State of Washington



In preparation for a move to Office 365, the State of Washington evaluated how well OneDrive for Business (OneDrive) satisfies state requirements to store and handle documents and files. We assessed whether, and under what conditions, state documents and files should be stored on OneDrive to support the regular course of state business.

Executive Summary

Proceed with caution, as described below.

Agencies should establish a limited number of approved locations for storing files and documents. OneDrive for Business could be one of those locations when it is used according to this report's recommendations.

For document creation: employees could create documents on OneDrive and collaborate with others to do so, subject to the security restrictions in this report.

For document use and long-term management: completed documents used only by the employee can remain in the employee's OneDrive workspace. All documents intended for use by other people should be stored on other approved platforms where the agency manages permissions and retention, such as file shares, ECM, or SharePoint. Employees should think of OneDrive as their individual workspace, similar to My Documents on their PCs or their individual drive on a file share.

Process for Study

Borrowing from agile methods, the team used user stories to evaluate OneDrive for Business from the perspective of each of the major roles needed to manage electronic records: the user, central account administrator, records manager, IT security, legal, and public disclosure.

The team employed the records management concept of a record's lifecycle. The lifecycle phases used in this report are creation, active use, and retention (through disposition).

The OneDrive evaluation was based on materials from the following previous official efforts:
- Online File Storage and Synchronization Master Contract RFP (for systems of engagement)
- Enterprise Content Management Master Contract RFP (for a system of record)
- Online File Storage Guidelines from the Office of the Chief Information Officer, 2012 (for systems of engagement)

The two RFPs and the Guidelines constitute the standard of care for managing state documents and files as core assets of government. They were collaboratively developed by a community of Washington state agencies and experts responsible for records management, public records requests, legal services, technology, IT security, and privacy, and they incorporate business and external regulatory requirements from numerous agencies. As with this OneDrive evaluation, future storage and sharing tools can be evaluated by customizing and reusing the RFPs and Guidelines.

OneDrive Evaluation Team Members

Name, agency: role
- Kristal Wiitala, DOR (previously DSHS): Public Records, Information Governance, Legal
- Anita Wieland, OFM: Records Manager
- Mark Glenn, MIL: Deputy CIO
- Alex Hamilton, MIL: CISO
- Cynthia Whaley, MIL: Public Records Officer
- Bernadette Petruska, MIL: Program and Policy Analyst
- Eric Dazell, ESD: Desktop Engineering
- Daniel Hoinowski, ESD: Application Architect
- Renee Linder, ESD: CIO
- Robert Page, ESD: Public Records Officer
- Leslie Turner, SOS: State Electronic Records Management
- Chuck Pfeil, SAO: Deputy of Performance Audit, State Records Committee
- Michelle Tuscher, ACB: CIO
- Jennifer Sciba, ACB: Deputy Director
- Ed Lukowski, WSSB: IT Manager
- Martin Singleton, ATG: IT Consultant
- Frank Welter, DRS: Network Technician
- Jay Walsh, DRS: ITS Manager
- Michelle Blake, WSDOT: Architect
- Aaron Munn, SAO: CISO
- Bruce Wirth, SAO: Records
- Nancy Krier, ATG: AAG for Open Government, Legal
- Angie Ragan, DSHS: Enterprise Cloud Architect
- Paul Cox, DSHS: Chief Enterprise Architect
- David Lee, DOH: Technical Resource Director
- Phil Brady, DFI: Public Records, Privacy, Legal
- Cynthia Jones, DFI: Information Governance, ECM Architect
- Dave Kirk, DFI: CIO
- Matt Stevens, WaTech / OCS: Statewide IT Security
- Will Saunders, OCIO: Statewide IT
- Jason McKinney, WaTech: State IT Architect
- Karen McLaughlin, WaTech: State IT Architect
- Steve Finney, Microsoft: State Account Executive
- David Zarling, Microsoft: OneDrive SME
- Abel Cruz, Microsoft: Technology Strategist
- Stephen Rose, Microsoft: OneDrive Marketing
- Chris McNulty, Microsoft: SharePoint Marketing
- Ian Story, Microsoft: SharePoint Engineering

Many of these individuals are leading authorities for the state in their respective areas of expertise.

Team Observations

Usability / Designed Use
- OneDrive for Business is a flexible home for an individual employee's documents.
- Great for individual contributors.
- Collaboration with others.
- Mobility.
- Usability.
- Flexibility.
- Basic hold/search.
- It is based on SharePoint; each account is a piece of SharePoint allocated to an individual employee.
- Global settings are centrally managed by the agency, while employees manage permissions and other features.
- Except for system administrators, materials in an individual's OneDrive for Business account are not visible to other employees unless they are specifically shared.
- OneDrive for Business is different from the consumer version that comes with a Microsoft account or internet email. Microsoft does not recommend the consumer version for state agency use.

Central Administration
- Most systems administration, records management, and disclosure work is done in SharePoint, not OneDrive.
- Evaluation team members found the administration functions intuitive, easy to use, and appropriately reachable from anywhere, once they knew where the tools were located.
- Evaluators were concerned about visibility of agency work product to other agencies, and about trusting WaTech as the central administrator.
- There were concerns over agency-configurable versus global controls and settings when addressing the needs of individual agencies.
- OneDrive provides many automatic retention rules, but because of configuration complexity it is easy to set up incorrect rules for event-based triggers (e.g. "six years after case is closed"). Most state retention schedules are event-based, not based on the date of the record.

Security
- As with any cloud service, special care must be taken when granting access permissions to other users, especially those external to the agency. Permissions granted on a folder apply to everything it contains, so confidential documents (category 3 or 4) in the shared folder or in folders alongside it could be unintentionally exposed to other staff, agencies, or the public.
- Each employee manages permissions to the files and folders within their own OneDrive account; general global settings also apply.
- The picture is improving: good security controls protect documents in transit and at rest, and all data is automatically encrypted at rest and in transit.
- Two-factor authentication is part of Office 365, but it does not yet meet Washington's needs: it does not yet integrate with SAW (Secure Access Washington) two-factor authentication.
- Mobility and access to data on all devices is a benefit.
- Some security features require special licensing options that agencies do not currently have.

Records Management / Retention
- Good audit log and maintenance features support the integrity of records.
- Document versioning is available.
- Evaluators liked the automatic application of retention rules, but event-based triggers such as "six years after case is closed" depend on workflows. Most retention schedules are event-based, not based on the date of the record.
- Retention capabilities exist (see Supporting Materials below), but a great deal depends on employees storing data and records properly. If they do not, these capabilities do not protect agencies.
- The focus, and the onus, is still on the individual employee, which lets staff continue poor records practices.
- OneDrive still emphasizes "personal" folders, perpetuating silos of information within work units and enterprise-wide.
- "Unlimited" storage continues to build volumes of information and data without any means of accountability or defensible disposition.
- OneDrive does not fix an agency's lack of file organization or records management.
- Issue: which agency has responsibility for shared records? OneDrive provides few meaningful tools to enable better practices in this area.
- There are costs for migration of records and for add-on tools.

Public Disclosure
- E-discovery search results must be exported to different software to be refined, processed, redacted, and published: more copies, more tools to purchase, and more expense and complexity compared to the email tools in use today.
- There is no way to review incremental search results and save progress within the search tool, nor to exclude duplicate results.
- Adequate discovery search is not supported with our license.
- Agencies will still need to use Discovery Accelerator and the vault for email.
- It lacks full electronic data records management support.
- Evaluators liked the ability to search multiple locations, such as Skype and OneDrive, in one sweep.
- Litigation holds may be placed at the account level or via a search. These searches can be granular, but OneDrive does not permit holds to be applied or removed for individual items, resulting in over- or under-inclusion.
- "One more place to search; one more tool to learn. Storage and tool sprawl."
- The Public Records Act requires an agency to produce records it "prepares, owns, uses or retains", regardless of how they are shared or stored. With cloud-based systems like OneDrive, how will agencies produce documents they share but do not own? State-endorsed systems must help agencies comply with the Public Records Act, or they should be discarded.

