Recently, high-profile cases involving breaches of privacy revealed the ongoing need to ensure that personal information is properly protected. The issue is multidimensional, involving regulations, corporate policies, reputation concerns, and technology development. 

Organizations often have an uneasy truce with privacy regulations, viewing them as an obstacle to the free use of information that might help the organization in some way. 

But like many compliance and governance issues, managing privacy will offer benefits, protecting organizations from breaches that violate laws and damage an organization's reputation. Sometimes the biggest risks in privacy compliance arise from the failure to take some basic steps. A holistic view is beneficial.

Privacy Compliance Components

Rather than being in conflict with the business objectives, privacy should be fully integrated with it. Privacy management should be part of knowledge management program.

An effective privacy management program has three major components: establish clear policies and procedures, follow procedures to make sure that organization's operation is in compliance with those policies, and provide an oversight to ensure accountability. Example of questions to consider: is data being shared with third parties, why the information is being collected, and what is being done with it.

Expertise about privacy compliance varies widely across industries, corresponding to some degree with the size of an organization. Although large companies are far from immune to privacy violations, they might at least be aware and knowledgeable about the issue.

The biggest mistake that organizations make in handling privacy is to collect data without a clear purpose. You should know not just how you are protecting personal information but also why you are collecting it. It is important for organizations to identify and properly classify all their data.

International Considerations

Increasingly, organizations must consider the different regulations that apply in countries throughout the world, as well as the fact that the regulations are changing. For example, on March 12, 2014, the Australian Privacy Principles (APPs) will replace the existing National Privacy Principles and Information Privacy Principles. 

The new principles will apply to all organizations, whether public or private, and contain a variety of requirements including open and transparent management of personal information. Of particular relevance to global companies are principles on the use and disclosure of personal information for direct marketing, and cross-border disclosure of personal information.

It is important to consider international regulations in those countries where an organization has operations.

Technology Role

The market for privacy management software products is still relatively small. The market for this software is expected to grow rapidly over the coming years. The current reform process for data protection has created a need for privacy managing technology. 

Products from companies such as Compliance 360 automate the process of testing the risk for data breaches, which is required for the audits mandated by the Economic Stimulus Act of 2009. This act expanded the Health Insurance Portability and Accountability Act (HIPAA) of 1996 requirements through its Health Information Technology for Economic and Clinical Health (HITECH) provisions. 

These provisions include increased requirements for patient confidentiality and new levels of enforcement and penalties. In the absence of suitable software products, organizations must carry out the required internal audits and other processes manually, which is time consuming and subject to errors.

Enterprise content management (ECM), business process management (BPM) and business intelligence (BI) technology have important role in privacy compliance because content, processes, and reporting are critical aspects of managing sensitive information. 

As generic platforms, they can be customized, which has both advantages and disadvantages. They have a broad reach throughout the enterprise, and can be used for many applications beyond privacy compliance. However, they are generally higher priced and require development to allow them to perform that function.

Privacy in the Cloud

Cloud applications and data storage have raised concerns about security in general, and personally identifiable information (PII) in particular. Although many customers of cloud services have concluded that cloud security is as good or better than the security they provide in-house, the idea that personally identifiable information could be "out there" is unsettling.

PerspecSys offers a solution for handling sensitive data used in cloud-based applications that allows storage in the cloud while filtering out personal information and replacing it with an indecipherable token or encrypted value.

The sensitive data is replaced by a token or encrypted value that takes its place in the cloud-based application. The "real" data is retrieved from local storage when the token or encrypted value is retrieved from the cloud. Thus, even though the application is in the cloud, the sensitive information is neither stored in the cloud nor viewable there. It physically resides behind the firewall and can only be seen from there.

This feature is especially useful in an international context where data residency and sovereignty requirements often specify that data needs to stay within a specific geographic area.

Challenges for Small Organizations

Small to medium-sized organizations generally do not have a dedicated compliance or privacy officer, and may be at a loss as to where to start.

Information Shield provides a set of best practices including a policy library with prewritten policies, detailed information on U.S. and international privacy laws, checklists and templates, as well as a discussion of the Organization for Economic Co-operation and Development (OECD) Fair Information Principles. Those resources are aimed at companies that may not have privacy policies in place but need to do so to provide services to larger healthcare or financial services organizations.

