Phase III
rahul0104
InstructionsforPhaseIII-spring2019main.pdf
UNIVERSITY OF THE CUMBERLANDS
ITS 833 – INFORMATION GOVERNANCE
SPRING – MAINTERM 2019
SEMESTER PROJECT – PHASE III
SUBMISSION DEADLINE: 4/14/2019 11:30 P.M. Eastern Standard Time
Phases I and II were designed to assist you in beginning to analyze major components or
factors that ultimately affect the Information Governance Plan that you design for Superior Card
Processors, Inc. (hereafter “SPC”).
INSTRUCTIONS FOR PHASE III
It is your task to now add the “content” to the outline for the Information Governance
Plan/Program. That is you are to prepare an Information Governance Policy/Program for
SPC.
Recall, for each of merchant customer who engages in credit card sales, SCP processes the
transaction, which involves interacting with the issuing bank, deducting its fee from the sales
proceeds, deposits the relevant merchant bank’s credit card processing fee into the merchant
bank’s account, and deposits the merchant’s net revenue into the merchant’s bank account with
the merchant bank. SCP will be required to retain details of the transactions and provide detail
and summary reports to each relevant third party, including the issuing banks, merchant banks and
merchants.
Your IG program must protect sensitive information and must comply with the law
regarding what SPC can and cannot retain and/or share. It must also be complaint with PCI DSS.
You want a program that will allow you to identify information early that is required for legal
holds, but you do not want to retain information beyond the required period of time. All IG policies
or programs are somewhat different and unique to the industry and to the organization. Here, your
IG program will be unique to SCP, and to the merchant banks and merchants that it services.
There are a number of sample Information Governance Policy/Program templates and
samples on the internet. Attached to the end of this document is just one sample Information
Governance Framework template that was copied verbatim from the website
https://www.infogovbasics.com/creating-a-policy/. This framework gives you an idea of the
minimum items that might be included generally in an IG Plan. Please take into consideration that
it may not be complete for your industry or organization.
I have downloaded and saved for your review in the CONTENT section, subdirectory on
SEMESTER PROJECT¸ subfolder SAMPLE IG PLANS a few samples from the internet. You
may review them for a flavor of how different IG Plans may be for organizations in the same
industry, and even for companies managed by the same organization. Also, please feel free to
browse the internet to get a flavor for what an actual IG Policy/Program might look like. Also,
take into consideration the requirements promulgated by the PCI DSS security council. If you
desire, you may use the template attached to the end of this document as GENERAL outline for
how you might choose to format your IG Policy/Program for SCP, INC., but remember you will
need to make modifications that will make it suited for the industry and specifically for SCP, as it
applies to its merchant customers and banks.
It is certainly not a requirement that you use either the attached sample as a guideline for
formatting your own IG Policy/Program, or that you use anything that you may find on the internet.
You may design your own format for an IG Policy/Program for SCP that is far superior to anything
that you find online. If that is the case, then use your own model! It makes no difference how you
arrived at the final format you use for the IG Policy/Plan/Program that you submit, as long as you
give credit to all source(s), that you looked to in formulating or designing your IG Plan or any
portion of your plan.
The sample at the end of this document is merely attached for your convenience as one
example of the minimum type of information that might be contained in your IG policy/program.
Do as much research from all sources you have access to or can locate to determine how you want
to format your own IG Policy/program, and the types of things you will include. If you decide to
use the attached sample, or anything you find on the internet, you are required to customize either
to meet the distinct characteristics and needs of SCP and to add the detail required. Please know,
this assignment DOES NOT consist of submitting an outline for SCP’s IG Plan. This assignment
is to submit “THE” Information Governance Plan for SCP, complete with detail.
That is, please do not misconstrue the sample/example format attached hereto or any
outlines that you find on the internet that are generic in nature. Those are merely outlines for what
I am asking you to develop in this assignment. They are skeletons that contain only headings for
the content that you will include in the IG Policy/Plan/Program that you develop in Phase III. That
is, what follows is merely an Information Governance Framework.
