April 15, 2013 5:16 PM
Posted by: Ben Cole
(This blog post was written by Marilyn Bier, chief executive officer of ARMA International.)
Organizations depend on information to manage day-to-day operations, comply with regulations, gauge financial performance, and monitor strategic initiatives. They’re all critical business processes, and they all share an important trait: An accounting of each resides in an organization’s business records.
As a key resource in the operation of any organization, records must be created, organized, secured, maintained, and used in a way that effectively supports the activities of that organization. This information facilitates operations, budgeting, and planning, and it documents compliance.
Identifying Information Risks
The risks are significant for those organizations with too much, too little, or incomplete information within their recordkeeping systems.
Numerous court rulings, for example, have established a legal demand that records be kept in accordance with legal requirements, that the records be accurate, and that organizations be accountable for ensuring their records and information are properly kept. Increasingly, organizations must defend their recordkeeping practices to courts, regulatory agencies, and other oversight organizations. In addition, organizations can be subject to excessive discovery costs for records that should have been disposed of.
The transition from paper to predominantly electronic information has exponentially multiplied such challenges for organizations.
“When information was paper-based, organizations were likely to have detailed policies and procedures that ensured it was managed from its creation through the time it needed to be discarded or sent to archival storage,” says Paula F. Lederman, an information management consultant and principal with IMERGE Consulting Inc. and a contributor to Information Management magazine. “As organizations have shifted to electronic records, though, many have not managed their information with that same discipline because storage is cheap, stored information is invisible, and it is easy to keep everything. However, today’s exploding volumes of poorly managed electronic information present a number of risks and associated high costs, capturing the attention of C-level executives, particularly in legal, compliance, and risk management, and disputing the notion that keeping everything “just in case” is a good strategy.”
Unnecessary e-discovery costs, regulatory sanctions for being unable to produce required documentation, and poor business decisions based on incorrect or incomplete information are all risks that can be avoided by organizations with effective information governance processes.
Mitigating risks through information governance
To meet the challenge, organizations need to implement an effective information governance program, which is defined by ARMA International as “a strategic framework composed of standards, processes, roles, and metrics that hold organizations and individuals accountable to create, organize, secure, maintain, use, and dispose of information in ways that align with and contribute to the organization’s goals.”
Like any critical business process, an information governance program should be defined, endorsed by executive management, communicated throughout the organization, and assessed regularly. The Generally Accepted Recordkeeping Principles® (the Principles) and its complementary Information Governance Maturity Model (Maturity Model) can be used by organizations of any size and in any industry sector to establish and monitor an effective information governance program.
Complying with the Principles assures the organization that its:
- Information will be protected against loss. Its critical records will be backed up, protected, and easily accessible, allowing it to continue business in the event of a disaster.
- Information will be available when needed. The organization will have systems and processes in place that will enable it to locate, retrieve, and disseminate information to the right people at the right time so it can be used for decision making, transacting business, and responding to litigation.
- Information will be retained as required and disposed of when no longer required. The organization will have a records retention schedule that will ensure that information is being retained to meet its operational, legal, regulatory, and historical requirements and that it is disposed of in the normal course of business when its required retention has been met.
- External investigation and litigation obligations can be met easily. Processes will be in place that ensure that all information that is relevant to litigation or regulatory investigation can be located, placed on legal hold to ensure its availability and integrity, and produced when needed.
The Principles were created with the assistance of renowned records and information management (RIM), legal, and IT professionals, who reviewed and distilled global best practice resources, including the international records management standard (ISO15489-1 Information and Documentation – Records Management), American National Standards, and court case law. The Principles were vetted through a public call for comment process involving the professional RIM community.
The Principles are:
1. Principle of Accountability — A senior executive (or a person of comparable authority) shall oversee the information governance program and delegate responsibility for records and information management to appropriate individuals. The organization adopts policies and procedures to guide personnel and ensure the program can be audited.
2. Principle of Transparency — An organization’s business processes and activities, including its information governance program, shall be documented in an open and verifiable manner, and that documentation shall be available to all personnel and appropriate interested parties.
3. Principle of Integrity — An information governance program shall be constructed so the information generated by or managed for the organization has a reasonable and suitable guarantee of authenticity and reliability.
4. Principle of Protection — An information governance program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, classified, or essential to business continuity or that otherwise require protection.
