Information Security

Data is not just critical to business it is core. It is the essence of a company’s function. Big data is a major part of that flow, and the more customer data that is out there, the more it needs protection.

As big data gathers momentum, incorporating security into planning and processes in the early stages of a project are becoming more important. The big data revolution is just getting started and will present major security challenges if its data management is not carefully planned.

Formerly the exclusive domain of IT, information security has now become the domain of everybody including content and knowledge managers.

Major retailers and government agencies have suffered data breaches, denials of service and destructive intrusions. Millions of individuals have been affected, and organizations are now forced to devote more resources to prevention and remediation. Everyone in a company, from consumers to CEOs, has become acutely aware of the hazards of failing to protect information.

Every business user and anyone accessing data needs to be aware of it. The advent of the mobile worker and the proliferation of cloud technology have added a new dimension.

People want to run their businesses on a tablet, and they can do that but information managers need to understand how to do it safely. Much of the data in an enterprise exists only at endpoints, which increasingly are mobile devices.

According to a study by IDC, 75% of the U.S. workforce is mobile, with most of those employees having more than one mobile device. But those devices are at risk: about five to 10% of laptops are lost each year, according to a study from Ponemon Institute, and about one-third of them contain unencrypted sensitive or confidential data. In another study, one in six respondents reported having a mobile device lost, stolen or destroyed. In addition, a lot of intellectual property is stored on mobile devices, and in the event of litigation, the company has to be able to locate it.

Despite the convenience of mobile devices, their use creates well-recognized conflicts with security, especially in the face of increased frequency of BYOD (Bring Your Own Device).

Even when users hold onto their devices, security is far from guaranteed. Data is becoming more dispersed and fragmented. Even when companies do not know where the data is flowing, they still have an obligation to protect it. Information sharing is the norm rather than the exception today, both among employees within an organization and with outside organizations.

Along with mobile devices, the supply chain is a point of vulnerability. Once supply chain information leaves your organization, you don’t know what is being shared and what is being protected. Tracking it is a massive task and has often been managed by departments well outside of IT, such as procurement. It’s not just information about material goods that enters the supply chain; intellectual property associated with the products also goes to third-party suppliers. Information, such as patent data or formulas for pharmaceuticals, is shared with lawyers and accountants.

Analyzing the risks to information in the supply chain can help focus resources on mission-critical data. Companies should work with their vendors to ascertain how they are protecting information, and to consider putting security requirements into the contracts they write with suppliers.

Business and IT should start with a conversation to explain what protection the company has in place and what measures are being taken. Then, the business side can work with IT to develop business cases based on the impact of their operations and illustrate the ROI for protection of their functions. That can help IT by showing the costs of downtime and clarifying what needs to be protected.

Technology can help overcome security problem. For example, an application can provide continuous backup, but users don’t know that it is running or the can also enforce encryption without the user’s awareness and remotely wipe laptops to clear the data. There are products which focus on encryption and tokenization, to secure the data itself rather than the network environment. Tokenization provides visibility to the flow of data without putting the data at risk.

A new product called Protegrity Avatar for Hortonworks is designed to secure individual data elements while managing and monitoring the data flow in Hortonworks, an enterprise Hadoop data platform.

In most cases, organizations need to deploy more than one security solution, because the threats are many and varied. Most companies use a best-of-breed strategy, picking out the strongest solutions for their needs.

Data security is about data protection, but it is also about continuity and availability. Protecting information with technology is important, but it is not a substitute for information governance within a company.

Achieving the right balance between business needs and information security requires a fundamental shift in attitude. Rather than thinking of data as something a company owns, business owners need to come to term with the fact that they are custodians of data that needs to flow and be managed.

A legislative proposal announced by the White House in mid-January is designed to increase data security by promoting information sharing, strengthening law enforcement for cyber crimes and requiring that data breaches be reported promptly.

Companies have been concerned about information sharing because of the risk of liability for violating individuals’ privacy. The bill addresses that issue by requiring compliance with privacy guidelines, including removal of unnecessary personal information. The legislation would simplify and standardize the requirements for reporting data breaches. Currently, the laws exist at the state level, but not all states have them, and those that exist are not consistent.

Whether defending their website from intrusions, keeping applications running or protecting data elements, organizations are faced with an increasing number of threats and a complex security environment. Awareness at every level of the extended enterprise will be essential to minimizing the adverse impact of security incidents.

