IT Compliance Advisor

February 18, 2009  9:37 PM

Windows compliance: Resources on data retention and data protection

GuyPardon Guy Pardon Profile: GuyPardon

As any CIO or compliance officer knows, compliance affects multiple parts of IT infrastructure and the organization as a whole. Strategy, security, storage, networking, records keeping and human resources are all part of the mix. As an editor at, that means I scan the RSS feeds of all of TechTarget’s sites for relevant content, along with those of other compliance news sites from around the Web. Starting today, I’ll be posting a roundup of the resources I think you’ll find useful at this blog.

Recent research into the buying habits of you, our readers, showed that half of our midmarket CIOs are running Windows shops. That information comes as no shock to anyone. Most of the world lives on a Windows desktop, despite the recent inroads made by Mac OS X and Linux. There’s no question that heterogeneous computing environments are a concern for many a sysadmin. That said, Windows compliance is the crucial topic of the day.

So here’s a question for you: Are there unique issues that arise out of Windows compliance?

I’m certain that the answer is “yes” but I’d like to hear more about what system administrators, CCOs and CIOs are experiencing in their everyday working lives. Let me know what you think in the comments or at

In the meantime, here’s that roundup:

If you’re looking for a comprehensive resource, try The Windows Manager’s Guide to IT Compliance e-book. Chapter 1, for instance, offers best practices on establishing an event log audit trail, maintaining the event log, encrypting email or files and keeping an inventory of stored data. You can also download each of the three chapters separately:

Rebecca Herold has been a prolific contributor on the topic of Windows compliance as well. She’s an adjunct professor for the Norwich University Master of Science in Information Assurance program and is well into writing her 11th book. Her articles can be found at, and, of course, at (You’ll note she’s in our blogroll, down to the right.)

Earlier this month, Herold explained how to keep Windows shops in compliance with data protection laws. Protecting personally identifiable information is a key aspect of compliance in 2009, given new regulations coming down the (Mass) pike. Even if the Massachusetts data protection and encryption law deadline has been extended, it needs to be on your radar.

In past articles, Herold has also explored how to meet data retention compliance in a Windows environment. In her view, Windows managers must take an active role in learning data retention policies and creating procedures to support them.

Similarly, in her tip on meeting compliance requirements in a SharePoint Server environment, Rebecca suggests that before deploying SharePoint Server, IT managers should examine the compliance implications of using the collaboration tool in their Windows environment .

Herold also has written about how the service desk can help Windows shops meet SOX compliance objectives by using IT governance frameworks like COBIT and Microsoft Operations Framework.

Finally, if you’re still procrastinating on completing your IT compliance documentation, do it now.

Reblog this post [with Zemanta]

February 16, 2009  7:18 PM

Lowering the data leakage risk of USB storage

GuyPardon Guy Pardon Profile: GuyPardon

This is a guest post by John Rostern, Jefferson Wells’ Eastern Region Practice Leader for Technology Risk Management. His last post explained why regulatory compliance doesn’t always bring information security.

The ubiquitous nature and growing capacity of computer-removable media — USB hard drives, thumb drives and similar devices — puts the confidentiality, integrity and availability of corporate information at risk. Many organizations still do not include USB storage in their information security policies, and few security managers actively monitor or prevent their use by employees. Organizations need a security strategy that is both flexible and adaptable to deal with the evolving capabilities of these removable media devices.

Regulatory compliance has served to highlight the need to address the security issues created by the increased use of computer-removable media. The focus on risks related to “information leakage” through USB drives of all sorts is heightened by regulations and industry information security initiatives, such as the Payment Card Industry Data Security Standard for credit card companies and merchants.

In the United States, laws such as the Gramm-Leach-Bliley Act for financial companies and the Health Insurance Portability and Accountability Act for healthcare providers and insurers are putting pressure on companies to safeguard personal information stored on computers — or face penalties for security failures.

Members of the European Union (EU) and companies doing business there are further regulated by increasingly stringent privacy laws.  The 1995 EU data protection directive provides regulatory guidance for the processing and transfer of personal information within and outside the EU.

