Category: Information Governance
e-mail archiving & management
Several years ago, I arranged for a representative from the New York State Archives to provide training in e-mail and document retention for one of my government clients. The trainer did a fantastic job and here are a couple of takeaways she provided:
- Never use your personal e-mail account for official business.
- Never use your government account for personal communications.
- Never, ever send official, intra- or inter-agency business e-mail to anyone’s personal account.
This organization also used an e-mail archiving system and was preserving every single e-mail that went in or out of the organization as required by published retention and disposition schedules for different government entities in the state. In other words, hayseed county and municipal governments all over the country have processes and procedures for preserving official, digital communications whereas the federal government seems to be completely lacking in this area.
Let’s take a look at a few examples of our federal government’s complete lack of information governance.
Avoiding FOIA requests
In 2013, the Associated Press reported on top Obama appointees using secret email accounts. Not only were high-level appointees guilty of this, the president also engaged in this behavior. This is apparently occurring to some extent in the Trump Administration, as well. The most well-known case, of course, is Mrs. Clinton’s use of her own e-mail server which was used to send and receive classified information and demonstrated gross negligence – a criminal offense. Conveniently, “someone mistakenly deleted Clinton’s archived mailbox from her server and exported files.”
I spent four years in army intelligence during Ronald Reagan’s second term and my colleagues and I might still be breaking big rocks into smaller ones at Leavenworth had we been involved in these sorts of activities. While the high-profile culprits have all gone unpunished, Jake Tapper reported that “the Obama administration has used the 1917 Espionage Act to go after whistleblowers who leaked to journalists…more than all previous administrations combined.”
Then there is the case of two years of missing e-mails for Lois Lerner. Not only did her hard disk crash and need to be sent for destruction, but her Blackberry was mysteriously wiped clean after “congressional staffers began questioning her.” Coincidentally, five other employees who worked closely with Mrs. Lerner also lost e-mail related to the investigation when their hard disks crashed at around the same time. In addition to all this, Mrs. Lerner was also using a personal e-mail account for official business under the name of her dog.
Are you kidding me? You mean to tell me that the IRS has no archiving system or centrally managed mail server with 7 years of backups through which these tragically lost e-mails could have been restored? Had these shenanigans been exposed at a publicly traded company, we would have seen heads rolling and executives doing the perp walk on national television facing up to 20 years in prison under the Sarbanes-Oxley Act.
Missing text messages
Recently, the “premier law enforcement agency in the world” had to forensically recover five months of missing text messages between investigators in a high-profile investigation. This was the result of a “technical glitch…that affected 10% of the FBI’s employees.” In this particular case, Andrew Napolitano calls for the release of all the raw data to the public; “The government works for us; we should not tolerate its treating us as children.” I completely agree.
Stolen national security documents
Then, there is the case of Sandy Berger, a former National Security Advisor, who stole classified information related to the 9/11 attacks from the National Archives. Don’t worry – he pleaded guilty to a misdemeanor in federal court and was severely punished with 100 hours of community service and a $50,000 fine. A breach of protocol allowed him to remove these documents and there have been a number of other thefts from the National Archives, as well.
In another high-profile case, former CIA Director General Petraeus gave classified information to his mistress/biographer, Paula Broadwell. He pled guilty to a misdemeanor and avoided prison time. In what can only be described as an Inspector Clouseau moment, the CIA boss and Ms. Broadwell were using the draft folder in a shared Gmail account to communicate with each other.
Recent, significant data breaches at federal agencies have included the NSA, IRS, OPM and the USPS.
Information governance by politicians
UK politicians are as clueless as our own when it comes to information security and governance. Apparently, British MPs routinely share login credentials with their staff members.
While the DNC isn’t a government agency, their inexplicable handling of hacked e-mails and the Imran Awan case provides insight into the casual disregard elected officials seem to have for information security and IT management.
In all of the examples I have covered here, the information belongs collectively to us – American citizens. It doesn’t belong to the miscreants who wantonly mismanage or attempt to hide it from us. These people aren’t our leaders, they are our employees and we have a right to know what they are up to. Radical truthfulness and transparency rather than radical secrecy should be the default stance for our well-paid politicians and government employees.
Governance is a top-level function
Good information governance comes from the top, which is why ISO standards call for “top management” to be involved in development of governance policies and procedures for information and IT. When can we expect to see this in the federal government?
This article was first published on CIO.com at https://www.cio.com/article/3252850/government-use-of-it/information-governance-in-the-federal-government.html as part of the IDG Contributor Network.
© Copyright Jeffrey Morgan, 2018
What’s your municipal organization’s most valuable asset?
