Common approaches to management. Presented at the annual conference of the Archives Association of British Columbia, Victoria, B.C.

Similar documents
Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

Product Overview Archive2Azure TM. Compliance Storage Solution Based on Microsoft Azure. From Archive360

DIRECTIVE ON RECORDS AND INFORMATION MANAGEMENT (RIM) January 12, 2018

ARCHIVE ESSENTIALS: Key Considerations When Moving to Office 365 DISCUSSION PAPER

Manage as Records in SharePoint to Reduce Risk and Cost

ARCHIVE ESSENTIALS

IBM Content Manager Compliance Solution with IBM System Storage N Series SnapLock devices

Microsoft SharePoint Server 2013 Plan, Configure & Manage

Feature Set. Intelligent Archiving & ediscovery Software Solutions

Archive to the Cloud: Hands on Experience with Enterprise Vault.cloud

Before Searching for Solutions It s All About the Data

Management Case Study. Kapil Lohia

Leveraging ediscovery Technology for Internal Audit 2016 Houston IIA 7th Annual Conference

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Frequently Asked Questions: TransVault Migrator for Google

archiving with the IBM CommonStore solution

Veritas Enterprise Vault Setting up SharePoint Server Archiving 12.2

MOBIUS + ARKIVY the enterprise solution for MIFID2 record keeping

2 The IBM Data Governance Unified Process

4.2 Electronic Mail Policy

Top. Reasons Legal Teams Select kiteworks by Accellion

Overview of Archiving. Cloud & IT Services for your Company. EagleMercury Archiving

Start Now with Information Governance

WORKSHARE SECURITY OVERVIEW

BraindumpsIT. BraindumpsIT - IT Certification Company provides Braindumps pdf!

Symantec Document Retention and Discovery

Archiving Market Update

DAOS - IBM Lotus Domino Attachment and Object Service

Supersedes Policy previously approved by TBM

Managing Official Electronic Records Guidelines

Achieving effective risk management and continuous compliance with Deloitte and SAP

NARA RECORDS MANAGEMENT INITIATIVES FOR MORE EFFECTIVE ACCESS TO INFORMATION. SERI Educational Webinar Tuesday, September 9, :00 pm Eastern

Evaluator Group Inc. Executive Editor: Randy Kerns

UNCLASSIFIED. Mimecast UK Archiving Service Description

Information Technology Branch Organization of Cyber Security Technical Standard

Management: A Guide For Harvard Administrators

ISO TC46/SC11 Archives/records management

Exploring Data Governance. and Compliance. for. Office 365. Tony

Google Cloud & the General Data Protection Regulation (GDPR)

HPE ControlPoint. Bill Manago, CRM IG Lead Solutions Consultant HPE Software

Standard CIP Cyber Security Electronic Security Perimeter(s)

Management. Records Management Compliance

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

Visual Classification: The Emerging Foundational Technology for Document-Related, Classification- Dependent Information Governance Initiatives

Google Message Discovery

Addendum 1. APPENDIX B - Technical Information / Requirements Records Management Solution Capabilities. Questions. Number

Sarbanes-Oxley Act (SOX)

Advanced Solutions of Microsoft SharePoint Server 2013

Advanced Solutions of Microsoft SharePoint Server 2013 Course Contact Hours

Advanced Solutions of Microsoft SharePoint 2013

LESSONS LEARNED FROM THE INDIANA UNIVERSITY ELECTRONIC RECORDS PROJECT. How to Implement an Electronic Records Strategy

Southington Public Schools

How to avoid storms in the cloud. The Australian experience and global trends

SECURITY & PRIVACY DOCUMENTATION

Backup and Archiving for Office 365. White Paper

Cloud Archiving & ediscovery Client System Implementation Requirements

Setting the Stage for Automatic Disposition

By John P Collins, JD DTI, Director of Information Governance & Office 365 Consulting

RECORDS AND INFORMATION MANAGEMENT AND RETENTION

Twilio cloud communications SECURITY

SFC Interface Extranet User Manual

Steps to Eradicate Text Messaging Risk

DOCAVE ONLINE. Your Cloud. Our SaaS. A Powerful Combination. Online Services. Technical Overview ADMINISTRATION BACKUP & RESTORE

Three Common Techniques for E-Discovery Preservation

CARROLL COUNTY PUBLIC SCHOOLS ADMINISTRATIVE REGULATIONS BOARD POLICY EHB: DATA/RECORDS RETENTION. I. Purpose

Category: Data/Information Keywords: Records Management, Digitization, Imaging, Image capture, Scanning, Process

SARBANES-OXLEY (SOX) ACT

Enterprise Vault Setting up SMTP Archiving 12.3

12 Minute Guide to Archival Search

Continuous auditing certification

Record Lifecycle Modeling Tasks

Developing a Research Data Policy

GDPR: A QUICK OVERVIEW

OVERVIEW BROCHURE GRC. When you have to be right

Help Your Security Team Sleep at Night

Enterprise Vault Overview Nedeljko Štefančić

Managing Born- Digital Documents.