5. Principle of Compliance — An information governance program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies.
6. Principle of Availability — An organization shall maintain its records and information in a manner that ensures timely, efficient, and accurate retrieval of needed information.
7. Principle of Retention — An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements.
8. Principle of Disposition — An organization shall provide secure and appropriate disposition for records and information that are no longer required to be maintained by applicable laws and the organization’s policies.
Organizations should view the Principles as a map for a road that is safely winding through an operational and legal minefield that has always existed but has recently become even more treacherous. An organization that doesn’t adhere to the Principles is teetering on the edge of the minefield. By using the Maturity Model, organizations can track their progress in becoming more compliant, moving away from that dangerous edge and toward safety.
Marilyn Bier is chief executive officer of ARMA International, an authority on governing and managing information as critical business assets. As a not-for-profit professional association founded in 1955, it provides its 10,000+ global members and countless external customers the education, publications, and resources they need to be able to create, organize, secure, maintain, use, and dispose of information in ways that align with and contribute to their organization’s goals.
March 22, 2013 5:42 PM
Posted by: Ben Cole
Microsoft this week became the latest big-name U.S. company to be investigated for bribing foreign officials and violating the Foreign Corrupt Practices Act. The U.S. Department of Justice and the SEC are investigating a whistleblower’s allegations that Microsoft illegally offered kickbacks to Chinese officials to secure software contracts, according to a report first disclosed by the Wall Street Journal.
The importance of global anti-corruption programs was the topic of a presentation at the sixth annual Marcus Evans Enterprise Risk Management Conference held in Chicago earlier this week. Presenters noted that bribery and corruption investigations have increased dramatically in recent years, with companies such as Wal-Mart and Tyson Foods being charged with FCPA violations.
With more companies expanding global operations, sweeping controls are necessary to prevent bribery and maintain ethical business practices — and avoid FCPA violations in the process, ERM conference presenters said. This can be difficult, however, especially for large corporations with numerous foreign partners.
Microsoft Vice President and Deputy General Counsel John Frank referred to this difficulty in a blogged response to Microsoft’s alleged FCPA violations. Although Frank did not comment specifically on the allegations, he said that as Microsoft continues its business expansion throughout the globe, “legal and ethical standards” are a huge priority for the company.
“Compliance is the job of every employee at the company, but we also have a group of professionals focused directly on ensuring compliance,” Frank wrote in the blog post. “We have more than 50 people whose primary role is investigating potential breaches of company policy, and an additional 120 people whose primary role is compliance.”
As Frank notes in the blog, it’s impossible to say that there will never be any wrongdoing in a company as large as Microsoft. The company’s proactive approach, however, provides a great example for other companies. Presenters at the ERM conference in Chicago said companies can at least demonstrate good faith by having an ethics and compliance program in place that allows the business to pounce on such allegations quickly with their own internal investigations. This proactive approach, as well as a cooperative and transparent relationship with regulators, proves to investigators that high-ranking members of the organization know what is going on and are taking steps to fix the problem.
In addition to potentially garnering at least some sympathy from investigators when it comes to doling out punishment, the proactive, “we will not stand for this” approach could offset reputation damage stemming from these and similar allegations. This is increasingly important as more companies expand global operations — especially when these operations are in regions with lax corruption and anti-bribery controls.
Unsavory employees, rogue third party agents and corrupt officials will always have the potential to create legal concerns for companies all over the world. As the Microsoft case shows, it’s better to be prepared rather than hoping it doesn’t happen. Your bottom line — and business reputation — could depend on it.
February 22, 2013 6:05 PM
Posted by: Ben Cole
U.S. cybersecurity — or the lack of it — was big news this week, as President Barack Obama’s recent issuance of cybersecurity-related executive orders coincided with reports that China has systematically made cyberattacks against American interests.
Since 2006, a Chinese military unit within the People’s Liberation Army has been using cyber-espionage to steal “confidential data from at least 141 organizations across multiple industries,” according to a report from Alexandria, Va.-based security firm Mandiant Corp. Mandiant’s findings, first reported in the New York Times, allege the Chinese hackers targeted wide-ranging sectors — many with operations in the United States — including information technology, military contractors, aerospace, chemical plants, telecommunications and scientific research. The Chinese government denies the reports.
