Recently in Compliance Category

The term Cloud Content Management has begun to appear with increasing frequency in the last few months. But what does it mean? And how is it different from Enterprise Content Management (ECM)?

Gilbane Group answers these questions in our latest Beacon, titled Cloud Content Management: Facilitating Controlled Sharing of Active Content. Here is how we briefly define Cloud Content Management and contrast it to ECM:

"Cloud Content Management is an emerging set of content sharing and management practices and a supporting category of software built on an open, secure, cloud-based platform. It is rapidly deployed and easily used to manage content, in any format, that is actively shared among collaborators working both inside and across firewalls. Cloud Content Management is complementary to Enterprise Content Management, which is more focused on controlling access to static, unstructured content in TIFF, PDF, and office productivity document formats as it is electronically captured, stored, distributed, archived, and disposed."


The Gilbane Beacon explores the various facets of this definition and goes into much more detail as to how Cloud Content Management differs from, and complements, ECM. We urge you to download the Beacon (free registration required), read it, then return here to share comments.

In a Regulatory Notice released earlier today, the Financial Industry Regulatory Authority (FINRA) opined that brokerage firms and their registered representatives must retain records of all communications related to the broker-dealer's business that are made through public blogs and social media sites, such as Facebook, LinkedIn, and Twitter.

"Every firm that intends to communicate, or permit its associated persons to communicate, through social media sites must first ensure that it can retain records of those communications as required by Rules 17a-3 and 17a-4 under the Securities Exchange Act of 1934 and NASD Rule 3110. SEC and FINRA rules require that for record retention purposes, the content of the communication is determinative and a broker-dealer must retain those electronic communications that relate to its “business as such.”"

Brokerage firms will now be required to archive and make discoverable business-specific content produced by their employees. They will also have to establish and maintain procedures that ensure a supervisor has either approved an interactive electronic communication before it is posted, or that a "risk-based" method of post-communication review exists and is exercised.

"While prior principal approval is not required under Rule 2210 for interactive electronic forums, firms must supervise these interactive electronic communications under NASD Rule 3010 in a manner reasonably designed to ensure that they do not violate the content requirements of FINRA’s communications rules.

Firms may adopt supervisory procedures similar to those outlined for electronic correspondence in Regulatory Notice 07-59 (FINRA Guidance Regarding Review and Supervision of Electronic Communications). As set forth in that Notice, firms may employ risk-based principles to determine the extent to which the review of incoming, outgoing and internal electronic communications is necessary for the proper supervision of their business."

In addition, FINRA's guidance states that all organizations under its purview must establish and communicate social media usage guidelines for their employees, and that those individuals must also receive employer-provided training on those guidelines.

"Firms must adopt policies and procedures reasonably designed to ensure that their associated persons who participate in social media sites for business purposes are appropriately supervised, have the necessary training and background to engage in such activities, and do not present undue risks to investors. Firms must have a general policy prohibiting any associated person from engaging in business communications in a social media site that is not subject to the firm’s supervision. Firms also must require that only those associated persons who have received appropriate training on the firm’s policies and procedures regarding interactive electronic communications may engage in such communications."

FINRA's guidance marks the beginning of a new era for financial services companies and their use of external social media. However, the Financial Services sector is not the only one that will be subject to regulation of communications made via blogs and other types of social software. An IBM Senior Product Manager related last week at Lotusphere that IBM customers in the Healthcare and Utilities industries were also beginning to ask about the management of user-generated and social content.

If your organization is currently required to comply with regulations pertaining to the use of email and instant messaging for business communication, expect to see similar requirements placed on your management of external blog and social media site posts in the near future. At some point, it is likely that these regulations will also be applied to internal communications conducted via enterprise social software.

Is your organization ready for this new era? Gilbane Group's seasoned advisors can help you prepare to manage user-generated and social content. Contact us today to learn how.

Suw Charman-Anderson posted a thoughtful piece with the title Businesses will live to regret their social media ignorance today. Her main point is that organizations that do not deploy enterprise social software behind the firewall will lose control of information as it spreads through public social media. This is an oft-heard refrain these days in the blogosphere.

