The Policy Survey Project

An Osterman Research White Paper
Published November 2011

Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934 • [email protected]
www.ostermanresearch.com • twitter.com/mosterman


The Policy Survey Project – Fall 2011

©2011 Osterman Research, Inc. 1

Executive Summary

WHAT IS THE POLICY SURVEY PROJECT?

The Policy Survey Project is a semi-annual survey program focused on the evolution of policies and controls around email, archiving and compliance. This semi-annual survey is designed to address the concerns of four key executive roles – Human Resources, IT, Legal and Operations – within organizations of various sizes. The goals of the program are three-fold:

• Gauge the current state of corporate policies and the deficiencies or risks that need to be addressed.

• Map the evolution of how policies and controls are designed, implemented and monitored over time.

• Understand the policy “temperature” in the corporate market as a reflection of the intent to invest in better risk management technology, services and processes.

OVERVIEW

Virtually every aspect of messaging management must follow a set of policies that are dictated by corporate best practice, legal requirements, regulatory obligations or industry standards. For example, every organization should address a growing number of sometimes-difficult issues focused on their messaging infrastructure:

• Which communication technologies are allowed in the workplace and which are not?

• How will personal devices used for work purposes be managed?

• How will content be managed for long periods to satisfy legal, regulatory and other requirements?

• What constitutes “acceptable use” of corporate communications resources and what does not?

• Should different employees be subject to different policy requirements based on their role in the organization?

• To what extent does an organization have the right to dictate what employees tweet or post on Facebook?

The answers to these questions, and the technologies and practices that organizations implement to address them, are critically important to minimize corporate risk, maximize employee productivity and generally advance the cause of the organization.

BACKGROUND AND METHODOLOGY

During summer and early fall 2011, Osterman Research conducted a total of 472 online surveys with individuals in four functional areas: IT, Human Resources, Operations and Legal in organizations of various sizes. Most of the surveys were conducted with organizations in North America.


We made the decision to make this white paper a primarily quantitative discussion of the research findings, presenting the detailed results of the research in the form of the questions that were asked of the various groups and the research findings themselves. To make the data easier to access, we have color coded the graphics in this report to correspond with the groups that were surveyed, as shown in the following figure, although the groups surveyed are identified in each of the graphics in this report.

[Figure: color key for the surveyed groups: Human Resources, IT, Legal, Operations]

ABOUT THIS WHITE PAPER This white paper represents the first in a series of semi-annual reports focused on messaging policy-related issues. It was sponsored by Dell, information about which is provided at the end of this white paper.

Key Findings – Fall 2011

• A divergence of opinions

Our research found that there are significant differences of opinion between the various functions that we surveyed. We ascribe much of this to two important factors: a) a lack of communication between key stakeholders that arises primarily from lack of familiarity with other groups within a company, as well as b) divergent interests between the functions. For example, while legal may have a critical need to ensure that business records are retained for e-discovery, legal hold or regulatory compliance purposes, IT has a primary interest in the technology to preserve these records, not the reasons for which they are being retained.

• Basic security policies are widely implemented

While virtually all organizations have deployed anti-malware and anti-spam technologies, we also found that 85% of organizations automatically update applications attached to email to protect them from viruses, malware and unwanted content. Moreover, nearly two-thirds of organizations give email users self-service access for purposes of managing their quarantined spam, white lists, black lists, etc.

• Most organizations have implemented an acceptable use policy for email

Five out of six organizations surveyed have implemented an acceptable use policy for email. However, fewer have actually deployed a control system for this policy, such as through an employee signature or other formal acknowledgement program. The good news is that three out of four organizations have a documented and clearly understood process for dealing with breaches of the policy.

• Technology has been deployed to support acceptable use policies for email

Most organizations have deployed at least some capabilities in support of their acceptable use policies for email. For example, 86% can block or allow certain domains or senders; 66% have established filtering policies based on keywords or other parameters for inbound email; and 59% can apply filtering policies at the domain, group or user level.