The China hacking allegations came shortly after President Obama issued an executive order titled “Improving Critical Infrastructure Cybersecurity.” The cybersecurity executive order stated that “repeated cyber intrusions” require operators of critical U.S. infrastructure to improve cybersecurity information sharing and the implementation of risk-based standards. Following the Chinese hacking allegations, the Obama administration also announced new efforts to protect against U.S. intellectual property theft.
But is the executive order enough to protect U.S. interests? Part of the reason the order was necessary is due to several failed attempts in recent years to pass a sweeping piece of cybersecurity legislation. Past U.S. cybersecurity bills have been thwarted by privacy groups and those representing businesses — including the very vocal U.S. Chamber of Commerce that argued the bills would put undue costs and regulations on industry.
Both the privacy and bottom line-related arguments could be perilous in the face of the Chinese hacking allegations, as well as other recent high-profile hacks of Apple, Facebook and the New York Times itself. It’s just common sense that hackers are usually seeking trade secrets, business information and personally identifiable information. This is all information that would ultimately degrade online privacy and business interests for those organizations and individuals that are being hacked.
If businesses and privacy groups don’t realize the need for U.S. cybersecurity after recent attacks against the country’s interests, the entire nation will continue to face these threats. As hackers and their targets get more sophisticated, a comprehensive, cooperative approach to the nation’s cybersecurity will be necessary. Of course, privacy and costs will have to be considered when developing the rules. But until at least some cybersecurity rules are outlined, online security for all Americans remains vulnerable.
January 18, 2013 4:25 PM
Posted by: KevinBeaver
So you want to pursue a career in compliance? I can’t really blame you. With a median salary of more than $60,000, it can certainly pay off — and the sky’s the limit moving forward. Of course, money’s not everything. Sure, it ranks up there with oxygen — but there’s certainly more to a career in compliance than the financial aspects alone, right?
In my past 11 years working as a consultant, I’ve had the opportunity to work with a number of compliance officers and managers. These roles have evolved from policy pushers to gain a much more respectable seat at the table when critical IT and business decisions are being made. Many businesses even have their own lawyers that serve in a compliance oversight role. There’s no doubt that compliance, and the need for intelligent people to manage it, has certainly gained traction in the last decade.
There are, however, still some potential issues you need to be aware of before running down the compliance career path at full tilt. Here are some aspects about the role compliance plays in organizations I’ve seen time and again:
- It can be overwhelming. With government and industry rules expanding all over the world, IT compliance regulations seem to change every week. Add to that the complexity and verbosity of the lawyer-speak you’ll be subjected to, and you have to keep up with a lot of information.
- Compliance is not sexy. It’s important, no doubt, and one of the most important roles in business today. But working with policies, procedures and audit processes may not be the most elegant and appealing work. And don’t forget the endless number of meetings.
- If they need a scapegoat, expect peers and management to throw you under the bus during and after a data breach. After all, you’re the person who wrote the policies and oversaw the security assessments and controls leading up to the event, right?
- IT staff will think you’re out to get them. There can be continual paranoia — even if they need to be called out for their oversights. It’s not normally all that terrible — just know that it can be. Admit it: Those of us working in IT can be hard-headed.
- Staying on top of what’s happening in and around IT can require more technical skills than many people assume. You don’t necessarily need a technical degree or certifications to get by — just some sharp insight and well-placed questions (periodically and consistently, of course) to ensure no one is pulling the wool over your eyes.
In the end, you have to ask yourself if you have the right personality, level of patience and raw ability to put up with a lot of nonsense necessary for a career in compliance. If your organization’s culture and leadership embrace compliance and your role in it, however, you can definitely go places in the business — all while making vital decisions that determine its success.
December 14, 2012 5:10 PM
Posted by: Ben Cole
Some of the changes include:
New tools to manage content. In Facebook’s updated activity log, there will be a new “request and removal tool” that allows users to take action on photos they are tagged in. “If you spot things you don’t want on Facebook, now it’s even easier to ask the people who posted them to remove them,” Lessin wrote.
The Facebook policy updates are scheduled to roll out before the end of the year, and come as online privacy remains a hot topic in the IT world. Earlier this month, Delta Air Lines Inc. became the first organization to be sued for potential violations of California’s Internet privacy law. The suit claims the mobile phone application “Fly Delta” violates the law because it does not adequately disclose what personal information is being collected from users and how that information will be distributed.
