Hillary Clinton Email Incident: Five Lessons Learned for Information Governance



Similar documents
MICROSOFT OFFICE 365 PRIVACY IMPACT ASSESSMENT. Western Student E-Communications Outsourcing

Recordkeeping Compliance: Retention and Beyond

Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies. Privacy Committee Web 2.0/Cloud Computing Subcommittee

John Essner, CISO Office of Information Technology State of New Jersey

Information Governance

How the Information Governance Reference Model (IGRM) Complements ARMA International s Generally Accepted Recordkeeping Principles (GARP )

It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing?

Solution Brief for ISO 27002: 2013 Audit Standard ISO Publication Date: Feb 6, EventTracker 8815 Centre Park Drive, Columbia MD 21045

WHITE PAPER Practical Information Governance: Balancing Cost, Risk, and Productivity

Contact: Henry Torres, (870)

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

Breaking Down the Silos: A 21st Century Approach to Information Governance. May 2015

From Information Management to Information Governance: The New Paradigm

White Paper. Enterprise Information Governance. Date Released: September Author/s: Astral Consulting.

The Challenge of Securing and Managing Data While Meeting Compliance

NAVIGATING THE MAZE LEGAL CIO ROUNDTABLE RETREAT March 3-5, 2013 The Boulders Hotel Carefree, Arizona CIO Roundtable Retreat

HIPAA Privacy Rule Policies

Preemptive security solutions for healthcare

UIIPA - Security Risk Management. June 2015

4.10 Information Management Policy

Governance, Risk, and Compliance (GRC) White Paper

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

Records and Information Management

FINAL May Guideline on Security Systems for Safeguarding Customer Information

CANADIAN PRIVACY AND DATA RESIDENCY REQUIREMENTS. White Paper

How To Protect Decd Information From Harm

Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice

Information Governance in the Cloud

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

Certified Information Professional 2016 Update Outline

RUTGERS POLICY. Approval Authority: Executive Vice President for Academic Affairs and Senior Vice President for Administration

Logging In: Auditing Cybersecurity in an Unsecure World

10 Steps to Establishing an Effective Retention Policy

1. Understanding Big Data

The X-Factor in Data-Centric Security. Webinar, Tuesday July 14 th 2015

Implementing Information Governance: A Best Practice Approach to Enable Compliance and Reduce Costs & Risks

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

CyberArk Privileged Threat Analytics. Solution Brief

Exhibit 2. Business Associate Addendum

TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL

Click to edit Master title style

Policy No: TITLE: EFFECTIVE DATE: CANCELLATION: REVIEW DATE:

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

Gain control over all enterprise content

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

Information Governance Policy

Newcastle University Information Security Procedures Version 3

Information Governance Strategy

Cybersecurity and internal audit. August 15, 2014

BUILDING DATA CENTERS: UNDERSTANDING THE RISKS. Managing Risk Maximising Opportunity.

Regulatory Compliance Requirements with VERITAS Enterprise Vault and Microsoft Windows Server Technologies

Security and Privacy Considerations for BYOD

White Paper on Financial Institution Vendor Management

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Guide to Information Governance: A Holistic Approach

Information Governance Policy

FULLY ENABLING BEST-PRACTICE STANDARDS THROUGH IMPLEMENTING NEXT GENERATION INTELLIGENT SYSTEMS 2013 WHITE PAPER

Security solutions White paper. Acquire a global view of your organization s security state: the importance of security assessments.

Add the compliance and discovery benefits of records management to your business solutions. IBM Information Management software

Records & Information Management Policy

CCG: IG06: Records Management Policy and Strategy

University of Liverpool

Top 5 reasons to choose HP Information Archiving

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

FINRA Publishes its 2015 Report on Cybersecurity Practices

Data Security: Fight Insider Threats & Protect Your Sensitive Data

SECURITY RISK MANAGEMENT

RISK AND COMPLIANCE COMMITTEE CHARTER

California State University, Sacramento INFORMATION SECURITY PROGRAM

Information Security Program Management Standard

Management Standards for Information Security Measures for the Central Government Computer Systems

Can CA Information Governance help us protect and manage our information throughout its life cycle and reduce our risk exposure?

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Specific observations and recommendations that were discussed with campus management are presented in detail below.

