2 Discussion and Homework
CHAPTER 12 INFORMATION GOVERNANCE
Information Governance for E-Mail & Instant Messaging. ITS 833
Dr. Mia Simmons
Chapter Overview
■ This chapter will cover pages 241-251 in
your book.
■ This chapter discusses how E-mail and
Instant Messaging play a unique role with
Information Governance.
■ E-mail is the most common business software application and the
backbone of business communications today, and e-mail is the
leading piece of evidence requested during the discovery phase
of civil trials, so it is critically important to implement IG
measures for e-mail communications.
■ E-mail contains records, such as financial spreadsheets and
reports, product price lists, marketing plans, competitive
analyses, safety data, recruitment and salary details,
progressing contract negotiations, and other information that
may be considered as constituting a business record.
Employees Regularly Expose Organizations to E-Mail Risk
■ The e-mail survey also found an overall lack of clear e-mail policies and weak communication of
existing guidelines. This points to a lack of IG.
■ This means that security, privacy, and records management issues must be addressed by first creating IG policies to control and manage the
use of e-mail.
■ The top two frustrations users had with work e-mail were restrictions on mailbox size, which has a negative impact on e-mail
management, and the inability to send large attachments.
■ The inability to send large attachments forces workers to use a personal account to send and receive
necessary files.
E-Mail Polices Should Be Realistic and Technology Agnostic
■ New IG guidelines and policies need to refer to technology in a generic
sense—a “technology-neutral” sense—rather than specifying proprietary
software programs or features.
■ An example of a technology-agnostic policy directive:
– All confidential information must be encrypted before being
transmitted over the Internet.
■ Policy is neutral enough to cover not only e-mail and instant messaging
(IM) but also social media, cloud computing, mobile computing, and other
means of communication.
■ Policy also does not specify the method or brand of the encryption
technology, so the organization can select the best method and
technology available in the future without adapting the policy.
E-Record Retention: Fundamentally a Legal Issue
■ Managing e-records is primarily a legal issue, especially for public and
heavily regulated companies.
■ E-mail and e-record retention is “fundamentally a legal issue,”
particularly for public or highly regulated companies.
■ It is essential for the organization’s legal department to take the lead in
determining precisely which types of e-mail messages will be preserved,
exactly how and where data will be stored, and specifically when—if ever—
electronically stored information (ESI) will be deleted.
Preserve E-Mail Integrity and Admissibility with Automatic Archiving
■ To offset this risk and ensure that spoliation (i.e., the loss of proven
authenticity of an e-mail) does not occur, all messages, both inbound
and outbound, should be captured and archived automatically and in
real time.
■ E-Mail Archiving Rationale: Compliance, Legal, and Business Reasons
– Legal opponent may be driven to settle a weak claim when
confronted with indisputable e-mail evidence, and, in fact, “email
often produces supportive evidence that may help ‘save the day’ by
providing valuable legal proof” of innocence
■ Don’t Confuse E-Mail Archiving with Backup
– There is a big difference between traditional system backups and
specialized e-mail archiving software.
– Fully one-third of IT managers state they would have difficulty
producing an e-mail that is more than one year old.
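The slide above says archiving must be automatic, cover both inbound and outbound mail, and happen in real time so that the authenticity of a message can later be proven. The following is an added example, not code from the book or the course, of what "proven authenticity" can mean in practice: each captured message is stored with a SHA-256 digest of its raw bytes and a hash chain linking it to the previous archive entry, so a later alteration of a stored message or of its capture metadata is detected at verification time. The archive class, the two sample messages and the tamper scenarios are all constructed for this illustration.

```python
"""Tamper-evident, real-time capture of inbound and outbound e-mail (added example)."""
import hashlib
import json
from datetime import datetime, timezone
from email import message_from_bytes


class EmailArchive:
    """Append-only archive: content digest per message plus a hash chain over entries."""

    def __init__(self):
        self.entries = []            # capture metadata, one dict per message
        self.raw = {}                # entry index -> raw message bytes as captured
        self._last_chain = "0" * 64  # chain anchor for the first entry

    def capture(self, raw_bytes: bytes, direction: str, captured_at: datetime) -> dict:
        """Record one message at the moment it crosses the mail gateway."""
        if direction not in ("inbound", "outbound"):
            raise ValueError("direction must be 'inbound' or 'outbound'")
        msg = message_from_bytes(raw_bytes)
        entry = {
            "index": len(self.entries),
            "direction": direction,
            "captured_at": captured_at.isoformat(),
            "message_id": msg.get("Message-ID", ""),
            "from": msg.get("From", ""),
            "to": msg.get("To", ""),
            "sha256": hashlib.sha256(raw_bytes).hexdigest(),
        }
        # Chain value = SHA-256(previous chain value || canonical JSON of this entry).
        canonical = json.dumps(entry, sort_keys=True).encode()
        entry["chain"] = hashlib.sha256(self._last_chain.encode() + canonical).hexdigest()
        self._last_chain = entry["chain"]
        self.entries.append(entry)
        self.raw[entry["index"]] = raw_bytes
        return entry

    def verify(self) -> list:
        """Return a list of problems; an empty list means content and metadata are intact."""
        problems = []
        prev = "0" * 64
        for entry in self.entries:
            raw = self.raw.get(entry["index"])
            if raw is None:
                problems.append(f"entry {entry['index']}: raw message missing")
            elif hashlib.sha256(raw).hexdigest() != entry["sha256"]:
                problems.append(f"entry {entry['index']}: content digest mismatch")
            body = {k: v for k, v in entry.items() if k != "chain"}
            canonical = json.dumps(body, sort_keys=True).encode()
            if hashlib.sha256(prev.encode() + canonical).hexdigest() != entry["chain"]:
                problems.append(f"entry {entry['index']}: chain hash mismatch")
            prev = entry["chain"]
        return problems


# Constructed sample messages (not real correspondence).
SAMPLE_OUTBOUND = (
    b"From: alice@example.com\r\nTo: vendor@example.net\r\n"
    b"Message-ID: <outbound-1@example.com>\r\nSubject: Price list Q3\r\n\r\n"
    b"Attached is the agreed price list.\r\n"
)
SAMPLE_INBOUND = (
    b"From: vendor@example.net\r\nTo: alice@example.com\r\n"
    b"Message-ID: <inbound-1@example.net>\r\nSubject: Re: Price list Q3\r\n\r\n"
    b"Received, thank you.\r\n"
)


def build_demo_archive() -> EmailArchive:
    """Capture one outbound and one inbound message, as the gateway would in real time."""
    archive = EmailArchive()
    now = datetime(2024, 6, 30, 9, 0, tzinfo=timezone.utc)
    archive.capture(SAMPLE_OUTBOUND, "outbound", now)
    archive.capture(SAMPLE_INBOUND, "inbound", now)
    return archive


def content_tamper_demo() -> list:
    """Alter the stored body of the first message after capture and re-verify."""
    archive = build_demo_archive()
    archive.raw[0] = archive.raw[0].replace(b"agreed", b"disputed")
    return archive.verify()


def metadata_tamper_demo() -> list:
    """Alter capture metadata (direction) of the second entry and re-verify."""
    archive = build_demo_archive()
    archive.entries[1]["direction"] = "outbound"
    return archive.verify()


if __name__ == "__main__":
    print("intact archive:", build_demo_archive().verify())
    print("content tamper:", content_tamper_demo())
    print("metadata tamper:", metadata_tamper_demo())
```

Note that the chain detects alteration of stored entries but not silent deletion of the most recent entry; a production archive would periodically anchor the latest chain value somewhere the archive operator cannot rewrite (a write-once store or a signed log), which is the part of "admissibility" the code alone does not provide.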
Preserve E-Mail Integrity and Admissibility with Automatic Archiving
■ No Personal Archiving in the Workplace
– Self-managed email can result in the deletion of electronic records, alteration of email evidence, time-consuming searches for back-up tapes, and failure to comply with legal discovery demands
■ Are All E-Mails Records?
– A record documents a transaction or business-related event that may have legal ramifications or historic value.
– Three guidelines for determining whether an e-mail message should be considered a business record:
1. The e-mail documents a transaction or the progress toward an ultimate transaction where anything of value is exchanged between two or more parties
2. The e-mail documents or provides support of a business activity occurring that pertains to internal corporate governance policies or compliance to externally mandated regulations
3. The e-mail message documents other business activities that may possibly be disputed in the future, whether it ultimately involves litigation or not
Preserve E-Mail Integrity and Admissibility with Automatic Archiving
■ Destructive Retention of E-Mail
– Destructive retention is an approach to e-mail archiving where e-mail
messages are retained for a limited period, followed by the permanent
manual or automatic deletion of those messages from the company’s
network, so long as there is neither a litigation hold on them nor a
declaration of the e-mail as a record in accordance with IG and
records management policies.
Instant Messaging
The first basic IM systems, which came into use in the
mid-1960s, had real-time text capabilities for routing
messages to users logged on to the same mainframe
computer.
The problem with IM is that many organizations are blind to
the fact that their employees are going to use it one way or another, sometimes for short
personal conversations outside the organization.
Best Practices for Business IM Use
■ A methodology for forming IM-specific IG policies and implementing more secure use of IM must begin
with surveying and documenting the proliferation of IM use in the organization.
■ Quest Software determined that a successful IM policy will:
– Clearly and explicitly explain the organization’s instant messaging objectives.
– Define expectations of privacy. Users should be made aware that the organization has the
right to monitor and log all IM sessions for corporate compliance, safety, and security reasons.
– Detail acceptable and unacceptable uses. An exhaustive list of permitted and forbidden
activities may not be necessary, but specific examples are helpful in establishing a framework
of IM behaviors for users.
– Detail content and contact restrictions (if any). Most organizations will want to limit the
amount of idle IM chat that may occur with family, friends, and other nonbusiness-related
contacts.
– Define consequences for violations of the policy. Users should be advised of the
consequences of policy violations.
Tips for Safer IM
■ Just as e-mail attachments and embedded links are suspect and can contain malicious executable files, beware of IM attachments too.
■ Do not divulge any more personal information than is necessary.
■ Keep IM screen names private; treat them as another information asset that needs to be protected to reduce unwanted IM requests, phishing, or spam (actually “spim,” in IM parlance).
■ Prohibit transmission of confidential corporate information.
■ Restrict IM contacts to known business colleagues. If personal contacts are allowed for emergencies, limit personal use for everyday communication.
■ Use caution when displaying default messages when you are unavailable or away.
■ Ensure that IM policies are being enforced by utilizing IM monitoring and filtering tools and by archiving messages in real time for a future verifiable record, should it be needed.
■ Conduct an IM usage policy review at least annually; more often in the early stages of policy development.
Chapter Summary
■ E-mail is a critical area for IG implementation, as it is a ubiquitous business
communication tool and the leading piece of evidence requested at civil trials.
■ Nearly 80 percent of all employees send work e-mail messages to and from their personal e-mail accounts, which exposes critical information assets to uncontrolled security risks.
■ Meeting e-mail retention and archival requirements becomes an impossible task when e-mail messages are routed in a haphazard manner via personal accounts.
■ In developing e-mail policies, an important step is consulting with stakeholders.
■ E-mail policies must not be too restrictive or tied to a specific technology. They should be flexible enough to accommodate changes in technology and should be reviewed and updated regularly.
■ Not all e-mail messages constitute a business record.
■ Not all e-mail rises to the level of admissible legal evidence. Certain conditions must be met.
■ Automatic archiving protects the integrity of e-mail for legal purposes.
Information Governance
Chapter 12
Complete Week 11 Objectives