Managing the risk presented by removable media has proven to be difficult for both security professionals and end users because the same features that contribute to the popularity of these devices create a complex security problem. The easy compatibility, small size and high capacity of these USB storage devices require both technical and procedural solutions.

In my experience dealing with clients of all sizes there seems to be a prevalence of point solutions.  Tactical solutions such as disabling or locking down the USB ports may provide a marginal improvement in security, but they do not address monitoring in situations where USB access is required by the business.  Tools that facilitate the management and reporting of such usage, when aligned with an overall policy regarding the acceptable use of removable media, provide the most effective basis for managing this risk.

Organizations should ensure that their overall security architecture includes a combination of technical and procedural countermeasures covering areas such as employee awareness, encryption and device hardening. The countermeasures developed to mitigate specific risks should be factored into both the risk assessment and the ongoing audit plan for the function. Tests to validate the existence and operational effectiveness of these countermeasures should be performed as part of scheduled audits. The results of such testing can positively or negatively affect the risk rating of a functional area.

This post is by John Rostern, Jefferson Wells’ Eastern Region Practice Leader for Technology Risk Management.
John Rostern is Jefferson Wells’ Eastern Region Practice Leader for Technology Risk Management. He has more than 27 years of diverse experience in information systems management, architecture, application development, technology, audit and information security.

Editor’s Note: The following four tips and articles offer additional advice and perspective on the risks of USB storage and methods to mitigate exposure.

February 12, 2009  3:38 PM

A-Rod’s steroid strikeout a lesson in e-discovery, preserving evidence

GuyPardon Guy Pardon Profile: GuyPardon

This is a guest post from Barclay T. Blair, author of Information Nation and head of the information governance practice at Forensics Consulting Solutions LLC.

“The fact of the matter is that this would all have been prevented if they had just called and said, ‘Destroy the tests,’” said a baseball official, who spoke on the condition of anonymity because he was discussing drug-testing information. “All they had to do was make a call,” said the official. “There was nothing more complicated than that.”
Rodriguez Is Revealed, but What About Everybody Else?,” Michael S. Schmidt, Feb. 10, The New York Times

What do professional baseball and e-discovery have in common? A perfect setup for a joke — and for this story. But I’ll focus on crafting the story and leave the punch line to you (take your best shot in the comments).

In any case, these worlds came together in a fascinating way this week when Alex Rodriguez (a New York Yankee and the highest-paid player in baseball) admitted that he took performance-enhancing drugs in earlier seasons. Embedded below is A-Rod’s admission of use in an interview with Peter Gammons.

His admission followed a recent report in Sports Illustrated by Selena Robers and David Epstein, “Sources tell SI Alex Rodriguez tested positive for steroids in 2003.”

Stories involving baseball and steroids are nothing new, but this one is of interest to those working in information governance. It illuminates a critical question:

When are we legally required to preserve business information that we would normally destroy?

In this case, routine drug tests were administered by the baseball players’ union. Following the tests, in accordance with the union’s collective bargaining agreement with Major League Baseball, the test records would normally be destroyed. However, in this case the confidential test results were apparently not destroyed on schedule, and in fact were still in existence months later when the federal government came knocking and seized them. This has led many commentators to ask why the test results were not destroyed on schedule.

According to a statement by Donald M. Fehr, executive director of the players union, the test results were not destroyed because the federal government issued a grand jury subpoena about a week after the tests were conducted.

“The short answer is that in November, 2003, before that could take place, a grand jury subpoena for program records was issued.”
-Major League Baseball Players Association press release, Feb. 9

Some have suggested that the union should have been able to complete the destruction during the week between the test completion and the issuance of the subpoena. I don’t know anything about the internal procedures of the union, or what is entailed in the destruction process, so this may or may not be true.

The law supports Mr. Fehr’s point — that upon receiving a subpoena, the union could not destroy business records related to the subject of the subpoena, even if those records would ordinarily be destroyed in the ordinary course of business.

