Using Good Governance To Manage Growth N Roi In A Down Economy
  1. Using Good Governance to Manage Information Growth and Increase ROI in a Down Economy
     © Copyright 2009 EMC Corporation. All rights reserved.
  2. Agenda
     Information - Issues
     – Growth
     – Regulations
     – Classification
     – Searching
     Steps:
     – What do we do?
     – Big Buckets
     – Retention
     – Compliance
  3. There is an Information Explosion!
     Worldwide information growth is relentless:
     – By 2011, the digital universe will be 10x the size it was in 2006
     – 70% of information is created by individuals, but enterprises are responsible for the security, privacy, reliability, and compliance of 85%
     – Your “digital shadow” is larger than the digital information you actively create about yourself
  4. Regulations and Internationally Recognized Best Practices and Frameworks
     Sarbanes-Oxley Act (SOX) ~ PCAOB ~ SAS 94 ~ AICPA/CICA Privacy Framework ~ AICPA Suitable Trust Services Criteria ~ SEC Retention of Records, 17 CFR 210.2-06 ~ SEC Controls and Procedures, 17 CFR 240.15d-15 ~ SEC Reporting Transactions and Holdings, 17 CFR 240.16a-3 ~ Basel II ~ BIS Sound Practices for the Management and Supervision of Operational Risk ~ Gramm-Leach-Bliley Act (GLB) ~ Standards for Safeguarding Customer Information, FTC 16 CFR 314 ~ Privacy of Consumer Financial Information Rule ~ Safety and Soundness Standards, Appendix of 12 CFR 30 ~ FFIEC Information Security ~ FFIEC Development Acquisition ~ FFIEC Business Continuity Planning ~ FFIEC Audit ~ FFIEC Management ~ FFIEC Operations ~ NASD ~ NYSE ~ Recordkeeping rule for securities exchanges, SEC 17 CFR 240.17a-1 ~ Records to be made by exchange members, SEC 17 CFR 240.17a-3 ~ Records to be preserved by exchange members, SEC 17 CFR 240.17a-4 ~ Recordkeeping, SEC 17 CFR 240.17Ad-6 ~ Record retention, SEC 17 CFR 240.17Ad-7 ~ HIPAA (Health Insurance Portability and Accountability Act) ~ HIPAA HCFA Internet Security Policy ~ NIST Introductory Resource Guide for [HIPAA] (800-66) ~ CMS Core Security Requirements (CSR) ~ CMS Information Security Acceptable Risk Safeguards (ARS) ~ CMS Information Security Certification & Accreditation (C&A) ~ FDA Electronic Records; Electronic Signatures 21 CFR Part 11+D1 ~ Federal Energy Regulatory Commission (FERC) ~ North American Electric Reliability Council (NERC) ~ VISA CISP (Cardholder Information Security Program) ~ Mastercard SDP (Site Data Protection) Program ~ American Express DSS (Data Security Standard) ~ PCI DSS (Payment Card Industry Data Security Standard) ~ FTC ESIGN (Electronic Signatures in Global and National Commerce Act) ~ Uniform Electronic Transactions Act (UETA) ~ FISMA (Federal Information Security Management Act) ~ FISCAM (Federal Information System Controls Audit Manual) ~ FIPS Security Requirements for Cryptographic Modules 140-2 ~ FIPS Guideline for the Analysis of LAN Security 191 ~ FIPS Application Profile for GILS 192 ~ Clinger-Cohen Act (Information Technology Management Reform Act) ~ National Strategy to Secure Cyberspace ~ GAO Financial Audit Manual ~ DOD ...Standard for Electronic Records Management Software... 5015-2 ~ CISWG Report on the Best Practices Subgroup ~ CISWG Information Security Program Elements ~ NCUA Guidelines for Safeguarding Member Information 12 CFR 748 ~ IRS Revenue Procedure: Retention of books and records 97-22 ~ IRS Revenue Procedure: Record retention: automatic data processing… 98-25 ~ IRS Internal Revenue Code Section 501(c)(3) ~ Federal Rules of Civil Procedure ~ Uniform Rules of Civil Procedure ~ ISO 15489-1 Information and Documentation: Records management: General ~ ISO 15489-2 Information and Documentation: Records management: Guidelines ~ DIRKS: A Strategic Approach to Managing Business Information ~ Sedona Principles Addressing Electronic Document Production ~ NIST ...Principles and Practices for Securing IT Systems 800-14 ~ NIST ...Developing Security Plans for Federal Information Systems 800-18 ~ NIST Security Self-Assessment Guide... 800-26 ~ NIST Risk Management Guide... 800-30 ~ NIST Contingency Planning Guide... 800-34 ~ NIST ...Patch and Vulnerability Management Program 800-40 ~ NIST Guidelines on Firewalls and Firewall Policy 800-41 ~ NIST Security Controls for Federal Information Systems 800-53 ~ NIST ...Mapping...Information and...Systems to Security Categories 800-60 ~ NIST Computer Security Incident Handling Guide 800-61 ~ NIST Security Considerations in...Information System Development 800-64 ~ ISO 73:2002 Risk management -- Vocabulary ~ ISO 1335 Information technology – Guidelines for management of IT Security ~ ISO 17799:2000 Code of Practice for Information Security Management ~ ISO 27001:2005 ...Information Security Management Systems -- Requirements ~ IT Information Library (ITIL) Planning to Implement Service Management ~ IT Information Library (ITIL) ICT Infrastructure Management ~ IT Information Library (ITIL) Service Delivery ~ IT Information Library (ITIL) Service Support ~ IT Information Library (ITIL) Application Management ~ IT Information Library (ITIL) Security Management ~ COSO Enterprise Risk Management (ERM) Framework ~ CobiT 3rd Edition ~ CobiT 4th Edition ~ ISACA IS Standards, Guidelines, and Procedures for Auditing and Control... ~ NFPA 1600 ...Disaster/Emergency Management and Business Continuity... ~ Information Security Forum (ISF) Standard of Good Practice ~ Information Security Forum (ISF) Security Audit of Networks ~ A Risk Management Standard, jointly issued by AIRMIC, ALARM, and IRM ~ Business Continuity Institute (BCI) Good Practice Guidelines ~ IIA Global Technology Audit Guide - Information Technology Controls ~ ISSA Generally Accepted Information Security Principles (GAISP) ~ CERT Operationally Critical Threat, Asset & Vulnerability Evaluation (OCTAVE) ~ Cable Communications Privacy Act Title 47 § 551 ~ Telemarketing Sales Rule (TSR) amendment 16 CFR 310.4(b)(3)(iv) ~ CAN SPAM Act ~ Childrens Online Privacy Protection Act (COPPA) 16 CFR 312 ~ Drivers Privacy Protection Act (DPPA) 18 USC 2721 ~ Family Education Rights Privacy Act (FERPA) 20 USC 1232 ~ Privacy Act of 1974 5 USC 552a ~ Telemarketing Sales Rule (TSR) 16 CFR 310 ~ Video Privacy Protection Act (VPPA) 18 USC 2710 ~ Specter-Leahy Personal Data Privacy and Security Act ~ AR Personal Information Protection Act SB 1167 ~ AZ Amendment to Arizona Revised Statutes 13-2001 HB 2116 ~ CA Information Practice Act SB 1386 ~ CA General Security Standard for Businesses AB 1950 ~ CA Public Records Military Veteran Discharge Documents AB 1798 ~ CA OPP Recommended Practices on Notification of Security Breach ~ CO Prohibition against Using Identity Information for Unlawful Purpose HB 1134 ~ CO Consumer Credit Solicitation Protection HB 1274 ~ CO Prohibiting Inclusion of Social Security Number HB 1311 ~ CT Requiring Consumer Credit Bureaus to Offer Security Freezes SB 650 ~ CT Concerning Nondisclosure of Private Tenant Information HB 5184 ~ DE Computer Security Breaches HB 116 ~ FL Personal Identification Information/Unlawful Use HB 481 ~ GA Consumer Reporting Agencies SB 230 ~ GA Public employees; Fraud, Waste, and Abuse HB 656 ~ HI Exempting disclosure of Social Security numbers HB 2674 ~ IL Personal Information Protection Act HB 1633 ~ IN Release of Social Security Number, Notice of Security Breach SB 503 ~ LA Database Security Breach Notification Law SB 205 Act 499 ~ ME To Protect Maine Citizens from Identity Theft LD 1671 ~ MN Data Warehouses; Notice Required for Certain Disclosures HF 2121 ~ MO HB 957 ~ MT To Implement Individual Privacy and to Prevent Identity Theft HB 732 ~ NJ Identity Theft Prevention Act A4001/S1914 ~ NY A4254, A3492 [no title] ~ NV SB 347 [no title] ~ NC Security Breach Notification Law (Identity Theft Protection Act) SB 1048 ~ ND Personal information protection act SB 2251 ~ OH Personal information -- contact if unauthorized access HB 104 ~ RI Security Breach Notification Law H 6191 ~ TN Security Breach Notification SB 2220 ~ TX Identity Theft Enforcement and Protection Act SB 122 ~ VT Relating to Identity Theft HB 327 ~ VA Identity theft; penalty; restitution; victim assistance HB 872 ~ WA Notice of a breach of the security SB 6043 ~ EU Directive on Privacy and Electronic Communications 2002/58/EC ~ EU Directive on Data Protection 95/46/EC ~ US Department of Commerce EU Safe Harbor Privacy Principles ~ ...Consumer Interests in the Telecommunications Market Act No. 661 ~ Directive On Privacy And Electronic Communications 2002.58.EC ~ OECD Technology Risk Checklist ~ OECD Guidelines on...Privacy and Transborder Flows of Personal Data ~ UN Guidelines for the Regulation of Computerized Personal Data Files (1990) ~ ISACA Cross-border Privacy Impact Assessment ~ The Combined Code on Corporate Governance ~ Turnbull Guidance on Internal Control, UK FRC ~ Smith Guidance on Audit Committees Combined Code, UK FRC ~ UK Data Protection Act of 1998 ~ BS 15000-1 IT Service Management Standard ~ BS 15000-2 IT Service Management Standard - Code of Practice ~ Canada Keeping the Promise for a Strong Economy Act Bill 198 ~ Canada Personal Information Protection and Electronic Documents Act ~ Canada Privacy Policy and Principles ~ Argentina Personal Data Protection Act ~ Mexico Federal Personal Data Protection Law ~ Austria Data Protection Act ~ Austria Telecommunications Act ~ Bosnia Law on Protection of Personal Data ~ Czech Republic Personal Data Protection Act ~ Denmark Act on Competitive Conditions and Consumer Interests ~ Finland Personal Data Protection Act ~ Finland Amendment of the Personal Data Act ~ France Data Protection Act ~ German Federal Data Protection Act ~ Greece Law on Personal Data Protection ~ Hungary Protection of Personal Data and Disclosure of Data of Public Interest ~ Iceland Protection of Privacy as regards the Processing of Personal Data ~ Ireland Data Protection Act ~ Ireland Data Protection Amendment 2003 ~ Italy Personal Data Protection Code ~ Italy Protection of Individuals with Regard to...Processing of Personal Data ~ Lithuania Law on Legal Protection of Personal Data ~ Luxembourg Data Protection Law ~ Netherlands Personal Data Protection Act ~ Poland Protection of Personal Data Act ~ Slovak Republic Protection of Personal Data in Information Systems ~ Slovenia Personal Data Protection Act ~ South Africa Promotion of Access to Information Act ~ Spain Organic law on the Protection of Personal Data ~ Sweden Personal Data Act ~ Swiss Federal Act on Data Protection ~ Australian Business Continuity Management Guide ~ Australia Spam Act of 2003 ~ Australia Privacy Amendment Act ~ Australia Telecommunications Act ~ Australia Spam Act 2003: A Practical Guide for Business ~ Hong Kong Personal Data (Privacy) Ordinance ~ India Information Privacy Act ~ Japan Guidelines for Personal Data Protection in Electronic Commerce, ECOM ~ Japan Handbook Concerning Protection of International Data, MITI ~ Japan Personal Information Protection Act ~ Korea Act on the Promotion of Information...Protection ~ Korea Act on the Protection of Personal Information...by Public Agencies ~ Korea Use and Protection of Credit Information Act ~ New Zealand Privacy Act ~ Taiwan Computer-Processed Personal Data Protection Law
  5. Fueling a Perfect Storm …
     – Increased Number of Regulations: privacy, governance and security
     – Pressure to Reduce Costs: global financial meltdown
     – Increased Business Risk: competitive and virtualized markets
  6. The voice of the Analyst
     “Searching for and analyzing information both consume 24% of the typical information worker’s time (9.5 and 9.6 hours per week, respectively), making these tasks relatively straightforward candidates for better automation. Each task costs the organization more than $14,000 per worker per year.”
     — IDC, The Hidden Costs of Information Work, April 2006
  7. Recent Analyst Comments
     Dissatisfaction with enterprise search is increasing:
     “Our interviews and Web survey revealed that 60 percent of the users of the organization’s enterprise search system were dissatisfied with it. These data are interesting because when we conducted a similar study in 2006 for the third edition of the ‘Enterprise Search Report,’ dissatisfaction was in the 50 percent range.”
     — The Gilbane Group, “What to Do When Your Enterprise Search System Doesn’t Work,” April 2, 2008, Stephen Arnold, preface
     Enterprise search is becoming a feature of larger information systems:
     “This category of software [information access and analysis] is at a nexus of change and consolidation in enterprise computing. Therefore, it is becoming part of a larger information-centric software stack that may also include: tools to manage the structure of information; content management systems; collaborative tools, including wikis, blogs, and social networks; etc.”
     — IDC, “Worldwide Information Access and Analysis 2008 Top 10 Predictions,” pg. 1
  8. The cost of waste
  9. Classification … When You Can Classify Using Business Information
     The Basics: File Format, Name, Version, Size, Date, Department, Division, Application, Project ID, etc.
     Ownership: Creator, Owner(s), Last Updated By
     Identification: Related Transaction, Related Content Objects, Parent Object, Child Objects, Bar Code Tracking ID, Radio Frequency ID, etc.
     Access Control: Security Clearance, Access Control List, Browse Privileges, Read Privileges, Write Privileges, Sharing Policy, etc.
     Compliance: Retention Policy, Expunge Date, Industry Regulation Flag, Corp Governance Flag, Attorney-Client Priv Flag, etc.
     Process Control: Approval Status, Lifecycle Phase, Workflow Routing, Send To Rules, Next Approver, etc.
  10. Classification … When You Can Classify Using Taxonomic Classification
     The act of placing an object or concept into a set or sets of categories (such as a taxonomy or a subject index), based on the properties of the object or concept. A person may classify the object or concept according to an ontology.
     Examples:
     – Library classification
     – Scientific classification of organisms
     – Classification of finite simple groups
     – Medical classification like ICD
     – Security classification
     – Folksonomy
  11. Classification … When You Can Classify Using Document Classification
     Document classification tasks can be divided into two sorts:
     – supervised document classification, where some external mechanism (such as human feedback) provides information on the correct classification for documents,
     – unsupervised document classification, where the classification must be done entirely without reference to external information,
     – …and approaches based on natural language processing.
     – A recent notable use of document classification techniques has been spam filtering, which tries to discern e-mail spam messages from legitimate e-mails.
  12. What Do Businesses Want?
     Cost Savings and Operational Efficiencies:
     – Alignment of storage price/performance based on content value
     – Increased application performance and improved backup and recovery
     – Reduced infrastructure and administrative costs
     Governance, Compliance and eDiscovery:
     – Enterprise-wide search and discovery
     – Consistent retention policy enforcement
     – Elimination of unmanaged archives
     Content Access and Leverage:
     – Leverage full range of content for improved decision making
     – Maximized user productivity
  13. What are we actually looking for?
     Companies are beginning to realize that the full value of information depends in large part on the policies and procedures that govern and control its use, access, analysis, retention and protection.
     …and it is being done effectively
  14. Is there a solution? – GRC
     Governance is the culture, policies, processes, laws, and institutions that define the structure by which companies are directed and managed.
     Risk is the effect of uncertainty on business objectives; risk management is the coordinated activities to direct and control an organization to realize opportunities while managing negative events.
     Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures.
     Source: Michael Rasmussen, Corporate Integrity
  15. Big Buckets – What does it mean?
     Big buckets for classification and retention
     – If we can use the big bucket theory for retention, then why not also add in the classification requirements?
     – Break up the silos
        We think of retention as one issue
        We think of classification as one issue
        We think of taxonomies as one issue
        We think of file structures as one issue
        We think of disposition as one issue
        We think of holds or e-discovery as one issue
        Aren’t they all actually related?
     – Why not break the silos, or try to minimize them?
        Use classification to enable retention; listen to the end users and how they work.
        Ensure that we are checking with the end users so that they are not being overwhelmed
        Ensure we are running disposition
  16. How do we do this…
     Have the users involved with initial classification
     – Set boundaries
     – Big buckets
     – What do you really need them to complete?
     Once the classification is done
     – Then leverage the system to complete the process
     – User-involved additional classification
     – System-applied policies through workflow or other automated process
     Further Review
     – Once the information has been “classified”, does it require further review?
     – Periodic reviews?
  17. Has this been done?
     Catholic Health Initiatives – 4 year effort to centralize
     – Began with an information governance committee
     – Consolidation now saves $75M annually
     – One system to track information
     – Business side has seen tangible benefits
        All procurement and contracting is maintained on a single technology platform which is accessible across the enterprise
     Other organizations that are in the process
     – Sunoco
     – Intel
     – Chubb Corporation
     Economist Intelligence Unit, The future of enterprise information governance – The Economist
  18. Case Study: Fortune 500 Energy Company
     Problem/Goals
     – Improve the management of records for compliance
     – Improve eDiscovery costs
     – Improve business process efficiency
  19. Case Study: Fortune 500 Energy Company
     Results
     – The business taxonomy was decided by the business to be two levels, a cabinet for Environmental and then document type, reducing the number of folders from more than 10,000 to 53.
     – The retention schedule that was created previously by traditional methods required updating.
     – The solution uses the minimal amount of metadata and effort (i.e., auto-populated properties and filtered lists) to capture a document, move it to its appropriate folder in the business taxonomy, apply the appropriate Code of Conduct security and link to the appropriate retention schedule classification, all automatically.
  20. What are the costs?
     “Case in point: DuPont. After a large legal case, DuPont conducted an analysis and found that 50% of the documents reviewed were kept beyond the required retention period. They had a policy in place, but they didn’t enforce it. DuPont estimates it cost $12 million to have attorneys review all those old documents . . . documents that they wouldn’t have had to review for the legal matter if they had only followed their own policies.”
     Cost of eDiscovery
     – 75 million documents provided for document review in a litigation
     – 39 million documents were past their retention period (57%)
     – $12 million spent in discovery on documents past their retention
  21. The Challenges
     – Need to establish ownership of the initiative
        Difficult in that it is across the board
     – Need to ensure that all groups are represented in the discussions: IT, RM, Legal, C-level executives, Infrastructure, Desktop
     – Ongoing senior management commitment is key
     – Once the policies are developed, we need to determine how to implement them without impacting the users
     – Ultimately this is about our end users: what is the impact to them, and how will they use the system?
     – Communication
  22. Get Involved with EMC CMA Communities
     Why should you join?
     – Collaborate and share best practices
     – Shape the direction of future EMC products
     – Network with innovators across the globe, 24/7
     Join now by going to:
     – community.EMC.com/go/Documentum
     – community.EMC.com/go/SourceOne
     – developer.EMC.com/Documentum
     – developer.EMC.com/XMLtech
     – community.EMC.com/community/labs/d65
     Come to the CMA booth, #131, or the ECN Lounge, booth #440 to register today.
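Worked example, added here and not part of the EMC deck: a small Python model of the "big bucket" approach from slides 15 and 16 (a two-level cabinet/document-type taxonomy mapped onto a handful of retention buckets, with holds and disposition treated together rather than as separate silos) and of the past-retention metric from slide 20. The bucket names, retention periods, privilege/hold handling and the sample documents are all constructed for illustration, not taken from any real retention schedule.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Coarse retention buckets keyed by (cabinet, document type), i.e. the two-level
# business taxonomy. Names and periods are constructed for this example only.
BUCKETS = {
    ("Environmental", "Permit"):     ("ENV-PERMANENT", None),  # None = never dispose
    ("Environmental", "Monitoring"): ("ENV-30YR", 30),
    ("Finance", "Invoice"):          ("FIN-7YR", 7),
    ("Legal", "Contract"):           ("CONTRACT-10YR", 10),
}
DEFAULT_BUCKET = ("GENERAL-3YR", 3)    # anything the users did not classify

@dataclass
class Document:
    doc_id: str
    cabinet: str
    doc_type: str
    created: date
    closed: Optional[date] = None       # event trigger (contract end, case closed)
    legal_hold: bool = False            # e-discovery hold: disposition is frozen
    attorney_client_priv: bool = False  # privileged: needs review before disposal

def assign_bucket(doc):
    """Map (cabinet, type) onto a big bucket; unmapped documents fall to GENERAL."""
    return BUCKETS.get((doc.cabinet, doc.doc_type), DEFAULT_BUCKET)

def retention_end(doc):
    """Date on which the bucket's clock runs out, or None for permanent records."""
    _, years = assign_bucket(doc)
    if years is None:
        return None
    trigger = doc.closed or doc.created   # event-based buckets run from closure
    try:
        return trigger.replace(year=trigger.year + years)
    except ValueError:                    # 29 Feb: roll to 28 Feb of target year
        return trigger.replace(year=trigger.year + years, day=28)

def disposition(doc, today):
    """HOLD beats everything; RETAIN until the clock runs out; then REVIEW or DISPOSE."""
    if doc.legal_hold:
        return "HOLD"
    end = retention_end(doc)
    if end is None or end > today:
        return "RETAIN"
    return "REVIEW" if doc.attorney_client_priv else "DISPOSE"

def past_retention_report(docs, today):
    """Share of the corpus past retention (the DuPont-style metric) and where it sits."""
    overdue = [d for d in docs
               if retention_end(d) is not None and retention_end(d) <= today]
    counts = Counter(disposition(d, today) for d in overdue)
    return {
        "total": len(docs),
        "past_retention": len(overdue),
        "past_retention_pct": round(100.0 * len(overdue) / len(docs), 1) if docs else 0.0,
        "held": counts["HOLD"],          # past retention but frozen by a hold
        "review": counts["REVIEW"],      # privileged: legal sign-off before disposal
        "disposable": counts["DISPOSE"], # disposition can run now
    }

# Constructed sample corpus and the "today" used for the run.
SAMPLE_DOCS = [
    Document("D1", "Environmental", "Permit", date(1995, 3, 1)),
    Document("D2", "Environmental", "Monitoring", date(2001, 6, 15)),
    Document("D3", "Finance", "Invoice", date(2000, 1, 31)),
    Document("D4", "Finance", "Invoice", date(2008, 1, 31)),
    Document("D5", "Legal", "Contract", date(1990, 5, 5), closed=date(1996, 5, 5), legal_hold=True),
    Document("D6", "HR", "Memo", date(2004, 2, 29), attorney_client_priv=True),
]
TODAY = date(2009, 6, 1)

for d in SAMPLE_DOCS:
    print(d.doc_id, assign_bucket(d)[0], retention_end(d), disposition(d, TODAY))
print(past_retention_report(SAMPLE_DOCS, TODAY))
```

Running it shows half of the constructed corpus past retention, of which only one document can actually be disposed of today; the other two are blocked by a hold and by the privilege review, which is the kind of breakdown a governance committee needs before disposition is switched on.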