These are 4 discussion post responses; I need one response per post, for a total of 4 responses. Must be APA format and have at least 1 verifiable, legitimate source per response, with in-text citations and a reference list. At least 150 words per response.
This is due by November 10, 2019 Sunday at 1 pm EST. Plagiarism free.
Discussion 1
#1
Carter
A problem solving culture gets together to handle the “root cause” of an incident, crisis or disaster. The outcome is to come up with viable strategies on how to solve or prevent past, present and future hazards that might affect the area in which they live. A thorough analysis of all of the hazards that might affect their area is where the team should start. Then, they should make recommendations as to what needs to be done in order to assure the safety of all people. Such a culture can be integrated in various public safety organizations. A problem solving culture can be established in several ways.
-You can make sure that you have effective leadership.
-You can be up to date in the latest technology in public administration.
-You can develop policies that reflect all of today's hazards and have ready, appropriate responses to them.
-You can integrate your team with other operational organizations that will ensure an all-around safety team for your area.
In today’s society, encouraging all employees of the organization to participate is the best way to develop solutions to your problems. They need to be prepared and equipped to meet the problem-solving challenges. In turn, organizations should make substantial investments in developing the problem-solving skills of the employees. There is always more than one way to solve a problem. Having numbers working on that problem gives you more of an advantage in the decision-making process.
References:
Luckman, J., & Verble, D. (2014). How a Problem-Solving Culture Takes Root.
https://www.lean.org/LeanPost/Posting.cfm?LeanPostId=158
Satyendra. (March 19, 2016). Problems Solving Culture in the Organization.
https://www.ispatguru.com/problem-solving-culture-in-the-organization/
#2
Chauca
A problem solving culture is established in a public organization only when they consistently seek out and solve their employees' problems. For most people, that means undertaking a profound cultural change, which must begin from the top. Openness to talking about problems is important; talking about “issues” or “opportunities” rather than “problems” sounds like a good way to avoid sounding negative or critical. Great problem solving begins with the ability to acknowledge problems and a willingness to see them without judgment. Willingness to see problems wherever they may be is key to cultivating a problem solving culture. Before you can acknowledge a problem, you have to be aware of it. Identifying problems, particularly before they grow into a crisis, is a skill that can be learned. Understanding that small problems matter means most large organizations design their processes for managing big, top-down strategic interventions.
https://www.mckinsey.com/~/media/McKinsey/Business%20Functions/Operations/Our%20Insights/The%20lean%20management%20enterprise/Building%20a%20problem%20solving%20culture%20that%20lasts.ashx
Discussion 2
#1
Crouch
"Whatever your reason is for being drawn to this profession, please consider that the work you do does not just affect you, but informs the interactions, impressions and expectations of public servants overall" (Blessett, 2015) is a quote that shall be used to reflect upon goals in day to day public safety administration. Looking deeper into the understanding of this quote, it carries meaning that public safety administrators must take on responsibility of leaders for public servants working beneath them. The way in which a public safety administrator chooses to lead their subordinates carries a great impact on the way in which public servants carry out their work as well. Public safety leaders shall establish clear expectations and goals, as well as inspire and empower the public servants to have passion in the work in which they carry out. Public safety leaders can reflect upon the goals established in the quote in day-to-day administration of a public safety organization through using effective leadership strategies and creating a positive working environment for the public safety organization.
Blessett, B. (2015). Considerations for public administrators. PA Times. Retrieved from: https://patimes.org/considerations-public-administrators-rainbow/
#2
Ryan
The essence of Blessett’s statement reflects the understanding that a public administrator is much more than just one’s self or individual jurisdiction. Instead, the work has significance in the public domain, which ripples long and far outside an individual. This sentiment is consistent with the United States Air Force’s motto of Service Before Self. Public administrators can best emulate that attitude when they lead with integrity, regardless of circumstances, and do not claim the outcome. The impact an administrator has may not always be by a single significant action, but instead, by the synergistic effect of many smaller actions. Blessett (2015) writes as much when she says, “Use choice points wisely. Consider the cumulative impacts of the many small decisions...your decisions will have a significant impact on the population served.”
Reference:
Blessett, B. (2015). Considerations for Public Administrators. PA Times. American Society For Public Administration. Retrieved from https://patimes.org/considerations-public-administrators-rainbow/
E-mail is a major area of focus for information governance (IG) efforts: It is the most common business software application and the backbone of business communications today, and e-mail is the leading piece of evidence requested during the discovery phase of civil trials, so it is critically important to implement IG measures for e-mail communications.
Employees utilize e-mail all day, including during their personal time, sometimes mixing business and personal use of e-mail. Social media use has skyrocketed in recent years and actually has surpassed e-mail for personal use, but the fact remains that in business, knowledge workers rely on e-mail for almost all communications, including those of a sensitive nature. A 2013 survey of 2,400 corporate e-mail users worldwide found that nearly two-thirds stated that e-mail was their favorite form of business communication, surpassing not only social media but also telephone and in-person contact.1
These e-mail communications may contain discoverable information in litigation, and a percentage of them will be declared formal business records. E-mail often contains records, such as financial spreadsheets and reports, product price lists, marketing plans, competitive analyses, safety data, recruitment and salary details, progressing contract negotiations, and other information that may be considered as constituting a business record.
E-mail systems can be hacked, monitored, and compromised and cause far-reaching damage to a victimized organization. The damage may occur slowly and go undetected while information assets—and business value—are eroded.
In mid-2011, the “hacktivist” group AntiSec claimed responsibility for hacking a U.S. government contractor, Booz Allen Hamilton, and publicly exposing 90,000 military e-mail addresses and passwords from the contractor by posting them online. It was the second attack on a government defense contractor in a single week.2
Booz Allen employees “maintain high government security
even stated it might pass the security information on to other hackers.
The attack did not stop there. Later that week, another federal defense and FBI contractor, IRC Federal, was hacked, databases were invaded, the Web site was modified, and information from internal e-mail messages was posted online.4
Employees Regularly Expose Organizations to E-Mail Risk
A 2011 global e-mail survey, commissioned by a leading hosted e-mail services provider, found that nearly 80 percent of all employees send work e-mail to and from their personal accounts, and 20 percent do so regularly, which means that critical information assets are exposed to uncontrolled security risks.5
“Awareness of the security risks this behavior poses does not act as a deterrent” (emphasis added). Over 70 percent of people questioned recognize that there is an additional risk in sending work documents outside the corporate e-mail environment, but almost half of “these same respondents feel it is acceptable to send work emails and documents to personal email accounts anyway.” According to the survey, the reasons for using personal e-mail accounts for work purposes range from working on documents remotely (71 percent), to sending files that are too big for the company mailbox (21 percent), to taking documents with them when they leave a company (18 percent), to simply not wanting to carry a laptop home (9 percent). The top two frustrations users had with work e-mail were restrictions on mailbox size, which has a negative impact on e-mail management, and the inability to send large attachments. This second issue often forces workers to use a personal account to send and receive necessary files. If size limits are imposed on mailboxes and attachments, companies must provide a secure alternative for file storage and transfer. Otherwise, employees are pushed into risking corporate information assets via personal e-mail. This scenario not only complicates things for e-mail administrators but has serious legal and regulatory implications. Clearly, as stated by Paul Mah in his “Email Admin” blog, “email retention and archival becomes an impossible task when emails are routed in a haphazard manner via personal accounts.”6
This means that security, privacy, and records management issues must be addressed by first creating IG policies to control and manage the use of e-mail. These policies can utilize the e-mail system’s included security features and also employ additional monitoring and security technologies where needed.
The e-mail survey also found an overall lack of clear e-mail policies and weak communication of existing guidelines. This means a lack of IG. Nearly half of the respondents stated either that their company had no e-mail policy or that they were unaware of one. Among those aware of a corporate e-mail policy, 4 in 10 think it could be communicated better. Among companies that have a policy, most (88 percent) deal with the appropriate use of e-mail as a business tool, but less than one-third (30 percent) address e-mail retention from a security standpoint.
INFORMATION GOVERNANCE FOR E-MAIL AND INSTANT
MESSAGING 243
Generally, employees are aware that sending work documents outside of their corporate network is unsafe, yet they continue to do so. It is abundantly clear that e-mail policies have to be updated and upgraded to accommodate and manage the increasingly sophisticated and computer-savvy generation of users who are able to find ways to work around corporate e-mail restrictions. (These users have been dubbed Generation Gmail.) In addition, new e-mail monitoring and security technologies need to be deployed to counter this risky practice, which exposes information assets to prying eyes or malicious attacks.
E-Mail Policies Should Be Realistic and Technology Agnostic
E-mail policies as part of your IG program must not be too restrictive. It may be tempting to include catchall policies that attempt to tamp down user behavior, but such efforts cannot succeed.7 An important step is consulting with stakeholders to understand their usage patterns and needs and then going through a series of drafts of the policy, allowing for input. It may be determined that some exceptions and changes in technologies need to be factored in and that some additional technology is needed to accommodate users while keeping information assets safer and meeting compliance and legal demands. Specifics of these policies and tools should be progressively tightened on a regular basis as the process moves forward.
These new IG guidelines and policies need to refer to technology in a generic sense—a “technology-neutral” sense—rather than specifying proprietary software programs or features.8 That is to say, they should be written so that they are not in need of revision as soon as new technologies are deployed.
Developing organization-wide IG policies is time consuming and expensive; they are a defensive measure that does not produce revenue, so managers, pressed for performance, often relegate policy making to the low-priority list. Certainly, it is a tedious, difficult task, so organizations should aim to develop policies that are flexible enough to stand the test of time. But it is also necessary to establish a review process to periodically revise policies to accommodate changes in the business environment, the law, and technology.
Here is an example of a technology-agnostic policy directive:
All confidential information must be encrypted before being transmitted over the Internet.
This statement does not specify the technology to be used, or the mode of transmission. The policy is neutral enough to cover not only e-mail and instant messaging (IM) but also social media, cloud computing, mobile computing, and other means of communication. The policy also does not specify the method or brand of the encryption technology, so the organization can select the best method and technology available in the future without adapting the policy.9
E-Record Retention: Fundamentally a Legal Issue
Considering the massive volume of e-mail exchanged in business today, most e-mail messages do not rise to the level of being formal business records. But many of them do and are subject to IG, regulatory compliance, and legal requirements for maintaining and producing business records.
244 INFORMATION GOVERNANCE
Although often lumped in with other information technology (IT) concerns, the retention of e-mail and other e-records is ultimately a legal issue. Other departments, including records management and business units, should certainly have input and should work to assist the legal team to record retention challenges and archiving solutions. But e-mail and e-record retention is “fundamentally a legal issue,” particularly for public or highly regulated companies. According to Nancy Flynn of the ePolicy Institute, “It is essential for the organization’s legal department to take the lead in determining precisely which types of email messages will be preserved, exactly how and where data will be stored, and specifically when—if ever—electronically stored information [ESI] will be deleted”10 (emphasis added).
Since they are often shot out in the heat of battle, many times e-mail messages are evidence of a smoking gun in lawsuits and investigations. In fact, they are the most requested type of evidence in civil litigation today. The content and timing of e-mail messages can provide exonerating information too.
In January 2010, a U.S. House of Representatives committee probing bailout deals subpoenaed the Federal Reserve Bank of New York for e-mail and other correspondence from Treasury Secretary Timothy Geithner (former president of the New York Federal Reserve Bank) and other officials. The House Oversight and Government Reform Committee was in the process of examining New York Fed decisions that funneled billions of dollars to big banks, including Goldman Sachs Group and Morgan Stanley.11
This is just one example of how crucial e-mail messages can be in legal investigations and how they play an important role in reconstructing events and motives for legal purposes.
Preserve E-Mail Integrity and Admissibility with Automatic Archiving
Most users are not aware that e-mail contents and characteristics can be changed—“and rendered legally invalid”—by anyone with malicious motives, including those who are essentially “covering their tracks.” Not only can the content be edited, but metadata that includes such information as the time, date, and total number of characters in the message can also be changed retroactively.12
To offset this risk and ensure that spoliation (i.e., the loss of proven authenticity of an e-mail) does not occur, all messages, both inbound and outbound, should be captured and archived automatically and in real time. This preserves legal validity and forensic compliance. Additionally, e-mail should be indexed to facilitate the searching process, and all messages should be secured in a single location. With these measures, e-mail records can be assured to be authentic and reliable.
Managing e-records is primarily a legal issue, especially for public and heavily regulated companies.
E-Mail Archiving Rationale: Compliance, Legal, and Business Reasons
There are good reasons to archive e-mail and retain it according to a specific retention schedule that follows your organization’s IG policies. Having a handle on managing voluminous e-mail archives translates to being able to effectively and rapidly search and retrieve exactly the right messages, which can provide a significant legal advantage. It gives your legal team more and better information and more time to figure out how to leverage it in legal strategy sessions. This means the odds are tipped in your organization’s favor in the inevitable litigation arena. Your legal opponent may be driven to settle a weak claim when confronted with indisputable e-mail evidence, and, in fact, “email often produces supportive evidence that may help ‘save the day’ by providing valuable legal proof” of innocence.13 This evidence may stop frivolous lawsuits in their tracks. Further, reliable e-mail evidence also can curtail lengthy and expensive lawsuits, and prevail. And if your company is public, Sarbanes–Oxley regulations require the archiving of e-mail.
Don’t Confuse E-Mail Archiving with Backup
All backups are not created equal. There is a big difference between traditional system backups and specialized e-mail archiving software.
Backups are huge dumps to mass storage, where the data is stored sequentially and not compressed or indexed.14 It is impossible to search backups except by date, and even doing that would mean combing through troves of raw, non-indexed data.
The chief executive may not be aware of it, but without true e-mail archiving, system administrators could spend long nights loading old tapes and churning out volumes of data, and legal teams will bill hourly for manual searches through troves of data. This compromises your enterprise’s legal position and not only increases raw costs but also leads to less capable and informed legal representation. According to one study, fully one-third of IT managers state they would have difficulty producing an e-mail that is more than one year old. “A backup system is no substitute for automatic archiving technology”15 (emphasis added).
No Personal Archiving in the Workplace
Employees are naturally going to want to back up their most important files, just as they probably do at home. But for an overall IG information-security program to be effective, personal archiving at work must be prohibited. This underground archiving results in hidden shadow files and is time consuming and risky. According to Flynn, “Self-managed email can result in the deletion of electronic records, alteration of email evidence, time-consuming searches for back-up tapes, and failure to comply with legal discovery demands” (emphasis added). Also, users may compromise formal electronic records, or they may work from unofficial records, which therefore by definition might be inaccurate or out-of-date, posing compliance and legal ramifications.16
Are All E-Mails Records?
Are e-mail messages records? This question has been debated for years. The short answer is no, not all e-mail messages constitute a record. But how do you determine whether certain messages are a business record or not? The general answer is that a record documents a transaction or business-related event that may have legal ramifications or historic value. Most important are business activities that may relate to compliance requirements or those that could possibly come into dispute in litigation. Particular consideration should be given to financial transactions of any type.
Certainly evidence that required governance oversight or compliance activities have been completed needs to be documented and becomes a business record. Also, business transactions, in which there is an exchange of money or the equivalent in goods or services, are also business records. Today, these transactions are often documented by a quick e-mail. And, of course, any contracts (and any progressively developed or edited versions) that are exchanged through e-mail become business records.
The form or format of a potential record is irrelevant in determining whether it should be classified as a business record. For instance, if a meeting of the board of directors is recorded by a digital video recorder and saved to DVD, it constitutes a record. If photographs are taken of a ground-breaking ceremony for a new manufacturing plant, the photos are records too. If the company’s founders tape-recorded a message to future generations of management on reel-to-reel tape, it is a record also, since it has historical value. But most records are going to be in the form of paper, microfilm, or an electronic document.
Here are three guidelines for determining whether an e-mail message should be considered a business record:
1. The e-mail documents a transaction or the progress toward an ultimate transaction where anything of value is exchanged between two or more parties. All parts or characteristics of the transaction, including who (the parties to it), what, when, how much, and the composition of its components, are parts of the transaction. Often seemingly minor parts of a transaction are found buried within an e-mail message. One example would be a last-minute discount offered by a supplier based on an order being placed or delivery being made within a specified time frame.
2. The e-mail documents or provides support of a business activity occurring that pertains to internal corporate governance policies or compliance to externally mandated regulations.
3. The e-mail message documents other business activities that may possibly be disputed in the future, whether it ultimately involves litigation or not. (Most business disputes actually are resolved without litigation, provided that proof of your organization’s position can be shown.) For instance, your supplier may dispute the discount you take that was offered in an e-mail message and, once you forward the e-mail thread to the supplier, it acquiesces.17
Destructive Retention of E-Mail
Destructive retention is an approach to e-mail archiving where e-mail messages are retained for a limited time (say, 90 days or six months), followed by their permanent manual or automatic deletion from the company’s network, so long as there is no litigation hold or the e-mail has not been declared a record in accordance with IG and records management policies. Implementing this as a policy may shield the enterprise from retaining potentially libelous or litigious e-mail that is not a formal business record (e.g., off-color jokes or other personnel violations).
For heavily regulated industries, such as health care, energy, and financial services, organizations may need to archive e-mail for longer periods of time.
Instant Messaging
Instant messaging (IM) use in enterprises has proliferated—despite the fact that frequently proper policies, controls, and security measures are not in place to prevent e-document and data loss. There are a variety of threats to IM use that enterprises must defend against to keep their information assets secure.
The first basic IM systems, which came into use in the mid-1960s, had real-time text capabilities for routing messages to users logged on to the same mainframe computer. Early chat systems, such as AOL Instant Messenger, have been in use since the late 1980s, but true IM systems that included buddy list features appeared on the scene in the mid-1990s, followed by the release of Yahoo! and Microsoft IM systems. The use of these personal IM products in the workplace has created new security risks.18
More secure enterprise instant messaging (EIM) products can be deployed. Leading EIM installed systems include IBM Lotus Sametime, Microsoft Office Communications Server, Cisco Unified Presence, and Jabber XCP. In the financial sector, Bloomberg Messaging and Reuters Messaging are leading platforms.
By the year 2000, it was estimated that nearly 250 million people worldwide were making use of IM, and today estimates are that more than 2 billion people use IM, with the addition of hundreds of millions of users in China.
As with many technologies, IM became popular first for personal use, then crept into the workplace—and exploded. IM is seen as a quicker and more efficient way to communicate short messages than engaging in a telephone conversation or going through rounds of sending and receiving endless e-mail messages. The problem with IM is that many organizations are blind to the fact that their employees are going to use it one way or another, sometimes for short personal conversations outside the organization. If unchecked, such messaging exposes the organization to a myriad of risks and gives hackers another way to compromise confidential information assets.
Best Practices for Business IM Use
Employing best practices for enterprise IM use can help mitigate its security risks while helping to capitalize on the business agility and velocity benefits IM can provide. Best practices must be built in to IG policies governing the use of IM, although “the specifics of these best practices must be tailored for each organization’s unique needs.”
A methodology for forming IM-specific IG policies and implementing more secure use of IM must begin with surveying and documenting the proliferation of IM use in the organization. It should also discover how and why users are relying on IM—perhaps there is a shortcoming with their available IT tools and IM is a work-around.
Typically, executives will deny there is much use of IM and that if it is being used, its impact is not worth worrying about. Also, getting users to come clean about their IM use may be difficult, since this may involve personal conversations and violations of corporate policy. A survey is a good place to start, but more sophisticated network monitoring tools need to be used to factually discover what IM systems are actually in use.
Once this discovery process has concluded and the use of IM is mapped out, the IG team or steering committee must create or update policies to: decide which IM systems it will allow to be used, how, when, and by whom; decide what restrictions or safeguards must be imposed; and create guidelines as to appropriate use and content.
As a part of an overall IG effort, Quest Software determined that a successful IM policy will:
■ Clearly and explicitly explain the organization’s instant messaging objectives. Users should know why the organization permits IM and how it is expected to be used.
■ Define expectations of privacy. Users should be made aware that the organization has the right to monitor and log all IM sessions for corporate compliance, safety, and security reasons.
■ Detail acceptable and unacceptable uses. An exhaustive list of permitted and forbidden activities may not be necessary, but specific examples are helpful in establishing a framework of IM behaviors for users.
■ Detail content and contact restrictions (if any). Most organizations will want to limit the amount of idle IM chat that may occur with family, friends, and other nonbusiness-related contacts. There may also be additional issues related to information confidentiality and privacy. Some businesses may choose to block the distribution of certain types of information via live IM chat session or file transfer.
■ Define consequences for violations of the policy. Users should be advised of the consequences of policy violations. Generally these should be aligned with the company’s personnel and acceptable use policies.
The use of a standard disclaimer, to be inserted into all users’ IM sessions, can remind employees of appropriate IM use and that all chat sessions are being monitored and archived, and can be used in court or compliance hearings.
The next major step is to work with the IT staff to find the best and most appropriate security and network monitoring tools, given the computing environment. Alternatives must be researched, selected, and deployed. In this research and selection process, it is best to start with at least an informal survey of enterprises within the same industry to attempt to learn what has worked best for them.
The key to any compliance effort or legal action will be ensuring that IM records are true and authentic, so the exact, unaltered archiving of IM messages along with associated metadata should be implemented in real time. This is the only way to preserve business records that may be needed in the future. But in addition, a policy for deleting IM messages after a period of time, so long as they are not declared business records, must be formulated.
Documenting IM use in the organization is the first step in building IG policies to govern its use. Those policies must be tailored to the organization and its IM use.
IG requires that these policies and practices not be static; rather, they must be regularly revisited and updated to reflect changes in technology and legal requirements and to address any shortcoming or failure of the IG policies or technologies deployed.
Technology to Monitor IM
Today, it has been estimated that as much as 80 percent of all IM used by corporate employees comes from free IM providers like Yahoo!, MSN, or AOL. These programs are also the least secure. Messages using these IM platforms can fly around the Internet unprotected. Any monitoring technology implemented must have the capability to apply and enforce established IM use policies by constantly monitoring Internet traffic to discover IM conversations. Traffic containing certain keywords can be monitored or blocked, and chat sessions between forbidden users (e.g., those who are party to a lawsuit) can be stopped before they start. But this all necessarily starts with IG and policy formulation.
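The following added example (not from the book or from any monitoring product) sketches the two capabilities described above: policy checks for blocked keywords and forbidden contact pairs, and archiving of each message with its metadata in a form where later alteration is detectable. The keyword list, addresses, sample messages, and the SHA-256 hash-chain approach are assumptions chosen for illustration.

```python
import hashlib
import json

# Constructed policy values for illustration (not from the source text).
BLOCKED_KEYWORDS = ("financial report", "merger")
FORBIDDEN_PAIRS = {frozenset({"a.lee@corp.example", "b.cho@corp.example"})}
GENESIS = "0" * 64

def _digest(body):
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def evaluate(msg):
    """Apply the IM policy: forbidden contact pairs first, then keywords."""
    if frozenset({msg["sender"], msg["recipient"]}) in FORBIDDEN_PAIRS:
        return "block:forbidden-pair"
    text = msg["text"].lower()
    for kw in BLOCKED_KEYWORDS:  # simple case-insensitive substring match
        if kw in text:
            return "block:keyword:" + kw
    return "allow"

def archive(log, msg):
    """Append message, metadata and decision; chain to the previous record."""
    body = dict(msg, decision=evaluate(msg),
                prev=log[-1]["hash"] if log else GENESIS)
    log.append(dict(body, hash=_digest(body)))
    return body["decision"]

def verify(log):
    """True only if every record matches its hash and links to its predecessor."""
    prev = GENESIS
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body["prev"] != prev or _digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True

# Constructed sample traffic: timestamp, sender, recipient, text.
SAMPLE = [
    {"ts": "2019-11-04T14:02:11Z", "sender": "c.diaz@corp.example",
     "recipient": "d.fox@corp.example", "text": "Audit meeting at 3pm?"},
    {"ts": "2019-11-04T14:03:40Z", "sender": "c.diaz@corp.example",
     "recipient": "d.fox@corp.example", "text": "Sending the Financial Report now"},
    {"ts": "2019-11-04T14:05:02Z", "sender": "b.cho@corp.example",
     "recipient": "a.lee@corp.example", "text": "Lunch?"},
]

if __name__ == "__main__":
    log = []
    for m in SAMPLE:
        print(m["ts"], archive(log, m))
    print("archive intact:", verify(log))
```

Blocked messages are archived along with allowed ones, so the record of an attempted policy violation is preserved. The chain detects edits to stored records but not removal of the newest ones, so a real archive would also need write-once storage or an externally held copy of the latest hash.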
Tips for Safer IM
Organizations should assume that IM is being used, whether they have sanctioned it or not. And that may not be a bad thing—employees may have found a reasonable business use for which IM is expedient and effective. So management should not rush to ban its use in a knee-jerk reaction. Here are some tips for safer use of corporate IM:
■ Just as e-mail attachments and embedded links are suspect and can contain malicious executable files, beware of IM attachments too. The same rules governing e-mail use apply to IM, in that employees should never open attachments from people they do not know. Even if they do know them, with phishing and social engineering scams, these attachments should first be scanned for malware using antivirus tools.
■ Do not divulge any more personal information than is necessary. This comes into play even when creating screen names—so the naming convention for IM screen names must be standardized for the enterprise. Microsoft advises, “Your screen name should not provide or allude to personal information. For example, use a nickname such as SoccerFan instead of BaltimoreJenny.”19
■ Keep IM screen names private; treat them as another information asset that needs to be protected to reduce unwanted IM requests, phishing, or spam (actually spim, in IM parlance).
■ Prohibit transmission of confidential corporate information. It is fine to set up a meeting with auditors, but do not attach and route the latest financial report through unsecured IM.
■ Restrict IM contacts to known business colleagues. If personal contacts are allowed for emergencies, limit personal use for everyday communication. In other words, do not get into a long personal IM conversation with a spouse or teenager while at work. Remember, these conversations are going to be monitored and archived.
■ Use caution when displaying default messages when you are unavailable or away. Details such as where an employee is going to have lunch or where their child is being picked up from school may expose the organization to liability if a hacker takes the information and uses it for criminal purposes. Employees may be unknowingly putting themselves in harm’s way by giving out too much personal information.
■ Ensure that IM policies are being enforced by utilizing IM monitoring and filtering tools and by archiving messages in real time for a future verifiable record, should it be needed.
■ Conduct an IM usage policy review at least annually; more often in the early stages of policy development.
CHAPTER SUMMARY: KEY POINTS
■ E-mail is a critical area for IG implementation, as it is a ubiquitous business communication tool and the leading piece of evidence requested at civil trials.
■ Nearly 80 percent of all employees send work e-mail messages to and from their personal e-mail accounts, which exposes critical information assets to uncontrolled security risks.
■ Meeting e-mail retention and archival requirements becomes an impossible task when e-mail messages are routed in a haphazard manner via personal accounts.
■ In developing e-mail policies, an important step is consulting with stakeholders.
■ E-mail policies must not be too restrictive or tied to a specific technology. They should be flexible enough to accommodate changes in technology and should be reviewed and updated regularly.
■ Not all e-mail messages constitute a business record.
■ Not all e-mail rises to the level of admissible legal evidence. Certain conditions must be met.
■ Automatic archiving protects the integrity of e-mail for legal purposes.
■ Instant messaging use in business and the public sector has become widespread, despite the fact that often few controls or security measures are in place.
■ Typically as much as 80 percent of all IM use in corporations today is over free public networks, which heightens security concerns.
■ IM monitoring and management technology provides the crucial components that enable the organization to fully implement best practices for business IM.
■ Enterprise IM systems provide a greater level of security than IM from free services.
■ Regular analysis and modification (if necessary) of business IM policies and practices will help organizations leverage the maximum benefit from the technology.
■ Records of IM use must be captured in real time and preserved to ensure they are reliable and accurate.
Notes
1. “Research Finds that Restrictive Email Policies are Creating Hidden Security Risks for Businesses,” BusinessWire, March 9, 2011, www.businesswire.com/news/home/20110309005960/en/Research-Finds-Restrictive-Email-Policies-Creating-Hidden.
2. Elizabeth Montalbano, “AntiSec Hacks Booz Allen, Posts Confidential Military Email,” InformationWeek, July 12, 2011, www.informationweek.com/news/security/attacks/231001418?cid=nl_IW_daily_2011-07-12_html.
3. Ibid.
4. Mathew J. Schwartz, “AntiSec Hacks FBI Contractor,” InformationWeek, July 11, 2011, www.informationweek.com/news/security/attacks/231001326.
5. Quotes from this survey are from “Research Finds That Restrictive Email Policies Are Creating Hidden Security Risks for Businesses.”
6. Paul Mah, “How to Reduce the Email Security Risks to Your Business,” EmailAdmin, March 10, 2011, www.theemailadmin.com/2011/03/how-to-reduce-the-email-security-risks-to-your-business/.
7. Blair Kahn, Information Nation: Seven Keys to Information Management Compliance (Silver Spring, MD: AIIM International, 2004), pp. 98–99.
8. Ibid., pp. 95–96.
9. Ibid.
10. Nancy Flynn, The E-Policy Handbook: Rules and Best Practices to Safely Manage Your Company’s E-Mail, Blogs, Social Networking, and Other Electronic Communication Tools, 2nd ed. (New York: AMACOM, 2009), 20.
11. Hugh Son and Andrew Frye, “Geithner’s E-mails, Phone Logs Subpoenaed by House (update3),” January 13, 2010, www.bloomberg.com/apps/news?pid=newsarchive&sid=aGzbhrSxFlXw.
12. Flynn, E-Policy Handbook, p. 37.
13. Flynn, E-Policy Handbook, pp. 40–41.
14. Nancy Flynn and Randolph Kahn, Email Rules, A Business Guide to Managing Policies, Security, and Legal Issues for E-Mail and Digital Communication (New York: AMACOM, 2003), pp. 81–82.
15. Flynn, The E-Policy Handbook, p. 41.
16. Ibid., p. 43.
17. Robert F. Smallwood, Taming the Email Tiger: Email Management for Compliance, Governance, & Litigation Readiness (New Orleans, LA: Bacchus Business Books, 2008).
18. This discussion is based on Quest Software White Paper, “Best Practices in Instant Messaging Management” (October 2008), http://media.govtech.net/Digital_Communities/Quest%20Software/Best_Practices_in_Instant_Messaging_Management.pdf, p. 5.
19. M. Adeel Ansari, “10 Tips for Safer IM Instant Messaging,” July 6, 2008, http://adeelansari.wordpress.com/tag/safer-im-instant-messaging/.