Exchange SP1 won’t trash your important stuff

Written by John P Mello Jr on July 2, 2010 – 4:22 pm -

More and more companies are finding themselves in the crosshairs of lawyers filing lawsuits against them. That’s become a concern for electronic information managers because the first thing those legal beagles want to sniff is a company’s data stores. That means anything stashed on your Exchange servers is fair game for them. Previous versions of Exchange were weak in preserving data to meet the “discovery” demands generated by lawyers or regulators. Microsoft has changed that, though, with Exchange 2010.

With the arrival of that version of Exchange, administrators at last have a way to preserve documents that might be needed to fulfill legal obligations imposed on them by outside forces. Placing a hold on a mailbox preserves a user’s deleted and edited items, including email messages, calendar entries and tasks. The hold applies to both the user’s primary mailbox and archive mailbox.

In the RTM version of Exchange 2010, the only way to implement a litigation hold was through the Exchange Management Shell, with a statement like Set-Mailbox -Identity "Name" -LitigationHoldEnabled $true. With the arrival of the SP1 beta of the application, though, holds can be created through the Management Console or Control Panel.

To set up a hold using the Console, you go to a mailbox recipient’s configuration and right-click on the mailbox to access its properties. From the properties screen, you drill down to the properties settings for the Messaging Records Management item. There you can activate your hold by checking the box beside Enable Litigation Hold. You can also add a URL for a web page describing your organization’s policy governing holds, as well as any comments you may want users to see when they access their mailboxes after a hold has been imposed on them.

E-Discovery Record Keeping

Written by Mike Rede on June 22, 2010 – 3:09 pm -

In a February 2009 email blog post for Travis County, Texas, government records managers Steven Broberg and Shawn Malone debated how best to create an email policy that would support over 4000 end users without adding more confusion about state directives and standards on records retention policies. They proposed three general directions for their email retention policy and asked readers for their feedback.

As I have seen in many enterprises, and as the authors have also noted in their blog, resistance to change will always be encountered anytime new ideas are proposed, especially in large enterprises where business processes that are not broken will be defended as not needing to change.

One of their options, “Maintaining the Status Quo”, offered the least resistance by end users to accept as a general direction for records management. And it was also, of course, the least costly. If end users are at the front end of this direction – and also the endorsers – then the back end opponents included: security specialists, lawyers, vendors, NARA, TSLAC, etc.

With option one it is very unlikely that the company could maintain that mode as sooner or later there would be a need for email records that would be the subject of electronic discovery procedures and legal litigation. “Maintaining the Status Quo”, in my opinion, is not a viable option but merely one to list as a possible, though not probable, general email retention direction.

Their second option was to allow every employee using email to be their own records keeper. This direction would include publishing a set of records management rules and guidelines that all email users would have to adhere to. And to assist the employees in staying within the guidelines of a company’s records management policy, the IT department would provide tools and training.

Record Keeping Maturity

Written by Mike Rede on June 21, 2010 – 3:17 pm -

In Steve Bailey’s blog, http://rmfuturewatch.blogspot.com/, the author has written about his recent attendance at the European Conference on Archiving (ECA) in Geneva in April, 2010. Steve has observed that in previous years at the conference most discussions were about the technical complexities of digital archival, the many different approaches to digital archival practices and the ensuing problems associated with false assumptions.

In earlier years Information Records managers were also concerned with the durability and shelf life of digital media as compared to earlier technologies and referenced against the famous Domesday Book and our electronic counterparts of today.

This year, the ECA was reported to have a different atmosphere, with more conversations and subjects revolving around case studies, further suggesting that the challenges of archiving digital content have been met and are almost of a “routine” nature these days. So the question of whether we “can” preserve data without future data loss, or “how” (a concern to email administrators and IT departments), is now a question of the past.

For email administrators and records managers, the concern of how to protect the company from losing data has been replaced with the concern of how to manage this huge amount of data now that no data or emails are in danger of being lost anymore. Indeed, new technologies such as cloud computing are allowing administrators to ask for new tools to help them manage this soon-to-be massive amount of data, which is coming at them like a tidal wave of information that is growing exponentially.

In his blog post on this subject, Steve Bailey raises the eight-hundred-pound-gorilla-in-the-room question of the growing impact of the cloud and of how safe it is to have your company’s data, emails, company confidential information, etc. stored in the archives of the cloud. Moreover, he raises the question of how long before they lose that control and what happens then.

I agree with him that these are issues that records managers must plan for when they and their IT departments are working out the details during the initial planning stages of the who and how of data storage as it relates to a company’s data whether it be for emails, their attachments or much larger documents.