Galaxy Consulting has 18 years experience in information security and governance. Please call us for a free consultation.

Yammer and SharePoint

Enterprise social network vendor Yammer was a large and fast growing player when Microsoft acquired it in late 2012. Yammer has users in more than 150 countries, and the interface is localized into more than 20 languages.

At its core, Yammer is a micro-blogging service for employees to provide short status updates. Whereas Twitter asks, “What’s happening?” Yammer asks, “What are you working on?”

Over the years, Yammer’s functional services have expanded a bit to include the ability to express praise for co-workers, create polls, share documents and provision smaller discussion groups. In practice, however, some of those supplementary services aren’t as rich or well-integrated into SharePoint as you might find in competing products.

And you can find a lot of competing products: from collaboration suites that offer tightly integrated social networking services to supplemental “social layer” offerings that compete directly with Yammer.

For this reason, it would be good to ask this question: Is Yammer truly the best social layer for your enterprise?

When Microsoft acquired Yammer shortly before releasing SharePoint 2013, the deal sent shock waves through the marketplace. Soon Microsoft started recommending that you hide SharePoint’s native social services in SharePoint and use Yammer instead.

Microsoft now promotes Yammer as a social layer over all your Microsoft systems, especially Office 365. Yammer usage can explode within an enterprise that heretofore offered no micro-blogging services, let alone any enterprise social network. People happily check in and often find new or long-lost colleagues in the first few days and weeks.

Yammer boasts a huge customer community. Customers get access to the quite sizable Yammer Community Network, where licensees share their successes, problems, questions and tips with the community as a whole. A small but growing apps marketplace rounds out the picture of a vibrant ecosystem around Yammer.

Smaller departments use Yammer to stay in touch, but enterprise-wide conversations typically decrease. Usage also drops off when employees struggle to place the service within the regular flow of their daily work. Yammer becomes yet another place you have to go, rather than a service you exploit as part of your regular workflow.

In a mobile environment, Yammer and SharePoint usage entails at least two separate native clients.

Yammer has key application: social questions and answers. When a user starts to type a question, Yammer uses a real-time search to auto-suggest already asked questions. That is useful and helps to eliminate duplication in content.

However, there are no ratings for answers and the original questioner cannot declare an authoritative answer. Search is not really ideal, so as answers build, they become harder to leverage, especially given the scarcity of curation services. Yammer works less for knowledge management and more for really simple, quick responses to simple questions.

Another Yammer key social application: communities of practice. Groups are either public or private. You might also have separate groups in Exchange and SharePoint (via Delve), as well as Communities in SharePoint.

There is single sign-on to Yammer with Office 365.

Larger enterprises find Yammer better suited as a supplement to formal collaboration and social networking efforts rather than as the center. Its simplistic handling of files and limited search facilities limit Yammer’s ability to serve as much more than a simple micro-blogging service.

If you are looking for pure micro-blogging services to communicate across your enterprise and are not looking for ready-to-use applications tailored for specific goals and processes, Yammer offers an obvious alternative to consider, especially for those whose SharePoint plans rest primarily on the Office 365 edition.

Galaxy Consulting has experience with all versions of SharePoint and with Yammer. Please contact us today for a free consultation.

E-Discovery and its Stages

Every organization should take necessary steps to be prepared for E-Discovery. What is E-Discovery?

Electronic discovery or E-Discovery refers to discovery in legal proceedings such as litigation or government investigations where the information is sought is in electronic format. This information is often referred to as electronically stored information or ESI.

Electronic information is considered different from paper information because of its intangible form, volume, transience, and persistence. Electronic information is usually accompanied by metadata that is not found in paper documents and it can play an important part as evidence. For example, the date and time a document was written could be useful in a copyright case. The preservation of metadata from electronic documents creates special challenges to prevent its destruction.

E-Discovery Stages

Identification

The identification phase is when potentially applicable documents are identified for further analysis and review. Failure to issue a written legal hold notice whenever litigation is reasonably anticipated, will be deemed grossly negligent. This is why it is very important to implement legal holds on specific electronic information.

Custodians who are in possession of potentially relevant information or documents should be identified. To ensure a complete identification of data sources, data mapping techniques can be used. Since the scope of data can be overwhelming in this phase, attempts are made to reduce the overall scope during this phase, such as limiting the identification of documents to a certain date range or search term(s) to avoid an overly burdensome volume of information to be on legal hold.

