
CA Community

June 2009 - Posts

Governing the Government

Published: June 30 2009, 10:43 AM | no comments
by Chris Palmer


The furor over the expenses claimed by Members of Parliament in England continues to rumble with several more resignations and the news that the police are to investigate a number of Members for possible fraud.

The original leaked information that ignited the issue was obtained (possibly illegally) by a well respected newspaper, which was bad enough for the reputation of the Houses of Parliament. But now, under the veil of the government's own long-planned attempt to be more open, those very expenses have been published officially, but in heavily redacted form!

Unfortunately for the government and the reputation of MPs, this has only served to highlight how censored the 'official' records prove to be, with not just names and addresses removed (an understandable safety precaution) but whole swathes of detail about what was claimed redacted out by black over-printing.

Before the government released their version of the expenses, there were numerous revelations made by the Daily Telegraph of claims for mortgage payments (on properties that were in fact already fully paid for), dog food, toilet seats and even, in the case of one senior Conservative member, moat cleaning. Yes, he lived in a house with a moat around it! These claims have greatly infuriated the British public and, of course, seeing those same claims released by the government with the damning information blacked out has only added fuel to the flames.

What is the underlying lesson here?

Even if your organization keeps good records, keeps them really well, and has the resources and facilities to redact information released under a Freedom of Information request, your redaction policy and the way it is applied need to be realistic and acceptable to the regulating body, in this case the British public, who are as near to revolution as the British will ever get!

By: Chris Palmer
Chris is a principal consultant with CA, having joined the company on the acquisition of MDY, in June 2006. He previously guided organizations in a wide variety of Financial Services industries to improve the effectiveness and efficiency of business and Knowledge Management initiatives, including records...

What Part of DLP Should I Implement First?

Published: June 29 2009, 12:18 PM | no comments
by David Miller

Data Loss Prevention (DLP) solutions secure a company’s sensitive data and critical digital assets on endpoints (desktops and laptops), the network, message servers, and even stored data.  Comprehensive DLP solutions create a dilemma for organizations: what aspect of data loss do they address first?  This query may seem commonplace.  But because DLP identifies and controls highly sensitive data across the enterprise, this question is very important. 

As expected, the answer depends on various characteristics and goals of the firm asking the question.  A few considerations: 

  • Do you know of data that you must protect now?  If you need to protect something specific – such as product design documents, proprietary models, or your customers’ personal information – you may decide to start using DLP to control the use or transmission of that particular data.
  • Then, which type of use must you control?  There is email, Web, IM, FTP, moving data to removable media, printing data, and many other methods available to your end users that can result in data misuse and leakage.  To understand what to protect, you need to evaluate these against existing procedures.  If you’ve locked down USB ports, then perhaps you should first protect network-based transmissions or emails at the message server.  If the use of removable media is permissible, consider protecting against saving your high-risk data to them.
  • Do you have high-risk users?  These can be executives with insider information, engineers with next-generation product designs, and even outsourced employees.  If so, consider using your DLP solution to focus on controlling their activity first, or at least differently than for other users. 
  • Do you need to discover your data risks?  If so, that’s ok – and you’re not alone.  Here, DLP should be used to identify and discover sensitive data across the enterprise.  You must determine what systems to scan – content repositories (such as Microsoft SharePoint), network folders, and/or end-user desktops.  This can depend on how your end-users collaborate. 
  • How will you support your DLP system?  If you will control use and transmission straight away, be prepared to handle the activity the system will detect.  This calls for the highest levels of detection accuracy so that your security and compliance resources will be used efficiently. 

Keep in mind – a DLP solution must be able to accommodate expansion beyond your initial deployment. 
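As an added illustration, not code from this post or from CA's DLP product, the following Python script shows the discovery step described in the fourth bullet above: it scans a constructed set of locations (a SharePoint list, a network share, an end-user desktop and a public document) for payment card numbers, US Social Security number patterns and a confidentiality marking, and reports where each kind of data lives so the riskiest system can be controlled first. It also shows the accuracy point from the last bullet: a Luhn check drops digit strings that merely look like card numbers, so analysts are not handed false positives. All file paths, rule names and document contents are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Discovery rules: a regex per data type, plus a validator where one exists.
# These rules and the sample repository below are constructed for this example.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")      # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")           # US SSN layout
KEYWORD_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)


def luhn_valid(candidate: str) -> bool:
    """Luhn check: rejects digit strings that merely look like card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(candidate: str) -> str:
    """Keep only the last four digits so the report itself does not leak the value."""
    digits = "".join(c for c in candidate if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    location: str   # where the data was found (repository URL, share path, desktop)
    rule: str       # which rule fired
    evidence: str   # masked match, safe to show an analyst


def scan_text(location: str, text: str) -> list[Finding]:
    """Run every rule over one document and return the validated hits."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group()):                      # accuracy: drop Luhn failures
            findings.append(Finding(location, "payment-card", mask(m.group())))
    for m in SSN_RE.finditer(text):
        findings.append(Finding(location, "ssn", mask(m.group())))
    for m in KEYWORD_RE.finditer(text):
        findings.append(Finding(location, "confidential-marking", m.group()))
    return findings


def discover(repository: dict[str, str]) -> list[Finding]:
    """Scan a mapping of location -> content, e.g. the result of crawling
    SharePoint, network folders and end-user desktops."""
    findings = []
    for location, text in repository.items():
        findings.extend(scan_text(location, text))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per location so the riskiest systems can be controlled first."""
    counts = {}
    for f in findings:
        counts[f.location] = counts.get(f.location, 0) + 1
    return counts


# Constructed sample repository: one SharePoint list, one network share, one desktop
# and one public document. The second card number fails Luhn and must not be reported.
SAMPLE_REPOSITORY = {
    "sharepoint://finance/customer-refunds.txt":
        "Refund to card 4111 1111 1111 1111 approved; card 1234-5678-9012-3456 rejected.",
    "//fileserver/eng/next-gen-design.doc":
        "CONFIDENTIAL: next generation product design notes.",
    "C:/Users/alice/Desktop/notes.txt":
        "Onboarding form lists SSN 123-45-6789; check with HR.",
    "sharepoint://marketing/press-release.txt":
        "Public press release draft, no sensitive content.",
}

if __name__ == "__main__":
    results = discover(SAMPLE_REPOSITORY)
    for f in results:
        print(f"{f.location}: {f.rule} ({f.evidence})")
    print(summarize(results))
```

The per-location summary is what answers the post's question of where to start: a location with many validated findings is the first candidate for use and transmission controls, while a location with none can wait for a later phase.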

How have you approached your DLP deployment?

By: David Miller
David Miller leverages over 15 years of experience in product management and marketing for compliance, security, and CRM enterprise software solutions to understand customer needs and promote security awareness. For CA, David manages the product marketing efforts for the CA DLP (Data Loss Prevention...

E-Discovery Forecast: Cloud-y with a chance of fog?

Published: June 29 2009, 08:25 AM | no comments
by Greg Clark


I read a posting on the ARMA website (E-Discovery in the Cloud = Fog?) last week that discussed some of the challenges eDiscovery in the cloud presents and found it very timely given some recent announcements in the email archiving market. We all understand the benefits of services in the cloud: they are highly accessible, inexpensive (since you don't need to shell out for servers and software), low or no maintenance, and capital expenditures remain in check.

The article raises interesting questions when this paradigm is applied to the delivery of electronic discovery services. For example:

  • What formats are available for production?
  • How are litigation holds established, enforced, and audited?
  • How is privileged information protected from unauthorized disclosure?
  • Who owns the risk for ESI spoliation if something is accidentally deleted or purged from a server out in the cloud?
  • If the service provider's search capabilities are not sufficient, will other third-party tools be capable of accessing the data in the cloud?
  • Can data stored on physical servers in a foreign country lead to jurisdictional issues? If so, can this hinder or limit your ability to produce information across borders?

The benefits of cloud computing are clear and they are not going away. But one should not blindly go into the cloud without asking how access, preservation and production, along with chain of custody, are established, tracked and controlled in these solutions. Oh, and if something unexpected does happen, what are the terms of service?

By: Greg Clark
Greg Clark is a Senior Principal Product Manager for Information Governance at CA, Inc. Greg has worked for the last 10 years in various roles within marketing and product management in both Enterprise Content Management and the Information Governance space. Since joining CA in 2007, Greg has been responsible...

KRIs and KPIs: The Alphabet Soup Approach to Risk Management

Published: June 29 2009, 05:15 AM | 2 Comment(s)
by Sumner Blount


Measuring the level of risk in any organization is hard... very hard. One metric that is often used is the Key Risk Indicator (KRI). These are numbers that are simple, hopefully easy to capture, and are used to indicate a certain level of risk to the organization. But what does it actually mean if a KRI starts to increase, and how is the relationship between a KRI and the overall financial health of the organization established?

I think a useful approach is to view a KRI as a leading indicator of an area of risk to business performance. In effect, a KRI can predict downstream impacts on the business. Some examples of KRIs might be the:

  • turnover rate of key IT admins,
  • number of system configuration changes over time, and
  • availability level of key IT services.

But, how can we measure "impacts on the business"? Ultimately, of course, the business boils down to revenue, profit, and a few other key financial metrics as reported in the annual report. But, there are other, more immediate values that generally are impacted before these critical metrics. Sort of like the proverbial "canary in the coal mine."

This is where Key Performance Indicators (KPIs) come in. KPIs are non-financial leading indicators of business performance. If you wait until there is a measurable impact on your key financial metrics (profit) before taking action, your ability to correct the problem in a timely way is limited, at best. Example KPIs might be: your rate of on-time delivery, your rate of customer retention, quality of materials, etc. Each of these could cause, if left unchecked for a period of time, big changes in your financial performance. So, if you can identify an increasing KRI... before it impacts a KPI... before it impacts financial performance, you have gained a significant improvement in your overall governance model.

Let's look at an example to illustrate this point. Let's define a KRI as the "turnover rate of key IT administrators." If this rate increases significantly, it is likely that IT effectiveness will decrease. System downtime will probably go up, and partners and distributors will have trouble getting their product information as needed, or placing their orders. So, define a KPI as the "Partner Order Rate," which is the rate at which your partners' orders are coming in, as compared to the historical average.

In another example, assume that your rate of IT changes increases for some reason. This could impact your ability to deliver services according to your contracts. This also will affect your ultimate revenue, as partners or customers start to cancel their agreements or contracts.

The relationship could be represented as follows:

[KRI graphic: KRI leading to KPI leading to financial performance]

Sounds simple, right? It's not. Deriving these indicators, and making sure that you understand the relationship between them, can be challenging. But, if you are going to manage risk to your business effectively, you need to understand what factors will impact it, and how you can identify trends before they become critical.
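As an added worked example, not from the post and using constructed numbers, the KRI-before-KPI relationship described above can be checked rather than assumed: correlate the KRI series against the KPI series shifted by a lag, and the lag with the most negative correlation is how many months of warning the KRI gives. A simple baseline comparison then raises an alert on the KRI itself, before the KPI has moved. The series, the alert threshold and the function names are all assumptions made for this example.

```python
from math import sqrt

# Constructed monthly series, not data from the post: the KRI is the turnover rate
# of key IT administrators (percent per month); the KPI is the partner order rate as
# a percent of its historical average. Turnover spikes in months 3-5 (zero-based)
# and partner orders dip two months later, in months 5-7.
ADMIN_TURNOVER_KRI = [2, 2, 2, 8, 8, 8, 2, 2, 2, 2]
PARTNER_ORDER_KPI = [100, 100, 100, 100, 100, 90, 90, 90, 100, 100]


def pearson(xs, ys):
    """Pearson correlation of two equal-length series (0.0 if either is constant)."""
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    cov = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    var_x = sum((x - mean_x) ** 2 for x in xs)
    var_y = sum((y - mean_y) ** 2 for y in ys)
    if var_x == 0 or var_y == 0:
        return 0.0
    return cov / sqrt(var_x * var_y)


def lagged_correlation(kri, kpi, lag):
    """Correlate KRI at month t with KPI at month t + lag."""
    if not 0 <= lag < len(kri):
        raise ValueError("lag must be between 0 and the series length")
    return pearson(kri[:len(kri) - lag], kpi[lag:])


def leading_lag(kri, kpi, max_lag):
    """Lag at which a rising KRI most strongly precedes a falling KPI (the most
    negative lagged correlation), returned together with that correlation."""
    best = min(range(max_lag + 1), key=lambda lag: lagged_correlation(kri, kpi, lag))
    return best, lagged_correlation(kri, kpi, best)


def kri_alerts(kri, window=3, factor=1.5):
    """Months where the KRI exceeds `factor` times the mean of the preceding
    `window` months: the early warning, raised before the KPI has moved."""
    return [
        t for t in range(window, len(kri))
        if kri[t] > factor * (sum(kri[t - window:t]) / window)
    ]


if __name__ == "__main__":
    lag, corr = leading_lag(ADMIN_TURNOVER_KRI, PARTNER_ORDER_KPI, max_lag=3)
    print(f"KRI leads KPI by {lag} month(s), correlation {corr:.2f}")
    print("KRI alerts raised in months:", kri_alerts(ADMIN_TURNOVER_KRI))
```

On the constructed data the turnover KRI is flagged in month 3, two months before the partner order KPI falls, which is the window in which the post argues a correction is still cheap. On real data the lag and the correlation come out of the same two calls, and a correlation near zero at every lag is the signal that the chosen KRI does not actually lead that KPI.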



By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s the Director of GRC Solutions at CA. Previously he managed the large computer operating system development group at Digital Equipment and...

What is your SharePoint Pre-Deployment Checklist?

Published: June 26 2009, 11:29 AM | no comments
by Eric Lundgren


Microsoft SharePoint offers organizations a platform for rapid deployment of sites that can enable groups to communicate and share information more effectively. The challenge with solutions that offer such rapid impact is ensuring that some review and approval process is in place to deliver maximum value for the organization... and minimum risk. A checklist is a way to ensure a site deployment can meet business, compliance, risk and operational objectives before a site gains momentum.

What would you add to this checklist?

1. Business objectives: Ensure that the site is going to meet a need and that it is appropriate for SharePoint.
   a. What is the primary business purpose for this site?
   b. What is the current method of achieving this purpose?
      i. Will this system replace an existing system?
      ii. When can the existing system be phased out?

2. Operational planning: The data going onto a site can be substantial, and the access and operational requirements need to be understood up front.
   a. Who is responsible for:
      i. Access?
         1. Users, roles and privileges
      ii. The content?
         1. Identifying what should be on the site
         2. Escalation of issues with inappropriate use
      iii. The site configuration?
      iv. Aging and deletion of data?
      v. Backup, disaster recovery and availability?
   b. Growth planning:
      i. Number of users?
         1. Location of users?
      ii. Number of documents per day?
         1. Average size of documents
         2. Types of documents
      iii. Life span of documents?

3. Protecting important business data: SharePoint sites become important locations for critical business documents; ensuring that data stored exclusively on the site is protected and available to the business requires a plan.
   a. Identify critical business documents
      i. Which documents are important to the business?
      ii. How long should they be kept?
      iii. When do they become final?
      iv. Who approves disposition?
      v. What is the process for placing a HOLD if a legal case surfaces?
      vi. What is the process for purging when retention has passed?
      vii. Who can change access under certain circumstances?
         1. Document becomes sensitive

4. Life span of site: All sites need to be evaluated to ensure they are still active and serve the business purpose they were deployed for. A SharePoint team should distribute and collect a survey of all sites that asks the following questions.
   a. When should this site be retired?
      i. Who is the current business owner of this site?
      ii. Should this site be backed up?
      iii. How long should the site be stored on backup?
      iv. Has this site been replaced by another system?
   b. Which documents are needed long term?
      i. How long are they needed?
      ii. Who requires access to these documents?
      iii. Has the Records Management team been involved/consulted in the retention of the documents?
      iv. Where should they be kept?
         1. Can these documents be kept on a replacement system/site?
      v. Should the site be monitored for usage prior to shutdown?
         1. Who will work with users to redirect them to the new system/site/method?

It would be great to know if the questions on the sample checklist above may have been overlooked during the roll-out of SharePoint sites at your organization, or if you have other good questions to add to the checklist! I think we can all agree that a process, such as a checklist, for reviewing and approving SharePoint sites is a key step in ensuring the efficient and productive use of SharePoint at any organization.

By: Eric Lundgren
Eric Lundgren is Vice President of Technical Sales for the Information Governance Business Unit at CA. He has a deep background in email management, electronic discovery and records management. Eric is currently responsible for helping customers understand how they can meet legal, regulatory and operational...
