This final session at the ARMA Central Iowa Spring Seminar focused on enterprise social business software capabilities and considerations and described steps to capture social content as records.
12. “…fully networked enterprises are not only more likely to be market leaders or to be gaining market share but also use management practices that lead to margins higher than those of companies using the Web in more limited ways…”
21. Need separate accounts for most sites Many sites leveraging identity management Facebook Connect Twitter OAuth Identity management - commercial
22. Integration into identity infrastructure Ensure security and confidentiality Provide accountability Support for groups and ethical walls Access to other resources inside the organization Identity management - enterprise
23. Doesn’t exist for most sites Available for Facebook since Oct 2010 Some third-party services available Archiving - commercial
25. Some using FB Connect, Oauth Very little integration into line of business systems - today Integration with other systems - commercial
26. Allow import from other systems Allow export to other systems Integration with other systems - enterprise
27. Most commercial services offer very little in the way of analytics and auditing Some third-party services available, especially for Twitter Social “listening platforms” and CRM (sCRM) Auditing and reporting - commercial
28. Significant amounts of information available for reporting Who has done what What has been done to a particular article/item/etc. Any changes made to the system, security, etc. Auditing and report - enterprise 28
32. Is the information unique and not available anywhere else? Does it contain evidence of an agency’s policies, business, mission, etc.? Is the tool being used in relation to an agency’s work? Is there a business need for the information? Does it document a transaction or decision? Is it a record?
33. Commercial services will honor subpoenas Many will honor requests from law enforcement and government agencies May be limited in how much data they retain after an account is deleted Type of production will vary by provider Discovery and production
35. Our Twitter policy: Be professional, kind, discreet, authentic. Represent us well. Remember that you can’t control it once you hit “update.” Policy 2.0 – in 140 characters
38. Blog post Comments? Updates? Individual Tweet Links and shortened URLS? Wiki article The article? Its changes over time? It depends…. What’s the record? Prepare for discovery
42. Archive selected items locally Use search queries and monitoring Records management in brief Store selected items locally using search queries or RSS
43. Use the native backup to store locally Store locally using built-in tools
44. Use a third-party service to store locally Store locally using third-party service
49. Web 2.0 is here Prohibition is not a realistic option Web 2.0 tools can add significant value to the organization Lead your organization to use them effectively Conclusion
50. Jesse Wilkins, CRM, CDIA+ Director, Systems of Engagement AIIM International +1 (303) 574-0749 direct jwilkins@aiim.org http://www.twitter.com/jessewilkins http://www.linkedin.com/in/jessewilkins http://www.facebook.com/jessewilkins http://www.slideshare.net/jessewilkins For more information
51. “How Federal Agencies Can Effectively Manage Records Created Using New Social Media Tools”, Patricia Franks, Ph.D., IBM Center for The Business of Government, 2010 Guideline for Outsourcing Records Storage to the Cloud, ARMA International, 2010 Additional resources
52. “Managing Social Media Records”, U.S. Department of Energy, September 2010 http://cio.energy.gov/documents/Social_Media_Records_and_You_v2_JD.pdf “Best Practices Study of Social Media Records Policies”, ACT-IAC, April 2011 http://www.actgov.org/knowledgebank/whitepapers/Documents/Shared%20Interest%20Groups/Collaboration%20and%20Transformation%20SIG/Best%20Practices%20of%20Social%20Media%20Records%20Policies%20-%20CT%20SIG%20-%2003-31-11%20(3).pdf Additional resources
53. NARA Bulletin 2011-02, “Guidance on Managing Records in Web 2.0/Social Media Platforms”, October 2010 http://www.archives.gov/records-mgmt/bulletins/2011/2011-02.html “A Report on Federal Web 2.0 Use and Value”, National Archives and Records Administration, 2010 http://www.archives.gov/records-mgmt/resources/web2.0-use.pdf Additional resources
54. Florida Social Media Toolkit http://sites.google.com/site/flsocmed/ “Friends, Followers, and Feeds: A National Survey of Social Media Use in Government”, NASCIO, September 2010 http://www.nascio.org/publications/documents/NASCIO-SocialMedia.pdf Texas Dept of Information Resources Social Media Policy http://www.texas.gov/en/about/Pages/social-media-policy.aspx Additional resources
