Web 2.0, Knowledge Management and Professional Development

Mark Frydenberg

Mark Frydenberg is teaching a new, experimental class at Bentley University: CS 299 – Web 2.0: Technology, Strategy, Community. I am the experiment today, telling my story to his students.

The focus of my presentation will be how I learned about Web 2.0, started using it as a knowledge management tool and how I now use Web 2.0 for my professional development.

If you want to listen and watch, there will be a Ustream video. It should be on Checkmark’s Ustream at 11:20.

We will be watching the Twitter hashtag #cs299. Send any questions you want me to ask a roomful of college students learning about Web 2.0 by including #cs299 in a Twitter post. Class starts at 11:20.

I gave them this reading list to give them some background on the topics I intend to cover. You can also see what the students have been doing by checking out their Class Blog and Discussions.

Below is the slide deck I put together for the class:

The slides are mostly visual so you may find it more useful to see my notes that go along with each slide. The slides with the notes are available at JD Supra: Web 2.0, Knowledge Management and Professional Development.

Cloud Computing and Compliance

Compliance Week editor Matt Kelly and I talked about “cloud computing” and how such IT systems can affect compliance. Listen to the conversation. (Time: 8.5 min.; file size: 7.7 MB)

Let’s try to define cloud computing a little better. It really encompasses a broad swath of services that can be put into three main groups. Infrastructure as a service provides virtual servers and data storage that users can configure. Platform as a service lets developers write applications using hosted software and development tools. Software as a service provides hosted applications, so the provider hosts both the application and the data; these range from specialized functions, such as supplier information management, to desktop applications, such as word processing and spreadsheets.

Listen to the conversation to hear about the compliance issues.

Evening in the Cloud and Compliance

The Evening in the Cloud session at the Enterprise 2.0 Conference was fun. David Berlind, Editor-At-Large and General Manager of TechWeb, was the moderator. I sat in the customer role beside Christopher Reichert of the MIT Sloan CIO Symposium. Sean Poulley, VP of Online Collaboration Services at IBM; Rajen Sheth, Senior Product Manager of Google Apps; and Mike Feinberg, Senior VP of Cloud Infrastructure at EMC, each gave an eight-minute pitch for their product.

If you read yesterday’s post (Compliance and Cloud Computing at Enterprise 2.0), you knew what my questions would be for the vendors. These three vendors represented big guns who, I am sure, have been asked those questions before. The session was obviously driven by the vendors. Hopefully, my list of questions can be used by other attendees to quiz the vendors.

Google, IBM and EMC focused on the infrastructure aspect of cloud computing. From a compliance perspective, the application piece of cloud computing poses more of the issues. Maybe I will be able to tackle some of those issues with vendors when the Exhibition Hall opens on Tuesday.

Brenda Michelson live-blogged the session on her elemental links blog: @ Enterprise 2.0 Evening in the Cloud Panel discussion. It is as good a summary as I could have written.

The session was recorded and will be available online at some point. I’ll post an update when I come across the recording.

Compliance and Cloud Computing at Enterprise 2.0

Monday night, I am heading over to The Evening in the Cloud program at this year’s Enterprise 2.0 Conference. They asked me to help grill the vendors on compliance issues.

More software and business operations are being pushed into the cloud. Why buy the hardware and software when someone else will run them for you?

I thought I would put together my thoughts on some of the compliance issues I think about when it comes to cloud computing.

Records Management.

One aspect of records management is ensuring that important records are kept. Importance can stem either from a business need or from a regulatory requirement. The other aspect is data destruction. Once a record is no longer important and no longer required to be kept, you want to make sure it is destroyed, and destroyed forever. Multiple backups in multiple places of old records are a huge headache when you are forced into e-discovery and the delivery of records as part of litigation.

Compliance Logs.

Whether you’re in the midst of an audit or an investigation, thorough logs are the key to proving compliance. So how do you prove your organization is (or was) compliant when you aren’t able to maintain logs? Audit trails must be auditable.

Terms of Service.

Consumers are used to clicking through the Terms of Service without reading them. Businesses will read them and want to negotiate them. If the vendor’s Terms of Service has a typical consumer provision allowing the vendor to unilaterally change it, throw that vendor out the door and don’t bother talking with them.

Investigations

You need to address how a forensic examination of the systems can be run as part of a government or internal investigation of wrongdoing.

Geography

It is not truly a cloud. There are physical servers that are sitting in a building somewhere. That physical location subjects them to the law of that jurisdiction. There are obviously some countries that you do not want. (Anyone in North Korea?) There are also some questionable locations. There are some companies that don’t want their operations being run on servers located in China. You should not be surprised that some companies do not want their servers in the United States because of the confiscatory provisions of the US PATRIOT Act.

Data Privacy

Geography also implicates personal data privacy. If you are using the cloud service to host information about people (employees or customers), you need to think about how the service complies with the multitude of personal data privacy laws. The most difficult is probably the EU Data Protection Directive.

Multi-User

If your information is combined with another company’s information on the same server, you risk being subject to their wrongdoing. There was a well-publicized raid of a server farm, with law enforcement seizing servers, shutting down businesses with their operations running on those servers.

Credit Card Processing

If you are processing payments, you need to be PCI DSS compliant. If the vendor asks what PCI means, throw them out.

Vendor should have a SAS 70 Type II Audit.