• Many organizations do not have a formal email retention policy

Our research found that only 54% of organizations have implemented a formally documented email retention policy and have trained their employees on it. Representing more risk, however, is the fact that only 53% of organizations can guarantee that messages are being preserved for the time set in their retention policies, and that only 62% of organizations report that their message retention policies are applied to their corporate message stores as required by company policy.

• Content is often not stored in a central location

Only about one-quarter of organizations have implemented controls to prevent users from creating their own archives on a local storage device. While activities like e-discovery and data mining can still be effective on widely distributed data, many organizations have not implemented the tools to enable the necessary data gathering from distributed sources, making them vulnerable to an inability to produce all required data during e-discovery, early case assessment or regulatory audits.

• Most organizations do not use WORM storage for content archives

Our research found that only 36% of organizations have storage capabilities that support an archiving solution with Write Once Read Many (WORM) functionality. This is generally not a requirement outside of the financial services industry, but it can be considered a best practice to prevent tampering and erasure of critical business records.

• Many organizations do not readily encrypt content

Despite the availability of very good encryption capabilities both on-premise and in the cloud, only one-half of the organizations surveyed report that it is possible for their end users to encrypt sensitive messages or have their emails automatically encrypted based on content – in fact, only one-third of IT-focused respondents report that automatic encryption has been implemented. This represents not only a serious potential risk for unauthorized access to confidential or sensitive information, but also a potential for statutory violations in jurisdictions that require encryption, such as Nevada and Massachusetts.

• Many organizations cannot search security logs after a data breach

Our research found that 70% of organizations can search security logs following a breach of their email acceptable use policy, but 30% cannot. This leaves many organizations vulnerable to not being able to fully analyze the cause and extent of data breaches, increasing their risk of non-compliance.

• HR content filtering is deployed in only about one-half of organizations

Our research found that only 52% of organizations have implemented policies for automatic detection and filtering of confidential HR information, such as salary information, Social Security numbers, address lists and similar types of sensitive content. Perhaps explaining the relatively low level of content filtering is the fact that almost the same proportion of organizations have conducted and implemented a categorization of electronic information based on security and confidentiality levels. This reveals that many organizations have a great deal of work to do in the context of protecting their sensitive data assets.

• Filtering for other purposes is sorely lacking

Our research found that only slightly more than one-quarter of organizations are filtering outbound content that may be going to the domains of known competitors. This leaves organizations vulnerable to the loss of sensitive or confidential competitive information from disgruntled employees or those who send content to competing firms by mistake. Moreover, only 56% of organizations’ email systems support the filtering and quarantine of inbound or outbound content that could lead to legal disputes, such as insider knowledge, sexual or racial harassment, or inappropriate content in attachments.

• Monitoring and compliance are lacking

Most organizations surveyed are not filtering outgoing email based on keywords or lexicons for libelous, inappropriate or defamatory content. Moreover, only one-third of organizations have established automatic triggers that set off an alert when email policies are violated. Here again, this leaves organizations vulnerable to risks of non-compliance and legal culpability in the event of a data breach, sexually harassing content sent through email, or some other violation of corporate policy or the law. However, our research also found that most organizations have not even conducted a risk assessment for the types of digital content that are sent or received through their corporate email system, making them even more vulnerable owing to the lack of insight about traffic flows and associated risks.

• There are a variety of e-discovery vulnerabilities

In only one-half of organizations have employees been formally trained to understand the legal status that an email message holds in a court of law. On a more positive note, however, 82% of organizations believe they have the ability to meet the requirements of an e-discovery request for their email records, while 65% believe that an e-discovery request can be performed both rapidly and with a minimum of disruption to the organization. Interestingly, we found a discrepancy between what legal and IT respondents told us about their e-discovery capabilities. While 82% of legal-focused respondents believe that their organization has the ability to meet the requirements of an e-discovery request for email records, only 56% of IT-focused respondents believe that their organization has implemented the processes necessary to produce every required email in the event of an e-discovery request. This seeming disconnect may be due to a lack of communication between the legal and IT functions in many organizations (the missing “legal-IT handshake”), or it may be due to a lack of legal’s understanding of the tools that IT has deployed – or not deployed.

