IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA ELOUISE PEPION COBELL, et al., ) ) Plaintiffs, ) v. ) ) GALE NORTON, SECRETARY OF ) No. 1:96CV01285 RCL THE INTERIOR ) (Hon. Alan L. Balaran, Special Master) et al., ) ) Defendants. ) ) INTERIOR DEFENDANTS' MOTION AND MEMORANDUM REGARDING PROPOSAL TO (1) RESTORE AND SEARCH RETAINED BACKUP TAPES CONTAINING E-MAIL; (2) IMPLEMENT REAL-TIME CAPTURE OF E-MAIL TRAFFIC AND INCORPORATION OF E-MAIL INTO A SEARCHABLE ARCHIVE; AND (3) REPLACE INDEFINITE RETENTION OF BACKUP TAPES CONTAINING E-MAIL WITH BACKUP OF SEARCHABLE E-MAIL ARCHIVE The United States, on behalf of the Interior Defendants, respectfully submits to the Special Master this consolidated motion and memorandum, with accompanying proposed order, regarding (1) restoration and search of retained backup tapes containing e-mail, (2) implementation of real-time capture of e-mail traffic and incorporation into a searchable archive; and (3) replacement of the indefinite retention of backup tapes containing e-mail with backup of the searchable e-mail archive (items 1-3 collectively, "E-Mail Proposal"). As described preliminarily in the February 20, 2002 letter to the Special Master and Counsel for the Plaintiffs and accompanying attachments, attached and incorporated by reference ("February 20 Letter"; see Exhibit 1), the Interior Defend_mts have been working to address discovery-related issues involving the search and potential production of e-mail from system backup tapes containing e-mail ("e-mail backup tapes"), as addressed in the Special[ Master's July 27, 2001 Opinion (entered July 30, 2001 and adopted by this Court on March 29, 2002) ("July 2001 Opinion"), and earlier related orders. The Interior Defendants have now developed the E-Mail Proposal and satisfied funding and legal requirements to a degree that permits the E-Mail Proposal to be presented formally for approval, rather than informally as was done in the February 20 LetterJ Because the cost of the E-Mail Proposal is significant (just the restoration of e-mail from retained e-mail backup tapes will cost millions of dollars) and because the Interior Defendants' implementation of the E-Mail Proposal is so closely tied to discovery-related issues in the current litigation, the Interior Defendants will await the Special Master's approval of the E-Mail Proposal before entering into a final contract with ZANTAZ, Inc. and beginning to implement the E-Mail Proposal. On August 8, 2002, Interior and ZANTAZ made a presentation regarding the E-Mail Proposal to the Special Master and to counsel for the Plaintiffs. See. Exhibit 2 (transcript of August 8 presentation). At that presentation, the Interior Defendants and ZANTAZ agreed that the Special Master's experts could contact ZANTAZ directly to discuss any ZANTAZ-related technical or security aspects of the E-Mail Proposal. On August 8, 2002, counsel for the Interior Defendants consulted with counsel for the 1The Interior Defendants recognize and acknowledge that, between their submission of the February 20 Letter and this Motion, the Plaintiffs filed a motion for an order to show cause why the Interior Defendants and other named individuals should not be held in contempt for the Office of the Solicitor's failure to preserve e-mail backup tapes ("Contempt Allegation"). This Motion addresses a different set of issues - restoration and search of e-mail from existing e-mail backup tapes and capture of future e-mail traffic - than does the Contempt Allegation, which has been responded to separately. This Motion is intended to be without prejudice to any rights, liabilities, or defenses that may be asserted by any party or named individual in connection with the Contempt Allegation. 2 Plaintiffs regarding this Motion, as required by LCvR 7.1 (m). Consistent with the August 8 presentation and the Special Master's request for a motion, counsel jointly agreed that this motion for approval of the E-Mail Proposal would be filed. BACKGROUND Basis for E-Mail Proposal In connection with the Plaintiffs' Third Formal Request for Production of Documents and related proceedings, the July 2001 Opinion denied a motion for a protective order that would have made it unnecessary for the Interior Defendants to search e-mail backup tapes for potentially responsive e-mails from the Office of the Solicitor. The Interior Defendants' backup systems were designed not for the search and retrieval of individual e-mails, but for the restoration of data in the event of a system failure. See, e.g., July 2001 Opinion at 4 ("[t]hese systems are backed-up.., onto a variety of tape media which are utilized to recover lost data in the event a catastrophic disaster causes the computer system to crash" (citing November 20, 1998 Declaration of Glenn Schumaker at ΆΆ 3, 4)). Because the Interior Defendants' existing e-mail backup system is not designed to accomplish the tasks required by the Special Master's orders, the Interior Defendants investigated their options and consulted with potential contractors regarding methods for searching e-mail backup tapes for responsive materials. The Interior Defendants ultimately' determined that the most cost-effective way to address the July 2001 Opinion and related orders and discovery issues would be to implement a completely new system for handling e-mail based on a searchable e-mail archive backed up, maintained, and administered off-site by a third-party contractor. The alternative was 3 a time-consuming, administratively burdensome, and expensive search of all retained e-mail backup tapes each time a discovery request from the Plaintiffs or a document request from the Special Master was received. See, e.g., July 2001 Opinion at 12 (noting Interior Defendants' calculations that one search of "206 tapes" for responsive e-mails "required over 700 hours of staff time, 350 hours of attorney review time, and cost more than $32,000" (citing July 12, 2000 Declaration of Sabrina McCarthy at ΆΆ 3-6)); Exhibit 2 at 8:2-8. Because the cost of restoring e-mail from existing backup tapes and incorporating that e-mail into a searchable e-mail archive depends on the number of e-mail backup tapes, the Department of the Interior ("Interior") tasked Ernst & Young with conducting a physical inventory of retained e-mail backup tapes for the purposes of developing a cost estimate. See, e.g., United States' Status Report to the Special Master ("Biweekly Report") of December 18, 2001 and its Attachment A; Biweekly Report of January 22, 2002 and its Attachment A. That physical inventory was conducted not only throughout the Office of the Solicitor (main and regional offices) but also throughout the other offices and bureaus statutorily identified as having trust responsibilities or otherwise believed by the Interior Defendants to have e-mail traffic relevant to Individual Indian Money accounts and the current litigation. See 25 U.S.C. § 4043(b)(1) ("Special Trustee shall oversee all reform efforts within the Bureau [of Indian Affairs], the Bureau of Land Management, and the Minerals Management Service relating to the trust responsibilities of the Secretary"), Exhibit 2 at 26:11-17. The identified Interior offices and bureaus are Bureau of Indian Affairs; Office of the Special Trustee; Office of Historical Trust Accounting; Minerals Management Service, Bureau of Land Management, Office of the Secretary; Office of the Assistant Secretary for Indian Affairs; Office of Hearings and Appeals; 4 and Office of the Assistant Secretary for Policy, Management and Budget (collectively, "Designated Offices"). 2 The physical inventory indicated that the Designated Offices had a total of 7,088 e-mail backup tapes that were generated between May 1, 1999, and November 30, 2001. The costs used to estimate the restoration portion of the E-Mail Proposal include the costs not only for those e-mail backup tapes but also for the post-inventory e-mail backup tapes that are generated by the Designated Offices from December 1, 2001 until implementation of the real-time capture of e- mail traffic eliminates the need to continue indefinitely retaining e-mail backup tapes (see section HI, below). Until the e-mail backup tapes are restored arid reviewed, however, there is no way of knowing the volume of unique, non-duplicative e-mail that will be present on those tapes, much less the volume of unique, non-duplicative e-mail that, when searched according to agreed-upon terms, will relate to issues in this litigation. The Interior Defendants determined that ZANTAZ - a company that works primarily with the financial services sector to provide investigation- and litigation-oriented e-mail archival solutions that comply with the rigorous e-mail retention, search, and verification requirements of the Securities and Exchange Commission standards, see Exhibit 1 at DEF0043318, 43329, 43337; Exhibit 2 at 5:16 - 7:8; Exhibit 3 (ZANTAZ handout from August 8 presentation) at 1, 3, 12 - was best positioned to provide the e-mail restoration, archive, and search capabilities sought 2Given the substantial cost of implementing the E-Mail Proposal and the fact that the Designated Offices are those most directly involved with the issues relating to this litigation, the Interior Defendants determined that the remaining offices; and bureaus (including Bureau of Reclamation, Fish and Wildlife Service, National Business Center, National Park Service, Office of Surface Mining, and United States Geological Survey) did not merit inclusion in the E-Mail Proposal. In addition, the Office of the Inspector General is not currently participating in the E- Mail Proposal. 5 by the Interior Defendants and to relieve the Interior Defendants of the burdens associated with retaining and searching an increasingly large number of e-mail backup tapes. ZANTAZ ran a small-scale pilot test in the Office of the Solicitor to verify that its archive was compatible with the Interior Defendants' various e-mail systems and also reviewed sample backup tapes in a number of different formats on a number of different media from the Designated Offices to ensure that their restoration process and real-time capture of e-mail traffic would be compatible with the Interior Defendants' e-mail systems. See, e.g., Biweekly Report of December 18, 2001; Exhibit 2 at 14:14-16; 34:4- 36:23. After completion of the inventory of e-mail backup tapes, the pilot test, and the review of sample e-mail backup tapes, the Interior Defendants and ZANTAZ developed a cost estimate for the E-Mail Proposal. Although the Interior Defendants had not been able to confirm the availability of the funding necessary to implement the E-Mail Proposal as of the February 20 Letter, that funding commitment is now in place in the form of Fiscal Year 2002 funds that will need to be obligated to a final contract as early as possible in September 2002. The Interior Defendants are now in a position to finalize the E-Mail Proposal, but they will not sign a final contract or begin implementation until the Special Master confirms that the E-Mail Proposal i) addresses the July 2001 Opinion and related orders regarding the search and production of e-mails from retained e-mail backup tapes and from future e-mail traffic; and ii) relieves the Interior Defendants of the financial and administrative burden of indefinitely generating and retaining e-mail backup tapes as soon as ZANTAZ has implemented its real-time capture of e-mail traffic and its own backup procedures, as discussed in section III, below. 6 Additional Considerations Because the E-Mail Proposal will involve a government contract, several additional considerations could affect the timing and implementation of the E-Mail Proposal, even after the Special Master's approval. 1. Decision to Procure the Services from a Sole Source - ZANTAZ - Rather than Through Competitive Bidding Given the specific technical requirements and the exigencies of this case, the Interior Defendants plan to enter into a contract with ZANTAZ as the sole source provider for all of the services described in the E-Mail Proposal rather than proceed with a competitive bidding process. The Interior Defendants have received the necessary internal clearances to proceed with a sole source procurement and do not expect substantive opposition to the procurement or to the use of ZANTAZ as the sole source provider, but any administrative or legal challenge could delay implementation of the E-Mail Proposal. 2. Privacy Act - 5 U.S.C. § 552a The Interior Defendants' current backup systems are not designed to allow the search for and retrieval of individual e-mails, but only to restore systems in the event of catastrophic failure. The Interior Defendants determined that the ZANTAZ e-mail solution - permitting the search of individual e-mails by a number of terms and parameters, including individual names - could constitute a new system of records for purposes of the Privacy Act. See 5 U.S.C..§ 552a(a)(5) (applying to "a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual"). Because of the potential Privacy Act 7 implications, the Interior Defendants are required to provide public notice of the proposed system of records, allow for a comment period, and address any comments received before implementing the system described in the E-Mail Proposal. See 5 U.S.C. § 552a(e)(4), (11). The notice and comment portion of the Privacy Act process normally requires 40 business days: 30 business days for the Privacy Act notice requirement, plus an additional 10 business days required by the Office of Management and Budget ("OMB") in connection with Circular A-130 (although OMB has the discretion to waive that additional 10-day period). The Interior Defendants published the required Privacy Act notice in the Federal Register on July 12, 2002, see Exhibit 4, and also requested that OMB waive the additional 10-day period. The notice-and- comment period will close on August 23, 2002 ifOMB grants a waiver, and on September 9, 2002 otherwise. Although Interior does not expect any opposition to implementation of a new Privacy Act system of records in the form of the ZANTAZ searchable e-mail archive, any comments received during the notice period will need to be addressed and any subsequent administrative or legal challenges based on those comments could delay implementation of the E-Mail Proposal. To date, the Interior Defendants have not received any comments relating to the Privacy Act notice. 3. Statement of Work Interior has worked closely with ZANTAZ to develop a draft Statement of Work ("SOW"). See Exhibit 5 (Draft SOW dated August 8, 2002). Because of the cost and significant impact of undertaking the E-Mail Proposal, the draft SOW will not be finalized, a contract will not be executed, and funds will not be obligated until the Special Master approves the E-Mail Proposal. The final SOW and contract, as well as the final contract price, will need to reflect any 8 refinements or alterations that result from the Special Master's consideration of the E-Mail Proposal. To the extent that the scope of work or cost of the E-Mail Proposal is affected significantly by the process of obtaining final approval, that may impact the Interior Defendants' ability to fund and implement the E-Mail Proposal, because Interior cannot execute a contract for which committed funding is not yet available. See, e.g., 31 U.S.C. § 1341 (Anti-I)eficiency Act). THE E-MAIL PROPOSAL As discussed in the February 20 Letter, the E-Mail Proposal can be thought of as consisting of three steps. The first step - the physical inventory of e-mail backup tapes as necessary to estimate and allocate the approximate costs for the remaining steps - has been completed for the Designated Offices. The second step, discussed in section I, below, consists of restoring e-mail from those backup tapes, reducing multiple occurrences of an identical e-mail to a single unique e-mail ("de-duping'), uploading all unique e-mails to a searchable storage medium, and searching those unique e-mails using agreed-upon terms. The third step, discussed in section II, below, involves capturing all current and future e-mail traffic at the e-mail servers for each Designated Office and routing it to an off-site, searchable e-mail archive that will be backed up, maintained, and administered by ZANTAZ. Once this capture and archive have been verifiably implemented throughout the Designated Offices, the Interior Defendants would, as discussed in section III, below, be relieved of the burden of indefinitely retaining e-mail backup tapes and be allowed to return to the standard system backup and backup tape retention procedures. I. RESTORATION AND SEARCH OF E-MAIL FROM RETAINED BACKUP TAPES ZANTAZ will restore, de-dupe, and search the e-mails contained on the e-mail backup tapes retained by the Designated Offices - those tapes ah'eady inventoried for the period between May 1, 1999 and November 30, 2001, as well as those e-mail backup tapes that have accumulated since December 1, 2001, and that will continue to accumulate until the real-time capture and archive of e-mail traffic has been verifiably implemented. See Exhibit 1 at DEF0043319-43321, 43326-29; Exhibit 2 at 8:9-19; Exhibit 3 at 2, 4, 5; Exhibit 5 at Ά 3. Those unique e-mails will then be incorporated into an Interior Department e-mail archive that will be backed up, maintained, and administered by ZANTAZ on behalf of Interior. See Exhibit 1 at DEF0043323-25; Exhibit 3 at 2-4, 7, 11; Exhibit 5 at ΆΆ :3.2.6, 5.2.4, 5.2.5, 6.2, 6.5. A. Transportation and Handling of Backup Tapes The restoration and capture of all e-mail that may exist on the backup tapes from the Designated Offices will take place at ZANTAZ's headquarters in Pleasanton, California. ZANTAZ will dedicate a separate lab within its data center for this purpose, and the separate lab will have a single-door entrance controlled by biometric access (palm reader). Only those employees who are authorized to work on the project and who have signed the necessary non- disclosure and Privacy Act agreements will have access to the lab and to the backup tapes. See Exhibit 5 at ΆΆ 3.1.1, 8, 9, 11. For additional information regarding ZANTAZ's security policies and procedures, see Exhibit 1 at DEF0043330-36, 43338-400; Exhibit 3 at 7-12. Although ZANTAZ can work with either originals or copies of backup tapes, Exhibit 5 at Ά 3.1.3, ZANTAZ reports that a majority of its customers provide it with original rather than copies of backup tapes containing e-mails to be incorporated into ZANTAZ's searchable archive. 10 Like ZANTAZ's commercial customers, the Interior Delbndants have determined that it would be prohibitively expensive - and time consuming - to copy thousands of e-mail backup tapes and verify the integrity of each copy before providing it to ZANTAZ. As a result, the Designated Offices will provide original e-mail backup tapes to ZANTAZ for processing. ZANTAZ confirms that its commercial customers transport their original backup tapes to ZANTAZ for processing by using commercial carriers that allow shipments to be tracked dock to dock (for example, Federal Express or UPS). Given the sensitivities of e-mail-related issues in this case and the handling of potential IIM-related information, the Interior Defendants are currently trying to determine whether an alternative such as a direct courier or personal delivery from each location of the Designated Offices to ZANTAZ would be,' economically and practically feasible and - equally important - more reliable than shipment with an established and experienced commercial carrier. ZANTAZ and Interior will use a chain-of-custody procedure in which each tape to be sent to ZANTAZ from a particular office will be inventoried prior to packing and transport and will be confirmed by ZANTAZ immediately upon receipt. See Exhibit 1 at DEF0043320; Exhibit 5 at Ά 3.1.1. Interior will package its backup tapes for transportation as recommended by ZANTAZ and standard industry practice, generate a signed certification by the designated person that identifies each backup tape included in each package being transported, and provide a copy of the certification and shipping inventory to ZANTAZ, together with information about the method of transport. Upon receipt of a shipment of backup tapes, ZANTAZ will notify the originating office of receipt, inventory and verify the shipment, and notify the originating office of any exceptions. The backup tapes will be placed into fireproof safes, except when ZA2NTAZ 11 personnel are working directly with a particular backup tape. See Exhibit 2 at 19:7-11; Exhibit 5 at 3.1.1. ZANTAZ will only accept and process between 500 and 1,000 backup tapes at a time to allow close control of tapes and to ensure that all tapes can be properly secured and stored. Once a batch of backup tapes from a particular office or bureau have been processed and all e-mail has been captured from those backup tapes, ZANTAZ will return those backup tapes -- complete with a status report, index, and certification that all e-mails contained on those tapes were incorporated into a searchable archive - via commercial carrier or as otherwise instructed by Interior, to the originating office and to the authorized person assigned to handle the returned backup tapes. See Exhibit 5 at ΆΆ 3.1.4, 3.2.3, 3.2.4, 3.2.11, 3.3.3, 3.3.4, 3.3.7. ZANTAZ will coordinate with the Interior Defendants to operate on a Just In Time basis, so that backup tapes will be returned to the originating office after they have been processed, and additional tapes will be made available for ZANTAZ to process on a rolling basis. See id. at ΆΆ 3.1.3, 3.2.11. B. Restoration of E-Mail from Backup Tapes; ZANTAZ has previously reviewed the backup sy:;tems used by the Designated Offices and has confirmed that it will be able to use an automated, verifiable search of each backup tape to identify and capture a copy of each e-mail contained on that tape. Exhibit 2 at 34:4 - 36:23. No e-mail files will be removed or deleted from the original backup tapes. ZANTAZ's regular progress reports to the Interior Defendants will include a listing of all e-mail backup tapes that cannot be restored and searched using industry standard restoration and recovery techniques because of a problem with the media or with the programming. See id. at 35:11-23; Exhibit 5 at Ά 3.3.5. The progress reports will include the identifying information for the particular tape(s), 12 the efforts made to recover the contents, the nature of the problem (if known), and whether any other non-destructive or destructive methods of accessing the e-mail on the backup tape(s) exist. See Exhibit 2 at 35:11-23; Exhibit 5 at Ά7 3.1.4, 3.2.3, 3.2.4, 3.2.4.1, 3.3.5. The Interior Defendants will, in consultation with the Special Master,, determine how to handle any backup tapes that cannot be restored and searched by ZANTAZ. Once all e-mails have been isolated and captured from a particular backup tape, ZANTAZ will de-dupe the e-mails and incorporate all unique (i.e., non-duplicate) e-mails into a searchable archive. See Exhibit 5 at 77 3.1.2, 3.2.5, 3.2.6. Once all e-mail from all backup tapes for a particular Designated Office has been restored, the archive will be searched for e-mails responsive to specified search terms. See id. at 77 3.1.1, 3.2.5, 5.2.3, 6.2. Both the automated search process and the results can be certified by ZANTAZ. See Exhibit 1 at DEF0043319; Exhibit 5 at 77 3.2.6, 3.2.7, 3.2.9. The Interior Defendants propose that the parties, together with the Special Master, develop an agreed-upon list of search terms to be used for the e-mails restored from e-mail backup tapes, and that the search be, performed progressively as soon as e-mail restoration has been completed for a particular Designated Office (rather than waiting much longer until e-mail restoration has been completed for all Designated Offices). C. Priority of Restoration ZANTAZ plans to operate two shifts to complete the restoration process as quickly as possible, but it nevertheless expects that it will take from eight to nine months to complete its capture and search of e-mail from the e-mail backup tapes generated by all of the Designated Offices. The Interior Defendants propose that the restoration and archive of e-mail from backup tapes be completed for all locations of one Designated Office before beginning the process for 13 another Designated Office. The Interior Defendants also propose that the order of processing be prioritized according to which Designated Offices are most likely to have relevant e-mail traffic and which Designated Offices have previously been the focus of production requests. Thus, the Interior Defendants propose that ZANTAZ begin by restoring e-mail from backup tapes for the Office of the Solicitor, then continue in the following order: Bureau of Indian Affairs; Office of the Special Trustee; Office of Historical Trust Accounting; Minerals Management Service, Bureau of Land Management, Office of the Secretary; Office of the Assistant Secretary for Indian Affairs; Office of Hearings and Appeals; and Office of the Assistant Secretary for Policy, Management and Budget. II. IMPLEMENTATION OF REAL-TIME CAPTURE OF E-MAIL TRAFFIC AND INCORPORATION OF UNIQUE E-MAILS INTO A SEARCHABLE ARCHIVE ZANTAZ provides a system for capturing all internal and external incoming and outgoing e-mail traffic at each e-mail server and automatically routing it - via a protected pathway - to an off-site, secure, searchable e-mail archive that is backed lap, administered, and maintained by ZANTAZ. Exhibit 1 at DEF0043323-25; Exhibit 3 at :3, 5, 12; Exhibit 5 at ΆΆ 4-5. The Interior Defendants currently plan to use protected lines to route all e-mail traffic for the Designated Offices from Interior to ZANTAZ. The capture, routing, and archive of e-mails is invisible to e-mail users and does not require e-mail senders or recipients to take any special steps after the system is in place at the server. See Exhibit 1 at DEF0043324; Exhibit 2 at 17:10- 18:11; Exhibit 3 at 4; Exhibit 5 at Ά 5.1.2. Systems administrators for the Designated Offices do not need to do anything more than continue to monitor server activity using the procedures currently 14 in place. The ZANTAZ system captures all internal and external e-mail traffic at the mail servers for the Designated Offices and archives not only an exact copy of each unique e-mail and its attachment(s) but also all headers and routing information. See Exhibit 1 at DEF0043321-24, 43326-29; Exhibit 2 at 15:12 - 16:4, 27:21 -29:17; Exhibit 3 at 5, 6; Exhibit 5 at 7Ά 5.1.2, 5.2.1. For example, an e-mail sent by one user to 50 recipients, including 10 "cc:" and 5 "bcc:" recipients would be archived as a single e-mail with all ..........to. , cc. , and "bcc'". intbrmation intact, not as 50 copies of the same e-mail. Ifa user subsequently forwards that e-mail - with or without additional comments - that new e-mail will likewise be captured in the archive as a unique e-mail. Once a particular e-mail has been captured and routed to ZANTAZ, all identifying information is captured and encoded, a unique digital signature is added to disclose any later alteration or degradation, and the data are stored in two secure systems located in separate geographic areas. See Exhibit 1 at DEF0043324; Exhibit 2 at 6:18 - 7:3, 10:12-13; Exhibit 3 at 2, 4; Exhibit 5 at 77 5.2.1, 5.2.2, 5.2.4. Once the e-mails have been incorporated into the archive, ZANTAZ is responsible for backing them up according to the retention instructions issued by Interior. Exhibit 1 at DEF0043324-25, 43329; Exhibit 3 at 11; Exhibit 5 at Ά7 5.2.4, 5.2.5. Although ZANTAZ will be responsible for backing up, maintaining, and administering the e-mail archive on behalf of Interior, the e-mails themselves will remain the property of Interior. Exhibit 5 at Ά7 5.2.5, 6.5. Furthermore, should the contract with ZANTAZ be terminated, all archived e-mails will be returned in a format and media selected by Interior. I__d. Once archived, the e-mails can be searched based on a number of parameters (including 15 names, dates, and specific words or phrases appearing :in the body of the e-mail) and retrieved and provided to the Interior Defendants in the as-sent form. See Exhibit 1 at DEF0043326-28; Exhibit 3 at 3, 12; Exhibit 5 at Ά 5.2.3. Again, the search process and the results can be certified by ZANTAZ. Exhibit 1 at DEF0043319. The Interior Defendants propose that, fi_r future searches of captured e-mail traffic, the parties, together with the Special Master, develop an agreed-upon list of terms before starting each search. To control costs, the Interior Defendants will, in consultation with the Special Master, determine a reasonable period for restored and captured e-mail to remain "live," i.e., on-line and readily searchable. See Exhibit 2 at 44:1-17; Exhibit 5 at Ά 6.3. After that time, the e-mails will be loaded by ZANTAZ onto DLT tapes (which can be restored to a searchable archive and searched for an additional cost) and maintained by ZANTAZ in a secure storage facility. See Exhibit 2 at 44:19 - 45:9, 46:9-12; Exhibit 5 atΆΆ 6.3, 6.5. ZANTAZ can begin to implement the real-time capture of e-mail in the Designated Offices while the process of restoring and capturing e-mail from the backup tapes for the Designated Offices is underway. Implementation of e-mail capture and archive in a particular location will involve only minimal disruption and will allow the real-time capture of e-mail traffic to begin almost immediately. See Exhibit 1 at DEF0043329; Exhibit 2 at 17:3 - 18:11. ZANTAZ expects that implementation of the real-time capture and archive of e-mail in all locations of all of the Designated Offices could be completed in four to six weeks, barring any carrier-associated delays. Implementing the real-time e-mail capture and archive while restoration is underway will also allow the Interior Defendants to verify that e-mail traffic within the Designated Offices is 16 certifiably being captured in and retained by the ZANTAZ archive, and will, as discussed in section III, below, allow the Interior Defendants to be relieved of the cost and administrative burden of indefinitely retaining e-mail backup tapes and to return to their normal system backup and tape retention procedures. III. REPLACEMENT OF INDEFINITE RETENTION OF E-MAIL BACKUP TAPES WITH ZANTAZ BACKUP, MAINTENANCE, AND ADMINISTRATION OF THE SEARCHABLE E-MAIL ARCHIVE Because of the overall cost of the E-Mail Proposal and the burden associated with continuing to generate and indefinitely retain e-mail backup tapes, the Interior Defendants need confirmation that their verified implementation of the real-time capture and archive of e-mail traffic in the Designated Offices, together with ZANTAZ's undertaking to backup, maintain, and administer that archive of all unique e-mail traffic for the Designated Offices, see Exhibit 5 at ΆΆ 5.2.4, 5.2.5, 6.5, will relieve the Interior Defendants of the burdens of continuing to indefinitely retain e-mail backup tapes, see Exhibit 2 at 42:2 - 43:8. The e-mail archive implemented and managed by ZANTAZ will not only serve the same function as the Interior Defendants' indefinite retention of e-mail backup tapes but also provide the significant additional benefit of making those e-mails searchable, a capability that the Interior Defendants do not currently have with their retained e-mail backup tapes. Interior's ability to fund the E-Mail Proposal depends in large part on its ability to relieve its offices and bureaus of the cost and administrative burden of departing from standard system backup and retention procedures and indefinitely retaining backup tapes containing e-mail. Accordingly, the Interior Defendants move for an order relieving them of the burden of 17 indefinitely retaining e-mail backup tapes and allowing them to return to standard system backup and tape retention procedures according to the following process: (1) The Interior Defendants will provide the Special Master with two documents to confirm that e-mail capture has been implemented: (a) a letter from Interior declaring that it identified to ZANTAZ all mail servers providing e-mail to a particular Designated Office, and (b) a letter from ZANTAZ confirming that the real-time capture and archive of e-mail traffic has been implemented for all identified mail servers providing e-mail to a particular Designated Office and has operated for two weeks in accordance with ZANTAZ's standards for monitoring and documenting e-mail capture; (2) The Special Master will have two weeks from receipt of that letter from the Interior Defendants to verify or otherwise follow-up with the Interior Defendants and/or ZANTAZ regarding operation of the real-time capture and archive of e-mail traffic for that particular Designated Office; (3) Upon the earlier of the Special Master's approval or passage of the two- week period without any response from the Special Master, unless extended by order of the Special/vlaster for a particular Designated Office, that office will be released from any further obligation to indefinitely retain e-mail backup tapes and may return to its standard system backup and tape retention procedures; and (4) Compliance with these procedures will relieve Interior from indefinitely retaining e-mail backup tapes, and Interior will have no further e-mail backup and retention obligations relating to this case - apart from those performed by ZANTAZ - unless and until the contract with ZANTAZ is terminated or ZANTAZ otherwise notifies Interior that it is unable or unwilling to perform e-mail backup and retention on behalf of Interior. 