Please enjoy this blog post which was authored and posted on behalf of Randy Anderson, Loffler, CISSP and Manager of the Cybersecurity and IT Consulting teams, Loffler Companies.
Establishing an Information Governance (IG) Committee is an important first step on a journey that will allow your firm to create and implement effective policies and procedures and to select the appropriate technologies to manage and protect the confidentiality of the information that is gathered and stored about your clients. This article is written as a starting point for firms that may not yet have a formal committee and related policies in place.
Committee Representation and Leadership
Smaller law firms especially may not have individuals specifically hired for the job titles below but will likely have partners or employees who either have current responsibilities in these areas or who could assume the responsibilities of these roles. At a minimum, make sure that these roles are identified and represented in the committee structure:
- Chief Information Security Officer (CISO): responsible for overall cybersecurity measures, information security policies, and privacy
- Chief Compliance Officer: responsible for ensuring compliance with regulatory and ethics requirements
- Chief Risk Officer: responsible for evaluating, understanding, and mitigating risk to the organization
- Records Management Manager or IT Manager: responsible for maintaining electronic and paper records and the systems used to manage them
- eDiscovery Practice Manager: responsible for managing the systems and processes used for eDiscovery
In determining who should lead the IG Committee, it is important to begin with the understanding that the work of this committee is not solely an Information Technology or Information Security responsibility. If the firm has one, it may be appropriate for a CISO to chair the committee, but greater acceptance of the committee's work and of its importance to the firm may be gained by having a partner chair it. For many organizations, the establishment of an IG Committee will be an opportunity to lead change within the organization and to establish new and better ways of working.
The Work of the Committee
Once the committee is formed and a charter is established, the committee can begin assessing the needs of the firm. Begin with a review of existing information security policies, with a focus on data classification and information governance. If these policies are not already in place, this is where the initial work of the committee will be focused.
Resist the urge to combine policies and procedures into a single document. Policies should be limited to describing high-level requirements and expectations; their purpose is to guide the organization in the creation of procedures and the selection of technical solutions that meet its needs. Policies state what is expected of the organization, its officers, and its employees. Procedures are more specific and describe how a policy will be implemented, so they can change as systems and workflows change without reopening the policy itself.
This article is primarily focused on the fundamentals of establishing an IG Committee from the risk and compliance perspective, but it is also important to understand that information governance can provide a strategic advantage to the firm or, conversely, become a hindrance to efficient work processes. In developing policies and procedures and selecting technology solutions, consider how easily people can understand and comply with what is being asked of them. Focus on writing policies and procedures that people can readily follow, and select technologies that support efficient workflows; controls that people work around provide no protection.
Confidentiality and data privacy are certainly among the most important concerns of the IG Committee. Along with these concerns, the committee must always consider the Ethical Wall when writing policies and procedures and selecting technology solutions. Every policy must be written in such a way as to ensure that conflicts of interest are avoided, and procedures must describe the specific steps to be followed so that the technology is used properly and conflicts are avoided in practice, not just on paper.
The Role of Insurance in Information Governance
No business activity is without risk, so it is important to consider the role that insurance must play in transferring the risk that remains after controls are in place. Once policies, procedures, and technologies are in place, a Business Impact Analysis (BIA) should be conducted to quantify what the loss or exposure of the firm's information would cost, and the residual risk should be assessed against that impact. The firm must then ensure that its Cyber Insurance and Professional Liability Insurance policies are adequate for the residual risk relative to the type and amount of data that the firm maintains. Keep in mind that insurance transfers financial loss only; it does not transfer the firm's ethical and professional obligations to its clients.
Establishing an IG Committee will allow your organization to manage information security, risk, compliance, and privacy concerns, and potentially to achieve strategic advantage through the creation of policies and procedures and the subsequent adoption of effective technologies. Selecting the right team members and committee leadership is important to the success of the committee. Make sure that policies are easy to understand and follow and that they promote efficiency in the organization, while also avoiding conflicts of interest.