55. Compliance Building Social Media Policies Database http://www.compliancebuilding.com/about/publications/social-media-policies/ 57 Social Media Policy Examples and Resources http://www.socialmediatoday.com/davefleet/151761/57-social-media-policy-examples-and-resources Web 2.0 Governance Policies and Best Practices http://govsocmed.pbworks.com/w/page/15060450/Web-2-0-Governance-Policies-and-Best-Practices Additional resources
56. Social Media Governance policy database http://socialmediagovernance.com/policies.php “Analysis of Social Media Policies: Lessons and Best Practices”, Chris Boudreaux, December 2009 http://socialmediagovernance.com Additional resources
Editor's Notes
Security issues are probably the ones most often cited. Every day seems to bring another high-profile data breach. It’s important to remember that in the overwhelming majority of these cases the breach is not due to third-party hackers – instead, it’s often done by someone on the inside such as a disgruntled employee or former employee whose access was not revoked. And the next most common avenue for breaking into an application is through social engineering – guessing users’ weak passwords like “password” or “12345”, etc. Many of the larger Web 2.0 services offer physical and logical security comparable to, if not better than, what the organization provides because there is no way for rogue employees to directly access the system, the database, etc. [twitter]Web 2.0 tools are perceived to be less secure but not always the case.[/twitter]
It may seem obvious that a Web 2.0 tool requires internet connectivity to work, but organizations do not always think through the ramifications of that. An employee for an organization that moves entirely to Google Apps and Gmail, for example, would not be able to do any work on a plane and would have to either buy an air modem or buy or find Wifi internet access. And if connectivity should drop in the middle of drafting a long report, it is entirely possible that any unsaved work would be lost. Some services can work offline and synchronize, but these are still few and far between. [twitter]Web 2.0 tools have to be connected to work – no connection, no access.[/twitter]
These are closely related to security issues but have a couple of additional ramifications in the Web 2.0 sphere:First, different jurisdictions have different privacy environments. Some are much more permissive while others restrict even the ability of their users to agree to lower security. This can create interesting privacy issues when you consider that multiple authors and users may be collaborating from different jurisdictions on a website hosted in yet another jurisdiction. Privacy also works differently at home vs. at the work place. The question then becomes, in an era of Web-2.0-enabled teleworking, whether from home or at the local Internet café, which set of rules applies? What about when the work is done on a user’s personal laptop and network vs. when the work is done on a work-provided laptop? Is this even relevant anymore if the data isn’t stored on the laptop but is instead stored in the cloud somewhere?[twitter]Privacy considerations – as noted earlier, plus issues with different jurisdictions and line blurring between home and work.[/twitter]
Another concern many organizations have regarding these tools is what happens if they go down? A key benefit of having the application onsite is that if it does go down, IT can be sent to fix it. This assumes of course that IT has the expertise and the bandwidth to address it and that it wouldn’t require additional assistance from someone offsite anyway. For the better tools, downtime is generally measured in hours per year; compare that with many of your onsite applications. [twitter] What happens if the tool goes down? Most tools’ uptime compares favorably with organizations’ IT shops.[/twitter]
And one of the biggest issues is what happens if the vendor itself goes out of business: Where’s your data, who has access to that data, can you get it back. In many jurisdictions privacy laws govern this; that said, how do you exercise those rights after the vendor closes shop, particularly if the vendor was located in another country?[twitter]One of the biggest issues is what happens to your data if the vendor itself goes out of business. SLAs are good but may not be sufficient.[/twitter]
Vendor lock-in. Certainly if the vendor closes shop, you’ll want to move your data to another vendor. But even if it doesn’t, you may decide that you want to migrate your data either to another commercial service or to an internal enterprise-friendly one. Some services make this much easier than others – and this is nothing unique to Web 2.0; integrators and vendors have long made lots of money migrating your stuff from another vendor’s application to theirs. But it is something to take into account. [twitter]Vendor lock-in can also be an issue, making it difficult to move your data to another provider.[/twitter]
The first step many organizations take to manage Web 2.0 is to try to block them. This is unrealistic for a number of reasons.