• Some e-discovery capabilities may be incomplete

We found that in 56% of organizations, IT believes it can satisfy all e-discovery requests by producing messages as if they were still in the system in native format, with none of the original header information altered and all metadata, such as tracking or status flags, kept completely intact. However, in four out of 11 organizations, IT does not believe it has the ability to satisfy e-discovery requests this completely. Moreover, only three out of five organizations believe their email capabilities provide adequate support for litigation holds, while only 54% believe that such a hold can be deployed confidentially across email, contact lists, task lists and calendar items. This leaves organizations vulnerable to spoliation of evidence, a serious problem given the severity of judgments handed down in a variety of cases in the recent past.

• Two-thirds of organizations have policies for auditing employee email

Our research found that slightly more than two-thirds of organizations have implemented clear policies that establish who can audit an employee’s email. Further, the same proportion of organizations has policies in place to prevent unauthorized possession of the personal archives of employees who are dismissed or voluntarily leave.

• Many are vulnerable to data loss from lost or misplaced mobile devices

More than 70% of organizations have established clear security policies to prevent the unauthorized access to email records that are stored on a laptop or smartphone if the device is lost or stolen. However, nearly 30% have not established these policies, making them subject to data breaches and other fairly nasty consequences arising from the loss of mobile devices. However, among organizations that have clear security policies to prevent the unauthorized access of email records present on a laptop or a smartphone if the device is lost or stolen, 79% of these organizations have formalized these policies and monitor their compliance.

• Two-thirds of organizations have email acceptable use training programs

Our research found that two-thirds of organizations have implemented a training program to make employees aware of the potential reputation damage that could ensue if email is misused. Further, three out of five organizations’ employees have been formally trained to understand the consequences of misusing the email system.

• Two in five organizations have not implemented email redundancy

Only three in five organizations have implemented redundancy into their email infrastructure. Given the critical importance of email as both a communications and a file transport infrastructure in most organizations, the lack of redundancy leaves organizations vulnerable to even minor outages caused by power disruptions or localized inclement weather.

• Disaster recovery planning needs some work

Our research found that four out of five organizations have business disaster and continuity plans for their email systems, but that only 63% of organizations have implemented systems and procedures to restore their email system as documented in these plans. Among those organizations that have implemented systems and procedures to restore their email system, only 71% have documented and rehearsed their procedures.

Among organizations that have a business disaster and continuity plan for email, 22% report that they cannot restore service in less than 24 hours.

• Most organizations are not enforcing their code of business ethics

The vast majority of organizations surveyed have implemented a code of business ethics, but fewer than two in five organizations with such a code are enforcing it through email monitoring. This leaves organizations open to significant risk, not only because of the lack of monitoring, but also because of the disconnect between the implication of ethical behavior and the perceived lack of effort in enforcing it.

• Many organizations have an anonymous “whistle-blower” account

Our research found that slightly more than one-half of organizations have implemented an anonymous whistle-blower account for reporting suspected abuses.

SUMMARY

Our research clearly demonstrates that organizations of all sizes have serious policy issues, both in a lack of sufficient policies to address key areas around retention, encryption, disaster recovery and other important areas, as well as in enforcement of the policies that they have developed.

Recommendations

Although detailed recommendations about corporate policies must be made on a case-by-case basis, we can offer some high level recommendations about where improvements can be made in most organizations, particularly those that are quite large and/or that are geographically distributed:

• The need for a “meet-and-greet”

Our research clearly demonstrates that IT, HR, Operations and Legal are not always fully informed about the activities and perceptions of one another. As but one case in point, our research indicated a significant difference in the perceived readiness for e-discovery between legal and IT. To begin to resolve these issues, all organizations should have at least occasional meetings between key members of key corporate functions. The goal of these meetings should be to establish – at a minimum – informal relationships so that managers of each function can know who to contact when they have questions or when issues arise.