The purpose of the Information Governance framework is to formally establish an
organization’s approach to Information Governance. No two Information Governance programs
are the same, so each framework will be unique to the organization but any program should, as a
minimum, cover the following areas. https://www.infogovbasics.com/creating-a-policy/
In other words, in Phase III, you must include actual content or provide instruction for a
minimum of the sections listed below, and include your own additional subsections where
appropriate. For example, should you find an example or sample IG Program/Policy/Program
similar to the following framework you should interpret it as follows:
Roles and Responsibilities
My instruction to you: Use sentence here that talks about the Roles and Responsibilities of those
responsible for the IG Plan/Program/Policy. The first major section of most frameworks clearly
defines key roles of the individuals responsible for implementation, audit, update, accountability
and revision of the IG plan for the organization, and the responsibilities for each, and may include:
Information Governance Committee: Description of the representatives of the committee goes
here, followed by a description of their roles and responsibilities.
Information Governance Team: Here you would include a description of the representatives of
the IG Team, followed by a description of their roles and responsibilities.
Information Risk Management: Here you would include a description of the representatives
from Information Risk Management, followed by a description of their roles and responsibilities.
Information Asset Management: Here you would include a description of the representatives of
the Information Asset Management team, followed by a description of their roles and
responsibilities.
Records Manager: Here you would include a description of the roles, responsibilities and
qualifications for the records manager for the organization.
That is, “Roles and Responsibilities” is merely a category or heading for one portion of the IG
policy/program that you design. The section that reads, “Use sentence here that talks about the
Roles and Responsibilities of those responsible for the IG Plan/Program/Policy. The first major
section of most frameworks clearly defines key roles of the individuals responsible for
implementation, audit, update, accountability and revision of the IG plan for the organization, and
the responsibilities for each, and may include:” is nothing more than an instruction from me to
you describing the section. It is more of a tip from me to you, and is not to be construed as the
actual content for your IG Program/Policy/Plan. Then the subheading that follow are just examples
of what might be key players in this particular example. In your IG Plan that you submit to me, if
you have a section that looks like this, then you must also include an actual description of the roles
and responsibilities for each entity/position that you have listed. You will not include in your IG
policy/program that you design the descriptions of what each category is used for as I did in my
example to you.
Please use entire sentences rather than phrases in your IG Program/Plan/Policy (whichever
you choose to call it). Remember that I said I want you to use complete sentences, and complete
paragraphs where applicable. Please do not just give me listings like that which is included in the
outline for Roles and Responsibility example above. DO NOT GIVE ME BULLETED ITEMS
with no descriptions or explanations in sentence form. The IG policy/program that you submit
should be so much more than just bullet items followed by phrases (or nothing at all). You will
lose a significant number of points if you ignore this instruction. Phase III is not conducive to
using the APA format or any other similar format. Use your own formatting but make sure that
you follow my guidelines and do not simply give me bullet items or lists with no explanation of
what it is or why you are including it in your list.
Please, do not attempt to plagiarize or copy another IG policy that you find on the internet
(or anywhere else). Remember, I will run the IG Policy that you submit through a plagiarism
checker that will compare it with others on the web and with those of the other students in the
class. Where a match is found, the source is also disclosed. In addition, your paper will be broken
down and will display the percentage of your entire paper was plagiarized from a source other than
your own independent creation. If you use anything from an IG policy that you find on the Internet,
please give credit to the source so that the plagiarism issue will not come up. If you and another
student both copy directly from the same outside source, but do not give credit to that source, there
are times when the plagiarism checker will tag your paper as being identical to that of the other
student. And the other student’s paper is identified as being plagiarized from the outside source.
So, if you use anything from an outside source, please cite to the source and provide me with the
source so that I may look at the source to see just how similar your work is.
