Case for Compliant IM

Sep 20, 2011 Presentation - FCW Seminar –Using Content Management to Detect and Prevent Fraud
Page 1: Case for Compliant IM

Making the Case for Compliant and Efficient Information Management

Catherine Teti
Managing Director, Knowledge Services and Chief Agency Privacy Officer
U.S. Government Accountability Office

Page 2

The Importance of Information Management

• Serving federal agency mission needs requires managing information. This can be done in any number of ways. One extreme is irrational, wasteful, and in violation of federal law. The other extreme is the ideal of efficient and effective management of information resources.

• Federal information management responsibilities are guided by a number of laws and associated policies, standards, and regulations.

Page 3

Federal Laws with IM Requirements

• The Paperwork Reduction Act governs information collection and establishes a broad set of responsibilities for the management of information resources.

• The Privacy Act governs the use of personal information by federal agencies.

• FISMA, the Federal Information Security Management Act, requires agencies to protect their information and systems from misuse.

• FOIA requires agencies to have processes to give the public access to agency records.

• The Federal Records Act requires agencies to manage records needed for their operations and to have processes to properly dispose of or preserve older records.

Page 4

Federal Laws and IM Requirements

• Presentation focuses on three laws that affect federal agencies:
  • Federal Records Act
  • Privacy Act
  • FISMA

• One law that affects public companies, as a comparison:
  • Sarbanes-Oxley

Page 5

Federal Agencies’ IM Compliance: Federal Records Act and NARA Regulations

• Requirements:
  • All agencies create records and must manage their records in accordance with the Federal Records Act (FRA) and must establish a records management program in accordance with 36 CFR Chapter XII.

• Risks of Noncompliance:
  • Destroying records before the end of their agency-designated retention period.
  • SEC currently being investigated by NARA for improper destruction of records.

• Penalties:
  • Penalty for destroying records before the designated disposal date is a $2,000 fine and up to 2 years in prison.

• Mitigation:
  • NARA conducts annual self-assessment surveys; results are shared with OMB and Congress.

Page 6

Federal Agencies’ IM Compliance: Privacy Act

• Requirements:
  • Agencies must safeguard and restrain uses of personally identifiable information (PII).
  • Agencies must let the public know what PII they are collecting.

• Risks of Noncompliance:
  • Personal information is disclosed to unauthorized users and PII is compromised.
  • Use of PII is not limited to the original purpose for which it was collected.
  • Agency is sued for handling PII in violation of the act.

• Penalties:
  • Penalty for knowingly disclosing PII, maintaining a system of records without meeting notice requirements, or knowingly obtaining PII from an agency under false pretenses is a fine of up to $5,000.

• Mitigation:
  • Review and revise system of records notices and provide training to agency staff handling PII.

Page 7

Federal Agencies’ IM Compliance: Federal Information Security Management Act

• Requirements:
  • Creates a single comprehensive information security law for the federal government.
  • Protects the integrity, confidentiality, and availability of information and information systems.

• Risks of Noncompliance:
  • Systems being vulnerable to attack.
  • Sensitive data being disclosed to unauthorized users.
  • Total loss of data or unauthorized destruction of data.

• Mitigation:
  • OMB is responsible for the annual review of agency compliance.
  • Agency IG conducts annual evaluations of the information security program for compliance.

Page 8

Public Companies’ IM Compliance: Sarbanes-Oxley Act

• Requirements:
  • Controls for public companies’ financial records.
  • Requires executive sign-off and approval of financial records.

• Risks of Non-Compliance:
  • Unable to provide current and accurate financial reports to the public.

• Penalties:
  • Section 802 describes penalties for altering financial records: fines and imprisonment of up to 20 years for knowing and willful destruction of records.

• Mitigation:
  • Signing officers are responsible for internal controls and for evaluating internal controls.

Page 9

All Organizations: E-Discovery

• All agencies are subject to responding to e-discovery requests.
• Formalized in the amended Federal Rules of Civil Procedure in 2006.
• All Electronically Stored Information (ESI) stipulated in a subpoena must be preserved as part of a legal hold.
• Organizations must be able to preserve and produce all ESI relevant to a discovery order.
• Costs for e-discovery are continuing to skyrocket for organizations without proper information management.
• Organizations’ inability to search for and locate relevant information is causing significant risk.

Page 10

E-Discovery and Federal Agencies

• Fannie Mae Securities Litigation
  • January 2009: Office of Federal Housing Enterprise Oversight (OFHEO) held in contempt of court for failing to respond adequately and in a timely fashion to a third-party subpoena.
  • Defendants sent OFHEO over 400 search terms, which resulted in hits for 660,000 documents, 80% of OFHEO’s total email.
  • Ultimately cost over $6 million, or 9 percent of OFHEO’s annual budget, to settle the case.

