Developing a Standards-Based Records Management Program


Developing a Standards-Based Records Management Program Frank McGovern Product Marketing Engineer

Agenda
- Trends and Challenges in RM
- Defining and Positioning RM
- Overview of Relevant RM Standards
- Using ISO 15489
- Key Take-Aways

Records Management Trends
- Decline in number of staff specializing in filing
- Investment in Software functionality that creates records is growing
- Mission critical records are often not sharable, retrievable or useable
- Copies proliferate; data conflicts or is unreliable
- Email often replaces phone conversations, meetings and formal written communication
- Instant Messaging increasingly replaces email
- Litigation and discovery costs skyrocketing
- Authenticity is questioned
- Premature destruction
NARA

The Challenge of Electronic Records
- Authenticity – Over Time
- Variety – 4,800+ Different Types of E-Record Formats
- Complexity – Increasingly Sophisticated Formats
- Volume – Vast Quantities of Records
- Obsolescence – Constantly Changing Technology
- User Expectations – Evolving, Unrelenting

We are facing an electronic records challenge in the nation and specifically in the federal government. The rapid evolution of information technology has produced large, ever-increasing volumes of diverse and complex digital records. Since NARA’s mission is to preserve the history of this Nation, it is our responsibility to address the electronic records challenge. NARA is a small agency responsible for all other agencies (approx. 400).

Scope - We have to do this for records of the entire Federal Government, which have different laws and rules that apply to them depending on whether they are records of federal agencies, or of the President, the Congress, or the Supreme Court. We also have to deal with donated materials, which are subject to their own rules, set out in deeds of gift.

Variety - There's a great variety in the kinds of electronic records we have to deal with. This variety is already apparent in the records already in the National Archives:
- White House e-mail from Presidents Reagan, Bush, and Clinton
- Casualty records from the wars in Korea and Vietnam
- The American Soldier in World War II
- National Collaborative Perinatal Project, 1959-1974
- Fishing, Hunting, & Wildlife Recreation
- Abstracts of testimony, interviews, diaries from the Watergate Special Prosecution Force
The variety will only increase in the future.

Complexity - Besides the variety in types of records, we also have to cope with a great variety of complex types of digital data.

Volume
- Clinton Administration: 38 million email messages
- State Department: 25 million electronic diplomatic messages
- Department of Defense: > 50 million images of digital Official Military Personnel Files annually
- Census Bureau: 600 to 800 million image files (2000 census)

Currently, there is no system to preserve all types of digital records over time.
NARA

Effective Records Management:
- Simultaneous attention to People, Process and Technology
- Integrating Records Management into an Organization’s Business Processes and IT Governance and Applications
NARA

Defining a Record
- Recorded information
- Made or received by an organization
- Regarding legal obligations or transactions
- Evidence of operations
- Has value requiring retention for a specific period of time
- Regardless of recording format, medium or characteristics

Characteristics of a Record
- Authenticity – It is what it says it is.
- Reliability – It can be trusted as a full and accurate representation of the transactions or facts.
- Integrity – It is complete and unaltered.
- Usability – It can be located, retrieved, presented and interpreted.
ISO 15489

RM from 10,000 Feet
- Supports event and time based retention rules
- Structured file plan organizes records and manages, enforces complex policies/rules
- Enables legal holds, facilitates audit and electronic evidence discovery
- All processes are audited and managed
- Ensures record authenticity, integrity and contextual relationships

RM from 10,000 Feet
- Preserves records over time and ensures reliability
- Ensures record access, retrieval and usefulness
- Prevents unauthorized deletion
- Ensures timely disposition and complete record expungement
- Ensures privacy and record security policy management
- Supports physical records

Records Management Standards
- DoD Standard 5015.2
- ISO Standard 15489
- ANSI/ARMA 9-2004
- VERS
- DOMEA
- MOREQ

DoD 5015.2
- RM Software Certification and Testing Program
- DoD certification required for software sales to Department of Defense, National Archives and Records Administration (NARA), federal government agencies
- De facto industry standard
- Key Sections
  - Definitions
  - Mandatory Requirements
    - General
    - Detailed
  - Non-Mandatory Features
    - Requirements defined by the Acquiring Organizations
    - Other Useful Features
  - Classified (Secret) Records

Impact of DoD 5015.2 Standard
- Adoption and recognition by vendor community
- 50+ Vendors/Products Currently Certified
- Standalone (RM only)
- Product pairings (RM + ECM Suite)
- Multiple Versions (Certification valid for 2 years)
- Multiple Environments (Oracle/MS SQL/DB2)
- 45 Vendors/Products Scheduled
- Mandatory for most government opportunities
- Mandatory/highly desirable for most Fortune 1000 Companies and others
- FileNet Records Manager is certified (Chapter 2)

ISO Standard 15489
- Information and Documentation, Records Management
- Part I – General
- Part II – Guidelines
- Important standard, gaining momentum throughout world
- Framework for records program design in many industries

Principles of Records Management Programs
Key Points
- Determining which records should be created
- Deciding form and structure
- Metadata requirements
- Retrieval requirements
- How to organize records
- Assessing risks
- Preserving records
- Complying with legal and regulatory requirements
- Security
- Records retention
- Improvement opportunities

Impact
- UK National Archives has formally adopted ISO 15489
- Embraced in many UK FOI deployments
- Foundation for US NARA’s Strategic Redesign of RM
- Adopted by Australian Federal Government
- Used by Auditor General to monitor Government performance
- Translated in many Languages
- Recognized by ARMA
- Basis of FileNet’s RM Best Practices

MOREQ (European Union)
- Model Requirements for the Management of Electronic Records
- Focus on the functional requirements for electronic records management systems—390 requirements
- Key areas:
  - Classification Schemes
  - Controls and Security
  - Retention and Disposal
  - Capturing Records
  - Referencing
  - Searching, Retrieval, and Rendering
  - Administrative Functions

