Posts tagged ‘Records Retention’

Google continues to roll out new applications to make sharing information easier. Kudos to them for some really creative programming. From a security point of view, though, you have to wonder what they are thinking.

Their Google Apps Team Edition allows employees to sign up for the Google Applications without any assistance or oversight from IT. Team Edition contains the core applications and collaboration services like the word processor, spreadsheet, Start page, Talk instant messaging and calendar, but does not include Gmail.

In any regulated or litigious industry, this is a recipe for disaster. You might save a few bucks on word processing and spreadsheet software but you’re going to pay far more the first time you have to comply with an electronic discovery request or get into a dispute based on the Terms & Conditions of the application. Not only are you putting your confidential data in someone else’s hands and trusting to the security of their data center with little or no evidence of their worthiness of that trust, you’re also still exposing all your data to the Google search indexing algorithms. (For more, see the Tip from April 2007.)

Luckily, you can block the worst aspects of the application/data sharing without having to block off all of the google.com domain. If your internet filter has a category for filesharing or for “Network Storage and Backup”, make sure that category is blocked. You should also strongly consider blocking any category about “Web chat” so you don’t have to worry about electronic discovery requests for instant messages that you didn’t properly control.
Read more about Google Apps’ latest attempt to bypass the business at ComputerWorld.com.


Update to Suing the scareware vendors (27 Oct 2008)
The Federal Trade Commission has gotten a restraining order against two companies who were marketing scareware software. It’s very good to see law enforcement successfully prosecuting these scammers. Remember, however, that there are lots more out there. Always be suspicious of pop-up ‘alerts’ and ads warning you about “illegal porn content” or “compromised software” on your computer. Read more at the FTC’s consumer alert page.

We talked last week about the problems of holding onto old documents. Microsoft just made the problem even more complicated.

In the Service Pack 3 (SP3) update for Office 2003, Microsoft is blocking a number of older file formats so they can no longer be opened by MS products like Word, Excel or PowerPoint. Microsoft is walking away from its commitment to backwards-compatibility because many of the older file formats had weaknesses that could be exploited by hackers to insert viruses and other malicious code into your computer. By disabling the older formats, Microsoft reduces the vulnerability of the Office applications to some of those kinds of attacks.

The problem is that if you are keeping old files in their native format as part of your records retention plan, you may no longer be able to open them. (Worse, if you get sued and have to turn over those documents, the courts don’t care about format compatibilities. You still have the documents – it’s your responsibility to make sure that they can be opened and evaluated.)

Microsoft has two workarounds for this problem – neither very good.

The first involves modifying your registry settings so your computer can still open the older formats. That is a high-risk action and I do not recommend it. Not only does it defeat the security advantage of the change, any mistake when editing the registry settings can corrupt your entire computer. Even Microsoft warns against it saying “Serious problems might occur if you modify the registry incorrectly.” and “Modify the registry at your own risk.”

The second is to convert all your historical documents to the newer format. Microsoft has some automated tools to help but the conversion process is much more labor-intensive and error-prone than I think Microsoft wants to admit. I would seriously question the business case for converting any but your most critical of official records.

There is a third option which I consider far better. Take this opportunity to check those old documents against your retention policy and clean out the ones that you should have gotten rid of long ago. For the few that you must retain, make sure that you are keeping your business records in a stable format. Don’t save files in their native MS Word document format – convert them to PDF or even TIFF. Those formats are simpler and have far fewer holes that a hacker could exploit. They’re also designed to remain readable across many generations of software.

Call your IT team for instructions on how to convert an old file to an updated format.


Addendum:
Bill Wilson at IIABA’s Virtual University published the tip above in his newsletter and received the following question.
What are the file extensions that Microsoft has abandoned? I think it would be very helpful to know as we would then be able to do searches for those file types stored on our system. Thank you.

As Bill pointed out to the caller, the file extensions alone will not tell you which file formats have been disabled since Microsoft continues to use the same file extensions for the newer versions of its software. (A Word document carries the .doc extension whether it’s Word 1.2, Word 2003 or any version in between.) Microsoft has a little bit more information about the changes here but no new answers.

You can read another article about the problem at wired.com.
Thanks to Bill for finding those extra links.
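
Since the extension cannot be trusted, an inventory has to look at file contents instead. The script below is an added example, not something from Microsoft or from the original tip: it walks a folder, picks out files with Office-style extensions and labels each one by its leading bytes. It assumes a short list of well-known container signatures; a signature identifies the container only, not the application version that wrote the file or whether SP3 blocks it, so anything labelled "unrecognized" is a candidate for manual review. The sample files are constructed for the demonstration.

```python
import os
import tempfile

# Leading-byte signatures of common document containers (assumed shortlist).
SIGNATURES = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2-compound-file"),
    (b"PK\x03\x04", "zip-container"),
    (b"{\\rtf", "rtf"),
    (b"%PDF-", "pdf"),
]
# Extensions to inventory; adjust to match what your file shares hold.
OFFICE_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pps"}


def classify(path):
    """Return a format label based on the file's first bytes, not its name."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if not head:
        return "empty"
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    return "unrecognized"


def inventory(root):
    """Walk root and map each Office-named file to its content-based label."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in OFFICE_EXTENSIONS:
                full = os.path.join(dirpath, name)
                results[os.path.relpath(full, root)] = classify(full)
    return results


def demo():
    """Write constructed sample files that share one extension, then inventory."""
    samples = {
        "policy.doc": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 16,
        "memo.doc": b"{\\rtf1\\ansi constructed sample}",
        "ledger.doc": b"\x01\x02constructed bytes, no known signature",
        "notes.txt": b"ignored: not an Office extension",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return inventory(root)
```

Calling `inventory()` on a real share returns a path-to-label mapping that can be sorted by label to see how many same-named `.doc` files are actually different formats.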