Safeguarding Critical E–Documents: Implementing a Program for Securing Confidential Information Assets

Praise for Safeguarding Critical E-Documents "This book is a great read for anyone in an organization who thinks of information as a strategic asset and needs to protect it. A clear, concise, and comprehensive view of a highly complex problem." Jeetu Patel , Chief Strategy Officer and Chief Marketing Officer, Information Intelligence Group, EMC Corporation "In today's highly competitive business environment, corporate- and state-sponsored espionage is a reality—yet many organizations fail to properly manage, govern, and secure their information assets. This book enables executives and managers at all levels to understand the various threats to their information assets. It provides a clear road map for policy and technology solutions as effective countermeasures." Craig Rhinehart , Director, ECM Strategy, IBM Software Solutions Group "Fantastically thorough and practical. This book provides a compelling and comprehensive blueprint to getting the security of electronic information done right, and for the right reasons . A worthwhile read for anyone with a stake in governing information." Julie J. Colgan , CRM, Director, Information Governance, Merrill Corporation "With reports that corporate espionage is on the rise and growing daily, this book is a must-read for professionals concerned with protecting their confidential information assets." Bud Porter-Roth , Principal, Porter-Roth Associates "There is no better or more timely book about information governance on theshelves today. Robert has penned a readable, actionable—and get this— enjoyable must-read book for information age executives." Thornton May , Futurist and Author of The New Know: Innovation Powered by Analytics

