Phase 3


UNIVERSITY OF THE CUMBERLANDS

ITS 833 – INFORMATION GOVERNANCE

SPRING – IG BI-TERM 2019

SEMESTER PROJECT – PHASE III

SUBMISSION DEADLINE: 2/24/2019 11:30 P.M. Eastern Standard Time

Phases I and II were designed to assist you in beginning to analyze major components or factors that ultimately affect the Information Governance Plan that you design for Merchant Bank of America.

INSTRUCTIONS FOR PHASE III

It is your task to now add the “content” to the outline for the Information Governance Plan/Program. That is, you are to prepare an Information Governance Policy/Program for Merchant Bank of America, as it pertains to the bank’s Merchant Customers who allow their customers to buy on credit using their credit cards, for which they maintain a checking account in your company’s (MBA’s) banking institution.

Recall, for each of your merchant customers who are engaged in credit card sales, at the time SCP deposits Merchant Bank of America’s credit card processing fee into MBA’s account, and deposits MBA’s merchant payment amount into the merchant’s bank account with MBA, SCP will also provide MBA (your employer) with the details of each transaction. At the end of the month, MBA will provide its merchant customers (depositors) with detailed information for each transaction. After all, the amount deposited into the merchant customer’s bank account held with MBA will certainly show up as a “MERCHANT BANK DEPOSIT”. That is, it will appear on the merchant customer’s bank statement as a deposit. For every single transaction wherein your merchant customers have allowed their customer to purchase something on credit using their credit card, you will get the detail of the transaction. SCP will send you the name of your merchant customer (depositor), their account information, and the name, credit card information and transaction information for each customer of your merchant who made a credit card purchase. The information you are provided will also include the dates of each transaction, the name and relevant information for the credit card holder’s Issuing Bank, that bank’s interchange fee charged for the transaction, SCP’s fee charged, the fee that SCP withheld from your merchant customer’s sales proceeds for your (MBA’s) fee, and the net amount deposited into your merchant customer’s checking account.

Your IG program must protect sensitive information and must comply with the law regarding what you can and cannot retain and/or share. It must also be compliant with PCI DSS. You want a program that will allow you to identify information early that is required for legal holds, but you do not want to retain information beyond the required period of time. All IG policies or programs are somewhat different and unique to the industry and to the organization. Here, your IG program will be unique to MBA, its Merchant Customers, and their credit card holding customers.

There are a number of sample Information Governance Policy/Program templates and samples on the internet. Attached to the end of this document is just one sample Information Governance Framework template that was copied verbatim from the website https://www.infogovbasics.com/creating-a-policy/. This framework gives you an idea of the minimum items that might be included generally in an IG Plan. Please take into consideration that it may not be complete for your industry or organization.

I have downloaded and saved for your review, in the CONTENT section, subdirectory SEMESTER PROJECT, subfolder SAMPLE IG PLANS, a few samples from the internet. You may review them for a flavor of how different IG Plans may be for organizations in the same industry, and even for companies managed by the same organization. Also, please feel free to browse the internet to get a flavor for what an actual IG Policy/Program might look like. Also, take into consideration the requirements promulgated by the PCI DSS security council. If you desire, you may use the template attached to the end of this document as a GENERAL outline for how you might choose to format your IG Policy/Program for MBA, but remember you will need to make modifications that will make it suited for the industry and specifically for MBA, as it applies to its merchant customers.

It is certainly not a requirement that you use the attached sample as a guideline for formatting your own IG Policy/Program, or that you use anything that you may find on the internet. You may design your own format for an IG Policy/Program for MBA that is far superior to anything that you find online. If that is the case, then use your own model! It makes no difference how you arrived at the final format you use for the IG Policy/Plan/Program that you submit, as long as you give credit to all source(s) that you looked to in formulating or designing your IG Plan or any portion of your plan.

