Posts Tagged ‘Compliance’
Five ways to focus your workers on compliance
Written by John P Mello Jr on June 4, 2010 – 2:49 pm -
The Pyramid of Compliance.
Most business initiatives need employee “buy-in” to work, and compliance is no exception. Automated systems can impose a degree of uniformity in enforcing initiatives, but where the rubber meets the road will always be where your workforce interacts with your systems. An employee who embraces your policies and procedures can be your best protection from threats like email-borne malware, as well as your assurance that your organization is complying with industry and regulatory mandates.
How do you focus your people on compliance? Here are five suggestions from Ernie Hardin, founder and owner of 443 Consulting, an information security and business continuity consultancy in North Bend, Wash.
1. Get ’em at the Door
Probably the easiest worker to obtain buy-in from is the new hire. He or she is a clean slate, without some of the baggage of existing workers. New hires are also eager to please their new employer, so they’re more willing to accept your compliance rules.
What should be included in a new hire’s introduction to compliance? A message from your company’s CEO emphasizing the employee’s role in the security of the firm can be very valuable in attaching importance to compliance. Of course the nuts and bolts of external rules and regulations that your business has to comply with–HIPAA for medical facilities, for example, or Sarbanes-Oxley for publicly traded companies–need to be explained, as well as your firm’s appropriate use policy relating to email and Internet usage.
2. Get ’em Where They Eat
“Brown bag” training sessions can be a useful approach to getting current employees on board with your compliance program. The key to making these successful, though, is to bait them with something that appeals to the worker’s self-interest. Free lunches are hard to resist, but tailoring your message is important, too. For example, Hardin points out that a session could be structured around computer security at home–a topic of some importance to most of your workers. Since good security practices at home overlap with good security practices at the office, the session would be killing two birds with one stone.
“Fortunately, this training also reinforces good security habits, which, in turn, employees tend to bring back to the work environment,” Hardin writes.
E-discovery demands to double in three years
Written by John P Mello Jr on October 9, 2009 – 4:15 pm -
Clark: "We hire attorneys for their IP and not their IT."
Electronic discovery has increased demands on storage systems, and that’s likely to continue.
According to Michael A. Clark, a managing director at EDDix LLC, an electronic discovery consulting firm, corporations with revenues greater than $1 billion are carrying a caseload of around 150 active matters, 35 to 40 percent of which involve electronic discovery. With the new rules of Federal Civil Procedure adopted last December, he observed, “we’re going to see an ink blotting downward of electronic discovery to ever smaller matters.” He projects that within the next three years that 35 to 40 percent will move to 75 percent.
Finding information within the enterprise has always been a challenging task for legal ferrets, but those challenges have ballooned in recent times, according to Clark. “There are now not only more things to find, but more places to look for them than there had been before,” he said in a video interview posted at SearchStorage.com.
Finding information is a big challenge to operators of an enterprise network, but so too is deciding what should be stored and how long to store it, Clark noted.
“A number of corporations are devoting considerable resources to creating retention policies and then trying to enforce those policies,” he observed.
Self-service retrieval
Written by Dan Blacharski on July 10, 2009 – 4:03 pm -
The administrator may appropriately be tasked with administering, or at least overseeing, the process of email archiving, if for no other reason than that end-users are not likely to do it themselves. The process of archiving emails, if left to individual end-users, would be chaotic at best. Uniform standards must apply, and archiving needs to be done according to a rule-based procedure; without such a procedure, the enterprise risks falling out of compliance with one or more legislative mandates.
But there are two pieces to the archiving puzzle: putting things into it, and taking things out of it. The first part can be largely automated and done according to a set of rules that specify that emails get archived after a certain period of time. But as for the other end–searching the archives–that’s another story entirely.
Agencies fizzle on FISMA compliance
Written by Dan Blacharski on June 1, 2009 – 2:10 pm -
While the rest of us are struggling under threat of penalty to comply with an ever-increasing array of security-related regulations, the federal government itself is failing miserably at practicing what it’s been preaching.
The GAO issued a report this week on how government agencies have been responding to the Federal Information Security Management Act of 2002 (FISMA), which requires government agencies to create agencywide information security programs with supporting security architectures.
The report concluded that out of 24 government agencies, 23 had inadequate authorization controls, and 22 said that information security was a “major management challenge.” The agencies also came up short in several other security-related areas, and poor IT security continues to be seen throughout government. According to the report, all 24 agencies have reported multiple security incidents where sensitive information has been either lost or stolen.
Who audits the auditor?
Written by Dan Blacharski on May 29, 2009 – 4:02 pm -
If you are subject to compliance with a regulation like HIPAA or Sarbanes-Oxley, you need to know your own internal systems are safe and secure and customer data is kept private, and you also need to know that the systems of your partners are equally protected.
That’s the hard part of compliance. You have control over how you implement security and impose email protections inside your own company, but you have less control over companies that are separate from yours but within your sphere of influence.
A study recently showed that 20 percent of security professionals are “cheating” to pass an audit, especially if it is a self-audit. In such audits, which are run largely on the honor system, you attempt to satisfy your compliance requirements by providing a checklist to your partners who have access to your systems or data. The partner verifies that they have done certain things, or have implemented certain precautions, and sends the list back. All bases are covered, right? Not always–without an external auditor, there is no validation, and there may be a risk of falling out of compliance.
Reduce dependency on PST files
Written by Dan Blacharski on May 19, 2009 – 3:38 pm -
PST (Personal Storage Table) files can be a nuisance and a cause of some difficulties. There are plenty of how-to’s out there on how to manage them, tweak them, and manipulate them, but the best strategy of all is to avoid them altogether.
