Making the Case for Compliant
  and Efficient Information
        Management

              Catherine Teti
Managing Director, Knowledge Services and
       Chief Agency Privacy Officer
  U.S. Government Accountability Office


                                        Page 1
The Importance of Information Management

• Serving federal agency mission needs requires managing
  information. This can be done in any number of ways. One
  extreme is irrational, wasteful, and in violation of federal law. The
  other extreme is the ideal of efficient and effective management
  of information resources.
• Federal information management responsibilities are guided by a
  number of laws and associated policies, standards, and
  regulations.




                                                                   Page 2
Federal Laws with IM Requirements

• The Paperwork Reduction Act governs information collection
  and establishes a broad set of responsibilities for the
  management of information resources.
• The Privacy Act governs the use of personal information by
  federal agencies.
• FISMA, the Federal Information Security Management Act,
  requires agencies to protect their information and systems from
  misuse.
• FOIA requires agencies to have processes to give the public
  access to agency records.
• The Federal Records Act requires agencies to manage records
  needed for their operations and have processes to properly
  dispose or save older records.

                                                              Page 3
Federal Laws and IM Requirements

• Presentation focuses on three laws that affect federal agencies:
   • Federal Records Act
   • Privacy Act
   • FISMA

   • One law that affects public companies as a comparison:
      • Sarbanes-Oxley




                                                                Page 4
Federal Agencies’ IM Compliance:
Federal Records Act and NARA Regulations
• Requirements:
   • All agencies create records and must manage their records in
      accordance with the Federal Records Act (FRA) and must establish
      a records management program in accordance with 36 CFR
      Chapter XII.
• Risks of Noncompliance:
   • Destroying records before the end of their agency-designated
      retention period.
       • SEC currently being investigated by NARA for improper
          destruction of records.
• Penalties:
   • Willful destruction of records before their designated disposal date
      is a crime under 18 U.S.C. § 2071, punishable by a fine and up to
      three years in prison.
• Mitigation:
   • NARA conducts annual self assessment surveys; results are shared
      with OMB and Congress.

                                                                   Page 5
Federal Agencies’ IM Compliance:
Privacy Act
• Requirements:
   • Agencies must safeguard personally identifiable information (PII)
      and restrict how it is used.
   • Agencies must let the public know what PII they are collecting.
• Risks of Noncompliance
   • Personal information is disclosed to unauthorized users and PII is
      compromised.
   • Use of PII is not limited to the original purpose for which it was collected.
   • Agency is sued for handling PII in violation of the act.
• Penalties
   • Penalty for knowingly disclosing PII, maintaining a system of records
      without meeting notice requirements, or knowingly obtaining PII from an
      agency under false pretenses is a fine of up to $5000.
• Mitigation
   • Review and revise system of record notices and provide training to agency
      staff handling PII.

                                                                              Page 6
Federal Agencies’ IM Compliance:
Federal Information Security Management Act
• Requirements:
   • Creates a single comprehensive information security law for the
      federal government.
   • Protects information and information systems’ integrity,
      confidentiality and availability.
• Risks of Noncompliance:
   • Systems being vulnerable to attack.
   • Sensitive data being disclosed to unauthorized users.
   • Total loss of data or unauthorized destruction of data.
• Mitigation:
   • OMB responsible for annual review of agency compliance.
   • Agency IG conducts annual evaluations of information security
      program for compliance.
                                                                       Page 7
Public Companies’ IM Compliance:
Sarbanes-Oxley Act
• Requirements:
   • Controls for public companies’ financial records.
   • Requires executive sign off and approval of financial records.
• Risks of Non-Compliance:
   • Unable to provide current and accurate financial reports to the
      public.
• Penalties:
   • Section 802 describes penalties for altering financial records; Fines
      and imprisonment up to 20 years for knowing and willful destruction
      of records.
• Mitigation:
   • Signing officers are responsible for internal controls and evaluating
      internal controls.

                                                                      Page 8
All Organizations: E-Discovery

• All organizations, federal agencies included, must be able to respond
  to e-discovery requests.
• Formalized in the amended Federal Rules of Civil Procedure in 2006.
• All electronically stored information (ESI) covered by a subpoena or
  discovery order must be preserved under a legal hold.
• Organizations must be able to preserve and produce all ESI
  relevant to a discovery order.
• Costs for e-discovery are continuing to skyrocket for
  organizations without proper information management.
• Organizations’ inability to search for and locate relevant
  information is causing significant risk.


                                                              Page 9
E-Discovery and Federal Agencies

• Fannie Mae Securities Litigation
   • January 2009: Office of Federal Housing Enterprise Oversight
     (OFHEO) held in contempt of court for failing to respond
     adequately and in a timely fashion to a third-party subpoena.
   • Defendants sent OFHEO over 400 search terms which
     resulted in hits for 660,000 documents — 80% of OFHEO’s
     total email.
   • Ultimately cost over $6 million or 9 percent of OFHEO’s
     annual budget to settle case.




                                                             Page 10
E-Discovery and Federal Agencies

• Aguilar v. Immigration and Customs Enforcement (ICE) Division
  of the United States Department of Homeland Security
   • Court ordered ICE to produce metadata for emails, Word,
      PowerPoint and Excel files.
   • Confirmed that any entity that could become subject to a subpoena
      or litigation must preserve metadata.
   • Required a party requesting discovery to state its demands for
      metadata as early as possible.




                                                               Page 11
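The Aguilar ruling above turns on whether an agency can still produce a file's metadata after it has been collected. As an added illustration, not code from this deck or from GAO, the following Python routine snapshots each file's size, modification time and SHA-256 before copying, copies with shutil.copy2 so the timestamps carry over, and then verifies the copy against the snapshot. The manifest fields and the sample file are constructed; a production collection would record more (ownership, creation time where the platform exposes it, custodian, collector) and keep a chain-of-custody log.

```python
"""Collect a file for a legal hold while preserving its metadata.

Added example, not part of the GAO deck and not any court-prescribed
procedure. It assumes a plain filesystem collection and records a
constructed, minimal manifest (path, size, mtime, SHA-256); a real
collection would capture more fields and a chain-of-custody log.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Manifest:
    path: str
    size: int
    mtime_ns: int   # last-modified time in nanoseconds, as reported by the filesystem
    sha256: str


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def record(path: str) -> Manifest:
    """Snapshot the metadata and content hash of one file."""
    st = os.stat(path)
    return Manifest(path, st.st_size, st.st_mtime_ns, sha256_file(path))


def collect(src: str, dst_dir: str) -> tuple[Manifest, Manifest]:
    """Copy src into dst_dir with shutil.copy2, which carries the source
    timestamps over, and return (source manifest, copy manifest)."""
    before = record(src)
    dst = os.path.join(dst_dir, os.path.basename(src))
    shutil.copy2(src, dst)
    return before, record(dst)


def verify(before: Manifest, after: Manifest) -> bool:
    """A copy is acceptable only if content, size and mtime all survived."""
    return (before.sha256 == after.sha256
            and before.size == after.size
            and before.mtime_ns == after.mtime_ns)


def demo() -> bool:
    """Constructed scenario: a metadata-preserving copy passes verification,
    a plain content-only copy of the same file does not."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "memo.txt")
        with open(src, "w") as f:
            f.write("constructed sample email export\n")
        backdated = 1_300_000_000            # arbitrary constructed timestamp (2011)
        os.utime(src, (backdated, backdated))
        out = os.path.join(work, "collected")
        os.makedirs(out)
        before, after = collect(src, out)
        naive = os.path.join(work, "naive.txt")
        shutil.copyfile(src, naive)         # content only; mtime becomes "now"
        return verify(before, after) and not verify(before, record(naive))
```

The second copy in demo() is the failure mode the court was concerned with: the content hash still matches, so a hash-only check would pass it, but the modification time has been replaced by the time of collection and the original metadata is gone.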
What should an organization do with these
requirements?
• The big question for agencies is how to ensure they comply with
  all these requirements.
• Good information management can help agencies comply in a
  coordinated manner.
• The challenge of IM is realigning and re-engineering stove-piped
  management processes to create integrated and coordinated
  approaches to managing information across the information life
  cycle.




                                                              Page 12
GAO’s Approach to Information Management

• Almost all of GAO’s audit documentation is created electronically
• Business requirements orientation:
   • “Cradle to grave” content management
   • IM embedded into GAO business processes
   • Cross-organizational collaboration
   • Users as stakeholders buy into the process
   • Industry standards and business policies integrated with IM
      • Generally Accepted Government Auditing Standards
        (GAGAS) and GAO Policy Manual



                                                               Page 13
GAO’s Key Requirements for Effective IM

• Business Purpose
   • Align management with GAO business processes to meet mission
     objectives
• Organizational Commitment
   • Ensure executive sponsorship and stakeholder buy-in
• Governance
   • Clearly define policy and requirements
   • Recognize constraints and limitations
   • Strive for user engagement and senior executive sponsorship
• Oversight
   • Performance measures and accountability


                                                              Page 14
An Effective IM Program

• An effective IM program allows GAO to:
   • Retrieve: Easily retrieve relevant information in a timely
     fashion.
   • Access: Provide access to information to the right people
     when it is needed.
   • Audit: Able to identify anomalies and ensure compliance with
     all applicable rules and regulations (FRA, FISMA, etc.).
   • Dispose: Ability to dispose of information in the normal
     course of business when it is no longer needed in accordance
     with GAO’s retention and disposition policy.



                                                            Page 15
GAO’s IM Policies

• It is mandatory that all audit documentation is stored in GAO’s
  electronic records management system (ERMS).
• IM policies incorporate GAGAS and GAO Policy Manual and
  work in conjunction with the agency’s Quality and Continuous
  Improvement Office.
• All audit case files must contain a mandatory folder structure—an
  EMPF folder and evidentiary folder.
• All data sets stored outside of ERMS must be managed in
  accordance with GAO’s retention policies, just like records stored
  within ERMS.



                                                               Page 16
GAO’s Electronic Records Management System

• Mandatory use for all audit work
• Manages all audit documentation created and received in the
  agency
• Consists of three retention policy profiles
    • Tied to the records retention schedule
• Profile metadata enhances searching for records
• Allows for the management of physical records as well as large
  data sets that cannot be stored within the system
• Requires that all business-related emails be retained in ERMS
• Facilitates good record-keeping on the part of GAO employees,
  thereby minimizing agency risk and exposure


                                                             Page 17
GAO’s Disposition Strategy

• GAO’s records disposition schedule applies to records regardless
  of format or media.
• In 2012, GAO will have its first disposition of electronic audit
  documentation.
    • Mandatory use of ERMS began in 2007.
• Disposition strategy is comprehensive for all records types
  (paper, electronic, data sets, and other “stuff”) so it is applied
  uniformly across all media and formats.
• Ensures that GAO complies with all requirements, mitigates risk
  and exposure, saves storage space, is cost-effective, and allows
  for easier search and retrieval of remaining records.


                                                               Page 18
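The disposition strategy above, together with the e-discovery slide's point that ESI under a legal hold must be preserved, amounts to a small rules engine: every record carries a retention profile tied to the schedule, its disposition date is computed from that profile regardless of media, and an open hold suspends disposition until it is lifted. The following Python model is an added example, not GAO's ERMS or its schedule. The profile names, retention periods, schedule item labels and sample records are constructed, and the rule that a hold overrides a due disposition is an assumption taken from the e-discovery duty, not a statement of GAO policy.

```python
"""Retention-schedule disposition with a legal-hold override.

Added example, not GAO's ERMS. The profile names, retention periods,
schedule item labels and sample records are constructed for
illustration. The rule that a legal hold suspends an otherwise due
disposition is modelled as an assumption drawn from the e-discovery
duty described on the page.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from enum import Enum


class Profile(Enum):
    """Constructed retention profiles: (schedule item label, years after cutoff)."""
    AUDIT_DOCUMENTATION = ("item-A", 10)
    ADMINISTRATIVE = ("item-B", 3)
    TRANSITORY = ("item-C", 0)

    @property
    def years(self) -> int:
        return self.value[1]


class Action(Enum):
    RETAIN = "retain"    # retention period still running
    HOLD = "hold"        # due for disposition, but a legal hold suspends it
    DISPOSE = "dispose"  # due and not on hold: normal-course disposal is allowed


@dataclass
class Record:
    record_id: str
    profile: Profile
    cutoff: date          # date the retention period counts from (e.g. engagement closed)
    media: str            # "electronic", "paper", "dataset": the schedule applies regardless
    description: str
    legal_hold: bool = False


def add_years(d: date, n: int) -> date:
    """Advance a date by n years, mapping 29 Feb to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def disposition_date(rec: Record) -> date:
    return add_years(rec.cutoff, rec.profile.years)


def evaluate(rec: Record, today: date) -> Action:
    """The hold check sits inside the disposition path: a due record is
    never reported as disposable while a hold is open on it."""
    if today < disposition_date(rec):
        return Action.RETAIN
    return Action.HOLD if rec.legal_hold else Action.DISPOSE


def apply_hold(records: list[Record], search_terms: list[str]) -> list[str]:
    """Flag every record whose description matches a hold search term
    (case-insensitive). Holds are additive: a held record stays held."""
    terms = [t.lower() for t in search_terms]
    held = []
    for rec in records:
        if any(t in rec.description.lower() for t in terms):
            rec.legal_hold = True
            held.append(rec.record_id)
    return held


def disposition_report(records: list[Record], today: date) -> dict[str, list[str]]:
    report: dict[str, list[str]] = {a.value: [] for a in Action}
    for rec in records:
        report[evaluate(rec, today).value].append(rec.record_id)
    return report


def sample_records() -> list[Record]:
    """Constructed sample data spanning all three media types."""
    return [
        Record("AUD-1", Profile.AUDIT_DOCUMENTATION, date(2001, 6, 30), "electronic",
               "engagement workpapers, program X"),
        Record("AUD-2", Profile.AUDIT_DOCUMENTATION, date(2005, 1, 15), "paper",
               "engagement workpapers, program Y"),
        Record("ADM-1", Profile.ADMINISTRATIVE, date(2008, 2, 29), "dataset",
               "budget correspondence, project Alpha"),
        Record("TMP-1", Profile.TRANSITORY, date(2012, 1, 10), "electronic",
               "meeting logistics"),
    ]


def demo(today: date = date(2012, 3, 1)) -> dict[str, list[str]]:
    """Run a constructed disposition cycle after a hold arrives as search terms."""
    records = sample_records()
    apply_hold(records, ["Project Alpha"])
    return disposition_report(records, today)
```

demo() reports the constructed 1 March 2012 run: AUD-1 and TMP-1 are due and disposable, ADM-1 is due but held because its description matched a hold search term, and AUD-2 is still in retention. Because the media field never enters evaluate(), paper, electronic and dataset records are treated uniformly, which is the property the disposition slide describes.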
New Technology and Tools

• Collaboration
   • Wikis and blogs
   • Instant messaging/Twitter
• Networking
   • YouTube
   • Podcasts
   • Facebook/LinkedIn
• All records are managed according to GAO IM policies.



                                                          Page 19
GAO Reports on IM

• GAO-10-838T: Information Management: The Challenges of
  Managing Electronic Records
• GAO-11-15: NARA: Oversight and Management Improvements
  Initiated, but More Action Needed
• GAO-11-605: Social Media: Federal Agencies Need Policies and
  Procedures for Managing and Protecting Information They
  Access and Disseminate
• GAO-08-536: Privacy: Alternatives Exist for Enhancing Protection
  of Personally Identifiable Information
• GAO-10-537T: Freedom of Information Act: Requirements and
  Implementation Continue to Evolve


                                                             Page 20
In Conclusion – Key Points

• Information management is key to complying with a number of
  federal laws and regulations, and to an organization's ability to
  proactively manage and respond to litigation holds and e-discovery
  requests
• GAO cannot support its mission without effective IM
• IM requires different information disciplines to work together for
  an integrated approach:
    • Records Management
    • Information Security
    • Information Technology
    • Legal
    • Privacy
                                                                 Page 21
Questions?

                  Catherine Teti
      Managing Director, Knowledge Services,
          Chief Agency Privacy Officer
                  tetic@gao.gov
                   202.512.9255




                                               Page 22
