Recently in Compliance Category

Today's guest blogger is Ajay Madan.  Ajay heads the Quality Assurance division of FaceTime. He has several years of experience working on products related to Network Security and Compliance. He is actively involved in working with the product and support engineering teams in devising and implementing processes and methodologies that ensure a high degree of quality for FaceTime's products. He has been closely tracking the developments in the social media space, the business impact due to the same and shares some of his thoughts in this article.

Take it away Ajay.

In recent months, there has been an increasing media attention on social networking sites; and how this impacts business, compliance, security and so on. Some staggering statistics (which I reference later in this article) have been thrown in to demonstrate the crazy adoption rates of the social media.

Social media, it appears,  is here to stay and companies are now understanding that it's not about blocking access now, but realizing that controlling and enabling access is the way forward.. It would sound naive to assume leadership teams in companies haven't yet begun this process, some still block access, others are engaging with vendors that help manage and control the use of social media, and some are just giving it some more time. So in this post, I don't focus too much on the statistics or impact of social media but look at the next steps for companies who understand the need to manage social media.

There are several aspects for CIOs/Head of IT departments to consider while evaluating policies for social media as well as for evaluating solutions to manage social media usage in the network.

Compliance Considerations

FINRA in their recent webinar indicated that companies will not be given a compliance grace period because Social Media technology is new and evolving. FINRA has asked companies to not allow usage of Social Media if they cannot supervise it or the social media site does not support archival. Bottom line - Companies must retain, archive and retrieve to be compliant.

If you are in a regulated industry, such as the financial services sector, you need to consider tools that either allow you to block access to unsanctioned social media and/or invest in a solution that allows you to monitor, archive and review content posted through social media.

Security Considerations

Perhaps another key question in the IT manager's mind pertains to security, There can be several concerns in this area -

• Its possible that users may leak sensitive information about the company through a post on Twitter or Facebook Wall
• Users in a regulated industry sending information - perhaps patient information via Facebook or Twitter
• Users with, lets say, corporate Facebook accounts using foul language in their posts.
• The potential for hidden malware, Trojans and the like in applications, perhaps such as the myriad of games and applets on Facebook.

A solution for Web 2.0 should provide or extend security controls to social media to address such concerns.

Policy Considerations

Some industries require a rich policy framework or workflow that allows the following -

• Ability to be able to moderate posts on social media before they are allowed to be posted to the actual site
• Ability to capture or moderate content that matches certain lexicons or pre-configured policy elements.
• Workflow for compliance officers to review the posted content
• Workflow to archive content for long term storage by inter-operating with enterprise archival systems and easy retrieval.

Bandwidth Considerations

There are certainly organizations and industries that do not have compliance requirements for social media, but who do need controls on bandwidth consumption. The common problem today is that companies have no way to measure the amount of time employees spend on social networking websites and in the past this has been recognized as a huge problem as it potentially impacts productivity. Hence this could be a core requirement for many companies.

Consider looking at solutions that allow you to set bandwidth limits for usage of social media.

Existing Infrastructure Considerations

Many IT departments are wary of having multiple vendors for different communication modalities and for the ease of management prefer to select those that provide functionality across all the considerations I referenced - as well as being able to provide these functionalities across other communications modalities, like IM and Unified Communications.

Consider an Evolving Market

Social media is new technology and will continue to evolve. Companies should look at solutions providers who have expertise in real time communications traffic, at those who adapt quickly to new technologies and who consider social media as part of a communications strategy, not in isolation.

Finally, I want to plug the solution that I work on. I've been with this product since it's inception and have seen it grow to become the first Secure Web Gateway that combines features, functions and controls for social media alongside other communications modalities.  Our Unified Security Gateway is uniquely positioned to address all the considerations I outlined above and helps companies manage not just social media across a broad spectrum of requirements - but web traffic on the whole, and more than 4,000 web and internet applications, from IM to remote control tools, to P2P tools. 

Now, I'll leave you with some pretty phenomenal statistics if you know any of those folks who are looking the other way when it comes to adopting social media.

But do check back on March 2nd when we launch the results of our fifth annual survey - and let me know what YOU'RE doing with social media.

