Wednesday, September 30, 2009

GTC East: Web 2.0

Last week, I attended two sharply contrasting GTC East sessions focusing on New York State government use of Web 2.0 technology. (i.e., Web tools and technologies that enable end users to post content online, customize how they receive Web content, and build and sustain online communities. Examples include blogs, social networking sites such as Facebook and MySpace, and RSS feeds.) Now that I’ve had a chance to mull over these presentations, I wanted to say a few things about them.

The first session, “Security: Getting Past ‘No’ -- How to Implement 2.0 without a Security Crisis,” heavily emphasized new life that Web 2.0’s interactive nature has breathed into all manner of old Web security threats: cross-site scripting, cross-site request forgery, widget attacks, SQL injection attacks, XPATH vulnerability, cross-scripting worms, and authentication and authorization vulnerabilities.

One of the panelists (sadly, I didn’t catch his name, which doesn’t appear anywhere on the GTC East 2009 Web site or print program) works for the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC). He noted that CSCIC is currently blocking third-party social networking sites pending analysis of their risks, costs, and benefits but stressed that other agencies needed to answer the following questions for themselves:
  • Can your employees safely use these sites?
  • Do you trust the creators of these sites to address security vulnerabilities appropriately?
  • Do all of the good things that social networking offers outweigh the risks?
These are crucial questions, and I’m glad that CSCIC is helping to ensure that New York State agencies don’t unwittingly wander into security minefields, but it struck me that the overall tenor of this session -- which also featured Ken Kaminski of Cisco Systems -- might feed the sort of “I don’t understand it, so I’m going to ban it” mentality that the “Emerging Technology: Open Source” panelists identified as a recurring problem. I’m really hoping that the agency information security specialists who sat in on this session are of the “assess and manage risk” school, not the “fear and resist change” one.

The other session, “Engaging Citizens Through Web 2.0” emphasized the benefits of Web 2.0. Andrew Hoppin, the CIO of the New York State Senate, highlighted its role in making the Senate more transparent and more participatory. The Senate Web site:
  • Uses a collaborative filtering process that highlights the most frequently accessed resources on the site’s home page.
  • Gives individual senators and committees complete control over the content that appears on their own pages, their own RSS feeds, and the ability to link to their Facebook pages, Twitter feeds, etc.
  • Allows citizens to comment on proposed legislation and upon comments left by other users of the site, which helps to ensure that popular ideas “float to the top. (staff remove hate speech, scatological language, etc., but keep moderation to a minimum, which ensures lots of public input -- check out some of the great comments concerning the Senate’s tumultuous recent past)
  • Provides social bookmarks that make it easy for citizens to post items of interest to Facebook, etc.
Hoppin and his colleagues are also popularizing the use of the “@nysenate” Twitter tag so that tweets relating to the Senate can be identified more readily.

After Jim Silvia of Laserfiche discussed how enterprise content management systems can, among other things, help governments create Web 2.0 applications and meet recordkeeping and other requirements relating to all types of government information, there was a lengthy question-and-answer session that focused largely on the Senate’s enthusiastic embrace of Web 2.0. Topics included:
  • Building support: The Office of the CIO had to go through a very lengthy consensus-building process governing the posting of content, and has carved out a few narrow areas in which re-use is prohibited; for example, information posted on the site cannot be used for fundraising or other political purposes. Whenever possible, the Office of the CIO “evangelizes” about new possibilities for citizen involvement.
  • Coordinated citizen campaigns: comments are tracked by IP address, so a small number of people can’t game the system by posting comments repeatedly or ranking each other’s comments favorably. It is possible for large, organized groups of citizens to deluge the Senate site with comments, but citizen groups have long engaged in letter-writing campaigns, etc., and it’s easy to figure out when a coordinated effort is taking place. Moreover, all citizen input has value.
  • Security (my question): The Office of the CIO has determined that third-party social networking sites support the Senate’s core mission of interacting with and soliciting input from citizens. It keeps systems housing restricted data separate from those that offer Web 2.0 capability.
  • The digital divide: some citizens lack ready access to or comfort with the Web, and Hoppin and his colleagues are exploring other ways to interact with citizens (e.g., telephone).
I think I’ve seen the future of New York State government’s Web presence -- and it looks a lot like the Senate’s current presence. Sorting out all of the records issues associated with Web 2.0 is going to be a challenge, but it should be kind of fun, too.

Saturday, September 26, 2009

Hudson River Fair

Stern of the replica ship Half Moon, Albany, New York, 26 September 2009.

Today, my friend Sean and I went to the Hudson River Fair, which was held in Albany's Corning Preserve to commemorate the 400th anniversary of Henry Hudson's voyage up the river that now bears his name. The event featured a little something for everyone. The Scions of Patria, a group of seventeenth-century Dutch colonial re-enactors offered cooking, metal-working, and other demonstrations Representatives of the Stockbridge-Munsee Band of Mohican Indians, which was relocated to Wisconsin in the early 19th century, discussed the group's history (we had a nice talk with a representative of the group's veterans organization) and offered traditional dance and drum performances. There were lots of musical performances and activities for kids (e.g., face-painting).

Of course, the star of the event was the Half Moon (Halve Maen), a modern replica of Hudson's ship. The Half Moon is usually docked in Albany at least 3 or 4 times each summer, but owing to the Hudson-Fulton-Champlain Quadricentennial, it hasn't spent much time in Albany this year. People waited in line as long as two hours in order to get a chance to tour the ship, and by the time we got there the ticket sellers were turning everyone away.

We then walked through the Corning Preserve, and I was struck yet again by the city's capacity to surprise me. I've lived in Albany for fifteen years and have seen the SUNY Central building, which occupies a prominent position in downtown Albany, on countless occasions. However, it never crossed my mind that it would be visible from the Corning Preserve.

We also passed the mysterious twin zigurrats of the city's present-day Hudson River Pumping Station facility. The original pumping facility is now home to a fine brewpub, the Albany Pump Station.