Page 11

E-Discovery and Federal Agencies

• Aguilar v. Immigration and Customs Enforcement (ICE) Division of the United States Department of Homeland Security

• Court ordered ICE to produce metadata for emails, Word, PowerPoint and Excel files.

• Certified the necessity of preserving metadata on the part of any entity who could become subject to subpoena or litigation.

• Required that any party seeking to file a discovery request make specific their demands for metadata at the earliest possible moment.

Page 12

What should an organization do with these requirements?

• The big question for agencies is how to ensure they comply with all these requirements.
• Good information management can help agencies comply in a coordinated manner.
• The challenge of IM is realigning and re-engineering stove-piped management processes to create integrated and coordinated approaches to managing information across the information life cycle.

Page 13

GAO’s Approach to Information Management

• Almost all of GAO’s audit documentation is created electronically.
• Business requirements orientation:
  • “Cradle to grave” content management
  • IM embedded into GAO business processes
  • Cross-organizational collaboration
  • Users as stakeholders buy into the process
  • Industry standards and business policies integrated with IM
  • Generally Accepted Government Auditing Standards (GAGAS) and GAO Policy Manual

Page 14

GAO’s Key Requirements for Effective IM

• Business Purpose
  • Align management with GAO business processes to meet mission objectives
• Organizational Commitment
  • Ensure executive sponsorship and stakeholder buy-in
• Governance
  • Clearly define policy and requirements
  • Recognize constraints and limitations
  • Strive for user engagement and senior executive sponsorship
• Oversight
  • Performance measures and accountability

Page 15

An Effective IM Program

• An effective IM program allows GAO to:
  • Retrieve: Easily retrieve relevant information in a timely fashion.
  • Access: Provide access to information to the right people when it is needed.
  • Audit: Identify anomalies and ensure compliance with all applicable rules and regulations (FRA, FISMA, etc.).
  • Dispose: Dispose of information in the normal course of business when it is no longer needed, in accordance with GAO’s retention and disposition policy.

Page 16

GAO’s IM Policies

• It is mandatory that all audit documentation is stored in GAO’s electronic records management system (ERMS).

• IM policies incorporate GAGAS and GAO Policy Manual and work in conjunction with the agency’s Quality and Continuous Improvement Office.

• All audit case files must contain a mandatory folder structure—an EMPF folder and evidentiary folder.

• All data sets stored outside of ERMS must be managed in accordance with GAO’s retention policies, just like records stored within ERMS.

Page 17

GAO’s Electronic Records Management System

• Mandatory use for all audit work
• Manages all audit documentation created and received in the agency
• Comprised of three retention policy profiles
  • Tied to the records retention schedule
  • Profile metadata enhances searching for records
• Allows for the management of physical records as well as large data sets that cannot be stored within the system
• Requires that all business-related emails be retained in ERMS
• Facilitates good record-keeping on the part of GAO employees, thereby minimizing agency risk and exposure

Page 18

GAO’s Disposition Strategy

• GAO’s records disposition schedule applies to records regardless of format or media.
• In 2012, GAO will have its first disposition of electronic audit documentation.
• Mandatory use of ERMS began in 2007.
• Disposition strategy is comprehensive for all record types (paper, electronic, data sets, and other “stuff”), so it is applied uniformly across all media and formats.
• Ensures that GAO complies with all requirements, mitigates risk and exposure, saves storage space, is cost-effective, and allows for easier search and retrieval of remaining records.

Page 19

New Technology and Tools

• Collaboration
  • Wikis and blogs
  • IM/Twitter
• Networking
  • YouTube
  • Podcasts
  • Facebook/LinkedIn

• All records are managed according to GAO IM policies.

Page 20

GAO Reports on IM

• GAO-10-838T: Information Management: The Challenges of Managing Electronic Records

• GAO-11-15: NARA: Oversight and Management Improvements Initiated, but More Action Needed

• GAO-11-605: Social Media: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate

• GAO-08-536: Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information

• GAO-10-537T: Freedom of Information Act: Requirements and Implementation Continue to Evolve

Page 21

In Conclusion – Key Points

• Information Management is key to complying with a number of federal laws and regulations, as well as to an organization’s ability to proactively manage and respond to litigation holds and e-discovery requests.
• GAO cannot support its mission without effective IM.
• IM requires different information disciplines to work together for an integrated approach:
  • Records Management
  • Information Security
  • Information Technology
  • Legal
  • Privacy

Page 22

Questions?

Catherine Teti
Managing Director, Knowledge Services, Chief Agency Privacy Officer
[email protected]
