e-discovery - social media & cloud-dec2011
Post on 17-May-2015
Maintaining, Preserving & Disposing of Data on Social Media & Cloud Computing Platforms
Catherine Teti
Managing Director, Knowledge Services
Chief Agency Privacy Officer
US Government Accountability Office
December 1, 2011
December 1, 2011 Data Management Challenges – Social Media & Cloud Page 2
Presentation Overview
• Challenges, issues and requirements that agencies need to be mindful of/address when moving into the cloud or using social media.
• Value Proposition
• Risks and Requirements
• Governance – effective information management and oversight
• GAO’s Experience
• Additional References
Value Proposition
• What . . .
  • Problem will be solved?
  • Service enhanced?
  • Operational or resource efficiencies realized?
• Understand your audience/customer base
• Multiple points of information dissemination (e.g., reposting information to agency web sites)
• OMB “Guidance for Agency Use of Third-Party Websites and Applications”, M-10-23, June 25, 2010
• Provide alternatives to 3d party websites/applications (i.e., public shouldn’t have to join a social media site to access agency information or services)
Risks and Requirements - Records
• Is a record required?
  • See Value Proposition (why are you doing this in the 1st place?)
  • Evidence of agency policy, decisions, mission
  • Original or repurposed content (is it already captured elsewhere?)
  • Caution: Content vs. medium
Risks and Requirements – Capture/Retain
• Capture and retention
  • Preserving data that isn’t “owned” or controlled by your agency - Do you (or should you) care?
  • What if – the cloud vendor goes out of business, the agency changes contractors, you decide to stop using Facebook?
• Disposing of or destroying data at the end of its retention period (inclusion in terms of service)
  • Does it matter if you can’t dispose of it – i.e., potential lack of control
Risks and Requirements – Security/Privacy
• Security
  • Potential for hacking or attacking systems and/or data
• Privacy – Potential for inappropriate use of personal data
  • What is captured (essential only)?
  • Why? How is it used?
  • How is it secured?
  • User notification – collection and use
  • See also OMB M-10-23 requirements for
    • Privacy impact assessments
    • Agency privacy notices
Federal Agency Information Management Requirements
• The Paperwork Reduction Act – information collection and responsibilities for the management of information resources
• The Privacy Act - use of personal information by federal agencies
• FISMA, the Federal Information Security Management Act - requirements for protecting agency information and systems from misuse
• FOIA - public access to agency records
• The Federal Records Act - requires agencies to manage records needed for their operations and have processes to properly dispose of or save (historically significant) records
• NARA Bulletin 2011-02 - Guidance on Managing Records in Web 2.0/Social Media Platforms
E-Discovery Requirements
• Formalized in the amended Federal Rules of Civil Procedure in 2006.
• All Electronically Stored Information (ESI) stipulated in a subpoena must be preserved as part of a legal hold.
• Organizations must be able to preserve and produce all ESI relevant to a discovery order.
• Organizations’ inability to search for and locate relevant information is causing significant risk.
• Costs for e-discovery are continuing to skyrocket for organizations without proper information management.
Governance – The Key to Effective Information Management and Oversight
• Different information – and mission - disciplines working together for an integrated approach:
  • Records Management
  • Information Security
  • Information Technology
  • Legal
  • Privacy
  • Business owner(s)
• Realigning and re-engineering stove-piped management processes to create integrated and coordinated approaches to managing information across the information life cycle
• Oversight – capture/custodianship
• Guidance – Who speaks for the agency
GAO’s Key Requirements for Effective IM
• Business Purpose
  • Align management with GAO business processes to meet mission objectives
• Organizational Commitment
  • Ensure executive sponsorship and stakeholder buy-in
• Governance
  • Clearly define policy and requirements
  • Recognize constraints and limitations
  • Strive for user engagement and senior executive sponsorship
  • Information governance alliance among IT, records, legal, information security, privacy, public affairs, business owners
• Oversight
  • Performance measures and accountability
GAO’s (Adaptive) Use of Social Media Tools
• Information Dissemination
  • Twitter (RSS feeds)
  • YouTube
  • Podcasts
  • Facebook
  • Flickr
• Information Sharing
  • Wiki (internal)
• All records are managed according to GAO IM policies
An Effective IM Program
• An effective IM program allows GAO to:
  • Retrieve: Easily retrieve relevant information in a timely fashion
  • Access: Provide access to information to the right people when it is needed
  • Audit: Able to identify anomalies and ensure compliance with all applicable rules and regulations (FRA, FISMA, etc.)
  • Dispose: Ability to dispose of information in the normal course of business when it is no longer needed in accordance with GAO’s retention and disposition policy
GAO’s Disposition Strategy
• GAO’s records disposition schedule applies to records regardless of format or media.
• Disposition strategy is comprehensive for all records types (paper, electronic, data sets, and other “stuff”) so it is applied uniformly across all media and formats.
• Ensures that GAO complies with all requirements, mitigates risk and exposure, saves storage space, is cost-effective, and allows for easier search and retrieval of remaining records.
GAO Reports on Information Management and Social Media
• GAO-11-605: Social Media: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate
• GAO-10-838T: Information Management: The Challenges of Managing Electronic Records
• GAO-11-15: NARA: Oversight and Management Improvements Initiated, but More Action Needed
• GAO-08-536: Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information
• GAO-10-537T: Freedom of Information Act: Requirements and Implementation Continue to Evolve
Additional References
• OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications
• Best Practices Study of Social Media Records Policies, ACT/IAC Collaboration and Transformation (C&T) Shared Interest Group (SIG), March 2011 (www.actgov.org/SocialMediaRecords)
• NARA Bulletin 2011-02, Guidance on Managing Records in Web 2.0/Social Media Platforms, October 20, 2010
Questions?
Catherine Teti
Managing Director, Knowledge Services,
Chief Agency Privacy Officer
US Government Accountability Office (GAO)
tetic@gao.gov
202.512.9255
GAO on the Web
Web site: http://www.gao.gov/
Contact
Chuck Young, Managing Director, Public Affairs, youngc1@gao.gov
(202) 512-4800, U.S. Government Accountability Office
441 G Street NW, Room 7149, Washington, D.C. 20548
Copyright
This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.