Among the resources is a list of core privacy principles based on OECD principles. Each principle has a question, brief discussion and suggested policy. For example, the purpose specification principle states, "The purposes for which personal information is collected should be specified no later than the time of data collection, and the subsequent use should be limited to fulfilling those purposes or such others that are specified to the individuals at the time of the change of purpose." The discussion includes comments on international laws and a citation of several related rulings.

Plans for Future

Business users and consumers alike have become accustomed to the efficiency and speed of digital data. However, more strict regulations are inevitable. Organizations should become more aware of having to prevent privacy breaches, and to make sure they have the systems in place to do this. Companies should also be concerned about reputation damage, which can severely affect business. Along with reliable technology, the best way forward is to follow best practices with respect to data privacy. Technology is essential, but it also has to be supported by people and processes.

The goals of any enterprise content management (ECM) system are to connect an organization's knowledge workers, streamline its business processes, and manage and store its information. 

Microsoft SharePoint has become the leading content management system in today's competitive business landscape as organizations look to foster information transparency and collaboration by providing efficient capture, storage, preservation, management, and delivery of content to end users.

A recent study by the Association for Information and Image Management (AIIM) found that 53% of organizations currently utilize SharePoint for ECM. SharePoint's growth can be attributed to its ease of use, incorporation of social collaboration features, as well as its distributed management approach, allowing for self-service. With the growing trends of social collaboration and enhancements found in the latest release of SharePoint 2013, Microsoft continues to facilitate collaboration among knowledge workers.

As SharePoint continues to evolve, it is essential to have a solution in place that would achieve the vision of efficiency and collaboration without compromising on security and compliance. The growing usage of SharePoint for ECM is not without risk. AIIM also estimated that 60% of organizations utilizing SharePoint for ECM have yet to incorporate it into their existing governance and compliance strategies. It is imperative that organizations establish effective information governance strategies to support secure collaboration.

There are two new nice features in SharePoint 2013 version that would help you with compliance issues. E-discovery center is a SharePoint site that allows to get more control of your data. It allows to identify, hold, search, and export documents needed for e-discovery. "In Place Hold" feature allows to preserve documents and put hold on them while users continue working on them. These features are available for both on-premises and in-cloud solutions.

2013 SharePoint has been integrated with Yammer which provides many social features. This presents new challenge with compliance. Yammer is planning to integrate more security in future releases. But for now, organizations need to create policies and procedures for these social features. Roles like "Community Manager", "Yambassadors", "Group Administrators" might be introduced.

There are 3rd party tools that could be used with SharePoint for compliance and information governance. They are: Metalogix and AvePoint for Governance and Compliance, CipherPoint and Stealth Software for Encryption and Security; ViewDo Labs and Good Data for Yammer analytics and compliance.

In order to most effectively utilize SharePoint for content management, there are several best practices that must be incorporated into information governance strategies as part of an effective risk management lifecycle. The goal of any comprehensive governance strategy is to mitigate risk, whether this entails downtime, compliance violation or data loss. In order to do so, an effective governance plan must be established that includes the following components:

Develop a plan. When developing your plan, it is necessary for organizations to understand the types of content SharePoint contains before establishing governance procedures. It is important to involve the appropriate business owners and gather any regulatory requirements. These requirements will help to drive information governance policies for content security, information architecture and lifecycle management. 

When determining the best approach to implement and enforce content management and compliance initiatives, chief privacy officers, chief information security officers, compliance managers, records managers, SharePoint administrators, and company executives will all have to work together to establish the most appropriate processes for their organization as well as an action plan for how to execute these processes. During the planning phase, your organization should perform an assessment, set your organization's goals, and establish appropriate compliance and governance requirements based on the results of the assessment to meet the business objectives.

Implement your governance architecture. Once your organization has developed a good understanding of the various content that will be managed through SharePoint, it is time to implement the governance architecture. In this phase, it is important to plan for technical enforcement, monitoring and training for employees that address areas of risk or noncompliance. It is important to note that while SharePoint is known for its content management functionality, there are specific challenges that come with utilizing the platform as a content management system for which your governance architecture must account: content growth and security management.

In order to implement effective content management, organizations should address and plan to manage growth of sites, files, storage, and the overall volume of content. Organizations without a governance strategy often struggle with proliferation of content with no solutions to manage or dispose of it. This is a huge problem with file servers. Over time, file servers grow to the point where they become a bit like the file cabinet collecting dust in the corner of your office. It is easy to add in a new file, but you will not find it later when you need it. The challenge comes from the planning on how to organize and dispose of out-of-date content. 