Preservation

A duty to preserve begins upon the reasonable anticipation of litigation. During preservation, data identified as potentially relevant is placed in a legal hold. This ensures that data cannot be destroyed. Care should be taken to ensure this process is defensible, while the end-goal is to reduce the possibility of data destruction. Failure to preserve data can lead to sanctions. Even if the court rules the failure to preserve as negligence, they can force the accused party to pay fines if the lost data puts the defense at an undue disadvantage in establishing their defense.

Collection

Once documents have been preserved, collection can begin. Collection is the transfer of data from a company to their legal counsel, who will determine relevance and disposition of data. Some companies that deal with frequent litigation have software in place to quickly place legal holds on certain custodians when an event (such as legal notice) is triggered and begin the collection process immediately. The size and scale of this collection is determined by the identification phase.

Processing

During the processing phase, native files are prepared to be loaded into a document review platform. Often, this phase also involves the extraction of text and metadata from the native files. Various data sorting techniques are employed during this phase, such as de-duplication. Sometimes native files will be converted to a paper-like format (such as PDF or TIFF) at this stage, to allow for easier redaction labeling.

Modern processing tools can also employ advanced analytic tools to help document review attorneys more accurately identify potentially relevant documents.

Review

During the review phase, documents are reviewed for responsiveness to discovery requests and for privilege. Different document review platforms can assist in many tasks related to this process, including the rapid identification of potentially relevant documents, and the sorting of documents according to various criteria (such as keyword, date range, etc.). Most review tools also make it easy for large groups of document review attorneys to work on cases, featuring collaborative tools and batches to speed up the review process and eliminate work duplication.

Production

Documents are turned over to opposing counsel, based on agreed-upon specifications. Often this production is accompanied by a load file, which is used to load documents into a document review platform. Documents can be produced either as native files, or in a paper-like format (such as PDF or TIFF), alongside metadata.

Types of ESI

Any data that is stored in an electronic form may be subject to production under common E-Discovery rules. This type of data can include email and office documents, photos, video, databases, and other file types such as raw data.

Litigators may review information from E-Discovery in one of several formats: printed paper, "native file", or a paper-like format, such as PDF files or TIFF images. Modern document review platforms accommodate the use of native files, and allow for them to be converted to PDF and TIFF files. Some archiving systems apply a unique code to each archived message or chat to establish authenticity. The systems prevent alterations to original messages, messages cannot be deleted, and the messages cannot be accessed by unauthorized persons.

Because E-Discovery requires the review of documents in their original file formats, applications capable of opening multiple file formats would be very useful.

In order to prevent data to be inadvertently destroyed, companies should deploy which properly preserves data across companies, preventing inadvertent data destruction.

Proper retention and management of electronically stored information (ESI) is crucial in every organization in order to be able to comply with E-Discovery process. Improper management of ESI can result in a finding of evidence destruction and the imposition of sanctions and fines.

We helped many organization in their E-Discovery preparedness in the last 17 years. We can do the same for you. Please call us for a free consultation.

12 Steps in Knowledge Management

User centered design is important for successful knowledge management. This design can also be called design thinking. Design thinking can help with process architecture, tools, and a knowledge sharing culture. These are important points for knowledge management improvement:

1. The emphasis on emotion and empathy of user would have a great impact, focus on experimentation and testing before scaling and confidence even in the face of uncertainty. Thus, buy-in for KM initiatives increases when adequate empathy has been shown to employees concerns and if participatory design elements have been used to come up with the knowledge management architecture and processes.

2. Design thinking includes a progressive approach to dealing with failure. Mistakes are treated as learning experience toward a final solution. That can help organizations by celebrating not just successes and best practices, but also failures as a source of learning. Many organizations have a repository of best practices.

3. In their haste toward project completion, many companies focus only on the results and final products. Design thinking allows for creation of extra levels of documentation along the project which may reveal new insights of value to subsequent project teams.

4. Through immersion and interaction, design thinking places a greater emphasis on conversations and thus uncovers deeper information about employees, customer and business partner expectations and aspirations. The use of customer personas also helps bring more holistic insight into the business modeling process.

5. By focusing first on minimum viable products and then full features, design thinking can help avoid features overload and large failed projects. Knowledge management can help in this regard in capturing best practices of frugal product and service development.

