James Dawson, CSSLP®, IGP®
Director Forensic Technology
KPMG LLP
Governance Risk: Privacy's Fit within the Data Lifecycle
(ISC)2 Educational Session 4337
Wednesday, September 14, 2016
3:30 PM-4:30 PM
Where does privacy fit within the Data Lifecycle?
This presentation will outline privacy within the entire data lifecycle, from creation to data destruction. The presentation will include details on compliant data privacy around the full universe of information governance needs, including the right to be forgotten. Attendees will learn practical and simple record data element controls to meet global privacy where there may be conflicts in recordkeeping retention requirements. The presenter will detail how to effectively manage privacy, confidentiality and conflicting retention requirements imposed upon large and unmanageable information volumes when certain data elements must be redacted to meet global privacy requirements. The presentation will incorporate specific industry knowledge and leading practices that have led to actionable recommendations for Fortune 100 organizations.
Learning Objectives
» Understand traditional "secure" data management addresses only 5 percent of corporate information.
» Understand WORM and what is data garbage that is redundant, obsolete or trivial (ROT).
» Where does privacy fit within the Data Lifecycle?
“Why is privacy important in the data lifecycle?”
“The Why”
Risk / Value
Other Useful Data or Files that may include PII
70% ROT: Redundant, Obsolete or Trivial Data
First differentiate between what is private (or contains PII) and what is Garbage
Data Governance programs do not address 90-95% of an organization’s data! There is no holistic view to information governance. In Global 1,000 companies at any given time:
• 1% is on legal hold
• 4% is subject to regulatory or Legal retention requirements
• 25% has business intelligence value
• Leaving 70% as ROT (Garbage)
The point: Do not get too far into your security program until you can find and eliminate garbage, then do the hard work.
[Diagram labels: All Structured, Unstructured Data Electronically Stored Information (ESI); Potentially Governable Information, Records and Business Intelligence; Secure Data and Records]
“Keep everything” strategy is bad business
eDiscovery cost: eDiscovery costs average $10 million per TB of reviewed documents.
IT storage and backup cost: Storage costs average about $5 million per PB of data stored.
Information overload: Users waste 30 minutes a day (16 days a year) searching for documents.
Privacy and security threats: Over 169 million personal records were exposed in 2015 (with an average cost per record of $154), stemming from 781 publicized breaches across the financial, business, education, government and healthcare sectors.
[Chart: Storage Requirements (TB) by Year, years 1 to 10]
[Chart: Data Security Cost with or without Destruction. Yearly Cost with or without Destruction, 2015 to 2020; series: With Destruction, No Destruction]
[Chart: The Digital Universe Paradox. Falling Costs, Rising Investment, 2010 to 2020; series: Cost per GB, Total Investment]
Source: IDC, The Digital Universe in 2020: Big Data, Bigger Digital Shadows, and Biggest Growth in the Far East (Dec. 2012)
What Causes Data Garbage?
Dispersed Content
• Undefined Records and non-records
• Inability to find definitive content
• Critical content dispersed across the enterprise
Isolated Application & Data silos
• No record code assignment
• Disconnected applications
• Inconsistent data quality
Standalone Processes
• Spaghetti processes
• Manual workarounds
• Rework of ROT
Broken Collaboration
• Tribal knowledge
• Inability to preserve institutional memory
• Lack of professional networks
Information governance helps our clients achieve tangible benefits
— Curtail information growth – by reducing redundant, obsolete and trivial data
— Improve efficiency – by improving accessibility, increasing responsiveness and reducing time to find business critical information
— Reduce costs – by reducing costs of storage and eDiscovery
— Reduce risks – by improving protection against inadvertent data deletion, breaches and by improving protection of privacy
Benefits: Manage information growth; Improve efficiency; Reduce costs; Reduce risks
Industry Problem, Need and Challenges
The Problem
Unsupervised administration of regulated records accompanied by unrestrained data growth resulting in the accumulation, retention, and mismanagement of vast quantities of physical and electronic data.
The Need
Address unrestrained data growth and retention of required regulatory and business records, in both paper and electronic formats, across different types of physical and electronic media, while increasing business value and decreasing associated costs and risks.
The Challenges
■ Lack of policies and procedures around the management of information throughout its life cycle (creation, storage, use, retention and disposition)
■ Inaccurate application of regulatory and legal mandates and record retention schedules that address records across functions
■ Lack of clear definition and enforcement of records and information governance policies or procedures
■ Difficulty responding and adhering to regulatory, legal and operational demands for immediate record productions
■ Defensible reduction of records
■ System and storage media limitations holding records and data
■ Inability to guard against privacy, confidentiality and intellectual property breaches in customer data
■ Inability to curtail Electronic Stored Information (ESI) data growth and costs
■ Difficulty finding and sharing business-critical content to improve decision making and preserve institutional memory
■ Increased technology costs and overall operational costs due to lack of standardization
The True Cost of WORM for Private Data (not just hardware costs)
» But this 1 TB costs ….
Storage Tier | TCO/TB/Year | WORM TCO/TB/Year
Primary/Tier 1 | $12,000 - $16,000 | $60,000 - $80,000
Mid-Tier | $6,000 - $8,000 | $30,000 - $40,000
Archive | $1,000 - $2,000 | $5,000 - $10,000
[Pie chart: segments of 60%, 15%, 8%, 7%, 7% and 3%; legible labels: Staffing; Downtime - user productivity; IT staff training; Server hardware]
Source: Awaiting Confirmation
“How does Privacy fit in the data lifecycle?”
“The How”
The Vision and Scope of Information Governance:
The Vision
Develop a consistent global information governance program that will empower your client’s business teams to manage (protect, retain and delete) information assets as required by law, regulation and business needs so that costs are reduced and risks are mitigated
The Scope
Goal: Protect Information
Goal: Retain Information
Goal: Delete Information
The Tactics
• Assign security, privacy, sensitivity, and retention classification to data
• Develop and publish global policies and schedules
• Retain data per its lifecycle
• Delete data at the end of its lifecycle
Means of Achievement: Operating Model; Governance; Technology; Security; Policy & Schedule; People and Change; Metrics and Controls
Privacy's Fit within the Data Lifecycle: Data Elements in Workday
[Process flow in three phases: 1. Employees Leaving; 2. Workday De-Identification and Purging; 3. Verify Purge. Step labels and text as recovered from the slide:]
Determine the PII Data Elements
Publish the purge report to the retention archive
Identify Workday data set by leaving Employee ID
Confirm that the Employee is not on Legal Hold
1A
Request Data Report for terminees
Template de-identification process be made available within the self-service purge tool
Design on-line Self Service Templates (2e)
Review report of purged PII
Request any re-purge of missed PII
Identify days to implement purge (i.e. 30 Days)
Workday Determines Data to Remain
Confirm Statistical Crew Data to remain
2b
Mark Remaining Data elements
Memorialize the Disposition Action (1B)
Workday Assess Crew Data Set(s) (2A)
Identify PII Data Elements
Tag to be purged Data elements
Respond to Workday with any exceptions
Workday Builds Historical Reference
Add remaining reference data to Smart Client overall Historical data set
2c
Catalog purge elements
Design WD24 Enhancements (2d)
Develop integration strategies for Self-service
Communicate the PII purge in a report to Management
Request Reporting (3A)
Archive the Workday Report (3b)
Inform Workday of any process changes
List and process steps needing adjustment
Prepare the support ticket to Workday to have PII data permanently purged
Submit the “de-identify personal information” request to Workday Support
These tasks are the responsibility of Workday Support
Define the Capabilities: What does your client need to Protect, Retain, and Delete Information on a global scale?
Means of Achievement:
Metrics and Controls: Specific metrics, controls and reporting requirements that are needed to justify spend or cost avoidance and foster protection, retention, and deletion compliance at all levels of the organization.
Policy and Schedule: The Global Policy and Master Retention Schedule memorialize the standards, principles, procedures, and expectations for managing information assets.
Operating Model: How the Information Governance capabilities, initiatives and services are to be delivered to manage information assets consistently.
Technology: The tools and infrastructure necessary to deliver Information Governance goals and capabilities.
People and Change: The personnel, communication, and training necessary to facilitate program adoption and continuous improvement enterprise-wide.
Governance: How Information Governance initiatives are developed and managed globally. Governance guides the Information Governance journey and removes organizational hurdles over time.
Key Components of Global Information Governance
Policy and Schedule: The Global Policy and Master Retention Schedule memorialize the standards, principles, procedures, and expectations for managing information assets.
Operating Model: How the Information Governance capabilities, initiatives and services are to be delivered to manage information assets consistently.
Technology: The tools and infrastructure necessary to securely deliver Information Governance goals and capabilities. Supporting systems to be archived on write-once, read-many media or “WORM”.
People and Change: The personnel, communication, and training necessary to facilitate program adoption and continuous improvement enterprise-wide.
Governance: How Information Governance initiatives are developed and managed globally. Governance guides the Information Governance journey and removes organizational hurdles over time.
Steps
Setup governance bodies
Governance will be key to reposition decision making with the business.
Recommended governance bodies include:
1. IG Executive Committee – Provides overall guidance for IG. Balances priorities across business units and acts as the approving body for major Information Governance expenditures. Re-orients strategy when needed.
2. Senior Advisory Group – Develops new Information Governance initiatives and directs resources to pipeline. Builds and maintains the initiative pipeline. Galvanizes support within the business lines and regional entities. Provides staff and support as necessary.
3. Working Group – Provides inputs and insights to set overall strategy & direction. Assesses new proposals for compliance to technology blueprints and standards. Notifies Senior Advisory Group when triggers such as request for funding appear.
4. IG Leader and Staff – Oversees and manages the performance of Information Governance program delivery and provides an ongoing health check of the entire delivery portfolio.
• Formalize and setup governance bodies including booking of meetings in calendars, setting agenda, etc.
• Establish decision making, exception, and escalation procedures within each governing layer.
• Produce standard templates for status updates.
• Catalog the specific problems the Information Governance group is seeking to solve (this list will drive the initiative pipeline)
Quick Wins:
Leverage an existing global governance model that already exists at your client.
• Option 1 – Join an existing global program and utilize the group’s pre-existing sponsorship, budget, and meeting structures; or
• Option 2- Use other global programs at your client as a reference model. Find out what works and what doesn’t.
[Org chart labels: Governance; Information Governance Executive Committee; Senior Advisory Group; Working Group; IG Leader and Staff; IT; Records Liaisons; Privacy; Security; Legal; Internal Audit; LOB Liaisons]
Body | Membership | Meeting Cadence
ILG Executive Committee | C-Suite executives within Corporate -- CFO, CIO, CHRO, General Counsel | Executive Committee meets with Advisory Board once or twice a year.
Senior Advisory Board | Business line leaders within Corporate | Advisory Board meets with Working Group once a month.
Working Group | Business line and functional experts within Corporate and Local Markets | Meets once every two weeks initially.
Next steps
Establish global policy
A global policy will be a first step to maturing the Information Governance program. The global policy should provide a clear definition of “Record” and “Non-Record” and address critical topics such as:
• The purpose of the policy
• The scope of the policy
• Relationship to other applicable policies
• Roles and responsibilities
• General guidelines applicable to all countries
• Retention and storage standards
• Protection standards
• Deletion and disposition standards
• Training requirements
• Definitions
• Compliance timeline
• Compliance monitoring, reporting, and enforcement standards
• The regular update of the policy
Establish global retention schedule
A single global Records Retention Schedule of approximately 300 to 350 record categories, which addresses every aspect of the record/non-records lifecycle:
• Retain
  • Clearly define a retention period that applies globally (or regionally) to records and non-records.
  • Identify the system on which the information is stored and enable automated retention.
• Protect
  • Assign security, privacy, sensitivity, and retention classification to each record/non-record category. Embed the classification definition in the policy and schedule so it is easy to follow.
  • Example: “1” = Non-sensitive (No PII). “2” = Sensitive (Credit Card Numbers, Passport Number). “3” = Highly Sensitive (SSN, Ethnicity, Medical Information).
• Delete
  • Clearly identify time and event based triggers for the retention period start and end.
  • Delete non-records and records per their retention lifecycle identified on the retention schedule that are not on Legal Hold.
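The Retain / Protect / Delete rules above, written out as a disposition check. This is an added example, not part of the original presentation; it shows time-based and event-based triggers, the Legal Hold override, and the 1/2/3 classification carried into a purge report. The category names, retention periods and sample items are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Classification codes from the slide's example.
NON_SENSITIVE, SENSITIVE, HIGHLY_SENSITIVE = 1, 2, 3


@dataclass(frozen=True)
class ScheduleEntry:
    category: str
    retention_years: int
    trigger: str         # "creation" = time based, "event" = event based
    classification: int  # 1, 2 or 3 as defined above


@dataclass(frozen=True)
class Item:
    item_id: str
    category: str
    created: date
    event_date: Optional[date] = None  # e.g. termination or contract close
    legal_hold: bool = False


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposition(item: Item, schedule: Dict[str, ScheduleEntry],
                today: date) -> Tuple[str, Optional[date]]:
    """Return (action, eligible_on) for one item.

    HOLD   - on Legal Hold; never deleted, whatever the schedule says
    REVIEW - category not in the schedule; fail closed (assumed policy)
    RETAIN - retention clock not started, or not yet expired
    DELETE - retention expired and no hold
    """
    if item.legal_hold:
        return "HOLD", None
    entry = schedule.get(item.category)
    if entry is None:
        return "REVIEW", None
    if entry.trigger == "event":
        if item.event_date is None:  # triggering event has not happened yet
            return "RETAIN", None
        start = item.event_date
    else:
        start = item.created
    eligible_on = add_years(start, entry.retention_years)
    return ("DELETE" if today >= eligible_on else "RETAIN"), eligible_on


def purge_report(items: List[Item], schedule: Dict[str, ScheduleEntry],
                 today: date) -> List[Tuple[str, str, int, date]]:
    """List items due for deletion, most sensitive classification first,
    so the disposition action can be reviewed and memorialized."""
    rows = []
    for item in items:
        action, eligible_on = disposition(item, schedule, today)
        if action == "DELETE":
            cls = schedule[item.category].classification
            rows.append((item.item_id, item.category, cls, eligible_on))
    return sorted(rows, key=lambda r: -r[2])


# Constructed sample schedule and items (not from the presentation).
SCHEDULE = {e.category: e for e in [
    ScheduleEntry("HR-PERSONNEL", 7, "event", HIGHLY_SENSITIVE),
    ScheduleEntry("FIN-INVOICE", 6, "creation", SENSITIVE),
    ScheduleEntry("NONREC-DRAFT", 1, "creation", NON_SENSITIVE),
]}
ITEMS = [
    Item("emp-001", "HR-PERSONNEL", date(2005, 3, 1), date(2008, 6, 30)),
    Item("emp-002", "HR-PERSONNEL", date(2005, 3, 1), date(2008, 6, 30),
         legal_hold=True),
    Item("emp-003", "HR-PERSONNEL", date(2010, 1, 4)),  # still employed
    Item("inv-100", "FIN-INVOICE", date(2012, 2, 29)),
    Item("misc-7", "UNMAPPED", date(2001, 1, 1)),
    Item("draft-9", "NONREC-DRAFT", date(2014, 1, 10)),
]
TODAY = date(2016, 9, 14)

if __name__ == "__main__":
    for it in ITEMS:
        print(it.item_id, disposition(it, SCHEDULE, TODAY))
    print(purge_report(ITEMS, SCHEDULE, TODAY))
```

The hold check runs before the schedule lookup on purpose: an item on Legal Hold must not become deletable because its category is later remapped or its retention period shortened.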
• Develop a global retention and disposition policy that spans record and non-record lifecycles.
• Develop the global retention schedule.
• Secure corporate level approval of the policy and schedule.
• Conduct global policy and schedule acceptance meetings.
• Solidify global policy and schedule acceptance and assign accountability to regional points of contact.
• Publish the policy and schedule.
Quick Wins:
• Adapt and adopt an updated records management policy for global use.
• Re-appropriate the record inventory created during the GERRP initiative where possible and reconcile it with the US and German Record Retention Schedules to create a foundational Global RRS.
Policy and Retention Schedule
Next steps
Centralized Model - Corporate Information Governance guides, implements and maintains all aspects of information management.
The centralized Information Governance function based in Germany owns the requirements, outcomes, and implementation of the Information Governance strategy. Corporate Information Governance will issue policy directives and rationalize business requirements across all global business units. Corporate Information Governance will implement the strategy and maintain ongoing ownership of all Information Management systems and ongoing Information Management tasks.
Hybrid Model - Corporate Information Governance guides the information management strategy; other Corporate Functions and Country level functions operationalize the strategy.
Corporate Information Governance will remain focused on strategy and results. Corporate Information Governance will issue policy directives, while country level Information Governance functions operationalize the directives. The Corporate Information Governance function rationalizes requirements and consults with Country level Information Governance functions in implementing them.
• Adopt a hybrid model leveraging US Information Governance team and build out appropriately-sized operational models for other countries.
• Establish clear lines of communication and governance processes between corporate and country teams.
• Develop processes for standards exceptions and escalation to handle conflicting corporate and country priorities.
Quick Wins:
• Leverage current US Information Governance team structure as a template for building out the global hybrid operating model.
Operating Model
Centralized Model
Pros
• Local countries achieve cost savings as Corporate’s involvement grows (economies of scale).
• Functional requirements are rationalized across regions.
• IG corporate makes technology selection decisions and establishes uniform environment across systems.
Cons
• Centralized approach can produce a great deal of cultural pushback.
• Centralized approach has high staffing requirements within the corporate Information Governance function.
Hybrid Model
Pros
• Country level Information Governance function enjoys some autonomy.
• Corporate Information Governance function can pivot efforts towards less mature markets as needed.
• Easily scalable to “pure” Centralized model if desired.
• Utilizes labor within other regional entities (Labor arbitrage).
Cons
• Divergent and redundant technology environments could proliferate.
• The hybrid model, as currently envisioned, can only push out standards. The team will not be responsible for implementing policy, strategy, or technology.
Next steps
Capabilities
Information governance across the following nine key capabilities should be included in the scope of the program:
1. File Shares – Leverage file shares for non-record storage only. Do not allow record storage on file shares. Enforce via global policy and perform quarterly audits.
2. Email Management – Develop Email records and archiving requirements. Develop reference architecture to manage emails and records content.
3. Content Management and Archive – Establish requirements and reference architectures for storing electronic documents and records. Systems archived on write-once, read-many media or “WORM”.
4. Physical Records – Develop technology architecture to manage physical records.
5. Mobile and Social Content – Develop policies and architectures to manage mobile and social media (yammer, wikis, and networking sites).
6. Defensible Deletion – Establish requirements and build out reference architecture for defensible deletion.
It is critical for your client to understand the effect of IG on Security. We recommend your client:
• Establish information lifecycle requirements and policies that easily scale to the new capabilities.
• Establish how records/non-records will be declared, secured, retained, discovered and deleted within each system.
Additionally we recommend that your client:
• Incrementally develop requirements and reference architectures for key capabilities such as content management, auto-classification, and defensible deletion.
[Diagram labels: File Shares; Management; Content Management; Mobile and Social; Cloud / Collaboration; Physical Records; Internet & Web Content Management; Desktop; Auto-classification; Defensible Deletion; Policy and Schedule]
Technology
Next Steps
Sell Up
Sell Information Governance to your client Leadership
Senior buy-in is critical. Change management starts with the executives. Educate them on the problem, explain the solution, and unravel the costs. Highlight the positive impact of IG.
Justify the investment in Information Governance in terms of Risk, Utility, and Value and seek approval to move the program forward.
Risk: A properly executed Information Governance program proactively mitigates breach and disclosure impact.
Sell Across
Identify allies and generate support. Identify key personnel within your client’s business lines and local markets.
Explain their role within Information Governance and enable contribution.
Explain how each stakeholder can contribute to Information Governance within the context of their own function at your client (Cite specific tasks and business processes directly relevant to their day-to-day work and demonstrate “what is in it for them”).
Highlight the Positive Impact of IG.
• New Drug Development: “IG is here to take the pain out of information management, so your client’s scientists can focus more on drug development and less on compliance issues.”
Sell Down
Sell Information Governance to your client employee community
In reality, Information Governance is one large change management project.
Establish commitment from the employee community early on. Generate buzz and ask for feedback through a “Roadshow” campaign. Make the employee community feel a sense of ownership in the program’s development.
Conduct town halls, interviews and surveys within all levels of the organization.
Develop community commitment
As new initiatives are complete, continuously track progress and reward high performing individuals, departments or business units.
• Clearly define roles and responsibilities of embedded Information Governance Change Leaders and Champions within the business units/functions.
• Create a stakeholder tracking catalog to identify key stakeholders and determine targeted strategies to ensure their highest level of engagement.
• Assign accountability for Information Governance functions to appointed resources.
• Develop specialized training for record coordinators.
• Develop high-level training standards for each Information Governance initiative.
• Mandate each region to create training material as new initiatives are rolled out.
People and Change
Next Steps
Establish Baseline
• Assess where you are to establish benchmarks:
  • Data volume
  • Millions in Cost Savings
  • IT costs
  • eDiscovery costs
  • Risk control and mitigation process costs across legal, records, privacy, business and IT
• Define the specific cost and risk reduction quarterly and/or yearly objectives and fiscal milestones for achievement per Information Governance initiative.
• Establish audit, compliance and testing metrics such as inventory counts, growth rates, classification rates, training rates, disposition of inactive records reductions.
Measure Progress
• Mandate global adoption of baseline testing methodology, requiring all regions to submit metrics on a quarterly basis.
• Conduct analysis of policy adherence on a quarterly basis, measuring Information Governance program success over time.
• Leverage findings to assist the Advisory Board in prioritizing the initiative pipeline over time and report to leadership during oversight committee meetings.
• Continuously track and maintain an estimate of cost reduction and cost avoidance.
• Establish program benchmarks.
• Embed reporting mechanisms throughout the Information Governance processes.
• Perform yearly Information Governance program audit.
Metrics and Controls
Data Governance Recommendations
» Take out the garbage (destroy the ROT data)
• Get rid of ROT before you begin the heavy lifting of protecting your critical data assets
» Make Information Governance a continuous process.
• To realize true long-term benefits from the IG, adoption should not be viewed as another technology implementation project, but rather a transformative journey spanning from strategy through execution.
» Drive Information Governance Adoption from the top.
• Decentralized operation will hamper successful operationalization of IG. Organizations should manage Information Governance centrally, with a senior-level team that oversees the transformation process and guides strategic decisions to the larger employee community. Leaders at the highest level of your client should visibly promote and support the Information Governance program.
» Focus on strong leadership and engagement.
• Cultural alignment through all levels of the organization is essential to managing the change associated with Information Governance program adoption. Executive management should work to establish an aligned corporate culture at the outset, focusing first on getting the buy-in and support of cross-functional business leaders.
» Avoid silos.
• Information Governance succeeds when organizations are able to easily embed information management practices (protection, retention, and deletion) into every aspect of the business. Silos hamper global adoption, but collaboration powers it. Legal, Business, IT, and Records Management should work side by side on all IG-sponsored initiatives.
» Measure success.
• Your client must develop realistic and measurable outcomes for its Information Governance program. These measured outcomes must tie back to key business objectives and clearly indicate success or failure.
• A value-added, metrics-driven approach to Information Governance enables the organization to stay focused on achieving strategic goals and understand when milestones have passed.
» Continue to take out the garbage.
• Cleaning up unnecessary data is not a one-time thing. Think of it as a corporation brushing its teeth each morning. Data Governance must be a continuous regular event in the success of the organization.
Reasons, Costs and Risk
Paper-Based Transaction Costs | Paper transactions are 24 times more expensive to process than electronic (AIIM) | Cost Unit
Finding Documents | 30% of all employees’ time is spent looking for documents (Boston’s Delphi) | Cost Unit
Compliance Failure | $2.75 million sanction: Failure to comply with “print and retain” policy for email. Plus, exclusion of testimony (U.S. v. Philip Morris (2005)) | Future Risk
Destruction Policy | $20 million verdict in punitive damages: Judge instructs jury that they can presume the email destroyed was damaging (Zubulake VI v. UBS (2005)) | Future Risk
Policy & Delegation of Authority | $15 million SEC sanction and judicial adverse inference: Deliberate failure to produce all emails and attachments (Coleman Holdings v. Morgan Stanley (2005)) | Future Risk
Average Processing Cost | Average processing cost (for eDiscovery) is $1,800 per GB and overall GB cost for compliance or legal recordkeeping is $10,000 per GB (Forrester) | Cost Unit
Review Costs | $25 million to fully review 100,000 tapes to determine relevance to discovery or compliance requests (EMC) | Cost Unit
Inspection Costs | $250-$325 per hour for outside counsel to review documents and determine relevance to case (EMC) | Cost Unit
(Sources are given in parentheses.)
What can be saved by managing privacy?
GB of unnecessary Data Reduced each year after plan is implemented: 500 GB
Cost to maintain ROT per GB: $1,000 (Cost per GB per year of Data in global enterprise)
Cost to maintain unnecessary Records per GB: Mostly obsolete: $10,000 (Cost per GB per year of Record or Discovery Data in global enterprise)
Of the data collected to be deleted, Percent of Data that is ROT: 95% (30/70 percent split Records to ROT respectively)
Yearly savings: $725,000 per year
Savings after 5 years: $3,625,000 over 5 years
Number of Regulatory Exams per year (global regulators): 16 (4 exams in 4 global regions)
Number of Global Active Matters: 50 (Matter workload annually)
GB of Data per Matter not collected due to project: 30 GB (data not collected or entered into matter workflow)
Cost to maintain unnecessary Records per GB: $10,000 (Cost per GB of Record or Discovery Data in global enterprise)
Number of Leavers per Country (Employees per year): 4 (Employees per country)
Number of customer Leavers per country: 1,000 (Customers leaving per country)
Number of Secondary or Support Systems that should be on WORM: 4 Systems
Estimated Cost Avoidance (avoiding Fines or Penalties): $3,600,000 (Based on Recent SEC Fines for failure to use WORM storage)
Yearly savings for maintaining an IMHO: $4,500,000 (First year)
Savings after 5 years for successful and continuous IMHO: $22,500,000 over 5 years
Savings Opportunities: Over-Retention
[Chart: U.S. Legal Entity – Equities Orders Disposition Cost Avoidance Opportunity, 2012 to 2017, $0 to $4,000,000; series: +6 Disposed, +3 Disposed]
Situation
- Cost optimization is a strategic enterprise initiative
- Retention policies are maintained but structured data has not been classified
- Legal holds are not directly tied to systems or records
- Data is growing at a rate of 57% a year
- Lack of desire to make sizable capital investment in “solve world peace” software solutions
Cost Avoidance Opportunity
■ Savings at the individual application or database level may not be very compelling, but when aggregated across tens, hundreds or thousands of applications or databases, the opportunity is significant
■ Peer project case study – Tactical and simplistic approach to optimizing technology storage spend and generating sustainable cost avoidance
– 7% storage cost avoidance identified on production databases using conservative +6 disposition due to 17a3/17a4. Effective archiving strategy would have allowed for 17% savings (Regulation limit for trade confirms and tickets is 3 years)
– Does not include savings associated with eDiscovery, legal costs and settlements, regulatory compliance, IT administration, loss of productivity/performance and allocations (such as software, real estate, power, etc.)
Savings Opportunities - Details
» Savings at the individual application or database level may not be compelling, but when aggregated across tens, hundreds or, thousands of applications or databases, the opportunity is significant.
Columns: Cost Driver; Characteristic; Common Responses; Savings Opportunity; Benefits
Cost Driver: Redundancy
Characteristic | Common Response
Copies of reference data across disparate environments | Application rationalization
Copies of transactional data | Data rationalization
Data mart sprawl | Data strategy
Unrestricted end-user entitlements | Enterprise maintained access methods
Savings Opportunity: $500-$1000 per app server; $5,000-$10,000+ per database
Benefits:
■ Improved process and reporting accuracy
■ Improved data quality
■ Centralization of support resources
■ Rationalization of tools
■ Simplified data ecosystem
Cost Driver: Over Retention
Characteristic | Common Response
Unenforced retention limits | Disposition framework, contract and process
Slow or nonexistent release of legal holds | Legal hold workflow process
Over engineered backup and recovery (BAR) keeping copies of data for all production systems | BAR Strategy
Savings Opportunity: Up to 30-50% of storage costs
Benefits:
■ Reduced eDiscovery costs
■ Reduced external legal expenses
■ Reduced legal exposure
■ Reduced BAR costs
■ Reduced risk of inadvertent disclosure
Definition of Data as a Record
“Records – documents or information, in any format, created, transmitted or received in the course of your client business, and included in the Records Retention Schedule because they must be kept for legal, accounting, tax or other regulatory or compliance requirements, or an approved business need.”
Everything else is GARBAGE!
The Design Strategy
[Decision diagram: RRS mapping to source system, for unstructured and structured electronic data]
Record Format
• Structured: Option # 1 (System or Archive Report Out); Option # 2 (Systems of Record); Option # 3 (Online)
• Unstructured: Option # 1 RM enabled (Use native RM functions); Option # 2 RM not enabled (Use manual process or migrate or move records to a RM enabled system)
Application of Retention
• Apply to report
• Apply to system
• Apply to data
Dispose
The information contained in this presentation is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
Restriction on Disclosure and Use of Data – This document contains confidential or proprietary information, the disclosure of which would provide a competitive advantage to others; therefore, the viewer or recipient shall not disclose, use, or duplicate this document, in whole or in part, for any purpose.