ae07-6d07f0c8cb354An organization shall maintain records in a manner that ensures timely, efficient, and accurate retrieval of needed information. Level 1 (Sub-Standard) -- Records are not readily available when needed and/or it is unclear who to ask when records need to be produced. It takes time to find the correct version, the signed version, or the final version, if it can be found at all. The records lack finding aides: indices, metadata, and locators. Legal discovery is difficult because it is not clear where information resides or where the final copy of a record is located. Level 2 (In Development) -- Record retrieval mechanisms have been implemented in certain areas of the organization. In those areas with retrieval mechanisms, it is possible to distinguish between official records, duplicates, and non-record materials. There are some policies on where and how to store official records, but a standard is not imposed across the organization. Legal discovery is complicated and costly due to the inconsistent treatment of information. Level 3 (Essential) -- There is a standard for where and how official records and information are stored, protected, and made available. Record retrieval mechanisms are consistent and contribute to timely records retrieval. Most of the time, it is easy to determine where to find the authentic and final version of any record. Legal discovery is a welldefined and systematic business process. The organization has defined specific goals related to availability. Level 4 (Proactive) -- There are clearly defined policies regarding storage of records and information. There are clear guidelines and an inventory that identifies and defines the systems and their information assets. Records and information are consistently and readily available when needed. Appropriate systems and controls are in place for legal discovery. Automation is adopted to facilitate the implementation of the hold process. Level 5 (Transformational) -- The senior management and board levels provide support to continually upgrade the processes that affect record availability. There is an organized training and continuous improvement program. The organization’s stated goals related to availability have been met. There is a measurable ROI to the business as a result of records availability.UpgradingContinually upgrade the processes that affect record availability._493be77a-3472-11e4-ae07-6d07f0c8cb354.1Senior ManagersBoards of DirectorsTraining & Improvement[Institute] organized training and a continuous improvement program._493be8ce-3472-11e4-ae07-6d07f0c8cb354.2GoalsMeet stated goals related to availability._493bea36-3472-11e4-ae07-6d07f0c8cb354.3ROIMeasure ROI to the business as a result of records availability._493beb8a-3472-11e4-ae07-6d07f0c8cb354.4Integrity[Ensure that] records and information have reasonable and suitable guarantees of authenticity and reliability._493becde-3472-11e4-ae07-6d07f0c8cb355A recordkeeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability. Level 1 (Sub-Standard) -- There are no systematic audits or defined processes for showing the origin and authenticity of a record. Various organizational functions use ad hoc methods to demonstrate authenticity and chain of custody, as appropriate, but their trustworthiness cannot easily be guaranteed. Level 2 (In Development) -- Some organizational records are stored with their respective metadata that demonstrate authenticity; however, no formal process is defined for metadata storage and chain of custody. Metadata storage and chain of custody methods are acknowledged to be important, but are left to the different departments to handle as they determine is appropriate. Level 3 (Essential) -- The organization has a formal process to ensure that the required level of authenticity and chain of custody can be applied to its systems and processes. Appropriate data elements to demonstrate compliance with the policy are captured. The organization has defined specific goals related to integrity. Level 4 (Proactive) -- There is a clear definition of metadata requirements for all systems, business applications, and paper records that are needed to ensure the authenticity of records. Metadata requirements include security and signature requirements and chain of custody as needed to demonstrate authenticity. The metadata definition process is an integral part of the records management practice in the organization. Level 5 (Transformational) -- There is a formal, defined process for introducing new record-generating systems and the capture of their metadata and other authenticity requirements, including chain of custody. This level is easily and regularly audited. The organization’s stated goals related to integrity have been met. The organization can consistently and confidently demonstrate the accuracy and authenticity of its records.ProcessesFormally define processes for introducing new record-generating systems and the capture of their metadata and other authenticity requirements, including chain of custody._493bee64-3472-11e4-ae07-6d07f0c8cb355.1AuditsRegularly audit such processes._493befd6-3472-11e4-ae07-6d07f0c8cb355.2GoalsMeet stated goals related to integrity have been met._493bf17a-3472-11e4-ae07-6d07f0c8cb355.3The organization can consistently and confidently demonstrate the accuracy and authenticity of its records.RetentionMaintain records and information for an appropriate time._493bf2ce-3472-11e4-ae07-6d07f0c8cb356An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements. Level 1 (Sub-Standard) -- There is no current documented records retention schedule. Rules and regulations that should define retention are not identified or centralized. Retention guidelines are haphazard at best. In the absence of retention schedules, employees either keep everything or dispose of records based on their own business needs, rather than organizational needs. Level 2 (In Development) -- A retention schedule is available, but does not encompass all records, did not go through official review, and is not well known around the organization. The retention schedule is not regularly updated or maintained Education and training about the retention policies are not available. Level 3 (Essential) -- A formal retention schedule that is tied to rules and regulations is consistently applied throughout the organization. The organization’s employees are knowledgeable about the retention