SharePoint offers the technology to address these challenges, but only if it is enabled as part of your governance plan. Information management policies can be used to automatically delete documents, or you may be using third-party solutions to archive documents, libraries and sites. By default in SharePoint 2013, Shredded Storage is enabled to reduce the overall storage of organizations that are utilizing versioning. Remote BLOB Storage (RBS) can also be enabled in SharePoint or through third-party tools to reduce SharePoint's storage burden on SQL Server.

Tagging and classification plays a key role in information governance. Proper classification can improve content findability. Organizations can utilize SharePoint's extensive document management and classification features, including Content Types and Managed Metadata to tag and classify content. Third-party tools that extend SharePoint's native capabilities can also filter for specified content when applying management policies for storage, deletion, archiving, or preservation. Ultimately, however, the people in your organization will play the biggest role here. As such, your plan should identify who the key data owners are and the areas for which they are responsible. This role is often filled by a "site librarian" or those responsible for risk management in the enterprise.

In order to minimize risk to the organization, it is imperative to ensure information is accessible to the people that should have it, and protected from the people that should not have access. SharePoint has very flexible system of permissions that can accommodate this issue.

Ongoing assessments. In order to ensure that established governance procedures continue to meet your business requirements ongoing assessment is required. Conduct ongoing testing of business solutions, monitoring of system response times, service availability and user activity, as well as assessments to ensure that you have complied with your guidelines and requirements for properly managing the content. The content is essentially your intellectual property, the lifeblood that sustains your organization. 

React and revise as necessary. In order to continue to mitigate risk, respond to evolving requirements, and harden security and access controls, we must take information gathered in your ongoing assessments and use that to make more intelligent management decisions. Continue to assess and react and revise as necessary. With each change, continue to validate that your system meets necessary requirements. 

The risk has never been higher, especially as more data is created along an growing regulatory compliance mandates requiring organizations to ensure that its content is properly managed. 

If you develop a plan, implement a governance architecture that supports that plan, assess the architecture on an ongoing basis, and react and revise as necessary, your organization will have the support and agility necessary to truly use all of the content it possesses to improve business processes, innovation, and competitiveness while lowering total costs.

ISO 9001 compliance becomes increasingly important in regulated industries. How does it affect documentation? Here is how...

What is Document Control?

Document control means that the right persons have the current version of the documents they need, while unauthorized persons are prevented from use.

We all handle many documents every day. These documents include forms that we fill out, instructions that we follow, invoices that we enter into the computer system, holiday schedules that we check for the next day off, rate sheets that we use to bill our customers, and many more.

An error on any of these documents could lead to problems. Using an outdated version could lead to problems. Not knowing if we have the latest version or not could lead to problems. Just imagine us setting up a production line to outdated specifications or making strategic decisions based on a wrong financial statement.

ISO 9001 gives us tools (also referred to as "requirements") that show us how to control our documents.

ISO 9001 Documents

There are no "ISO 9001 documents" that need to be controlled, and "non ISO 9001 documents" that don't need control. The ISO 9001 system affects an entire company, and all business-related documents must be controlled. Only documents that don't have an impact on products, services or company don't need to be controlled - all others need control. This means, basically, that any business-related document must be controlled.

However, how much control you apply really depends on the document.

The extent of your approval record, for example, may vary with the importance of the document (remember, documents are approved before they are published for use).

The Quality Policy, an important corporate policy document, shows the signatures of all executives.

Work instructions often just show a note in the footer indicating approval by the department manager.

Some documents don't even need any approval record: if the person who prepared a document is also responsible for its content (e.g., the Quality Manager prepares instructions for his auditors), a separate approval is superfluous.

On the other hand, identifying a document with a revision date, source and title is basic. It really should be done as a good habit for any document we create.

Please note that documents could be in any format: hard copy or electronic. This means that, for example, the pages on the corporate internet need to be controlled.

Responsibility for Document Control

Document control is the responsibility of all employees. It is important that all employees understand the purpose of document control and how to control documents in accordance with ISO 9001.

Please be aware that if you copy a document or print one out from the Intranet and then distribute it, you are responsible for controlling its distribution! The original author will not know that you distributed copies of this documents, so the original author can't control your distribution.

