Friday, February 13, 2015

Thoughts on minimum and maximum retention

I've been considering some of the processes of defensible deletion. Basically, we have a few considerations for establishing a retention requirement:

  • stated retention requirement. Basically, you have to keep it due to some regulation.
  • limitations of action. A period during which an organization may face legal action so it might want records on hand for defense. It is about litigation strategy.
  • no stated retention. Many requirements tell you to retain stuff but then don't state how long.

Note that OMB basically limits retention to three years from creation unless there is an otherwise stated reason for doing so. So one could make the argument that three years is long enough. There are, however, some interesting challenges here.

Dan Michaluk of Hicks Morley wrote an interesting piece on retention and destruction. He notes that privacy legislation often puts a limit on maximum retention. The Ontario Privacy Commissioner, for example, has endorsed a 20-year retention period for credit records. In other situations, the OPC has struck down lengthy retention when there was no business-critical reason for doing so (e.g., retaining personal information of departed employees on the off-chance they are rehired). The British Columbia OIPC challenged a retailer that permanently held on to the contact information of people who made merchandise returns. The OIPC found that the business purpose was valid but that it did not warrant permanent retention.

There's also the issue of retaining a document or record for too little time. In _Lewy v. Remington Arms_, a suit was brought against the arms company after a gun misfired. The suit claimed that the three year retention for complaints and gun examination reports was too short (i.e., limitations of action). The court noted that three years might be "sufficient for documents such as appointment books or telephone messages, but inadequate for documents such as customer complaints."

Another example is _Broccoli v. Echostar_, involving a company that purged email within 21 days. The challenge was that there was no effective holds process in place. The court noted that "under normal circumstances, such a policy may be a risky but arguably defensible business practice undeserving of sanctions."

Wednesday, February 11, 2015

Smallwood's book on Information Governance is actually pretty interesting. I particularly like his list of things to do to actually improve your overall IG maturity:

  • Assign RM responsibilities to a senior executive
  • Hire or promote records managers
  • Develop policies and procedures
  • Develop training for all levels of staff
  • Identify requirements for records findability/accessibility
  • Define business processes
  • Develop audit process
  • Identify business activities for creation and storage of records
  • Assess security and access controls
  • Develop access and security control scheme
  • Implement systems to capture and protect records
  • Develop metadata scheme
  • Develop remediation plan and implement corrective actions
  • Develop enterprise classification scheme
  • Identify user search and retrieval requirements
  • Develop standard for managing the records lifecycle
  • Develop enterprise-wide retention schedule
  • Map retention schedule to classification scheme
  • Implement an annual review process for record series and legal research
  • Develop training for classification scheme and retention schedule
  • Develop procedures for records disposition
  • Implement disposition processes
  • Develop audit trails for records transfers and destruction

Another possible issue that emerges is risk management. Can they log risk events? Can they build risk scenarios? We could also have a discussion about metrics: data loss from misplaced laptops, reduction in intrusions, reduced ediscovery costs, fewer adverse findings, expanded information risk training, roll-out of software or tools, etc.

Change management is another key area of concern.

The executive sponsor has some key concerns: budget, planning and control, decision making, expectation management, anticipation, approval.

Components of the IG team must include IT, RIM, risk reduction, executive sponsor, and IG program manager. Other business units could be involved including human resources, company communications, and business units. Also consider IT security, archivists, business analysts, knowledge management professionals, litigation support, process specialists, and project managers.

Align the plan with the overall strategic plan.

Assess trends: IT strategy, technology, user behaviours, archival formats, etc.

Assess the business environment. Are things booming? Is litigation becoming a bigger concern?

Assess legal, regulatory, and political factors. How much risk is acceptable? Is there impending legislation? What is the institutional appetite for risk?

