Posted By: Jonathan Brill on 31st December 2008
One of the problems with information management strategies we’ve seen is that they often start with a specific problem and let it have a disproportionate effect on the entire strategy. Considering how many different things are affected by an enterprise information management strategy, a plan built specifically for one business requirement is almost guaranteed to not be able to scale with other requirements.
According to John Linkous, there are a number of problems with this approach. He says, “The danger of this regulation-specific mentality is that the organization can fall back into the ‘checklist’ mentality, which promotes compliance over reducing risks and improving security.”
Picking out only one particular area of perceived threat still leaves an organization vulnerable to all the others. And what we’re seeing with the rapid growth of information is that additional problems can sneak up on a company. Companies with little perception of a data leakage problem are facing penalties in the hundreds of thousands of dollars for recovering lost or stolen data and the subsequent (and now required) notification of customers. Just one such incident can have a crippling and demoralizing effect on the business.
Reacting to that with hastily purchased technology and poorly thought-out requirements is, however, almost worse: it can actually leave a company less secure than when it started, by giving the impression of security without actually providing it.
The average business is going to be affected by a number of regulations that place restrictions on how long data is retained, how it’s secured, and how quickly it must be located. The challenge for any company is not in building a strategy that lets them meet the requirements of one, but rather in building a framework that lets them meet baseline requirements for all. Knowing that all regulations will require some mix of retention/disposition, access control, and discovery requirements is a start. Mapping the requirements along those planes is a solid step towards avoiding a knee-jerk partial implementation of an information management solution that won’t scale.

Posted By: Jonathan Brill on 30th December 2008
Quiz Question of the Day:
Among the assets a corporation can place a value on and protect based on that value, Electronically Stored Information (ESI) can be:
- The most pervasive
- Have the greatest value range: from the most valuable asset in the corporation to the biggest liability
- Have the greatest range of lifecycle, can be copied endlessly and live forever or deleted instantly and irretrievably lost
- Be the most fluid and difficult to track
- All of the above
The answer of course is “All of the Above”. At once, our ESI can be the most or least valuable thing a corporation owns, have the longest or shortest lifespan, exist everywhere that there are people and computers, and flow in and out of our domain in any number of permutations and derivatives. At the end of every business day it would be fair to say that your business exists solely in its ESI. All the work produced, all the innovation, all the payables and receivables are all recorded in databases, emails, and their file-based derivatives.
So, if ESI is so important, why is there no standard way for managing and protecting it? Why aren’t there best practices that can be easily implemented and adhered to with proven off the shelf technology and skilled operators who can massage the prevailing best practices and best of breed automation technology into meeting specific business requirements? Is this challenge really so daunting that even the largest most well run companies have been caught by surprise so completely that they’ve been unable to meet this head on?
Yes. And it’s not as if this will be the last time shifts in technology and business process catch corporations by surprise. But in this case, being behind the curve could have more severe and pervasive consequences than, say, not keeping up with the latest shipping software used by one’s competitors. The corporation that leaves itself vulnerable to an unmanageable pool of ESI could fall victim in any number of crippling areas: from IT storage costs growing at 40% per year, to being more susceptible to eDiscovery, which is currently growing at 50% per year, to simply falling out of compliance with any of the growing list of regulations that place restrictions on retention and disposition of ESI.
The culprit here is the relatively short amount of time companies have had to identify this as a problem area. For most of these companies, they just haven’t had the customary five to ten years to vet possible solutions and watch as early adopters run all possible solutions through their paces. Do they get a pass because we’re still early in the adoption curve? Sure. But that’s not going to help them in court.

Posted By: Travis Smith on 29th December 2008
As a follow up to my previous post regarding how companies are racing to become compliant, reports are now coming in about the first set of companies gaining their PCI DSS 1.2 compliance certifications. InterGlobe Technologies, one of the fastest growing companies in India, completed this certification just two months after PCI 1.2’s release date. So what is different about InterGlobe than the rest of the companies complaining about obtaining compliance?
Being a fast-growing company usually means you have the funds available to get the best of the best. However, being compliant has as much to do with commitment to customers as it does with money. According to InterGlobe’s CEO, two-thirds of travel transactions come in through the internet. With over one trillion dollars in travel transactions estimated per year, this leaves a lot of room for credit card fraud. What got InterGlobe to be PCI DSS 1.2 compliant in two months was not the sheer volume of travel transactions. What helped with their compliance was twofold. First, they were probably PCI DSS 1.1 compliant before starting on this trek. This brings up a point I have made time and time again: being compliant in one area makes it so much easier to be compliant in others. Second, the tools allowed a company with more than 2000 employees across the globe to complete more than 250 requirements in two months.
In addition, PayMate also received their PCI DSS 1.2 compliance certification, but for m-commerce, meaning mobile payments. Mobile applications and technology are huge right now, but this probably isn’t relevant to everyone. For IT professionals, it doesn’t really matter how they get the credit card information, as long as they get it and secure it. I again leave you with a quote, this time from Arthur Schopenhauer: “Just remember, once you’re over the hill you begin to pick up speed.”

Posted By: MJ Knudsen on 23rd December 2008
Every day, knowledge workers arrive at their jobs, start up their computers and get busy. But what are the key factors to their success and efficiency? Well let’s see:
- Caffeine - check
- Comfortable chair - check
- A computer with all the trimmins’ - check
- Connection to the outside world (telephone and internet) - check
- Knowledge - check …….. Well, sort of.
There are tons of statistics online which point out how long the average knowledge worker spends per year searching for data in the enterprise. There are also several calculations which show how much all that searching costs a company per employee and across the entire organization. To give you an idea of the magnitude, here’s a sampling from an IDC white paper:
“IDC estimates that an enterprise employing 1,000 knowledge workers wastes at least $2.5 to $3.5 million per year searching for nonexistent information, failing to find existing information, or recreating information that can’t be found. The opportunity cost to the enterprise is even greater, with potential additional revenue exceeding $15 million annually.”
Therefore a knowledge worker loses significant efficiency when they cannot find the data they need. Furthermore, the problem grows as a business expands. More employees means more data being created, which is more data to search through, which takes more time. As Doug Levitt pointed out in his blog post, The Information Explosion, by 2010 the “digital universe” will contain about 988 exabytes (that’s 1,035,993,088 terabytes), 80% of which will be unstructured data. With this quantity of data, finding what you need is like finding a needle in a haystack. And although the MythBusters have proven that finding a needle in said haystack can in fact be done, it can be extremely time consuming. It’s the promise of Enterprise Search to resolve that, making finding information much more efficient.
With the time and money wasted by knowledge workers searching for information they need AND the excessive growth of that data; the problem is only going to get worse. So yes, enterprise search IS a big deal, but searching quickly with accurate results is even more important.

Posted By: Travis Smith on 22nd December 2008
Companies are racing to become PCI compliant to avoid fines before the PCI DSS compliance deadlines pass. Wait a minute: the compliance deadlines passed months ago. Unfortunately, IT departments move slower than molasses at the beginning of the year; project length is typically measured in years. Yet companies are still complaining that they are having trouble keeping up with the ever-changing PCI DSS standard, which only gets (minor) updates every two years.
So let’s figure out why companies are falling off track. First, focusing only on the current version of the standard to comply with is just going to depress you. Get your company PCI DSS 1.1 compliant, and you are 90% of the way to being PCI DSS 1.2 compliant. The PCI Security Council is anticipating the 2010 version to be 2.0, so you can probably expect even more changes than there were between the current and previous versions. It’s no secret that you should be, or should be close to being, PCI compliant by now. Sure, replacing 20-year-old systems can get quite expensive. On the flip side, the fines imposed for not being compliant are greater. And an even greater cost than both is the negative image of leaked data.
In today’s world, IT managers know that nothing is 100%. You cannot be 100% compliant, you cannot be 100% secure, and you cannot replace 100% of your infrastructure. Be wary of anyone that tells you different. To bridge that gap, between replacing everything and replacing nothing, there is technology that can merge the two systems in order to transition into the future. This isn’t an easy task to handle, at least efficiently. With the growth of data exploding into record numbers year after year, keeping tabs on what you have and what needs to be protected is becoming an even bigger problem. When your company is PCI DSS compliant, the next step is keeping it that way. Make sure you keep tabs on what you are storing in your network. Know what you have, know what you need to protect, know what you need to get rid of. As G.I. Joe said, “Knowledge is half the battle.”

Posted By: Jonathan Brill on 19th December 2008
Earlier this year Patrick Di Justo wrote about Google’s MapReduce technology with this introduction:
“Used to be that if you wanted to wrest usable information from a big mess of data, you needed two things: First, a meticulously maintained database, tagged and sorted and categorized. And second, a giant computer to sift through that data using a detailed query.
But when data sets get to the petabyte scale, the old way simply isn’t feasible. Maintenance — tag, sort, categorize, repeat — would gobble up all your time. And a single computer, no matter how large, can’t crunch that many numbers.”
Unfortunately, this isn’t just a theoretical problem. In fact, the problem is even worse than Di Justo described. I’ve spoken to Records Managers whose storage data alone measures in the many petabytes, not just one. And they’re applying the very same classification methodology described in this passage – they’re just doing it inconsistently, manually, and in most cases, only on the most valuable (or precarious) data.
I would argue that the innovation that will help them manage their petabytes of data won’t come in the form of a new method of classification, but in the form of better technology to automate the various parts of the process: better ways to populate the database, faster and more accurate tagging and sorting based on defined taxonomies, and large-scale automatic sorting and categorizing according to business rules.
Companies already know how to classify their data; they just need some help with the heavy lifting.
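As an added illustration (not code from this post, nor from any product it describes) of the rule-driven, automated classification this post argues for, and of the retention/disposition, access-control and discovery planes that the 31 December post maps requirements onto, here is a small Python classifier. Each business rule pairs a detector with the policy it implies on those three planes; when several rules fire, the most conservative policy on each plane wins, and a legal hold overrides disposition. The rules, retention periods, sample documents and hold list are all constructed for the example and are not drawn from any regulation.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

# Constructed sample documents for the example; none of this is real data.
SAMPLE_DOCS: Dict[str, str] = {
    "hr/benefits_2008.txt": "Employee enrollment: Jane Doe, SSN 123-45-6789, plan B.",
    "finance/invoice_1042.txt": "Invoice 1042 paid by card 4111 1111 1111 1111 on 2008-12-01.",
    "marketing/brochure.txt": "Our new product ships in Q1. Contact sales for pricing.",
    "legal/contract_acme.txt": "Master services agreement with Acme Corp, term 5 years.",
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits, optionally separated by spaces or dashes; validated with Luhn below
# so that invoice numbers, dates and other digit runs do not trigger the rule.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def has_ssn(path: str, text: str) -> bool:
    return SSN_RE.search(text) is not None


def has_card_number(path: str, text: str) -> bool:
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            return True
    return False


@dataclass(frozen=True)
class Rule:
    """One business rule: a detector plus the policy it implies on the three planes."""
    tag: str
    matches: Callable[[str, str], bool]
    retention_years: int        # retention/disposition plane
    access: str                 # access-control plane: "restricted" or "internal"
    discovery_relevant: bool    # discovery plane: must be indexed and holdable for eDiscovery


# Hypothetical rule set; the retention periods are illustrative, not taken from any regulation.
RULES: List[Rule] = [
    Rule("pii-ssn", has_ssn, 7, "restricted", True),
    Rule("pci-cardholder", has_card_number, 1, "restricted", True),
    Rule("contract", lambda path, text: path.startswith("legal/"), 10, "internal", True),
]
DEFAULT_RULE = Rule("general", lambda path, text: True, 3, "internal", False)


@dataclass
class Classification:
    path: str
    tags: List[str]
    retention_years: int
    access: str
    discovery_relevant: bool
    legal_hold: bool


def classify(path: str, text: str, holds: FrozenSet[str] = frozenset()) -> Classification:
    hits = [r for r in RULES if r.matches(path, text)] or [DEFAULT_RULE]
    # When several rules fire, the most conservative policy on each plane wins.
    return Classification(
        path=path,
        tags=[r.tag for r in hits],
        retention_years=max(r.retention_years for r in hits),
        access="restricted" if any(r.access == "restricted" for r in hits) else "internal",
        discovery_relevant=any(r.discovery_relevant for r in hits),
        legal_hold=path in holds,
    )


def classify_all(docs: Dict[str, str], holds: FrozenSet[str] = frozenset()) -> Dict[str, Classification]:
    return {path: classify(path, text, holds) for path, text in docs.items()}


def disposition_due(c: Classification, age_years: int) -> bool:
    """A document may be disposed of once its retention period has run, unless it is on legal hold."""
    return age_years >= c.retention_years and not c.legal_hold


if __name__ == "__main__":
    results = classify_all(SAMPLE_DOCS, holds=frozenset({"legal/contract_acme.txt"}))
    for c in results.values():
        print(f"{c.path}: tags={c.tags} retain={c.retention_years}y access={c.access} "
              f"discovery={c.discovery_relevant} hold={c.legal_hold}")
```

The point of the structure is that the detectors (the "tagging and sorting" step) are separate from the policy each tag carries, so adding a regulation means adding a rule rather than rebuilding the pipeline, and the hold list is consulted at disposition time rather than by the people who own the documents.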

Posted By: MJ Knudsen on 19th December 2008
According to an MSNBC article posted this morning, two Austin Peay State University computers were stolen, one of which had “Social Security numbers and names of hundreds of students.”
The article also indicated the computers were password protected, and university officials “didn’t believe” student information was accessed. For some reason, I don’t buy it.

Posted By: Tom Harrison on 18th December 2008
When the Federal Rules of Civil Procedure were amended just over two years ago, they required changes to how companies put legal holds on their documents when those are requested for litigation purposes. But a recent study, performed by Bayer Consulting for Deloitte, found that about 30% of 114 companies, varying in size and revenues, don’t have a formal legal hold policy. Sheri Qualters, of The National Law Journal, discussed the study in her article, “30% of companies still lack policies for preserving evidence for discovery.”
Qualters covers a few important points, including how important it is for companies to adopt policies for legal holds on Electronically Stored Information (ESI). When comparing the cost of being caught without a legal hold policy with the cost of implementing one, the result is a no-brainer. “While the discovery process has become increasingly complex and therefore poses a significant challenge for corporate America, having no legal hold policy is a significant risk factor for companies,” says Jeff Seymour, a principal in Deloitte FAS’s analytic and forensic technology practice.
Another change to the FRCP that made legal holds more important was the recent addition of FRE 502, added on September 19, 2008. These rules set out to try to limit the litigation costs of e-discovery. This is yet another reason corporations should have policies for how to handle legal holds. In one of my previous blog posts about Apple’s legal hold process, or their lack thereof, I discussed how Apple allows their users to administer legal holds on their own ESI. This “legal hold policy” will surely come back and cause e-discovery problems for them in the future.
Real policies for legal holds need to be in place so that employees can’t tamper with potential “evidence” in litigation. Several cases have already shown that the penalties for tampering with and costs associated with being unprepared for ESI discovery greatly outweigh the cost of implementing a solution. The solutions on the market today can help corporations prepare for these new laws and keep them that way as the amount of stored ESI continues to grow.

Posted By: Doug Levitt on 16th December 2008
I was recently reading IDC’s latest update to its groundbreaking research which measures the amount of digital information created and replicated (see: “The Diverse and Exploding Digital Universe, An Updated Forecast of Worldwide Information Growth Through 2011”).
The updated study reports that – from 2007 through 2011 – a larger percentage of corporate information will “be subject to significant requirements” for information protection (growing from approximately 30% in 2007 to over 40% in 2011).
Protecting information is becoming a top management concern because the penalties associated with the mismanagement of sensitive data can be significant. It can include such things as: damage to shareholder value, brand damage, damage to customer loyalty, damage to employee relations as well as potential legal liability and possible fines.
As I wrote in another blog posting, information must be classified in order to be managed and, therefore, protected. The industry thought-leaders have identified classification as being the “secret sauce” of Information Management. In fact, Gartner wrote an article back in June 2007 on this very subject (see: “Data Classification Is a Vital First Step in Information Life Cycle Management”).
It sounds so easy. But is it? Well, it is if you have a handful of emails, documents and databases containing sensitive information. But it’s quite different when you start thinking about tens of millions or even billions of documents that are stored in heterogeneous systems throughout the world.
Posted By: Travis Smith on 15th December 2008
On December 5, 2008, the PCAOB (Public Company Accounting Oversight Board) released a report outlining four years of audit inspections between 2003 and 2006. The report was based on a wide array of firms, large to small, from the east coast to the west. What the inspectors found were “deficiencies in important audit areas” across the board, without any apparent correlation with company size. It appears to be a problem that every company needs to address.
This report comes at an awkward time for the Sarbanes Oxley regulation, as it is another piece of bad press for the act. A lot of high-profile people have already gone on record against its effectiveness, pointing out the drop in the economy, the drop in the number of IPOs, the increase in compliance costs, etc. All of those arguments have been relative and could not paint Sarbanes Oxley into the corner. However, the tides are turning, and specific problems are being pointed out with companies trying to be compliant.
Take a look at history: governments do not go back on their word very easily. So it is safe to say Sarbanes Oxley is here to stay for a while. What is the answer to getting Sarbanes Oxley compliant? First, the solution needs to be cheap; too many sources have complained about the high cost of regulation. More important is what the solution is, and whether it is actually a solution. Right now, nobody knows what that solution is. No single software solution is the Sarbanes savior. However, I believe all of the ingredients are available to make a delicious Sarbanes Oxley soup.
