Accelerating out Executing RIM - ARMA Magazine · JULY/AUGUST 2013 INFORMATIONMANAGEMENT 1 4 IN FOCUSA Message from the Editor 6 UP FRONTNews, Trends & Analysis Z 22 Clearing the

AR

MA

INTER

NA

TION

AL V

OLU

ME 47, N

UM

BER 4

INFORMATIO

NM

AN

AG

EMEN

T JULY

/AU

GU

ST 20

13

Accelerating out of the Recession:

New Approaches to Executing RIM

Program StrategiesPage 27

Using Data Profiling to Mitigate 7 ‘Red Flag’ Information Risks Page 34

Page 22

IM_july_cover 2013_Layout 1 7/2/13 7:24 AM Page 1

JULY/AUGUST 2013 INFORMATIONMANAGEMENT 1

4 IN FOCUS A Message from the Editor

6 UP FRONT News, Trends & Analysis

Z

22 Clearing the Hurdles of International Technology ImplementationsJohn T. Phillips, CRM, CDIA, FAI

27 Accelerating out of the Recession: New Approaches to Executing RIM Program Strategies Bruce W. Dearstyne, Ph.D.

34 Using Data Profiling to Mitigate 7 ‘Red Flag’ Information RisksJim McGann

38 GENERALLY ACCEPTED RECORDKEEPING PRINCIPLES® SERIES The Principles Assessment as a Collaborative ToolJulie Gable, CRM, CDIA, FAI

42 RIM FUNDAMENTALS SERIESA 5-Step Strategy for Harnessing Global Information GrowthBrian Nowak

45 IN REVIEW Addressing Security Concerns: The Expanding Role of Information GovernanceAndrew Altepeter

47 AUTHOR INFO

48 ADVERTISING INDEX

DEPARTMENTS

FEATURES

SPOTLIGHTS

CREDITS

JULY/AUGUST 2013 VOLUME 47 NUMBER 4

22 27 34

Publisher Marilyn Bier

Editor in Chief Vicki Wiler

Contributing Editor Cyndy Launchbaugh

Art Director Brett Dietrich

Advertising Sales Manager Elizabeth Zlitni

Editorial Board Barbara Benson, Director, Records Management Services,University of Washington • Alexandra Bradley, CRM, President, Harwood Informa-tion Associates Ltd. • Marti Fischer, CRM, FAI, Corporate Records Consultant,Wells Fargo Bank • Paula Harris, CRM, Director, Global Records Management,Georgia Pacific • John Montaña, J.D., FAI, General Counsel, Montaña and Associ-ates • Preston Shimer, FAI, Administrator, ARMA International Educational Foun-dation Information Management (ISSN 1535-2897) is published bimonthly by ARMA Inter-national. Executive, editorial, and advertising offices are located at 11880 College Blvd.,Suite 450, Overland Park, KS 66210.

An annual subscription is included as a benefit of membership in ARMA International. Non-member individual and institutional subscriptions are $140/year (plus $25 shipping todestinations outside the United States and Canada).

ARMA International (www.arma.org) is a not-for-profit professional association and theauthority on managing records and information. Formed in 1955, ARMA International isthe oldest and largest association for the records and information management profes-sion, with a current international membership of more than 10,000. It provides education,publications, and information on the efficient maintenance, retrieval, and preservation ofvital information created in public and private organizations in all sectors of the economy.

Information Management welcomes submissions of editorial material. We reserve theright to edit submissions for grammar, length, and clarity. For submission procedures,please see the “Author Guidelines” at http://content.arma.org/IMM.

Editorial Inquiries: Contact Vicki Wiler at 913.217.6014 or by e-mail at [email protected].

Advertising Inquiries: Contact Karen Lind Russell or Krista Markley at 888.277.5838(US/Canada), +1 913.217.6022 (International), +1 913.341.3742, or e-mail [email protected].

Opinions and suggestions of the writers and authors of articles in Information Manage-ment do not necessarily reflect the opinion or policy of ARMA International. Acceptanceof advertising is for the benefit and information of the membership and readers, butit does not constitute official endorsement by ARMA International of the product orservice advertised.

© 2013 by ARMA International.

Periodical postage paid at Shawnee Mission, KS 66202 and additional mailing office.

Canada Post Corp. Agreement No. 40035771

Postmaster: Send address changes to Information Management, 11880 College Blvd.,Suite 450, Overland Park, KS 66210.

2 JULY/AUGUST 2013 INFORMATIONMANAGEMENT

GET MORE ONLINE

INFORMATIONMANAGEMENT

WWW.ARMA.ORG


Although governing the ex-plosive growth of informa-tion is a challenge all

organizations face, that challengeis multiplied exponentially forthose implementing informationtechnologies for operations in mul-tiple countries.

In our cover feature, JohnPhillips, CRM, CDIA, FAI, ad-vises readers about how to ad-dress infrastructure limitationsand the regulatory, legal, social,and cultural boundaries andnorms of other countries thatcould be impediments to success-fully implementing informationtechnologies that transcendgeopolitical borders.

Brian Nowak’s internationalorganization struggled with manyof these same issues. Despite thewide variations in the level ofrecords management sophistica-tion in his organization’s world-wide locations, its global recordsmanagement team was able to de-velop line of business liaisons andtransition tactical responsibilitiesto them. Read about how the teamfollowed “A 5-Step Strategy forHarnessing Global InformationGrowth,” to make this transitionand become more strategic.

Bruce Dearstyne, Ph.D., picksup on the theme of strategic lead-ership in his feature, “AcceleratingOut of the Recession: New Ap-proaches to Executing RIM Pro-gram Strategies.” Dearstynewrites that despite the challengesand risks inherent in our “disrup-tive, digital age,” the future is

viewed in this issue by Andrew Al-tepeter. The book introduces basicinformation governance princi-ples; outlines the major securityproblems and risks organizationsface; describes countermeasuresthat can be taken; introduces tech-nologies that can help protect in-formation assets; and providesstrategies for obtaining executivesponsorship, managing projects,and selecting vendors.

“Smallwood’s book gives read-ers a solid foundation for makinginformed governance decisionsand presenting them in a way thatupper management will find ap-pealing,” Altepeter writes.

What information challenges isyour organization facing? We’d liketo hear about them and develop ar-ticles that will help you conquerthem. E-mail [email protected] tell us how we can help. END

Vicki WilerEditor in Chief

promising for records and infor-mation management leaders whoare willing to try non-traditionalapproaches to traditional leader-ship strategies.

As the major characteristic ofour “disruptive, digital age,” ex-plosive information growth in-creases the costs and risks fororganizations that are often hardpressed to even identify what in-formation they have and where itis. In “Using Data Profiling to Mit-igate 7 ‘Red Flag’ InformationRisks,” author Jim McGann de-scribes how these organizationscan use data profiling technologyto create a data map that will en-able them to actively enforce andaudit compliance with their infor-mation governance policies, whichare critical to reducing costs andrisks.

With the same goal of helpingorganizations reduce costs andrisks, consultant John Isaza,Esq., FAI, uses “The PrinciplesAssessment as a CollaborativeTool.” Author Julie Gable, CRM,CDIA, FAI, interviewed Isaza todiscover and write about his tech-niques and tips for using thePrinciples Assessment tool toaudit and assess compliance withinformation governance policiesand procedures or to formulatenew programs.

Reducing information risks isthe primary theme of RobertSmallwood’s Safeguarding Criti-cal E-Documents: Implementing aProgram for Securing ConfidentialInformation Assets, which is re-

Mitigating the Risks of Explosive,Global Information Growth

A Message from the Editor

building a new system, MHS an-nounced it wanted to take a dif-ferent course. J. Michael Gilmore,the Pentagon’s director of opera-tional test and evaluation, wrotea memo to Deputy Secretary ofDefense Ashton Carter statingthat MHS preferred to buy com-mercial health IT software ratherthan develop systems that arebased on open standards as man-dated by President Obama in2009. He added that the depart-ment was preparing to distributea request for proposals.

That’s when the boss steppedin.

“I don’t think we knew whatthe hell we were doing,” Secretaryof Defense Chuck Hagel told aHouse Appropriations CommitteeDefense panel in April. That’swhy Hagel stepped in and took

MOBILE DEVICES

Do Tablets Havea Future inBusiness?

BlackBerry CEO ThorsteinHeins predicts that tabletswill not prove to be an ef-

fective business tool. “In five years I don’t think

there’ll be a reason to have atablet anymore; maybe a bigscreen in your workspace, but nota tablet as such. Tablets them-selves are not a good businessmodel,” Heins said in a recent in-terview reported by Engage.com.

Some attribute Heins’ some-what controversial remarks toBlackberry’s less-than-stellar ex-perience with PlayBook, its ver-sion of a tablet. The growth in theuse of tablets in the consumermarket has clearly seeped intothe business market, a trend thatsome experts believe will con-tinue with the changing demo-graphics of the workforce.

Gartner Inc. pre-dicts that business

purchases of tabletswill more than triplefrom 13 million units

sold in 2012 to 43 mil-lion by 2016. If Gart-ner is correct, thiswould, of course, in-crease the pressure onenterprises to support

tablets as business tools.Yankee Group has ex-

pressed a more moderate posi-tion. Its research shows a slowingof growth in 2012 and predictsthat tablet use in enterprises willflatten in 2013. Yankee Group re-searchers estimate that 30% ofemployees will use tablets atwork and about 80% of those de-vices will be employee-owned.Laptops will continue to be thepreferred computing method,supported by smartphones forcommunication. However, the re-search company does expecttablets to become increasinglypopular in retail and other cus-tomer-facing positions.

EHR

PentagonReassignsEHR Project

It’s never good news when theboss takes over your project.Just ask the Pentagon’s Mili-

tary Health System (MHS),which had been tasked withdeveloping a single integratedhealth records system (iEHR) forthe military, in conjunction withthe Veterans Affairs Department.

Nextgov reported in April thatafter having spent $1 billion on

News, Trends & Analysis


“personal responsibility” for theiEHR project. According toNextgov, he “deferred” the re-quest for proposals and quietlyreassigned the project to FrankKendall, undersecretary of de-fense for acquisition, technology,and logistics.

The proposals, which nevergot past the request-for-informa-tion phase, will be in Kendall’shands as Hagel works on theoverall plan for iEHR. The planwas expected in June.

E-DISCOVERY

ISO Moves Forward on E-Discovery Standard

Atechnical committee of the Interna-tional Organization for Standardiza-tion (ISO) has approved moving

ahead with a standard for e-discovery, as reported last month in LawTechnology News. The official title for the standard is ISO/IEC 27050:Information Technology – Security Techniques – Electronic Discovery.

Once completed, the new guidance standard will provide anoverview of e-discovery and electronically stored information, defineterminology, and address the technological and process challenges as-sociated with e-discovery. This will be the first release in what’s ex-pected to become a multipart standard that provides requirements aswell as guidance.

The new standard will reportedly incorporate elements from theU.S. Seventh Circuit Electronic Discovery Pilot Program, The SedonaConference®, various state-sponsored best practice guidelines, and con-tributions from other experts in the field. It is not intended to supersedeor contradict local laws and regulations.

Several countries’ ISO delegations support the project, including theUnited States, United Kingdom, China, Mexico, Belgium, Singapore,Norway, Mexico, South Africa, Italy, and the Republic of Korea. Com-ments and contributions on the working draft will be due by mid-Sep-tember and processed at the technical committee’s meeting in October.


At a recent panel discussionon e-discovery, three influ-ential judges agreed that

lawyers must take the lead on de-cisions of proportionality ratherthan rely on the judges, who areless familiar with the details of thecases.

The panel, titled "Judges Meetthe General Counsel Department,"was held at a consortium on litiga-tion, information law, and e-dis-covery. It focused on the proposedadditions to the U.S. Federal Rulesof Civil Procedure (FRCP) that con-cern e-discovery’s scope, limita-tions, and need for cooperation.

According to Law TechnologyNews, U.S. District Court JudgeShira Scheindlin was joined byMagistrate Judge James FrancisIV who, like Scheindlin, is from theSecond District of New York, andCircuit Judge Peter Flynn from theCircuit Court of Cook County inIllinois.

“How am I supposed to conductproportionality (hearings) – espe-cially right up front?” Scheindlinasked. “It’s very difficult to knowhow to vet things when I know lit-tle about the case and have so littletime.”

Flynn agreed: “Why would any-body ask the judge – who knowsthe least about the case – to makethe decisions?”

Flynn also cautioned against“discovery paranoia – the urge toturn over the next rock, no matterthe consequences. Proportionalityis an attempt to get people to thinkabout the [possible] costs of turningover the next rock.”

The judges also said preserva-tion should be viewed from a busi-ness perspective, not as a riskmanagement tool for litigation.

“If you make preservation deci-sions based on what might beneeded in litigation, you are going

to save everything, and that’s notgood for business,” Flynn stated.

Francis added that preserva-tion should be just one of the manyrisk determinations that lawyersmake throughout the litigationprocess.

Scheindlin said the courts maybe “moving to staying e-discoverypending a motion to dismiss,” thusweeding out cases that cannot pro-ceed.

The advisory committee to theJudicial Conference of the UnitedStates proposed significantchanges to the FRCP in January.Those changes included limitingthe number of production requestsand depositions, as well as theamount of time spent on deposi-tions. The committee also proposed

tight-ening thescope of discov-ery from any information “reason-ably calculated to lead to thediscovery of admissible evidence,”to relevant, non-privileged infor-mation that is proportional to thereasonable needs of the case.

Defense attorneys fear limitingdiscovery will put their clients at adisadvantage. The judges, how-ever, again contend that the keylies with the attorneys talking toeach other up front.

