Data-driven information governance use case: information compliance
An international bank was feeling the sting of a recent anti-money laundering investigation.
Although it had done nothing wrong, the data in question was difficult and expensive to find. As the bank looked for solutions, it realized that a number of other areas needed the same capabilities: to find, classify, produce, and protect data. In particular, the bank’s European counterpart struggled to identify personally identifiable information (PII) flowing to the US and impacted by the EU General Data Protection Regulation (GDPR).
DRINKING FROM THE FIRE HOSE?
A relatively small amount of data is ever audited or examined for compliance purposes—until a catastrophe happens. The causes are inaccessibility, lack of resources, or lack of urgency, but they all come down to the same thing: examining all of an organization’s data is too large a task. Nuix can expand the scope of any compliance audit program with some of the fastest tools and innovative technologies in the industry.
- Nuix Workstation: The Nuix Workstation engine is not limited in the number of processors you can throw at the problem, nor is it tied to a SQL database to get the job done. You can assign many servers all pushing together to get through your data as quickly as you need, indexing and searching many terabytes per day if necessary.
- Elasticsearch: Add on top of that an advanced backend available as a database platform if search speed is critical and to tackle massive data volumes. Together, deep indexing and massive scalability can help you create, extend, deepen, and even migrate content to a data warehouse to make sure nothing is missed.
- Filtered Indexing: Nuix Data Finder searches and determines if the content is responsive before it commits to the index. You only need to store an index if it adds value; there’s no need to check out every book from the library when you need just one volume. Nuix Data Finder makes Nuix Workstation more efficient by only capturing regulatory-responsive data, producing an index with only 2-5% of your source content, depending on several variables.
- Speech Integration: ‘OCR’ your audio files to make them as searchable as everything else in your corpus of data. Nuix partnerships and technology integrations give you the ability to extract text from hundreds of hours of audio, especially helpful for large-volume, compliance-sensitive call centers.
INFORMATION COMPLIANCE IN NINE STEPS
Nuix shed light on the bank's dark data and helped it make fact-based decisions to move compliance forward.
1. Identifying your compliance criteria:
The first step in designing a compliant environment is choosing which compliance criteria are impacted by unstructured content. Your commitment to compliance is shown by how seriously you take it. Compliance is normally viewed as something that a regulatory agency enforces, but it can also come from internal business policies and needs, standards, compliance frameworks, and even best practices. The bank had never taken a holistic approach to identifying the impact of its unstructured content. The most obvious candidate is its stores of personally identifiable information (PII), but is that data more important than PCI, AML, or SOX data? Nuix provides the ability to capture and quantify content based on varied and complex queries across many data sources. Nuix file analysis can also answer questions like:
- Are you storing emails, multimedia, images, engineering drawings, or other compound documents that need special treatment? Does that require additional search or mitigation capabilities?
- Are you using databases on file shares to track information that could be holding risky content, including correspondence tracking, resolution coordination, case management, or contact lists?
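The filtered-indexing idea from the "Drinking from the fire hose" section and the capture-and-quantify step above can be shown together in one small scanner. The code below is an added example written for this page; it is not Nuix code and does not reflect how Nuix Data Finder is implemented. It classifies each document in a constructed sample corpus into regulated-data categories (PII via a Social Security number pattern, PCI via card-number candidates that also pass the Luhn check, AML via keyword matches), commits only responsive documents to the index, routes formats it cannot read to a separate extractor queue, and reports what fraction of the source content actually needed indexing. The category names, patterns, paths and file contents are all assumptions made up for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample corpus standing in for files on the bank's shares.
# All values (names, numbers, paths, text) are made up for this example.
SAMPLE_CORPUS: Dict[str, str] = {
    "shares/hr/new-hire-2019.txt": "Employee: Jane Roe, SSN 123-45-6789, start date 2019-03-01",
    "shares/ops/card-dispute-notes.txt": "Customer disputed charge on card 4111 1111 1111 1111, ticket #42",
    "shares/ops/test-fixtures.txt": "Use placeholder card 4111 1111 1111 1112 in the staging environment",
    "shares/eng/drawing-index.txt": "Pump housing rev C; see CAD file P-1001.dwg",
    "shares/aml/wire-review.txt": "SAR review: wire from ACME LTD flagged, analyst to follow up",
    "shares/it/build.log": "2019-03-01 12:00:01 build OK, 0 warnings",
    "shares/callcenter/2019-03-01-line4.wav": "<binary audio, not text-searchable>",
}

# Formats a text-only scanner cannot read. They are routed to a dedicated
# extractor (speech-to-text, OCR, CAD) instead of being silently skipped.
SPECIAL_HANDLING_EXTENSIONS = {".wav", ".mp3", ".dwg", ".pst", ".tif"}

# Assumed detection rules for three compliance categories.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
AML_RE = re.compile(r"\b(SAR|suspicious activity|structuring)\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs and deliberately bad test data."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Set[str]:
    """Return the set of compliance categories a piece of text is responsive to."""
    categories: Set[str] = set()
    if SSN_RE.search(text):
        categories.add("PII")
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        # The Luhn check is what keeps the staging placeholder out of the index.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            categories.add("PCI")
            break
    if AML_RE.search(text):
        categories.add("AML")
    return categories


def build_filtered_index(corpus: Dict[str, str]) -> Tuple[Dict[str, Set[str]], dict]:
    """Index only responsive documents; report volume saved and files needing another extractor."""
    index: Dict[str, Set[str]] = {}
    needs_extractor: List[str] = []
    source_bytes = indexed_bytes = 0
    for path, text in corpus.items():
        size = len(text.encode("utf-8"))
        source_bytes += size
        if any(path.lower().endswith(ext) for ext in SPECIAL_HANDLING_EXTENSIONS):
            needs_extractor.append(path)
            continue
        categories = classify(text)
        if categories:  # commit to the index only if the content is responsive
            index[path] = categories
            indexed_bytes += size
    stats = {
        "documents": len(corpus),
        "indexed_documents": len(index),
        "source_bytes": source_bytes,
        "indexed_bytes": indexed_bytes,
        "indexed_fraction": round(indexed_bytes / source_bytes, 3) if source_bytes else 0.0,
        "needs_extractor": needs_extractor,
    }
    return index, stats


def summarize(index: Dict[str, Set[str]]) -> Dict[str, int]:
    """Count responsive documents per category, the number a steering board would ask for."""
    counts: Counter = Counter()
    for categories in index.values():
        counts.update(categories)
    return dict(counts)


if __name__ == "__main__":
    idx, st = build_filtered_index(SAMPLE_CORPUS)
    for path, cats in sorted(idx.items()):
        print(f"{path}: {sorted(cats)}")
    print("per-category counts:", summarize(idx))
    print("indexed fraction of source bytes:", st["indexed_fraction"])
    print("needs a dedicated extractor:", st["needs_extractor"])
```

The point of the Luhn step is visible in the two `shares/ops` files: both contain a 16-digit number, but only the one that is a structurally valid card number is committed to the index. The audio file is not dropped; it is listed for a speech-to-text pass so the gap is recorded rather than hidden.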
2. Quantifying and prioritizing the effort:
The bank answered to several boards, regions, and political constituencies; it needed approval and authority to move forward. Educated guessing on the potential value of optimizing its compliance program was not enough to help it prioritize the effort. The answers to its strategic prioritization questions and their value resided in 25 years’ worth of electronic content saved on file shares and email systems. Nuix helped to quantify the answers:
- Who has been and is creating the information needed for compliance purposes, where are they storing it, and when and why is it being duplicated or lost?
- Since no one can do everything at once, which set of criteria for risk management and compliance should be addressed first, second, and third to provide the greatest amount of benefit?
3. Designing mitigation strategy:
Sure enough, the bank found that employees had sometimes been loose with their handling of clients’ credit card information. There were two parts to this—the individual documents or small short-term databases that were scattered across the shared drives and the more substantial client legacy databases that, even though they were controlled and purportedly secure, might have been unknowingly compromised or hacked. Mitigation, therefore, involved putting away the loose files (by deleting, compressing, encrypting, or securing them) and setting up a defensive perimeter to keep intruders out. A security solution for the bank also provided:
- Monitoring, detection, and protection of endpoint devices across the organization
- The ability to quickly respond to, investigate, and remediate malicious activity on the bank’s systems.
4. Pursuing your data evidence:
After the bank had performed compliance audits for data multiple times, it knew exactly what it was looking for across a number of different functions, but it still didn’t know how to do it efficiently. The Nuix Data Finder add-on to Nuix Workstation was the perfect tool for this problem. Nuix Data Finder automatically conducts information pursuits on a periodic basis across many servers, data centers, and sources, building a single complete collection in short order matching the specific compliance criteria desired. Nuix Data Finder also provides:
- Where data was found, when it was created, who created it, how it relates to other criteria, and enough details to figure out why it keeps appearing
- The ability to remediate issues the moment they are found (rather than waiting for the organization-wide index process to complete).
5. Purging old content:
There were a number of records classifications and purging capabilities that the bank could implement directly in Nuix. The fear of breaches and leaks was smaller 25 years ago, resulting in a large quantity of sensitive data residing in digital objects that had long been forgotten. Applying compliance to records management principles and defensibly removing the unneeded data lowered the bank’s risk. In addition to removing the ‘eTrash’, Nuix could help the bank mitigate some of the less-valuable expired content and reduce digital clutter:
- Where are there temporal (not event-based) files older than their retention period? These include computer logs, standard system reports, database outputs, and accounting data
- Which specific completed projects, comprising large numbers of files, could be isolated and removed?
6. Fixing process problems:
In the process of indexing and classifying content, the bank came across a number of file handling and storage management issues that it needed to address. It helps to be able to index and find critical data on an ongoing basis, but if there are recurring problems, you need to change the underlying processes and infrastructure, reducing risky or non-compliant data problems. Nuix helped identify other systemic issues:
- What happens to files that systems administrators moved in bulk, thus removing file ownership and creation dates? Which files are ‘owned’ by former employees?
- Why are specific reports from systems or processes being stored in unsecured locations?
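Steps 5 and 6 both reduce to questions that can be answered from file metadata alone: which temporal files are past their retention period, which files are still owned by former employees, and which files lost their real ownership and creation dates in a bulk move. The following is an added example, not Nuix code and not the bank's actual policy; it runs a triage over a constructed file inventory with an assumed retention schedule (logs one year, system reports three years, accounting data seven years), a fixed "as of" date, and made-up account names. Retention is measured from last modification, and a file whose owner is an administrative account and whose creation date equals its modification date is treated as a bulk-move suspect; both are assumptions chosen for the example.

```python
from datetime import date
from typing import Dict, List

# Fixed evaluation date so the example is reproducible (assumption).
AS_OF = date(2019, 6, 1)

# Assumed retention schedule in years for temporal (not event-based) record kinds.
RETENTION_YEARS = {"log": 1, "system_report": 3, "accounting": 7}

# Constructed inventory records; every path, owner and date is made up.
INVENTORY: List[dict] = [
    {"path": "shares/it/app-2017.log", "kind": "log", "owner": "svc_backup",
     "created": date(2017, 1, 5), "modified": date(2017, 12, 31)},
    {"path": "shares/it/app-2019.log", "kind": "log", "owner": "svc_backup",
     "created": date(2019, 1, 4), "modified": date(2019, 5, 30)},
    {"path": "shares/fin/ledger-2011.csv", "kind": "accounting", "owner": "j.roe",
     "created": date(2011, 2, 1), "modified": date(2011, 12, 31)},
    {"path": "shares/fin/ledger-2015.csv", "kind": "accounting", "owner": "j.roe",
     "created": date(2015, 2, 1), "modified": date(2015, 12, 31)},
    {"path": "shares/ops/daily-report-2014.pdf", "kind": "system_report", "owner": "a.smith",
     "created": date(2014, 3, 3), "modified": date(2014, 3, 3)},
    {"path": "shares/projects/merger-x/model.xlsx", "kind": "event", "owner": "a.smith",
     "created": date(2018, 9, 9), "modified": date(2019, 4, 1)},
    {"path": "shares/legacy/clients-1998.mdb", "kind": "event", "owner": "DOMAIN\\Administrator",
     "created": date(2016, 4, 1), "modified": date(2016, 4, 1)},
]

FORMER_EMPLOYEES = {"a.smith"}                  # constructed HR leaver list
ADMIN_ACCOUNTS = {"DOMAIN\\Administrator"}      # accounts used for bulk copies


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping Feb 29 to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expired_temporal_files(inventory: List[dict], as_of: date = AS_OF) -> List[str]:
    """Temporal files whose retention period, counted from last modification, has elapsed."""
    expired = []
    for rec in inventory:
        years = RETENTION_YEARS.get(rec["kind"])
        if years is None:          # event-based records are not judged by age alone
            continue
        if add_years(rec["modified"], years) < as_of:
            expired.append(rec["path"])
    return expired


def orphaned_files(inventory: List[dict], former: set = FORMER_EMPLOYEES) -> List[str]:
    """Files still owned by people who have left, so nobody is accountable for them."""
    return [rec["path"] for rec in inventory if rec["owner"] in former]


def bulk_move_suspects(inventory: List[dict], admins: set = ADMIN_ACCOUNTS) -> List[str]:
    """Files whose ownership and dates look reset by an administrative bulk copy."""
    return [rec["path"] for rec in inventory
            if rec["owner"] in admins and rec["created"] == rec["modified"]]


def triage(inventory: List[dict], as_of: date = AS_OF) -> Dict[str, List[str]]:
    """Group every flagged path by the reason it was flagged; a path may appear under several."""
    return {
        "expired_temporal": expired_temporal_files(inventory, as_of),
        "orphaned_owner": orphaned_files(inventory),
        "bulk_move_suspect": bulk_move_suspects(inventory),
    }


if __name__ == "__main__":
    for reason, paths in triage(INVENTORY).items():
        print(f"{reason}:")
        for p in paths:
            print(f"  {p}")
```

Note that the 2014 report is flagged twice, as expired and as orphaned, while the project model is flagged only for its owner: being event-based, it is not a purge candidate on age, which is the distinction between steps 5 and 6 that the text draws. A real run would replace the inline inventory with the output of a file-share crawl and the leaver set with an HR feed.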
7. Securing the border:
Security was next on the list for review and enhancement. Even if all the bank’s risky data is accounted for, losing sensitive data in a breach or attack can still cause terrible consequences. The bank plans to continually update its Nuix indexes and employ strategic defenses to:
- Limit its exposure to attacks by reducing its data stores to only include those records that it absolutely must retain, applying proper defensive technologies to protect that information and the systems storing it
- Monitor activity across its endpoint devices—workstations, servers, and mobile devices—to detect and block malicious activity as quickly as possible.
8. Tackling more formats:
A while back the bank realized that the data it managed for compliance purposes had expanded beyond the traditional office content and databases it previously monitored. The bank put together an audio team to deal with the 10,000 hours of audio files it collected and stored every day. Federal regulations required retaining the content, but it was used mostly for litigation discovery purposes on an as-needed basis. The staff in charge of compliance over the call center performed audits when they had the opportunity, but generally listened to only 2% of the recorded files. Occasionally, they had to outsource their work. This was clearly unacceptable. Nuix enabled the bank to include all its voice calls alongside emails, chats, and other communications seamlessly for auditing purposes. Nuix also:
- Allowed the bank to monitor conversations and topics in multiple languages across its regional hubs worldwide.
- Improved customer service by tracking and monitoring call sentiment and accuracy.
9. Tackling other information governance tasks:
The bank now knows that compliance support can address a number of information governance issues from a firm starting point and with appropriate representation within the organization. Next, the bank will be looking into other ways Nuix can help it answer the following questions:
- What are the benefits of an enterprise content and records management (ECRM) system?
- How does it perform due diligence on an upcoming merger with another bank?
- What is the best way to get access to content in its struggling email archive system?
- What risks does it face in consolidating its data centers?
- How can it best prepare for the inevitable need to perform digital forensic, incident response, or breach investigations?