Consider best practices, for example:
1. IG underpins RIM.
2. IG is a program, not a project.
3. Use frameworks and maturity models.
4. Defensible deletion is critical.
5. IG policies before enabling technology.
6. Secure documents through the entire lifecycle, regardless of where it lives (e.g., IRM)
7. Retention schedules and legal hold notifications are the basics.
8. Use a cross-functional team.
9. Consider applicable laws and regulations.
10. Build a risk profile.
11. Build a risk mitigation plan.
12. Develop metrics.
13. Audit the IG program.
14. Develop enterprise-wide retention.
15. Senior management must drive the program.
16. Redesign processes for information governance before deploying technology.
17. Deal with email.
18. Discourage personal archiving of email.
19. Dispose of email sooner rather than later.
20. Limit cloud use to low risk, low retention documents.
21. Manage social media.
22. Be familiar with international standards.
23. Metadata is part of IG.
24. Remember that some things must be kept forever.
25. Get executive sponsorship.

Tuesday, February 10, 2015

Personal Information Management, revisited

We have a few milestones in the PIM landscape, namely the various ARIST review articles. But what has been done since? Let's look at some of the citing articles. I have a significant availability bias in this review since I'll look at basically whatever Google can easily find.

First off, we have a dissertation by Kyong Eun Oh from 2013 called "The process of organizing personal information", completed under Nick Belkin. The proposed model has some standard steps: initiation, identification, temporary categorization, examination/comparison, selection/modification/creation, and categorization.

The lit review starts with Aristotle, who apparently stated that "every object of human apprehension" can be filed by: substance, quantity, quality, relation, place, time, position, condition, action, and passion. Categorization, however, is never easy. Wittgenstein, for example, articulated the notion of "families" of resemblance.

The review goes through the standard stuff about filers, pilers, non-filers, etc. It points to research that indicates that people organize personal files by task, topic, source, form, or time. Replication work basically indicates that these facets are quite stable but that people often create ad hoc categories to attain particular short-term goals.

One of the issues that emerges is that people are socialized into particular categorization efforts.

The research indicates that people often use a temporary filing location or tool. Sometimes stuff never emerges from this temporary place! Part of the issue might be fuzziness, that is, individual documents might belong to a variety of different categories so filing can be exceptionally difficult. Of course, members of a particular epistemic community might get socialized into different category interpretations.

Massey, et al. "PIM and Personality: What do our personal file systems say about us?"

People aren't completely rational in how they organize their files. Personality plays a role, particularly Openness and Conscientiousness.

Oh "What happens once you categorize files into folders?"

Spoiler alert: people keep things in the folder, move them to other devices, re-categorize them, or delete them... but what else could you actually do with files?

The decisions seem to be based on the particular use for a file and temporal condition. Basically, information curation is an ongoing thing particularly as people engage in ongoing sense-making activities.

Oh and Belkin "Understanding what personal information items make categorization difficult"

Categorization can be tough. You either force things into an existing category, put them into "miscellaneous", or revise the structure. Again, what else would you do?

Wilson "The full report of a study of IV in PIM: The applicability of intrinsic value in personal information management"

Interesting. The study really deals with the question of whether or not we should retain an original. In 1979 the US National Archives and Records Service (NARS) created a committee on Intrinsic Value based on a GSA mandate to microfilm all records and destroy originals. Intrinsic value is indicated by:

1. Physical form that may be the subject for study if the records provide meaningful documentation or significant examples of the form;
2. Aesthetic or artistic quality;
3. Unique or curious physical features;
4. Age that provides a quality of uniqueness;
5. Value for use in exhibits;
6. Questionable authenticity, date, author, or other characteristic that is significant and ascertainable by physical examination;
7. General and substantial public interest because of direct association with famous or historically significant people, places, things, issues, or events;
8. Significance as documentation of the establishment or continuing legal basis of an agency or institution;
9. Significance as documentation of the formulation of policy at the highest executive levels when the policy has significance and broad effect throughout or beyond the agency or institution.

Zhang and Twidale "Folders as workplaces and the impact on relationships between files"

The authors found that people tended to keep either "genre folders" (collections of one type of document, such as a tax form) or "project folders" containing disparate collections grouped together for a purpose. Project folders are challenging because identification and membership are largely a function of context (i.e., every folder seems to operate under its own set of rules). As a result, users create ad hoc file naming conventions to convey that context. Sometimes names are about document status (e.g., the FINAL suffix), about topic, or about document type.

And then my browser died so I lost the rest...

ARMA Generally Acceptable Records Principles

So, what is Information Governance? This question is really tough to answer. One starting point is to review the Information Governance Maturity Model.