However, a more interesting hypothetical question is this: Should the union have preserved the test results anyway, even without the subpoena? This is a question that trips up many organizations, and one that everyone working in information governance should be able to answer. Although I can’t answer this question for the players union, we can look at what the rules are and how they affect you.

The law is pretty clear on the issue. We generally have a duty to preserve potential evidence even before something “official” happens, such as receiving a subpoena. See, for example, Convolve, Inc. v. Compaq Computer Corp., 223 F.R.D. 162, 175 (S.D.N.Y. 2004), which states, “The obligation to preserve evidence arises when the party has notice that the evidence is relevant to the litigation or when a party should have known that the evidence may be relevant to future litigation.”

In other words, the requirement to suspend the destruction of evidence when you “should have known” or can “reasonably anticipate” litigation potentially starts the clock on information preservation much earlier than it would if you waited for a subpoena, a court order, or some other external event.

Many organizations fail to understand this requirement, and have paid the price in fines, sanctions and unfavorable litigation outcomes.

The takeaway? Make sure that your legal hold processes have a clear process for “triggering” a legal hold notice that ensure that evidence is properly preserved. Also, make sure that process kicks off the preservation early enough in the litigation or investigation cycle. The penalties for failure in this area can be stiff.

Reblog this post [with Zemanta]

February 12, 2009  4:59 AM

LegalTech 2009: The intersection of e-discovery and information governance

GuyPardon Guy Pardon Profile: GuyPardon

This is a guest post from Barclay T. Blair, author of Information Nation and head of the information governance practice at Forensics Consulting Solutions LLC.

Last week I made the trek to New York to attend LegalTech — a big trade show and conference focused on technology for the legal community. I had never attended the show before, as I had always perceived it as a niche show that focused on an area of the market that wasn’t relevant to me, i.e., IT for law firms. However, this year at least, the themes of the show were much broader and directly relevant to everyone in the IT world. More specifically, a major theme of the show was the role that IT has in controlling the e-discovery monster.

For example, the keynote address was (quite cleverly, I thought) entitled, “You wanna go to court — get a lawyer; If you wanna avoid going to court — get a records manager.” The message was clear: The real problem in e-discovery is the way we manage (or mismanage) information on a day-to-day basis. If we (and by we, I mean everyone responsible for information, including IT) did a better job of managing information, then the pain and cost of having to sift through mountains of unnecessary, duplicative, outdated and unclassified information in the 11th hour during a bet-the-company lawsuit would be significantly reduced.

It’s a message that resonates with my clients, and a reason why so many organizations today are motivating IT and legal to work together to solve this problem.

Further evidence of e-discovery and information governance coming together at the show was found in Autonomy (an e-discovery software provider, among other things) announcing its acquisition of Interwoven (a content management vendor). The vision for this acquisition, as explained in a standing room-only luncheon presentation, was to provide software that helps companies with both ends of the problem. In other words, to manage information better on the business side so that when litigation hits, e-discovery is less costly and painful. It was a message repeated by other vendors across the show floor.

Another key theme that I observed at the show was the rising importance of tools that promise to automatically classify information — whether for information governance or e-discovery purposes. This has been emerging for several years but perhaps is starting to hit its stride. I think autoclassification technologies (about which I will write more later) will be an important part of the IT and information governance toolbox in the months and years to come, as we all look for ways to understand, use and manage our information assets better.

Barclay T. Blair is a consultant to Fortune 500 companies, software and hardware vendors and government institutions, and is an author, speaker and internationally recognized authority on a broad range of policy, compliance and management issues related to information governance and IT. Blair heads the information governance practice at Forensics Consulting Service LLC, and can be reached at or (403) 638-9302.

Reblog this post [with Zemanta]

February 10, 2009  4:08 PM

IT and legal up in a tree … d-i-s-s-i-n-g

Linda Tucci Linda Tucci Profile: Linda Tucci

Whatever their relationship in the past, IT and legal departments should probably be pretty tight these days given the expectation that financial regulations will intensify and litigation increase in the wake of the fraud, foreclosures, massive layoffs and other ills perpetrated by the greed of Wall Street financiers.