Please don't misunderstand; I agree with Suw. If businesses want to retain some control over their information, they should provide secure, enterprise-ready versions of the specific types of collaboration and communication tools that employees want to use. For example, if the risk of information leakage via Twitter is too high, the organization should deploy an enterprise microblogging application on its own servers (or subscribe to a SaaS offering hosted by a trusted vendor).

What is especially valuable and somewhat novel in Suw's post is her recognition of the content management issues surrounding the use of public social media to share corporate information.  She writes,

"...you need to make sure you know how communications using these tools are going to be logged, archived, and made searchable. Mostly, archiving (or logging) is built in, so it shouldn’t be that difficult. Cross-archive search might be a little bit more interesting, but it’s worth your while because more time is wasted in re-finding information than in finding it in the first place."

Much of the dialog around enterprise social software has rightly been on connecting people to other people and the information and knowledge they possess.  The notion of using software to connect people to unstructured information hasn't gotten nearly as much attention in the Enterprise 2.0 discussion.  Perhaps content management is a dull topic in comparison to connecting people, but enterprise social software is essentially a content authoring tool and it has fueled growth in the amount of content created within an organization.

Traditionally, unstructured information has been housed in what most would call a 'document', but it also may be contained in a message authored in a microblogging, wiki, or instant messaging application.  Those messages must be stored, indexed, and searchable so that users can find valuable information after it has initially been documented and shared by the author.  The same content management principles that we've applied to corporate email must also be used to ensure the findability of information generated in and shared via enterprise social software.

What is your view on this issue?  Do you have horror stories or best practices to share?  If so, please do by adding a comment below.

Are you investigating technology for protecting your company's high-value documents and other intellectual property? Is better content security on your company's plate for 2008? Need to know the current state-of-the-art regarding enterprise rights management?

Gilbane Group is conducting a survey of companies that are investigating, adopting, and using rights management solutions for high-value enterprise content (contracts, HR policies, product strategies, regulatory compliance certifications, and so on). The results will be included in our upcoming study on Enterprise Rights Management: Business Imperatives and Implementation Readiness.

We are seeking input from IT, content management, and IT security professionals across multiple industries (excluding consumer media companies, which are outside the scope of this study). Some familiarity with enterprise rights management (ERM) or information rights management (IRM) is necessary (i.e., respondents need to have at least heard of the term).

The survey is online and takes about fifteen minutes to complete. In exchange for participation, qualified respondents will receive the aggregated survey results and the executive summary of the analysis. Respondents who fill out the survey in full and provide a valid business email address are also entered into a random drawing for a free one-hour phone consultation with the Gilbane ERM analyst team. Take the survey now. Contact us if you have any questions about the research or qualifications to take the survey.

Records management provider Iron Mountain is a company that has intrigued me for some time, as I've watched it morph from a regional to a global player in outsourcing services as well as one of the top best-of-breed RM players amidst the ECM suite and platform providers.

The company appears to have always placed great value on user education and sharing best practices, as demonstrated via a continuously expanding Knowledge Center, complete with an "Ask the Expert" section. User interfaces and content breadth/depth within this area are impressive, as is the series of quarterly, role-based newsletters on various topics. Incorporating multimedia into this strategy via the Tour Center has clearly been a major investment.

So, when I ran across the latest campaign featuring one of my all-time favorites, John Cleese, I figured I would check out the Friendly Advice Machine. I did not, however, count on an inability to tear myself away from it.

Frankly, it is one of the best examples of customer experience techniques I have ever seen. (Adweek agrees.) Targeting mid- to senior-level IT and legal professionals, it is creative, usable, informative, and hilariously funny. It uniquely incorporates "next step" offers and calls to action that quite literally spur your hand towards the mouse to find out "what's behind that icon?" It bolsters the brand management strategy rather than dilutes it.

Update: Yesterday's Stratify acquisition should help in the "bolstering" department as well....

Check it out -- especially the Dreaded Whitepaper offer -- and stay tuned. I'll be interviewing the company next week about the objectives and techniques that make this campaign stand out. In terms of global customer experience, I'll find out if Cleese has attempted to deliver it in Chinese.

With so much of our news focused on the Boston conference the last couple of weeks, you might have missed the publication of a new case study and a new white paper. Both are by Senior Analyst Leonor Ciarlone, and as usual, both are free. The case study is "The Global Customer Experience: Sun Microsystems’ Vision for the Participation Age", and is the topic of today's webinar. The white paper is "Eliminating the Fear Factor: Creating a Culture of Compliance", and a recording of the webinar covering this is available here.