We did get the chance to tour the Peacemaker, which was built in the 1980s for a Brazilian industrialist and which is now owned by the Twelve Tribes, a religious community with a substantial presence in the lower Hudson Valley. Members of the group were on hand to answer questions about the ship, which they see as a means of demonstrating their commitment to living and working in unity, and their lifestyle and beliefs (which have been the subject of controversy).

Part of the rigging of the Peacemaker. Tall ships are so beautiful . . . .

One of the Peacemaker's crow's nests, as seen from the upper deck.

We also caught most of the Skip Parsons Riverboat Jazz Band's top-notch set at Albany Riverfront Park, which is part of the Corning Preserve.

What a great day! According to my friend Edward, who periodically crews on the Half Moon and was helping to lead tours today (he's the fellow in the orange shirt standing at the end of the gangplank in the photograph above), there's talk of making the Hudson River Fair an annual event. Here's hoping . . . .

Thursday, September 24, 2009

GTC East 2009: open source

This afternoon, I attended a great GTC East session, “Emerging Technology: Open Source,” which featured former Pentagon CIO and current Sun Microsystems Federal COO Bill Vass and two State agency CIOs: Robert Vitello of the New York State Department of Labor and Andrew Hoppin of the New York State Senate. It’s always really encouraging to see government IT professionals champion the value of interoperability, collaboration, and novel ways of serving the public.

Bill Vass highlighted the advantages of open source software:
  • Better security. The national security community has embraced open source in part because all of the major proprietary vendors have outsourced their programming work to India, China, and Russia. Overseas programmers -- who are as talented as any coders out there -- can thus insert hidden code into commercial products. Proprietary vendors may tout expert certifications, but even experts can examine millions of lines of code. Open source code is fully open and can be reviewed completely by developer communities and others. Security should not be embedded in the code but managed outside of it.
  • Reduced procurement time. Procuring proprietary software requires a long lead time. However, with open source software, it’s possible to download the software, verify that it works, then procure support services.
  • No vendor lock-in or lock-out. Your data (i.e., your records!) won’t be trapped in a proprietary system, and you can secure support services from multiple vendors.
  • Reduced cost. Open source support contracts are sometimes more expensive than proprietary support contracts, but there is no cost of acquisition for open source software. Moreover, it’s often possible to get 90 percent of the functionality of proprietary software (i.e., the most heavily used features) for 10 percent of the cost.
  • Increased quality. Owing to the nature of the development process, open source code goes through about 3 times as many quality assurance reviews as proprietary code
Andrew Hoppin discussed how he and his staff use open source software to create a more transparent, more participatory, and, in particular, more efficient Senate. Use of open source results in cost savings, increased speed to deployment, absence of vendor lock-in, recruitment of top talent (the most talented people like to work with open source software), and leveraging of tax dollars and the innovation that comes with community-built software.

The Senate uses open source for server software (Linux, Apache), databases (MySQL), programming languages (PHP, Java), and platforms and applications (Drupal and WordPress for content management, SugarCRM or CiviCRM for relationship management, and RedMine, Trac, OpenAtrium for task management). It makes use of Creative Commons licensing and has developed some of its own open source software; its News 2.0 makes news clips available to the staff and to the public. The Senate also creates legislative data in open formats using open schemas and standards and publishes it as RSS feeds and with an API so that other can reuse it.

Robert Vitello noted that one way to defuse potential objections to use of open source is to note that, in all likelihood, one’s agency is already using it. Open source products are defined as such by their licenses, and many of the commercial products you’re currently using likely contain open source code. Most open source licenses specify that use of the code renders the product open source, but vendors don’t always realize this fact. When procuring software, the Department of Labor forces vendors to expose the licenses for all of the code embedded in their projects, and a lot of vendors were surprised to find that they were selling something that they really couldn’t.

Vitello also debunked a number of potential objections to the use of open source software:
  • In most instances, open source products offer functionality sufficient to meet one’s business needs.
  • A lot of people like commercial software because of product integration, but the integration isn’t that great, and open source communities can help to integrate software.
  • Open source doesn’t require extensive coding and programming knowledge. It depends on how much customization you want to do.
However, he also noted that in some instances, it might be possible but not practical to move from a proprietary product to an open source one; the move might require extensive research, staff training, and other work.

DOL uses Moodle for learning management, wikis, and used GForge to create, via which it distributes our open source software.

During the question-and-answer period, the panelists made lots of great points:
  • Proprietary software is generally built to enterprise scale, but open source software is built to Web scale (e.g., Google uses MySQL) and is thus highly scalable.
  • If you’re contemplating an open source solution, assess the size and health of the community that supports and develops it and determine who else is using it. Some communities are too tightly controlled, while others are too disorganized to be effective. Have your developers devote some time to interacting with the community.
  • Assess the skill sets of your employees and make your software choices accordingly. Open source tends to be fun, and people who love the technology love it; people who don’t love the technology want to administer contracts. Purchasing third-party support may also be an option.
  • Some vendors produce proprietary products that really do meet your needs. There is always a choice, and that choice should be driven by business need and what the payoff will be.
  • When submitting RFP’s, encourage open source providers to submit responses and educate you. Ask proprietary providers to do the same.
  • Many people respond to “scary” new things by banning them, but have no choice to embrace them hastily once they’ve become too popular to ban. The appropriate approach is to understand new things and to manage them.
I was particularly intrigued by something Robert Vitello discussed: DOL is thinking of using an open source application to create a virtual world on its CareerZone Web site, and could allow other agencies to build onto this virtual world. Virtual State Archives reading room: YES!

GTC East 2009: data security

Yesterday afternoon, I attended the “Security: Protecting All That Data” session, in which Simon Hunt of McAfee outlined how to implement a range of data security initiatives. Although it didn’t focus directly on records issues, it highlighted the overlapping interests of information security officers and records professionals.