18 CONCLUSION For all of the reasons stated above, the Interior Defendants request approval of the E-Mail Proposal. Two supporting declarations and a proposed order accompany this Motion. Dated: August 14, 2002 Respectfully submitted, ROBERT D. McCALLUM, JR. Assistant Attorney General STUART E. SCHIFFER Deputy Assistant Attorney General J. CHRISTOPHER KOHN Director7 ,4__ ,/')/'7 SANDRA P. SPOONER Deputy Director D.C. Bar No. 261495 JOHN T. STEMPLEWICZ Senior Trial Counsel PETER B. MILLER Trial Attorney Commercial Litigation Branch Civil Division P.O. Box 8"75 Ben Franklin Station Washington, D.C. 20044-0875 (202) 514-7194 19 CERTIFICATE OF SERVICE I declare under penalty of perjury that, on August 14, 2002 I served the foregoing Interior Defendants' Motion and Memorandum Regarding Proposal to (1) Restore and Search Retained Backup Tapes Containing E-mail; (2) Implement Real-time Capture of E-mail Traffic and Incorporation into a Searchable Archive; and (3) Replace Indefinite Retention of Backup Tapes Containing E-mail with Backup of Searchable E-mail Archive by facsimile upon: Keith Harper, Esq. Dennis M Gingold, Esq. Native American Rights Fund Mark Kester Brown, Esq. 1712 N Street, N.W. 1275 Pennsylvania Avenue, N.W. Washington, D.C. 20036-2976 Ninth Floor (202) 822-0068 Washington, D.C. 20004 (202) 318-2372 and by U.S. Mail upon: Elliott Levitas, Esq. 1100 Peachtree Street, Suite 2800 Atlanta, GA 30309-4530 Copy of the Motion, without attachments, served by facsimile on August 14, 2002; a complete copy to be delivered by hand the morning of August 15, 2002 upon: Alan L. Balaran, Esq. Special Master 1717 Pennsylvania Avenue, N.W. 12th Floor Washington, D.C. 20006 (202) 986-8477 Courtesy Copy by U.S. Mail upon: Joseph S. Kieffer, llI Court Monitor 420 - 7 th Street, N.W. Apartment 705 Washington, D.C. 20004 • . " gston IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA ELOUISE PEPION COBELL, et al., ) ) Plaintiffs, ) ) v. ) Case No. 1:96CV01285 RCL ) (Special Master Alan Balaran) GALE A. NORTON, Secretary of the Interior, et al.,) ) Defendants. ) ) ORDER REGARDING INTERIOR DEFENDANTS' E-MAIL PROPOSAL Upon consideration of the Interior Defendants' Motion and Memorandum Regarding Proposal to (1) Restore and Search Retained Backup Tapes Containing E-Mail; (2) Implement Real-Time Capture of E-Mail Traffic and Incorporation of E-Mail into a Searchable Archive; and (3) Replace Indefinite Retention of Backup Tapes Containing E-Mail with Back-Up of Searchable E-Mail Archive and attachments thereto (collectively, "E-Mail Proposal"), the Plaintiffs' response, and the August 8 presentation by the Interior Defendants and ZANTAZ to the Special Master and to counsel for the Plaintiffs, it is hereby ORDERED that the E-Mail Proposal is APPROVED for implementation by the Department of the Interior and ZANTAZ, and it is further ORDERED that the following offices and bureaus within the Department of the Interior shall be "Designated Offices" for purposes of implementing the E-Mail Proposal: Office of the Solicitor; Bureau of Indian Affairs; Office of the Special Trustee; Office of Historical Trust Accounting; Minerals Management Service, Bureau of Land Management, Office of the Secretary; Office of the Assistant Secretary for Indian Affairs; Office of Hearings and Appeals; and Office of the Assistant Secretary for Policy, Management and Budget; and it is further ORDERED that the Interior Defendants shall keep the Special Master informed regarding implementation of the E-Mail Proposal, including, but not limited to, i) issues that delay or otherwise adversely affect implementation of the E-Mail Proposal; ii) notification of the date on which the Department of the Interior enters into a final contract with ZANTAZ for services related to the E-Mail Proposal; iii) status of the restoration, archive, and search of retained backup tapes for the Designated Offices; and iv) status of implementation of real-time capture of e-mail traffic within the Designated Offices and incorporation of that e-mail traffic into the searchable e-mail archive backed up, maintained, and administered by ZANTAZ; and it is further ORDERED that the Interior Defendants shall coordinate with the Special Master and with counsel for the Plaintiffs to determine the search terms to be used to search for e-mail that has been restored to the archive from the retained backup tapes for the Designated Offices; and it is further ORDERED that implementation of the real-time capture and archive of e-mail traffic, when certified by the Department of the Interior and ZANTAZ and confirmed by the Special Master, will relieve the Department of the Interior of any obligation to indefinitely retain backup tapes containing e-mail traffic and will allow the Department of the Interior to follow its normal system backup and tape retention procedures as long as the real-time capture and archive of e-mail traffic remains in effect. August _, 2002 Special Master Alan Balaran 2 Copies to: SANDRA P. SPOONER JOHN T. STEMPLEWICZ PETER B. MILLER Commercial Litigation Branch Civil Division P.O. Box 875 Ben Franklin Station Washington, D.C. 20044-0875 facsimile 202-514-9163 DENNIS GINGOLD MARK KESTER BROWN 1275 Pennsylvania Ave. NW, 9th Floor Washington, DC 20004 facsimile 202-318-2372 KEITH HARPER Native American Rights Fund 1712 N Street NW Washington, DC 20036-2976 facsimile 202-822-0068 ELLIOTT H. LEVITAS Kilpatrick Stockton 1100 Peachtree St., Suite 2800 Atlanta, GA 30309-4530 facsimile 404-541-3280 IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA ELOUISE PEPION COBELL, et al., ) ) Plaintiffs, ) v. ) ) GALE NORTON, SECRETARY OF ) No. 1:96CV01285 RCL THE INTERIOR ) (Hon. Alan L. Balaran, Special Master) et al., ) ) Defendants. ) ) DECLARATION OF W. HORD TIPTON REGARDING PROPOSAL TO (1) RESTORE AND SEARCH RETAINED BACKUP TAPES CONTAINING E-MAIL; (2) IMPLEMENT REAL-TIME CAPTURE OF E-MAIL TRAFFIC AND INCORPORATION INTO A SEARCHABLE ARCHIVE; AND (3) REPLACE INDEFINITE RETENTION OF BACKUP TAPES CONTAINING E-MAIL WITH BACK-UP OF SEARCHABLE E-MAIL ARCHIVE 1. My name is W. Hord Tipton, and I am Acting Departmental Chief Information Officer for the Department of the Interior. 2. In that capacity, I am familiar with the E-Mail Proposal developed by the Department of the Interior and ZANTAZ for (i) the restoration of e-mail from retained backup tapes containing e-mail and the incorporation of that restored e-mail into a searchable archive, and (ii) the capture of e-mail traffic in a searchable archive to be backed up, maintained, and administered off-site by ZANTAZ. 3. In that capacity and given my familiarity with the E-Mail Proposal developed by the Department of the Interior and ZANTAZ, I attended and participated in the August 8, 2002 presentation to the Special Master and counsel for the Plaintiffs regarding the E-Mail Proposal. 4. In that capacity and given my familiarity with the E-Mail Proposal developed by Attachment A Defendants' Motion Re: ZANTAZ E-Mail Proposal the Department of the Interior and ZANTAZ, I have reviewed the Interior Defendants' Motion and Memorandum Regarding Proposal to (1) Restore and Search Retained Backup Tapes Containing E-Mail; (2) Implement Real-Time Capture of E-Mail Traffic and Incorporation of E-Mail into a Searchable Archive; and (3) Replace Indefinite Retention of Backup Tapes Containing E-Mail with Back-Up of Searchable E-Mail Archive ("Motion"). 5. The factual assertions made by and regarding the Department of the Interior in connection with the E-Mail Proposal at the August 8 presentatior/and in the Motion are correct. I declare under penalty of perjury that the foregoing is true and correct. Executed on August 14, 2002 W. Hord Tipton// U IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA ELOUISE PEPION COBELL, et al., ) ) Plaintiffs, ) v. ) ) GALE NORTON, SECRETARY OF ) No. 1:96CV01285 RCL THE INTERIOR ) (Hon. Alan L. Balaran, Special Master) et al., ) ) Defendants. ) ) DECLARATION OF THOMAS E. PRIOR REGARDING PROPOSAL TO (1) RESTORE AND SEARCH RETAINED BACKUP TAPES CONTAINING E-MAIL; (2) IMPLEMENT REAL-TIME CAPTURE OF E-MAIL TRAFFIC AND INCORPORATION INTO A SEARCHABLE ARCHIVE; AND (3) REPLACE INDEFINITE RETENTION OF BACKUP TAPES CONTAINING E-MAIL WITH BACK-UP OF SEARCHABLE E-MAIL ARCHIVE 1. My name is Thomas E. Prior, and I am Director of Sales for ZANTAZ, Inc. 2. in that capacity, I am familiar with the E-Mail Proposal developed by the Department of the Interior and ZANTAZ for (i) the restoration of e-mail from retained backup tapes containing e-mail and the incorporation of that restored e-mail into a searchable archive, and (ii) the capture ore-mail traffic in a searchable archive to be backed up, maintained, and administered off-site by ZANTAZ. 3. In that capacity and given my familiarity with the E-Mail Proposal developed by the Department of the Interior and ZANTAZ, I attended and participated in the August 8, 2002 presentation to the Special Master and counsel for the Plaintiffs regarding the E-Mail Proposal. 4. In that capacity and given my familiarity with the E-Mail Proposal developed by the Department of the Interior and ZANTAZ, I have reviewed the Interior Defendants' Motion Attachment B Defendants' Motion Re: ZANTAZ E-Mail Proposal _O'd 0E68 92_E ]_SL dO_.:EO i_O-l_I-6nv Aug-14-02 03:21P 781 326 8930 P._3 and Memorandum Regarding Proposal to (1) Restore and Search Retained Backup Tapes Containing E-Mail; (2) Implement Real-Time Capture of E-Mail Traffic and Incorporation of E- Mail into a Searchable Archive; and (3) Replace Indefinite Retention of Backup Tapes Containing E-Mail with Back-Up of Searchable E-Mail Archive ("Motion"). 5. The factual assertions made by and regarding ZANTAZ, Inc. in connection with the E-Mail Proposal at the August 8 presentation and in the Motion are correct. I declare under penalty of perjury thal the foregoing is true and correct. :_ )I1 Executed on August 14, 2002 ___"_j/_i_J//_ _" Thomas E. Prior U.S. of Justice Department Civil Division Commercial Litigation Branch P.O. Box 875, Ben Franklin Station Washington, D.C. 20044 Peter B. Miller Tel. 202-307-0184 Fax 202-307-0494 peter.miller@usdoj.gov By Hand: 1100 L Street NW, Room 10104, Washington, DC 20005 February 20, 2002 BY HAND DELIVERY Alan L. Balaran Dennis M. Gingold Special Master 1275 Pennsylvania Ave. NW, 9th Floor 1717 Pennsylvania Ave. NW, 12th Floor Washington, DC 20004 Washington, DC 20006 Re: Cobell v. Norton - Information regarding Interior's proposed solution for complying with e-mail retention, search, and production requirement,; Gentlemen: As we first informed you in our September 26, 2001 letter and then updated in subsequent biweekly reports, Interior has been working with a potential contractor to develop a solution for compliance issues relating to e-mail retention, search, and production. Because of the funding requirements and intervening issues in the case, including the contempt proceedings and the IT security issues, the work has not progressed as rapidly as we had hoped. The proposed e-mail solution can be described as a three-step process. The first step - a physical inventory of e-mail backup tapes retained pursuant to earlier orders in this case - is necessary to determine and allocate the approximate costs for the remaining steps, which are priced according to the quantity of back-up tapes involved (second step) and the volume of data being archived (third step). The second step consists of restoring e-mail backup tapes, reducing multiple occurrences of an identical document to a single unique document ("de-duping"), and uploading all unique documents to a searchable e-mail archive. The third step involves capturing all current and future e-mail traffic at the server level and routing it to an off-site, third-party administered, searchable e-mail archive. The first step - physical inventory- is now close enough to completion for Interior to estimate the approximate costs associated with implementing the second and third steps in each of the designated offices and bureaus. As reported in prior biweekly reports, the potential contractor for the second and third steps ran a no-cost pilot test of the searchable e-mail archive in the Office of the Solicitor. In addition, that potential contractor has also received sample e-mail backup tapes from the designated offices and bureaus and confirmed that its archival system is compatible with the different types of hardware and software used to generate the e-mail backup tapes. Exhibit 1 Defendants' Motion Re: ZANTAZ E-Mail Proposal Interior currently estimates that the second step of the proposed e-mail solution- restoration, data transfer, de-duping, and uploading to a permanent, searchable archive - will cost roughly $4.1 million for the e-mail backup tapes generated for the Office of the Solicitor, Bureau of Indian Affairs, Office of the Special Trustee, Office of the Secretary (including OHTA and PMB), Minerals Management Service, Bureau of Land Management, and Office of Hearings and Appeals. Interior estimates that it will cost roughly $900,000 per year to capture and archive e-mail traffic going forward for those same offices and bureaus. Interior is now attempting to obtain the funds necessary to finance the remaining two steps of the proposed e-mail solution and will make every effort to obtain the full funding necessary .for the project. If the estimated $5 million is not immediately available, however, Interior plans to implement the proposed e-mail solution in offices and bureaus on a prioritized basis as funds become available, beginning with the Office of the Solicitor (including e-mail backup tapes from five Bureau of Reclamation servers that, until recently, provided e-mail services for Solicitor's offices in the field), the Bureau of Indian Affairs, and the Office of the Special Trustee. We emphasize that we do not yet have a funding commitment for the last two steps of the proposed e-mail solution. Because of concerns relating to the Anti-Deficiency Act, 131 U.S.C. § 1341, we can neither enter into a contract for the second and third steps of the proposed e-mail solution nor accept anticipatory performance of work until a funding commitment is in place. As a result, it is premature to file a motion seeking formal approval of the proposed e-mail solution. Nevertheless, because the proposed e-mail solution is driven by the demands of the current litigation and will be expensive to implement, we believe it important, in advance of'the funding commitment, to provide you with the status and the details of the proposed e-mail solution in the hopes that any issues regarding implementation and compliance can be raised and addressed proactively. Please communicate any concerns you have about this proposed e-mail solution as soon as possible. As funding becomes available and the proposed e-mail solution is implemented, we would then be able to address the discovery- and production-related aspects of the prior orders regarding e-mail. As soon as e-mail backup tapes for a particular office or bureau are restored and uploaded to a searchable archive, the potential contractor would conduct a search - using mutually agreed search terms based on outstanding discovery requests and on information requests from the Special Master- of all restored e-mails for that particular office or bureau to identify potentially responsive materials. Once the e-mail archive has been implemented in an office or bureau and all e-mail traffic is being captm'ed on a real-time basis - as verified by the Special Master (or his IT consultan0 - we will then ask the Special Master to relieve that particular office or bureau of its obligation to continue generating and retaining e-mail backup tapes indefinitely, on the grounds that all unique e-mails from the retained e-mail backup tapes will have been transferred to and incorporated into a searchable archive and that all future e-mail traffic will be captured and incorporated into a searchable archive. This prospective relief is crucial to Interior's ability to finance and implement the proposed e-mail solution, because this third-party administered e-mail archive will allow the affected offices and bureaus to eliminate the cost, labor, and time associated with generating and retaining e-mail backup tapes as required by the current litigation. qD 3 The accompanying attachments provide information regarding the potential contractor, ZANTAZ, and its e-mail archival system. ZANTAZ is a company that works primarily with the financial services sector and provides e-mail archival solutions that comply with the rigorous e-mail retention, search, and verification requirements of the Securities and Exchange Commission. Attachment A (DEF0043317-43337) provides a general overview of ZANTAZ and its e-mail archive. More detailed information regarding ZANTAZ's safeguards and security practices is provided in Attachments B (Executive Summary, "Information Security and Safety"; DEF0043338-43343), C ("ZANTAZ Production Security Policy"; DEF0043344-43399), and D ("Background Verification Policy"; DEF0043400). These attachments are ZANTAZ- generated documents, some of which are sensitive, and we request that circulation and discussion of this letter and its attachments be limited to the Special Master and his team and counsel for the Plaintiffs and their litigation team (including experts). After you have had a chance to review these materials, we would be happy to arrange a meeting with Interior and ZANTAZ to discuss the proposed e-mail solution. Sincerer, /!, .,/] _, P_ter B. Miller cc: Jim Cason Sabrina McCarthy Regina Lawrence Tom Prior Attachment A ...... DEFoo43317 ....................... : ," , .......... ,'i " .:!_. " " ,. i ZANTAZ Background' i • .( ...._' ..... .. " _,, _. ". . I > ZANTAZ is the largest outsourced service provider that delivers secure;,storage archiv_hg_and i r.; instantaneous retrieval solutions for electronic messages and all related attachments > ZANTAZ's mission is to help companies and agencies comply'"with their legal, audit and regulaiory ",_ obligations to capture, restore, retrieve and secure archiving of vast amounts of data, cost ............... efficiently .... _ ......... / / .......... ! _, ZANTAZ responded to the demand by the SEC, wl_ich stated_ in 1997 that "Originals of all communications received and copies of all communica_tions sent" must be archived. Since that time, all broker/dealers have been required to keep email as a general part of their books and records business practice. ZANTAZ delivers an outsourced, compliant, records keeping service that focuses on solving the records keeping problems around email and their attachments. The ZANTAZ Digital Safe was designed to meet the stringent SEC requirements, for secured document archival and retrieval of all electronic correspondence. ZANTAZ first received funding in 1998. Our prestigious list of clients include; Morgan Stanley, Bank of America, Salomon Smith Barney, Cantor Fitzgerald and ETrade. _, ZANTAZ ensures that our customers are complying with the books and records requirements for the SEC and the NASD and all court ordered document production, t l _, ZANTAZ responds to the need of any federal agency that demands that electronic messages be m archived and maintained as federal documents. -!1 c_ ’o ’o 'i" ., / .:' . _... Tape Restoration and Docume;nt : :,,:ii ::: .... , Production forall; Back-Up:Tapes .... • . ;. ..... , . _- ;"-,,. T . '... .... " ...i :' "- • _\ . , -. ,.% : > Restore and maintain all back-up tap ..... : . . ,... All electronicmessages and attachments are restored to their original format .... ................... _" All documents are maintained, stored, protected, and kept in a readable format > Audit Support Services for document production:' " Search on any key words, phrases, or terrns in the body of the email text > Original documents and attachments are located, validated, authenticated and then retrieved ;_ All requested documents are moved into an audit repository '> Authorized users view only the requested documents _-- Audit results are password protected, shipped to DOI in an electronic format of one's choosing, viewed online by authorized personnel _.. Copy of Audit results maintained by Zantaz ), Third party implementation attesting to completeness and accuracy of any and all documents EJ Ill -rl o o _ M ........ P_ __" O0 (,D U PR 0 CO bO ° 0 ; , . j Meets the Strictest Requirements forErnail ."i-.,..i Archival • . ........ ..... ' , ::\!i L " " Ensures the integrity, authenticity and completeness of all messages sent or received Onany In ' ....... " teriOr. " : ° Server by: .... _- Capturing and retaining all email recipients , , ._ > Maintains all indexes and identifies all "bcc and cc",."addresses on all emails ................... " _" Capturing all email messages and securely archives in their original format." . ..... " > Any message sent or received, from any Interior mail server, is captured,at ther0uter level ensuring that no message is lost, deleted, or destroyed, > Capture and archival is automatic requiring no human intervention Capturing all document history .. ' - >' Retains all modifications, responses, attachments and edits of every email _, Capturing all Internet and Gateway header information > Complete routing history is preserved > •Audit logs detail the complete audit of the path the message took, when sent, to whom, from whom, CC, BCC, subject, attachments and body _" Capturing and securing all attachments > Maintains original attachments _* Available for viewing in their original format > Capturing and maintaining all topic information > Subject headings are maintained as part of the original email Ability to process and store enormous volumes of emails and attachments with unlimited retention periods > No document is deleted or destroyed All information is available online for immediate retrieval m "11 O0 / .. ,._.'._ ,, , ._), " "4 Retrieving all Electronic CorrespOtidence • _ ................ " • ' i " . " 7' ',\%1 _- Provide timely retrieval across the entire document set by bureau or across bureaus Ability to search all historical and live information , .................................. _, Retrieval by authorized persons presenting themselves to a secure web Site Upon authentication, requests are passed toa search engine that accepts an intuitive set of search criteria _ v _, Search results are available within seconds of submission 0 When required document is found, the original version, along with all of its delivery information, can be viewed, mailed to retriever, downloaded or printed Ability to integrate into other document management systems; provides a single, transparent portal for all archived documents U rl"l "rl o m _ glj ww-.w _, .l_.,_l o_ 0.) I',O ! verables to DOI ............. ZANTAZ Deli .... : " . • ' ' > Outsourced solution, archived to two redundant sites, where, the infrastructure is immediately ....\ operational, secure and in place '.. • .,,, Automatic emaU capture, archival and retrieval of all emails moving forward,, while minimizin'g the need for manual operation and reducing the risk of human error Expertise, experience and capacity to start implementing now > Audit services for the discovery process and document production > Guarantee the integrity and completeness of the information being stored and retrieved > Show how and where it is stored and secured > Document the policies and procedures used to manage and secure this information _, Present the experience and abilities of those responsible for input, handling, storage and auditing of this information > Demonstrate and validate the security and audit functions _. Produce regular, certified progress reports _. Assist Interior with a manageable course to follow and provide a road map for future discovery O rrl -rl o £,o i_) t.A) ! _,,. ........ '.",....... ,.:t,..., ...i./"_". .,.. " ,_ ,, , • ., ._,,_’:.. _" : i;,:_ ........_ ..... . • • . '"", ii _ ' .... , .......... ...,..neUh_ abl : ............ .... "< .... ' ZANTAZ er es .to" . ._,,.i..: ........ :..:.:, ' ' i ' " " ..... : '" ":'_:; ........ ' ,' , , J...,. .... " " " , ...L ,i i "'- "%\ ate ' \ ....... ./ ...... ....... \ f > Ability and capacity to respond immeai ly . :. .... • ",\ ! > Implement a system that ensures that all emails delivered to or received from any of Interior's .......... "' mail sewers are captured, stored and archived in a secured, tamper proof environment and ...... that all documents can be produced upon demand _ ' ..ii ....... .... .. " v _, Minimized risk because of proven solution, success'fully in use with infrastructure in place now, ° currently supporting some of the world's largest fir_ancial services firms > Create a single source of all electronic messages and attachments, with a common browser interface across all emails for the entire agency, creating a cross-agency coordination of information resources _, Minimum impact on IT resources for archiving all emails and attachments, very little code is installed on the email servers, all service and operational requests are handled by ZANTAZ > Automatic capture, storage, and back up of all messages moving forward, minimizing human intervention and improving archival procedures, ensures that no emails are lost or unavailable for later retrievai > Reduced costs and risks with no capital outlays; no need to upgrade or add additional hardware or software > Integrates with other document management systems rrl "1-1 o t_ ! .." ; . _.. ,, - ,..?L:_-_. I .. .,., ... / .' i ,.- " L." HOW DIGITAL SAFE WORKS: i. _.! RING DATA.... : ....• "_" :_*_ CAPTU • ..... "'_' = / ... - .. . f ,." f .......... Department of Interior All email sent and received through DOI mail server is captured Digital Safe Replication Send emall & =d_serv_(s)_k. Object captured Redundant "Mirrored" attachments f _ _ & _3r I.t._p_t oo _ routed systems In remote geographic location • _ '_'_'c_ ° ' _ : : t e Digitally labeled data Is stored in secure IBM DB2 database m "T1 ._b '' CO r_3 01 , ! '.. _ _ ._ _ ......_ .__!-,",_ ,.ii _ i View/Retriewe....Document_... _ ,ii_"_ ., .....,_.._: _ ’’lOdtF3' Se_f_ b_’k Ce _c_r_ _5_ttllD. Attz/butes Frem: Janet CollU_, < jcol]_%s@your company.corn > To: ' ' =ales@_Bour_company.com, < =alv=@,your_compauy, com > CC" The original email s_.=t: Fw: NewT==c_ark=u Job Dcscnp=o_ Data: Feb 28 21:53:32 G_'T+00:00 is returned with all header _., _,,.,,p_.. • ,,o,.o,,, ,.,.._._.o information, and attachments _ E.=_o=, Ti_ _ the la_test job description E'or our hot =ales job. Pl’=e mak= any comments soon -- th_ w_l be posted at the end or'the weekl C_ -;c -rl o ._. _:-_ ;_ BAIItJP'IPA_II_," ' [ndP,,Wql lUWUldgL o.) (..,.) i',3 :..:. ..4/.,.'" "_I , • " " ' - /" [ " ;........ _. : ... ..._i "b. _ i, _ "'" . ._" ,. / ." • _:_.';., _ ._ _i • . i ''_ "'.. • "'L i.i:'.i_I! ,' ..... ' ' / 4 "_ "" """ "" "*::_' " " " E' V ew Attachmen -.- ,-,, P.tlzibutes From:To: Jzo.el:_,s_jes( _ _jJobTitle: Director of FlnanclaJ Markets ........... I CC: I __ , :_ub_ect: F"_J': _ Primary Function: , All attachments are_'_,,_,_ _ ,,,_YOU will be responsible for selling the company s Intemet-based services thall captured and stored along I-_-,_ _ _%hive. and retrieve business critical-transactions, This will involve conductir with the original ernail E "=u_ ca_ for new account development and grov_ of existing Oigitat Safe custon ,,,__...c.al market, the financial indusl_,. You will work within established busine ........................__--,,-i,.,,_ boundaries and be responsible for meeting established sales quotas. You wl I the financial industry' to identiPy and determine the suitability of prospective cl l_ l’.vp.,Wone, and provide technical product and business information and/or demonstrate t the buying decision. Position involves working with Engineering to define cus i._ the lastestjt requirements and formulate a winning business and technical solution. We a_ t soon -- this will be I for a Sales Professional who can identify and handle complex issues as they / requiring a higi_ level of expertise in decision mal_ng, project managing, and ~1C I against the competition. ' m iiii ,i 0 C,,,,,D ,,,,,,,I 1 _. _" ' ."; ' ' ' ........ :* '=" " " '";"" ...... ...... "" ;. i .' , , ,.. ". ? Capt nd 'j ' ures a Logs all Headers:,:,. Information ..... " Recetued: Froa mailB3-oak.ptlot.net (localhost [127.0.0.1]) by zipcode.zantaz.co_ _| ........... (8.9.3/8.9.3) l_l:h E$HTP id LARt7339 For ; Thu, 16 Dec 1999 11:20:19 -MOO (PST) Received: J| From dsal.zanl:az.com (dsOl.zantaz.com [206.109.kS.20]) by mailo3-oak.pilot.net t_ith ESHTP ld _| LRRB63kg For ; Thu, 16 Dec 1999 11:20:18 -_SOO (PST) Received: (From nobod_Ltocalhost) by _| dsOl.zantaz.coM (8.8.8-$un/8.8.8) id TRA15323 For sshankSzaotaz.coN; Thu, 16 Dec 1999 H 19:19:k9 GHT Receiued: From smtpl.zdlists.coll (localhost [127.0.0.1]) O_) zlpcode.zantaz.coR ,11 (8.9.3/8.9.3) u*th ESHTP _d ffRAO0536 For ; Tue, lk Dec 1_99 22:23:03 -_OO (PST) Hessage-Id: _| <199_1215_23._R|_$6_z_pcode.zantaz,con> Received : Frow lv5 (10.11.4k.13) by || sntpl.zdlJsts.con (L$HTP For V|ndows HT ul.lb) with SNTP tO (3.OOOOS765_sltCp1.zdlists.com>; || Tue, 14 Dec 1999 22:$9:51 0500 Date: Toe, 14 Dec 1999 22:3_;:19 gSOg To: sshankBzantaz co_ || Frow: PC Week" Errors-To: bounce-pcueek inbox-27097568zde_a_l zdlisCs co_ Subject: Heet the _| Financial Fast Trackers Reply-To : pcueek_inboxBzdemaJ1.zdlists.cpn List-$ubs©rtbe: ]| I_allto:pc_leek_lnboxGIzdelwail.zdllsts.co_?su_Ject:subscrlhe List-onsubscribe ; II .ilto : pc.eek_inboxlBzdemat1 zdl][st s cor_?subject unsubscr ]TLbe _ Ii ---- ,elco, l:o PC *el’ [nSox Direct For ,ece,er 1,. 1999 ..... __......---_ ............................... ..MI PC Week lnBo_ Direct: deZiuecs the latest ne_s, reuieu_ and Header Information Features ’o keep IT professionals up-to-date and in the know. IF it happens out: there, you11 Find it in here All mail header and routing Visit our hone page at http://wv zdnet co_/pcweek/ information is captured and _md catch Up on the latest headlines at archived This shows a _ttp://_m_.zdnet.cal_pcueek/ftlters/nevst. complete audit of the path the i--.......-:--_--- .......-_-_-------................-............ message took when sent. Heet the F:l.nanc:Lal Fast Trackers -- _ All Date, To, From, CC, BCC, , _To st:a_l on top in ;in isscreasingly ceaq_etitiue and Subject Body plus [_ |_arket. these Financial serutces COl_oanies are message routing information is Icranktng up their e-Ilustness initiat_ues, viewable. ° t.o co Co: ! Summary :/":: .... " ' '' '.. E i '/ , ':"" " _. " "4 • . , ................... i /_ ". .... . . "_'\; : i > ZANTAZ is a trusted third party provider" of outsourced archival services, with a !].lstory oF;'.\ successfully implementing solutions to WailStreet under the strictest of rules and regulations:r... ; t imposed by the Securities and Exchange Commission.. " ' ....... ' ".-\i ....... I ) ZANTAZ delivers immediate, demonstrable results to {he Department of Interior in.amatter of weeks; it is a secured outsourced service, where the •system, architecture.end expertise is in place now and available. ZANTAZ can restore all back-up electronic messages and attachments to their original format and provide complete search results on any terms or words required for document production. ZANTAZ automatically captures all email traffic on any designated mail server. _. ZANTAZ ensures the complete and consistent capture of al! emails sent or received by Interior, without the need for human intervention and nightly back ups. _, ZANTAZ ensures the integrity, security and authenticity of all captured electronic messages and stores them in an offsite, secured facility that was audited and approved by some of the world's most trusted securities firms. ZANTAZ treats all electronic messages as protected and secured federal documents. EJ rri "11 O_ ’0 /i j_';_ "ii • ........ .... _'•" Overview ..... / • _ -% . ........ :_ ',.: .,, . > People ' ,. : ....... .: .... ",. > Employee background checks .i. ' ' ..... "'_,, ' '\,j _' Two person rules in place for specific tasks .. ; ....,, _ ............ User awareness programs and training ' " ;_ Graduated levels of authority for customers and ZANTAZ supp0rt ,J........ ............. / , ,. • _* Process Separation of corporate and data center networks ;_ Accommodate VPN, private circuits (F/R, ATM) Secure retrieval of data via SSL )- "Defense in Depth" firewall architecture 0 Product All media tracked via database > Data segregation _" Geographically diverse sites _' WORM media U m -1-1 o .... i CO GO GO E). / ". ." ... -!Q" 7-:' , i ,. ,' .., Security Ove . contmue d , ' ,.:., , • - , .... ..... '",,\" ! / : i | / .. ," "'"'! , _ ",%, i Disaster Recovery , > > Remote replication of data to geographically diverse sites " _ .... > Redundant lines, multiple carriers .,:.: ............... > Level 0 backups completed nightly onproduction servers ..... > Database transaction logs backed up and mirrored > Retention period for backup tapes (as required for customers) > Offsite media storage facility (Fire safes in data center for intermediate storage prior to transfer) > Hot swap parts and standby servers stocked at each data center > Disaster Recovery procedure tested quarterly rrl "1"1 ° (,o ! i Έ :. ,j ,, . ,,o ,•• . 0 _ i._. r "_.. .. • DataCenter >" Architecture ' ::: _i .... _, Ceiling tiles are non-shedding / • \J Walls built up to roof ." ................ _. Floors are not raised _ " ,.j ....... Anti-static tiling " _, Numerous emergency features "Red" phone >" EPO switch Fire Suppression Physical Security _" Access Controlled Zone Protected with PIN and biometrics ,_ Camera surveillance >, On-site security monitoring _, No customer access to secure areas Frl "11 ° CO c.o h3 v O '_ . i/' "'": .;" ,' . i._., : .' ' ; '" /' _ , .... .... ..i _: " "., " • +: '_, ,,. ,..,. , ,, ; ..... ' ; , . "X\' ,, , ," _,, ........ ; ." '+ '"_\ _i > Electrical : r" ._ '.. , / ..... ++"+ ./ +.,-' ...... Multi-grid power to site / + t g 252kw feed to data center / " _, End-to-end UPS protection > 500kwOnan generator :_ w/48-hour external tank Entire building protected with K-rated transformer ANSI C62.41-rated transient voltage suppression 1 t O ITI "11 ++ + o _ + S C:' " .... p:, :; co 0.) O3 O3 ' _. _"' "* ( 'l Έ • ' "_ .. - ' " ,;' ' • I Data Center " '': .... '" ;. ,.-.. . , . _" Fire Suppression , , _ ., ......._ FM-200 ._ ............ / .... ..,_" ,, _._................... / >" Sprinkler system backup ," > 30-sec delayed action with reversible trip _. HVAC ;_ Data Center equipped with four 20-ton dual-compressor CompuAire HVAC i units 0 >" HVAC designed to cope with 4x the national average heat load for Data Centers 13 > HVAC units are on generator circuit, so will remain operational during extended ITI -t'l power outages 0 4nil -,...w-,_ _ _ (.o ! • . . _ ) . _ ,. _\ ...' Network Operations center ___,_ ........ __, .... ':. • !_ . - ..... _'\ . , . . ,. ! > 7 X 24 X 365 Monitoring ..... _ .... .. _\ >" Security, Network, Configuration, Capacity, Environment ,:....._ii ..... • ..... .,\._ •" / .2 . . > Monitoring Tools ;_ HP Openview, MRTG, NOCOL, Scripts "_ Other third party tools under evaluation ,_ Notification _, Paging w/automated escalation m "1"1 0 • _,_., _ _'_' .1_ _" _ _'_ G rug O1 / , ii Έ _:....-/ii,,.'.,.=,_,c , , .... ::J , • . j . , . ,, Support Center ...... I I /tfft,,g g I t.pCt I _ Our mission is total customer satisfaction by '_",-_._,, meeting and exceeding customer needs .... . ...... " ...... and expectations. . ........ ._ ...... 