• Use appropriate communication and social media channels

It is also important to implement the appropriate technologies to facilitate cross-functional communication. For example, implementing an internal social media capability that enables employees to find one another based on a search of expertise, background, etc. can be invaluable in building bridges between functions within a company. A tool like Lotus Atlas for Connections, for instance, can build visual chains from one individual to another, facilitating introductions and communications in ways that traditional email or other tools cannot.


• Implement a comprehensive plan

Finally, it is critical to develop a corporate plan for e-discovery, content management, digital rights management, content filtering, appropriate use of email and other tools, etc. The key here is a) to implement a plan at the corporate level instead of at individual functional levels, and b) to obtain buy-in from all key stakeholders in IT, HR, Operations, Legal, senior management, outside legal counsel, and the like. Many organizations develop departmental plans that are not as integrated with one another as they need to be, leading to conflicts between larger organizational goals and the goals of the individual stakeholders. Moreover, it is critical to implement a feedback mechanism so that policies can be a) created, b) enforced, c) monitored and d) updated when needed.

[Figure: policy lifecycle: Create, Enforce, Monitor, Update]

Acceptable Use Policies

KEY POINTS

• Most organizations have acceptable use policies

Our research found that the vast majority of organizations have acceptable use policies (AUPs) in place, with five out of six HR organizations reporting that they have been implemented.

• However, these tend to be basic policies without significant underlying support

The research also found that among organizations that have these policies there is not as much underlying “support” as there should be. For example, while 84% of HR organizations report having an AUP, only 69% have systems in place for employee acknowledgement of them; only 76% have documented processes for dealing with AUP breaches; and significantly fewer of these organizations’ IT departments have implemented specific controls around content protection and filtering.

• HR and IT need to be more in sync

Our research finds that HR and IT departments, while not completely out of sync with regard to AUPs, need to work more closely together so that content filtering and protection supports HR’s AUPs. Moreover, it is important for HR itself to work on implementing control systems for updating and ensuring compliance with AUPs.

[Chart] “Has your organization implemented an acceptable use policy for email?” Human Resources, n = 68 out of 70 total responses

[Chart] “Have you implemented a control system whereby employees sign or otherwise formally acknowledge your organization's acceptable usage policy for email?” Human Resources, n = 70 out of 70 total responses

[Chart] “IF YOU HAVE AN ACCEPTABLE USE POLICY FOR EMAIL: Does a documented process exist for dealing with breaches of your Acceptable Email Usage policy and is it clearly understood?” Human Resources, n = 59 out of 70 total responses

[Chart] “IF YOU HAVE AN ACCEPTABLE USE POLICY FOR EMAIL: Has your organization implemented a process to update users on any changes to the acceptable email use policy?” Human Resources, n = 59 out of 70 total responses

[Chart] “Has your organization implemented a documented procedure for the creation of new user mailboxes and the permissions they should allow?” Human Resources, n = 68 out of 70 total responses

[Chart] “Have you implemented email filter settings to match your organization’s acceptable email usage policy to cover the following elements? Please check all that apply.” IT, n = 122 out of 132 total responses

[Chart] “In the event of an email acceptable use policy breach are you able to search security logs?” IT, n = 132 out of 132 total responses


Policies Focused on Encryption and Sensitive Content

KEY POINTS

• Organizations are at serious risk

Our research clearly indicates that organizations are at serious risk for losing sensitive or confidential content through email and other communication tools.

• Key risk factors

Among the leading causes of risk to organizations in this regard is the fact that fewer than one-half of organizations have conducted a risk assessment for digital content flowing through their email systems, fewer than one-half are filtering email for potentially damaging keywords, and only one-third trigger alerts when email policies are violated.

