
This is one of the few books that brings together the concepts of records and information management and information security and is a really solid introduction to the way in which the various information disciplines, whether concerned with security and protection or reuse and optimisation, need to come together to ensure that information remains useful, yet is appropriately secured to minimise risk.

Early chapters of the book focus on introducing the concepts of governance and assurance and the UK law and regulations that drive these requirements; there was a definite bias toward those laws that specifically concern information, in particular, the Data Protection Act, and I would have liked to have seen more about those laws that affect the way in which information is managed both in the broader context, e.g. employment law, but also a reference to the implications and issues when working in a global or international context, which can present some quite significant challenges when implementing an Information Governance Framework.

I really like that this book referenced information in all of its forms, including data, which is all too often considered as an entirely separate entity, yet remains a challenge when attempting to implement policy or demonstrate or assure compliance. Data are the focus of a whole chapter, and it is a great introduction to the concepts of data management for those who have worked more around information policy than the operational delivery of data and information services, systems and solutions.

The chapter that focusses on the identification and assessment of threats is really useful and this is followed up with a subsequent chapter on the security and protective measures that can be implemented to mitigate the threat and any associated risk to the information. Again, this is a useful introduction to the concepts of information risk management and information security.

While there are a couple of case studies, I would have liked this book to include some practical examples or potential methodologies that bring together and integrate these information disciplines. Chapter 6, which focusses on frameworks and “how it all fits together”, identifies all of the various components that are referenced in the broad spectrum of “information governance and assurance” and suggests an approach but does not sufficiently demonstrate its effectiveness. There are many real challenges that will need to be overcome if a truly integrated approach to the management, governance and assurance of information and data is to be achieved within an enterprise environment, and it would have been useful to have some tools and techniques that have been proven elsewhere for consideration by the reader.

The challenge that the author faces is that this is such a broad subject that to try to go into any degree of detail is not really practical, and this means that much of the content literally introduces a concept rather than going into any great detail. I do not think that this is a bad thing though; instead, I feel that this book demonstrates the necessary integration of functions that have previously been seen (and treated) as distinctly different in an organisation. It highlights that it is no longer practical to produce information policies, to develop and implement security controls and to operate and support key information management services in isolation from each other. Instead, it is absolutely necessary to develop a framework approach that highlights the importance of each of these roles and functions and seeks to establish the way in which they can work together to manage information as an asset in an enterprise context.

Overall, I think that this is a useful addition to the books that are currently available that attempt to address this subject area; having worked across the spectrum of information management, records management, information assurance, information governance, risk and compliance and information security, I was already familiar with much of the content. Through necessity, I had come by this knowledge the hard way, and I feel that this book is a really solid introductory resource for those currently working in a specific discipline or those starting their careers. It introduces integrated concepts and highlights the various information management principles that need to be considered if we are to truly manage information at an enterprise level and as a key business asset that has long been a (significant) challenge for many information professionals, irrespective of their specific discipline.