The sample at the end of this document is merely attached for your convenience as one example of the minimum type of information that might be contained in your IG policy/program. Do as much research from all sources you have access to or can locate to determine how you want to format your own IG Policy/program, and the types of things you will include. If you decide to use the attached sample, or anything you find on the internet, you are required to customize either to meet the distinct characteristics and needs of MBA and to add the detail required. Please know, this assignment DOES NOT consist of submitting an outline for MBA. This assignment is to submit “THE” Information Governance Plan for MBA, complete with detail.

That is, please do not misconstrue the sample/example format attached hereto or any outlines that you find on the internet that are generic in nature. Those are merely outlines for what I am asking you to develop in this assignment. They are skeletons that contain only headings for the content that you will include in the IG Policy/Plan/Program that you develop in Phase III. That is, what follows is merely an Information Governance Framework.

The purpose of the Information Governance framework is to formally establish an organization’s approach to Information Governance. No two Information Governance programs are the same, so each framework will be unique to the organization but any program should, as a minimum, cover the following areas. https://www.infogovbasics.com/creating-a-policy/

In other words, in Phase III, you must include actual content or provide instruction for a minimum of the sections listed below, and include your own additional subsections where appropriate. For example, should you find an example or sample IG Program/Policy/Plan similar to the following framework, you should interpret it as follows:

Roles and Responsibilities

Use sentence here that talks about the Roles and Responsibilities of those responsible for the IG Plan/Program/Policy. The first major section of most frameworks clearly defines key roles of the individuals responsible for implementation, audit, update, accountability and revision of the IG plan for the organization, and the responsibilities for each, and may include:

Information Governance Committee: Description of the representatives of the committee goes here, followed by a description of their roles and responsibilities.

Information Governance Team:____

Information Risk Management:____

Information Asset Management:___

Records Manager:____

Line-of-Business Managers:____

Employees:____

“Roles and Responsibilities” is merely a category or heading for one portion of the IG policy/program that you design. The section that reads, “Use sentence here that talks about the Roles and Responsibilities of those responsible for the IG Plan/Program/Policy. The first major section of most frameworks clearly defines key roles of the individuals responsible for implementation, audit, update, accountability and revision of the IG plan for the organization, and the responsibilities for each, and may include:” is nothing more than an instruction from me to you describing the section. It is more of a tip from me to you, and is not to be construed as the actual content for your IG Program/Policy/Plan. Then the 7 lines that follow are just examples of what might be key players in this particular example. In your IG Plan that you submit to me, if you have a section that looks like this, then you must also include an actual description of the roles and responsibilities for each entity/position that you have listed. You will not include in your IG policy/program that you design the descriptions of what each category is used for as I did in my example to you.

Please use entire sentences rather than phrases in your IG Program/Plan/Policy (whichever you choose to call it). Remember that I said I want you to use complete sentences, and complete paragraphs where applicable. Please do not just give me listings like that which is included in the outline for the Roles and Responsibilities example above. DO NOT GIVE ME BULLETED ITEMS with no descriptions or explanations in sentence form. The IG policy/program that you submit should be so much more than just bullet items followed by phrases (or nothing at all). You will lose a significant number of points if you ignore this instruction. Phase III is not conducive to using the APA format or any other similar format. Use your own formatting but make sure that you follow my guidelines and do not simply give me bullet items or lists with no explanation of what it is or why you are including it in your list.

Please, do not attempt to plagiarize or copy another IG policy that you find on the internet (or anywhere else). Remember, I will run the IG Policy that you submit through a plagiarism checker that will compare it with others on the web and with those of the other students in the class. Where a match is found, the source is also disclosed. In addition, your paper will be broken down and will display the percentage of your entire paper that was plagiarized from a source other than your own independent creation. If you use anything from an IG policy that you find on the Internet, please give credit to the source so that the plagiarism issue will not come up. If you and another student both copy directly from the same outside source, but do not give credit to that source, there are times when the plagiarism checker will tag your paper as being identical to that of the other student. And the other student’s paper is identified as being plagiarized from the outside source. So, if you use anything from an outside source, please cite to the source and provide me with the source so that I may look at the source to see just how similar your work is.

