Tuesday, September 02, 2008

Enterprise Users Should Not Be Records Managers

I found J. Timothy Sprehe's FCW article "Seeking the records decider" interesting. The whole article is worth reading, and it's short, but I'll post some excerpts to get the point across:

Like everyone else — including NARA — GAO assumes and accepts that employees will decide whether e-mail messages are federal records. It is fundamentally wrong to lodge decision-making for records management at the desktop PC level. It means the agency has as many records managers as it has e-mail users — a patent absurdity.

Managing e-mail at the desktop level is failing everywhere...

Records management works best when it happens in the background in a way that is transparent to employees...

Conventional wisdom says the technology for making e-mail management decisions at the software or server level is not yet mature. In my judgment, that mindset demonstrates a lack of imagination and an unwillingness to tackle old questions in new ways...

The Air Force is moving even further with the implementation of its enterprise information management strategy. Using proven commercial products, the Air Force is investing heavily in automated metadata extraction for all information objects, including e-mail messages, and populating an enterprisewide metadata registry. Air Force officials believe they can construct a rules engine that will use the detailed metadata to automate records management decisions, including retention and disposition schedules. Desktop PC users will see none of that.

Another beauty of the Air Force strategy is that it holds the promise of supplying an enterprisewide solution for e-discovery, which involves providing electronic documents for evidence in legal cases...

Agencies will never train their senior officials — let alone every rank-and-file user — to make well-informed decisions about e-mail records management. Why not accept that fact and experiment with new approaches that really work?

I agree with that sentiment. What's better, an automated system whose rules can be explained, tested, and agreed upon, or a policy that relies on interpretation and implementation by users?

This article reinforces one of the great recent security insights of our time, by Nitesh Dhanjani:

The job of information security is to make it harder for people to do wrong things.

Automatic background patch installation, automatic background backups and archiving, and related unobtrusive yet effective measures are the way forward. Users neither care nor are equipped to defend themselves, and they really shouldn't have to worry about being security experts.

Can anyone comment on the Air Force's approach?


iamnowonmai said...

I was under the impression that court rulings had said that businesses (and agencies) could not off-load their records retention responsibility on to the end-user?
Maybe I will have to check that. There is no rule or law that says that a user has to produce a document or e-mail. Only the agency.

/me shrugs

Ben Wright said...

Richard: I argue employees have a conflict of interest in deciding which e-mails to keep and which to destroy. --Ben http://hack-igations.blogspot.com/2008/04/reducing-volume-of-e-mail-archives.html

.iznogud said...

Even though I do not call myself an expert, but rather a security enthusiast, I'd agree. Postulate of security is obscurity (even from end users, they do not need to know all security measures undertaken for their sakes). And it is my favorite closed approach to administering the network: forbid everything, and allow only what is needed for work. They can surf through torrents of the web at home. Makes my life much simpler.

Allen Baranov, CISSP said...

Wow... this is amazing.

I had just the exact same idea about how to handle email.

I thought it was a "one-day-maybe" idea but it seems that it is being done already.

Good for the Air Force.

Anonymous said...

I think that the best approach to retention of email records is to process them at the back end away from the user. In certain jurisdictions however (namely Australia) making copies of emails at a point before they are available to the end user (i.e. when they reach the destination email server) without the permission of the sender is considered interception under the TIA Act. So if you make a copy of an email at an email gateway for sending to a retention system, and you aren't acting under the protection of a warrant (with some other exceptions for law enforcement and national security agencies), it's technically against the law. This applies even in corporate environments where the email gateway is under the control of the company and the employees have been advised that they have no expectation of privacy.

Just something to be aware of if you want to try this in Australia. Many people have raised the problems this poses for network security, and the law is being reviewed, however this won't happen overnight, so get legal advice if you are at all unsure.