But a recent survey conducted by Osterman Research Inc. for Recommind Inc. suggests that the disconnect between IT and legal remains alarmingly entrenched. According to the survey, conducted in early January of 250 mostly IT enterprise employees, only 37% said IT and legal are working more closely together than a year before; 33% reported an “average” or “poor” working relationship between the departments.

While respondents generally held their legal departments responsible for policies concerning legal hold (73%), data retention (50%) and records management (47%), nearly three-quarters (72%) said that IT was expected to take the lead on all buying decisions. The disjunction no doubt will lead to many bad technology purchasing decisions, at a time when companies cannot afford to make mistakes.

Blind leading the blind

As the lawsuits come pouring in, expect more stumbles on e-discovery. The survey also showed that only 29% of IT respondents believe IT “truly understood” e-discovery technical requirements. A meager 12% expressed confidence in their legal teams’ understanding of the requirements. In any case, neither side is of much use when it comes to implementing e-discovery technology and initiatives: only 27% of respondents said IT is helpful in these projects; make that 12% for legal aid.

February 5, 2009  7:10 PM

IT budget available for regulatory compliance

mschlack Mark Schlack Profile: mschlack

Lip service or room service? Is IT going to get a real budget to put in and operate the systems needed for compliance with the Sarbanes-Oxley Act (SOX), HIPAA or whatever else is needed? Or will “economic downturn” be the magic spell that makes regulatory compliance go away? A recent survey of CIOs and other top IT managers by and suggests regulatory compliance management will not be a victim of recession.

Overall, 44% of respondents said compliance spending would remain the same this year as in 2008, and 41% said it would increase — including 13% who said it would increase by more than 10%. That’s much better than the overall IT budget picture — 37% said expenditures for compliance-related hardware, software and IT services would get a greater share of the budget.

Interestingly, it’s the industry-specific regulations that are most driving people, not SOX or Gramm-Leach-Bliley. As for what people are investing in, backup ranks first, followed by data protection/security tools and archiving. GRC software ranked sixth. I’ll be doing a more detailed article on in the next week or two, but the top line is that regulatory compliance management remains on the docket in most IT shops, adjusted for current realities.

February 3, 2009  3:12 PM

Corporate reporting: The next information governance frontier?

GuyPardon Guy Pardon Profile: GuyPardon

This is a guest post from Barclay T. Blair, author of Information Nation and head of the information governance practice at Forensics Consulting Solutions LLC.

“[S]unlight remains the best disinfectant for problems in our capital markets.”

– Christopher Cox, former chairman of the Securities and Exchange Commission (SEC), June 2008

Back before the failure of Lehman Brothers, the ouster of John Thain from a combined Bank of America/Merrill Lynch, and before a new president said we were “facing the greatest economic challenge of our lifetime,” the SEC began working on an initiative to improve public company “transparency by making disclosure information more accessible and easier to use.”

This 21st Century Disclosure Initiative published a report in January that proposes, among other things, requiring “tagging” of financial information so it is more interactive and useful, and moving away from a document-centric paradigm. The intent is to modernize the way that investors receive information about the companies in which they invest.

This initiative, which may or may not have legs under a new SEC commissioner, raises some interesting issues for information management and corporate governance.

It will be difficult for the SEC — or anyone else — to “shine some sunlight” onto the financial and governance practices of corporations until the corporations themselves take control of their information.

Most organizations today struggle to understand where all their information resides, what it is, how to get to it, or how long to keep it. Witness the astounding numbers and ugly battles (like the e-discovery dispute centered around the SEC’s delivery of 1.7 million documents involving the SEC) that routinely arise when organizations are asked to dig up digital information — especially email and office documents — in the context of electronic discovery.

