1. Making the Case for Compliant and Efficient Information Management
Catherine Teti
Managing Director, Knowledge Services and
Chief Agency Privacy Officer
U.S. Government Accountability Office
Page 1
2. The Importance of Information Management
• Serving federal agency mission needs requires managing
information. This can be done in any number of ways. One
extreme is irrational, wasteful, and in violation of federal law. The
other extreme is the ideal of efficient and effective management
of information resources.
• Federal information management responsibilities are guided by a
number of laws and associated policies, standards, and
regulations.
3. Federal Laws with IM Requirements
• The Paperwork Reduction Act governs information collection
and establishes a broad set of responsibilities for the
management of information resources.
• The Privacy Act governs the use of personal information by
federal agencies.
• FISMA, the Federal Information Security Management Act,
requires agencies to protect their information and systems from
misuse.
• FOIA requires agencies to have processes to give the public
access to agency records.
• The Federal Records Act requires agencies to manage records
needed for their operations and have processes to properly
dispose of or preserve older records.
4. Federal Laws and IM Requirements
• Presentation focuses on three laws that affect federal agencies:
• Federal Records Act
• Privacy Act
• FISMA
• One law that affects public companies as a comparison:
• Sarbanes Oxley
5. Federal Agencies’ IM Compliance: Federal Records Act and NARA Regulations
• Requirements:
• All agencies create records and must manage their records in
accordance with the Federal Records Act (FRA) and must establish
a records management program in accordance with 36 CFR
Chapter XII.
• Risks of Noncompliance:
• Destroying records before the end of their agency-designated
retention period.
• SEC currently being investigated by NARA for improper
destruction of records.
• Penalties:
• Penalty for destroying records before the designated disposal date
is $2,000 fine and up to 2 years in prison.
• Mitigation:
• NARA conducts annual self-assessment surveys; results are shared
with OMB and Congress.
6. Federal Agencies’ IM Compliance: Privacy Act
• Requirements:
• Agencies must safeguard PII and restrict the uses of personally
identifiable information (PII).
• Agencies must let the public know what PII they are collecting.
• Risks of Noncompliance:
• Personal information is disclosed to unauthorized users and PII is
compromised.
• Use of PII is not limited to the original purpose for which it was collected.
• Agency is sued for handling PII in violation of the act.
• Penalties:
• Penalty for knowingly disclosing PII, maintaining a system of records
without meeting notice requirements, or knowingly obtaining PII from an
agency under false pretenses is a fine of up to $5,000.
• Mitigation:
• Review and revise system of record notices and provide training to agency
staff handling PII.
7. Federal Agencies’ IM Compliance: Federal Information Security Management Act
• Requirements:
• Creates a single comprehensive information security law for the
federal government.
• Protects information and information systems’ integrity,
confidentiality and availability.
• Risks of Noncompliance:
• Systems being vulnerable to attack.
• Sensitive data being disclosed to unauthorized users.
• Total loss of data or unauthorized destruction of data.
• Mitigation:
• OMB responsible for annual review of agency compliance.
• Agency IG conducts annual evaluations of information security
program for compliance.
8. Public Companies’ IM Compliance: Sarbanes-Oxley Act
• Requirements:
• Controls for public companies’ financial records.
• Requires executive sign off and approval of financial records.
• Risks of Noncompliance:
• Unable to provide current and accurate financial reports to the
public.
• Penalties:
• Section 802 describes penalties for altering financial records: fines
and imprisonment up to 20 years for knowing and willful destruction
of records.
• Mitigation:
• Signing officers are responsible for internal controls and evaluating
internal controls.
9. All Organizations: E-Discovery
• All agencies are subject to responding to e-discovery requests.
• Formalized in the amended Federal Rules of Civil Procedure in
2006.
• All Electronically Stored Information (ESI) stipulated in a
subpoena must be preserved as part of a legal hold.
• Organizations must be able to preserve and produce all ESI
relevant to a discovery order.
• Costs for e-discovery are continuing to skyrocket for
organizations without proper information management.
• Organizations’ inability to search for and locate relevant
information is causing significant risk.
10. E-Discovery and Federal Agencies
• Fannie Mae Securities Litigation
• January 2009: Office of Federal Housing Enterprise Oversight
(OFHEO) held in contempt of court for failing to respond
adequately and in a timely fashion to a third-party subpoena.
• Defendants sent OFHEO over 400 search terms which
resulted in hits for 660,000 documents — 80% of OFHEO’s
total email.
• Ultimately cost over $6 million, or 9 percent of OFHEO’s
annual budget, to settle the case.