Recommendations: How to Use OneDrive for Business

Based on observations of OneDrive and Washington's requirements for employee usability, central administration, records management, IT security, and public disclosure, the team makes the following recommendations on using OneDrive for Business.

Employees should think of OneDrive as their individual workspace, similar to My Documents on their PCs or their individual drive on a file share ("home drive"). The types of files approved for storage in those locations could be stored on OneDrive. In all cases, agencies and employees should use OneDrive for Business and not the consumer version.

For each phase of the document lifecycle, documents could be stored on OneDrive for Business and other storage systems as follows.

Creation phase. Employees could store documents on OneDrive for:
- document creation and editing, enabling a mobile, flexible workforce;
- ad-hoc collaboration during creation ("hey, look at my draft");
- sharing and collaborating on category 1-3 files within an agency, or between agencies within the Office 365 tenant;
- sharing and collaborating on category 1-2 files outside the Office 365 tenant.
Other agency storage systems could be used as well.

Active use phase. Documents and files intended predominantly for an individual employee's use can be stored in the employee's OneDrive for Business workspace. Documents intended for dissemination or use by others, inside or outside the agency, should be stored on other approved platforms where the agency manages permissions and retention, such as file shares, ECM, or SharePoint.

Retention phase. Same as the active use phase above. Some documents have complex retention triggers and calculations; be sure to store these documents on systems that can meet those requirements.

If an agency is thinking of moving all file shares to "the cloud":
- OneDrive is not the tool for this purpose.
- SharePoint can work, but it presents governance challenges and the limitations inherent in hierarchical folder structures.
- Our team's records managers and security specialists expressed discomfort with this approach.

Agencies choosing to use OneDrive for Business should develop policies and procedures on appropriate employee use, and incorporate best practices for records management, privacy, security, and disclosure.

OneDrive for Business, like other tools in this space, is in active development, and new features are implemented on an ongoing basis. Examples include:
- two-factor authentication for collaborators outside the state enterprise;
- preservation policies that could help with records retention.

Important Take-Aways

Agencies appreciated the process of this study: "WaTech was listening."

All documents are subject to retention, whether "transitory" (not required to be kept past its business use) or some other approved retention period. Be sure to use storage systems that help agencies calculate and meet their retention and disposition requirements.

OneDrive for Business presents a few implementation risks and opportunities:
- It must be distinguished from OneDrive (the consumer version), which comes pre-installed on Windows desktop operating systems. Microsoft marketing does not distinguish the products well.
- It continues to promote ad hoc, difficult-to-manage folder and filing schemes on yet another storage system. This promotes agency waste and the risk of public disclosure fines, with theoretically unlimited storage capacity and no cost drivers to encourage proper file management.
- Unless carefully configured to prevent it, it could allow employees to mingle personal data from personal accounts with state data and accounts through a simple drag-and-drop. This is a significant risk to state agencies.
- Built-in sharing tools (both internal and external) are attractive but raise the risk of inadvertent disclosure of confidential state data.
- Microsoft's messaging regarding its different product offerings is unclear at best and must be addressed with agency employees, particularly in drawing the lines between OneDrive, SharePoint, and Office 365.
- The decision to allow external access may need to be a universal, tenant-wide setting, which not all agencies may agree on.

Employee training across agencies is essential for most WaTech services that are employee-facing and that manage state data, OneDrive included. Training avoids security, records management, and public disclosure risks stemming from a lack of understanding and improper use.

WaTech and its customers should expect a significant effort whenever agencies start up any new statewide tool or system, especially those that are employee-facing and manage state data. This is not peculiar to OneDrive, but it is sometimes overlooked in state IT.

During public disclosure, an agency must notify another agency when it discloses "shared" documents belonging to that agency. Agencies should address this concern in data sharing agreements before it occurs.

Supporting Materials
- Evaluation document (on )
- Written Responses (on )
- Picture Book with detailed evaluator comments (OneNote notebook, OneDrive)
- MSFT white paper on security
- What's included in various O365 packages (MSFT)
- Overview of retention policies in Office 365 (MSFT)
- Overview of "Labels" in Office 365 (MSFT)
- Advanced Data Governance announcement for Office 365 (MSFT)