Free Consultation (323) 413-7432
Privacy Compliance
Compliance And Privacy Partners
Regulatory Resources
Information Governance and Data Protection Definitions, Resources, Standards & Guidelines
This comprehensive set of links includes definitions, standards and guidelines as well as other useful resources for individuals, students and organizations involved in Information Governance and Data Protection and is updated regularly.![]()
Primary resources are linked where possible.
Defining Information Governance
Information Governance is an organization’s coordinated, interdisciplinary approach to satisfying information compliance requirements and managing information risks while optimizing information value. – The Sedona Conference® – Commentary On Information Governance Second Edition
Popular IG / Data Protection Standards, Directives, Frameworks and Guidelines
- AIIM ARP1-2007 – Analysis, Selection and Implementation of Electronic Document Management Systems (EDMS)
- ANSI/ARMA 5-2010 – Vital Records Programs: Identifying, Managing and Recovering
- ANSI/NISO Z39.19 – Guidelines for the Construction, Format, and Management of Monolingual Controlled Vocabularies
- BSI 10012 – Standard Data Protection. Specification for a personal information management system
- Cloud Control Matrix – Cloud Security Aliance
- CMMI – Capability Maturity Model Integration
- COBIT 5 – Control Objectives for Information and Related Technologies
- Fair Information Practice Principles (FIPP)
- GAAP – Generally Accepted Accounting Principles
- GARP – Generally Accepted Record Keeping Principles from ARMA
- GAPP – Generally Accepted Privacy Principles from AICPA
- DoD Directive 5015.02 – Electronic Records Management Standard
- DoD Directive 8140.01 – Cyberspace Workforce Management
- Dublin Core – Metadata Initiative
- EDRM – Electronic Discovery Reference Model
- GPEN – Global Privacy Enforcement Network
- IEEE P2413 – Standard for an Architectural Framework for the Internet of Things (IoT)
- Mike2.0 – Open Framework Information Standard
- MARC – Machine Readable Cataloging
- MoReq2010 Modular Requirements for Records Systems V.1
- MPAA – Content Security Best Practices Common Guidelines
- NARA – Best Practices for Social Media Capture
- NFPA 232 – National Fire Protection Association Records Protection Standard
- NIST – National Institute of Standards and Technology – Cybersecurity Framework
- OASIS – Open Source Standards
- Privacy Shield
- NIST / NSRL – National Software Reference Library
- SAA – Society of American Archivists – Case 7 – Standards and Standards Development: The Development of Digital Records Conversion Process (ANSI/ARMA 16-2007)
- SSAE no. 18 – Attestation (Internal Control and Auditing) Standards from AICPA
- The Sedona Conference® Commentary on Information Governance
ISO Standards
- ISO 13008 – Digital records conversion and migration process
- ISO 13-28 – Implementation guideline for digitization of records
- ISO 15489-1 – Records Management – General
- ISO 15489-2 – Records Management – Guidelines
- ISO 15836 – Information and documentation — The Dublin Core metadata element set
- ISO 16175 – Principles and functional requirements for records in electronic office environments
- ISO 22957 – Document management — Analysis, selection and implementation of electronic document management systems (EDMS)
- ISO 18492 – Long-term preservation of electronic document-based information
- ISO 25964 – Information and documentation — Thesauri and interoperability with other vocabularies — Part 1: Thesauri for information retrieval
- ISO 26122 – Work Process Analysis for records
- ISO 27001 – Information Security Standard
- ISO 27002 – Information Security Standard – Information Technology Security Techniques – Code of practice for informatin security controls
- ISO 27018 – Information Technology — Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII Processors
- ISO 27552 – Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines
- ISO 30300-1 – Management Systems For Records – Fundamentals and Vocabulary
Supplemental ANSI/ARMA/AIIM Standards
- ANSI/AIIM ARMA TR48-2004 04-Jul-2004 – Framework for Integration of Electronic Document Management Systems and Electronic Records Management Systems Technical Reports
- ANSI/AIIM MS1-1996 01-Jan-1996 – Recommended Practice for Alphanumeric Computer-Output Microforms – Operational Practices for Inspection & Quality Control
- ANSI/AIIM MS48-1999 09-Apr-1999 – American National Standard for Information and Image Management – Recommended Practice – Microfilming Public Records on Silver Halide Film
- ANSI/AIIM TR02-1998 01-Aug-1998 – Glossary of Document Technologies
- ANSI/AIIM TR13-1998 01-Jan-1998 – Preservation of Microforms in an Active Environment – Guidelines
- ANSI/AIIM TR31/1-1992(R1999) 01-Jan-1992 – Performance Guidelines for Admissibility of Records Produced by Information Technology Systems As Evidence – Part I: Performance Guideline for Admissibility of Records Produced by Information Technology Systems as Evidence
- ANSI/AIIM TR31/2-1993(R1999) 01-Jan-1993 – Performance Guideline for the Admissibility of Records Produced by Information Technology Systems As Evidence – Part II: Acceptance by Federal or State Agencies of Records Produced by Information Technology Systems
- ANSI/AIIM TR31/3-1994(R1999) 01-Jan-1994 – Performance Guidelines for Admissibility of Records Produced by Information Technology Systems as Evidence – Part III: Implementation of Performance Guidelines for the Legal Acceptance of Records Produced by Information Technology Systems
- ANSI/AIIM TR31/4-1994(R1999) 01-Jan-1994 – Performance Guidelines for Admissibility of Records Produced by Information Technology Systems As Evidence – Part IV: Model Act and Rule
- ANSI/AIIM/ARMA TR48-2004 – Framework for Integration of Electronic Document Management Systems and Electronic Records Management Systems
- ANSI/ARMA 10-1999 – Glossary of Records and Information Management Terms
- ANSI/ARMA 1-1997 – Alphabetic Filing Rules, 2nd Ed.