Dating Documents

ISO 9001 requires to show on every document when it was created or last updated. Many of us may have thought to use our word processor's automatic date function for this, but... should we use the automatic date field on documents?

Generally not. If you enter the automatic date field into a document, the field will automatically be updated to always show the current date, no matter when you actually created or updated the document.

Example: For example, if you use the automatic date field in a fax and you save the fax on your computer for future reference, you won't be able to tell when you wrote the fax: when you open the fax on your computer, it will always show today's date.

The automatic date field is not suitable for document control. Therefore, as a general rule, don't use the automatic date field to identify revision status.

ISO 9001 Documentation

ISO 9001 documentation includes:

• the Quality Procedures Manual, which also includes corporate policies and procedures affecting the entire company;
  
• work instructions, which explain in detail how to perform a work process;
  
• records, which serve as evidence of how you meet ISO 9001 requirements.
  

Policies and Procedures

Our ISO 9001 Quality Manual includes the corporate Quality Policy and all required ISO 9001 Procedures. While most procedures affect only managers, every employee must be familiar with the Quality Policy and with the Document Control procedures. The Quality Policy contains the corporate strategy related to quality and customer satisfaction; all other ISO 9001 documents must follow this policy. The Document Control procedures shows how to issue documents, as well as how to use and control documents.

Continuous Improvement

Implementing ISO 9001 is not a one-time benefit to a company. While you are utilizing the quality manual, quality procedures and work instructions in daily business activities, you are not only benefiting from better quality and increased efficiency but you are also continually improving. In fact, the ISO 9001 requirements are designed to make you continually improve. This is a very important aspect because companies that don't continue to improve are soon overtaken by the competition.

In part 1 and 2 of my post about governance, risk, and compliance, I have described why information governance is important, where to begin with the information governance, and I started to describe what needs to be considered in information governance polices. In this my post I will describe information governance policies as they relate to crisis management and e-discovery, and list general information governance control.

Information Governance for Crisis Management

Crisis management is set of procedures for unplanned situation that would prevent you from doing critical functions on your job. 

Such situations can be:

• Availability – illness, weather, turnover, fire, flood, severe weather, facility issues
• Technology – phone cut-off, system outage, applications is down, network problems
• Volume/Capacity – huge number of calls (in the example of call center)
• Special situations – pandemic, loss of facility, tornado, etc.

An approaching storm or disaster does not provide much leeway to assess your disaster recovery preparations. 

For example, if your CMS is down, what happens to those departments who need to use critical documents?

Solutions: 

What you need to do is to develop a plan for each crisis situation. It should be designed to implement disaster recovery. Planning is very important.

Prioritize requirements – short, medium, long-term. Assess business needs. For example, how do you want to handle spike of calls (if you are in the call center)? Short term plan could be such as – re-route calls for live answer where there are people. Medium to long term could be such as plan for alternative site, work from home.

Make your plan flexible. Have incident coordinator. Create communication plan which should include who is responsible for coordinating the recovery process. Create crisis team which could include IT, QA, management, business partners. Outline responsibilities and procedure in the document.

Test this procedure at least once a year. Do post-analysis – timing, access gaps, communications of results, recommend changes and training plan for next testing, maybe next quarter, not next year. Evaluate your systems when you have no crisis.

Other points:

• Address disaster recovery in addressing planned and unplanned downtime.
• Virtualize your data center.
• Ensure swift restoration of content items following corruption or accidental deletion.
• Maintain all metadata during and after recovery events.
• Ensure seamless transition to a warm stand-by system should the main system fail.
• Plan what to do if outage happens.
• Maximize platform up-time and swift restoration of platform following a disaster event.
• Users need to feel confident that the system will protect content and will be available regardless of any disaster, otherwise user adoption will fail – users will go back to their old habits essentially halting KM effort in its tracks.

Information Governance for E-Discovery

E-Discovery preparedness makes it imperative for organizations to develop an enterprise wide strategy to manage the volume of electronic information. The discovery process affects many individuals in an organization, not just lawyers and others involved in discovery, but also IT professionals and records managers, who have to be prepared to produce electronic content for discovery and litigation.

You need to have an ability to respond to legal request, to solve litigation issue, mitigate the risk of sanctions, reduce impact and cost associated with future litigation.