The reality for most institutions is that the most valuable information resides in the least managed locations. How many companies still rely largely on spreadsheets and email to comply with the Sarbanes-Oxley Act?

If my practice is any gauge, most of them.

Regardless of what happens with the SEC’s initiative, most politicos seem to agree that we are heading into an era of increased regulation under the Obama administration. I would recommend that organizations try to get ahead of what’s coming by looking at their current information governance practices with an eye to improving internal transparency — before someone steps in to make them do it.

To this end, perhaps it is time to revisit document retention and management practices. Here are some questions to think about:

  • Are your valuable financial records being maintained in appropriate systems, or are there unmanaged copies in poorly controlled network drives and “drop boxes”?
  • What do your email practices look like? Is email retention controlled? Do your employees export email out of the email system into unmanaged locations?
  • How much important financial information (including the records that underpin financial information) resides in unmanaged, unsecured locations?
  • Are you using your backup tapes for archiving purposes? If so, do you understand the potential cost and risk should those tapes need to searched for SEC investigations or litigation?
Barclay T. Blair is a consultant to Fortune 500 companies, software and hardware vendors and government institutions, and is an author, speaker and internationally recognized authority on a broad range of policy, compliance and management issues related to information governance and IT. Blair heads the information governance practice at Forensics Consulting Service LLC, and can be reached at or (403) 638-9302.

February 2, 2009  7:41 PM

How will the Massachusetts Data Protection Law affect IT compliance?

GuyPardon Guy Pardon Profile: GuyPardon

The Massachusetts Office of Consumer Affairs and Business Regulation established a significant new regulations in 2008, 201 CMR 17.00: Standards for The Protection of Personal Information. The strict new data protection law was set to take effect on January 1, 2009.

After the shift in the nation’s macroeconomic climate and strong resistance by state business leaders, however, the deadline for compliance with the basic provisions of the law was extended to May 1, 2009.

I’ll be traveling to Waltham to try to livestream the state’s public hearings on the legislation. Assuming that no technical difficulties occur in our use of, you’ll be able to watch a webcast of the proceedings and ask question through the integrated chatroom. An archived version of the event will also be available for on-demand viewing.

We’re also preparing a podcast that will examines the new law from the perspective of a compliance software expert, a security expert and the Massachusetts Office of Consumer Affairs and Business Regulation MIS officer. You can expect the podcast to become available later this week.

Dr. John Halamka, CIO of CareGroup Health System and CIO/Dean for Technology at Harvard Medical School, provided some perspective on the relationship of the new MA data protection law to healthcare compliance on his blog.

UPDATE: Due to the expected 4-7″ of snow falling here in Massachusetts, the Greater Boston Network Users Group has cancelled today’s Q&A with David A. Murray, General Counsel and Gerry Young, CIO. Details are posted at the calendar at We’ll update you when the next hearing is scheduled.

Reblog this post [with Zemanta]

February 2, 2009  4:20 PM

Blogroll: IT Governance, Risk, and Compliance

GuyPardon Guy Pardon Profile: GuyPardon

Next up: Robert E. Davis, at IT Governance, Risk, and Compliance.

As a CISA, Davis has provided data security consulting and information systems auditing services to the Securities and Exchange Commission, the United States Enrichment Corporation, Raytheon Co., the Interstate Commerce Commission, Dow Jones & Co. and Fidelity/First Fidelity (Wachovia) corporations.

Davis joined ITKE recently and has focused initially on a series of blog posts that offer guidance on protecting critical data, noting how an information security governance framework can provide “essential information asset coverage.”

You can subscribe to IT Governance, Risk and Compliance here.

February 2, 2009  4:18 PM

Blogroll: Regulatory Compliance, Governance and Security

GuyPardon Guy Pardon Profile: GuyPardon

Just as the IT Compliance Advisor will introduce more bloggers as the weeks pass, we’ll also add more relevant blogs to our blogroll.

Today, we’ve added Regulatory Compliance, Governance and Security.

Recent posts include:

You can subscribe to Regulatory Compliance, Governance, and Security here.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: