Information Management Blog

By Alex Thompson

With the increasing popularity of information loss there has been a few notable news stories in the last fortnight:

• It appears that some faith in PA Consulting remains (see here) – albeit for a project that has already suffered the loss of compact discs containing information on 25 million UK families;

• The senior intelligence official responsible for leaving top secret documents on the train has been charged (see here); and

• A quick reminder to check what kind of tip you’ve left the taxi driver (see here).

But what if information loss didn’t really matter?

Now I’m not about to suggest that leaving your mobile smart device in the back of a cab is a smart move but I attended a seminar the other day for an Information Rights Management (IRM) product that appeared to be a comprehensive solution to mitigating the risk that organisations face from information falling into the wrong hands. Oracle’s IRM software seals documents and emails, associates them with a policy and provides a digital signature to prevent unauthorised access. The solution also tracks and audits information outside of the organisation’s own network to enforce policies beyond the company firewall. Should business relationships change then information access rights can be changed accordingly and when retention policies kick in and the information is eligible for destruction, access rights are revoked entirely. In theory, memory sticks could be used with ease to transfer sealed data and should one end up in the wrong hands then there really shouldn’t be too much to worry about – the new ‘owner’ won’t have access to the rights management server – their only option being to wipe the memory stick and make a few pennies on ebay.

Obviously there are other solutions out there that are equably suitable and ultimately the choice of technology is dependent on requirements but it illustrates that electronic information can be safe to use if it is managed appropriately and solutions like that of Oracle’s IRM could prove to be a popular safety net for contractors that might be a little more nervous than they used to be when handling client information. Unfortunately IRM can’t protect those who want to follow in the steps of the intelligence official – perhaps it’s time that the ever so secure “TOP SECRET” stamp was reconsidered…

A quick “Did you know?” – 31% of organisations do not train their employees specifically about data security or protection of sensitive data (ARMA training survey 2007).

By Alex Thompson

Short of introducing airport style security at the office door, how do businesses tackle the problem of the memory stick? Threat of prosecution after information loss is one thing (see here) but surely the trick is to catch the problem at source? But having just “rules” in place is not enough and did not prevent one of the latest high profile cases of information loss at the Home Office by PA Consulting (see here), who have since suffered the consequences of their error.

On picking up a fellow commuter’s copy of the Guardian the other morning I noticed a letter from Les Bright in Devon who had commented on the latest incident of the memory stick in the night – “News that, once again, confidential information from the Home Office has gone missing, strikes a powerful blow against the paperless office. After all, when did we ever hear of people mislaying a room full of filing cabinets, or leaving one on a train?”. Interesting point Les but I’d like to draw your attention to an event back in June when a memory stick was not to blame and secret paper documents about Al-Qaeda and Iraqi security forces were left on the train by a senior intelligence official (see here).

So we have a problem here – neither the paperless nor the ‘papermore’ office seem to be working – and surely those businesses that are rapidly disabling all the USB connections on employee computers are only fire-fighting half of the problem? Has anyone asked why people are using memory sticks to transfer information or why paper files are being removed from their ‘secure’ locations?

There is clearly an information access requirement amongst users here that has either not be identified or has not been addressed appropriately and as such people are having to develop workarounds to policy in order to meet their needs. However I’m not suggesting that this is just a user requirements issue as there are clearly information security risks to be assessed also and this is where Information Management comes in.

Making information accessible and usable is key to appropriate Information Management but it is important to have a complete people, process and technology infrastructure in place that meets both business and user requirements. Businesses need to be looking at providing users with the ability to access information as their requirements dictate but within controlled environments that protect the information from loss and theft. A policy alone can not achieve this but an Information Management Infrastructure that is built around function and not form can mitigate risks and eliminate the need for users to develop workarounds to the policies and – if the conservatives are to get their way – putting themselves at risk of prosecution.

Of course one could leave the infrastructure as it is and employ additional security at the doors to check bags and pat down the pockets of staff leaving the office but I’ll leave this one for the Home Office risk assessors to consider.

By Patrick Thatcher

There is a widely accepted concept within information management; that being the main division for data is between structured and unstructured. Structured data being rows and columns of data within a database and unstructured being “the rest” of an organisation’s data. “The rest” being all documents including Office documents, PDF’s, emails and so on.

Traditionally and practically, organisations will have their structured data reasonably well managed (I guess that is why we call it structured data). However, the unstructured data is often wild and unruly. The most common method of taming the wild of the unstructured data is with one or a combination of Enterprise Content Management (ECM), Document Management (DM) and Records Management (RM).

All too often the chosen solution and the implementation journey is dramatically underestimated. The perception is simply to buy a product, install it and all will be well.

To quote a very old cliché; “If you fail to plan, you plan to fail”. This most certainly rings true for any project involving unstructured data. The most important work of an information management project must be done upfront, if possible prior to even purchasing a product. Should the product selection already been done; still more work is required prior to the solution roll out.

Some points may seem obvious, but please remember the following:

1. Ensure infrastructure is in place
2. Define all document / content types
3. Engage with all levels of the organisation
4. Pilot, prototype or model office is essential
5. Plan, plan, and plan

Where there is strong drive within organisations to manage unstructured data effectively. I would like to highlight that in order to reach the organised point there needs to be clear and concise structure surrounding the unstructured. Although unstructured data will never appear as rows and columns in a database; it should be approached with structure and order in mind.

By Patrick Thatcher

Social networking on-line has without doubt changed the way individuals, socialise, share information and even meet new people. Whilst all users have been merrily using this medium there has been a brewing undercurrent relating to who is responsible ocean of data. Who is ultimately responsible for the content that is generated every day?

A judge recently ruled on a liable case where an individual had created a false user profile on a popular networking site. The false profile defamed an ex-friend of the claimant. The judge ruled in favour of the claimant and the user responsible for creating the false profile was ordered to pay damages in excess of £20,000.

The defendant claimed that he had not created the profile, but admitted his PC had been used. The defendant claimed that friends had created the false profile during a party at his home. The judge ruled that the defendant was ultimately responsible for the PC which was used to create the profile; hence was liable in this case.

Although this should not spark a legal debate but rather remind us all of a few critical thoughts relating to our on-line presence:

1. Information is powerful
2. Use information responsibly
3. Individuals are responsible for content created
4. Ensure your electronic assets are secured appropriately

These basic ideas no doubt extend to all aspects of our electronic existence; be that socialising, blogging or working. Some basic rules and codes of conduct must be adhered to.

Let’s face it, we all need to be careful.

By Josef Elliott

There is a school of thought that all new “stuff” is invented in California and slowly migrates eastwards stopping only briefly on our shores on the way to mainland Europe, Asia and The Orient.  Let us for a moment consider the progress of e-Discovery and accept the fact that it is growing significantly in this country and is with us to stay.   Add to that the enormous costs involved -  Microsoft, it is claimed, spends $20m on e-Discovery per litigation (see article) – and it soon becomes obvious that all major organisations should be looking at ways of preparing themselves for this onerous task and working out how they can keep the costs down. 

Some of the most interesting thinking in the e-Discovery space is being done on the Electronic Discovery Reference Model (www.edrm.net).  To quote from the site:

“Launched in May 2005, the Electronic Discovery Reference Model (EDRM) Project was created to address the lack of standards and guidelines in the electronic discovery market - a problem identified in the 2003 and 2004 Socha-Gelbmann Electronic Discovery surveys as a major concern for vendors and consumers alike. The completed reference model provides a common, flexible and extensible framework for the development, selection, evaluation and use of electronic discovery products and services. The completed model was placed in the public domain in May 2006”

And the model looks like this: 

Now look at the first box – Information Management.  The great irony of this model is that it assumes that we are all managing our information before we embark on the e-Discovery exercise.  If this was the case, then our costs would be much lower.   E-Discovery costs are so high because most organisations do not have robust Information Management practices in place prior to a piece of litigation hitting.  Surely it’s better to spend more time managing information in order to save money identifying, preserving, collecting, processing, reviewing, analysing, producing and presenting?

Comments as always are welcomed.

By Josef Elliott

So the acquisition news today is that Interwoven have become the latest ECM vendor to snap up an e-Discovery player in the US with yesterday’s announcement that they intend to acquire Discovery Mining, Inc.  This follows Automony’s purchase of Zantaz, Seagate’s purchase of MetalLINCS, Iron Mountain’s purchase of Stratify and many others besides.  So what’s this all about, then?  What exactly is e-Discovery and why do the leading suppliers in the ECM and storage world feel the need to enter this market?

Well, the answer is partly about protecting what they’ve already got and partly about trying to get in to new markets.  E-discovery deals with the management and exchange of the electronically stored information (ESI) associated with litigation and Gartner’s latest Marketscope lists a whopping 29 vendors in this space.  And whilst the discipline has been around for almost 10 years, it has really taken off since the changes in the Federal Rules of Civil Procedure (FRCP) in December 2007. 

These changes increased the obligations with respect to the disclosure of electronically stored information (ESI) by widening the scope of what ESI needs to be disclosed and the format in which it should be produced.

What this means in effect is that the E-discovery tool becomes a major new repository of information in the organisation for the duration of the litigation (which may be many years) and for a significant time before and maybe after.  So now the “traditional” document management and storage vendors need an offering in this area to ensure they retain control of existing information and gain control of additional ESI not currently managed by them.  More documents, more storage, more licences and deeper embedding within the organisation.  Obvious, really.