• Encryption is lacking

Only one-half of organizations enable users to manually encrypt sensitive content, while only one-third automatically encrypt messages based on corporate policies.

• Sensitive content is not being detected and filtered

Moreover, sensitive content such as HR documents is not being detected and managed when sent through email in nearly one-half of organizations. In fewer than one-third of organizations is content that might be going to competitors being scanned.

[Chart] “Which of the following is true in your organization? Please check all that apply.” Operations, n = 154 out of 162 total responses

[Chart] “Has your organization conducted a risk assessment for the types of digital content being sent or received via email?” Legal, n = 107 out of 108 total responses

[Chart] “Is it possible for end users to encrypt sensitive messages, or can they be automatically encrypted if a certain keyword is detected?” Operations, n = 160 out of 162 total responses

[Chart] “Can your email system automatically trigger encryption of content based upon policies for sender, recipient or specific content?” IT, n = 130 out of 132 total responses

[Chart] “Has your organization implemented policies for automatic detection and filtering of confidential or sensitive HR documents (salary information, Social Security Number, address list)?” Human Resources, n = 69 out of 70 total responses

[Chart] “Has your organization conducted and implemented a categorization of electronic information based upon security and confidentiality levels?” Operations, n = 132 out of 162 total responses

[Chart] “Is your organization filtering outgoing messages that may be going to the domains of known competitors?” Operations, n = 162 out of 162 total responses

[Chart] “Will messages containing sensitive content only be released with formal and signed consent?” Operations, n = 160 out of 162 total responses

Security Policies

KEY POINTS

• Basic security is reasonable

Our research found that the vast majority of organizations do a reasonable job of automatically updating against security threats like malware, viruses and spam, although there is always room for improvement in this regard.

• Other areas need improvement

However, policies that protect content when employees leave the company, or that protect content from unauthorized access, are not as robust. For example, nearly one-third of organizations do not have clear security policies that spell out what happens when a mobile device is lost or stolen. Training programs could also be better, given that one-third of organizations report having no program to educate users about damage to the corporate reputation if email is misused.

[Chart] “Are the applications attached to your email system automatically updated against security threats from virus, malware and unwanted content?” IT, n = 132 out of 132 total responses

[Chart] “Has your organization implemented clear policies for who can allow the audit of an employee's email?” Human Resources, n = 70 out of 70 total responses

[Chart] “In the case of employee dismissal or voluntary departure, are there policies in place to prevent unauthorized possession of personal archives?” Human Resources, n = 69 out of 70 total responses

[Chart] “Do you have clear security policies to prevent the unauthorized access to email records present on a laptop or a smartphone if the device is lost or stolen?” Human Resources, n = 68 out of 70 total responses

[Chart] “If you have clear security policies to prevent the unauthorized access to email records present on a laptop or a smartphone if the device is lost or stolen, are these policies written and monitored?” Human Resources, n = 43 out of 70 total responses

[Chart] “Have you implemented a training program to make employees aware of the reputation damage to your organization if your email system is (mis)used to send inappropriate or confidential content?” Human Resources, n = 70 out of 70 total responses

[Chart] “Do email users have the ability to self service access to manage their quarantined spam, white lists, black lists etc.?” IT, n = 132 out of 132 total responses

Archiving and Backup Policies

KEY POINTS

• More organizations need email retention policies

Our research found that nearly one-half of organizations do not have a formally documented email retention policy on which users have been trained. This is despite the fact that virtually all organizations have an obligation to retain email and other business records for long periods.

• Better processes are needed

Similarly, nearly one-half of organizations cannot guarantee that messages are retained for the length of time set in their retention policies, and more than one-third are not applying retention policies to message stores as required by company policy.

• Backup procedures are reasonably sound

Relatively speaking, however, IT backup storage procedures are being applied to reflect corporate policies in most cases.

• Users are not being managed properly

Our research also found that only about one in four organizations has implemented controls to prevent users from creating their own archives on local storage devices, resulting in potentially severe e-discovery problems if content cannot be identified and captured quickly.