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Information Governance Policy

EXECUTIVE STRATEGY BRIEF. Securing the Cloud Infrastructure. Cloud. Resources

Cyber security Building confidence in your digital future

Feature. Log Management: A Pragmatic Approach to PCI DSS

'Namgis Information Technology Policies

Analyzing HTTP/HTTPS Traffic Logs

INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013

Audit, Risk Management and Compliance Committee Charter

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2

Draft Information Technology Policy

Top 5 reasons to choose HP Information Archiving

INFORMATION SECURITY California Maritime Academy

Rowan University Data Governance Policy

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

Information Security Program CHARTER

VENDOR MANAGEMENT. General Overview

Operations. Group Standard. Business Operations process forms the core of all our business activities

Cloud Computing: Legal Risks and Best Practices

Legislative Language

Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape

Integrated archiving: streamlining compliance and discovery through content and business process management

How To Transform It Risk Management

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Transcription:

Hillary Clinton Email Incident: Five Lessons Learned for Information Governance Soo Y Kang, IGP, CIPP/US General Counsel / Director, Consulting Division Zasio Enterprises, Inc. March 2015 June 2015

Article Have you adopted an information governance program? Do you need to? As a concept and boiled down to its essence, information governance is the implementation of controls to manage information at the enterprise level to support its regulatory, legal, risk, environmental, and operational requirements. It creates synergy of information within the organization as a whole, rather than supporting the continuing existence of departmental silos that operate independently and in fulfillment of their own objectives. If there is doubt regarding the relevance or need for an information governance program, the recent Hillary Clinton email incident and headlines are instructive. As first reported by The New York Times, Mrs. Clinton used a private email account to conduct official business during her tenure as Secretary of State. On the heels of that report, The Associated Press further reported that the private email account was traced back to a private email server installed in Mrs. Clinton s home, registered under a pseudonym, on her own internet domain. The full ramifications from this event are yet to be determined; however, from a business perspective it stresses the significance of a good information governance program. Below are five lessons to be learned from this incident to protect your business and avoid being the next example in the headlines. Lesson 1: Be Proactive with Policies and Procedures Laws overseeing the preservation of government records have long been in existence. Yet, these laws have been outgrown by technology and the use of such technology in the work environment (i.e., employees use of private email to conduct business). This long overdue insufficiency was addressed in 2014 when President Obama signed the Presidential and Federal Records Act Amendments ( Amendment ), which now requires federal employees using private emails to either courtesy copy the official messaging account or forward a complete copy to the official messaging account of the user within twenty (20) days. Unfortunately, this postdated Mrs. Clinton s tenure as Secretary of State and, accordingly, failed to prevent this incident that otherwise might have been avoided with a more timely implementation. In the corporate environment, policies set the overarching framework with procedures to fill in the mechanics. Where these policies and procedures focus on technical matters (such as the performance or execution of work), they should be carefully crafted to align with your workforce and how it conducts business. This serves two critical purposes: (1) policies and procedures that do not reflect the actual practice of the employees will fail to address the attendant risks; and (2) if it is not catered to the employees practice, it will not be followed. Accepting that the use of private emails is an ubiquitous practice, the Amendment properly provides a workaround to achieve the overall objective preservation. Where the Amendment failed is in the timing of its implementation, which paved the path for the attendant risk to come to fruition.

Article Hillary Clinton Email Incident: Five Lessons Learned for Information Governance 3 Lesson 2: Know Your Legal Obligations Mrs. Clinton may not have been prohibited from using her private email to conduct official business, but her actions may still run afoul of other laws depending on whether she properly retained her official communications and whether those communications contained/transmitted confidential or sensitive information. With this in mind, it is important to understand all of your legal obligations pertaining to the various records and information kept, before deciding on a plan of action. In the context of information governance, it is no longer a simple question ofhow long you should keep the information. Instead, the type of information, location, who you are as a regulated party, industry guidelines, contractual obligations, and so forth all play into the obligations you have with respect to the information you maintain. These obligations will inform decisions on policies and procedures, security measures, and other actions that must be undertaken to ensure compliance. Lesson 3: Inventory Your Information Part and parcel with identifying the obligations that impact your business information is understanding what business information you collect and maintain. The proliferation of technology creates unique challenges to accomplishing this, as information is now being generated at rates previously unimagined. Regardless, getting a handle on your information is necessary to reap the value that can be gained through its use (i.e., data analytics, predictive analysis, etc.), and also to inform your compliance efforts. Various options are available for this purpose, but companies commonly employ the following tools: Records Inventory A records inventory identifies records created, received, and maintained within an organization that is of an official character. The main purpose behind a records inventory is to support the creation of a records retention schedule, which categorizes the records identified under a classification scheme and assigns a proper lifecycle. While the scope of the records inventory will differ based on the needs of the particular organization, it generally contains information related to ownership, location, description, the medium in which the record is preserved, whether the record is vital to the organization, if it contains personal information, and the operational needs for retaining. Data Map A data map is a tool that explains relationships between applications and systems with the objective of identifying where electronic information is stored within the organization. This is primarily driven by e-discovery; however, with new data privacy laws and consumer protection, data maps are also important in identifying where personal information resides. Due to the large number of repositories where electronic data may rest (e.g., email systems, shared drives, etc.), as well as the complexities introduced with different locations and use of third party vendors, the creation of a data map is a challenging but a worthwhile effort. The above two identified tools are the most common methods used to capture and gain insight on the records and information retained in the organization. Regardless of what tools are used, however, taking inventory of your information is essential, as it offers invaluable insight and provides the ability for the organization to identify exposures, support compliance and discovery efforts, and provide necessary information for the organization to make management decisions.

