Risk Management of Digitized Data

Uploaded On 2017-07-19

Presentation Transcript

Slide1

Risk Management of Digitized Data

Sherry Gordon, Office of the Attorney General

This presentation is my personal opinion and not necessarily that of the Attorney General or the Office of the Attorney General.

Slide2

Risk

Identify Risk Tolerance – your department has a mission that may involve taking certain risks, but other risks do not advance the mission or even threaten it

Access Expertise – Finance and Administration, Environmental Health and Safety, IT Security, Internal Audit, HRS, Research Compliance, Purchasing, People in your Department

Be Cognizant of Limits – Sort out what you can and cannot control – don’t waste resources on the things you cannot control. You may want to use resources to plan how to mitigate such events.

Slide3

Risk

Identify Hazards and Risks You Can Control – Web page, e-mail, external digital storage, tech security

Evaluate Risks – How likely the risk is to occur and the negative impact/damage if it does; define “red flags” for risks

Take Action to Manage Risk – SOP Policy, Contingency Planning/Identify solutions, Oversight, Training

Monitor Risk – Review cost-benefit of risk mitigation; look for newly arising risks

Slide4

Identifying Risk – Where do I start?

Ask

(questionnaires, staff meeting, or individually)

Some questions to consider:

How are the web pages designed and vetted for copyright infringement?

Do you have a way to identify and avoid responding to phishing?

Are there “two signatures” for financial and resource purchase, receipt, payment, and inventory?

Are portable digital storage devices encrypted?

What information can you store on your desktop or laptop?

How do you secure it?

Slide5

Identifying Risk (continued)

Research

Observation

Expert evaluation

Slide6

Prioritize the Risk

Probability of Occurring: Reasonably Certain to Occur, Likely, Possible, Unlikely

Impact:

Catastrophic: Extremely High, Extremely High, High, High, Moderate

Critical: Extremely High, High, High, Moderate, Low

Moderate: High, Moderate, Moderate, Low, Low

Minimal: Moderate, Low, Low, Low, Low

Slide7

Consider Breaches of Personal Information / Confidential Data

Sensitive or confidential information at risk

Loss of data: consider proactive mitigation

Natural disaster (flooding, etc.)

Accidental (stolen or lost external drives, for example)

Intentional

Slide8

Breaches and Risks to Confidentiality

Internal

Vulnerable storage – caches, history, recycle bins, the Cloud

Lack of security – unencrypted, weak password, access to the data too widespread

Taking data and confidential records home

The Cloud includes data sharing and transmission (does the vendor have enough security?)

Slide9

Electronic Discovery and Spoliation

Obligation to preserve documents, including electronically stored information and electronic documents, when a person/entity reasonably anticipates litigation

Documents must be preserved through expiration of the statute of limitations (including as extended by the claim period), which is measured generally by the last act underlying the claims. In many contexts (such as employment) this can be a lengthy period.

Slide10

How Do You Save the Electronic Record?

Duty to preserve

Save traditional paper and electronic documents (without altering the latter’s metadata);

Save Outlook documents as PST files to avoid overloading Outlook files;

Determine which experts, if any, are needed to help identify, preserve, collect, process, and produce electronic evidence.

Slide11

Electronic Documents – Know Where You Have Them

Servers

Online storage

Individual hard drives (work and possibly personal computers if used for state business)

Thumb drives, backup drives, external storage devices

Tablets, hand-held devices

Text messages, pictures on cell phones

Slide12

Avoid Unprofessional Messages

Public record can be letter, Web page, e-mail, voice message, browsing history

Information maintained in electronic form is a public record – including the metadata

Most people have a cell phone which can record conversations “on the sly” – such records hard to use in court, but easy to post to Internet

Slide13

Top Four (4) E-mails

4. [Employee] has started another brouhaha about his leave reports. I think it is much to-do about nothing. FYI.

3. Understood, however, please understand that [he] was, in our opinion, making whatever self-serving statements he could, notwithstanding reality, because he got caught with his hand in the cookie jar again. I do not believe that these were genuine perceptions. They were defensive, self-serving statements.

2. Holy Cow! I didn't ever imagine you would call the police.

Slide14

Top Four (4) E-mails

1. I do not agree. Asking for a high level of fluency in English, when 99.9 percent of the work of the office is in English, is not discriminatory, because we are not requiring “English only,” “unaccented English,” or “native fluency.” The work of [this office] is in English, not Spanish, Portuguese, Chinese or French.

Slide15

I do not agree. Asking for a high level of fluency in English, when 99.9 percent of the work of the office is in English, is not discriminatory, because we are not requiring “English only,” “unaccented English,” or “native fluency.” The work of [this office] is in English, not Spanish, Portuguese, Chinese or French

Discrimination

Slide16

Web Page Risk

Not Accessible

Defamation

Infringement (being on the Web does not mean “public domain”)

Image Rights

Public Perceptions

Slide17

Copyright Trolls

We all want variety and interest on webpages, PowerPoints, and publications;

But do you want to pay $3690 per picture?

Slide18

Demand letter

“As evidence of Masterfile’s copyright in the image related to this matter, I have attached a copy of Masterfile’s Certificate of Registration VA 1-220-538, issued to Masterfile by The Library of Congress, United States Copyright Office for the registration of Masterfile’s rights-managed image 700-00184687.”

Invoice for $3690 was attached

Slide19

Questions