cloud content management & governance…a primer l… · • 50tb of merger/acquisition data on...

Cloud Content Management & Governance…A Primer

San Antonio ARMA Chapter

2Cloud Content Management & Governance…A Primer

John P. Frost, CRM FAISenior Information Governance Specialist for Box

25+ years of Enterprise Content Management (ECM) and Information Governance (IG) experience including informationsecurity and content analytics

Roles Served:

• Corporate Records Manager

• ECM and Governance Technical Consultant

• Governance Technical Seller

• Worldwide Services Practice Lead

• Vice President of Sales and Operations

Certified Records Manager (CRM)

Fellow of ARMA International (FAI)

Customers Served:

• Global corporations

• Foreign governments

• Fortune 500 companies

Agenda /What is Cloud Content Management and Governance?

/Why Govern Cloud Content?

/Case Study 1: Small Cancer Smart Medicine Developer

/Case Study 2: Large Multi-National Bank

/Cloud Deployment Strategies and Best Practices for Governance

/ Summary and Questions

What is Cloud Content Management?


Cloud Content Management is . . .

/ The combination of centralized, cloud-native content services with advanced security and governance

/ Collaboration across the entire extended enterprise becomes seamless

/ The latest machine learning technologies help you maximize the value of every piece of content


Cloud Application Types

“We are not focused on building yesterday’s apps faster; we’re focused on building tomorrow’s apps faster.” —Johan den Haan, Mendix

• Cloud-Native• Built for cloud and mobile• Integration needed for most robust feature set• Generally stronger security and performance

• Managed Hosted Service• On-Prem solution that is virtually hosted• Built for On-Prem• Mobility may be limited


What Information Governance Encompasses

Source: IGInitiative.com


Operational Risk

Privacy Act (AU)

CobiTGramm-Leach-Bliley

California Consumer Privacy Act (CCPA)

Solvency II (EU)

Freedom of Information

HIPAA/HiTECHAnti-terrorism Act (UK)

US DoD 5015.2

Basel III (EU)PIPEDA

GB/T 35273-2017 (CN)

Tread Act

21 CFR Part 11

OSHA 1910.119

Companies Act (UK)Sarbanes-Oxley

ISO 9000 Quality

New York Cyber Regs

DOMEA (DE)ISO 15801 Legal Admissibility

ISO 17799 Information Security

GDPR (EU)

Audit

Computer Crime Law

MoReq2010 (EU)

AML / KYC

PATRIOT Act

FINRA 2210SEC 17a-4

IG ScopeWith Overlapping IG Drivers

ISO 15489 Records

Dodd-Frank 47 CFR Part 42

Privacy & Security

Geopolitical Specific Regulation

Industry Specific RegulationsGovernance

Risk

ITAR/EAR

Why Cloud Content Management and Governance?

10Presentation title: Go to first Master Slide to edit

“Cloud computing is often far more secure than traditional computing, because companies like Google and Amazon can attract and retain cybersecurity personnel of a higher quality

than many governmental agencies.”

Vivek Kundra, VP at Salesforce and former federal CIO of the United States


Why legacy content management no longer works…

Employees expect a digital workplace• Agile internal and external team collaboration

• Access to information anytime, anywhere on any device

• Support for work across a best-of-breed cloud stack

Businesses need to evolve in the digital age• Accelerate process across the extended enterprise

• Deliver modern digital experiences for customers

• Automate processes and drive efficiency with AI

Cyber threats and regulations are constantly changing• Protect the flow of content across the extended enterprise

• Shadow IT creating security and compliance gaps

• Address complicated global regulations (e.g., GDPR)


The wrong mix provides inefficiencies for business

Creation Internal collaboration Publishing GoverningExternal collaborationShare content with

an internal teamShare content with

partners and vendorsPublish to internal and external teams

Retain and govern content

Kick off process


Cloud is the Viable Option…

• Cost• Infrastructure (hardware, backup, storage, licensing)• Human Investment

• Security• Portability• Long-term growth and maintenance• Scalability• Transparent updates• Leverage location• Acceptance• “App” Culture


Cloud Usage


Cloud Initiatives

16Cloud Content Management & Governance…A Primer and Trends in the Industry

Information Lifecycle (or Zone) ModelComposition of information in an organization