Moving into mainstream
Technology often moves from the consumer space to the enterprise – consider everything from CDs to instant messaging. But often the technologies require very technology-savvy users, a bit of hacking about, and at least the tacit acceptance if not outright assistance of IT to implement. Web 2.0 is sometimes referred to as “Shadow IT” because it is so easy to implement and use without IT’s assistance. Many of these tools are free, or extremely low cost. The software that runs Wikipedia for example is open source (and therefore essentially free). It’s a complicated product – but if you don’t need that scalability and robustness, you can set up a very feature-rich yet intuitive wiki from pbWorks or Wikispaces for very low cost in about 15 minutes. And most of the other tools we discussed earlier are similar. [twitter] Web 2.0 is sometimes referred to as “Shadow IT” because it is so easy to implement and use without IT’s assistance.[/twitter]
The gatekeepers to the enterprise, whether IT or RM, are also challenged by the fact that There are so many of these tools and they change so quickly.You saw the Simplespark video earlier; this screenshot is for almost exactly a year ago. Since then 40% of the applications have shut down, but 60% more have been created (and again, these are just the ones listed through Simplespark). You can’t rewrite your policy quickly enough to address them all, and IT can’t block them quickly enough to keep them all out. [twitter]There are too many of these tools and they change too quickly for IT to be able to block them all.[/twitter]
And no matter how much technology IT implements and how many policies RM, legal, etc. write, it’s going to be difficult to block these technologies because almost everyone has a smart phone with a browser, applications, or both that can access them.[twitter]And it’s tough for IT to block or RM to regulate because everyone has their own smart phone with browser and/or apps for social media tools.[/twitter]
I’ve been a big proponent of these tools for a number of years, and as recently as a couple of years ago I suggested to a group of records managers that they might need to look at some of these tools for a number reasons including some I’ve already described. There was some discussion about the pros and cons, and then one woman said, “I’m sick of hearing about how we *have* to do this or that. There’s a reason it’s called work, and if new employees can’t work the way we tell them to, they can work somewhere else!” I thought back to a presentation at Office 2.0 2007, where someone from Morgan Stanley told us a story about demographics. It seems that this person’s high school reunion was coming up, and for a lark he looked to see how many of his class were on Facebook. Less than 10% of them were. He then decided to check subsequent classes of his high school to see how many of them were on FB, and checked them every three years from 1990 (his class) to 2003. By 2005 more than 95% of the high school class was on FB. His point was that at MS, about 10% of employees were part of that “Facebook generation”. But the demographics were such that within 5 years 35% would be, and within 8 years more than 50%. The moral of the story is not that you need a FB account. It’s rather that if you’re not part of the FB generation, you’re going to be outnumbered in the not-too-distant future. At some point you may work for one of them. And if you don’t understand how those users work and use those tools, you may find yourself irrelevant to the organization. [twitter]If you don’t like change, you're going to like irrelevance even less. Gen. Eric Shinseki, 11/8/2001[/twitter]
The first step is to determine whether or not something is in fact a record. Just as we know that most email messages are not records, for most organizations their Facebook fan page updates will not be records either. In other words, we have to ask the same questions about these tools that we’d ask about any other type of information:Does it document a transaction or a decision? If it does, it’s probably a record. Is it captured in another form? This is the biggest reason why most social networking sites like Facebook and Twitter wouldn’t need to be captured as records – in most cases they are being used as another transmission mechanism for information stored elsewhere. Now, just because it isn’t a record doesn’t mean it couldn’t be discoverable or a public record and subject to FOIA-type laws. Again, same considerations here as for other types of information. [twitter]Determine whether something is a record or not according to its content and context.[/twitter]