Hunt began by furnishing an interesting overview of the current data security climate, which is characterized by increasingly stringent and complicated patchwork of laws specifying how governments and corporations must respond to actual or potential data breaches, proliferation of mobile data devices such as laptops, cell phones, and USB sticks, increasingly sophisticated forms of criminality. People used to write malware because they wanted to have fun and prove their intelligence, but now they do it to make money. There are gangs throughout the world that specialize in data theft, and others that specialize in leveraging stolen data. Moreover, toolkits that enable users to create or modify Trojan horse applications and viruses are now sold online; a good one costs approximately $1000.

Of the major data breaches that have happened in 2009, 31 percent were inadvertent, 50 percent were caused by some sort of outside action, 9 percent were the result of malicious action by staff, 2 percent the result of other staff actions, and 9 percent by unknown factors. Laptops, which were at the center of 17 percent of breaches, are the fattest target for thieves. Other breaches were the result of hacking (12 percent), Web attacks (11 percent), fraud-SE (11 percent), lost media (5 percent), e-mail (4 percent), and viruses (2 percent).

However, what I found most startling was that paper records account for a significant percentage of 2009 data breaches to date. Documents that were not disposed of properly comprise a whopping 11 percent of breaches, “snail mail” 6 percent, and stolen documents 3 percent. Moreover, a quick review of DataLossDB, which provided Hunt with his figures, indicates that 2009 has seen an unusually large percentage of breaches associated with improper disposal; in 2008, improper disposal accounted for only 4 percent of the breaches. My takeaway: archivists, records managers, CIO’s, and information security officers must stress the importance of safeguarding all types of records and information.

Noting that most organizations don’t focus on data security until they suffer some sort of breach and that insider theft increases when times are bad, Hunt emphasized that data security is a lot easier then many people think. He then outlined a series of proactive steps that can improve data security; although he mentioned several McAfee products that might help, most of his remarks seemed generally applicable.
  • Understand the risks you face: sit down and think about how data moves within your organization and identify stakeholders, potential allies (like records managers?) and possible barriers. You should figure out what’s valuable and how it might be attacked, and how much time and effort you’re prepared to devote to protecting it. Data at rest (e.g., on desktops, laptops, etc.) is easiest to protect, but data in motion (e.g., Web 2.0, file sharing, blogs) and data in use (e.g., USB sticks, DVDs) also need attention. Remember that data protection must be tightly woven into your business, that technology is not the hard part -- training and policy are the big challenges -- and that data protection is constantly evolving.
  • Encrypt your data. Non-encrypted data on laptops is a soft target, and governments and corporations that can’t account for a missing laptop are legally obligated to inform anyone whose information might have been on the laptop that their data has been stolen or exposed. Deploying hard drive encryption on all laptops and desktops is the easy fix. However, you need to manage it and to be able to prove that a lost device was encrypted. Encryption will take care of about 60 percent of the typical organization’s security issues and can be done in 2-4 man-weeks.
  • Manage your removable media. Portable media can also be encrypted and policies mandating use of encrypted USB sticks can help. Port control software that limits use of USB media is also an option. Encrypting USB sticks and other portable media will address about 20 percent of the typical organization’s security needs.
  • Identify your confidential data. Focus on the risk drivers specific to your organization, define the most critical vectors, and determine stakeholders’ needs. Too many security initiatives fail because people were stopped from doing what they saw as legitimate and necessary actions, so make sure you take their needs into account and provide training.
  • Deploy McAfee’s Data Loss Prevention. This software finds data, indexes it, determines who has access, implements prevention techniques (e.g., blocking or monitoring users who try to copy or print sensitive information) as dictated, and monitors the flow and use of data throughout an organization. According to Hunt, DLP will take care of an additional 18 percent of the typical organization’s data security needs.
Nice, succinct presentation. Hunt emphasized solutions more than products. He also drew our attention to an awesome image of a physical security failure, courtesy of FailBlog. I have the feeling that this image is going to make its way into lots of other presentations on security.

Wednesday, September 23, 2009

GTC East 2009: CIOs of the Year

Every autumn, the GTC East conference comes to Albany. Although it’s geared toward public-sector IT professionals, I’ve always found the sessions useful: they reflect the concerns and priorities of people who develop and maintain electronic records systems and let me to pick up snippets of technical information I might not otherwise obtain.

“Managing Technology in the Public Sector: CIO of the Year” featured three award-winning CIOs: Daniel Chan of the New York State Office of Temporary and Disability Assistance (OTDA), Kim McKinney of Broome County, and Ed Hemminger of Ontario County. They discussed three pressing issues -- workforce development, shared services, and creative partnerships -- and throughout the session discussed how they keep going in tough fiscal times. Many of their comments should resonate with government archivists and records managers.

