Underwritten by: / Presented by:

#AIIM Information Is Your Most Important Asset. Learn the Skills to Manage It.

Developing a Successful Data Retention Policy
An AIIM Webinar Presented March 22, 2017
Today's Speakers

Craig Shogren, Manager, Information Governance, HBR Consulting
Rich Lauwers, Information Governance, HPE
Kelly Huckman, JD, Consultant, Iron Mountain
Introducing our Featured Speaker

Craig Shogren, Manager, Information Governance, HBR Consulting
"We're pretty sure we are not providing all responsive data, since we don't know what we don't know!"

"We really don't even know what we have, let alone where it is!"

"There is probably a lot of PII on our shared drives that we really need to purge. Could be devastating if we are ever breached."

"Our workforce is so mobile, we know our employees are saving stuff to unsanctioned cloud storage. This 'shadow IT' will sabotage our efforts at comprehensive disposition."

"I only have 24 hours to respond to a regulatory request, yet it will take me 4 times that amount of time to sift through all the garbage."
Why Do We Care?

§ Compliance
§ Discovery Risk and Cost
§ Privacy
§ Efficiency
§ Storage Savings
§ Customer Service
§ Knowledge Management / IP
The Path Forward Is Clear

• Define Governance Requirements
• Know Where Everything Is
• Eliminate Unnecessary Data (ROT)
• Unbury Treasures
…But Littered with Obstacles

! Organizational silos obstruct a comprehensive approach
! No internal sponsor / champion
! Lack of budget & resources
! Communication gaps between Legal, IT and the business
! "Software-as-Savior" turns into "Software-as-Shelfware"
! Don't know where the data is or what it contains
! Change management?
! Bleeding out
Define What Governs Your Information

§ Retention and disposition requirements
§ Privacy and security requirements
§ FRCP requirements (legal holds, etc.)
§ Intellectual property considerations
§ ISO standards
§ Business requirements
Foundational Components for Defensibility

§ IG/RIM Policy
  § Purpose, scope, objectives, accountabilities, responsibilities, standards and definitions
§ Records Retention Schedule
  § Updated regulatory research
  § Actionable, understandable
  § Comprehensive
  § Records, but what about everything else?
Foundational Components for Defensibility (continued)

§ Privacy
  § PII/PHI/PCI handling requirements
  § Retention limitations
  § Cross-border considerations
    § Privacy Shield
    § GDPR
Foundational Components for Defensibility (continued)

§ Information Security
  § Data Classification Standard
  § Data Mapping / Data Flows
  § Technologies
    § End-Point Detection, DLP, Access Controls, Virus Detection, Big Data Security Analytics, Containment/Isolation Tools, Security Testing, etc.
  § BYOD Policies
Foundational Components for Defensibility (continued)

§ Litigation Readiness
  § Legal Hold Policy / Procedure
  § eDiscovery Tools and Technologies
  § Litigation Profile
§ Intellectual Property
§ Training (Change Management)
  § "But, we've always done it that way!"
The Path Forward Is Clear (recap)

• Define Governance Requirements
• Know Where Everything Is
• Eliminate Unnecessary Data
• Unbury Treasure
Preliminary Steps

§ Identify and assess locations / repositories of unstructured content
  § Collaboration sites, shared drives, personal drives, document management systems, content management systems, email, physical, etc.
§ Functional requirements of the content / records management system
§ Identify a "content placement strategy"
  § Is there clarity on how the retention schedule applies to electronic data?
§ Determine the content assessment methodology
Content Assessment

§ Manual
  § User-dependent
§ Technology-enabled
  § IT tools
  § eDiscovery technology
  § File analysis software
§ What is assessed
  § Content
  § Metadata
What is File Analysis?

Two Primary Levels of Analysis
§ File System Metadata
  § Includes information about individual files
  § Examples include contextual metadata about associated servers, volumes, shares, folders, and identity-related information such as company / department / group / user permissions and ownership; as well as file-specific metadata such as file owner, last author, author, file extension / item type, and create, last modified, and last accessed dates
§ File Content
  § Includes information within individual files
  § Represents a much more granular level of detail, and consequently a larger data footprint and supporting set of infrastructure requirements
§ Repositories
  § Email, file shares, ERM/EDM/ECM systems, SharePoint, file sync-and-share sites such as Box.net or Dropbox, data archives, Business Intelligence (BI) / data warehouse environments
Representative Vendors: Primary Use Cases Supported by 2016 List Vendors

Use cases: Governance / Policy Management; Risk Mitigation; Analytics; Efficiency / Optimization

Vendors: Active Navigation, Adlib Software, Beyond Recognition, Bloomberg, Capax Discovery, Condrey, Controle, Cryptzone, DataGlobal, Druva, Egnyte, Exterro, Haystac, HPE, IBM, Index Engines, Kazoup, SailPoint, Spirion, STEALTHbits, Titus, Varonis, Veritas, ZL Technologies

Source: Gartner, Market Guide for File Analysis Software (19 September 2016). Gartner's note: Though most vendors support some elements of each use case, vendors are listed in the above diagram according to the major use case supported and what customers acquire the solution for.
Demerger Example
Thank You!