The five-level model is fairly standard:

  • Level 1 (Sub-standard). IG and record keeping are not addressed at all, addressed minimally, or addressed in an ad-hoc manner. The primary concern here is legal/regulatory scrutiny.
  • Level 2 (In development). There's a "developing recognition" that there should be some focus on IG and records. Practices are largely undefined or incomplete.
  • Level 3 (Essential). There are defined policies and procedures and there has been some implementation. The focus is primarily on risk and there are still opportunities for business improvement and cost control.
  • Level 4 (Proactive). There is a proactive IG program in place and it receives some continuous improvement. It does not, however, transform itself through the effective use of information.
  • Level 5 (Transformational). IG is integrated into its overall corporate infrastructure.

One starting point could be to assess each descriptor in the governance model to determine where a particular organization currently stands and where it could/should be.

The model presents an approach for execution, basically:

1. Determine a target maturity level.
2. Determine the maturity level of current practices.
3. Based on the gaps, opportunities, etc., assess the risks and opportunities.
4. Determine priorities and accountability.
5. Monitor, assess, and improve (continuously).

The model is based on the following principles: accountability, transparency, integrity, protection, compliance, availability, retention, disposition.

Accountability. A senior executive oversees the program and there are effective policies and procedures in place.

Level 1.
No senior executive is responsible.
Records manager role doesn't exist.
No management of information assets.

Level 2.
No senior executive is responsible.
There is a recognized records manager role but it focuses on defined records, not on information as a whole.
Records management only addresses paper.
IT has de facto responsibility for ESI and records management is not involved.
No systematic storage of information.
Organization has some awareness that it needs to govern information assets.

Level 3.
RM role is recognized and operates on an organization-wide basis.
RM includes electronic records.
RM is engaged in strategic information and records management initiatives.
Senior management is aware of RM program.
Enterprise wants to expand information governance program to the whole organization.
Organization has specific defined goals for accountability.

Level 4.
Organization has an information governance professional that also oversees records management.
RM is senior officer responsible for all aspects of the RIM program.
Stakeholder committee meets on a regular basis to review disposition and other RM issues.

Level 5.
Senior management and board put emphasis on IG.
Information governance leadership is part of the organization's governing body.
Organization has a process to ensure goals for accountability are routinely reviewed and revised.

Transparency. Business process and activities (including IG) are documented and the documentation is openly available.

Level 1.
Difficult to obtain timely information about the business or records management.
Records and IM processes are not well defined or documentation is not available.
No emphasis on transparency.
Cannot support information requests, ediscovery, regulatory responses, FOIA, etc.
No controls for information disclosure.

Level 2.
Organization recognizes the need for process transparency.
Some transparency exists where it is mandated by regulation.
Organization has started to document both business and RIM processes.

Level 3.
Transparency in processes is taken seriously and information is available when required.
Policy regarding transparency in business and records and information management.
Employees are trained on the importance of transparency.
Defined specific goals related to information governance transparency.
Business and RIM processes are documented.
Organization can accommodate requests for information.

Level 4.
Transparency is an essential part of the corporate culture.
The organization monitors compliance.
Process documentation is monitored and updated consistently.
Information requests are managed through regular business processes.

Level 5.
Senior management considers transparency to be a key component.
Automation is in place to facilitate transparency.
Information requestors are consistently satisfied with the transparency.
Organization has processes to ensure that transparency goals are reviewed and revised.

Integrity. IG program ensures that information has a "reasonable and suitable guarantee of authenticity and reliability."

Level 1.
No audits or defined processes for showing authenticity of information or records.
Organizational functions use ad hoc approaches for chain of custody and authenticity.
There is no guarantee of trustworthiness.

Level 2.
Some records and information have metadata to demonstrate authenticity.
No formal process for metadata or chain of custody.
Acknowledgement that metadata and chain of custody are important but control is at the departmental level.

Level 3.
Formal process to ensure level of authenticity and chain of custody.
Data elements are captured to demonstrate policy compliance.
Defined goals for integrity.

Level 4.
Clear definition for metadata requirements for systems, applications, and records.
Metadata requirements include security and signature requirements.
Metadata definition process is part of the RM practice.