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

WHEATON COLLEGE RETENTION POLICY May 16, 2013

ISO27001 Preparing your business with Snare

UTAH VALLEY UNIVERSITY Policies and Procedures

[your name] [your job title]

8/28/2017. What Is a Federal Record? What is Records Management?

Symantec Exam Administration of Symantec Enterprise Vault 8.0 for Microsoft Exchange Version: 6.0 [ Total Questions: 265 ]

Proofpoint Enterprise Archive for SEC and FINRA Compliance

Netwrix Auditor for SQL Server

Terms in the glossary are listed alphabetically. Words highlighted in bold are defined in the Glossary.

Information Security Controls Policy

Freedom of Information and Protection of Privacy (FOIPOP)

Content Management for the Defense Intelligence Enterprise

DATA STEWARDSHIP BODY OF KNOWLEDGE (DSBOK)

COMPLIANCE BRIEF: HOW VARONIS HELPS WITH PCI DSS 3.1

Motorola Mobility Binding Corporate Rules (BCRs)

Kunal Mahajan Microsoft Corporation

5/6/2013. Creating and preserving records that contain adequate and proper documentation of the organization.

Symantec Enterprise Vault

Chain of Preservation Model Diagrams and Definitions

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

RECORDS WWU: . WWU Archives & Records Management Tony Kurtz x3124 Rachel Thompson x6654

Transcription:

Common approaches to email management Presented at the annual conference of the Archives Association of British Columbia, Victoria, B.C.

Agenda 1 2 Introduction and Objectives Terms and Definitions 3 Typical Drivers 4 Suggested Considerations 5 Comparison of Approaches 6 Summary 7 Conclusion Deloitte LLP, Global Relay, and affiliated entities.

Objectives and Definitions

Introductions and Objectives What we hope you ll take away from this presentation. 1 Enable more informed conversations about email archiving approaches 2 Provoke further discussion about how we manage records of electronic communications Deloitte LLP, Global Relay, and affiliated entities. 4

Terms and Definitions What we mean by archive, archiving, and related terms in the context of electronic communications management. Archive (n.) A secure physical or digital container used for long-term storage, preservation, management, and retrieval of trustworthy and usable information. Archive (v.) The process of transferring a digital or physical object to an archive. In digital environments, archiving requires taking a copy of the digital object and its metadata. Journaling The process of capturing information about an electronic message while it is in transit (recording an incoming or outgoing email message (including metadata, main body and attachments) independently of the sender or recipient s email server s capture process. Discovery The process of retrieving and providing access to information in response to formal access to information request, litigation, investigation, or audit. Deloitte LLP, Global Relay, and affiliated entities. 5

Types of automated message archiving This graphic shows how journaling and capture from mailbox approaches differ architecturally. Journal Mailbox Archive Platform Capture by Journaling Email Server User Mailbox Capture from Mailbox ECM and Lineof-Business Applications Deloitte LLP, Global Relay, and affiliated entities. 6

Drivers, Considerations and Approaches

Typical Drivers What may lead organizations to implement email management technology and processes. Email contains information of value to individuals and organizations. Simply leaving it in an email system is frequently insufficient to meet business needs. User Access: Users want access to their email long after their mailbox has run out of space. Many firms have banned the creation and use of PST files. Business IP: As much as 85% of an organization s IP may be in email. This data needs to be preserved and leveraged by other systems or in workflows (for example FOI). Regulation: Legislation or regulation requires an organization to retain some or all email. Compliance requires centralized control and management of the email, to facilitate discovery and reporting. Policy: Similar to Regulation except policy is defined by the organization to meet a business need (for example, retain all email from senior management because of high risk of litigation). Costs: Typically, the type of storage required for active mailboxes is expensive, and splitting mailbox content into multiple storage tiers is difficult owing to mailbox system architecture. Deloitte LLP, Global Relay, and affiliated entities. 8