SEC to Ease SOX Reporting

A story on page 1 of the Nov 10 Wall Street Journal reports that the SEC is re-evaluating interpretation of Section 404 of the SOX rule, which dictates internal review and external auditing of financial reporting systems.

Citing pressure from "the nation's business lobby," the SEC is taking steps to allow a "more flexible reading," and intends to "propose guidance . . . to help companies and auditors interpret Section 404 in a way likely to save them time and money." The new guidance is expected next month.

See "Business Wins Its Battle to Ease A Costly Sarbanes-Oxley Rule" for details.

$25 billion.
That's the cost of compliance in the U.S. Securities Industry for 2005 according to the Securities Industry Association (SIA).

59 percent.
That's the percentage of respondents to a SearchStorage.com poll that did not know if they were in compliance because they could not figure out what they have to do.

$15 million.
That's the amount Morgan Stanley was fined for failing to produce tens of thousands of e-mails during SEC investigations from December, 2000 through July, 2005.

No wonder compliance issues today = fear. They don't have to.

Compliance is about recordkeeping. The core issue is surprisingly clear -- focus on the lifecycle of paper and electronic communications – how information is created, routed, managed, accessed and archived.

Join us tomorrow, November 9, 2006 at 11:00am EDT for my panel discussion with Omtool CTO Thaddeus Bouchard and HP Financial Services Solutions Manager Joseph Wagle to discuss how to make compliance practices a seamless part of your business processes. Register here.

I am pleased to be able to offer 5 complimentary passes to the OCEG IT Forum being held at the Harvard Club in Boston on May 9th and 10th. I have already written about this conference in previous entries here – the conference focuses on the role of technology and the IT organization in governance, risk and compliance management.

This is not a technical conference – it is a conference on how all stakeholders can best utilize, prioritize and deploy IT and technology resources. Participation cuts across executive, line of business and senior technology roles and includes diverse perspectives including presentations from the CEO of Deloitte Consulting, CCO of Sun Microsystems, CSO of Bose, Sr. Director of IT Internal Audit from Microsoft, VP of enterprise risk research from Forrester and many more.

The registration fee is over $1,200 – this offer of complimentary registration offers educational and networking opportunity to those that care about these issues. If you think you or someone in your organization would benefit – please email me directly at sebastian@gilbane.com.

(For full disclosure – I am the co-chair of this event and that is how I am able to extend this offer).

Digital Rights Management (DRM) gets a lot of bad press about its use and misuse, much of it well-deserved. But there is a less controversial use of DRM technology for corporate applications. "Enterprise DRM" complements content management, firewalls, and other technologies in helping to ensure that sensitive information such as confidential documents, email, and application data do not fall into the wrong hands or get used in ways it shouldn't. Much corporate content needs to be managed according to certain rules (having nothing to do with copyright) that are outside the scope of workflow processes, and organizations are paying attention.

Our upcoming Conference on Enterprise DRM at Gilbane San Francisco is the first event devoted exclusively to DRM for corporate applications. The conference, chaired by Bill Rosenblatt of DRM Watch, will be a unique opportunity to explore DRM technologies and how they apply to a wide variety of business environments and technology architectures; several vendors will be on hand to demo their solutions. The program will include several case studies of Enterprise DRM deployments in such applications as financial services, human resources, high-tech manufacturing, and distance learning. The program will also feature leading analysts, including Rosenblatt, Jarad Carleton of Frost & Sullivan, and Trent Henry of Burton Group who will present a framework for analyzing Enterprise DRM solutions.

Executives from Enterprise DRM vendors, including Adobe, Cloakware, EMC/Authentica, Essential Security Software, Fasoo.com, Intelligent Wave, Liquid Machines, SealedMedia, and WorkShare will offer insights into technology and the market. The conference will feature panel discussions on technology issues such as Enterprise DRM for mobile devices, secure inter-enterprise collaboration, and integration of Enterprise DRM with content management.

DRM Watch and Gilbane readers can get a special $100 discount off the eDRM conference price of $495 by registering online with discount code "drmwatch".