7 x 24 x 365 > Integrated Telephone System > Customer Relationship Management D m 0 '._ " " - B 4_ Go Go GO ’D Third Party Audits _"_ \ ,j _ IP_T'I" .... PACKARD J I Fxpulding Possibilitie_ I S_SMrm_ E,_TRADE" SunTone Certification 0 rrl "n o ;il .,,,,rw..,,, ,w,mw, c,,) cA) ",,I INFORMATION SECURITY AND SAFETY WITHIN THE ENVIRONMENT OF THE DIGITAL SAFE TM AS PROVIDED BY ZANTAZ May 10, 2001 EXECUTIVE SUMMARY William E. Bankert Ph.D., Founder and Chief Security C)fficer of ZANTAZ, Inc., has released a report on security policies, procedures and practices used by ZANTAZ to protect client information captured and archived within the Digital Safe infrastructure. The Paper incorporates information contained in various Securities Standards Manuals of ZANTAZ, which have been created by the Security Committee of ZANTAZ. These manuals reflect the actual operating procedures of ZANTAZ as related to the security and safety of client data. BACKGROUND The convergence of computer and communications technologies has made possible the development and rapid growth of the electronic commerce marketplace. The marketplace has facilitated the ability to generate very large amounts of data regarding business transactions and communications. At the same time it has created a need to capture and archive the information in a manner in which the data is quickly available and useable by the appropriate parties. This need has created several challenges and concerns; * the system must be scaleable, it must allow for virtually unlimited amounts of data to be captured, archived and retrieved; • the system must be available to virtually an unlimited number of users; • the system must be access_le from almost anywhere; • the system must supply intuitive search and relrieval of information with near instantaneous response; , the system must be cost effective; • the system must accomplish all of this while maintaining the integrity and security of the data at levels that far exceed what the user organization would provide while still providing ease of access for authorized users; During the development of The Digital Safe the above criteria were used as part of the specification and product requirements documents. While each item was important to the development of the Digital Safe service at ZANTAZ, this document is focused on the safety and security requirements, procedures, policies and practices. Attachment B DEF0043338 DEVELOPMENT OF THE REPORT This paper is created to answer the question, why should I believe that ZANTAZ and its Digital Safe provides a truly safe and secure environment in which to archive my important and sensitive data? The Paper is based on the ZANTAZ Security Committee's Internal Standards Manuals, which document and reflect the actual policies, procedures and practices of ZANTAZ. These policy and procedure manuals have been created to ensure a consistent and constant application of the policies and procedures to ensure that the highest level of security and safety is afforded to customer data at all times. For the purpose of this Paper safety and security have been divided into logical sub- groups. Safety into; 7X24X365 operation, disaster recovery, fire protection, and environmental control HVAC. Security into; physical plant security, personnel access, network security, software or application security, intrusion detection, third party security audits. OUTSOURCING First we must address the question why outsource this activity in the first place. In addition to the main motivation of cost savings, there are actually security and safety reasons for outsourcing the archiving of mission critical data. Safety - From the safety side, even ifa company had the technical ability to design and build an internal system, it is extremely unlikely the company would want to incur the cost associated with making the facility completely redundant and mirrored. Without such redundancy there is no real safety for the data. Just backing the data up and storing it off- site does not mean it will be available when it is needed, or that it can even be found. Security - There are historical issues that support outsoureing of this activity. In the overwhelming majority of all cases involving the theft or misuse of information from a company, commonly known as industrial espionage, the thefts is perpetrated by an employee of the company. Employees of the company generally know what information is valuable and who would be willing to pay for the information. Data arehived by ZANTAZ is much more secure from misuse than data stored on a client's site. DEF0043339 SUMMARY OF POLICIES, PROCEDURES AND PRACTICES SAFETY The safety of information is the assurance that the owner, or authorized person, will be able to retrieve and use the information in a timely manner, whenever they need it. This means that not only the data must be safe from destruction or damage, but that the entire infrastructure required to retrieve and present the data must be available at all times. LIGHTS OUT OPERATION In order for a data center to be truly capable of 7X24X365 operation is must be able to function in what is commonly referred to as "Lights Out" environment. This means that the data center does not need to have any personnel on premise or even actively monitoring the data center to be completely operational. Even though the ZANTAZ digital Safe facilities are capable of"Lights Out" operation they are monitored 24X7X365. DISASTER RECOVERY Disaster recovery covers everything from simple power outages to major natural disasters such as earthquake, fire, storms, etc. In many cases these issues can be addressed by simply having a backup power supply. For that reason ZANTAZ facilities are equipped with Uninterrupted Power Supplies (UPS) that are in turn backed up by on-line diesel generators. But there is much more that needs to be done to assure recovery, quickly from a disaster. These include multiple communication lines, redundant facilities with data duplicated at both facilities, seamless fail-over capability from one system to another. These are all attributes of the ZANTAZ Digital Safe facilities. FIRE PROTECTION Fire protection in a data center such as the Digital Safe is both critical and expensive. The preferred system for use in data centers today is FM200 gas systems. This system removes the oxygen from the environment long enough to extinguish a fire. It is not harmful to humans, and the oxygen is released back into the atmosphere in a short enough time that occupants of the affected room can survive. ENVIRONMENTAL CONTROL Another critical factor in a data center is the environment itself. Temperature and humidity must be kept in a fairly tight tolerance. ZANTAZ accomplishes this through the use of very large HVAC systems, typically 40 to 80 tons of HVAC. DEF0043340 D To ensure the constant availability of the environmental controls, the HVAC system is also serviced by the UPS system and generator. SECURITY When addressing the issue of security as it pertains to information one must acknowledge that there are many areas of vulnerability. Failure to address each and every area means that there is virtually no security. It is the perfect example of the axiom, "the chain is only as strong as its weakest link." For that purpose, the various areas of vulnerability are addressed individually in this paper. It is also true that levels of security must be flexible to meet the need and the functionality of each individual customer. The more sensitive the data the higher the security bar should be set. PHYSICAL PLANT Physical plant security encompasses several areas and functions. First and most obvious is general access to the facility. Access to ZANTAZ facilities is carefully monitored and controlled. Only authorized persons are allowed to enter a ZANTAZ facility. The control under which a person is allowed to enter a ZANTAZ facility varies depending on the person's access authority. All ZANTAZ employees are issued employee picture badges. The badges must be worn in plain view at all times when inside a ZANTAZ facility. The badges are both color coded and electronically coded to allow access to only areas within the ZANTAZ facility that the employees are authorized to enter. Any area within a ZANTAZ facility that allows even the slightest opportunity for an attempt to access client data requires not only electronic badge access but in addition a two factor biometric access control. There are currently six levels of access within ZANTAZ facilities ranging from Visitor (Escorted), to actual access to the Digital Safe Data Center. ZANTAZ also employs state of the art intrusion detection devices to detect unauthorized access. These include entrance monitoring devices, multifunction motion detectors, CCTV (recorded), offsite alarm reporting, anti tailgating detection devices. Additionally, ZANTAZ employs trained receptionists and security officers to monitor entrances. All visitors to ZANTAZ who have a bona-fide need to enter the secure areas of the facility are required to sign in and must be escorted by an authorized ZANTAZ employee at all times while in the secured area. Exceptions to this are, contractors and vendors that have undergone the required background investigation and have signed the appropriate non-disclosure agreements. DEF0043341 PERSONNEL ACCESS Access to secure areas within ZANTAZ is limited based on the job function of the individual. A person is granted access to an area only if their job function requires that they have access to that area. The actual access is controlled by the badge system described above, Tailgating, the act of following an authorized person into a secure area, is controlled through the use of CCTV and motion detectors. NETWORK SECURITY External network connections - Just as described in the general security section, it is important to understand that there must be an ability to apply different levels of external network security. depending on the needs of different customers. As an example, some customers will be satisfied with a low level of security such as logon, password on a SSL site. While another customer may require a dedicated circuit such as a frame relay, a T-I, a T-3, etc., or at minimum a VPN. While some customers may require simple logon and password at an SSL site others may require hard or soft tokens, certs., digital signatures and encryption. ZANTAZ will support the level of security required by the customer. At a minimum ZANTAZ will provide logon/password at an SSL site with IP address verification at HTTPS servers. ZANTAZ SMTP servers will require at a minimum, domain name cheeks with IP address verification prior to storing data. All externally connected networks (The Digital Safe) are protected by secure router architectures and multiple firewalls. In addition to the external firewalls each server within the Digital Safe is behind it own firewall. Each Digital Safe is made up ofmultiple servers. Internal networks - Each of the internal networks within ZANTAZ is discrete and separate form other networks within ZANTAZ. While there is a protocol for administration to share data with engineering, and engineering to share information with operations and QIA testing via controlled gateways, N O internal network, other than customer technical support, is in any way connected to the Digital Safe network. DEF0043342 SOFTWARE (APPLICATION) SECURITY The software application system of the Digital Safe is a three tier system with the front end "protocol gateway" communicating with the other tiers through CORBA only protocol. Each tier is "clamped down". (i.e. All non-CORBA ports are closed down, such as TelNet, RSH, RCP, etc.). Every document stored is time-stamped with a secure source hooked up to a UTC (Universal Coordinated Time) antenna by Tree 'lime. Additionally, every document is digitally signed with a private key component ofa PKI pair. The private key is then discarded. Only the public key component is kept to demonstrate that the data has not been tampered with in the future. SOFTWARE AND O/S SECURITY Access to the engineering systems is tightly controlled through a dual metric system using logon, password, and hard token devices. ATTEMPTED UNAUTHORIZED ACCESS DETECTION All activity pertaining to the use of the Digital Safe is logged and reviewed. Any attempt to retrieve information from the Digital Safe will result in a billable activity that is shown on the customer's activity log. THIRD PARTY SECURITY AUDITS In addition to all of the security procedures described in this paper ZANTAZ realizes the need for a third party audit and review of the policies, procedures, and activities on a regular basis to ensure that security is constant, consistent and maintained at the levels expected by our customers. In order to insure this ZANTAZ engages the services of a third party security auditing company to do quarterly audits and assess all areas of ZANTAZ security. A written report of the auditors finding may be made available to the customers or prospective customers of ZANTAZ. CONCLUSION Organization that use the Digital Safe service provided by ZANTAZ to archive their sensitive and critical information will find it not only very cost effective when compared to the cost of building and maintaining there own system but actually much safer and more secure than anything they could provide in-house. DEF0043343 Productton Security Policy Manual 11115/2000 ZANTAZ Production Security Policy (ZPSP) Published Date: November 2000 Revised Date: December 14, 2000 OPS-312-1 ZANTAZ Private Information 1 Attachment C DEF0043344 Production Security Policy Manual 1111,5/2000 Name of Standard: Production Security Policy Manual Effective Date: February 2000 Applicable to: All ZANTAZ Entities, Agents, Employees, Contractors, or Vendors involved in the development, implementation, maintenance, and use of business information at ZANTAL ZANTAZ Related Security Policies & Standards: Corporate Security Policy Manual, Februarf 2000, Revised December 2000 ZANTAZ Related Publieatiom: Employee Handbook Responsible party and doetmaent owner: Bill Bankert, Chief Security Officer ZANTAZ 5671 Gibraltar Drive Pleasanton, CA 94588 This document contains proprietary information and is not to be dis_buted outside ZANTAZ except in accoxdazge with existing classification standards and contrac_ally documented agreements. Copyright © 2000 ZANTAZ- All rights reserved. This document may not be repreduted in any form, in whole or in part, without the prior permission of ZANTAZ. 'C)PS-312-1 ZANTAZ Private Information 2 DEF0043345 Production Security Policy Manual 11115/2000 TABLE OF CONTENTS 1 INTRODUCTION 5 1.1 GENERAL POLICY STATEMENT 5 1.2 PURPOSE 5 1.3 SCOPE 6 1.4 AUDIENCE 6 1.5 DOCUMENT CHANGES AND FEEDBACK 6 2 SECURITY AWARENESS 8 2.1 INDWIDUAL AWARENESS 8 2.2 ORGANIZATIONAL AWARENESS 8 3 SECURITY CLASSIFICATION 10 3.1 INTRODUCTION 10 3.2 GENERAL GUIDELINES l0 3.3 SECURITY LEVELS l0 3.3.1 Classification RESTRICTED 10 ' 3.3.2 Classification CONFIDENTIAL 11 3.3.3 Classification PRIVATE 12 3.3.4 Classification PUBLIC 13 3.4 Classification UNKNOWN 13 3.5 INFORMATION HANDLING BY LEVEL 14 3.6 SECURITY DOMAINS 18 3.7 SECURITY ZONES 20 4 COMPUTER USE 23 4.1 ACCEPTABLE USE GUIDELINES 23 4.2 BANNERS 23 5 AUTHORIZATION AND ACCOUNTS 24 5.1 PRINCIPLE OF LEAST ACCESS 24 5.2 PASSWORDS 24 5.3 ACCOUNTS 26 5.4 REMOTE ACCESS 28 6 PHYSICAL SECURITY 29 6.1 GENERAL PHYSICAL SECURITY STANDAKDS 29 7 NETWORK SECURITY 37 OP8-312-1 ZANTAZ Private Information 3 DEF0043346 Production Security Policy Manual 1111512000 7.1 GENERAL GUIDELINES 37 7.2 FIREWALLS 38 7.3 MONITORING 39 7.4 ACCESS 39 7.5 REMOTE ACCESS 40 7.5.1 VPN Access 40 7.5.2 Dial-up Access 40 • 7.6 FAX MACHINES 41 8 DEVICE SECURITY 42 8.1 INTRODUCTION 42 8.2 OPERATING SYSTEM SECURITY 42 8.3 SOFTWARE POLICY 42 8.4 SESSION POLICY 43 8.5 MONITORING 43 9 SECURITY ATTACKS 45 9.1 MALICIOUS CODE 45 9.2 VIRUSES 46 9.3 DENIAL OF SERVICE ATTACKS 47 10 INCIDENT RESPONSE 49 l 0. I INCIDENT LEVELS 49 10.2 GENERAL GUIDELINES 50 11 PARTNER AND CUSTOMER CONNECTIONS 52 APPENDIX A: 54 APPENDIX B: 56 x! i : OPS-312-1 ZANTAZ Private Information 4 ..... DEF0043347- ......... Production Security Policy Manual 11115/2000 1 INTRODUCTION 1.1 GENERAL POLICY STATEMENT Computer information and systems are valuable company assets that require extreme protection. Measures must be taken to protect them from unauthorized modification, destruction, or disclosure, whether accidental or intentional. Every effort must be made to maintain system and data integrity, availability, and confidentiality. These systems are in place to serve the business needs of ZANTAZ; security policies and activities must be based on business objectives and requirements. 1.2 PURPOSE The purpose of the ZANTAZ Production Security Policy (ZPSP) is to provide security policies and standards for all company customer-facing information, technological devices, networks, and workplace environments. This manual is designed for use in conjunction with other ZANTAZ technical security documents. In the field of Information Security, the phrase 'security policy' has a very common and strict interpretation, as laid out in the U.S. Government Trusted Computer System Evaluation Criteria (often called the "Orange Book"). There, a process matrix of explicit subjects, objects, and mandatory access controls is explained in detail. The ZPSP is not intended to be as logically rigorous as the Orange Book layout. Rather, it should be seen as an accumulation of "Best Practice" approaches for security, listing general principles that are laid out more explicitly in supporting Procedural documents developed by the ZANTAZ Security Committee. These documents together carry the weight of company mandate, and should be followed in applicable situations. If there is a conflict between the ZPSP and any other company documentation, the Production Security Policy supersedes, except in cases where the other documentation is more stringent or unless it is specifically stated in the other document that the requirement is a "known exception to the ZPSP." All exceptions must be approved by Executive Management or their appointees, and recorded with the ZANTAZ Customer Operations group. Due to changes planned for ZANTAZ but not yet complete, ZANTAZ may not have components in place to meet some of the policies listed. However, the intent is for ZANTAZ to work toward fulfilling these standards. Furthermore, the ZPSP is a living document and ZANTAZ reserves the fight to amend or revise the ZPSP from time to time as the need arises with authorization from Executive ManagemenL OPS-312-1 ZANTAZ Private Information 5 DEF0043348 Production Security Policy Manual 11/15/2000 The foundations of this Policy are the security concepts of Risk Management, Accountability, Auditability, Least Privilege, and Separation of Duties. Risk Management The process of identifying, controlling, and minimizing or eliminating uncertain events that may affect system resources. Accountability The process of tracing activities to a responsible source. Auditability The use of informational markers and messages that can be reviewed to determine how effectively the security policy is enforced. Least Privilege The principle that security architectures should be designed so that each system entity is granted the minimunl system resources and authorizations needed to do its work. Separation of Duties The practice of dividing the steps in a system function among different individuals. Properly implemented, this can provide the necessary checks and balances to mitigate against fraud, errors, and omissions. 1.3 SCOPE The controls in this Policy are the minimum requirements for providing a secure environment for development, implementation, and maintenance of customer information and services in the ZANTAZ Production and Data Center environments. The guidelines and procedures laid out in this and related documents should be the basis of security for any technological device attached to ZANTAZ-owned computer networks providing customer support and services, the physical environment in which those networks exist, and set baseline expectations for any non-ZANTAZ networks to which ZANTAZ is connected. 1.4 AUDIENCE This manual applies to all ZANTAZ Entities, Agents, Employees, Contractors, and Vendors involved in the development, implementation, maintenance, and use of business information in the ZANTAZ Production EnvironmenL The guidelines in this document are aimed to work with and expand upon information presented in the ZANTAZ Employee Handbook, the ZANTAZ Corporate Security Policy Manual, and related ZANTAZ security policy and guideline documents. 1.5 DOCUMENT CHANGES AND FEEDBACK This document will be updated and re-issued annually. If there is a major change between these dates, an addendum will be issued and communicated to department managers for dissemination OP$-312-1 ZANTAZ Private Information 6 DEF0043349 Production Security Policy Manual 11/1512000 to appropriate personnel. Discrepancies should therefore be: reported as soon as possible to management for review and addendum in the next version of the ZPSP. OPS-312-1 ZANTAZ Private Information 7 DEF0043350 Production Security Policy Manual 11/15/2000 2 Security Awareness 2.1 INDIVIDUAL AWARENESS In accordance with the Information Security Policy outlined in the ZANTAZ Employee Handbook, employees are responsible for understanding and complying with all information security policies and standards. All employees are expected to conduct business in accordance with those standards. This standard is a requirement that is subject to internal audit. Non- compliant situations should be brought to the attention of management for appropriate steps to bring the issue to compliance. Any action that impedes or disrupts this effort, whether intentional or not, may result in a disciplinary action, up to and including immediate termination, criminal prosecution, and/or civil liability. A plan is required to retrofit systems already in existence so that they are in compliance with this standard. It may be deemed practical, however, to consolidate changes during system upgrades. The plan for retrofitting is the responsibility of the department manager. This standard applies to both the development and production environments, although some controls may not be possible to implement in the earlier phases of development. These exceptions should be addressed on a case-by-case basis. Outsourced processing and storage facilities, such as service bureaus, vendors, partnerships, and alliances, must be monitored and reviewed to ensure either compliance with ZANTAZ policies and standards or a level of control is provided which is equivalent to ZANTAZ policies and standards. This should be accomplished through contractual commitments with provisions to permit auditing and monitoring to ensure compliance. 2.2 ORGANIZATIONAL AWARENESS The objective of this section is to identify organizational responsibilities for information security within ZANTAZ and the functional roles to which this standard applies. All organizations should be unified with the concept that corporate security is vital to success at ZANTAZ and should have an understanding of how their role fits into the corporation security solution. Executive Man agement The Executive Management team is responsible for approving and supporting the enforcement of security policies at ZANTAZ. It is vital that high-level management conveys to the organization the importance of security and is cognizant of its impact on business ifstaffdoes not adhere to standards. Executive Management should be prepared to review security policies on an annual basis. Business Development OPS-312-1 ZANTAZ Private Information 8 " 'DEF0043351 ...... Production Security Policy Manual 1111512000 Business Development team members customarily have the greatest amount of contact with ZANTAZ's clientele. As a result, the type of information that Business Development handles, such as contracts, pricing rate sheets, and business contacts, could place ZANTAZ at a competitive disadvantage or financial loss if it were compromised. Team members can help support security efforts by configuring their work environment in a way where their files could not be accessed without their knowledge or authorization. Business Development should monitor clients to confirm that they sign and comply with ZANTAZ's Non-Disclosure Agreement. Finance Nearly all information handled by the Finance team is classified as Restricted or Confidential. As a result, appropriate precautions must be taken when working with any business information from the Finance area. Engineering The Engineering team must be aware of corporate security standards as it builds and enhances the Digital Safe. Employees should have some knowledge in regards to system exploits or bugs that could compromise the integrity of the system. It is the Engineering department's responsibility to build a product that prevents fraudulent injection of data and the unauthorized viewing of information in any and all archives within ZANTAZ's Digital Safe. Furthermore, models, plans, and any other Digital Safe design documentation should be handled appropriately. Human Resources - The Human Resources team is responsible for the dissemination of security policies and standards within ZANTAZ. Handbooks, training, and orientation materials for new or existing employees should contain basic information in regards to corporate security and refer employees to the full manual for further reference. In addition, the Human Resources area has access to confidential and restricted personnel information that must be protected to preserve the privacy of employees. Operations The Operations team is responsible for the installation and :maintenance of secure systems at ZANTAZ. To fulfill this responsibility, Operations must be: aware of system vulnerabilities and potential exploits. Periodic audits must be performed by Operations against internal systems to enforce corporate security compliance. Systems not in compliance are only to be repaired by the operations team. This includes items such as disinfections of viruses and resetting of passwords. The operations team must maintain documents and procedures in regards to corporate security. OPS-312-1 ZANTAZ Private Information 9 DEF0043352 Production Security Policy Manual 11115/2000 3 Security Classification 3.1 INTRODUCTION All information must be identified and classified according to its level of confidentiality and business need-to-know. Five Security Levels shall be discussed, together with four Security Domains. Levels and Domains taken together lead to the layout of Security Zones. 3.2 GENERAL GUIDELINES All major informational assets shall have an owner. The owner shall classify the information into one of the approved security classifications, depending upon legal obligations, costs, corporate policy, and business needs. They are responsible for protection of this information. The owner shall decide who is allowed access to the data. Anyone requiring access to information that is owned by another person or department must obtain access permission from that owner or owning group manager. A collection of information (e.g., Digital Safe archives, project folders, financial reports, filing cabinets, etc.) will carry the highest classification of any of its data; that is, the higher level will "'dominate" the lower. For example, if you have two pieces of information (e.g., a network diagram and a business summary) that are accessible from the same resource, and one is classified as confidential and the other is classified as restricted, then all of the data within that resource should be classified as restricted. An exception carl be made if the restricted information can be protected separately and not made available with the lesser-classified data (i.e., specific Word documents on a desktop computer can be protected with an additional password). 3.3 SECURITY LEVELS The following is a listing of the five security levels used at ZANTAZ from most secure down to the least secure: Restricted, Confidential, Private, Public, and Unknown. Laid out below for each classification level are definitions of the classifications; the risk levels associated with the classifications; guidelines on storage, transmission, and destruction; and examples of information that normally falls within each classification. 3.3.1 Classification RESTRICTED Definition Information intended solely for restricted use within ZANTAZ and limited to those with an explicit, predetermined, stringent need-to-know. Unauthorized ! 0PS-312-1 ZANTAZ Private Information 10 DEF0043353 Production Security Policy Manual 1111512000 disclosure, compromise, or destruction could result in severe damage, provide significant advantage to a competitor, or cause penalties to ZANTAZ, its customers, or employees. This is the highest, most restrictive, classification. Color Key Red Access Granted By: All requirements of level Confidential, plus an extensive background check, plus Departmental approval. Risk Level High Risk Data Integrity Data integrity is vital. Guidelines on Storage Information shall be labeled. That is, the classification level should be written on documents, messages, and file media (tapes, diskettes, disks, CDs, etc., where possible). The integrity of systems holding such information should be regularly monitored. An example of this would be regularly scanning for viruses. Information shall be kept under lock-and-key (e.g., documents in locked cabinets computers in locked rooms). Information shall be stored in encrypted form, or on removable disks that are physically secured. Guidelines on Transmission This information shall be encrypted during transmission outside of secure zones. Guidelines on Destruction Information shall be securely disposed of when no longer needed (e.g., by shredders for documents, destruction of old disks and diskettes, etc.) Examples Digital Safe client archives; Encryption keys; Customer account information; Strategic plans; Passwords, PINs, SSNs; Authentication records or databases. 3.3.2 Classification CONFIDENTIAL Definition Information intended solely for use within ZANTAZ and limited to those with business need-to-know. Unauthorized disclosure, compromise, or destruction would directly or indirectly have an adverse impact on ZANTAZ, its customers, or employees. Financial loss, damage to ZANTAZ's reputation, loss of business, and potential legal action could occur. Color Key Yellow OPS-312-1 ZANTAZ Private Information 11 DEF0043354 Production Security Policy Manual 11115/2000 Access Granted By: All requirements of level Private, plus a basic background check. Risk Level Moderate Risk Data Integrity Data integrity is vital. Guidelines on Storage Information shall be labeled. That is, the classification revel should be written on documents, messages, and file media (tapes, diskettes, disks, CDs, etc., where possible). The integrity of systems holding such information should be regularly monitored. ,Ma example of this would be regularly scanning for viruses. The integrity of systems should be regularly monitored. Systems shall be configured to protect against unauthorized modification of data and programs. Information shall be kept under lock-and-key (e.g.., documents in locked cabinets computers in locked rooms). Guidelines on Transmission Passwords should not be transmitted in clear-text, either electronically or on paper. This information should stay within ZANTAZ. If it must transit public media, such as the Intemet, it should be encrypted. Guidelines on Destruction Information shall be securely disposed of when no longer needed (e.g., by shredders for documents, destruction of old disks and diskettes, etc.) Examples System requirements; Network Designs; Personnel records; Customer records; Unit business plans; Customer correspondence; Budget information; Security plans and standards. 3.3.3 Classification PRIVATE Definition Information that is limited to ZANTAZ employees, contractors and vendors covered by a non-disclosure agreement. External access to this data is to be prevented due to its business and technical sensitivity. If there is unauthorized disclosure, compromise, or destruction, there would be minimal or no significant impact to ZANTAZ, its eustorners, or employees. Color Key Blue Access Granted By:. Non-disclosure agreement with individual or customer. Risk Level Low Risk OPS-312-1 ZANTAZ Private Information 12 DEF0043355 Pr6duction Security Policy Manual 11/15/2000 Data Integrity Data integrity is important but not vital. Guidelines on Storage Information shall be labeled. That is, the classification level should be written on documents, messages, and file media (tapes, diskettes, disks, CDs, etc., where possible). The integrity of systems holding such information should be regularly monitored. An example of this would be regularly scanning for viruses. Guidelines on Transmission For projects involving collaboration with eternal partners, a project policy document shall stipulate what information may be shared with the external partners. Guidelines on Destruction None Examples Employee Handbook; Policies; Routine administrative & office information; Internal telephone books; Organizational charts. 3.3A Classification PUBLIC Definition Information that can be disclosed to anyone without violating an individual's right to privacy or the company's proprietary rights or trade secrets. Knowledge of this information does not expose ZANTAZ to financial loss, embarrassment, or jeopardize the security of ZANTAZ assets. Color Key Green Access Granted By: No formal authorization required, though informational signature forms may be used for tracking. Risk Level No Risk Data Integrity Data integrity is not vital. Guidelines on Storage None Guidelines on Transmission None Guidelines on Destruction None Examples Marketing brochures; Published annual reports; Interviews with news media; Business cards; Press releases; Web site; Sales materials. 3.4 Classification UNKNOWN Definition Information, devices, networks or other computing resources that have not been certified by ZANTAZ employees. This is the lowest, most open classification as it OPS-312-1 ZANTAZ Private Information 13 DEF0043356 Production Security Policy Manual 11115/2000 contains everything that has not been classified to approved ZANTAZ security levels. Color Key Black Access Granted By:. Information or system should be isolated from any ZANTAZ information or system. No ZANTAZ password should be used to access Unknown data or systems, for risk , of sniffing and compromise. Risk Level Assumed High Risk until proven otherwise. Data Integrity No expectations ofdata integrity. Guidelines on Storage Isolate from any other information. Do not store for extended lengths of time. If storage is desired, examine and reclassify to another security level so that handling can be done appropriately. Guidelines on Transmission No UNKNOWN infoimation should ever be transmitted by ZANTAZ. Data of this type can be accepted (such as lip downloads), but should be isolated until examination and reclassification can be done. Guidelines on Destruction None ' Examples Contractor-owned, non-ZANTAZ laptops; Interact i networks between geographically-separated ZANTAZ sites; Email not downloaded through ZANTAZ virus-scanned mail sewers. 3.5 INFORMATION HANDLING BY LEVEL This table describes how information should be handled according to its security level and as it relates to systems development. For example, if a report is printed and automatically distributed, labeling information and distribution standards would be required. Additional notes can be found at the end of the table. The level UNKNOWN is not listed below, as it is a generic case. Before anything can be done with it, it must first be examined and reclassified into an approved security level. OPS-312-1 ZANTAZ Private Information 14 DEF0043357 Production Security Policy Manual 1111512000 requk_. Statements appear on the bottom of each appear on the bottom of each appear on the bottom of each • .::'._?_:_:; .... ! _;:,_:'_, that clarify information page and on removable media page. Additional control page. A cov_ page on paper . .=:- :._:: i ..... .i. : (e.g., footnotes) for its labels. Additional control stat_l should be added docun'_ms must contain only :-= 7 _: _ :' :: _: ...._ :: intended audicnc© may statwnents which am needed directly near the "Confidential" the following: =_;; : .... ::_ : :::_::. be added, should be added near the label on each page. : . _ : "Internal" label on the first I. The label "Restricted" on bottom. :"" : page, they may be added on "Confidential" shou]d appear -: :': _ : 2. Specific control _,: :_i:. : i_i :: : : each subsequent page as on removable media labels, statements that specify the necessary. _ :: - audience of the ':_ ! :':-: information, and that unauthorized review of the ._ _ : . : : document is prohibited. audience menlbers to initial that !!_::: : ;_,.,:: • = they have read and under, land - -, " ...... the restricted classification of the document in their _:': : ,_-" ;i:; remm_ble media labels. _-_m_ _::i: ! No restrictions Reproduction is authorized if Reproduction is authorized if Reprr_luction is discouraged, ,:_: . :1 not prohibited by the control not proh_ited by the control however, if performed, must be _. ; _:_:' I statement, statement, with permission from the i ;.:?: • :._ . :; _l owner. Labels and control statements are not required on correspondence sent to the customer. However, if the correspondence contains sensitive data, the customer should be advised by ZANTAZ to handle the information with appropriate caution. Information may have a life cycle; which should be specifically stated. For example, "This Confidential data will become Public on June 2, 2000." Add control statements near the classification label; they fitrthcr describe the need to take care of information required by the proponent or application owner. While control statements are virtually unlimited in meaning, some examples are: • Modification or reproduction is prohibited. • Copyright ©2000 ZANTAZ. All fights reserved. • Electronic transmission allowed only if encrypted. • To be opened by addressee only. • Document classified PUBLIC after month, day, year. • Advice of Counsel. • A label must clearly display the classification of the information. It should be clearly visible and highlighted (using dements such as bolding, asterisks {*}, all capital letters, or color to stand out from the body of the page). "\ : OPS-312-1 ZANTAZ Private Information 15 DEF0043358 Production Security Policy Manual 1111512000 i Distri[mtloi !_ No restrictions. Distribution should I>’ only to Distribution must be only to Distribution must be only to " ' _-!': .... :_i I ZANTAZ encployces, and those those who have a business those who have a stringent i :_ _ ==_ _ _ :;: individuals with a business need- to-know and are either business need-to*know and arc =: . :: need-to-know. ZANTAZ employees or either ZANTAZ employees or =:.:.._.- someone who has signed a non- someone who has silted a non- disclosure agreement, disclosure agreement. , : Information distributed outside The dist_butor of the 'ii _: : of ZAN'rAZ must have a valid, information should note the ; i cun'_t, and properly executed audience and number of people Non-Disclosure Agreerrcnt on the distribution list. approved by marmgemcnt in : , :: place. Information distributed outside :: : of ZANTAZ must have a valid, - " , : ,:_i cun'ent, and properly executed :- - , ..:. :, Non-Disclosure Agrecmeaat =:;: :'-': : :. .... : approved by management in .:,_. 3,! f_:-._. .. : place. ]Elcct_iii’ Mall i No rcstr/ctions. May be sent to other ZANTAZ May b’ sent internally but no_ May be sent internally but not , (E_ i.: :'_ _!