Category Archives: Information Governance


Risk or Reward? The importance of SOC 2


By: Josh Markarian on August 9, 2017

As legal technology advances in areas such as cloud computing and software-as-a-service, clients face increased pressure to make sure their data is safe. Many companies turn to third-party vendors to outsource services such as preserving and collecting ESI.

Unfortunately, third-party vendors have recently been the source of some ugly data breach scenarios, which can cause serious damage to both the client and the vendor. Not only will your reputation take a hit, but you may also encounter lawsuits and large fines.

Service Organization Control “SOC” Reports

To understand the implications of SOC reports, it is best to start with the different types of SOC reports:

SOC 1

Type 1: focuses on a description of a service organization’s system and on the suitability of the design of its controls
Type 2: contains the same opinions as a type 1 report with the addition of an opinion on the operating effectiveness of the controls

SOC 2

Focuses on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy.

Type 1: focuses on suitability of the design of a service provider’s controls over data
Type 2: centers on operating effectiveness of these controls.

SOC 3

A summary of a SOC 2 audit, normally used for marketing purposes. This report contains fewer details.

Why do you need a SOC 2 verified vendor?

The SOC 2 audit provides additional assurance regarding vendor controls that relate to operations and compliance relevant to one or more of the following five principles: security, availability, processing integrity, confidentiality and privacy. Not only will you be able to assure your clients of the safeguarding of their data, you will be able to comply with all of the data privacy and security laws.

TERIS | SOC 2 compliant with the highest level of security

Every employee HIPAA certified
Fingerprint reader for building entry
24/7 security surveillance cameras
Data stored in server room with a bank vault


Everything You Need To Know About The Arkfeld Conference 2016

One of the most important digital conferences in Arizona will be starting shortly. The ASU-Arkfeld eDiscovery and Digital Evidence Conference will take place in Armstrong Hall on March 9-11, 2016, making it the fifth to date. The three exciting days at the ASU campus in Tempe will include stimulating information about the newest issues affecting electronic information, information governance and data analytics.

So what is The Arkfeld Conference? If you haven’t been following the latest news, The Arkfeld Conference is an annual conference taking place at the Sandra Day O’Connor College of Law. It is a program run by attorney, author and educator Michael Arkfeld, who believes that digital advances are very important to law professionals. William Kellerman describes Arkfeld as the ”intersection of law and technology”, in order to ensure effective education and competency among legal professionals.

Last year’s conference attracted over 150 professionals, including attorneys, service providers and counsel. The theme of ”Know the Law, Know the Technology” discussed a variety of eDiscovery issues and allowed a wide array of ideas and valuable networking opportunities for those attending.

At the fifth annual conference, Arkfeld has undertaken the theme, ”Respect the Past. Understand the Present. Shape the Future.” It will be intriguing to see exactly what technological advances will take place in order to shape the future. Some of the highlights advertised by Arkfeld include mock demonstrations on eDiscovery, as well as insights from some of this year’s featured speakers.

This is where we will be hearing from some interesting voices, including U.S. District Judges Shira Scheindlin of New York, Craig B. Shaffer of Colorado, and Xavier Rodriguez of Texas. Furthermore, we’ll be hearing insights from Technologist Steve Watson from Intel Corporation and the Associate Dean of the WP Carey School of Business at ASU, Michael Goul. TERIS continues to be a long-time sponsor of the Arkfeld Conference.

To register:

https://conferences.asucollegeoflaw.com/ediscovery2016/register/

What do you do, again? Information governance…explained.

By Mike Frazier | Director, Information Governance, TERIS

I am routinely asked what I do; followed by the question – “and what is that?”  That’s when I launch into an explanation of information governance, only to be received with glazed-over eyes or blank stares. Have you ever tried to explain IG to someone who doesn’t know much, or anything, about it and struggled to do so?  I certainly have; and it’s a conversation killer.  It’s not that I don’t know what IG is, or even that I can’t explain it.  It’s a matter of putting it into relatable terms, and not trying to explain too much.

One of my best friends from college was really into computers.  So much so that we gave him the nickname “dot com.”  He was always my go-to for all questions related to technology; and that turned out to be well founded as he went on to a great career at Microsoft.  My questions were fairly remedial, but he was usually gracious enough to field them anyway.  I mention him because he would always try to provide an analogy to help me understand the technology about which I was inquiring.  For instance, if I asked about network file shares I received an analogy to sharing a dresser with our buddies that held everyone’s clothes.

