U.S. government agencies' cyber-security and record-keeping worse than previously thought (continued)
If a federal agency isn't sure whether an email message is a "record" or not, Figure A shows a handy decision tree that can help make the determination.
FIGURE A
 
Government workers can use this decision tree for determining whether an email message is a record.
Although it initially seemed there were no "uh-oh" moments reading about the four agencies' record-keeping practices, none of them got it right:
Three of the four agencies we reviewed had policies in place that generally complied with key aspects of NARA's regulations on email records management. At these agencies, the policies were each missing one of nine key elements. For example, one agency's policy did not specify, as required, that draft documents circulated via email may be federal records; agency officials indicated that they planned to address the omission in updated guidance. At the fourth agency [HUD], the policy was missing three of eight applicable requirements.
Figure B contains a nice chart that showcases where things broke down.
FIGURE B
 
This GAO table shows how the various agencies conformed to required policy.
If you look carefully at the chart, you'll notice the last line item. That one says:
Instruct staff on the management and preservation of email messages sent or received from nongovernmental email systems
Uh-oh.
Security risk at the Department of Homeland Security
Sometimes it seems like it wouldn't be a report about government computer systems without discovering at least one new security risk of relatively major proportions.
The folks at Homeland Security have a whopper of a security flaw. According to the GAO report:
...although employees can currently access Web-based and Internet-accessible private email systems, the department is taking steps to restrict or remove this access.
Let's understand this a little more clearly. Right now, Homeland Security employees can, from within their federal offices, surf the Web, getting email from such places as AOL, Hotmail, and Gmail.
The entire apocalypse-in-a-box that is the Internet is allowed to tunnel through all of Homeland Security's security because employees can open the Pandora's box of trouble that's everyone's email account on the net.
But, you say, the department is taking steps. Fair enough, but we all know our government. Those steps are likely to take four or more years. In the meantime, Osama bin Hacker can just as easily send a virus or a trojan into the Department of Homeland Security's "secured" private network as he can to you or me.
Security risk at Federal Trade Commission
And this leads us to the Federal Trade Commission. I wasn't going to write about them, but between the time I started writing this report and the time I got this far into the document, I got another email, this time pointing me to a new Web page at the FTC.
The Federal Trade Commission is the nation's primary consumer protection body and is the lead arm of the government dealing with identity theft issues. The FBI investigates identity theft as a crime, but the FTC deals with it in terms of consumer protection and policy.