- ANSI/ARMA 12-2005 – Establishing Alphabetic, Numeric and Subject Filing Systems
- ANSI/ARMA 5-2003 – Vital RecordsPrograms: Identifying, Managing, and Recovering Business-Critical Records
- ANSI/ARMA 8-2005 – Retention Management for Records and Information
- ANSI/ARMA 9-2004 – Requirements for Managing Electronic Messages as Records
- ANSI/ARMA TR-01-2002 – Records Center Operations, 2nd Ed.
US Regulatory Rules, Laws, Directives & Agencies
- BSA – Bank Secrecy Act (1978)
- Cable TV Privacy Act (1984)
- CALEA – Communications Assistance to Law Enforcement Act
- COPPA – Children’s Online Privacy and Protection Act – FTC (1998)
- Dodd-Frank Wall Street Reform and Consumer Protection Act (2010)
- DMCA – Digital Millenium Copyright Act (1998)
- ECPA – Elecronic Communications Privacy Act (1986)
- EUTA – Uniform Electronic Transactions Act (1999)
- Fair Credit Reporting Act (1970)
- FACTA – Fair and Accurate Credit Transactions Act (2003)
- FERPA – Family Educational Rights and Privacy Act (2010)
- Federal Information Security Act (2002)
- FRCP Rule 26 – Duty to Disclose; General Provisions Governing Discovery
- FRCP Rule 34 – Producing Documents, Electronically Stored Information, and Tangible Things, or Entering onto Land, for Inspection and Other Purposes
- FRCP Rule 37(e) – Failure to Make Disclosures or to Cooperate in Discovery; Sanctions
- FINRA – Broker-Dealer Books and Records (Established 2007)
- FOIA – Freedom of Information Act (FOIA)
- Gramm–Leach–Bliley Act (1999)
- HIPAA – Health Information Privacy Act (1996)
- HITECH – Final Rule (2009)
- NARA – National Archives & Records Administration (Established 1934)
- Privacy Act (1974)
- Red-Flags Rule
- Right to Financial Privacy Act (1978)
- SOX – Sarbanes Oxley Act (2002)
- https://www.law.cornell.edu/uscode/text/18/2701Stored Communications Act (SCA)
- Telemarketing sales rule
- Telephone Consumer Protection Act (1991)
- Video Privacy Protection Act (VPPA)
- 21 U.S. Code § 350c – Maintenance and inspection of records (Food)
- 21 U.S.C. §331(e) – Prohibited Acts (Food and Drugs)
- 21st Century Cures Act (2016)
- CFR – Code of Federal Regulations Title 21 (FDA Rules)
Notable US State Specific Data Security, Protection and Privacy Laws & Proposed Legislation
- California AB-375 Privacy: personal information: businesses
- California AB-375 Summary
- California AB-2828
- California Public Records Act – California Government Code 6250
- California Civil Code 1798.81.5. – Protecting Sensitive Customer Information (2018) – Shine the Light Law
- California Electronic Communications Privacy Act SB-178 (2015)
- Conneticut RB 1108 – An Act Establishing a Task Force Concerning Consumer Privacy
- Delaware Online Privacy and Protection Act (2016)
- Hawaii SB 418
- Illinois Right to Know Act (2017)
- Maryland SB 613 – Online Consumer Privacy Act
- Massachussetts SD 341/S 120
- Nevada SB 538 (2017)
- Nevada Chapter 603A – Security of Information Maintained By Data Collectors and Other Businesses
- New Jersey Personal Information and Privacy Protection Act (2017)
- New Jersey S2834
- New Mexico HB15
- New Mexico SB 176 – Consumer Information Privacy Act
- North Carolina – Identity Theft and Protection Law (2005)
- North Dakota HB 1485
- NY Department of Financial Services – Cybersecurity Requirements (23 NYCRR 500)
- NY SB S8641
- NY S224 – Right to Know Act
- Tennessee SB 2005
- Texas HB 4518 – Texas Consumer Privacy Act
- Texas HB 4390 – Texas Privacy Protection Act
- Vermont Data Broker Law (2018)
- Washington SB 5376
- Washington Biometric Privacy Law (H.B. 1493) (2017)
Notable Global Regulatory Rules, Laws, Directives & Agencies
- DLA Piper’s Data Protection Laws of The world (Recommended)
- ENISA – European Union Agency for Network and Information Security
- EU General Data Protection Regulation (GDPR)
- NARS – National Archives and Records Service of South Africa No. 43
- French Record Retention Schedules
- UK Information Commissioner’s Office
- Victorian (Australia) Electronic Records Strategy (VERS)
Information Management, Archives, Data Security and Privacy Organizations
- ACA – Academy of Certified Archivists
- ACFE – Association of Certified Fraud Examiners
- AHIMA – American Health Information Management Association
- AIIM – Association for Intelligent Information Management