E-DISCOVERY

Judges on E-Discovery: Keep It in Perspective


PRIVACY

UK Report: Health Care TooProtective of Patient Data

Alandmark report on patient information in health and social carein the United Kingdom has raised serious concerns about thebalance between protecting the confidentiality of patient data

and sharing to improve care, according to The Guardian.“Our conclusion is that the balance isn’t right,” wrote Dame Fiona

Caldicott, who authored the report. “People have become over-concernedabout protecting confidentiality.”

The UK’s former health secretary commissioned Caldicott, a highlyrespected psychiatrist and psychotherapist, to examine the issue in2012 following a report from the National Health Service (NHS) FutureForum that identified information governance as an impediment tosharing information, even if sharing would be in the patient’s best in-terest.

Caldicott contends that much of the problem can be attributed to alack of public education. “While there are professionals who are famil-iar with the issue of confidentiality, data sharing, and the various sys-tems in place at the moment, we are not sure that the public is givensufficient information,” she wrote.

“So I think one of the things is how we can help the public – and ofcourse that is a very varied group of people: some are patients, some

are carers, some are healthy but interested, and so on – to know moreabout what is going on in the new health and social care system.”

Caldicott and her team found many instances where IT sys-tems are not linked within hospitals; even fewer are linkedbetween hospitals and other parts of the NHS.

“I think that most NHS patients would be astonished toknow that their information doesn’t flow around the system,”

said Health Secretary Jeremy Hunt. He thinks that Caldicott’sreport provides “the intellectual framework” for approaching

better information sharing.

EHR

HHS Puts EHRVendors on Notice

The U.S. Department ofHealth and Human Serv-ices (HHS) is taking its role

seriously when it comes to certi-fying – or decertifying – elec-tronic health records (EHR)systems. It recently revoked thecertification of two systems de-veloped by EHRMagic Inc. after asix-month investigation thatstemmed from an anonymouscomplaint.

An agency spokesperson toldThomson Reuters the certifica-tions were pulled becauseEHRMagic-Ambulatory andEHRMagic-Inpatient did notmeet the “meaningful use” stan-dards. The standards were de-fined by the Centers for Medicare& Medicaid Services IncentivePrograms that govern the use ofEHRs and establish thecriteria that eligibleproviders and hospi-tals must meet to earnincentive payments. Thestandards are intended to helpensure access to complete and accurate information, which in turn

will empower patients to take amore active role in their healthmanagement.

There are about 1,800 certi-fied EHR software products avail-able. To qualify for the incentives,healthcare providers must use acertified program and be able toshow that the software fulfills themeaningful use requirement.

Henry Ward, an intellectualproperty and information technol-ogy lawyer, told Thomson Reutersthat HHS’ decision to revoke thecertification of the two products“doesn’t do a lot in terms of tellingthe software companies andproviders what constitutes mean-ingful use. [However,] it does pro-vide some context on what doesn’tconstitute meaningful use.” Moreimportant, he said, it putsproviders and software companies“on notice that the concept ofmeaningful use has teeth in it.”

There are three levels of mean-ingful use criteria. Stage one(2011-2012) focuses on data cap-ture and sharing; stage two (2014)on advanced clinical processes; andstage three (2016) on improvedoutcomes. Final rules for the sec-ond phase have met some push-back from the industry, which iscalling for more time for stage oneto ensure systems are working aswell as possible and to give moretime to ensure integration.


CYBERSECURITY

Privacy vs.Security:A Balancing Act

It’s back to the drawing boardfor the U.S. Congress in its ef-fort to draft cybersecurity legis-

lation that doesn’t sacrificeindividuals’ privacy. Had the mostrecent bill passed, it was headed fora veto by the White House.

“The president has been clearthat the United States urgentlyneeds to modernize our laws andpractices relating to cyber security,both for national security and thesecurity of our country’s business –but that shouldn’t come at the ex-pense of privacy,” wrote U.S. ChiefTechnology Officer Todd Park andCyber Security Coordinator MichaelDaniel, special assistant to thepresident, in response to an e-peti-tion opposing passage of the CyberIntelligence Sharing and ProtectionAct (CISPA).

Balancing privacy and securityalso emerged as an issue followingthe bombing at the BostonMarathon in April. The debate cen-ters on the question of whether thebombing could have been pre-vented if the government and law

enforcement could tighten its sur-veillance measures.

So where should the line bedrawn? That’s a question that un-doubtedly will be argued for sometime to come. It is also a global con-cern. The same debate is takingplace in New Zealand, for example.

The New Zealand Herald re-cently reported that RoyMorgan Research “soundedalarm bells that the gov-ernment’s response to thegrowing cyber-securitythreat may undermine lib-erties.” New Zealandershave become increas-ingly aware of thechallenges of balanc-ing security and pri-vacy as a result of theincreased use of new tech-nologies over the past couple ofyears.

“And with the debate ragingover proposed legislation to allowspy agencies and the police to con-duct cyber surveillance on NewZealand citizens, these are morerelevant than ever,” said Pip El-liott, chief executive of Roy MorganResearch. She added that the num-ber of citizens who said they wereworried about the invasion of their

privacy through new technologyhas increased from 54% to 62% overthe past decade; it raised two per-centage points in the last two years.

In the United Kingdom, thegovernment recently abandoned itsefforts to introduce legislation thatwould have given security servicessweeping powers to monitor Inter-

net activity. Opponents of the leg-islation heralded the move:“Nick Clegg [deputy prime

minister] has made theright decision for our

economy, for Inter-net security, andfor our freedom,”blogged the cam-

paign group BigBrother Watch.

“Rather than spendingbillions on another Whitehall

IT disaster that tramples overour civil liberties and privacy on anunprecedented scale, we shouldfocus on ensuring the police havethe skills and training to make useof the huge volume of data that isavailable.”

Discussions over the plan havecontinued. “The reality is that thetechnology changes fast and thatissue has not gone away,” DowningStreet told the Financial Times.

INFORMATION SECURITY

EU Delays Vote on Data Protection Again

The civil liberties committee of the European Parliament met in early May to discuss the latest draftof Europe’s Data Protection Regulation, expecting to vote at that time. Instead, after German Mem-ber of Parliament Jan Philipp Albrecht observed that more discussions were needed before the draft

was indeed final, the committee decided to delay the vote until the end ofMay.

PC Advisor reported that Albrecht, who is responsible for shepherdingthe legislation through to the final vote, said he believes that compromisescan be adopted with a broad consensus and be ready for the vote before thesummer recess in July.

The goal is to create one regulation that replaces 27 national data pro-tection and privacy laws. More than 4,000 changes to the draft text had beenput forward in Parliament. In the end, though, the commission predicts therevised regulation will save industry €2.3 billion ($3 billion U.S.) annually.


The best way to beat a hackeris to be a hacker. Seniors atthe Polytechnic Institute of

New York (UNY-Poly) are learninghow to be “white-hat” hackers, ex-perts with hands-on experience tohelp businesses and governmentagencies protect their data fromcyber attacks.

“It’s the new espionage,” EvanJensen, a senior at UNY-Poly, toldAssociated Press’s Jake Pearson.“Spies operate from behind key-boards now.” Jensen is one of theleaders of the university’s “HackNight” events where a group of stu-dents meet weekly to hone theirhacking skills.

Of course they aren’t reallyhacking; that would be illegal. Butprofessors and industry experts col-laborate to create exercises that em-ulate real-world hacking scenarios.Dan Guido, a cybersecurity expertand UNY-Poly’s very own “hackerin residence,” uses China’s 2011 at-tack on Google e-mail accounts –many of the details of which havebeen made public – as a case study.The students have to map out, stepby step, how the hackers accessed adesktop computer and broke intothe company’s network.

While Georgia Tech, Purdue,and Carnegie Mellon are wellknown for their cybersecurity pro-grams, some experts consider UNY-Poly to be among the best programsbecause of the hands-on, mission-

critical, cybersecurity skills thestudents are gaining, writes Pear-son. Not surprisingly, these stu-dents’ job prospects are extremelygood. A 2012 report conducted bythe SANS Institute, a cybersecu-rity training organization, statedthat the Department of Homeland

Security alone needs 600 cyber-security experts, preferably

with real-world training.Across the pond, two

universities will also offer grad-uate studies in cybersecurity thisfall in support of the UK’s nationalcybersecurity program. The gov-ernment’s National Security Strat-egy classifies the cyber attack onthe same tier-one level as terror-ism. The programs are being devel-oped by Oxford University and theUniversity of London’s Royal Hol-loway, thanks to a total of £7.5 mil-

lion (approximately $86 millionU.S.) in funding from the UK’s De-partment for Business, Innovation,and Skills and the Engineering andPhysical Sciences Research Coun-cil.

The BBC reported that the Ox-ford program will study security is-sues related to big data as well as“cyber-physical security,” “the ideathat cyber security and physical se-curity need to be addressed to-gether rather than separately.” Itwill also research computer verifi-cation systems. Royal Holloway’sprogram will work with about 30businesses and organizations in thesecurity field.

According to Keith Martin,director of Royal Holloway’s Infor-mation Security Group, this “repre-sents a significantly differentapproach to research training.”


Beware the Enemy Within

Arecent study of UK organizations revealed that 83% experienceda data security issue last year. The majority (58%) of those inci-dents came from within the extended enterprise and may have

involved employees, ex-employees, or trusted partners. The study, “The Enemy Within,” was conducted by Clearswift, a

cyber-protection software company. The survey focused on the internalthreats affecting UK organizations, a contrast to most studies that havezeroed in on external threats. Most internal threats are malicious at-tempts or stem from poor business processes or human error. Clearswiftmaintains they are due largely to a lack of awareness of security policyas well as the increasing use of personal devices for work purposes.

“Combine this with the increased uptake of cloud-based tools andreliance on the extended enterprise in a collabo-rative working environment and you have per-fect security storm conditions ahead,” warnsClearswift.

Organizations need to get serious about thisinternal threat, the report concluded, especiallybecause the survey discovered that half oflocal government bodies do not have theresources to deal with the problem.

CYBERSECURITY

U.S. and UK Universities: Welcome to Cybersecurity 401


ARCHIVES

UK LibrariesBuild DigitalArchive

Six legal deposit libraries inthe United Kingdom havebegun building an archive of

digital content. Regulations werepassed in April that allow the li-braries to collect and archive suchdigital content as websites, blogs,electronic journals, and other dig-ital publications. Specifically, thelegal deposit regulations give thesix libraries the right to receive acopy of every UK electronic publi-cation, “starting with freely acces-sible websites on the .uk domain,estimated at 4.8 million websites,”reported FutureGov magazine.

The libraries will employweb-crawling soft-

ware to store

snapshots of 200-500 websitesthat have been identified as beingimportant for research. Thesesites will be harvested on amonthly or weekly basis, whileothers will be captured once ayear. Publishers will also be ableto submit their material for de-posit using a secure deposit por-tal. According to FutureGov, apilot process has been developedto collect e-books in the ePub for-mat.

The six deposit libraries in-clude the British Library, the Na-tional Library of Scotland, theBodleian Libraries at Oxford Uni-versity, and the Cambridge Uni-versity Library. The content willbe available to researchers onlineand onsite via reading rooms ateach library. Results of the firstyear’s collection efforts are sched-uled to be available to researchersby year end.

“Legal deposit arrangementsremain vitally important,” said

UK Culture Minister EdVaizey. “Preserving and

maintaining a record ofeverything published pro-

vides a priceless resourcefor the researchers of todayand the future. So it’sright that these long-

standing arrangementshave now been brought up todate for the 21st Century,covering the UK’s digitalpublications for the firsttime.”

FACTOID: Legal de-posit regulations for printpublications have been in

place in the UnitedKingdom since

1662.

CYBERSECURITY

South AfricaInstitutesAustralian iCode

South Africa recently becamethe second country to imple-ment network-level protec-

tion for end users. The InternetService Providers’ Association(ISPA), South Africa’s Internet in-dustry body, developed the volun-tary code of practice, iCode, inconjunction with Australia’s Inter-net industry, which pioneered theapproach in 2010.

According to ISPA, the codewas designed primarily to protectthe privacy of end users, not vio-late it. “The network-level scan-ning that allows ISPs to detectsigns of infected machines does notin any way involve looking at whatusers are doing online.”

The code consists of four mainelements: a notification/manage-ment system; a standardized infor-mation resource; a comprehensiveresource for ISPs to access the lat-est threat information; and amechanism for reporting back tonational security agencies in casesof extreme threat.

“By providing plain-Englishcommunication about cyberthreats, as the iCode requires,ISPs will help inform the public.They will also help customers whoare frequently infected to developsimple and effective safety strate-gies,” the ISPA says.

ISPs that have adopted thecode will display a “trust mark” ontheir websites and other materials.

According to a recent study bythe Ponemon Institute andExperian Data Breach Reso-

lution, 52% of U.S. companies haveexperienced more than one databreach in the past two years.

If your company is like theoverwhelming majority of thosethat responded to the study, there’sa great deal you can do to be betterprepared for a data breach. For ex-ample, do you require employees’mobile devices (including smart-phones and tablets) to be tested forsecurity purposes before connectingto the company’s systems? ThePonemon study found that al-though 78% of companies allowedemployees to bring their own de-vices to work, one-third don’t re-quire they be tested; another 28%are not sure if they have such a re-quirement.

Nearly half (44%) of the re-spondents said their organizationeffectively authenticates and other-wise ensures appropriate access totheir information systems. Only43% said their organizationpromptly changes network accessrights when an employee leaves thecompany. This becomes even morealarming when only one-third ofcompanies are actively monitoringfor unusual traffic and other riskindicators.