Ajay

Facebook

http://www.facebook.com/press/info.php?statistics

LinkedIn

http://techcrunch.com/2009/02/14/as-the-economy-sours-linkedins-popularity-grows/

Twitter

http://mashable.com/2009/01/09/twitter-growth-2008/

I read a short article in InvestmentNews today about a new social web site, LinkedFA, which is promoting itself as the "first and only Finra-compliant social networking site for financial professionals." I immediately thought to myself, how can a social networking site tout itself as Finra-compliant when Finra hasn't released its compliance guidelines yet? Finra postponed its introductory webinar until March.

Then I asked myself the larger question; why would financial professionals want a 'walled-garden' social media site in the first place? Doesn't that kind of defeat the objective? If you're a financial advisor, don't you want to be where your prospects are? A site dedicated to financial professionals is fine for connecting with people within your industry but it doesn't help you reach new customers.

Consider that there are currently more than 250 million Facebook users, 30 million Twitter users, and 25 million executives on LinkedIn. That's where the conversations are taking place. That's where you can reach customers and prospects.

Isn't it better to participate in this larger, open conversation taking place on the Web and develop best practices, with the help of technology, to make sure that those conversations are appropriately logged and accounted for? That's the best way to assure compliance, whether it's for Finra, the SEC, or some other regulatory agency.

Our financial services customers rely on FaceTime's IMAuditor and Unified Security Gateway to not only secure their networks, but to manage and log content for regulatory compliance.

That way they get the best of all worlds:

1) centralized control of online conversations stored on their own servers so they can be audited for compliance;

2) the ability to support any public social media site in a secure manner and 

3) the ability to allow their traders and other employees to use the application that is best suited to the job, whether that's Yahoo, Reuters, YellowJacket, Facebook or Twitter  - we don't mind, because, well, we support them all.

My team have put together a 30 minute briefing on "What you can stand to gain and lose with Social Media" - why not join them on January 27^th at either 10 eastern or 10 pacific?

Last month we announced that Check Point Software Technologies had purchased our application database for use in their products. According to Check Point, this technology will "... provide businesses unparalleled granular control over application usage and enable security administrators to prevent threats associated with the use of certain Internet applications. Check Point will offer this new level of security controls as a Software Blade that will be available for all gateways." (read their release here: )

This deal reaffirms our leadership in the Web 2.0 security space. More importantly, it highlights the growing need for network solutions that provide visibility and control at the application level not just at the port & protocol level. Check Point sees this need and will use our database to provide application level control. Application level control will become the price of entry in the Firewall market.

But beyond visibility and control, what enterprises are asking for is "enablement".

• How do I allow access to Facebook or LinkedIn and stay in compliance with FINRA or FERC or HIPAA or PCI or [insert your favorite regulation here]?

• How do I allow access to YouTube videos but not the inappropriate stuff?

• How do I allow access to blogs and wikis and webmail but ensure that confidential information if not getting posted?

Our customers realize they can't block access to the New Internet - they must enable it.

Which is why our mission statement reads "Secure & ENABLE the New Internet"

Today's guest blogger is Eric Young.  Eric is FaceTime's Sr, Director of Field Services, and works with FaceTime customers to implement leading edge security and compliance solutions for Unified Communications and Web 2.0.  Eric's worldwide role gives him an insight into the global requirements of organizations implementing real time communications technologies to enable their businesses and works closely with our product team to ensure that FaceTime solutions remain at the forefront of the industry.

Yesterday's solution doesn't address today's issues.

I was onsite with a customer recently completing our fifth competitive replacement within the Fortune 400 in the past 6 months.  As the customer was detailing all of the requirements the previous solution did not satisfy, it made me wonder, how are other customers of these competitors feeling they are operating in a compliant fashion? 

If you, as a compliance officer or legal counsel, cannot make sense of a group chat conversation, cannot actually view the content of a blocked message, or can't see what folks are trying to post to a social networking site; how can you possibly defend your organization from SEC fines or from a lawsuit in a court of law? 

Security technologies evolve quickly, especially in the area of real-time communications - but the adoption of tools like Unified Communications, Instant Messaging and social media has grown exponentially - in many cases even without the knowledge of either IT or compliance.

Regulation and compliance changes too, with the times.  Most recently I've seen FINRA starting to address the issue of social media and issuing guidelines to member organizations and individuals on how usage should be treated. 

We all understand there is a big difference between "logging" and "being compliant" but knowing there are still some banks and other highly regulated companies using these legacy solutions that were designed for technology of a few years back, it begs the questions:  What are the minimum requirements for security and compliance for Unified Communications, Instant Messaging and Social Media?