For legal counsel, it means having a review process to determine what discovered content is relevant to the case. For an IT person, it means restoring backup tapes to show evidence on file shares, content management systems, e-mail systems, or other applications. But for records managers, this work will have begun long before any lawsuit with managing records for retention, placing legal holds, and finalizing disposition.

E-discovery could be costly because it requires organizations to retrieve content from servers, archives, backup tapes, and other media.

In some cases, an organization is unable to execute a discovery order because it is unable to locate all content in a timely manner, or it is unable to place holds on all content and some of it is deleted during the lawsuit. The inability to do this correctly also has a cost, and it can be considerable.

To address these costs, many organizations are looking at e-discovery solutions that will enable them to review the found content and take it through litigation.

But organizations can also lower costs for archiving and restoring, legal review, and sanctions by simply cutting down how much content it retains. Less stored content means less content on which to perform discovery.

Developing a strategy and a plan of action for handling e-discovery will help organizations mitigate their risk and save them a significant amount of money in the event of litigation. Organizations need to have a retention policy to determine which content can be destroyed and at what time and which content should be kept and for how long. The key is to have a retention program that is flexible enough to keep content for the right retention period.

By categorizing content, creating a catalog of the content, creating a retention plan, implementing a hold methodology, and having disposition procedures, an organization will benefit in many ways.

Solutions: Integrate e-discovery into information governance practice. Include key capabilities:

• understand and secure – identify and categorize docs; docs are distributed globally; find and correctly identify them
• automate and enforce - extend policies to docs within unmanaged repositories such as file shares, SharePoint, etc. Automate processes in a transparent manner to manage and control docs. Retention and disposition policies that can be enforced within ECM.
• protect and control – regulate how docs accessed and used; security controls over docs; control who can access protected docs
• discover and produce – ability to produce relevant docs upon demand is a mandatory requirement.

Develop retention programs. Create committees within your organizations and bring their expertise together with legal counsel and IT to prepare for e-discovery and litigation.

General Governance Controls

• Understand your data topology – holistically across the enterprise: how much, where, who owns it, and what value does it provide.
• Employ real-time indexing of content – to keep track of its changes.
• Store the intelligence about your content (metadata).
• Create an information intelligence service center and include data analysis, governance analysis.
• Employ change management to stay current of new forms of content and new business requirements.
• Become proactive in deploying policies for securing data, storing data, sharing data and enforcing compliance.
• Remove obsolete or unnecessary content.
• Define content life cycle and retention policies.
• Tier your access to enable relevant data to be closer to users and devices that are local.
• Educate the organization on the value of good governance; it is less about control and more about raising the intelligence and health of information.
• Categorize your information and determine its value and rank.
• Use content approval function in your CMS.
• As deployments grow, organizations must also find ways to efficiently store records in compliance with retention of records management policies.
• Create retention schedule, content controls, consistent disposition of content in accordance with records management policies for content preservation, remediation, retention.
• Keep track of what info is created, stored, and accessed.
• Use auto-classification and semantic tools within the search engines.
• Move relevant documents from desktops and shared drives to your central docs repository.
• Create efficient document versioning and check-in/check-out management for information consistency.
• Create robust administration of users to ensure that each as access rights for only documents that they are authorized to have access to.

In my last post about governance, risk, and compliance, I have described why information governance is important and where to begin with the information governance. Today, I will describe what needs to be considered in information governance polices and will give some recommendations.

What needs to be considered in information governance polices?

Government mandates - If you are in a regulated industry, you need to consider first and foremost government mandates such as GMP/GxP, ISO 9001. You need to make sure that your documents management and IT are compliant with these requirements.

Proliferation of content - there has been explosive growth in the creation and collection of content by organization and individuals. Content is stored in CMS, data warehouses, physical warehouses, desktop computers, file shares, back-up archives, mobile devices, cloud services, employees personal computers and other devices such as tablets, smart phones, etc. To complicate matters this information is also geographically disbursed.

In SharePoint, for example, you get a small department that has a site, other departments take notice and start their own sites. Suddenly you have small SharePoint instances pervading everywhere. What organization should do instead is take those separate silos of SharePoint and combine them into one centrally managed environment. It is the matter of having a plan in place first, then applying the technology to achieve those business goals.

Information governance policies should cover desktops and shared drives, CMSs, databases and data warehouses, email systems, cloud based apps, social media platforms, physical warehouses. Content may be stored with the 3rd party, this needs to be considered.

