IM Aware Session Email
March 12, 2015

Panel Members

Linda Borys - RIM Program Support Manager, Service Alberta.
- With Information Management Branch for over 20 years.
- Has been the Alberta Records Management Committee (ARMC) Secretary for about 10 years.
- Provides guidance on the enterprise records management program.
- Supports the enterprise applications used to manage Records Retention and Disposition Schedules, and the movement of inactive records from storage to disposition.

Ken Lummis - Manager of IT Security Policy. Responsible for Information Technology Security Policy for the Government of Alberta.
- Security side of phishing. GoA IT Security have produced tip sheets on phishing and social engineering. Phishing goes beyond the theft of information; criminals are now using phishing emails to encrypt files, which has caused downtime for the GoA in being able to access its information.

Lori Lindquist - Strategic IMT Initiative Program Manager and Information Security Officer, Corporate Human Resources.
- Lori Lindquist has 16 years of IT experience with the Government of Alberta, primarily with Public Affairs Bureau and Executive Council.
- She is knowledgeable regarding the policy and guidelines for acceptable and unacceptable activities regarding email (Use of Government of Alberta Internet and E-mail Policy) and social media.
- As a Ministry Information Security Officer, she is responsible for managing security related risks and issues regarding GoA email usage.

Topic 1: From your perspective, what is the biggest obstacle for email? What piece of advice would you give to overcome that obstacle?

Lori: Users are our biggest challenge.
- Their ability to circumvent all rules creates a difficult environment to manage emails from a CHR perspective. The separation between business and personal email use can become complex; learning what can and can't be done with GoA email (i.e. whether they can be used for personal use, or whether they are FOIPable) is important. It's also important to note that they are GoA assets, and as such we have a commitment to the GoA to be professional; if the email accounts are not used in a professional manner, the Department has the ability (and the right) to monitor the accounts and follow up with disciplinary actions.
- Becoming familiar with rules and regulations, such as social media rules and restrictions and any policies, is very important. Learning the rules is essential (i.e. be aware of copyright infringement, social media rules, and restrictions, or policies).
- The Internet and Email Usage Policy outlines acceptable and unacceptable activities.
- The Social Media Policy

Ken: Security measures are our biggest challenge.
- There are all sorts of malware, phishing scams, and ransomware. Filtering email becomes very important.
- Users are our first line of defence. All of our systems are reactive. Testing of staff awareness is important.

Linda: Managing information is our biggest challenge.
- The volume of emails in our system is part of a bigger, more problematic picture, which is the lack of email retention policy. Most of our emails are transient, and can be deleted; only emails that document a business decision must be kept.
- We need rules and regulations on email retention.

Topic 2: Speak to the evolving email environment and the evolving tools to mitigate risks.

Lori: From a user perspective, managing identity will be essential to mitigate risks. We can use tools to define access and level of permissions.
- Policy tools.
- Knowing responsibilities.
- Using responsibly.

Ken: We must use the functionality we have, such as the preview pane.
- Tip sheets and educational tools are available.
- Presentations are available - this can provide clarity on who to contact regarding email security.
- Learning about integrity and accountability.

Linda: We must use training to mitigate risk around emails.
- Auto classification is coming and will help separate business emails from personal.
- Integration of recordkeeping practices with different platforms will highlight the records component.
- Automate classification and retention schedules.

Additional Questions:

1. What are the rules regarding Facebook and personal emails (personal usage on Government emails?)
Ken: Facebook can be a source of malware. There is a risk of encryption and we should try to avoid using these webpages on government computers. Use your personal smart phone instead.

2. In the event of a phishing incident, what is the process that takes place?
Lori: Send the phishing email as an email attachment to the GoA Service Desk, MISO, or notify your designated support team. Blocking the phishing site is first priority and letting everyone know is important.
Ken: The security alerts process is a 30 minute window. They get notification, look at it (what's it doing, who it affects, what impact it will have), notify everyone, and then they fix it.

3. Is there a way to set a mandatory desktop training on email awareness (i.e. desktop cleaning day?)
Linda: Not yet.

4. When is autoclassification integration coming?
Linda: We have tools, but whether they are good enough hasn't been determined yet. In Microsoft Office, there is autoclassification functionality, but there are issues with retention.

5. Where can I find basic rules for email - is there a website?
Linda: The information management website contains a managing Information Management at Work ecourse. There are no enterprise standards for emails just yet; this will entail collaboration between many groups.

6. Are emails records and do they have retention schedules?
Linda: The "what is information" question falls into the same category as email, it needs policy to deal with it. The decision on what to keep/who keeps it - we must ask the same question of all media.

Closing Remarks:

Lori: Think before you click! Take a step back and consider what you're doing.

Linda: Think after you click! Consider what you should keep and what you should get rid of. Organize your emails. Take the Managing Information at Work ecourse.

Ken: Think I am the first line of defence! Think about security.