“Has your organization implemented a formally documented email retention policy and have your employees been trained on it?” Operations n = 159 out of 162 total responses

“Is policy information stored in a central directory service where it is secure and backed up?” IT n = 131 out of 132 total responses


“Can you guarantee that messages are being preserved for the time set in your organization's retention policy?” IT n = 131 out of 132 total responses

“Are your message retention policies applied on your message stores as required by company policy?” IT n = 130 out of 132 total responses


“Are your IT backup storage procedures applied to reflect your organization's policies?” IT n = 131 out of 132 total responses


“Have you implemented the controls to stop users from creating their own archives on a local storage device?” IT n = 129 out of 132 total responses

“Does your storage system support an archiving solution with Write Once Read Many storage capability that is non-erasable and tamper proof?” IT n = 130 out of 132 total responses


E-Discovery and Litigation Support Policies

KEY POINTS

• More training is in order

We found that employees are formally trained to understand the legal status of email in only one-half of the organizations surveyed, even though email is now routinely used as evidence in legal actions of all types.

• E-discovery capabilities could use work

Although more than four in five organizations claim they can meet the requirements of an e-discovery request for records, significantly fewer claim that such a response can be performed rapidly and with minimal disruption.

• A disconnect between legal and IT

Interestingly, while 82% of legal respondents told us that their organization can meet e-discovery requirements for email, only 56% of IT departments told us they can produce any required email in the event of e-discovery. This clearly represents a disconnect, either in the understanding of the two functions or in the interpretation of what satisfies a full and complete response to e-discovery.

• Litigation holds need work

Only three in five legal departments told us they have the technology to implement a legal hold, putting these organizations at serious risk in legal cases of all types.

“Have your employees been formally trained to understand the legal status that an email message holds in a court of law?” Legal n = 108 out of 108 total responses


“Does your organization have the ability to meet the requirements of an e-discovery request for email records?” Legal n = 107 out of 108 total responses

“If so, can this response be performed both rapidly and with minimal disruption?” Legal n = 101 out of 108 total responses


“Have you implemented the processes to be able to produce any required email in the event of an e-discovery request?” IT n = 130 out of 132 total responses

“Can all e-discovery results be produced as if they were still in the system in native format, none of the original header information altered, and all metadata like tracking or status flags kept completely intact?” IT n = 129 out of 132 total responses


“Does your organization’s email technology and systems provide support for litigation holds?” Legal n = 105 out of 108 total responses

“Can a litigation hold be confidentially deployed, and can it include support for email, contacts, to do lists and calendar items?” Legal n = 107 out of 108 total responses


“Does your email system support the filtering and quarantine of information (sent or received) that could lead to legal disputes? Common examples include insider knowledge, sexual or racial harassment and inappropriate content in attachments.” Legal n = 105 out of 108 total responses

Disaster Recovery and Business Continuity Policies

KEY POINTS

• Disaster recovery plans are in place, but...

Four out of five operations respondents reported that there is an email-focused disaster recovery and continuity plan in place for their corporate email systems, but significantly fewer IT departments report that the required systems and procedures have been put in place to support these plans.

• Email outages can be lengthy

Our research also found that nearly one-quarter of organizations report that their disaster recovery and business continuity plans and technologies will not restore email within 24 hours, revealing a serious gap in both the plans and technology implementations within many organizations.


“Does your organization have a disaster and continuity plan for your email systems?” Operations n = 153 out of 162 total responses

“Have you implemented systems and procedures to restore your email system as documented in your organization’s disaster or business continuity plans?” IT n = 121 out of 132 total responses


“If you implemented systems and procedures to restore your email system as documented in your organization's disaster or business continuity plans, have you documented and rehearsed the procedure?” IT n = 80 out of 132 total responses

“If your organization has a business disaster and continuity plan for your email systems, will it restore service in less than 24 hours?” Operations n = 115 out of 162 total responses


Management Policies

KEY POINTS

• Automatic disclaimers are not as common as they should be

We found that only slightly more than one-half of organizations can automatically append a disclaimer on all outbound emails.

