ImageNow
  Meeting Compliance
  Understanding Standards & Procedures
Why Are We Here?
  To learn the steps each office needs to take to meet the compliance requirements for NDSU’s internal document imaging audit.
  Campus Audit is reported to NDUS each year (June) by NDSU Chief IT Security Officer
  Audit is conducted to meet requirements of NDUS Policy
NDUS Policy
  Purpose: “The purpose of this procedure is to establish an imaging procedure for all NDUS institutions that create, use, and manage digital images on optical imaging systems.”
NDUS Policy
  Procedure Summary:
    2. “Institutions shall create and follow documentation that outlines and describes system hardware and software specifications and written policies and procedures that document the creation, maintenance, use and preservation of digital images within the system.”
    3. “Training schedules that include initial instruction as well as regular, ongoing retraining must be implemented to ensure that employees understand the policies and procedures and any changes that may occur.”
Initial Access & Training
  Checklist Item #1: Procedures for electronic imaging of documents have been formally documented and are provided to individuals who have been given access or duties related to imaging documents.
  Translation: Do you have training documents and/or user manuals prepared for first-time ImageNow users?
Initial Access & Training
  Create Tutorials for the Basics:
    Logging In, Logging Off, & Password Changes
    Toolbar Icons, Interface & Default Settings
    How to Search
    How to Scan/QA/Link
    How to Upload & Link using ImageNow Printer
  Resources:
    ImageNow User Manual (PDF, hard copy, Client Help)
    Internal Customized Tutorials
Confidential Data Training
  Checklist Item #2: Individuals with access to data and system have been given appropriate training regarding policies and procedures for security and safety of data stored and manipulated within system. The training is ongoing and is updated according to changes in policy and federal law.
  Checklist Item #9: All those assigned access and use the system have undergone basic training on handling and use of confidential data and have signed confidentiality agreements.
Confidential Data Training
  Translation: Have users reviewed data privacy policy & completed confidential data training before using ImageNow?
  How do we Comply?
    Log and file (date of training, who attended, who provided training)
    NDUS Data Privacy Training
    Signed Confidentiality Agreement
    Responsibility Review
    Security/Confidentiality Topic during Staff Meeting
Scanning & QA Training
  Checklist Item #10: Individuals who perform the scan or validation function have received additional training on document quality assurance.
  How do we Comply?
    Create separate training tutorial for scanning process
    Make sure VRS settings are optimized for all documents
    Do not allow “Bypass QA” setting for scanning profiles
System Oversight
  Checklist Item #3: An individual(s) has been assigned the responsibility to oversee and manage the training of assigned personnel.
  Translation: Each participating office needs to have a designated ImageNow “Manager”
  Why is this Required?
    Act as a “point of contact” for each office
    Limits number of users who can access & change security
    In charge of keeping & collecting audit compliance data
System Oversight
  Checklist Item #12: Logs of individual training are maintained by the person(s) managing the oversight of those who use the system.
  Translation: ImageNow “Managers” need to keep track of which users have received which types of training and when.
  How do we Comply?
    A spreadsheet will be developed and distributed to help managers track user training.
System Oversight
  Proposed Spreadsheet:
    Record completed training dates for each user
    Submit copy of spreadsheet for audit each year

    Name     Role        Data Privacy  Conf. Data  1st Time User  Scan & QA   Resp. Review  Staff Meeting
    User #1  Power User  08/23/2004    07/01/2012  09/15/2010     10/10/2010  03/01/2011    04/26/2012
    User #2  Manager     11/03/1995    07/01/2012  05/21/2007     10/10/2010  06/01/2011    04/26/2012
    User #3  Staff       03/17/2008    07/01/2012  09/15/2010     10/10/2010  09/01/2011    04/26/2012
    User #4  Student     09/30/2011    07/01/2012  10/15/ /01/2011                          04/26/2012
Security Management
  Checklist Item #4: Separation of duties is in place for individuals who have been given access to the imaging system. (For example the person who scans in a document does not have the ability to delete a document.)
  Checklist Item #6: Formally documented procedures have been established to ensure that only authorized personnel can create, copy, annotate, or access digital images within the system. This access is granted based on specific need for use of the system.
Security Management
  Translation:
    Assign user security settings according to function
    Don’t grant more access than absolutely necessary
  Keep track of:
    Who is responsible for scanning?
    Who can delete linked documents?
    Who can view documents in which drawers?
    Who can view certain document types?
    Who can edit custom properties, notes, annotations?
    Who can print, save, or imaged documents?
Document Validation
  Checklist Item #5: A validation process using a sampling technique has been implemented to verify that the scanned document matches the original document. This process is conducted and documented each quarter.
  Checklist Item #11: Logs are collected, monitored and documented to verify reproduction accuracy and reliability according to the original document.
Document Validation
  Validation Process:
  ImageNow Documents
    1. Search for documents created on certain date
    2. Randomly select documents (note Date, ID#, DocType, & # of pages)
    3. Locate selected documents in hard copy archive
    4. Confirm quality of the documents
  Hard Copy Documents
    1. Randomly select documents from hard copy archive
    2. Search for documents in ImageNow
    3. Confirm quality of scanned documents
Document Validation
  Validation Process Demonstration
  Nancy Kasper
  Registration & Records
User Management
  Checklist Item #7: Those employees no longer needing access to the system have been removed.
  Process:
    ImageNow “Manager” deactivates user account in ImageNow and removes user from all associated groups
    Or contact Viet to have him deactivate the user
    Notify your IT Liaison to include removal of “ImageNow service tag” when the Help Desk ticket requesting end of IT services is submitted
Document Management
  Checklist Item #8: Digital images that are the records of documented business processes have been linked to the business processes that created them.
  Translation:
    Documents are stored in “Drawers” of the department that created them
    Drawer names are changed when documents transfer between departments
    “View” access is usually retained by original department
Document Management
  Checklist Item #13: All digital images are destroyed according to NDSU Records and Retention policy and procedure 713.
  Translation: Documents need to be purged based on the document retention schedule (
  Process:
    1. Query is run for ID#s of “inactive students” (last 5 years?)
    2. ImageNow is searched for documents “In List”
    3. Index fields & custom properties determine purge items
Document Management
  Checklist Item #14: All data that is stored as an image is classified according to NDUS policy and procedure
  Translation: “Any electronic data asset of the NDUS or Institution shall be classified as Public, Private or Confidential according to the following standards.” – NDUS
  How do we comply?
    “Confidential” drawers can be created for highly sensitive documents that can only be accessed by designated users
Document Auditing
  Checklist Item #15: A system “audit trail” is in place to document who, the date and time, and what was accessed for the previous 12 months. This “audit trail” is maintained and available for review.
  How do we comply?
  “Audit” setting in ImageNow is turned on for:
    Add Annotations
    Document Copy
    Document Create
    Document Create via Batch
    Document Delete
    Document Move
    Document Page Delete
    Document Restore
    Document Send to Recycle Bin
    Document View
    User Login
QUESTIONS?
Additional Licenses???
  Contact Heather Soleim in R&R for more information

  Office  # of Users  # of Licenses  # of Scanners
  Admission 19102
  Bison Connection 1031
  Customer Account Services 92--
  Enrollment Management 1--
  Graduate School 1371
  HR/Payroll 1431
  International Programs 1251
  IT Services 721
  Registration & Records 31153
  Residence Life 2121
  Student Financial Services 1941
  TOTALS