Following a breach, most or-ganizations could improve how wellthey communicate the incident totheir customers. Just 30% of com-panies actually train their cus-tomer service representatives onhow to answer questions about abreach.

“Based on the findings of thisresearch, many organizations arelosing opportunities to reduce therisk of negative opinion and loss ofcustomer trust by not focusing oncommunications with victims,” thesurvey report concluded.

Clearly there is a lot of room forimprovement in the majority ofU.S. companies. A good place tostart, according to Corporate Coun-sel, is by addressing many of thegaps highlighted here.

Cyber-liability insurance maybe advisable as well, especially forsmaller companies. Symantec re-ported in April that cyber attackson businesses with fewer than 250employees increased 31% in 2012following an 18% increase in 2011.This is testament to the reality thatsmall businesses typically don’thave adequate security infrastruc-ture for protecting financial infor-mation, intellectual property, orcustomer data.

An article in CFOmagazine re-ported that small businesses inhigh-risk industries, such as hightechnology, financial services, andhealth care, are “taking out insur-ance policies to bolster their protec-tion from the potentially crippling



How Well Prepared Are You for a Data Breach?

costs that can accompany databreaches and other cyber attacks.”

Larger organizations tend tohave a risk manager and a strongIT department to help reduce therisk and liability. Smaller compa-nies, on the other hand, may onlyhave a chief financial officer or chiefoperating officer that doubles as arisk manager.

According to Ethan Miller, anattorney at Hogan Lovells, cyber-li-ability insurance policies usuallycover costs incurred by first-partyclaims, such as the loss of trade se-crets and intellectual property.They also cover damages a com-pany pays when involved in a third-party claim. Miller told CFO thatmost policies also include business-interruption coverage in case of adenial-of-service attack wherebythe insurance company would pro-vide payment reimbursement forexpenses related to such an attack.Such costs, he said, “can sometimesbe a life-or-death issue for smallercompanies.”

Cyber-liability insurance poli-cies are not a solution; they are onlya way of minimizing the financialdamage. Companies still need todiligently manage their cybersecu-rity risk, including implementingsound data-protection protocolsand employee education. “[T]he in-surance company is going to de-mand you take these protections aspart of the application, so as a prac-tical matter you can’t become com-placent or you’ll violate the policy,”Miller stressed.


PII

Millennials: Online Privacy Is Dead

Anew study by the University of Southern California (USC) suggeststhe Millennial generation (ages 18 to 34) has a concept of privacydifferent from that of their parents and grandparents.

Millennials are more willing to allow companies to track them or ac-cess their personally identifiable information (PII) if they re-

ceive some benefit, such as coupons. Indeed, 51% ofMillennials said they would share PII with compa-

nies as long as they got something in return; 40%of those older than 35 felt the same way. Theyounger respondents are also more open to tar-geted advertising and, not surprisingly, aremore active on social media than their elders.

“It’s not that they don’t care about [onlineprivacy] – rather they perceive social media as

an exchange or an economy of ideas, where shar-ing involves participating in smart ways,” said

Elaine Coleman, managing director of media andemerging technologies for Bovitz, the research firm that con-

ducted the survey with USC.

INFORMATION TECHNOLOGY

Britain’s MI5 Scratches New DigitalRM System

MI5, Britain’s top intelli-gence agency, abandonedits multi-million dollar IT

project that would have integratedintelligence data and analysis acrossall the government departmentsthat feed into the agency. The proj-ect goal was to make the agency bet-ter equipped to deal with new globalsecurity threats.

The new system would havepulled together intelligence gather-ing and searches of paper archivesusing the latest digital technologyby the beginning of the 2012Olympics in London. Despite the adding of IT experts and the hiring of ateam of expensive consultants, the project floundered, leaving the agencywith its outdated system. The Inquirer reported that earlier this year theproject was re-evaluated and the decision made “to admit failure and re-start with a new generation of IT specialists,” a decision that is estimatedto result in losses of £90 million (more than $1 billion U.S.).

Before leaving his position, Sir Jonathan Evans, MI5’s former direc-tor general, reportedly told the Commons Intelligence and Security Com-mittee that the project’s delay was acceptable as the system was noturgently needed.


CYBERSECURITY

U.S. Navy IsSerious AboutCybersecurity

Despite budget cuts and thesequester and other fund-ing obstacles, the U.S. De-

fense Department’s cyberprogram has continued unabated,according to Admiral JonathanGreenert, the chief of naval oper-ations, who spoke to Reuters.

“The level of investment thatwe put into cyber in the depart-ment is as protected or as focusedas it would be in strategic nu-clear,” Greenert said. “It’s rightup there in the one-two areaabove all other programs.”

The effort makes sense, con-sidering how heavily the U.S.Navy depends on computer net-works and satellites to coordinatepersonnel, ships, and planes.

“Many people who look at thefuture of warfare say it’s bound tostart in cyber. The first thingyou’d want to do is shut downtheir sensors, interrupt theirpower grid, confuse them…andpresumably guard against thatkind of thing and recognize it ifit’s starting,” he added.

Greenert’s comments came

shortly after the Pentagon filedits report with Congress that ac-cuses China of trying to breakinto U.S. defense computer net-works. In addition to China,Greenert said Iran has a “delib-erate and emerging” cyber capa-bility, Russia is “very advanced,”and North Korea is in the “devel-opment stage.”

As part of its contingencyplanning in case of a seriouscyber or physical attack on mili-tary and intelligence satellites,the Navy is looking at using high-frequency relays employed dur-ing the Cold War. The energyblasted from ships by radar andsatellite is like a beacon, the ad-miral explained. Reducing theelectronic signature is a key partof the Navy’s cyber strategy.

Using radar in targeted pat-terns, changing frequencies, andshorter pulses are also part of theplan, along with shutting downthe systems quickly when in“mission control mode.”

“It’s like quitting smoking,”Greenert said. “You’ve got tolearn to get off this addiction toconstant information to and from.Going off the grid can be a goodthing.”

PII

Australian PrivacyCommissioner:Get Ready Now

Australian businessesand government agen-cies need to get seri-

ous about privacy, warnedthe nation’s privacy commis-sioner and attorney general.

A recent survey conductedby McAfee revealed that 59%of the employees responsiblefor managing customers’ per-sonally identifiable informa-tion (PII) were unaware orunsure of the changes

contained in the Australian Pri-vacy Act. The new regulations,which become effective nextMarch, levy large fines –$340,000 for individuals and $1.7million for corporations – if con-sumer PII is not adequately pro-tected.

The privacy commissionerand attorney general havewarned businesses that theyneed to prepare now for the im-pending changes, reportedZDNet.

Honorary Associate ProfessorTerry Beed, from the Universityof Sydney Business School, as-serts that a lot of consumer infor-mation is being gathered byresearchers in a way that doesn’tmeet the code that governs datacollection. Market research toolsare readily available to individu-als or firms who have no back-ground in market and socialresearch and therefore may notuse the data correctly or ethi-cally.

“The ground is changingunder our feet,” said Beed. “Therehas been an explosion in theamount of personal data beinggathered in the digital environ-ment, and it has revolutionizedthe way we go about marketinggoods and services.”


INFORMATION TECHNOLOGY

Data Management New Top IT Concernfor Accounting Pros

According to a recent study, managing and retaining data rose to thetop of the list of IT concerns for accounting professionals in theUnited States and Canada. Second on the list for both countries is

securing the IT environment, which had been the primary concern citedfor the previous nine years.

These were the key findings of the 2013 North America Top Technol-ogy Initiatives Survey conducted by the American Institute of CertifiedPublic Accountants (AICPA) and the Charter Professional Accountants ofCanada (CPA Canada). Nearly 2,000 accounting professionals participatedin the survey, which was designed to “dive further into the core concernsand priorities” that AICPA members have regarding IT. This was the firstyear the survey was conducted jointly in the United States and Canada.

“While survey respondents see data as a key differentiator for busi-nesses, they are less confident in their organizations’ ability to success-fully address several underlying technology priorities than they were ayear ago,” according to AICPA’s press release announcing the results of thestudy. Last year, the majority of U.S. respondents reported they were suc-cessfully meeting goals in eight of 10 top initiatives; this year, it was onlytwo initiatives – data management and security.

“The good news is that accounting professionals in both the UnitedStates and Canada feel comfortable in handling what they view as theirtwo top priorities for [2013] – data management and IT security,” saidJeannette Koger, director of member specialization and credentialing forthe AICPA.

Ranking of Top Technology Initiatives, U.S. and Canada (Percentage shown is respondents’ confidence level for successfully addressing this priority)United States

1. Managing and Retaining Data (55%)

2. Securing the IT Environment (51%)

3. Managing IT Risks and Compliance (47%)

4. Ensuring Privacy (45%)

5. Managing System Implementation (44%)

6. Preventing and Responding to Computer Fraud (44%)

7. Enabling Decision Support and Analytics (37%)

8. Governing and Managing IT Investment and Spending (38%)

9. Leveraging Emerging Technologies (27%)

10. Managing Vendors and Service Providers (47%)

Canada

1. Managing and Retaining Data (57%)

2. Securing the IT Environment (56%)

3. Enabling Decision Support and Analytics (33%)

4. Managing IT Risks and Compliance (57%)

5.Governing and Managing IT Investment and Spending (38%)

6. Ensuring Privacy (53%)

7. Managing System Implementation (47%)

8. Leveraging Emerging Technologies (22%)

9. Preventing and Responding to Computer Fraud (47%)

10. Managing Vendors and Service Providers (42%)

Source: AICPA and CPA Canada’s “2013 Top Technology Initiatives Survey”

Amazon Apple AT&T Comcast Dropbox Facebook FourSquare Google LinkedIn Microsoft MySpace Sonic.net SpiderOak Twitter Tumblr Verizon WordPress Yahoo!


PRIVACY

Apple’s Privacy Headache Intensifies

Apple is taking heat for itsprivacy policy in both Ger-many and the United

States. On April 30, a Berlin courtruled that Apple’s privacy policy vi-olates Germany’s privacy law.Apple must either change its policyor appeal the decision.

In 2011, the Federation of Ger-man Consumer Organisations(VZVB) accused Apple of “unfaircontractual clauses” in its privacypolicy, according to PCWorld.com.The company eventually changedfive of the 15 clauses that werecited by VZVB, but the federationwas not satisfied. In 2012, VZVBfiled a lawsuit against the softwaregiant. In response, Apple commit-ted to changing two additionalclauses, but the VZVB contendedthe policy still violated Germanlaw. The court agreed.

Apple’s German privacy policy,which is similar to the U.S. policy,gives the company broad and un-specified use of customers’ private

information. It also allows Apple touse the personal information forthe issuance of gift cards. Germanlaw, however, requires that a com-pany advise customers of exactlywhat personal information wouldbe used and for what purposes.

As of press time, Apple had notcommented on whether it wouldappeal the decision or change itspolicy accordingly.

Meanwhile, in the UnitedStates, privacy watchdog groupElectronic Frontier Foundation(EFF) blasted the technology giantfor its lack of transparency with itsprivacy policies. According to theEFF, Apple could be freely givingup user information to the govern-ment. Apple was one of four com-panies the EFF cited for its lack oftransparency; the others wereAT&T, Verizon, and MySpace.

EFF cited the four after evalu-ating 18 companies on six criteria: • Whether a warrant was required

for content of communications

• Whether the firm tells usersabout government data requests

• The availability of publishedtransparency reports

• Published law enforcementguidelines

• A public record of fighting foruser privacy rights in the courts

• Whether the firm supports effortsin Congress to protect privacyrights

The news for Apple wasn’t allbad, though. EFF recognized it andAT&T for being members of theDigital DueProcess coalition,a group that ad-vocates for userprivacy issuesin Congress.Only Twitterand Sonic.netreceived goldstars for allsix criteria.END

Requires a Tells users Publishes Publishes law Fights for Fights forwarrant for about gov’t transparency enforcement users’ users’ content data reports guidelines privacy rights privacy rights

requests in courts in Congress

Who has your back?

Source: Electronic Frontier Foundation “Who Has Your Back?” reports: 2011, 2012

MOTIVATE!

EDUCATE!

THE PREMIER EVENT IN INFORMATIONGOVERNANCE BROUGHT TO YOU BIGGER,BETTER, AND MORECOLORFUL!

· Catch FRANK ABAGNALE at the Opening General Session

· TECHNOLOGY IN THE SPOTLIGHT will focus on businesssecurity for information governance professionals

· NEW! Featured Track Sessions

· NEW! Lunch with the Experts

· EDUCATION TRACKS for Technology Solutions, Business Value, and Legal and Compliance

· Find your SKILL LEVEL to tailor the conference experience YOU need

· A Town Hall Meeting with THE SEDONA CONFERENCE®

· Take advantage of PRE-CONFERENCE SESSIONS

VIVA!ARMALASVEGAS2013Conference & Expo, October 28-30The Venetian Congress Center

Register today! www.arma.org/conference

ARMA LIVE! Conference & Expo 2013offers inspiring speakers to MOTIVATE,the best in the business to EDUCATE, and cutting-edge best practices andtechnology tools to STIMULATE your quest for career growth. Here are afew highlights for you to look forward to:

STIMULATE!· See the industry’s EMERGING TECHNOLOGIES at the ARMA Expo

· Cheer on colleagues at the AWARDS LUNCHEON

· The 2013 WELCOME PARTY is a Venetian masquerade

· PUB CRAWL cocktail reception on the Expo Hall Floor

· A perennial favorite, the CANADIAN PARTY

SAVE $100with the Early Bird Discount!

FULL CONFERENCE REGISTRATION $1,199 $1,099 $1,449 $1,349

Want to save even more? See how when you register at www.arma.org/conference.