_, , employees and over a public over public networks unless over public networks unless ....... i :_.i network2, such as An'crica protccLPd by a ZANTAZ protected by a ZANTAZ ":_Orl_: All : .:: Online or the Interact. sanctioned encryption package sanctioned cncryption packag’ inl_L_l_l __ -• , ., _ . :i;_:_orlgl ! information inform/ng the cxpli,=Rly stated in the mcss_g’. are:e-_1_v_:totb_e ; intended audience to handle the _i_S_afe_ " ' sensitive information If possible, all attachments ]g_ m,qst do appropriately, should have additional i i_:_lW:-_: :. password ]0’otccfion. Do no{ I • iifinredza’t_ provide the password in the : ,_b:_'ttJr ]PrlZiti_ No restrictions. No re_tr/ctions. Remove printouts immediately Remove printouts immediately _i i __: ..... _i: if using a shared printer, aRcr pr/ntlng on a shared or -: :- _: direct-connected printer. 2Public nctworks arc defined as those accessa'ble to the general public, such as: the Internet, telephone lines, satellite links, and wireless or cellular communications. Public networks (also known as external networks) are considered "untrustcd"; therefore, all restrictions that apply to untrusted environments will be applied to "public" or "external." Public networks (also known as internal networks) arc defined as networks not available to the general public such as: the Production, Corporate, or any other ZANTAZ Local or Wide Area Network. Private networks arc considered "trusted" if the network is controlled fi'om end to end by ZAHTAZ or a vendor with an approved contractual commitment to meet ZAHTAZ's security requirements. OPS-312-1 ZANTAZ Private Information 16 DEFO043359 Production Security Policy Manual 1111512000 No restrictions. May be sen! through regular May be sent through regular Should not be sent out but hand U.S. mail with no special U.S. mail but clearly marked on can-i_. If this is not possible, a handling, the outside should be the words priority courier service should i -_: .. _ ;"" "To be Opened by Addressee be used (e.g., FcdEx, Airborne ....... :.. '/-_ If possible, materials should be Only. = E_). ' .... : : - ":-:'";: sent on official ZANTAZ • " " " " " stationery. If possible, materials should be Materials should be given : '- - -:. " sent on official ZANTAZ additional protection by:. . .: stationery. I. Sealing and enclosing it in : • . " .... . . a scaled envelope clearly marked "ZANTAZ =, : : -. :-'_ ! i RESTRICTED". Cart • : 7;: _+_,. '++ : must be taken to ensure , . - that classification .. • - .., markings are not visible through to outer envelope __-:-'i: -_._. :" _i_:_,:__ i_ " ' via windows or thin , ' .' ': ": " papcrtd envelopes; ............. : ' 2. Inserting the tint envelop= !:::_, . -. - ..... . into a secorld el"tVe]ope " ,_ -. ,,_, having no classification .... :" ,._2-'_: "_.. _ markings but containing : '. .... i ?:';:_: :_ , the Con_ s,_t_ent"To - - Be Opened by Addressee --_--, Only'; and, • " - - " 3. Sending the envelope with • . ..... _ " . = u_, receipt acknowledgment :: .::: ';' : ,:_:,_-' requested. _:: : : Split custody (e.g., mailing parts of the contents in rrmltiple envelopes) is also encouraged. :F_. _ ...,_ _, :__ , No restrictions. Faxes should be sent only to an Faxcs should be sent only to an Prohibited unless authorized by _g_.Network)_:: " external entity that has signed a external entity that has signed a the Executive Team :-j _" :: ., :_, non-disclosure agreement with non-disclosure agreement with +- . ...... .... -:'_- . ZANTAZ. ZANTAZ and immediate verbal - - _ i: + acknowledgment of receipt is ; :_:._::,,:. _ ....:._ ..,’ :, Faxes received at ZANTAZ ..._, _ .; _ .... " ....... ..... should be removed form the fax .... • ...... : " _' " machine immediately'. ___;_ No restrictions. No restrictions, but Authorized, but only to This information should be :___*i; conversations should be limited ZANTAZ employees and others discussed in person and in •-:-_:,._+_+_'_+:,._ / ..... ;_ _,;+ .... ' to o_cr Z?_NTAZ employees or with a lmslncss need-to-know, private only. The Executive ::..:._:_:_: 7' "., _ ;,_-_' individuals cov_'ed by a non- Team may authorize exceptions. _-_.-_"..... _:_:'_+_:_-_ [ No r_trictions. No restrictions, hot prohibited unless encrypted by Prohibited u_less encrypted by __1 conversations must be limited a ZANTAZ sanctioned , ZANTAZ sm_doned to otho" ZANTAZ employees or encryption packa_ or og'ryption package or ' _+ ...... " - : "_ individuals covered by a nm- algorithm, or mfless use is authorized by the Executive _:-"_': • : ' ;_ disclosure agreem_L explicitly authorized by Team. _+7+,. ..: :--_!._-:_.._ _ manai_etmmt. __ No restrictions. Whenever possible, do not leave Ensure that documents and Ensure that documents and • +-:_:..,_;,_ ......!::' documents and screens screens are positioned to scr_ms are positioned to • : ' :_'_ _':;_' ' " -. ::_:_ unattended and unsecured in pqrevent inadvertent disclosure. _t inadvertent disclosure. + ': i;_" : 1_" " ' " + : _" " " : "_'_: "_" public locations. Do not leave documents and Do not leave doouments and +,'_::t-.+_:.+ • '::- "-' .... scr=ms unattended and scrtens unattended and +,_; +:_+_ -.- .+_. _ _ unsecured in any location. Erase unsecured in any k)cation. ._ .::-'.'._:_ :! : _.--.:::-.._: :: all white boards at the end of Restricted dam must not be " ::.:);_-i:-_-- - _:&" meetings, viewed in a public place. : " ...... ' + , Erase, all white boards at the . _ ..... " .+,_:;:_;-_ end ofm’ctinp. OPS-312-1 ZANTAZ Private Information 17 DEF0043360 Production Security Policy Manual 11115/2000 Stor_i_e . '- No restrictions. When on ZANTAZ property, no Strongly recommended that Pap_ or removable media must . And..... " . " special requirements. If paper or removable media be be stored in a locked enclosure 2'_’Ioip... - ._ transported outside, apl:a'opriate stored in a locked enclosure when not in use. Me'alia must • - " care must be taken to prevent when not in use. Media should not be left unattended on a desk • - " - - " " ..... ' disclosure or theft, not be h:R unattended on a at any time. Access must b’ • desk. logged. Electronic storage in . - E|cctronic storage requires other media requires mandarory access controls and file access controls and file - • , protection mechanisms. If these protection mechanisms. If these :.; _..... . are not found in the operating requirements arc not found in system in use, then additional the operating system in use, ': '.: _. '": .--' security packages are required, then additional security Backups require the same care packages are required. Backups as originals to maintain require the same cart as • confidentiality, onginals to maintain l con dent, ali . ,a_ l______ _ _ ___ : l" _ l : NO_I} waste disposal. Hard copy should use a secure nard copy requires a secure Hard copy requires a secure disposal container or shredder, disposal container or shredder, disposal container or shredder. z {._:_ .:_-- ..- Norma] deletion commands or Electronic storage media must Electronic storage media must - . .... - utilities within operating be irretricvabty erased, disposed be irretrievably erased, disposed _ .:._ ._.r_.:...:: . systems are sufficient for files, of in a secure fashion, or of in a secure fashion, or ..... . : . . ,. , Reformatxing of media is also overwritten with a random overwritten with a random ; ..... _.. :. " valid, paltem, pattern. -. _..: .... ...... Empty the Recycle Bin in Empty the Recycle Bin in Empty the Recycle Bin in -.ii--,;:: . - _j_. _. :.... • Windows. Windows. Windows. !:._Recillludfy or =- No requirements. Ho requirecrcnts. Only the owner may reclassify Only the owner with Deehi’_:.:: - : _ or declassify, management approval may _: reclassi f)' or declassify. 3.6 SECURITY DOMAINS Along with setting levels for information and systems within ZANTAZ, and identifying the owners of information, it is helpful to lay out functional "groups of owners," known here as "Domains". These are areas that already share information of all security levels. Grouping them within a domain allows us to design a coherent security policy that will keep barriers to exchange within a domain to a minimum, while allowing protections to be placed around domains to increase overall company security. Whereas security levels can be seen as a "vertical" description of information, domains can be seen as an what does this mean?, horizontal description. An example of how the domains are drawn up is to consider Login IDs. All groups have desktop and server computers. If you needed to share access to your machines with another group or individual on a fi'equent basis, then you would all be grouped into the same domain. For the purposes of this doeurnent, the information and services within ZANTAZ can be seen as falling into four security domains: Corporate, Engineering, Finance, and Production. 3 Records on any type of medium, such as paper, microfiche:, magnetic, or optical, must be retained as required by the record retention and disposal policy published by their division, legal, or regulatory agency, and then promptly disposed of in a secure fashion. Refer to Digital Safe manuals for additional information on this topic. OPS-312-1 ZANTAZ Private Information 18 DEF0043361 Production Security Policy Manual 1111512000 I Corporate The Corporate Domain holds the Executive Staff, and the Human Resources, Marketing, and Sales Departments. These groups handle the day-to-day administration and public face of ZANTAZ. Engineering This is the Research and Development ann of ZANTAZ. They have special requirements in security to guard work under development, information on test beds, and desktop security that allows access to development servers without putting that information at risk to machines in other domains. Finance While the Finance groups can be grouped within the Corporate domain, they often have higher security requirements than most other sections of the company, in order to protect financial plans and accounts. Therefore, we allow them under a separate domain to ease security planning for their needs. Production The Production domain handles all services provided to Customers. Rarely do they need to exchange their information daily with the other domains; customer data is never shared with other departments. Placing such information in its own domain makes security planning more straightforward. Along with Customer data goes non-Customer data necessary for day-to-day operations, such as server administrative passwords. OPS-312-1 ZANTAZ Private Information 19 DEF0043362 Production Security Policy Manual 1111512000 3.7 SECURITY ZONES Security Zones are the result of applying security Levels within each security Domain. The table below outlines this matrix, and gives some examples ofintbrmafion in each Zone: ,.i '::L_-_ , _:iii_ :i,!!i Access to .... :: Proprietary :i Strategic Plans _ Customer Data -ii:. i :ii_ Corporate i :_: Software Code :_: :::_:._-_:: :_:!':_ : ::::::::! :'-- Personnel Software and ::: Budget System ::_i-_:.,:,*:_':-!i_..._.,_:__: Records :,_ Device :'_ Information :._- Requirements; Designs Network : '71 • " . - Layouts :i ii_i-:i ?_ Corporate Individual • _: Individual Problem .... : (:!i! Telephone Project Tasks :: Purchase Reports and .:._i_i_:i!:Privat_7:._...._ :.i Directory Orders . Resolution ii: " ": :i::.:_ Information _, i_:::::.!i_ .... _._ Marketing Technology Published Annual Operations • : .... ::: :_ : : Brochures; Whitepapers Reports Architectural : ..... __'_hH©-;: ..... Overview ...._ ._:.._-':_ ......' External Web ::!.:_:!7-_':_I?I _i".:: - site _!' :_S_IL_:%: Arriving Email Software [ I don't have a Customer Data [.._._:..___.'->"*_'__._. _.,_:*_'_"_'..:.-' before Virus Packages good example arriving through l __-:--_P'y_afimu'_ Scanning downloaded from here; Suggestions unencrypted _.:_ _:_ :,:.,,:: .., ._:..:_.:; the Intemet Welcome! ] channels In the table above, note the barriers that have been indicated between the domains at levels Private and above. The sharing of information and resources at the Public and Unknown levels between domains is open and relatively unlimited. Sharing in the higher security levels between OPS-312-1 ZANTAZ Private Information 20 DEF0043363 Production Security Policy Manual 11/15/2000 domains must be controlled and only done through clear procedures. Information at these levels is sensitive, and must be treated as such. There are some important security guidelines to follow for the three highest levels: • Domains should be implemented as physically separate. Zones, as much as possible, should be physically separate as well. • Information from one domain should not mix with information of another domain. • Information traveling from one zone to a similar zone by way of lower security zones will be encrypted. • The use of a machine in one zone should not allow use of a machine of a higher zone, except through explicit, stronger reauthorization methods. For example, users of a desk'top (username, password login) need two factor authentication to access a server (username, token login scheme); an automatic authentication method such as Unix .rhosts must not be used. • Administrative access to a machine of one zone should never open up administrative access to a machine of a higher zone. • Administrative access in one domain will not grant administrative access in another domain. Each domain must be treated as independent, with as little erosstalk as possible. • Passwords of all types for one domain will be treated separately from any other domain. • Passwords for each zone of a domain should vary. For example, a User's password for access to their desktop should never by default be the same as that for access to an important ZANTAZ server. This must be set up administratively to ensure that different passwords and access methods are needed at each level. • Production Red zones must be isolated from all other zones. Network traffic entering or exiting the Production Red zone must do so across proxied gateways. Each such gateway must be continuously monitored and traffic auditable. OP$-312-1 ZANTAZ Private Information 21 DEF0043364 ' Production Security Policy Manual , , 1111512000 I TI I OPS-312-1 ZANTAZ Private Information 22 DEF0043365 Production Security,Policy Manual 11115/2000 4 Computer Use 4.1 ACCEPTABLE USE GUIDELINES Users of ZANTAZ systems are not allowed to: share accounts or passwords with friends or relatives, run password checkers on system password files, run network sniffers, break into other accounts, disrupt service, abuse system resources, misuse email, examine other users' files without permission of the file owner, or copy unlicensed software onto ZANTAZ machines. Users must not establish any communications systems that accept incoming dial-up calls or enable dial-out calls, unless these systems have been pre-approved by the Security Committee and the Department owning the equipment. All employees will take responsibility for protecting customer and corporate privacy, confidentiality, and security. All local, national, and international laws covering the use of ZANTAZ systems and services must be adhered to. This includes laws governing data privacy and dissemination of pornography. 4.2 BANNERS To identify company resources, and warn against misuse, all ZANTAZ services and computing devices shall display a banner when accessed, listing the acceptable users and conditions for that service or device. As much as possible, no identifying information, such as company name, Company logo, or address is to be displayed before a successful login. The following banner message (or a similar facsimile) should be displayed, as appropriate: "WARNING. This system is for use by authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence from such monitoring to law enforcement officials." 0P$-312-1 ZANTAZ Private Information 23 DEF0043366 Production Security Policy Manual 11/15/2000 5 Authorization and Accounts 5.1 PRINCIPLE OF LEAST ACCESS To protect the information and interests of its customers, ZANTAZ will abide by a principle of Least Access: Only those employees who require access to particular information or devices to perform their designated functions will be permitted access Limiting access decreases the chances of human error, increases privacy, and enhances the auditing of changes. 5.2 PASSWORDS Adopting a good personal password policy is the most impc)rtant barrier to unauthorized access of customer and corporate information and systems. The password length must be a minimum of six characters. On some systems, the maximum number of characters treated as significant may be eight. The password must contain at least one alphabetic, one numeric, and one special character so that the password is not easily guessed. Passwords that pertain to particular applications should attempt to follow the same guidelines. Passwords must differ from the user's login name, and any reverse or cyclical shift of that user name. The password lifetime must be a maximum ofg0 days. Passwords for privileged user accounts, such as Unix root access, should be changed every 30 days. Where possible, a warning of password lifetime expiration should be given to the user at least three days before, at every logon during that period. The sharing of privileged account passwords, such as Unix root user, should be avoided. User group permissions, or utilities to temporarily raise user privilege such as 'sudo," should be used instead. All default passwords within sottware products and hardware must be changed prior to or during installation. A valid password must be given before a new password can become effective. Records of password changes (date and time) should be kept as part of the system activity logs. Passwords are to be treated as RESTRICTED security class objects; therefore, the appropriate classification guidelines should be followed. \ " OPS-312-1 ZANTAZ Private Information 24 DEF0043367 Production Security Policy Manual 11115/2000 Passwords should never be transmitted as clear-text. Use of one-time password generating devices, such as tokens or SmartCards, is required as a means of achieving strong two-factor authentication. Passwords must be stored using one-way encryption or hashing; i.e., a password cannot be decrypted into clear-text. Passwords must not be stored in command files or shell scripts, or in communication scripts in workstations. Do not check the "Save Password" box in any Windows applications. Reusing passwords is not recommended. If possible, the system should prohibit users from using at least the previous four passwords. When an account is created, it must be assigned a random and secure password that must be preset to expire upon initial log-in. The password can be generated by the system or by the creator of the account. The password assignments should be unique to each user. The user must be forced to change the password upon log-in. The maximum number of times a password can be attempted is three. After the threshold has been violated, the user's password or ID must be suspended. Records of unsuccessful password attempts must be kept for six months. Resets are for the purpose of resetting the violation count to pe,mit an authenticated user to use their already known password. Only an authorized administrator should reset passwords. Passwords are reissued when the users have forgotten their passwords or when resetting the password violation counter will not resolve the problem. These reissued passwords shall be treated the same as Initial Passwords, listed above. Passwords and IDs must not be transmitted within the same media (document) at the same time unless the message is encrypted. The communication of the ID, password, or the formula, to the user is permitted as follows: • Telephone / Voice mail - The information can be passed to the user's voice mailbox, The user will be able to retrieve the password by authenticating and accessing their password protected voice mailbox. • Email - Due to the archival of all email messages to the Digital Safe, it is not recommended that IDs and Passwords be transmitted unless the message is encrypted. Furthermore, the message shofild not be transmitted across the Internet or through service providers (e.g., AOL). Both voice mail messages and email messages containing Passwords and IDs should be deleted immediately after use. OPS-312-1 ZANTAZ Private Information 25 DEFO043368 Production Security Policy Manual 11/15/2000 5.3 ACCOUNTS A comprehensive policy of Account management is a necessity for security auditing. The following guidelines should be followed for all Production system accounts: Each user must have an account individually assigned by login name, password, and user identification, except for certain privileged accounts as noted in the Privileged Account section below. User IDs must be unique and consistent with naming conventions within the appropriate operating system, database, or application. Periodic reviews oflDs and privileges associated with an account should be conducted by a technical resource designated by the department manager. Records of reviews must be kept for at least six months. Changes (add, delete, or modifications) to the privileges within the security profile of any user must be logged by the system. These logs should be retained for six months. A privileged account is an account whose function provides the ability to establish or change IDs and/or access rules, or the ability to modify production applications, operating systems, or network parameters. A privileged account may or may not be associated with an individual. If the account is not associated with an individual, it must provide an audit trail to allow pointing back to an authorizing user. These accounts must be kept to a minimum, individually approved, documented, and strictly limited to those with a business need. Email addresses for ZANTAZ mailboxes must be of the form user(_,ZANTAZ when used to communicate outside the corporation. Addresses that specify an intemal server name are not allowed (e.g., user(_,dev.ZANTAZ). Regular review of privileged accounts must be conducted by a technical resource designated by the Executive Team. Confirmation that privileges are still required must be performed periodically, and records of the review kept for six months. Accounts for non-ZANTAZ personnel, both on-site and remote, must not be enabled except upon approval by Production management. Such accounts must be disabled upon completion of the requirement. The account should be enabled only for a specified limited time, and authorizations limited to a need-to-have basis. Access must be documented in an approved request form. The person assigned, date, time, group, and purpose of the use must be recorded. A pseudo account is an account associated with a batch program ID or an application. A pseudo account is not associated with a user;, however, an audit trail pointing back to an authorizing user must be provided. OPS-312-1 ZANTAZ Private Information 26 DEF0043369 Production Security Policy Manual 11/15/2000 Login IDs not used for 35 days must be deactivated. IDs not used for 60 days must be deleted, with managerial approval. Privileges and authorizations for those deleted IDs must be revoked and records maintained for six months. All files owned by the ID must be identified and either archived or transferred to a valid user. When users no longer require access because they resign or are transferred or terminated, IDs, privileges, and authorizations must be revoked and records maintained for six months. The objective is to stop access as soon as possible. If an employee resigns or is terminated, the following must be accomplished within 24 hours of notification of a change in employee status. For employees who transfer and no longer require access, this must be accomplished within 10 days of notification. It is the responsibility of the employee's manager to notify the appropriate person(s) when an employee's status changes: The user's privileges and/or passwords must be changed to preclude access. All passwords known by the user on all systems must be changed. All privileged account passwords must be changed if the employee was a privileged user who had access to any other privileged account passwords. The user access must be revoked from any files that grant access to the account. Pending mail for the user must be redirected within 24 hours and should be reviewed and archived within 30 days. All files owned by the employee must be identified and either archived or transferred to a valid user. All jobs previously requested, or previously submitted batch jobs, must be reviewed. All ZANTAZ property, tokens, documentation, and electronic media must be returned. OPS-312.1 ZANTAZ Private Information 27 DEF0043370 Production Security Policy Manual 11/15/2000 5.4 REMOTE ACCESS All Remote Access from outside ZANTAZ to trusted networks requires extra security to prevent unauthorized access. Hard tokens (such as SECURid (is this SecureD?) or SAFEWORD cards) will be assigned for use by non-ZANTAZ personnel who have occasional need to remotely support systems located in ZANTAZ sites. This will be deemed a "proxy token." Management must approve the Business purpose, documentation, and project plan before a token is assigned for this purpose. The token will be held by a designated ZANTAZ employee or group who will provide the current PIN and one time key (as displayed on the token) to the non-ZANTAZ personnel when access is needed. All access via the proxy token will be logged with the name of the user, systems being accessed and time in and out of the system / network. The token and PIN will be stored securely when not in use. The user's workstation used for dialing into ZANTAZ is an extension of the office and should therefore be secured in accordance with the ZANTAZ ZPSP. All computers used for telecommuting must consistently enforce policies for Confidential and Restricted company information. One standard solution for remote access to ZANTAZ is the Red Creek VPN, which provides IP address access control and communication chmmel encryption. Users will only be allowed from external locations into ZANTAZ systems and networks for which they are authorized when accessing systems from internal locations. The user must go through normal channels to request access to ZANTAZ systems. Users must not establish any communications systems that accept incoming dial-up calls or enable dial-out calls, unless these systems have been pre-approved by the Security Office. Non-ZANTAZ accounts must be configured in such a way that their access is limited to the host destination (IP Addresses, host names) that they have been authorized to access for support purposes. OPS-312-1 ZANTAZ Private Information 28 DEF0043371 Production Security Policy Manual 11115/2000 6 Physical Security This section contains requirements for the protection of computer equipment and physical access to the immediate area surrounding the equipment. 6.1 GENERAL PHYSICAL SECURITY STANDARDS ili "_::"_':_i: Security Review All physical security designs must be reviewed and -:-..: approved by the Executive Team. 2:!_-_!i::!! Building Access Access to buildings containing a data center facility must be limited to only authorized individuals, and must _I:IL !i: provide for individual accountability. _:"'_ :_' ,_- Identification is requh'ed for ingress and egress to the .ji: _! • building such as: ,,' _'" • Badges _!_:_:-:!_:_: ,, Fingerprint scans :::i_i_ii_:: * Hand geometry scans i_.?:_i_:,i,i_ • Sign-in book _::_i':. :,)i:_ Access control systems must be stand-alone and _::., " supported by LIPS. Alarms are to be integrated into the "_ ": _ system and must be capable of printing reports and _.: archiving the information. The system should have multiple password levels. ! ::..? i_.- : :_:_:7_ Procedures must be in, place that ensure keys are returned changed employees ,i!i_!_!_.ii! and code, when transferor are f_:iii!:: terminated. Procedures and systems must also be l_._-__ designed to prevent piggybacking, i.e., multiple people entering the facility m_der the authority of a single person. Wherever possible, security guard posts should be __-.._ -:_:i:=:_ :: established to ensure ,mother level of authentication and : ,_,': protection. Security guard posts should be at the central ::_- _ console and provide for roving patrols. Systems should !_A_"_!i _ _ be in place to monitor and record the facility perimeter, ;-_....:_ parking lots, main employee entry, loading docks, etc. OPS-312-1 ZANTAZ Private Information 29 DEF0043372 Production Security Policy Manual 1111512000 [: %. .3. ::: Access to Data Centers Access into restricted floor(s) or data center areas must :::_ .: be controlled using two-factor authentication. An example of this would be requiring a badge to be scanned '- :_!_ plus hand biometric scanning. • The presence of tumbler or metal-keyed door locks can be used to circumvent the two-factor authentication scheme. Therefore, all tumbler or metal key door locks i. !: _:: '_'_ shall be removed from access way doors. i ......... " I All restricted areas must be monitored with CCTV. =_, CCTV must be monitored and recorded. The videotape : := :_: _ii: must be retained for one month. : +_! All access logs must be checked monthly. _ '!" :' .... Any unusual access must be reported to the building _:_ . security manager immediately. i_' ._ Access to Data Centers will be limited to ZANTAZ _:_: personnel who have been cleared for access to the highest : level of information within the Data Center, have an express need for their job function for access, and have been authorized by the Data Center Manager. ': _": ZANTAZ employees, or non-ZANTAZ personnel, :- L i _ requiring Data Center access will be escorted at all times by a ZANTAZ employee authorized for access into the ._:,: _:.:. = _._ particular Data Center. = _J.i_ Perimeter Security Perimeter elements (windows, doors, walls, floor, and ,_ ::_i "_ ceiling) must be installed in a manner such that they .....- cannot be removed or displaced sufficiently to allow _::;_ ;: entry unless an authorized key or equivalent is used or at _i::__i:_ least one of the elements is visibly and permanently _ _:: damaged. OPS-312-1 ZANTAZ Private Information 30 DEF0043373 Production Security Policy Manual 11115/2000 i _= _'_:_':::_: ' There should be no windows in the Data Center, but if ,5._i_!:!i_i Data Center Perimeter there are, these must be a minimum of triple-pane in i!:::!-: if: Security strength, and tamper-proof. _::_:: • Locations with doors opening directly to the outside t i_;, :::" : of the building shall be excluded. ':::: .ii • Locations with windows opening to the outside shall _ ..... _: be excluded. .:. ' • Locations may not include piping (except sprinklers i_i:-_.-:_ and drains). _: _:. • Locations in close proximity to an elevator machine _!. room and/or elevator shafts shall be excluded. _ _: : . • Locations at the lowest level (except ground floor ,: ..... . only) shall be excluded. • _._-_;:. :. :_: ,.: :_:,. • All windows must: have inlaid wire mesh to prevent :_":_'_ :. shatter in the event of breakage. :_= • Any delivery window must have Medico-type locking ...:,_._. devices and must be secured whenever no one .....:, -:_'. attendin_ the window. ii 6i:: ...... Public Address Systems The building must have a full coverage public address :' system for emergencies and evacuations. i: i% ,, i:_7._ i-_ Removable Media All removable media 'will be labeled with its security ,::_,_.......... : :- classification _: :,_:... All removable media :must be accounted for. • _' _ :-::.-: simply thrown away. A record of this destruction must be i _.,_:. :_ obtained, and held for one year. \.--_..,i When not in use, all removable media holding customer ?: =_ information shall be stored in Media Safes with a UL :_::_i Class Fire rating of at least one hour. __,,, Raised Floors In Process. OP$-312-1 ZANTAZ Private Information 31 DEF0043374 Production Security Policy Manual 11115/2000 19, i i Dropped Ceilings There may be dropped ceilings, but if so, there must be :_'.: i,_ additional security measures taken to reduce the risk of • _ access through the ceiling. ..... _- • Any walls between the ceiling panels on the outside _:,: and the inside of the room must extend to the :_::iii_!i_!_:-: superceiling (true slab to true slab). :i: .i_J • There must be monthly checks of the ceiling to ' " _' _ prevent faulty wiring, pests or other potential hazards !_/i:::: from going unnoticed above the ceiling. i:::_/-: _ * The lighting in the panels must be checked by a !i'_-_ certified electrician for any wiring or connectivity - problems. :!i_!: • There should be some form of monitoring - visual or audio - to notify s, ecurity if there is movement above • - ::- the ceiling panels. : i:i_:: _ There should be some: form of alarm monitoring, visual, ! = : audio, or motion detection to notify Security if there is : movement above the ceilin_ panels. !9; Data Center Walls Space envelopes (the walls surrounding the restricted : area) shall have minimum one-hour fire ratings and be ,i:il true slab to true slab. All electrical outlets within the :!-!//'i walls must have anti-surge wiring conduits to protect - ........= fiom possible in-wall fires. Convenience outlets should _:i _ be located along the walls of the space at a distance of _! i: ':!:: 12'0" maximum, from center to center. Convenience ::..,:_ _ _- _:!_:_ _,=: outlets shall not be supplied with power offthe UPS '_ _ " system and shall not be located below the raised floor. _1_I,'_:_ Data Center Doors • All doors must be solid core with "panic" bars for _:r_ _ emergency exits that utilize a 15-second delay _"_-:_:_,- mechanism. : _.-..:_-::_,._. * All doors must have magnetic devices that will secure l _.___:._@_ the door when closed. i _:!_'i;,v_: • All mechanical locks must use Medico-type locks. • _:" ° .S • All doors must have some form of access control _i_: _iil device - e.g., card reader, biometric device -that will • _: _ _i_: authenticate whoever is accessing the room. ili_::i_!i'ill * CCTV must monitor all exit doors. i L:ii: . • Doors must fit their jambs snugly, to avoid tampering ,.,." _'_,._.' _-i,_ with lock bolts or using mechanical extensions to _:_,_. open the doors using the inside door handles. OPS-312-1 ZANTAZ Private Information 32 DEF0043375 Production Security Policy Manual 1111512000 --_ _:_;_-Z:- : _ _., _i:!!_-_i".i" Climate Controls Air conditioning and humidity controls must be installed ,.._:_ _ii:__i.._:'.i, in the computer room, and these controls must operate _::. continuously and be available 24 hours per day. The air " i__ _: conditioning equipment shall incorporate machine -:;::::!7- :._ redundancy such that the failure of any one component • _:..::._._.-: shall not interrupt the air conditioning. .i ;_i?_,_ . "_ _'_"!_:_,, • ' Provide a high ambient temperature detection (above 85 ° _:_:. F) system, which has a dry contact alarm with a signal to ::-_:_._,..:' :'._ • the local Building Management System (BMS) and/or : v. .... ?:_i off-premises alarm communication system. :q • _..:.-_- .... _._ Equipment that is stacked on racks must have proper -"-..;_ • ventilation, including:: • _---'.._: ,,-_-:._:_!i!:(::.: * Proper access to the equipment and a level ground for • the racks. .i,_; :: • Portable fans, if the room dimensions are small. - _. ; _ Climate control equipment must be properly labeled. (:: I :,-.:!_..: _ All of these systems must be on a generator with an ' "" _ . -I operating time of at least 60 minutes to ensure proper _,,_,:i_ .... _!;] shutdown of all systems impacted. ! _ii ....... ] The temperature of the room must be consistently air i'_ iiii_ ] cooled to between 68 ° F - 72 ° F, with a humidifying _._... :: . " i device that removes all excess moisture from the ':;:_..._.._: i environment. _::_-2_:.7 Air filters should be changed monthly in most areas. In _._._. _:? downtown or high industrial areas, these filters should be ::, _:-:'-:..:_ changed more frequently. -_.,- :-Z 2..,_,_ _...i_:_ Radio Frequency Radio frequency emmaations should be reduced as much _._.__..- :-: ,v Emanations as possible for the location and environment. i OPS-312-1 ZANTAZ Private Information 33 DEF0043376 Production Security Policy Manual 1111512000 4_.=i:_i Power Controls All precautions must be taken to reduce the risk of power _:': c- "_ surges. Anti-surge devices must be installed to all . : : :' connecting electrical accesses. In addition, UPS and i :I'::: : ; portable generators should be immediately available and • : accessible in the event a power failure occurs. :_:_!_;ii I The UPS system shall be an on line system and shall _ _!