The IG Policy that you develop should be specific to Merchant Bank of America, and designed specifically to meet the organizational needs, and should be limited in scope to MBA as it applies to its Merchant customers. (What I mean by this is that while MBA is a commercial bank with, for example, a loan department, your IG Program will not address that department as it does not impact the credit card function of MBA’s merchant customers.) Explain any decisions or assumptions you have made for MBA that were not outlined in the description of the company.

This phase (phase III) of your project is due no later than at 11:30 p.m. Eastern Standard Time on Sunday, February 24, 2019. Make sure to submit the project in WORD format. Use 1 inch top, bottom, left and right margins on each page. Include a cover page that will contain the Course name and number, semester term, your full name, student id, and the title of your paper:

This portion of the semester project is worth 15% of the overall grade.

You should submit this assignment using iLearn. Go to the content section where you will see a folder labeled “SEMESTER PROJECT.” Select that folder. You will then see a subfolder for PHASE III, and in that the instructions and link for uploading Phase III in the form of a WORD document.

Again, this assignment must be submitted no later than 11:30 p.m. Eastern Standard Time on Sunday, February 24, 2019. Assignments will not be accepted late. This means that you should not plan to contact me at 11:35 p.m. or 11:59 p.m. in order to request that I accept a late submission. I will not.

SAMPLE TEMPLATE FOR THE MINIMUM FRAMEWORK AND FORMAT OF AN INFORMATION GOVERNANCE POLICY

The remainder of this paper was reproduced for educational purposes in its entirety from: https://www.infogovbasics.com/creating-a-policy/

A Definition of Scope

The framework should begin by establishing the full extent of the Information Governance program. An example of this could be:

“The Information Governance framework covers all staff that create, store, share and dispose of information. It sets out the procedures for sharing information with stakeholders, partners and suppliers. It concerns the management of all paper and electronic information and its associated systems within the organization, as well as information held outside the organization that affects its regulatory and legal obligations.”

Roles and Responsibilities

The first major section of most frameworks clearly defines key roles and their responsibilities, including:

Information Governance Committee

Information Governance Team

Information Risk Management

Information Asset Management

Records Manager

Line-of-Business Managers

Employees

Information Policies

Information Governance covers a wide range of policies. The framework should set out which corporate policies are relevant to the Information Governance program. These may include:

▪ Information security policy

▪ Records management policy

▪ Retention and disposal schedules

▪ Archiving policy

▪ Data privacy policy

▪ ICT policy

▪ Information sharing policy

▪ Remote working policy

Information Procedures

A major part of the Information Governance framework should set out how the organization and its employees work with information. This can be broken into separate sections covering:

▪ Legal and regulatory compliance

▪ Creating and receiving information

▪ Acceptable content types

▪ Managing the volume of information

▪ Managing personal information

▪ Storing and archiving information

▪ Collaboration and sharing information

▪ Disposing of information

Working with Third Parties

As more and more information that affects a business is created and stored elsewhere it is essential to establish how the organization operates and shares information with stakeholders, partners and suppliers. The framework should:

▪ Define the policies for sharing information with third parties

▪ Define how the organization can manage how third parties handle personal and confidential information

▪ Define how Information Governance fits within supplier relationships and contractual obligations

▪ Define measurement and metrics for third party meeting the organization’s Information Governance goals

Disaster Recovery, Contingency and Business Continuity

The framework should set out the organization’s approach to:

▪ Reporting information losses

▪ Reporting information security breaches

▪ Incident management and escalation

▪ Back up and disaster recovery

▪ Business continuity management

Auditing, Measurement and Review

Information Governance is a continuous improvement process so it must be underpinned by a continuous monitoring procedure. The framework can set out the organization’s approach to:

▪ Monitoring information access and use

▪ Monitoring effectiveness of regulatory compliance

▪ Monitoring the effectiveness of information security policy and procedure

▪ Monitoring of ICT and storage infrastructure performance

▪ Risk assessment and auditing

▪ Information Governance review

Like many things in Information Governance, there is a balance to be achieved with the Information Governance framework. The more comprehensive the document, the better. However, it shouldn’t become so large and unwieldy that it ends up gathering dust on the shelf.