Five ways to focus your workers on compliance

Written by John P Mello Jr on June 4, 2010 – 2:49 pm -

The Pyramid of Compliance.

Most business initiatives need employee “buy in” to work and compliance is no exception. Automated systems can impose a degree of uniformity in enforcing initiatives, but where the rubber meets the road will always be where your workforce interacts with your systems. An employee who embraces your policies and procedures can be your best protection from threats like email-borne malware, as well as assurance that your organization is complying with industry and regulatory mandates.

How do you focus your people on compliance? Here are five suggestions from Ernie Hardin, founder and owner of 443 Consulting, an information security and business continuity consultancy in North Bend, Wash.

1. Get ’em at the Door

Probably the easiest worker to obtain buy-in from is the new hire. He or she is a clean slate without some of the baggage of existing workers. New hires are also eager to please their new employer so they’re more willing to accept your compliance rules.

What should be included in a new hire’s introduction to compliance? A message from your company’s CEO emphasizing the employee’s role in the security of the firm can be very valuable in attaching importance to compliance. Of course the nuts and bolts of external rules and regulations that your business has to comply with–HIPAA for medical facilities, for example, or Sarbanes-Oxley for publicly traded companies–need to be explained, as well as your firm’s appropriate use policy relating to email and Internet usage.

2. Get ’em Where They Eat

“Brown Bag” training sessions can be a useful approach to getting current employees onboard with your compliance program. The key to making these successful, though, is to bait them with something that appeals to the worker’s self interest. Free lunches are hard to resist, but tailoring your message is important, too. For example, Hardin points out that a session could be structured around computer security at home–a topic of some importance to most of your workers. Since good security practices at home would overlap good security practices at the office, the session would be killing two birds with one stone.

“Fortunately, this training also reinforces good security habits, which, in turn, employees tend to bring back to the work environment,” Hardin writes.

7 Reasons for Email Archiving

Written by Mike Rede on April 5, 2010 – 3:16 pm -

IT managers must account for many demands on their time and resources. Storage is always an issue and having to estimate the growth needs of the company and all the various departments can be a time-consuming and sometimes thankless job.

Estimating email storage needs can be started by making assumptions about the average size in bytes that attachments will require, the hours of day that the email servers will be the busiest and the number of users per email server. Those three variables multiplied together are a good starting point in estimating how much storage to allocate for email servers.

And the same computations can also be used when estimating how much storage to allocate for archiving purposes.

Archiving email messages can save an IT data center in many ways. Some of the reasons for archiving email messages include:

What to look for in an email encryption solution

Written by John P Mello Jr on March 30, 2010 – 3:08 pm -

Encryption is an important component of an email system, so choosing an encryption solution should be done carefully. What should be considered when evaluating an encryption protection scheme for an organization’s email system? Here are some suggestions to keep in mind.

One important consideration is whether or not a solution uses open standards. Since email is based on an open standard, there are advantages to basing any protection placed on top of it on open standards, too.

One advantage is open standards assure that data can be recovered in the future. If your vendor uses open standards, then you don’t have to worry about accessing your data should you decide to move to another provider in the future or should your vendor go belly up during the next recession.

Another consideration when choosing an encryption solution is mobility. Mobility is important because email must be accessible to a variety of devices from anywhere. Wherever an organization’s workers travel, they’ll want to check their messages and an email encryption solution needs to accommodate that without creating any hassles.

A solid encryption solution should be able to use a mobile device’s native email application. You don’t want to force your workers to learn another interface for their mobile device or leave an email program they’ve become accustomed to in order to work with encrypted messages. Making things harder for users is a sure fire way to invite them to look for ways to circumvent the system. Those ways are almost always insecure and make your organization vulnerable to a raft of unsavory cyber types.

Security skeptics less skeptic about iPhone

Written by John P Mello Jr on December 22, 2009 – 3:56 pm -

Better security is changing iPhone's image in IT departments.

While the iPhone’s “cool factor” has made it a hit among status conscious corporate executives, the mopho has been greeted with skepticism from the rank and file in the IT trenches. From their point of view, competing products like Research in Motion’s Blackberry and smartphones built on Microsoft’s Windows Mobile platform offer better security for their organizations. With the introduction of the latest version of the iPhone’s operating system, version 3.0, and iPhone Configuration Utility, version 2.0, IT resistance to letting Apple’s handset into the corporate tent seems to be weakening.