Article Hillary Clinton Email Incident: Five Lessons Learned for Information Governance 4 Lesson 4: Assess Your Security Measures Mrs. Clinton s use of her own private email and server raised questions regarding the adequacy of security measures in place to adequately safeguard her official communications. This is certainly a valid concern as we have recently been inundated with what appears to be never-ending reports of data breaches targeting information of governments, banks, retailers, and many more. These threats from external parties are only going to continue with attacks getting more sophisticated and complex. The fact of the matter is that increased connectivity brings increased risks. It is not a question of if you will be a subject of an external threat, but when. Are you taking adequate measures to mitigate these risks? The type of information being processed, transmitted, and stored, in conjunction with the degree of interaction with the network, employees, and third parties will dictate the appropriate level of security and privacy measures required. Begin by identifying your confidential information, intellectual property, personally identifiable information, and other sensitive materials. Then identify the type of tools that can be employed to protect the information and meet your legal obligations. These tools range from using modern internet security solutions, adding layers of encryption, and adopting artificial intelligence methods (e.g., machine learning, pattern recognition, fuzzy logic, data mining, artificial immune systems, intelligent agents, and so forth). In addition, with each new application or system that is incorporated into the corporate environment, assure that it has the necessary security/privacy features to suit your needs. Lastly, incorporate effective security behavior and grow the culture of information security as part of the business process. This requires you to not only grow awareness of problems, but offer solutions to your workforce. Lesson 5: Conduct Regular Review and Audits Mrs. Clinton s actions occurred during her entire tenure as Secretary of State, which raises questions regarding the State Department s procedures for review and audits. These procedures are critical to assure, pertinent to an information governance program, that the workforce: Demonstrates awareness of company objectives and goals related to information governance Is properly trained in information governance policies, practices, responsibilities, and solutions Is securing and protecting its information Is disposing of information and records correctly Has up to date policies and procedures (that timely considers new practices and technologies) This will also provide an audit trail to assure the reliability of information and prove that the practice to achieve compliance and quality are appropriately in place. Lastly, audits and review should occur on a regular basis and apply to the organization as a whole.

Article Hillary Clinton Email Incident: Five Lessons Learned for Information Governance 5 Conclusion Played out in the headlines, Mrs. Clinton s email incident focuses on the propriety of a public officer using private email to conduct official communications. The issues highlighted by this situation, however, extend beyond proper communication and preservation processes, but go to critical aspects of a sound information governance program. Understanding your employees work habits, your business information and its management, as well as security measures employed to protect that information, are all considerations that every organization, whether public or private, must carefully weigh. The world and how we work have irreversibly been altered by technology, and the siloed approach is no longer capable of effectively managing information in the current business, legal, and technological landscape. Accordingly, solutions for the management of information cannot be shifted to the employee or department, but requires collaboration throughout the organization as a whole. This is information governance breaking down silos and managing the information from an enterprise standpoint to maximize value while mitigating risks. Take heed and learn from the mistakes brought to light by this incident. Review and assess your information governance program or, if you have yet to implement, consider implementing. Soo Y Kang, IGP, CIPP/US Soo Kang is General Counsel and Director of Consulting for Zasio Enterprises, Inc. In his capacity as General Counsel, Mr. Kang is responsible for overseeing all aspects of the company s legal affairs. His principal areas of focus are: negotiation of licensing agreements, consulting agreements, NDAs, and other commercial contracts; counseling on employment matters; advising on intellectual property issues; and providing strategic guidance to the company s senior executive team. Zasio is the global expert in Information Governance, with concentration in the areas of information retention, content lifecycle management, and defensible disposal. With 30 years experience across all business sectors and a global footprint of more than 100 countries, our team of experts provides software and consulting services, including needs assessments, recommendations for best professional practice, global citation research, and related software for the enterprise-wide management of retention rules. In addition to the traditional media formats, these capabilities extend to each of the core areas of IG data privacy, social media and big data applications, BYOD, cloud computing, and other areas critical to the achievement of IG goals and objectives. Please contact us for a free consultation. Learn more at zasio.com/consulting 800.513.1000 consulting@zasio.com 2015 Zasio Enterprises, Inc. All rights reserved. ZEICS-A-081415-1 Rev. 1 August 2015

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information