< incorporate: • "_f_i • Auto bypass. ,,_: .... • Maintenance bypass. • _. . _ -: ._-_ • On line battery connection. <_}_< _:_ • 30-minute battery operation at rated load (15 minutes ii;ii!.:%!! with emergency generator power). !, .... _ ............. _: Local panel board(s) .,;hall incorporate: =.. • Isolated ground bus. :.:’_:,!: _ • Equipment groumt bus. ,:: ::_ Alarms shall incorporate: ... _.w..: .- .....Y %', • Indication of loss of power on supply feeder to UPS. i-_._, _,:.--'-.: • Indication of UPS system on bypass. •: ,_i:.:........ 7-. :_{i:' Transmit a summary "UPS Failure" signal to the local .... -i_ building BMS and or an off-premises alarm i :_:._:, -A communication system. I ....... ...S£ I I n '_g_i::_iTi File Servers and Special Ensure secured and isolated environment for all File :_::_(i'_: Device Personal Servers and special device PCs. =. _-:.--.'_ - w ,:_'_!-}_ Computers Procedures or an access control system must be in place __,,; _.,_.;.,’ for authorizing and logging access to that portion of the ,_,_-_ computer room containing such equipment i b. "e.:-.',. ,. .... :" Keyboards must be detached from Servers when not in ,.._, .- ! use or appropriate keyboard locks must be used. , :'_;.'.--..-. ; '. "i ...... " t II OPS-312-1 ZANTAZ Private Information 34 DEF0043377 Production Security Policy M anual 1111512000 _l_ '!':'-_ Telecommunications Any telecommunications equipment room must have !=i 'i ":'__ Equipment either an electronic access control system or an audit trail _ :- type lock, if the room is not in a secured area. ) ...... : ::- _"'i/'!: i i:: Wiring (e.g., local cables, telephone closets, gateways, :::: :' modems, telephone lines - leased, switched, ISDN) must _:i i:! (:i be protected from unauthorized access. !:!_:_ _': i_i_ An assessment of the security of the wires must be performed by the telecommunications company from end i to end. The main conduit into the building must be secured from outside access. Telecommunications lines must be split into separate conduits to reduce the risk of full line detachment. Cables must be periodically inspected for evidence of line tapping or other forms of snooping. " : All wiring closets must be secured and all access to them ::, :::_ logged. i._:ii,: _ A certified electrician must do the --% - 7 power wiring and _:>- review the wiring quarterly to reduce the risk of .:i:'! :: :i':i undetected tampering. Such reviews must include both il I_ "..i_ -._ physical meter testing and visual inspection of the lines. _:> _; .... Access to the power source must be strictly limited and _= ::7-:-_' access to the room monitored. ! .!_ Console Sccufi W Access to consoles must be controlled with the same _"_---:;*_--. restrictions as any other system. This includes a _i:_"_:_ii mandatory user authentication process and individually -_. _ _._ _., .: ;_:_:_!_. :1 assigned user IDs. The server should have keyed on/off ._:.. :_'.. :.:_! ._ ........ :,: locks, alarmed cabinet contacts, and CCTV coverage. OP8-312-1 ZANTAZ Private Information 35 DEF0043378 Production Security Policy Manual 1111512000 !ili _18'. Smoke Detection A smoke detection system shall be provided which -.. -:--_._: includes the following features: ii i i:::i-_i:: ! • Dual ionization chamber "products of combustion'" ._:_ type detector heads. _ • Heads located at the ceiling spaced one per 250 _ : _: .i _:i:_ square feet. _ .:_,:.ii!_._i • Control panel in the controlled space. i ..... .._ • Annunciator located in the space indicating the -_ " location of triggered head. i ,:" _ _ _ • Supervision by a certified electrician against system i_i: wiring failures. !: .-_: ..... • Dry contact in the control panel for transmitting a ' i..: summary "Smoke"' signal to the local BMS and/or off _,_ premises alarm communications network. !;!i ii • Dry contact in the control panel for transrnitting a , ............ Smoke Detection System in Trouble" signal to the ..:.4: .... ..- local BMS and/or offpremises alarm ' - " communications network. 1:-_:5( _-g!._:! i_;_:..,_:_; • Dry contact in the control panel for initiating an i.. _ :.'_!_ alarm to the building alarm system upon receiving _':v._._ _..... _ sprinkler water flow activation and to shutdown room i_':_ power and air conditioning. _:_--.:..-._ _-_.: ,:_ • A test switch in the control panel. _.-._?-i • Connections to the building alarm system. _! ,:i_:_ ...._: Dedicated smoke detection control panels and ...... annunciators are preferred for ease of maintenance, ... - .: _ testing, troubleshooting, etc., unless there is a connection _-_., to the building's fire alarm control panel, which i !_:_'_-::_ accomplishes all of the above-mentioned functions. r, • OPS-312-1 ZANTAZ Private Information 36 DEF0043379 Production Security Policy Manual 1111512000 7 Network Security This section addresses general security controls related to access methods in the Production networked environment. 7.1 GENERAL GUIDELINES No communication device, router, gateway, or other network gear may be connected to a ZANTAZ Production network without an approved project plan and approval from the network's proponent. All communication design architectures must be reviewed and approved by the Customer Operations group. A central authority must coordinate network names and addresses. Customer Operations shall be the coordinating authority for the ZANTAZ Production networks. Because of the need for auditability, network systems in the Restricted and Confidential zones must make use of static IP addresses. Each system and node in a network must authenticate each accessing user, process, or other entity. Connection paths, terminal addresses, node addresses or other node identifiers do not, by themselves, constitute an acceptable means of node authentication. Only ZANTAZ owned, operated, and controlled nodes located in restricted facilities should be trusted nodes. As much as possible, networking should be done using Switches rather than Hubs. This will give both security and performance benefits. Any network device (router, switch, firewall, etc.) on which it is poss_le to stop and inspect traversing datagrams or packets will be treated wholly at the security level of the highest potential datagram or packet. For example, a switch handling a network of Red level nodes and Blue level nodes will be treated as a Red level switch. All network switches will make available one port to be used in "mirror" mode; that is, aU traffic crossing the device, destined for any interface, will be available on this port. The expected use of this port is for monitoring and problem debugging. Switch mirror ports will be administratively disabled at all times when not actively in use. No equipment will be leR connected to this port except during times of active use. No use will be made of Switch mirror ports without the express autho"nzation of the Data Center manager, the Director of Customer Operations, or the VP of Operations. OPS-312-1 ZANTAZ Private Information 3"7 DEF0043380 Production Security Policy Manual 11115/2000 A switch may not be excluded from this requirement simply on the basis of port "crowding," or convenience. Response time and active monitoring are mandatory requirements of Production networks; mirrored ports are a necessary feature of such requirements. A switch may be excluded from this mirrored-port requirement if it can be demonstrated to the satisfaction of the Director of Customer Operations or the Data Center Manager that monitoring a mirrored port on another switch in the same network grouping will show all desired traffic that could be watched on such a mirrored port. For example, the switching fabric mayuse a cascade of switches; all traffic meant for a "leaf-node" of the cascade must first pass through a "branch" switch. This exclusion principle should be avoided if possible, however, as it will leave the crosstalk of hosts that reside concurrently on the leaf-node switch umnonitorable. 7.2 FIREWALLS All network access into the ZANTAZ Production secure areas will be protected by stand-alone Firewalls. This will be in addition to any router ACL controls. An Internet Service Provider (ISP) providing Internet connectivity for ZANTAZ may provide firewall protection, but this should be in addition to that provided by ZANTAZ-controlled fn'ewalls. For example, current Data Center connections often use lines provided by Pilot Network Services. Administrative access to the firewalls shall be done using two-factor, authenticated logins or one- time passwords. All communication traffic should pass over encryption tunnels. The firewall policy and configuration must be accurately documented. For current acceptable practices, please refer to the ZANTAZ Security Committee document "ZANTAZ Corporate Firewall Architecture Policies, Standards and Procedures." The firewall machines must be subject to regular monitoring and audits. Detailed firewall logs shall be kept (if possible, by forwarding monitoring messages to a dedicated logging server). Logs shall be automatically analyzed, with critical errors generating alarms. Logs shall be archived for at least one year. Statistics on usage should be available. Firewalls shall be available 24 hours a day, 7 days a week. There shall be a maximum downtime of four (4) hours (during office hours), with a downtime frequency of no more than twice per month. A regularly scheduled maintenance slot will be arranged for during non-critical business hours. Regular backups shall be made of firewall configurations.. Updates and configuration changes shall be logged. OPS-312-1 ZANTAZ Private Information 38 DEF0043381 Production Security Policy Manual 11/15/2000 i 7.3 MONITORING Possession, distribution, or use of network diagnostic, monitoring, and scanning tools, network probes (hardware or software), or attack scanners (hardware or software) is limited to designated and authorized personnel in accordance with their job responsibilities. This includes anything that can replicate the functions of such tools. Use of any such tools by non-ZANTAZ personnel on or against ZANTAZ-owned systems must first receive explicit permission from the ZANTAZ Production Customer Operations VP or Director. Unauthorized possession, use, or distribution of such tools or functions is prohibited, and may be grounds for immediate termination, and criminal and civil liability. All Production network gear shall have a method of providing a log of time-stamped, ASCII-text monitoring messages, and provide a means for these messages to be sent in real time to a designated, Production central logging server. An example of such a system is the Unix Syslog package. Other methods may be used, as long as the resulting log messages may be centralized for scanning. 7.4 ACCESS There are two types of access: trusted access and tmtrusted access. Access is considered trusted if the network is controlled from end to end by ZANTAZ or a vendor with an approved contractual commitment to meet ZANTAZ's security requirements. Untrusted access refers to access between non-ZANTAZ controlled nodes, systems, or networks and the ZANTAZ trusted network. ZANTAZ-approved VPNs are considered trusted access. All untrusted connections to internal systems require two-fiictor authentication (e.g., SecureID token card and system password or PIN) and should be documented in a plan approved by management. All access to Production non-customer should be done with two-factor authentication or one-time passwords. As much as poss_le, traffic will pass only through encrypted tunnels. For example, logins should be supported through SSHD rather than TELNETD. VPN software may be used on internal desktops to reach Production machines. However, restrictions must then apply: * No automatic access shall be set up. A conscious and secure effort to access must be required. This is to block non-cleared personnel with physical access to the desktop from reaching the Production areas unhindered; for example, by simply rebooting a desktop. • No automatic logins to such desktops will be allowed, in the event that a currently opened access of Production machines could be sniffed or otherwise inspected. For OP5-312-1 ZANTAZ Private Information 39 DEF0043382 Production Security Policy Manual 11115/2000 example, if an NT desktop contains VPN software, and could be used by cleared staff for access to Production, then the NT desktop must not allow administrative or SMS logins by non-cleared staff. If such access was allowed, then root admin passwords found on non-cleared machines could be used to access the VPN desktop, and a sniffer program placed to catch Production access passwords. 7.5 REMOTE ACCESS 7.5.1 VPN Access Off-premises login access to ZANTAZ computers running across untrusted networks will be offered through Virtual Private Networks (VPN) only, using two-factor authentication or single- use passwords. This includes employees working from home, sales staffusing laptops on the road, or administrative access fi'om one ZANTAZ site to another. 7.5.2 Dial-up Access Dial-up access through the Public Switch Network (PSN) telephone lines to any computer poses the highest risk possible to the trusted network. Special precautions must be taken to ensure that computers accessed via modems connecting through the PSN are protected. Other alternatives must be considered before this type of dial access is permitted; alternatives must include strong, two-factor authentication. PSN Modems, whether dial-in or dial-out, will not be set up in the Production Data Center. If Dial-out modem service is installed on Production non-customer networks, the following guidelines should be used: • All requests for dial-out modem line service only (calling to America Online, Prodigy, or other service providers) must restrict incoming calls. If local phone companies are installing the service and restriction is possible, the incoming line must be set up so that no incoming calls are possible. Otherwise, the incoming calls must be forwarded to a number assigned by ZANTAZ. • Additionally, the automatic answer function of the modem must be disabled. The common command line statement for changing this feature in Hayes AT command set compatible modems is: autoanswer off=-ATS0=0. Additional information can be found in the user manual for the modem. • Users must not set up an interactive session whereby the untrusted node could gain access to or interact with a ZANTAZ system. • Modems must be disconnected from any telephone lines when not in use. • Modems in unsecured locations must not have telephone numbers, ownership, or system identification markings on them. OPS-312-1 ZANTAZ Private Information 40 DEF0043383 Production Security Policy Manual 11115/2000 Users of SLIP and PPP or other IP protocols must take special precautions not to broadcast their IP addresses. Users must be aware that external access back into their system can occur and possibly go undetected. 7.6 FAX MACHINES Stand-alone fax machines (not fax servers or fax modems) are permitted on Production non- Customer areas. No fax machine should be attached to Production Customer networks. Remember to consider the data classification as part of due care. Today's fax modems are capable of data transmissions outside of the facsimile protocol. Therefore, they must be given the same consideration as regular moderns. Systems with fax modems should be set up to allow fax transmissions only. OPS-312-1 ZANTAZ Private Information 41 DEF0043384 Production Security Policy Manual 11/1512000 8 Device Security 8.1 INTRODUCTION This section contains general standards for host system security. It provides guidelines on operating system security, software, access, and monitoring. 8.2 OPERATING SYSTEM SECURITY The procedures necessary to improve the security of operating systems (abbreviated "OS") used at ZANTAZ from the vendor-supplied defaults into something relatively secure are quite complicated. The exact steps will vary depending upon the OS used, the version of the OS, and current industry-wide accepted practices. Therefore, the ZANTAZ Security Committee has produced guidelines specific to particular operating systems. These documents will undergo review in step with vendor updates and patches, security announcements, and newly released versions of the OS. For Solaris system security, please see the document "ZANTAZ Security Standards for Solaris.'" For systems running Microsoft NT, please see "ZANTAZ Security Standards for Windows NT 4.0." For Linux systems, please see the "ZANTAZ Security Standards for Linux Systems." For Firewalls and Routers, please refer to the "ZANTAZ Corporate Firewall Architecture Policies, Standards and Procedures." 8.3 SOFTWARE POLICY Along with the requirement of OS security "hardening," there are general guidelines that should be followed for software used on all ZANTAZ systems: No Unlicensed software will be made available on ZANTAZ machines. Public Domain software may be used, but only after the source code has been reviewed or, if the source is too big, after the package has been run and tested thoroughly by system administrators. On Unix Production systems, Set-UID or Set-GID scripts are to be avoided. Compiled programs or scripts with lesser privileges should be used. OPS-312-1 ZANTAZ Private Information 42 DEF0043385 Production Security Policy Manual 11115/2000 Game software will not be run on any Production Customer machines, or any machine providing services to Customer machines, or be set up in anyway to impact Customer network throughput. Game software may be allowed, at the discretion of the local manager, on non-production and non-customer systems. However, the local manager and system administrator must ensure the software does not use excessive system resources nor interfere with the course of normal ZANTAZ business. All local site-specific scripts and programs must be stored in new directories and not in standard vendor supplied system directories that could be overwritten during a system upgrade. All local site-specific scripts and programs must be maintained in a set,rare revision or document change control system. All software to be used on Digital Safe or other mission-critical Production systems must undergo testing by the Operations Quality Assurance group. Their task will be to ensure the package performs as expected, does not interfere with the workings of Digital Safe, and does not violate tenets of integrity, access authorization, or confidentiality. All application designs must be based on the ZPSP with exceptions and controls documented in the security plan. 8.4 SESSION POLICY All logoffs, timeouts, and other session terminations must clear the screen and close the session. A session must be suspended after a period of inactivity not to exceed fifteen minutes, and re- authentication required to resume the session. A user must lock an unattended session or completely log off. Where available, controls must be activated to detect an attempt to sign on to the platform using an ID already in session and security or the system administrator notified. The user may also be notified. The ability to limit access by time of day and day of the week should be provided, where such a mechanism is available. 8.5 MONITORING OPS-312-1 ZANTAZ Private Information 43 DEF0043386 Production Security Policy Manual 11115/2000 All mission-critical systems must be set up to synchronize their clocks, in reference to standard UTC time signals. This allows correlation of events between machines through the use of valid timestamps. All computing systems will be set up to log significant operating system and application events to a central logging server. On systems in Production Customer areas, the logging will be done both to the local filesystem and to a central logging server. ]'his redundancy will ensure that in the case of a network outage significant system events are still captured for later analysis. The central logging host is a vital component of the ZANTAZ security stance. Access to it must be limited to just those necessary to administer the box and the logging system. A log must be maintained for all system startups and shutdowns. If such a log cannot be generated by the system and maintained with integrity, a manual log must be kept. On the central logging host, logged events shall be scanned in realtime for problem signatures. This checking will concentrate on small to medium length patterns, to increase the availability of the CPU. For example, it would be preferable to watch for the pattern "'WARNING", rather than the entire string "Datestamp Hostname ProcesslD WARNING ErrorMessageOfSomeLength." Additionally, the log files will be rescanned at least weekly on the central logging host. This will allow a secondary check for the previous set of patterns, plus checking of longer, more extensive patterns that will help detect attack signatures that have been intentionally constructed to leave protracted, less noticeable footprints. Log files on all hosts shall be rotated at least daily. Files of longer periods (e.g., weekly) can cause problems and should be avoided -- they can become too large to transfer comfortably between systems, and detection of problems in the file creation or access itself can go unnoticed for long periods, creating gaps in the audit record for the system. Logs should be made available to users with need-to-access by some mechanism other than standard logins. For example, the logs could be made available through HTTPS access to a Web server process on the logging server machine, if strong authentication methods can be arranged. Logging on Production servers must include system administrator activity, unsuccessful log-in attempts, and significant application behavior as decided by the Data Center Manager. All logs released to non-ZANTAZ individuals must be first "sanitized" to remove IP addresses, host names, and other information that would specifically identify ZANTAZ systems. All ZANTAZ mission-critical computing systems must have additional realtime monitoring packages installed to ensure notification of problems to ZANTAZ support staff in a timely fashion. Such notifications will be routed through the ZANTAZ Global Monitoring Center if possible. OPS.312-1 ZANTAZ Private Information 44 DEF0043387 Production Security Policy Manual 11115/2000 9 Security Attacks There are two major types of attacks that could jeopardize information security by contaminating data. They are malicious code and viruses. Computing systems themselves can be rendered unavailable through outside actions, commonly called "Denial-of-Service" (or "DOS") attacks. This section provides controls to protect against such attacks. 9.1 MALICIOUS CODE Description Malicious code is a general name for programs that are intended to cause harm or otherwise defeat security measures. Code reviews and stringent change control of allapplications developed should take place. This requirement includes applications developed by both internal employees and non-ZANTAZ personnel. There are four basic types of malicious code. • Backdoor: An entry point into a program that is usually bypassed during the development process. Normally these entry points would be closed when the program development is completed; however, they can be left open either intentionally or unintentionally. • Logic Bomb: A program that triggers an unauthorized, malicious act when some pre- defined condition occurs. • Worm: A worm is a program that tunnels through a network by gaining access privileges. Worms can tie up all the computing resources on a network and essentially shut it down. • Trojan Horse: A program that appears to function as anticipated but contains additional, hidden functions that allow unauthorized collection, falsification, or destruction of data. The Trojan Horse is the most commonly used method for program-based frauds and sabotage and for disguising viruses. Protection To aid in preventing malicious code attacks on ZANTAZ Production resources, the following preventive measures should be undertaken. File modification detection programs should be used on all possible hosts. This would be used first to acquire a baseline state ofsnsceptible files. This baseline is then used for comparison • against the existing state of files, and changes noted. 0P8-312-1 ZANTAZ Private Information 45 DEF0043388 Production Security Policy Manual 11/15/2000 Programs and services added to Production systems should follow the principle of Least Access. A program infected by malicious code cannot hurt what it cannot access. Intrusion detection systems will be implemented on all Production networks. This will aid in the detection of unusual activity, such as the proliferation of software worms. Services provided by systems shall be "wrapped" as much as possible, to add a further layer of control and auditing. An example of this would be using the Unix program TCP Wrappers to intercept access requests to the SMTP port 25. Firewalls will be used between the networks in a particular Data Center, and on the networks connecting Data Centers. • 9.2 VIRUSES Description A typical virus is a small computer program that, as part of its operations, reproduces itself by making copies of itself and inserting these copies into unint_cted programs or data files.. This insertion process takes only a fraction of a second, a virtually undetectable delay. The infected program will subsequently execute the virus code during its: normal processing. / In addition to its ability to reproduce, the virus may cause damage to the programs, data, or equipment, or it may perform some other annoying though relatively harmless function. Viruses can use one or more of the malicious code techniques to achieve their purpose. Sharing data files can spread them. Personal computing environments are more susceptible to viruses; however, they can occur in the server-based computing environment as well. Protection The following are controls that can reduce the chance of virus infection within the computing environment. These standards apply to all ZANTAZ computing resources and environments. Virus detection or integrity checking software must be used in all desktop workstation environments that have access to the production area, or make use of media that will be used in Production machines. This includes laptops and PCs located at employee's homes. The vires detection software should be the current ZANTAZ-approved package for that particular system. The data files used by the detection software must be updated at least once a month to ensure that system scans can identify most known viruses. No software, regardless of source, should be loaded on ZANTAZ Production PCs without prior Production Group approval. OPS-312-1 ZANTAZ Private Information 46 DEF0043389 Production Security Policy Manual 11115/2000 All software introduced into trusted computing environments, including ZANTAZ PCs that are located in employees' homes, must be known to be virus-free. Vendor computing environments into which ZANTAZ software and/or data is introduced should be known to be virus-free. Sottware distributed from any ZANTAZ PC to another ZANTAZ organization or a ZANTAZ customer must be known to be virus-free. Virus scans or integrity checks must be done prior to the fii_t use of each executable file that is brought into the ZANTAZ environment from untrusted environments; e.g., program fixes copied from vendors' bulletin boards or Web sites. Virus scans of permanent media must be performed at least once a week: • On computers that have direct access to the Production network. • On computers used for distribution of files outside of ZANTAZ; e.g., those used to send files to external customers or vendors. • On computers running an application for which the risk is medium or high for loss of data or loss of the application. Virus scans must be done at least monthly in all other situations. Whenever possible, virus scans should be scheduled to occur automatically. Records must be kept to show scans that have occurred and the details of any findings from the SC artS. 9.3 DENIAL OF SERVICE ATTACKS Description The service provided by ZANTAZ to customers often makes use ofcommtmication over the Interact from previously unidentified hosts. Because of this, those services are susceptible to attackers attempting to block legitimate use of the service. An attack of this nature is called a "denial-of-service" ("DOS"). Examples of this kind of attack include attempts to: • "Flood" a network, thereby preventing legitimate network traffic. • Disrupt cormeetions between two machines, thereby preventing access to a service. OPS-312-1 ZAICrAZ Private Informalion 47 DEF0043390 Production Security Policy Manual 11115/2000 • Prevent a particular individual from accessing a service. • Disrupt service to a specific system or person. Protection To help prevent Denial-of-Service attacks against ZANTAZ systems, the following recommendations should be followed: • Router filters should be implemented to block known attacks, such as TCP SYN flooding. • Systems should be kept up-to-date with the latest Vendor patches protecting against DOS attacks. • Unused or unnecessary network services should be disabled. This can limit the ability of an intruder to take advantage of those services to execute a denial-of-service attack. • Machine file systems should be partitioned to separate critical functions from other activities. This will protect against attacks designed to fill up diskspace, causing processes to block waiting for I/O, or even to crash. • Establish baselines for ordinary network activity. Use the baseline to gauge unusual levels of disk activity, CPU usage, or network traffic. 0PS-312-1 ZAHTAZ Private Information 48 DEF0043391 Production Security Policy Manual 1111512000 10 Incident Response The procedures for handling security incidents, especially those that successfully disrupt ZANTAZ business, can be quite complex. A separate policy document is being written to fully record procedures for incident evaluation, response, and recovery. Please see the ZANTAZ Incident Response Procedures document for more details. This section lists some general incident handling guidelines. Security levels are listed, with different procedures for each occurrence where corporate security has been violated. Depending on its level or urgency, incidents may be escalated to department managers, and if necessary, to the ZANTAZ Security Office for resolution. Certain incidents may require immediate action and employees should use their best judgment in these cases. For all but the most trivial incidents, or if there are any questions about policy or actions to take, the ZANTAZ Security Office should be contacted. The ZANTAZ Security Office should be the central area for reporting security issues or incidents. Each issue should be recorded, prioritized, and reviewed by the office; in some cases, several incidents of a particular nature may expose an underlying security problem. To report an incident, call the ZANTAZ Security Office hotline at XXX-XXX-XXXX or send an email i message to infosec@ZANTAZ. 10.1 INCIDENT LEVELS Level I Examples Employees do not take precautions to security ZANTAZ's business information (i.e., not securing their workstation, leaving confidential information in plain view in a public area). Procedures Advise the person of the correct procedure. Escalate to the ZANTAZ Security Office if the issue is not resolved. Levd 2 Examples Code is discovered that could compromise the integrity of a computer system or allow unauthorized access (e.g., a virus or a Trojan Horse). A door that is normally locked during non-business hours is left open and unattended. ZANTAZ equipment and/or property is missing and presumed stolen. Procedures Contact the Security Office. A record of the issue/incident should be filed. The Security Office will work with the appropriate departmental staff for resolution. .... . Level 3 OPS-312-1 ZANTAZ Private Information 49 DEF0043392 Production Security Policy Manual 11/15/2000 Examples Attempt or successful act of compromising security mechanisms of a system on the ZANTAZ network. Disrupting ZANTAZ business services with Denial-of-Service attacks. Any incident where it is suspected that customer information within the Digital Safe is at immediate risk. Procedures Contact the ZANTAZ Security Office. A record of the issue/ineident should be filed. The Security Office will work with the appropriate departmental staff for resolution. Any incident involving Customer systems or information will be reported by the Security Office to the Operations Technical Support Center (TSC). It is responsibility of the TSC to handle all communication with Customers. Once the issue is mitigated, the Security Office and TSC will work together to publish a "post-mortem'" :report for ZANTAZ Executive Management. Level 4 Examples The attempt or successful act to cause physical harm to ZANTAZ employees or property, including damage to any systems or other property. Procedures Employees should contact the local emergency authorities immediately for resolution. 10.2 GENERAL GUIDELINES Keep copies of names, telephone numbers, and email addresses ottline. Do not assume online information will be available during an emergency. Reliable, fi'equent backups are extremely important. Where possible, work with customers and users to minimize disruption and outages caused by attacks or compromises. Communication is important. Only ZANTAZ employees specifically authorized for Public Relations should talk with media or the press concerning any ZANTAZ security incidents. lfa system appears to be eompromised, and there is not obvious imminent risk that the problem will escalate, leave the system as it is until help from the Security OffΙce can be obtained. Disconnecting a suspect system from the network or powering it offbefore proper triage can be done will result in the loss of information helpful in assessing the extent of the attack or compromise. OP5-312-1 ZANTAZ Private Information 50 DEF0043393 Production Security Policy Manual 11115/2000 Once an incident is over, the affected systems must be checked to ensure they are again performing normally. Make sure all expected services have: been restored. If there were any failures in the Incident Response Procedures, the Security Oftiee must be sure to update the document. OPS-312-1 ZANTAZ Private Information 51 .... DEF0043394 " Production Security Policy Manual 11115/2000 11 Partner and Customer Connections It is important to have adequate controls in place when dealing with external business relationships. The objective of this section is to provide standards that will keep ZANTAZ's information secure and reduce the likelihood of contamination of data and information systems. Non:Disclos_’,Agreem_ A Non-Disclosure Agreement of confidentiality must be signed if _,j :? "........ :-: : ZANTAZ confidential or restricted information is to be disclosed. • .... :-_ ' - The proponent must ensure that proper non-disclosure agreements i :i t R_dant or Outsoureed: Redundant or Out.sourced processing and storage facilities, such • si_rage Facilities :: _ [ as Pilot Network Services, should be monitored and reviewed to '_: ..... " ' ensure either compliance with ZANTAZ policies and standards or a level of control is provided which is equivalent to ZANTAZ policies and standards. This should be accomplished through contractual commitments with provisions to permit auditing and .: monitoring to ensure compliance. .... ,. • ,. m • - • " -.-- " l Indepcnderit Review_ Management may request that the Executive Team grant an -_ :L:: .:. . _- :_ _ independent review or audit by a third party. The objective of the review should be clearly stated to the Executive Team and should , - _. .... . - ...... . . , contain the scope, timeline, and any other supporting :.;/i!i . : ::_:". :.- ": documentation. m-;._-_'-._ . _-..,. :_L-":. - _ n I_Providers-!i_:!_!. • ..... I Service providers must show a level of acceptable due diligence .... with regards to information protection as evaluated by ZANTAZ I .._: .: i-::._:_: i( -.;_ :1 technical resources. I:_,_;-::::._-:P -_'_ " _,........ _" .... .' I -Td_fiOns-_W_4 When external telecommunications personnel (such as Pacific __:;'? i :L ! Bell) perform work, the work must adhere to ZANTAZ's __c:"-_:i_ ; i :i " ': :' Production Security Policy manual. In order to ensure that the t ii_::' :_:-_-_:'-, ,i:;:.::. : ::: - -n network remains secure, Operations should review all work prior , " ' :.-4._ ..... - -, ...... ' .......... , to and after implementation. _.-.:... -:._:_ :_:: - :-_. . .: ,_"’ ,- ?;4 • ,,_ior idenfiiiCafi-_;_ -"_' ]1 The identity of the provider of vendor supplied hardware and/or : ' i o . system software should be verified. Existence ofappropriate '_ ...... ..... ' : ::': ..... ji'_j: ' contractual agreements for use of vendor software should be '-:-_ :-:::_:'_ ..... : :-_. -.' conllrmed. OPS-312-1 ZANTAZ Private Information 52 DEF0043395 Production Security Policy Manual 11115/2000 ' r ....................._,::,_'_............ _ I...i; _ , _i " . iJ:.__ .........::. _ • So_are:S_ty:_ : I. Vendor supplied software must adhere to ZAHTAZ sccmity ._:.: ......... :>7_:i.(_: I. 7,:_44_,i_:.,ilj_.!j:ti_;:'_.::i standards. :Co_trtic_q__il;.:_i- ::i Every contract for outside information processing services must ";::::: ::;!i:!!:i :=i!i!:::!!_i_i i:i _ :::;:::!:ii:!!_ i i contain the provisions listed in Appendix A below. OP5-312-1 ZANTAZ Private Information 53 DEF0043396 Production Security Policy Manual 11115/2000 APPENDIX A: Contracts for Information Processing Services - Standard Security Provisions The following items must be included in all contracts for outside information processing services. The exact wording in any contract may be negotiated and must be reviewed and approved by the ZANTAZ Executive Management team. 1. "Vendor" agrees that ZANTAZ personnel will be responsible for determining and maintaining all levels of security residing on ZANTAZ hardware or systems. 2. "Vendor" agrees that the security provided at its end of the connection will not allow unauthorized traffic to pass into ZANTAZ networks through the common Internet connection. 3. "Vendor" agrees that any server access required by the "'Vendor" staff through outside security products will be in a READ-only mode unless there has been prior, written approval of a security plan for more intrusive access. 4. ZANTAZ reserves the right to disconnect the "Vendor" service if unauthorized access is discovered. This does not, however, relieve "Vendor" of its commitment to deliver on its Service portion of the Agreement and Addendum. Such Service requirements will have to be met by on-site servicing until the inappropriate access can be investigated and resolved to the satisfaction of ZANTAZ. 5. "Vendor" agrees there will be no extraneous access from platforms or use of protocols other than those in the current configuration presented by "Vendor" 6. "Vendor" agrees to maintain an alert status regarding all xaalnerabilities and security patches or corrective actions through an industry-recognized service issuing security advisories. 7. "Vendor" agrees that it will supply ZANTAZ with a letter certifying it has developed and engineered its software without any undocumented application code that bypasses any security features. If there are such surreptitious accesses for programming and code modification, "Vendor" agrees that it will identify those accesses to ZANTAZ and assist ZANTAZ in removing them from the Services under the Agreement and Addendum. If "Vendor" is using purchased software from another Vendor, "Vendor" agrees to obtain such a certification letter from its software vendor. 8. "Vendor" certifies that all of its staff, contractors, or sub-contractors have had background investigations performed and that no person working for '`vendor" under this Agreement and Addendum has a prior felony charge or conviction for embezzlement, fraud, antitrust, or securities- related or financial-related crime. 9. "Vendor" certifies that their staff, contractors, and sub-contractors are bonded and will inderunify ZANTAZ against any loss, claim, or damage to a third party, caused by an "Vendor" staff person, contractor, or subcontractor in the performance of this contract. 10. "Vendor" agrees to sign a ZANTAZ Non-Disclosure Agreement. 11. "Vendor" agrees and understands that the project security will be incgeiigntally implemented as access to production data becomes more imminent. ''Vendor" further agrees to allow ZAaNTAZ network assessments based on a schedule mutually agreed upon. "Vendor" understands that, should a OPS-312-1 ZANTAZ Private Information 54 DEF0043397 Production Security Policy Manual 1111512000 ZANTAZ assessment reveal inappropriate or inadequate security based on the pre-defined requirements for security, ZANTAZ may remove "Vendor" access from the ZANTAZ network until "Vendor" satisfactorily complies with security requirements defined. 12. "Vendor" agrees to establish and maintain all application and system logs under its domain and further agrees that ZANTAZ shall have a copy of all logs on a weekly basis. 13. If not considered a vital asset or corporate sensitive document, "Vendor" agrees to give ZANTAZ a copy of its employee handbook section regarding disciplinary action taken when unauthorized access to customer information is investigated. 14. "Vendor" agrees to provide ZANTAZ with a documented description of their disaster recovery strategy / capability. This description will address actions to be taken in the event of an extended outage of service. (Such an outage could be caused by a number of events ranging from technical hardware/software/network related malfunctions to a catastrophic disaster.) The description should address: • Risk avoidance and disaster prevention provisions in place (e.g., physical security systems, fire protection / suppression systems, equipment spare parts on-site, Uninterrupted Power Supply (UPS) and backup generators, etc.). • Recovery time frames. (In the event of an outage, how many hours until service will be restored? In a worst-case scenario, define the maximum allowable downtime.) • Data backup and off-site storage process. • Lost customer data / data in progress recovery. • Service recovery strategy (e.g., internal/redundant backup, commercial hotsite backup, equipment "quick ship" agreements with other vendors, etc.). • Notification process. • Recovery testing process. (How many recovery tests per year? Is ZANTAZ involved in recovery testing?) • Recovery Plan maintenance. (Who maintains the recovery plan? How frequently is it reviewed and/or updated as a result of technical / product / service changes?) • Define recovery roles and responsibilities assumed by "Vendor" and ZANTAZ. 15. "Vendor" agrees to provide ZANTAZ with a copy of its SAS 70 report and that this report will be updated and a copy delivered to ZANTAZ annually. 16. "Vendor" agrees that ZANTAZ may, at its discretion, conduct audits of the "Vendor's" computer systems and processing environment. 17. "Vendor" agrees to provide ZANTAZ the necessary information to complete the System Security Plan Information Data Sheet. 18. "Vendor" agrees that their facilities, if processing or storing any ZANTAZ data, is in compliance with ZANTAZ security policies and standards. OPS-312-1 ZANTAZ PHvate Information 55 DEF0043398 Production Security Policy Manual 11115/2000 Appendix B: Resources One of the hallmarks of this digital age is the quick dissemination of information, especially in areas of computer security. Ideas and opinions, precipitations of experience, can find themselves shaped into de facto standards, or "Best Practices," as they are often called. These Practices have been shaped by many authors, and escape easy bibliographic expression. Much of the information given in this Policy is borrowed from just such sources. Below are listed some of the more notable references, both print and Web. The ordering of the sources, at the moment, is arbitrary: • "Practical Unix Security," Simon Garfinkel and Eugene Spafford, O'Reilly & Associates, 1991. • "The Process of Network Security," Thomas Wadlow, Addison-Wesley, 2000. • http://www.brown.edu/Research/Unix Admin/cuisp • http://www.eff.org/pub/CAF/policies • ftp://nic.merit.edu/dowciuments/fyi/fyiS.txt • http://www, sfsu.edu/~helpdesk/docs/rules/security.htm_ • http://www.eustoms.ustreas.gov/about/ais-doc.htm • Fraser, B., "Site Security Handbook," RFC 2196, September 1997, flp://ftp.isi.edu/in- notes/rfc2196.txt. • Shirey, R., "Internet Security Glossary," RFC 2828, May 2000, ftp://ftp.isi.edu/in- notes/rfc2828.txt. At ZANTAZ, the primary constructors ofthis document include Wayland Chun, the members of the ZANTAZ Security Committee, and the staffofthe Customer Operations Department. OPS-312-1 ZANTAZ Private Information 56 ............ DEF0043399 " " ZANTAZ Background Verification Policy 1 Introduction 1.1 Purpose Backgrotmd verification policy required for Production level access. 1.2 Scope Employees who are hired to work on Production systems are required to go through a complete background check prior to hire. Production systems are defined as any server or device that either passes or stores customer data_ 1.3 Background Verification Criteria The background check will verify the following information about a potential employee prior to hire. Name Address Telephone SSN County Criminal Records Federal Criminal Records County Civil Records Federal Civil Records Driving Record Employment Credit Report Education Verification Previous Employment Verification 1.4 Agency ZANTAZ employs a third party agency to complete the background verification for potential employees working on Production systems. Page 1 of 1 ZANTAZ Confidential Attachment D DEF0043400 Meeting August 8, 2002 Washington, DC Page 1 1 UNITED STATES DISTRICT COURT 2 FOR THE DISTRICT OF COLUMBIA 3 ....... 5 ELOUISE PEPION COBELL, et al., : 6 Plaintiffs, : 7 v. : No. 96-1285 8 GALE NORTON, et al., 9 De f endant s. : I0 .............. x Ii 12 BRIEFING ON PROPOSED DEPARTMENT OF THE INTERIOR 13 EMAIL BACKUP AND RECOVERY PROGRAM 14 15 Twelfth Floor Conference Room 16 1717 Pennsylvania Ave., N.W. 17 Washington, D.C. 18 Thursday, August 8, 2002 19 PRESENT : 20 ALAN BALARAN, Special Master, presiding 21 On behalf of Plaintiff: 22 MARK BROWN, Esq. 23 On behalf of Defendant: 24 PETER B. MILLER, Esq. 25 SANDRA SPOONER, Esq. A|derson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 200 Exhibit 2 Defendants' Motion Re: ZANTAZ E-Mail Proposal Meeting Augur8,2002 Washington, DC Page 2 1 ALSO PRESENT: 2 FROM ZANTAZ: 3 THOMAS E. PRIOR 4 ROGER ERICKSON 5 CURT DEININGER 6 FROM DEPARTMENT OF THE INTERIOR: 7 JIM CASON 8 SABRINA McCARTHY 9 HORD TIPTON T i0 JUDY SNOION ii REGINA LAWRENCE 12 13 14 15 16 17 18 19 2O 21 22 23 24 25 Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washington, DC Page 3 1 P R O C E E D I N G S 2 (2:18 p.m.) 3 MR. MILLER: We would like to thank the Special 4 Master Mark Balaran for joining us at the presentation 5 today. We're here to talk about the Interior email 6 proposal that was first discussed in the February 20th, 7 2002, letter to the Special Master and counsel for the 8 Plaintiffs. The email proposal is an outgrowth of the 9 Special Master's order from July of 2001 and dates back to i0 the May II, 1999, order and an earlier order relating to ii the obligation to search and produce responsive emails 12 from the Solicitor's Office email backup tapes. 13 In working on trying to develop a proposal to 14 address that requirement, it became apparent that it made 15 more sense to work with an outside contractor. The backup__ 16 system itself was not designed to search and retrieve 17 particular emails. It was designed primarily to deal with 18 catastrophic failure and system backup. 19 In the course of working on this process, 20 Interior spoke with a number of people and ended up 21 working primarily with Zantaz to develop this proposal. 22 The purpose here today is to simply discuss the outlines 23 of that proposal, and I will briefly talk about the 24 components of it and then turn it over to Zantaz for more 25 discussion and then questions that relate to the proposal Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washington, DC Page 4 1 itself. 2 The proposal has two key components. The first 3 is the restoration of email from backup tapes that have 4 been retained by the Department of the Interior in the 5 Solicitor's Office and other offices. That process is 6 essentially a restoration process and will allow the 7 unique emails from those backup tapes to be placed into a 8 searchable archive that can then be searched according to 9 agreed upon search terms. I0 The second step is: a realtime capture of email II traffic going forward so that the backup tapes themselves 12 no longer become the operative pieces of that system and 13 instead the emails are put into a searchable archive 14 directly going forward. 15 So those are the two pieces that Zantaz is going 16 to provide, assuming that we can get the approval of the 17 Special Master. This is a fairly expensive and 18 significant undertaking for the Department of the Interior 19 both in terms of cost and in terms of revamping the system 20 itself, and as a result we have decided that we're going 21 to ask for formal approvalof this proposal before we 22 actually finalize the contract and begin to implement it. 23 One of the questions that the Special Master 24 asked me before this started today is whether the funding, 25 which had not been finalized as of the February 20th Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting Augu_ 8, 2002 Was_ngton, DC Page 5 1 letter, is now available if this proposal proceeds. My 2 understanding is that that funding is now available, 3 assuming that we're able to get approval for the proposal. 4 I think with that I'll turn it over to Zantaz, 5 unless there are any preliminary questions. Tom. 6 MR. PRIOR: I'm Tom Prior. I've been working 7 with the DOI on this component since about September of 8 last year. Briefly what I want to do is tell you who 9 Zantaz is, what we do for a living, why we think we're i0 uniquely qualified really to address a lot of the issues Ii that we have discovered during this process. 12 We're not going to show a PowerPoint 13 presentation, but what I have put together is some slides 14 that will summarize what we're going to be talking about 15 today. So it's an overview of who we are and what we do. 16 In a nutshell, I think one of the reasons why we 17 were selected for this is Zantaz is an outsource service 18 provider and where we spend almost all our time is on Wall 19 Street in the financial services community. What they're 20 obligated to do by law under the rules and regulations of 21 the SEC, the NASD, and NYSE is exactly the type of demands 22 it seems like are placed on the DOI right now. 23 To run their business, they are obligated to 24 capture all electronic correspondence, internal electronic 25 correspondence that deals with their business. They are _derson Reposing Company, Inc. I l I l 14th S_eet, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Me_ing August 8, 2002 Washington, DC Page 6 1 also obligated by law to capture all electronic 2 correspondence to any customer, to or from the individual. 3 So in other words, no email can be lost, destroyed, 4 tampered with, or missing under their rules and 5 regulations. That is what they have obligated to do to do 6 business. 7 So what Zantaz does is we provide an outsource 8 service and what we do is, there's two components of what 9 we do mostly. We automatically capture all emails sent to i0 or from any of our customers. Once we capture that, we ii index it, so we keep all the header information, so it's 12 the To, the From, and the attachments, any dates, times. 13 SO that's automatically indexed. 14 We store it, we secure it, and then it's 15 available. Then we archive it. Under the archival 16 component is they are obligated also by law that any email 17 that is captured, you have to be able to retrieve again. 18 You have to prove it's not been tampered with. You have 19 to show an audit record of anyone that's looked at those 20 emails. You have to show the original email. You have to 21 show any kind of attachments. 22 So those are their obligations and that's the 23 type of system we've implemented offsite. The other 24 component is that it has to be a third party. It had to 25 be stored at a third party site, again for the obvious Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washington, DC Page 7 1 reasons. We want to make sure there's absolutely no way 2 you can show this has been tampered with, and you have to 3 have multiple copies. 4 So that's the infrastructure we've put in place. 5 It,s been torture-tested by Wall Street and some of the 6 biggest financial services firms use that to stay in 7 compliance with the SEC, including Salomon, including B of 8 A, including Morgan Stanley. 9 SPECIAL MASTER BALARAN: Arthur Andersen? i0 MR. PRIOR: People have asked us that. ii So those are their obligations. That's what we 12 do. We're an outsource service provider, again, that does 13 that. The reason they like it is you don't come to us and 14 say, can you build this for us, you spend millions of 15 dollars and years later, saying, that's not what we asked 16 for, you're not meeting the requirements, I'm missing this 17 opportunity. 18 So they'll come to us because it's something you 19 can implement immediately. That was one of the 20 attractions the DOI had here. We don't have to test it. 21 It works. We can prove that. We can show the volumes. 22 So that's going forward. How do I capture all 23 of this information? The rules and regulations that 24 they're obligated to live by came into effect a couple of 25 years ago. Some Wall Street firms have implemented them Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washington, DC Page 8 1 better than others, as is demonstrable now on Wall Street. 2 So there are other obligations. As in the case here is, 3 you have an awful lot of email backups. They consider 4 that a way of meeting the obligations. Well, email 5 backups are great because they went with the assumption I 6 never have to find anything of that again, I meet my 7 obligations. But you ask me to find something, it's a 8 nightmare to do. 9 Our system takes those email tapes, we take just i0 the unique messages off them and we store them into, as ii Peter said, a searchable format. So all the emails that 12 have been sent or captured on these tapes we can restore 13 into a searchable archive along with all their 14 attachments, along with all the header information, and 15 along with any email traffic as well. So we can restore _ 16 that into a searchable format that, searching on any 17 criteria, whether it's the header information or any 18 keywords within the body of the text, we can find that for 19 you. 20 So that is what we are proposing in the offer to 21 the Department of Interior, to take both your restored 22 emails, put them on line, unlimited searching, and, moving 23 forward, automatically capture the emails moving forward. 24 The nice thing about this is there's no human intervention 25 on the automatic capture. It's not like I have to have a Alderson Reporting Company, Inc. ! 111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Was_ngton, DC Page 9 1 system admin that's saying each night dump this to tape. 2 It cannot be deleted or destroyed before we capture it 3 because we get a copy of the email as soon as it hits your 4 servers. So there's no way of tampering with it. 5 If a person within here tries to retrieve a 6 record, we keep an audit of that person going after the 7 record. 8 Now, you have access into this archive only by 9 authorized personnel, and it's up to whoever our customers I0 are to say this person has authority to go in and search ii the following. And again, we keep an audit trail of 12 everybody that's done that. 13 So in essence, it's a comprehensive system that 14 meets all the SEC, NASD, NYSE rules and regulations for 15 books and records for electronic correspondence, and 16 that's what we've implemented over time. 17 SPECIAL MASTER BALARAN: It captures cc's and 18 bcc's, etcetera? 19 MR. PRIOR: Cc's, bcc's. The nice thing about 20 it is, some archival systems are like the "Raiders of the 21 Lost Ark": you see them putting the thing in the vault, 22 we know it's there, but we'll never find it again. So the 23 whole idea is we keep any kind of cc, bcc, anything. We 24 keep one copy of the record, but we index everybody that's 25 been copied on that. Alde_on RepoSing Company, Inc. I I 11 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washin_on, DC 20005 Meeting Augu_ 8, 2002 Washington, DC Page 10 1 So if you are cc'ed on something and I wanted to 2 see a "From" Mr. Miller to you, I will see that you were 3 copied on that. So I will pull that back there. 4 The other thing we do, it's not an arduous task 5 to return the documents. We can literally, if it's 6 online, return it to you in seconds. It's not like you 7 give me a request and months later from now we'll see if 8 we can find it. You'll know right away what activity was 9 there. i0 So again, if you store this and you can't find ii it again, you're in a lot of! trouble. 12 We also put it on a non-tamperable device, so 13 you can say, I know I have the original. So it's a very 14 conservative approach we have taken with these Wall Street 15 firms to implement a system that the SEC has never 16 challenged them on, nor has any audit ever been challenged 17 on the applications we have done, because a lot of times, 18 again, our customers will say, I have a huge audit 19 request. You can see what's going on on Wall Street right 20 now. I need the following, I need quick turnaround. We 21 provide that as a service as well. So we're an outsource 22 service provider. 23 The other thing that's going to come up is 24 what's the security behind this. We've been audited by 25 some of the world's largest firms to see what our security Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August8,2002 Washington, DC Page 11 1 measures are, for our accuracy of what we do, and any kind 2 of intrusion into our systems, because I know it's 3 obviously been a sensitive issue around this subject. 4 We also provide quarterly services that audits 5 this as well. So it's a constant approach to both 6 security and integrity of the documents. 7 SPECIAL MASTER BALARAN: Who would be the 8 individuals who will actually have access to the 9 information? Because obviously all of this information is i i0 between attorneys, there's information that applies to ii clients, there's information that will be sensitive in 12 nature. 13 MR. PRIOR: Right. 14 SPECIAL MASTER BALARAN: So who are the people 15 on your end that will actually have access? 16 MR. PRIOR: The way that it's set up and what 17 we'll do, what we want to do, is to give you an 18 introduction of who we are, and Roger Erickson is the Vice 19 President of Services and Support. We can go into how 20 that works, but basically we can go through the security 21 process that we have, who has capability from Zantaz' 22 point of view. The CEO cannot go back there. He doesn't 23 have access into it. 24 Behind here, I've put in what we have for 25 securities policies, procedures, disaster recovery, and Alderson Reporting Company, Inc. ! 111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August8,2002 Wastngton, DC Page 12 1 what our hiring process is. So from Zantaz' perspective, 2 we can put that and we've actually sent to Interior, it's 3 a 52-page document of our security policies and 4 procedures. So that's available, I believe, in the 5 package they sent to you as well for your review. 6 MR. MILLER: Actually, just to jump in, if you 7 look at attachments B, C, and D to the February 20th, 8 2002, letter that was involved on the Zantaz production 9 security policy and also the background verification. i0 MR. PRIOR: We also say we can we can give you ii any audit reports from the people who have done the audits 12 as well. 13 From your perspective it,s going to be who do 14 you want to grant authority to. Now, you may have, 15 typically within our clients you might have the chief 16 compliance officer has authority to review all 17 correspondence, or they might break it down by division or 18 a reviewing authority that has, I can only do the 19 Northeast or I can do a subset. So you can make it 20 discrete applications. 21 So in this case we might say in the BIA only 22 this person has authority, in the Solicitor's Office only 23 this person has authority. But you will have, you can 24 grant overarching authority to an individual or group of 25 individuals in the Department. It comes down to how does Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washington, DC Page 13 1 it best fit your requirements or business. There is no 2 restriction that we place oll it. 3 MR. DEININGER: Just to make another point that 4 Tom had brought up before, so we've got the most 5 conservative banks and brokerage houses, some of the most 6 conservative ones in the world that are customers of ours, 7 that have trusted us with their data and the security is 8 there, and we can show you that the security is all there. 9 But the fact that we not only take their live email and I0 archive it for them for these responses to the audits from II the NASD and the SEC, but also we take those legacy tapes, 12 the same thing that we're talking about here, for firms 13 like Citigroup and Morgan and eTrade, Datek, and it goes 14 on and on, and we store those tapes and put them in. 15 So the only point: I wanted to make is it is our 16 business. That's the only business that we're in. That's 17 what Roger is going to tell you about, how it is that 18 we're going to take care of the tapes of the DOI. 19 MR. PRIOR: Someone said, you're in a small 20 niche. It's a real boring one, but it serves, especially 21 lately, an interesting group. Because of what you've seen 22 on Wall Street, a lot of people did not take their 23 obligations seriously enough and they're actually coming 24 up and saying: restore, restore, restore; we need some 25 help quickly. Alderson Reposing Company, Inc. I l I l 14th Street, N.W. Suite 400 ]-800-FOR-DEPO Washin_on, DC 20005 Meeting August 8, 2002 Was_ngton, DC Page 14 1 So as Curt said, it is a very conservative 2 approach we took. A lot of people look at the SEC rules 3 and regulations and they'll interpret it as loosely as 4 possible, saying, we're meeting their obligations because 5 we have a backup tape, etcetera. We took the most 6 conservative approach, and we can actually give you the 7 rules and regulations that responds to. That's the 8 business that we're in. 9 In looking at the financial nature of this and i0 the requirements to restore vast terabytes upon terabytes ii of information, we have both the capacity and the 12 capability to do that, and it's not like we're saying six 13 months from now we'll have something up and running for 14 you. We can demonstrate it immediately. We actually ran 15 a couple of pilots during the past year to validate the 16 process and everything. 17 MR. DEININGER: Okay. With that -- 18 MR. PRIOR: And he has the expertise that makes 19 it all happen. 20 MR. ERICKSON: Any questions just in general 21 about the type of service we do before I launch into sort 22 of the process? Mark, any questions or whatever? 23 MR. BROWN: No. I'm sure you'll get technical 24 on me. 25 MR. ERICKSON: No, I'm not. I'm not going to Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting • August 8, 2002 Was_ngton, DC Page 15 1 dive into the details. But I think it's useful to kind of 2 understand the process and what we do. 3 Obviously, there's two issues here. One is 4 capturing the live stream. Obviously, one of the reasons 5 why you want to do that is once you start capturing the 6 live stream it takes less of a burden off of doing the 7 backups, because then we will have the live data. We 8 perform daily backups. The data is protected. The key 9 thing is, I think relative to this, is that you want to i0 have one repository that has all the data in :it that can II be searched together. 12 So the solution that we have allows you to take 13 the live stream data, emails that are going on now, go 14 into the electronic vault. What we'll do is we'll take 15 all the backup tapes, go through a process of restoring 16 those tapes to the native environment. We run through a 17 second phase that actually goes through and removes 18 duplicates, because the daily backups typically run almost 19 a 90 percent duplicate rate. There's no reason to go 20 store all of that because they are identical duplicates 21 and the email environments are very good about keeping 22 unique message ID's for the messages. 23 So we simply have a big master index that we 24 keep all of those in. We run all the tapes through them, 25 remove duplicates, and then we funnel that data into our Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washington, DC Page 16 1 digital safe, just the same way we would run live data. 2 So at the end of the day, what you have is the live data, 3 you have the restored data. You can search it all 4 together. 5 Our customers have the ability to perform their 6 own searches or we sometimes: do the audit searches for 7 them if they're more comfortable with doing that. 8 So that's basically the process. There's a 9 whole lot of technology that goes into doing that. What's i0 interesting about our solution is that we can store tens ii of terabytes in a single digital safe and it's almost 12 instantly searchable. So that's why a lot of the firms 13 have come to us now, because we do have this technology 14 that allows -- and actually, if you look at the bottom of 15 the second page, I think that's where you're at, you see 16 the restoration and content search process. 17 That's for the tape restores. But it winds up 18 in the digital safe. What we do is we content-index, as 19 Tom mentioned, the To, the From, the Subject, as well as 20 the body of the email and the attachments. So any text 21 that's imported into the system is searchable. So you can 22 do a content search, you can do time search based on 23 dates. 24 We index both on receive data and sent date. 25 It's amazing how many people -- we get sent dates from Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washington, DC Pagel7 1 email systems about 2,040, so people are definitely 2 planning ahead, I guess. 3 SPECIAL MASTER BAI_RAN: Would you actually 4 bring pieces of equipment over to Interior? 5 MR. ERICKSON: No. This is an outsource 6 service, so all this happens back at Zantaz. We have a 7 data center that's protected. So they route their data to 8 us and all this happens at the Zantaz facility. 9 SPECIAL MASTER BALARAN: How? I0 MR. ERICKSON: In the case of, if it's Lotus II Notes, then we run an agent on their servers that captures 12 the stream. As an email is sent, we basically make a copy 13 of that email and send it through a secure pipe to the 14 Zantaz facilit Y . If it happens to be Exchange, then we 15 use the journaling capability that is inherent in Exchange 16 to create a copy of that to come to us. 17 So we're literally another IP address that the 18 data gets sent to. Everything is copied to us, so we have 19 the secure pipe to do that. 20 MR. CASON: Just a commentary to make sure we're 21 on the same page. As I recall when we had the briefing, 22 you're basically capturing email realtime. As it's being 23 sent, you're siphoning off a copy of it to save, and 24 basically Interior doesn't take any action at all. Just 25 we're doing our normal business and they take a copy off Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting Au_st 8, 2002 Was_ngton, DC Page 18 1 the Internet and save it or off the net and save it. 2 SPECIAL MASTER BALARAN: So they don't notice 3 any difference in the way they do business? 4 MR. ERICKSON: They don't see any difference in 5 their business. We actually, we load very little software 6 on their site. It is an agent that sits on the Note 7 servers, because they're predominantly a Notes operation, 8 Lotus Notes in their facilities. So the agent runs there. 9 They don't even know what's going on. It gets sent to our i0 facility and we're copied on everything. Obviously, part II of the agent's job is to make sure that nothing is missed. 12 SPECIAL MASTER BAI_RAN: Your security measures 13 are documented? 14 MR. ERICKSON: Absolutely, absolutely. There's 15 a summary of all the security measures in the back here. 16 And like Tom mentioned, we go through regularly, quarterly 17 audits, security audits. We bring in outside vendors to 18 conduct these audits. As a trusted third party, that's 19 just a core part of what our business is. 20 SPECIAL MASTER BAI_RAN: Where would I be 21 looking? 22 MR. ERICKSON: Let's see. I don't know -- these 23 pages aren't numbered. I'd say about four pages from the 24 back, five pages from the back. That starts with "Secure 25 People, Trusted Third Party." Alderson Reporting Company, Inc. ! I 11 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washington, DC Pagel9 1 So we do background checks. Everyone in the 2 company has background check:s. We have graduated levels 3 of security. We have a secure data center that uses palm 4 print machines to verify access to that. I don't have 5 access to our data center. Only people that are there to 6 do administrative and backups, etcetera, have access. 7 We have special labs set up for the tape 8 processing. Tapes are kept in a secure fire vault as well 9 as in the secure data center. We have a very elaborate I0 process for logging the tapes, tracking the tapes, and ii then, obviously, ultimately returning them. 12 That's what we do. Then we have, obviously, a 13 lot of different levels of security, graduated levels of 14 security for receiving the live data. We use a secure SSL 15 link to do that. We have firewalls, multiple firewalls 16 actually. 17 The most conservative people use a dedicated 18 line to us. They don't go over a VPN even. So we can 19 handle that however they choose to want to do that. 20 So it really gets down to a cost issue. So we 21 have the secure facility, the secure live link process. 22 From the system design standpoint, obviously, you have to 23 address the security from that. Each customer's data is 24 kept on physically separate devices, so that the same 25 storage device does not store DOI data with Citigroup Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washington, DC Page 20 1 data. So everything is physically separated. 2 It's all administered together. We make backups 3 on a regular basis. Those backups are stored off site, 4 once again usually in usually an ISO-9000 certified 5 facility. So that's kind of the way the process works. 6 MR. BROWN: How many dedicated lines are you 7 having going to Interior? 8 MR. ERICKSON: I don't recall. Hord, do you 9 know what the configuration for the lines, the physical I0 lines being sent off for servers? II MR. TIPTON: Dedicated? I'm not sure in what 12 sense. 13 MR. ERICKSON: Well, what is the configuration 14 of the communication lines coming into Zantaz? 15 MR. TIPTON: Right now we have a number of T-I 16 lines going, anywhere from Denver to Portland back to 17 Washington. I'm not sure exactly how you folks are 18 planning on setting it up. 19 MR. BROWN: You're talking about from a security 20 standpoint. The best security is dedicated, so I assume 21 we've got dedicated; is that right? 22 MR. TIPTON: Dedicated to Zantaz? 23 MR. BROWN: It was your word. I assume that's 24 what you were talking about. 25 MR. ERICKSON: That is the most fail-safe, Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washington, DC Page 21 t there's no question. I actually don't recall what the -- 2 13 MR. DEININGER: I think what we're looking at is 4 a VPN, virtual private network, if I'm not mistaken; is 5 that right? 6 MR. TIPTON: That was my understanding. 7 MR. BROWN: Okay. Are we taking lines from 8 every field office, headquarters? How are we doing that? 9 MR. ERICKSON: Correct, it's going to come from 10 each bureau. Each bureau that has servers will have their li own connection to Zantaz. So it's not going to go from 12 Interior to a central location within the DOI, then to us. ii3 It'll come right off the servers. The active production 14 servers at each bureau is going to send information to 15 Zantaz. 16 MR. BROWN: Are you able to strip the non-unique i? message? If somebody in one part of the country sends an 18 email to somebody in the other, it'll go through two i9 servers and you'll strip that? "20 MR. ERICKSON: Absolutely, absolutely. There is iii one master index for all data coming into the DOI project ,_2 that the messages will be checked against. 