Employees send email with documents attachments. This email and attachments have significant value to the business whether they contain contract terms, meeting notes or even employees opinions on a given topic. Email requires governance and so it needs to be included in your information governance policies.

Big data – are you prepared? What measures your IT has taken to help with this issue?

Cloud computing – If you use cloud computing, you need to create governance policy for it.

Mobile Devices - Employees use mobile devices to do their job. Many companies don’t have policies that cover things like tablets and handhelds. They are starting to, but it is just a beginning. You need to create polices for mobile devices and a mechanism to enforce those policies. And in the regulated environment, you would need to prove that you are enforcing those policies.

Social media - effectively leveraging social media while protecting the organization from non-compliance.

Create comprehensive social media governance plan. It should include compliance, supervision to interactive social content; perform conceptual search and policy-based monitoring of all info, inside and outside the firewall; establish social media usage policies and procedures and then train staff on them; preserve and collect relevant social media content for compliance and litigation purposes.

Consider all content and access methods involved as users connect via smartphones and tablets.

Employ solutions that capture additional approval on a site-by-site basis to verify assent for capturing and monitoring.

Wherever possible create separate business identities for social media to minimize capture of personal or private information.

Govern employees interactions. Most regulated organizations are taking a measured approach to social media, starting with small number of employees and approved social media sites.

Monitor and capture inside-based interactions within a corporate networks. Moderate inside-based interactions. Be mindful of legal and regulatory guidelines.

BYOD phenomena – “bring your own device”. People bring their iPads, iPhones, etc. to conferences, work, taking notes, making presentations, responding to email, updating pipeline,etc. All this content belongs to the organization but the device is not. What happens when this employee leaves the company? Or that employee loses the tablet? What happens to information?

I read about the case where a doctor had all his patients’ medical records unencrypted on his laptop. The laptop was stolen.

It could also be that there are multiple versions of documents floating around, gets passed from one person to another person, maybe tweaked a little along the way. And they each are legally discoverable. 

Be sure that the official version of the document is stored in your CMS and managed by your governance program.

It is imperative to have a policy to protect this information and to enforce that policy across all those devices.

Security – sensitive information must be protected – encrypted. LinkedIn got hacked and all passwords got stolen. What are you going to do that this does not happen to your organization?

Intellectual property - What about a pharmaceutical company developing a new drug, not yet under patent protection, and an employee takes that information to a competitor?

Of special importance is information related to future revenue. For example, a pharmaceutical company should place a high priority on protecting information related to future products which are not covered by patents.

It is vital for companies to have a system in place to protect sensitive content such as for example product roadmaps, manufacturing plans, vendor supply lists, marketing and promotional strategies.

In my next post, I will describe information governance for crisis management and e-discovery.

Governance is about securing the information and also about using information for greater value. People don’t talk much about value of information but information is strategic asset of a company. 

What makes a company great among other things is the ability to take information and use it as an asset. Information is what drives an organization, whether it is through development of new drugs, new products, looking into new geographic regions to expand to, etc.

Governance is like an insurance policy that that you feel like you are paying for nothing, until you need it. You don’t know when and if an “accident” will happen and you don’t know how big it will be, but when it does happen, you are very happy that you have that insurance policy. Until then you resent having to pay for it. Governance which is controls is your insurance policy.

KM can be costly in terms of fines, brand reputation, legal fees. In case of a legal discovery, the lack of documents means a disaster. Absence of document control in place will result in violating regulatory compliance.

To an increasing extent, organizations are focusing on risk management as a central issue in GRC equation. Enterprise Risk Management (ERM) is now a bigger driver for GRC than Sarbanes-Oxley or other compliance requirements. Organizations want a top-down viewpoint on risk, whether it is resulting from non-compliance or operational issues and want to know what is being done to mitigate it. ERM is increasingly considered as a strategic tool to support governance and improve business performance.

Governance and compliance are essential business functions. Risks need to be understood and managed. Risk management does not mean that every risk can be anticipated but it can plan for the risk and have alternatives ready.

Information governance – effective content controls, allowing all info to be securely and properly shared across departments, geographic locations, and systems.

Organizations need a closed loop environment for assessing business risks, documenting compliance and automating control monitors to sift through their business systems.

For example, SharePoint is widely adopted system for knowledge management. According to a recent AIIM report, more than 60% of organizations have yet to bring their SharePoint deployment into existing compliance, retention, and long-term archive policies.