SAS 70 was designed to provide a highly specialized audit of an organization’s internal controls to ensure the proper handling of client data. SAS 70 Type II certification ensures that client data is protected in a data center that is using industry-leading best practices in information technology and security. Vendors that undergo a SAS 70 Type II audit are stringently evaluated on such elements as systems, technology, facilities, personnel management, and detailed processes for handling client data. At the end of a six-month process, vendors receive a comprehensive audit report that includes a description of their operational controls and a description of the auditor’s tests of operating effectiveness. At regular intervals after the initial audit, vendors go through additional audits to maintain their SAS 70 Type II status. In brief, SAS 70 provides assurance that a vendor has put in place comprehensive systems to ensure data security.

Of course, there are other issues. Depending on your industry, some of these may be more of a concern than others.

The Legal and Regulatory Implications of Internet Privacy

Pillsbury Winthrop Shaw Pittman LLP

Pillsbury Winthrop Shaw Pittman LLP and Protiviti presented a webinar on the legal implications of social networking. These are my notes.

Rocco Grillo of Protiviti started off the presentation. Social networks have become part of many people’s day-to-day work. They have not replaced email, but they are still robust communication tools. He offered the example of a Fortune 500 company that wanted to shut down access to several social networking sites and make their use during working hours a terminable offense. They found out that their human resources group used Facebook extensively as part of its recruiting program.

He moved on to social networking risks, pointing out the ability of these sites to deliver trojans or viruses to computers. (Although he did not offer any examples of how they pose any more of a threat than other websites.) Rocco emphasized the importance of creating a policy, and of working with your company to craft one that takes into account how people in your organization use these tools. Use of the sites is not an IT decision. You need to work with a larger group of stakeholders.

He noted the possibility of profile spoofing on these sites. How do you know that the person behind that profile is really that person? Avoid publishing common verification information like your date of birth or mother’s maiden name. Rocco shared some other scare stories.

Rocco did move on to balancing the risks with the benefits of the tools. Shutting down social networks does not remove the risks. You need a balanced strategy. These are powerful tools, but you need to make people aware of some of the risks.

Ben Duranske took over next. He is part of Pillsbury’s virtual worlds and video games practice. He pointed out that besides Second Life, many of these virtual worlds are pitched towards kids. Sites like Webkinz and Club Penguin target a younger audience than Second Life. The roadblocks for virtual worlds are bandwidth, processing power, and ease of access. Since they are proprietary, virtual worlds are walled gardens and there is no standardization. These sites allow users to create things, and there is real money involved. The Terms of Service of these sites largely concede ownership of your content to the site and allow them to disclose lots of the information. They are very willing to respond to subpoenas requesting the disclosure of user identities.

Ben laid out some key concerns regarding privacy in mainstream virtual worlds and games:

  • Violation of Export Restrictions
  • Loss of Trade Secret Protection
  • Inadvertent Privacy Policy Violations
  • Destruction of Confidentiality Protections

He pointed out that he does not communicate with clients in virtual worlds regarding their cases.

Since many of these sites are targeted at kids, you need to make sure you comply with the requirements of the Children’s Online Privacy Protection Act (COPPA).

Wayne Matus of Pillsbury moved on to cloud computing. Your information and the things you are doing are not happening on your computer or server, but are actually somewhere else. He pointed out four principal types of cloud computing:

  • Internet-based services
  • Infrastructure as a service
  • Platform as a service
  • Software as a service

Why should lawyers care? The Fourth Amendment. It is not clear if those protections apply to cloud computing. Every man’s house is his castle. But is your piece of the cloud part of your castle? Do you have a reasonable expectation of privacy for this information up in the cloud?

In United States v. Miller, 425 U.S. 435 (1976), the Supreme Court held that a government’s demand on a bank did not affect any Fourth Amendment interest of its customer. In United States v. Ziegler (2007), the United States Court of Appeals for the Ninth Circuit acknowledged that an employee has a right to privacy in his workplace computer. The court also found that an employer can consent to searches and seizures that would otherwise be illegal.

You need to comply with the Patriot Act. You have some uncertainties as to what jurisdiction applies. You may not know where your information actually exists. There are lots of complex laws that limit the flow of information: HIPAA, tax returns, attorney-client privilege, the Electronic Communications Privacy Act, the Fair Credit Reporting Act, etc. Part of the problem is that many of the contractual agreements with the cloud computing providers do not adequately address many of these issues.

Wayne offered up some things to include in the terms of service:

  • Use of data
  • Location of data
  • Encryption
  • No change of terms
  • Destruction
  • Ownership (assignment)
  • Subpoena
  • Audit rights

Compliance and Cloud Computing

Sara Peters wrote an article on Security Provoked: How Can You Prove Compliance in the Cloud?

Whether you’re in the midst of an audit or a forensic investigation, thorough logs are the key to proving compliance with security regulations. So how do you prove your organization is/was compliant when you aren’t able to maintain logs? This is the nagging question that gnaws hungrily at my weary brain every time I ponder cloud computing.

I am a big fan of cloud computing from a sharing and information architecture perspective, but it may not be the right answer for critical information that is subject to regulatory control.

Yet.

The folks at Google and other cloud computing providers are not going to let compliance issues fall through the cracks for long. Cloud computing can provide similar service at less cost. Who has a better understanding of security, your IT staff or the folks at Google?

New Link to the article: http://www.informationweek.com/security/can-you-prove-compliance-in-the-cloud/229209812