Information Stewardship
Nemertes Issue Paper: e-Discovery + ESI = e-Challenges
Overview:
IT Search: Finding the Smoke When the Gun is Long Gone
Submitted by Ted Ritter on Thu, 2008-09-25 10:13.
I just recently wrote an issue paper on the adventures of dealing with e-discovery and the impact of the amended Federal Rules of Civil Procedure (FRCP). The FRCP defines the rules of engagement for litigants in civil cases, and as of last year the rules have been amended to extend the definition of discovery to include any electronically stored information (ESI). Much of ESI discovery is focused on either finding the smoking gun email ("you want to do what with me? To keep my job?") or
Sharpening Stones and Walking on Coals
Submitted by John Burke on Fri, 2008-05-09 09:37.
A typical evolutionary path for event and log management in an organization runs like this: paleolithic admin uses just eyes and brain to review logs, looking for evidence of misbehavior, misconfiguration, and mischance; crafty neolithic admin cleverly adds scripts to the mix and automates as much of the review as possible; later, the tools come from others rather than being made by his or her own
Nemertes Issue Paper: The Path to Continuous Compliance Management
The Issue:
As the role of the CSO shifts from technical security expert to risk
mediator, manager and advisor, compliance is rapidly becoming the domain of
the CSO. In this role, the CSO is faced with the continual tug-of-war in the
corporation between legal, business and IT. To make matters worse, the CSO –
as Chief Risk Officer – is put in the position of keeping the company out of
trouble, without having any control over the direction of the company, or the
actions of IT, business and legal. The only way that the CSO can affect risk and
manage risk is through implementation of a strong compliance management
process. Compliance management is the heart of governance and risk
management and as such, it is the main tool in the CSO toolbox.
Compliance is a complex issue and it requires a unique combination of
technical, legal, business and management skills. Compliance itself requires
solving the equivalent of a multi-variable equation: regulations, control
frameworks and change. To achieve continuous compliance management, CSOs
must implement tools and processes that automate and streamline the
compliance management process. The first step is implementation of logging,
eventually culminating in the establishment of a continuous compliance
management solution that not only reports on what has happened, but
implements triggers, monitors and controls to prevent what is going to happen.
Read this Issue Paper: The Path to Continuous Compliance Management
Nemertes Issue Paper: Not an End In Itself: Information Protection and Return on Risk
The Issue:
Information protection is one of the core disciplines of Information
Stewardship, alongside business continuity, information lifecycle management,
data quality management, and compliance. The purpose of Information
Stewardship is to enhance the value of information and reduce the risk to
information within the context of the business value. In other words, Information
Protection is only relevant in the context of the broader value of information.
Maximizing information protection must always be balanced against
maximizing the business value of information. The business value of information
is derived from the processing, transformation, sharing and dissemination of
information – the very activities that create risk! It is crucial to look at
information protection as one axis in a broader picture of investment and
innovation decisions: you cannot focus only on maximizing information
protection (maximizing security). After all, the best way to maximize the
protection of information is to lock it up and throw away the key – which of
course means that the information is then no longer available to the business.
Being a good steward of the information requires using security to enable
business functions while minimizing their risk as far as necessary.
Read this Issue Paper: Not an End In Itself: Information Protection and Return on Risk
Nemertes Issue Paper: Information Risk Management in the Enterprise
The Issue:
Enterprise IT security is being pulled steadily towards a risk-based view of
the world. Companies need to understand their tolerance for risk, and embrace
technologies and practices that allow them to meet, but not exceed, that
tolerance. The disciplines of information stewardship provide a lens through
which the enterprise can focus its actions in information risk management. By
focusing on the discipline of information protection, it can choose where and how
to apply technologies, such as encryption, to maximize the return on risks of
information leak or theft. Focusing on data quality management can minimize
both the operational risks from inconsistent or incorrect data, and the legal risks
from lapses in compliance, inadvertent disclosure, or unintentional failure to
disclose information in court. Focusing on continuity mitigates risk from data
being unavailable due to natural disaster, system breakdown, or attack.
Read this Issue Paper: Information Risk Management in the Enterprise
First-timers and one-timers
Submitted by John Burke on Wed, 2008-03-26 16:36.
When I was going over the parallels between the numeric-control vs record-playback (NC vs RP) machine tools, there was a significant point of dissimilarity that was glossed over: machine tool inputs are known. The variable there is what you want to make with the material, the genius of the trained master being in how best to get from untouched stock to finished product.
Nemertes Benchmark: Service-Oriented Architectures and Applications
Overview:
SOA creates unique challenges for architecture and governance. SOA is a global phenomenon with local significance. As discussed in Volume 1, "Organizational and Operational Trends," organizations are launching SOA initiatives with the goals of greater business agility and flexibility. SOA facilitates these business goals through increased interoperability, faster integration of applications, and services reuse. If one distills the SOA message down to one word, it must be agility. Unfortunately, agility is not a term widely used to describe architecture, and certainly not a term used to describe governance. In fact, rigidity and static are far more common descriptors. After discussing these issues with participants, it became clear to us that the same driving goals of SOA, flexibility and agility, must also drive architecture and governance. For organizations to be successful, they must implement an agile architecture with agile governance.
Nemertes Benchmark: Service-Oriented Architectures and Applications
Overview:
Service-oriented architectures (SOA) are poised to change dramatically how IT thinks and works in the enterprise, and how the enterprise thinks about IT as well. The shift from monolithic applications to loosely coupled constellations of collaborating software components is under way, with most of the enterprise IT executives with whom we spoke already having deployed at least a pilot SOA, and a few having completed the journey.
The shift is pervasive and promises to reduce the cost of integrating new systems into an existing infrastructure as well as the cost of building and maintaining software. It opens the door to fully integrating software provided by service providers – software as a service – into an infrastructure, rather than that being a separate and disconnected island of functionality.
In the first volume of this benchmark, we explore the basic organizational and operational characteristics of the move to SOA: why organizations pursue it (or choose not to), how much they are spending and how it is paid for, how IT and the enterprise organize around it, and what benefits they are seeing from it.
Reaching Out to Protect Within: Comparing and Contrasting ISO and NIST Information Security Standards
Overview:
In Nemertes' latest research benchmark, "Service Oriented Architectures and Applications," a resounding 90.6% of participants say that compliance requirements directly affect their SOA. In fact, we know that compliance requirements directly affect all aspects of IT.
New Data Center Strategies: The Botnets Are Coming!!
The data center is the new castle, and the botnet hordes are coming for it
New Data Center Strategies Newsletter, By Andreas M. Antonopoulos, Network World, 2/6/07
One of the main findings from Nemertes’ security research in 2005 and 2006 was that the security perimeter is eroding.
With all the connections to partners, suppliers and customers and all the mobile workers, it was almost impossible to define a clear perimeter outside the data center. So the data center has become the retrenched position for most security defenses. The data center has become like the castle keep: a central hardened tower, the most defended area and the location of the most prized possessions.
Nemertes Issue Paper: Securing Virtualized Infrastructure
The Issue: A New World to Secure
Data centers today are truly “new” from every perspective: facilities, storage, management, computing, and networking. Although data centers have existed as long as enterprise computing itself has, a confluence of economic, enterprise, and technological changes is driving a major metamorphosis in data center design and implementation. This, in turn, is determining how data center and security professionals approach the problem of securing the data center and the enterprise network from threats, internal and external.
Nemertes Impact Analysis: Cisco's Reactivity Acquisition Highlights XML Security
By Andreas M. Antonopoulos, SVP and Founding Partner, Nemertes Research, Feb. 22, 2007
The announcement on Feb. 21 that Cisco Systems (NASDAQ:CSCO) plans to purchase privately-owned XML-appliance vendor, Reactivity, spotlights the increasing importance of XML as an application integration protocol and the need for application-level security and management tools in the network.
Reactivity makes appliances that accelerate the adoption of XML Web services and SOA software development by helping to deploy, control and manage XML application interfaces and data streams. The acquisition complements Cisco's Application-Oriented Networking offerings and strengthens its security portfolio.
Nemertes Benchmark: Delivering the Enterprise: Service Delivery and Management
Overview
The enterprise is in a strange new position when it comes to providing its employees with the tools they need to perform their duties.
On the one hand, the tools continue to become, or come to rely on, information systems. Companies and industries convert processes that were paper-based (such as medical records management) to be all-digital. Physical tools (like packaging machines on a factory floor) continue not only to be driven by ever more sophisticated automation, but also are increasingly tied into the rest of the IT infrastructure by supply-chain management or other software.
Nemertes Impact Analysis: New eDiscovery Rules Push Companies Toward Information Stewardship
By John E. Burke, Principal Research Analyst, 11/09/06
A new regime for handling discovery of electronic documents in civil cases goes into effect in December and will potentially ease some of the burdens of managing e-discovery while pushing organizations to improve their enterprise information stewardship.
In 2005, the Supreme Court’s Judicial Conference Committee on Rules of Practice and Procedure proposed amendments to the rules surrounding discovery to deal directly with “electronically stored information” (http://www.uscourts.gov/rules/Reports/ST09-2005.pdf, pp. 27 ff.) The biggest and most important change is to recognize electronically stored information (ESI) as a separate category in discovery, distinct from documents and objects. With that distinction understood, many other rules are amended to account for issues of the speed and volume of automated production of information, varying degrees of recoverability, and the ephemeral nature of much information in systems. The parties in litigation are now required to discuss e-discovery during their general discovery conference in the 60 – 90 days after complaint is served, and to include e-discovery concerns in their discovery plans. They must also describe the type and location of ESI with which they will support their claim or defend themselves.
IBM Acquisition of ISS Highlights Criticality of Information Protection, Stewardship
By Johna Till Johnson, President; and John Burke, Principal Research Analyst, Nemertes Research Inc.