To prevent potential exposure of sensitive or classified information, it is imperative for organizations to bring their SharePoint in line with existing compliance policies.

Benefits of information governance: helps management to enforce focus on business mission, employees have information that is accurate, current and is in suitable format for their use; employees are more efficient and productive; removing duplicate and unnecessary content reduces the time needed to find information, derive higher profits; operational cost is lowered; retention management optimizes cost-effectiveness of storage platforms; legal fees are reduced in case of litigation.

Where to begin?

To start information governance initiative, create steering committee – CIO, legal officer, compliance officer, other main stakeholders.

Outline the scope, timeline, budget.

It should be rolled out from the top. This way everybody will be on the same page.

Have a strategy. Strategy should drive what is measured and monitored for compliance and performance.

Information governance strategy must account for the value of information and how it is classified and accessed.

Info governance policies should support all of the organization’s governance controls – retention, disposition, legal hold, data privacy and security.

Policies need to be scalable, enforceable, and measurable. It is better not to have a policy than to have a policy which can’t be enforced.

Policies should change depending on new business requirements, regulatory demands, rising costs, litigation. Companies must have a process to update, validate, deploy, and enforce these policies. They should be deployed without negatively impacting users and operations.

Rank the value of information depending on its type and where it is coming from. For example, information created by VP of sales should be ranked higher that information created by a marketing intern.

More about governance in the next post.

In my last post, I described change control process in general and I mentioned that in the regulated industries, manufactures are required to use a change control procedure. I am going to describe this change control procedure in this post.

A change control procedure is usually one of standard operating procedures (SOP's). It usually includes a change control form. Some companies also use change request forms for suggested changes. This procedure usually includes the following components:

Identification

The identification of the changed device, assembly, component, labeling, packaging, software, process, procedure, manufacturing material, and any other related item or document. The change control form has blank spaces for recording this data.

Effective Date

The effective date of the change which is usually a completion date, or an action to be performed when a specific event occurs, such as "implement the change when the new part is installed, validated, and operational." The blank on the change control form for recording the effective date should not be left empty.

Responsibility

The change procedure should state which department or designee is responsible for each function to be performed.

Revision Number

The change procedure should describe the way the revision level is to be incremented. It is common practice to use sequential numbers for revisions.

Communication

The change procedure should describe the communication of changes to all affected parties such as production, purchasing, contractors, suppliers, etc. As appropriate, the document might include activities that apply to internal operations. Examples are employee training, rework, or disposition of in-process assemblies, use of revised drawings and/or procedures, and disposition of old documents.

Updating Documentation

The change procedure should cover updating of primary and secondary documentation such as instruction manuals. Usually there are no problems with updating or revising primary documentation -- in fact, that is a major reason the given change order is being processed. In contrast, it is rather easy to forget that related secondary documents such as component drawings, instruction manuals or packaging require revision if affected by a given change. The use of a good change control form can alleviate this problem.

Documentation Distribution

Revised documentation should be distributed to persons responsible for the operations affected by the change and old documents removed and filed or discarded, as appropriate. After updated documents have been approved, these documents have to be made available at all locations for which they are designated, used, or otherwise necessary, and all obsolete documents have to be promptly removed from all points of use or otherwise prevented from unintended use.

Remedial Actions

Certain changes may require remedial action. Changes of this nature should be addressed in the change control procedure.

Regulatory Submissions

There may be changes may that require a regulatory submission. The change control procedure should specify if regulatory submissions should be considered when making a change.

Business Factors

The change procedure should also cover other factors such as financial impact, modification of sales literature, update of products in commercial distribution, etc.

Quality Assurance Review

The change procedure should cover if the quality assurance review is required for the change.

This change control procedure is also used for document control.

Changes to documents have to be reviewed and approved by an individual(s) in the same function or organization that performed the original review and approval of these documents unless there is a specific designation that states otherwise. These approved changes have to be communicated to the appropriate personnel in a timely manner. A company has to maintain records of changes to documents.

Change control for documents should include:

• identification of the affected documents;
• a description of the change;
• revision number
• the signature of the approving individual(s);
• the approval date;
• the date when the change becomes effective.

In a case of the regulatory agencies inspection, the change control procedure is usually audited. 

