
Email Governance, Compliance, and Archiving with discussions on Legal Hold

Email Governance, Compliance, and Archiving with discussions on Legal Hold. Contact: Suzanne Riddell (DataForeSight, 303.278.2150, sriddell@dataforesight.com) and Richard Glassman (MessageGate, 714.325.9141, richardg@messagegate.com). September 21, 2006.


Presentation Transcript


  1. Email Governance, Compliance, and Archiving with discussions on Legal Hold
     Contact: Suzanne Riddell, DataForeSight, 303.278.2150, sriddell@dataforesight.com; Richard Glassman, MessageGate, 714.325.9141, richardg@messagegate.com
     September 21, 2006

  2. Enterprise Email
     • Readily distributed and flexible by nature
     • Powerful mission-critical communication and collaboration tool
     • High costs and significant risk

  3. Enterprise Email Governance Framework (diagram): collaboration and blending of best practices, technology and management
     • Participating functions: Compliance, Human Resources, Information Management, Internal Audit, Legal, Records Management, Security
     • Framework elements: Collaboration, Blending, Best Practices, Processes, Technology, Management, Continuous Improvement

  4. Experience Shows The Problem Is Real (matrix of System Load, Risk, Storage / Retrieval Costs, Productivity / Data Loss, and Archive)
     • Outbound E-mail traffic / Internal E-mail
       • 70-80% of total volume (without spam)
       • ~50% of volume is MS Office
       • 10-15% of volume is video, image, audio
       • Size of “forwards” is 2x average
       • > 2% of E-mails contain private company, customer, or employee information
         • Customer information: Names, Addresses, Family Members, Driver License Numbers, SSN, DOB
         • Company information: 10Qs, 10Ks (including notes), Sales Forecasts, Internal Correspondence, Quality Issues
         • Intellectual property, Company Private and Confidential Data, Board Meeting Notes, Legal Memorandums
       • Personal/ISP domains receive ~2% of traffic and ~4% of volume
     • Archive
       • 25-45% of E-mail traffic is readily identifiable as non-business
       • Retrieval is made difficult due to loss of context
       • False positives are expensive and annoying
     • Inbound E-mail Traffic
       • 60-80% is spam (unfiltered); ~15% filtered
       • Source of phishing and most virus attacks
       • Customers E-mail personal data to companies, often in response to “legitimate” requests from employees

  5. For a company of 5,000 users . . .
     • 900 releases of private information, daily
     • 150 internal E-mails with inappropriate content, daily
     • 150 employees fooled by each phishing attack
     • 3.4TB of stored non-business E-mails, yearly
     • $473,000 for discovery of 90 days of E-mail for 100 employees
     • Incalculable loss due to stolen IP and brand damage
     Background (same matrix as slide 4): Experience Shows The Problem Is Real
     • Outbound E-mail traffic / Internal E-mail
       • 70-80% of total volume (sans spam)
       • ~50% of volume is MS Office
       • 10-15% of volume is video, image, audio
       • Size of “forwards” is 2x average
       • > 2% of E-mails contain private company, customer, or employee information
       • Intellectual property, SSN, DOB, customer information, etc.
       • Personal/ISP domains receive ~2% of traffic and ~4% of volume
     • Archive
       • 25-45% of E-mail traffic is readily identifiable as non-business
       • Retrieval is made difficult due to loss of context
     • Inbound E-mail Traffic
       • 60-80% is spam (unfiltered); ~15% filtered
       • Source of phishing and most virus attacks

  6. E-Mail Governance, Compliance and Archiving: The Approach
     • Collaboration and blending of best practices, technology and management in the fields of Compliance, Human Resources, Information Management, Internal Audit, Legal, Records Management, and Security to PREVENT the risk of accidental and malicious release of company and customer information through the company’s E-mail network.
     • Blended, layered approach that implements business rules.
     • Administered by the business people in Compliance, Human Resources, Legal, and Records Management with significant input and balance from Information Management, Internal Audit and Security.

  7. E-Mail Governance, Compliance and Archiving should also consider:
     • Storage and retrieval
     • Consistency with the company’s policies and procedures for Records Management (paper)
     • Support for the new Federal Rules of Civil Procedure effective December 1, 2006
     • Consistency with all Federal, State, and Regulatory laws

  8. E-Mail Governance, Compliance, and Archiving must also consider messaging audits:
     • Can you prevent the accidental release of E-mails containing unacceptable material?
     • Can you prevent the intentional release of E-mails containing company confidential data and information?
     • Can you stop E-mails?
     • Do you allow videos, images, and music files to be transmitted through your company E-mail network?
     • Can you intercept E-mails prior to delivery to the recipient for review by a manager?
     • Do you have a “gentle way” to remind users of unacceptable E-mails prior to sending?
     • In employees’ annual reviews, do you review the E-mail acceptable use policy (EAUP)?
     • Do you allow Instant Messaging for all employees?
     • Do you allow blogging for all employees?

  9. E-Mail Governance, Compliance and Archiving
     • 47% of electronic records are not included in the company retention policy
     • 49% of companies do not have effective litigation hold processes
     • 65% of surveyed companies report that litigation hold records do not cover E-mail systems
     • 71% report that IT departments oversee the retention of electronic records

  10. Questions Compliance Managers Ask Regarding The Management Of E-mail Records And Attachments
     • Do you have a documented, distributed, and practiced E-mail acceptable usage policy (EAUP)?
     • Does your policy allow employees to use E-mail for personal use?
       • If so, do your employees have an expectation of privacy?
       • If not, do you inform employees that personal E-mails are the property of the company?
     • How do you manage the risk of an employee communicating with their healthcare providers?
       • Sending personal and confidential information?
       • Sending health-related information?

  11. Questions Compliance Managers Ask Regarding The Management Of E-mail Records And Attachments
     • Does your policy allow employees to forward company E-mail to personal E-mail addresses?
       • For work they want to complete at home on their home computer?
       • If not, how do you prevent it? How do you audit it?
     • Does your policy allow employees to forward E-mails and associated documents outside the company that are marked:
       • “Internal Use Only”,
       • “Company Private”,
       • “Company Confidential and Private”?
       • If not, how do you prevent it? How do you audit it?

  12. Questions Compliance Managers Ask Regarding The Management Of E-mail Records And Attachments
     • Are spreadsheets, Word documents, PowerPoint and other business-related content routinely incorporated into or attached to E-mails?
     • How do you prevent these E-mails from leaving the company?
     • How do you eliminate the risk, for example, of the draft 3rd Qtr 10Q being inadvertently released from the company?
       • In other words, someone types in the wrong E-mail address?

  13. Questions Compliance Managers Ask Regarding The Management Of E-mail Records And Attachments
     • If your staff communicates with customers via E-mail, how do you prevent the accidental release of information to an unauthorized person?
       • In other words, someone types in the wrong E-mail address?
     • Do administrative assistants have access to their bosses’ E-mail?
       • Read incoming E-mail?
       • Delete E-mail?
       • Reply to E-mail “as the boss”?
       • Write and send E-mail “as the boss”?

  14. Questions Compliance Managers Ask Regarding The Management Of E-mail Records And Attachments
     • Does the company communicate with attorneys and accountants via E-mail?
       • If so, are there automated business processes in place to prevent the release of company data and correspondence?
     • Do the company’s senior management, Board of Directors, attorneys and financial executives communicate via E-mail?
       • If so, are there automated business processes in place to keep E-mail correspondence confidential and guarantee that E-mails cannot be forwarded, cc’d, or bcc’d?

  15. Questions Compliance Managers Ask Regarding The Management Of E-mail Records And Attachments
     • Does your company stop employees from sending or receiving music files? Video files? Image files?
       • If certain employees have a need, can you distinctly support those employees?
     • Does your company conduct regular training on E-mail use (policies and procedures), business record retention and security?
     • Would it be helpful…
       • For all concerned, if employees could be reminded in a non-intrusive manner of the proper use of E-mail?
       • To eliminate inadvertent violations that result in unwanted terminations of employees?
       • To have automatic, intuitive, and systemic safeguards of company data?

  16. Questions Compliance Managers Ask Regarding The Management Of E-mail Records And Attachments
     • Do compliance, legal, human resources, security, audit, and information technology meet regularly to develop, review, implement and update the strategic E-mail risk management plan?
     • Is your plan a layered approach?
     • Can Audit easily examine E-mail flowing through the company?
     • Can Security monitor outbound, inbound and internal E-mail for a specific user or users in a non-intrusive manner? For a department?
     • Is there a process in place for legal hold of E-mails and associated attachments? Can employees or management delete their E-mails “forever”?
     • Is there a process in place to categorize E-mail prior to archiving?
     • Is there a separate policy for VPs and above for unlimited retention of E-mail and another policy for employees for 30, 60, 90 day retention?

  17. Meeting The Standard Of Reasonableness In Corporate E-mail Compliance
     • Designate effective E-mail management as a corporate “core value”.
     • Adopt rational guidelines on creation and use.
     • Validate considered guidelines with interdisciplinary teams drawn from Compliance, Legal, Human Resources, Internal Audit, Security, IT and functional units.
     • Amend the EAUP, training programs, and corporate policies to reflect a commitment to compliance.
     • Select an appropriate archiving approach consistent with compliance goals.
     • Prioritize and approach implementation in phases as defined in a program planning document.

  18. Questions to ask when considering the management and archival of E-mail records and attachments
     • How many litigation or investigation obligations can you predict?
     • Has relevant data been properly identified and preserved?
     • What are the time, difficulty, and cost (including business disruption) of recovering and retrieving E-mail and attachments?
     • Are you confident in your general archival and retrieval capabilities?

  19. Legacy Archival Strategies
     • “Save Nothing”
       • Employees and external parties have copies of “deleted” E-mail, leaving indefensible artifacts.
       • Hard to reconcile with evolving retention requirements.
       • Inexpensive: reduced storage.
       • Ease of management.
     • “Save Everything”
       • “Technically” compliant with RM requirements, but accurate and timely retrieval is impossible.
       • Substantial storage costs: the most expensive approach.
       • Using the back-up system as storage makes search, retrieval, and verification of completeness nearly impossible.

  20. Legacy Archival Strategies
     • “Selective Retention by Employees”
       • Case law standards frequently change “retroactively”, so even if employees get it exactly right, it might not be right when the lawsuit hits.
       • Costs of training, monitoring, and discipline may dwarf storage cost savings.
       • Compliance is theoretically achievable.
       • All responsibility rests with the employee.
       • Introduces significant risk to the corporation: “The efficacy of the compliance program relies upon the commitment and execution of your least effective employee”.

  21. Achieving Reasonable Assurance: an Effective Archival Strategy
     • Policy-Based Retention or Manual Retention
       • Effective compliance and risk management.
       • Accurate and timely search and retrieval.
       • Substantially reduced storage costs.
       • Categorization and search criteria required.
     * Filtering is defined as the identification and understanding of E-mail content, context, and meta-data and the application of disposition criteria.

  22. Archive Categorization: Classification Concepts
     • Accuracy is a measurement of the effectiveness of policy design and creation against defined criteria relative to intent.
     • Classification (taxonomy) is a derivative of an objective assessment of an organization’s business practices, information systems, cultural drivers, security practices, risk tolerance, and industry sector.
     • Classification improves over time, assuming oversight, organizational commitment, and effective management.
     • Classification evolves with changes in business climate, technology, and culture.

  23. Archive Categorization: Classification Guidelines
     • Classifying corporate E-mail and associated attachments based on business risk, data volume, content, and context is good business.
     • Regulatory drivers, corporate policies, and litigation preparedness.
     • Protection, storage, recovery, and transmission mechanisms are determined by the value of the data.
     • Classification reduces the cost of over-protecting data.
     • Improves corporate decision making by tightening the intelligence and decision making loop.
     • Not all E-mail has the same value or risk profile.

  24. Establishing Classification
     • How many classifications are necessary?
     • What controls are necessary for each classification?
     • What are the roles and responsibilities associated with each classification?
     • Resist the urge to over-classify or to create special cases with unique and transitory classifications. Too much granularity will cause the system to collapse under its own weight.
     • Each classification should have easily identifiable characteristics.
     • There should be little or no overlap between classifications.
     • Classifications should address E-mail data from creation to disposal.

  25. Establishing Classification
     • Review for compliance
       • Regulated and non-regulated
       • SEC, SOX, international
       • New Federal Rules of Civil Procedure effective December 1, 2006
       • Attorney-client privilege, legal hold, discovery
       • HR and ethics
     • Retention management (dynamic evolution)
     • Content and context disposition
     • Category search
     • Case assignment and forensic investigation
     • Encryption and classified management
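An added example, not from the presentation or either presenter's company, of the policy-based retention and legal-hold logic that slides 16, 21, 24 and 25 describe: non-overlapping content classes, per-class and per-role retention periods, and a legal hold that overrides disposal. The class names, retention periods, role names and content patterns are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed policy values (assumptions, not the presenters' rules).
# Retention in days per class; None means unlimited retention.
RETENTION_DAYS = {"regulated": None, "business": 90, "non-business": 30}
UNLIMITED_ROLES = {"vp", "svp", "cfo", "ceo"}          # "VPs and above" keep everything
MARKINGS = ("internal use only", "company private", "company confidential")
MEDIA_EXT = (".mp3", ".mp4", ".avi", ".jpg", ".png")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")            # US SSN shape
FILING_RE = re.compile(r"\b10-?[qk]\b", re.I)            # 10-Q / 10-K references

@dataclass
class Email:
    sender: str
    recipients: list[str]
    subject: str
    body: str
    sent: date
    attachments: list[str] = field(default_factory=list)
    sender_role: str = "employee"

def classify(msg: Email) -> str:
    """Assign exactly one class; rules are ordered so classes never overlap."""
    text = f"{msg.subject} {msg.body}".lower()
    if SSN_RE.search(text) or FILING_RE.search(text) or any(m in text for m in MARKINGS):
        return "regulated"            # SEC/SOX, privacy, or marked-confidential content
    if msg.attachments and all(a.lower().endswith(MEDIA_EXT) for a in msg.attachments):
        return "non-business"         # media-only traffic, the 25-45% on slide 4
    return "business"

def disposition(msg: Email, today: date, legal_holds: set[str]) -> str:
    """Retain or dispose of an archived message; legal hold always wins."""
    custodians = {msg.sender, *msg.recipients}
    if custodians & legal_holds:
        return "retain:legal-hold"    # nothing on hold can be deleted "forever"
    cls = classify(msg)
    limit = RETENTION_DAYS[cls]
    if limit is None or msg.sender_role in UNLIMITED_ROLES:
        return f"retain:{cls}"
    if today - msg.sent > timedelta(days=limit):
        return f"dispose:{cls}"
    return f"retain:{cls}"

if __name__ == "__main__":
    # Constructed sample: a draft filing sent internally, evaluated on the talk date.
    draft = Email("bob@corp.example", ["alice@corp.example"], "Q3 draft",
                  "Draft 3rd Qtr 10-Q attached for review", date(2006, 6, 1), ["10q.doc"])
    print(classify(draft), disposition(draft, date(2006, 9, 21), set()))
```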

  26. Enterprise Email Governance Framework (closing diagram, same as slide 3): collaboration and blending of best practices, technology and management across Compliance, Human Resources, Information Management, Internal Audit, Legal, Records Management, and Security, with Continuous Improvement.
