Wednesday, August 19, 2009

Addressing Employee Policy Violations (Key #6: Effective and Consistent Program Enforcement) - Highlights of Chap. 17 Information Nation 2e

IMC violations occur for a variety of reasons, ranging from the unintentional and negligent, to the willful. Regardless, organizations must be crystal clear with employees about the consequences of violating Information Management policies and procedures. Statements outlining consequences should be a standard part of the policies to which they relate, and should be highlighted, communicated, and re-communicated.

It is also important that organizations inform current employees of past violations of Information Management policies that have resulted in employee termination and other disciplinary actions. The reason for such communications is to provide a warning to all employees and to prevent further violations, not to embarrass or humiliate the employees who have been disciplined. The courts have made clear that not only do organizations have the right to communicate with their employees about such matters, but it is also in their interest to do so.

Consistency is central to effective Information Management program enforcement for a variety of reasons. However, one of the most important reasons is to protect organizations from claims by accused violators that they are being selectively, unfairly or discriminately singled out and disciplined while other violators are not disciplined for the same reason.

Read about some of the common areas where organizations fail to enforce consistently in the second edition of Information Nation, available from John W. Wiley & Sons. For more information, see

Comments? Contact the author at

Thursday, August 6, 2009

Use Auditing and Monitoring to Measure IMC (Key #5: Auditing & Monitoring to Measure Program Compliance) Highlights: Chap. 16, Information Nation 2e

The best Information Management policies and practices in the world will not protect an organization unless they have the means to find out if employees are in fact complying with those directives. Auditing and monitoring allow organizations to understand where their Information Management program is succeeding and where it is failing, and correct any compliance problems before they blossom into full-fledged disasters.

Auditing and monitoring programs are required by law in some instances. Taxpayers wishing to keep records in electronic form must meet the requirements of IRS Revenue Procedure 97-22, which explicitly requires Information Management style controls and audits. The National Association of Securities Dealers, in conjunction with the Securities and Exchange Commission, regulates the securities industry, and has promulgated Conduct Rule 3010, which requires members to “establish and maintain a system to supervise the activities [of employees] that is reasonably designed to achieve compliance with applicable securities laws and regulations.”

Organizations should also consider the role of independent third parties in auditing and monitoring activities, particularly those in highly regulated industries. Such audits can be very formal and involve multiple steps, including a complete review of Information Management documentation, employee interviews, or examination of “live” processes and technology in action. On the other hand, such audits can also be less formal, and limited to an offsite review of specific policies and procedures, for example.

Learn more about auditing and monitoring processes in the second edition of Information Nation, available from John W. Wiley & Sons. For more information, see

Comments? Contact the author at