schedule and they understand their personal responsibilities for records retention. The organization has defined specific goals related to retention. Level 4 (Proactive) -- Employees understand how to classify records appropriately. Retention training is in place. Retention schedules are reviewed on a regular basis, and there is a process to adjust retention schedules as needed. Records retention is a major corporate concern. Level 5 (Transformational) -- Retention is an important item at the senior management and board levels. Retention is looked at holistically and is applied to all information in an organization, not just to official records. The organization’s stated goals related to retention have been met. Information is consistently retained for appropriate periods of time.Senior ManagersSenior managers view retention is important._493bf530-3472-11e4-ae07-6d07f0c8cb356.1RetentionApply retention holistically, to all information in an organization._493bf684-3472-11e4-ae07-6d07f0c8cb356.2GoalsMeet stated goals related to retention._493bf986-3472-11e4-ae07-6d07f0c8cb356.3ConsistencyRetain information consistently for appropriate periods of time._493bfac6-3472-11e4-ae07-6d07f0c8cb356.4ProtectionEnsure a reasonable level of protection to records and information._493bfc10-3472-11e4-ae07-6d07f0c8cb357A recordkeeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, or essential to business continuity. Level 1 (Sub-Standard) -- No consideration is given to record privacy. Records are stored haphazardly, with protection taken by various groups and departments with no centralized access controls. Access controls, if any, are assigned by the author. Level 2 (In Development) -- Some protection of records is exercised. There is a written policy for records that require a level of protection (e.g., personnel records). However, the policy does not give clear and definitive guidelines for all records in all media types. Guidance for employees is not universal or uniform. Employee training is not formalized. The policy does not address how to exchange these records between employees. Access controls are still implemented by individual record owners. Level 3 (Essential) -- The organization has a formal written policy for protecting records and centralized access controls. Confidentiality and privacy are well defined. The importance of chain of custody is defined, when appropriate. Training for employees is available. Records and information audits are only conducted in regulated areas of the business. Audits in other areas may be conducted, but are left to the discretion of each function area. The organization has defined specific goals related to record protection. Level 4 (Proactive) -- The organization has implemented systems that provide for the protection of the information. Employee training is formalized and well documented. Auditing of compliance and protection is conducted on a regular basis. Level 5 (Transformational) -- Executives and/or senior management and the board place great value in the protection of information. Audit information is regularly examined and continuous improvement is undertaken. The organization’s stated goals related to record protection have been met. Inappropriate or inadvertent information disclosure or loss incidents are rare.Senior Managers[Ensure that] senior managers place great value in the protection of information._493bfd82-3472-11e4-ae07-6d07f0c8cb357.1AuditsRegularly examine and continuously improve audit information._493bff6c-3472-11e4-ae07-6d07f0c8cb357.2GoalsMeet stated goals related to record protection._493c0142-3472-11e4-ae07-6d07f0c8cb357.3Disclosure & LossEnsure that incidents of inappropriate or inadvertent information disclosure or loss are rare._493c02b4-3472-11e4-ae07-6d07f0c8cb357.4DispositionProvide secure and appropriate disposition for records._493c0408-3472-11e4-ae07-6d07f0c8cb358An organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization's policies. Level 1 (Sub-Standard) -- There is no documentation of the processes, if any, that are used to guide the transfer or disposition of records. The process for suspending disposition in the event of investigation or litigation is non-existent or is inconsistent across the organization. Level 2 (In Development) -- Preliminary guidelines for disposition are established. There is a realization of the importance of suspending disposition in a consistent manner, repeatable by certain legal groupings. There may or may not be enforcement and auditing of disposition. Level 3 (Essential) -- Official procedures for records disposition and transfer are developed. Official policy and procedures for suspending disposition have been developed. Although policies and procedures exist, they are not standardized across the organization. Individual departments have devised alternative procedures to suit their particular business needs. The organization has defined specific goals related to disposition. Level 4 (Proactive) -- Disposition procedures are understood by all and are consistently applied across the enterprise. The process for suspending disposition due to legal holds is defined, understood, and used consistently across the organization. Electronic information is expunged, not just deleted, in accordance with retention policies. Level 5 (Transformational) -- The disposition process covers all records and information in all media. Disposition is assisted by technology and is integrated into all applications, data warehouses, and repositories. Disposition processes are consistently applied and effective. Processes for disposition are regularly evaluated and improved. The organization's stated goals related to disposition have been met.Coverage[Ensure] the disposition process covers all records and information in all media._493c0566-3472-11e4-ae07-6d07f0c8cb358.1IntegrationIntegrate disposition, assisted by technology, into all applications, data warehouses, and repositories._493c0728-3472-11e4-ae07-6d07f0c8cb358.2ProcessesApply disposition processes consistently and effectively._493c0886-3472-11e4-ae07-6d07f0c8cb358.3Evaluation & ImprovementRegularly evaluate and improve processes for disposition._493c09e4-3472-11e4-ae07-6d07f0c8cb358.4GoalsMeet stated goals related to disposition._493c0b74-3472-11e4-ae07-6d07f0c8cb358.52014-09-04http://www.arma.org/r2/generally-accepted-br-recordkeeping-principles/metricsOwenAmburOwen.Ambur@verizon.net