
CA Community

December 2008 - Posts

No More BlackBerry for Obama?

Published: December 30 2008, 10:30 AM | no comments
by Reed Irvin




We heard a great deal during and after the campaign about President-elect Obama's constant use of a BlackBerry to stay in touch with staffers and others. It is understandable that those responsible for managing electronically stored information (ESI) at the White House would do their best to dissuade the President-elect from using it, and his personal safety is a concern as well: a handset has to keep registering with nearby cell towers to stay on the mobile network, and that signalling can be used to track the device's, and so its owner's, whereabouts. That is enough of a risk by itself.

But from an Information Governance perspective it takes on a whole new meaning. If anyone who knows anything about unstructured content and records management has his way, that BlackBerry will be turned off for the next four or eight years. Under the Presidential Records Act of 1978, the records of the President become the property of the government, and in the world of ESI that includes BlackBerry messages, text messages, instant messages (IMs) and anything else used in the administration. Much like the Palin controversy, Information Governance will affect communications for government and political officials, simply because the public has a right to know. And because those records must be preserved, they are discoverable, and a liability, if a subpoena ever arrives.

So President-elect Obama's people will probably take the easiest way out: no more BlackBerry for the Chief Executive.

But what about executives and other officers in companies that are governed by rules and regulations concerning Information Governance? Nobody is going to tell them they cannot use these devices. That is where the real challenge comes in. How do you capture and track all of these messages recording who made what decision? All of it will need to be "discoverable" in the event of litigation. Corporate Records Managers, IT Managers and Compliance Managers should all take heed of this issue. It is not going away.


*BlackBerry image courtesy of Marvin Kuo.


By: Reed Irvin
Reed Irvin is VP of product management for Information Governance at CA, responsible for CA’s records management and discovery solutions. Reed has nearly 20 years of experience in various aspects of records management and information governance. He founded On-Line Records Storage, one of the first commercial...

Looking back at 2008 in Information Governance

Published: December 30 2008, 03:30 AM | no comments
by Galina Datskovsky


As we approach the end of the year I would like to pause and reflect on some of the key events. It has certainly been a difficult year. We had a contentious election, perhaps the most drawn-out one in recent history. We witnessed a financial meltdown, fueled by the greed of everyone, from homeowners to the big financial institutions. We have seen large institutions such as Lehman Brothers disappear. Most recently we have seen incredible greed, corruption and lack of moral values from some of the most "respected" men in the finance world, such as Bernard Madoff.

Looking back on this year, what are the lessons learned?



  1. There will always be greed and corruption, and therefore regulation is good and appropriate.
  2. Unregulated vehicles are risky and should be shunned.
  3. Governance overall, Information Governance and eDiscovery will be even more important in the new world of business.
  4. We will come out of this stronger, safer and with a better regulatory structure.
  5. If something is too good to be true it probably isn't.
  6. Making a quick buck can be risky and one should take responsibility for one's risky decisions.
  7. A lesson learned from the big 3 automakers: build product that people want and your business will be much safer.
  8. And finally, litigation attorneys will have a great 2009: a great year for the eDiscovery marketplace.




Here at CA, we're looking forward to 2009 and to many ongoing opportunities to help our customers improve reliability and stability through better governance.

By: Galina Datskovsky
Dr. Galina Datskovsky, Ph.D., CRM, is senior vice president and general manager of the Information Governance business unit within the Governance group at CA, responsible for the CA Message Manager and CA Records Manager product lines. She is also recognized as a Distinguished Engineer at CA, and joined...

A COBIT Resurgence

Published: December 29 2008, 06:30 AM | no comments
by Christopher Daugherty


COBIT® is a tried and true IT framework. It is very useful for IT practitioners as well as for individuals who work with IT on controls and compliance. COBIT has existed since 1996 but has recently undergone a resurgence, the major catalyst being the Sarbanes-Oxley Act (SOX). SOX led companies to adopt recognized frameworks such as COSO for business controls and COBIT for IT controls. The following is a timeline for COBIT:



  • COBIT - first published in 1996
  • Version 3.0 - released in 2000
  • Version 4.0 - November 2005
  • Version 4.1 - May 2007
  • Control Practices 4.1 - May 2007
  • IT Assurance Guide - May 2007






I am fortunate to interact with many companies in different areas such as IT, finance, internal audit, and other groups focused on compliance and risk management. I am constantly asked what the value of COBIT is. I believe there are many uses of COBIT and ways to leverage it, depending on the individual, their job function, and ultimate objectives. As a general principle, I encourage organizations to leverage COBIT, ITIL, ISO, and other frameworks in the following manner:



  • Recognized set of standards and principles for IT control practices
  • Benchmark for common IT procedures and processes
  • General guidance on what and how IT can function
  • Helps to 'translate' control objectives into management actions
  • Guidance on IT value propositions and risk drivers






Users of COBIT and other frameworks must understand that these principles are not intended as a one-size-fits-all guide to IT. COBIT is independent of industry, size, complexity and technology. It contains a wealth of information on how to establish, maintain and improve IT practices to better support the business. It is a recognized "framework" for groups to adopt and leverage to enhance overall IT services and the controls and metrics supporting those services.

Like others, I support the adoption of frameworks such as COBIT with some degree of caution. Professionals must understand how to apply these strategies to their own environment. I always stress that users must understand the business context of IT with a focus on risk. Lastly, the value of these kinds of frameworks is best determined by each individual organization. We recommend signing up as a user at www.isaca.org to obtain the COBIT documents and evaluate when, where, and how to apply the framework to your organization.

More information on COBIT is available on the ISACA web site and on this resource page.

Do you have experience with COBIT? What have you found to be its greatest benefits? Are you seeing more companies leveraging frameworks like COBIT throughout the enterprise? Do you think there's been a resurgence?

By: Christopher Daugherty
Christopher Daugherty has over 14 years of consulting experience focused on technical assessments, ERP implementations, IT infrastructure management, IT governance, and information security. Today he is a Sr. Architect with CA, where he works with Fortune 500 companies to develop solutions involving...

Adding More Governance to Your Email Archive

Published: December 29 2008, 03:34 AM | no comments
by Chris Palmer




There's now no doubt that email archives need more governance:

  • The extent and frequency of discovery orders and regulatory audits, for which email is always a primary target, is growing all the time, with increasingly damaging effect in the event of failure.
  • Those who installed email archives some years ago are now faced with the spectre of them being nearly full, creating a yet more challenging situation than the one they faced when they first installed them (particularly if they chose one that uses proprietary storage or compression formats, preventing easy migration!).

A prominent legal expert said in a seminar I attended recently that "the intelligent organisation (don't you just love how pejorative lawyers can make their statements!) keeps only two types of information: that required for legal, regulatory and accounting purposes; and that required for operational purposes. Everything else is a waste of storage and a potential smoking gun."








Email archives are fine for storing operational information for operational periods (commonly two to three years), but they do not address the fundamental issue of the business value of the information: what should be kept for regulatory or audit purposes, what should be kept for operational reasons, and what should be disposed of almost immediately as spurious, such as non-business-related emails and file attachments.

Records management delivers the required governance. The principles and processes it brings, in delivering policy, allow the business value of information to be objectively assigned and everything that follows from that (retention schedule, security, resilience, recoverability) to be applied.







So what is really needed is an email archive that has all the tools and high-level policies to resolve IT's burning issues of storage, backup and DR, and to give users extended access to email (both in overall volume and in longevity), but that also integrates with a records management system able to manage the retention of business-critical and operational information to the required degree for both regulatory and storage purposes, by assigning the business value of that information.
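As an added example, not part of the original post and not CA's product code, the following Python sketch shows the mechanics behind that integration: each message is assigned a business value (record class), the retention schedule for that class decides when it may be disposed of, and a legal hold on the message or on its matter always blocks disposal. The retention periods, keyword rules, sample mailbox and hold list are all constructed assumptions, not a real schedule.

```python
"""Retention scheduling with a legal-hold override for an archived mailbox.

Added example, not CA's product code.  The retention classes, keyword rules
and sample messages below are constructed for illustration; a real schedule
comes from the organisation's records policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Set, Tuple

# Assumed retention schedule: class -> (days to keep, event that starts the clock).
RETENTION_SCHEDULE = {
    "regulatory":   (7 * 365, "date_sent"),       # audit / financial records
    "operational":  (3 * 365, "date_sent"),       # ordinary business email
    "transient":    (0, "date_sent"),             # non-business: dispose immediately
    "legal_matter": (10 * 365, "matter_closed"),  # clock starts when the matter closes
}

AS_OF = date(2009, 1, 1)   # date of the sweep in the worked run below


@dataclass
class Message:
    msg_id: str
    sender: str
    subject: str
    sent: date
    matter_id: Optional[str] = None   # set when the mail belongs to a legal matter


def classify(msg: Message) -> str:
    """Assign the business value (record class) of a message; first match wins.
    Keyword rules are an assumption: production systems also classify from
    sender domain, DLP tags or user-applied record categories."""
    subj = msg.subject.lower()
    if msg.matter_id:
        return "legal_matter"
    if any(k in subj for k in ("invoice", "audit", "contract", "sox")):
        return "regulatory"
    if msg.sender.endswith("@newsletter.example") or "out of office" in subj:
        return "transient"
    return "operational"


def disposition_date(msg: Message, record_class: str,
                     matter_closed: Optional[date]) -> Optional[date]:
    """Earliest date the message may be destroyed, or None if the retention
    clock has not started (an event-based class whose trigger has not fired)."""
    days, trigger = RETENTION_SCHEDULE[record_class]
    if trigger == "matter_closed":
        if matter_closed is None:
            return None
        return matter_closed + timedelta(days=days)
    return msg.sent + timedelta(days=days)


def eligible_for_disposal(msg: Message, today: date, holds: Set[str],
                          closed_matters: Dict[str, date]) -> bool:
    """A legal hold on the message or its matter always wins over the schedule:
    destroying a held record is exactly the liability the text warns about."""
    if msg.msg_id in holds or (msg.matter_id and msg.matter_id in holds):
        return False
    due = disposition_date(msg, classify(msg), closed_matters.get(msg.matter_id))
    return due is not None and due <= today


def sample_messages():
    """Constructed mailbox contents."""
    return [
        Message("msg-1", "ap@corp.example", "Invoice 4471 approved", date(2004, 1, 15)),
        Message("msg-2", "bob@corp.example", "Lunch on Thursday?", date(2005, 3, 1)),
        Message("msg-3", "deals@newsletter.example", "Holiday sale", date(2008, 12, 20)),
        Message("msg-4", "counsel@corp.example", "Re: discovery request",
                date(2005, 3, 1), matter_id="M-2008-17"),
        Message("msg-5", "bob@corp.example", "Re: server maintenance window",
                date(2004, 6, 1)),
    ]


def run_sweep(today: date = AS_OF, holds: Optional[Set[str]] = None,
              closed_matters: Optional[Dict[str, date]] = None) -> Dict[str, Tuple[str, bool]]:
    """Return {msg_id: (record class, may be disposed of today)} for the sample mailbox."""
    holds = {"M-2008-17", "msg-5"} if holds is None else holds   # constructed holds
    closed_matters = {} if closed_matters is None else closed_matters
    return {m.msg_id: (classify(m), eligible_for_disposal(m, today, holds, closed_matters))
            for m in sample_messages()}


if __name__ == "__main__":
    for msg_id, (cls, ok) in run_sweep().items():
        print(f"{msg_id}: {cls:12s} dispose={ok}")
```

Two details matter in practice: an event-based class (the legal matter) has no disposition date until its trigger event has occurred, so the sweep never deletes it by mistake, and the hold check runs before the schedule is consulted, so an overdue message under hold is still retained.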







Of course, the two systems should work in a federated fashion, with other information repositories, so that other formats of related information (both physical and electronic) are equally well managed and exploit existing repositories, continuing to use the applications and infrastructure in which the organisation has invested and with which users are familiar.



By: Chris Palmer
Chris is a principal consultant with CA, having joined the company on the acquisition of MDY, in June 2006. He previously guided organizations in a wide variety of Financial Services industries to improve the effectiveness and efficiency of business and Knowledge Management initiatives, including records...

US Federal IT Security Mandates Broadly Accepted

Published: December 23 2008, 07:00 AM | 2 Comment(s)
by Allan Gajadhar


Like many other large organizations, the US Federal government captures an enormous amount of data. What is perhaps unique to the federal government is the scope and sensitivity of that data. For example, the Social Security Administration holds the master record for every person with a social security number, including contributions and payments, along with a large amount of other personally identifiable information.

Additionally, the Department of Veterans Affairs (VA) and the Department of Defense (DoD) hold sensitive information about current and former service men and women, and that does not even include the actual military data about America's and other countries' military capabilities.

In addition, the Centers for Medicare and Medicaid Services (CMS) process and pay claims for every Medicare and Medicaid recipient in the country, managing the personal health records of tens of millions of Americans.

Obviously, the government has a very large security issue on its hands, one that literally impacts the health, safety and protection of everyone in the country. With the proliferation of security vulnerabilities in our information infrastructure, attacks by hackers and data breaches have become increasingly common. Indeed, in some cases, cyber attacks have been waged by hostile entities against military command and control infrastructure, DoD computers, congressional systems, etc.

With this in mind, one would expect a fairly robust, standard set of requirements for managing IT security, and that is indeed the case. The Federal Information Security Management Act (FISMA) mandates a step-by-step process for assessing the risk to information systems and applying a standard set of security controls selected according to that risk. The core document defining those controls is NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems (NIST is the National Institute of Standards and Technology, better known for standardizing weights and measures, among other things).

SP 800-53 is part of NIST's 800 series of publications on computer security. Other NIST documents are also mandated under FISMA, including SP 800-30 (risk management) and the Federal Information Processing Standards FIPS 199 (security categorization) and FIPS 200 (minimum security requirements), which are standards in their own right rather than members of the 800 series.

These guidelines provide a step-by-step set of procedures to follow and are designed to protect systems and the information they house. Beyond the US Federal government, SP 800-53 and the related guidance have also been adopted by large commercial organizations. The reasons vary, but include the requirement that insurance companies processing Medicare claims follow federal guidelines, which means those companies also follow CMS security mandates. A number of state and local governments have likewise adopted the federal guidelines as a best practice, on the view that NIST has defined best practice for the public sector.
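The first step of that step-by-step process is the FIPS 199 security categorization, whose result selects the SP 800-53 baseline under FIPS 200. The following Python code is an added example, not NIST's or CA's, that applies the high-water-mark rule to a constructed set of information types; the systems, information types and impact values are assumptions chosen to show the edge case of a system that holds only public information.

```python
"""FIPS 199 security categorization and SP 800-53 baseline selection.

Added example, not NIST's or CA's code.  It applies the high-water-mark
rule from FIPS 199 and FIPS 200 to constructed information types; the
systems, information types and impact values are assumptions for illustration.
"""
from typing import Dict, List, Tuple

LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")

InfoType = Tuple[str, Dict[str, str]]   # (name, {objective: impact level})


def validate(info_types: List[InfoType]) -> None:
    """FIPS 199 allows NOT APPLICABLE only for the confidentiality of an
    information type (public information); integrity and availability
    always carry at least LOW."""
    for name, levels in info_types:
        for obj in OBJECTIVES:
            if levels.get(obj) not in LEVELS:
                raise ValueError(f"{name}: missing or unknown {obj} impact")
            if obj != "confidentiality" and levels[obj] == "NA":
                raise ValueError(f"{name}: {obj} cannot be NOT APPLICABLE")


def categorize_system(info_types: List[InfoType]) -> Dict[str, str]:
    """Security category of a system: for each objective, the highest impact
    among the information types it processes.  A system's impact for any
    objective is never below LOW, so a system holding only public data still
    gets confidentiality LOW rather than NOT APPLICABLE."""
    validate(info_types)
    category = {}
    for obj in OBJECTIVES:
        highest = max(LEVELS[levels[obj]] for _, levels in info_types)
        category[obj] = NAMES[max(highest, LEVELS["LOW"])]
    return category


def baseline(category: Dict[str, str]) -> str:
    """FIPS 200 overall impact level: the high-water mark across the three
    objectives.  That level selects the SP 800-53 LOW, MODERATE or HIGH
    control baseline, which is then tailored to the system."""
    return NAMES[max(LEVELS[v] for v in category.values())]


# Constructed example: a public web server that also takes a contact form.
PUBLIC_WEB_SERVER = [
    ("press releases",   {"confidentiality": "NA",       "integrity": "MODERATE", "availability": "LOW"}),
    ("contact-form PII", {"confidentiality": "MODERATE", "integrity": "LOW",      "availability": "LOW"}),
]

# Constructed example: a mirror that serves only public documents.
PUBLIC_MIRROR = [
    ("public documents", {"confidentiality": "NA", "integrity": "LOW", "availability": "LOW"}),
]


if __name__ == "__main__":
    for label, system in (("web server", PUBLIC_WEB_SERVER), ("mirror", PUBLIC_MIRROR)):
        cat = categorize_system(system)
        print(label, cat, "->", baseline(cat), "baseline")
```

The two-stage maximum matters: the per-objective maximum across information types gives the security category that drives control selection within each objective, and only then does the overall high-water mark pick the baseline, so a web server with MODERATE integrity on one type and MODERATE confidentiality on another lands in the MODERATE baseline even though no single information type is MODERATE in both.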

In addition to the government and insurance companies, the Federal Reserve is also adopting a NIST-based framework.

All of these factors point to the security framework defined by NIST fast becoming a de facto industry standard, in the same way as COBIT and ISO 27002. That judgement rests on its widespread adoption beyond the Federal government and its contractors, where it is mandated, to other entities as well.

Ultimately, true governance requires entities to make their own decisions regarding identifying risks, securing their own infrastructure, and a governance framework to implement that addresses all the various regulations, mandates and policies that govern them. With the 800 series, NIST has provided these organizations with a well-designed, scripted approach to achieving a secure IT infrastructure in the context of a risk-based framework.

By: Allan Gajadhar
Allan Gajadhar is a specialist in governance, with over 15 years of technical management experience. Allan is currently Director of Technical Sales for GRC Manager, with responsibility for Governance solutions across multiple industries, with a particular focus on the Public Sector. Allan has significant...