6. Design thinking and agile approach can be deployed right at requirements gathering stage and not just design and deployment stages. Organization can have conversations with users at the early stages and even help them question their understanding of the problems and solutions. Better alignment can be brought and lead to new ways of knowledge creation.

7. With its user centered design philosophy, design thinking brings about better interaction between a company and its employees and customers, particularly in an increasingly digital world where all kinds of assumptions are being made about customer's aspirations and problems. Organizations should work on improved formats of communication and knowledge sharing.

8. By repeatedly questioning basic assumptions behind problems, design thinking helps to structure problems in a more effective manner so that more appropriate solutions emerge. Knowledge management should include not only solving problems in a better and more efficient way, but also choosing which problems to solve.

9. Design thinking blends top-down and bottom-up approaches to problem solving, which can help overcome some problems in those KM initiatives that are top-down or led by higher levels of management without adequate factoring of users input or those initiatives where there is full users input with no management support.

10. Find the balance between design thinking and actual design. There are times when employees need to strictly adhere to established strategy, and there are times when fundamental operating assumptions should be questioned in light of changing circumstances and context. Thus the best practices certainly play a big role and design thinking can help come up with the best practices.

11. Design thinking is not just for designers or product developers. It has been used for better design of information portals, vision alignment in technology companies, more meaningful users experience, effective customer service, deeper users engagement in planning and collaboration on projects.

12. Design thinking is the key to innovation in many organizations. Involving users in the design project would also help user adoption of the knowledge management initiative.

Intent to introduce design thinking ideas in knowledge management should be followed by deep research of users and customers information creation and information seeking behavior. Interaction with them will yield very helpful ideas which should be integrated and tested repeatedly until an effective design of knowledge management can be finalized and deployed.

Galaxy Consulting has 18 years experience in applying design thinking in knowledge management. Please contact us for a free consultation.

E-discovery and Legal Processes

When a company has a much stronger handle on the status of each legal hold, the less effort and less financial strain it will be on the company in case of a litigation.

Data must be protected during e-discovery just as it does when it is a part of any other business activity.

The degree of security risk depends on the nature of the data. Standard business contracts might not be highly sensitive and thus create minimal risk, but exposure of intellectual property that represents the crown jewels of a company could be a major risk.

Data that attackers go after most often, such as credit card and bank account information, is not frequently subject to e-discovery requests, but other types of highly sensitive data such as executive communications, strategic projections and financial performance data are often found in litigation.

Unfortunately, the business people who are in the best position to understand the risk value of the data are not those who are responsible for ensuring its protection during the discovery process. This function is carried out by the IT department or by the legal department. And so it is important for internal stakeholders to communicate effectively. Companies need to focus on protecting their most important and valuable data. Not everyone in a company will agree on what that is, but it’s essential to have this conversation.

Some companies have been using manual methods for legal holds until just a few years ago. Legal holds are required when a company might reasonably expect litigation and therefore should not delete information that might be relevant to the litigation.

Managing legal hold helps minimize the risk of financial and other court sanctions for failing to preserve data. Data is scattered throughout companies and has become progressively more difficult to manage. Companies are dealing with big data, data in shared repositories such as Box.com, data on mobile devices, and so on.

People tend to keep everything. When legal hold is used effectively, companies can meet their preservation duties, then do targeted collections as needed in the case. Good hold process plus targeted collections can significantly reduce the amount of information that must be reviewed by attorneys, which accounts for 70% of e-discovery costs. It is important it to check the information of terminated employees to see if it might be subject to hold.

Another value proposition in using an automated legal hold solution that is integrated with collections and first-pass review is the ability to re-purpose a collection. The same collection and review tagging could be used again by adding only the incremental data generated since the original one.

Several trends are contributing to strong growth in the e-discovery market, including the ever increasing amount of litigation, greater volumes of data and a move toward adding in-house e-discovery capabilities. Each product has particular strengths, and that wide array offers options that can be used very selectively or in conjunction with each other to meet a company’s goals.

In addition to a group of large e-discovery vendors, many smaller vendors have products that are working well for their customers.

Once a set of documents is located that may be responsive to the e-discovery request, it needs to be searched. The effective use of human skills in conjunction with computer capabilities is a key ingredient in winnowing down the volume of data that needs to be reviewed by attorneys or other legal professionals. Technology-assisted review (TAR), also called predictive coding, is a method for training a computer to spot documents that may be relevant and distinguish them from those that are not.

