Security Training Videos:
“For the Record”
by M. E. Kabay, PhD, CISSP-ISSMP
Associate Professor, Information Assurance
Dept. of Computer Information Systems
Norwich University, Northfield, VT 05663-1035 USA
This series of short reviews is intended to help security-awareness officers evaluate training videos for their training programs. The author and his employer have no financial interest in or involvement with the companies whose products are reviewed.
* * *
The training video “For the Record” from Commonwealth Films < http://www.commonwealthfilms.com > is subtitled, “Records/Information Management.” The story begins with “JPT Corporation’s” acquisition of “Essex Ltd” under investigation by the Department of Justice for possible violations of anti-trust laws. Executives pore over the demands from the DoJ for a multitude of documents. The question: can the company find the specific documents under subpoena? If the company fails to produce what is asked for, there can be months of delay and legal costs in the millions.
In theory, the records are supposed to be retained according to policy; well-organized so they can be retrieved easily; and reviewed periodically for scheduled destruction or archiving. The policies look good, but in fact many employees have deviated from those policies.
In the last 24 hours before the deadline, the managers realize that many people cannot locate the records they want; some employees destroyed data prematurely; others kept everything; and in some cases, there had been a physical disaster in a sector without backups.
In one interesting case study, “Ralph” is a pack-rat who uses a Last-In First-Out filing system. He has stacks of paper on his desk “organized” according to when he last used them. There is no order within the stacks, so he has to look at each document in turn until he finds what he wants. In addition to making a mess, Ralph’s style is insecure: anyone can see or borrow records from his piles. His computer files are equally messy: he says that he has “a few simple directories so that he can’t lose anything.” However, say the analysts, he can’t find anything either. His directories have hundreds of cryptically-named files without descriptions, and even Ralph has to open each one to see what it is – a dreadful waste of time.
In another case, an employee who is a control freak decides to delete correspondence from her hard drive because she thinks that a dealer’s accusations of unfair business practices would look bad to anti-trust investigators. However, this violation of the records retention policy raises a red flag because the deletions are selective – and a relatively simple investigation is almost sure to turn up copies elsewhere: backups, a co-worker’s PC, or the correspondent’s computer. The picture created by this overzealous employee is the opposite of what she hoped: it makes the company look worse, not better. In addition, the control freak chooses which files to back up and then stores the backups at her home – a clear violation of security principles. Her sequestered records, which she perceives as her own property, are not available to her colleagues when they need them.
A third employee cannot dispose of anything, regardless of policy. He sends absolutely everything to archives – every draft, every note, every temporary note, every memo. His computer matches his paper style: his disk has every version, every trial, every e-mail message he has ever created or received. As a result, sifting through his data to respond to the DoJ subpoena takes days – days that put the company at serious risk of failing to meet its critical deadline.
Finally, another employee illustrates what happens when you don’t do backups. She feels that backups are low priority, so she skips them. When the sprinklers go off in response to a minor fire, her equipment drowns and she loses everything on her workstation. Recovery is impossible and there are serious repercussions because of the missing files.
As usual with Commonwealth Films’ products, the video comes with a good one-page, double-sided pocket summary in PDF on the CD-ROM. The video was produced by Jennifer Wry, the writer was Webster Lithgow, and several industry experts provided technical assistance.
I know that it will seem uncritical, but yet again I have to say that I enjoyed this film; I liked the people, I enjoyed the case studies, and I think it succeeds in getting the message across in an entertaining and information-packed twenty-three minutes.
Commonwealth Films are in Boston; phone 617-262-5634.
* * *
Information about M. E. Kabay, PhD, CISSP-ISSMP < mailto:mekabay@gmail.com > is available at < http://www.mekabay.com/ >.
Copyright © 2003 M. E. Kabay. All rights reserved.