Foreword xiii Preface xv Acknowledgments xvii PART I THE PROBLEM AND BASIC TOOLS CHAPTER 1 The Problem: Securing Confidential Electronic Documents 3 WikiLeaks: A Wake–Up Call 3 U.S. Government Attempts to Protect Intellectual Property 5 Threats Persist across the Pond: U.K. Companies on Guard 5 Increase in Corporate and Industrial Espionage 6 Risks of Medical Identity Theft 7 Why Don’t Organizations Safeguard Their Information Assets? 8 The Blame Game: Where Does Fault Lie When Information Is Leaked? 9 Consequences of Not Employing E–Document Security 10 Notes 11 CHAPTER 2 Information Governance: The Crucial First Step 13 First, Better Policies; Then, Better Technology for Better Enforcement 13 Defining Information Governance 14 Accountability Is Key 16 Why IG Is Good Business 17 Impact of a Successful IG Program 18 Critical Factors in an IG Program 19 Who Should Determine IG Policies? 22 Notes 23 PART II INFORMATION PLATFORM RISKS AND COUNTERMEASURES CHAPTER 3 Managing E–Documents and Records 27 Enterprise Content Management 27 Document Management Principles 28 The Goal: Document Lifecycle Security 29 Electronic Document Management Systems 29 Records Management Principles 31 Electronic Records Management 31 Notes 33 CHAPTER 4 Information Governance and Security for E–mail Messages 35 Employees Regularly Expose Organizations to E–mail Risk 36 E–mail Policies Should Be Realistic and Technology Agnostic 37 Is E–mail Encryption the Answer? 38 Common E–mail Security Mistakes 39 E–mail Security Myths 40 E–record Retention: Fundamentally a Legal Issue 41 Preserve E–mail Integrity and Admissibility with Automatic Archiving 42 Notes 46 CHAPTER 5 Information Governance and Security for Instant Messaging 49 Instant Messaging Security Threats 50 Best Practices for Business IM Use 51 Technology to Monitor IM 53 Tips for Safer IM 53 Notes 55 CHAPTER 6 Information Governance and Security for Social Media 57 Types of Social Media in Web 2.0 57 Social Media in the Enterprise 59 Key Ways Social Media Is Different from E–mail and Instant Messaging 60 Biggest Security Threats of Social Media 60 Legal Risks of Social Media Posts 63 Tools to Archive Facebook and Twitter 64 IG Considerations for Social Media 65 Notes 66 CHAPTER 7 Information Governance and Security for Mobile Devices 69 Current Trends in Mobile Computing 71 Security Risks of Mobile Computing 72 Securing Mobile Data 73 IG for Mobile Computing 73 Building Security into Mobile Applications 75 Best Practices to Secure Mobile Applications 78 Notes 80 CHAPTER 8 Information Governance and Security for Cloud Computing Use 83 Defining Cloud Computing 84 Key Characteristics of Cloud Computing 85 What Cloud Computing Really Means 86 Cloud Deployment Models 87 Greatest Security Threats to Cloud Computing 87 IG Guidelines: Managing Documents and Records in the Cloud 94 Managing E–Docs and Records in the Cloud: A Practical Approach 95 Notes 97 PART III E–RECORDS CONSIDERATIONS CHAPTER 9 Information Governance and Security for Vital Records 101 Defining Vital Records 101 Types of Vital Records 103 Impact of Losing Vital Records 104 Creating, Implementing, and Maintaining a Vital Records Program 105 Implementing Protective Procedures 108 Auditing the Vital Records Program 111 Notes 113 CHAPTER 10 Long–Term Preservation of E–Records 115 Defining Long–Term Digital Preservation 115 Key Factors in LTDP 116 Electronic Records Preservation Processes 118 Controlling the Process of Preserving Records 118 Notes 121 PART IV INFORMATION TECHNOLOGY CONSIDERATIONS CHAPTER 11 Technologies That Can Help Secure E–Documents 125 Challenge of Securing E–Documents 125 Apply Better Technology for Better Enforcement in the Extended Enterprise 128 Controlling Access to Documents Using Identity Access Management 131 Enforcing IG: Protect Files with Rules and Permissions 133 Data Governance Software to Manage Information Access 133 E–mail Encryption 134 Secure Communications Using Record–Free E–mail 134 Digital Signatures 135 Document Encryption 137 Data Loss Prevention Technology 137 The Missing Piece: Information Rights Management 139 Notes 144 CHAPTER 12 Safeguarding Confidential Information Assets 147 Cyber Attacks Proliferate 147 The Insider Threat: Malicious or Not 148 Critical Technologies for Securing Confidential Documents 150 A Hybrid Approach: Combining DLP and IRM Technologies 154 Securing Trade Secrets after Layoffs and Terminations 155 Persistently Protecting Blueprints and CAD Documents 156 Securing Internal Price Lists 157 Approaches for Securing Data Once It Leaves the Organization 157 Document Labeling 159 Document Analytics 161 Confidential Stream Messaging 161 Notes 164 PART V ROLLING IT OUT: PROJECT AND PROGRAM ISSUES CHAPTER 13 Building the Business Case to Justify the Program 169 Determine What Will Fly in Your Organization 169 Strategic Business Drivers for Project Justification 170 Benefits of Electronic Records Management 173 Presenting the Business Case 176 Notes 177 CHAPTER 14 Securing Executive Sponsorship 179 Executive Sponsor Role 180 Project Manager: Key Tasks 181 It’s the Little Things 183 Evolving Role of the Executive Sponsor 183 Notes 185 CHAPTER 15 Safeguarding Confidential Information Assets: Where Do You Start? 187 Business Driver Approach 187 Classification 188 Document Survey Methodology 189 Interviewing Staff in the Target Area 190 Preparing Interview Questions 192 Prioritizing: Document and Records Value Assessment 193 Second Phase of Implementation 194 Notes 195 CHAPTER 16 Procurement: The Buying Process 197 Evaluation and Selection Process: RFI, RFP, or RFQ? 197 Evaluating Software Providers: Key Criteria 202 Negotiating Contracts: Ensuring the Decision 207 More Contract Caveats 210 How to Pick a Consulting Firm: Evaluation Criteria 211 CHAPTER 17 Maintaining a Secure Environment for Information Assets 215 Monitoring and Accountability 215 Continuous Process Improvement 216 Why Continuous Improvement Is Needed 216 Notes 218 Conclusion 219 Appendix A: Digital Signature Standard 221 Appendix B: Regulations Related to Records Management 223 Appendix C: Listing of Technology and Service Providers 227 Glossary 241 About the Author 247 Index 249

ROBERT F. SMALLWOOD is a Partner and Executive Director of the E-Records Institute at IMERGE Consulting. One of the world's most respected authorities on e-records and document management, he has published more research reports on e-records, e-documents, and e-mail security issues over the past five years than any other person or organization. His research and consulting clients include Johnson & Johnson, IBM, Apple, MillerCoors, Ricoh Americas Corporation, South Carolina Retirement Systems, Dallas Independent School District, U.S. FDA, National Archives and Records Administration, Transportation Safety Board of Canada, Canadian Parliament, Supreme Court of Canada, Canada Mortgage and Housing Corporation, and National Archives of Australia, among others.