The correct answer is information, but you wouldn’t know it by observing the casual, haphazard manner in which information is managed in many county and municipal operations. Information is often the least valued and least understood asset in local government organizations.
Tangible assets such as buildings and equipment are insured and can be replaced with relative ease. If your data vanishes, you may never be able to replace it. A breach of confidential information can never be made right and your organization’s reputation will be tarnished for years to come. Litigation that results from poor information management can cripple your organization, and the cost of discovery alone often forces organizations to settle.
The core problem
Does your municipal organization have a formal information governance (IG) program?
Most municipal entities don’t have IG programs and consequently lack institutional, enterprisewide understanding of their information assets. The root of the problem is a dearth of leadership in information management that starts with senior executives and elected officials. In many cases, there are departmental managers who do understand their own information universes, but those individuals rarely carry enough clout to influence the decision-making processes at the enterprise level.
“Jeff, hold the phone! We already have a records management program and a CIO. We’re on top of this.”
Information governance isn’t records management, although records management is a subset of IG. Robert Smallwood provides an excellent definition of information governance: “Security, control and optimization of information.”[i] He takes it a step further and writes “Information governance is policy-based control of information to meet all legal, regulatory, risk, and business demands.”[ii] These two statements sound simple, but if you ponder their meanings a bit, they have enormous implications not only for information management in your organization, but for the way in which your entire organization is managed.
The role of the municipal CIO
In my experience, municipal IT operations are often poorly aligned with the business divisions they support and silos are an endemic problem in such organizations. I don’t want to paint with too broad a brush because there are plenty of CIOs who do understand their organizations’ business and information requirements. However, in municipal government, such people are rare.
While the title chief information officer implies a deep understanding of information, many municipal CIOs function more as technology directors and sometimes they more closely resemble purchasing managers or other roles. Since there is no universal definition of a CIO’s role, it is not reasonable to expect that they all come to their job with a clear understanding of information governance. Moreover, municipalities can have several dozen lines of business, each with its own set of complex regulatory requirements, so asking your CIO to be a Master of the Universe may be asking too much.
The solution: What IG can do for your organization
If you don’t have an IG program, I encourage you to start one. I am talking about creating an ecumenical view of your organization’s information assets and aligning that view with your business requirements at every level of your organization. Establishing such a program will allow you to build a superstructure that includes the following:
- Enterprise information management and strategic planning: auditing, risk management, records retention, metadata standardization, storage, FOIA, defensible deletion, eradication of silos and more.
- Enterprise information security (infosec) and cybersecurity: Develop policies, processes and procedures for security that are aligned with your organization’s risks and requirements. Create a culture of security in your organization. Vastly decrease security risks.
- IT service management (ITSM): Improve IT services by aligning them with the organization’s business requirements as determined by the IG committee. IT governance is often treated in county and municipal government as if it is somehow separate, but IT may be more productive if it is treated as a component of an overarching information governance program.
The IG committee
I am not a proponent of management by committee, but in a county or municipal setting with many lines of business, an information governance committee is appropriate not only to oversee information policies and procedures, but to provide guidance and oversight for IT operations as well. The makeup of your municipal IG committee will resemble the following:
- An executive sponsor: Preferably the county executive, city manager or similar role.
- An elected official: A county commissioner, city council member, etc. The primary governing board must be a key part of the IG team.
- The municipal attorney.
- A human resources official.
- An IT professional.
- A risk management specialist.
- A records management staffer.
- Representatives from other key departments, potentially including law enforcement, corrections, nursing home services, public health, mental health, social services, the county recorder, etc.
References and resources
Following are links to some resources for more information about developing an IG program.
ARMA International, a not-for-profit association for professionals specializing in governing information as a strategic asset.
Information Governance Initiative, a forum for information governance professionals.
AIIM, a nonprofit membership organization for information professionals.
Institute for Information Governance, a provider of training in the fields of information governance and electronic records management.
EDRM, a provider of resources related to e-discovery and information governance. Part of the Duke Law Center for Judicial Studies.
“Defining the Differences Between Information Governance, IT Governance and Data Governance,” by Robert Smallwood, Aug. 18, 2014. Retrieved April 17, 2017, from the AIIM website.
Information Governance for Executives, by Robert Smallwood. Bacchus Business Books, 2016.
[i] Smallwood, Robert. Information Governance for Executives, 2016
[ii] Smallwood, Robert. “Defining the Differences Between Information Governance, IT Governance and Data Governance,” 2014
This article first appeared on CIO.com at http://www.cio.com/article/3192530/security/information-governance-for-counties-and-municipalities.html
© Copyright Jeffrey Morgan, 2017