Common Approaches We will be discussing several types of technology and process approaches we see organizations take to manage email. 1. Journaling 2. Capture from Mailbox 3. Risk-Based 4. Manual Transfer to ECM System 5. Transparent Three-Zone Model Deloitte LLP, Global Relay, and affiliated entities. 9

Suggested Considerations What organizations may want to consider when assessing email management approaches. Protection of privacy UX for standard UX for discovery and compliance Recordkeeping enablement Implementation and infrastructure The organization s ability to protect the personally identifiable information (PII) of internal and external stakeholders from unlawful disclosure and use. The ability of mailbox owners to find, organize, and use email messages and attachments as part of their regular work activities. The ability of legal and regulatory compliance teams to find, organize, and use email messages and attachments as part of discovery, audit, and investigation activities. The organization s ability to retain, protect, and provide authorized access to its personnel members business email in conformance to operational and legal requirements, and to dispose of the email when it is no longer needed. Includes managing disposition holds. The organization s ability to implement and maintain the email management technology in support of operational and legal needs. Deloitte LLP, Global Relay, and affiliated entities. 10

Approach 1: Journaling How it works: Captures all email subject to journaling rules at the same time it is sent or received Routes journaled content into an archive No direct impact on the retention of email in the user mailbox Does not significantly affect user experience associated with day-to-day use of email, since journaling is done transparently Applicable situations and environments: Financial services environments with keep everything mandates Scenarios where discovery is likely and risk of noncompliance is high Considerations: Protection of privacy UX for standard UX for discovery and compliance Recordkeeping enablement Implementation and infrastructure Only approved have Users continue to do all Depends on the archive. Records classification can On-premise and SaaS access to the archive and email activity in their mail More sophisticated search be integrated with the archive are available. their access to data can be client. Optionally, can tools than in email clients. standard user s mailbox. Journaling is very reliable restricted as required (e.g. be provided with access to Many tools have early case Retention schedules can be and there is little only to data within a specific only their own data in the assessment tools and automatically applied at opportunity for anything to legal case). The ability to archive and do manual supervision workflows the time of data capture. break. Reconciliation export data from the archive classification in the archive. integrated with the solution. Retention periods can be systems can validate 100% can be similarly restricted. Users search or browse altered during the data delivery of messages. Data folders for their data in a lifecycle, and manual and is archived in near real-time. manner similar to how they automated deletion is Small ask for standard navigate in their mail client. supported. Journalled data. can be transferred out. Deloitte LLP, Global Relay, and affiliated entities. 11

Approach 2: Capture from Mailbox How it works: Captures everything from the user mailbox automatically, subject to archiving rules (often age-based) Enables optimization of storage and emails system performance, but increases risk due to user control of mailbox (archived content may not be comprehensive) Mailbox owners use stubs or plugins to access archived content Applicable situations and environments: Scenarios where optimization of storage and e-mail system performance is the primary driver Low risk / low regulation environments Considerations: Protection of privacy UX for standard UX for discovery and compliance Recordkeeping enablement Implementation and infrastructure Only approved have The email client remains the Depends on the archive. Records classification can Mailbox integration is access to the archive and user interface. No need for More sophisticated search be integrated with the typically part of the archive their access to data can be to access the archive. tools than in email clients. standard user s mailbox. infrastructure. restricted as required (e.g. Plug-ins or folder structures Many tools have early case Retention schedules can be Implementation and only to data within a specific may be added to facilitate assessment tools and automatically applied at maintenance can be legal case). The ability to classification of messages supervision workflows the time of data capture. complex. The mailbox and export data from the archive and their attachments. integrated with the solution. Deleting data from the archive are typically can be similarly restricted. archive can also delete it synchronized once or twice from standard a day. Small ask for mailboxes. Archived data standard. can be transferred out. Deloitte LLP, Global Relay, and affiliated entities. 12

Approach 3: Risk-Based How it works: Combination Journaling and Capture From Mailbox approach with blanket retention rules based on the associated risk High-risk roles subject to journaling to prevent loss of information that could be subject to discovery General user population has Capture From Mailbox set-up to manage mailbox size and optimize infrastructure Applicable situations and environments: Highly litigious environments Situations where adoption is a challenge due to classification overhead Considerations: Protection of privacy UX for standard UX for discovery and compliance Recordkeeping enablement Implementation and infrastructure Only approved have The email client remains the Depends on the archive. Record classification can On-premise and SaaS access to the archive and user interface. No need for More sophisticated search be integrated with the archive are available. their access to data can be to access the archive, tools than in email clients. standard user s mailbox. Could require two different restricted as required (e.g. or to assign records Many tools have early case Retention schedules can be products to be deployed only to data within a specific classifications blanket assessment tools and automatically applied at depending on the specific legal case). The ability to retention schedules are supervision workflows the time of data capture. requirements. Small ask export data from the archive assigned. integrated with the solution. Retention periods can be for standard. can be similarly restricted. altered during the data lifecycle, and manual and automated deletion is supported. Journalled data can be transferred out. Deloitte LLP, Global Relay, and affiliated entities. 13

Approach 4: Manual Transfer to ECM System How it works: Mailbox move messages and attachments to a corporate ECM system from the mail client Mailbox are responsible for assigning the appropriate records classification (and retention rule) Optimally, the ECM system is integrated with the mail client Applicable situations and environments: Lower risk / lower regulation environments Organizations with mature RM practices for non-email content Case management scenarios Considerations: Protection of privacy UX for standard UX for discovery and compliance Recordkeeping enablement Implementation and infrastructure Users need to have the ECM may provide a plug-in Compliance and ediscovery The ECM or email system Records classification appropriate permissions to for email client. Otherwise, have to be done either from needs to be designated as infrastructure is add data to the correct will use the ECM the email system or from the system of record for implemented as part of the location of an ECM system. interface for filing email within the ECM (or both). email, for a strong ECM system, with a plug-in If the system is not correctly: could be drag and This is a problem if the ECM recordkeeping regime to into the email client (or a configured correctly, they drop, pick list, or navigate a does not contain all email be managed. separate web interface). could view/access data that they should not. Read/write access (but not copy) is a configuration option. folder structure. Less disruptive if records classifications are applied in the background to usercentered folder structures. that must be kept to conform with recordkeeping policies. For example, while legal holds can be applied to content in the ECM system, they may cover all in-scope email. Standard will require training to learn the manual transfer and classification process. Deloitte LLP, Global Relay, and affiliated entities. 14

Approach 5: Transparent Three-Zone Model How it works: Combines automated capture from mailbox with additional manual classification to capture email with business value and formal records Leverages plugin integration to corporate ECM systems Based on zones : zone 1 (transitory), zone 2 (business value archive), zone 3 (formal records repository) Requires user interaction to identify and classify zone 3 email Email that do not put in zone 3 is copied to zone 2 for a set retention period Causes some adoption resistance when zone 1 deletion is introduced Applicable situations and environments: Highly regulated environments where user overhead is warranted Organizations with mature RM practices for non-email content Scenarios where a work email system is also used for personal communication Case management scenarios Considerations: Protection of privacy UX for standard UX for discovery and compliance Recordkeeping enablement Implementation and infrastructure Users need to have the appropriate permissions to add data to the correct location of an ECM system. If the system is not configured correctly, they could view/access data that they should not. Read/write access (but not copy) is a configuration option. Users need to decide whether email needs to be kept as a formal record (zone 3), or if it s enough to designate it as having business value (zone 2). Assisted by user-centered folder structures in the zone 3 repository. Compliance investigations and ediscovery may need to be conducted in more than one zone get a full view of responsive content. Record classification can be integrated with the standard user s mailbox. A blanket retention period will be applied to zone 2 email. Deleting data from the zone 2 archive can also delete it from standard mailboxes. Mailbox integration is typically part of the archive infrastructure with the addition of zones. Implementation and maintenance can be complex. Small ask for standard if they are already using the ECM system regularly. Deloitte LLP, Global Relay, and affiliated entities. 15

Conclusion

Conclusion Takeaways from our review of approaches. Email management is a solution to a business problem, not an IT problem Business enablement and regulatory/policy compliance need to define tools, not the other way around The correct email management solution for your organization should be driven by how you need to use and manage the archived data, not by the cost or ease of archiving the data in the first place. User experience is the key differentiator User experience is tied to the effort required to apply the right records classification to email (as well as to find and use email again) What s more important: designing around classification and retention rules, or what will actually do? Collaboration between business, RM, legal, compliance, IT is critical Deloitte LLP, Global Relay, and affiliated entities. 17

Thank you. Stephen Lazenby Head of Product Global Relay Contact: stephen.lazenby@globalrelay.net Jill Teasley Lead, Analytics & Information Management Consulting Deloitte Contact: jteasley@deloitte.ca Deloitte LLP, Global Relay, and affiliated entities.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback