[Webinar Slides] Developing a Successful Data Retention Policy

Underwritten by: Presented by:

Information Is Your Most Important Asset. Learn the Skills to Manage It. Developing a Successful Data Retention Policy. An AIIM Webinar Presented March 22, 2017

Upload: aiim

Post on 06-Apr-2017


TRANSCRIPT

Page 1: [Webinar Slides] Developing a Successful Data Retention Policy

#AIIM Information Is Your Most Important Asset. Learn the Skills to Manage It.

Developing a Successful Data Retention Policy

An AIIM Webinar Presented March 22, 2017

Page 2: [Webinar Slides] Developing a Successful Data Retention Policy

Today’s Speakers

Craig Shogren, Manager, Information Governance, HBR Consulting

Rich Lauwers, Information Governance, HPE

Kelly Huckman, JD, Consultant, Iron Mountain

Page 3: [Webinar Slides] Developing a Successful Data Retention Policy

Introducing our Featured Speaker

Craig Shogren

Manager, Information Governance

HBR Consulting

Page 4: [Webinar Slides] Developing a Successful Data Retention Policy

We’re pretty sure we are not providing all responsive data, since we don’t know what we don’t know!

We really don’t even know what we have, let alone where it is!

There is probably a lot of PII on our shared drives that we really need to purge. Could be devastating if we are ever breached.

Our workforce is so mobile, we know our employees are saving stuff to unsanctioned cloud storage. This ‘shadow IT’ will sabotage our efforts at comprehensive disposition.

I only have 24 hours to respond to a regulatory request, yet it will take me 4 times that amount of time to sift through all the garbage.

Page 6: [Webinar Slides] Developing a Successful Data Retention Policy

Why Do We Care?

§ Compliance
§ Discovery Risk and Cost
§ Privacy
§ Efficiency
§ Storage Savings
§ Customer Service
§ Knowledge Management / IP

Page 7: [Webinar Slides] Developing a Successful Data Retention Policy

The Path Forward Is Clear

• Define Governance Requirements
• Know Where Everything Is
• Eliminate Unnecessary Data (ROT)
• Unbury Treasures

Page 8: [Webinar Slides] Developing a Successful Data Retention Policy

…But Littered with Obstacles

! Organizational silos obstruct comprehensive approach
! No internal sponsor / champion
! Lack of budget & resources
! Communication gaps between Legal, IT and the business
! “Software-as-Savior” turns into “Software-as-Shelfware”
! Don’t know where the data is or what it contains
! Change management?
! Bleeding out

Page 9: [Webinar Slides] Developing a Successful Data Retention Policy

Define What Governs Your Information

§ Retention and disposition requirements
§ Privacy and security requirements
§ FRCP requirements (legal holds, etc.)
§ Intellectual property considerations
§ ISO standards
§ Business requirements

Page 10: [Webinar Slides] Developing a Successful Data Retention Policy

Foundational Components for Defensibility

§ IG/RIM Policy
  § Purpose, scope, objectives, accountabilities, responsibilities, standards and definitions
§ Records Retention Schedule
  § Updated regulatory research
  § Actionable, understandable
  § Comprehensive
  § Records, but what about everything else?

Page 11: [Webinar Slides] Developing a Successful Data Retention Policy

Foundational Components for Defensibility

§ Privacy
  § PII/PHI/PCI handling requirements
  § Retention limitations
  § Cross border considerations
    § Privacy Shield
    § GDPR

Page 12: [Webinar Slides] Developing a Successful Data Retention Policy

Foundational Components for Defensibility

§ Information Security
  § Data Classification Standard
  § Data Mapping / Data Flows
  § Technologies
    § End-Point Detection, DLP, Access Controls, Virus Detection, Big Data Security Analytics, Containment/Isolation Tools, Security Testing, etc.
  § BYOD Policies

Page 13: [Webinar Slides] Developing a Successful Data Retention Policy

Foundational Components for Defensibility

§ Litigation Readiness
  § Legal Hold Policy / Procedure
  § eDiscovery Tools and Technologies
  § Litigation Profile
§ Intellectual Property
§ Training (Change Management)
  § “But, we’ve always done it that way!”

Page 14: [Webinar Slides] Developing a Successful Data Retention Policy

The Path Forward Is Clear

• Define Governance Requirements
• Know Where Everything Is
• Eliminate Unnecessary Data
• Unbury Treasure

Page 15: [Webinar Slides] Developing a Successful Data Retention Policy

Preliminary Steps

§ Identify and assess locations / repositories of unstructured content
  § (Collaboration sites, shared drives, personal drives, document management systems, content management system, email, physical etc.)
§ Functional requirements of content / records management system
§ Identify “content placement strategy”
  § Is there clarity on how the retention schedule applies to electronic data?
§ Determine content assessment methodology

Page 16: [Webinar Slides] Developing a Successful Data Retention Policy

Content Assessment

§ Manual
  § User-Dependent
§ Technology-Enabled
  § IT Tools
  § eDiscovery Technology
  § File Analysis Software
    § Content
    § Metadata

Page 17: [Webinar Slides] Developing a Successful Data Retention Policy

What is File Analysis?

Two Primary Levels of Analysis

§ File System Metadata
  § Includes information about individual files
  § Examples include contextual metadata about associated servers, volumes, shares, folders, and identity related information such as company / department / group / user permissions and ownership; as well as file specific metadata such as file owner, last author, author, file extension / item type, and create, last modified, and last accessed dates
§ File Content
  § Includes information within individual files
  § Represents a much more granular level of detail, and subsequently a larger data footprint and supporting set of infrastructure requirements
§ Repositories
  § Email, File Shares, ERM/EDM/ECM Systems, SharePoint, File sync and share sites such as Box.net or Dropbox, Data Archives, Business Intelligence (BI) / Data Warehouse Environments

Page 18: [Webinar Slides] Developing a Successful Data Retention Policy

Representative Vendors: Primary Use Cases Supported by 2016 List Vendors

• Active Navigation • Adlib Software • Beyond Recognition • Bloomberg • Controle • Cryptzone • Druva • Exterro • SailPoint • Titus

• HPE • IBM • ZL Technologies

• Capax Discovery • DataGlobal • Egnyte • Index Engines • Spirion • STEALTHbits • Varonis • Veritas

Source: Gartner: Market Guide for File Analysis Software (19 September 2016). Gartner’s Note: Though most vendors support some elements of each use case, vendors are listed in the above diagram according to the major use case supported and what customers acquire the solution for.

Governance / Policy Management

Risk Mitigation

Analytics

Efficiency / Optimization

• Kazoup

• Condrey • Haystac

Page 19: [Webinar Slides] Developing a Successful Data Retention Policy

Demerger Example

Page 20: [Webinar Slides] Developing a Successful Data Retention Policy

Thank You!

Craig Shogren, Manager

HBR Consulting

[email protected]

312-638-5130

Page 21: [Webinar Slides] Developing a Successful Data Retention Policy

Introducing our Speakers

Rich Lauwers, Information Governance Subject Matter Expert, HPE

Kelly Huckman, JD, Consultant, Iron Mountain

Page 22: [Webinar Slides] Developing a Successful Data Retention Policy

How Do We Better Connect Legal Regulations and Operational Requirements to Our Content?

The first and last mile of retention

The First Mile: Retention Considerations
• Government regulations
• Industry specific regulations
• IT Operations
• Business Needs

The Last Mile: Policy Execution
• Email
• Cloud
• Desktop
• Physical Content
• SAP
• Structured Repositories
• Unstructured repositories
• File Shares

Connect
• Auto collection of laws
• Translate to retention rules
• Centralized policy
• Apply at scale
• Audit logs

Page 23: [Webinar Slides] Developing a Successful Data Retention Policy

Why Has Connecting the First and Last Mile of Retention Been So Difficult?

Policy is not digitally connected to content

Appeared complex, time consuming, costly & hard to maintain

Origins of Records Management were paper not IT

Demand was for commercial off-the-shelf solutions

A lack of standards

Page 24: [Webinar Slides] Developing a Successful Data Retention Policy

GDPR Enacted to Help Protect EU Citizen Data from Risk

Page 25: [Webinar Slides] Developing a Successful Data Retention Policy

What Challenges Does GDPR Create?

§ Understand the scope of PII
§ Identify PII, determine format, locate it within IT real estate
§ Isolate and classify PII
§ Appreciate the retention times for personal data and contact information
§ Obtain and retain explicit consent of data subjects
§ Limit access of PII based upon scope of consent
§ Facilitate the “right to erasure” of personal data

Page 26: [Webinar Slides] Developing a Successful Data Retention Policy

Create a Data Map

• Map both PII and Non-PII data sources
• Establish relationships b/w data sources / owners with relevant Record Classes
• Represent processing purposes consented to by data subjects
• Identify PII locations, create an e-discovery data map, and inform a coherent e-comms policy in a single project

Page 27: [Webinar Slides] Developing a Successful Data Retention Policy

Digitally Connect Policy to Content

Retention Schedule, Organization Structure, Data Maps, etc.

• Enterprise Content Management
• Physical Content
• Email
• Unstructured repositories
• SAP
• Structured repositories
• File Shares
• Cloud

Page 28: [Webinar Slides] Developing a Successful Data Retention Policy

Diagram labels: Mapping; Report Compliance; Get Consent; Find; Govern; Classify; Manage Data In Scope (Personal Data); Secure Personal Data; Security; Records Repository; Information Management & Governance; Data Repositories

• Data Security
• Application Security
• Security Intelligence (Breach Detection)

Page 29: [Webinar Slides] Developing a Successful Data Retention Policy

Complete GDPR Platform

Diagram labels: Analyse; Record Repository; Classify; Data Repositories; Messaging; Email; Files; Read; SharePoint; Action; Applications; Data Warehouses; Document Management; Data Archive; Social Media; Web Content; Apply; Store; Eligible Records; Declare; Data Encryption; Find; Govern; Apply Retention Rules; Compliance, Legal Hold & Audit

Page 30: [Webinar Slides] Developing a Successful Data Retention Policy

Methodology

• Survey and confirm
• Index metadata and content of documents
• Extract named entities (SSN, emails, phones…)
• « ROT » analysis
  • Redundant • Obsolete • Trivial
• « Technical » analysis (size, type, age…)
• Creation of Categories based on entities, metadata and/or content
• Apply tags
• Move • Secure • Archive • Review
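
An added example (not from the webinar or any vendor product) of the ROT, technical and named-entity steps on this slide, run over a constructed file inventory. The seven-year obsolescence threshold, the trivial extensions, the regex patterns and the tag names are assumptions.

```python
import hashlib
import os
import re
from datetime import datetime, timedelta

# Assumed thresholds; in practice the retention schedule sets these per record class.
OBSOLETE_AFTER = timedelta(days=7 * 365)
TRIVIAL_EXTS = {".tmp", ".bak"}
ENTITY_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}

def assess(inventory, now):
    """Return {path: tags} with ROT tags and pii:<type> tags for each file record."""
    first_copy = {}  # content hash -> path of the oldest file with that content
    report = {}
    for rec in sorted(inventory, key=lambda r: r["modified"]):
        tags = set()
        digest = hashlib.sha256(rec["content"].encode()).hexdigest()
        if first_copy.setdefault(digest, rec["path"]) != rec["path"]:
            tags.add("redundant")   # a newer byte-identical copy of an existing file
        if now - rec["modified"] > OBSOLETE_AFTER:
            tags.add("obsolete")    # untouched for longer than the assumed threshold
        ext = os.path.splitext(rec["path"])[1].lower()
        if ext in TRIVIAL_EXTS or not rec["content"]:
            tags.add("trivial")     # temp/backup artefacts and empty files
        # Record the entity type only, never the matched value, so the report holds no PII.
        tags |= {f"pii:{n}" for n, rx in ENTITY_PATTERNS.items() if rx.search(rec["content"])}
        report[rec["path"]] = tags
    return report

def rot_with_pii(report):
    """Paths that are ROT and also contain PII: exposure with no business value."""
    rot = {"redundant", "obsolete", "trivial"}
    return sorted(p for p, t in report.items()
                  if t & rot and any(x.startswith("pii:") for x in t))

# Constructed sample inventory; paths, dates and contents are made up.
NOW = datetime(2017, 3, 22)
INVENTORY = [
    {"path": "/share/hr/payroll_2008.csv", "modified": datetime(2008, 5, 1), "content": "Jane Roe,078-05-1120"},
    {"path": "/share/sales/q4_plan.docx", "modified": datetime(2016, 11, 2), "content": "Q4 plan, contact j.doe@example.com"},
    {"path": "/home/alice/q4_plan_copy.docx", "modified": datetime(2017, 1, 10), "content": "Q4 plan, contact j.doe@example.com"},
    {"path": "/share/tmp/export.tmp", "modified": datetime(2017, 3, 1), "content": ""},
]

if __name__ == "__main__":
    for path, tags in assess(INVENTORY, NOW).items():
        print(path, sorted(tags))
```

Files that come back from `rot_with_pii` are the ones to route to review first, since they carry breach exposure without any retention justification.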

Page 31: [Webinar Slides] Developing a Successful Data Retention Policy

Content Manager Component Overview

Ingested Policy Center data stays in Content Manager
• Retention laws, jurisdictions and vertical industry information is mapped
• Policy Center is polled for updates
• Updates are ingested and managed permanently

Content Manager is licensed perpetually
• All components remain active
• Annual support renewal

HPE CM Policy Center Connector
• Connector that extracts and ingests Retention Requirements into Electronic Content Manager
• Mapping of data
• Classifications
• Retention schedules

HPE CM Auto-Classification Module
• Trained on existing content or BCS
• Holding node prior to classification
• Automatic folder creation
• Linked security & retention

HPE Content Manager (ECM + Retention)
• Information lifecycle management
• Governance-based ECM
• Access defined by authorized seats
• Perpetual license + annual maintenance

Page 32: [Webinar Slides] Developing a Successful Data Retention Policy

Take a look at what HPE has to offer: www.hpe.com/software/scm

HPE GDPR self assessment: http://gdprcomplianceassessment.com

Page 33: [Webinar Slides] Developing a Successful Data Retention Policy

Thank You!

Kelly Huckman, JD, Consultant

Iron Mountain

[email protected]

Rich Lauwers, Information Management Subject Matter Expert

HPE

[email protected], Chicago

Page 34: [Webinar Slides] Developing a Successful Data Retention Policy


QUESTIONS?

Page 35: [Webinar Slides] Developing a Successful Data Retention Policy

You’ve just attended an AIIM Webinar. What now?

Take your skills to the next level by learning how to map, design, capture, and automate operational processes using a combination of strategies, and technologies with AIIM’s Training Courses

www.aiim.org/training

Page 36: [Webinar Slides] Developing a Successful Data Retention Policy

AIIM is the Community for Information Professionals

AIIM believes that information is your most important asset. Learn the skills to manage it.

Our mission is to improve organizational performance by empowering a community of leaders committed to information-driven innovation.

Learn more at www.aiim.org