2_ MR. DEININGER: And it will still be indexed. 24 If somebody sends it out to 50 people, it's still indexed 25 to all 50, but it's actually one copy. Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Was_n_on, DC Page 22 1 SPECIAL MASTER BALARAN: Who supplies you the 2 architecture so you know where to start stripping these 3 from? 4 MR. ERICKSON: We actually developed it 5 ourselves. Zantaz is a venture-funded firm and spent tens 6 of millions of dollars on this, on the product that we 7 use. 8 SPECIAL MASTER BAI_RAN: I'm sorry, I meant the 9 architecture for Interior. I0 MR. ERICKSON: Oh, I see, I'm sorry. The ii architecture for Interior as far as their email system? 12 SPECIAL MASTER BAI_RAN: Uh-hmm. 13 MR. PRIOR: We did[ an assessment earlier in the 14 year just to quantify and try to qualify the amount of 15 traffic, expected traffic. We talked to all the different 16 bureaus about the configuration setup. So we got an 17 initial estimate of where the volume is, where the central 18 points of contact are. 19 Part of the implementation -- and that's part of 20 the proposal -- is during the implementation we flesh that 21 out into the exact detail of how the content will get 22 there, from what bureaus, from where. That's part of the 23 cost of implementation. 24 SPECIAL MASTER BAI_RAN: I don't know that I 25 understand you, I'm sorry. Are you saying that basically Alderson Reporting Company, Inc. 11 I1 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washington, DC Page 23 1 you estimate based on what you think the highest volume is 2 and you focus on those sources? 3 MR. PRIOR: No. What we did, we did several 4 months ago, is we sent out questionnaires to all the 5 different bureaus on their email traffic, the type of 6 email they're on, whether it's Exchange, whether it's 7 Notes, how many servers you have, and we estimated the 8 volume to expect from each bureau. 9 SPECIAL MASTER BALARAN: Did you ask any I0 questions about the content of the email? Ii MR. PRIOR: No, no, just strictly from the 12 traffic point of view because what we do, as Roger said, 13 we set up a repository back there. We have to define 14 enough space that we're going to capture that correctly. 15 SPECIAL MASTER BALARAN: And who did you send 16 these out to? 17 MR. PRIOR: The email administrators. 18 MR. DEININGER: Through the individual bureau 19 CIO's, right? 20 MR. PRIOR: It went through DOI and they 21 distributed it that way, but it's basically an estimate of 22 traffic. 23 MR. BROWN: How many questionnaires did you get 24 back? 25 MS. McCARTHY: All of them. Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Was_ngton, DC Page 24 1 MR. PRIOR: I think we sent them out to eight 2 bureaus. Again, it was to estimate the volume, and then 3 as part of the implementation it would be to actually go 4 back to these sites and look at their configuration, what 5 kind of server they are, how many, stuff like that. We 6 have not gone to that detail. It was more to do estimates 7 at this point. 8 MR. MILLER: This is probably a good point to 9 just clarify, as we stated I think in a February 20th i0 letter, that Interior has identified designated offices ii that they're going to do this email archive in and 12 implement it in. That's the Office of the Solicitor, BIA, 13 Office of the Special Trustee, Office of Historical Trust 14 Accounting, Minerals Management Service, Bureau of Land 15 Management, Office of the Secretary, Office of the _ 16 Assistant Secretary for Indian Affairs, Office of Hearings 17 and Appeals, and Office of the Assistant Secretary for 18 Policy and Management and Budget. 19 Those offices were selected on the basis that 20 they were the ones that had been directly involved with 21 the issues and they've been sort of the target for the 22 production requests to date. 23 SPECIAL MASTER BALARAN: So there was a 24 decision, for instance, not to put in the Office of 25 Surface Mining? Alderson Reporting Company, Inc. I 111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Was_ngton, DC Page 25 1 MR. MILLER: Correct. The offices that are, the 2 phrase that we've used is, below the line are Bureau of 3 Reclamation, Fish and Wildlife, National Business Center, 4 National Park Service, OSM, and the U.S. Geological 5 Survey. 6 SPECIAL MASTER BAI_ARAN: When you say "below the 7 line," what were the criteria you used? 8 MR. MILLER: The criteria was the determination 9 about the offices that were most likely to have the high I0 volume of traffic and where the production was directed, II the production requests were directed. 12 SPECIAL MASTER BAI_RAN: Well_ the volume of 13 traffic or the substance of the traffic? 14 MR. MILLER: Both. I mean, the substance in 15 terms of relating to the Cobel litigation. 16 MR. BROWN: So the parameters of that are geared 17 to what the production requests have been? 18 MR. MILLER: Primarily, and also the offices 19 that Interior had determined to be directly involved in 20 the trust activities. 21 SPECIAL MASTER BAI_RAN: Does this somehow at 22 all get into begging the question as to what Indian trust 23 data is? That gets me nervous. 24 MR. MILLER: Well, we've been focusing on the 25 email traffic and the production requests, so I don't know Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August8,2002 Washington, DC Page 26 1 that we're begging the question about Indian trust data. 2 SPECIAL MASTER BALARAN: Well, when you say that 3 may have any bearing on the Cobel litigation, that's why 4 I'm asking. I mean, if there's traffic about that that 5 has to do with Indian trust data, then it's inferentially 6 directly related to the Cobel litigation; would you agree? 7 MR. MILLER: Correct. 8 SPECIAL MASTER BALARAN: Then I would say you 9 need to have that criteria established before you made a i0 decision if something is above the line or below the line. ii MS. McCARTHY: We were looking to the bureaus in 12 the Department that carry out the trust responsibility, 13 and a good place to start is the 1994 Trust Reform Act, 14 which identifies what Congress considered to be the 15 relevant bureaus. We've added to that based on our 16 experience in the case and our responses to document 17 production requests. We have to start somewhere. 18 SPECIAL MASTER BAI_RAN: Oh, no, I wasn't 19 critical. I just wanted to know what criteria was being 20 employed. 21 Just trying to give you more work. 22 (Laughter.) 23 MR. ERICKSON: We'll take it wherever we can get 24 it. 25 I don't know what else to add as far as detail. Alderson Reporting Company, Ine. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August8,2002 Washington, DC Page 27 1 If you have any questions about the security of the 2 service or whatever, I'd be happy to address it. 3 SPECIAL MASTER BALARAN: I think what I'd like 4 to do is perhaps have somebody who's helping me with the 5 security issues contact you with any specific questions 6 they may have. They can speak whatever language is to be 7 spoken and ask the specific questions in the dialect and 8 they can get the answers they want from you. So why don't 9 I do it that way. I'm perfectly satisfied with that. I0 MR. ERICKSON: Sure. II MR. CASON: Are you thinking of the IBM guys? 12 SPECIAL MASTER BALARAN: Yes, that's what I was 13 thinking of, is have them contact whoever your security 14 guy is. 15 MR. ERICKSON: They can contact me, and if I 16 can't answer the questions I'll make sure that they find 17 the right person to do that. 18 MR. BROWN: Let me ask you some questions, or 19 were you about to pass this to someone else? 20 MR. ERICKSON: No, quite all right. 21 MR. BROWN: Okay, let me ask you a couple 22 questions. What is your definition of a unique message? 23 MR. ERICKSON: A message that has a unique ID; 24 within the messaging servers, that when you create a copy 25 of a message or copy different people it will have the Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 o Meeting August 8, 2002 Washington, DC Page 28 1 same message ID that goes out. 2 MR. BROWN: Let's just say I'm sending a message 3 to somebody and they reply and in their reply they -- in 4 their reply the message replied to is also in it. Are 5 those two unique messages? 6 MR. ERICKSON: Yes:. 7 MR. BROWN: So really, even though you're taking 8 out duplicates, in many cases the same paragraph of text 9 is repeated? I0 MR. ERICKSON: Oh, absolutely. When you build Ii an email message thread, that thread is going to be 12 captured every time there's new content added. 13 SPECIAL MASTER BALARAN: That's because it's 14 captured in real time. 15 MR. ERICKSON: Yes. 16 SPECIAL MASTER BALARAN: That makes sense. 17 MR. PRIOR: It's a new message. 18 MR. ERICKSON: Right. 19 MR. BROWN: Is there any information, electronic 20 information, that is not captured by your system? 21 MR. ERICKSON: No. Actually, we go to great 22 lengths -- actually, in Exchange and Lotus Notes there's a 23 bunch of header fields that are not exposed to users, and 24 we go to great lengths to capture as many of those that 25 are documented. So there's actually quite a bit of Alderson RepoSing Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Was_ngton, DC Page 29 1 information there that people never look at that's 2 actually still part of the retained message. 3 SPECIAL MASTER BAI_RAN: How about attachments? 4 Do you capture those as well.? 5 MR. ERICKSON: Absolutely. 6 SPECIAL MASTER BAI_RAN: No matter how many 7 times they may through? 8 MR. ERICKSON: That's right. In fact, if it's a 9 text attachment or a standard Office document, those get I0 text-indexed as well, so they're searchable right along II with the email text. Obviously, if someone sends like a 12 PowerPoint the only thing that gets caught out of that is 13 the text. We're not doing imagery or anything like that. 14 MR. DEININGER: From a reporting standpoint, we 15 can track that individual message all the way back to the 16 tape that it was restored from, so for any tracking 17 purposes. 18 SPECIAL MASTER BALARAN: Have you ever done this 19 for anybody in a litigation context? 20 MR. DEININGER: Really, all of our customers 21 that have audits through the SEC, it's for some type of - 22 23 MR. ERICKSON: Responding to a subpoena. 24 SPECIAL MASTER BALARAN: I see. 25 MR. PRIOR: So we'll restore the tapes, we'll Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 WasNngt0n, DC Page 30 1 search them for them, and we send it back to them. Then 2 obviously it's up to their ].awyers to decide. We never 3 know the final disposition, either the content or what 4 happens to it. It's usually an urgent request of some 5 sort. 6 SPECIAL MASTER BAI_RAN: Have you ever been 7 subpoenaed to explain the process that you use? 8 MR. ERICKSON: Not: yet. 9 MR. PRIOR: I don't think so, no. : I0 MR. DEININGER: So with the downturn, obviously, ii in the market and all the class action suits and things 12 going on, you can imagine how busy we are and the system 13 is as far as bringing those results back. So it's gotten 14 a lot of use lately particularly. 15 MR. BROWN: You said that you capture a lot of 16 what wasn't visible. Is the:re some you don't capture, 17 though, in the Lotus Notes headers? 18 MR. ERICKSON: I don't know of any fields that 19 we don't capture. 20 MR. BROWN: Is there a way to link -- so I take 21 it you will be able to recreate a trail of a message even 22 if it replies to a message and the text in the original 23 message is not reproduced in the reply? Is that true? Is 24 that clear? 25 MR. ERICKSON: I don't think I follow. Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting AuguS 8, 2002 Washington, DC Page 31 1 MR. BROWN: Okay. Sometimes people will reply 2 to a message and the text of[ the original message is not 3 included. 4 MR. ERICKSON: Right. 5 MR. BROWN: I assume you can recreate those 6 trails? 7 MR. ERICKSON: Oh, create links all the way back 8 through? 9 MR. BROWN: Yes. i0 MR. ERICKSON: Actually, creating the links is ii not part of the system capability today. It's probably a 12 good idea, but that's not what the system does today. 13 MR. DEININGER: However, if you did a search, 14 obviously, whether it was a keyword search or you're 15 searching for a person in the To or From field, obviously 16 you would still pull back those messages. So if you're 17 looking for all the messages from John Jones to Frank 18 Samuels, you'd be able to search all those and all those 19 messages would come back whether or not he kept the 20 original text in that it responded to. 21 If you think about the way people use the 22 system, obviously, if they're going to reply it's 23 automatic that the original text is in there. 24 MR. BROWN: It is automatic, but people have 25 replied to me automatically and as I'm sitting here I Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August8,2002 Washington, DC Page 32 1 wonder how they did that, because the header is the same, 2 the title, the "Re" line, is the same. 3 SPECIAL MASTER BALARAN: You erase what's there 4 if you don't want to send an entire document every time. 5 MR. PRIOR: You can erase that, but that 6 original document is still there. As Curt said, I can go 7 back and say, you're referring to that one. That never 8 disappears. And since he erased it, that's a new email 9 anyway and we capture that again as a To or From. i0 MR. BROWN: Does Lotus or some original email II system have an ability to produce those links? In other 12 words, are you somehow erasing those links in the process 13 of putting it in the system? 14 MR. ERICKSON: No, you're not erasing any links. 15 You know, I don't know what links Lotus keeps in there. I 16 know that there's some technology to try and create 17 linkages out of that. But you see, part of the issue is 18 that we're -- as a trusted third party, we don't open the 19 emails, we don't evaluate the content. We just store the 20 original. That's our mandate, is to store the original, 21 non-tampered with, non-additive, non-anything. 22 So we sort of bent over backwards to make sure 23 that that is the case. So you're not interrogating data, 24 even within the header, to create additional information 25 out of that. So we don't do that. Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August8,2002 Washington, DC Page 33 1 MR. BROWN: How long does it take to restore a 2 tape? 3 MR. ERICKSON: That's a good question. There's 4 really three main variables. One is the amount of data 5 that's on the tape. Backups range from typically 5 6 gigabytes as high as 50 or 60 gigabytes. So lit depends on 7 the tape media used. 8 The DOI has at least four different backup 9 technologies that were used as part of the original. So I0 if it's 8-millimeter tape, that's slower than DLT. II SPECIAL MASTER BAIaARAN: You're referring to the 12 restoration process? 13 MR. ERICKSON: Yes, I'm talking about the 14 restoration. 15 SPECIAL MASTER BAL_RAN: Were you asking about 16 the restoration? 17 MR. BROWN: I was. 18 MR. ERICKSON: Just the short answer, anywhere 19 from a half an hour to six hlours is typical to do a 20 restoration of a tape. 21 MR. BROWN: Can you restore off any what we'll 22 call original proprietary system? 23 MR. ERICKSON: Yes. Typically what happens is 24 the people that conducted the backups -- there's a lot of 25 cases the backup software has been discontinued. We have Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting Augur8,2002 Washington, DC Page 34 1 mechanisms to go get that. We haven't found a situation 2 yet that we can't acquire the software or acquire the 3 media to read it. 4 MR. BROWN: Have you looked at each of the -- 5 what are we going to call them -- proprietary systems, is 6 that the word that we should use, the existing systems? 7 MR. ERICKSON: I don't think it's proprietary. 8 I just think it's legacy, I think is probably a better 9 term. i0 MR. BROWN: Have you looked at all the legacy - II - or how many different legacy email systems does Interior 12 use right now? 13 MR. ERICKSON: Well, there was, was it Ernst & 14 Young, I guess -- 15 MR. DEININGER: Right. 16 MR. ERICKSON: -- conducted the survey and there 17 was, I think as I recall, four, possibly five. It's hard 18 to tell from the samples that we have. But we processed, 19 I think we had approximately 40 tapes that were given to 20 us as samples. We processed all of those. Those were the 21 variations that we saw, and it all seemed to be 22 manageable. 23 MR. DEININGER: So they took a sample of each 24 one of the various formats and sent those to us that we 25 restored to make sure that there wasn't an issue. Alderson Reporting Company, Inc. 11 ! 1 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washington, DC Page 35 1 MR. BROWN: Is it my understanding that as you 2 sit here you're not sure how many legacy systems you're 3 going to have to take data from? 4 MR. ERICKSON: Well, what I'll say is this: that 5 even though there was a, I don't know, a review of the 6 process, if we're going to process II,000 tapes we're 7 going to see some stuff that we didn't anticipate. That's 8 just a fact of life when you're doing restorations of 9 backups that occurred over multiple years. That's just I0 the way it is. It happens every time. ii What you do is we go through about a three-step 12 process to try and recover the tape. We have some 13 forensics we use to try and read it. If it's non-readable 14 then what we've agreed with the DOI is that we'll return 15 it to them and maybe they can -- then a decision can be 16 made to try it themselves or possibly to send it out to a 17 forensics company that that's what they do on a regular 18 basis, is recover data from, quote, "unreadable" media. 19 MR. BROWN: So there are some tapes you suspect 20 may not be restored, at least in the first wave? 21 MR. ERICKSON: I suspect that there will be some 22 tapes that we will not be able to restore with our 23 standard process. 24 MR. BROWN: How many legacy systems -- 25 forgetting the backup tape issue, just in terms of ongoing Alderson Reporting Company, Inc. 1 ! 11 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Was_ngton, DC Page 36 1 email, how many legacy systems are operational[ at Interior 2 right now that you're going to deal with? 3 MR. ERICKSON: There's Lotus Notes, there's 4 Exchange -- there's three, and some CC Mail. 5 MR. BROWN: Are you comfortable -- do you need 6 to alter the interface of your software with Interior's 7 three systems in any way because there are three different 8 systems as opposed to one? 9 MR. ERICKSON: No, we handle all that already. I0 MR. BROWN: So you're taking all the information II off of those systems, even though they're different? 12 MR. ERICKSON: Disparate, correct. 13 MR. DEININGER: So when you think about it, 14 there's really three variables. There's the type of email 15 software that they use, there's the type of backup 16 software that they're restoring it onto the tapes, and 17 then there's the different formats of the actual tapes. 18 So those are the three variables, and we've seen that at 19 other companies, where they'll change backup software one 20 year over the next and they'll change the type of tapes 21 that they use one year over the next. 22 So there's a number of different variables and 23 we work with those in our current clients. 24 MR. BROWN: Do one of these three legacy systems 25 save more data, headers, whatever you want to call it, Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washington, DC Page 37 1 than any other? 2 MR. ERICKSON: They all work differently. 3 There's different fields that are contained within an 4 Exchange server versus Lotus Notes. They're all different 5 is what I can tell you. 6 MR. BROWN: So some of them save different 7 amounts of information than another? 8 MR. ERICKSON: Yes. They all save different, 9 especially internal fields. Internal statistics, routing i0 things, it's all different. Now, fortunately there are ii standards for the critical fields, like To, From, and 12 things like that. I would say most of the fields are the 13 same, but there are some different fields in every email 14 package. 15 MR. BROWN: And are you telling us you're 16 saving, even though they're disparate fields, you're 17 saving every field in each of those programs? 18 MR. ERICKSON: Correct. Everything that comes 19 to us we have the ability to save and we do. 20 MR. BROWN: Well now, that's a different issue, 21 isn't it? 22 MR. ERICKSON: What's that? 23 MR. BROWN: You're saying everything that comes 24 to you. I assume something can be lost in the translation 25 or the "coming" process, right? Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Was_ngton, DC Page 38 1 MR. ERICKSON: Only if you use a non-generic 2 environment to their environment to send it. If you 3 translate it into a different format, then you could lose 4 something. But we're not translating. You're speaking of 5 the live email, right? 6 MR. BROWN: Yes. 7 MR. ERICKSON: It gets forwarded in its native 8 environment to us, so anything that would be sent to any 9 other system, it comes to us: in that form. I0 MR. BROWN: So based on that statement, you're II comfortable saying that you're saving every field? 12 MR. ERICKSON: Right. 13 MR. BROWN: Okay. Final question: You'll allow 14 Boullean searches? 15 MR. ERICKSON: Absolutely. 16 MR. BROWN: Okay. Is there anything not 17 searchable? I understand PowerPoint presentations, but in 18 terms of text is there anything notsearchable? 19 MR. ERICKSON: No. 20 (Pause.) 21 MR. MILLER: Any other questions? 22 MR. BROWN: No. 23 MR. MILLER: If not, I have to put my lawyer hat 24 back on for two seconds at least and cover just a couple 25 of additional issues. Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 120005 Meeting August 8, 2002 Washington, DC Page 39 1 SPECIAL MASTER BALARAN: What hat did you have 2 on? 3 MR. MILLER: I was trying to stay away from 4 things entirely. 5 The first issue is that this is going to be a 6 new system of records and Interior has made a 7 determination that this is potentially a Privacy Act 8 system of records because of the search capability that 9 Mark and Roger were just talking about, that can be I0 searched by name, and therefore it requires public notice ii and allowing a period for comment for the system itself to 12 be implemented. 13 The Privacy Act notice has been published on 14 July 12th. The notice and comment period closes on August 15 23rd if OMB approves the request to expedite it for A-130 16 purposes; and if they don't ,approve that expedited 17 treatment the period will close on September 9th. So far, 18 as I understand it no negative comments or any comments 19 have been received regarding the new system, and if that 20 continues then obviously the Privacy Act is not an issue 21 for purposes of implementing the system. However, if 22 comments are received that may change things. 23 The second legal issue is that this is being run 24 as a sole source procurement and Interior has done its 25 internal due diligence to support and justify that opinion Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting Augu_ 8, 2002 Was_n_on, DC Page 40 1 feels very comfortable that that's the correct way to 2 proceed. Again, we haven't received any chal_Lenges, but 3 there's a possibility that a competitor or somebody else 4 could assert a challenge, and that would obviously affect 5 the ability to implement. 6 SPECIAL MASTER BALARAN: And the justification 7 given? 8 MR. MILLER: The justification was primarily in 9 response to litigation. i0 MS. LAWRENCE: And an urgent need. ii MR. MILLER: And an urgent need to implement. 12 It's a fairly established way to do it and didn't raise 13 any red flags on our end. 14 Then there are two sort of cost considerations. 15 As I said at the outset, this is a fairly expensive 16 process for Interior. If in the result of getting formal 17 approval for this process the scope of work changes 18 significantly, that could have an impact on how 19 implementation goes forward. 20 SPECIAL MASTER BALARAN: What does that mean? 21 How would the scope of work change? 22 MR. MILLER: Well, if for example in the 23 discussions it becomes necessary to do more than what's 24 been described here or substantially more than. what's been 25 described here and that cost component is something that Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August8,2002 Washington, DC Page 41 1 has a very high level for Interior and a very up-front 2 level for Interior in terms of the additional financing 3 that would be required, that. could affect the ability to 4 finalize the contract because of the Anti-Deficiency Act. 5 So that's one of the concerns that's present. 6 The second concern that Hord asked me to just 7 flag is in terms of being able to obligate the funds for 8 this there's a real advantage to being able to do it 9 before fiscal year 2002 closes if everyone's in agreement I0 that this is something that makes sense to go forward ii with, and that would require finalizing the contract in 12 September, is that right? 13 MR. TIPTON: No later than mid-September. 14 MR. MILLER: No later than mid-September. I 15 think what we'd like to do is address any concerns that 16 you have and that Mr. Brown and counsel for the Plaintiffs 17 have as quickly as possible 18 SPECIAL MASTER BALARAN: When can you get a 19 motion? 20 MR. MILLER: We can get a motion to you early 21 next week and start the clock ticking. 22 SPECIAL MASTER BALARAN: Why don't we do that, 23 and we'll get a ten-day response and a five-day reply, and 24 have an answer right away. 25 MR. MILLER: Okay. Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August8,2002 Washington, DC Page 42 1 MR. BROWN: That's fine. 2 MR. MILLER: Then the final piece is, as we 3 discussed at the outset, the motion will have both the 4 restoration and realtime capture component, and then it 5 will also have a request that Interior be relieved of the 6 obligation to continue retaining its own email backup 7 tapes, for the reason that Roger and Tom have talked 8 about, which is that the backup is going to start being 9 done -- I0 SPECIAL MASTER BALARAN: Is superfluous. II MR. MILLER: -- by Zantaz once we get to that 12 step in the process. 13 SPECIAL MASTER BALARAN: Will that save you 14 money? So then you factor that in as well, the cost- 15 cutting. 16 MR. MILLER: Yes. And if that doesn't work, 17 that would be something that would substantially impair 18 the ability to go forward. 19 MR. TIPTON: We will still have to maintain 20 backup tapes just for the systems, operating systems 21 themselves. But we wouldn't: be doing it at near this 22 frequency. 23 MS. McCARTHY: And we wouldn't have to store 24 them indefinitely, keep buying new ones. 25 MR. TIPTON: We normally copy over those every Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washington, DC Page 43 1 three months. 2 SPECIAL MASTER BALARAN: And you store them 3 indefinitely, correct? 4 MR. PRIOR: Yes. 5 SPECIAL MASTER BALARAN: So that's on their 6 heads. 7 MR. BROWN: As long as they're paid. 8 MR. DEININGER: That's right. I like this guy. 9 MR. BROWN: Follow the memory, right? i0 MR. MILLER: That is all that was on my list. I ii don't know if there's anything anybody would like to add 12 in questions. There are a lot of details. 13 SPECIAL MASTER BALARAN: Is the contract that 14 we're talking about something that will actually go on in 15 perpetuity if you figure this out, because obviously if 16 this is a contract that ends in two years it begs a lot of 17 questions, especially if you stop implementing your 18 systems, if you're holding onto tapes, etcetera. What 19 happens to this process if tlhey don't have the contract 20 forever? 21 MR. TIPTON: We're trying to address it and 22 implement it as a practical email management system, which 23 admittedly is better than what we have now. It gives us 24 the ability at any time to go back and to search for 25 whatever type of thing we want, whether it be a FOIA Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 o Meeting August 8, 2002 Washington, DC Page 44 1 request or what have you. We've discussed with Zantaz the 2 normal procedural limit of time to keep the captured email 3 live, for example. 4 We settled on a period of years that: we would 5 keep it live and searchable, and after that point to cut 6 the costs back we would archive that to DLT tapes 7 indefinitely. If it were not a subject of the court 8 thing, then you would have your normal record disposition 9 procedures to deal with. But seeing this is special, at i0 this point nothing goes away except keeping it: live, which II is really the expensive part of the operation. 12 So we would try to manage it in such a way that 13 we get the most utility out of it. 14 MR. MILLER: I guess to add to that, it's 15 important to say that when we talk about taking it live 16 and putting it onto DLT that would still be searchable. 17 It's simply making it one remove 18 MR. PRIOR: And we still maintain the security. 19 SPECIAL MASTER BALARAN: You're really replacing 20 the entire system so that it never goes back to you again. 21 That's the intent, it never goes back to Interior's hands. 22 MR. MILLER: Except in response to searches. 23 MR. BROWN: Are DLT tapes searchable by common 24 nonproprietary programs? 25 MR. ERICKSON: You restore them. You restore Alderson Reporting Company, Inc. I 111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Was_ngton, DC Page 45 1 the DLT tape to an environment and then you can search it. 2 SPECIAL MASTER BAI_RAN: The same way you would 3 search it if they were live? 4 MR. ERICKSON: Yes, once you restore it. You 5 don't search it off the tape. 6 MR. PRIOR: It goes back into our archival 7 system. We back it up from our archival system if you 8 want to load them again and restore it into the Zantaz 9 archival system. i0 SPECIAL MASTER BAI_RAN: Oh, I understand why Ii you guys are paid. It's searchable. My question really 12 is, let's say your contract ends and you have a room full 13 of tapes. What can someone intelligent do with those? 14 MR. ERICKSON: All the tapes are stored in 15 standard format, so they can be restored into -- for 16 example, if it's a Lotus Notes email, they can restore 17 that into a Notes environment, import it. They can import 18 it to Exchange or whatever environment. Each of those 19 environments have search capabilities built into it. 20 SPECIAL MASTER BALARAN: So if you guys are not 21 in business in five years, it's not dependent upon you? 22 MR. ERICKSON: No. 23 MR. MILLER: In fact, I think the draft 24 statement of work specifically says that if anything 25 happens to change the relationship Zantaz will return all Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washin_on, DC Page 46 1 the tapes and information to Interior in any format it 2 requests. 3 SPECIAL MASTER BALARAN: And you can attach the 4 statement of work to your motion? 5 MR. MILLER: We can attach the draft that we 6 have. There are some ongoing issues, but we will include 7 that with the motion. 8 SPECIAL MASTER BAL_RAN: Okay. 9 MR. TIPTON: The nice thing about the DLT tapes i0 is once they're stored they're stored sort of by bureau, ii indexed, and very easily searchable at that point, which 12 is a capability we don't have right now. 13 MR. DEININGER: So if you think about it, there 14 will be multiple copies. There will be the tapes that DOI 15 has sent to us and those will remain tapes with the data 16 on it. 17 MR. BROWN: You're just talking about the 18 archival, right? 19 MR. DEININGER: Yes, the archival tapes, right. 20 MR. BROWN: We're really talking about live, I 21 think. 22 MR. DEININGER: Okay. Then they'll be on 23 magnetic media for quick searching. There will be a quick 24 copy of the information and then we'll, after that's done, 25 we'll back those up onto these DLT tapes. Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washington, DC Page 47 1 MR. BROWN: So are you suggesting at the end of 2 the contract that the input tapes will be given to the 3 client? 4 MR. DEININGER: The DLT tapes that we back up 5 from? 6 MR. ERICKSON: The tapes that we receive from 7 DOI? 8 MR. BROWN: Let's just talk about live email. 9 You're getting it. I0 MR. ERICKSON: Electronically. Ii MR. BROWN: Electronically, so there's no tapes, 12 right? 13 MR. ERICKSON: Right. 14 MR. BROWN: And at the end of the contract you 15 back it up. Well, before that, but at the end of the 16 contract they're given DLT tapes. 17 MR. ERICKSON: At the end of the contract if 18 they would like their tapes back they can request them 19 back, as they said, or they can request them back as being 20 exported to a Notes environment or an Exchange 21 environment, however they'd like. 22 MR. BROWN: As they sit they are worthless to 23 anyone unless they hire you, is that right? 24 MR. ERICKSON: That's not true, that's not true. 25 The original emails are what are backed up on those tapes. Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting Aught 8, 2002 Was_ngton, DC Page 48 1 So there is some information on those tapes, on the 2 backups, that other people would not be interested in. 3 But the original emails are restorable into any email 4 environment off of those backups. 5 The backups we do are generic, such that if you 6 use the restore facility into any common email environment 7 you can restore those originals back into the environment. 8 If you look at any backup tape, it has information on 9 there beyond the email backup. It'll have other things, I0 other files. So the way we do our backups is we make sure Ii that the backup of the original emails are generic so that 12 they can be imported by any other generic restore 13 facility. 14 MR. BROWN: So if I'm understanding you 15 correctly, you will give the client back the DLT tapes? 16 MR. ERICKSON: DLT, right. 17 MR. BROWN: DLT tapes, in a format that they can 18 then convert into notes, or you can convert it into notes 19 for them for an additional fee? 20 MR. ERICKSON: Absolutely. 21 MR. BROWN: Okay. Once they go back into the 22 notes format, no matter who converts them, are you 23 confident that all the information that you've taken from 24 Notes into your system and now have backed out: again and 25 restored back to notes is still there? Alderson Reponfing Company, Inc. } l I l 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washington, DC Page 49 1 MR. ERICKSON: Absolutely. 2 MR. BROWN: So every one of the three, for the 3 three legacy systems, every one of the fields and 4 informations that you've told me before is preserved, 5 you're now telling me can be returned by a competent 6 technician? 7 MR. ERICKSON: Correct. 8 MR. TIPTON: It's our intent on the contract 9 that once they go to DLT, whether they be the restored I0 tapes that we hold live for a while while the searches are ii conducted or whether it's live email that is archived over 12 after three years, that there will be opportunities or 13 possibilities of additional searches wanted on those 14 tapes. So as part of our estimate of our operating cost, 15 we estimate that there will be a number of searches, in 16 which they have to go back and load those tapes, which we 17 would ask them the do. We wouldn't be doing it. 18 But we were trying to hold them live for a 19 reasonable period of time to avoid that because there's 20 more expensive involved if they go back and have to charge 21 us 150 bucks an hour or whatever to load the tapes back 22 and then do the searches after they've restored them. 23 But it wasn't our intent to pull the tapes back 24 into Interior to do our own searches on the DLT. 25 MR. BROWN: If this works as we've just Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-]zOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washington, DC Page 50 1 discussed, what advantages do you offer over your 2 competitors? I assume your software is better and more 3 searchable while it's on your system; is that basically 4 what we're talking about? 