Register by Sept. 16 Member Non-Member

WE’RE WHEELIN’ AND DEALIN’ UNTIL SEPTEMBER 16!


Making an action plan that addresses the infrastructure limitations and the regulatory,legal, social, and cultural boundaries and norms of the countries where an enterprisewishes to expand is critical to successfully implementing information technologies globally.

John T. Phillips, CRM, CDIA, FAI


mplementing technology-based information manage-ment (IM) systems can be a nightmare. Yet, candid ven-dors of IM systems will be very clear that how thetechnology is implemented is at least as important toits success as the product’s capabilities; complete accessto all of the product’s features is required for the organ-

ization to fully realize its benefits. Technical issues are to be expected; implementing a

new technology may require operating systems upgrades,software integrations, accurate data migrations, and moremodern hardware or networking infrastructures.

Well-known human factors to be attended to includetraining for the application interface, planning for the sys-tem rollout, and gaining buy-in for organizational adoptionof the technology.

All of these issues must be thoroughly addressed to getmaximum return on investment from any system imple-mentation. And, extending an implementation to interna-tional business environments will compound thesechallenges.

ture to support electronic records management.As another example, the authors of The Global In-

formation Technology Report 2013 – Growth and Jobs ina Hyperconnected World write that “Asia is home tosome of the world’s wealthiest, most successfuleconomies in the world and also to some of its poorest.Unsurprisingly, a similarly profound diversity charac-terizes Asia’s digital landscape, thus making it impossi-ble to draw a uniform picture of the region. The mostdigitized and innovative nations – the Asian Tigers – onthe planet are next to some of the least-connected ones.Nowhere else does the regional digital divide run asdeeply as it does in Asia.”

Locating Servers/DataIf an international enterprise wants to share data

among employees in U.S., European, and Asia/Pacificcountries, it may be a challenge to decide where it lo-cates the servers, software, and data.

Most businesses are not comfortable with public dis-

I

… implementing a new technology may require operating systems upgrades, softwareintegrations, accurate data migrations, and more modern hardware or networking infrastructures.Technology Infrastructure Issues

Implementing “global technology” – any informationprocessing and storage technology that can reach acrossgeopolitical boundaries – throughout an internationalenterprise can make both the goals and the impedi-ments to achieving those goals vastly more complex.

Determining Network ReadinessInternational network readiness is critical to information

technology implementation and varies drastically amongregions and jurisdictions.

In many geographic locations, there is an absence ofnetworking infrastructure, supportive technology ven-dors, or trained personnel. Organizations must deter-mine whether it is best to send trained individuals tosites where servers and applications will be located orto train local individuals in IT systems maintenance.

The correct decision may depend on whether thereare trained and educated individuals in that location al-ready who can receive additional training to become sys-tem administrators. How these questions are answeredcan have a major impact on system performance.

Unfortunately, the implementation of these tech-nologies is very inconsistent around the globe. For in-stance, India is a good example of a country whererecords are valued, but it is swamped in managing paperrecords, due in part to a lack of technology infrastruc-

cussion of these issues in great detail. However, in “offthe record” talks, some admit they often segment datain database applications so that specific data will bestored in a distributed manner across different serversto allow compliance with the laws and regulations gov-erning the origin of that data.

The unfortunate consequence of that approach isthat some data may not be seen in the results of queriesinitiated from locations that do not share a mutuallyagreed-upon understanding of the compliance regula-tions of the country where the data is stored.

More common is that many enterprises separateboth data and applications so there are fewer technicalcomplexities. It is easier to generate reports that arecountry-specific based on the origin of the data in thereports and then subject the reports themselves to com-pliance scrutiny. Thus, U.S., European Union (EU),China, India, and Middle Eastern business locationsmay have different servers, applications, and databases.

In addition, operating systems and applications oftenare implemented in different languages. The very defi-nition of a record, a document, and data can vary amongcultures, as can the concepts of responsible recordkeep-ing. It can be easier to avoid too many interpretations oflanguage and culture across political and regional influ-ences by having data stored in a particular country ac-cording to its customs, linguistic nuances, and laws.


Using the CloudThere is much discussion today about processing and

storing information in “the cloud.” For instance, usingGmail, Google Docs, or similar services typically meansconfiguring an application and data storage space on a re-mote disk drive accessible over an Internet connection thatappears as an extension of a local computer.

According to the Google website’s “Google Apps forBusiness,” “Google Apps is a cloud-based productivity suitethat helps you and your team to connect and get work donefrom anywhere on any device.” Note that it says “any-where.” Although users are expected to conform to local se-curity policies and electronic records retention rules fortheir work environments, it may be difficult to implementthose policies and practice those procedures in cloud envi-ronments where the organization has little control overdata storage and access.

financially and legally responsible for compliance.Unfortunately, that is not the case in many other coun-

tries, where there are growing problems with softwarepiracy and copyright violations despite occasional well-pub-licized prosecutions. Software piracy is an internationalconcern, especially regarding western-created software inuse in China.

Kenneth Rapoza, in his July 22, 1012, Forbes article “InChina, Why Piracy Is Here to Stay,” wrote,“Piracy goesback to the China world view that individual rights don’tmatter. The courts have never evolved to protect innova-tive individuals.”

Microsoft CEO Steve Ballmer was quoted in a January21, 2011, Network World article as saying that “90% of Mi-crosoft software users in China didn’t pay for it.”

So, if an organization decides to expand its scope of busi-ness where there are cultural and legal system barriers to

… it may be difficult to implement … policies and … procedures in cloud environmentswhere the organization has little control over data storage and access

basic trust and accountability, it should not expect its ownintellectual and corporate properties to be respected.

Similarly, where there is not a uniform set of legal andregulatory expectations for hardware, software, and net-working systems operations and ownership, the organiza-tion may have difficulty protecting the data in its ownservers and systems.

If an organization is planning to expend capital and re-sources where the technology assets may be at risk, it maybe unable to convince investors, customers, and decision-making executives that an implementation will be suc-cessful.

Information Use IssuesIt’s one thing to worry about the consequences of in-

vesting in hardware and software infrastructure to be usedinternationally by employees, but it’s another matter en-tirely to be concerned about how those employees createand share content within those systems.

Because countries have varying perspectives about in-formation and records, they will have varying attitudes to-ward personal and business information that is stored incomputers and transmitted across networks. In addition,what is permissible in some countries and cultures may beunsupported or a violation of others’ laws.

Transmitting Info Across BordersOf particular interest is the matter of storing and trans-

mitting data within communications systems and largedatabases, especially with respect to transmitting infor-mation across international political borders. Because at-titudes and regulations on the use and privacy of personally

Dealing with Big DataIT systems’ architectural dilemmas with storage com-

munications or the location of servers can wreak havocwith new software technologies that support concepts like“big data.” The very essence of big data technology is tocross-search databases and derive meaning from data ac-cumulations from many sources by using advanced searchalgorithms to analyze information.

In fact, big data is often used to detect trends in cus-tomers or markets and, therefore, it can be particularly fo-cused on personally identifiable data, thus running afoul ofconflicting information governance statutes.

Clear understanding of the data and the metadata usedto describe big data database content is critical, as is know-ing precisely where each data element is stored. Unfortu-nately, Internet domain extensions, such as .us, .ca, or .eu,cannot be relied upon because computers do not always rec-ognize regional boundaries even when these domain ex-tensions are present, and the unscrupulous can deviseways to circumvent these limitations.

Protecting Intellectual PropertyThe growing challenge of software piracy is a good ex-

ample of the starkly different perspectives among countriesabout technology use. Most individuals in western, eco-nomically well-developed countries understand and gener-ally respect the system use requirements specified insoftware manufacturers’ end user license agreements(EULAs), which users must accept for the software to beactivated. Because these are contractually binding agree-ments, individuals in western nations generally pay at-tention to these “boundaries.” They know they can be held


ally think about their content with respect to their own in-formation management, governance, or security policies.Rarely do they consider the receivers’ information man-agement policies or their countries’ laws or regulations – orthat these messages could be re-transmitted and used in-ternationally far beyond their original intent.

Complying with End-User AgreementsAlthough software EULAs do not typically contain

clauses that limit the content type and nature of the infor-mation that is created or stored, acceptable use policies(AUPs) for remote computing platforms, such as those of-fered by Google, Facebook, and other social media vendors,often impose limits.

These AUPs do not typically garner a high level of at-tention and compliance by end users, who often feel theycan create and share “their” information any way theywant. These free and freewheeling information-creationand -sharing environments often seem to encourage per-sonal expression and communication with few restrictions,in stark contrast to the limitations described by the AUPs.

For instance, the first three of eight restrictions inGoogle Cloud Platform’s AUP are:

“Customer agrees not to, and not to allow third parties(including End Users) to use the Services:• to violate, or encourage the violation of, the legal rights of

others (for example, this may include allowing End Usersto infringe or misappropriate the intellectual propertyrights of others in violation of the Digital MillenniumCopyright Act);

• to engage in, promote or encourage illegal activity;• for any unlawful, invasive, infringing, defamatory or

fraudulent purpose (for example, this may include phish-ing, creating a pyramid scheme or mirroring a web-site);…”

Users in various countries will have different interpreta-tions about what “illegal activity,” and “violate, or encouragethe violation of, the legal rights of others” mean. It may notbe clear to them whether these terms are defined accordingto U.S. law (where Google’s corporate headquarters is located)or according to the laws of the country where the employeesand customers reside or use these technologies.

These matters make it clear that it’s crucial to retainexpert counsel who speak the language, understand thebusiness environments and cultural norms, and can assistdirectly in disputes within the legal and regulatory frame-works of the countries that would be a part of the expandedenterprise.

Rolling out information technologies requires a consen-sus from the parties involved that these risks will be ad-dressed during implementation so misunderstandingsabout the appropriate use of technology are few. Having in-dividuals to represent an organization overseas who have“boots on the ground” can be invaluable.

Making a Global TechnologiesAction Plan When enterprises are moving business processes over-seas or planning to take advantage of foreign operationsites and employees, a specific plan to addressinternational IM technology implementation issues will becritical to the success of those initiatives. Technologies,IM policies, applicable laws, regulations, and culturalnorms must be evaluated by a cross-enterprise team ofinformation users, compliance experts, and ITprofessionals. Consider taking these actions:

1. Identify and technically characterize the extent andspecific infrastructure of each technology to be used,such as e-mail and social media.

2. Identify the locations where data may be stored orshared among users and characterize the content.

3. Identify the applicable laws, regulations, IM standards,and cultural norms that may have an impact on recordsmanagement or technology use in the countries ofinterest.

4. Identify records management consultants and servicevendors with experience and existing services in thecountries of interest.

5. Identify law firms with international legal systemexpertise that are familiar with relevant laws, regulatoryguidelines, and cultural expectations.

6. Create a matrix of these factors.

7. Form a technology implementation team whereinindividuals take responsibility for creating portions of aglobal technology implementation compliance plan thatwill address all issues.

identifiable information vary dramatically among coun-tries, some organizations maintain separate servers andnetworks in an attempt to identify and manage informa-tion appropriately within specific geopolitical boundaries.

In addition, communications media, such as e-mail, textmessages, and social media, enable cross-border data flowsand data storage at the initiation of computer users whooften have little knowledge of the end use or storage locationof the information they are creating and transmitting.

When people create e-mails or text messages, they usu-


Protecting Information PrivacyPosing particular dangers during international imple-

mentation of technologies are the varying cultural andgeopolitical infrastructures that bear on information cre-ation, storage, and use.

A good example is the extreme difference between Eu-ropean and U.S. laws on the privacy and control of per-sonal data. U.S. citizens have little control and voice inenterprises’ use and reuse of their personal data for busi-ness purposes, whereas there are strict rules in Europe onthe use of personal information for commercial purposes.

The EU is subject to Data Protection Directive95/46/EC that protects individuals with respect to the col-lection, processing, and storage of data. It strives to achievea comprehensive balance between protecting personal dataand allowing the free flow of information within the EU.Europeans are often concerned with how data created inthe EU could eventually be transmitted to the UnitedStates and misused according to EU regulations.

That is because U.S. laws tend to regulate the use ofpersonal information only in specific circumstances. Forinstance, the Privacy Act of 1974 protects informationgathered on individuals working within the federal gov-ernment framework, but it does not apply to the privatesector. The Health Insurance Portability and Accountabil-ity Act (HIPAA) governs restrictions on health informa-tion, but it is focused primarily on medical records. And,the Gramm-Leach-Bliley Act governs how financial insti-

tutions create policies to share data about customers be-tween those businesses.

Obviously, it can be difficult to determine how to inte-grate and navigate all of these overlapping or conflictinglegal and regulatory mandates. So a U.S.-EU Safe HarborDirective was developed by the U.S. Department of Com-merce and the European Commission to bridge “differencesand provide a streamlined and cost effective means for U.S.organizations to satisfy the (EU) Directive’s ‘adequacy’ re-quirement.”

If an organization is going to do business in Europe, ei-ther by creating data there or creating it in the UnitedStates and exchanging it across national boundaries, itmust be able to comply with the requirements of the busi-ness environment.

Planning for SuccessAll of these factors have a direct impact on the manner,

means, and feasible extent of implementing technologiesacross international enterprises. Organizations must ad-dress the types of risks described above to negotiate the im-plementation hurdles that can arise. Planning thoroughlyto address the expanded enterprise challenges of interna-tional projects is critical to achieving success in imple-menting information technologies globally. END

John T. Phillips, CRM, CDIA, FAI, can be contacted [email protected]. See his bio on page 47.

