The Information Governance Guide for Compliance Professionals

Post on 20-Aug-2020


Page 1: static2.ftitechnology.comstatic2.ftitechnology.com/docs/toolkits/IG-for... · Dear Colleague, My name is Jake Frazier and I lead the Information Governance practice for FTI Consulting

The Information Governance Guide for Compliance Professionals

Page 2

Table of Contents

3 INTRODUCTION: Introduction. From Jake Frazier, Senior Managing Director, FTI Technology

4 INFOGRAPHIC: The State of Information Governance for Corporations. An infographic using data from the Advice from Counsel 2016 study

5 WHITE PAPER: CGOC Information Economics Process Assessment Kit. Written by Deidre Paknad, CGOC Founder, and Rani Hublou, CGOC Faculty

25 WHITE PAPER: Advice from Counsel: The State of Information Governance in Corporations. How do you define information governance (“IG”)?

41 WHITE PAPER: Identifying & Protecting the Corporate Crown Jewels. By Jake Frazier, Senior Managing Director, FTI Technology

53 BROCHURE: Reducing Cost and Risk with Information Governance & Compliance Services. FTI’s information governance services produce practical and tangible benefits, including reducing the risks and costs associated with corporate data.

61 ARTICLE: Preparing For the Breach: A Look Into Essential Cyber IG Practices. By Ricci Dipshan, Law.com

64 WEBCAST RECORDING: Advice from Counsel: Finding “Quick Wins” in Information Governance. Speakers included Jordan Williams, Senior Counsel, Litigation Group at NiSource, Inc.; Ari Kaplan of Ari Kaplan Advisors; and Jake Frazier, Senior Managing Director at FTI Technology

Page 3

Dear Colleague,

My name is Jake Frazier and I lead the Information Governance practice for FTI Consulting. I’m writing to share with you the valuable resource included with this letter, The Information Governance for Compliance Teams Toolkit.

Information Governance (“IG”) is demanding increased attention from the Compliance team. FTI recently conducted a survey wherein 73% of F1000 general counsel identified Compliance as being involved with IG and 23% said the compliance team leads IG efforts for their organization. Whether driven by regulatory requirements, data security concerns or internal investigations, you need ways to understand your organization’s data and minimize the risk associated with maintaining it.

If you want to find out more about practical, actionable IG, take a look through this toolkit. The survey I mention above starts on page 24; there is an IG self-assessment you can take on page 3, and many more resources for getting in front of your Information Governance challenges today.

Finally, if you have any questions or concerns about IG in your organization, feel free to reach out. I’d be happy to discuss them with you at any time.

All the best,

Jake Frazier
Senior Managing Director
FTI Technology
[email protected]
www.ftitechnology.com

First City Tower | 1001 Fannin, Suite 3950 | Houston, TX 77002
T: +1 800 349 9990 | F: +1 713 353 5459 | ftitechnology.com

Page 4

THE STATE OF INFORMATION GOVERNANCE FOR CORPORATIONS (infographic)

Corporate IG Initiatives: Survey respondents identified common roadblocks in developing and implementing an information governance program.

Top IG Challenges (top roadblocks when developing and implementing an Information Governance program):

Human Behavior/New Tech: 26% (tie for 1st and 2nd place)
Where to Begin?: 26% (tie for 1st and 2nd place)
Legacy Data: 21% (3rd place)
Resources: 17%
Regulations: 8%
Cyber Security: 2%

Top 3 Initiatives:

Human Behavior/New Technology: Employees are working and collaborating in new ways.
Finding Where to Begin: The initial challenge often is deciding where to begin.
Legacy Data: Technology, both old and new, is a major roadblock.

Respondent quotes:

“The scope of the project is a challenge. If it is too huge, it can almost fall under the weight of itself.”

“Deciding what you are trying to address.”

“How to do it... It is hard to imagine all of the things we are supposed to imagine when we try to develop this.”

Yes/no questions (the two results shown in the infographic are 24% yes / 76% no and 44% yes / 56% no):

Are you able to leverage e-discovery software for information governance?
Do you have staff in-house dedicated solely to information governance?

Which departments are leading your information governance? Legal, Compliance, IT, Records, Information Security (ranked 1 to 5 in the infographic).

Corporations Secure Data in 4 Ways:

PII-centric: Securing Personally Identifiable Information
IP-centric: Securing sensitive Intellectual Property
Data breach-centric: Protecting against security breaches
Partner-centric: Creating secure systems for access by approved 3rd parties

Source: FTI Technology’s Advice from Counsel study, published April 2016. Survey of 25 in-house lawyers from Fortune 1000 corporations with e-discovery and information governance responsibilities.

Learn more at: www.ftitechnology.com

Page 5

Information Economics Process Assessment Kit


Page 6

2 Information Economics Process Assessment Kit

Written by Deidre Paknad, CGOC Founder, and Rani Hublou, CGOC Faculty

© Copyright CGOC Forum LLC, 2013. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth, savings or other results. Do not copy, cite, or distribute without permission of the CGOC. For inquiries please contact us at [email protected] or go to www.cgoc.com for more information.

042313V2

About CGOC

CGOC (Compliance, Governance and Oversight Council) is a forum of over 2200 legal, IT, records and information management professionals from corporations and government agencies. CGOC publishes reference guides and articles and conducts primary research; its Benchmark Reports have been cited in numerous legal opinions and briefs and its ILG Leaders Guide widely referenced and adopted by organizations. CGOC members convene in small working groups, regional meetings and its annual strategy summit to discuss information governance and economics, eDiscovery, data disposal, retention, and privacy. CGOC has been advancing governance practices and driving thought leadership since 2004. For more information go to www.cgoc.com.

“Companies should securely dispose of or de-identify personal data once they no longer need it, unless they are under a legal obligation to do otherwise.”

— The White House, Consumer Privacy Bill of Rights, Feb. 23, 2012

Page 7


Improving Information Economics and Defensible Disposal of Unnecessary Data

Improving information economics is an imperative for most organizations. As information volume rises rapidly, business users face greater challenges to extract value, IT costs for basic infrastructure rise beyond budgets, and legal risks and cost increase as well. To make way for new and more useful information, ensure businesses get value from data, control IT and legal costs, and lower risk and exposure, companies should dispose of unnecessary data debris.

As information ages, its value declines with time. Unfortunately, the cost to manage it is relatively constant, and e-discovery costs and risks rise with time. When information is no longer needed, information “supply” exceeds information “demand”. This creates a widening gap between the value the information provides an organization and its cost and risk. Closing these gaps is important to legal, IT, security, privacy and business stakeholders. When processes and stakeholders are siloed and operate without a high degree of interlock and transparency, it is very difficult to tie the actual need for information (demand) to information assets (supply).

Figure: information value versus time. Value declines as information moves from Business Need to Regulator Need (Tax) to No Need, while cost stays roughly flat and risk rises; the areas between the curves are the Risk-to-Value Gap and the Cost-to-Value Gap. (Axes: Quantity vs. Time; curves: Value, Cost, Risk.)

BUSINESS: Information volume doubles every 18-24 months in most organizations; 90% of the world’s information was created in the last 2 years. [1]

LEGAL: It costs $18,000 to do e-discovery on 1 gigabyte. [2] E-discovery consumes as much as half of the litigation budget.

IT: $4M to store 1PB, and application cost materially adds to run rate; data storage consumes a growing share of budget; sunsetting is too slow.

[1] Big data: The next frontier for innovation, competition, and productivity. McKinsey & Company, 2011 study.
[2] Gartner e-discovery report.

Page 8


To improve information economics and enable defensible disposal of data debris, organizations need to understand and optimize eighteen processes that determine information value, cost and risk. An organization’s process capabilities and maturity determine its ability to understand and extract information value, align cost to value over time, minimize information and legal risk and lower total IT and legal costs.

This CGOC practitioners’ tool helps organizations understand and assess their process capabilities and current process risks; tools like the ILG Leaders Guide provide a roadmap to optimizing processes to improve information economics.

Figure: information value over time (axes: Quantity vs. Time; curve: Info Value) with three inflection points marked: the Analytics Inflection Point (Realize Value as Context Erodes), the Archiving & Tiering Inflection Point (Align Cost as Value Declines) and the Disposal Inflection Point (Eliminate Cost When No Value).

Outcomes for Business, Legal and IT:

Minimize “run the shop” costs to increase investment in “grow the firm” activities
Cut total costs even as total volume rises
Leverage information for better decisions
Don’t waste budget on unnecessary IT or legal services
Meet e-discovery obligations cost effectively and efficiently for the enterprise
Manage conflicting privacy and regulatory duties

Three critical inflection points in the information lifecycle drive value, cost and risk:

1. Analytics to maximize value as context erodes
2. Archiving and tiering to ensure cost declines as value declines
3. Disposal to ensure that when need is gone, there is no remaining cost

Information lifecycle governance improves information economics for legal, business & IT.

Page 9


Process Capability and Maturity

A clear understanding of process maturity levels and your organization’s current process capabilities and practices will help frame the work effort and change management required to improve information economics and achieve defensible disposal. The eighteen information economics processes incorporate the way an organization defines demand (what information is needed, why and for how long) and how it manages supply (what is provisioned, managed, decommissioned, and disposed).

At the highest level of maturity and capability, there is a closed loop between supply and demand, information cost is aligned with its value over time, and risk is limited or removed. More precise and rigorous legal holds and retention as well as consistent, defensible disposal is designed into processes at maturity level 4.

Level 1 is an ad hoc, manual and unstructured process performed differently by each practitioner; only the individual practitioner has access to the process facts or results. These processes are highly unreliable and difficult to audit.

Level 2 is a manual process with some consistency in how it is performed across practitioners within a particular function or department; only the department has access to the process facts and results, and often these are embedded in multiple spreadsheets and seldom accessed. These processes can be more reliable, but still very difficult to audit.

Level 3 is a semi-automated process performed consistently within a department, with process facts and results readily accessible to departmental stakeholders. Stakeholders beyond the department who participate in or are dependent upon the process are not integrated. These intradepartmental processes are more consistent and can readily be audited; however, audit results may reflect their lack of interdepartmental collaboration.

Level 4 is an automated and cross-functional process that is performed consistently with inclusion of dependent stakeholders across multiple departments. Process facts and results are readily available across organizations. These processes have the lowest risk, highest reliability and are readily and successfully audited.

Page 10


Process assessment: LEGAL processes

For each process, the table gives a brief description, the risk or immaturity consequences, and what the process looks like at each maturity level: Level 1 (Ad Hoc, Manual, Unstructured), Level 2 (Manual, Structured), Level 3 (Semi-Automated Within Silo) and Level 4 (Automated and Fully Integrated Across Functions). Record your own level for each process.

Process A: Employees on Legal Holds
Brief description: Determining employees with information potentially relevant to an actual or anticipated lawsuit or government investigation.
Process risk or immaturity consequences: Custodians are not identified, and potentially relevant information is inadvertently modified or deleted.
Level 1: Multiple custodian spreadsheets managed by the individual paralegal or attorney.
Level 2: Custodian lists are kept in Word or Excel in a shared location or in a shared mailbox. Questionnaire mailed to custodians; responses compiled manually for collection/counsel follow-up.
Level 3: Systematic scope and selection by organization, using people from current and historical organization data. Systematically track all custodians in all holds, including multiple holds per custodian. Scope terminated/transferred employees involved. Interviews are systematically done, responses compiled, and responses automatically flagged and escalated as appropriate.
Level 4: Level 3 capabilities, plus: real-time update of custodian roles, transitions and responsibilities; automatic employee transition alerts by attorney and matter; copy or cross-reference custodian lists across similar matters. Scope is revisited and refined at least quarterly to release or include custodians. Individual responses to interview questions are propagated to hold scope, and interview results are shared with outside counsel to interview by exception.
Your level: ____

Process B: Data on Legal Hold
Brief description: Determining information, records and data sources that are potentially relevant to an actual or anticipated lawsuit or government investigation.
Process risk or immaturity consequences: Actual, rogue or IT-managed data sources are missed in hold execution; potentially relevant information is inadvertently modified or deleted.
Level 1: Limited collection from data sources, custodian-based rather than information-based; spreadsheet tracking/lists.
Level 2: Identify data sources by organization; understand backup procedures. Questionnaire mailed to custodians; responses compiled manually for collection/counsel follow-up.
Level 3: Legacy tapes and data sources are linked to organizations and to open holds/collections.
Level 4: Automatically scope people, systems, production and backup data, information and records in holds; scope terminated employee data and legacy data/tapes where applicable. Scope is revisited and refined at least quarterly to release or include data. Can scope directly and reliably from a data source catalog shared with business liaisons, IT, Info Sec and other data quality stakeholders. IT interviews are done both periodically and in matter context, and responses are aggregated for individual matters and across the legal team.
Your level: ____

Process C: Hold Publication
Brief description: Communicating, syndicating and executing legal holds to people, systems and data sources for execution and compliance.
Process risk or immaturity consequences: IT or employees migrate, retire or modify data because they lacked hold visibility.
Level 1: Manual notices and confirmations, no escalations. The description of the information hold requires interpretation and manual effort to comply.
Level 2: Centralized reply email box for confirmations; process well communicated; all holds on the intranet.
Level 3: Systematically send notices and reminders, require and track confirmations, manage exceptions; employees can look up their holds at any time. Communications tailored to recipient role (IT, RIM, employee).
Level 4: Level 3 capabilities, plus: publish to system, propagate hold, automate hold enforcement. IT staff have continuous visibility of current discovery duties and holds during routine data management activities; records are automatically flagged in the appropriate systems. Holds are released in a timely manner, and release syndication is done with the same rigor as hold syndication.
Your level: ____

Process D: Evidence Collection
Brief description: Fact finding and inquiry with employees with knowledge of a matter in dispute to determine potentially relevant information and its whereabouts and sources. Collecting potential evidence in response to an agreed-upon request with an adversary or government agency.
Process risk or immaturity consequences: Dynamic, diverse information facts are not considered in preservation and collection planning, so data is overlooked; no follow-through on information identified in custodian interviews. Collection failure from an overlooked source, a departing employee, an incomplete prior collection inventory, or communication and tracking errors.
Level 1: Duplicate spreadsheets of custodians and information in IT and Legal; multiple copies of collected data.
Level 2: Centralized, version-controlled spreadsheets of custodians and information; evidence server organized by matter folder but no inventory by custodian and data.
Level 3: System log of collection requests by matter, issuer and collector. Collection logging is done by discovery staff in a shared system. An inventory of evidence is well managed and not overlooked in scoping other matters. Interview results and insights are used to inform the collection activity.
Level 4: Level 3 capabilities, plus: interview results are automatically incorporated into custodian- or data-source-specific collection instructions without rekeying. IT or collection staff can efficiently and automatically collect by custodian and content without re-logging the request or recollecting the same data. Collection data and chain of custody are automatically logged. IT and Legal share complete transparency on collections: Legal can monitor progress and process, while IT can work efficiently by custodian or data source. From their browsers, legal staff can collect directly from custodians and systems with precision. Evidence is not duplicated in multiple locations and is disposed of in a timely manner.
Your level: ____

Process E: Evidence Analysis & Cost Controls
Brief description: Assessing information to understand the dispute and potential information sources, and determining, controlling and communicating the costs of outside review of relevant information.
Process risk or immaturity consequences: Material issues in dispute are poorly understood until after strategy is established and expenses incurred. Excessive data causes litigation costs to exceed dispute value.
Level 1: Over-collect from custodians; over-scope custodians. No culling of clearly irrelevant information before sending to vendor or outside counsel. Costs are not assessed prior to collection and review; no cost baseline available.
Level 2: High quantity of data for review. Some basic processes for culling irrelevant information by basic means such as date ranges, used in some cases. Costs estimated on the “big matters” in spreadsheets or by outside counsel.
Level 3: Quantity of data reviewed is limited to tightly scoped custodians, leveraging prior scoping histories. Consistent and enforced culling performed by preferred vendors using objective criteria such as keywords, date ranges, file types, domain names and data sources. Discovery cost forecasts are available as the hold is scoped; costs are calculated continuously.
Level 4: Level 3 capabilities, plus: consistently limit scope of collection and review; early case assessment performed before collection for earliest/optimized matter resolution; advanced culling techniques employed, leveraging visual analytics; defined and repeatable process for providing outside counsel early case assessment before processing; cost managed at portfolio level.
Your level: ____

Process F: Legal Record
Brief description: Documenting the custodians and data sources identified and the legal hold and collection activities over a multi-year matter lifecycle.
Process risk or immaturity consequences: Unable to readily assemble, understand or defend the preservation and discovery record. Failures in custodian and data source management. Preservation and collection failures detected long after occurrence cause unnecessary remediation cost and risk.
Level 1: Each attorney tracks their own matters and status.
Level 2: Formal but manual reporting of open holds; no summary reporting on interviews, collections or responses.
Level 3: Automated reminders and escalations, online audit trail, management reporting on discovery status, visibility within the legal department across custodians, collected inventory and matters.
Level 4: Level 3 capabilities, plus: appropriate visibility across IT, Legal and Business; self-service dashboards for legal obligations, tasks, and risk and cost reduction opportunities.
Your level: ____


Page 12


Process Brief Description Process Risk or Immaturity Consequences

Level 1: Ad Hoc, Manual, Unstructured Level 2: Manual, Structured Level 3: Semi-Automated

Within SiloLevel 4: Automated and Fully Integrated Across Functions

YourLevel

Process G: Master Retention Schedule & Taxonomy

Brief Description: Defining an information classification schema that reflects the organization structure; cataloging, updating and mapping the laws that apply to each class in the countries in which the organization operates to determine regulatory record keeping obligations; establishing and managing a network of records liaisons to help establish what records may exist where. Potential separate process for Records Management: managing physical and electronic records, including their identification, retention and timely disposition.

Risk or Immaturity Consequences: The company is unable to comply, or demonstrate compliance, with its regulatory record keeping obligations. Disparate nomenclatures for records make retention schedules and procedures difficult to apply and audit.

Level 1 (Ad Hoc, Manual, Unstructured): Retention periods are defined only for physical records. Record keeping requirements are determined by aggregating similar laws and taking the longest retention period.

Level 2 (Manual, Structured): Retention schedule updated to reflect physical and electronic records. Country schedules share a common taxonomy.

Level 3 (Semi-Automated Within Silo): Retention periods are established for regulated information and for information important from a policy perspective. The specific laws that dictate retention periods are known and clearly mapped to each record class, so law changes can be easily traced and decisions readily defended on the law. Electronic and physical records are sequestered and are both retained and disposed of against the schedule.

Level 4 (Automated and Fully Integrated Across Functions): Retention schedules reflect regulatory, policy and business value and encompass all information, enabling them to be executed on records repositories, application and archived data, and physical records; legal holds can be applied by record class and suspend automated disposal. A shared library of country protocols for ediscovery, privacy and retention forms a comprehensive view. Schedules align with, and are systematically used to dispose of, production and back up data, whether structured, unstructured, electronic, physical, record or business information. Includes Level 3 capabilities.

Process H: Departmental Information Practices

Brief Description: Using an enterprise information taxonomy, cataloging which information each business organization values, generates or stores by class, where they store it and how long it has utility to them; results in retention schedules for information and enables data source-specific retention schedules that reflect both business value and regulatory requirements.

Risk or Immaturity Consequences: IT “saves everything”, which increases discoverable mass, complexity and legal risk; or IT disposes of information of business value, undermining enterprise operation. Procedures for retention and disposal are difficult to articulate and defend and are not applied by the lines of business.

Level 1 (Ad Hoc, Manual, Unstructured): Departmental information management needs and habits for electronic and physical information are not visible to records management, IT or legal stakeholders (who have no knowledge of actual procedures, information, location, use or value).

Level 2 (Manual, Structured): Inventories of departmental information management practices and source information are used to develop retention schedules and coordinate physical records (via a network of records coordinators focused on physical records management).

Level 3 (Semi-Automated Within Silo): Departmental liaisons work with their line of business to identify information of value, its duration of value and where it is managed; this informs more comprehensive retention schedules for all information (regulated, unregulated, electronic, physical). The business is able to request changes to the master schedule and to department and country schedules at the rate of business change.

Level 4 (Automated and Fully Integrated Across Functions): Retention schedules are automatically executed across the information environment. Cost and benefit are weighed in determining retention periods, and the enterprise impact is considered. Schedule changes are syndicated to IT and directly to systems for execution of both retention and disposition. When business objectives or laws change, schedules are updated and stakeholders notified. Legal and IT have transparency into what information each line of business has, where and for how long, to inform ediscovery and data management. Includes Level 3 capabilities.

Process I: Realize Information Value

Brief Description: Gaining timely access to information and the ability to apply it in the course of work, including the ability to harness information of quality as it ages and the ability to use relevant information with or without author context, to maximize the enterprise value of information.

Risk or Immaturity Consequences: Important business decisions are made on missing or poor quality information, resulting in poor decisions. Information is not used shortly after its creation because the business has forgotten the source or location of the information or cannot find it, resulting in cost without corresponding value.

Level 1 (Ad Hoc, Manual, Unstructured): Information is difficult to retrieve or search. After the creator loses the initial context, it is forgotten and no value is realized. Staff must mine, open and view files on their individual drives to find what they need, and access to relevant information they did not create is exchanged via email.

Level 2 (Manual, Structured): Information for a group is organized in shared drives and collaboration sites. Employees must search multiple drives and collaboration sources to find what they need; relevant information is extracted by opening multiple files, emails, documents or reports; structured and unstructured data must be harvested separately and manually correlated.

Level 3 (Semi-Automated Within Silo): Application data and business process data can be searched by departmental staff in the course of their work from within the system.

Level 4 (Automated and Fully Integrated Across Functions): Search and analytics enable employees to realize value and to apply information to decision making in real time, even as context erodes across information sources and types; assertions on the value and sources of information made in processes H and I are used to ensure availability and accessibility of the information the business defined as valuable. The cost of information to the enterprise is consistent and appropriate over its lifecycle.

Process J: Secure Information of Value

Brief Description: Determining a schema for the various levels of information importance and the corresponding security needed; using an enterprise information taxonomy and a network of liaisons across the business, cataloging which information each business organization generates or stores and assigning the appropriate security level; communicating these security needs to employees who generate, use, manage and store information.

Risk or Immaturity Consequences: Information of value is not properly secured against internal security violations or external security breaches; entities can bypass or contravene security policies, practices or procedures. Failure to secure information greatly heightens privacy issues if the information accessed is not properly protected.

Level 1 (Ad Hoc, Manual, Unstructured): No policy for protecting valuable information. (At the highest level, by contrast, a policy exists, the security required is mapped to data source capabilities, and it is enforced on the data.)

Level 2 (Manual, Structured): Each business unit defines its own information categories and assigns security levels and attributes. Individual employees are responsible for understanding and applying security levels manually.

Level 3 (Semi-Automated Within Silo): A common information taxonomy or set of categories is used across business units as the basis for determining security levels and value attributes; this information is maintained in a source or system accessible to information security staff. Some data is classified systematically.

Level 4 (Automated and Fully Integrated Across Functions): Uses a common enterprise information taxonomy with processes H and I, shares the liaison network and cataloging efforts, and results in a single view of applicable value and regulatory requirements for stakeholders by business area and information category. Enables security owners and system owners to identify gaps between the security required and data source capabilities, to reduce exposure. Information is classified automatically and secured appropriately for its value. Retention, privacy and security requirements can be executed efficiently without redundancy or conflicts.

Process K: Privacy & Data Protection

Brief Description: Assessing privacy duties by data subject and data location, including overlapping obligations for information and information elements, and a means of communicating these requirements to those employees who generate, use, access and store information.

Risk or Immaturity Consequences: Access, transport and use limitations are not understood by employees with information custody or collection responsibility, and customers’ or employees’ rights are impacted.

Level 1 (Ad Hoc, Manual, Unstructured): Each country and business keeps a list of applicable privacy rules. Implementation is done locally and informally.

Level 2 (Manual, Structured): Privacy and data protection requirements are tracked in the privacy office and corporate policies are published on the intranet; implementation decisions are left to local business and system owners.

Level 3 (Semi-Automated Within Silo): There is an accurate catalog of privacy laws and policies by country, accessible to the privacy function. Policy communications to records, business and system stakeholders are routine and semi-automated. Critical systems are provisioned with some privacy controls.

Level 4 (Automated and Fully Integrated Across Functions): Systems are provisioned with access, masking and other controls to protect privacy; information stakeholders in business, legal and IT have access to privacy constraints in real time; litigation has access to current privacy law and protocol and factors the law into the evidence collection and analysis plan; the process is audited. Includes Level 3 capabilities.

Function labels for processes G to K (from the table margin): RIM, BUSINESS, PRIVACY.



Process L: Data Source Catalog & Stewardship

Brief Description: Establishing a common definition and object model for information, and for the people and systems with custody of it, for use in determining, defining, communicating, understanding and executing governance procedures.

Risk or Immaturity Consequences: The type and nature of data in a system or process is poorly understood, leading to incomplete or inaccurate application of retention, preservation, privacy, collection and disposition policy.

Level 1 (Ad Hoc, Manual, Unstructured): No common definition of data sources and data elements exists across IT, legal, business and records. No linkage of an asset to the specific applicable business value or legal duties.

Level 2 (Manual, Structured): IT has an asset tracking system. IT does not have visibility into holds or retention schedules for any given asset.

Level 3 (Semi-Automated Within Silo): IT maintains an asset database for its own use; IT manually enters legal holds, business liaison and retention rules for each asset/system. Legal maintains its own data map for ediscovery purposes.

Level 4 (Automated and Fully Integrated Across Functions): A shared data source catalog across IT, legal, records and business stakeholders is used to express information assets and the relevant business needs and legal obligations. The catalog is the source of truth for provisioning and back up retention/disposition requirements, and all back up, archiving and provisioning procedures and decisions are transparent in the catalog. Common definitions are used to describe duties, needs, stewards, employees, laws and lawsuits across ILM&G stakeholders.

Process M: System Provisioning

Brief Description: Provisioning new servers and applications, including associated storage, with capabilities for systematically placing holds, enforcing retention schedules, disposing, collecting evidence and protecting data elements subject to privacy rights.

Risk or Immaturity Consequences: Systems are unable to comply with or execute defined procedures for retaining, preserving, collecting, protecting and disposing of information, exposing the company to significantly higher costs and risks.

Level 1 (Ad Hoc, Manual, Unstructured): Retention, preservation, collection and/or disposition are not considered prior to provisioning.

Level 2 (Manual, Structured): Some systems are manually configured with capabilities to retain and collect, but the policy and capability to dispose or preserve are lacking.

Level 3 (Semi-Automated Within Silo): Some systems are configured to retain, dispose, preserve and collect data, but schedules and instructions are manually applied and configured. Instructions from legal, records and the business on duties and values are communicated in disparate tools and techniques and must be reconciled within IT.

Level 4 (Automated and Fully Integrated Across Functions): Systems are provisioned with the protocol and technical capability to retain/dispose and hold/collect, including a properly authorized retention schedule and business value inventory. Systems are provisioned with the capability to archive data to lower cost storage at the earliest point in time; archive procedures are well defined, and archives execute retention/disposition of approved schedules. Back up is used for disaster recovery only and does not function as a long-term archive. Retention schedules, legal holds and collection requests are systematically propagated from their respective initiators; the data source catalog is updated to reflect the provisioning, archiving and back up mechanisms.

Process N: Active Data Management

Brief Description: Differentiating high value data actively used by the business from aging data of value to regulators only or less frequently accessed data; results in increased accessibility, security and privacy; aligns data value with storage tiering by value.

Risk or Immaturity Consequences: New, valuable, aging and useless data are commingled within the data source, its back up and its non-production instances. Business users waste their time sifting through debris to find what they need, without success. IT costs soar. The organization is exposed to privacy, security and legal risks.

Level 1 (Ad Hoc, Manual, Unstructured): Data is managed over time as the system was provisioned, and new, valuable, aging and useless data are commingled within the data source, its back up and its non-production instances.

Level 2 (Manual, Structured): End user employees perform hygiene and clean up actions on file shares and systems to ensure function and access. IT performs basic back up and availability functions.

Level 3 (Semi-Automated Within Silo): Some archiving is performed to batch off aging data and provide business users with faster access to more frequently used data. The archive approach varies by data source and business unit. Policies for retention, privacy and security are manually applied, if at all.

Level 4 (Automated and Fully Integrated Across Functions): Data of high value actively used by the business is differentiated from aging data of value to regulators only or less frequently accessed data. Business users have ready access to high value data and spend no time sifting through debris to find it. Data is secured and retained based on its business value. Aging data with declining value is archived or moved to lower cost locations over time; unnecessary data is routinely disposed of. Private data is masked based on policy. Back up data complies with the retention schedule and is not used as a long-term archive alternative.

Process O: Disposal & Decommissioning

Brief Description: Disposing of data and fully decommissioning applications at the end of their business utility and after legal duties have elapsed.

Risk or Immaturity Consequences: IT is unable to dispose of data and decommission systems, causing significant unnecessary cost and risk; or IT improperly disposes of data, causing unnecessary risk and legal or business expense.

Level 1 (Ad Hoc, Manual, Unstructured): IT “keeps everything” because it has no systematic way to determine obligations or value.

Level 2 (Manual, Structured): Some systems are manually configured with capabilities to retain, hold, collect or dispose of data. Changes in legal requirements must be manually configured.

Level 3 (Semi-Automated Within Silo): IT de-duplicates files and disposes of log files under its control. IT responds to business requests to decommission applications and works with legal on a manual review process to determine whether any open legal matters may apply before decommissioning.

Level 4 (Automated and Fully Integrated Across Functions): Data is automatically deleted at the end of its retention period when no legal hold has been specified; back up data is routinely and systematically overwritten. IT routinely analyzes the data source catalog to identify systems with low business value and proactively determine savings opportunities; IT can easily identify duplicative systems from the business value and taxonomy map for instance consolidation. IT performs routine disposal with transparent, reliable facts on preservation and retention obligations, and can look up any asset or employee to determine its value and current legal requirements.

Function label for processes L to O (from the table margin): IT.


Table columns: Process | Brief Description | Process Risk or Immaturity Consequences | Level 1: Ad Hoc, Manual, Unstructured | Level 2: Manual, Structured | Level 3: Semi-Automated Within Silo | Level 4: Automated and Fully Integrated Across Functions | Your Level

P Legacy Data Management

Brief description: Processes, technology and methodologies by which data is disposed of and applications fully decommissioned at the end of their utility and after legal duties have elapsed.

Process risk or immaturity consequences: IT is unable to associate data with business stakeholders or ensure legal duties are met, leading to oversights in collecting evidence and unnecessary legal and operating costs.

Level 1: No hold release notification, no lookup ability.

Level 2: Email hold release communication from Legal to IT.

Level 3: IT initiates a process with Legal to “reverse engineer” legacy data holds in order to dispose of unstructured data or back up data.

Level 4: Legacy data on disk and tape is dispositioned using a legal hold inventory enriched with the custodians and data sets subject to hold; data subject to an ongoing regulatory or legal requirement is isolated and “surrounding” data is disposed of; no additional legacy data is accumulated.

Q Storage Alignment

Brief description: The process of determining and aligning storage capacity and allocation to information business value and retention requirements, including optimizing utilization targets, storage reclamation and re-allocation after data is deleted, to link storage cost to the business need for the data stored.

Process risk or immaturity consequences: Storage is over-allocated, misaligned with business needs and consumes unnecessary capital; IT is unable to reclaim storage and eliminate cost after data is deleted, causing unnecessary cost.

Level 1: No reliable means of determining storage requirements and inability to allocate/reclaim based on retention needs. Each DBA determines capacity and capacity is not revisited.

Level 2: Intensive manual effort to achieve an accurate picture of storage capacity and cost; difficulty assessing and reconciling need, allocation and utilization. Charge backs are used but do not reflect cost facts or cost accounting.

Level 3: Automated storage utilization reporting and charge back mechanism, with transparency to refresh cycles across the inventory. Charge back reporting by tier and organization is reliable and fact based.

Level 4: Storage is provisioned for new systems commensurate with retention schedules and archive protocols; refresh accounts for capacity made available by continuous deletion and decommissioning activity. Storage cost is weighed in the retention schedule approval process and archive decision making; unit cost is available in the data source catalog. Current and forecasted storage capacity and costs are transparent and align to business value and data retention schedules. Optimization practice captures the benefit of deletion and decommissioning to avoid continuous capacity addition. Accurate charge back reporting by business unit and source, and gap analysis against retention schedule, business value and information cost, inform business decision making on the costs/benefits of storing data over time.

R Audit

Brief description: Testing to assess the effectiveness of other processes, in this instance the processes for determining, communicating, and executing procedures for managing information based on its value and legal duties and disposing of unnecessary data.

Process risk or immaturity consequences: Inability to demonstrate reasonable efforts to establish and follow governance policies and procedures increases the risk of sanctions, penalties and judgments and erodes customer trust.

Level 1: Does not audit retention, hold or disposal processes.

Level 2: Verifies that the global retention schedule is published and visible to IT and LOB.

Level 3: Audits publication of records, privacy, disaster recovery, application lifecycle, and legal hold policies. Does not test execution of the policy.

Level 4: Establishes and conducts testing procedures for records management, business value inventories, data sources, privacy requirements and legal holds such that information assets are properly defined, retained until their value expires and disposed of in a timely manner when there is no longer a business need or legal duty. Sample tests organizations and record classes for retention and timely disposition. Establishes and conducts testing procedures for legal matters to ensure preservation duties are properly communicated and executed and holds are released in a timely manner. Tests the data source catalog, back up data, and system provisioning to ensure the ability to comply and actual policy adherence. Audits storage provisioning and procurement against retention/disposition/decommissioning schedules.
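The Level 4 disposal process (O) and the Level 4 audit tests (R) both turn on one decision: a record may be deleted only when its retention period under the master schedule has expired and no active legal hold covers it. The following Python example is added here to make that decision concrete; it is not code from the CGOC kit or from FTI. The retention schedule, the record classes (FIN-AP, HR-PERSONNEL, MKT-DRAFTS), the matter id M-2015-017, and the custodian and record ids are constructed sample values. The audit function plays the Level 4 auditor's role: it samples the records and reports items that are eligible but still held (over-retention), items disposed of while a hold or retention period still applied (the improper-disposal risk named for process O), and items in a class the schedule does not cover.

```python
"""Retention-expiry and legal-hold disposal decision, plus an audit sampler.

Added illustration; all schedule entries, matter ids, custodians and records
below are constructed sample data, not taken from the assessment kit.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional, Tuple

# Constructed master retention schedule: record class -> years from trigger date.
RETENTION_SCHEDULE_YEARS = {"FIN-AP": 7, "HR-PERSONNEL": 6, "MKT-DRAFTS": 1}


@dataclass(frozen=True)
class LegalHold:
    matter_id: str
    custodians: FrozenSet[str]          # employee ids in scope; "*" = everyone
    record_classes: FrozenSet[str]      # record classes in scope; "*" = all
    date_range: Tuple[date, date]       # trigger dates in scope (inclusive)
    issued_on: date
    released_on: Optional[date] = None  # None = hold still active


@dataclass(frozen=True)
class Record:
    record_id: str
    record_class: str
    custodian: str
    trigger_date: date                  # date the retention clock starts
    disposed_on: Optional[date] = None  # None = still held


def add_years(d, years):
    """Add whole years; 29 Feb rolls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(rec, schedule=RETENTION_SCHEDULE_YEARS):
    """Expiry date under the schedule, or None when the class is unscheduled."""
    years = schedule.get(rec.record_class)
    return None if years is None else add_years(rec.trigger_date, years)


def hold_applies(hold, rec, as_of):
    """True when the hold was in force on `as_of` and its scope covers `rec`."""
    if as_of < hold.issued_on:
        return False
    if hold.released_on is not None and as_of >= hold.released_on:
        return False
    if "*" not in hold.custodians and rec.custodian not in hold.custodians:
        return False
    if "*" not in hold.record_classes and rec.record_class not in hold.record_classes:
        return False
    start, end = hold.date_range
    return start <= rec.trigger_date <= end


def disposal_decision(rec, holds, as_of, schedule=RETENTION_SCHEDULE_YEARS):
    """Return (eligible, reason). Holds take precedence over an expired schedule."""
    expiry = retention_expiry(rec, schedule)
    if expiry is None:
        return False, "unscheduled-class"      # route to data stewardship, never auto-delete
    active = sorted(h.matter_id for h in holds if hold_applies(h, rec, as_of))
    if active:
        return False, "legal-hold:" + ",".join(active)
    if as_of < expiry:
        return False, "retained-until:" + expiry.isoformat()
    return True, "retention-expired"


def audit(records, holds, today, schedule=RETENTION_SCHEDULE_YEARS):
    """Level 4 audit sample: over-retention, improper disposal, unscheduled classes."""
    findings = {"over_retained": [], "improper_disposal": [], "unscheduled": []}
    for rec in records:
        if rec.disposed_on is None:
            eligible, reason = disposal_decision(rec, holds, today, schedule)
            if eligible:
                findings["over_retained"].append(rec.record_id)
            elif reason == "unscheduled-class":
                findings["unscheduled"].append(rec.record_id)
        else:
            # Judge the deletion against the obligations in force on the disposal date.
            eligible, reason = disposal_decision(rec, holds, rec.disposed_on, schedule)
            if not eligible:
                findings["improper_disposal"].append((rec.record_id, reason))
    return findings


def sample_data():
    """Constructed records, one hold and an 'as of' date for the demonstration."""
    holds = [LegalHold("M-2015-017", frozenset({"e1001"}), frozenset({"*"}),
                       (date(2012, 1, 1), date(2015, 12, 31)), issued_on=date(2015, 3, 1))]
    records = [
        Record("R1", "FIN-AP", "e2002", date(2008, 5, 10)),                               # expired, no hold
        Record("R2", "MKT-DRAFTS", "e1001", date(2013, 2, 1)),                            # expired, on hold
        Record("R3", "HR-PERSONNEL", "e3003", date(2012, 1, 15)),                         # still in retention
        Record("R4", "MKT-DRAFTS", "e1001", date(2014, 3, 1), disposed_on=date(2015, 6, 1)),  # deleted under hold
        Record("R5", "MKT-DRAFTS", "e2002", date(2014, 3, 1), disposed_on=date(2015, 4, 1)),  # proper disposal
        Record("R6", "UNKNOWN", "e2002", date(2010, 1, 1)),                               # no schedule entry
    ]
    return records, holds, date(2016, 6, 30)


if __name__ == "__main__":
    records, holds, today = sample_data()
    for rec in records:
        print(rec.record_id, disposal_decision(rec, holds, today))
    print(audit(records, holds, today))
```

Holds carry issue and release dates so that a disposal is judged against the obligations in force on the day it happened, not against today's hold list; releasing a hold later does not excuse a deletion made while it was active, which is exactly the record an auditor needs to reconstruct. Records in a class with no schedule entry are never auto-deleted and surface as a stewardship finding instead.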



Roles and Responsibilities

As a part of the process maturity and improvement effort, responsibilities for each process owner should be defined to reflect the level of maturity, integrity and reliability required to achieve the cost and risk reduction goals. Each work stream will likely include policy revisions, process and practice improvements and technology to sustain better practices and ensure transparency and integration across stakeholder processes.

LEGAL

To support the business objectives of the ILG Program, the Legal organization will:

• Maintain an accurate inventory of legal obligations for information by case and scope of obligation, including individuals involved, information scope (dates, terms, elements), and relevant records. The inventory should indicate whether the duties have been satisfied fully or partially and how.

• Precisely and promptly define and clearly communicate specific requirements to preserve potential evidence to IT, records and business stakeholders for each matter, including the individual employees, records and ranges of data that must be preserved as potential evidence.

• Provide real-time, continuous transparency to current legal obligations for information that can be readily understood and acted upon by stakeholders in IT, records and business units.

• Affirmatively communicate to, and receive confirmation of compliance from, the employees, records managers or IT staff who are relied upon to preserve information in their custody.

• Notify IT, records and business stakeholders when evidence for a particular matter no longer needs to be preserved.

• Ensure the defensibility of its process through complete, accurate, timely record keeping and closed loop communications with custodians, IT and records staff.

• Enable defensible disposal of information through precise, consistent and timely communication of obligations to individuals, IT and records staff when the duty arises and as it changes over the course of a matter.

• Work with Internal Audit to assess enterprise preservation procedures.

RIM

To support the business objectives of the ILG Program, the Records organization will:

• Author and distribute a records management policy and provide training materials to employees, or contribute content to the corporate ethics training program.

• Provide an information taxonomy that can be reliably used across business, IT and legal stakeholders to define and characterize business information and information required for regulatory obligations.

• Maintain an inventory of regulatory requirements for records, updated annually, and identify which laws apply to which classes of information by country or jurisdiction and business area.

• Provide actionable retention schedules that can be routinely and automatically applied by IT and business stakeholders to electronic information to ensure proper record keeping.

• Maintain a network of records liaisons across the business to coordinate and communicate policy, taxonomy and schedule needs and changes; provide management visibility on liaison status.

• Safeguard information of value to the business. Perform consistent, documented and precise collection and disposal (or cause to be collected and disposed of) of electronic and physical records, regardless of their form, in accordance with the schedule.

• Ensure timely response to regulator inquiry; enable Internal Audit to test records and retention procedures on physical and digital records.

BUSINESS

To support the business objectives of the ILG Program, the Lines of Business will:

• Ensure a business liaison for governance is able to participate in the Program and its processes.

• Using the online tools and taxonomy provided, participate in a bi-annual value inventory to articulate what information is generated by business teams or departments and the duration of its value, to enable IT, records and legal stakeholders to manage accordingly.

• Work in concert with IT to optimize the archiving and storage of information based on its utility and management cost in the interest of shareholders, regardless of charge back procedures.

• As business processes and practices change, proactively initiate changes to the taxonomy, records and value procedures to reflect business practices and needs.

• Enable timely disposal of information without value, and active participation in the governance program, through business leader transparency and accountability for the total unit cost of information (its storage, management, and ediscovery).

• Participate in Internal Audit on business value inventory procedures.

PRIVACY

To support the business objectives of the ILG Program, the Privacy organization will:

• Establish a catalog of privacy laws and policies that is accessible to litigation, records and IT staff.

• Align with RM to associate privacy requirements during retention of records and business information.

• Coordinate with litigation in advance of data preservation and collection to ensure that appropriate measures are used for data subjects and jurisdictions.

• Provide education and training to litigation, records, IT and line of business staff on current and emerging privacy obligations in the US and the rest of the world on a periodic basis.

• Enable Internal Audit to effectively test privacy procedures.

IT

To support the business objectives of the ILG Program, the IT organization will:

• Retain and preserve information based on its value to the business and legal obligations and according to the procedures/instructions provided by Legal, RM and the business, including aligning technique and technology to value.

• Dispose of information no longer needed to lower information costs and related risks.

• Author and follow backup and disaster recovery policies that limit the retention of backup media to the shortest period necessary to effectively recover from a disaster or failure.

• Maintain an inventory of systems with current business value retention, record requirements and legal hold obligations for the data contained in those systems or stores, and ensure that staff involved in provisioning and decommissioning have access to this inventory in the course of their work.

• Establish and provide a common data dictionary for organization and department, data source, employee, information classification, system classification, law and lawsuit, for use by legal, records, business and IT in governance program execution.

• Provision new systems, servers and storage with automated or manual processes for imposing retention, preservation and disposition of information in the ordinary course of operation (revise SDLC policies and procedures).

• Align systems and stores with the value of the information contained in them, including security, privacy, confidentiality, regulatory, business, and litigation requirements.

• Develop protocols for disposal of data and protocols for storage and disposal of customer data and PII (in concert with information security and privacy stakeholders).

• Enable Internal Audit to test retention/disposition, preservation/collection and privacy procedures.

Risk Heat Map

1. Using the 18 processes and their risks, consider your facts.
2. Plot the current process risks on the graph by placing the letter for each process on the grid where it belongs.
3. Plot the risk level if your organization had level 3 and level 4 capabilities.

Risk levels:

Low risk does not require constant monitoring and is easy to prevent, detect, correct and defend. Less than 10% likelihood.

Moderate risk requires frequent monitoring to prevent and detect; costly to correct or mitigate. Between 10% and 50% likelihood.

High risk requires constant monitoring and review, and immediate escalation on failure or impending failure. 50% likelihood.

PROCESS

A Employees on Legal Holds
B Data on Legal Hold
C Hold Publication
D Evidence Collection
E Evidence Analysis & Cost Controls
F Legal Record
G Master Retention Schedule & Taxonomy
H Departmental Information Practices
I Realize Information Value
J Secure Information of Value
K Privacy & Data Protection
L Data Source Catalog & Stewardship
M System Provisioning
N Active Data Management
O Disposal & Decommissioning
P Legacy Data Management
Q Storage Alignment
R Audit

[Heat map grid: horizontal axis “Likelihood to occur”, vertical axis “Potential Impact”; the upper-right corner is labeled “Highest Risk”.]

1 Storage Infrastructure: Storing Data with No Utility

Excess storage cost (processes N and Q) resulting from over-accumulation and/or inability to delete data for lack of certainty on legal holds, regulatory requirements or business value. Costs correlate to capabilities in process A) scoping people on hold, B) scoping data on hold, C) publishing holds, G) master retention schedule, and H) departmental information practices.

2 Storage Infrastructure: Storing Data at Cost Higher than Value

Excess storage and infrastructure cost resulting from managing and storing data on storage tiers and price points in excess of information value, particularly aging data, non-production instances, and back ups. Costs correlate to capabilities in process H) master retention schedule, I) departmental information practices, M) system provisioning, and Q) storage alignment.

3 Applications: Instances without Business Value

Delayed or partial application decommissioning (processes M and O) from inability to discern which data is required by legal, regulators and the business. Cycle time delays lead to excess run rate. Costs correlate to capabilities in process A) scoping people on hold, B) scoping data on hold, C) publishing holds, G) master retention schedule, and H) departmental information practices.

4 eDiscovery: Costs of Collection and Review

Excess ediscovery and outside counsel fees from over-collection of data due to lack of visibility into what data exists, inability to collect with precision, excess data across the information environment, and late case resolution with excess run rate legal costs or excessive ediscovery cost relative to case merits. Costs correlate to capabilities in process L) data source catalog, N) active data management, O) disposal, P) legacy data management, H) departmental information practices, G) master retention schedule, as well as D) evidence collection and E) evidence analysis and cost controls.

[Chart: Storage Cost Projection 5PBs at 40% Volume Growth with 20% Unit Cost Growth, 2012–2016, cost axis 40 to 180. Series: Do Nothing, Archive Everything, Virtualization, Tiering, Disposal.]

Cost Levers / Process Drivers Scorecard (score each driver 1, 2, 3 or 4):

1 Storing Data with No Utility: N, Q, A, B, C, G, H
2 Storing Data at Cost Higher than Value: H, I, M, Q
3 Instances without Business Value: M, O, A, B, C, G, H
4 Costs of Collection and Review: L, N, O, P, G, H, D, E

[Chart: Utilized Storage Cost and Volume Forecast, 2010–2017. Series: Cost - $M and Size - PB.]

Comparison of 5 Year eDiscovery Process Costs ($M)

                BAU      ILG
Processing     12.7     11.4
Storage         1.4      1.3
Collection     43.9     39.5
Review        557.7    502.6
TOTAL        $615.8   $554.8

[Chart: Annual Cost for a Typical Application per Year (Thousands $). Cost components: S/W: Middleware, Storage, Servers, TOTAL. Compared for Apps not eligible for decom and Apps in current decom effort, by application.]

Table columns: ILG Process | Brief Description | Maturity Scale (1 2 3 4) | Potential Risk of Failure | Potential Impact | Likelihood to Occur

A Employees on Legal Holds
Brief description: Determining employees with information potentially relevant to an actual or anticipated lawsuit or government investigation.
Potential risk of failure: Custodians are not identified and potentially relevant information is inadvertently modified or deleted.

B Data on Legal Hold
Brief description: Determining information, records and data sources that are potentially relevant to an actual or anticipated lawsuit or government investigation.
Potential risk of failure: Actual, rogue or IT managed data sources are missed in hold execution; potentially relevant information is inadvertently modified or deleted.

C Hold Publication
Brief description: Communicating, syndicating and executing legal holds to people, systems and data sources for execution and compliance.
Potential risk of failure: IT or employees migrate, retire or modify data because they lacked hold visibility.

D Evidence Collection
Brief description: Fact finding and inquiry with employees with knowledge of a matter in dispute to determine potentially relevant information and its whereabouts and sources. Collecting potential evidence in response to an agreed-upon request with an adversary or government agency.
Potential risk of failure: Dynamic, diverse information facts are not considered in preservation and collection planning and data is overlooked; no follow through on information identified in custodian interviews. Collection failure from an overlooked source, a departing employee, an incomplete prior collection inventory, or communication and tracking errors.

E Evidence Analysis & Cost Controls
Brief description: Assessing information to understand the dispute and potential information sources, and determining, controlling and communicating the costs of outside review of relevant information.
Potential risk of failure: Material issues in dispute are poorly understood until after strategy is established and expenses are incurred. Excessive data causes litigation costs to exceed dispute value.

F Legal Record
Brief description: Documenting the custodians and data sources identified and the legal hold and collection activities over a multi-year matter lifecycle.
Potential risk of failure: Unable to readily assemble, understand or defend the preservation and discovery record. Failures in custodian and data source management. Preservation and collection failures are detected long after occurrence and cause unnecessary remediation cost and risk.

G Master Retention Schedule & Taxonomy
Brief description: Defining an information classification schema that reflects the organization structure; cataloging, updating, and mapping the laws that apply to each class in the countries in which the organization operates to determine regulatory record keeping obligations; establishing and managing a network of records liaisons to help establish what records may exist where.
Potential risk of failure: The company is unable to comply or demonstrate compliance with its regulatory record keeping obligations. Disparate nomenclatures for records make retention schedules/procedures difficult to apply and audit.

H Departmental Information Practices
Brief description: Using an enterprise information taxonomy, cataloging which information each business organization values, generates or stores by class, where they store it and how long it has utility to them; results in retention schedules for information and enables data source-specific retention schedules that reflect both business value and regulatory requirements.
Potential risk of failure: IT ‘saves everything’, which increases discoverable mass, complexity and legal risk; or IT disposes of information of business value, undermining enterprise operation. Procedures for retention/disposal are difficult to articulate and defend and are not applied by LoB.

I Realize Information Value
Brief description: Gaining timely access to and the ability to apply information in the course of work, including the ability to harness information of quality as it ages and the ability to use relevant information with or without author context to maximize the enterprise value of information.
Potential risk of failure: Important business decisions are made on missing or poor quality information, resulting in poor decisions. Information is not used shortly after its creation because the business has forgotten the source or location of the information or can’t find it, resulting in cost without corresponding value.

J Secure Information of Value
Brief description: Determining a schema for the various levels of information importance and the corresponding security needed; using an enterprise information taxonomy and network of liaisons across the business, cataloging which information each business organization generates or stores and assigning the appropriate security level; communicating these security needs to employees who generate, use, manage, and store information.
Potential risk of failure: Information of value is not properly secured against internal security violations or external security breaches; entities can bypass or contravene security policies, practices, or procedures. A failure in securing information deeply heightens privacy issues if the information accessed is not properly protected.

K Privacy & Data Protection
Brief description: Assessing privacy duties by data subject and data location, including overlapping obligations for information and information elements, and a means of communicating these requirements to those employees who generate, use, access, and store information.
Potential risk of failure: Access, transport and use limitations are not understood by employees with information custody or collection responsibility, and customers’ or employees’ rights are impacted.

L Data Source Catalog & Stewardship
Brief description: Establishing a common definition and object model for information and the people and systems with custody of it, for use in determining, defining, communicating, understanding and executing governance procedures.
Potential risk of failure: The type and nature of data in a system or process is poorly understood, leading to incomplete or inaccurate application of retention, preservation, privacy, collection and disposition policy.

M System Provisioning
Brief description: Provisioning new servers and applications, including associated storage, with capabilities for systematically placing holds, enforcing retention schedules, disposing, collecting evidence, and protecting data elements subject to privacy rights.
Potential risk of failure: Systems are unable to comply with or execute defined procedures for retaining, preserving, collecting, protecting and disposing of information, exposing the company to significantly higher costs and risks.

N Active Data Management
Brief description: Differentiating high value data actively used by the business from aging data of value to regulators only or less frequently accessed data; results in increased accessibility, security and privacy; aligns data value with storage tiering by value.
Potential risk of failure: New, valuable, aging, and useless data are commingled within the data source, its back up and its non-production instances. Business users waste their time sifting through debris to find what they need without success. IT costs soar. The organization is exposed to privacy, security and legal risks.

O Disposal & Decommissioning
Brief description: Disposing of data and fully decommissioning applications at the end of their business utility and after legal duties have elapsed.
Potential risk of failure: IT is unable to dispose of data and decommission systems, causing significant unnecessary cost and risk; or IT improperly disposes of data, causing unnecessary risk and legal or business expense.

P Legacy Data Management
Brief description: Processes, technology and methodologies by which data is disposed of and applications fully decommissioned at the end of their utility and after legal duties have elapsed.
Potential risk of failure: IT is unable to associate data with business stakeholders or ensure legal duties are met, leading to oversights in collecting evidence and unnecessary legal and operating costs.

Q Storage Alignment
Brief description: The process of determining and aligning storage capacity and allocation to information business value and retention requirements, including optimizing utilization targets, storage reclamation and re-allocation after data is deleted, to link storage cost to the business need for the data stored.
Potential risk of failure: Storage is over-allocated, misaligned with business needs and consumes unnecessary capital; IT is unable to reclaim storage and eliminate cost after data is deleted, causing unnecessary cost.

R Audit
Brief description: Testing to assess the effectiveness of other processes, in this instance the processes for determining, communicating, and executing procedures for managing information based on its value and legal duties and disposing of unnecessary data.
Potential risk of failure: Inability to demonstrate reasonable efforts to establish and follow governance policies and procedures increases the risk of sanctions, penalties and judgments and erodes customer trust.

Process Score Card

Level 1: Facts known only to individual practitioner
Level 2: Facts accessible with difficulty by others within same practice

Page 23: static2.ftitechnology.comstatic2.ftitechnology.com/docs/toolkits/IG-for... · Dear Colleague, My name is Jake Frazier and I lead the Information Governance practice for FTI Consulting

19

Columns: ILG Process; Brief Description; Maturity Scale (1 2 3 4); Potential Risk of Failure; Potential Impact; Likelihood to Occur

A  Employees on Legal Holds
Description: Determining which employees hold information potentially relevant to an actual or anticipated lawsuit or government investigation.
Risk of failure: Custodians are not identified and potentially relevant information is inadvertently modified or deleted.

B  Data on Legal Hold
Description: Determining the information, records and data sources that are potentially relevant to an actual or anticipated lawsuit or government investigation.
Risk of failure: Actual, rogue or IT-managed data sources are missed in hold execution, and potentially relevant information is inadvertently modified or deleted.

C  Hold Publication
Description: Communicating, syndicating and executing legal holds to the people, systems and data sources responsible for execution and compliance.
Risk of failure: IT or employees migrate, retire or modify data because they lacked visibility of the hold.

D  Evidence Collection
Description: Fact finding and inquiry with employees who have knowledge of a matter in dispute, to determine potentially relevant information and its whereabouts and sources; collecting potential evidence in response to a request agreed with an adversary or government agency.
Risk of failure: Dynamic, diverse information facts are not considered in preservation and collection planning and data is overlooked; there is no follow-through on information identified in custodian interviews. Collection fails because of an overlooked source, a departing employee, an incomplete inventory of prior collections, or communication and tracking errors.

E  Evidence Analysis & Cost Controls
Description: Assessing information to understand the dispute and potential information sources, and determining, controlling and communicating the costs of outside review of relevant information.
Risk of failure: Material issues in dispute are poorly understood until after strategy is established and expenses incurred; excessive data causes litigation costs to exceed the value of the dispute.

F  Legal Record
Description: Documenting the custodians and data sources identified, and the legal hold and collection activities, over the multi-year lifecycle of a matter.
Risk of failure: Unable to readily assemble, understand or defend the preservation and discovery record; failures in custodian and data source management; preservation and collection failures are detected long after they occur and cause unnecessary remediation cost and risk.

G  Master Retention Schedule & Taxonomy
Description: Defining an information classification schema that reflects the organization's structure; cataloging, updating and mapping the laws that apply to each class in the countries in which the organization operates, to determine regulatory record-keeping obligations; establishing and managing a network of records liaisons to help establish what records may exist where.
Risk of failure: The company is unable to comply, or to demonstrate compliance, with its regulatory record-keeping obligations; disparate nomenclatures for records make retention schedules and procedures difficult to apply and audit.

H  Departmental Information Practices
Description: Using the enterprise information taxonomy, cataloging which information each business organization values, generates or stores by class, where it is stored and how long it has utility; results in retention schedules for information and enables data-source-specific retention schedules that reflect both business value and regulatory requirements.
Risk of failure: IT "saves everything", which increases discoverable mass, complexity and legal risk, or IT disposes of information of business value, undermining enterprise operation; procedures for retention and disposal are difficult to articulate and defend and are not applied by the lines of business.

I  Realize Information Value
Description: Gaining timely access to information and the ability to apply it in the course of work, including the ability to harness information of quality as it ages and to use relevant information with or without author context, to maximize the enterprise value of information.
Risk of failure: Important business decisions are made on missing or poor-quality information, resulting in poor decisions; information is not used shortly after its creation because the business has forgotten its source or location or cannot find it, resulting in cost without corresponding value.

J  Secure Information of Value
Description: Determining a schema for the various levels of information importance and the corresponding security needed; using the enterprise information taxonomy and the network of liaisons across the business, cataloging which information each business organization generates or stores and assigning the appropriate security level; communicating these security needs to the employees who generate, use, manage and store information.
Risk of failure: Information of value is not properly secured against internal security violations or external security breaches; entities can bypass or contravene security policies, practices or procedures. A failure to secure information deeply heightens privacy issues if the information accessed is not properly protected.

K  Privacy & Data Protection
Description: Assessing privacy duties by data subject and data location, including overlapping obligations for information and information elements, and a means of communicating these requirements to the employees who generate, use, access and store information.
Risk of failure: Access, transport and use limitations are not understood by employees with custody of information or collection responsibility, and the rights of customers or employees are impacted.

L  Data Source Catalog & Stewardship
Description: Establishing a common definition and object model for information, and for the people and systems with custody of it, for use in determining, defining, communicating, understanding and executing governance procedures.
Risk of failure: The type and nature of data in a system or process is poorly understood, leading to incomplete or inaccurate application of retention, preservation, privacy, collection and disposition policy.

M  System Provisioning
Description: Provisioning new servers and applications, including associated storage, with capabilities for systematically placing holds, enforcing retention schedules, disposing of data, collecting evidence and protecting data elements subject to privacy rights.
Risk of failure: Systems are unable to comply with or execute defined procedures for retaining, preserving, collecting, protecting and disposing of information, exposing the company to significantly higher costs and risks.

N  Active Data Management
Description: Differentiating high-value data actively used by the business from aging data of value only to regulators or less frequently accessed data; results in increased accessibility, security and privacy, and aligns storage tiering with data value.
Risk of failure: New, valuable, aging and useless data are commingled within the data source, its backups and its non-production instances; business users waste their time sifting through debris to find what they need, without success; IT costs soar; the organization is exposed to privacy, security and legal risks.

O  Disposal & Decommissioning
Description: Disposing of data and fully decommissioning applications at the end of their business utility and after legal duties have elapsed.
Risk of failure: IT is unable to dispose of data and decommission systems, causing significant unnecessary cost and risk; or IT improperly disposes of data, causing unnecessary risk and legal or business expense.

P  Legacy Data Management
Description: Processes, technology and methodologies by which data is disposed of and applications fully decommissioned at the end of their utility and after legal duties have elapsed.
Risk of failure: IT is unable to associate data with business stakeholders or ensure legal duties are met, leading to oversights in collecting evidence and unnecessary legal and operating costs.

Q  Storage Alignment
Description: The process of determining and aligning storage capacity and allocation to the business value and retention requirements of information, including optimizing utilization targets and reclaiming and re-allocating storage after data is deleted, so that storage cost is linked to the business need for the data stored.
Risk of failure: Storage is over-allocated, misaligned with business needs and consumes unnecessary capital; IT is unable to reclaim storage and eliminate cost after data is deleted.

R  Audit
Description: Testing to assess the effectiveness of the other processes, in this instance the processes for determining, communicating and executing the procedures for managing information based on its value and legal duties and for disposing of unnecessary data.
Risk of failure: Inability to demonstrate reasonable efforts to establish and follow governance policies and procedures increases the risk of sanctions, penalties and judgments and erodes customer trust.

Maturity scale (continued): Level 3: Facts readily available and frequently used in departmental actions and decisions. Level 4: Facts readily available and fully integrated across related enterprise processes, used by all stakeholders in decision and action.

Risk rating (Potential Impact, Likelihood to Occur): Low, Mod, High


© 2016 FTI Consulting Inc. Advice from Counsel: The State of Information Governance in Corporations 1/16

THE STATE OF INFORMATION GOVERNANCE IN CORPORATIONS

Advice from Counsel is Sponsored by:


INTRODUCTION

HOW DO YOU DEFINE INFORMATION GOVERNANCE (“IG”)?

Is it a holistic policy document outlining an organization’s approach to managing enterprise data? Is it a series of discrete projects that implement best practices in data security or storage optimization? Is it both of these, incorporating policy and tactical execution?

Many organizations struggle with the definition of information governance for a variety of reasons. Some lack executive support for IG, while others feel hampered from executing on small, tactical projects due to their legal or regulatory profile. Yet some organizations have implemented IG projects and realized tangible benefits and real return on investment.

For this Advice from Counsel study, we set out to better understand the health and success of information governance programs within corporations. In late 2015, we interviewed 25 in-house lawyers under conditions of anonymity. Most of these lawyers are from Fortune 1000 corporations and have responsibilities that include some aspects of e-discovery and information governance. As always, we’ve anonymized the quotes and feedback and are grateful for the input from the Advice from Counsel community.

We asked a wide range of questions to better understand how corporations are approaching information governance, key challenges, areas of success, and some of the basic mechanics they’ve adopted to develop and implement their program. The results clearly show that with a few exceptions, most organizations are in the early stages of information governance adoption. Yet these executives have strong advice on how best to begin and implement an IG initiative. From these results, organizations can better understand how their peers are successfully keeping an eye on the big picture while executing quick wins that help build momentum for broader IG initiatives.


Top Area of Focus

When asked whether their organization had an information governance program, 76 percent of corporate respondents said yes. While there was a great deal of overlap in answers, respondents listed more than 30 areas of focus for their program. These areas span teams and needs, well-summarized by the Information Governance Reference Model (“IGRM”) graphic below. To give you a sense of the diverse answers, we’ve pulled out quotes and organized them by practice area and mission.

Figure: Information Governance Reference Model (IGRM), © 2012, v3.0, edrm.net. Linking duty + value to information asset = efficient, effective management. Duty: legal obligation for specific information. Value: utility or business purpose of specific information. Asset: specific container of information. The diagram shows Unified Governance across the stakeholders Business (profit), IT (efficiency), Legal (risk), RIM (risk) and Privacy & Security (risk), the information lifecycle stages Create/Use, Hold/Discover, Store/Secure, Retain/Archive and Dispose, and the themes Process Transparency and Policy Integration.

BUSINESS

“The company has historically had retail stores and then launched a completely separate retail website. It is now merging the two and integrating all of its information to create a single unified system. It is trying to get an omni-channel view on all of its business.”

“Data analytics”

PRIVACY & SECURITY

“Ensuring that non-public information is not released outside of the company.”

“Identifying which information needs the most protection and should not be on the network.”

LEGAL

“Organizing data to manage litigation costs.”

“Implementing an effective legal hold solution.”

IT

“Data accuracy and consistency in reporting from legacy systems.”

“Optimization of resources, including staff and technology, to get better management data and understand the information environment.”


RIM

“Discarding paper and physical records that have exceeded their retention period.”

“Implementing records retention schedules globally in all operating companies, including those they acquire.”


TOP AREA OF FOCUS

Data Security Emerges as the Top Driver for Information Governance

While respondents shared areas of concern across the IGRM spectrum, data security was the #1 recurring theme across responses. This encompassed a number of different initiatives, and respondents talked about data security in four key areas:

■ Securing sensitive personally identifiable information for clients, patients and employees. Across all industries, respondents acknowledged a sense of responsibility for protecting the sensitive information of their customers and employees.

■ Securing sensitive company intellectual property.

■ Creating a tiered security network to protect against security breaches.

■ Developing protocols and systems to ensure secure access to the network for partners and other approved third parties.

Parsing data security into four discrete buckets can help organizations undertake a large challenge, protecting the organization’s data from internal and external threats, by channeling that work into initiatives that are smaller, more focused and easier to accomplish. Protecting customers’ credit card information, for example, may require different technology and processes than authenticating the identity of employees trying to access the company’s “crown jewels” of intellectual property.


Top IG Challenges

Respondents identified common roadblocks in developing and implementing an information governance program. They can be grouped into four key areas:

Different Work Styles and New Technology

Nearly a third of the survey respondents said that the main challenge was that employees are working and collaborating in new ways that are enabled by the proliferation of cloud-based applications. One respondent stated, “With the additional collaborative tools and mobile devices, access and egress points for data, and lack of employee awareness to sensitive information, it is becoming more complicated to control who has access to certain types of data and how we are sharing that information and with whom.” Some respondents focused on employee conduct and a need to develop processes and training that would help prevent employees from making poor information management decisions. Another commented on how the new technology produces “a level of disorganized complexity that does not follow a logical or natural taxonomy.” This can lead “beyond the realm of the business,” and employees then develop “business records that the legal team is unfamiliar with and unable to easily locate.”

Where to Begin?

Nearly a quarter of all respondents said that with information governance, the initial challenge often is deciding where to begin. Organizational structure was mentioned several times as a barrier because “various parts of the company own different elements of information governance.” As one respondent said, “I have a perspective only from the legal view. It is hard to imagine all of the things we are supposed to imagine when we try to develop this.” Others said it was daunting to prioritize when so many areas need attention. According to one respondent, “If the scope of the project is too huge, it can almost fall under the weight of itself.”

Data, Data, Data

Twenty-five percent of respondents cited technology, both old and new, as a major roadblock to implementing IG. On the “old” side, legacy data may still be relevant but hard to store and retrieve. As one respondent said, “It is a challenge to adapt to 21st century systems from the 20th century world. Today, for example, we are dealing with litigation related to claims on life insurance policies that were written 50 years ago.” For others, it’s simply a matter of keeping up with increasing volumes across a global organization. One respondent said, “There are so many software systems and so many needs for information stored in so many different places and ways. The challenge is always coming up with something cohesive.”

At the same time, organizations are trying to manage rapidly evolving data ecosystems that span personal computers, mobile devices, social media and a myriad of cloud-based collaboration tools. According to one respondent, “Information is not created in a pre-planned way, and with technology, new forms of information are organically being developed all the time. This produces a level of disorganized complexity that does not follow a logical or natural taxonomy.”

Respondents also expressed frustration about the headache posed by BYOD (bring your own device) work environments and especially social media. One respondent said, “Social media creates confusion about how the social media companies are maintaining information. As a result, it causes confusion at the corporations. Sometimes I think that those social media companies don’t have a clue about what they are doing with their information. For example, Snapchat does not always delete information even though it says it does.”

Resources

Finding the appropriate IG resources was a key challenge for 25 percent of respondents. For some, it was a matter of mere numbers and “having enough people to do what needs to get done.” Many worried about how IG is an initiative that should include collaboration across teams within various functions, from information technology (“IT”) and records management to legal and the lines of business. The fact that “different parts of the company own different elements of information governance,” combined with “bureaucracy and a failure to receive buy-in from key stakeholders,” can hinder an IG initiative from the start.


The Mechanics

When asked for specifics on staffing, costs and other details, respondents gave a wide range of answers, reinforcing the varying degrees of maturation across organizations.

STAFF

Do you have in-house staff dedicated solely to information governance?

For companies with resources solely dedicated to IG, the average number of staff is four. It should be noted that the majority of companies said they have at least one in-house person handling information governance, but this individual typically spans a few other areas, particularly IT, records management, e-discovery, and risk and compliance.

DEPARTMENTS INVOLVED

Which departments are involved in your information governance program? Please select all that apply.

Beyond these top groups, respondents also mentioned involvement from finance, human resources, operations and even the board of directors.

Chart (in-house staff dedicated solely to information governance): 44% Yes, 56% No.

Chart (departments involved; labels and values in the order shown on the page): IT, Legal, Compliance, Line of Business Leadership, Information Security, Records Management; 95%, 95%, 73%, 55%, 45%.


Which department is leading your information governance program? Please select one.

Can you quantify how much you spend on information governance per year?

As respondents noted, this is an intricate calculation to make across teams and geographies. For those who were able to give an amount, the numbers spanned from $200,000 up to as high as $20 million per year.

Can you quantify any savings as a result of information governance policies or practices?

Interestingly, respondents made it clear in their comments that they believe their company has realized benefits, including cost savings, but that it was hard for them to quantify. Several cited the dispersed nature of the initiative as a major roadblock for calculating savings but indicated that establishing a return on investment is a goal for the program in future years.

Chart (department leading the program): Legal 44%, Compliance 23%, IT 18%, Records Management 13%, Information Security 5%.

Chart (able to quantify annual spend on information governance): 28% Yes, 72% No.

Chart (able to quantify savings from information governance): 12% Yes, 88% No.


Areas of Success

Can you quantify any additional tangible benefits from your information governance program?

Chart: 76% Yes, 24% No.

While many participants described their IG programs as nascent, with broad policies still in the works, most were able to see benefits from some focused, tactical IG initiatives. The top four benefits provided by respondents are:

1. Reduced storage costs.

As one respondent stated, “If you are able to maintain good document destruction practices, you will be saving on office space and storage costs, both on-site and off-site.”

2. Improved e-discovery processes, including legal holds, information retrieval and fewer documents sent to outside counsel for review.

Multiple respondents made comments about experiencing more efficiency. One respondent said, “We have greater efficiency in legal operations due to being able to find information more easily.”


3. Lower risk of a security breach.

Several individuals spoke of reducing the dataset to proactively protect against a breach. According to one respondent, “The reputational savings are not quantifiable because you cannot measure the reputational costs of doing it wrong. As a result, that would be a savings. We are getting it right so that our reputation is not tarnished.”

4. Improved internal awareness of data security and information governance goals.

A common refrain was, “Employees now understand what is involved in information governance and the nature of their responsibilities.”

In addition to the above four benefits, respondents provided a few additional comments that should be noted:

■ “The ability to execute contracts more consistently is a great benefit.”

■ “Streamlined communication is a real benefit.”

■ “Decluttering information projects and making the data cleaner [is a benefit]. For a large company, making sure everyone is relying on the same data source is critical.”


Advice from Counsel

In total, information governance still is a relatively new initiative, and, while it poses a number of challenges — spanning technology, processes and culture — it is providing early adopters with some key advantages. For those just beginning to develop their own IG program, the Advice from Counsel community offers the following tips:

□ Secure executive buy-in. “A program of this kind takes time and money so you need someone at the top level of management who ‘gets it.’”

□ Develop cross-functional teams. To avoid duplication and wasted time or money, “You need to get everyone talking with one another about what they are doing and what needs to get done.”

□ Secure your sensitive data. “Invest in people who know how to protect data and how to use it effectively. Generating data is not very good unless you are ready to use it and can protect it.”

□ Don’t forget about data privacy regulations. “Beware of all the international data privacy regulations and their amendments. You must understand that transferring data across borders is a very sensitive issue even when the company has operations abroad.”

□ Get outside help. For those in highly regulated industries, this was a recurring theme: “Work with professionals. Hire outside counsel and others who have been there before. Make sure they understand your business to ensure that what advice they give you is not off the shelf but suited to your situation… Each company’s facts and circumstances are different so take the time to work with someone who knows your business.”


□ Think about your end user. “Give people tools so they are not taking shortcuts that bypass your protocols. Make it easy to access information so people are not enticed to make poor judgments about protection of information, whereby you could have a breach.”

□ Don’t let perfect be the enemy of good. Several respondents discussed the importance of simplicity and basics: “Keep it as simple as you can. Base your program on business requirements as much as possible.” Another added, “Developing a complete map of what you have and where it is can be extremely time-consuming. We have incrementally become more aware of information that isn’t governed as much as we thought because it exists in siloes around the company. We didn’t realize that at the outset. I view e-discovery as finding answers to targeted/narrow questions — my obligation as in-house counsel is to focus on specific content. On the other hand, information governance leaders are looking at e-discovery from a big picture standpoint. They answer the broad questions. Working together, we try to draw some conclusions.”


Appendix

Ari Kaplan Advisors personally interviewed 25 in-house lawyers with responsibilities that include some aspects of e-discovery and information governance. Most participants are from Fortune 1000 corporations, and all spoke by telephone, under condition of anonymity, during October 2015.

Of this year’s participants, 84 percent develop and implement e-discovery tools and vendors; 76 percent select or implement information governance tools and vendors; 72 percent manage e-discovery software and service providers; 52 percent manage information governance software and service providers; 76 percent develop and implement e-discovery processes; and 96 percent develop and implement information governance processes.

Forty-four percent of participating organizations had total annual revenues of $10 billion or greater, and 60 percent had 10,000 or more employees. In terms of litigation events over the past 12 months, 36 percent reported managing 100 to 499 litigation events, and 16 percent reported managing 500 or more litigation events.

4% Education

4% Media

4% Real Estate

4% Transportation

36%Financial Servicesincluding banking and

credit institutions, as well as insurance companies

16%Manufacturing

8%Retail

24%Energy & Utilities

By industry:


2014 revenues: 44% $10 Billion or Greater; the remaining bands (Between $5 Billion and $9.9 Billion, Between $1 Billion and $4.9 Billion, Below $1 Billion) account for 24%, 12% and 20% of participants, in an order the figure does not make legible.

Number of employees: 60% 10,000 or More; 20% 5,000 to 9,999; 12% 1,000 to 4,999; 4% Fewer than 500; 500 to 999 (share not legible in the figure).

Number of litigation events in the past 12 months: 44% Fewer than 100; 36% Between 100 and 499; 4% Between 500 and 999; 4% Unknown; 1,000 or More (share not legible in the figure).


About Advice from Counsel

Through in-person events, virtual meetings, webcasts, surveys and reports, Advice from Counsel helps e-discovery leaders share ideas and advice with peers in an open and collaborative forum. Begun in 2008 as an annual survey and report on top e-discovery trends, Advice from Counsel has evolved into an interactive community of e-discovery professionals working to strengthen the people, process and technology at the core of e-discovery. Advice from Counsel is sponsored by FTI Technology.


Identifying & Protecting the Corporate Crown Jewels

By Jake Frazier, Senior Managing Director, FTI Technology


Anyone who owns a home understands they need a way to safely protect their family’s “crown jewels,” such as key documents, jewelry and irreplaceable photos, from theft, loss and catastrophe. Solving this problem is typically simple: buy a safe. Somewhat more complicated is the process of finding and determining what to put in the safe. Should the title to the car go in there? What about passports? If I wear my Rolex once a week, is it worth bothering to keep in the safe the rest of the time? And those photos of my grandparents are in a box in the attic somewhere; I really should find them and put them in the safe.

Similarly, every organization has a set of crown jewels—information that is critical, unique or irreplaceable. And much like at home, the most difficult part of protecting them is not actually the repository, it is determining what information qualifies for this type of protection, and finding it, and moving it to a safer place.

This is in part because no single person or department can define what constitutes the crown jewels. That requires a multidisciplinary, cross-functional approach. It must encompass information that would be devastating to have stolen, but may also include data that needs to be exempt from disposition and can’t be destroyed, such as executive emails under legal hold.

When identifying and protecting crown jewels, organizations must involve many stakeholders, determine the processes for keeping the data safe and create procedures for removing information that has lost its value. With the right tools and technologies, companies can keep their crown jewels from being lost or stolen.

Figure: Information Governance Reference Model (IGRM). Linking duty + value to information asset = efficient, effective management. Duty: legal obligation for specific information. Value: utility or business purpose of specific information. Asset: specific container of information. Lifecycle stages around the asset: Create, Use; Retain, Archive; Hold, Discover; Store, Secure; Dispose. Stakeholders under unified governance: Business (profit), IT (efficiency), Legal (risk), RIM (risk), Privacy & Security (risk), linked by process transparency and policy integration. Source: Information Governance Reference Model / © 2012 / v3.0 / edrm.net

© 2015 FTI Consulting Technology, LLC. Identifying & Protecting the Corporate Crown Jewels 2/12


Categorizing Critical Information

Data cannot be simply locked up and shut away. If that happens, it becomes useless. Think about heirloom jewelry. It was meant to be worn, but if it is kept inaccessibly in a safe deposit box at a bank downtown, it cannot be. Similarly, paintings may be extremely valuable, but storing them in a fireproof warehouse makes them less enjoyable.

At the same time, it is critical to determine what type of information requires protecting. For example, much like flammable household products, some information may not be considered crown jewels, but can quickly cause tremendous damage in the wrong hands. Sony Pictures Entertainment learned this lesson when it was hacked last year and lost control of the Social Security numbers of workers who had long since left the company.1

Crown jewels can be divided into several categories and can exist in multiple locations and different formats:

Information that may not be destroyed

Some information may need to be carefully maintained, not because it has intrinsic value but due to legal holds, regulatory requirements and other reasons.

This type of information can exist in many places within organizations, such as a file share, on an employee’s mobile device or on a hard drive. It must be protected from inadvertent destruction.

Some of these files may be old or exist in legacy formats. When moved to a secure location, this type of data needs to be handled carefully, so that none of the metadata is altered. If no one at the organization knows what data exists and where it is, companies can easily find themselves with “dark data pools.” This can include decades-old paper files or microfiche that are in storage.

1 “Sony Pictures Reaches Settlement in Hacking Lawsuit,” Los Angeles Times, September 2, 2015. http://www.latimes.com/entertainment/envelope/cotown/la-et-ct-sony-hack-studio-reaches-agreement-to-settle-with-plaintiffs-20150902-story.html

Items of actual value

Like real precious jewels, some corporate information is truly valuable. This can include customer lists, formulas, intellectual property, schematics, pricing templates and other types of information that provide competitive and strategic advantage. As in the Sony case, it can also include master copies of intellectual property (e.g. films not yet released).

Information that can be risky or dangerous in the wrong hands

Some information must be kept private, regardless of its actual value. Employee records are a good example of this, as are documents developed for regulators and documents that carry attorney-client privilege, or the Social Security numbers of the prior Sony employees. These documents are likely much more valuable to outsiders than to the company itself, and therefore must be protected carefully.

Information that can be risky or dangerous to keep in any hands

Some information can cause significant reputational risk if it isn’t protected. Other information can be very costly, particularly if it becomes potentially responsive in litigation. This was also a factor in the Sony hack.

Many organizations are confronting a relatively new problem, as their store of emails begins to stretch out for years and even decades. This can include emails sent and received by people who left the organization a long time ago. If these old emails contain keywords that have been identified as part of an e-discovery collection, those emails will end up in the document populations that must be reviewed. No one who is currently employed by the company may be familiar with the people or issues that have triggered the review. The document reviewers may not be able to determine if the emails are responsive, so they may need to produce them. Then the legal team has to answer questions about the emails. This can be enormously time-consuming and costly. It may also require companies to turn over meaningful documents to adversaries.2

2 “The Best Way to Use Data to Cut Costs? Delete It” CIO Insight, August 17, 2015. http://www.cioinsight.com/it-strategy/big-data/slideshows/the-best-way-to-use-data-to-cut-costs-delete-it.html


By hanging on to information that is of no use, companies may also misallocate information that is very valuable. It’s like buying an expensive sports car, and not being able to park it in the garage because of old furniture stored there.

The same tools that help organizations identify their crown jewels can also help find documents that no longer have any value and should be deleted. Valuable information should be stored under lock and key, while the junk should be tossed out.


Identifying the Crown Jewels

Deciding what qualifies as a crown jewel or one of the other important data types can be challenging, even after defining what all the types are. For purposes of simplicity, in this paper we will group all of the various types of important data under the crown jewels moniker. When grouping data it is tempting to rely on the information technology department, but this is often not the best group to make this determination. (They will protect the information, but someone else needs to define what is important and worth protecting.)

When figuring out who should identify the information that needs protecting, it can help to think of a Venn diagram. Crown jewels can be found in three types of groups that can overlap: information subject to legal holds; records that must be retained to satisfy regulatory requirements; and data that contains business value. Crown jewels can reside in any of these three circles. The rest is information that can be deleted according to the schedule of the company’s records management program.

Figure: Venn diagram of three overlapping circles: information subject to legal holds; records retained to satisfy regulatory requirements; data that contains business value.

Generally, three different groups within companies should identify the information: the legal department, the records management group and the businesspeople. But it’s not necessary to form another committee and bring representatives from each group together to review every potential piece of data. Instead, each group should be given access to the underlying database where the records are kept, with each group having its own interface into the data. For example, the legal group’s interface can help it manage legal holds while records management’s interface assists it in tracking what information must be retained for which length of time as part of the company’s document retention policies.

One thing to keep in mind: important information is often kept together. Just as you may have all your jewelry in a single drawer at home, your customer lists may all be in the same electronic file on a drive shared by the marketing department.

From a strategic value point of view, the businesspeople should decide how long information should be retained, based on the last date it was accessed. In other words, if people are looking at the information, it has value and should be retained.


Keeping Information Safe

Once legal, records management and the businesspeople have determined what and where their crown jewels are, it’s time to develop the processes to keep that data safe. In parallel with tracking which employees are placing information in the central repository, it’s important to begin training.

When creating the repository for the crown jewels, organizations may be tempted to think of it as similar to a home security system. Companies generally focus on designing systems to keep out external threats. However, homes are at a much higher risk from internal threats, such as housekeepers and other employees. When considering the process for securing critical information, organizations should look for tools that protect against threats like hackers, but they also need to figure out how to safeguard data from those inside the organization. These internal threats often come from those who aren’t deliberately malicious, but who hoard valuable data and never release it into the company’s systems. Without a central repository to store the crown jewels, important information may exist that no one has visibility into or can find.


And such a repository must be much more sophisticated than a simple file share, where anyone can access, copy or delete files at any time. Rather, the central repository should have more granular security, such as authentication labels, different access tiers and permissions, in order to better control access. It also requires more sophisticated storage and backup protocols than a standard file share.

Creating an audit and reporting trail is extremely important. When someone identifies information as a crown jewel, it should automatically trigger a set of steps to identify and preserve that information. Companies should also institute and maintain a hierarchy of important data, since not all valuable information is equally valuable. For example, information that falls under a legal hold should have the highest priority.

From a change management standpoint, companies probably should not attempt all of this at once, as employees will become overwhelmed, systems may fail and momentum will be lost. The first step should be to report on which information is worth keeping, and then identify where the information resides. Before deleting any data, it should be moved to a separate, protected location as a fallback, in case there are issues while the new system is being instituted.

Once procedures are in place, the company should regularly review and tweak them when necessary. More efficient processes may be identified, new regulations regularly emerge and legal holds could close, allowing data to be deleted. However, the technology itself should be extremely flexible, with no limits to data that can be classified as crown jewels.
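The three overlapping circles from “Identifying the Crown Jewels”, the priority hierarchy (legal hold first) and the automatic trigger and audit trail described above can be expressed as a small triage routine. The following is an added example, not code from this paper or from FTI; the record fields, the one-year business-value window, the preservation step names and the sample records are assumptions made for the illustration.

```python
"""Crown-jewel triage with a priority hierarchy and an audit trail.

Added example, not code from the FTI paper or any FTI product. It models the
three overlapping circles (legal hold, regulatory retention, business value)
and three rules from the text: a legal hold outranks every other reason to keep
data, identifying a crown jewel automatically triggers preservation steps, and
every decision is written to an audit trail. Record fields, the one-year
business-value window, step names and sample records are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Record:
    path: str
    last_accessed: date
    on_legal_hold: bool = False
    retain_until: date | None = None  # end of regulatory retention, if any


# Hierarchy: the lowest rank wins when a record sits in several circles.
RANK = {"legal_hold": 1, "regulatory": 2, "business_value": 3, "disposable": 4}

# Assumed business rule: data nobody has opened in a year has lost its value.
BUSINESS_VALUE_WINDOW = timedelta(days=365)

# Steps triggered automatically by each classification (names are assumed).
STEPS = {
    "legal_hold": ("freeze_in_place", "copy_to_repository", "preserve_metadata", "restrict_access"),
    "regulatory": ("copy_to_repository", "preserve_metadata", "set_retention_lock"),
    "business_value": ("copy_to_repository", "restrict_access"),
    "disposable": ("queue_for_scheduled_disposition",),
}


def classify(rec: Record, today: date) -> str:
    """Return the highest-priority circle the record falls into."""
    if rec.on_legal_hold:
        return "legal_hold"
    if rec.retain_until is not None and rec.retain_until >= today:
        return "regulatory"
    if today - rec.last_accessed <= BUSINESS_VALUE_WINDOW:
        return "business_value"
    return "disposable"  # falls to the records management schedule


def triage(records: list[Record], today: date, actor: str) -> tuple[list, list]:
    """Classify each record, log the decision, and return the plan ordered by priority.

    plan:  list of (path, category, steps), legal holds first.
    audit: one dict per decision, the trail a reviewer can later reconstruct.
    """
    plan, audit = [], []
    for rec in records:
        category = classify(rec, today)
        plan.append((rec.path, category, STEPS[category]))
        audit.append({"when": today.isoformat(), "who": actor, "path": rec.path,
                      "category": category, "steps": STEPS[category]})
    plan.sort(key=lambda item: (RANK[item[1]], item[0]))
    return plan, audit


def demo() -> dict:
    """Run triage over constructed sample records on a fixed date."""
    today = date(2016, 1, 15)

    def days_ago(n: int) -> date:
        return today - timedelta(days=n)

    records = [
        Record("marketing/brochure_2009.pdf", days_ago(2500)),
        Record("finance/pricing_template.xlsx", days_ago(30)),
        Record("hr/payroll_2013.csv", days_ago(900), retain_until=today + timedelta(days=5 * 365)),
        Record("hr/payroll_2006.csv", days_ago(3000), retain_until=today - timedelta(days=1)),
        # On hold and under retention at the same time: the hold must win.
        Record("legal/exec_mail_2012.pst", days_ago(2000), on_legal_hold=True,
               retain_until=today + timedelta(days=30)),
    ]
    plan, audit = triage(records, today, actor="records-manager")
    return {"order": [(path, category) for path, category, _ in plan],
            "first_steps": plan[0][2], "audit_entries": len(audit)}
```

In a real deployment the audit entries would be appended to a store the classifying groups cannot edit (the WORM storage recommended under “Locking the Safe” is the natural home), and the expired-retention case in the sample shows why the schedule, not the last-access date alone, has to be consulted before anything is queued for disposition.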


Creating Repeatable Processes Across Locations

All of this is challenging enough when companies only have one office or location. With multiple locations, the process becomes much more complicated. The terabytes and petabytes of data that companies today produce make it even harder to develop processes that are consistent and repeatable.

This is where technology comes in. Companies should consider factors such as using indexing rather than crawlers to find crown jewels. With e-discovery collection tools such as crawlers, the technology goes to the files, opens them, reviews them and then moves on. If someone at the company needs to revisit a file, the entire process has to begin all over again. Indexing is a much smarter approach. With indexing technology, the system opens and scrapes each file and maintains the extracted information in an index, with a pointer back to the file. (This is how Google works.) If some files are updated the next day, the system knows which files to skip and which to review again. Indexing technology looks for additions, deletions and changes to files and reindexes those every day. This enables a continuous process and keeps the rules static until they need to change, which results in a much smaller expense.
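To make the index-versus-crawler distinction concrete, here is an added example of incremental indexing in Python; it is not the paper’s code or any vendor’s product. Each run fingerprints every file by size and modification time, reads and scrapes only files that are new or changed, carries forward the stored terms and pointer for unchanged files, and drops entries for files that have disappeared, so a query is answered from the index without reopening anything. The sample directory, file names, contents and the word-level tokenizer are constructed for the example.

```python
"""Incremental indexing of a file tree, as opposed to re-crawling it.

Added example (not code from the FTI paper or any product). Each run reads only
files that are new or whose size/mtime fingerprint changed, keeps the pointer
and extracted terms for unchanged files, and drops entries for deleted files.
The sample files, paths and the tokenizer are constructed assumptions.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

TOKEN = re.compile(r"[a-z0-9]+")


def scrape(path: Path) -> dict:
    """Open the file once: hash it and extract its searchable terms."""
    data = path.read_bytes()
    terms = frozenset(TOKEN.findall(data.decode("utf-8", errors="ignore").lower()))
    return {"sha256": hashlib.sha256(data).hexdigest(), "terms": terms}


def build_index(root: Path, previous: dict | None = None) -> tuple[dict, dict]:
    """Walk root; reuse previous entries whose size and mtime are unchanged.

    Returns (index, stats). index maps a relative path to a dict holding the
    fingerprint, content hash, terms and a pointer (absolute path) to the file.
    """
    previous = previous or {}
    index: dict = {}
    stats = {"added": 0, "modified": 0, "deleted": 0, "skipped": 0}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        st = path.stat()
        fingerprint = (st.st_size, st.st_mtime_ns)
        old = previous.get(rel)
        if old is not None and old["fingerprint"] == fingerprint:
            index[rel] = old  # unchanged: no read, no re-scrape
            stats["skipped"] += 1
            continue
        index[rel] = {"fingerprint": fingerprint, "pointer": str(path), **scrape(path)}
        stats["added" if old is None else "modified"] += 1
    stats["deleted"] = len(set(previous) - set(index))  # gone since last run
    return index, stats


def search(index: dict, term: str) -> list[str]:
    """Answer a query from the index alone; files are not reopened."""
    return sorted(rel for rel, entry in index.items() if term.lower() in entry["terms"])


def demo() -> dict:
    """Two indexing runs over a constructed tree; returns stats and query results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed sample content
            "contracts/msa_acme.txt": "Master services agreement with Acme Corp, pricing schedule attached",
            "hr/roster.txt": "Employee roster 2015",
            "notes/todo.txt": "Call legal about the hold",
        }
        for rel, text in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        index1, run1 = build_index(root)
        # Day two: one file edited (its size changes), one added, one deleted.
        (root / "hr/roster.txt").write_text("Employee roster 2015, updated")
        (root / "legal").mkdir()
        (root / "legal/hold_notice.txt").write_text("Legal hold notice for the Acme matter")
        (root / "notes/todo.txt").unlink()
        index2, run2 = build_index(root, index1)
        return {"run1": run1, "run2": run2,
                "acme": search(index2, "acme"), "hold": search(index2, "hold")}
```

The second run touches one changed and one new file and never reopens the unchanged contract, which is the cost saving the text describes. One caveat for the crown-jewel set itself: a size-and-mtime fingerprint is cheap but can be fooled by an in-place edit that preserves both, so the stored content hash should be re-verified on a slower cadence for the repositories that matter most.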


Locking the Safe

Once information is identified and located, it is critical to secure it in the correct repository and otherwise continue to protect it. This includes ensuring repositories are built on WORM (write once, read many) storage, properly migrating data from legacy archives to cloud applications, having—and adhering to—a policy for archiving emerging data types, keeping messaging policies updated and developing a cloud strategy. The fact that companies may not have the technical or policy expertise to properly and cost-effectively manage all of these steps does not make them less important and there are third parties that can easily step in to help meet those challenges.

This is where the rubber meets the road and companies can see tangible results. It’s also one of the ways that information governance can be used to reduce cost and risk in real-world environments: by identifying and safeguarding the company jewels. If companies aren’t doing this already, they need to start before their most valuable possessions are stolen or lost. And if they need help, they must find it.


About the Author

Jake Frazier

Jake Frazier is a Senior Managing Director at FTI Consulting and is based in Houston. Mr. Frazier heads the Information Governance & Compliance practice in the Technology segment. Mr. Frazier assists legal, records, information technology and information security departments in identifying, developing, evaluating and implementing in-house electronic discovery and information governance processes, programs and solutions. These solutions are designed to produce the largest return on investment while simultaneously reducing risk.


Reducing Cost and Risk with Information Governance & Compliance Services


Exploding growth of corporate data, whether stored on servers, in the cloud or on employee devices, presents new challenges and opportunities for your organization.

As data volumes increase, these challenges include safely and defensibly:

• Updating litigation hold, preservation and e-discovery tools and processes for greater efficiency

• Ensuring proprietary data remains secure when employees leave, companies divest, or other similar circumstances

• Developing and implementing information governance policies that do not disrupt the business

• Storing sensitive data, including client information and proprietary intellectual property

• Disposing of old or redundant data to reduce storage costs and reduce risk

• Migrating data to cloud applications and remediating information within legacy applications

• Mining corporate data to find and act upon key information quickly

• 40% to 60%: the average year-over-year growth rate of corporate data.1

• $3,212: the average cost to store one Terabyte of data for one year.2

• $18,000: the cost to review one Gigabyte of data.3

• 100,000: the number of companies that will store over one Petabyte of data by 2020.4 This is larger than the printed collection at the Library of Congress.5

• 40%: the percentage of all data that will live in or pass through the cloud by 2020.6

• $5.5 Million: the average cost of a data breach, or about $194 per compromised record.7

1 Computerworld article: “Data Growth Remains IT’s Biggest Challenge, Gartner Says,” by Lucas Mearian, November 2010.

2 IT Key Metrics Data 2014: Key Infrastructure Measures: Storage Analysis: Current Year, by Jamie Guevara, Linda Hall and Eric Stegman, Gartner, December 13, 2013.

3 RAND Study: Where the Money Goes, 2012.

4 CSC Study: “Data Revolution,” 2011.

5 High Scalability Blog post: “How Big is a Petabyte, Exabyte, Zettabyte, or a Yottabyte?,” September 2012.

6 IDC Study: The Digital Universe of Opportunities: Rich Data and the Increasing Value of the Internet of Things, April 2014.

7 IBM and Ponemon Institute Research study: 2014 Cost of Data Breach Study: United States, May 2014.


Agile Solutions Reduce Cost & Risk

FTI Technology’s Information Governance & Compliance Services provides the people, process and technology to deliver tangible business benefits for organizations. Our goal is to deliver concrete improvements with demonstrable value. We assist in developing, implementing and delivering information governance projects that reduce corporate risk, cut storage costs, secure data, improve the e-discovery process and enable faster and deeper insight into data. These projects include:

Scan and Quarantine Sensitive Data, including Personally Identifiable Information (PII) and Trade Secrets

Ensure your sensitive data is not falling into the wrong hands. FTI Technology can create new security safeguards for sensitive data that automatically alert information governance professionals to sensitive data that is not being secured before a breach, identify and remediate data, or scan for data on “BYOD” devices before employees leave the organization.

File Share Cleanup

All too often, organizations use file shares as the dumping ground for massive amounts of redundant, obsolete and trivial information. FTI Technology can align retention policies and legal holds to defensibly dispose of unnecessary data and reduce both cost and risk.

Litigation Hold and Preservation Optimization / E-Discovery Readiness / Meet & Confer Support

Many companies already have solid skills and existing technology for e-discovery, but are interested in improving performance against benchmarks, and in gaining efficiencies via adjustments to their existing processes, procedures and technology. FTI Technology can streamline your process, technology and workflow across matter management, litigation hold, identification, preservation, collection, analysis and review.

Divestiture Data Segregation

Whether for a divestiture, spinoff, large asset or line of business sale or liquidation, organizations may need to segregate previously shared data. This can be a complex process given today’s global, mobile and collaborative work environments. FTI Technology can appropriately segregate organizational information, document the process, and limit the risk of future third-party subpoenas charging that data is in the “possession, custody or control” of the wrong party.


Backup Remediation

With FTI Technology, you can create a plan to systematically evaluate and reduce your preserved backup tapes, update your disaster recovery policy and include provisions to safely eliminate backups after a set period of time. This will trim storage costs and reduce the likelihood that these backups will be relevant to future legal matters, further driving up the cost of e-discovery.

Workstation & Forensic Image Remediation

If you frequently respond to preservation obligations, your forensic images can quickly accumulate. This stockpile of images can become a costly pool of ESI subject to discovery itself. FTI Technology can reduce your cost and expense by updating your master list of legal holds, scanning old forensic images for only the data that must be held, remediating any unneeded data and bringing this pool into better alignment with organizational goals. In addition, FTI Technology can work with you to refresh and enforce policies for managing workstations when employees leave or join the company.

Decommission and Dispose of Business Applications in a Defensible Manner

Business applications can contain extremely sensitive information, from trade secrets to Social Security numbers to credit card information. FTI Technology can migrate your data to new business applications and make sure your old application, and the data within it, are defensibly disposed.

Modernize Messaging Policies

Messaging is perhaps the most relied upon system in an organization, and many are close to the breaking point due to rapid data growth and outdated processes. Many organizations need to re-evaluate which mailboxes, archives and user email files (like PSTs) to journal, archive, or remediate. FTI Technology can develop and implement these policies, including auto-deletion and storage quotas, in the context of evolving technology and legal requirements. Setting and enforcing the right policies can increase end user satisfaction and productivity, while reducing risk.


Social Media and Messaging Archive Migration and Remediation

Our team can work with you to better optimize or replace your existing archive, migrate legacy data to new platforms and safely remediate the old applications and the data contained within. In addition, FTI Technology ensures that data from social media and messaging platforms are aligned with legal hold or regulated retention policies.

Migration to Cloud Applications, including Office 365

Negotiating contracts with cloud providers that empower your organization to meet its Information Governance demands is often a complex process. For many organizations, porting over data from on-premises legacy systems to new cloud applications is a challenge as well. FTI Technology can migrate your data to the cloud, keeping important data security and retention policies in place, and without disrupting the business.

Find Key Data

As data volumes increase, corporations are challenged in finding important data, both structured and unstructured. With FTI Technology, you can find your valuable data through a combination of our award-winning analytics technology and experienced investigative team.

Enterprise Content Management (ECM) and SharePoint Migration and Decommissioning

FTI Technology can move your data to new ECM or SharePoint systems without disrupting the business, and make sure the old applications are appropriately decommissioned in a way that minimizes risk. This includes appropriately archiving and disposing of dormant repositories.

Voice and Audio Readiness

New regulations require corporations to archive and have easy access to voice and audio recordings. Our team can develop and implement a defensible voice and audio archiving policy in alignment with broader information governance initiatives.


Flexible Engagement Options

FTI Technology’s Information Governance & Compliance Services are tailored to meet specific client needs. Whether you need a trusted advisor to assist with evaluating a new technology, a quick data migration project or a complete transformational service, FTI Technology can right size the approach for you.

Figure: engagement options on a spectrum from project based to managed service:

• Auditing & Continuous Improvement

• Expert Witness Testimony, Affidavit and Other Regulatory & Tribunal Support

• ROI & NPV-Based Business Case Creation

• Program & Process Design Optimization

• Risk Assessment & Maturity Model Benchmarking

• Technology Requirement Creation & Technology Solution Evaluation

• Technology & Process Implementation

• Short Term Managed Service & Training for Transition to Client

• Long Term Turnkey Managed Service


FTI Information Governance & Compliance Services at Work

Securing Data in Dynamic Work Environments

Need: Technology company needed to ensure that outgoing employees left without taking the organization’s proprietary data with them.

Complications: Client employees in several locations required teams to be in multiple places at once. Deeply technical materials demanded a team with sophisticated understanding.

Result: The FTI Technology team developed a process that included interviewing departing employees to identify where specific documents resided, facilitating agreements between all parties regarding which documents should be deleted, collecting and remediating relevant documents and creating a detailed affidavit that outlined the process and included testimonials regarding its completeness and thoroughness.

Updating E-Discovery Processes for Greater Efficiency & Cost-Savings

Need: A Global 500 energy company needed updated e-discovery software to better manage growing data volumes and e-discovery requests.

Complications: Many of the company’s matters were on similar issues with overlapping custodians and the existing process and tools did not allow them to re-use attorney work product across multiple matters. In essence, they were “re-creating the wheel” each time they moved a case through the process, even though the case might have been 90 percent similar to 100 other just-completed cases.

Result: FTI’s Information Governance leadership assisted in updating the company’s e-discovery process, including documenting processes and requirements, evaluating offerings and deployment options, and developing best practices for greater data re-use.

Remediating IP upon the Divestiture of a Business Unit

Need: Two high-tech companies were separating from their partnership.

Complications: Employees from both organizations had IP for remediation across multiple networks, devices and physical locations.

Result: FTI Technology worked with internal counsel from both companies to develop and implement an action plan for identifying data for remediation. Before any action was taken, the parties agreed to generate copies of the documents of interest to the other party and then delete those documents from the other entity’s equipment. Once that process was complete, FTI Technology drafted a certification that outlined the methodologies and steps performed, attesting that they were carried out with accuracy and completeness.


FTI Technology helps clients manage the risk and complexity of e-discovery and information governance. Our complete range of offerings, from forensic data collection to managed document review services, provides unprecedented flexibility to address any discovery challenge with confidence. Clients rely on our software, services and expertise to address matters ranging from internal investigations to large-scale litigation with global e-discovery requirements.

Trusted global leaders in information governance, e-discovery, & investigations

FTI Technology has over a decade of experience in information governance, e-discovery and investigations. Our global team includes forensic experts, corporate investigation specialists and technology and e-discovery professionals. In addition to publishing regular white papers, industry articles and books, FTI Technology professionals are actively involved with thought leader groups such as The Sedona Conference, EDRM and the e-Disclosure Information Project.

With more than 4,200 employees located around the world, we work closely with clients every day to anticipate, illuminate, and overcome complex business challenges in areas such as investigations, litigation, mergers and acquisitions, regulatory issues, reputation management and restructuring.

For more information: [email protected] www.ftitechnology.com

North America +1 866 454 3905

Europe +44 (0) 20 3077 0500

Australia +61 (2) 9235 9300

Hong Kong +852 3768 4584

© 2015 FTI Consulting Technology LLC.

Preparing For the Breach: A Look Into Essential Cyber IG Practices

May 31, 2016

By Ricci Dipshan

It’s a situation every attorney dreads: You are sitting at your computer on what seems like a normal day, when suddenly the screen goes blank, replaced by a notice that your files are being held ransom or your most valuable data has been stolen out of your system.

In the immediate aftershock, myriad questions can run through your mind. But none is perhaps more important, more pressing, than—what’s next?

The answer, explains Jake Frazier, senior managing director at FTI Consulting, depends largely on what has come before.

“Pretty much what I see is that the work you do before the breach is most everything you can rely on once the breach happens. Once the breach happens, it’s really difficult to maneuver,” explains Frazier.

Preparing for the question of “what’s next?” ahead of time can at first seem like common sense, but it is too easy to underestimate the complexities and handicaps posed by an actual breach.

“We do these what we call table-top exercises, where basically we’ll come in and it’s like a war game simulation,” Frazier says. “And we’ll say we just learned the system has been compromised or this ransomware is happening, trying to encrypt things, so what do we do?”

“Often when we work with clients who maybe have underestimated the difficulty of what would happen. They might say, ‘OK, first I’m going to email so and so,’ and we say ‘No, you can’t email, email’s offline—now what?’ And then we just get blank stares and people immediately say, ‘OK, we don’t know what to do.’”

The problem, Frazier explains, is that as cyberthreats have evolved, information governance programs have stayed the same.

“What information security historically has done was focus on the fortress approach—how do we put walls up to keep people out. So that would be proxies, firewalls, encryption, security event information management systems, etc.,” he says. “But as we’ve seen for the most part, that is not sufficient, people will get in one way or another, so the problem is once they get in through a backdoor or over the fortress wall, then they can just run amok.”

Triage and Mirage

But this can only happen if data is out in the open for cyberattacks to exploit. Paramount to any data breach preparation is the golden rule of any information governance program: knowing where sensitive data resides. Yet this, of course, is much easier said than done.

“The key to a good IG policy,” explains Farid Vij, lead information governance specialist at ZL Technologies, “is having a complete understanding of your data at all times so that you can be in a proactive position during a data breach, which is the biggest challenge for enterprises today. There’s simply too much data.”

Thankfully, however, data breach preparedness doesn’t require an all-or-nothing approach.

“This isn’t about creating a basic data map; today, we have to get down to the content level of the document to identify things like personally identifiable information, personal health information, and payment card information.”

What this comes down to is extracting the most sensitive information among the daily network traffic and regularly created or obtained files, and placing them in repositories with security provisions and data backup options.

“That’s definitely one of our most popular engagements right now,” Frazier says. He adds that in previous client engagements, “we were looking at the transactional data that had to do with account setup, and account numbers, things like that,” in which to create “a tiered approach where critical, private data goes off to other repositories that are much more secure, and your transactional data stays behind.”

While these repositories can have the usual layers of security such as “requiring stronger passwords and dual factor authentication,” Frazier notes that they can also provide “data masking.”

This entails scrambling data to create invalid credit card or Social Security numbers. These work as decoys to cyberattackers, while allowing developers to build and test apps using the information as well.
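The content-level scanning and masking described above, as an added example that is not code from the article or from any firm named in it: a small Python classifier that finds payment card numbers (checked with the Luhn algorithm so that other long digit runs are not flagged) and Social Security numbers in text, and replaces each with a same-format decoy that fails validation. The sample lines are constructed, not real data.

```python
import re
# Constructed sample of the kind of content found on an unmanaged file share (not real data).
SAMPLE = """customer: A. Example, card 4111 1111 1111 1111, account ref 2231
hr: ssn 123-45-6789, direct deposit routing 021000021 acct 99887766
memo: reference 1234 5678 9012 3456 looks like a card but fails Luhn
"""

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits, optional space/dash separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Luhn-valid card numbers (digits only) present in text."""
    cands = (re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(text))
    return [d for d in cands if luhn_ok(d)]

def mask_pan(digits: str) -> str:
    """Same length and last four, but guaranteed to fail Luhn: a decoy, not a usable card."""
    body = "0" * (len(digits) - 4) + digits[-4:]
    if luhn_ok(body):
        i = len(body) - 5  # an undoubled position: +1 here shifts the checksum, so it fails
        body = body[:i] + str((int(body[i]) + 1) % 10) + body[i + 1:]
    return body

def mask_ssn(ssn: str) -> str:
    """Area 000 and group 00 are never issued, so the decoy cannot be a real SSN."""
    return "000-00-" + ssn[-4:]

def classify(text: str) -> list:
    """Line-by-line findings as (line_no, kind, masked_value); masked values are safe to log."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for pan in find_pans(line):
            findings.append((n, "PAN", mask_pan(pan)))
        for m in SSN_RE.finditer(line):
            findings.append((n, "SSN", mask_ssn(m.group())))
    return findings

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Running it on the sample reports the card on line 1 and the SSN on line 2 with masked values only, and ignores the Luhn-invalid digit run on line 3.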

Careful Sharing

Equally as important and valuable in data breach preparedness is controlling user access rights to these repositories.

“The key challenge with these breaches is often figuring out what data has actually been compromised and ironically, most organizations don’t know where to start,” says Vij. “Take Sony, for example. The majority of the risk and cost associated with the cyberattack was not the data that was directly hacked, but all the data that the hackers got access to as a result of securing passwords and confidential information.”

But as Terrence Coan, senior director in the Law Firm Advisory practice at HBR Consulting explains, when it comes to delegating file access, the legal industry is ahead of the game.

“Law firms are obviously very organized around client and matter, so there’s an implied hierarchy; if I know who is authorized to access a client matter, then when I file documents into the system by that client and matter, the system applies the appropriate security to the matter team or to those who have reason or right to know.”

Yet like any company in the 21st century, law firms are also at the mercy of file shares, which, while increasing employee efficiency and collaboration, potentially leave valuable data unsecured and accessible to all.

Frazier calls file shares “one of the least secure areas in a network, because it doesn’t have really rigid permissions. There are a lot of permission profiles on file shares that we see called ‘everyone,’ which means anyone who is in the network can just navigate to the file shares and have access.”

He adds that such areas have been used as “dumping grounds,” where in a recent engagement with a client, Frazier and his team found “a few petabytes of data.” Such fileshares, he notes, can include “HR records, compensation statements, customer records, and permission forms to set up direct deposits with routing numbers and account numbers, and all kinds of really risky data.”

But like a potentially unsecured database, Coan says, file shares can be an easy fix. “We may lock those down and prevent people from filing to those locations going forward. While we may not delete the materials currently filed there immediately, we tell users that these locations are not an appropriate place to file materials, and if they do file materials on a network file share, we are going to purge them automatically within a defined period of time.”

Of Man or Machine?

While breach preparedness seems simple in theory, execution may be a whole other story.

“On almost every engagement, I’m asked by the clients, do you believe in a human approach where users are going to classify the data and put it in the right spot, or do you believe in a more automated scanning approach? And my answer is always yes — both,” Frazier says. “So it’s always a belt and suspenders approach that works best.”

Using scanning and AI technology even on computers not connected to the network, he adds, can allow companies to find, move or lock down critical files.

“But in the end,” says Coan, “it often comes down to users having to interact with the data to have context to what the data is saying. If they have personal experience with it, they can then make an informed decision where it goes.”

Admittedly, it can be difficult to trust employees — after all, the rise of shadow IT, fileshares, and poor digital hygiene have made insider threats more probable than external breaches.

But employees will always remain central to breach preparedness and must be kept up to speed through constant training, Coan advises.

“It’s always more going to be a situation that they don’t train enough. And that’s because they can’t or don’t get the budget to do the necessary training and education. … There has to be ongoing and routine training, there needs to be training for new employees who are brought into the organization, and there has to be refresher training of the entire employee population on some periodic basis. For example, every year or every couple of years, just to remind people about why this is important, why we are doing it and what we are expecting people to do.”

And more important, Frazier notes, training works: “We find ultimately that through education and awareness, people do get better about how or when they use shadow IT such as cloud storage, or that they are more rigorous around defining who can access it and making sure that there are controls to minimize unrestricted access by somebody who shouldn’t have it.”

When developing a data breach preparedness plan, he adds, companies must also be careful not to set employees up for failure by encouraging them towards shadow IT or other risky tech behavior.

“In a breach, when systems start getting shut down, knowledge workers have pressure to get their jobs done. If all of a sudden emails are not working because there’s a breach, it’s not unlikely that you’ll see users using Yahoo, Gmail, Dropbox, Google Drive and really anything they can get their hands on to continue to do their job.”

Companies, Frazier says, need to let “users know if there’s a breach, don’t go using other systems, and your manager will take into account any lost time due to this breach —an escape valve, so that the day-to-day pressure is alleviated a little bit while the breach remediation is happening.”

Reprinted with permission from the May 31, 2016 edition of LAW.COM © 2016 ALM Media Properties, LLC. This article appears online only. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 or [email protected]. # 087-06-16-02


Recorded Webcast - Internet Connection Required -

RECORDED WEBCAST:

Finding “Quick Wins” in Information Governance

We asked a wide range of questions to better understand how corporations are approaching information governance. This includes their key challenges, areas of success, and some of the basic mechanics they have adopted to develop and implement these programs. The results clearly show that, with a few exceptions, most organizations are in the early stages of information governance adoption. Yet these executives have strong advice on how best to begin and implement an information governance initiative. From these results, organizations can better understand how their peers are successfully keeping an eye on the “big picture” while executing “quick wins” that help build momentum for broader information governance initiatives.

Educational Objectives:

- The top four roadblocks in developing and implementing IG programs

- Areas of information governance success

- Top advice for organizations just beginning the process

Permalink: http://www.ftitechnology.com/resources/videos/finding-quick-wins-in-information-governance