- ARMA International
- ALA – Association of Legal Administrators
- ANSI – American National Standards Institute
- CIS – Center for Internet Security
- CompTIA – Computing Technology Industry Association
- DLM Forum – European Information Governance
- EDM – Enterprise Data Management Council
- FASB – Financial Accounting Standards Board
- HTCIA – High Technology Crime Investigation Association
- IIA – Institute of Internal Auditors
- ICA – International Counsel on Archives
- ICDPPC – International Conference of Data Protection and Privacy Commissioners
- ICRM – Institute of Certified Records Managers
- IFLA – International Federation of Library Associations
- IGI – Information Governance Initiaitve
- IRMT – International Records Management Trust
- ISAA – Information Systems Security Association
- ISACA – Information Systems Audit and Control Organization
- NAGARA – National Association of Government Archives and Records Administration
- NAID – National Association for Information Destruction
- NIRMA – Nuclear Information & Records Association
- OASIS – Organization for Advancement of Structured Information Standards
- OCF – Open Connectivity Foundation
- OWSAP – Open Web Application Security Project
- PCI – Payment Card Security Standards Council
- PRISM International – Global Society for Information Management Companies
- SAA – Society of American Archivists
Notable Academic and Certification Programs
- Certified Ethical Hacker (CEH)
- Certified Information Professional (CIP)
- Certified Records Manager (CRM)
- Data Protection Officer (DPO)
- Information Governance Professional (IGP)
- International Association of Privacy Professionals (IAPP)
- LSU RIM Certificate Program
- Offensive Security Certified Professional (OSCP)
- Project Management Professional (PMP)
- San Jose University (SJSU) School of Information
- University of Toronto – Records Management Program
Health Information Management Specific Resources
- ACA – Patient Protection and Affordable Care Act
- ANIA – The American Nursing Informatics Association
- AHIMA – American Health Information Management Association
- HITECH – The Health Information Technology for Economic and Clinical Health
- HHS. GOV Health Information Privacy (Official HIPAA Resources)
- HITRUST CSF Framework for Healthcare
- PRIMO – Pharmaceutical Records and Information Management Organization
- UK NHS Data Security and Protection Toolkit
Email Retention Rules and Guidance
- General Business Oversight – Sarbanes-Oxley Act (SOX) – Final Rule: Retention of Records Relevant to Audits and Reviews
- Banking – FDIC, OCC (Office of the Comptroller of the Currency)
- Telecommunications: FCC – Title 47, Part 42
- Pharmaceutical: FDA – Title 21, Part 11
- Brokerage Firms : SEC – Rule 17a-3 and 17a-4
- Investment Advisors: SEC Rule 204-2 (Books and Records Retention)
IG Periodicals, Weblogs & ListServs
Disaster Recovery Resources
- Business Case for Vital Records Programs (Book excerpt)
- Emergency Management Concepts(Book excerpt)
- Quantifying Vital Records Risks(IM article)
- How to Develop a Vital Records Program Project Plan (IM article)
- Incident Response Toolkit Preparation(Job aid)
- Information Risk Impact and Probability Matrix(Form)
- Records Risks Mitigation: Values and Strategies (Job aid)
- Disaster Recovery Steps and Methods (Online course excerpt)
- Information Damage and Assessment Report (Form)
- Planning for and Managing During a Paper Document Disaster(IM article)
- Sample Business Continuity Plan (RIM Professionals Australasia)
- Business Continuity Plan Template for Small to Medium Businesses (Tech Target)
- 12 Things IT Can Do to Create the Business Continuity Plan (Eaton)
- How to Create an Effective Business Continuity Plan (CIO)
Miscellaneous IG and Records Resources and Articles
- Records Retention in Relational Database Systems: Bridging the gap between laws and enforcement actions
- Business Policy Modeling and Enforcement in Databases
- Standardized Information Gathering (SIG) Questionaire
- CAIQ Cloud Security Alliance – Questionaire
- IoT – The Internet of Things and Information Governance: What You Need To Know To Manage Data Streaming From Everywhere
Connect With CAPP Consulting
Need more information or ready to take the next step?
You can contact us at support@capp-llc.com