Workforce development
  • Hemminger is reorganizing his unit and working with the New York State Department of Civil Service to reclassify positions. He is also dealing with the challenges of managing an older workforce: his staffers have immense knowledge and skill, but their recollections of old conflicts and slights are sometimes an obstacle.
  • McKinney actively recruits younger people, which means that she must examine how they communicate and assess the security and other challenges associated with allowing them to access, e.g., Web 2.0 sites. Some of her younger staff are connected to the open source community, and will periodically seek input from it -- to the county’s benefit. She’s also to create a project management position and focusing on ensuring that project staff transfer essential knowledge to permanent staff before they depart; however, owing to permanent staff shortages, this can be a challenge.
  • Chan is also seeking to cultivate new skills: he wants less emphasis on programming and more on thinking about enterprise architecture. He also wants staff to focus on project management and working with customers to identify business requirements; he is working with the Department of Civil Service to create a Business Analyst job title series (and I sure hope these Business Analysts will address records retention and e-discovery issues!) In addition, he’s leveraging open source technologies: financial hardship is forcing OTDA to cast aside its tendency to over-engineer solutions and to be more receptive to open source.
Shared services
  • McKinney noted that the Governor’s Office has offered local governments in New York State grant funding that enabled them to develop shared services. Broome County has centralized contract negotiations for several municipalities and is working on electronic payroll services for county and municipalities. The fiscal crisis has made localities a lot more receptive to sharing services; however, finding staffing to support these services is a challenge. McKinney emphasized that shared services and consolidation are different: in the former, one entity takes over everything and assumes all risk, whereas in the latter risk and responsibility are shared.
  • Hemminger is spearheading the installation of fiber optic cables that will connect all of Ontario County’s municipalities and which will lay the groundwork for sharing of GIS and other types of data and, possibly, consolidation of IT functions. Most of the county’s towns contract out their IT services, and the current fiscal climate actually provides new opportunities for developing shared services.
  • Chan stressed the importance of enterprise-level IT development and service-oriented architecture: the focus should be on developing robust services that multiple agencies can use and getting staff to buy into this model.
Creative partnership
  • Chan noted that in private industry, he often took on projects that were so large that no one entity could do them alone. When he moved into State government, he retained his focus on defining core aims and identifying people who could help realize them. He has found partners among vendors and among the other agency CIOs with whom he co-founded the Economic Security and Human Services Advisory Board. He emphasized the importance of having a forum that enables one to explain one’s challenges and seek input and help. No one forced the group into existence; it came together because its founders share common challenges and values.
  • Kim McKinney ensures that the vendors with which her unit repeatedly does business are deeply familiar the unit’s business needs and can offer effective solutions. Good vendors know that they need to do this, and they also supply information about what other localities and State agencies are doing. She also partners with the State: State projects are more successful when the localities are involved (which makes sense given that the state’s social service infrastructure is largely county-run and State-supervised). Finally, she draws upon the expertise of fellow members of the New York State Local Government Information Technology Directors Association (NYSLGITDA).
  • Ed Hemminger, the current NYSLGITDA president, echoed McKinney’s comments concerning State-local partnerships -- local governments are often the public face of State government application deployment -- and working with well-chosen vendors. He also advised attendees that they should eject from their offices any vendor trying to sell them products -- as opposed to solutions (having interacted with both types of vendors, I heartily concur). In addition, he noted that good partnerships are rooted in relationships: it’s important to know one’s partners and their needs and goals.
I was particularly struck by Hemminger’s closing remarks, which targeted IT professionals but are equally applicable to archivists: in times of scarce resources, we cannot afford to reinvent the wheel. Our own attitude as leaders is the only thing that is going to see us through, and we should try to look upon the current fiscal challenge as an opportunity.

Tuesday, September 22, 2009

BPE 2009: lessons learned from counterinsurgencies

One of the most fascinating presentations at this year's Best Practices Exchange was delivered by Eliot Wilzcek, who identified four main lessons that archivists and librarians charged with preserving electronic materials can draw from recent cultural and institutional shifts within the U.S. armed forces.

Lesson 1: digital preservation requires lessons learned. Eliot furnished an overview of the U.S. Army's "lessons learned" infrastructure. The Center for Army Lessons Learned takes in observations (descriptions of conditions), insights (issues caused by conditions), and lessons (potential solutions) captured in after-action reviews, operational records, interviews and incident reports, and other sources. It then combines this information with historical analysis to produce "lessons learned": validated knowledge and experience that produces a change in behavior.

He then discussed after-action reviews, which are conducted at every level of the U.S. Army and range from impromptu, unit-level sessions in the field to highly structured, formal processes that involve large numbers of people.

After-action reviews focus on four core questions:
  • What did we set out to do? (purpose of mission and criteria for success)
  • What actually happened? (past events)
  • Why did it happen? (reasons for success and failure)
  • What are we doing next time? (make fixes, and continue what works)
Their core characteristics include:
  • Thorough documentation of actions -- dedicated note-taker
  • Carefully defined scope
  • Skilled facilitation -- ideally, the facilitator has general knowledge but no stake in the discussion
  • Leaders who talk as little as possible and who willingly admit mistakes
  • No penalties for making mistakes or being candid
  • Focus on improvement, not assignment of blame
  • Focus on solvable problems and things that were done well
  • Part of an ongoing, frequent process -- instills a review-oriented ethos and helps people get better at the process
I really like the after-action review concept and ground rules. Many archivists and librarians have done informal "post-mortems" after wrapping up projects, but most of us aren't doing them systematically or formally documenting the outcomes -- which would certainly help to meet our institutions' knowledge management needs. I suppose an argument could be made that conducting frequent reviews of this sort takes too much time, but if military units in combat zones can do so, so can we.

Lesson 2: preservation requires integrated research and practice. Eliot noted that the U.S. Army and Marine Corps have a strong academic culture and that many officers have graduate degrees (e.g., General David Petraeus has a Ph.D. from Princeton). Moreover, people get a lot of experience in the theater, and the Army and Marine Corps capitalize upon it by turning them into educators. The armed forces nonetheless keep in mind that there are limits to the amount of time people should spend in the theater and make sure that they rotate out periodically.

Eliot asked whether archivists could emulate the armed forces and develop the capacity to rotate between work and research, and a couple of people noted that in some instances their colleagues had been given time to conduct needed research on behalf of their institutions. We also discussed other, more modest options for combining work and research: sponsoring regular meetings to discuss shared professional readings and creating reading groups in which each person read a different article, drafted a summary of the article s/he was assigned, and shared the summary with the other members of the group.

Lesson 3: Preservation requires air strikes. Eliot likened the counterinsurgency techniques developed by the armed forces to the findings that Susan Davis and Richard Pearce-Moses outlined in New Skills for a Digital Era: archivists will need both "soft" and technical skills and to connect their institutions to external resources. Counterinsurgency, which focuses less on hunting down insurgents than upon protecting the population, also requires a mix of soft and technical skills. It means more emphasis on talking to and living among people, and less emphasis upon shooting one’s gun. However, it still requires "kinetic operations" (shooting and shelling) and the ability to call on external resources (e.g., air strikes) when needed.

Eliot noted that there are few archives that will be able to preserve resources entirely on their own; even wealthy repositories are going to use tools developed by each other. We need the skills to call upon these external resources -- the archival/library equivalent of air strikes. However, even if we outsource all storage and management, we still need to do appraisal and do some ingesting work: trusted digital repositories cannot preserve what they don’t ingest, and they can’t turn junk into meaningful records.

Lesson 4: Preservation requires joint patrols. The U.S. armed forces have learned that external forces do not win counterinsurgencies. Host governments do, and U.S. forces are there to give them the training and time they need in order to win the loyalty of their people. Training the host nation’s military and, in particular, police to be trustworthy is key, and working jointly is essential. When the U.S. conducts joint patrols in Iraq and Afghanistan, the local representative leads; although local participants don’t do things as well as the U.S. forces do, it’s important to put a local face on the patrols.

Eliot reminded us that archives and libraries do not win the preservation war. Societies do, and archivists cannot assume sole responsibility for preservation. What does this mean Within a state government context, it means that "joint patrols" should be conducted by the state archivist and the state CIO. It also means that archivists (and librarians) working in many contexts will also have to ask themselves some unsettling questions. If we can't preserve records on our own, do we embrace a "post-custodial" approach? Do we train records creators to be preservationists if that means more records are “preserved” but not to our standards? There are no easy answers to these questions, but we sure do need to ask them.

Monday, September 21, 2009

BPE 2009: collaboration

Robert Vitello and Bill Travis detail the origins and goals of the New York State Economic Security and Human Services Advisory Board, Best Practices Exchange, 3 September 2009.

[I had hopes of wrapping up my Best Practices Exchange blogging last week, but life had other plans. I really wish I could say that I'm slow blogging, but unfortunately I'm merely late blogging -- and at present there's no manifesto for that.]

One of the most interesting Best Practices Exchange sessions I attended highlighted a couple of really productive collaborations.

The first presenter, Nancy Adgent of the Rockefeller Archive Center (RAC), discussed the Collaborative Electronic Records Project (CERP), which allowed the RAC and the Smithsonian Institution Archives (SIA) to develop tools for the preservation of e-mail.

Although the two institutions had some common strengths -- forward-thinking and pro-active directors, similar collecting policies, and above-average staffing levels -- they differed in their governance structures, level of authority over records creators, funding streams, staffing levels, and the e-mail formats for which they were responsible. They also had to contend with the challenges posed by physical distance, the need to develop a new knowledge base, various administrative and staffing problems, and the SIA's quasi-governmental status, which eliminated several sources of funding that the RAC could have otherwise pursued.

These differences and challenges forced the RAC and the SIA to develop e-mail tools that could handle a variety of of e-mail formats. It also exposed a number of issues that other archives might encounter: inadvertent changes wrought by global software upgrades pushed out to the SIA's networked CERP computers (but not the RAC's machines, which remained offline), and differences in the capacity of various virus detection applications.

Nancy then provided a brief overview of the tools that CERP uses to process e-mail, among them Aid4Mail, which converts Microsoft PST files to Microsoft .msg format and allowed staff to identify and remove non-record messages, and various tools that convert messages in various formats to the MBOX format, which CERP's parser converts to XML for preservation purposes. She also discussed how CERP and the E-mail Collection and Preservation (EMCAP) project, which also sought to use XML to preserve e-mail, developed a common XML schema.

Nancy made a really great closing point: odd couples can produce some good offspring! Even though the RAC and the SIA produced different guidance products tailored to the needs of their respective donor communities and their own institution-specific workflow processes, procedures, and forms, they developed and tested common tools for processing and preserving e-mail. And they look like really great tools! We're anticipating a transfer of e-mail pretty soon, and I'm really looking forward to giving CERP's parser a spin.

The next presentation was delivered by two New York State agency CIO's -- Bill Travis of the Office of Children and Family Services and Robert Vitello of the Department of Labor -- and focused on the work of the New York State Economic Security and Human Services Advisory Board. It underscored how shared problems can sometimes give rise to really effective collaboration.

Several years before the State CIO took office, the State had purchased a suite of out-of-the-box products that had been purchased to manage various human services programs and services. CIOs of agencies that were using these products had begun meeting to discuss that problems they encountered as they tried to make these products fit the State's county-administred, state-supervised model of service provision.

The agencies ultimately informed the State CIO that they would not use these products, and she accepted their decision. However, she also challenged them to develop an enterprise-wide approach. For years, the federal government has forced state human services agencies to construct IT silos, but the situation has changed in recent years, and there is real potential for cost savings is (the board's member agencies account for 70 percent -- approximately $1 billion per year -- of the State's IT expenditures)

The board has established a series of guiding principles:
  • Provide for interoperability using open standards and seamless data sharing through common enterprise systems.
  • Deploy an "Open New York" community approach to facilitate peer review and enhance quality control.
  • Leverage prior IT investments with software reuse when feasible to achieve greater cost efficiencies.
  • Implement agile systems development approaches to improve speed to market
  • Establish strong enterprise governance to ensure alignment of technology plans with business goals
  • Seek innovative collaborations to leverage State enterprise IT resources and assets
More information about these guiding principles is outlined in the board's January 2008 strategy document, and information about the board's work appears in its September 2009 progress report.

I was really struck by how Travis, Vitello, and the other board members were able to capitalize on their willingness to pool their expertise and share information. Thanks to this combination of characteristics -- plus strong support from the State CIO -- they've been able to make real headway, and it will be interesting to see how their work evolves. I get the sense that my employer will be well-positioned to do so: the board is just starting to focus on e-discovery and its relationship to records management.

Friday, September 18, 2009

White House looking to preserve social media records

I've been meaning to post this since late Wednesday night, but it's been a grueling week . . . .

A couple of days ago, Mashable reported that the Executive Office of the President has issued a request for proposals to capture and preserve all Presidential Records Act materials found on its Facebook, Twitter, YouTube, and all other third-party social media sites in "in a scalable, efficient and reliable manner.”

I found out about this RFP via Kate T. at ArchivesNext, who makes a very good point about how this bit of news has been disseminated. Thanks, Kate!

BTW, another Mashable post caught my eye: a couple of days ago, police nabbed a Pennsylvania burglar because he used the victim's computer to check his Facebook profile and forgot to log out before making off with the stuff he stole. Social media may make us better-informed, but it sure as heck isn't going to make us any smarter.

Wednesday, September 16, 2009

Capital Area Archivists: FDR Library/CIA visit, 9 October

Eleanor Roosevelt at the Franklin D. Roosevelt Library in Hyde Park, New York, 9 October 1949. Courtesy of the Franklin D. Roosevelt Library and Museum Web site; version date 2009.

In celebration of Archives Month, Capital Area Archivists of New York (CAA) has arranged a special trip to two repositories in Hyde Park, New York: the Franklin Delano Roosevelt Presidential Library and Museum, and the archives and special collections of the Culinary Institute of America.

Please join CAA for this fun day on Friday, October 9, 2009. This event is free to CAA members and $5.00 for non-members.

We will carpool from the Park and Ride Lot at Crossgates Mall (adjacent to the CDTA bus stop and food court entrance) in Guilderland, New York. Directions to Hyde Park will be provided.

RSVP and/or direct any questions to Amy Rupert [] by Wednesday, September 30th. When making your reservation, please indicate whether you are willing to drive and how many people you can accommodate.

8:00 a.m. depart from Crossgates Mall
9:30 a.m. film at FDR Library
10:00-11:00 a.m. Library and Museum tour
11:00-11:45 a.m. lunch (bring your own or eat at the café on site)
12:00-1:00 p.m. behind-the-scenes tour of Library and Archives
1:00-2:00 p.m. FDR home tour
2:30-4:00 p.m. Culinary Institute of America Special Collections tour
4:30 p.m. dinner at the Apple Pie Bakery Café
6:00 p.m. depart for return trip to Crossgates Mall
7:30 p.m. estimated time of return to Crossgates

Tuesday, September 15, 2009

BPE 2009: Did You Know ?

Dr. Melodie Mayberry-Stewart, the Chief Information Officer of New York State, spoke at the Best Practices Exchange on the morning of 2 September. She prefaced her talk, which concerned the State's Strategy for Openness and its Empire 2.0 social networking initiative, with this video, Did You Know ? 3.0.

The Did You Know ? series, which is jointly produced by The Economist and XPLANE, presents facts and statistics concerning recent changes in media, communications, and technology. They don't address concerns specific to electronic records archivists or digital librarians, but they provide a quick, compelling, and unnerving overview of the information ecosystem in which we exist.

Yesterday, XPLANE released Did You Know? 4.0. Thanks to Jean Green for posting this link on Facebook!

Sunday, September 13, 2009


Just in case you missed it: a couple of days ago, Federal Computer Week posted a long article about the U.S. National Archives and Records Administration's Electronic Records Archives (ERA) project, government watchdog groups' perceptions of it, and the electronic records challenges that the next Archivist of the United States will face.

This article is the cover piece of the current paper issue of FCW, and it's more detailed and more even-handed than most of the media coverage that ERA receives.

Saturday, September 12, 2009

Book review: The Man Who Loved Books Too Much

Allison Hoover Bartlett, The Man Who Loved Books Too Much: The True Story of a Thief, a Detective, and a World of Literary Obsession. New York: Riverhead Books, 2009.

This engagingly written book centers upon two men: John Gilkey, a well-mannered and breezily unrepentant thief who between 1999-2003 stole rare books, ephemera, and other materials (total value approximately $100,000) from dealers throughout the United States, and Ken Sanders, an iconoclastic child of the 1960s who, in his capacity as security chair of the Antiquarian Booksellers Association of America (ABAA), played an instrumental role in exposing Gilkey.

It also chronicles Bartlett’s own fascination with the world of rare book collecting, which began when complicated circumstances left in her possession a 17th-century Kräutterbuch (a German book of botanical medicine) that had in all likelihood been stolen. Although Bartlett’s forays into antiquarian book fairs and conversations with dealers and collectors don’t turn her into a collector, she comes to appreciate the value of books as aesthetic and sentimental objects and as tangible signs of the owner’s erudition and refinement.

Bartlett, who repeatedly interviewed Gilkey, quickly discovered that he was keenly attuned to the ability of rare books to impress others: unlike most collectors, who acquire books chiefly to satisfy their own desires, Gilkey wanted to assemble a collection that would serve as evidence of his knowledge and discernment. Although his collecting priorities shifted continually, he focused particularly upon books on the Modern Library’s list of the 100 best English-language novels -- a group of books sure to impress even the most casual observer. He rarely read the books he bought.

She also learned that Gilkey’s desire to assemble an impressive collection was coupled with a deep resentment of dealers, whom he saw as selfishly and unfairly standing between him and his dreams. This feeling was intensified by his initial clashes with dealers and the law: he initially wrote bad checks to obtain coveted books, and the resulting arrests and brief periods of imprisonment left him yearning for revenge against those he saw as having done him wrong. Even after he began using stolen credit card numbers to purchase books via telephone, he occasionally reverted to writing bad checks, and each stint in jail gave him time to think of new ways to obtain books.

At roughly the same time as Gilkey began making use of stolen credit card numbers, Ken Sanders unexpectedly found himself serving as the ABAA’s security chair. Before Sanders took over, members submitted paper theft reports, and the ABAA distributed copies of the reports whenever its next mailing went out -- which might be a full year afterward. Sanders, who for years had battled shoplifters at his Salt Lake City store, created an ABAA security listserv and then goaded the organization into creating a stolen book database and e-mail alert system. He was thus in a prime position to spot the wave of fraudulent telephone purchases targeting ABAA members rare book dealers, first in northern California and then across the nation, and to help set up the 2003 sting that exposed Gilkey as a major book thief.