Craig Shogren, Manager, HBR Consulting
312-638-5130
Introducing our Speakers

Rich Lauwers, Information Governance Subject Matter Expert, HPE
Kelly Huckman, JD, Consultant, Iron Mountain
How Do We Better Connect Legal Regulations and Operational Requirements to Our Content?

[Figure: The first and last mile of retention]

The First Mile: Retention Considerations
• Government regulations
• Industry-specific regulations
• IT Operations
• Business Needs

Connect (first mile to last mile):
• Auto collection of laws
• Translate to retention rules
• Centralized policy
• Apply at scale
• Audit logs

The Last Mile: Policy Execution
• Email
• Cloud
• Desktop
• Physical Content
• SAP
• Structured Repositories
• Unstructured repositories
• File Shares
Why Has Connecting the First and Last Mile of Retention Been So Difficult?

• Policy is not digitally connected to content
• Appeared complex, time consuming, costly & hard to maintain
• Origins of Records Management were paper, not IT
• Demand was for commercial off-the-shelf solutions
• A lack of standards
GDPR Enacted to Help Protect EU Citizen Data from Risk
What Challenges Does GDPR Create?

§ Understand the scope of PII
§ Identify PII, determine its format, and locate it within the IT real estate
§ Isolate and classify PII
§ Appreciate the retention times for personal data and contact information
§ Obtain and retain explicit consent of data subjects (where consent, rather than another lawful basis, is relied on for the processing)
§ Limit access to PII based upon the scope of consent
§ Facilitate the "right to erasure" of personal data
Create a Data Map

• Map both PII and non-PII data sources
• Establish relationships between data sources / owners and the relevant Record Classes
• Represent processing purposes consented to by data subjects
• Identify PII locations, create an e-discovery data map, and inform a coherent e-comms policy in a single project
Digitally Connect Policy to Content

[Figure: Retention Schedule, Organization Structure, Data Maps, etc. feed Enterprise Content Management, which applies policy to: Physical Content, Unstructured repositories, SAP, Structured repositories, File Shares, Cloud]
[Figure: GDPR capability map]
• Mapping
• Report Compliance
• Get Consent
• Find / Classify / Govern
• Manage Data In Scope (Personal Data)
• Secure Personal Data
Layers: Security; Records Repository; Information Management & Governance; Data Repositories
Security elements: Data Security; Application Security; Security Intelligence (Breach Detection)
Complete GDPR Platform

[Figure: Find / Govern pipeline over the data repositories]
Data Repositories: Messaging, Email, Files, SharePoint, Applications, Data Warehouses, Document Management, Data Archive, Social Media, Web Content
Find: Read → Analyse → Classify → Action
Govern: Declare Eligible Records → Store in the Record Repository → Apply Retention Rules → Data Encryption → Compliance, Legal Hold & Audit
Methodology

• Survey and confirm
• Index metadata and content of documents
• Extract named entities (SSN, emails, phones…)
• "ROT" analysis: Redundant • Obsolete • Trivial
• "Technical" analysis (size, type, age…)
• Creation of categories based on entities, metadata and/or content
• Apply tags: Move • Secure • Archive • Review
Content Manager Component Overview

HPE CM Policy Center Connector
• Connector that extracts and ingests retention requirements into Electronic Content Manager
• Mapping of data • Classifications • Retention schedules
• Ingested Policy Center data stays in Content Manager
• Retention laws, jurisdictions and vertical industry information are mapped
• Policy Center is polled for updates • Updates are ingested and managed permanently

HPE CM Auto-Classification Module
• Trained on existing content or BCS
• Holding node prior to classification
• Automatic folder creation
• Linked security & retention

HPE Content Manager (ECM + Retention)
• Information lifecycle management
• Governance-based ECM
• Access defined by authorized seats
• Perpetual license + annual maintenance
• Content Manager is licensed perpetually • All components remain active • Annual support renewal
Take a look at what HPE has to offer: www.hpe.com/software/scm
HPE GDPR self-assessment: http://gdprcomplianceassessment.com
Thank You!

Kelly Huckman, JD, Consultant, Iron Mountain
Rich Lauwers, Information Management Subject Matter Expert, HPE
[email protected], Chicago
QUESTIONS?
You've just attended an AIIM Webinar. What now?

Take your skills to the next level by learning how to map, design, capture, and automate operational processes using a combination of strategies and technologies with AIIM's Training Courses: www.aiim.org/training
AIIM is the Community for Information Professionals

AIIM believes that information is your most important asset. Learn the skills to manage it.

Our mission is to improve organizational performance by empowering a community of leaders committed to information-driven innovation.

Learn more at www.aiim.org