Your Connection to RIM Products and Services

BUYER’S GUIDEONLINE!Whether you’re looking for a software solution, recordscenter, or archiving supplies the Records and InformationManagement Buyer’s Guide is the place to start.ARMA International’s online listing of solution providers putsthe power of purchasing at the click of your mouse.

www.arma.org/buyersguide


Accelerating out of the

Recession:New Approaches to Executing RIM Program Strategies The volume, velocity, variety, and value of informationassets organizations are creating and receiving providea platform for information governance professionalsto step up to a more strategic leadership role.

Bruce W. Dearstyne, Ph.D.

he recession is ending, the economy is recovering, and enter-prises are bouncing back. The future looks promising – par-ticularly for records and information management (RIM)program leaders who are willing to try nontraditional ap-proaches to meeting the challenges posed by the current “dis-ruptive” forces in information management.

Challenges of the Disruptive, Digital Age In “Top 10 Technology Trends Impacting Information Infrastruc-

ture, 2013,” Gartner Inc. describes several of these disruptiveforces, including big data, an expanding information infrastruc-ture, and new strategies for assigning value or risk to informationassets.

The report stresses there are big opportunities and risks goingforward: “Significant innovation continues in the field of infor-mation management (IM) technologies and practices driven bythe volume, velocity and variety of information, and the hugeamount of value – and potential liability – locked inside all this

T

that data can provide.” According to Mellon, the leader

has no safety net and needs to knowwhen to take risks, make tough de-cisions, ensure implementation, andassume responsibility if things gowrong. Being quicker and more fluidin making decisions will pay off.“Whereas some dither, you move toaction,” she writes.

Build Resilience into Programs. The recession has also pro-

vided insights through experienceabout cushioning against and bounc-

ungoverned and underused informa-tion.”

Additionally, the report empha-sizes that “practically all informa-tion assets must be available fordelivery through varied, multiple,concurrent and, in a growing num-ber of instances, real-time channelsand mobile devices.” Because ofthese ongoing “disruptions,” it’smore important than ever to be ableto share and repurpose informationfor “multiple context delivery anduse cases,” the report suggests.

Taking non-traditional ap-


on the impact of the program and itsservices, and they build pride thatcan help sustain the program inhard times.

• They foster a culture of experimen-tation and innovation that predis-poses people toward trying newthings in hard times.

• They practice what Resilience calls“adhocracy,” which is characterizedby “informal team roles, limitedfocus on standard operating proce-dures, deep improvisation, rapid cy-cles, selective decentralization, theempowerment of special teams, anda general intolerance of bureau-cracy.”

• They prepare staff members for diffi-cult times by providing training thatencourages people to imagine possi-bilities, display inventiveness in prob-lem solving, and develop alternativeswhen traditional approaches arethreatened or curtailed. When faced with adversity, they

resist the temptation to hunkerdown or retreat. They develop plansfor fighting cutbacks. If budgets arecut, they present a clear sense of pri-orities and a plan for reducing pro-grams in a way that focuses onessentials, minimizes reductions toessential services, and cushions im-pact on staff.

Develop Effective Strategies. Mission and vision statements

are essential, experts agree, but it cantake too long to develop and refinethem. In the meantime, particularly intimes of fast-paced change, unforeseenopportunities may have passed, or un-foreseen crises may have arrived. A.G.Lafley and Roger Martin in Playing toWin suggest we move faster by short-ening discussions of mission and vi-sion, reducing lengthy planning, andfocusing more on strategy, “an inte-grated set of choices” that positions theorganization to “create sustainable ad-vantage and superior value.” This bookand other recent literature describestrategy on a fast track:

1.

Taking non-traditional approaches to theseven traditional strategies describedbelow will help RIM programs adapt to,

and shape, this complicated future.

2.

3.

ing back from adversity and unan-ticipated events. In the book Re-silience: Why Things Bounce Back,authors Andrew Zolli and AnnMarie Healy define resilience as“the capacity of a system, enter-prise, or a person to maintain itscore purpose and integrity in theface of dramatically changed cir-cumstances.”

Resilience varies from program toprogram, but resilient enterpriseshave these traits:• They proactively monitor their en-

vironments, seek out potentiallydisturbing information, identifypotential disruptions, and look forearly warning signals that theprogram may not be meetingstakeholder expectations.

• They build in flexibility and safe-guards against disruption, suchas redundant systems, full staf-fing levels, robust IT systems,and backup capacity for storingrecords.

• They promote a culture of sharedpurpose and values that focuses

proaches to the seven traditionalstrategies described below will helpRIM programs adapt to, and shape,this complicated future.

Apply a High-Visibility, Decisive Leadership Style.

Until recently, many leadershipauthorities encouraged a deliberate,extensively consultative style. Theleader, they proclaimed, needed tobuild consensus and be sure all is-sues were resolved, resourcesaligned, and stakeholders fully sup-portive before taking action.

Newer literature, more attuned tothe fast-changing, post-recessionworld, advises less consultation anddeliberation and more accelerateddecision-making, even when the ev-idence is incomplete or ambiguous.In fact, the more innovative the pro-gram, the less likely it is to have in-controvertible evidence beforedeciding whether to change course.

“Eat the uncertainty,” advises LizMellon in Inside the Leader’s Mind,and beware of “the spurious comfort

Feature Traditional Lean

Strategy Business plan Business modelImplementation-driven Hypothesis-driven

New-product process Product management Customer developmentPrepare offering for market Get out of the office following a linear, step-by-step plan and test hypotheses

Engineering Agile or waterfall development Agile developmentBuild the product iteratively or fully Build the product iteratively and specify the product before building it incrementally

Organization Departments by function Customers and agile development teamsHire for experience and ability Hire for learning, nimbleness, and speedto execute

Financial management Accounting Metrics that matterIncome statement, balance sheet, Customer acquisition cost, lifetime cash flow statement customer value, churn, viralness

Failure Exception ExpectedFix by firing executives Fix by iterating on ideas and pivoting

away from those that don’t workSpeed Measured Rapid

Operates on complete data Operates on good-enough data

What “Lean Startups” Do Differently Organizations that follow the “lean startup” approach take a view that differs from traditional ones. The following chart illus-trates these changes. Developed by Steve Blank, it appears in “Why the Lean Start-Up Changes Everything,” Harvard BusinessReview, May 2013.


than beginning with a business plan,they start with the search for a model.Quick rounds of experimentation andfeedback reveal what works. Thenewer approaches emphasize breakinglarge projects into smaller ones, bring-ing in new ideas, experimenting,adapting, using what works, andlearning quickly from unsuccessful ini-tiatives.

Eric Ries in The Lean Startup em-phasizes shortened development cy-cles, extensive customer engagement,and continual feedback in the develop-ment of new services and products.The book advances these two concepts:1) validated learning, which means totry an initial idea and quickly measureit to see if it moves toward the goal of

• Develop a “winning aspiration” – aconcise statement of what the pro-gram seeks to be and what “win-ning” or success will look like.

• Define the distinct or unique valuethe program offers – what it doesthat no one else can do, and why thatis important. For RIM programs,that might be risk management,legal defensibility, cost savings, ororganization of records and informa-tion for quick access.

• Define issues, but don’t get boggeddown. Move quickly to define two ormore mutually exclusive optionsthat could resolve each issue. Thatmoves the discussion to strategiesand solutions rather than problemsand obstacles.

• Specify the conditions for success.For each possibility, what must betrue for it to be strategically sound?

• Test for feasibility, distinctiveness,and customer satisfaction on smallpilot projects, if possible.

• Identify barriers and obstacles.• Determine what management capa-

bilities and systems are required.

Speed up Innovation. Traditional project management

often involves substantial projects, ex-tensive planning, intensive manage-ment, and strict definitions of success:on time, within budget, and withinproject specifications. Newer ap-proaches are more pragmatic, improv-isational, iterative, and faster. Rather

4.

capabilities and limitations.• Conduct discussions of key issues

that need decisions by bringing indiffering viewpoints, encouragingspirited, constructive debate, andrespecting dissenting opinions.Staff and customers are key par-ticipants, but involving otherareas, such as IT, counsel, andmedia, may bring in fresh per-spectives.

• Keep goals in mind, but encouragediscussion of new ways of reachingthem. Judgment Calls describesthis as “following a strong compassbut often in unpredictable andeven nonlinear ways.”

Monitor and Adapt CIOs’Strategies.

RIM programs are not alone ingearing up for the volatile post-re-cession, information-centric world.They can learn from others who arebeing buffeted by the winds ofchange, especially chief informationofficers (CIOs). There is a naturalconnection – some RIM programs

make everyone feel engaged (at-tached to the program, willing togive extra effort), enabled (empow-erment is the norm; initiative is val-ued), and energized (having a senseof well-being and drive).

Use a ‘Culture of Participation.’ Staff input is essential for fast-

paced, customer-focused innovation,but Thomas Davenport and BrookManville in Judgment Calls advocategoing further to get the best solutions.Leaders need to make decisions in atimely way, they explain, but often thisinvolves creating processes and sys-tems for finding the best means ofquickly gathering and processing in-formation.

The book recommends “the powerof leveraging colleagues, partners,and ‘networks of learning,’ tradingaway absolute power and hierarchyfor more facilitative leadership thatengages a broader and diverse mindfor the challenges of today’s morecomplex business environments.”Tactics include:

5.


building a sustainable program; and2) to pivot, or make a “structuredcourse correction designed to test anew fundamental hypothesis aboutthe product [or] strategy.”

Peter Sims recommends “little bets”– discrete “concrete actions taken todiscover, test, and develop ideas thatare achievable and affordable.” Thesecan result in “small wins” you canbuild on and extend, or “failingquickly to learn fast” from small, ex-perimental projects. You can then usethe insights to modify the idea or trysomething entirely different. (For ad-ditional perspectives, see the sidebar“What Lean Startups Do Differently.”)

RIM programs that are agile andadaptive need motivated and empow-ered staff. Leaders need to solicitideas from employees who interactwith customers every day and, there-fore, are in the best position to discernemerging needs and opportunities.

Additionally, since RIM programmanagers cannot anticipate everyeventuality, it is useful to empowerstaff to make on-the-spot decisionsand use workarounds to meet cus-tomer needs. Hiring employees whoare inclined toward innovation is anessential prerequisite. Setting cleargoals and empowering people to reachthem – by allowing a fair amount ofleeway in how they do their work –are helpful tactics.

Teresa Amabile and Steven Kram-er’s book The Progress Principle ex-plains that “a sense of progress” is akey motivator. On days when work-ers sense they’re making headway orwhen they receive support that helpsthem overcome obstacles, their emo-tions tend to be positive and theirdrive to work even harder is high. Ondays when they feel they’re wastingtheir time, encountering roadblocks,or fighting red tape, their motivationand engagement tend to be the low-est. Amabile and Kramer advisemanagers to clarify goals, ensurethat workers’ efforts are properlysupported, use minor problems and

setbacks as learning opportunities,and provide positive feedback andrecognition.

Adrian Gostick and Chester Eltonin All In advance the idea of “a cul-ture of belief” that includes articu-lating a “burning platform” coremessage about the urgency of thework, treating staff as colleaguesand talented partners rather thanemployees, broadly sharing informa-tion, establishing accountability,and continuously expressing appre-ciation and recognition.

They advise leaders to aim to

• Define goals in ways that are quan-tifiable, where possible, and usedata and analytics to make deci-sions.

• Identify model programs and bestpractices by monitoring blogs, so-cial media, and other electronicdiscussion formats.

• Engage customers in more exten-sive and creative ways through di-alog, recognizing they may find itchallenging to articulate theirneeds in the complicated informa-tion arena, and they may need ex-planation of the program’s

6.

Setting clear goals and empoweringpeople to reach them – by allowing a fairamount of leeway in how they do theirwork – are helpful tactics.


are in CIOs’ offices, and many workwith CIOs on a daily basis. SomeCIO strategies are worthy of emula-tion, such as visibly supporting en-terprise goals, demonstrating valueat the CEO level where it may beunder-appreciated, and cooperatingwith other offices in pushing theircompanies into new customer, prod-uct, and service areas. CIO magazine’s 2013 “State of the

CIO Survey” highlights the need toalign with enterprise goals, marketthe IT department to give the busi-nesses a better idea of its capabili-ties, and position the office as abusiness peer that develops, not justenables, business strategy.

This entails pushing the programinto new areas with new partner-ships in support of evolving enter-prise priorities. Gartner’s “2013 CIOAgenda” notes that “IT must adaptby extending its role in the enter-prise … hunt for new digital busi-ness opportunities, and harvestvalue from business process changesand extended products/services.”Likewise, RIM programs must huntfor new opportunities.

Stepping up to the Challenge RIM programs are well positioned

to capitalize on the growing impor-tance of digital information in busi-ness, education, government, andthe lives of individuals. They havestrong capabilities in issues that areincreasing in importance, such as re-tention and disposition of records,legal applications, risk manage-ment, and privacy.

But RIM programs should expect– and welcome – change, sometimesgradual and incremental and othertimes rapid and transformational.Leading that change in a positiveway is one of the greatest challenges– and opportunities – we face. END

Bruce W. Dearstyne, Ph.D., can becontacted at [email protected] his bio on page 47.

Recent Useful Leadership BooksAmabile, Teresa and Steven Kramer. The Progress Principle: UsingSmall Wins to Ignite Joy, Engagement, and Creativity at Work.Boston: Harvard Business School Publishing, 2011.

Baldoni, John. Lead With Purpose: Giving Your Organization aReason to Believe in Itself. New York: Amacom, 2012.

Andersen, Erika. Leading So People Will Follow. Hoboken, NJ: JohnWiley & Sons, 2012.

Collins, Jim and Morten T. Hansen. Great by Choice: Uncertainty,Chaos, and Luck – Why Some Thrive Despite Them All. New York:Harper-Collins Publishers, 2011.