Security-minded archivists and librarians who read The Man Who Loved Books Too Much will find a wealth of interesting information within its covers:
  • There are sharp divisions within the dealer community. Reputable dealers, many (but by no means all) of whom belong to the ABAA, which has stringent membership requirements, have little use for dealers who don't know the trade or who traffic in stolen goods.
  • Dealers have traditionally been deeply reluctant to report theft: no matter how inventive the thief, dealers often see theft as a sign of failure to exercise appropriate caution and fear the loss of their reputations. Moreover, the police have traditionally refused to take such thefts seriously and the courts have often been reluctant to punish book thieves, who are generally intelligent and well-mannered. As is the case within the archival and library communities, this dealers' attitudes seems to be changing, albeit at a slow pace.
  • Many reputable dealers despise eBay: they see it as a boon to sellers of stolen property, honest but ill-informed dealers who unwittingly misrepresent their goods, and unscrupulous sellers looking to rip off naïve buyers.
  • Although rare book dealers were Gilkey’s prime targets, visits to institutions such as the Huntingdon Library seem to have stoked his desire for books. Moreover, as more and more book dealers learned of his scams, he began stealing dust jackets and, in all likelihood, books from libraries.
  • As Bartlett learned as she attempted to restore the Kräutterbuch to its rightful institutional owner, embarrassment sometimes leads libraries to destroy evidence that a book has vanished from its their shelves. Moreover, in all likelihood, “every rare book is a stolen book”: countless numbers of old and rare books have been stolen, either a few days ago or a few centuries ago.
The ending of The Man Who Loved Books Too Much, which highlights Bartlett’s efforts to chronicle Gilkey’s life without altering its course and her discovery that she is indeed a passionate collector -- not of books but of stories -- may fail to satisfy many readers. The book is nonetheless entertaining and full of of interesting digressions about the world of book collecting and book thievery. Anyone interested in books, book collecting, or book theft ought to find it worthwhile.

Rare book dealers and cultural heritage professionals should note that at the time of this writing, John Gilkey is a free man. And he’s still interested in rare books.

Wednesday, September 9, 2009

2009 Capital Region Archives Dinner

Save the date: the Fourteenth Annual Capital Region Archives Dinner will be held at at the Franklin Terrace Ballroom in Troy, New York on Thursday, 8 October 2009.

The keynote speaker is award-winning author and journalist William Kennedy, known for his “Albany Cycle” of seven novels, one of which (Ironweed) received the Pulitzer Prize for Fiction in 1984 and in 1987 was made into the film of the same name starring Jack Nicholson and Meryl Streep.

Ever since his days as a journalist for the Albany Times Union in the early 1960s, Kennedy has been greatly influenced by documents found in archives and has blended history and memory to create a vivid Albany of the imagination. His archival research is also reflected in his deeply personal (and, IMHO, sublimely titled) history of the city, O Albany! Improbable City of Political Wizards, Fearless Ethnics, Spectacular Aristocrats, Splendid Nobodies, and Underrated Scoundrels.

Information about tickets will soon appear on the Archives Dinner Web site. Ticket requests can also be made to Hon. Kathleen A. Newkirk, Bethlehem Town Clerk, 445 Delaware Avenue, Delmar, NY 12054, 518-439-4955, extension 1183, or knewkirk[at]

Tuesday, September 8, 2009

BPE 2009: managing change

Fynette Eaton defines "change" and "transition," Best Practices Exchange, 3 September 2009.

Shortly after I became an electronic records archivist, I attended Partnerships in Innovation: Serving a Networked Nation, a conference sponsored by the U.S. National Archives and Records Administration (NARA). One of the speakers, a scientist who helped to develop the Open Archival Information System Reference Model said something that has stayed with me ever since: the greatest digital preservation challenges we face are not technological but sociological. In other words, conflicts over terminology, turf, roles, and responsibilities can be and often are the thorniest problems we face. As time passes, I'm increasingly convinced that he was right.

Fynette Eaton's exhilarating session at this year's Best Practices Exchange made me think about some of the sociological challenges that we confront within our own institutions. Using NARA's Electronic Records Archives (ERA) program, which will enable NARA to preserve and provide access to the archival records of federal government and to modernize its scheduling, accessioning, and other workflows, as an example, Fynette discussed the principles of change management. She emphasized that although most administrators fail to realize it, implementing new procedures and new technologies and overcoming resistance to change are fundamentally human resources, not technological, issues.

Fynette began by emphasizing the difference between change and transition (see above) and outlining the three phases of the transition process:
  • Ending: letting go of the old way of doing things and the sense of comfort, familiarity, and confidence in one's own expertise that comes with having mastered the old way, saying goodbye to the old way and one's old sense of self, and achieving some sort of closure.
  • In-between time: feeling as if one is lost in the wilderness. This phase is often difficult, but it also results in the generation of new ideas about how to do things and about the self.
  • New chapter: the sense that one has mastered the new way of doing things, often accompanied by a sense of personal and organizational renewal.
Not surprisingly, it's the process of transition, not the change itself, that people most often resist. The sense that one's identity and worldview are being questioned, the chaos of the in-between phase, and the risk of failure that accompanies any new beginning are all deeply unpleasant.

When I first became an electronic records archivist, I started thinking about what separated me from the colleagues who privately told me that they were glad they were still working with paper records or that they would retire within a few years. My colleagues consistently talked about their lack of comfort with technology or our (minor) differences in age, but more and more I came to realize that, in many instances, the most significant difference was my relatively high level of tolerance for chaos and uncertainty. I don't think I enjoy the transition process any more than anyone else, but I'm willing to live with it -- and to set the process in motion -- if I think that the stakes are high enough.

Of course, dealing with the immense and complex challenge of digital preservation requires more than a few librarians and archivists who can deal with a certain degree of chronic upheaval. This session was full of information about how to implement sweeping changes effectively and humanely.

Fynette identified the key success factors for implementing change:
  • Alignment of and visible support from the organization's executive team, including senior managers. Without visible, consistent support from the executive team, change won't succeed.
  • Formation of a change management team charged with planning and preparing for implementation of the desired change.
  • Consistent communication with employees, including early involvement of employees in pilot testing and other parts of the change process; research indicates that key points need to be communicated a minimum of seven times (!)
  • Frequent communication and negotiation with stakeholders, which for archives and libraries include end users and creators of records and publications.
She also detailed the greatest obstacles to change:
  • Employee and staff resistance.
  • Middle management resistance -- a significant factor at NARA.
  • Poor executive sponsorship.
  • Limited time, budget, and resources.
  • Organizational inertia and politics -- also in play at NARA.
Reviews and audits that track measurable progress can help overcome opposition from external stakeholders, and direct one-on-one contact and pressure from peers who accept the need for change can help to alleviate internal opposition; removing tools and systems that sustain "the old way" of doing things can also eliminate resistance, but this step should be taken only after everyone has been properly trained to use the new system.

