5 Questions about Information Governance in 5 Minutes: Who Should Own Information Governance?

April 17, 2013

Interesting video about data governance. This is the second video in our series, “5 Questions about Information Governance in 5 Minutes.” In this video, IG experts answer the tricky question, “Who Should Own Information Governance?”

Thanks to http://barclaytblair.com/2013/04/16/5-questions-about-information-governance-in-5-minutes-who-should-own-information-governance/


Data Retention in the Social Media Era

April 11, 2013

A variety of industry research analysts have indicated that 3 of the top 10 priorities for IT in 2013 will be initiatives focusing on BYOD, cloud computing and business analytics obtained via social media.  While these initiatives provide clear business benefits, they will challenge data retention and records management policies for most organizations.

BYOD, cloud computing and social media have a common thread – they all create data repositories that have been geared towards the non-IT consumer, where governance, management and retention have taken a backseat to ease of use.  With the introduction of these technologies into the enterprise, companies are obligated to develop backup, archiving, and classification strategies to ensure that relevant data is available in the event of litigation and a discovery request.

Under the Federal Rules of Civil Procedure, once a company receives a legal hold request it must preserve the relevant data, and any disposal that took place before the hold is defensible only if it followed a clearly defined and demonstrable retention and disposal policy. Such a policy cannot be developed and implemented in the midst of litigation, because an opposing litigant could then claim that the destruction of data was intentional, resulting in damages and penalties awarded to the opposition.

In the article, eDiscovery Rules Applied to Social Media: What This Means in Practical Terms for Businesses, statistics show that the FRCP rules are being enforced— sanctions were ordered in 50% of the cases where sanctions were sought, with a few resulting in large monetary penalties. Needless to say, companies are compelled to comply.

While many companies have chosen the pack-rat approach (save and archive all of the data they manage, including customer data, personal data, etc.), this approach is not practical due to ever-increasing volumes of data, especially when considering the information generated by mobile devices and social media.

When a company develops a defined retention policy that takes these initiatives into account, its requirements should be part of a larger blueprint for securing its data, linking retention strategies with governance and accessibility.  These 6 steps provide some basic guidelines:

  1.  Determine the age at which each type of data that has not been accessed would be considered stale – 1 year?  2 years? 5 years?
  2. Implement a solution that can identify where stale data is located based on actual usage (not just file timestamps)
  3. Automate the classification of data based on content, activity, accessibility, data sensitivity and data owner involvement
  4. Automatically archive or delete data that meets your retention guidelines
  5. Automatically migrate data that is stale but contains sensitive information to a secure folder or archive with access limited to only those people who need to have access (e.g. the General Counsel)
  6. Make sure your solution can provide evidence (e.g. reports) of your defensible data retention and disposal policy
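As an added example (not code from the original post or from any vendor), the script below walks the six steps above over a constructed file inventory and access audit trail. It does not delete or move anything; it produces the decision and the evidence for each file so the actions can be reviewed before they are automated. The policy table, file paths, sensitivity labels and access log entries are all made up for this example, and the "as of" date is fixed so the results are reproducible.

```powershell
# Added example: a minimal retention decision engine for the six steps above.
# Nothing here touches a real file system; all inputs are constructed.

$asOf = Get-Date '2013-04-01'   # fixed evaluation date, an assumption for reproducibility

# Step 1: staleness threshold per data type, in days without real access (assumed values).
$stalePolicy = @{ 'project' = 365; 'hr' = 730; 'finance' = 1825 }

# Constructed file inventory. LastWriteTime is what the file system says; Sensitivity is
# what a content classifier reported; LegalHold is the flag counsel set.
$files = @(
    [pscustomobject]@{ Path='\\fs1\projects\orion\plan.docx';  Type='project'; LastWriteTime='2011-02-10'; Sensitivity='Internal';     LegalHold=$false }
    [pscustomobject]@{ Path='\\fs1\projects\orion\rates.xlsx'; Type='project'; LastWriteTime='2010-05-01'; Sensitivity='Internal';     LegalHold=$false }
    [pscustomobject]@{ Path='\\fs1\hr\2009\reviews.xlsx';      Type='hr';      LastWriteTime='2009-12-20'; Sensitivity='PII';          LegalHold=$false }
    [pscustomobject]@{ Path='\\fs1\finance\2008\ledger.xlsx';  Type='finance'; LastWriteTime='2008-01-15'; Sensitivity='Confidential'; LegalHold=$true  }
)

# Constructed access audit trail (who actually opened what, and when). Step 2 relies on this
# rather than on timestamps: plan.docx looks stale by mtime but is still read every month.
$accessLog = @(
    [pscustomobject]@{ Path='\\fs1\projects\orion\plan.docx'; User='alice'; When='2013-03-12'; Op='read' }
    [pscustomobject]@{ Path='\\fs1\projects\orion\plan.docx'; User='bob';   When='2013-02-03'; Op='read' }
    [pscustomobject]@{ Path='\\fs1\hr\2009\reviews.xlsx';     User='carol'; When='2010-01-08'; Op='read' }
)

function Get-RetentionDecision {
    param($File, $AccessLog, $Policy, [datetime]$AsOf)

    # Step 2: last real use = newest audited access; fall back to the write time only
    # when there is no audit record at all.
    $lastAccess = $AccessLog |
        Where-Object { $_.Path -eq $File.Path } |
        Sort-Object { [datetime]$_.When } -Descending |
        Select-Object -First 1
    $lastSeen = if ($lastAccess) { [datetime]$lastAccess.When } else { [datetime]$File.LastWriteTime }
    $idleDays = [int]($AsOf - $lastSeen).TotalDays
    $isStale  = $idleDays -gt $Policy[$File.Type]

    # Steps 3-5: classification decides the action; a legal hold always wins.
    $action, $rule = if ($File.LegalHold) {
        'Retain', 'HOLD: under legal hold, no disposal'
    }
    elseif (-not $isStale) {
        'Retain', "ACTIVE: accessed within $($Policy[$File.Type]) days"
    }
    elseif ('PII', 'Confidential' -contains $File.Sensitivity) {
        'Quarantine', 'SENSITIVE-STALE: move to restricted archive (General Counsel only)'
    }
    else {
        'Delete', 'STALE: past retention, no sensitive content, no hold'
    }

    # Step 6: the evidence a reviewer (or a court) will ask for, one row per file.
    [pscustomobject]@{
        Path        = $File.Path
        Type        = $File.Type
        LastWrite   = $File.LastWriteTime
        LastRealUse = $lastSeen.ToString('yyyy-MM-dd')
        IdleDays    = $idleDays
        Sensitivity = $File.Sensitivity
        Action      = $action
        Rule        = $rule
    }
}

$decisions = foreach ($f in $files) {
    Get-RetentionDecision -File $f -AccessLog $accessLog -Policy $stalePolicy -AsOf $asOf
}
$decisions | Format-Table Path, LastWrite, LastRealUse, IdleDays, Sensitivity, Action -AutoSize
$decisions | Export-Csv -Path .\retention-decisions.csv -NoTypeInformation   # the audit record
```

With the sample data, plan.docx is retained even though its timestamp is two years old, because the audit trail shows it was opened in March; rates.xlsx has no access record and is past the project threshold, so it is flagged for deletion; reviews.xlsx is stale but contains PII, so it goes to the restricted archive rather than being deleted; and ledger.xlsx is retained regardless of age because it is on hold. The CSV is the demonstrable record step 6 asks for.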

At-Risk Exchange Data

November 12, 2012

One of the more interesting benefits of last year’s launch of DatAdvantage for Exchange was the opportunities it presented to talk with different sets of people in our customers’ organizations. Where traditionally we’d worked mostly with security, storage, Windows or Active Directory teams, DatAdvantage for Exchange spurred meetings with messaging, e-Discovery and legal folks as well.

E-mail is a business-critical system, period. From an IT perspective, it may be the most critical system—most companies would rather lose their phones for a day than their e-mail. What that has meant for the Messaging folks in charge of Exchange is that simply keeping the lights on—making sure that emails are being delivered promptly and that the repository of stored data is available—has been far and away more important than access control. However, the consequence of focusing on availability rather than confidentiality or integrity has meant that a lot of the controls and auditing that should be in place are sorely lacking.

Data Governance and Exchange

Exchange is an interesting repository from a data governance perspective. The last time I wrote about using Varonis, I talked about how we can combine data classification with permissions exposure to identify the data that’s most at-risk on a file system or SharePoint site. Unlike a file share, the hierarchy is flat: everyone’s got their own mailbox, and it’s very easy to share out access rights to it. You can, for instance, give someone access to your inbox or calendar. With IT’s help, you can give them the ability to send email on your behalf, or even “as” you. Exchange is exactly like file shares in that mailbox access is rarely reviewed, mailboxes stay shared and users keep send-as or send-on-behalf-of privileges for a long, long time.

What’s at Risk?

One of the first things we do when we spin up DatAdvantage for Exchange for a customer is to run a report that shows them everywhere someone in the organization has access to a mailbox that isn’t their own.

Everyone has access to their own mailbox by default. It takes some sort of permissions change, though, either on the client (Outlook) side or by the admin on the Exchange server, to grant someone access to another mailbox. One of the things we’re seeing when we do this, by the way, is that the mailboxes that are without question most likely to have been shared are those that are probably considered the most valuable: those of the CEO and other high-level management. While native tools might let you manually (and somewhat painfully) check permissions on a mailbox-by-mailbox basis, Varonis gives you the ability to see where anyone has access to an object that’s not part of their own mailbox.

We take that risk assessment a step further, too, with another report that will show you where people are actually accessing data in mailboxes that don’t belong to them. For good or ill, these are probably the permissions you want to take a look at first from a governance perspective.
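For readers who want the native version of that first report, here is an added example (not Varonis code and not from the original post) that enumerates the three kinds of non-owner access described above across every mailbox: Full Access on the mailbox, Send As, and Send on Behalf, plus Outlook-side sharing of the Inbox and Calendar folders. It assumes an on-premises Exchange Management Shell session with at least view-only organization rights; the output file name is an assumption.

```powershell
# Added example: find every place someone has rights to a mailbox that is not their own,
# using only native Exchange Management Shell cmdlets. Assumes on-premises Exchange
# (Get-ADPermission is the on-premises way to read the Send-As extended right).

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {

    # 1. Full Access granted on the mailbox itself. Inherited entries and the
    #    NT AUTHORITY\SELF / SYSTEM defaults are noise; unresolved S-1-5-* SIDs are
    #    orphans from deleted accounts and are worth a separate look.
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            "$($_.User)" -notlike 'NT AUTHORITY\*' -and
            "$($_.User)" -notlike 'S-1-5-*' -and
            $_.AccessRights -like '*FullAccess*'
        } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Grantee = "$($_.User)"; Right = 'FullAccess' }
        }

    # 2. Send As: stored as an AD extended right on the mailbox user object.
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object {
            -not $_.IsInherited -and -not $_.Deny -and
            $_.ExtendedRights -like 'Send-As' -and
            "$($_.User)" -notlike 'NT AUTHORITY\*'
        } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Grantee = "$($_.User)"; Right = 'SendAs' }
        }

    # 3. Send on Behalf: a multi-valued attribute of the mailbox.
    foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Grantee = $delegate.Name; Right = 'SendOnBehalf' }
    }

    # 4. Folder-level sharing done from Outlook (inbox/calendar given to a colleague).
    #    Default and Anonymous with 'None' are the untouched defaults; anything else is a grant.
    foreach ($folder in 'Inbox', 'Calendar') {
        Get-MailboxFolderPermission -Identity "$($mbx.Alias):\$folder" -ErrorAction SilentlyContinue |
            Where-Object { "$($_.AccessRights)" -ne 'None' } |
            ForEach-Object {
                [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Grantee = "$($_.User)"; Right = "$folder`:$($_.AccessRights)" }
            }
    }
}

$report | Sort-Object Mailbox, Right | Format-Table -AutoSize
$report | Export-Csv -Path .\mailbox-delegation.csv -NoTypeInformation
```

Run it once and sort the CSV by mailbox; the rows for the executive mailboxes are the ones to review first. Note that this shows who can access a mailbox, not who has; the "actually accessing" view in the next paragraph needs mailbox audit logging or a product that collects it.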


What exactly is defensible deletion?

October 25, 2012

Philip Favro of Symantec, in an article called Defensible Deletion: The Cornerstone of Intelligent Information Governance on the eDiscovery 2.0 blog, defines defensible deletion as “a comprehensive approach that companies implement to reduce the storage costs and legal risks associated with the retention of electronically stored information (ESI)”.

He goes on to say that organisations which have done this “have been successful in avoiding court sanctions while at the same time eliminating ESI that has little or no business value”.

That is the point, of course, of the word “defensible” in this context. It matters most in the US, where everyone goes in fear of the sanctions bogeyman, apparently without regard to the terms of Rule 37(e) of the Federal Rules of Civil Procedure which reads as follows:

(e) Failure to Provide Electronically Stored Information. Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.

Most other jurisdictions can manage without this “safe harbor” because they do not have the same (alleged) reason to fear sanctions. I say “alleged” because if US companies paid more attention to Rule 37(e), they too could set about the deletion of material which is not presently the subject of a legal hold and which is not required for statutory or business purposes. It would help, too, if they read some of the sanctions Opinions which cause such dread to see how many of them were the consequence of the “routine, good-faith operation of an electronic information system”.

If you are short of ROI information to justify the work involved in a defensible deletion programme, try to calculate how much money was spent last year processing and reprocessing useless data for eDiscovery purposes, rejecting it time after time, at considerable expense. There’s a big chunk of ROI there.

Thanks to http://chrisdale.wordpress.com/


E-Discovery in Cloud Computing – Are We Ready? No.

July 21, 2011

When we talk to lawyers or their clients about their readiness for e-discovery in the cloud, we get (most of the time) a deer in the headlights reaction. Most of our clients are small to mid-sized, so it may be there is more readiness amongst large corporations and law firms.

I was interested to see a tweet from our friend Rob Robinson this morning, citing an unscientific survey done by Clearwell Systems in conjunction with Enterprise Strategy Group on this subject. Our own conclusions are equally unscientific, but they parallel what Clearwell and ESG found. Some of the highlights:

• Only 25% thought themselves ready for e-discovery in the cloud
• 30% reported cloud applications in-scope for e-discovery in 2010
• 60% anticipated the discovery of cloud-based applications in 2011
• 27% considered social media in-scope for e-discovery in 2010
• 59% considered social media in-scope for 2011
You can read more about the survey here.

It has been our observation that while businesses rush to put data in the cloud, they give very little thought to getting it back out. At a minimum, you would think that they would carefully consider the terms and conditions of their contracts with cloud providers. Our experience has been that they know the term of the contract and the price, but little else – and they almost never consider the need to get the data back. Cloud providers tend not to make it easy to get your own data – and sometimes there is a price tag attached.

Please see the full article link below. Thank you.

To view full article visit: http://ridethelightning.senseient.com/2011/06/e-discovery-in-cloud-computing-are-we-ready-no.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+sensei+%28Ride+The+Lightning%29&utm_content=Google+Reader
