GUEST SPOT: Do you know where your records are?


By James Bone – jamesbone0129@gmail.com

Many practitioners of records management compliance are very familiar with best practice guides for implementing a records management program, risk assessments, and risk mitigation. The benefits have been espoused time and again by records vendors, auditors, and consultants. If you believe, as I do, that corporate records are an asset of the firm, why then don’t we account for them with the same vigor as we do other assets? Why do we continue to have major breaches of personal customer information and critical business records?

Part of the answer lies in a new trend that makes it harder to keep track of data and account for corporate records in all of their manifestations. Virtualization is more than a trend: software programs running somewhere out on the Internet now serve the same function as hardware that was typically housed in your company’s data center.

Virtualization is the use of electronic applications and platforms to share, transport, and use data real-time, day and night. In this new environment do you know where your records are? The advent of cloud computing, Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) will continue this trend toward the democratization of data and records management. However, how do you maintain good controls when your critical data may be outsourced to vendors? When access to data is controlled in a “virtual locker” that may or may not be segregated? Let’s explore what our options are.

First let’s explore why this trend is growing. Businesses are faced with ever increasing pressure to save money and resources, and maintaining assets in-house is no longer a cost efficient solution. Secondly, young knowledge workers expect to have access to data wherever they are, whenever they need it. Keeping customers, vendors, and associates “plugged-in” creates complex challenges for maintaining compliance with state, federal, and international regulations. In fact, regulations have not kept pace with the velocity of change in how records are handled in today’s virtual environment.

Even if you haven’t moved your records to a cloud platform there are critical steps you must consider while ensuring you protect your firm’s data. As you consider your risk assessment approach consider the following:

  • How is data used and shared across the firm? Is the data available on a “need to know” basis or does firm culture make data accessible to a large group of users?
  • Do you use secure data repositories with restricted access or has your corporate LAN drive become the storage facility of choice for critical business and customer data?
  • Do you know what data is shared between departments? Do business users understand what should or should not be shared between departments? Are there strict protocols for sharing data?
  • How is data shared internally and externally? If email is a critical application for sharing data, how is this information protected? Using encryption technology is good, but it may not be sufficient to ensure end-to-end protection of personal customer data.

External vendor assessment:
Below is a starting point for developing your own matrix of control points for assessing your virtual environment.

Security. Unauthorized access to sensitive business and customer data leaves organizations exposed to financial and regulatory risks. Assessing and monitoring storage capacity, location, and physical as well as application access is a critical first step in assessing the environment of external vendors.

Data Segregation. Understand how your data is segregated from that of other customers. Does your data share a “virtual locker” with other customers? How does the vendor prevent unauthorized access from other customers?

Records Management. Are records retention and records destruction standards consistent with your industry? Does your vendor know this, and know what those standards are? Are there multiple backups of your data in multiple locations?

Vulnerability Scanning. Are network or vulnerability scans allowed? Are there formalized protocols in place to perform scans? What limitations (if any) exist? And how are vulnerabilities disclosed to you, the customer, and then mitigated?

Audit Trails. How can the company demonstrate the effectiveness of its controls for authorization, authentication, segregation of duties, program development and program changes? (Because in the event of a regulatory probe or litigation, you can bet that other parties will expect that you’re able to do so.) How robust are the vendor’s controls such as firewalls, encryption, monitoring reports, and denial-of-service software?

Seeking Help

If you still are uncomfortable with your own assessment, you can rely on a few industry standards to help ease your fears. First consider a SAS 70 SysTrust audit, which evaluates whether or not a specific system is reliable when measured against four essential principles: availability, security, integrity, and maintainability.

Additionally, ask whether the provider complies with the ISO 27001 or ISO 27002 standards, which govern information security. ISO standards aren’t formal assurance, but they do imply that the vendor uses a formal method of practice and a summary of controls that may be evaluated as part of the due diligence process.

Developing a comprehensive control framework and monitoring changes in the environment is a never-ending process. Businesses monitor financial assets and annually assess their performance against corporate strategy. Records management should use similar measures of success. Ensuring the quality of these business assets is equally critical to ensuring you reach your strategic goals!


Former Chief Compliance Officer for Fidelity Pricing & Cash Management Services

James has managed and created operational risk management and compliance teams responsible for monitoring, assessing, and enhancing internal controls and regulatory compliance for diverse financial services operations including broker-dealer, investment management, and institutional operations.

He has experience working in front, middle, and back office operations, correspondent clearing, transfer agency, investment operations - Buy Side/Sell Side, as well as Institutional and Alternatives product development.

His goal is to join an organization that is a recognized leader in financial services that is focused on operational risk and governance consulting, a diversified financial services firm, or emerging start-up looking to implement creative solutions to complex operational and compliance challenges.

James’ Specialties Include:

  • Operational Risk management and Control functions
  • Investment Company Act of 1940
  • Investment Advisers Act of 1940
  • Sarbanes-Oxley
  • Material Compliance Matters
  • Alternative Products
  • GAAP
  • Enterprise Risk and Governance
  • Strategic Business Planning and Implementation
  • Business Continuity
  • Privacy Act - State and Federal
  • Money Laundering