Fynette devoted most of the session to NARA's efforts to manage the changes that accompanied the development of ERA, which ought to serve as a model for other cultural heritage institutions making similar changes.

NARA's change management team was responsible for:
  • Keeping NARA running while ERA was being built.
  • Building and sustaining the momentum needed to set changes in motion.
  • Dealing with the human dimension of organizational change.
  • Managing NARA's transition to a new and sustainable way of doing business.
The team, which developed a NARA-wide plan and compiled and continually updated a "global assessment" of progress, learned several lessons that are, in my view, broadly applicable:

1. Clarity and consistency of vision are essential. NARA leaders' perceptions of ERA's scope and mission were inconsistent and varied over time, and some leaders had difficulty sticking to decisions that had been made during earlier phases of the project. Averting endless review of past decisions -- which in some instances wa a form of resistance -- was particularly important.

2. A variety of users must participate in the testing and pilot phases of system development. Doing so helps to ensure that all users feel as if they have a voice and that problems are identified and solved before the system's agency-wide rollout.

3. Communications must be actively managed:
  • Staff needed reassurance that ERA's implementation would not cause NARA's operations to grind to a halt and that they would not lose their jobs as a result of the change. The team frequently met with staff and encouraged them to discuss their concerns. It also identified champions -- people who, regardless of their official position within NARA's hierarchy, had the respect of their colleagues and who could persuade others to support ERA.
  • External stakeholders, whose perceptions of NARA often differ sharply from NARA's perception of itself, also needed confirmation that ERA was on track. The team helped to bolster ERA's credibility by emphasizing NARA's extensive and ongoing involvement in cutting-edge digital preservation research. (I've always been deeply impressed with ERA's research component, and I was both stunned and amused to learn that NARA has actively nurtured this perception.)
Those of us who care passionately about digital preservation have no choice but to address the change management issues that Fynette Eaton highlighted. In the short term, change management might seem less important than finding and testing the technical tools needed to acquire, preserve, and provide access to electronic records and digital publications. However, if our senior managers and our colleagues don't buy into the changes in workflow and, in some instances, organizational structure that digital preservation requires, our institutions -- and archivy and librarianship -- will suffer greatly in the long term. NARA's started tackling some of the sociological challenges of digital preservation, and the rest of us have to do the same.

Sunday, September 6, 2009

ERM in OR, WA, and MN

I'm still taking a little break, but just in case you're at a loss for reading material, here's a brief but interesting article about how the states of Oregon, Washington, and Minnesota are addressing various electronic records management issues.

Saturday, September 5, 2009

Best Practices Exchange 2009

Group photo of Best Practices Exchange attendees, 4 September 2009.

The 2009 BPE wrapped up yesterday at around noon, and everyone seems to have been pretty happy with the way it turned out. Over the next few days, I'm going to post about various sessions and the many things I learned at this year's BPE. However, today I'm going to take it easy, catch up on a few things I've had to put aside during the past few weeks, and savor the spectacular weather.

Thursday, September 3, 2009

2009 Best Practices Exchange, day two

Morning session, Best Practices Exchange, 3 September 2009.

Although today was a lot less hectic than yesterday, at least for me, my head is still so full of ideas that I really can't blog at length about everything that transpired. As a result, I'm just going to pass on a couple of intriguing points made by this morning's speaker, Theresa Pardo of the Center for Technology in Government:
  • There is a growing need for people who have both information technology/computer science skills and domain knowledge (e.g., knowledge of the financial market), but universities are just starting to meet it.
  • People like to solve problems, but sometimes this approach isn't appropriate. For example, it's pretty easy to get funding for mobile devices that will enable child protection workers to intervene before a child is killed, but it's a lot harder to get funding for a data system that could identify troubling family developments before they reach crisis proportions. What we really need to do is manage child abuse and other tangled problems -- those problems that are poorly structured, resource- and information-intensive, involve multiple stakeholders, and are characterized by social and political complexity -- not as problems to be solved but as dilemmas that must be managed collaboratively.

Wednesday, September 2, 2009

2009 Best Practices Exchange, day one

Morning session, 2009 Best Practices Exchange, 2 September 2009.

I simply don't have much energy to assemble a post tonight: I'm one of the co-chairs of the Planning Committee, did quite a bit of emceeing, and delivered a presentation this afternoon. I'm worn out, and I'm headed off to bed very, very soon, so I'm simply going to share what was, in my view, the most intriguing and eminently practical idea of the day.

Tom Clareson of Lyrasis delivered an excellent keynote address that focused on the findings of several NEDCC and other surveys of digital preservation practices and policies in various types of cultural heritage institutions. The news was pretty sobering: most institutions don't even have basic policies governing metadata, quality control, etc. Tom heavily stressed that policies governing digitization, digital disaster recovery, and other facets of digital preservation, and asserted that institutions should devote attention to basic policy matters before trying to tackle, e.g., building a trusted digital repository.

I like writing policy, and I think Tom's absolutely right. However, I have all sorts of competing demands on my time, so I asked him how someone like me could balance the need to develop comprehensive policies and the need to do things like write series descriptions and identify mystery files.

Tom had a number of suggestions, but the first one he offered was utterly brilliant in its simplicity: have an intern shadow you for a week and write down everything you do, and you'll have the basics of a policy document. The more I think about it, the more it makes perfect sense: it's a low- to no-cost approach, and if your intern is both willing and able to ask "why?" all of the time, it forces you to make explicit all of the assumptions and experiences that guide your actions -- and may propel you to question some of those assumptions. Moreover, if you're any good at what you do, your intern will learn a lot!