International Journal of Information Management 35 (2015) 171–175


Reviews

Information Governance and Assurance, A. MacLennan. Facet Publishing, London (2014). 196 pp., Price: £49.95, ISBN: 978-1-5604-940-5

The book’s content and treatment of the subject, as will become clearer later, reflects MacLennan’s career background including time as an analyst/programmer and an assistant librarian. On the back cover the book is advertised as a “comprehensive textbook” which “discusses the legal, organizational and ethical aspects of information governance, assurance and security and their relevance to all aspects of information work”. In the book’s introduction his stated aim is “to present information governance as the key to successful integration of the information professionals with the organizations which they serve, with the interests of the individual and with society at large”.

The term ‘information governance’ is open to various interpretations and is one that has captured the imagination of many hardware, software and consultancy companies as a way of branding their offerings as solutions to problems many believed they did not have.

‘Information governance’ is a hot topic amongst the legal profession in the context of e-discovery. Much has been done to create information governance models embracing the interests of business management, lawyers, records managers and IT specialists, as exemplified by the EDRM Group which has linked Information Governance to its Electronic Discovery Reference Model.¹

The influential technology research organization Gartner² has defined it as “the specification of decision rights and an accountability framework to ensure appropriate behaviour in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals”.

Wikipedia’s³ definition based on various sources is ‘the set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an enterprise level, supporting an organization’s immediate and future regulatory, legal, risk, environmental and operational requirements’.

MacLennan provides his own definition in the book’s Introduction:

“‘information governance’ describes the activities and practices which have developed around people’s attempts to control the use of information, including, but not limited to, practices mandated by law.”

¹ http://www.edrm.net/archives/23174
² http://www.gartner.com/it-glossary/information-governance
³ http://en.wikipedia.org/wiki/Information governance

http://dx.doi.org/10.1016/j.ijinfomgt.2014.11.003

In MacLennan’s definition the emphasis is more on the control of information usage rather than its value to the organization (although in later chapters the importance of information as business data and records is made clear). He sees information governance both as an activity conducted voluntarily within organizations and one forced upon the same by laws and regulations arising from legislatures.

However, outside of his definition he later recognizes the importance of information as an asset, of handling information efficiently, of operating ethically with regard to the use of and access to information and of being able to demonstrate adherence to relevant internal or external standards or good practice.

So to the book, which consists of an introduction and five further chapters covering respectively: laws and regulations (ch. 2); data quality management (ch. 3); dealing with threats (ch. 4); security, risk management and business continuity (ch. 5) and frameworks, policies, ethics and how it all fits together (ch. 6). Then comes a section on discussion points and exercises relating to those introduced at the end of each chapter and finally a comprehensive index.

In the introduction a differentiation is made between ‘data’ and ‘information’. The former is raw data such as birth date, gender, body mass index and calorie consumption of a sample group of participants in a dietary study. This only becomes information once it is put in context with other data to enable identification of overall trends or an individual’s performance in reaching personal targets, for example.

In the early part of Chapter 2 the concept of ‘records’ is introduced. The definition provided – any information captured in reproducible form that is required for conducting business – is drawn from Penn et al., Records Management Handbook, Cambridge University Press, 1994 rather than from the international standard on records ISO:2001 whose content is briefly mentioned.

The Chapter focuses almost wholly on those pieces of UK legislation that place restrictions on what can be done with personal information and also the freedom to access such information. Having described the role of the Information Commissioner’s Office, the next four pages cover the requirements of the Freedom of Information (FOI) Act 2000, ways of posing and dealing with FOI requests and the importance of the Publication scheme.

The bulk of the Chapter (16 pages) deals with the Data Protection Act (DPA) 1998 whose powers go beyond those of the FOI Act (FOIA) which applies only to the public sector (however this may include organizations providing services to the government). While MacLennan covers the main elements of the DPA – definitions, requirements, principles, and subject access requests – it is disappointingly mainly a summary of that which is readily available in more detail and in more accessible form on the ICO website, despite the provision of some examples of their impact. Those interested in the scope and application of the DPA would be better advised to consult the ICO website, where for example a guide to posing subject access requests (SARs) can be downloaded (this could have been usefully cited by the author).

Some reference is made to the position in Scotland as regards such matters as SARs. More generally, as noted on the ICO site, Scotland has its own Information Commissioner who regulates the Freedom of Information (Scotland) Act which covers Scottish public authorities. Because of this, the main focus of the ICO’s Scottish office is data protection, for which the ICO is the sole regulatory body in Scotland. However, the ICO does have regulatory power under the Freedom of Information Act for UK public authorities based in Scotland. These include the Forestry Commission, BBC Scotland and the Scottish Consumer Council.

The disclosure implications of the Environmental Information Regulations (EIR) 2004, 2005 are then dealt with in just over 2 pages with mention of the ICO’s Code of Practice for fulfilling obligations and a similar code covering the responsibilities of public authorities under FOI and EIR. Again, most of the information is culled and summarized from the ICO site, such as the minimum information that must routinely be published, what must be provided, fees, the impact on copyright, database and intellectual property rights (IPR) and how public authorities should respond to requests for local property search information taking into account the relationship between the EIR and the Local Authorities (England) Charges for Property Searches Regulations (CPSR). As for the latter topic, the ICO has downloadable guides which the author could have usefully referenced.

Good records management is seen as a vital component in the process of responding to requests for information and in helping to avoid sanctions due to non-compliance. Having a records retention schedule not only avoids the ongoing retention of those records that are no longer needed for regulatory or business reasons; it also ensures that the organization is better placed to focus on those that require proper attention. The availability or otherwise of these latter records must, according to the FOIA, be made known through a publication scheme. Such publication is not required, although it is advisable, under the EIR.

MacLennan highlights the role of the information professional in dealing with such matters including the handling of enquiries which may result in formal requests and keeping abreast of the legislation. The conclusion to the Chapter notes the value of good records practice in providing information assurance and the help and advice that can be obtained on such matters from the ICO and the Joint Information Services Committee (Jisc) – although no reference is provided as to where the latter could be located (it is in fact http://www.jisc.ac.uk/). As with other chapters, scenarios are provided at the end of the Chapter with suggested answers available prior to the book’s extensive index.

Overall the content of this Chapter lacks that which could class it as a textbook (“A book used as a standard work for the study of a particular subject; esp. one written specially for this purpose” – Oxford English Dictionary 2007). For example, despite his focus on information governance MacLennan makes no mention of the international standards ISO 30300:2011 and ISO 30301:2011, ‘a management system to direct and control an organization with regard to records’. The requirements documented in these standards for establishing a management system for records (MSR) are based on the principles and processes found in the earlier and well established ISO to which MacLennan refers. This latter standard is concerned more with analytical and operational details and the design and use of records systems. The ISO 30300/1 series establishes the management and control framework so key to the success of information governance.

The content of Chapter 3 is more promising as it plays to MacLennan’s past strength as an analyst/programmer. Over 32 pages (including references) he discusses approaches to the management of data quality with a particular focus on aspects of accuracy, completeness, consistency and timeliness as commonly identified in the academic literature which he cites.

Starting with issues around incorrect or variable spelling of names and the interpretation of abbreviations such as ‘St.’ for ‘Saint’, he then differentiates between syntactic and semantic accuracy. Thus, recording ‘McLennan’ as author for this book in a bibliographic database would be a syntactic inaccuracy, while storing the value ‘Reid’ as the author would constitute a semantic error. Some such errors can be avoided by using an authority list of terms – an agreed data set – against which checks can be made at data entry time.

Completeness involves ensuring that the description provided for an entity meets an agreed level of thoroughness, however that may be defined. Thus a database or list of contact details may have no entry for a person’s mobile telephone number – the entry can be considered complete if that person does not possess a mobile phone or incomplete if they have a phone but its number has not been provided.

Consistency requires that data be consistent with each other. This is a necessity in relational databases where for example checks such as ‘if “has Driving Licence” is “Yes”, then age must be ≥16’ should be commonplace. MacLennan cites the problem encountered by the US National Aeronautics and Space Administration (NASA) who lost a craft orbiting Mars because the attitude-control system used imperial units (feet and pounds) while the navigation software used metric units (metres and kilos).

It has proved more difficult to agree a definition of timeliness. MacLennan suggests the idea has something to do with how up-to-date the data is; how quickly it reflects changes in the real-world situation. As a further quality component, it is also possible to apply a ‘reasonability check’ – does the data make sense, based on what is known about it?

These various quality issues are then exemplified by considering the entries in a simple flat-file bibliographic database.

The foregoing quality issues may be addressed in various ways, some amenable to computerized solutions, others by changes to the business processes, or a combination of both. Six data quality tools (not necessarily mechanized) as defined by Gartner are then presented, namely: profiling, parsing and standardization, cleansing, matching, enrichment and finally monitoring.

• Profiling is concerned with deriving metadata to determine to what extent the data needs modification.

• Parsing breaks down text fields into their components (for example a telephone number comprising a country code and area code before the number).

• Cleansing means changing data values so that they fall within acceptable domains, or satisfy integrity constraints.

• Matching is a process which begins with identifying records which are related or similar. This may help identify ‘data silos’ containing similar or the same information and lead to agreement on what is to be the authoritative source for particular types of information (what MacLennan later refers to as ‘Master Data Management’ – MDM). Later MacLennan refers to the problems of ‘data integration’ as encountered when different systems containing similar data need to be merged.

• Enrichment involves the improvement of records by adding data from other sources. For example commercial organizations make great use of data mining whereby the records of customer purchases recorded via use of their loyalty cards enable advertising to be targeted based on this data. MacLennan later gives the example of a charity exploiting the Royal Mail’s Postcode Address File (PAF) to save on mailing costs through the use of this authoritative data.

• Monitoring is an ongoing process of ensuring that data continues to meet acceptable standards, however they may be defined. This may be helped by systematically applying system updates as later discussed in the Chapter.
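As an added example that is not part of the review or of MacLennan’s book, the following Python script runs the accuracy (syntactic and semantic), completeness, reasonability and timeliness checks described above, together with Gartner’s profiling and parsing/standardization tools, over a constructed flat-file bibliographic database of the kind the book uses. The authority list, the known-works table and the ISBN-13 checksum rule are assumptions of the example.

```python
"""Data-quality checks over a small flat-file bibliographic database.

Added example, not from the review or MacLennan's book. The authority list,
the known-works table and the ISBN-13 checksum rule are assumptions of this
example, not content from the page."""
import csv
import io
from datetime import date

# Constructed sample rows (not real catalogue data). Row 2 has a syntactic
# error ('McLennan' is not the authority spelling); row 3 names a valid author
# who did not write the title (a semantic error); row 4 lacks a year and its
# ISBN fails the checksum.
FLAT_FILE = """\
id,title,author,year,isbn,last_verified
1,Information Governance and Assurance,MacLennan,2014,978-0-00-000000-2,2015-01-10
2,Information Governance and Assurance,McLennan,2014,9780000000002,2015-01-10
3,Information Governance and Assurance,Reid,2014,978-0-00-000000-2,2009-06-01
4,Records Management Handbook,Penn,,978-0-00-000000-7,2015-01-10
"""

AUTHORITY_AUTHORS = {"MacLennan", "Penn", "Reid"}  # agreed data set (assumed)
KNOWN_WORKS = {"Information Governance and Assurance": "MacLennan"}  # assumed
REQUIRED_FIELDS = ("title", "author", "year", "isbn")
STALE_AFTER_DAYS = 3 * 365


def parse_isbn13(raw: str):
    """Parsing/standardisation: strip hyphens and spaces; return the 13 digits
    if the ISBN-13 checksum holds, else None (cleansing writes this value back)."""
    digits = raw.replace("-", "").replace(" ", "")
    if len(digits) != 13 or not digits.isdigit():
        return None
    total = sum(int(d) * (1 if i % 2 == 0 else 3) for i, d in enumerate(digits[:12]))
    return digits if (10 - total % 10) % 10 == int(digits[12]) else None


def check_record(row: dict, today: date) -> list:
    """Return (dimension, message) pairs for every quality issue in one row."""
    issues = []
    for field in REQUIRED_FIELDS:  # completeness: agreed required fields
        if not row.get(field, "").strip():
            issues.append(("completeness", f"missing {field}"))
    author, title = row["author"].strip(), row["title"].strip()
    if author and author not in AUTHORITY_AUTHORS:  # syntactic accuracy
        issues.append(("accuracy", f"author '{author}' not in authority list"))
    elif author and KNOWN_WORKS.get(title, author) != author:  # semantic accuracy
        issues.append(("accuracy", f"'{author}' is not the author of '{title}'"))
    if row["isbn"] and parse_isbn13(row["isbn"]) is None:
        issues.append(("accuracy", f"isbn '{row['isbn']}' fails the ISBN-13 check"))
    year = row["year"].strip()  # reasonability check: does the year make sense?
    if year and (not year.isdigit() or not 1450 <= int(year) <= today.year):
        issues.append(("consistency", f"year '{year}' is not a plausible year"))
    verified = date.fromisoformat(row["last_verified"])  # timeliness
    if (today - verified).days > STALE_AFTER_DAYS:
        issues.append(("timeliness", f"not verified since {verified}"))
    return issues


def profile(rows: list) -> dict:
    """Profiling: fill rate and distinct-value count per raw field; the two
    spellings of one ISBN in rows 1-2 show why standardisation is needed."""
    return {f: {"filled": sum(1 for r in rows if r[f].strip()) / len(rows),
                "distinct": len({r[f].strip() for r in rows if r[f].strip()})}
            for f in rows[0]}


def run(text: str, today: date):
    """Check every row of a flat file; returns (issues by id, field profile)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return {r["id"]: check_record(r, today) for r in rows}, profile(rows)


def run_sample():
    """Run the checks over the constructed file with a fixed 'today'."""
    return run(FLAT_FILE, date(2015, 3, 1))
```

Note that the semantic error in row 3 is only caught because a second, trusted source (the known-works table) is cross-referenced; format and authority-list checks alone pass it.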

Process improvement initiatives to address data quality may be applied vertically in an organization (for example where it is structured into separate regional businesses each with their own support and operational functions), or horizontally where information silos exist across different departments or units. MacLennan describes the experience of Nestlé who, although vertically organized, adopted a horizontal approach to improve data quality.

The issues outlined above need to be tackled through the development and adoption of an appropriate strategy and policy, the elements of which are briefly discussed together with the role of the ‘information professional’ and the need to involve the wider organizational community.

Chapter 4 (29 pages) covers internal and external threats to computerized data. The former include both the ‘disgruntled’ and ‘ex-’ employee and are exemplified by the cases of Bradley Manning and Edward Snowden. Ways of minimizing the risks from such persons are discussed ranging from pre-employment checks (for example relating to credit and police records) to post-departure steps (for example collecting security passes and deleting passwords) and all in between (for example training and education in security and creating an organizational culture that fosters loyalty).

External threats are often subsumed under the heading ‘hacking’ which MacLennan rightly states should not have this connotation as it originally related to such activities as extending the capabilities of hardware beyond what it was originally designed for. ‘Cracking’ or simply ‘attacking’ is a more appropriate term in the context of external threats to an organization’s data. Later MacLennan differentiates between ‘Black hat’ and ‘White hat’ attackers – the former being the bad guys and the latter those that use their skills in a socially responsible way. An example of bad guy turned good is provided by citing the case of Kevin Mitnick.

Software-based attacks variously categorized as malware, worms, viruses, Trojans, spyware and rootkits are described in some detail along with real-world examples of their application. Denial of service (DoS) attacks take advantage of the client-server architecture to overwhelm the capacity of the server to respond to requests for files, thereby effectively shutting down a website. DoS attacks are difficult to defend against but may be countered to some extent by ensuring overcapacity in the system architecture.

Phishing is seen as a way to ‘fish’ for personal information, typically using emails. However it can constitute a breach of an organization’s security where the recipient is an employee. A case study concerning the phishing of bank employees showed that even with training to detect such emails some 28% of decisions made were incorrect.

The process of getting users to reveal otherwise secure information has come to be called (somewhat confusingly perhaps because of its earlier wider connotations) ‘social engineering’. This is exemplified by the recent rise in telephone calls from bogus police officers or bank employees to unsuspecting members of the public to obtain sensitive information.

Individuals are just as likely unwittingly to reveal sensitive information via social media such as Facebook and LinkedIn, as MacLennan covers under ‘the unwitting internal threat’. Photos or documents may be tagged with such information via metadata, unseen to the user maybe, but accessible to those with malicious intent.

As regards legal counters to such threats, legislation has, the author feels, struggled to keep pace with new and emerging threats to data. The UK Computer Misuse Act 1990 defines the offences as follows (the information comes from http://www.legislation.gov.uk/ukpga/1990/18/contents):

1. Unauthorized access to computer material.
2. Unauthorized access with intent to commit or facilitate commission of further offences.
3. Unauthorized acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
3A. Making, supplying or obtaining articles for use in offence under Section 1 or 3.

MacLennan also cites the Council of Europe Convention on Cybercrime, 2001, and legislation in the USA.

Having detailed the various threats, measures to counter them are presented and are seen as being ones that are well understood by many information professionals. These include the choice of secure and well-structured passwords, changing them regularly and as and when needed (when staff changes are made for example), and ensuring the removal of temporary and guest accounts once no longer required. (On a personal note I returned after 2 years to undertake a second contract assignment for a client only to find that my earlier account and emails were still available.)

Firewalls and anti-virus software are commonly deployed, but need to be reviewed to ensure they are kept up-to-date and are appropriate for the current or planned software environment.

Importantly, staff need to be educated and updated on developments in external threats and also in the ways they conduct themselves on social media, in emails and in using their personal digital devices (mobile phones, tablets, CDs, DVDs, USB devices etc.). Such behaviour needs to be signed up for by staff in terms of employment or an Acceptance Use Policy (AUP).

The next Chapter 5 expands on the topic of threats from the previous Chapter by considering the security environment and the application of standards as exemplified by

• ISO/IEC (Information technology – Security techniques – Code of practice for information security management)

• ISO/IEC (Information technology – Security techniques – Information security management systems – Overview and vocabulary). (NOTE: since the publication of this book the latter has been superseded by ISO/IEC)

• ISO/IEC – Information security management system (ISMS)

The importance of having a strategy to counter breaches of security is emphasized here by the results of a survey by PricewaterhouseCoopers in 2013 which found that the number of breaches continues to increase. The implementation of an information security governance (ISG) system in Entrust (a US provider of security solutions) is presented in some detail as a case study. They selected ISO as the best reference for ISG, but found it weak in non-technical, strategic terms. The approach they adopted was based on a cycle of continuous improvement.

The shortfall in ISO is based on the fact that it is more concerned with the operational aspects of security control. The ISO 27000 series of standards addresses this deficiency and falls within the same group of management system standards as ISO 9000 for quality management and ISO 30300 for records management (although, as already noted, the latter was not cited in MacLennan’s book). These management system standards are designed to be markers against which conformance can be assessed by authorized external bodies.

MacLennan describes the following standards in the ever expanding series.

ISO 27000 itself provides the overview of information security management systems, and terms and definitions commonly used in the ISMS family of standards.

ISO 27001 provides requirements for establishing, implementing, maintaining and continuously improving an ISMS.

ISO 27002 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization’s information security risk environment.

ISO 27003 provides guidance on the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS, and outlines how to plan the ISMS project, resulting in a final ISMS project implementation plan.

ISO 27004 provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001.

ISO 27005 provides guidelines for information security risk management (ISRM) in any type of organization.

ISO 27006 offers guidelines for the accreditation of organizations which offer certification and registration with respect to an ISMS.

I note that ‘Building a clear picture of future publications within the ISO 27000 series is far from simple’ (see http://www.27000.org/future.htm). Furthermore changes in the existing standards bring further confusion. Thus MacLennan quotes from ISO 27000:2012 which includes definitions for ‘asset’. However in the revised version ISO 27000:2014, issued since the book was published, the terms “Accountability”, “Asset” and “Information asset” are no longer defined, and there are updated, lengthy notes for “Risk”.

This is not the place to delve further into these issues; suffice to say organizations are being faced by an increasing number of ISO ‘management systems’ that overlap as regards the business functions they are aimed at and are administratively burdensome to integrate. MacLennan, in part, acknowledges this and offers a different, and complementary, approach based on ‘follow the data’ – looking at the flow of information. He continues by discussing measures such as improving physical security and conducting various types of back-up (incremental, differential and cloud storage).

Risk management is then considered in the context of ISO/IEC 100:2009 (Risk management – Principles and guidelines) which provides principles, a framework and a process for managing risk based on the ‘plan-do-check-act’ cycle, and ISO Guide 73:2009 which provides the definitions of generic terms related to risk management. Hazard risks, control risks and opportunity risks (the latter undertaken voluntarily) and ways of handling and dealing with risk are briefly discussed including those based on preventative control, corrective control and directive control. The risks which directly affect information workers are, according to MacLennan, likely to be hazard risks. He sees current awareness programmes to be a valuable way to inform management about the external environment (customers, competitors, government) thereby enabling informed decisions to be made that reduce the risk of unforeseen outcomes.

Yet another ‘management system’ standard discussed is that relating to business continuity management (BCM), ISO 22301:2012. It ‘specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise’. Again, the business continuity preparedness of organizations can be assessed by approved external certification bodies. MacLennan outlines planning for BCM, developing a strategy, documenting procedures and the testing of the outcome. A BCM case study for a small UK engineering company is described.

The Chapter ends by outlining an information management role and reiterating some of the factors that need to be considered as part of business continuity: back-ups, patches and updates, firewalls, websites, anti-virus software, personal digital devices and

The final Chapter 6 covers a framework approach to information governance with a framework being defined as established practices that can be repeatedly applied to solving problems uniformly. MacLennan again refers to ISO 15489 as one for records management (although ISO 30300/1 is the appropriate one to use) and ISO 27000 for security. He poses a scenario where these various frameworks (including business continuity and risk management) could be placed in an all-encompassing framework for use by the organization.

Lessons learned from various initiatives or approaches are discussed including

• The approach adopted by the US National Archives and Records Administration (NARA) for developing records management guidance

• An information security framework based on literature searches and a survey of security professionals

• The impact of the Sarbanes-Oxley Act which impacted accounting practices in the US

• The use of the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework for enterprise risk management

• Business continuity practices identified by Ernst & Young

• An IT framework developed internally by an IT department

MacLennan then draws together the various threads of his earlier discussions to consider, in brief, the information governance and assurance framework in operation. It would be multidisciplinary, including IT, information security, records, risk and continuity, and would be developed through assessment, design and implementation phases.

The Chapter ends by emphasizing ethical responsibilities in handling sensitive personal data and the role that the information professional can play, such as acting as a fair dealer in inter-departmental discussion, tracing information flows through business procedures, suggesting roles and responsibilities and making recommendations for practices compliant with legislation and standards. At the highest level, selection of standards or other plans for the components of the overall framework would be advisory.

Crucially, in this book, MacLennan omits reference to the relevant international standards ISO 30300/1 for a management system for records (MSR). Although those who adopt ISO 15489 can assess their conformance to its requirements, it cannot lead to formal certification under ISO rules. Coverage of the MSR standards would have enabled a more complete analysis of the use of management system standards in organizations in the context of information governance.

Overall the coverage of data quality, dealing with threats, information security, risk management, and business continuity is more akin to a ‘text book’ than that of the information legislation (FOIA and DPA) and records management. From that aspect the book will be of value to new or existing records, information and library staff who have had little exposure to the more ‘system analyst’ aspects of information management.
Bob Wiggins
Cura Organisation, 1 Theatre Lane, Chichester PO19 1SR, United Kingdom

Stuart James Fitz-Gerald ∗
Kingston Business School, United Kingdom

∗ Corresponding reviewer.
E-mail addresses: [email protected] (B. Wiggins), [email protected] (S.J. Fitz-Gerald).