Usually, the more detail you try to fit into an analogy, the less analogous it becomes. He wouldn’t try to explain everything about network file shares in the analogy, just enough to help me understand the basic technology by putting it into easily relatable terms.  That helped to foster my interest in technology and gave me confidence to keep expanding my knowledge.  We were a good team – he helped me understand computers and technology, and I helped him understand what our Political Science professor was talking about when he predicted the US was headed for a hegemonic war with China within the next 50 years.

Two lessons I learned from my friend are particularly relevant in the context of explaining IG.  First, find a way to put it into relatable terms for people, without trying to explain it all.  Second, my friend once said that there are so many areas of focus within what we consider “information technology” that it’s not realistic to know it all.

The house that IG built

Implementing holistic IG is a lot like constructing a building.  The IG practitioner is analogous to the general contractor overseeing the construction of that building.  Our job is to marshal all of the subcontractors, who are experts in their respective fields, and provide oversight and direction to the entire project.  There are a lot of moving parts and the IG general contractor is necessary in order to make sure everyone is moving the same direction toward properly constructing the building to the plans that have been specified by the architects and builder (the organizational leadership).  As the general contractor, we must make sure the foundation is laid before the framing is done; and the foundation and framing are done before the electrical, plumbing, and HVAC, and so on down the line until the building is ready.

In my view, the IG general contractor needn’t be the foremost expert in any subcontractor’s specialty, but rather they must be knowledgeable about the fundamentals of each subcontractor’s area of expertise in order to understand where they fit into the picture, what should (and shouldn’t) be done, help to spot and troubleshoot issues, and understand how the actions of one subcontractor affect all of the others, and the project overall.  Each expert subcontractor knows his/her piece of the puzzle better than anyone; and they certainly know it better than the general contractor; but they usually only know and care about their specialty – not everyone else’s.

Without the oversight of the general contractor, work gets done in silos, which are not harmonized across the building.  Imagine what the building’s integrity would be like if the framing crew erected the building’s frame before the foundation was laid; or the electrician set out all the wiring before a frame was erected.  Each subcontractor is just doing what they are experts at doing; but without the marshalling of a general contractor those efforts may not be effectively contributing to the whole.  In fact, performing duties in silos without proper communication across the project will likely lead to duplicated work, disconnected and angry subcontractors, and builders who are ready to scrap the whole project. To bring it back to IG terms – it wouldn’t, for instance, make much sense for an organization to implement a new ERM system, with the intention of better managing their records, if they don’t have an up-to-date record retention policy and schedule ready at the configuration stage of the technology. Yet companies do this all the time.

This isn’t to say that the general contractor could do any of it without the expertise and work of the subcontractors.  Quite the opposite.  The specialists are vitally important, indeed necessary, to the completion of the building.  The building project doesn’t work without them.  IG is more a matter of coordinating their efforts in the context of a larger plan.

Furthermore, each building project has the same fundamentals – foundation, framing, plumbing, electrical, etc. – which can be shown to coincide with key information stakeholders in an organization that should be fundamental to any organization’s IG program.  Generally, the key information stakeholders are records management, legal, IT, privacy, lines of business, and compliance/audit (to the extent these roles exist in the organization).  I won’t attempt to analogize stakeholders to subcontractors.  I’m sure I wouldn’t do it justice; hopefully you get the idea.

Don’t try to be a know-it-all

The second takeaway in this summary lies in the breadth and depth of what information governance can cover.  My good friend once explained that typical enterprise “information technology” – whether it is basic desktop support, networking, enterprise architecture, information security, forensics, mobile and communications, archive and disaster recovery, or something else entirely – covers a lot of ground.  Each of those areas may be considered its own profession under the umbrella of IT.  The same distinction can be drawn in other stakeholder areas.  Take legal, for example – patent litigators and trust & estates lawyers are both attorneys practicing law, but they are vastly different specialties; and one likely knows little or nothing about the other.