Davenport, Tom and Brook Manville. Judgment Calls: 12 Stories ofBig Decisions and the Teams That Got Them Right. Boston: Har-vard Business School Publishing, 2012.

Duggan, William. Creative Strategy: A Guide for Innovation. NewYork: Columbia University Press, 2013.

Gostick, Adrian and Chester Elton. All In: How The Best ManagersCreate a Culture of Belief and Drive Big Results. New York: FreePress, 2012.

Lafley, A.G. and Roger L. Martin. Playing to Win: How Strategy ReallyWorks. Boston: Harvard Business School Publishing, 2013.

Mellon, Liz. Inside the Leader’s Mind: Five Ways to Think Like aLeader. Harlow, UK: Pearson Education Limited, 2011.

Menkes, Justin. Better Under Pressure: How Great Leaders BringOut the Best in Themselves and Others. Boston: Harvard BusinessSchool Publishing, 2011.

Ries, Eric. The Lean Startup: How Today's Entrepreneurs Use Con-tinuous Innovation to Create Radically Successful Businesses.New York: Crown Publishing Group, 2011.

Sims, Peter. Little Bets: How Breakthrough Ideas Emerge fromSmall Discoveries. New York: Free Press, 2011.

Zolli, Andrew and Ann Marie Healy. Resilience: Why Things BounceBack. New York: Free Press, 2012.

The Only 3 Letters That MatterIf you’re ready to take your career in records management to the next level,there are only 3 letters that matter. Becoming a Certfied Records Manager showsthat you’re ready for today’s complex and changing information environment.

Stand Out The CRM designation shows a solid mastery of records management

Confidence You’ll prove your ability to apply records and information management knowledge

Career Opportunities It’s the well-known competitive advantage you need in business today

For more information, call 877.244.3128or visit www.ICRM.org

®


oday’s records and information management (RIM)professionals are tasked with mitigating the risks thatcome along with ever-changing regulations and esca-lating threats to information security, all while con-trolling exponentially growing data costs.

More like detectives than RIM professionals, theyare charged with uncovering sensitive records, such as Out-T

USING DATA PROFILING TO MITIGATE7 ‘RED FLAG’ INFORMATION RISKS

Data profiling technology can help an organization identify what electronic information it has andwhere it is located, which is the first step to ensuring that information governance policies areapplied to it, reducing the organization’s costs and mitigating its seven greatest information risks.

Jim McGann

look personal storage table (PST) e-mail archives and agede-mails created by former employees, unencrypted files con-taining personally identifiable information (PII), and copiesof contracts and research data lost within network fileshares.

But before they can find and manage this data, theymust determine what information exists across the enter-


prise, where it exists, and who created it. To address therisks that come with not knowing this, some RIM profes-sionals are using data profiling.

Data Profiling DefinedData profiling examines data from all sources and col-

lects metadata-level information on the content to create asearchable and reportable repository about the information,identifying such things as the information’s owner, age, typeof file, location, date last accessed or modified, and whetherit is a duplicate.

Data profiling allows RIM professionals to create a mapof what data exists and where, so they can actively enforceand audit compliance with the information governance poli-cies that dictate the use, disposition, retention, and man-agement of corporate data, protect the firm’s assets, andmanage long-term risk.

This helps organizations control costs and risks, as wellas address the seven greatest issues – red flags– that havea critical impact on their electronic records systems today:PII, hidden PSTs, user shares, departmental servers, legacybackup tapes, aged data, and large multimedia files.

The Information Governance LandscapeThe volume of information is exploding. More and more

business information is digitized, and users create data 24/7as they carry their office in their pockets. It is estimated thatdata growth is reaching unprecedented levels, with Gartnerstating in its June 2012 research report “Organizational Col-laboration and the Right Retention Policies Can MinimizeArchived Data and Storage Demands” that the volume isgrowing 40% to 60% annually. The numbers are nearly im-possible to comprehend and rising each year. Technologyteams are keeping up with this data growth by increasingstorage capacity.

The data environment also has become more complex;for example, copies of user content are typically replicatedand archived many times to ensure it is never lost, leavingrecords managers with multiple versions of the same messto clean up.

Archives that were created to store specific importantdata, such as content preserved for legal holds and docu-ments required for compliance, have become bloated un-structured repositories where other data is put in and neverseen again. Highly sensitive information becomes lost in theshuffle and largely unmanageable.

The Legal, Regulatory ClimateOver the past decade, e-discovery has provided an ex-

pensive learning lesson for some organizations. They havespent significant time and resources identifying sensitiveuser data and collecting it to support active litigation. It isnot unusual for a single litigation to cost hundreds of thou-

sands or even millions of dollars. The Searle Civil Justice In-stitute’s 2010 “Litigation Cost Survey of Major Companies”found that for the period 2006-2008, the average Fortune200 company that responded to the survey paid average dis-covery costs of $621,880 to $2,993,567 per case.

Ten years ago, it was fairly easy to claim that specificcontent was not easily found within the complex corporateinfrastructure and, therefore, it was “inaccessible,” or itplaced an “undue burden” on the party being asked to pro-duce it for litigation.Today, this argument is less success-fully used.

Judges, opposing counsel, and expert witnesses have allbeen educated on and have a better understanding of thecorporate data environment. Today, it is a high-risk propo-sition to enter a court without the requested data, as thereis a good chance for the judge to admonish or even issue finesand sanctions for not producing it.

Data profiling examinesdata from all sources andcollects metadata-levelinformation on the content

Beyond the growing demand to produce information fore-discovery, compliance and regulatory requirements havebeen increasing, resulting in renewed emphasis on RIMstrategies. These growing and evolving regulations – such asrequirements to encrypt sensitive records or archive specificclasses of correspondence – require significant updates tocorporate policies and new strategies for data managers.

As a result of these issues, organizations are taking afresh look at policies and implementing information gover-nance strategies, such as using data profiling, that areaimed at protecting them from risk and liability by provid-ing them knowledge they need to make proper decisions.

Data Profiling and PolicyCorporate data policies are complex.For many organi-

zations, the complexity stems from their attempts to definepolicies without having adequate knowledge about whatdata exists. Policies are created, but they can’t be enforcedor monitored.

By default, then, many organizations are leaving it up toend users to implement the policies. But users tend to neg-lect making decisions about data, opting to keep it forever“just in case” they might need it. Very few know such thingsas how PST files are made, where they go, or what the con-sequences of sending a client’s credit card number throughan e-mail could be.


Along the way, needed information gets lost in the shuf-fle. Over time, research and intellectual property data agesand becomes difficult to leverage. This hidden data, whichhas value but cannot be found within the infrastructure, isnot tapped to help support current users.

As knowledge workers leave the organization, their datatypically remains scattered about the network infrastruc-ture. Since the owner is no longer around to manage thiscontent, it quickly gets lost; current users don’t even know itexists.

Data profiling helps both sides of the informationquandary. Using it, content can be searched, found, andleveraged to support business needs, and it can be purged,encrypted, or secured to mitigate risks.

compliance teams are often surprised to find this hidden e-mail during high-profile litigation. Auditing for PSTs helpslegal teams evaluate these highly sensitive e-mail archivesand determine disposition.

User SharesOrganizations typically set up network shares where

users can store files and other content. These shares oftengrow to the point where managing the content is impossi-ble. With data profiling, this mystery content can be ana-lyzed and an action plan defined. For example, data profilingcan find all data that has not been accessed for a specificlength of time, allowing it to be moved off this environmentor even purged if it has no business value.

Departmental ServersProfiling the content on shared servers and desktops

within a network that was created by a department that fre-quently works with valuable content, such as intellectualproperty, consumer information, or research data, is a logi-cal place to begin. This will provide the knowledge requiredto determine its disposition; much of the data may bearchived for long-term retention or secured to protect sensi-tive intellectual property.

Legacy Backup TapesBackup tapes contain copies of all existing user files and

e-mails amassed over time. In the past, these were often con-sidered burdensome to access, so courts did not alwaysdemand for it to be produced for litigation. However, tech-nology now makes this content reasonably accessible and,thus, a corporate liability if not managed according to policy.Organizations are now cleaning up this content based on adata profile and preserving only what has value.

Aged DataProfiling aged data – that which is more than seven

years old and has not been accessed for a long period – willreveal what and where it is, allowing it to be moved to lessexpensive storage platforms, migrated to the cloud, archivedwith related documents, or purged if its retention is nolonger required.

Large Multimedia FilesChances are that audio, video, and photo files are not

putting organizations in legal jeopardy unless there is a pos-sibility of copyright infringement, but they could be affectingstorage budgets. User shares likely are packed with personalfiles from employees watching movies or searching throughvacation albums during breaks or downloading music li-braries to listen to while working. These personal media fileshave no business value but are being managed and backedup daily. Locating them enables organizations to audit how

s

… personal media fileshave no business value but

are being managed andbacked up daily

1

s

2

s

7

s

6

s

5

s4

s

3

The 7 Red FlagsThe profiling process begins by becoming aware of the

greatest threats to data breaches, compliance issues, andbloated storage budgets. As described below, these seven redflags will have the most immediate and critical impact onan organization’s management of electronic records.

PIIPII includes credit card and Social Security numbers

that, if lost, could put customers at risk. Organizations usu-ally have privacy policies that prohibit sending PII throughe-mail and mandate the encrypting of all files containingPII, but that doesn’t mean they are being followed. Organi-zations are responsible for safeguarding this information,and any violations – such as of the requirements of the U.S.Health Insurance Portability and Accountability Act or theFair and Accurate Credit Transactions Act – make them fi-nancially and legally liable.

Hidden PSTsMicrosoft Outlook allows users to create PSTs and store

messages, contacts, appointments, and other information ontheir hard drives or a network server. PSTs, much like PII,usually have a policy surrounding them that isn’t readilyenacted or enforced. The truth is, most non-IT personnelprobably don’t know what PSTs are, let alone that they arecreating them. Managing PSTs can be challenging; evenfrom an IT standpoint, finding PSTs is difficult. Legal and


much space these files are using, purge them from storage,and develop policies governing the use of company re-sources to play or view and store them.

Data Profiling and Disposition Data profiling helps organizations understand and

manage the needs of their information governance policiesby ensuring the policies are followed with the proper ac-tion and data dispositions. It finds the red flags beforebreaches or litigation can. It often prevents problems andsaves valuable storage costs.

Data profiling is one of the best resources that RIM pro-fessionals have to support information governance policies.It provides a deeper understanding of assets and is the keyto being able to control risk and liability. Without a data

profile, it’s nearly impossible to manage mystery contentand enforce policy.

Common dispositions include moving essential contentto an archive, preserving data for legal holds, removing du-plicate content, encrypting sensitive data, migrating to lessexpensive storage, and purging data that has no businessvalue.

No longer should data remain on networks unmoni-tored and unmanaged with uncontrolled growth. Usingpolicy as the foundation and data profiling as the sup-port, organizations can leverage and manage data moreeffectively. END

Jim McGann can be reached at [email protected]. See his bio on page 47.

ARMA International has created specially priced packages of recommended resourcesto help you study for the Certified Records Manager (CRM) exam.

Available Study Packs:

• Part 1: Management Principles and the Records and Information Management Program

• Part 2: Records and Information: Creation and Use

• Part 3: Records Systems, Storage, and Retrieval

• Part 4: Records Appraisal, Retention, Protection, and Disposition

• Part 5: Technology

• CRM Mega-Pack (combined version of all CRM Study Packs)

CRM candidates (or potential candidates) should also consider enrolling in ARMAInternational’s online Essentials of RIM Certificate Program; completing this programwill help establish a great foundation for passing parts 1-5.

Get details at www.arma.org/learningcenter.

Available online in the ARMA Bookstore!

Studying for the CRM? ARMA International’s CRM Study Packs

www.arma.org


John Isaza, Esq., FAI – a 24-yearveteran attorney with a dozenyears of records and information

management (RIM) experience whoworks for international law firmRimon PC – regularly uses the Gener-ally Accepted Recordkeeping Princi-ples® (the Principles) and the Infor-mation Governance Maturity Model(Maturity Model) in his work forclients. (See www.arma.org/principlesfor more information about the Princi-ples.)

The majority of his time, about65%, is spent doing compliance assess-ments and audits of existing programs,and the rest is devoted to formulatingnew RIM and/or information gover-nance programs.

One of Isaza’s main tools for ac-complishing this work has been ARMAInternational’s automated PrinciplesAssessment tool. His first-hand expe-rience has yielded several insights onhow to use this tool most effectively inreal-world environments and providesmany lessons learned that will be use-ful for RIM practitioners.

Conducting the AssessmentThe Principles Assessment is a

computer-based tool that provides anautomated way to determine how anentity’s information managementpractices measure up against the Ma-turity Model.

The tool requires answers to 100questions related to the eight princi-ples: accountability, transparency, in-tegrity, protection, compliance, avail-ability, retention, and disposition. Byselecting the answer that most closely

The Principles Assessment as a

Collaborative ToolJulie Gable, CRM, CDIA, FAI

matches the current situation, thePrinciples Assessment will calculate ascore for each principle. The scorescorrelate to levels ranging from 1 to 5,with 1 being substandard and 5 beingconsidered transformational. ThePrinciples Assessment can be used fora single department, a division, or theentire organization.

As with all tools, there are tipsand techniques that can enhancethe usefulness of the assessment.Isaza’s solid consulting experience hasyielded several pointers that he gen-erously shares here.

Involve Others“Don’t just do it all yourself,” cau-

tions Isaza. In situations where therecords manager performs the entireassessment, there is the risk of ratingtoo high or too low on various programaspects, and the outcome will be sub-jective and, therefore, less credible.Isaza advises that the best way to en-sure objectivity is to get responsesfrom others in the organization. Howto do this can be challenging, though.