And, what are you doing about dealing with emerging technology?

For the fourth consecutive year, FaceTime has commissioned a survey of IT managers and end users to track the use of Internet-based applications - things like IM, Skype, P2P, social networking and other Web 2.0 apps. We also surveyed employee attitudes toward use of those applications and their impact on IT and the organization in terms of security, data leakage and compliance.

As in prior years, the research was conducted among a large sample of corporate IT managers and end users across all size organizations in North America, UK and Europe. The research study includes compiled data from more than 500 IT managers and end users. The results are quite revealing.

• Use of consumer oriented Internet applications has reached 97% of organizations, up from 85% in 2007 and, on average, companies report 9.3 applications in use by its employees on the enterprise network
• 73% of IT managers report at least one security incident as a result of Internet application usage; Viruses, Trojans and worms (59%) are most common, followed by spyware (57%) for a close second
• 37% of companies report an instance of non-compliance; 27% report accidental data leakage
• IT managers report an average of 34 incidents per month, and the largest companies project $125K monthly to remediate Internet usage related security, compliance and data leakage issues
• 51% of end users access social media sites at least once per day and  79% of employees use social media (Facebook, LinkedIn, You Tube) at work for business reasons
• Sixty-eight percent of IT managers have archiving and retrieval methods for corporate email. About half that many--31 percent--store IM communications. One in four has copies of audio conferences (25%), while slightly fewer (20%) archive corporate Web conferences
• If requested by corporate attorneys to reproduce IM communications--in the event of a lawsuit, for example--51 percent of IT managers could not do it. Thirty-eight percent because they have no such capabilities and 13 percent could do it but not in any practical time frame
• Unified Communications suites exist at about 29 percent of IT respondent organizations. Ten percent have deployed pilots to a limited number of users, while 19 percent have deployed UC for the majority of their endusers

We'll be delving into various aspects of this exhaustive survey in the coming weeks, to break down just what this data is telling us about what's happening on corporate networks and what it means to both IT managers and end users.

They say you can find anything on Google. Turns out it's especially useful when one is searching for personal data to crack a Yahoo! Web mail password.  

In the remote case you missed it: Vice Presidential candidate Sarah Palin's Yahoo! Webmail was hacked last week, and the contents were posted on Wikileaks.  Wired reported that the hacker easily broke into Palin's Webmail, hoping to find incriminating evidence that could derail her campaign.

We see this happen a lot. While IT installs email and IM archiving software, the workforce moves their personal and sometimes ill-advised communications to what I would call rogue channels. These channels include Webmail, public IM, Skype, and even Facebook. Employees think that management doesn't monitor or control these tools and it becomes an appealing place for improper or even illegal activity to occur.

Michael Osterman explained this well when he wrote about the lessons IT should learn from the Sarah Palin Webmail hack.

More examples of infamous rogue channel use in recent times include Senator Mark Foley, whose IM conversations with a intern cost him his job. Jerome Kerviel, the French banker who alledgedly cost his company $7B, and Scott Sidell, the former CEO who funneled client lists to himself through Webmail.

What are your employees doing thru Webmail, personal IM networks and social networking sites?

When I ask IT professionals the above question the majority respond (very confidently) that nothing rogue or unsanctioned is happening on their networks. Common responses include, "We block it with our firewall" or "we have a policy against it."  Then we deploy an evaluation unit and provide a report of actual employee initiated traffic and it becomes clear: hope is not a strategy. 

As customers move to adopt Unified Communications platforms from Microsoft, IBM and others, I believe the same issue will exist - employees will use personal systems and corporate sanctioned systems interchangeably.  IT will have the hard task of managing policies and controls consistently across this heterogeneous environment. 

... or even what it is?

Back in the old days, TV networks would run public service spots before the nightly news saying: "It's 10 pm, do you know where your children are?" The fact that the spots ran for twenty years in cities like New York points out that it is easy to lose track of stuff, even important stuff.  Which brings me to ESI--Electronically Stored Information.  Not that it is as important as your kids, but in the discovery phase of a big lawsuit, it might seem that way.  And, like kids, ESI can be surprisingly easy to lose track of.

ESI is the catch-all term for the digitally stored files of litigants in a federal case.  During the pre-trial discovery phase of a lawsuit, all ESI is subject to discovery, meaning it all has to be checked for relevant information that the other side has requested to help it prove its case.  Only the relevant files need to be actually given to the opposing party, but all ESI has to be checked to make sure all the relevant files have been located and handed over.  It sounds simple enough, but it is hard if you are not prepared in advance and a lot can go wrong. 

