The purpose of an information governance framework is to establish the organization’s approach to managing information within its business, legal, and regulatory context. An effective framework covers the following areas.
Scope and Charter
Establish the scope of the information governance program. Set out the procedures that govern the creation, sharing, storage, and disposal of information. Define how all information, and the systems that process it, is managed wherever it affects the enterprise’s legal and regulatory obligations.
Roles and Responsibilities
Define the key roles and responsibilities in information governance and assign each to a named owner. These include the information governance committee, the information governance team, the information risk management team, the information asset management team, the records management team, business line managers, and employees.
Information Policies and Procedures
Some enterprise information will be created and stored by third parties. The framework establishes how the organization manages information shared with partners, suppliers, and other stakeholders, and how information governance requirements are carried into contractual obligations and supplier relationships. Establish the metrics against which third parties are evaluated to confirm conformity with information governance goals, and make sure the contract gives the organization the means to verify them, such as a right to audit and an obligation to report incidents affecting the organization’s data.
Business Continuity, Disaster Recovery and Contingency
The framework should set out the processes for reporting information losses and breaches, incident management and escalation, disaster recovery, and business continuity. Reporting procedures should define who is notified and within what timeframe, since breach notification deadlines are frequently a legal or regulatory obligation rather than an internal preference.
Audit and Review
Continuously monitor information access, information use, regulatory compliance, information security, infrastructure performance, and storage performance. Conduct regular risk assessments, audits, and reviews, and feed their findings back into the policies and procedures so that the framework is revised as the organization and its obligations change.