11. E-Discovery and Federal Agencies
• Aguilar v. Immigration and Customs Enforcement (ICE) Division
of the United States Department of Homeland Security
• Court ordered ICE to produce metadata for emails, Word,
PowerPoint and Excel files.
• Certified the necessity of preserving metadata on the part of
any entity who could become subject to subpoena or
litigation.
• Required that any party seeking to file a discovery request
make specific their demands for metadata at the earliest
possible moment.
12. What should an organization do with these requirements?
• The big question for agencies is how to ensure they comply with
all these requirements.
• Good information management can help agencies comply in a
coordinated manner.
• The challenge of IM is realigning and re-engineering stove-piped
management processes to create integrated and coordinated
approaches to managing information across the information life
cycle.
13. GAO’s Approach to Information Management
• Almost all of GAO’s audit documentation is created electronically
• Business requirements orientation:
• “Cradle to grave” content management
• IM embedded into GAO business processes
• Cross-organizational collaboration
• Users as stakeholders buy into the process
• Industry standards and business policies integrated with IM
• Generally Accepted Government Auditing Standards
(GAGAS) and GAO Policy Manual
14. GAO’s Key Requirements for Effective IM
• Business Purpose
• Align management with GAO business processes to meet mission
objectives
• Organizational Commitment
• Ensure executive sponsorship and stakeholder buy-in
• Governance
• Clearly define policy and requirements
• Recognize constraints and limitations
• Strive for user engagement and senior executive sponsorship
• Oversight
• Performance measures and accountability
15. An Effective IM Program
• An effective IM program allows GAO to:
• Retrieve: Easily retrieve relevant information in a timely
fashion.
• Access: Provide access to information to the right people
when it is needed.
• Audit: Identify anomalies and ensure compliance with
all applicable rules and regulations (FRA, FISMA, etc.).
• Dispose: Ability to dispose of information in the normal
course of business when it is no longer needed in accordance
with GAO’s retention and disposition policy.
16. GAO’s IM Policies
• It is mandatory that all audit documentation is stored in GAO’s
electronic records management system (ERMS).
• IM policies incorporate GAGAS and GAO Policy Manual and
work in conjunction with the agency’s Quality and Continuous
Improvement Office.
• All audit case files must contain a mandatory folder structure—an
EMPF folder and evidentiary folder.
• All data sets stored outside of ERMS must be managed in
accordance with GAO’s retention policies, just like records stored
within ERMS.
17. GAO’s Electronic Records Management System
• Mandatory use for all audit work
• Manages all audit documentation created and received in the
agency
• Comprised of three retention policy profiles
• Tied to the records retention schedule
• Profile metadata enhances searching for records
• Allows for the management of physical records as well as large
data sets that cannot be stored within the system
• Requires that all business-related emails be retained in ERMS
• Facilitates good record-keeping on the part of GAO employees,
thereby minimizing agency risk and exposure
18. GAO’s Disposition Strategy
• GAO’s records disposition schedule applies to records regardless
of format or media.
• In 2012, GAO will have its first disposition of electronic audit
documentation.
• Mandatory use of ERMS began in 2007.
• Disposition strategy is comprehensive for all records types
(paper, electronic, data sets, and other “stuff”) so it is applied
uniformly across all media and formats.
• Ensures that GAO complies with all requirements, mitigates risk
and exposure, saves storage space, is cost-effective, and allows
for easier search and retrieval of remaining records.
19. New Technology and Tools
• Collaboration
• Wikis and blogs
• IM/Twitter
• Networking
• YouTube
• Podcasts
• Facebook/LinkedIn
• All records are managed according to GAO IM policies.
20. GAO Reports on IM
• GAO-10-838T: Information Management: The Challenges of
Managing Electronic Records
• GAO-11-15: NARA: Oversight and Management Improvements
Initiated, but More Action Needed
• GAO-11-605: Social Media: Federal Agencies Need Policies and
Procedures for Managing and Protecting Information They
Access and Disseminate
• GAO-08-536: Privacy: Alternatives Exist for Enhancing Protection
of Personally Identifiable Information
• GAO-10-537T: Freedom of Information Act: Requirements and
Implementation Continue to Evolve
21. In Conclusion – Key Points
• Information Management is key to complying with a number of
federal laws and regulations, as well as an organization’s ability
to proactively manage and respond to litigation holds and
e-discovery requests
• GAO cannot support its mission without effective IM
• IM requires different information disciplines to work together for
an integrated approach:
• Records Management
• Information Security
• Information Technology
• Legal
• Privacy