Now expand this to include the rest of the potential IG stakeholders in an organization and you can see why it’s not feasible to be an expert in all of it.  In fact, I’ll go so far as to say that you should be wary of any IG practitioner who claims to be an expert across all of the representative areas.  Instead, I’d suggest looking for ones who have a good grasp of the fundamentals of each area (or most areas), who know what they know and (more importantly) what they don’t, and are able to marshal the expert stakeholders to construct the IG program.

It may be understood, but I think it’s worth mentioning in closing, that IG and IG practitioners are not a replacement for any of the information users or suppliers in an organization.  Rather, IG is an operational model that should be woven into the culture of an organization; and the IG practitioner is a facilitator and coordinator of that operation.  This model and these facilitators exist to help bridge disconnections among information users and suppliers in order to reduce risks and increase value for the organization.   After all, without the tenants, what’s the point of constructing the building?

The Corporate Supermarket

By Mike Frazier | Director, Information Governance, TERIS

Let’s take a journey to the supermarket to do your weekly grocery shopping. Only, rather than the supermarket you’ve come to expect, with all of the products being neatly organized by store section, department, and aisle, we’ll be going into an alternate reality for a moment.  Imagine that the products on the shelves are strewn about the store haphazardly.  There are no signs above the aisles, and even when there are they don’t necessarily correspond to the products on the shelves.  The produce is mixed together – fruits and vegetables in and out of the refrigerators and other displays regardless of whether they should be cold or not.  The meats and seafood are commingled, some of it not refrigerated, and they’re also creeping into the produce section.  Much of the produce appears well beyond its peak ripeness, some of the milk has soured, and much of the meat has “turned.”  The frozen foods look to be well organized and in good shape behind their freezer doors, but the doors themselves are padlocked to keep customers out.  Without a key it’s unclear whether those are the products you need or how you access them if they are.  There are shoppers scurrying around the store picking up random products, putting them in their baskets and walking out the door.  Some come back minutes later, drop the products they just left with, and pick up other products – they repeat this cycle a number of times, and none of them seem particularly fazed by the way the store is being operated.  In fact, they seem to have accepted it as just the way things are.  Amazingly, there is also little to no effort being undertaken to organize the shelves and there isn’t much attention being paid to the checkouts either. The security guards look overwhelmed as they try to prevent shoplifting and keep some semblance of order.

Does this sound like a nightmare?  Would you continue to shop at a place like this or would you demand better?  Undoubtedly, none of us would want to make a repeat trip to this store.  In the consumer world this sort of disorganization and clutter would be intolerable.  Why then do we tolerate it in our corporate information management? The vast majority of organizations I talk to are struggling to keep up with the velocity and veracity of their corporate data.  They generally have some, or all, of the following common issues:

  • Unmanageable archive PST files on almost every user’s hard drive;
  • Network file shares that have little or no organization;
  • Retention policies and schedules that are not executed upon or enforced;
  • Silos of structured and unstructured data that are not uniformly managed;
  • Inefficient data preservation processes for litigation and rising eDiscovery costs;
  • Increasing data storage costs, shrinking IT budgets, and thinly stretched internal resources;
  • Content management software that was sold as the easy fix, only to find upon implementation that it is anything but;
  • Limited visibility into the information being created and stored across the enterprise; and
  • Data that is being kept well beyond any legal or regulatory requirement to do so.

Do any of these issues sound familiar?  If so, are you looking to clean up the mess or is everyone in your organization content to be corporate data shoppers that have accepted that this is just the way things are?  I’m here to tell you that there is a better way.  It will take commitment and accountability to get there, but at least you don’t have to do it alone – TERIS can help.  How?  Give us a call and let’s talk about it.

For more information about how TERIS consulting services can help you with your information governance strategy, please contact us at 512.476.3371, or mfrazier@teris.com.


Information Governance: 3 Initial Steps on the Way to Success

Lately, the phrase “information governance” has become one of those buzzwords that people toss around an awful lot without necessarily knowing exactly what it entails. Information Governance (“IG”) is more than virtual archives for old data or having rules about what employees can and cannot access from their work computers. Rather, IG is an enterprise-wide strategy and accountability framework for the management of all of an organization’s data – paper and electronic – not just a few aspects of a company’s data footprint.