Level 5.
Formal process for introducing new records-generating systems and processes, including metadata, authenticity requirements, and chain of custody.

Protection. A reasonable level of protection for records and information that are confidential, privileged, secret, classified, essential for business continuity.

Level 1.
No consideration for information protection.
Haphazard storage of information and records.
Access controls -- if any -- are assigned by the author.

Level 2.
Some protection of assets.
There is a policy for records and information that require protection but the policy doesn't provide clear guidelines for all media types.
Employee training isn't formalized.
Policy doesn't address the sharing of protected information among internal and external stakeholders.
Access controls implemented by content owners.

Level 3.
Formal written policy for protecting records and information.
Confidentiality and privacy considerations are well-defined within the organization.
Chain of custody is defined.
Employee training is available.
Records and information audits are conducted only in regulated areas of the business. Audits in other areas are at the discretion of the functional area.
Organization has defined goals related to records and information protection.

Level 4.
Automated systems provide for protection of information.
Employee training is formalized and documented.
Compliance auditing occurs on a regular basis.

Level 5.
Senior management and the governing body put emphasis on the protection of information.
Audit information is regularly examined and there is continuous improvement.
Information disclosure or loss is rare.
Initial protection goals have been met and there is a process of routine review and revision.

Compliance. The RIM program complies with laws and regulations.

Level 1.
No clear understanding of what the organization needs to keep.
Information isn't systematically managed.
Information management occurs at the department level based on their local understanding.
No oversight or guidance for defensible disposition or IG.
No process for information production processes.
Significant exposure to adverse consequences.

Level 2.
Organization has identified some rules and regulations.
Organization has introduced some compliance policies but they are not complete.
No accountability or control processes.

Level 3.
The organization has identified key compliance laws.
Information creation and capture are generally carried out in accordance with RIM principles.
The code of business conduct is integrated into the overall IT structure.
Compliance is valued and measurable.
Hold process is integrated into IM and discovery processes.
Organization has defined compliance goals.
Organization has reduced exposure due to poor information management and governance.

Level 4.
Organization has automated the capture and protection of information from key systems/repositories.
Records are linked with metadata to demonstrate compliance.
Lack of compliance is monitored and remedied.
Records of training and audits are available.
Legal, audit, and information production processes have defined roles and repeatable processes integrated into the IG program.
Organization is at low risk of exposure due to poor information management.

Level 5.
Importance of compliance is recognized at the senior management/governing body levels.
Auditing and continuous improvement is monitored by senior management.
Roles and processes for IM and discovery are integrated.
Processes are well-developed and effective.
Organization has practically no exposure due to poor information management.
Initial compliance goals have been met and there is a process of routine review and revision.

Availability. Information records should be available in a timely, efficient, and accurate manner.

Level 1.
Records and information are not available when needed.
It is unclear who is responsible for information retrieval.
It requires time to find the correct version (current, final, signed, etc.), if it can be found at all.
There are no finding aids such as indices, metadata, etc.
Information requests are difficult because it's unclear where information resides.

Level 2.
Records and information retrieval mechanisms are in place in some parts of the organization.
It's possible to distinguish records, duplicates, and non-records where there are retrieval mechanisms.
There are some policies on where to store information but the policies aren't consistently applied throughout the organization.
Responding to information requests is difficult due to inconsistent information storage.

Level 3.
There is a standard for the storage and protection of records and information.
There are defined policies for handling records and information.
Retrieval mechanisms are consistent and effective.
It is generally easy to determine where to find final and authentic versions of information.
Information request processes are defined and systematic.
Existing systems and infrastructure facilitate information availability.
Organization has specific goals related to records and information availability.

Level 4.
IG policies have been communicated to employees.
Guidelines and inventories of systems and associated information assets.
Records and information are available when required.
Systems and controls are in place for information requests.
Holds and information requests are automated.

Level 5.
Senior management/governing body support processes to upgrade records and information availability.
Training and continuous improvement are available across the organization.
There is a measurable ROI for records and information availability.
Initial availability goals have been met and there is a process of routine review and revision.

