Future Proof – Protecting our digital future

http://www.flickr.com/photos/mnsc/2768391365/

For Information Awareness Month with its theme of better information = better business, we want to do a post on managing your information better in the cloud.

We are being contacted by a lot of government organisations who are wanting to move their email systems to the cloud.

Moving your email or any other business system to the cloud is a business decision and there are no legal impediments under the State Records Act to prevent you from doing this.

You do however have to make an informed decision with a full awareness of all potential risks and mitigation strategies to prevent these. In talking to government agencies moving to the cloud we are finding that they are doing excellent risk assessments to combat a lot of potential security, privacy and technical problems, but they are not asking a lot of questions about the potential information risks they might face.

Here are some pointers for building information risk assessments into your cloud email discussions.

Do not underestimate the complexity of email

Moving email to the cloud is possibly one of the most complex cloud projects to manage. This is because:

• Email is likely to document every different business process in your organisation
• Email is generated by virtually every staff member in your organisation and every user usually has full autonomy and user rights within the email system
• Email covers the gamut of corporate information risk, from the negligible (cake in the tea room at 10:30 – all welcome); to the high (I would like to complain about the conduct of my colleague); to the extreme (attached is the contract committing us to a $10 trillion project)
• Because email covers everything, there are so many different business rules that apply to the governance and management of email messages. Email systems contain information about multiple different business processes (possibly 100s of processes) and these are each covered by multiple business rules. Some of these rules will say that some emails can be deleted pretty much as soon as they are sent (see rules around cake email management), whereas other emails will need to be kept for 100+ years because they document how a Council repaired a bridge, or responded to a formal objection, or handled a disciplinary matter.
• Email is voluminous. The quantities of email messages that most organisations store on their email servers are massive. These data stores are generally unsorted and contain a massive mix of messages, some that  should have been deleted immediately and a much smaller proportion that are very significant to corporate operations or accountability and need to be kept for the very long term.

Email is still a core and critical business system

Research we are doing at State Records shows that the role and importance of email in all kinds of government business is not diminishing.

Despite the wide range of business systems, social media technologies and other applications out there, email is still a very dominant business platform. Email is still used as the driver of the vast majority of high level business decisions and is still used to perform a large number of business transactions internally and externally.  Policy, coordination, senior management and governance processes still use email as their dominant business system. Email is still where the information is.

Recordkeeping in email systems is not always managed well

We also know that in the 20+ years that email has been used in government and business more broadly, recordkeeping in email systems is generally not comprehensive. Many individual staff members are unlikely to capture relevant emails into corporate records systems.

Other staff may be willing, but they are often uncertain about what they emails they should keep and how and when and where they should keep them.

The risk

The risk then when moving to the cloud is that you are moving a high risk, multi transactional, multi-agent, poorly managed and massive dataset to a cloud environment where you need to pay for its ongoing storage.

Cloud solutions in and of themselves are therefore not a solution for email. They are a means of moving an existing problem off site.

Many cloud email systems can also deploy a rolling deletion policy which will, for example, auto delete all emails after 2 years. The risk here is that standard retention rules will be applied that give equal weighting to cake-based emails and emails about $10 trillion contacts.  Strategies need to be put in place to ensure you can keep what you need to keep and routinely destroy the information you no longer require.

The solution

There are of course strategic solutions you can deploy to take advantage of cloud email services while at the same time managing information risks and ensuring your organisation will have all the high value information it needs to support its ongoing operations.

A move to the cloud can be used as the perfect driver to implement effective information governance and control over your corporate information.

If you can deploy good and effective change management processes at the same time as the move to cloud, you can help to prevent the same problems from occurring again in the cloud environment.

An effective change management strategy should make it as easy as possible for staff to know which emails they have to capture and keep in your corporate records systems and which ones they don’t. Processes should be in place to make it as easy as possible for staff to then go ahead and act on this advice. Staff should be trained and monitored to make sure that that the information your organisation needs is actually being captured.

Your strategy needs to give you the surety that all your important business information is actually captured and managed and there when you need it. You simply want to know that the stuff you actually need is there.

Your solutions can be radical. For example, you can put a really good change and awareness program in place and then deploy a cloud based email systems that has a blanket 6 month purge cycle. This type of approach provides people with the knowledge and ability to do what they need to do as well as an impetus to actually do it (the emails will be gone after 6 months, so staff will be motivated to capture the stuff they need in a corporate records system). Busy staff don’t take the time to capture their emails as they should – this type of approach gives them a driver to do it, ideally in ways that are as simple as possible for them.