The IG Policy that you develop should be specific to Superior Card Processors, Inc., and
designed specifically to meet the organizational needs, and should be limited in scope to SCP as it
applies to its merchant customers and banks. Explain any decisions or assumptions you have made
for MBA that were not outlined in the description of the company.
This phase (phase III) of your project is due no later than at 11:30 p.m. Eastern Standard
Time on Sunday, April 14, 2019. Make sure to submit the project in WORD format. Use 1 inch
top, bottom, left and right margins on each page. Include a cover page that will contain the Course
name and number, semester term, your full name, student id, and the title of your paper:
You should submit this assignment using iLearn. Go to the content section where you will
see a folder labeled “SEMESTER PROJECT. Select that folder. You will then see a subfolder for
PHASE III, and in that the instructions and link for uploading Phase III in the form of a WORD
document.
Again, this assignment must be submitted no later than 11:30 p.m. Eastern Standard Time
on Sunday, April 14, 2019. Assignments will not be accepted late. This means that you should
not plan to contact me at 11:35 p.m. or 11:59 p.m. in order to request that I accept a late submission.
I will not.
SAMPLE TEMPLATE FOR THE MINIMUM FRAMEWORK AND
FORMAT OF AN INFORMATION GOVERNANCE POLICY
The remainder of this paper was reproduced for educational purposes in its entirety from: https://www.infogovbasics.com/creating-a-policy/
A Definition of Scope
The framework should begin by establishing the full extent of the Information Governance program. An example of this could be:
“The Information Governance framework covers all staff that create, store, share and dispose of information.
It sets out the procedures for sharing information with stakeholders, partners and suppliers. It concerns the
management of all paper and electronic information and its associated systems within the organization, as well as information held outside the organization that affects its regulatory and legal obligations.”
Roles and Responsibilities
The first major section of most frameworks clearly define key roles and their responsibilities, including:
Information Governance Committee
Information Governance Team
Information Risk Management
Information Asset Management
Records Manager
Line-of-Business Managers
Employees
Information Policies
Information Governance covers a wide range of policies. The framework should set out which corporate policies are relevant to the Information Governance program. These may include:
▪ Information security policy
▪ Records management policy
▪ Retention and disposal schedules
▪ Archiving policy
▪ Data privacy policy
▪ ICT policy
▪ Information sharing policy
▪ Remote working policy
Information Procedures
A major part of the Information Governance framework should set out how the organization and its employees work with information. This can be broken into separate sections covering:
▪ Legal and regulatory compliance
▪ Creating and receiving information
▪ Acceptable content types
▪ Managing the volume of information
▪ Managing personal information
▪ Storing and archiving information
▪ Collaboration and sharing information
▪ Disposing of information
Working with Third Parties
As more and more information that affects a business is created and stored elsewhere it is essential to establish how the organization operates and shares information with stakeholders, partners and suppliers. The framework should:
▪ Define the policies for sharing information with third parties
▪ Define how the organization can manage how third parties handle personal and confidential information
▪ Define how Information Governance fits within supplier relationships and contractual obligations
▪ Define measurement and metrics for third party meeting the organization’s Information Governance
goals
Disaster Recovery, Contingency and Business Continuity
The framework should set out the organization’s approach to:
▪ Reporting information losses
▪ Reporting information security breaches
▪ Incident management and escalation
▪ Back up and disaster recovery
▪ Business continuity management
Auditing, Measurement and Review
Information Governance is a continuous improvement process so it must be underpinned by a continuous monitoring procedure. The framework can set out the organization’s approach to:
▪ Monitoring information access and use
▪ Monitoring effectiveness of regulatory compliance
▪ Monitoring the effectiveness of information security policy and procedure
▪ Monitoring of ICT and storage infrastructure performance
▪ Risk assessment and auditing
▪ Information Governance review
Like many things in Information Governance, there is a balance to be achieved with the
Information Governance framework. The more comprehensive the document, the better.
However, it shouldn’t become so large and unwieldy that it ends up gathering dust on the shelf.