5 MR. ERICKSON: It's very fast, right; and it's a 6 scalable environment, multiprocessed environment, to get 7 the speed. It's actually speed of storage as well as 8 speed of retrieval and volume. There are certainly some 9 advantages there. I0 The other thing that's interesting about the ii backup, for example, is we use blade technology, so each 12 one of the cells that stores the data manages only I00 13 gigabytes of data. So when we back that up, we can back 14 up that i00 gigabyte piece that has the full index on it, 15 which is the expensive part to create to do searching. So 16 when we do the backup, we'll back up the whole entity as 17 one, so we can actually restore that very quickly into a 18 new cell and begin searching very quickly because we don't 19 have to go back and re-index anything. Once that index is 20 built, we want to preserve it, which is how you search the 21 cell. 22 The advantages we have, if we give the tapes 23 back to DOI they could give that to someone else. They 24 could read the emails. But they would have to create an 25 index because they're not going to use our index to do Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washington, DC Page 51 1 that probably, whereas we could restore the whole thing 2 and start searching in a couple hours and, bingo, you're 3 right back on line. 4 So that would be the only advantage. 5 MR. DEININGER: Another thing is the 6 infrastructure that we have to go ahead and restore these. 7 When DOE originally started looking for a solution to be 8 able to do this, there were in house or people that came 9 to them with an in-house solution that would require them i0 people time and hardware, software to go ahead and build ii this thing in house. 12 That's one of the things, is that they decided 13 that they didn't want to take on that additional burden of 14 having to do that in-house. And the fact that: we serve as 15 a trusted third party for several of the large financial 16 services companies was another attractive piece. Not a 17 lot of people have an extra 20 terabytes of disk space 18 sitting around that they could restore all this 19 information to and then be able to do the searches 20 against. That's another one of the things that we offer. 21 SPECIAL MASTER BALARAN: Okay. 22 MR. MILLER: Thank you all very much. We 23 appreciate it. 24 SPECIAL MASTER BALARAN: Thank you for your 25 time. Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 Meeting August 8, 2002 Washington, DC Page 52 1 (Whereupon, at 3:14 p.m., the meeting was 2 adjourned. ) 3 4 5 6 7 8 9 I0 ii 12 13 14 15 16 17 18 19 2O 21 22 23 24 25 Alderson Reporting Company, Inc. 1111 14th Street, N.W. Suite 400 1-800-FOR-DEPO Washington, DC 20005 [_" CERTIFICATE OF REPORTER I, MARK T. EGAN, CVR-CM, hereby certify that I am the official court reporter who reported to the best of my ability and thereafter reduced to typewriting under my direction the proceedings in the foregoing matter. That I am neither counsel for, related to, nor employed by any of the parties to this matter. I further certify that I am not a relative nor employee of any attorney or counsel employed by the parties thereto, nor financially or otherwise interested in the outcome of this matter. TH Company Overview Exhibit 3 Pg. 1 of 12 Defendants'Motion Re: ZANTAZ E-Mail Proposal ZANTAZ Background Restoration and Content Process Pg. 2 of 12 Archiving all Live Electronic Correspondence Retrieving all Electronic Correspondence Pg. 3 of 12 ZANTAZ Deliverables to DOI ZANTAZ Deliverables to IT Pg. 4 of 12 Digital Safe Process: Capturing Data Digital Safe Send Electronic / ’'_'_"_ I IIIIIII I M_,. ! Electronic '_ o..,,,. ...... . Documents "_ :_ j'_,_'_ Optional Secondary Site Pg. 5 of 12 View Attachments Captures and Logs all Header Informatio Pg. 6 of 12 Secure People (Trusted 3 rd Party) Secure Processes Pg. 7 of 12 Secure Product Design Secure Facilities Pg. 8 of 12 Data Center: Architecture Data Center: Electrical Pg. 9 of 12 Data Center: Fire Sup Data Center: HVAC Pg. 10 of 1:2 Disaster Recovery Technical Support Center Pg. 11 of 112 Network Operations Center Summary Pg. 12 of 12 Page 1 67 FR 46202-02 2002 WL 1482469 (F.R.) (Cite as: 67 FR 46202) NOTICES DEPARTMENT OF THE INTERIOR Office of the Secretary Privacy Act of 1974, as Amended; Addition of a New System of Records Friday, July 12, 2002 *46202 AGENCY: Department of the Interior. ACTION: Proposed addition of a new system of records. SUMMARY: The Department of the Interior is issuing public notice of its intent to add a new Privacy Act system of records to its inventory of records systems subject to the Privacy Act of 1974 (5 U.S.C. 552a). This action is necessary to meet the requirements of the Privacy Act to publish in the Federal Register notice of the existence and character of records systems maintained by the agency (5 U.S.C. 552a(e) (4)). The new system of records is called the Electronic Email Archive System (EEAS), Interior--OS-10. EFFECTIVE DATE: 5 U.S.C. 552a(e) (II) requires that the public be provided a 30- day period in which to comment on the intended use of the information in the system of records. Any persons interested in commenting on this proposed system of records may do so by submitting comments in writing to the Departmental Privacy Act Officer, U.S. Department of the Interior, Office of the Chief Information Officer, MS 5312 MIB, 1849 C Street NW., Washington, DC 20240. Comments received within 30 days of publication in the Federal Register will be considered. The system will be effective as proposed at the end of the comment period unless comments are received which would require a contrary determination. In that case the Department will publish any changes to the routine uses. FOR FURTHER INFORMATION CONTACT: For information on the Electronic Email Archive System contact Regina Lawrence, Office of the Chief Information Officer, Department of the Interior at 202-208-5413, or mail at MS-5312-MIB, 1849 C St. NW., Washington, DC 20240. SUPPLEMENTARY INFORMATION: The Interior Electronic Email Archive System (EEAS) will contain data from certain Department of the Interior bureaus/offices with Indian Trust program responsibilities for the purpose of responding to discovery requests from plaintiffs and requests from the Court, the Special Master, and the Court Monitor in Cobell et al. v. Norton, et al., U.S.D.C.D.C., No. 1:96CV01285. The capability of the system to retrieve information from an email archive depository will assist compliance with court requirements. Dated: July 9, 2002 Marilyn Legnini, Copr. © West 2002 No Claim to Orig. U.S. Govt. Works Exhibit 4 Defendants' Motion Re: ZANTAZ E-Mail Proposal Page 2 Departmental Privacy Act Officer, Office of the Chief Information Officer. INTERIOR/OS-10. System name: Electronic Email Archive System (EEAS). Security classification: Sensitive, but unclassified. System location: The records of this system are located at a digital safe site at a location managed by the contractor for the Department of the Interior. Only information maintained at this site by the contractor is considered a Privacy Act system of records covered by this notice. Categories of individuals covered by the system: The system contains information on individuals who send and receive electronic messages using Internet email and interoffice email from and to those Departmental bureaus/offices involved with Indian Trust programs, and those individuals who are referred to in the electronic messages. These bureaus/offices are as follows: Office of the Solicitor, Bureau of Indian Affairs, Office of the Special Trustee for American Indians, Office of the Assistant Secretary--Indian Affairs, Bureau of Land Management, Office of the Assistant Secretary--Policy, Management, and Budget, Office of Hearings and Appeals, Office of Historical Trust Accounting, Office of the Secretary, and the Minerals Management Service. Categories of records in the system: Records include information from Internet email and interoffice email, including address of sender and receiver(s), subject, date sent or received, text of the message, name of attachment, attachment text, and certification status. The name and email address of the sender and receiver are captured along with the bcc, cc, subject line, and text of the message. Authority for maintenance of the system: 5 USC 301, 43 CFR 1455, and 40 CFR part 1441. Routine uses of records maintained in the system, including categories of users and the purposes of such uses: Copr. © West 2002 No Claim to Orig. U.S. Govt. Works Page3 The system's main purpose is to respond to discovery requests from plaintiffs and requests from the Court, the Special Master, and the Court Monitor in the Cobell v. Norton litigation, filed in the U.S. District Court for the District of Columbia. Disclosures outside the Department of the Interior can be made to: (a) Contractors who service and maintain the system for the Department, ensuring that all provisions of the Privacy Act, and all other applicable laws, regulations, andpolicies relating *46203 to contracting and record security are met. (b) Another Federal agency to enable that agency to respond to an inquiry by the individual to whom the record pertains. (c) The Department of Justice, or to a court, adjudicative or other administrative body, or to a party in litigation before a court or adjudicative or administrative body, when: (I) One of the following is a party to the proceeding or has an interest in the proceeding: (a) The Department or any component of the Department; (b) Any Departmental employee acting in his or her official capacity; (c) Any Departmental employee acting in his or her individual capacity where the Department or the Department of Justice has agreed to represent the employee; and (2) We deem the disclosure to be: (a) Relevant and necessary to the proceeding; and (b) Compatible with the purpose for which we compiled the information. (d) The appropriate Federal agency that is responsible for investigating, prosecuting, enforcing or implementing a statute, rule, regulation or order, when we become aware of an indication of a violation or potential violation of the statute, rule, regulation, or order. (e) A congressional office in response to an inquiry to that office by the individual to whom the record pertains. Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system: Storage: Information in this system of records is maintained in electronic format on a system hard drive. Retrievability: This specific system has the capability of performing searches through email archive information identified in the "Category of records" section above using any word or number criteria. This capability makes it unique from other email archive systems that are maintained by Interior bureaus/offices, and therefore, this system becomes subject to Privacy Act requirements. Copr. © West 2002 No Claim to Orig. U.S. Govt. Works Page 4 Safeguards : The contractor maintaining this system must follow the requirements under 5 U.S.C. 552a(e) (I0) and 43 CFR 2.51 for security standards. A security plan was developed to prevent unauthorized access to the system. The plan addresses application security, administration/user security, and application agreements. Access to the system is limited to authorized personnel whose official duties require such access. The EEAS system will be maintained at the Government contractor's facility at a secured data center. Retention and disposal: Records in this system will be retained indefinitely pending completion of Cobell et al. v. Norton, et al., U.S.D.C.D.C., No. 1:96CV01285 or until the Court orders the Department to retain/dispose of these records differently. System manager(s) and address: The Technology Services Division, Administrative Operations Directorate, National Business Center, Department of the Interior, MS-1540-MIB, 1849 C St. NW., Washington, DC 20240. Notification procedures: To determine whether your records are in this Privacy Act system of records, contact the Privacy Act Officer at the bureau/office from which your email message was sent or where it was received (see list of participating bureau/offices identified in the "Categories of individuals" section above). Interior bureaus/offices are listed at the Department of the Interior Web site at w_-w.doi.gov. The request must meet the requirements of 43 CFR 2.60. Provide the following information with your request: (a) Proof of your identity; (b) List of all the names by which you have been known, such as maiden name or alias; (c) Your Social Security Number; (d) Your mailing address; (e) Time period(s) that records pertaining to you may have been created or maintained, to the extent known by you (See 43 CFR 2.60(b) (3)); and (f) Specific description or identification of the records you are requesting (including whether you are asking for a copy of all of your records or only a specific part of them), and the maximum amount of money that you are willing to pay for their copying (See 43 CFR 2.63(b) (4)). Record access procedures: To request access to records, follow procedures in the "Notification procedure" section above. The request must meet the requirements of 43 CFR 2.63. Provide with Copr. © West 2002 No Claim to Orig. U.S. Govt. Works Page 5 your request the same information identified in the "Notification procedures" sections. Contesting record procedures: To request an amendment of a record, send requests in writing to the contacts identified in the "Notification procedure" section above. The request must meet the requirements of 43 CFR 2.71. Records source categories: Some information maintained in the system is collected from mag-tapes provided by Interior bureau/office email backup systems from those installations identified in the "Categories of individuals" section above. This information is downloaded onto a hard drive managed by the contractor and stored digitally. Information from Interior bureau/office e-mail servers will be captured in real time, transmitted electronically through secured networks, and captured and stored electronically into the EEAS. Exemptions claimed for the system: None. [FR Doc. 02-17587 Filed 7-11-02; 8:45 am] BILLING CODE 4310-RK-P 67 FR 46202-02, 2002 WL 1482469 (F.R.) END OF DOCUMENT Copr. © West 2002 No Claim to Orig. U.S. Govt. Works Statement of Work As of August 8, 2002 Department of the Interior, Office of the Chief Information Officer 1. BACKGROUND AND OBJECTIVES The Department of the Interior (DOI) is required to demonstrate compliance with court orders. The DOI must provide assurance that past and future e-mails and their attachments will be reliably, consistently and automatically captured, archived and retained in a safe, secured and entrusted environment. In particular, the DOI must assure that all e-mails within and across the designated bureaus will be archived indefinitely; that integrity of the documents be ensured; that compliance be overseen; that documents can be retrieved in a timely manner; and that a sound agency wide solution can be implemented. 2. SCOPE This Statement of Work (SOW) defines two major efforts to meet the requirement. The first effort involves restoring, uploading, and indexing a large number of e-mail backup tapes. The second effort involves having the Contractor implement a real-time capture of all e-mail on a going-forward basis for inclusion in a searchable e-mail archive. The Contractor shall assist with the completion of the DOI's Privacy Impact Assessment(s) for the Electronic E-mail Archival system. It is anticipated that the Contractor will provide litigation advisory services including, but not limited to, the tasks identified in this SOW. The initial scope of this SOW is limited to the following bureaus and offices within DOI: • Office of the Solicitor • Bureau of Indian Affairs • Office of the Special Trustee for American Indians • Office of the Assistant Secretary - Indian Affairs • Bureau of Land Management • Office of the Assistant Secretary - Policy, Management, and Budget • Office of Hearings and Appeals • Office of Historical Trust Accounting • Office of the Secretary • Minerals Management Service • Bureau of Reclamation (only sites providing e-mail service to the Office of the Solicitor) The Contractor will be asked to include other bureaus for particular tasks as an option to this contract. Exhibit 5 Defendants' Motion Re: ZANTAZ E-Mail Proposal 3. TASK 1 - RESTORATION OF TAPE BACKUP 3.1 Description of Task: 3.1.1 The first component involves the restoring, archiving, indexing, and searching of e-mail backup tapes. The DOI will send the backup tapes to the Contractor=s location. The Contractor shall store all tapes in secure locations, including a highly secure data center for the storage of data, and fire safes for storage of tapes. Additionally, the Contractor shall account for all tapes in its possession, have the capability to track their whereabouts, and ensure safe return to the proper DOI bureau. The Contractor shall provide a complete written description of their security capabilities, processes and procedures. 3.1.2 As each tape is restored, the Contractor' will determine the date ranges of e- mail messages on the tape and the total e-mail volume contained on the tape (in megabytes). There may be multiple copies of an e-mail message located on the DOI backup tapes. When the DOI has duplicate messages, the Contractor shall restore a single copy of the unique message. The current results of the physical inventory indicated that 7,088 tapes contain e-mail backup sets performed after May 1, 1999 and will therefore be included in the restoration. 3.1.3 The Contractor shall restore data from the original tapes provided by the DOI or from copies of original tapes made by the DOI. Tapes shall be processed and restored by bureau, in the order determined by DOI's specified priority. The DOI will provide the processing priority order in writing to the Contractor. Any changes to this priority will be in writing following the appropriate contractual change order process. 3.1.4 The Contractor shall provide a report of the inventory of backup tapes. The Contractor shall provide all findings and recommendations in a written report to the DOI. 3.2 Task 1 Deliverables: 3.2.1 The Contractor shall provide the DOI with a Project Plan. 3.2.2 The Contractor shall restore and maintain all back-up tapes. All electronic messages and attachments shall be processed and restored to their original format, in the order determined by the DOI's authority. 3.2.3 As each tape is restored, the Contractor shall determine the date ranges of all e- mail messages on the tape and the total e-mail volume contained on the tape in megabytes. This information will be catalogued by tape. Any tape that cannot be read or restored will be identified, catalogued, quarantined, and reported to the COTR as part of weekly and monthly status reports. 3.2.4 The Contractor shall review the date ranges and volumes from the tapes to assess the completeness of the backup sets for each location, and to determine potential gaps in the e-mail backup sets. This review will include the physical inventory, the catalog of contents, and an assessment as to the completeness of the backup set. A written report of the Contractor findings will be provided to the DOI monthly. 3.2.4.1 This report shall include, but shall not be limited to the following information: • List of tapes processed • List of date ranges from the tapes processed • List of total e-mail volumes for each tape processed • A list of cataloged, quarantined tapes that could not be read or restored (this information shall also be provided to DOI weekly) • A running total of the total volume of e-mail after processing, in terabytes, by bureau 3.2.5 The Contractor shall ensure original e-mail messages and attachments are located, validated, authenticated, and then retrieved. 3.2.6 The Contractor shall move all restored e-mail messages and attachments into an audit repository provided by the Contractor. 3.2.7 The Contractor shall ensure audit results are password protected. These audit results shall be viewed online by authorized personnel to be determined by the DOI Chief Information Officers. The Contractor shall maintain audit results and provide written reports monthly. 3.2.8 The restored e-mails shall be structured by the Contractor in a format that will ensure a migration path for moving data in a third party content manager system as specified by the DOI. 3.2.9 The Contractor shall provide third party implementation attesting to completeness and accuracy of any and all documents. 3.2.10 The Contractor shall provide a complete written description of their security capabilities, processes and procedures. 3.2.11 Once the restoration and processing of the tapes for a bureau or office has been completed, the Contractor shall return the original DOI backup tapes to the appropriate bureau or office. 3.3 Task 1 Deliverable Schedule 3.3.1 A Project Plan shall be delivered to the DOI within one (1) week from the DOI's response to the Contractor's preparation questions listed in Task 2 (see below section 4.2.1). 3.3.2 The Contractor shall complete the first component of the e-mail Restoration of Tape Backup within 8 months of the contract award. 3.3.3 A written report of the Contractor findings will be provided to the DOI monthly. 3.3.4 Audit results shall be maintained by the Contractor and written reports shall be provided monthly. 3.3.5 Any tape that cannot be read or restored will be identified, catalogued, quarantined, and reported to the DOI on a weekly status report. This information shall be consolidated and also provided on the monthly status report. 3.3.6 The Contractor shall provide a complete written description of its security capabilities, processes and procedures within 30 days of contract award. 3.3.7 The Contractor shall return the original DOI backup tapes to the appropriate bureau or office, within 30 days of completion of the restoration and processing of all backup tapes for that bureau or office. 4. TASK 2 - IMPLEMENTATION OF LIVE E-MAIL CAPTURE 4.1 Description of Task: 4.1.1 This second component shall provide real-time capture of e-mail traffic and create a searchable archive. The Contractor shall provide an e-mail archive solution designed to protect intellectual capital and ensure legal compliance. This solution shall be offered under the application service provider model in which the Contractor furnishes, as an outsourced service, all hardware, software, and expertise in a highly secure and fail- safe environment. 4.2 Task 2 - Implementation Service Deliverables The Contractor shall provide the following during the Implementation process: 4.2.1 Identify the Customer e-mail infrastructure: • Number of servers. • Number of users. • Number of Internet connections. • Mail platform. NOTE: For the initial scope of this contract, live e-mail capture shall be required from Lotus Notes, Microsoft Exchange, Groupwise and cc:Mail platforms. 4.2.2 Develop a connectivity strategy: • Dependent on the specific Customer requirements and preference (Internet, VPN, Private Circuit - T1, T3). • The Contractor shall identify if redundancy is required and determine how long the Customer can queue mail at its location. • The Contractor shall identify the access point and determine where 6 the access point to the Contractor will be located. 4.2.3 Repository Creation, Set-up and Retention Schedule: • The Contractor shall develop a schedule for creating the Repository and Retention Schedule, based on DOI requirements. • The Contractor shall coordinate with DOI to identify the level of granularity at which the repositories will be created (Workgroup, Department, or Individual Mailbox). • The Contractor shall coordinate with DOI to identify whether the routing rules should store pointers in a large DOI repository and then also at the individual or Workgroup level. • The Contractor shall identify the retention schedule for the data collected based on DOI requirements. 4.2.4 Identify the Escalation and Contact Authorization: • The Contractor shall coordinate with DOI to determine the chain of escalation at the Customer site. • The Contractor shall coordinate with DOI to establish a report of technical contacts and pager numbers for a 24-hour and 7-day support. • The Contractor shall coordinate with DOI to establish events about which the customer wants to be notified. • The Contractor shall coordinate with DOI to establish who needs access and what controls the Customer wants on those individuals that do have access to the repositories. • The Contractor shall document the escalation and contract authorization information noted above in a written report to DOI. 4.3 Task 2 - Deliverable Schedule 4.3.1 The implementation of the real-time capture of e-mail traffic and creation of a searchable archive shall be accomplished within 15 days per bureau once email is created, if a VPN or a FTP or open Internet is used. If a dedicated line such as a T1 is used, the schedule will then be dependent upon the installation schedule of the phone service. 4.3.2 A written report documenting the escalation and contact authorization information shall be provided to DOI within 30 days of contract award. 5. TASK 3 - ON-GOING SUPPORT OF LIVE EMAIL CAPTURE 5.1 Description of Task: 5.1.1 The Contractor shall capture the DOI's live e-mail and attachments from various messaging platforms such as: Lotus Notes, GroupWise, Exchange and CC:Mail. All incoming and outbound e-mails and attachments are automatically copied to the DOI's archive repository, where they remain online and are easily accessed with the Digital Safe search engine. This will provide the DOI with a single location to quickly and efficiently search, find and retrieve all the inlbrmation needed. 5.1.2 The Contractor shall provide a fully outsourced service for e-mail and attachments. The Contractor shall ensure the integrity, authenticity and completeness of all messages. The Contractor shall also capture and retain all "bcc and cc" addresses and shall retain all e-mail messages sent or received. The Contractor shall also retain all modifications and document history, all Internet and Gateway header information, all attachments and all topic information. The Contractor shall make results available within seconds of submission. The Contractor shall provide the ability to integrate into other document management systems providing for a single, transparent portal for all archived documents. The Contractor shall serialize all the indexes, and provide a date time stamp. The Contractor shall provide a digital index of all e-mail messages. 5.2 Task 3 - Deliverables 5.2.1 Capture: The Contractor shall use a solution to automatically capture, store, and index incoming and outgoing electronic messages, and preserve them in their entire, original format. For every email that a user sends, and every email that a user receives, a copy shall be made and sent to this solution. Immediately, a hash code shall be created for each document and the document shall be transferred to non-tamperable media. Each record is then copied to a redundant site. This hash codes a date and time stamp on each record. The Contractor shall guarantee the highest level of document authenticity, integrity and security. The Contractor shall capture all e-mall transparently on non-tamperable redundant media (worm devices), at the router level so no messages shall be lost, deleted or destroyed. NOTE: For the initial scope of this contract, live e-mail capture shall be required from Lotus Notes, Microsoft Exchange, Groupwise and cc:Mail platforms. 5.2.2 Archive: The captured data shall be written to archival grade optical disks at a Digital Safe Data Center. The Contractor shall set up DOI's archive and repositories at the level of granularity determined in Task 2. Immediately, the data shall be duplicated to a second data center in a different geographic region. The Contractor shall replicate DOI data to ensure that documents are securely preserved and always accessible, regardless of the operational state of any one individual site. 5.2.3 Retrieve: From a secure Web site, an authorized user for DOI shall be able to easily retrieve archived documents. Opening the Digital Safe search engine, the user shall be able to select an intuitive set of search criteria. Search results shall be available rapidly, and can be viewed online. When the required message is found, the original version - with all its delivery information and attachments shall be provided to the retriever via a search Web connection, or other media as specified by DOI. The Contractor shall implement routing rules. And the Contractor shall create retrieval rules and user access. The Contractor shall provide timely retrieval across the entire document set by bureau or across bureaus. The Contractor shall provide retrieval of information by authorized persons only. The Contractor shall provide Web based retrieval. The contractor shall provide an audit report that contains information about searches conducted by DOI. The specific information to be provided in this report shall be supplied by DOI. 5.2.4 Storage: The Contractor shall oversee all long-term media technology upgrades and migrations and maintenance, relieving the DOI of any storage equipment maintenance. The Contractor will also provide complete backup and security on all the DOI records. The Contractor shall process and store enormous volumes of e-mails and attachments with unlimited retention periods. The Contractor shall permit indefinite record storage with ability to manage retention schedule of individual users or departments. Data (e-mail and attachments) will be indexed and stored by the Contractor. This indexing shall allow the DOI to locate a single message from a large volume of data. 5.2.5 Backup Tapes: The contractor shall backup the data in the Digital Safe on a regular basis. The backup tapes created are the property of the government, and shall be returned to DOI upon termination of this contract in a format that is readable by DOI. 5.3 Task 3 Deliverable Schedule 5.3.1 Capture- Once the implementation Service (Task 2) is completed, the Capture shall be performed automatically within 15 days per bureau, for every new e-mail. 5.3.2 Archive- Once the implementation Service (Task 2) is completed, the Archive shall be performed automatically within 15 days per bureau for every new e-mail. 5.3.3 Retrieve - Once the implementation Service (Task 2) is completed, the Retrieval by authorized users shall be immediately available within 15 days per bureau for every new e-mail. 5.3.4 Storage- Once the implementation Service (Task 2) is completed, Storage shall happen immediately within 15 days per bureau for every new e-mail. 6. OPTIONS 6.1 Options Requested Searching and other services as described below shall be provided by the Contractor as options under the contract. The Contractor shall provide estimates of the costs to provide options 1, 2 and 4 as part of their initial proposal. 6.2 Option 1 - Searching If this option is exercised, the Contractor shall conduct text searches on the body of the e-mail messages both in the live capture repository and in the repositories lO created from DOI backup tapes. The contractor shall locate e-mail messages that contain designated search terms to be supplied by the DOI. The Contractor shall provide to the DOI all e-mails (with file attachments) that are determined to fit the search criteria. When required documents are found, the Contractor shall make the original version, along with all of its delivery information available for viewing either via the web or via various messaging platforms such as: Lotus Notes, GroupWise, Exchange and cc: Mail. The e-mail will be produced in a mutually agreed-upon format, and will be provided on storage media designated by the DOI. 6.3 Option 2 - Historical Data On-Line The Contractor shall maintain the results of the restoration and processing of the DOI backup tapes on-line for a period of time specified by DOI, if the option to do so is exercised by DOI. In response to this proposal, the Contractor shall provide DOI the cost to keep the results of the restoration and processing of the DOI backup tapes on-line. The costs shall be provided in a per-terabyte, per- month format, starting with a minimum of three months on-line storage. Ranges for numbers of terabytes and months can be provided (i.e., 5-10 terabytes for 0-6 months.) 6.4 Option 3 - Additional Bureau Implementations The Contractor shall implement Live E-Mail Capture for additional DOI bureaus not included in the original scope of this contract. If this option is exercised, DOI will work with the Contractor to gather the information necessary to determine the cost to implement the requested bureau. 6.5 Option 4 - Copy of Results of Restoration and Processing of DOI Backup Tapes It is the understanding of DOI that once the backup tapes provided by the bureaus and offices have been restored and processed to eliminate duplicate messages and system information, the Contractor will be copying the resulting data to tape. It is also the understanding of DOI that while the Contractor may retain possession of these tapes for an indefinite time period, the tapes are the property of the Government and will be returned to DOI at the end of the contract. If this option is exercised, the Contractor shall provide DOI with an additional copy of the tapes created. 11 7. PERIOD OF PERFORMANCE The period of performance for tasks 1 and 2 of this contract shall not exceed March 31, 2003 (8 months of contract award). Task 3 shall be on-going until cancelled by DOI. Options may be requested at any time during the life of the contract. 8. PRIVACY Privacy Act, Federal Acquisition Regulation, and Departmental Requirements "Contractors handling information in this system must comply with Privacy Act requirements and Departmental regulations on the Privacy Act (See Department of the Interior (DOI) Privacy Act regulations at 43 CFR Part 2, Subpart D (attached)). For compliance with FAR privacy requirements see FAR 48 C.F.R. 24.102(a) and Department of the Interior Acquisition Regulation at 48 C.F.R. 1424.1." The Contractor will be required to design, develop, or operate a system of records on individuals, to accomplish an agency function subject to the Privacy Act of 1974, Public Law 930579, December 31, 1974 (5 U.S.C. 552a) and agency regulations, at 43 CFR Part 2, Subpart D. Violation of the Act may involve the imposition of criminal penalties. 9. SECURITY This effort shall require contractor personnel to have access to sensitive and proprietary information. The Contractor shall not disclose sensitive or proprietary information of, or in the possession of, the DOI or any of its operating units, contractors, or business partners to unauthorized persons. The Contractor shall handle all documents in accordance with Government and Interior-specific standards. The Contractor shall be subject to any and all penalties imposed by law for unlawful disclosure of the DOI information. The Contractor shall be required to abide by the DOI guidance for protecting sensitive and proprietary information. Any such information made available in any format shall be used only for the purpose of carrying out the provisions of this agreement. Such information shall not be divulged or made known in any manner to any person. The Contractor shaH immediately notify the on-site COTR upon discovery of any intentional or inadvertent disclosures of information. The Contractor shall not remove classified or sensitive material from Government sites without the DOI's express permission. 12 At the conclusion of this project, all sensitive and proprietary material shall be returned to DOI or destroyed based on written direction from the DOI. 10. SECTION 508 COMPLIANCE This system must be compliant with Section 508 of the Rehabilitative Act. 11. OFFICE OF MANAGEMENT AND BUDGET (OMB) CIRCULAR A-130 COMPLIANCE This system must meet the security requirements of OMB Circular A- 130, "Management of Federal Resources", Appendix Ill, "Security of Federal Automated Information Resources." 12. Compliance with DOI Enterprise Architecture Interior is in the process of developing a high-level Enterprise Architecture. This project will be developed in accordance with Interior Enterprise Architecture Capital Planning Review Guidance. 13. POINTS OF CONTACT 13.1 Contracting Specialist: John Chadwick National Business Center Acquisition Services Voice : 202-208-3107 Fax: 202-208-4956 John_Chadwick@nbc.gov 13.2 Contracting Officer: Debra Glass National Business Center Acquisition Services Voice : 202-219-0340 Fax: 202-208-4956 Debra L Glass@nbc.gov 13 13.3 COTR: Roberta Heintz National Business Center Voice: 202- 208-5720 Fax: 202-208-4850 Roberta A Heintz@nbc.gov