
Data Retention Survey Shows Companies Don’t “Do As I Say….”


A June 2010 survey from Symantec shows an interesting split between attitude and actions when it comes to data retention and disposition. In fact, it shows that most organizations don’t follow their own advice. Most organizations (87%) believe a proper information retention strategy would allow them to delete unnecessary information. But, fewer than half (46%) actually have a formal information retention plan in place.

Keeping everything has a number of negative consequences: spending on storage capacity keeps growing, the time needed to back up servers and databases grows with the volume of data, and the extra stored information raises the cost of legal hold preservation and production. As a result, these businesses spend far more time and money on the consequences of poor information management and discovery practices than they would spend on changing them.

Brian Dye, vice president of product management, Information Management Group, Symantec, says, “Infinite retention results in infinite waste. The sheer volume of data is growing exponentially, so trying to keep everything consumes large amounts of storage space and demands too much of IT’s resources.”

The consequences of such practices are costly and harmful to the organization. Storage costs are skyrocketing, and over-retention has created an environment where, according to the survey, it is now 1,500 times more expensive to review data than to store it. Backup windows are lengthening while recovery times have become prohibitive. And with massive amounts of information stored on difficult-to-access backup tapes, e-discovery has become a lengthy, inefficient, and costly exercise.

The survey was conducted in June 2010 and is based on responses from 1,680 senior IT and legal executives in 26 countries.


Risky Business Posed by Printers, Scanners, Copiers


The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) has released for free download “Risk Management for Replication Devices” (NISTIR 8023) as guidance for protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted on printers, scanners, copiers, and other replication devices.

As has been noted in this newsletter before, these office machines may store documents, images, and other information that must be removed before being sold or traded to prevent exposing sensitive information to whomever subsequently gets possession of them.

The NIST publication identifies risks in three general categories:

  • General threats and vulnerabilities. Examples include manufacturer default passwords that could be used to gain unauthorized access to information, unencrypted data transmission or storage, and outdated or unpatched operating systems.
  • Network connectivity threats and vulnerabilities. Examples include open ports or protocols, unencrypted wireless connectivity, or access to other organizational assets through unprotected hop/relay points provided by the device.
  • Nonvolatile storage threats and vulnerabilities. Examples include failure to sanitize the devices before they are repurposed, unencrypted storage of information, or access to the device by third parties who could download data from memory while performing device maintenance.
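The three categories above translate directly into checks an administrator can run against a device inventory before a fleet is repurposed or returned from lease. The following is an added example, not NIST's own assessment template: the device record fields, the list of vendor default passwords and the table of cleartext ports are assumptions chosen to illustrate the checks, and the two sample devices are constructed.

```python
"""Audit a replication device's settings against the three NISTIR 8023 risk
categories. Added example; the Device fields, VENDOR_DEFAULT_PASSWORDS and
CLEARTEXT_SERVICES are illustrative assumptions, not a vendor or NIST schema."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed list of factory credentials to refuse outright.
VENDOR_DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345678", "access"}

# Ports that carry print jobs, scans or management traffic in cleartext,
# paired with the encrypted replacement a hardening guide would recommend.
# (631/ipp is left out: it may negotiate TLS and needs a separate check.)
CLEARTEXT_SERVICES = {
    21: ("ftp", "sftp or https upload"),
    23: ("telnet", "ssh"),
    80: ("http", "https"),
    161: ("snmp v1/v2c", "snmp v3 authPriv"),
    515: ("lpd", "ipps (ipp over tls)"),
    9100: ("raw/jetdirect", "ipps (ipp over tls)"),
}


@dataclass
class Device:
    hostname: str
    admin_password: str
    firmware_date: str          # ISO date of the installed firmware
    vendor_firmware_date: str   # ISO date of the vendor's current release
    open_ports: Set[int]
    wifi_enabled: bool
    wifi_encryption: str        # "none", "wep", "wpa2", "wpa3"
    disk_encrypted: bool
    sanitize_on_dispose: bool   # purge procedure scheduled before disposal/return
    service_access: str         # "none", "escorted", "unescorted"


def audit(dev: Device) -> Dict[str, List[str]]:
    """Return findings keyed by NISTIR 8023 category."""
    f: Dict[str, List[str]] = {"general": [], "network": [], "storage": []}

    # General threats: default credentials, stale firmware.
    if dev.admin_password.strip().lower() in VENDOR_DEFAULT_PASSWORDS:
        f["general"].append("admin password is blank or a vendor default")
    if dev.firmware_date < dev.vendor_firmware_date:  # ISO dates sort lexically
        f["general"].append(f"firmware {dev.firmware_date} is older than "
                            f"vendor release {dev.vendor_firmware_date}")

    # Network connectivity: cleartext protocols, weak or open wireless.
    for port in sorted(dev.open_ports):
        if port in CLEARTEXT_SERVICES:
            name, fix = CLEARTEXT_SERVICES[port]
            f["network"].append(f"port {port} ({name}) is cleartext; use {fix} and close it")
    if dev.wifi_enabled and dev.wifi_encryption not in ("wpa2", "wpa3"):
        f["network"].append(f"wireless enabled with {dev.wifi_encryption!r} encryption")

    # Nonvolatile storage: data at rest, disposal, third-party maintenance.
    if not dev.disk_encrypted:
        f["storage"].append("internal storage is not encrypted")
    if not dev.sanitize_on_dispose:
        f["storage"].append("no sanitization step scheduled before disposal or lease return")
    if dev.service_access == "unescorted":
        f["storage"].append("service vendor has unescorted access to the device and its disk")
    return f


def finding_count(dev: Device) -> int:
    return sum(len(v) for v in audit(dev).values())


def rank_fleet(devices: List[Device]) -> List[Device]:
    """Worst device first, so remediation effort goes where it matters."""
    return sorted(devices, key=finding_count, reverse=True)


# Constructed sample fleet: one neglected lobby copier, one hardened finance MFP.
LOBBY_MFP = Device("mfp-lobby", "admin", "2014-01-10", "2015-02-01",
                   {23, 443, 631, 9100}, True, "wep", False, False, "unescorted")
FINANCE_MFP = Device("mfp-finance", "c0rrect-h0rse-battery", "2015-02-01", "2015-02-01",
                     {443, 631}, False, "wpa2", True, True, "escorted")

if __name__ == "__main__":
    for d in rank_fleet([FINANCE_MFP, LOBBY_MFP]):
        print(d.hostname, finding_count(d), audit(d))
```

Running the script lists the lobby copier first with eight findings across all three categories and the finance device with none; the per-category split is what feeds the disposal and service-contract phases of the life cycle discussed below.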

The publication provides a series of countermeasures that can be implemented in the context of the system development life cycle to prevent and/or mitigate the impact of these risks. The system development life cycle has six key areas of focus: initiation, development/acquisition, implementation, operation/maintenance, disposal, and service contracts/lease agreements.

Of particular value in this publication are a security risk assessment template in table and flowchart format and a number of questions for assessing your organization’s use of copiers and scanners.


Employees Using ‘Tons’ of Cloud Services to Store, Share Files



Skyhigh Networks, whose mission is to help organizations discover what cloud services their employees are using, has released news that might unnerve many records and information managers and IT executives – or, more likely, affirm what they already suspect: employees are using “tons of different services to store and share files online.”

A March 5 article on citeworld.com contains Skyhigh’s list of the top 50 cloud services that 500,000 end users – employees of clients like GE and Cisco – are using. Note that three of the following top-10 services enable online storage and file sharing:

  • Facebook (social network)
  • Dropbox (file sharing)
  • Google mail (e-mail)
  • Apple iCloud (file sharing)
  • LinkedIn (social network, recruiting)
  • Disqus (comments)
  • Salesforce (CRM)
  • Amazon Web Services (hosted computing platform for web apps)
  • Hotmail (e-mail)
  • Box.net (file sharing)

According to the article, Skyhigh’s goal isn’t to limit the use of online services but instead to give employees information to help them avoid high-risk services.
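The discovery Skyhigh describes starts with the organization's own outbound proxy logs: map each requested host to a known service, count distinct users per service, and single out uploads to file-sharing services. The following is an added example and not Skyhigh's product: the simplified log format (timestamp, user, method, URL, status, bytes sent), the service catalogue and the log lines are all constructed for illustration.

```python
"""Discover cloud services in outbound proxy traffic and flag large uploads to
file-sharing services. Added example; SAMPLE_LOG, its field layout and
SERVICE_CATALOGUE are constructed, not a real proxy format or vendor list."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed, simplified proxy log: timestamp user method url status bytes_sent
SAMPLE_LOG = """\
1394000001.102 alice POST https://www.dropbox.com/upload 200 5242880
1394000002.517 alice GET https://www.facebook.com/ 200 48211
1394000003.004 bob GET https://dl.dropboxusercontent.com/s/abc/report.pdf 200 913000
1394000004.330 carol PUT https://app.box.net/api/2.0/files/content 201 2097152
1394000005.910 carol GET https://mail.google.com/mail/u/0/ 200 120000
1394000006.120 dave POST https://www.icloud.com/iclouddrive/upload 200 786432
1394000007.000 alice GET https://intranet.example.com/wiki 200 2300
garbage line that should be skipped
"""

# Domain suffix -> (service, category); entries taken from the top-10 list above.
SERVICE_CATALOGUE: Dict[str, Tuple[str, str]] = {
    "facebook.com": ("Facebook", "social network"),
    "dropbox.com": ("Dropbox", "file sharing"),
    "dropboxusercontent.com": ("Dropbox", "file sharing"),
    "mail.google.com": ("Google mail", "e-mail"),
    "icloud.com": ("Apple iCloud", "file sharing"),
    "box.net": ("Box", "file sharing"),
    "box.com": ("Box", "file sharing"),
}


def classify(host: str) -> Optional[Tuple[str, str]]:
    """Longest matching suffix wins, so a narrow entry like mail.google.com
    is not swallowed by a broader one if both are present."""
    host = host.lower().rstrip(".")
    best: Optional[Tuple[str, Tuple[str, str]]] = None
    for suffix, entry in SERVICE_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, entry)
    return best[1] if best else None


def parse_line(line: str) -> Optional[dict]:
    """Return a record for a well-formed line, None for anything else."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, user, method, url, status, nbytes = parts
    try:
        return {"ts": float(ts), "user": user, "method": method.upper(),
                "host": urlsplit(url).hostname or "", "status": int(status),
                "bytes": int(nbytes)}
    except ValueError:
        return None


def summarize(log_text: str) -> Dict[str, dict]:
    """Per service: category, distinct users, request count, bytes sent on POST/PUT."""
    out: Dict[str, dict] = defaultdict(
        lambda: {"category": "unclassified", "users": set(), "requests": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = classify(rec["host"])
        name, cat = entry if entry else (rec["host"], "unclassified")
        s = out[name]
        s["category"] = cat
        s["users"].add(rec["user"])
        s["requests"] += 1
        if rec["method"] in ("POST", "PUT"):
            s["bytes_out"] += rec["bytes"]
    return dict(out)


def large_uploads(log_text: str, min_bytes: int = 1 << 20) -> List[Tuple[str, str, int]]:
    """(user, service, bytes) for POST/PUT to file-sharing services of at least min_bytes."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("POST", "PUT"):
            continue
        entry = classify(rec["host"])
        if entry and entry[1] == "file sharing" and rec["bytes"] >= min_bytes:
            hits.append((rec["user"], entry[0], rec["bytes"]))
    return hits


if __name__ == "__main__":
    for name, s in summarize(SAMPLE_LOG).items():
        print(f"{name:24} {s['category']:15} users={len(s['users'])} "
              f"requests={s['requests']} bytes_out={s['bytes_out']}")
    print("large uploads:", large_uploads(SAMPLE_LOG))
```

Hosts that match no catalogue entry are reported under their own name rather than dropped, which is how unexpected services surface in the first place; the upload threshold is deliberately a parameter, since the right cut-off depends on what the organization considers a record.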

ARMA International points out that those using these services may also be storing their organizations’ records and information with them. For that reason, organizations’ policies should indicate whether using these services for business is acceptable and, if so, what the employee’s responsibility is to ensure the organization’s information is brought under corporate oversight in some manner.

Often, employees’ use of such services indicates a business need that is not being met by the organization’s own infrastructure. These needs should be explored and appropriate guidance provided to employees. The ARMA International technical report Using Social Media in Organizations (ARMA TR 21-2012) provides guidance for developing and implementing policy, controls, and training to ensure that the information governance implications of using these technologies are addressed.