Retention. Information and records are kept for an appropriate amount of time considering legal, regulatory, fiscal, operational, and historical requirements.

Level 1.
There is no documented records retention schedule or policy.
Applicable rules and regulations defining retention are not identified or centralized.
Retention guidelines are haphazard.
Employees either keep everything or dispose of records and information based on their own business needs.

Level 2.
A retention schedule and policies are available but do not get reviewed, don't apply to all information, or are not well known.
Retention schedule and policies are not updated or maintained.
No training on the retention schedule is available.

Level 3.
The organization has a policy for retention.
The retention schedule is consistently applied throughout the organization.
Employees are knowledgeable about the retention policy and their individual responsibilities.
The organization has specific goals related to retention.

Level 4.
Employees can classify records and information appropriately.
Retention training is in place.
Retention schedules are regularly reviewed and there is a revision process.
Records and information retention is a major organizational objective.

Level 5.
Retention is important at the senior management/governing body level.
Retention is applied to all information in the organization, not just records.
Information is consistently retained for an appropriate period of time.
Initial retention goals have been met and there is a process of routine review and revision.

Disposition. Provides for secure and appropriate disposition of records and information.

Level 1.
There is no documentation of the processes for transferring or disposing records or information.
There is no process for suspending disposition.
Different departments have different approaches to holds and disposition.

Level 2.
Preliminary guidelines for disposition.
Realization of the importance of consistent holds or suspended disposition.
No auditing or enforcement of disposition.

Level 3.
Procedures for records and information disposition and transfer.
Policy and procedures for holds.
The policies and procedures might not be consistent across the enterprise.
Organization has defined specific goals related to disposition.

Level 4.
Disposition procedures are understood by all and regularly applied.
The disposition process is defined, understood, and consistently applied.
Records and information in all media are disposed in an appropriate manner.

Level 5.
Disposition processes cover all records and information in all media.
Disposition is automated and integrated into all applications and supporting systems.
Disposition processes are consistent and effective.
Disposition processes are regularly evaluated and improved.
Initial disposition goals have been met and there is a process of routine review and revision.

Training 2014/02/6 #007

Review

There's a belt test coming up at the end of the month so we are reviewing some of the old content. I'm glad that we did because I had forgotten a whole bunch.

After some basic movements we did some wrist grab defense. Basic elbow power works for most breaks but you have to remember to drop your hips, move your body, etc. For two-on-one, it's probably best to "shake your own hand" (i.e., reach in with your other hand to facilitate elbow power). There are also a few options with the cross wrist grab with nikajo being perhaps the best option. Again, move your hips. There's also the issue of feet. In gyaku hanmi (i.e., mirror image) it is perhaps best to use a turning movement: confirm the grip, turn, bar the elbow.

Within the basic movements we talked a bit about entering movements and the use of sokumen irimi nage. Basically, it's a cross-step-body-change in front of your opponent followed by a deep step forward (i.e., to the side and behind your opponent) so that your same side shoulder is basically in their sternum. If you start with a left-forward stance, you cross-step so that your right foot is in front of your opponent and your hands are towards their left shoulder, you take a deep step with your left foot, and then turn, pushing your opponent over your outstretched leg.

YouTube helps with this one!

UPDATE -- We've played around with a few extensions to the basic grab breaks. A good cue is to turn your wrist to get things moving. After elbow power, you can also get the muay thai plum and initiate a throw from there.


Information governance and retention schedules

I'm grinding through some Information Governance material to make sure that my views are still consistent with various trade organizations, etc. I came across an interesting presentation from Winston and Strawn LLP.

They describe the steps in IG:
- Identify a core team
- Identify priorities
- Conduct assessment
- Draft policies/schedules
- Identify tool sets
- Design implementation plans
- Education
- Compliance

These steps are largely consistent with ARMA's GARP maturity model and DACUM model.

Records retention is key.

Classification is also important. Manual methods provide better "accuracy" (92%) but there is a gap for "consistency" (<50%). Automated methods are less accurate but completely consistent in their logic. There is also a cost difference: manual classification is $0.17 per document.

Lots of users will not participate in manual classification. When they do, they are inaccurate and inconsistent leading to effective accuracy of about 50%.