Why does IG matter at all? Quite simply, today’s businesses operate in the era of big data where data volumes are growing exponentially and organizations are struggling to effectively manage it. The “Keep everything” mindset puts organizations on an unsustainable path.

Mike Frazier, TERIS Director, Information Governance

For more information about how TERIS can consult with you to create an information governance strategy please contact Mike at 512.476.3371, or mfrazier@teris.com. To view and download a copy of the entire white paper please click here.

Basic Principles to Establish an Information Governance Policy

Information Governance programs are a growing and critical component of how organizations manage their data and records. Understanding information governance and the information lifecycle is important because data impacts all areas of an organization, including regulatory compliance, litigation, continuous improvement processes, IT infrastructure, and business strategies, to name a few.  Additionally, an effective information governance program can help an organization understand what information it finds valuable, thereby enabling it to leverage the new capabilities provided by modern technology. For instance, twenty years ago, if documents were requested in discovery, a categorical document collection and review was undertaken. Today, eDiscovery technologies allow specificity with regard to file types, servers, formats and versions of documents; not to mention the additional efficiencies that may be gained through the use of analytic and clustering tools.

Basic principles of establishing a good information governance policy include:

  • Take time to understand where your organization is currently situated with its governance programs and strategies.
  • Identify what types of data and information are important to the organization and its industry.
  • Design and implement effective data retention policies and schedules so that the important information is preserved in accordance with regulatory requirements and business need, and the rest can be properly and defensibly disposed of in due course.
  • Train employees on the organization’s data policies, and how to correctly handle information.
  • Secure executive sponsorship and top-down support for the information governance model that is established.  While this is listed last here, executive buy-in is possibly the most critical component differentiating successful information governance programs from those that fail.

An organization should have full awareness of how its information and records are being created, used, stored and managed (including what that information contains), and deleted. Additionally, only maintaining “clean” data and defensibly disposing of the redundant, outdated, and trivial data, in accordance with a well-established information governance policy, can be worth its weight in gold if it becomes necessary to retrieve data in response to litigation or government investigation.  That, however, is a topic for another day.

If you would like more information about information governance or how information governance consulting services from TERIS can assist you, please contact us!


5 Reasons Why Information Governance Compliance Is Critical to General Counsel

Information governance, or IG, is the effective management of any information that an enterprise creates, stores or transmits, particularly in digital format. This ranges from the project on the office desktop to the work email that’s accessed from a personal mobile device. Having a successful IG plan in place can be a tremendous benefit to any organization. Yet IG is more than just a workplace productivity tool; establishing and maintaining IG compliance is critical to general counsel as well, for five very important reasons.

1. Assurance of Meeting Document Retention Guidelines

One of the motivations for putting information governance in place at all is to ensure that counsel is not backed into the position of representing clients who may have violated any applicable document retention guidelines. IG policy should cover the entire lifecycle of any intellectual property, from inception to deep storage, protecting projects and information at every stage from hazards such as data corruption or unauthorized access.

2. Streamlined eDiscovery

The discovery process is typically the most involved and time-consuming (not to mention the most expensive) aspect of any litigation action. In the event of legal proceedings that do necessitate eDiscovery, having an information governance policy already in place allows general counsel to more easily find applicable evidence and data, granting a tremendous savings on billing to clients as well as limiting the lengthy time investment for counsel.

3. Clear Chain of Custody

When establishing a chain of custody for any file, document or email, information governance removes any doubts the court and opposing counsel may hold over the possibility of alteration or tampering, either during copying or analysis. Case loss to something as simple as mishandling of digital evidence can be devastating for general counsel, and is largely preventable with comprehensive IG.

4. Defensible, Repeatable Processes

With an information governance policy in place that is already well-established and fully documented, general counsel is far less challenged in proving defensible, repeatable processes during litigation. An established chain of custody contributes to this stability, as does tracking data lifecycles to ensure that any document retention guidelines are being met.

5. Flag Potential Hot Spots Prior to Litigation

Considering the possibility for legal concerns while developing information governance policy helps identify potential hot spots. For example, email correspondence delineating contract negotiations would be invaluable in a wrongful termination suit, while an intellectual property case could be resolved simply by presenting applicable digital documentation in court. Complying with IG policies ensures that any necessary documentation and data will be available to counsel in a short amount of time, and with a minimum of scrambling.