
May 2006

eDocument Retention

May 30th ISACA Presentation

Agenda:

• What is Email Archive/Audit?
• The Current Environment
• Data Retention Implementation
• The Ideal Compliant Email Archive
• Proactive Approach – Live Capture
• System Data Flow
• Adaptable Compliance

What is an Email Archive

An offsite or onsite copy of company emails:

• Automatically collected, in an intelligent fashion
• Stored securely
• Fully searchable and auditable
• Eliminating data collection/harvesting during eDiscovery
• Admissible in court


The Situation Today

Business documents are being generated at such a rate that economic retrieval is extremely challenging.

During 2004, enough information was produced worldwide to fill 500,000 libraries of congress.

64 billion emails were sent in 2005 with 108 billion expected in 2008.

Global email traffic has grown to some 171 billion messages per day, of which 71 percent is spam.

The average corporate user sends and receives 113 email messages a day. That translates into nearly 300MB per month.*

By the end of the decade, that number is expected to grow to 160 messages and 417 MB per month.*

As much as 85% of all email data is due to attachments.*

Gartner Group: We spend as much as 20% of our time searching through our email and files.

*Radicati Group

A medium-sized company could exceed Google’s capacity within 2 years

The Library of Congress


The Elephant in the Living Room

Let’s not forget why we have to be compliant –

THE THREAT OF LITIGATION

Only 30% of companies consider search and discovery to be a top priority when choosing an email archiving solution. Of these, 25% said that the main driver for search and discovery functionality was to expedite review and audit processes, and still more to reduce legal discovery costs.

Companies should be ready to do eDiscovery at all times


War Stories

90% of U.S. corporations are involved in litigation and 20% of all companies are sued every year.

Bank of America was fined $50,000 for each email it failed to produce in court. Total penalty: $10 Million.

Morgan Stanley lost $1.45 Billion in damages and was sanctioned for its failure to preserve and produce certain electronic records.

The SEC piled on an additional $15 M penalty, so far…

US corporate financial restatements soared 28% from 2003 to 2004, and 10 to 30% of financial data is erroneous. The cost of erroneous data is $600 Billion in the US.

Schering Plough fined $500 Million for noncompliance in 2002

The typical large corporation paid $16 million in corporate governance costs.

The average company with over $1 Billion in revenues has 147 lawsuits and 48 different financial systems.

The average cost for companies with less than $1 billion in revenue increased by more than 230% since Sarbanes-Oxley went into effect.


War Stories

However, by far the largest penalty for failing to comply is the devastating impact on a company’s market capitalization when shareholders find out that a company is not compliant.

Corporate Compliance Progress

From ARMA Survey 2005:

“Nearly one-half of the respondents (49%) are either ‘not at all confident’ or only ‘slightly confident’ that their organizations could demonstrate that their electronic records were accurate, reliable and trustworthy.”


An Implementation Roadmap

1. Establish Policies for:
   a. Email
   b. Unstructured Data
   c. Financial Reports
   d. Training Materials, etc.

2. Identify data value for all data under management:
   a. Relational by subject area
   b. Content Managed as Related to Relational
   c. Email, Backup and Offsite

3. Dispose of non-regulated, low-value, low-access data with an appropriate audit trail.

4. Develop processes to periodically dispose of expendable data with audit and reporting systems.

Establishing the Retention Policy

• Establishing the Data and Information Retention Policy
• Preservation and Retention Duty
• Compliance
• Litigation
• Creating Your Policy – This is not an IT Problem
• Document Destruction
• Retention Policy and The Litigation Hold
• Information Security

Preservation vs. Retention Duty

Preservation
• Time: foreseeable dispute (shorter than retention)
• Bases: rules, tort, inherent power
• Breach: spoliation
• Penalties: default or dismissal, evidence, fines

Retention
• Time: statute or regulation
• Bases: statutes and regulations
• Breach: spoliation
• Penalties: default or dismissal, evidence, fines, statutory penalties

Purpose of Retention/Destruction

Retention
• Legal compliance
• Litigation preparedness
• Company’s reputation

Destruction
• Reduce operational cost
• Asset protection
• Privacy

Compliance

• 20,000+ statutes and regs require retention

• Consider impact of foreign retention requirements

• Harm of retention spoliation similar to harm of preservation spoliation


Four Legs of Compliance

Compliance is the result of integrated Policies and Processes

The Policy – The Information Records Management Policy is established by corporate Legal. Specific measures for compliance are tied to the policy. What’s the policy and how do you measure compliance?

The Leadership – The Policy is reflected in the visibility, adoption, enforcement and compensation by and for senior management. Does Leadership walk the walk?

The Technology – The Policy is reflected in all aspects of data management. IT is using and NOT establishing The Policy. Does the Procedure tie to the policy?

The Training – The Policy reflected in all aspects of training, education, procedure and compensation. Does everyone understand their responsibility, liability and consequences?


The Compliance Team

The Compliance Team is composed of:

• General Counsel
• Compliance Officer
• Information Architect
• Application Architect
• Content and Messaging Manager
• Training Supervisor

The Compliance Team provides an enterprise understanding of data retention through:

• Comprehensive understanding of corporate policy and procedures related to regulatory compliance
• Elimination of fragmented responses to regulatory inquiry
• Optimized response to litigation discovery

Statutes and Retention

• SEC Rule 17a-4 – Electronic Storage of Broker-Dealer Records
• Gramm-Leach-Bliley Act – Financial Services Modernization Act – 1999
• Sarbanes-Oxley Act of 2002
• FDA 21 CFR Part 11
• DOD 5015.2 – Department of Defense
• Health Insurance Portability and Accountability Act (HIPAA)
• Fair Labor Standards Act
• Occupational Safety and Health Administration (OSHA) Act
• Internal Revenue Service Reform Act
• Food and Drug Administration
• Health and Human Services

Statutes and Retention

SEC Rule 17a-4 Electronic Storage of Broker Dealer Records

Retention – Minimum of 3 Years

Related to the retention of correspondence between the securities company and its customers.

Covers purchase and sale documents, customer and associated persons’ records, customer complaint records and written supervisory procedures.

Additional rules have been established by both the NASD (Sections 2210 and 3010) and the NYSE (Section 342) that require members to comply with SEC 17a-4 or risk fines by both the SEC and the member’s SRO.

Statutes and Retention

“Preserve the records exclusively in a non-rewriteable, non-erasable format.” This requirement does not mean that the records must be preserved indefinitely. Like paper and microfilm, electronic records need only be maintained for the relevant retention period specified in the rule.

The electronic storage media must verify automatically the quality and accuracy of the storage media recording process; serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media; and have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under paragraph (f) as required by the Commission or the self-regulatory organizations of which the member, broker, or dealer is a member.

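The storage controls the rule spells out above (non-rewriteable and non-erasable for the retention period, automatic verification of the recording process, serialization and time-dating of each unit, and an index that can be downloaded on demand) read like a small specification. The Python below is an added example written for this page, not code from the presenters or from any archiving product: it models those controls in memory with an assumed WormArchive class, a SHA-256 re-read check of its own choosing as the "verification", and a constructed sample record. Production systems meet the same requirements with WORM media or object-lock storage; the value of the toy is seeing where each check sits.

```python
# Added example (not from the presentation or any product): an in-memory model
# of the Rule 17a-4(f) storage controls quoted above. Real systems meet them with
# WORM media or object-lock storage; this toy only shows the checks themselves.
import hashlib
import json
from datetime import datetime, timedelta, timezone

class WormViolation(Exception):
    """Raised on an attempt to rewrite, erase early, or read a corrupted record."""

class WormArchive:
    def __init__(self, retention_years=3):
        self._records = {}       # serial -> record dict
        self._next_serial = 1    # serialization of storage units
        self.retention = timedelta(days=365 * retention_years)

    @staticmethod
    def _digest(data):
        return hashlib.sha256(data).hexdigest()

    def store(self, data, now=None):
        """Record a unit: assign a serial, time-date it, then verify the recording
        by re-reading and re-hashing what was actually written."""
        now = now or datetime.now(timezone.utc)
        serial, self._next_serial = self._next_serial, self._next_serial + 1
        expected = self._digest(data)
        self._records[serial] = {"serial": serial, "stored_at": now.isoformat(),
                                 "sha256": expected, "data": bytes(data)}
        if self._digest(self._records[serial]["data"]) != expected:  # automatic verification
            raise WormViolation(f"recording of serial {serial} failed verification")
        return serial

    def read(self, serial):
        """Return a record, re-checking its hash so silent corruption is detected."""
        rec = self._records[serial]
        if self._digest(rec["data"]) != rec["sha256"]:
            raise WormViolation(f"serial {serial} failed its integrity check")
        return rec["data"]

    def overwrite(self, serial, data):
        """Non-rewriteable: there is no code path that changes a stored unit."""
        raise WormViolation(f"serial {serial} is non-rewriteable")

    def erase(self, serial, now=None):
        """Non-erasable within the retention period; disposal is allowed after it."""
        now = now or datetime.now(timezone.utc)
        stored = datetime.fromisoformat(self._records[serial]["stored_at"])
        if now - stored < self.retention:
            raise WormViolation(f"serial {serial} is still inside its retention period")
        del self._records[serial]
        return True

    def export_index(self):
        """Downloadable index (serial, time-date, hash) as JSON, payloads excluded."""
        return json.dumps([{k: v for k, v in r.items() if k != "data"}
                           for r in self._records.values()], indent=2)

def demo():
    """Walk one constructed record through the controls; returns the outcomes."""
    arc = WormArchive(retention_years=3)
    t0 = datetime(2006, 5, 30, tzinfo=timezone.utc)
    msg = b"From: broker@example.test\r\nSubject: trade confirmation\r\n"  # constructed
    serial = arc.store(msg, now=t0)
    out = {"serial": serial, "round_trip": arc.read(serial) == msg}
    attempts = {"overwrite_blocked": lambda: arc.overwrite(serial, b"changed"),
                "early_erase_blocked": lambda: arc.erase(serial, now=t0 + timedelta(days=400))}
    for name, attempt in attempts.items():
        try:
            attempt()
            out[name] = False
        except WormViolation:
            out[name] = True
    out["index_entries"] = len(json.loads(arc.export_index()))
    out["erase_after_retention"] = arc.erase(serial, now=t0 + timedelta(days=365 * 3 + 1))
    out["remaining"] = len(json.loads(arc.export_index()))
    return out
```

Calling demo() walks one record through the checks. The points to take from it: verification happens at write time and again at every read, a rewrite has no code path at all, and erasure is refused until the retention clock has run, after which disposal is permitted, exactly as the passage says.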

Statutes and Retention

Gramm-Leach-Bliley Act or Financial Services Modernization Act of 1999

Retention Period – 6 Years or “Best Practices”

Related to limited privacy protection against the sale of private financial information to third parties.

Personal financial information must be securely retained.

Customers must be advised of the policies in place for sharing personal financial data.

Customers must be able to easily opt out of the sharing of some financial data


Statutes and Retention

Name - Health Insurance Portability and Accountability Act

Retention Periods:
• Complaints – 6 Years
• Medical and Diagnostic Records – 6 Years
• Medicare Records – 5 Years
• Special Consideration for Minors
• Records must be retained for 2 years after a patient’s death

Relates to documents on uses and disclosures, authorization forms, business partner contracts, notices of your information practice, responses to a patient who wants to amend or correct their information, the patient's statement of disagreement, and a complaint record.


Statutes and Retention

The Sarbanes-Oxley Act of 2002

Retention Period – 7 Years

Deals with the falsification, destruction, alteration of documents or data with the intent to impede, obstruct or mislead an investigation by any federal agency. Includes the destruction of materials used in the creation of audits or financial assessments

Applies directly to publicly held companies. US companies valued at over 100 million dollars will spend a combined 2 Billion dollars on implementing SOX. Privately held companies with US ties are adopting SOX as well.

New SOX “Data” Sources

Website Records - Section 403 - Posting stock ownership changes

Internal Control Reports – Section 404 - Audit notes on how the internal control reports are created

Corporate Officer Certification – Section 302 – Who certified which reports and audits and when.

Complaints – Section 301 – The collection, retention and treatment of complaints, external, internal, anonymous as they relate to financial audit and disclosure. Also, a description of how the complaint was addressed.

Penalties – Section 906 – False certification can result in $5,000,000 in penalties and/or 20 years in prison.

Memorable I-Wish-I’d-Deleted-That Emails

“…How much do we need to pay you to screw Netscape?...”

Warm Regards,
Bill Gates, Microsoft Corporation

“…Let’s clean up those files…”

Fondly,
Frank Quattrone, Credit Suisse First Boston


Requirements

I. Speed – The system must provide sub-second response time for most queries.

II. Cost efficiency - The system must be inexpensive.

III. Regulatory compliance – The system must be conformant.

IV. Reliable – The system can never lose or corrupt data.

V. Litigation Readiness – Must be continually ready to produce documents with a verifiable Chain of Custody and no spoliation.


Litigation-Ready System – The Hardware

Utilize a cluster-computing architecture as the basis for a Web-based solution:

• Excellent price / performance
• Excellent scalability
• Excellent reliability
• Extremely fast response times

Litigation-Ready System – The Interface

Design an easy-to-use human interface

• Minimize the learning curve
• Keep employee morale high
• Maximize productivity

Litigation Ready System

• Support most file types with real-time capture: live capture, Outlook, Lotus Notes, Financial Reports, Excel, Word, PDFs…
• Export to major third-party litigation systems: TIFF/PDF, other…
• Minimize operational problems
• Optimize responsiveness to courts
• Handle exceptions
• Talk to other systems


A Litigation-Ready Archival Solution

Searchable / Compliant Email Archival: real-time data collection and intelligent filtering for compliance, with live capture of data into the Repository.

Benefits:
• Off-site email archiving
• Adaptable compliance
• Easy retrieval of emails for all users
• Continuous litigation readiness

Litigation-Ready Solution

Benefits:
• Secure off-site email archive
• Compliance conformance
• Find any email quickly and easily
• Elimination of the data collection/harvesting task
• Litigation readiness with chain of custody and spoliation functions

Components (diagram): Live Capture of data into the Repository; support for major email systems; powerful search; email/file management; full access control; WORM archive.


System Data Flow

Data Life Cycle (diagram, built up over several slides):

• Sources: Message Servers; NAS, SAN, other servers; 3rd parties: KVS, Ziplip, MessageGate
• Live Capture – LITIGATION HOLD
• Deduplication
• Intelligent Filtering
• Compliant Searchable Repository – WORM Option – ASP or In-House – Fully Tailorable
• Repository functions: Administer, Cull, Search, Produce, Audit/Report
• Delete – Multi-Pass Wipe Delete


Intelligent Filtering – Compliance and More

(diagram)

• Input: any file stored in the Repository (captured emails, files, etc.) – multiple file types: Emails, Office Documents, Financial Reports, etc.
• Rule: IF Condition THEN Action
• Conditions: Any Search Result, File “Age”, Content, Boolean, Concept, etc.
• Actions: Send an Email, Place into Folder, Adjust Permission Level, Change Attribute, Delete, etc.
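As an added example that is not from the presentation or from any vendor, the Python below models the pipeline drawn in the System Data Flow slides together with the rule engine of the Intelligent Filtering slide: live capture fingerprints each item, deduplication drops identical content arriving from a second server, IF-condition-THEN-action rules (file age, content, Boolean combinations) move, notify or delete, a litigation hold overrides deletion, and every event lands in an audit trail that doubles as the chain of custody. It goes slightly beyond the slide by treating "place into folder" and "adjust permission level" as two instances of one change-attribute action. The Repository class, the rule syntax, the message samples, the matter name and the address legal@example.test are all assumptions of this example.

```python
# Added example (not from the presentation or any product): capture -> dedup ->
# IF/THEN filtering -> repository or delete, with litigation hold and audit trail.
import hashlib
import re
from datetime import datetime, timedelta, timezone

def fingerprint(raw):
    """Content hash over subject and body; used for dedup and custody checks."""
    return hashlib.sha256((raw["subject"] + "\n" + raw["body"]).encode()).hexdigest()

class Repository:  # searchable repository; the audit trail records every event
    def __init__(self):
        self.items, self.audit, self.notifications = {}, [], []

    def log(self, event, sha256, **detail):
        self.audit.append({"event": event, "sha256": sha256, **detail})

    def ingest(self, raw, captured_at):
        """Live capture plus deduplication: fingerprint at ingest; identical content
        arriving from a second source is logged but not stored a second time."""
        sha = fingerprint(raw)
        if sha in self.items:
            self.log("duplicate", sha, source=raw["source"])
            return False
        self.items[sha] = {**raw, "sha256": sha, "captured_at": captured_at,
                           "folder": "inbox", "permission": "normal", "hold": False}
        self.log("captured", sha, source=raw["source"])
        return True

    def place_hold(self, cond, now, matter):
        """Litigation hold: flagged items survive every disposal rule."""
        for item in self.items.values():
            if cond(item, now):
                item["hold"] = True
                self.log("hold", item["sha256"], matter=matter)

    def verify(self):
        """Chain of custody: every stored item still matches its ingest-time hash."""
        return all(fingerprint(i) == sha for sha, i in self.items.items())

# Conditions: file age, content, Boolean combinations; each takes (item, now)
def older_than(days):
    return lambda item, now: now - item["captured_at"] > timedelta(days=days)

def content_matches(pattern):
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda item, now: bool(rx.search(item["subject"] + "\n" + item["body"]))

def all_of(*conds):
    return lambda item, now: all(c(item, now) for c in conds)

# Actions: change an attribute (folder, permission level), send an email, delete
def act_set(field):
    def act(repo, item, value):
        item[field] = value
        repo.log(f"set_{field}", item["sha256"], value=value)
    return act

def act_notify(repo, item, recipient):
    repo.notifications.append((recipient, item["subject"]))  # a gateway would send it
    repo.log("notified", item["sha256"], to=recipient)

def act_delete(repo, item, _):
    if item["hold"]:                         # the hold overrides the disposal rule
        return repo.log("delete_blocked_hold", item["sha256"])
    del repo.items[item["sha256"]]           # the audit entry outlives the record
    repo.log("deleted", item["sha256"])

ACTIONS = {"folder": act_set("folder"), "permission": act_set("permission"),
           "notify": act_notify, "delete": act_delete}

def apply_rules(repo, rules, now):
    """Run every IF-condition-THEN-action rule over every stored item."""
    for item in list(repo.items.values()):
        for cond, action, arg in rules:
            if item["sha256"] not in repo.items:
                break                        # already disposed of by an earlier rule
            if cond(item, now):
                ACTIONS[action](repo, item, arg)

def demo():
    now = datetime(2006, 5, 30, tzinfo=timezone.utc)
    samples = [("exchange", "Q1 financial report", "Attached: restatement figures.", 30),
               ("exchange", "Lunch?", "Pizza at noon?", 900),
               ("notes", "Q1 financial report", "Attached: restatement figures.", 30),  # second server
               ("nas", "Old project notes", "Project Falcon kickoff agenda.", 1200)]   # (source, subject, body, age)
    repo = Repository()
    for source, subject, body, age in samples:
        repo.ingest({"source": source, "subject": subject, "body": body}, now - timedelta(days=age))
    repo.place_hold(content_matches(r"project falcon"), now, matter="Falcon v. Example")
    is_financial = content_matches(r"financial report|restatement")
    rules = [(is_financial, "folder", "finance-7yr"),
             (all_of(older_than(730), lambda i, n: not is_financial(i, n)), "delete", None),
             (all_of(older_than(365), content_matches(r"falcon")), "notify", "legal@example.test")]
    apply_rules(repo, rules, now)
    events = [e["event"] for e in repo.audit]
    fin_item = next(i for i in repo.items.values() if i["subject"] == "Q1 financial report")
    return {"stored": len(repo.items), "duplicates": events.count("duplicate"),
            "deleted": events.count("deleted"), "hold_blocked": events.count("delete_blocked_hold"),
            "notified": len(repo.notifications), "finance_folder": fin_item["folder"],
            "custody_ok": repo.verify()}
```

Calling demo() runs four constructed messages through the pipeline: the duplicate financial report is logged but not stored twice, the two-year-old lunch note is disposed of under the age rule, the Falcon item survives the same rule only because the hold was placed first, and legal is notified about it. The audit list is the part to keep: a deletion leaves an entry even though the record is gone, which is what a court asks for when spoliation is alleged.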

Thank You For Your Time

E. Casey Roche – Discovery Mining Inc. – 415-561-6780 x116

www.discoverymining.com

Suzanne Riddell – DataForeSight – [email protected] – 303-278-2150

Return On Investment Considerations

Elements:

• Value of risk mitigation: avoid the detrimental effect of failure to comply on the company’s market capitalization; avoid potential penalties (missed deadlines, failure to produce)
• Cost of live capture versus simple tape back-up: tape restoration is extremely expensive; having live capture in place can save 50% to 80% in the event of litigation; 20% of all US companies are litigated against every year
• Quantifiable side benefits: having a secure off-site archive; providing a searchable email archive; avoiding the cost of data collection/harvesting (time and money)

Backups vs. Archives

“But we have a backup!” …sorry, not enough.

Failings:
• No security
• No authenticity
• No search capability
• No easy restore
• No audit

…backups are a legal time bomb

“The defendants did not show any policy that defined what e-mail should be reduced to hard copy because of its importance.” – Murphy Oil USA v. Fluor Daniel