• Organizations are at risk of copyright violations

Moreover, we found that only about one-third of organizations have implemented filters to prevent copyrighted materials from being accepted into or distributed using the corporate email system. This puts organizations at serious risk of violating others’ copyrights and adds to corporate risk exposure significantly.

“Has your organization implemented an anonymous whistle-blower account for reporting suspected abuses?” Human Resources n = 70 out of 70 total responses


“Have you implemented automatic appending of email disclaimers on all outbound sent items?” Legal n = 107 out of 108 total responses

“Have your employees been formally trained to understand the consequences of misuse of the email system?” Legal n = 104 out of 108 total responses


“Has your organization implemented filters to prevent copyrighted content from being accepted into or distributed using your email system?” Legal n = 106 out of 108 total responses

Miscellaneous Issues

KEY POINTS

• Most have implemented a code of business ethics

The good news is that the vast majority of organizations have implemented a code of business ethics, thereby mitigating their risk on a number of levels. However, only about two in five organizations can enforce their code through email monitoring.

• Monitoring and management could be improved

Our research also found that most organizations have implemented redundancy, documented procedures for regular system maintenance, and monitoring for system availability. However, we believe these figures should be much closer to 100% than they are, given the mission-critical nature of email and other communication and content management systems.


“Which of the following is true in your organization today? Please check all that apply.” IT n = 123 out of 132 total responses

“Has your organization implemented a Code of Business Ethics?” Human Resources n = 65 out of 70 total responses


“If your organization has implemented a Code of Business Ethics, is it enforced through email monitoring?” Human Resources n = 47 out of 70 total responses


Sponsor of This White Paper

The right storage strategy can transform data into a strategic asset — not an IT maintenance headache. Companies are coping with an onslaught of digital information that’s growing at exponential rates. But not all data deserves the same treatment. As the deluge continues, it’s time to reduce the uncertainty and costs of data management. Intelligent Data Management (IDM) solutions from Dell can help.

Smarter Solutions: Intelligent Data Management

With the right tools, you can achieve enormous storage efficiencies. Open, capable and affordable IDM solutions from Dell can help you:

• Control expense — Enable your IT staff to implement a comprehensive data management strategy to access, prioritize, preserve and protect data at an affordable, predictable and sustainable cost.

• Create value — Transform data from an unsustainable burden into a valuable strategic asset.

• Increase efficiency — Optimize data placement across storage tiers.

• Manage data growth — Make smart decisions about where and how you store data.

• Keep data accessible — Ensure data is readily available to meet compliance and business unit requirements.

• Reduce risk — Eliminate costly data loss, deduplication errors, access problems and backup challenges.

• Protect against disaster — Create data copies that can be cost-effectively stored and quickly recovered.

• Address long-haul business requirements — Expand performance and capacity simultaneously — and without disruption — over time.

Intelligent Data Management

Dell’s new Email and File Archive solution helps customers manage the information that is the lifeblood of their organizations. Dell’s end-to-end solution capabilities can help customers address storage optimization and compliance requirements, while alleviating burdens related to design, implementation, and ongoing management through:

• Pre-configured reference architectures that ease solution design, while allowing for needed customization based on customer-specific requirements.

• All ongoing maintenance and support from a single point of contact, including hardware and software (ISVs included).

• Storage platforms that support massive scalability and ease of use, to protect customer investments and enable them to keep up with rapid data growth.

Dell’s approach maintains customer choice with backup and archiving software providers, preferred consumption model (cloud or on-premise) and the services needed to optimize their IT environment and comply with data retention requirements.

Dell, Inc.
300 Innovative Way
Suite 201
Nashua, NH 03062
+1 800 WWW DELL
www.dell.com

© 2011 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.