The U.S. government is paying attention to online and mobile privacy as well: This week, the Senate Judiciary Committee voted in favor of the Location Privacy Protection Act, which would require companies to get customers’ consent before collecting or sharing mobile location data. The move came just weeks after the same committee approved a bill to update privacy safeguards for email and other electronic communications.
November 15, 2012 5:11 PM
Posted by: Ben Cole
The Internet — and Wall Street — was abuzz this past week after the reelection of President Barack Obama and the election of newcomer Elizabeth Warren as the U.S. Senator in Massachusetts. Wall Street, in all likelihood, was hoping that Mitt Romney would unseat Obama — as well as dismantle the Dodd-Frank Act regulations and cut back financial reform. Warren has also been outspoken in her disdain for Wall Street’s treatment of consumers, and can now cast financial regulation votes from her Senate seat.
Several bloggers and major newspapers speculated that Obama would target financial reform in his second term. The Washington Post stated that with the election behind him, Obama no longer needs to cater to special interests and can be more tenacious in attacking changes in the financial system. Bloomberg Businessweek reported that Warren’s Senate seat gives her “powerful tools” in the debate over whether and how to regulate the finance industry.
Some, however, remain skeptical that the new regime will have much of an influence on financial reform, especially when it comes to Dodd-Frank regulations. After all, the U.S. is still way behind in implementing most parts of the law. Only a third of the rules have been finalized, noted ProPublica reporter Jesse Eisinger in an article published in the New York Times online, and Eisinger is not sure Obama’s reelection will speed the process.
“The core problems with the financial system and its regulators are deeper than personnel and sadly impervious to which party occupies the White House,” Eisinger wrote. “They are bipartisan and structural.”
The question is: How much of the anti-Wall Street campaign talk was just that — campaign talk? After spouting “sticking up for the little guy” rhetoric on the campaign trails, both Warren and Obama may scale back to more moderate viewpoints after the election. It’s also going to take more than two people to overhaul the financial system — it requires a sea change in the political stance toward Wall Street, and the attitudes of Wall Streeters themselves.
What do you think? Will the 2012 election, particularly the victories by Obama and Warren, have an impact on Dodd-Frank regulations and financial reform? Or will it be business as usual on Wall Street?
October 5, 2012 5:01 PM
Posted by: Ben Cole
Many companies are now seeing the benefits of cloud computing: cost savings, increased network accessibility and improved scalability, to name just a few. But cloud security issues, compliance and privacy are increasing concerns.
The Cloud Market Maturity study, a joint survey released by the Cloud Security Alliance and ISACA last month, revealed that government regulations, legal issues and international data privacy are among the top 10 areas ranked by respondents as “low confidence” when it comes to the cloud.
These concerns were echoed during the recent “Cloud 2.0” panel discussion held in Waltham, Mass., last week. Among the panelists was Judy Klickstein, CIO at Cambridge Health Alliance, who said that, ideally, the cloud provides the means to offer services to her company’s users in a very cost-competitive, secure environment. It’s that “secure environment” part that creates concern for organizations currently moving to the cloud — especially those in the health care field, Klickstein said.
“We have an obligation, and a duty, a judiciary responsibility at our organization to make sure that somebody’s personal information does not get hacked, stolen, shared or sent to the wrong place,” Klickstein said. “As part of that, there’s an enormous array of federal and state regulations guiding everything about what happens to you if you really screw it up.”
When these regulations are violated, it triggers a loss of patient trust, as well as severe financial penalties, Klickstein said. As a result, Cambridge Health Alliance is very conscious of these cloud security issues when working with providers, and looks closely to see how reliable and secure the platform is.
And, of course, alleviating these data security, privacy and compliance concerns more than likely will not come cheap. Even with the numerous benefits of the cloud, choosing which platform is best is still, ultimately, a business decision — and is treated as such.
“If the cloud was providing me with all the things that I feel we have to have for controlling my data center and my environment and they can do it more cheaply, that would be a terrific thing,” Klickstein said. “If there is a risk of doing that and it’s going to cost me three times as much, then do the math.”