50%

15%

35% ROT (Purpose-Served)RecordsWork-in-ProgressOn Hold

1%

• CGOC – 70%

• AIIM – 40%

ROT


Value of InformationOver its lifecycle

Maximum usage includes:AnalyticsArchivingDisposal

Source: CGOC.com


Cloud Infrastructure (IaaS)Cloud Content Management and GovernanceAn Architecture

API Foundation (PaaS)

Governance

Security

Insights

ContentMetadata

Workflow

AI

AppsNative Integrations Customizations


Extend Compliance


Case Study 1

Small Cancer Smart Medicine Developer


Overview of Medical Governance

• Need to have Cloud Content Management solution as a System of Record

• 262,000 files (approximately 800 GB)

• Regulations – GDPR, SOX, 21 CFR Part 11, etc.

• Retention - Disposition


Solution Drivers

• Secure content needing governance• File shares – Limited standards, unknown amount of data


Tools of the Solution

• Box• Box Governance


Lessons Learned

• C-Level approval and support was critical• Governance leads should have training on the content platform as well as the governance

application• Build “playbooks” for tool usage for super users (records coordinators)• Ask vendor if there are existing guide resources that may be shared


Successes

• Over 400 users with content being governed• 800 GB of content being governed and growing• 80 retention policies deployed• 3 legal holds deployed• 7 security classification policies deployed


Case Study 2

Large Multi-National Bank


Overview of Bank Governance

• Assessment with ARMA Principles

• Governance Policy Updates

• Paper Process

• 2.5 Petabytes of Data

• Structured / Unstructured

• Regulations – GDPR, PCI-DSS, SOX, etc

• Retention - Disposition

*Source: Integro


Solution Drivers

• Structured vs Unstructured• Google mail – maintain and dispose – how?• Google sites – what needs to be retained and how?• SharePoint – 6 sites, 1 Terabyte• File shares – Limited standards, unknown amount of data• Retired systems – shut off hardware while maintaining data• Active data growth – mitigate slow response from systems

*Source: Integro


Tools of the Solution

• Cloud-Based on AWS• IBM Atlas Global Retention and Policy Schedule Management• IBM FileNet• IBM Enterprise Records (IER)• IBM StoredIQ• IBM Content Collector for Files & SharePoint (ICC)• IBM Content Classification (ICM)• IBM Content Navigator (ICN)• Navigator for Microsoft Office (NMO)• IBM InfoSphere Optim (Optim)• Estuate ArchLens• On-Premise• IBM Atlas Global Retention and Policy Schedule Management (DB on-prem)

*Source: Integro


Lessons Learned

• C-Level approval and support was critical• Culture shock is inevitable; sound change management needed• Involve the business and users in the process• People want to do the “right” thing• Kick off meetings for each new department streamlined the process• Naming conventions proved vital• Drop down menus keep metadata consistent as much as possible

*Source: Integro


Successes

• 50TB of merger/acquisition data on hold (9 years old)

• File Analysis indexed and identified data requested for litigation

• Locate PCI in shared drives

• PCI Certification made easier by using File Analysis to identify and move data to approved storage

• GDPR – anticipated future success with File Analysis

• Google – future phase leveraging Box Governance

*Source: Integro

Cloud Content Management and Governance…Strategies, Best Practices and Payback


Information Governance Strategy

• Align with Corporate Strategy

• Obtain Executive Support

• DEFINE what your organization will include with Information Governance

• Meet with LOB leaders to explain information governance, why its needed and how it will impact and ALIGN with them; Help paint the “big picture” for governance

• Build policies that are brief, but require minimal review long-term

• Agreement from Compliance, IT, Legal, Records Management, and Security on the policies and requirements necessary for content that is, or will be, stored in cloud content solution


• Define/Enhance governance (especially retention) strategy and policy before technology deployment

• If possible, Clean and Enrich your content/metadata BEFORE moving to the cloud

• Have a strategy to handle the content and records should your organization cancel the contract with the cloud content provider

