May 2006: eDocument Retention
May 30th ISACA Presentation

Agenda:
• What is Email Archive/Audit?
• The Current Environment
• Data Retention Implementation
• The Ideal Compliant Email Archive
• Proactive Approach - Live Capture
• System Data Flow
• Adaptable Compliance

What is an Email Archive
An offsite or onsite copy of company emails:
• Automatically collected
• In an intelligent fashion
• Stored securely
• Fully searchable and auditable
• Eliminating data collection/harvesting during eDiscovery
• Admissible in court

The Situation Today
• Business documents are being generated at such a rate that economic retrieval is extremely challenging.
• During 2004, enough information was produced worldwide to fill 500,000 Libraries of Congress.
• 64 billion emails were sent in 2005, with 108 billion expected in 2008.
• Global email traffic has grown to some 171 billion messages per day, of which 71 percent is spam.
• The average corporate user sends and receives 113 email messages a day. That translates into nearly 300 MB per month.*
• By the end of the decade, that number is expected to grow to 160 messages and 417 MB per month.*
• As much as 85% of all email data is due to attachments.*
• Gartner Group: We spend as much as 20% of our time searching through our email and files.
• A medium-sized company could exceed Google’s capacity within 2 years.
*Radicati Group
(Image: The Library of Congress)

The Elephant in the Living Room
Let’s not forget why we have to be compliant: THE THREAT OF LITIGATION
Only 30% of companies consider search and discovery to be a top priority when choosing an email archiving solution. Of these, 25% said that the main driver for search and discovery functionality was to expedite review and audit processes, and still more to reduce legal discovery costs.
Companies should be ready to do eDiscovery at all times.

War Stories
• 90% of U.S. corporations are involved in litigation and 20% of all companies are sued every year.
• Bank of America was fined $50,000 for each email it failed to produce in court. Total penalty: $10 Million.
• Morgan Stanley lost $1.45 Billion in damages and was sanctioned for its failure to preserve and produce certain electronic records. The SEC piled on an additional $15 M penalty, so far…
• US corporate financial restatements soared 28% from 2003 to 2004, and 10 to 30% of financial data is erroneous. The cost of erroneous data is $600 Billion in the US.
• Schering Plough was fined $500 Million for noncompliance in 2002.
• The typical large corporation paid $16 million in corporate governance costs.
• The average company with over $1 Billion in revenues has 147 lawsuits and 48 different financial systems.
• The average cost for companies with less than $1 billion in revenue increased by more than 230% since Sarbanes-Oxley went into effect.

War Stories
However, by far the largest penalty for failing to comply is the devastating impact on a company’s market capitalization when shareholders find out that a company is not compliant.

Corporate Compliance Progress
From ARMA Survey 2005:
“Nearly one-half of the respondents (49%) are either ‘not at all confident’, or only ‘slightly confident’, that their organizations could demonstrate that their electronic records were accurate, reliable and trustworthy.”
(Image: randomly selected company logos)

An Implementation Roadmap
1. Establish Policies for:
   a. Email
   b. Unstructured Data
   c. Financial Reports
   d. Training Materials, etc.
2. Identify data value for all data under management:
   a. Relational by subject area
   b. Content Managed as Related to Relational
   c. Email, Backup and Offsite
3. Dispose of non-regulated, low-value, low-access data with an appropriate audit trail.
4. Develop processes to periodically dispose of expendable data with audit and reporting systems.

Establishing the Retention Policy
• Establishing the Data and Information Retention Policy
• Preservation and Retention Duty
• Compliance
• Litigation
• Creating Your Policy – This is not an IT Problem
• Document Destruction
• Retention Policy and The Litigation Hold
• Information Security

Preservation vs. Retention Duty
Preservation:
• Time: foreseeable dispute (shorter than retention)
• Bases: rules, tort, inherent power
• Breach: spoliation
• Penalties: default or dismissal, evidence, fines
Retention:
• Time: statute or regulation
• Bases: statutes and regulations
• Breach: spoliation
• Penalties: default or dismissal, evidence, fines, statutory penalties

Purpose of Retention/Destruction
Retention:
• Legal compliance
• Litigation preparedness
• Company’s reputation
Destruction:
• Reduce Operational Cost
• Asset protection
• Privacy

Compliance
• 20,000+ statutes and regs require retention
• Consider impact of foreign retention requirements
• Harm of retention spoliation similar to harm of preservation spoliation

Four Legs of Compliance
Compliance is the result of integrated Policies and Processes.
The Policy – The Information Records Management Policy is established by corporate Legal. Specific measures for compliance are tied to the policy. What’s the policy, and how do you measure compliance?
The Leadership – The Policy is reflected in the visibility, adoption, enforcement and compensation by and for senior management. Does Leadership walk the walk?
The Technology – The Policy is reflected in all aspects of data management. IT is using, NOT establishing, The Policy. Does the Procedure tie to the policy?
The Training – The Policy is reflected in all aspects of training, education, procedure and compensation. Does everyone understand their responsibility, liability and consequences?

The Compliance Team
The Compliance Team is composed of:
• General Counsel
• Compliance Officer
• Information Architect
• Application Architect
• Content and Messaging Manager
• Training Supervisor
The Compliance Team provides an enterprise understanding of data retention through:
• Comprehensive understanding of corporate policy and procedures related to regulatory compliance.
• Elimination of fragmented responses to regulatory inquiry.
• Optimized response to Litigation Discovery.

Statutes and Retention
• SEC Rule 17a-4 – Electronic Storage of Broker Dealer Records
• Gramm-Leach-Bliley Act – Financial Services Modernization Act – 1999
• Sarbanes-Oxley Act of 2002
• FDA 21 CFR Part 11
• DOD 5015.2 – Department of Defense
• Health Insurance Portability and Accountability Act (HIPAA)
• Fair Labor Standards Act
• Occupational Safety and Health Administration (OSHA) Act
• Internal Revenue Service Reform Act
• Food and Drug Administration
• Health and Human Services

Statutes and Retention
SEC Rule 17a-4 – Electronic Storage of Broker Dealer Records
Retention – Minimum of 3 Years
Related to the retention of correspondence between the securities company and its customers:
• Purchase and sale documents
• Customer and associated persons’ records
• Customer complaint records
• Written supervisory procedures
Additional rules have been established by both the NASD (Sections 2210 and 3010) and the NYSE (Section 342) that require members to comply with SEC 17a-4 or risk fines by both the SEC and the member’s SRO.

Statutes and Retention
“preserve the records exclusively in a non-rewriteable, non-erasable format.” This requirement does not mean that the records must be preserved indefinitely. Like paper and microfilm, electronic records need only be maintained for the relevant retention period specified in the rule.
The electronic storage media must: verify automatically the quality and accuracy of the storage media recording process; serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media; and have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under paragraph (f) as required by the Commission or the self-regulatory organizations of which the member, broker, or dealer is a member.

Statutes and Retention
Gramm-Leach-Bliley Act, or Financial Services Modernization Act of 1999
Retention Period – 6 Years or “Best Practices”
Related to limited privacy protection against the sale of private financial information to third parties:
• Personal financial information must be securely retained.
• Customers must be advised of the policies in place for sharing personal financial data.
• Customers must be able to easily opt out of the sharing of some financial data.

Statutes and Retention
Health Insurance Portability and Accountability Act
Retention Periods:
• Complaints – 6 Years
• Medical and Diagnostic Records – 6 Years
• Medicare Records – 5 Years
• Special Consideration for Minors
• Records must be retained for 2 years after a patient’s death
Relates to documents on uses and disclosures, authorization forms, business partner contracts, notices of your information practice, responses to a patient who wants to amend or correct their information, the patient's statement of disagreement, and a complaint record.

Statutes and Retention
The Sarbanes-Oxley Act of 2002
Retention Period – 7 Years
Deals with the falsification, destruction or alteration of documents or data with the intent to impede, obstruct or mislead an investigation by any federal agency. Includes the destruction of materials used in the creation of audits or financial assessments.
Applies directly to publicly held companies. US companies valued at over 100 million dollars will spend a combined 2 Billion dollars on implementing SOX. Privately held companies with US ties are adopting SOX as well.

New SOX “Data” Sources
Website Records - Section 403 - Posting stock ownership changes
Internal Control Reports – Section 404 - Audit notes on how the internal control reports are created
Corporate Officer Certification – Section 302 – Who certified which reports and audits and when.
Complaints – Section 301 – The collection, retention and treatment of complaints, external, internal, anonymous as they relate to financial audit and disclosure. Also, a description of how the complaint was addressed.
Penalties – Section 906 – False certification can result in $5,000,000 in penalties and/or 20 years in prison.

Memorable I-Wish-I’d-Deleted-That Emails
“…How much do we need to pay you to screw Netscape?...”
Warm Regards,
Bill Gates, Microsoft Corporation

“…Let’s clean up those files…”
Fondly,
Frank Quattrone, Credit Suisse First Boston

Requirements
I. Speed – The system must provide sub-second response time for most queries.
II. Cost efficiency – The system must be inexpensive.
III. Regulatory compliance – The system must be conformant.
IV. Reliable – The system can never lose or corrupt data.
V. Litigation Readiness – Must be continually ready to produce documents with a verifiable Chain of Custody and no spoliation.

Litigation-Ready System – The Hardware
Utilize a cluster-computing architecture as the basis for a Web-based solution:
• Excellent Price / Performance
• Excellent Scalability
• Excellent Reliability
• Extremely Fast Response Times

Litigation-Ready System – The Interface
Design an easy-to-use human interface:
• Minimize the learning curve
• Keep employee morale high
• Maximize productivity

Litigation Ready System
• Support most file types with real-time capture
• Export to major third-party litigation systems
(Diagram: inputs: Live capture, Outlook, Lotus Notes, Financial Reports, Excel, Word, PDFs…; outputs: TIFF/PDF, Other…)
• Minimize operational problems
• Optimize responsiveness to courts
• Handle exceptions
• Talk to other systems

A Litigation-Ready Archival Solution
Searchable / Compliant Email Archival: real-time data collection, intelligent filtering for compliance.
Benefits:
• Off-site email archiving
• Adaptable compliance
• Easy retrieval of emails for all users
• Continuous litigation readiness
(Diagram: Live Capture of data → Repository)

Litigation-Ready Solution
Benefits:
• Secure off-site email archive
• Compliance conformance
• Find any email quickly and easily
• Elimination of the data collection/harvesting task
• Litigation readiness with chain of custody and spoliation functions
(Diagram: Live Capture of data → Repository; Support major email systems; Powerful Search; Email/File Management; Full Access Control; WORM Archive)

System Data Flow
(Diagram, built up over several slides; the recoverable stages and labels are listed here.)
Sources:
• Message Servers
• 3rd-Parties: KVS, Ziplip, MessageGate
• NAS, SAN, other servers
Data Life Cycle:
• Live Capture (Live Capture – LITIGATION HOLD)
• Deduplication
• Intelligent Filtering
• Compliant Searchable Repository (ASP or In-House; Fully Tailorable; WORM Option)
• Delete (Multi-Pass Wipe Delete)
Repository functions: Administer, Cull, Search, Produce, Audit/Report

Intelligent Filtering – Compliance and More
(Diagram: Captured Emails, Files, etc. → IF Condition THEN Action)
Input: any file stored in the Repository; multiple file types:
• Emails
• Office Documents
• Financial Reports
• Etc.
Conditions (any search result):
• File “Age”
• Content
• Boolean
• Concept
• Etc.
Actions:
• Send an Email
• Place into Folder
• Adjust Permission Level
• Change Attribute
• Delete
• Etc.
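The data-flow stages (live capture, deduplication, intelligent filtering, litigation hold, repository, delete) and the IF condition THEN action rules on this and the preceding slides, as an added Python example that is not part of the presentation or of any product it mentions. It models the pipeline in memory: a content-hash deduplication step at capture, rules over file age and content (including a boolean combination), folder and delete actions, a litigation hold that overrides any disposal rule, and an append-only, hash-chained audit log as a minimal chain-of-custody check. Every class and function name, the rules and the sample messages are constructed for illustration.

```python
import hashlib
import json
from datetime import date, timedelta

TODAY = date(2006, 5, 30)  # constructed "as-of" date used by the file-age condition

def mail(msg_id, sender, subject, body, days_ago):  # constructed message, received days_ago before TODAY
    return {"msg_id": msg_id, "sender": sender, "subject": subject, "body": body,
            "received": TODAY - timedelta(days=days_ago), "folder": "inbox"}

def content_hash(msg):
    # Dedup key: the same message captured from several mailboxes hashes identically.
    canon = "\n".join([msg["sender"], msg["subject"], msg["body"], msg["received"].isoformat()])
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

class Repository:  # hypothetical compliant repository: dedup, IF/THEN rules, hold, chained audit log
    def __init__(self, today=TODAY):
        self.today, self.store, self.holds, self.rules, self.audit = today, {}, set(), [], []

    def record(self, event, **detail):
        # Append-only audit log; each entry carries the hash of its predecessor (chain of custody).
        prev = self.audit[-1]["entry_hash"] if self.audit else "0" * 64
        entry = {"event": event, "prev": prev, **detail}
        entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode("utf-8")).hexdigest()
        self.audit.append(entry)

    def verify_audit(self):
        # Rebuild the chain from the logged events; any edited, reordered or removed entry changes a hash.
        check = Repository(self.today)
        for entry in self.audit:
            check.record(**{k: v for k, v in entry.items() if k not in ("prev", "entry_hash")})
        return [e["entry_hash"] for e in check.audit] == [e["entry_hash"] for e in self.audit]

    def capture(self, msg):
        # Live capture with deduplication; False means this content was already stored.
        h = content_hash(msg)
        if h in self.store:
            return False
        self.store[h] = msg
        self.record("captured", hash=h, msg_id=msg["msg_id"])
        return True

    def place_hold(self, condition):
        # Litigation hold: matching messages can no longer be deleted by any rule.
        held = [h for h, m in self.store.items() if condition(m, self)]
        for h in held:
            self.holds.add(h)
            self.record("hold_placed", hash=h)
        return len(held)

    def apply_rules(self):
        # IF condition THEN action, evaluated for every stored message.
        outcome = {"moved": 0, "deleted": 0, "blocked": 0}
        for msg in list(self.store.values()):
            for name, condition, action in self.rules:
                if condition(msg, self):
                    result = action(msg, self)
                    self.record("rule_applied", rule=name, hash=content_hash(msg), result=result)
                    outcome[result] += 1
                    if result == "deleted":
                        break  # a removed message gets no further actions
        return outcome

# Conditions take (message, repo) and return bool; actions return a result label.
def contains(term):
    return lambda m, r: term.lower() in (m["subject"] + "\n" + m["body"]).lower()
def older_than(days):
    return lambda m, r: (r.today - m["received"]) > timedelta(days=days)
def all_of(*conds):
    return lambda m, r: all(c(m, r) for c in conds)
def move_to(folder):
    return lambda m, r: (m.update(folder=folder), "moved")[1]
def delete(m, r):
    h = content_hash(m)
    if h in r.holds:  # the hold wins over any disposal rule
        r.record("delete_blocked", hash=h)
        return "blocked"
    del r.store[h]
    r.record("deleted", hash=h)
    return "deleted"

def demo():
    repo = Repository()
    feed = [  # constructed capture feed; m3 is m2 seen again in a second mailbox
        mail("m1", "cfo@example.com", "Q1 quarterly report", "Attached is the quarterly report.", 10),
        mail("m2", "promo@example.net", "You won a free prize", "Claim your free prize today.", 90),
        mail("m3", "promo@example.net", "You won a free prize", "Claim your free prize today.", 90),
        mail("m4", "legal@example.com", "Project Falcon campaign", "Free prize campaign notes for Project Falcon.", 60),
    ]
    stored = sum(repo.capture(m) for m in feed)
    repo.rules = [("retain-financial", contains("quarterly report"), move_to("financial-retention")),
                  ("purge-stale-promos", all_of(older_than(30), contains("free prize")), delete)]
    held = repo.place_hold(contains("Project Falcon"))  # placed before disposal rules run
    outcome = repo.apply_rules()
    return {"stored": stored, "held": held, **outcome, "remaining": len(repo.store),
            "audit_valid": repo.verify_audit(), "audit_entries": len(repo.audit), "repo": repo}
```

demo() captures four messages, stores three (the duplicate is recognised by content hash), moves the financial report into a retention folder, deletes the stale promotional message, and refuses to delete the held message even though the same disposal rule matches it; every one of these decisions appears in the audit log, and editing any logged entry afterwards makes verify_audit() return False. A real archive would keep the log and the WORM store outside the reach of the process that writes to them; this in-memory version only shows the ordering of the checks.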

Thank You For Your Time
E. Casey Roche – Discovery Mining Inc. – 415-561-6780 x116
www.discoverymining.com
Suzanne Riddell – DataForeSight – [email protected] – 303-278-2150

Return On Investment Considerations
Elements:
• Value of risk mitigation
  • Avoid the detrimental effect of a failure to comply on the company’s market capitalization
  • Avoid potential penalties: missed deadlines, failure to produce
• Cost of live capture versus simple tape back-up
  • Tape restoration is extremely expensive
  • Having live capture in place can save 50% to 80% in the event of litigation
  • 20% of all US companies are litigated against every year
• Quantifiable Side Benefits
  • Having a secure off-site archive
  • Providing a searchable email archive
  • Avoiding the cost of data collection/harvesting: time and money

Backups vs. Archives
“But we have a backup!” …sorry, not enough.
Failings:
• No security
• No authenticity
• No search capability
• No easy restore
• No audit
…backups are a legal time bomb
“The defendants did not show any policy that defined what e-mail should be reduced to hard copy because of its importance.”
Murphy Oil USA v. Fluor Daniel