What has bugged IT folks in the past about the iPhone? For one thing, user profiles can’t be managed over-the-air as they can with a Blackberry and Blackberry Enterprise server or Motorola Good for enterprise servers. Another irritant is there’s no way to ensure that corporate policies on email, encryption, etc. have been installed or updated on the phones. What’s more, it’s difficult to preconfigure the units with settings for email, VPN access and such.

Apple’s update of the iPhone’s configuration utility, which gives network administrators a rich set of policy controls, has addressed some of those concerns and may be why IT doubters are relenting on their staunch opposition to the hardware.

For example, password entry into a phone can be required. The composition of the password, when passwords should be changed, rules on reuse of passwords and the number of failed password attempts before a phone automatically wipes out all the data on it can all be controlled by an IT department.

Specific content can be blocked on the phones, although that’s not true for specific applications. A workaround for that situation is to install all necessary apps when the phone is issued, then turn off the ability to install any more programs. The problem with that approach, however, is a user won’t be able to upgrade the existing apps on the phone.

Tips when making email archiving choices

Written by John P Mello Jr on November 5, 2009 – 12:06 pm -

Archiving tools need to be carefully vetted before they’re adopted

So you’re thinking of acquiring a new email archiving tool and need to craft an acquisition and implementation strategy. Here are some things you may want to consider.

Regulations, rules, requirements and product warranties can make buying archiving tools a minefield. By consulting with your corporate legal and compliance people, as well as your company’s business managers, you can get an idea about where those mines are buried. Moreover, you can use your efforts to educate yourself about what requirements must be met by your new tools to build support and acceptance among your legal and compliance people.

When garnering information from legal and business colleagues, it’s important not to lose sight of your role as a technology advocate. While it’s critical to know what your new archiving tools must do to meet compliance and warranty demands, it’s also crucial that those unschooled in the intricacies of storage management understand basic concepts, such as the distinction between backups and archiving and the hard and soft costs attached to storage.

Keep in mind that your new archiving tools need to do more than meet compliance requirements if they’re going to be accepted by your users. After all, you don’t want to trade one headache–jumping through compliance hoops–for another–a disgruntled user base that sees your new technology as an impediment to its doing its job.

E-discovery demands to double in three years

Written by John P Mello Jr on October 9, 2009 – 4:15 pm -

Clark: "We hire attorneys for their IP and not their IT."

Electronic discovery has increased demands on storage systems, and that’s likely to continue.

According to Michael A. Clark, a managing director at EDDix LLC, an electronic discovery consulting firm, corporations with revenues greater than $1 billion are carrying around a caseload of 150 active matters, 35 to 40 percent of which involve electronic discovery. With the new rules of Federal Civil Procedure adopted last December, he observed, “we’re going to see an ink blotting downward of electronic discovery to ever smaller matters.” He projects that within the next three years that 35 to 40 percent will move to 75 percent.

Finding information within the enterprise has always been a challenging task for legal ferrets, but those challenges have ballooned in recent times, according to Clark. “There are now not only more things to find, but more places to look for them than there had been before,” he said in a video interview posted at SearchStorage.com.

Finding information is a big challenge to operators of an enterprise network, but so too is deciding what should be stored and how long to store it, Clark noted.

“A number of corporations are devoting considerable resources to creating retention policies and then trying to enforce those policies,” he observed.

Disloyal use of email isn’t a crime

Written by John P Mello Jr on October 2, 2009 – 4:05 pm -

U.S. Appeals Court for Ninth Circuit.

Workers who use company email for disloyal activities may be targeted for administrative sanctions, but they’re not necessarily criminals under U.S. law, according to a recent decision by a federal court. The ruling by the Court of Appeals for the Ninth Circuit, which includes California, found that an employee for a residential treatment center for addicted persons in Nevada could not be prosecuted under the federal Computer Fraud and Abuse Act (CFAA) for emailing himself client files for use in a competing business after his employment was terminated from the center.

The case, LVRC Holdings v. Brekka, involves Christopher Brekka, who was hired by LVRC and worked at its Fountain Ridge facility in Nevada. Brekka’s duties included conducting Internet marketing programs and interacting with Web metrics company, LOAD, which LVRC employed to provide email, Web site, and related services for the treatment center. At the time of his hiring, Brekka owned and operated EBSN and EBSF, two consulting businesses that obtained referrals for addiction rehabilitation services and provided referrals of potential patients to rehabilitation facilities through the use of Internet sites and advertisements. According to the court, LVRC was aware of Brekka’s involvement with EBSN and EBSF when it brought him on board.