Information Governance Strategy


Best Practices

• Level set on goals and objectives with ALL relevant groups and stakeholders during project kickoff• Consider dividing your organizational applications into Systems of Engagement and Systems of Record;

this will help determine how to apply retention• Retention in cloud systems needs to accommodate record and non-record content• Align on the vision for how the cloud content and governance tool will be used at your organization (i.e.

what business processes and content will be powered by cloud content management)


Best Practices

• Help stakeholders understand the available functionalities in each solution component and how they can be utilized to address immediate needs/pain points

• Conduct knowledge transfer and training with the users to properly enable them own their solution

• If migrating large volumes into the Cloud Content System, “clean” the content before migration/ingestion into the new system

• Test the solution build in a sandbox environment before production deployment. Even cloud solutions

have sandbox or “Test” environments

• Use simple, big bucket retention; use event-based calculation on critical records

• Destroy information when it meets its required obligation

• Unless government-mandated, do not have destruction approvals


Working with Cloud Providers

• Accessibility • Data Security • Data Location • Data Segregation • Data Integrity

• Data Ownership• Experience of SaaS Provider• Qualifications of Provider’s Staff • Financial Stability of Provider – Bankruptcy?


eDiscoveryData Reduction and IT Costs Risk Reduction

Actual Risk/Burden v Target Reduction for Period

Reduction of Discoverable Data Volume

Storage Volume and Cost by Business

ROI/Payback for Information Governance

Employee Efficiency

Better Work PerformanceBy Managing Storage and Over-Retention


• eDiscovery:

• $18,000 per GB for review and productionº

• Total Storage Volume (GB) X % Estimated Reduction X 1% (Estimated Content on Hold) X $18,000 = Total eDiscovery Savings Potential

• Breach Cost and Reputation Risk:

• Average cost of a data breach is $3.86M*

• # Documents Affected X $141*, OR

• # Customers X $151*

• Storage Costs Reduction:

• $2.5M/per year to store 1 PB plus cost significantly add to run rate

• Storage Cost X Storage Volume X % Estimated Reduction

• Employee Efficiency (Over-Retention)

• 4.5 hours /week spent searching

• 4.5 X # employees = Total Search Time (TST)

• % Efficiency Reduction (5%?) X TST = Total Efficiency Savings (TES)

• TES (hours) X Blended Hourly Employee Rate X 48 (weeks) = Total Employee Efficiency Savings ($)

ROI/PaybackThe Numbers

*. Source: Ponemon Instituteº Source: Rand Institute✤Source: IDC

✤

Cloud Content Management and Governance…Industry Trends


• Content is rapidly moving to Cloud and Cloud Content Management and Governance platforms; allowing for content to be governed from numerous systems

• eDiscovery is also moving fully to cloud• With the above trends, Cloud Access Security Brokers (CASB) and Data Loss Prevention (DLP) tools are

increasing in deployment and use.• File Analysis is allowing organizations to locate and remove redundant, obsolete and trivial (ROT)

information, locate and protect sensitive information and ensure intelligent data migration• Information Governance and Data Governance programs are merging into Unified Governance

programs

Trends in Information Governance United States


• Auto-Classification of information is becoming more prevalent, and eDiscovery is using A.I. and analytics for Technology-Assisted Review (TAR)

• Security and protection of information assets is the main focus• Robotics Process Automation (RPA) is gaining ground for repetitive tasks such as metadata assignment

to information• Blockchain is now being looked at and tested for content management and governance. While there is

a lot of hype, we are still a few years away from anything solid being deployed• Internet of Things (IOT) poses a huge information governance challenge around volume of data and

security and privacy of that data• Regulation around data privacy and governance is increasing worldwide; the concern to be addressed is

security and ETHICAL use of data

Trends in Information Governance United States


In summary . . . / Organizations are moving to cloud at a rapid rate

/ Clean your data before moving to cloud

/ These are two of many organizations successfully governing in the cloud

/ Know your cloud vendor

/ You will govern MORE than just records

/ Simple is the key

/ ROI is out there!

/ The industry is changing…keep up!

John [email protected]

<TRACK NAME>Next session:

Maximizing GDPR and Global Data Protection Compliance1:45 PM RM 2004/2006

On the exhibit floor:

• Visit our demo's of Relay

• Visit IBM on the Exhibit Floor

Visit us online:

• Box.com/Apps