e-Discovery, information management and the legal aspects associated with enterprise data are hot topics for technology leaders to address with their business customers. But what information governance strategies are legally defensible? What compliance approaches work best in the long run? How can enterprises reduce risk when they save or delete data?
To answer these questions, along with several related security topics, I recently interviewed Jim McGann, who is VP of Marketing for Index Engines, a leading electronic discovery provider based in New Jersey.
Dan: Can you briefly describe your background and overall experiences dealing with e-Discovery?
Jim: In my over 20 years of specializing in information management, in which I frequently write and speak on topics that impact legal and compliance on corporate data, I have seen some paradigm changes in the way that organizations regulate and manage their data. In the last 5 years I have seen a shift in organizations to clean up the “data lake” that has been generated and to become more proactive in managing their data assets. It is important to defensibly delete data that no longer has business value and archive what is needed for legal purposes.
Within the first 15 years of my career, I worked with organizations on deploying technology aimed at generating information faster and storing large volumes. Back then, organizations could save anything and easily hide the content that could become a liability, but that won’t work these days. Lawyers and judges are more tech savvy and they won’t accept excuses about complexity and cost issues anymore.
Dan: What is Defensible Deletion and why is it important?
Jim: Defensible Deletion is a process within an overall information governance strategy that applies value-based decisions against organizations’ content. It aims to segregate the content between what is useful to the agency and what is not. This methodology guides disposal of valueless content to meet business, legal and regulatory requirements.
Dan: How does Defensible Deletion control long term risk and liabilities?
Jim: Implementing a defensible deletion strategy and methodology not only mitigates long term risks and liabilities related to enterprise data assets, but also saves time and expense in supporting ongoing litigation and discovery efforts, while reducing budget used for storing and managing content that is no longer useful. A large volume of the “unknown” data, such as files and email from employees that left the organization years ago, or aged data that is no longer managed by the user who owns it, can be easily purged with no legal or regulatory implications.
Dan: How does Defensible Deletion help with always changing regulatory and compliance policies?
Jim: Government agencies are now facing new and complex information management challenges. Not only legal issues, but also regulatory requirements such as the Federal Records Act (FRA), Federal Data Center Consolidation Initiative (FDCCI) and Freedom of Information Act (FOIA) are causing issues for every information management executive in the industry. Managing these regulations and also supporting legal requirements is complex, especially when the large bulk of data are on networks and hidden in legacy backup tape archives, which are expensive and time consuming to rummage through.
Managing data according to ever-changing regulatory and compliance polices is difficult. Enormous volumes of sensitive files and email are scattered about every organization. This data flows through massive networks and is cloistered away in proprietary repositories and archives, which makes access even more of a challenge. As a result, information management strategies are nearly impossible to design and deploy. Understanding and profiling this data is essential and will drive efficiency and management of the content.
Dan: What are the most common and high risk types of content repositories?
Jim: Breaking down the corporate content environment by repository type simplifies the plan of attack towards a defensible deletion methodology. Data repositories can be desktops, network servers, email servers and even legacy backup tapes. Managing each of these repositories presents a significant challenge, especially if you need to manage all of them at once. However, by breaking down the enterprise content environment and prioritizing by data that represents the most risk and liability to the company, the organization can create tiered classifications based on storage capacity and presumed risk. The highest risk data environments are typically email servers and legacy backup tapes. Email is the most common source of evidence produced for litigation and regulatory requests. Legacy backup tapes are a snapshot of everything, including email and files. Using this approach can make a monumental task much more manageable.
Dan: What is Data Mapping and how can governments use it for tiered storage via data classification?
Jim: Creating a data map of content will provide a greater understanding of what data exists and where it is located. A data map can provide information such as age of the data, last accessed or modified date, owner, location, email sender/receiver and even sensitive keywords. A data map will deliver the knowledge required to make “keep or delete” decisions for files and email. An actionable data map can then help you execute on these decisions and defensibly delete what is no longer required, and archive what must be kept. Data mapping can also be utilized to determine how to best store and manage data assets. For example, as a cloud on-ramping platform, a data map can help find content according to policies and migrate it to cloud storage.
Dan: What one action can CIO and CISOs take that would reduce enterprise risk in this area?
Jim: One action a CIO or CISO can take to reduce enterprise risk is to develop a plan that is achievable and measurable. The plan should have small-scale, incrementally applied projects that allow the organization to get started. The biggest risk information governance programs face is getting overwhelmed with the process and methodology. Once the organization has developed a strong understanding of what information it has and where that information is stored, it can then develop an overall information governance strategy that defines what a reasonable deletion methodology should look like.
My advice is to start small and work up to a master plan. A place to start could be with purging ex-employee data, or determining what data has not been accessed in 5 years and could be migrated to less expensive storage such as the cloud, or can eventually be purged. Getting started is the biggest challenge in a defensible deletion program, however even with a small start the organizations’ risk and expenses are positively impacted.
Dan: Thanks Jim for sharing your insights related to managing enterprise data. For more information, you can contact Jim at: email@example.com. Or, feel free to leave a question or comment below.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.
He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.
Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.
He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.
Follow Lohrmann on Twitter at: @govcso
Building effective virtual government requires new ideas, innovative thinking and hard work. From cybersecurity to cloud computing to mobile devices, Dan discusses what’s hot and what works in the world of gov tech.