CA Community

October 2008 - Posts

Economic Crisis Highlights Need for Information Governance

Published: October 31 2008, 06:10 AM | no comments
by Galina Datskovsky


The Charging Bull, the symbol of Wall Street. Photo by Flickr user David Prior. Creative Commons License.

The current economic crisis has all of us on edge. Every day we have the pleasure of watching our investments and 401(k)s ride the rollercoaster that is Wall Street. Professionally, we watch our employers tighten their belts and naturally ask ourselves what this means to us as Legal, Compliance, Records and IT professionals. It is appropriate for us to take action and do everything in our power to help our companies respond to this new, challenging environment. We want to ensure that our businesses are well prepared to weather this storm and are well positioned to gain momentum once the storm passes.

One natural consequence of any crisis like the one we are in today is an increase in oversight and likely the enactment of more regulations. This will translate to more complex records management requirements, retention policies and tighter governance. One may also expect more litigation and therefore more Discovery requests, making a consistent methodology for eDiscovery ever more essential. Regardless of who wins the election, more rules and regulations are inevitable. More government transparency and accountability is also likely. Especially if there is a change of control in the White House, look for many requests for discovery and many more FOIA requests.

What can you do as a professional responsible for Information Governance? You need to make sure your business has a solid information strategy to meet these demands. Here are some steps you can use to get started. First, it is critical to understand the compliance regulations that govern your business. These may include, but are not limited to, regulations, laws, industry standards (e.g. DoD 5015.2, ISO 15489) and organizational best practices.


  • Build a Team or Task Force to work on your policies and procedures. It should include not only your Compliance Officer and Records Manager but also IT and Corporate Counsel. Build and review Records policies for retention and disposition, as well as discovery procedures for all corporate knowledge (records and non-records). Understand privacy and need-to-know limits and FOIA impacts. Review your security infrastructure to secure information accordingly. For example, if you have sensitive documents, such as HR information in email, and the HR professional moves to another department, do you have a way to secure the sensitive information that may remain in his or her mailbox?
  • Identify IT challenges such as email disruptions, disaster recovery, backup procedures and eDiscovery/audit response.
  • Define your policies clearly and have a clear plan for phasing them in.
  • Educate your user community. Without education, policy is meaningless.
  • Continued education is key in all areas, including changing regulations and changing technology.
  • Establish a continuous improvement process. This should be a living document, always checked for changes in the law, business practices, etc.
  • Monitor and measure results; auditing is key. Make sure you have metrics to measure against.

With this outline you can get yourself ready to come out on top.

By: Galina Datskovsky
Dr. Galina Datskovsky, Ph.D., CRM, is senior vice president and general manager of the Information Governance business unit within the Governance group at CA, responsible for the CA Message Manager and CA Records Manager product lines. She is also recognized as a Distinguished Engineer at CA, and joined...

Video Blog: Discovery or eDiscovery?

Published: October 30 2008, 05:21 AM | no comments
by Pete Pepiton


Pete Pepiton discusses the difference between discovery and ediscovery.

By: Pete Pepiton
Pete Pepiton is the eDiscovery Solutions Director, inside the Information Governance group at CA. Pete has 15 years of experience in delivering professional services, both as a practicing attorney and the owner of several document management companies, helping large corporate clients address, process...

EuroSOX - Does it really exist?

Published: October 30 2008, 04:30 AM | 2 Comment(s)
by Yves Le Roux


Against a whole wave of financial scandals driven by fraudulent accounting practices that involved major US corporations such as Worldcom, Enron and Tyco, the US Senate and House of Representatives passed the Sarbanes-Oxley Act in 2002 to restore investor confidence and underwrite the integrity of financial information.

As a result, if you speak in the US about Corporate Governance, the answer will immediately be the Sarbanes-Oxley Act (SOX). Consequently, the tendency has been to categorize any piece of internal control legislation as SOX. As an example, Japan's Financial Instruments and Exchange Law has come to be widely known as J-SOX. Similarly, we're hearing all kinds of talk about something called "EuroSOX." In my opinion this is a misnomer, and I will try to explain why.

We Europeans started our quest for corporate transparency and accountability in 1998 in order to create a single financial market across the EU (European Union), four years ahead of SOX.

In order to put an end to the 'Tower of Babel' in financial reporting, improve competition and transparency and make the free movement of capital much easier, the EU decided in 2003 that all EU companies would have to prepare their consolidated accounts in accordance with International Accounting and Financial Reporting Standards (IAS and IFRS).

First, some terminology. "Subsidiarity" is a fundamental principle of EU law. According to this principle, the EU may only act and make laws where member states agree that the action of individual countries is insufficient. "Proportionality" is another fundamental principle of European law, which states that the EU may only act to the extent that is needed to achieve its objectives, and not further.

Consequently, it is impossible for the EU to generate overly prescriptive legislation such as SOX. The EU requires member states to achieve a particular result without dictating the means of achieving that result. This leaves member states with a certain amount of leeway as to the exact rules to be adopted.

SOX places the responsibility and accountability for the tracking of information that impacts financial performance very clearly upon the shoulders of the management teams of those businesses, with teeth that do bite: the CEO and CFO can be fined, go to prison for up to 20 years, or both.

France, although also adopting a legislative, rules-based approach, does not require an explicit statement from management or the board of its responsibility for the internal controls system.

Other jurisdictions focus on dividing responsibilities for establishing and maintaining the internal controls system between the board and the management of the company.

Many EU countries have opted for a comply-or-explain approach with varying degrees of strength. The comply-or-explain requirement generally obligates companies to comply with the provisions of a corporate governance code or else explain non-compliance.

As a consequence there are no pan-European requirements for specific internal controls, and as a result the "Euro" prefix should not be used.

Furthermore, the "SOX" suffix is not acceptable, as there are at least as many differences as similarities between Sarbanes-Oxley and the various European legislations on related topics.

"EuroSox" is a commonly used term. But it is misnamed and misused.


By: Yves Le Roux
Yves Le Roux boasts nearly four decades of experience in information and network security, standardization, compliance and risk. Currently, he is CA’s GRC expert in EMEA, based in France, where he works with customers to develop strategic GRC programs and solutions. Yves is an active member of several...

Proposed "Big Brother" Database Creating Uproar in the UK

Published: October 29 2008, 11:55 AM | no comments
by Chris Palmer


A model of the Government Communications Headquarters (GCHQ), where the planned database containing information on every email and phone call may be held.

Public debate over the UK Communications Data Bill has rightly centred on the issues of civil liberty vs. anti-terrorism and crime prevention, with the Outgoing Director of Public Prosecutions, Sir Ken Macdonald, stating in an Independent Opinion piece that:
"Technology gives the state enormous powers of access to knowledge and information about each of us, and the ability to collect and store it at will. Of course, modern technology is of critical importance to the struggle against serious crime. Used wisely, it can protect us."

but also that:
"We need to take very great care not to fall into a way of life in which freedom's back is broken by the relentless pressure of a security state."

However, this and other recent legislation, like the EU Data Retention Directive and MiFID (Markets in Financial Derivatives), do have serious implications for organisations, irrespective of these arguments: namely, that the volume of information to be retained and accessible for regulatory and other purposes is set to climb yet more sharply, as if it wasn't growing quickly enough already!

Presumably, personal information stored under any of these directives will also be subject to Data Protection and Privacy Rights, also enshrined in EU law, so it will be discoverable by the relevant individual, upon request, for payment of only a nominal fee, which in no way reflects the cost to the organisation of finding and presenting that information in a timely manner.

So the message is clear: Information, particularly where it relates to individuals, must be well organised, accessible, yet secure, and disposed of "as soon as reasonably practical" when no longer required.

Sounds like Information Governance will become very popular!


By: Chris Palmer
Chris is a principal consultant with CA, having joined the company on the acquisition of MDY, in June 2006. He previously guided organizations in a wide variety of Financial Services industries to improve the effectiveness and efficiency of business and Knowledge Management initiatives, including records...

More Security Problems at TSA

Published: October 29 2008, 11:22 AM | no comments
by Merritt Maxim

I have increasingly found certain US government web sites to be veritable treasure troves of timely, relevant content for identity and access management (IAM) and governance, risk and compliance (GRC) issues. The specific websites are those of the Offices of the Inspector General (OIG) for many federal government agencies.

The OIGs serve a very important function in the US government: they conduct internal investigations and audits to identify fraud, corruption or general mismanagement. Almost every major US federal agency has its own OIG. And while these offices are connected to the agencies that they audit, the OIG acts independently and has proven itself a useful weapon in fixing problems in the government. As my last blog noted, these OIG investigators author very thorough and sobering reports, which are increasingly becoming must-reads for me (as well as a good source of inspiration for blog content!).

My latest report comes from the OIG for the Department of Homeland Security and is based on an in-depth review of physical security procedures at an agency the traveling public is all too familiar with: the Transportation Security Administration (TSA).

The actual report is here:

http://www.dhs.gov/xoig/assets/mgmtrpts/OIGr_08-92_Sep08.pdf

This is the TSA official response to the OIG report...

http://www.tsa.gov/press/happenings/oig_badges.shtm

Some specifics from this report have been reported and leaked previously, but the report identifies some crucial process breakdowns around the de-provisioning of TSA identity cards and uniforms. TSA's physical access problems were compounded because TSA employees required badges issued by two entities: the TSA employee badge and a badge granting access to the secure areas of the airport (called a SIDA badge). The OIG's report clearly identified process breakdowns where ex-TSA employees still possessed valid SIDA badges and could thus theoretically access secure areas of the airport facility. In a check of 5 unnamed airports, the OIG found 1,188 missing badges covering a period of 3 years. And while these badges had all been de-activated by the time of the OIG audit, they were not in the TSA's or the airport's possession.

The report found similar gaps in the return of TSA uniforms: nearly 50% of ex-TSA employees at the 5 selected airports had never returned their uniforms!

This report should serve as a reminder for all organizations to review their internal processes for physical security.  And while IAM technologies often focus on creating and suspending virtual access to applications and systems, the risk and threats posed by a poor physical security process should never be overlooked.  In fact, identity management solutions like CA Identity Manager can just as easily provision/de-provision employee badges as they can provision/de-provision access to an ERP system.
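The control this post is asking organizations to review, reconciling HR separations against the badge and uniform records so that "still valid" and "never recovered" credentials for former employees surface on a schedule rather than in an audit years later, as an added Python example. It is not code from the OIG report, the TSA, or any CA product; the record layout, field names, the two badge kinds (the agency badge and the SIDA badge the post describes), the grace period and the sample data are all constructed for illustration.

```python
"""Offboarding reconciliation for physical credentials (added example, constructed data).

Assumes three exports, modelled here as dataclasses with invented field names:
an HR roster with separation dates, a badge register covering both badge kinds,
and a uniform issue log. The check reports, for separated employees:
  * badges that are still active in the access-control system (the critical case),
  * badges that were deactivated but never physically recovered,
  * uniforms never returned, plus the uniform return rate the OIG-style audit quotes.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Person:
    emp_id: str
    separated_on: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Badge:
    badge_id: str
    emp_id: str
    kind: str        # "TSA" (agency badge) or "SIDA" (airport secure-area badge)
    active: bool     # still valid in the access-control system
    recovered: bool  # physically returned to the issuing office


@dataclass(frozen=True)
class Uniform:
    item_id: str
    emp_id: str
    recovered: bool


def separated_employees(people: List[Person], as_of: date, grace_days: int) -> Dict[str, Person]:
    """Employees whose separation date is at least grace_days before as_of.

    The grace period (an assumption of this example) lets a same-week exit
    finish its normal return process before it is counted as a gap.
    """
    return {
        p.emp_id: p
        for p in people
        if p.separated_on is not None and (as_of - p.separated_on).days >= grace_days
    }


def find_offboarding_gaps(people: List[Person], badges: List[Badge], uniforms: List[Uniform],
                          as_of: date, grace_days: int = 0) -> Dict[str, object]:
    """Reconcile HR separations against badge and uniform records."""
    gone = separated_employees(people, as_of, grace_days)
    active_badges = sorted(b.badge_id for b in badges if b.emp_id in gone and b.active)
    unrecovered_badges = sorted(b.badge_id for b in badges if b.emp_id in gone and not b.recovered)
    unreturned_uniforms = sorted(u.item_id for u in uniforms if u.emp_id in gone and not u.recovered)
    issued = [u for u in uniforms if u.emp_id in gone]
    # Fraction of uniforms issued to separated employees that came back; None if nothing to measure.
    rate = (sum(1 for u in issued if u.recovered) / len(issued)) if issued else None
    return {
        "active_badges": active_badges,          # valid badge in an ex-employee's hands
        "unrecovered_badges": unrecovered_badges,  # deactivated, but the card is still out there
        "unreturned_uniforms": unreturned_uniforms,
        "uniform_return_rate": rate,
    }


# Constructed sample records (not real employees, badges or airports).
PEOPLE = [
    Person("E100", None),                # current employee
    Person("E101", date(2008, 3, 15)),   # left in March
    Person("E102", date(2008, 8, 1)),    # left in August
    Person("E103", date(2008, 9, 28)),   # left two days before the check
]
BADGES = [
    Badge("T-1", "E100", "TSA", True, False),
    Badge("S-1", "E100", "SIDA", True, False),
    Badge("T-2", "E101", "TSA", False, True),
    Badge("S-2", "E101", "SIDA", True, False),   # separated, SIDA badge still valid
    Badge("T-3", "E102", "TSA", False, False),   # deactivated but never recovered
    Badge("S-3", "E102", "SIDA", False, True),
    Badge("T-4", "E103", "TSA", True, False),    # inside the grace period
    Badge("S-4", "E103", "SIDA", True, False),
]
UNIFORMS = [
    Uniform("U-1", "E100", False),
    Uniform("U-2", "E101", False),
    Uniform("U-3", "E102", True),
    Uniform("U-4", "E103", False),
]

if __name__ == "__main__":
    for key, value in find_offboarding_gaps(PEOPLE, BADGES, UNIFORMS, date(2008, 9, 30), grace_days=7).items():
        print(f"{key}: {value}")
```

Run against the constructed data with a seven-day grace period, the check flags S-2 as the critical finding (a separated employee holding a still-valid secure-area badge), T-3 as deactivated-but-unrecovered, and a 50% uniform return rate; with no grace period the recent leaver's badges appear too. The active-badge list is the one to route to the access-control team the same day; the unrecovered list is the audit trail the post says the airports could not produce.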

For those attending CA World next month, there will be a session that will talk about these same physical security issues and how CA technology is being utilized to address the problem.


By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...