ANSI/ARMA 9-2004 – Email Standard
- Requirements for Managing Electronic Messages as Records
- Describes
  - Retention and Disposition IAW Records Retention Schedule
  - Acceptable Use
  - Access and Retrieval
  - Appropriate Security Measures
  - Network Security
  - Protection of Confidential Information
  - Identification and Protection of Vital Records
  - Remote Access
  - Back-Up
  - Metadata Capture
  - Audit Trails
  - Anti-Virus Protection
- No certification program

VERS Standard (Australia)
- Victorian Electronic Records Strategy
- Generic, extensible standard
- Works with existing recordkeeping and business practices
- Ensures records preservation
- Enables viewing of records in the future, regardless of systems that created them
- Specifies methods to capture records from desktop and business systems
- Specifies ways to capture metadata
- Preserves contextual relationships
- Details audit trail methodologies so that changes to records are detectable

DOMEA (Germany)
- Document Management and Electronic Archiving
- RM for case files
- Governs
  - Completeness, integrity and authenticity of official records, to guard against official documents being altered, changed, removed, destroyed or deleted.
  - The records principle of public administration, i.e., documents are organized in subject files.
  - Maintenance of adequate and proper documentation for accountability and lawfulness of administrative procedures.

RM Standards Summary RM STANDARDS Products Program DoD 5015.2* ISO 15489 VERS* ANSI/ARMA 9-2004 DOMEA* MOREQ* *Formal Certification Programs

ISO 15489 - Part 1 General
- Applies to the management of records, in all formats or media, created or received by any public or private organization in the conduct of its activities, or any individual with a duty to create and maintain records
- Provides guidance on determining the responsibilities of organizations for records and records policies, procedures, systems and processes
- Provides guidance on records management in support of a quality process framework to comply with other ISO standards
- Provides guidance on the design and implementation of a records system

ISO 15489 – Part 2 Guideline
Provides guidance on implementing the policies and procedures in Part 1
- Developing Policies and Procedures
- Formulating Records Management Strategies
- Designing the Records Management Program Elements
- Implementing the Solution
- Establishing Processes and Controls
- Programs to Monitor and Audit the Program
- Training the Organization on RM Policies and Procedures

Steps to Sound Records Management
- Develop/Review Policies and Responsibilities
- Strategic Planning, Program Design and Implementation
- Develop Records Processes and Controls
- Monitoring and Auditing Requirements
- Planning and Executing Training Programs

Develop/Review Policies and Responsibilities
- Develop Records Management Policy Statements
- Documents Policies and Procedures Performed in the Normal Course of Business
- Authorized by Highest Level in the Organization
- Define Responsibilities and Program Authorities
- Requires Employees to Declare Records
- Ensure Records Created as Part of the Process
- Provide Transparent or Easy Access
- Provide Protection of Records
- Enforces Records Disposition Policies

Strategic Planning, Program Design and Implementation
- Step A: Conduct preliminary investigation
- Step B: Analyze business activity
- Step C: Identify requirements for records
- Step D: Assess existing systems
- Step E: Identify strategies to satisfy requirements
- Step F: Design records system
- Step G: Implement records systems
- Step H: Conduct post-implementation review
Diagram labels: Policy, Design, Standards, Implementation

Strategic Planning, Program Design and Implementation
- Conduct Preliminary Investigation
- Analyze Business Activities and Processes
- Identify Records Requirements
- Assess Existing Systems
- Develop Strategies for Meeting Records Requirements
- Design the Records System
- Implement the Records System
- Perform Post-Implementation Review

Develop Records Processes and Controls
- Instruments of Control
- Classification Scheme Based on Business Processes
- Disposition Processes
- Security and Access Controls
- Analyze Regulatory Requirements
- Perform Risk Analysis
- Identify Employee and User Permissions
- Classify Business Activities
- Create Thesaurus, Glossary
- Establish Records Disposition Authority
- Determine Documents/Objects to Classify as Records
- Develop Retention Schedules

Develop Records Processes and Controls
- Capture
- Registration
- Classification
- Access and security classification
- Identification of disposition status
- Storage
- Use and tracking
- Implementation of disposition

Monitoring and Auditing Requirements
- Identify Requirements for Compliance Auditing
- Determine what Evidential Weight is Necessary
- Develop Performance Metrics and Monitoring and Reporting Processes

Auditing and Monitoring

The laws have changed worldwide and while the trickle … The UK companies law, King 2 in South Africa… Over 8000 compliance regulations in North America… The federal government announced on January 12th… The government also recently made electronic records… Many of the regulations overlap… (click) 2 essential elements are required to achieve compliance… Policies, controls and process… That’s where proof comes in… Why proof is essential to compliance? If you have to defend your business practices… The records. And you must also demonstrate you complied… Spoliation being the willful alteration or destruction of evidence. Proof is one part content and one part process.

Diagram labels: Policies, Controls and Process; CA Database Protection Act; SOX; Patriot Act; HIPAA; Basel II; Evidence and Proof; Business and Messaging Apps; Records Management

Auditing and Monitoring August 2004 Industry Advisory Council White Paper

Planning and Executing Training Programs
- Identify Records Management Training Requirements for the Organization
- Determine the Personnel that Must be Trained: Managers, including senior managers, Employees, Contractors, Volunteers, Other personnel who have a responsibility to create or use records
- Provide Records Management Professionals Training
- Determine Training Methods
- Evaluate Effectiveness of Training

Key Take-Aways
- Records Management is a journey
- RM Software applications are tools, not a substitute for policy
- The ISO Standard 15489 serves as an excellent model for an RM program