PST files can be stored either on the Exchange server or locally. The immediate advantage of local storage of PST files is that it provides an easy and readily accessible location for old emails. But although a great many email environments are set up for local storage of PST files, it goes without saying that the local storage option is a bad idea that offers very little in the way of protection against disaster, loss, or attack.
However, with more companies falling under the purview of one or more compliance-related legislative mandates, the use of PST files must be revisited. If there is a retention requirement that calls for storing emails for a certain period of time, locally stored PST files make it pretty easy for that requirement to be circumvented. Electronic discovery may also be a problem if PST files are used and stored locally, even temporarily.
Sarbanes-Oxley and email security
Written by Dan Blacharski on May 11, 2009 – 2:28 pm -
Sarbanes-Oxley, a set of rules that were put in place to combat corporate scandals, fraud, and improper financial reporting, has had a big impact on how corporations do business, and the impact reaches all the way across the board. While SOX is targeted at the money guys on the top floor, ultimately it’s the IT guys in the back office who are responsible for implementing it and keeping the suits on the straight and narrow.
The most relevant part of SOX is the internal controls requirement, which mandates that several controls be put in place with regard to how financial reporting is done. At first glance, it would seem that email doesn’t pertain, but in reality it does: SOX isn’t just about how financial data is stored, it’s also about how it’s transmitted–and a good Sarbanes-Oxley audit will almost always suggest security enhancements to the email infrastructure, including encryption and more rigorous adherence to policy and good practices. IT is mostly concerned with section 404 of the Sarbanes-Oxley Act, which deals with internal controls and how they are enforced.
How compliant is in-the-cloud storage?
Written by Dan Blacharski on April 13, 2009 – 3:05 pm -
In-the-cloud storage got a setback last week when both HP’s and Yahoo’s online storage services were shut down for good. HP’s Upline has had a rocky past, with the young service having experienced numerous problems and delays, and reports of malfunction and inappropriate access. Of course, there is no shortage of other cloud vendors taking their place–and the ads are full of “Do you need an alternative to Upline?” come-ons.
We’re still hearing rumors, and most recently “confirmed rumors,” that Google’s Gdrive is ready to roll. Gdrive sounds revolutionary in design. It will supposedly offer unlimited storage–allowing you to actually store the entire contents of your hard drive in the cloud. Local and online files are synchronized through a web interface, so, for example, you could start working on a project at the office and then later pick it up at an Internet cafe–or even on your smartphone. Gdrive will also be integrated with other Google applications and services. The security ramifications are immense, though, and there’s as yet no word as to how security would be provided. I’m not so sure I would want my entire hard drive replicated in the cloud. Also, it would seem doubtful that users who have to comply with various regulations regarding storage and backup would be able to take advantage of it, but we’ll wait to see on that one.
Before moving to an online backup environment, a corporate user should review their data retention policy and any compliance requirements they face, and make a judgment as to whether in-the-cloud backup could adequately meet those policies and requirements.
EDRM Guides Archive Strategy
Written by Carl E. Reid on March 12, 2009 – 7:04 pm -
Started in 2005, the Electronic Discovery Reference Model (EDRM) Project was created to address the lack of standards and guidelines in the electronic discovery market. EDRM is a great reference tool to develop guidelines and standards for ediscovery consumers and service providers. EDRM helps reduce the cost, time and manual work associated with ediscovery.
Referencing the accompanying EDRM diagram on their web site, the 8 areas lay out a structured foundation for facilitating the implementation of an archiving software solution. This makes life easier by providing all the players with standard guidelines for the archiving and information retrieval process related to legal and government requests.
What follows is a cursory overview of EDRM.
Information Management
Getting your electronic house in order to mitigate risk and expenses should electronic discovery become an issue. This covers the initial creation of electronically stored information all the way through its final disposition.
Identification
This refers to the process of learning the location of all data which a company has a duty to preserve and potentially disclose in an upcoming legal proceeding.
Preservation
Preservation for electronic discovery has become a complicated, multi-faceted, steadily-changing concept in recent years. Certain suggested standards and guidelines have been emerging to provide checklists for those preparing to respond to electronic requests for production.
Collection
The acquisition of electronic information that was tagged as potentially relevant in the identification phase.
E-discovery costs can bust your budget
Written by Brett Callow on January 30, 2009 – 5:03 pm -
Could you imagine having to spend a budget-busting $6 million on e-discovery for a case to which you were not a party? That’s exactly what happened to the Office of Federal Housing Enterprise Oversight (OFHEO) – and the costs amounted to 9% of its annual budget. Ralph Losey, a lawyer specializing in e-discovery, has posted an excellent overview of the case to his blog, but here’s a quick summary:
OFHEO regulates the Federal National Mortgage Association, commonly known as Fannie Mae. In 2003, OFHEO examined Fannie Mae’s accounting and financial practices and concluded that it had manipulated its reported earnings in order to artificially inflate the performance-related bonuses paid to its executives. Fannie Mae reached a settlement with OFHEO in which it agreed to take remedial action to address the recommendations made by OFHEO and pay a $400 million civil penalty. Matter closed – or so OFHEO thought. But not so.
OFHEO’s report prompted a civil action by Fannie Mae’s customers. Fannie Mae’s executives subpoenaed OFHEO records, claiming that those records would help their defense by demonstrating that they “had been completely transparent with OFHEO,” that “OFHEO had approved Fannie Mae’s accounting and compensation practices,” and that the OFHEO investigation “was politically motivated and biased.” OFHEO’s counsel agreed to provide the documents by a specified date, with the Fannie Mae executives being able to specify the search terms.