Page 1
Underwritten by: Presented by:
#AIIM Information Is Your Most Important Asset. Learn the Skills to Manage It.
Developing a Successful Data Retention Policy
Presented March 22, 2017
An AIIM Webinar Presented March 22, 2017
Page 2
Today’s Speakers
Craig Shogren, Manager, Information Governance, HBR Consulting
Rich Lauwers, Information Governance, HPE
Kelly Huckman, JD, Consultant, Iron Mountain
Page 3
Introducing our Featured Speaker
Craig Shogren
Manager, Information Governance
HBR Consulting
Page 4
We’re pretty sure we are not providing all responsive data, since we don’t know what we don’t know!
We really don’t even know what we have, let alone where it is!
There is probably a lot of PII on our shared drives that we really need to purge. Could be devastating if we are ever breached.
Our workforce is so mobile, we know our employees are saving stuff to unsanctioned cloud storage. This ‘shadow IT’ will sabotage our efforts at comprehensive disposition.
I only have 24 hours to respond to a regulatory request, yet it will take me 4 times that amount of time to sift through all the garbage.
Page 5
Page 6
Why Do We Care?
§ Compliance
§ Discovery Risk and Cost
§ Privacy
§ Efficiency
§ Storage Savings
§ Customer Service
§ Knowledge Management / IP
Page 7
The Path Forward Is Clear
• Define Governance Requirements
• Know Where Everything Is
• Eliminate Unnecessary Data (ROT)
• Unbury Treasures
Page 8
…But Littered with Obstacles
! Organizational silos obstruct comprehensive approach
! No internal sponsor / champion
! Lack of budget & resources
! Communication gaps between Legal, IT and the business
! “Software-as-Savior” turns into “Software-as-Shelfware”
! Don’t know where the data is or what it contains
! Change management?
! Bleeding out
Page 9
Define What Governs Your Information
§ Retention and disposition requirements
§ Privacy and security requirements
§ FRCP requirements (legal holds, etc.)
§ Intellectual property considerations
§ ISO standards
§ Business requirements
Page 10
Foundational Components for Defensibility
§ IG/RIM Policy
  § Purpose, scope, objectives, accountabilities, responsibilities, standards and definitions
§ Records Retention Schedule
  § Updated regulatory research
  § Actionable, understandable
  § Comprehensive
§ Records, but what about everything else?
Page 11
Foundational Components for Defensibility
§ Privacy
  § PII/PHI/PCI handling requirements
  § Retention limitations
  § Cross border considerations
    § Privacy Shield
    § GDPR
Page 12
Foundational Components for Defensibility
§ Information Security
  § Data Classification Standard
  § Data Mapping / Data Flows
  § Technologies
    § End-Point Detection, DLP, Access Controls, Virus Detection, Big Data Security Analytics, Containment/Isolation Tools, Security Testing, etc.
  § BYOD Policies
Page 13
Foundational Components for Defensibility
§ Litigation Readiness
  § Legal Hold Policy/Procedure
  § eDiscovery Tools and Technologies
  § Litigation Profile
§ Intellectual Property
§ Training (Change Management)
  § “But, we’ve always done it that way!”
Page 14
The Path Forward Is Clear
• Define Governance Requirements
• Know Where Everything Is
• Eliminate Unnecessary Data
• Unbury Treasure
Page 15
Preliminary Steps
§ Identify and assess locations/repositories of unstructured content
  § Collaboration sites, shared drives, personal drives, document management systems, content management system, email, physical, etc.
§ Functional requirements of content/records management system
§ Identify “content placement strategy”
  § Is there clarity on how the retention schedule applies to electronic data?
§ Determine content assessment methodology
Page 16
Content Assessment
§ Manual
  § User-Dependent
§ Technology-Enabled
  § IT Tools
  § eDiscovery Technology
  § File Analysis Software
§ Content
§ Metadata
Page 17
What is File Analysis?
Two Primary Levels of Analysis
§ File System Metadata
  § Includes information about individual files
  § Examples include contextual metadata about associated servers, volumes, shares, folders, and identity related information such as company/department/group/user permissions and ownership; as well as file specific metadata such as file owner, last author, author, file extension/item type, and create, last modified, and last accessed dates
§ File Content
  § Includes information within individual files
  § Represents a much more granular level of detail, and subsequently a larger data footprint and supporting set of infrastructure requirements
§ Repositories
  § Email, File Shares, ERM/EDM/ECM Systems, SharePoint, File sync and share sites such as Box.net or Dropbox, Data Archives, Business Intelligence (BI) / Data Warehouse Environments
Page 18
Representative Vendors
Primary Use Cases Supported by 2016 List Vendors
Use cases shown in the diagram: Governance/Policy Management; Risk Mitigation; Analytics; Efficiency/Optimization
• Active Navigation • Adlib Software • Beyond Recognition • Bloomberg • Controle • Cryptzone • Druva • Exterro • SailPoint • Titus
• HPE • IBM • ZL Technologies
• Capax Discovery • DataGlobal • Egnyte • Index Engines • Spirion • STEALTHbits • Varonis • Veritas
• Kazoup
• Condrey • Haystac
Source: Gartner: Market Guide for File Analysis Software (19 September 2016)
Gartner’s Note: Though most vendors support some elements of each use case, vendors are listed in the above diagram according to the major use case supported and what customers acquire the solution for.
Page 19
Demerger Example
Page 20
Thank You!
Craig Shogren, Manager
HBR Consulting
[email protected]
312-638-5130
Page 21
Introducing our Speakers
Rich Lauwers, Information Governance Subject Matter Expert, HPE
Kelly Huckman, JD, Consultant, Iron Mountain
Page 22
How Do We Better Connect Legal Regulations and Operational Requirements to Our Content?
The first and last mile of retention
The First Mile: Retention Considerations
• Government regulations
• Industry specific regulations
• IT Operations
• Business Needs
Connect
• Auto collection of laws
• Translate to retention rules
• Centralized policy
• Apply at scale
• Audit logs
The Last Mile: Policy Execution
• Email
• Cloud
• Desktop
• Physical Content
• SAP
• Structured Repositories
• Unstructured repositories
• File Shares
Page 23
Why Has Connecting the First and Last Mile of Retention Been So Difficult?
Policy is not digitally connected to content
Appeared complex, time consuming, costly & hard to maintain
Origins of Records Management were paper not IT
Demand was for commercial off-the-shelf solutions
A lack of standards
Page 24
GDPR Enacted to Help Protect EU Citizen Data from Risk
Page 25
What Challenges Does GDPR Create?
§ Understand the scope of PII
§ Identify PII, determine format, locate it within IT real estate
§ Isolate and classify PII
§ Appreciate the retention times for personal data and contact information
§ Obtain and retain explicit consent of data subjects
§ Limit access of PII based upon scope of consent
§ Facilitate the “right to erasure” of personal data
Page 26
Create a Data Map
• Map both PII and Non-PII data sources
• Establish relationships between data sources/owners with relevant Record Classes
• Represent processing purposes consented to by data subjects
• Identify PII locations, create an e-discovery data map, and inform a coherent e-comms policy in a single project
Page 27
Digitally Connect Policy to Content
Retention Schedule, Organization Structure, Data Maps, etc.
• Enterprise Content Management
• Physical Content
• Email
• Unstructured repositories
• SAP
• Structured repositories
• File Shares
• Cloud
Page 28
Mapping
Report Compliance
Get Consent
Manage Data In Scope (Personal Data): Find, Classify, Govern
Secure Personal Data
Information Management & Governance
Records Repository
Data Repositories
Security
• Data Security
• Application Security
• Security Intelligence (Breach Detection)
Page 29
Complete GDPR Platform
Data Repositories: Messaging, Email, Files, SharePoint, Applications, Data Warehouses, Document Management, Data Archive, Social Media, Web Content
Other diagram labels: Find, Read, Analyse, Classify, Action, Apply, Govern, Declare, Eligible Records, Store, Record Repository, Data Encryption, Apply Retention Rules, Compliance, Legal Hold & Audit
Page 30
Methodology
• Survey and confirm
• Index metadata and content of documents
• Extract named entities (SSN, emails, phones…)
• « ROT » analysis
  • Redundant • Obsolete • Trivial
• « Technical » analysis (size, type, age…)
• Creation of Categories based on entities, metadata and/or content
• Apply tags
• Move • Secure • Archive • Review
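The methodology above, together with the two analysis levels from the "What is File Analysis?" slide, run over a constructed file share. This is an added example, not code from the webinar or from any vendor's product; the thresholds, entity patterns, tag names and the tag-to-action mapping are assumptions.

```python
import hashlib, os, re, tempfile, time
from pathlib import Path
# Thresholds, patterns and the tag-to-action mapping are assumptions for illustration.
OBSOLETE_DAYS = 7 * 365
TRIVIAL_EXT = {".tmp", ".bak", ".log"}
ENTITIES = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
            "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")}

def analyze(root):
    """Return {relative path: sorted tags} for every file under root."""
    seen, report = set(), {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        tags, st = set(), path.stat()          # level 1: file-system metadata
        if (time.time() - st.st_mtime) / 86400 > OBSOLETE_DAYS:
            tags.add("obsolete")
        if st.st_size == 0 or path.suffix.lower() in TRIVIAL_EXT:
            tags.add("trivial")
        data = path.read_bytes()               # level 2: file content
        digest = hashlib.sha256(data).hexdigest()
        if digest in seen:                     # same bytes as an earlier file
            tags.add("redundant")
        seen.add(digest)
        text = data.decode("utf-8", errors="ignore")
        tags |= {f"pii:{n}" for n, rx in ENTITIES.items() if rx.search(text)}
        report[path.relative_to(root).as_posix()] = sorted(tags)
    return report

def action_for(tags):
    """Pick one disposition; PII wins so it is secured before anything is purged."""
    if any(t.startswith("pii:") for t in tags):
        return "secure"
    if "redundant" in tags or "trivial" in tags:
        return "review"
    return "archive" if "obsolete" in tags else "none"

def demo():
    """Run the scan over a constructed share (all file contents are made up)."""
    with tempfile.TemporaryDirectory() as root:
        files = {"hr/roster.txt": "Jane Doe, SSN 000-12-3456, jane@example.com",
                 "hr/roster_copy.txt": "Jane Doe, SSN 000-12-3456, jane@example.com",
                 "build/out.tmp": "scratch", "plans/2008_budget.txt": "FY2008 budget",
                 "plans/roadmap.txt": "current roadmap"}
        for name, body in files.items():
            p = Path(root, name)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        old = time.time() - 10 * 365 * 86400   # backdate one file ten years
        os.utime(Path(root, "plans/2008_budget.txt"), (old, old))
        return {n: (t, action_for(t)) for n, t in analyze(root).items()}
```

The duplicate roster is tagged both redundant and PII, and the PII tag decides its disposition, so a copy holding personal data is secured rather than queued with ordinary ROT.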
Page 31
Content Manager Component Overview
HPE CM Policy Center Connector
• Connector that extracts and ingests Retention Requirements into Electronic Content Manager
• Mapping of data
• Classifications
• Retention schedules
HPE CM Auto-Classification Module
• Trained on existing content or BCS
• Holding node prior to classification
• Automatic folder creation
• Linked security & retention
HPE Content Manager (ECM + Retention)
• Information lifecycle management
• Governance-based ECM
• Access defined by authorized seats
• Perpetual license + annual maintenance
Ingested Policy Center data stays in Content Manager
• Retention laws, jurisdictions and vertical industry information is mapped
• Policy Center is polled for updates
• Updates are ingested and managed permanently
Content Manager is licensed perpetually
• All components remain active
• Annual support renewal
Page 32
Take a look at what HPE has to offer: www.hpe.com/software/scm
HPE GDPR self assessment: http://gdprcomplianceassessment.com
Page 33
Thank You!
Kelly Huckman, JD, Consultant
Iron Mountain
[email protected]
Rich Lauwers, Information Management Subject Matter Expert
HPE
[email protected], Chicago
Page 34
QUESTIONS?
Page 35
You’ve just attended an AIIM Webinar. What now?
Take your skills to the next level by learning how to map, design, capture, and automate operational processes using a combination of strategies, and technologies with AIIM’s Training Courses
www.aiim.org/training
Page 36
AIIM is the Community for Information Professionals
AIIM believes that information is your most important asset. Learn the skills to manage it.
Our mission is to improve organizational performance by empowering a community of leaders committed to information-driven innovation.
Learn more at www.aiim.org