Alternatively, solutions can be tailored. You could implement a general six month retention period for the majority of staff accounts, but implement a longer retention period for management level accounts, or auto-ingest the email from designated senior staff into your corporate records system.

A solution too is getting a real understanding of the email sitting in staff accounts. Sit down with a variety of different staff across your organisation. What types of information are they keeping in their email accounts? What are the different levels of risk or corporate value that apply to this information? You can use these assessments as the basis for developing specific guidance and advice to individual staff or business units. For example, after looking at some sample email accounts, you could develop procedures for a specific unit to say: ‘ Dear Staff of Unit X – We are moving our email accounts to the cloud. A rolling 6 month deletion policy will be applied which means that any email older than 6 months will no longer be accessible to you. To prevent key business information from being lost and to ensure Unit X has the information it needs for business management, client support and reporting, all staff MUST follow these email management procedures. Emails about accounts payable must be saved to (specify location). Emails about property assessments must be saved to (specify location)….

Your ideal situation should be that:

• emails identified by business staff as high value records that need to be kept are routinely saved to your corporate records system. Once saved in this system, the copies in the cloud system could be deleted. The copies in your records system will be kept and managed for the length of their appropriate business and legal retention periods, thereby mitigating any business and legal risks.
• emails that are duplicates, ephemeral, facilitative, not involved in any approvals or decisions and not needed for accountability or corporate information are routinely deleted.

What is not a solution – standard retention periods

Generic, catch all retention periods are not a solution to the challenge of managing cloud email.

To manage their email and to attempt to resolve some of the challenges outlined above, some organisations are looking to create an email archive or backup that they will keep for a predefined 2, 5, 7 or 10 year period and then purge.

Applying a standard retention rule to all email messages, however, is simply not a solution. It is just a means of creating a whole new legacy data collection for your organisation to manage in 2, 5, 7 or 10 years time. It is very unlikely that your corporate legal or risk teams will, in 2, 5, 7 or 10 years time, let you dispose of your email archive because they will be well aware of the core high risk, high value information contained in there.

Your organisation will suddenly be responsible for sifting through the legacy, purging what should have been purged, saving what should have been saved and doing the management you should have initiated 2, 5, 7 or 10 years ago, instead of creating a data dump.

So please, save yourself the time, money and effort and do something proactive now. Stop the creation of a whole new legacy data problem before it happens. Be proactive, be strategic and manage your information well.

Applying standard retention periods like this to email accounts will also put you in breach of the State Records Act.

What is not a solution – email archiving or journaling systems

Many organisations say that they are looking at cloud-based email archives  and email journaling systems because of their discovery functionality. This statement implies that the organisations already have identified risks and issues with email identification and management in response to discovery orders. The archiving or journaling systems will help in the short to mid term with email identification for discovery purposes, but by themselves they will not help to resolve underlying poor email management and consequent information risk issues.

Rather than passively deploy these types of systems for their catch-all capacity, actively use them as management tools. Many can deploy business rules, or link to workflows or positions or classifications to help identify what is important and what is not important. Taking the time to investigate, configure and deploy this functionality can pay significant dividends in the medium to long term.

Alternatively, deploy the corporate records systems you already have more effectively. Train staff to capture, identify and manage key email records in these systems and to not leave them in their personal internal or cloud based email accounts.

We should heed the example of some large organisations that are turning off their email archives. For similar discovery-based reasons, a number of big organisations with high risk business operations have been using internally hosted email archives to help store their large volumes of email data for a number of years now.  In recent months, some of these organisations have decided to turn their email archives off and stop their use of this technology.

They are doing this because these email archives have become unsustainable data stores. They have become too expensive to keep because new servers were having to be brought online too regularly to support the ever-expanding volumes of data.  The email archives were used to catch all email content. This unmanaged ‘ archive’ is regarded by management as too unregulated and too high risk to delete, so the organisations are stuck in the difficult position of having massive volumes of amalgamated high risk and low risk legacy email going back 6+ years to sift through, separate and manage.

With this recent experience behind them they have decided now to deploy effective change management to ensure staff manage their email right the first time. Staff will now be trained to capture what is needed into their corporate records systems and delete the rest.

In summary…

State Records does not have any problem with email moving to the cloud, as long as your information risks are understood and responded to. It really puts your business at risk if they are not. Email is a high risk business system and unless a move to the cloud is handled well, these risks can be magnified and become exceptionally costly in the medium to longer term.

In moving to the cloud, a lot of IT risks are very well assessed and managed, but the information risks are not, and these risks can have very long consequences. So really do assess your information risks when moving to cloud email and implement genuine management strategies to mitigate them and to maximise your business potential.