Before we move on, a couple of points about discovery for these tools. First, commercial services will honor subpoenas and other types of appropriate requests from law enforcement or government agencies. Some are more forthcoming, others require formal written notice such as a warrant. Second, many of these services limit how much data they retain. In other words, a user’s Gmail account may have messages dating back several years. But if the user deletes his account, the technical ability of Google to provide access to that information may be very short-lived because Google doesn’t keep backups for long periods of time. Note that this is no different from an organizational email account where the inbox has not been subject to a litigation hold – users cannot delete their accounts, but they certainly could delete all messages ever sent or received from their inbox, and once the backups are gone, so are the messages. And what is produced and how will vary by provider. For a Gmail or Yahoo mail account, production as messages is quite likely; for Twitter, it could be provided as an XML stream, some type of spreadsheet, etc. [twitter] Web 2.0 services will comply with production requests but format, amount, etc. will vary.[/twitter]
As we just noted, the records management or communications policies (or both) should address the use of these tools. We’ll look at some examples of policies over the next few slides. At a minimum, the policy should address: Identity, relationship, and transparency – is the account official or unofficial?Security, confidentiality, and sensitive informationComments and responses to commentsResponding to others’ posts on commercial sitesAccuracy and ethicsMonitoring and auditing[twitter]Address these tools in the records or communications policies (or both). [/twitter]
Here’s a very succinct Twitter policy from a blog by an HR-focused law firm, GruntledEmployees.com. “Our Twitter policy: Be professional, kind, discreet, authentic. Represent us well. Remember that you can’t control it once you hit “update.””Pretty good, right? Now, you could argue that this policy is missing a lot of the stuff I just mentioned. But I don’t know that I agree – authentic, professional, discreet, represent us well – that’s pretty close. And regardless of what you think might be missing, I’d argue that if your employees follow this policy, you won’t have many issues with them. And note that this policy is itself Tweetable. [twitter] Policy 2.0 – in 140 characters, courtesy of gruntledemployees.com. http://is.gd/8BpjT[/twitter]
Prepare for discovery. This means having the same type of data map you have in place inside the organization, but with listings of all the services you use, the accounts used there, etc. At a minimum you should list any official use of services and official accounts. It also means understanding the process for getting at that information in the event of litigation, FOIA request, etc. The time to put that process in place is before the subpoena is received. For hosted tools, such as FB or Twitter, it may mean taking periodic snapshots of what is posted to them. Right now there aren’t a lot of tools that do this; one way that can be effective is to capture the RSS feeds generated by these tools. As updates are made, they are published through the RSS feed, which can be saved locally. It might also require working with the third-party vendor in the event that some information or some updates are not available through RSS – for example, web-based email. It’s also important to note that at least for commercial solutions there is very little ability to put or enforce legal holds or to prevent a user from deleting an account, at least without a subpoena and without doing it before the user knows to delete it. [twitter]Prepare for discovery in advance, including listing official use of services and accounts.[/twitter]
Finally, there are enterprise versions of every Web 2.0 application. These enterprise versions are often available to be hosted inside the firewall, meaning that security is much more robust. Access can be secured to them much more effectively. They can be integrated into the organization’s identity infrastructure – whether Active Directory or something else – such that any change, post, comment, edit, update, etc. can all be tracked and, more importantly, tracked to a specific named user. No anonymous postings here. Of course, you have to pay for an enterprise version, but what you’re really paying for is a level of peace of mind. And you still get many of the same benefits – ease of use, familiarity with the type of tool, rapid and agile collaboration across geographical and time boundaries, etc. You’re just getting a more secure and robust version of it. [twitter]Consider implementing enterprise versions. FB is FB, but internal tools might be more appropriate.[/twitter]
At this point I’d be pleased to entertain your questions. [twitter]Questions? @jessewilkins or here. No promises I’ll answer today but will try to answer.[/twitter]
In conclusion, Web 2.0 is not something coming down the road or over the horizon – it’s here today and is probably in your organization, whether you know about it or not. It is all but impossible to effectively prohibit them – and the tools can significantly improve an organization’s collaboration and knowledge sharing, thereby adding value to the organization. It is incumbent on records management professionals to step up and lead your organizations in the effective use and management of these tools.
[twitter]These slides will be posted shortly to: http://www.slideshare.net/jessewilkins8511.[/twitter]