When the e-discovery rules changed in late 2006, there was a lot of commotion about it, and a lot was written about the need for companies to have their ESI organized and well maintained in order to be able to respond to the tight discovery timelines set by the new rules. I don't think that message has really sunk in though.  And now that the rules are no longer "new," and the commotion has died down, it is easy for companies to lose track of whether they have really prepared to meet the current e-discovery challenges.  Yes, the e-discovery market is growing nicely, but more spending is not assurance that the companies really understand all the risks or even the problems they are trying to solve. 

As the resident lawyer at FaceTime, I am occasionally asked to talk about e-discovery issues with customers, or on a panel. Sometimes I can tell that a person I'm speaking with just doesn't want to have to deal with instant messaging in e-discovery, even when IM is used for business purposes in their company. To them, the most obvious way not to deal with it is to make it go away, or more precisely, to take the position that IM logs are not business records and therefore will not be saved. 

No saved IM records, no IM ESI, problem solved. 

There are undoubtedly circumstances where this is a sound policy, but what I've seen is that such a position is most often taken without enough attention to the reality of how easily IM logs are stored in hard-to-find places, and how difficult it is to effectively enforce a "no IM records" policy when employees use IM for business purposes and may need to refer to those logs the way they refer back to e-mail.  The company falls into the trap of mistaking its ESI policy, what the company wants its ESI to be, with the reality of what its ESI actually is -- i.e., what is actually saved, either inadvertently or surreptitiously against policy. 

The resulting danger is that the ESI is there, but the company doesn't know it exists until too late. My recommendation is usually that if IM is used for business, then it will generate business records that should be maintained and be treated on par with e-mail records for e-discovery purposes.

If the IM-savvy, and sometimes IM-dependent, companies that FaceTime deals with are still coming to terms with IM logs in regard to e-discovery, then I have to believe that companies in general have not moved much beyond e-mail archiving, if they have a proactive e-discovery solution at all.  To me, that's like being happy that one of your kids is watching TV with you at 10 pm. and forgetting about the one you haven't seen since yesterday.

I recently did a podcast interview with Michael Osterman of Osterman Research for Messaging News.

Here at FaceTime, we're immersed in unified communications every day. We talk to our customers about what they hope to get out of UC, what modalities (messaging, VoIP, Web Conferencing, etc.) they are deploying first, and how they are struggling with internal issues regarding architectural considerations, alignment with business processes, IT ownership and more. Sometimes I get too close to these issues, so it's nice to step back and think about how to answer questions like the ones Michael presented in a way that provides a broader market perspective.

I hope I did that in this podcast and I hope you have time to listen to it. For those of you with time constraints, here are some of the points we talked about:

• UC is entering the workplace in much the same way as the original PCs, or more recently, wireless access points. Users are downloading consumer-oriented UC-like applications like Skype, and  reaping collaboration benefits.
• Most organizations aren't deploying UC with multiple modalities all at once. They are starting with presence and  IM and extending to Web Conferencing and VoIP - putting policies in place that can be extending across future modalities once they are deployed.
• Productivity through collaboration is typically the #1 driver for deploying UC, but cost savings and employee attraction and retention are close seconds.
• More avenues are available to bring information into the organization and more options for employees to communicate outside the company. This means that security and compliance are top concerns when deploying UC.
• IT wants effective management and control of all these communications options, but the bottom line is that forward thinking IT professionals want to add value - they are motivated by enabling employees to be productive and contribute to the success of the company.
• When an organization rolls out UC they often find it exists in a heterogeneous environment that includes "rogue" consumer applications that do not go away. It's not uncommon to have 8-15 rogue applications (IM clients, file sharing tools, social networks etc.) running on the enterprise network. They may not all be bad, but they're not visible and not sanctioned.

Bottom line, management is looking for two things: strong ROI from its UC platform and a way to control the universe of consumer-oriented applications that employees bring onto the network. We see a range of company policies - lots of companies are experimenting and don't want to shut things down if it can provide a competitive advantage through better employee collaboration. Others are in an industry with stricter requirements and need to block or closely manage certain apps.

I'd love to hear how your company is dealing with unified communications, both the consumer and enterprise versions. Does the above ring true for you?