One of the tools to consider is Catalyst Insight.

Catalyst Insight is a secure cloud-based platform where clients can search, review, mark and produce documents. It can be augmented with Insight Predict, a predictive ranking TAR 2.0 solution that uses continuous active learning (CAL) to speed the review process by allowing technology to work alongside the judgments that human reviewers make. The solution brings the most relevant documents to the top of the list rather than working in a linear fashion.

The company’s TAR 2.0 software is specially designed for e-discovery. With TAR 2.0, attorneys and legal professionals who are subject matter experts do the initial coding for relevancy. Each of their judgments about the relevancy of a document is fed back to the system as a means of "training" to identify others that also might be relevant.

TAR 2.0 allows new coding to be immediately incorporated into the algorithm for searching the document repository so that it is correctly tuned to the current problem domain.

As a cloud product, Legal Hold Pro is quick and easy to launch, and is updated frequently. There is no burden on the IT staff for software maintenance.

In general, cloud providers understand that a data breach poses an existential threat to their business. If they lose a client’s information, especially in a sensitive context such as financial or legal activities, the reputation damage can be severe.

The well established companies understand this. Nevertheless, it is important to discuss with the provider what measures they are taking to protect your sensitive data. There has been quite a bit of fear about the cloud, but for the most part, data can be as safe in the cloud environment as it would be within the organization so long as best practices around access controls and other security measures are employed.

In the future, more sophisticated technology will allow such actions as the reuse of attorney judgments, checking for outliers and monitoring the repository for problems in advance This kind of proactive strategy will help companies reduce their risk exposure and speed up e-discovery.

Personas and Content Strategy

"Personas" are imperative for content strategy. "Personas" tool comes from user experience area. "Personas" is a composite sketch of a key segment of your audience. "Personas" are realistic descriptions of your target audience.

"Personas" help to bring richness to otherwise statistical data. They provide greater depth and context to generic target audience groups by focusing on one character who embodies the predominant qualities of the larger group. Personas enrich different content data with more qualitative information that is extremely important for all content decisions.

"Personas" answer such questions as: What are the common goals of a target audience? What is their information seeking behavior? What are their frustrations? What are their strengths and weaknesses? What is a typical user scenario? Why they access content?

These questions would have huge impact on types of created content, where it is published, how it is published, how it can be found, how it is governed. Thus personas present critical information that inform the planning, creation, management, and evaluation of content. This would help to plan a better user experience.

Examples of personas could look like this:

- mechanical engineers;

- marketing and sales professionals;

- attorneys.

These groups of people, as an example, would have different goals in their work style and the content which they create and use.

A "persona" can also include demographics such as age and gender, the stage of life the person is in, goals they have, and challenges they may face.

There are three main principles in creating "Personas":

Location

This is not about geography, this is about understanding where your audiences are digitally active. You need to know which content they use, what they read, which social networks they use, etc.

You also need to understand what devices they are using, and ensure that your content is being delivered in a way that is accessible on that device.

Motivation

Different consumers are motivated by different things. Some value new content, others value historical content, while many are interested in overall content on a given topic.

Finding this motivation will ultimately drive the direction of your content.

Participation

Different audience groups interact with content in different ways and for different purposes.

You need to understand not only what content your audience consumes, but how they consume it, how they engage with it, and how they respond to it.

This is ultimately about choosing your message and tone for each audience group depending on their current need.

"Personas" have valuable effect on the conversations and requirements gathering from key stakeholders. Content stakeholders are scattered between a variety of different departments and their content needs are different. This approach would help the overall content strategy by directing content stakeholders expertise and efforts towards creating content management model and its governance. Content strategy ensures that that enterprise content management is going to be effective.

Without personas, you may only be guessing what content your audience needs instead creating and managing content which your audience is actively seeking. Documenting your personas, even if it is done in a quick way, is key to keeping everybody focused on the same audience.

You may have multiple personas that you are targeting, but the content you write should be directed to a specific audience (persona) and serve a purpose which can be measured.

Personas are critical component in an organization’s overall content strategy.

Galaxy Consulting has over 17 years experience in creating content strategy for the effective content management. We have always created "personas" and found it to be very effective. Contact us today for a free consultation.