20110518-4 ARMA Central Iowa Records Management 2.0
This final session at the ARMA Central Iowa Spring Seminar focused on enterprise social business software capabilities and considerations and described steps to capture social content as records.

Published in: Technology

  • Security issues are probably the ones most often cited. Every day seems to bring another high-profile data breach. It’s important to remember that in the overwhelming majority of these cases the breach is not due to third-party hackers – instead, it’s often done by someone on the inside such as a disgruntled employee or former employee whose access was not revoked. And the next most common avenue for breaking into an application is through social engineering – guessing users’ weak passwords like “password” or “12345”, etc. Many of the larger Web 2.0 services offer physical and logical security comparable to, if not better than, what the organization provides because there is no way for rogue employees to directly access the system, the database, etc. [twitter]Web 2.0 tools are perceived to be less secure but not always the case.[/twitter]
  • It may seem obvious that a Web 2.0 tool requires internet connectivity to work, but organizations do not always think through the ramifications of that. An employee for an organization that moves entirely to Google Apps and Gmail, for example, would not be able to do any work on a plane and would have to either buy an air modem or buy or find Wifi internet access. And if connectivity should drop in the middle of drafting a long report, it is entirely possible that any unsaved work would be lost. Some services can work offline and synchronize, but these are still few and far between. [twitter]Web 2.0 tools have to be connected to work – no connection, no access.[/twitter]
  • These are closely related to security issues but have a couple of additional ramifications in the Web 2.0 sphere: First, different jurisdictions have different privacy environments. Some are much more permissive while others restrict even the ability of their users to agree to lower security. This can create interesting privacy issues when you consider that multiple authors and users may be collaborating from different jurisdictions on a website hosted in yet another jurisdiction. Privacy also works differently at home vs. at the work place. The question then becomes, in an era of Web-2.0-enabled teleworking, whether from home or at the local Internet café, which set of rules applies? What about when the work is done on a user’s personal laptop and network vs. when the work is done on a work-provided laptop? Is this even relevant anymore if the data isn’t stored on the laptop but is instead stored in the cloud somewhere? [twitter]Privacy considerations – as noted earlier, plus issues with different jurisdictions and line blurring between home and work.[/twitter]
  • Another concern many organizations have regarding these tools is what happens if they go down? A key benefit of having the application onsite is that if it does go down, IT can be sent to fix it. This assumes of course that IT has the expertise and the bandwidth to address it and that it wouldn’t require additional assistance from someone offsite anyway. For the better tools, downtime is generally measured in hours per year; compare that with many of your onsite applications. [twitter] What happens if the tool goes down? Most tools’ uptime compares favorably with organizations’ IT shops.[/twitter]
  • And one of the biggest issues is what happens if the vendor itself goes out of business: Where’s your data, who has access to that data, and can you get it back? In many jurisdictions privacy laws govern this; that said, how do you exercise those rights after the vendor closes shop, particularly if the vendor was located in another country? [twitter]One of the biggest issues is what happens to your data if the vendor itself goes out of business. SLAs are good but may not be sufficient.[/twitter]
  • Vendor lock-in. Certainly if the vendor closes shop, you’ll want to move your data to another vendor. But even if it doesn’t, you may decide that you want to migrate your data either to another commercial service or to an internal enterprise-friendly one. Some services make this much easier than others – and this is nothing unique to Web 2.0; integrators and vendors have long made lots of money migrating your stuff from another vendor’s application to theirs. But it is something to take into account. [twitter]Vendor lock-in can also be an issue, making it difficult to move your data to another provider.[/twitter]
  • The first step many organizations take to manage Web 2.0 tools is to try to block them. This is unrealistic for a number of reasons.
  • Moving into mainstream
  • Technology often moves from the consumer space to the enterprise – consider everything from CDs to instant messaging. But often the technologies require very technology-savvy users, a bit of hacking about, and at least the tacit acceptance if not outright assistance of IT to implement. Web 2.0 is sometimes referred to as “Shadow IT” because it is so easy to implement and use without IT’s assistance. Many of these tools are free, or extremely low cost. The software that runs Wikipedia for example is open source (and therefore essentially free). It’s a complicated product – but if you don’t need that scalability and robustness, you can set up a very feature-rich yet intuitive wiki from pbWorks or Wikispaces for very low cost in about 15 minutes. And most of the other tools we discussed earlier are similar. [twitter] Web 2.0 is sometimes referred to as “Shadow IT” because it is so easy to implement and use without IT’s assistance.[/twitter]
  • The gatekeepers to the enterprise, whether IT or RM, are also challenged by the fact that there are so many of these tools and they change so quickly. You saw the Simplespark video earlier; this screenshot is from almost exactly a year ago. Since then 40% of the applications have shut down, but 60% more have been created (and again, these are just the ones listed through Simplespark). You can’t rewrite your policy quickly enough to address them all, and IT can’t block them quickly enough to keep them all out. [twitter]There are too many of these tools and they change too quickly for IT to be able to block them all.[/twitter]
  • And no matter how much technology IT implements and how many policies RM, legal, etc. write, it’s going to be difficult to block these technologies because almost everyone has a smart phone with a browser, applications, or both that can access them. [twitter]And it’s tough for IT to block or RM to regulate because everyone has their own smart phone with browser and/or apps for social media tools.[/twitter]
  • I’ve been a big proponent of these tools for a number of years, and as recently as a couple of years ago I suggested to a group of records managers that they might need to look at some of these tools for a number of reasons including some I’ve already described. There was some discussion about the pros and cons, and then one woman said, “I’m sick of hearing about how we *have* to do this or that. There’s a reason it’s called work, and if new employees can’t work the way we tell them to, they can work somewhere else!” I thought back to a presentation at Office 2.0 2007, where someone from Morgan Stanley told us a story about demographics. It seems that this person’s high school reunion was coming up, and for a lark he looked to see how many of his class were on Facebook. Less than 10% of them were. He then decided to check subsequent classes of his high school to see how many of them were on FB, and checked them every three years from 1990 (his class) to 2003. By 2005 more than 95% of the high school class was on FB. His point was that at MS, about 10% of employees were part of that “Facebook generation”. But the demographics were such that within 5 years 35% would be, and within 8 years more than 50%. The moral of the story is not that you need a FB account. It’s rather that if you’re not part of the FB generation, you’re going to be outnumbered in the not-too-distant future. At some point you may work for one of them. And if you don’t understand how those users work and use those tools, you may find yourself irrelevant to the organization. [twitter]If you don’t like change, you're going to like irrelevance even less. Gen. Eric Shinseki, 11/8/2001[/twitter]
  • The first step is to determine whether or not something is in fact a record. Just as we know that most email messages are not records, for most organizations their Facebook fan page updates will not be records either. In other words, we have to ask the same questions about these tools that we’d ask about any other type of information: Does it document a transaction or a decision? If it does, it’s probably a record. Is it captured in another form? This is the biggest reason why most social networking sites like Facebook and Twitter wouldn’t need to be captured as records – in most cases they are being used as another transmission mechanism for information stored elsewhere. Now, just because it isn’t a record doesn’t mean it couldn’t be discoverable or a public record and subject to FOIA-type laws. Again, same considerations here as for other types of information. [twitter]Determine whether something is a record or not according to its content and context.[/twitter]
  • Before we move on, a couple of points about discovery for these tools. First, commercial services will honor subpoenas and other types of appropriate requests from law enforcement or government agencies. Some are more forthcoming, others require formal written notice such as a warrant. Second, many of these services limit how much data they retain. In other words, a user’s Gmail account may have messages dating back several years. But if the user deletes his account, the technical ability of Google to provide access to that information may be very short-lived because Google doesn’t keep backups for long periods of time. Note that this is no different from an organizational email account where the inbox has not been subject to a litigation hold – users cannot delete their accounts, but they certainly could delete all messages ever sent or received from their inbox, and once the backups are gone, so are the messages. And what is produced and how will vary by provider. For a Gmail or Yahoo mail account, production as messages is quite likely; for Twitter, it could be provided as an XML stream, some type of spreadsheet, etc. [twitter] Web 2.0 services will comply with production requests but format, amount, etc. will vary.[/twitter]
  • As we just noted, the records management or communications policies (or both) should address the use of these tools. We’ll look at some examples of policies over the next few slides. At a minimum, the policy should address:
      • Identity, relationship, and transparency – is the account official or unofficial?
      • Security, confidentiality, and sensitive information
      • Comments and responses to comments
      • Responding to others’ posts on commercial sites
      • Accuracy and ethics
      • Monitoring and auditing
    [twitter]Address these tools in the records or communications policies (or both).[/twitter]
  • Here’s a very succinct Twitter policy from a blog by an HR-focused law firm, GruntledEmployees.com. “Our Twitter policy: Be professional, kind, discreet, authentic. Represent us well. Remember that you can’t control it once you hit “update.”” Pretty good, right? Now, you could argue that this policy is missing a lot of the stuff I just mentioned. But I don’t know that I agree – authentic, professional, discreet, represent us well – that’s pretty close. And regardless of what you think might be missing, I’d argue that if your employees follow this policy, you won’t have many issues with them. And note that this policy is itself Tweetable. [twitter]Policy 2.0 – in 140 characters, courtesy of gruntledemployees.com. http://is.gd/8BpjT[/twitter]
  • Prepare for discovery. This means having the same type of data map you have in place inside the organization, but with listings of all the services you use, the accounts used there, etc. At a minimum you should list any official use of services and official accounts. It also means understanding the process for getting at that information in the event of litigation, FOIA request, etc. The time to put that process in place is before the subpoena is received. For hosted tools, such as FB or Twitter, it may mean taking periodic snapshots of what is posted to them. Right now there aren’t a lot of tools that do this; one way that can be effective is to capture the RSS feeds generated by these tools. As updates are made, they are published through the RSS feed, which can be saved locally. It might also require working with the third-party vendor in the event that some information or some updates are not available through RSS – for example, web-based email. It’s also important to note that at least for commercial solutions there is very little ability to put or enforce legal holds or to prevent a user from deleting an account, at least without a subpoena and without doing it before the user knows to delete it. [twitter]Prepare for discovery in advance, including listing official use of services and accounts.[/twitter]
  • Finally, there are enterprise versions of every Web 2.0 application. These enterprise versions are often available to be hosted inside the firewall, meaning that security is much more robust. Access can be secured to them much more effectively. They can be integrated into the organization’s identity infrastructure – whether Active Directory or something else – such that any change, post, comment, edit, update, etc. can all be tracked and, more importantly, tracked to a specific named user. No anonymous postings here. Of course, you have to pay for an enterprise version, but what you’re really paying for is a level of peace of mind. And you still get many of the same benefits – ease of use, familiarity with the type of tool, rapid and agile collaboration across geographical and time boundaries, etc. You’re just getting a more secure and robust version of it. [twitter]Consider implementing enterprise versions. FB is FB, but internal tools might be more appropriate.[/twitter]
  • At this point I’d be pleased to entertain your questions. [twitter]Questions? @jessewilkins or here. No promises I’ll answer today but will try to answer.[/twitter]
  • In conclusion, Web 2.0 is not something coming down the road or over the horizon – it’s here today and is probably in your organization, whether you know about it or not. It is all but impossible to effectively prohibit them – and the tools can significantly improve an organization’s collaboration and knowledge sharing, thereby adding value to the organization. It is incumbent on records management professionals to step up and lead your organizations in the effective use and management of these tools.
  • [twitter]These slides will be posted shortly to: http://www.slideshare.net/jessewilkins8511.[/twitter]
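The RSS capture approach from the "Prepare for discovery" note above, as an added example that is not part of the original slides: it parses an RSS 2.0 feed, appends items it has not seen to a local JSON Lines file, and stores a SHA-256 digest with each entry so later changes to the local copy can be detected. The feed content, the `social.example` URLs and the archive layout are constructed assumptions.

```python
import hashlib
import json
import os
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample feed (not real data) for a hypothetical official account.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
  <item>
    <guid>https://social.example/agency/status/1001</guid>
    <pubDate>Wed, 18 May 2011 14:05:00 GMT</pubDate>
    <title>Office closed Monday</title>
    <description>Our offices are closed Monday, May 30.</description>
  </item>
  <item>
    <guid>https://social.example/agency/status/1002</guid>
    <pubDate>Wed, 18 May 2011 16:30:00 GMT</pubDate>
    <title>Comment period extended</title>
    <description>Public comment period extended to June 15.</description>
  </item>
</channel></rss>"""

FIELDS = ("guid", "pubDate", "title", "link", "description")

def digest(item):
    """SHA-256 over the item's canonical (key-sorted) JSON form."""
    canonical = json.dumps(item, sort_keys=True)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def parse_items(feed_xml):
    """Return one dict per <item>, restricted to FIELDS."""
    # Feeds are third-party input: refuse DTDs so entity expansion is never parsed.
    if "<!DOCTYPE" in feed_xml or "<!ENTITY" in feed_xml:
        raise ValueError("feed contains a DTD; refusing to parse")
    root = ET.fromstring(feed_xml.encode("utf-8"))
    items = []
    for node in root.iter("item"):
        record = {f: (node.findtext(f) or "").strip() for f in FIELDS}
        record["guid"] = record["guid"] or record["link"]  # some feeds omit <guid>
        items.append(record)
    return items

def load(path):
    """Read the local archive (one JSON object per line); empty if absent."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]

def capture(feed_xml, path, captured_at=None):
    """Append items not already archived at `path`; return the new entries."""
    captured_at = captured_at or datetime.now(timezone.utc).isoformat()
    items = parse_items(feed_xml)  # parse first so a bad feed writes nothing
    seen = {entry["item"]["guid"] for entry in load(path)}
    added = []
    with open(path, "a", encoding="utf-8") as fh:
        for item in items:
            if not item["guid"] or item["guid"] in seen:
                continue
            entry = {"captured_at": captured_at, "sha256": digest(item), "item": item}
            fh.write(json.dumps(entry, sort_keys=True) + "\n")
            seen.add(item["guid"])
            added.append(entry)
    return added

def verify(path):
    """Return guids whose archived content no longer matches its digest."""
    return [e["item"]["guid"] for e in load(path) if digest(e["item"]) != e["sha256"]]

if __name__ == "__main__":
    archive_path = os.path.join(tempfile.mkdtemp(), "feed_archive.jsonl")
    print(len(capture(SAMPLE_FEED, archive_path)), "new items on first poll")
    print(len(capture(SAMPLE_FEED, archive_path)), "new items on re-poll")
    print("altered entries:", verify(archive_path))
```

Running `capture` on a schedule against each official account's feed builds the local copy; the digests only detect edits to that copy and do not prove what the hosted service showed.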
  • Transcript

    • 1. Records Management 2.0
      Jesse Wilkins, CRM
      May 18, 2011
    • 2. Web 2.0 considerations
      Records management 2.0
      Agenda
    • 3. Web 2.0 issues and considerations
    • 4. How do you know it’s accurate?
      You don’t.
      It isn’t.
      But it’s self-correcting.
    • 5. Security issues
    • 6. Connectivity issues
    • 7. Privacy issues
    • 8. Reliability pt 1: the tool
      System downtime
    • 9. Reliability pt 2: the vendor
      Vendor closure
    • 10. Vendor lock-in
      Vendor lock-in
    • 11. Prohibition is not realistic
    • 12. “…fully networked enterprises are not only more likely to be market leaders or to be gaining market share but also use management practices that lead to margins higher than those of companies using the Web in more limited ways…”
    • 13. The “Shadow IT department”
    • 14. There are too many of them
      They change too quickly
    • 15. Mobile access
    • 16. Change
    • 17. Commercial vs. enterprise social technologies
    • 18. Implementation model
      Identity management
      Archival and local storage
      Integration
      Auditing and reporting
      Cost
      Commercial vs. enterprise
    • 19. Web-based
      Apps
      Implementation model - commercial
      www.idsgn.org
      cybernetnews.com
    • 20. Hosted
      Application server
      Appliance
      Implementation model - enterprise
    • 21. Need separate accounts for most sites
      Many sites leveraging identity management
      Facebook Connect
      Twitter OAuth
      Identity management - commercial
    • 22. Integration into identity infrastructure
      Ensure security and confidentiality
      Provide accountability
      Support for groups and ethical walls
      Access to other resources inside the organization
      Identity management - enterprise
    • 23. Doesn’t exist for most sites
      Available for Facebook since Oct 2010
      Some third-party services available
      Archiving - commercial
    • 24. Support archiving and retrieval of system data
      Archiving - enterprise
    • 25. Some using FB Connect, OAuth
      Very little integration into line of business systems - today
      Integration with other systems - commercial
    • 26. Allow import from other systems
      Allow export to other systems
      Integration with other systems - enterprise
    • 27. Most commercial services offer very little in the way of analytics and auditing
      Some third-party services available, especially for Twitter
      Social “listening platforms” and CRM (sCRM)
      Auditing and reporting - commercial
    • 28. Significant amounts of information available for reporting
      Who has done what
      What has been done to a particular article/item/etc.
      Any changes made to the system, security, etc.
      Auditing and reporting - enterprise
    • 29. But…
      Cost - commercial
      www.chaosaddons.com
    • 30. NOT FREE.
      Still cheaper than many other enterprise solutions
      Often available via subscription model
      Freemium
      Cost - enterprise
    • 31. Records management 2.0
    • 32. Is the information unique and not available anywhere else?
      Does it contain evidence of an agency’s policies, business, mission, etc.?
      Is the tool being used in relation to an agency’s work?
      Is there a business need for the information?
      Does it document a transaction or decision?
      Is it a record?
    • 33. Commercial services will honor subpoenas
      Many will honor requests from law enforcement and government agencies
      May be limited in how much data they retain after an account is deleted
      Type of production will vary by provider
      Discovery and production
    • 34. Address in policies
    • 35. Our Twitter policy: Be professional, kind, discreet, authentic. Represent us well. Remember that you can’t control it once you hit “update.”
      Policy 2.0 – in 140 characters
    • 36. Provide guidance
      Whether the tool & account is official or unofficial (add screenshot)
    • 37. Whether the account is monitored for actionable content (screenshot)
    • 38. Blog post
      Comments?
      Updates?
      Individual Tweet
      Links and shortened URLs?
      Wiki article
      The article?
      Its changes over time?
      It depends….
      What’s the record?
      Prepare for discovery
    • 39. Check the service level agreement
    • 40. Take a snapshot of record content
    • 41. Archive entire stream locally
    • 42. Archive selected items locally
      Use search queries and monitoring
      Records management in brief
      Store selected items locally using search queries or RSS
    • 43. Use the native backup to store locally
      Store locally using built-in tools
    • 44. Use a third-party service to store locally
      Store locally using third-party service
    • 45. Store locally using API
      Store locally using APIs
    • 46. Use Word or Notepad to draft content updates and save *that* as a record
      Draft content locally
    • 47. Implement enterprise versions
    • 48. Implement a compliance solution
      • And many others
    • Questions?
    • 49. Web 2.0 is here
      Prohibition is not a realistic option
      Web 2.0 tools can add significant value to the organization
      Lead your organization to use them effectively
      Conclusion
    • 50. Jesse Wilkins, CRM, CDIA+
      Director, Systems of Engagement
      AIIM International
      +1 (303) 574-0749 direct
      jwilkins@aiim.org
      http://www.twitter.com/jessewilkins
      http://www.linkedin.com/in/jessewilkins
      http://www.facebook.com/jessewilkins
      http://www.slideshare.net/jessewilkins
      For more information
    • 51. “How Federal Agencies Can Effectively Manage Records Created Using New Social Media Tools”, Patricia Franks, Ph.D., IBM Center for The Business of Government, 2010
      Guideline for Outsourcing Records Storage to the Cloud, ARMA International, 2010
      Additional resources
    • 52. “Managing Social Media Records”, U.S. Department of Energy, September 2010
      http://cio.energy.gov/documents/Social_Media_Records_and_You_v2_JD.pdf
      “Best Practices Study of Social Media Records Policies”, ACT-IAC, April 2011
      http://www.actgov.org/knowledgebank/whitepapers/Documents/Shared%20Interest%20Groups/Collaboration%20and%20Transformation%20SIG/Best%20Practices%20of%20Social%20Media%20Records%20Policies%20-%20CT%20SIG%20-%2003-31-11%20(3).pdf
      Additional resources
    • 53. NARA Bulletin 2011-02, “Guidance on Managing Records in Web 2.0/Social Media Platforms”, October 2010
      http://www.archives.gov/records-mgmt/bulletins/2011/2011-02.html
      “A Report on Federal Web 2.0 Use and Value”, National Archives and Records Administration, 2010
      http://www.archives.gov/records-mgmt/resources/web2.0-use.pdf
      Additional resources
    • 54. Florida Social Media Toolkit
      http://sites.google.com/site/flsocmed/
      “Friends, Followers, and Feeds: A National Survey of Social Media Use in Government”, NASCIO, September 2010
      http://www.nascio.org/publications/documents/NASCIO-SocialMedia.pdf
      Texas Dept of Information Resources Social Media Policy
      http://www.texas.gov/en/about/Pages/social-media-policy.aspx
      Additional resources
    • 55. Compliance Building Social Media Policies Database
      http://www.compliancebuilding.com/about/publications/social-media-policies/
      57 Social Media Policy Examples and Resources
      http://www.socialmediatoday.com/davefleet/151761/57-social-media-policy-examples-and-resources
      Web 2.0 Governance Policies and Best Practices
      http://govsocmed.pbworks.com/w/page/15060450/Web-2-0-Governance-Policies-and-Best-Practices
      Additional resources
    • 56. Social Media Governance policy database
      http://socialmediagovernance.com/policies.php
      “Analysis of Social Media Policies: Lessons and Best Practices”, Chris Boudreaux, December 2009
      http://socialmediagovernance.com
      Additional resources