Data Management - NA CACS 2009
 

North America CACS conference presentation on Enterprise Requirements for Data Management

Speaker Notes

  • MICHAEL: ILM & ICM?
    ILM – Information Lifecycle Management is a sustainable storage strategy that balances the cost of storing and managing information with its business value. A well-executed ILM strategy will result in a more agile organization, reduce business risk and drive down both storage unit and storage management costs.
    ICM – Information Classification and Management – Implementing an information classification scheme is valuable for a number of reasons: it allows enterprises to utilize content-based access policies, apply appropriate retention intervals to data, demonstrate comprehensive adherence to policy for compliance purposes, and potentially protect sensitive content when it leaves the enterprise. Tools offer advanced features such as file-path metadata parsing, in-file content visibility, context category classification, file-classification tagging and policy-based management and tracking (Bill Reed, “Data-classification best practices”, 1/18/2007).
    THE GLOBAL STATE OF INFORMATION SECURITY by CIO and CSO Magazines in partnership with PwC, 2008: Mark Lobel of PwC says, referring to security and data classification, “Doing this project is a lot of effort and unless there’s a regulatory need for it, many don’t do it.” The survey goes on to report that only 24% say classifying the business value of data is part of their security policies, 68% classify their data by risk level at least periodically and 30% don’t ever classify their data.
    Continental Airlines has a three-tier classification scheme: Tier One is anything that keeps planes aloft or money coming in; Tiers Two and Three are data that is still important, but not critical to revenue or safety.
    JEFF – FRCP
  • JEFF WILL TAKE PII/PHI
    MICHAEL – FISMA AND MDM
    FISMA – Federal Information Security Management Act – The FISMA Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation.
    MDM – Master Data Management – Organizations must understand that improving their data, and building the foundation for MDM, requires them to address internal disagreements and broken processes. Staff must agree on exactly what constitutes a “customer” or a “partner,” and how to resolve any disagreements across business units. Departments and divisions need to agree on hierarchies of customers and products and how to resolve duplicate records across sources. Rather than a technology-focused effort, the project becomes one of political strategy and consensus building (Tony Fisher, “Demystifying Data Management”, CIO Magazine, April 2007).
    A key element of data management is tiered storage: placing the more current, valuable data on high-end, highly accessible storage solutions, while storing the lower value, older data on lower cost storage solutions:
    Operational – Documents used for daily transactions
    Reference – Information occasionally checked for reference
    Archive – Information you don’t need regularly
  • JEFF: DISS standards for destruction
  • JEFF
  • JEFF: YES, this is definitely applicable to eDiscovery, but it is the basis for all information management and applicable to any business. Reduce costs through proper management of your information and its relevance to your business. This is a public domain tool.
  • JEFF: Focus on trust and how data has been misused. From predicting weather events, where a massive amount of data is trusted to say a storm will not hit but it does, to the market, services and the daily movement of information.
  • MICHAEL: Flawed decision support brought about by the exclusion of certain data or information, such as from systems or applications at newly acquired organizations, or by duplication of data or information.
    Legal exposure resulting from an opponent’s attorney uncovering email that should have been deleted and of whose existence your General Counsel had no knowledge.
    What is the performance impact of not archiving data on your primary system? How about the duration and cost of the daily backup process? How do the costs of the different storage options differ, and do you have a strategy of storing the less frequently accessed data on the least costly storage medium?
    Regulatory compliance – are you monitoring access to your sensitive data so as to be able to identify a breach? California now has a 5 Day Breach Disclosure requirement, and Massachusetts requirements include: encryption of personal data stored on portable devices and while transmitted; conducting reasonable monitoring of systems in an effort to spot unauthorized activities; installing firewalls, operating system patches and client level security tools that are reasonably up to date on all systems; developing a comprehensive data-security program that sets internal policies and specifies disciplinary measures for employees who violate them; inventorying all electronic and paper records to identify the ones that contain personal data.
    Has your organization classified its data, including the sensitive and critical data? Have provisions been made for resilience of the systems containing the critical data, such as provided by a DRP, and have standards and policies been enacted to ensure the protection of data classified as ‘sensitive’? Is there a Security Policy that more broadly requires and provides the resources for said standards, policies and associated procedures?
  • MICHAEL: The origins of master data management were the single computer resource known as the mainframe, supporting all the applications and data files. Then came relational databases, and the associated data redundancy predated data normalization. This was fairly minor until the introduction of the personal computer and distributed computing – the client server environment. Everyone was their own administrator of their computer and frequently of a relational database management system, or RDBMS as it was known. Multiple RDBMS in multiple lines of business resulted in multiple instances of the same piece of data called by different names.
    The first driver of MDM – the ability to rationalize the definitions and meanings of commonly used business terms and concepts, while needing to be able to differentiate when two seemingly similar terms mean different things. The move to ERP applications such as SAP R/3 seems to be a move back towards the centralized model that was represented by the mainframe in the 1980s.
    Mis-configured data marts and warehouses.
    Improperly constructed Crystal reports and SQL queries.
    eBOMs – Labor rates for labels on CD lead to misstatement of cost.
  • MICHAEL: Computerworld article “Wall Street crisis brings lax e-discovery law enforcement to light” by Lucas Mearian, January 14, 2009. This slide basically tells us that the laws are on the books, they just need to be enforced. This will change as organizations continue to lose private and proprietary data.
  • MICHAEL: Addressing data at rest frequently involves encryption.
    FRCP: Intel/AMD – If you put a policy in place you had better be able to demonstrate compliance and enforcement when the policy is not followed. Let Jeff step in with more details. The cost of non-compliance is significant, averaging $50 per record by some estimates and up to $60 per record by others.
  • MICHAEL: Here is just a sample of the various regulations with which many of our organizations must comply. Consider that each state seems to have its own disclosure laws beyond the national and international regulations. While enforcement may have been lax in the past, recent system breaches and the economic crisis will likely lead to tougher enforcement of the existing laws. How can any organization accomplish compliance with the 44+ state and federal regulations/statutes without a data classification scheme that identifies where personal or private data resides – data on customers, vendors and employees?
  • MICHAEL: An example of the evolving regulatory landscape: no longer just talking about generalities, but about specific techniques and controls for managing these information systems. Periods of disclosure are shortening. Disclosure can lead to business closure. Massachusetts law requirements include:
    Reviewing the scope of security measures at least annually.
    Regularly monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or use of personal information.
    Immediately terminating both the physical and electronic access of terminated employees.
    Taking all reasonable steps to verify that any third party service provider with access to personal information has the capacity to protect such personal information in the manner provided for in 201 CMR 17.00; and taking all reasonable steps to ensure that such third party service providers are applying to such personal information protective security measures at least as stringent as those required to be applied to personal information under 201 CMR 17.00.
  • JEFF: Reason
  • JEFF: System performance slowed by the vast amounts of data that have to be parsed to respond to queries. High availability storage media, such as the kind used to store your most current and valuable data, is also the most expensive medium. Costs can be reduced by archiving ‘older’ data to a less expensive medium such as tape.
  • JEFF: Storage containers and media.
    Storage media – Is it write once only? Federal requirements or FISMA for moderate and high impact federal systems.
    Security of data at rest? Security of data backed up onto tape?
    Environmental security of storage media both in the data center and at the offsite storage facility – do you assess these controls at the offsite facility?
    How are tapes secured while in transit to the offsite? Is it a carrier that specializes in tape transport? Annual inventory of offsite tapes? How are tapes controlled between locations?
    What are the risks of employees transporting tapes to offsite? Tapes and laptops stolen from employee vehicles…
  • MICHAEL: Intrinsic value of data. Garbage In, Garbage Out – GIGO. Data management can establish data standards and valid values that reduce GIGO.
    What about the reliability of your storage media? How do you monitor and ensure you have a good backup – periodic testing of backups? Replacement of tapes periodically?
    How do you manage flash memory and thumb drives: protecting data in case of loss, preventing viruses?
  • MICHAEL: So we’ve talked about protecting your data. Just in case there are any questions about the vulnerability of your or any organization’s data to a breach, take a look at the link on this page. Yet more disclosure laws – 44+, FISMA, HIPAA, etc.
  • POLL THE AUDIENCE ON WHO HAS CLASSIFIED DATA AND THE CLASSIFICATIONS THEY ARE USING
  • MICHAEL/JEFF: Document / Data Classification Description – Bring up template – Information System Categorization (formula for creating the classifications).
    Organization Critical – Highly sensitive internal documents, e.g. pending mergers or acquisitions, investment strategies, plans or designs, that could seriously damage the organization if such information were lost or made public. Has very restricted distribution and must be protected at all times. Security at this level is the highest possible.
    Highly Confidential – Information that, if made public or even shared around the organization, could seriously impede the organization’s operations and is considered critical to its ongoing operations (accounting information, business plans, sensitive customer information of banks, solicitors and accountants etc., patients’ medical records and similar highly sensitive data). Such information should not be copied or removed from the organization’s operational control without specific authority. Security at this level should be very high.
    Proprietary – Information of a proprietary nature: procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates. Such information is normally for proprietary use by authorized personnel only. Security at this level is high.
    Internal Use Only – Information not approved for general circulation outside the organization, where its loss would inconvenience the organization or management but where disclosure is unlikely to result in financial loss or serious damage to credibility. Examples include internal memos, minutes of meetings and internal project reports. Security at this level is controlled but normal.
    Public Documents – Information in the public domain (annual reports, press statements etc.) which has been approved for public use. Security at this level is minimal.
  • MICHAEL: Executive management must be on board to ensure you receive the support you need from those locations outside of HQ. The business case is productivity improvements realized through the associated initiatives and improving the organization’s ability to respond quickly to business opportunities.
    Selling the benefits – Improving data quality, reducing the need for cross-system reconciliation, reducing operational complexity and simplifying the design and implementation: (1) Master metadata simplifies application development. A master metadata repository captures the whole story of a data element’s use, instead of how it is used in a single application, such as how data elements are used for different business purposes. (2) Simplify or otherwise standardize the process for uniquely identifying a data record, instead of doing so application by application. (3) Define and standardize across the enterprise many different kinds of master data services.
    Identification of stakeholders, which will include senior management, clients, application owners, information architects, data governance and data quality practitioners, metadata analysts, system developers and operations staff.
    Understanding the business needs is required both to cost justify MDM and to integrate it into the existing application-centric data management.
    RACI – Responsible (those who do the work), Accountable (signs off on R), Consulted and Informed.
    Governance of MDM – Oversight of master data involves the testing and, where needed, re-establishment of data quality.
  • MICHAEL: Metadata registry and management – All aspects of determining the need, planning, migration strategy and future state require a clarified view of the information about the data that is used within the organization – its metadata. A metadata registry provides a control mechanism, or perhaps even a “clearing house”, for unifying a master data view when possible, as well as helping to determine when that unification is not possible.
    Assessment – Identify data sets, primary and foreign keys, implicit relational structure and embedded business rules.
    Integration of existing master data such as person names, addresses, telephone numbers, product descriptions, etc., using tools to resolve the variations in representation of specific entities from disparate data sources.
    Assurance – MDM requires a high degree of confidence in the quality of the master data moving forward. Auditing and monitoring compliance with defined data quality standards, coupled with effective issue response and tracking, along with strong stewardship within a consensus based governance model, will ensure ongoing compliance with data quality objectives.
    Project Plan – RACI next step; identify task dependencies, interdependencies and the order of work.
  • JEFF? DON’T FORGET TO USE HYPERLINKS. Multiple perspectives.
  • JEFF: Message Gate is one example of a tool that can be used to manage data leakage. Support tools, provided at no cost by the federal government through NIST, can be used to determine the classification of data. NIST Special Publication 800-30 – Risk Assessment Process Defined.
  • MICHAEL: Each organization knows how to use the data required for its business processes, but very few look beyond meeting their day-to-day activities. During the next few slides we will examine the requirements referenced here. We’ll talk about things like the availability of data across the enterprise, and syntax and format in things like context sensitive help or a drop down from which you must select a state if the country selected was the United States.
  • MICHAEL: We talked some already about the cost of disclosure of private data, and now we want to turn to the value of data itself. Does information empower us to do things differently? You bet. Data can identify fraud and abuse, or un-served or forgotten customers from whom profit can be realized. Proper management of data in the form of classification enables us to minimize the cost of compliance, through knowing where and in what forms private data is stored as well as transmitted, minimizing the cost of regulatory drivers.
  • JEFF
  • JEFF
  • MICHAEL? We talked, in the Ten Most Critical Requirements for managing data, about the importance of executive management buy-in and sponsorship. We mentioned having a team to establish Information Lifecycle Management or ILM, but also on-going governance of data management. A records coordinator would be a critical member of such a team. Another key aspect of retention schedules is to incorporate those requirements, or said schedule, into the BCP and DRP to ensure continuance of regulatory and operational compliance.
  • JEFF
  • JEFF: PUBLIC SCHOOL EXAMPLE – IDENTITY THEFT VULNERABILITY; NASA BY OIG
  • JEFF
  • JEFF
  • MICHAEL: If there was a disaster on the last day of the month, would your organization still be able to report its financials on time to the SEC? Does your infrastructure have the capacity to take on additional data, such as what might be required to integrate another organization into your own? Do you have a sufficient number of individuals designated as authorized to declare a disaster, so the loss of one does not preclude the company from restoring at the recovery site? The storage or archival of data needs to be in a format that will be readable for at least as long as the retention schedule specifies.
  • MICHAEL: Views of data – Different views for different people based upon their responsibility. Online – What the user sees online may depend on whether they are a third party order taker, a vendor or a customer; Amazon as an example. Classification – Do electronic and hardcopy forms of documents and information clearly state how the document or information is classified?
  • MICHAEL: Does your organization have a central data dictionary for data across applications and locations, specifying its characteristics such as length, type and its classification? What level of security is required, where can it be stored (thumb drives) and does it need to be encrypted when transmitted? Doing the above improves both efficiency and effectiveness, from both an operational and a regulatory perspective.
  • JEFF: Business definitions – Look at the business terms used across the organization and the associated meanings.
    Reference metadata – Detail data domains (both conceptual domains and corresponding value domains) as well as reference data and mappings between codes and values.
    Data element metadata – Focus on data element definitions, structures, nomenclature, and determination of existence along a critical path of a processing stream.
    Information architecture – Consolidates the representations of data elements into cohesive entity structures, shows how those structures reflect real world objects, and explores how those objects interact within business processes.
    Data governance management – Concentrates on the data rules governing data quality, data use, access control, and the protocols for rule observance (and processes for remediation of rule violations).
    Service metadata – Looks at the abstract functionality embedded and used by the applications and the degree to which those functions can be described as stand-alone services, along with the mapping from service to client applications.
    Business metadata, at the top of the stack – Captures the business policies that drive application design and implementation, the corresponding information policies that drive the implementation decisions inherent in the lower levels of the stack, and the management and execution schemes for the business rules that embody both business and information policies.
  • JEFF
  • Alternate MICHAEL/JEFF

Presentation Transcript

  • SESSION 133 ENTERPRISE DATA MANAGEMENT REQUIREMENTS Michael Berardi, MS-CIS, CISA IT Audit Manager Energizer Holdings, Inc. Jeffrey Roth, CISA, CGEIT Director, Technology Risk Management Services RSM McGladrey
  • ACRONYMS TO KNOW ILM – Information Lifecycle Management ICM – Information Classification Management FRCP – Federal Rules for Criminal Procedures
  • ACRONYMS TO KNOW PII/PHI – Personally Identifiable Information/Personal Health Information FISMA – Federal Information Security Act MDM – Master Data Management
  • TERMINOLOGY AND FOUNDATION FOR RECORDS MANAGEMENT
    • DISS Destruction standards
      – Degaussing (NIST)
      – Physical destruction methods
    • Records management
    • Business records life cycle
    • Active data
    • eDiscovery
    • Sedona Conference
  • THE DATA MANAGEMENT CASE
  • ELECTRONIC DISCOVERY REFERENCE MODEL
  • THIS IS THE END GAME It has been said that “information is power,” and they who control the information control the power. Whether the information is broadcast on the evening news, printed in a newspaper, etched on stone tablets, or published on a USENET newsgroup or Internet Web page, we rely on information in our daily lives, and trust that most of the information we receive and process is accurate. Information Warfare and Security, Dorothy E. Denning, ISBN 0-201-43303-6, Addison-Wesley, 1999. Originally published in Cisco's The Internet Protocol Journal, September 1999.
  • RISK FACTORS AND CONTROL CONSIDERATIONS
  • FLAWED DECISION SUPPORT
    Origins of Master Data Management
    • Mainframe
    • Personal Computer and RDBMS
    • ERPs – SAP R/3
    Visibility across applications and the organization
    • Financials
    • Customers
    • Employees
  • LEGAL EXPOSURE OR OVER- EXPOSURE “Wall Street Crisis brings lax e-discovery law enforcement to light”, Jan 14, 2009 • Only 10-15% of US corporations have electronic records retention systems in place according to Gartner Inc as quoted • Debra Logan of Gartner went on to say “We need to have people in charge of managing information for the entire company. Today, everyone’s expected to manage their own data” • Federal Rules for Civil Procedure or FRCP
  • How Big is the Problem?
    • Headlines tout compliance allegations
    • FRCP: Intel/AMD
    • FRCP: Morgan Stanley
    • FRCP: General Motors
    • SEC: UBS Securities
    • SEC: Bank of America
    • HIPAA: Providence Health & Services
    • HIPAA: UCLA Health Systems
    • SOX: New government whistle-blower’s hotline
    • Cost = several thousand dollars to millions
      – Providence Health & Services: $100,000 settlement
      – Morgan Stanley: $15 Million fine
    We must address our data at rest and in motion… The time for sitting on the side-lines has long past and the solutions are readily available to both control and monitor data flow from our organization.
  • REGULATORY COMPLIANCE
  • REGULATORY COMPLIANCE (Cont.) • Massachusetts State Regulations – Encrypt personal data on portable devices or being transmitted on public or via wireless networks – Deploy secure user authentication and access control measures and conduct “reasonable” monitoring of systems in an effort to spot unauthorized activities – Develop a comprehensive data-security program that sets internal policies and specifies disciplinary action – Inventory all electronic and paper records to identify the ones that contain personal data
  • HUMAN FACTORS LEADS TO REGULATION
  • COST – STORAGE AND PERFORMANCE
    System performance?
    High availability storage media?
    Other costs anyone?
  • STORAGE • Environmental considerations – Light – Temperature – Humidity – Location – Floods, Hurricanes, Earthquakes • Storage containers • Storage media • Physical and logical security
  • DATA INTEGRITY • At in transit and rest – Creation of data has intrinsic risks • Data entry error (yes even hand written documents) • Data garbling during on-line entry – Media degradation – Microfiche – Photographs – Documents – Tape – CDs – Flash Memory
  • SECURITY – BREACH AND DISCLOSURE LAWS • List of security breaches, do you want to see your company’s name on this list? http://www.insideidtheft.info/breaches09.aspx?gclid=CIxitu6BqZkCFREhDQodGBzApg • Oregon law for Oregon employers of Oregon residents – Designate a security officer – Conduct a risk assessment – Assess safeguards to manage risks • HIPAA – Within 60 days
  • SO WE NEED IT, NOW WHAT? FIRST STEP – CLASSIFY DATA
  • CLASSIFICATION - YOU CAN NOT MANAGE WHAT YOU DON’T KNOW Organizational critical Highly Confidential Proprietary Internal Use Only Public Documents
  • TEN MOST CRITICAL REQUIREMENTS FOR MANAGING DATA Obtain executive mgmt sponsorship Identify and interview the stakeholders Understanding the business requirements Develop a Project Charter and RACI Governance of MDM
  • TEN MOST CRITICAL REQUIREMENTS FOR MANAGING DATA (CONT.) Metadata registry and management Assessment Integration of existing data Assurance Project Plan
  • CONSIDERATIONS IN CREATING DATA CLASSIFICATIONS • Multiple perspectives • Business requirements – Compliance – Analysis – Time to recovery Advancing Storage & Information Technology – SNIA - Educational http://www.snia.org/education/tutorials/2008/fall#data
  • CONSIDERATIONS IN CREATING DATA CLASSIFICATIONS (CONT.) • Tagging files by classification name • Automated classification tools • Availability, confidentiality, proprietary? • National Institute of Standards and Technology Federal Information Processing Standards (FIPS) 199 and Special Publication SP 800-60 volumes I and II
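The FIPS 199 categorization this slide points to, and the “formula for creating the classifications” in the speaker notes, is a high-water-mark rule: each information type is rated LOW, MODERATE or HIGH for confidentiality, integrity and availability, a system inherits the highest rating per objective, and the overall level is the highest of the three. Added illustration in Python, not the presenters’ material: the information types, their impact ratings and the system names are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, List, Tuple


class Impact(IntEnum):
    """FIPS 199 potential impact levels. NA is only valid for confidentiality."""
    NA = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """Security category of one information type: SC = {(C, x), (I, y), (A, z)}."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self) -> None:
        # FIPS 199 permits "not applicable" only for confidentiality (the
        # information is already public); integrity and availability never are.
        if Impact.NA in (self.integrity, self.availability):
            raise ValueError(f"{self.name}: NA is allowed only for confidentiality")


def categorize_system(info_types: Iterable[InfoType]) -> Tuple[Dict[str, Impact], Impact]:
    """High-water-mark categorization of a system from the information it holds.

    Per objective the system inherits the highest impact of any information type.
    At system level FIPS 199 does not allow NA, so confidentiality floors at LOW.
    The overall impact level is the highest of the three objectives.
    """
    types: List[InfoType] = list(info_types)
    if not types:
        raise ValueError("a system must hold at least one information type")
    per_objective = {obj: max(getattr(t, obj) for t in types) for obj in OBJECTIVES}
    per_objective["confidentiality"] = max(per_objective["confidentiality"], Impact.LOW)
    return per_objective, max(per_objective.values())


def format_sc(label: str, per_objective: Dict[str, Impact]) -> str:
    """Render the result in the SC notation FIPS 199 uses."""
    parts = ", ".join(f"({obj}, {per_objective[obj].name})" for obj in OBJECTIVES)
    return f"SC {label} = {{{parts}}}"


# Constructed sample information types, echoing the examples on the
# classification slide (pending mergers, patient records, public documents).
# The ratings are illustrative assumptions, not the presenters' ratings.
SAMPLE_TYPES = [
    InfoType("pending merger documents", Impact.HIGH, Impact.MODERATE, Impact.LOW),
    InfoType("patient medical records", Impact.HIGH, Impact.HIGH, Impact.MODERATE),
    InfoType("press releases", Impact.NA, Impact.MODERATE, Impact.LOW),
]


def categorize_sample() -> Tuple[str, Impact]:
    """Categorize a (hypothetical) system holding all three sample types."""
    per_objective, overall = categorize_system(SAMPLE_TYPES)
    return format_sc("deal-room system", per_objective), overall


def categorize_public_only() -> Tuple[str, Impact]:
    """Edge case: only public information, so confidentiality floors at LOW."""
    per_objective, overall = categorize_system([SAMPLE_TYPES[2]])
    return format_sc("public web site", per_objective), overall


if __name__ == "__main__":
    for sc, overall in (categorize_sample(), categorize_public_only()):
        print(f"{sc} -> overall {overall.name}")
```

The overall level is what drives the baseline control set; the per-objective values are what the five-tier scheme in the notes would map onto when an organization decides its own tier boundaries.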
  • WHAT ABOUT DATA REQUIREMENTS?
  • DATA AND YOUR OPERATIONS • Defined data requirements – Context of data – Syntax and format – Integrity – Classification – Availability – Presentation – Protection – Storage – Retention – Destruction
  • PROTECTION – POWER WITH NO SHIELD • If information is power, then do we treat it as a key asset? • Based on classification we can implement incremental security controls in line with data value. • Regulatory drivers (GLBA, HIPAA, EU Privacy laws, etc.)
  • PROTECTION – POWER WITH NO SHIELD (CONT.) • What about hardcopy data? • Locations of output/presentation devices (printers, CRT/LCD screens, logs, etc.) • Protection in transit and at rest (cover sheets, encryption, etc.) • Brakes are what enables a race car to go fast
  • RETENTION SCHEDULES • How long is long enough? – Federal agencies and their contractors must follow national archives standards – Corporate regulations require varied retention periods – Investigations and litigation: however long it takes, and then some. Courts and lawyers will set these requirements
  • RETENTION SCHEDULES • Based on classification (internal and regulatory) a records coordinator position should be established to train the management team, maintain policies related to records management, and monitor records retention activities (creation through destruction). • Part of Business Continuity and Disaster Recovery Planning
  • DESTRUCTION Many forget that hard drives must be properly destroyed prior to disposal (reference National Association for Information Destruction)
  • DESTRUCTION • Expectations – Proper EPA permits and certifications – Hard drives are identified by serial number and are stored in secure, uniquely numbered containers in a secure storage area prior to shredding. – Immediately prior to shredding, the number of hard drives in each container is counted and matched against the original physical inventory count. – The start and finish time of each shredding project is logged.
  • DESTRUCTION • Expectations (continued) – The shredded particles are sent through a powerful degaussing station, providing the ultimate in data destruction security. – The shredded particles for each destruction project are weighed. The particles are placed in a uniquely numbered large recycling container. – Record the lots and their weights contained in each recycling container. – The filled containers are weighed and sent to metal refineries. We receive a destruction certificate from the refiners listing the unique container number and its weight.
  • DESTRUCTION • Do not forget that shredding of sensitive hard copy documents, photos, and other records must provide assurance that this data cannot be reconstructed by third parties. • Tapes, CDs, floppies, and flash memory need to be addressed
  • AVAILABILITY – DAY LATE A DOLLAR SHORT • If data can not be accessed in a timely manner it is of little or no value. • What controls are in place to ensure the following: – Ability to access required documents and electronic data feeds for month end closing, sales meetings, customer service activities. – Infrastructure capable of providing data per service level agreements – Off-site storage services provide adequate access to archived documents, tapes, and other records – Legacy system data able to be accessed through software emulators
  • PRESENTATION • This is an often forgotten part of data management. • During development of data extract programs, end user considerations are not adequately addressed, resulting in additional design of proper data formatting and summarization – Would we give the same Trade Accounts Payable report to the CFO as the AP clerk? – How about on-line display for customers and suppliers? – Electronic and Hardcopy reports have proper watermarking per data classification requirements?
  • SYNTAX AND FORMAT • A corporate data dictionary with the organization’s data syntax rules, data classification scheme and security levels. • This process improves the quality of management decision making by making sure that reliable and secure information is provided, and it enables rationalizing information systems resources to appropriately match business strategies. PO2 Define the Information Architecture CobiT 4.0
  • UNDERSTANDING METADATA (data about data) • Business Definitions • Reference metadata • Data element metadata • Information architecture • Data governance management • Service metadata • Business metadata
  • SECURITY AND DATA CENTER CONCERNS • Do you know where your sensitive data is? – In SAP R/3 – In Oracle – In Peoplesoft – In JD Edwards – On the backup tape stolen or lost in transit • What is being stored on laptops, memory sticks and backup hard drives? • Encryption
  • DATA MANAGEMENT SUMMARY Significant risk factors organizations face daily Qualitative and quantitative for data management being a full-time commitment The ten most critical requirements for managing data Considerations for creating data classifications Understanding Metadata Regulatory requirements and data availability Security and environmental data concerns
  • SOURCES • MASTER DATA MANAGEMENT by David Loshin of Knowledge Integrity, Inc., Morgan Kaufmann OMG Press, copyright 2009 • InformationWeek – “Records Retention: Practice What You Preach” by Andrew Conry-Murray on June 7, 2008 • Computerworld: “Wall Street crisis brings lax e-discovery law enforcement to light” by Lucas Mearian, January 14, 2009
  • SOURCES • Network World – “Data-classification best practices” by Bill Reed on January 18, 2007 • CIO Magazine • CFO Magazine • Sun Microsystems White Paper, “Best practices in data classification of information lifecycle management”, October 2005
  • QUESTIONS AND COMMENTS? JEFF ROTH, CGEIT, CISA Director Technology Risk Management Services RSM McGladrey jeff.roth@rsmi.com Michael Berardi, MS-CIS, CISA IT Audit Manager Energizer Holdings, Inc. Michaela.berardi@energizer.com