Speaking of cloud-related business, a recent blog post from Fidelity.com examined the possible investing possibilities when it comes to the cloud. While the bloggers state that there are many investment opportunities, there are still many questions around cloud security issues. Successful investing in cloud computing will require a thorough understanding of the technology and any potential regulatory issues that may surface, they added.
The phrase “potential regulatory issues” is interesting. One has to wonder, with increased cloud use, if we’re one major cloud security breach away from government-induced, cloud-specific regulations. After all, these regulations are usually not on the horizon until something goes wrong. It’s good that at least some companies are paying attention, and being proactive about the potential cloud security issues before they arise.
August 30, 2012 5:00 PM
Posted by: Ben Cole
We’ve been talking a lot about records management here at SearchCompliance.com this summer … perhaps President Barack Obama is a fan? Probably not, but last week the White House announced key dates and directives regarding his “Presidential Memorandum — Managing Government Records,” first unveiled in December 2011.
The directives were released in an Aug. 24 memo from Jeffrey D. Zients, acting director of the Office of Management and Budget, and David S. Ferriero, archivist at the United States National Archives and Records Administration.
“This Directive requires that to the fullest extent possible, agencies eliminate paper and use electronic recordkeeping,” Ferriero and Zients wrote in the memo. “It is applicable to all executive agencies and to all records, without regard to security classification or any other restriction.”
The goal of President Obama’s record management initiative is to “develop a 21st-century framework for the management of Government records.” Under the initiative, by the end of 2019, all federal agencies’ permanent records will be managed electronically to the “fullest extent possible.” The president has said the framework will ultimately reduce government costs and help agencies operate more efficiently, as well as improve federal transparency by better documenting actions and decisions.
Some other key dates that federal officials should mark on their calendars:
- By Nov. 15 of this year, each agency should name its “senior agency official” who will oversee their records management program.
- Although federal agencies have until 2019 to move records to an electronic format, they must have plans for how they will do so completed by Dec. 31, 2013.
- Agencies must have records management training in place for appropriate staff by Dec. 31, 2014.
In a blog post following the memo’s release, Ferriero called President Obama’s record management strategy a “historic moment” that will “allow current and future generations to hold their government accountable and to learn from the past.”
Ferriero is correct — President Obama’s records management initiative is a step in the right direction for modernizing the federal government’s data management processes (although one does wonder why it took this long). As we have explored here recently at SearchCompliance.com, sound records management can have many positive implications for entities: When done correctly, it can help boost the bottom line and aid adherence to compliance standards.
There no doubt will be, however, many data governance challenges to overcome as the initiative moves forward. The sheer complexity of federal records, coupled with their sensitive nature that necessitates proper security protocol, will no doubt cause hiccups for at least some agencies along the way. While 2019 sounds far off, it’s probably a good thing the fed has until the end of the decade to complete this initiative.
August 10, 2012 6:36 PM
Posted by: Ben Cole
Data management and security could create huge problems in our increasingly connected world, as two recent events have made evident: Earlier this month, a Knight Capital computer program unleashed a series of erroneous stock orders that resulted in a $440 million loss for the trading firm. Last week, journalist Mat Honan described at length how hackers, taking advantage of security flaws at Apple, Amazon and Gmail, completely wiped several of his Apple devices and commandeered two of his Twitter accounts.
The two events show that data management and security is taking a backseat as businesses and consumers strive to stay connected. The New York Times reported that Knight Capital rushed to develop the faulty software to take advantage of computer-driven markets and failed to work out problems with the system. In his frank, detailed description of the events that led to his “epic hacking,” Honan admits he is very much to blame for his inattention to security. But he also notes the apparent IT security disconnect that people — and corporations — often forget when technology is used across developers and platforms.
“Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information,” Honan wrote. “In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.”
At least some are paying attention to the potential risks: Apple announced it had stopped allowing over the phone password resets, and Amazon announced fixes to its security policies after Honan’s hacking went public. In response to the Knight Capital debacle, SEC officials are pushing for new regulations around trading technology.
But more consumers and businesses need to realize these data management and security concerns are not going anywhere — and will likely get worse unless they take the necessary steps to protect themselves. In the struggle to stay ahead of the next guy when it comes to the latest IT gadgets and tools, security should stay a primary concern or, as Honan and Knight Capital can attest, more will suffer the personal and financial consequences.