Change control within quality management systems (QMS) and information technology (IT) systems is a formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner. It reduces the possibility that unnecessary changes will be introduced to a system without analysis, introducing faults into the system or undoing changes made by other users of software.

The goals of a change control procedure include minimal disruption to services, reduction in back-out activities, and cost-effective utilization of resources involved in implementing a change.

Change control is used in a wide variety of products and systems. For Information Technology (IT), it is a major aspect of the broader discipline of change management. Typical examples from the computer and network environments are patches to software products, installation of new operating systems, upgrades to network routing tables, or changes to the electrical power systems supporting such infrastructure.

Change control process can be described as the sequence of of six steps: record/classify, assess, plan, build/test, implement, close/gain acceptance.

Record/classify

A user initiates a change by making a formal request for something to be changed. The change control team then records and categorizes that request. This categorization would include estimates of importance, impact, and complexity.

Assess

Change control team makes an assessment typically by answering a set of questions concerning risk, both to the business and to the process, and follow this by making a judgment on who should carry out the change. If the change requires more than one type of assessment, the head of the change control team will consolidate them. Everyone with a stake in the change then meet to determine whether there is a business or technical justification for the change. The change is then sent to the delivery team for planning.

Plan

Management will assign the change to a specific delivery team, usually one with the specific role of carrying out this particular type of change. The team's first job is to plan the change in detail as well as construct a regression plan in case the change needs to be backed out.

Build/test

If all stakeholders agree with the plan, the delivery team will build the solution, which will then be tested. They will then seek approval and request a time and date to carry out the implementation phase.

Implement

All stakeholders must agree to a time, date and cost of the implementation of the change. Following the implementation, it is usual to carry out a post-implementation review which would take place at another stakeholders meeting.

Close/gain acceptance

When the user agrees that the change was implemented correctly, the change can be closed.

Change Control in a Regulatory Environment

In a Good Manufacturing Practice (GMP) or ISO 9001 regulated environment, change control activities and procedures apply to software, labeling and packaging, device manufacturing processes, production equipment, manufacturing materials, and all associated documentation such as quality system procedures, standard operating procedures, quality acceptance procedures, data forms, and product-specific documentation. Change control is also applied to any production aids such as photographs and models or samples of assemblies and finished devices.

Any regulated industry has a compilation of documents containing the procedures and specifications for a finished product. It includes specifications and all other documentation required to procure components and produce, label, test, package, install, and service a finished product. Manufacturers are to prepare, control changes to, and maintain these documents using change control procedure which is in fact the document control procedure.

In my next post, I will describe the change control procedure as it applies to documentation in a regulated industry. 

In my last post, I described the GMP requirements for document control. In this post, I am going to describe the GMP requirements for information technology used in a GMP company.

For a drug to be produced in a GxP compliant manner, some specific information technology practices must be followed. Computer systems involved in the development, manufacture, and sale of regulated product must meet certain requirements such as:

• secure logging: each system activity must be registered, in particular what users of the system do, that relate to research, development and manufacturing. The logged information has to be secured appropriately so that it cannot be changed once logged, not even by an administrative user of the system;
• auditing: an IT system must be able to provide conclusive evidence in litigation cases, to reconstruct the decisions and potential mistakes that were made in developing or manufacturing a medical device, drug or other regulated product;
• keeping archives: relevant audit information must be kept for a set period. In certain countries, archives must be kept for several decades. Archived information is still subject to the same requirements, but its only purpose is to provided trusted evidence in litigation cases;
• accountability: Every piece of audited information must have a known author who has signed into the system using an electronic signature. No actions are performed by anonymous individuals;
• non-repudiation: audit information must be logged in a way that no user could say that the information is invalid, e.g. saying that someone could have tampered with the information. One way of assuring this is the use of digital signatures.

GMP guidelines require that software programs must be validated by adequate and documented testing. Validation is defined as the documented act of demonstrating that a procedure, process, and activity will consistently lead to the expected results. The software validation guideline states: “The software development process should be sufficiently well planned, controlled, and documented to detect and correct unexpected results from software changes."

To validate software, it must be:

• structured, documented, and evaluated as it is developed;
• checked to make sure that it meets specifications;
• adequately tested with the assigned hardware systems;
• operated under varied conditions by the intended operators or persons of like training to assure that it will perform consistently and correctly.

It is important to notice these requirements since a document management system is required to control documents, so this document management system must meet these requirements for information technology.