“Don’t think that you can just sendthe tool to everyone in the firm andhave them answer questions on their


challenging because of slow responsetime in some environments,” saysIsaza. Providing the selected questionson PowerPoint or by other means maymake for a smoother, more productiveexperience in a live setting.

Scoring – Each workshop partici-pant chooses a response for each ques-tion. The results are averaged toarrive at a score (from 1 to 5) for howthe organization is doing in that par-ticular principle. For example, if 10workshop participants choose answersto questions about the Principle ofAvailability that range from level 2 tolevel 4, the average might be a level 3for that principle. There may be mul-tiple workshops with different partici-pants in each, depending on the size ofthe organization.

In addition, Isaza and the recordsmanager each completes his or herown scoring. Isaza then averages hisrating and the records manager’s,using this as an additional workshopsession. To arrive at the overall rating,Isaza’s methodology is to average thescores from each workshop for eachcategory. He notes that comments arecaptured during the process and thathe supplements the workshops withsome individual interviews as well.

Balance Effort with Need Concerns about accuracy need to

be balanced with practical considera-tions. Approaching an assessment as

an audit can be cost prohibitive, ad-vises Isaza. Asking to see documen-tary evidence for every aspect of eachprinciple generally puts a strain on or-ganization resources and may not nec-essarily yield better data than themultiple opinions available in theworkshop setting.

Another consideration is to recog-nize that the degree of rating accuracyin a collaborative setting will probablybe just fine for the purpose of the as-sessment. Attempting to get very sci-entific or statistical with the ratingscan also be expensive and more thanis actually needed for the organiza-tion’s purpose.

Using the ResultsThe assessment scores provide a

way for those at all levels of the or-ganization to understand how the firmis doing in regard to information man-agement. Many times Isaza is dealingwith chief executive officers and direc-tor-level management. Assessment re-sults are often delivered with asupplemental report identifying majortechnology, people, policy, and riskconsiderations based on the assess-ment outcome and observations.

Set Metrics “One of the most useful outcomes

of the Principles Assessment and theMaturity Model is the ability to setbaseline metrics that can be tracked

own,” advises Isaza. Many questionsseem to be redundant from one princi-ple to the next, but they actually havea different context and may need clar-ification for those who are not involvedwith RIM as their primary responsi-bility. “What’s more,” says Isaza,“Each question must be answered be-fore going on to the next, and peoplewill not necessarily be able or willingto do this.”

Use Facilitated WorkshopsIsaza has found that workshops

can be an ideal setting for a collabora-tive use of the Principles Assessment,and his experience with four clients indiverse industries – automotive, non-profit, insurance, and financial serv-ices – has proven that this approachworks.

A workshop is a way to gather sev-eral people in a single place and pollthem for their opinions and percep-tions of RIM. The workshop settingalso offers a relaxed atmosphere wherediscussion and informal RIM educa-tion can take place.

Preparing – Advance preparationis key, however. Isaza notes, “If youchoose a workshop setting, recognizethat you will need to do some prepara-tion. First, and most importantly, youwill need to have someone with RIMknowledge in the room to help with ex-planations where needed.”

According to Isaza, it is unrealisticto expect to get through the tool’s 100questions in a workshop lasting anhour and a half. The best practice is forthe RIM manager to spend time ana-lyzing which questions should be pre-sented to the workshop group andwhich can best be answered in ad-vance. Given the limited time avail-able for most workshop participants, itpays to select the questions that de-liver the biggest return. Isaza alsonotes that some questions and pro-posed responses may profit from beingsimplified for better understanding.

“Using the tool in real time before alive workshop audience can also be

John Isaza: A Career Overview

John Isaza, Esq., FAI, is a leader in Rimon PC’s Corporate Gover-nance and Records and Information Management practice areas.Rimon is an international law firm with offices in the United Statesand Israel. The firm’s name is the Hebrew, Arabic, and Aramaicword for pomegranate, a traditional symbol of excellence, commu-nity, and innovation, the firm’s three core values.

A lawyer for 24 years, Isaza has been in the records and informa-tion management (RIM) field since 2001, and his prior experience in litigation, corporatelaw, and investment banking serves him well in his current position. His work has includedengagements in oil and gas, financial services, government, technology, insurance, food,entertainment, manufacturing, automotive, and legal services sectors. In addition to hislaw degree, Isaza holds a real estate license and several securities industry licenses.


over time. These become somethingthat the organization can use to gaugeimprovement, to base future audits on,and most importantly, to communi-cate to the C-level suite what the folksin information management aredoing,” says Isaza.

Furthermore, Isaza notes, “If youoverlay the factors significant to a par-ticular industry, you can put togethera roadmap for future activity and setpriorities that make sense for that or-ganization within that industry.”

Plan, Prioritize ActivitiesFor example, one of Isaza’s finan-

cial services clients had completely ac-ceptable ratings in the areas ofintegrity, protection, and compliance,but recognized the importance of theseprinciples given the increasing regula-tion, the growing amount of personalinformation associated with its work,and the reputation risk associatedwith its industry. Even with accept-able scores, this client sought recom-mendations that would take theorganization to higher levels of matu-rity in these areas.

In another example, the law de-partment of a national non-profit, al-ready aware of certain challenges withavailability, retention, and dispositionwithin the department, was able toidentify and prioritize areas for im-provement and to take positive stepsthat would boost scores almost imme-diately. For this client, immediatesteps included hiring a records man-ager, revising old retention schedules,

and putting technology in place to fos-ter secure storage, collaboration, re-mote access, and other Principles-guided capabilities.

Benchmark Against OthersWithin the corporate world, there

are ways to judge one organization’sperformance against that of others inthe same industry segment. Financialratios, for example, measure suchthings as an organization’s ability tomeet its short-term debt or its overalleffectiveness based on the returns gen-erated on sales and investment. Fi-nancial analysts expect to see suchratios fall within a certain range forsegments such as manufacturing orretail.

Although there are no such indus-try benchmarks for information man-agement, consultants are oftenknowledgeable about what similarfirms in a given industry have done re-garding information management. Inthe absence of industry metrics, theycan be a source of general guidance re-garding what project priorities shouldbe in terms of a Principles-based ac-tion plan.

In addition, consultants often haveaccess to multiple layers of manage-ment and can be useful in raisingawareness at the highest levels of thefirm. While consultants will not di-vulge the names of their clients or pro-vide specific details of any client’sprogram, they can provide a generalidea of how your organization com-pares to others.

Increasing the Score“For many organizations, scores

increase dramatically by increasingthe role of RIM in decision makingand improving communication be-tween departments,” Isaza says.“For example, information technol-ogy (IT) may rate itself a 5 in one as-pect, but the law department mayrate IT only a 2, simply because IThas not communicated the steps ithas taken to ensure a higher level ofmaturity.”

Another item that can immedi-ately boost scores, says Isaza, is theestablishment of an informationgovernance committee as a way toincrease senior management spon-sorship and communications.

“On the other hand, clients aresometimes surprised at the numberof things they hadn’t thought of.Folks in IT may not be as aware ofthe principles of retention and dis-position because they are in chargeof transporting data, he notes.“Sometimes they are surprised athow much there is in terms of spe-cific rules and laws.”

Assessing Your OrganizationUsed in a workshop setting, the

Principles Assessment tool can be anexcellent way to focus attention,guide understanding of the MaturityModel, and produce a credible pic-ture of an organization’s informationmanagement practices. The work-shop itself is an opportunity to raiseRIM awareness and provide educa-tion on the foundations of a stan-dards-driven RIM program. Thefacilitated workshop is also an ex-cellent way to cross organizationlines and to begin taking a cross-dis-ciplinary, collaborative approach tomanaging contemporary informa-tion issues and concerns. It’s defi-nitely worth a try. END

Julie Gable, CRM, CDIA, FAI, can becontacted at [email protected] her bio on page 47.

“For many organizations, scoresincrease dramatically by

increasing the role of RIM in decision making and

improving communication between departments.”

BULLETIN BOARDVendors, Products & People

Records Management Software and Consulting Services

Zasio’s powerful suite of intuitive records manage-ment software lets you effectively manage both yourphysical and electronic records, regardless of where they arelocated—on-site and/or off-site. Whatever the size of your organization orthe scope of your records management needs, Zasio has the solution.

To choose the right solution for you, visit our website and download the Versa-tileTM Selector Guide! www.zasio.com.

RSD recently announced IGaaS™, or InformationGovernance as a Service. Whether governinginformation stored on premise or within the cloud,IGaaSM provides all services for in-place information governance including:policy definition, information classification, policy enforcement, informationaccess, life-cycle management, audit, and compliance. For more information,please watch our complimentary on-demand webinar “The Future of Informa-tion Governance is Here: IG as a Service” at www.rsd.com/webinar-igaas.

Downstream Data Coverage Downstream Data Coverage offersprofessionalliability cover-age thatspecificallyaddresses therisks associ-ated with NAID-certified companiesthat provide data-related services.Call 877.710.2498 to learn more.

DHSDHS Worldwide Software Solutionsrecently held its 2013 Total RecallUser Conference in San Antonio,Texas, with nearly 50 in attendance.During the conference, DHSannounced exciting news andinnovative developments, includinga completely redesigned andresponsive company website.For more information please visitwww.dhsworldwide.com.

NAIDNAID is the non-profittrade association forthe secure destruc-tion industry, whichcurrently representsmore than 1,900member locations

globally. NAID’s mission is to promotethe proper destruction of discardedinformation through education, theNAID ’em initiative, and encouragingthe outsourcing of destruction needsto qualified contractors, includingthose that are NAID-certified.www.naidonline.org.

Xact Data Discovery (XDD) is an inter-national discovery and data manage-ment company providing forensiccollections, processing, hosting, doc-ument review, project management,paper discovery and records man-agement and governance consultingservices. XDD offers an exceptionallevel of customer service, with a keenfocus on communication to ensureclients know where their data isthroughout the entire discovery lifecycle. www.xactdatadiscovery.com.


Our global records managementand compliance departmentfaced a huge challenge: han-

dling the explosive growth in informa-tion being received from businesseslocated around the world – the resultof both organic and inorganic growthdue to the acquisition of a comple-mentary financial entity. We realizedthe company needed a global approachto records management; playing itstraditional role, our records manage-ment team simply could not supportthe needs of our growing global com-pany.

In transforming our team fromthat traditional to a more strategicrole, we established objectives, tookactions, and learned lessons thatshould be of value to other organiza-tions struggling to harness the ever-widening pools of information they

must manage efficiently in their dailycourse of business.

Program AssessmentFirst, we took a critical look at our

current processes and the future of in-formation management. We foundthat our global records managementteam was primarily focused on thetransactional elements of recordsmanagement, such as preparing itemsfor offsite storage, reacting to internalbusiness units’ needs, and respondingto crisis requests.

These were all complicated by thewide variation in the level of recordsmanagement sophistication amonglines of business and locations in var-ious countries, and dealing with thesetasks left very little time to prepare forexponential information growth or tocoordinate our efforts globally. We de-

termined that to provide much greatervalue to the company, we needed toshift our records management team’sfocus from transactional to the strate-gic components of information man-agement.

Strategic ObjectivesWe focused on five strategic ac-

tions to harness, use, and control in-formation: 1. Consolidating retention schedules

throughout our worldwide opera-tions

2. Establishing processes and methodsfor universal information subjectcategorization and indexing

3. Aligning access to and managementof both paper-based and electronicinformation

4. Creating processes to continuouslysolicit stakeholder feedback regard-

A 5-Step Strategy for HarnessingGlobal Information Growth

Brian Nowak

RIM FUNDAMENTALS


ing information management, in-cluding from within the institution,operational lines of business, re-gions and country management,legal, audit, and other corporatefunctions

5. Establishing a truly global informa-tion management strategy

Action StepsBecause of our growth, there was a

widespread realization that we neededa more comprehensive way to manageinformation, and our internal environ-ment was primed for change. Thatmade it easier to “sell” the need tochange our team’s approach from task-oriented to strategic.

There were certainly growingpains along the way, but we began totransform ourselves into internal con-sultants by taking the following fivesteps.

1. Establish Line of Business Liaisons.

The first step in becoming morestrategic and consultative was to es-tablish liaisons from each of our eightlines of business that were headquar-tered throughout the world with sub-sets at the regional and, in some cases,country levels.

Our department had establishedgood relationships with these lines ofbusiness, which helped pave the wayfor our successful outreach to them.Our conversations and presentationsabout the importance of managing,using, and retaining information forbusiness efficiency, productivity, andregulatory compliance, coupled withwhat lines of business owners and re-gional management already knewabout their needs convinced them toassign their employees to liaison roles.

After the first line of businesscame on board, the others followed suitin rapid succession with minimal, if

RIM FUNDAMENTALS

any, concerns about their “turf.”These liaisons played a pivotal

role in executing our new globalrecords management strategy. Theyknew their operations intricately andwere better suited to manage the dailyrecords management tasks, such ascontracting with local serviceproviders who could dovetail servicesto satisfy our global information andrecords management strategic goals.

Ultimately, the liaisons took onadditional responsibility for recordsmanagement, and in a number ofcases, they had notable expansions ofresponsibilities. For example, the roleof a liaison in the UK who was veryeffective in watching over and caring

for records was expanded to provideexpertise throughout our Europeanregion.

2. Provide Education and Support.

With the liaisons’ relieving theglobal records management teamfrom transactional responsibilities,the team had time to consult and ed-ucate the lines of business and re-gions about more strategic things,such as retention schedules, privacy,and compliance.

