Newsletter: May 2010
Welcome to the May 2010 State Agency RMO newsletter!
In this issue:
- Executive Records Symposium
- CyberSecurity: Cloud Computing
- Workshops
- Other training opportunities
Executive Records Symposium
The New York State Archives Partnership Trust and the Albany Law School’s Government Law Center have joined forces on a two-day event focused on the need for effective record keeping by elected government executives. Entitled Documenting Leadership: A Symposium on Public Executive Records in the 21st Century, the program is designed to explore the importance of the records generated by governors and other high-ranking elected public executives, such as presidents, attorneys general, and mayors. The symposium will be held on the Albany Law School campus, New Scotland Avenue, Albany, NY on May 20-21.
Panelists for the program are coming from throughout the nation and represent government, the media, academe, and law. Among the presenters will be former U.S. Attorney General and former Governor of Pennsylvania Richard Thornburgh, nationally renowned Presidential historian Richard Norton Smith, and former NYS Comptroller Ned Regan.
Sessions will include: Public Policy and the Public Interest; Transparency, Executive Records, and the Media; Executive Records: Access and Disclosure; Access in the Digital Age; and Executive Records as Legacy.
The event is free and open to the public. To register, go to www.albanylaw.edu/executiverecords/
CyberSecurity: Cloud Computing
This month’s cyber security missive from CSCIC is on the subject of cloud computing. For more information on how the use of cloud computing can impact records management, please contact the Archives.
What is Cloud Computing?
Cloud computing is a growing trend in information technology as organizations look for ways to save money and add flexibility to their operations. Cloud computing, while still an evolving service, provides on-demand network access to a shared pool of computing resources such as networks, servers, storage and applications. The pooling of resources allows the provider to rapidly scale to meet changing customer demands. The service is typically provided through a large data center. Cloud computing can be divided into three types: Software as a Service, Platform as a Service, and Infrastructure as a Service.
- Software as a Service (SaaS): Provides ready-to-use web-based applications, such as email, that are maintained centrally by a provider (e.g., Gmail, Salesforce.com).
- Platform as a Service (PaaS): Provides programming languages and tools that can be used by application developers to create and deploy applications on the web.
- Infrastructure as a Service (IaaS): Provides computing resources, such as virtualized servers and storage, whose usage is rented from a provider (e.g., Amazon EC2, Windows Azure).
In addition, cloud computing can be private (available to a single organization or group of users), open to the public, or some combination of these models. The growth in cloud computing is fueled by economies of scale. Cloud computing allows users to pay for what they need, when they need it.
What are the Security Concerns with Cloud Computing?
There are security and privacy concerns that must be considered before moving to cloud computing, including the following:
- Vendor Security: Cloud computing customers rely on providers to implement appropriate security measures to protect the confidentiality, integrity, and availability of data. Be wary of providers who are reluctant to share details of their security architecture/practices with customers.
- Isolation/Segregation: Users access cloud computing resources via a virtual machine hosted on an unknown physical machine. The physical machine may be shared with other users. Providers must ensure that multiple customers do not interfere with each other, maliciously or unintentionally.
- Data Location: Providers may have data centers located in other countries. Be sure your vendor contract stipulates any restrictions you may have on the physical location of where your data is stored.
- Management Interface: Customers access the cloud management interface via the Internet, thus increasing exposure to potential attack.
- Reputation Sharing: Bad behavior by one cloud customer may impact others using the cloud. For example, a customer engaging in spamming may cause a common cloud IP address to be blacklisted.
- Provider Viability: What happens to your organization’s applications and data in the event that the provider goes out of business?
- Compliance: Placement of data in the cloud does not eliminate an organization’s need to meet legal and regulatory requirements such as PCI or HIPAA. Organizations will need timely assistance from cloud computing providers to fulfill investigation/audit requirements.
What Should Organizations Do?
Organizations should fully research the risks and benefits of cloud computing before moving to that environment. It is critical that security requirements are addressed in contractual agreements in advance. In addition, there are steps organizations should take when using cloud computing:
- Data Classification: Consider the sensitivity of your data before making a decision of whether or not to put it in the cloud.
- Encryption: Encrypt sensitive data before placing it in the cloud.
- Authentication: Consider requiring multifactor authentication for access to cloud computing resources.
- Vulnerability Assessment: Include a requirement for a security review or vulnerability assessment as part of the service level agreement with the provider.
- Monitor: Require close monitoring of cloud computing resources by providers for unauthorized activity.
- Backup: Ensure that your backup data is not commingled with that of other customers.
- Notification: Require providers to provide timely notification of any potential data security breach.
Workshops
Electronic Document Imaging
Date: 05/25/2010
Time: 9:30-1:00
Location: New York State Records Center, State Records Campus - Bldg. 21, Albany, NY
Although imaging systems can store and quickly retrieve a large volume of documents, they can rarely be justified on that basis alone. To make optimal use of this technology, state agencies and local governments must first understand imaging technology. This workshop will cover how document imaging systems work, as well as how to plan for and implement new imaging systems, maintain access to images over time, and ensure that these image files will be admissible in a court of law.

