Slide 1
Risk Management of Digitized Data
Sherry Gordon, Office of the Attorney General
This presentation is my personal opinion and not necessarily that of the Attorney General or the Office of the Attorney General.
Slide 2
Risk
Identify Risk Tolerance – your department has a mission that may involve taking certain risks, but other risks do not advance the mission or even threaten it
Access Expertise – Finance and Administration, Environmental Health and Safety, IT Security, Internal Audit, HRS, Research Compliance, Purchasing, people in your department
Be Cognizant of Limits – sort out what you can and cannot control; don’t waste resources trying to control the things you cannot. You may want to use resources to plan mitigation of such events.
Slide 3
Risk
Identify Hazards and Risks You Can Control – web page, e-mail, external digital storage, tech security
Evaluate Risks – how likely is the risk to occur, and what is the negative impact/damage if it does; define “red flags” for risks
Take Action to Manage Risk – SOP policy, contingency planning/identify solutions, oversight, training
Monitor Risk – review the cost-benefit of risk mitigation; look for newly arising risks
Slide 4
Identifying Risk – Where do I start?
Ask (questionnaires, staff meeting, or individually)
Some questions to consider:
How are the web pages designed and vetted for copyright infringement?
Do you have a way to identify and avoid responding to phishing?
Are there “two signatures” for financial and resource purchase, receipt, payment, and inventory?
Are portable digital storage devices encrypted?
What information can you store on your desktop or laptop? How do you secure it?
Slide 5
Identifying Risk (continued)
Research
Observation
Expert evaluation
Slide 6
Prioritize the Risk
Impact (rows) against Probability of Occurring (columns). The slide lists four probability headings but five columns of ratings; the fifth column heading was not recovered.

Impact        | Reasonably Certain to Occur | Likely         | Possible | Unlikely | [heading not recovered]
Catastrophic  | Extremely High              | Extremely High | High     | High     | Moderate
Critical      | Extremely High              | High           | High     | Moderate | Low
Moderate      | High                        | Moderate       | Moderate | Low      | Low
Minimal       | Moderate                    | Low            | Low      | Low      | Low
Slide 7
Consider Breaches of Personal Information / Confidential Data
Sensitive or confidential information at risk
Loss of data: consider proactive mitigation
Natural disaster (flooding, etc.)
Accidental (stolen or lost external drives, for example)
Intentional
Slide 8
Breaches and Risks to Confidentiality
Internal
Vulnerable storage – caches, history, recycle bins, the Cloud
Lack of security – unencrypted, weak password, access to the data too widespread
Taking data and confidential records home
The Cloud includes data sharing and transmission (does the vendor have enough security?)
Slide 9
Electronic Discovery and Spoliation
Obligation to preserve documents, including electronically stored information and electronic documents, when a person/entity reasonably anticipates litigation
Documents must be preserved through expiration of the statute of limitations (including as extended by the claim period), which is measured generally by the last act underlying the claims. In many contexts (such as employment) this can be a lengthy period.
Slide 10
How Do You Save the Electronic Record?
Duty to preserve
Save traditional paper and electronic documents (without altering the latter’s metadata);
Save Outlook documents as PST files to avoid overloading Outlook files;
Determine which experts, if any, are needed to help identify, preserve, collect, process, and produce electronic evidence.
Slide 11
Electronic Documents – Know Where You Have Them
Servers
Online storage
Individual hard drives (work and possibly personal computers if used for state business)
Thumb drives, backup drives, external storage devices
Tablets, hand-held devices
Text messages, pictures on cell phones
Slide 12
Avoid Unprofessional Messages
A public record can be a letter, Web page, e-mail, voice message, or browsing history
Information maintained in electronic form is a public record – including the metadata
Most people have a cell phone that can record conversations “on the sly” – such records are hard to use in court, but easy to post to the Internet
Slide 13
Top Four (4) E-mails
4. [Employee] has started another brouhaha about his leave reports. I think it is much to-do about nothing. FYI.
3. Understood, however, please understand that [he] was, in our opinion, making whatever self-serving statements he could, notwithstanding reality, because he got caught with his hand in the cookie jar again. I do not believe that these were genuine perceptions. They were defensive, self-serving statements.
2. Holy Cow! I didn't ever imagine you would call the police.
Slide 14
Top Four (4) E-mails
1. I do not agree. Asking for a high level of fluency in English, when 99.9 percent of the work of the office is in English, is not discriminatory, because we are not requiring “English only,” “unaccented English,” or “native fluency.” The work of [this office] is in English, not Spanish, Portuguese, Chinese or French.
Slide 15
I do not agree. Asking for a high level of fluency in English, when 99.9 percent of the work of the office is in English, is not discriminatory, because we are not requiring “English only,” “unaccented English,” or “native fluency.” The work of [this office] is in English, not Spanish, Portuguese, Chinese or French.
Discrimination
Slide 16
Web Page Risk
Not Accessible
Defamation
Infringement (being on the Web does not mean “public domain”)
Image Rights
Public Perceptions
Slide 17
Copyright Trolls
We all want variety and interest on webpages, PowerPoints, and publications;
But do you want to pay $3690 per picture?
Slide 18
Demand letter
“As evidence of Masterfile’s copyright in the image related to this matter, I have attached a copy of Masterfile’s Certificate of Registration VA 1-220-538, issued to Masterfile by The Library of Congress, United States Copyright Office for the registration of Masterfile’s rights-managed image 700-00184687.”
Invoice for $3690 was attached
Slide 19
Questions