We structured our robust educa-tional sessions through individualmeetings, “lunch and learns” forlarger groups, and telephone confer-ences for folks in regions outside theUnited States. We also supported theliaisons with project managementand direction.

With these liaisons in place, ourglobal records management team nowcould concentrate its focus on strate-gic projects designed to integrate glob-ally sourced information into acohesive resource, transforming ourrecords management function into onethat could accommodate and sustainour growing worldwide business while

complying with myriad regulationsworldwide.

3. Establish Corporate Department Liaisons.

We also needed to establish addi-tional relationships in functional de-partments, such as legal, audit,compliance and IT – all corporate func-tions with operations in the lines ofbusiness and regions. Like in the linesof businesses, personnel in these func-tions shared the realization that some-thing needed to be done to handle andmanage information for our expandedand growing business; each had avested interest in doing so.

4. Partner to Develop the Strategic Plan.

The functional department li-aisons became strategic partners inthe development of the global recordsmanagement strategy; their inputand involvement were critical inmaking it successful. They welcomeda collaborative approach to deter-mining how to manage informationon a global basis. They knew the im-portance of doing so and appreciatedthe opportunity to help establish theprocesses.

Each member brought a uniqueperspective, which we debated untilreaching agreement about our globalstrategic direction. As an example,we identified and discussed the is-sues related to electronic recordsmanagement, which previously hadbeen considered the IT department’sconcern.

With the rapid expansion of thebusiness, IT had an immediate andpressing issue: how to manage – es-pecially for retention and regulatorycompliance – tens of thousands of e-mails generated and received world-wide every day. IT needed help andwelcomed the opportunity to have

Because of our growth, there was a widespread realization thatwe needed a more comprehensive way to manage information …


input into the strategy and tactics tocarry it out.

Previously, the company did nothave a forum for lines of business andfunctional departments to expressideas and concerns related to infor-mation management. This new forumallowed the team to work together toestablish the priorities for the globalstrategy.

5. Take the Lead.Although it was broadly acknowl-

edged that we needed to get a handleon our global information growth to

giving the lines of business and func-tional departments the opportunity toparticipate in the development of thestrategy created buy-in. No one likesa mandate from corporate!

2. Establishing a global strategy doesn’t mean everything is done in one manner.

This was particularly evident aswe expanded beyond the U.S. borders.This concept goes beyond simply ac-commodating differences in culture,language, and country records reten-tion laws.

subject matter experts in informationmanagement, became a more valuedresource to the company, and devel-oped stronger working relationships.

4. Change is not easy. We had numerous growing pains

during the transformation, some ofwhich affected members of our staff.Transforming our organization to meetever-growing global responsibilitiesrepresented a sea change for our teamas it became more strategic and shiftedtactical processes to the lines of busi-ness.

… the results of our efforts improved dramatically as we broughtthe lines of business and functional departments into the process.

be effective, no single functional de-partment took the lead in addressingthis concern. This created a leader-ship void into which the globalrecords management team gladlyjumped! With our former transac-tional responsibilities managed bythe liaisons, our team was able to ac-cept the responsibility for managingthe project and completing its priori-ties.

Lessons LearnedThe transformation process that

allowed us to accomplish our globalrecord management strategy re-quired hard work and perseveranceand generated a number of take-aways and lessons learned:

1. A group decision will take longer, but the results will be better.

There was a temptation to believethat we had all the answers and didn’tneed input from others. But, the re-sults of our efforts improved dramat-ically as we brought the lines ofbusiness and functional departmentsinto the process.

Not only were the decisions bet-ter, but the scope of records manage-ment expanded to informationmanagement, taking into account allinformation. Even more important,

One of our initial strategies was touse one global records managementprovider in all the countries where wewere operating. The provider was theincumbent in the United States, andwe were under the impression that itwas positioned to meet our globalneeds. Some of the benefits weexpected included global access to ourinformation, singular account man-agement, consistent operating proce-dures, and reduced expenses.

However, as we tried to mandatethis approach with our regions andcountries, we found the provider didn’thave the ability to service some coun-tries, as we had expected. We ulti-mately adopted an approach thatinvolved a global strategy in terms ofmanaging and maintaining informa-tion, but provided local flexibility tomake decisions on things like choosingthe optimal provider for that location.

3. You must be willing to step up and take the lead. As we met with the lines of busi-

ness and functional departments, itbecame very apparent that our rolewould expand if we were willing totake the lead on the various priorities.By taking the lead, we assumed muchmore enriching and strategic job re-sponsibilities, showed ourselves as the

Some team members were morecomfortable with the transactionaltasks of records management, so wehelped place them in new roles thatmore closely matched their inter-ests. The majority, however, em-braced and thrived in anenvironment that included challeng-ing work assignments and interac-tion with all levels of employeesacross many countries.

The Bottom LineThe transformation of our global

records management team involvedhard work and dedication. Our teammembers took a critical look at ourcurrent organization and responsibil-ities and realized we were not pre-pared for the information explosionthat had become part of the com-pany’s daily operations. We createdpartnerships with internal stakehold-ers, taking advantage of their collec-tive thoughts and considering theirneeds. Through the efforts of the en-tire team, we created a global recordsmanagement team that has enrichedjob responsibilities and adds truevalue to the organization. END

Brian Nowak can be contacted [email protected]. See hisbio on page 47.


Over the past decade, cybersecurity has become a majorconcern in the public con-

sciousness. From WikiLeaks, to state-sponsored attempts to steal valuableintellectual property, to highly publi-cized retail companies’ credit cardbreaches, information professionalsface a constant barrage of threats totheir organizations’ information.

These threats erode an organiza-tion’s ability to prosper and threatenAmerican competitiveness as a whole.While traditionally, information pro-fessionals have focused on helping theorganization meet legal, regulatory,and business requirements, theequally pressing concern of securinginformation assets provides them newopportunities.

Protecting these assets are notonly the responsibilities of the firewalladministrators, network architects,and others who sit in IT. In his bookSafeguarding Critical E-Documents:Implementing a Program for SecuringConfidential Information Assets,Robert F. Smallwood argues an im-portant piece of this strategy must beinformation governance.

While acknowledging that thereare several competing definitions of in-formation governance, Smallwoodcharacterizes it as an interdisciplinarysubset of corporate governance: themelding of records management, ITgovernance, e-discovery, business con-tinuity, disaster recovery, informationsecurity, and privacy. Its ultimateaims are to manage and control theoutput of IT through policies and toolsthat control access to and use of infor-mation.

Although Smallwood is not thefirst to use this definition of informa-tion governance, it is a relatively newapproach that greatly expands thescope of what until quite recently hasbeen a field primarily rooted in thedisciplines of records managementand e-discovery.

Smallwood’s book is divided intofive parts. He first outlines the majorsecurity problems and risks organiza-tions face and introduces basic infor-mation governance principles. In PartII he describes the risks and counter-measures that can be taken for spe-cific platforms, such as unstructuredcontent, e-mail, instant messaging,social media, mobile devices, andcloud computing. Part III is devotedsolely to e-records management is-sues, specifically defining and pro-tecting vital records and long-termpreservation of electronic records.Part IV introduces technologies thatcan help protect information assets,such as encryption, digital signatures,data loss prevention tools, and infor-mation rights management. The finalpart of the book provides strategiesfor obtaining executive sponsorship,managing projects, and selecting ven-dors.

Readers will find helpful the con-crete steps the book gives for rollingout and maintaining a secure envi-ronment for information assets. Eachchapter has text boxes that outlinekey points and chapter summariesthat reinforce the main takeaways.

Non-technical readers will findSmallwood’s descriptions of informa-tion governance technology tools easyto understand. Appendices give stan-

Safeguarding Critical E-Documents: Implementing aProgram for Securing Confidential Information Assets Author: Robert F. SmallwoodPublisher: John Wiley & SonsPublication Date: 2012Length: 263 pagesPrice: $75ISBN-13: 978-1-118-15908-8Source: www.arma.org/bookstore

Addressing Security Concerns: The Expanding Role of Information GovernanceAndrew Altepeter

dards for digital signatures, regula-tions for records management, andlists of technology and serviceproviders. Chapter endnotes providereaders with additional resources.

In total, Smallwood’s book givesreaders a solid foundation for makinginformed governance decisions andpresenting them in a way that uppermanagement will find appealing.

The book would be strengthened bya more robust discussion of the “low-tech” ways organizations can help se-cure their environment, such asemployee training, awareness presen-tations, newsletters, portal messaging,and office posters; these are all impor-tant pieces of an information protec-tion program.


The book also largely neglects themost common entryways of databreaches, such as phishing and socialengineering scams, although Small-wood does devote some discussion toinsider threats, such as careless ormalicious employees. Nevertheless,more emphasis should be given to thefact that while technology is necessaryto secure information, employee vigi-lance is the first step.

Despite these omissions, Safe-

guarding Critical E-Documents is animportant call to arms for informationprofessionals. To stay relevant, theprofession must expand beyond theestablished business justifications ofimproved efficiency, regulatory com-pliance, and legal retention require-ments. Protecting information fromsecurity threats is a way to add signif-icant value to the organization by ad-dressing a concern that is on the mindof every executive in the country.

For American businesses to staycompetitive with the rest of the world,organizations must continually bevigilant in protecting their informa-tion assets. Proper information gov-ernance policy and controls areimportant elements in any securitystrategy. END

Andrew Altepeter can be reached [email protected]. See hisbio on page 47.

Like Your Favorite Drive Thru …Only Better. Who has time between 9 to 5 to slip away for career development?

Us either.

ARMA International's online courses offer convenient and flexible trainingon YOUR schedule. From RIM and Generally Accepted RecordkeepingPrinciples® to professional development, our online courses allow you tokeep on top of your game and get ahead of the field, at a time and placethat is most convenient for you.

Slippers optional.

Open 24 hours a day, 7 days a week, 365 days a year.

See what’s available at www.arma.org

Learning Center


Contact Information

Clearing the Hurdles of International TechnologyImplementations page 22John T. Phillips, CRM, CDIA, FAI, is a management con-sultant with Information Technology Decisions. Withmore than 30 years of experience in many varied infor-mation and technology management professional posi-tions, he currently assists clients in developingcomprehensive records management programs, espe-cially with electronic records management issues andtechnology systems selection. Phillips recently served asix-year term on the National Archives and Record Ad-ministration’s Advisory Committee for the ElectronicRecords Archive. He can be contacted at [email protected].

Accelerating out of the Recession: New Approachesto Executing RIM Program Strategies page 27Bruce W. Dearstyne, Ph.D., has more than 30 years of ex-perience as a practitioner, professor, and consultant inrecords, archives, and related information work. He isthe author of numerous articles and several books, in-cluding Managing Records and Information Programs,published by ARMA International. He can be contactedat [email protected].

Using Data Profiling to Mitigate 7 ‘Red Flag’Information Risks page 34Jim McGann is vice president, Index Engines. He has ex-tensive experience with e-discovery and informationmanagement in the Fortune 2000 sector. McGann is afrequent writer and speaker on the topics of big data,backup tape remediation, electronic discovery, andrecords management. He can be reached at [email protected].

The Generally Accepted Recordkeeping Principles®Series: The Principles Assessment as aCollaborative Tool page 38Julie Gable, CRM, CDIA, FAI, is president and founder of GableConsulting LLC. She has more than 25 years of experiencespecializing in strategic planning for electronic records man-agement, including business case development, cost-benefitanalysis, requirements definition, and work plan prioritiza-tion. In 2003, she was named a Fellow of ARMA Interna-tional. Gable has authored numerous articles and frequentlyspeaks at national and international conferences. She holdsa master’s degree in finance from St. Joseph’s Universityand a bachelor’s degree in management from Drexel Uni-versity. Gable can be contacted at juliegable@ verizon.net.

RIM Fundamentals Series: A 5-Step Strategy forHarnessing Global Information Growth page 42Brian Nowak is general manager for RhinoDox, a data man-agement and archival supplier for companies and govern-ment organizations of all sizes. He has more than 10 yearsof experience as an information management solutionsprovider and practitioner. Nowak can be contacted [email protected].

Addressing Security Concerns: The Expanding Roleof Information Governance page 45Andrew Altepeter is an information governance analyst atMotorola Solutions Inc., where he is responsible for recordsmanagement and IT audits for Sarbanes-Oxley and Pay-ment Card Industry compliance. He has previous experiencein records management and institutional archives. Altepeterearned a bachelor of arts degree in history from MarquetteUniversity and a master of arts degree in public history fromLoyola University Chicago. He can be reached at [email protected].

Altepeter Dearstyne Gable McGann Nowak Phillips


15, 17 Access Sciences800.242.2005 – Intl. 904.213.0448 –www.accesssciences.com/SharePoint

13 DHS Worldwide Software800.377.8406 – Intl. 904.213.0448 –www.dhsworldwide.com

3 Downstream Data Coveragewww.downstreamdata.com

33 Institute of Certified Records Managers877.244.3128 – www.ICRM.org

BC Iron Mountainwww.ironmountain.com/advantage

19 NAID www.naid-em.com

29 Paralegal Today877.202.5196 – www.paralegaltoday.com

IBC Recall888.RECALL6 –www.recall.com

IFC RSDwww.rsd.com

5 Xact Data Discovery877.545.XACT – www.xactdatadiscovery.com

9 Zasio Enterprises Inc.800.513.1000 Opt. 1 – www.zasio.com

Thinking aboutadvancing your career?ARMA International’s CareerLink hashelped hundreds of members find newand exciting positions in the informationmanagement profession.

The Job Board lists current openingsfrom companies around the globe. Youcan find valuable esources and tools tohelp your career evolve.

Create your confidential profile and getstarted today at www.arma.org/careers.

Contact Information