Aug. 25, 2006
IBM's (NYSE: IBM, http://www.ibm.com) recently announced intent to purchase ISS (Nasdaq: ISSX, http://www.iss.net) for $1.3 billion in cash highlights the increasingly high profile of information stewardship in general, and information protection in particular.
ISS dramatically augments IBM's existing information management and security capabilities, and IBM says the acquisition will enhance its managed security services and address the growing need for information protection.
IBM is right, but isn't being bold enough
Novell’s e-Security Acquisition Highlights Need for Automated Compliance
By Melanie Turek, Sr. Vice President, Nemertes Research Inc
April 21, 2006
The news that Novell [NASDAQ: NOVL] will acquire privately held e-Security, Inc., spotlights the need enterprises have for automated compliance solutions. According to Nemertes’ benchmark, “Information Stewardship: Holistic Data Management in the Enterprise,” 86% of IT executives say compliance is a “vital” issue for them and their organizations, yet only 23% say their companies deploy technology specifically designed to help them in their compliance efforts.
The main reason companies don’t implement compliance tools? They’re not convinced the solutions exist to help them. IT executives want out-of-the-box applications that make it easy to define policy, track usage, manage reports, and meet auditing deadlines.
Archiving for Compliance and Discovery
Almost two-thirds of the IT executives who participated in Nemertes’ benchmark, “Information Stewardship: Holistic Data Management in the Enterprise,” say archiving—and the related logging and auditing capabilities—are “vital,” and 24% consider them “very important.” And yet, only 21% of participants are using technology to help with their retrieval efforts, despite the fact that this is an onerous process for most.
Although the majority of IT executives consider their organizations to be “very” or “extremely” successful at information retrieval, six percent say they’re completely unsuccessful at it. This is a problem not just for compliance, but also for legal discovery, during which companies may be required to produce electronic records in a timely fashion. Companies that cannot do so face steep fines, among other headaches.
Morgan Stanley Suit Highlights Need for Archiving Best Practices
By Melanie Turek, Senior Vice President, Nemertes Research Inc.
March 31, 2006
News of a lawsuit between Morgan Stanley and one of its former employees provides a good example of why companies need to give more than technical consideration to the policies they put in place for e-mail and IM archiving. When asked, 90% of IT executives say they consider e-mail and IM messages to be corporate information, according to the Nemertes benchmark, “Information Stewardship: Holistic Data Management in the Enterprise.” On the other hand, only 50% of companies include messaging as part of their compliance efforts, and then very often they include only e-mail and not IM. For those companies, however, archiving is about more than just technology.
‘Information Stewardship’ Huge Issue for IT Execs in 2006,
But Many Enterprises Lag In Strategies
NEW YORK, NY, Dec. 19, 2005– Eighty-seven percent of IT executives say information stewardship – managing and setting policies for every byte of data in the enterprise – is vital to their organizations, according to a ground-breaking research benchmark from Nemertes Research. Yet only 40% rank information stewardship as important when it comes time to put money and resources behind it. Most do not have a person or group dedicated to managing information stewardship. And fewer than half of IT professionals have done actual return-on-investment calculations regarding the process.
How ready would you be if the courts asked for your firm's electronic evidence?
Electronic discovery to drive storage consolidation
By Andreas M. Antonopoulos, Network World, 11/08/05
In the last few years, many legal cases have hinged on a forgotten, incriminating e-mail that was pulled out of a mountain of electronic evidence.
Impact Analysis: IBM Ascential Acquisition Boosts Customers Integrated Information Stewardship Options
By Melanie Turek, Nemertes Research Inc.
May 10, 2005
IBM’s (NYSE: IBM) recent acquisition of Ascential Software (NASDAQ NM: ASCL), a leading provider of data-integration tools, highlights Nemertes’ identification of the critical role information stewardship plays in the enterprise. Information stewardship includes information protection (encryption, identity management, anti-malware, etc.); logging and auditing (records retention, compliance); data-quality management (data validation); and information-lifecycle management and business continuity planning/disaster recovery (BCP/DR). Never has it been more critical to businesses worldwide, as government regulations, increased customer awareness, and the need for business agility increase pressure on companies to secure, manage and use their data wisely.
Impact Analysis: Time Warner Data Loss Highlights Need for Information Stewardship
By Johna Till Johnson, Nemertes Research Inc.
May 6, 2005
Time Warner Inc.’s (NYSE: TWX) recent announcement that it lost sensitive data (including names and social security numbers) for 600,000 of its employees highlights the need for enterprises to create effective information stewardship policies. Time Warner’s data was on backup tapes maintained by storage facility provider Iron Mountain Inc. (NYSE: IRM), and was apparently lost in transit to the storage facility. Other companies that have recently suffered high-profile data losses include Bank of America (NYSE: BAC), which in February lost backup tapes containing credit-card records for more than a million government employees, and ChoicePoint Inc. (NYSE: CPS), which the same month was attacked by identity thieves who gained access to sensitive customer data.
