IT Compliance Advisor


February 28, 2014  3:03 PM

RSA 2014: Four luminaries discuss underestimated security threats

Ben Cole

(This blog post was written by Christina Torode, Editorial Director of SearchCIO Media Group)

I spent a whirlwind trip to the RSA conference this week in San Francisco hanging out in the Information Systems Security Association (ISSA) booth, catching up with the group’s members as they popped in. We talked about many things: cyber warfare, the need for collective security intelligence, how important being a member of a group such as ISSA is to a career, Edward Snowden, how much system access security vendors should give the government, how threats are becoming increasingly political in nature.

This post would be extraordinarily long if I went into all the discussions, but here are a few snippets of the conversations where ISSA members and industry luminaries describe threats the security profession needs to pay more attention to:

Marcus Ranum, CSO of Tenable and developer of the first commercial firewall
“The threats aren’t really new or emerging ones. We’re always up against mistakes we made 10 or 15 years ago. We’re really just now starting to cope with problems raised by distributed computing, which is kind of sad. We haven’t even gotten to transitive trust. Hackers are starting to understand transitive trust and we’re going to have a serious problem when that happens.”

Howard Schmidt, professor at Idaho State University, consultant with Ridge-Schmidt Cyber and former White House cyber advisor for Presidents George W. Bush and Barack Obama
“The mobile environment. When there were just a few BYO devices, there wasn’t a lot of connectivity so they weren’t really a threat to the environment. Now virtually everything has an IP address and is connected, network to network, through the home or work environment. We really haven’t thought that through. Some software is well vetted, but other software can be downloaded with malware, that extra piece of software that can pull out your PII.

What people pay even less attention to is all the devices in the home. The TV is becoming an Internet device looking to control access to a lot of things. Hopefully we won’t go down the path [with home devices such as the TV] and make the same mistakes we have with other systems. We know that there are vulnerabilities, we need to get them fixed and go to the manufacturer and say ‘It’s great that you have this application, but it also exposes me.’”

Dave Cullinane, former eBay CISO and founder of SecurityStarfish
“The level of attack sophistication is getting incredibly scary. eBay was a technology company so we had the resources and kind of money to be able to access shared information and intelligence on what’s going on across the industry and businesses. Small and mid-size companies don’t have those resources. Access to good intelligence [analytics] on what to look for and what to do about [a security threat] helps you invest the right way.

Another area that can help is software-defined perimeters. Coca-Cola and the Cloud Security Alliance are working with open standards, some technology that has been around for a while, that has the capability to eliminate the potential for huge groups of attacks.

Another helpful measure? If your customers pose a threat to your own security, teach them how to defend themselves and give them the tools to do it. eBay gave its customers Microsoft Security Essentials, which allowed their customers to uncover a lot of hidden threats.”

Gene “Spaf” Spafford, professor of computer science at Purdue University
“I don’t think I’ve seen anything that I would consider a new attack. Many of the things occurring are attack technologies and behaviors that have been known about for decades, but practitioners in the field today don’t know about them. Certainly an awful lot of organizations that have been attacked have not bothered to make appropriate investments in security, so when these attacks occur everyone goes ‘wow that’s a surprise,’ but it isn’t really.

The recent series of attacks on POS terminals to collect credit card numbers, that’s not new. It’s malware, going after personal information and these organizations were ignoring the warnings.

What we are seeing that’s a little bit different is larger scale and a little more politically motivated element to attacks. The Syrian Electronic Army, for example. Those are disturbing because we don’t have a coordinated international response to the wide scale cybercrime and the politically motivated behavior.”

Christina Torode oversees coverage and special projects for SearchCIO.com, SearchCIO-Midmarket.com and SearchCompliance.com. She has been a high-tech journalist for more than a decade. Before joining TechTarget, she was a reporter for technology trade publication CRN, covering a variety of beats including security, networking, telcos and the channel. She also spent time as a business reporter and editor with Eagle Tribune Publishing in eastern Massachusetts.

September 4, 2013  4:06 PM

Extending information governance controls to the cloud

Ben Cole

(This blog post was written by Marilyn Bier, chief executive officer for ARMA International.)

All organizations depend on information to manage day-to-day operations, comply with regulations, gauge financial performance and monitor strategic initiatives. This critical information resides in the organization’s business records.

Good information governance controls are difficult enough to apply inside an organization, even when it is using its own best practices tool set. While it is possible to manage aspects of the lifecycle and disposition of the information that resides in the cloud, these rules become more difficult to enforce.

“Proper information governance requires a centralized control point, as well as effective enforcement, for an organization’s records management tool set to be effective,” said Brent Gatewood, owner of consultIG, in a recent issue of Information Management magazine. “Today, the controls in place with most SaaS [Software as a Service] providers are too non-specific. The controls in place are collection-focused and largely managed according to the provider’s rules, not those of the organization whose information is being stored.”

To satisfy the information governance needs of most organizations, control and management of data in the cloud should reside inside the organization itself and extend to cloud-based repositories. A centralized tool managing lifecycle rules for the organization needs to have the proper hooks into the data residing in the cloud. These tools need to have a complete view of the information owned by the organization to be responsive to internal and external requests.

According to Gatewood, “The reality is this: The tools may not exist, but organizations are moving — or have already moved — data into the cloud. Data relationships and management controls inside of organizations are more important than ever. Unless the management controls are already in place, it is unlikely that individuals are going to seek advice about extending controls to cloud-based repositories.”

Cloud computing is not going away. It can be a valuable tool, but a tool that needs to be understood and managed. Applying information governance controls, with the proper relationships in legal and information technology and services, can help to reasonably manage information in the cloud.

Information governance controls: cloud provider accountability
Gatewood recommends that organizations considering a cloud-based initiative — or reviewing a solution already in place — find answers to the following questions about contracts, audit controls and integration points:

Contracts

  • What service are we contracting for and what are the vendor’s records management and compliance obligations?
  • What kind of data controls does the vendor have in place?
  • How is information destroyed?
  • Can we set minimum and maximum retentions and at what level?
  • Are there secure destruction options?
  • What are the vendor’s policies for backups, replication or failover?
  • How do we confirm disposition takes place on a timely basis and according to our rules?

Audit controls

  • What is the provider’s internal audit process?
  • How often is the provider audited by external agencies?
  • What standards is the provider held to?
  • Is the vendor open to being audited for compliance? (If not, this may be a sign of bigger issues.)

Integration points

  • Is the vendor open to integration with our systems and applications?
  • Has the vendor integrated with any systems that provide a structure for compliance?

Organizations must also consider if the vendor’s policies and procedures related to the handling and management of information are acceptable. If they are not, Gatewood believes the organization should either move the data elsewhere or require an auditable change that meets its needs.

Gatewood also recommends that organizations require a data map that details where the information resides. Data maps can be complicated because they detail what is often a complex infrastructure that might involve third-party relationships specific to your data, but the effort to review them is definitely worthwhile.

Marilyn Bier is chief executive officer of ARMA International, an authority on governing and managing information as critical business assets. As a not-for-profit professional association founded in 1955, it provides its 10,000-plus global members and countless external customers the education, publications and resources they need to be able to create, organize, secure, maintain, use and dispose of information in ways that align with and contribute to their organization’s goals.


August 26, 2013  7:05 PM

GRC, big data require law firms to reexamine information governance

Ben Cole

Big data presents numerous data governance challenges: Regulatory compliance, information security and risk management are all complicated by the amount of data generated by the average business today.

Law firms are heavily affected by this exponential data growth and the increased importance of information governance processes. Clients increasingly require — and demand — higher standards for how lawyers secure their data and manage access to it.

“It’s becoming important to law firms because clients are making it important to law firms,” said Rudy Moliere, director of records and information at Morgan Lewis & Bockius, LLP. “There is an increasing need for them to manage their information.”

Moliere is one of the authors of two new reports titled “Building Law Firm Information Governance: Prime Your Processes” and “Emerging Trends in Law Firm Information Governance” that focus on how the legal field manages, secures and accesses information. The reports were written by a handful of information management professionals from U.S. law firms, and published by Iron Mountain, Inc.

The reports are designed to provide law firms a blueprint for creating information security policies and processes, and making data readily available to both staff and clients. The reports were developed during a symposium held earlier this year.

“In the legal environment, information governance is becoming more of a requirement than an option, especially as more clients want to know how their information is being protected,” said Brianne Aul, senior manager of Firmwide Records, Reed Smith LLP, and a member of the symposium steering committee, in a statement.

“Clients have very valid expectations that their outside counsel will have policies and protocols for keeping information secure.”

In addition to clients making these information governance and security demands, they are also auditing firms to ensure firms are meeting regulatory and security requirements. New and expanding compliance regulations are forcing those in the legal field to closely examine their approach to information governance. The HIPAA Omnibus rule, for example, extends Health Insurance Portability and Accountability Act compliance to business associates of the typical covered entities directly involved in patient care, including law firms.

This increased focus on data management as it relates to staying compliant is having a major effect on legal information governance, said Carolyn Casey, Esq., senior manager, legal vertical for Iron Mountain.

“In the past, law firms were of the mind that they advise clients on regulatory compliance,” Casey said. “I think, more and more, it’s really turning back to the law firms themselves.”

Another driver of this trend is the increased scope of cyberthreats, and the federal government’s reaction to them. Earlier this year, President Barack Obama signed an executive order requiring federal agencies to share cybersecurity information with private companies.

The order also requires the creation of a cybersecurity framework designed to reduce risks to U.S. companies that provide critical infrastructure.

“In correlation with that new executive order, [it] stepped up interest by clients in just how law firms are managing that sensitive information that corporate clients entrust to them,” Casey said.

A new approach to information governance has huge benefits to the law firms themselves, according to the reports’ authors. These include operational efficiencies and a reduction in data management costs, as well as mitigating the law firms’ risk of security breaches and non-compliance.

As the amount of information law firms are responsible for continues to grow, the need to quickly access, classify and protect that information becomes a key issue from a legal standpoint. By making information governance processes a bigger part of everyday operations, law firms can make sure data is readily available and protected, said the reports’ authors.

“Proliferation of information has been happening for quite some time,” Moliere said, but until recently “we didn’t have a clear understanding what exactly information governance meant in a law firm environment.”


July 24, 2013  8:56 PM

U.S. cybersecurity concerns continue for public, private sector

Ben Cole

Gaping holes in U.S. cybersecurity — especially vulnerabilities relating to trade secrets — remain a top concern for the Obama administration as it struggles to get industry on board with digital security efforts.

Consider these reports: Last week, a New York Times article estimated U.S. research universities suffer “millions” of hacking attempts weekly. Many of these attacks are believed to stem from China, but the increased sophistication of hackers makes it difficult to determine the exact origin. Earlier this year, Alexandria, Va.-based security firm Mandiant Corp. reported that since 2006, a Chinese military unit within the People’s Liberation Army has been using cyber-espionage to steal “confidential data from at least 141 organizations across multiple industries.” In May, a research firm uncovered an India-based cyber-espionage network designed to gather intelligence from a combination of national security targets and private-sector companies across the globe.

In addition, a report released earlier this month by the Center for Strategic and International Studies, co-sponsored by software firm McAfee Inc., estimated that cybercrime and theft of intellectual property costs the United States up to $100 billion in losses annually.

Despite these obvious concerns, the Obama administration and other boosters have struggled to pass sweeping cybersecurity measures, mostly due to bureaucracy and industry resistance: Budget constraints forced the Department of Homeland Security to cut a number of cybersecurity-related training sessions with utility companies, the Wall Street Journal reported this week. Business groups, including the U.S. Chamber of Commerce, have argued against past U.S. cybersecurity bill iterations, with the biggest argument being that the regulations would put an undue burden on industry.

The state of foreign relations is not helping matters. At the annual U.S.-China Strategic and Economic Dialogue in Washington, D.C., earlier this month, cybersecurity regulations were a major topic. Coming to a cybersecurity compromise proved difficult, however, especially because the leaks surrounding the National Security Agency’s PRISM program and its associated online surveillance activities make U.S. efforts to curb cyberattacks seem hypocritical. In addition, Chinese government officials continue to deny involvement in state-sponsored cyberattacks on foreign soil.

The question is: Do U.S. businesses realize the tenuous state of their online information? POLITICO reported earlier this week that President Obama is considering tax breaks and other benefits to entice businesses, especially those involved with critical infrastructure, to make cybersecurity improvements.

One thing is certain: Cybercrime and determining a path to cybersecurity continue to be a growing problem on a global scale. Hackers are only getting more sophisticated, and often seem one step ahead of efforts to curb them. As a result, protecting state secrets, business data and citizen information is a priority not just for the U.S., but for countries all over the world. Improving cybersecurity will require collaboration between the U.S. government, businesses and possibly even other countries. Without this cooperation, hackers will continue to gain the upper hand and put sensitive information at risk.


July 8, 2013  6:51 PM

A records retention schedule helps assure efficiency and defensibility

Ben Cole

(This blog post was written by Marilyn Bier, chief executive officer for ARMA International.)

It’s tempting to hang on to every document and every email message we create and receive because we think there’s always a chance it will be needed again. It’s especially easy to retain electronic records because they don’t pile up on our desks or choke our cabinets; instead, they can be tucked away on a network server or in a hibernating email account, out of sight and mind.

Meanwhile, we continue to generate electronic records at a staggering pace – and, in the process, we may be piling on more and more operational and legal risk.

The best safeguard is a sound information governance program that treats records as the strategic assets they really are. Such a program will help identify gaps in business processes, minimize legal and compliance risk, and potentially save enormous sums of money in discovery and litigation.

At the heart of an information governance program is the records retention schedule. ARMA International, the authority on information governance, defines a records retention schedule as “a comprehensive list of records series, indicating for each the length of time it is to be maintained and its disposition.”

How do you develop a retention schedule? There are many resources that provide detailed guidance. ARMA International recommends How to Develop a Retention Schedule, by John Montana, founder of records management consulting firm Montana & Associates; and Records Retention and Disposition, an online course that includes a copy of Montana’s book.

Generally, the process of developing a records retention schedule begins with categorizing records. Their worth is then defined against established criteria, such as how long a record has operational or legal value. Next, a time frame for maintaining the records is defined. Finally, the disposition of the records is determined, which entails some method of destruction or preservation for their historical value.

Because a records retention program touches every part of an organization, it provides operational, legal and regulatory benefits.

A consistently enforced retention program will help control the growth of your records. If you’ve ever had a hard time finding a document you’re sure is stashed on a server or flash drive somewhere, then imagine how difficult it would be to locate and analyze 880 million pages of information. That’s how much data the plaintiff requested in McNulty v. Reddy Ice Holdings Inc., a 2011 civil action in the United States. It may seem like an extraordinary example, but there are many cases of parties having requested millions of records in litigation.

So, clearly, keeping records that have outlived their use will clog the system, making it expensive to find those items that are urgently needed for a business purpose or to meet a discovery request. In a lawsuit, the searching parties may be paralegals, who typically charge $175 or more per hour, or lawyers, who are much more expensive.

Also, keep in mind that storing useless records is the equivalent of burning money. As IT budgets continue to tighten, system administrators are looking for ways to reduce their overall costs – and one tool at their disposal is a good retention program.

A good retention program also minimizes the organization’s exposure to the legal risks that may be associated with document retention and disposal. Retention and disposition are designed to occur regularly — in the normal course of business — rather than on an arbitrary basis. Thus, a retention schedule will demonstrate to courts and regulatory agencies that certain records were disposed of as scheduled, with no hidden motives for doing so.

Additionally, the retention schedule helps assure compliance with retention laws and regulations. Certain records must be kept for certain periods, while others must not be kept after certain periods. For example, a sound retention schedule will prevent an organization from retaining confidential medical or personnel records beyond their lifecycle, thereby eliminating their unnecessary risk of exposure.

There is one thing that trumps a retention schedule, and that’s a legal hold.

A legal hold is issued as a result of current or anticipated litigation, audit, investigation or other matter, and it suspends the disposition of the affected records. When a legal hold is in place, those records must not be destroyed or changed until the hold is lifted. Spoliation is the destruction or alteration of records that are subject to a current legal hold. It can lead to severe fines, adverse publicity and even prison.
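The schedule-then-hold logic described above, as an added example that is not part of the original post and not ARMA International's own tooling: a small Python disposition check that applies a retention schedule by record series, refuses to dispose of anything covered by an active legal hold, and records a reason for every decision so that the run itself is the defensibility record. The record series, retention periods, custodians, dates and the hold are all constructed for illustration and are not retention guidance.

```python
# Added example: retention schedule with a legal-hold override.
# Not ARMA International's code; series, periods, dates and the hold are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention schedule: series -> (days to retain after the trigger date, disposition).
# None means permanent retention. Constructed values, not retention guidance.
SCHEDULE = {
    "personnel-file": (7 * 365, "destroy"),
    "medical-record": (6 * 365, "destroy"),
    "board-minutes": (None, "archive"),
}

# "Today" for the sample run; pinned so results are reproducible.
AS_OF = date(2013, 7, 8)


@dataclass
class Record:
    record_id: str
    series: str
    trigger_date: date      # event that starts the clock, e.g. file closure
    custodian: str


@dataclass
class LegalHold:
    hold_id: str
    matter: str
    custodians: set
    series: set = field(default_factory=set)   # empty set means every series
    released: bool = False

    def covers(self, rec):
        """True while the hold is active and applies to this record."""
        if self.released or rec.custodian not in self.custodians:
            return False
        return not self.series or rec.series in self.series


def disposition(rec, holds, today):
    """Decide what happens to one record today; returns (action, reason).
    Holds are checked before the schedule: a legal hold trumps retention."""
    if rec.series not in SCHEDULE:
        return "review", "no retention rule for series " + rec.series
    active = [h.hold_id for h in holds if h.covers(rec)]
    if active:
        return "hold", "disposition suspended by " + ", ".join(active)
    days, action = SCHEDULE[rec.series]
    if days is None:
        return action, "permanent retention"
    eligible_on = rec.trigger_date + timedelta(days=days)
    if today < eligible_on:
        return "retain", "eligible for %s on %s" % (action, eligible_on)
    return action, "retention period expired %s" % eligible_on


def run_schedule(records, holds, today):
    """Apply the schedule to every record and return the audit log. Recording
    the reason for each decision is what makes routine disposition defensible."""
    log = []
    for rec in records:
        action, reason = disposition(rec, holds, today)
        log.append({"date": today.isoformat(), "record": rec.record_id,
                    "series": rec.series, "action": action, "reason": reason})
    return log


# Constructed sample records and one active hold on custodian jdoe.
SAMPLE_RECORDS = [
    Record("HR-1001", "personnel-file", date(2005, 3, 1), "jdoe"),
    Record("HR-1002", "personnel-file", date(2012, 6, 15), "asmith"),
    Record("MED-2001", "medical-record", date(2006, 1, 10), "jdoe"),
    Record("BRD-3001", "board-minutes", date(2001, 9, 30), "secretary"),
    Record("X-9999", "vendor-invoice", date(2000, 1, 1), "ap"),
]
SAMPLE_HOLDS = [LegalHold("LH-7", "Doe v. Example Corp", {"jdoe"})]

if __name__ == "__main__":
    for entry in run_schedule(SAMPLE_RECORDS, SAMPLE_HOLDS, AS_OF):
        print(entry["record"], entry["action"], "-", entry["reason"])
```

Two points the run illustrates: HR-1001 is past its retention period but is reported as "hold", not "destroy", because the hold on its custodian is checked first; and X-9999, whose series has no rule, is flagged for review rather than silently retained, which is how unscheduled series surface for the next schedule revision.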

Organizations of all sizes and types are subject to laws that affect the records they create, how long they keep them and what they can do with them. A consistently enforced records retention program will demonstrate to the courts, regulators, boards and key stakeholders that the organization is fully leveraging its records for the purposes of operational efficiency and legal defensibility.



May 31, 2013  2:50 PM

Financial compliance regulations often ignored at the local level

Kevin Beaver

Compliance regulations, including those targeting the finance industry, are in place to protect sensitive personal information, right? Apparently some people at the giant, “mega banks” didn’t get the memo. I once completed a real estate transaction and got to see first-hand how the Gramm-Leach-Bliley Act, PCI DSS and even state breach notification laws are completely and utterly ignored in the real world.

I saw firsthand unbelievably sloppy handling of Social Security Numbers and similarly sensitive information via PDF files, emails and the like. I was expecting to see such behavior and was doubly intrigued (but not surprised) when I saw the under-protected smartphones and unencrypted laptops processing and storing all of this information. Another funny bit: We were even sent the financial history of the opposite party via a cc’d email. Nice.

I found it interesting that the giant banks are so careless. After all, they have such great visibility in financial compliance regulation arena, not to mention those glossy marketing pamphlets promising us that they value our personal information and vowing to keep it protected. Talk is cheap indeed.

I’m not picking on just the giant monster mega banks. I dealt with a small community bank as well, and when I asked the lender some basic questions about her computer’s security and the bank’s data management processes, she looked at me like I was crazy. It was as if I didn’t need to know that kind of stuff.

Sure, financial compliance regulations are a means for government and industry bodies to fall back and enact sanctions when people don’t obey the rules. In reality, they’re often for show and not much else. It’s easy for “corporate” to enact their policies and wow their auditors and regulators. But when the rubber meets the road at the local level, it’s quite a different story. I’ve seen it in my security assessment work, but my experience provided deeper insight into banking and the financial industry as a whole — not to mention this grand façade we call “compliance.”

It reminds me of the saying “when seconds count, the police are just minutes away.” Relying on regulations to keep our personal information in check is short-sighted. You have to look out for yourself because someone along the chain of custody at these financial institutions, whether intentional or not, will no doubt be careless in their actions.

Keep all of this in mind the next time you buy or sell a home or give out tons of personal information to a business in the financial industry. Perhaps the time’s ripe to freeze your credit if you haven’t done so. Many people aren’t aware of it, but freezes are one of the cheapest and most foolproof means of protecting your credit. It won’t keep people from accessing your private information, but at least the criminals won’t be able to get credit in your name — which can be a real mess to get out of. Home buyer beware.


May 2, 2013  7:24 PM

Predictive coding: It’s not just for e-discovery any more

Ben Cole

(This blog post was written by Marilyn Bier, chief executive officer for ARMA International.)

By now, everyone in the world of information management is aware of the staggering increases in electronically stored information (ESI). Pundits and consultants often use colorful analogies to emphasize these remarkable numbers. Extreme predictions are routinely made and routinely replaced by predictions that are even more extreme. Obscure terms like “exabytes” and “yottabytes” are commonly summoned.

There’s a good reason the pundits and consultants are going through all this trouble to get our attention: poorly managed ESI poses very serious business and legal risks to an organization.

Maximizing value, minimizing risks

Solid information governance is always the best approach to maximizing records and information as business assets and minimizing business risks. ARMA International defines information governance as “a strategic framework composed of standards, processes, roles and metrics that hold organizations and individuals accountable to create, organize, secure, maintain, use and dispose of information in ways that align with and contribute to the organization’s goals.”

Poor information governance will likely result in a data management disaster whereby records are lost, retained too long, disposed of improperly, made vulnerable to breaches, and subjected to other undesirable ends that weigh heavily on an organization’s bottom line and its reputation.

The explosion of ESI and the rigors of e-discovery have spawned many tools that promise to help organizations conquer the chaos of “too much information.” One evolving technology, called predictive coding, has proved useful for e-discovery and is gaining traction as a tool for managing information throughout its lifecycle.

Using predictive coding for e-discovery

The process of predictive coding is not new, but the technologies around it have been evolving rapidly to better address e-discovery, where the hours and dollars required to manually review thousands of documents in potentially thousands of locations can overwhelm some organizations. Using algorithms, predictive coding helps an organization get a better idea of what its data contains, thereby signaling its relevance to a particular e-discovery action.

Also of note, the courts are showing some level of comfort with the practice of predictive coding for e-discovery. In the 2012 Da Silva Moore v. Publicis Groupe et al. action, for example, the defendant proposed using predictive coding technology to cull more than 3 million documents. After the plaintiff objected to the methodology, U.S. Magistrate Judge Andrew J. Peck (Southern District of New York) ruled that while predictive coding is not a magical solution in all cases, “this judicial opinion now recognizes that computer-assisted review is an acceptable way to search for relevant ESI in appropriate cases.”

Last year, in Global Aerospace Inc. v. Landow Aviation LP, a Virginia circuit court allowed a defendant’s request to use predictive coding in a document review that would otherwise require 10 man-years of billable time.

Using predictive coding for information governance

Information professionals Leigh Isaacs and Doug Smith are among many who champion the use of predictive coding beyond the e-discovery arena.

Isaacs, director of records and information governance at Orrick, Herrington & Sutcliffe LLP in Washington, describes predictive coding in a recent Information Management article as “an evolving technology that combines people, technology and workflows to find key documents and identify and review large data sets.” It’s a machine-learning technology that teaches the computer program to predict how to classify documents, based on human guidance, and “the computer program then applies what it has learned to the universe of information.”

In the article, Isaacs explains how predictive coding increases information identification accuracy by pairing subject matter experts with predictive coding technologies. This pairing provides a solid foundation for defensible disposition and prevents content from being retained too long. The technologies can also help a company cull its data to identify valuable intellectual property; locate vital records and contracts that may have been misfiled; identify sensitive information for the purposes of protection and compliance; and much more.

Smith, business manager at Wiley Rein LLP in Ashburn, Va., says in another Information Management article that predictive coding offers an alternative to the manual, subjective process of coding and quality review, which is laden with inefficiencies and inaccuracies.

Predictive coding processes operate either through sampling or observing, both of which use human decisions as the calibrating mechanism, he explains.

Sampling is done by computer software that randomly selects a subset of electronic records and presents it to a human coder for review. The software monitors the coder’s decisions, notes the characteristics of the records that are coded — such as date, recipients and keywords — and then uses these recorded decisions to predict the value of the remaining documents.

In the observing process, the coding software monitors the decisions of human coders as they review records, and then predicts how a record will be coded before presenting it for coding. Next, it compares the predicted coding to the actual coding. Eventually, the software’s predictive coding process reaches the accuracy level that’s deemed acceptable based on pre-set policies.

If an organization lacks proper information governance and hasn’t conformed with the Generally Accepted Recordkeeping Principles®, its electronically stored information (ESI) will not be in a legally defensible condition. Predictive coding can help remediate the problem by creating a classification schema that identifies and categorizes the information that’s housed in unstructured or less-formal systems, Smith explains.

ARMA International joins Isaacs and Smith in encouraging legal, IT and information management professionals to work together to consider predictive coding as another solution in the information governance toolkit.

Marilyn Bier is chief executive officer of ARMA International, an authority on governing and managing information as critical business assets. As a not-for-profit professional association founded in 1955, it provides its 10,000+ global members and countless external customers the education, publications, and resources they need to be able to create, organize, secure, maintain, use, and dispose of information in ways that align with and contribute to their organization’s goals.


April 15, 2013  5:16 PM

Eight principles of information governance and risk management

Ben Cole Ben Cole Profile: Ben Cole

(This blog post was written by Marilyn Bier, chief executive officer of ARMA International.)

Organizations depend on information to manage day-to-day operations, comply with regulations, gauge financial performance, and monitor strategic initiatives. They’re all critical business processes, and they all share an important trait: An accounting of each resides in an organization’s business records.

As a key resource in the operation of any organization, records must be created, organized, secured, maintained, and used in a way that effectively supports the activities of that organization. This information facilitates operations, budgeting, and planning, and it documents compliance.

Identifying Information Risks

The risks are significant for those organizations with too much, too little, or incomplete information within their recordkeeping systems.

Numerous court rulings, for example, have established a legal demand that records be kept in accordance with legal requirements, that the records be accurate, and that organizations be accountable for ensuring their records and information are properly kept. Increasingly, organizations must defend their recordkeeping practices to courts, regulatory agencies, and other oversight organizations. In addition, organizations can be subject to excessive discovery costs for records that should have been disposed of.

The transition from paper to predominantly electronic information has exponentially multiplied such challenges for organizations.

“When information was paper-based, organizations were likely to have detailed policies and procedures that ensured it was managed from its creation through the time it needed to be discarded or sent to archival storage,” says Paula F. Lederman, an information management consultant and principal with IMERGE Consulting Inc. and a contributor to Information Management magazine. “As organizations have shifted to electronic records, though, many have not managed their information with that same discipline because storage is cheap, stored information is invisible, and it is easy to keep everything. However, today’s exploding volumes of poorly managed electronic information present a number of risks and associated high costs, capturing the attention of C-level executives, particularly in legal, compliance, and risk management, and disputing the notion that keeping everything ‘just in case’ is a good strategy.”

Unnecessary e-discovery costs, regulatory sanctions for being unable to produce required documentation, and poor business decisions based on incorrect or incomplete information are all risks that can be avoided by organizations with effective information governance processes.

Mitigating risks through information governance

To meet the challenge, organizations need to implement an effective information governance program, which is defined by ARMA International as “a strategic framework composed of standards, processes, roles, and metrics that hold organizations and individuals accountable to create, organize, secure, maintain, use, and dispose of information in ways that align with and contribute to the organization’s goals.”

Like any critical business process, an information governance program should be defined, endorsed by executive management, communicated throughout the organization, and assessed regularly. The Generally Accepted Recordkeeping Principles® (the Principles) and their complementary Information Governance Maturity Model (Maturity Model) can be used by organizations of any size and in any industry sector to establish and monitor an effective information governance program.

Complying with the Principles assures the organization that its:

  • Information will be protected against loss. Its critical records will be backed up, protected, and easily accessible, allowing it to continue business in the event of a disaster.
  • Information will be available when needed. The organization will have systems and processes in place that will enable it to locate, retrieve, and disseminate information to the right people at the right time so it can be used for decision making, transacting business, and responding to litigation.
  • Information will be retained as required and disposed of when no longer required. The organization will have a records retention schedule that will ensure that information is being retained to meet its operational, legal, regulatory, and historical requirements and that it is disposed of in the normal course of business when its required retention has been met.
  • External investigation and litigation obligations can be met easily. Processes will be in place that ensure that all information that is relevant to litigation or regulatory investigation can be located, placed on legal hold to ensure its availability and integrity, and produced when needed.

The Principles were created with the assistance of renowned records and information management (RIM), legal, and IT professionals, who reviewed and distilled global best practice resources, including the international records management standard (ISO 15489-1 Information and Documentation – Records Management), American National Standards, and court case law. The Principles were vetted through a public call for comment process involving the professional RIM community.

The Principles are:

1. Principle of Accountability — A senior executive (or a person of comparable authority) shall oversee the information governance program and delegate responsibility for records and information management to appropriate individuals. The organization adopts policies and procedures to guide personnel and ensure the program can be audited.

2. Principle of Transparency — An organization’s business processes and activities, including its information governance program, shall be documented in an open and verifiable manner, and that documentation shall be available to all personnel and appropriate interested parties.

3. Principle of Integrity — An information governance program shall be constructed so the information generated by or managed for the organization has a reasonable and suitable guarantee of authenticity and reliability.

4. Principle of Protection — An information governance program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, classified, or essential to business continuity or that otherwise require protection.

5. Principle of Compliance — An information governance program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies.

6. Principle of Availability — An organization shall maintain its records and information in a manner that ensures timely, efficient, and accurate retrieval of needed information.

7. Principle of Retention — An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements.

8. Principle of Disposition — An organization shall provide secure and appropriate disposition for records and information that are no longer required to be maintained by applicable laws and the organization’s policies.

Organizations should view the Principles as a map for a road that is safely winding through an operational and legal minefield that has always existed but has recently become even more treacherous. An organization that doesn’t adhere to the Principles is teetering on the edge of the minefield. By using the Maturity Model, organizations can track their progress in becoming more compliant, moving away from that dangerous edge and toward safety.

Marilyn Bier is chief executive officer of ARMA International, an authority on governing and managing information as critical business assets. As a not-for-profit professional association founded in 1955, it provides its 10,000+ global members and countless external customers the education, publications, and resources they need to be able to create, organize, secure, maintain, use, and dispose of information in ways that align with and contribute to their organization’s goals.


March 22, 2013  5:42 PM

Alleged Microsoft FCPA violations prove anti-corruption controls vital

Ben Cole Ben Cole Profile: Ben Cole

Microsoft this week became the latest big-name U.S. company to be investigated for allegedly bribing foreign officials in violation of the Foreign Corrupt Practices Act. The U.S. Department of Justice and the SEC are investigating a whistleblower’s allegations that Microsoft illegally offered kickbacks to Chinese officials to secure software contracts, according to a report first disclosed by the Wall Street Journal.

The importance of global anti-corruption programs was the topic of a presentation at the sixth annual Marcus Evans Enterprise Risk Management Conference held in Chicago earlier this week. Presenters noted that bribery and corruption investigations have increased dramatically in recent years, with companies such as Wal-Mart and Tyson Foods facing FCPA investigations or charges.

With more companies expanding global operations, sweeping controls are necessary to prevent bribery and maintain ethical business practices — and avoid FCPA violations in the process, ERM conference presenters said. This can be difficult, however, especially for large corporations with numerous foreign partners.

Microsoft Vice President and Deputy General Counsel John Frank referred to this difficulty in a blogged response to Microsoft’s alleged FCPA violations. Although Frank did not comment specifically on the allegations, he said that as Microsoft continues its business expansion throughout the globe, “legal and ethical standards” are a huge priority for the company.

“Compliance is the job of every employee at the company, but we also have a group of professionals focused directly on ensuring compliance,” Frank wrote in the blog post. “We have more than 50 people whose primary role is investigating potential breaches of company policy, and an additional 120 people whose primary role is compliance.”

As Frank notes in the blog, it’s impossible to say that there will never be any wrongdoing in a company as large as Microsoft. The company’s proactive approach, however, provides a good example for other companies. Presenters at the ERM conference in Chicago said companies can at least demonstrate good faith by having an ethics and compliance program in place that allows the business to pounce on such allegations quickly with its own internal investigations. This proactive approach, as well as a cooperative and transparent relationship with regulators, shows investigators that high-ranking members of the organization know what is going on and are taking steps to fix the problem.

In addition to potentially garnering at least some sympathy from investigators when it comes to doling out punishment, the proactive, “we will not stand for this” approach could offset reputation damage stemming from these and similar allegations. This is increasingly important as more companies expand global operations — especially when these operations are in regions with lax corruption and anti-bribery controls.

Unsavory employees, rogue third-party agents and corrupt officials will always have the potential to create legal concerns for companies all over the world. As the Microsoft case shows, it’s better to be prepared than to hope it doesn’t happen. Your bottom line — and business reputation — could depend on it.


February 22, 2013  6:05 PM

China hacking allegations put lack of U.S. cybersecurity in spotlight

Ben Cole Ben Cole Profile: Ben Cole

U.S. cybersecurity — or the lack of it — was big news this week, as President Barack Obama’s recent issuance of cybersecurity-related executive orders coincided with reports that China has systematically made cyberattacks against American interests.

Since 2006, a Chinese military unit within the People’s Liberation Army has been using cyber-espionage to steal “confidential data from at least 141 organizations across multiple industries,” according to a report from Alexandria, Va.-based security firm Mandiant Corp. Mandiant’s findings, first reported in the New York Times, allege the Chinese hackers targeted wide-ranging sectors — many with operations in the United States — including information technology, military contractors, aerospace, chemical plants, telecommunications and scientific research. The Chinese government denies the reports.

The China hacking allegations came shortly after President Obama issued an executive order titled “Improving Critical Infrastructure Cybersecurity.” The order cites “repeated cyber intrusions” into critical infrastructure as the reason to improve cybersecurity information sharing with the operators of that infrastructure and to develop a voluntary framework of risk-based standards for them to adopt. Following the Chinese hacking allegations, the Obama administration also announced new efforts to protect against theft of U.S. intellectual property.

But is the executive order enough to protect U.S. interests? Part of the reason the order was necessary is that several attempts in recent years to pass a sweeping piece of cybersecurity legislation have failed. Past U.S. cybersecurity bills have been thwarted by privacy groups and those representing businesses — including the very vocal U.S. Chamber of Commerce, which argued the bills would put undue costs and regulations on industry.

Both the privacy and bottom line-related arguments could be perilous in the face of the Chinese hacking allegations, as well as other recent high-profile hacks of Apple, Facebook and the New York Times itself. It’s just common sense that hackers are usually seeking trade secrets, business information and personally identifiable information. This is all information that would ultimately degrade online privacy and business interests for those organizations and individuals that are being hacked.

If businesses and privacy groups don’t realize the need for U.S. cybersecurity after recent attacks against the country’s interests, the entire nation will continue to face these threats. As hackers and their targets get more sophisticated, a comprehensive, cooperative approach to the nation’s cybersecurity will be necessary. Of course, privacy and costs will have to be considered when developing the rules. But until at least some cybersecurity rules are outlined, online security for all Americans remains vulnerable.
