Developing a Standards-Based Records Management Program

1
Developing a Standards-Based Records Management
Program

• Frank McGovernProduct Marketing Engineer

2
Agenda

• Trends and Challenges in RM
• Defining and Positioning RM
• Overview of Relevant RM Standards
• Using ISO 15489
• Key Take-Aways

3
Records Management Trends

• Decline in number of staff specializing in filing
• Investment in Software functionality that creates
  records is growing
• Mission critical records are often not sharable,
  retrievable or useable
• Copies proliferate data conflicts or is
  unreliable
• Email often replaces phone conversations,
  meetings and formal written communication
• Instant Messaging increasingly replaces email
• Litigation and discovery costs skyrocketing
• Authenticity is questioned
• Premature destruction

NARA
4
The Challenge of Electronic Records

• Authenticity Over Time
• Variety 4,800 Different Types of E-Record
  Formats
• Complexity Increasingly Sophisticated Formats
• Volume Vast Quantities of Records
• Obsolescence Constantly Changing Technology
• User Expectations Evolving, Unrelenting

NARA
5
Effective Records Management

• Simultaneous attention to People, Process and
  Technology
• Integrating Records Management into an
  Organizations Business Processes and IT
  Governance and Applications

NARA
6
Defining a Record

• Recorded information
• Made or received by an organization
• Regarding legal obligations or transactions
• Evidence of operations
• Has value requiring retention for a specific
  period of time
• Regardless of recording format, medium or
  characteristics

7
Characteristics of a Record

• Authenticity It is what is says it is.
• Reliability It can be trusted as a full and
  accurate representation of the transactions or
  facts.
• Integrity It is complete and unaltered.
• Usability It can be located, retrieved,
  presented and interpreted

ISO 15489
8
RM from 10,000 Feet

• Supports event and time based retention rules
• Structured file plan organizes records and
  manages, enforces complex policies/rules
• Enables legal holds, facilitates audit and
  electronic evidence discovery
• All processes are audited and managed
• Ensures record authenticity, integrity and
  contextual relationships

9
RM from 10,000 Feet

• Preserves records over time and ensures
  reliability
• Ensures record access, retrieval and usefulness
• Prevents unauthorized deletion
• Ensures timely disposition and complete record
  expungement
• Ensures privacy and record security policy
  management
• Supports physical records

10
Records Management Standards

• DoD Standard 5015.2
• ISO Standard 15489
• ANSI/ARMA 9-2004
• VERS
• DOMEA
• MOREQ

11
DoD 5015.2

• RM Software Certification and Testing Program
• DoD certification required for software sales to
  Department of Defense, National Archives and
  Records Administration (NARA), federal government
  agencies
• De facto industry standard
• Key Sections
• Definitions
• Mandatory Requirements
• General
• Detailed
• Non-Mandatory Features
• Requirements defined by the Acquiring
  Organizations
• Other Useful Features
• Classified (Secret) Records

12
Impact of DoD 5015.2 Standard

• Adoption and recognition by vendor community
• 50 Vendors/Products Currently Certified
• Standalone (RM only)
• Product pairings (RM ECM Suite)
• Multiple Versions (Certification valid for 2
  years)
• Multiple Environments (Oracle/MS SQL/DB2)
• 45 Vendors/Products Scheduled
• Mandatory for most government opportunities
• Mandatory/highly desirable for most Fortune 1000
  Companies and others
• FileNet Records Manager is certified (Chapter 2)

13
ISO Standard 15489

• Information and Documentation, Records Management
• Part I General
• Part II Guidelines
• Important standard, gaining momentum throughout
  world
• Framework for records program design in many
  industries

14
Key Points

• Principles of Records Management Programs
• Determining which records should be created
• Deciding form and structure
• Metadata requirements
• Retrieval requirements
• How to organize records
• Assessing risks
• Preserving records
• Complying with legal and regulatory requirements
• Security
• Records retention
• Improvement opportunities

15
Impact

• UK National Archives has formally adopted ISO
  15489
• Embraced in many UK FOI deployments
• Foundation for US NARAs Strategic Redesign of RM
• Adopted by Australian Federal Government
• Used by Auditor General to monitor Government
  performance
• Translated in many Languages
• Recognized by ARMA
• Basis of FileNets RM Best Practices

16
MOREQ (European Union)

• Model Requirements for the Management of
  Electronic Records
• Focus on the functional requirements for
  electronic records management systems390
  requirements
• Key areas
• Classification Schemes
• Controls and Security
• Retention and Disposal
• Capturing Records
• Referencing
• Searching, Retrieval, and Rendering
• Administrative Functions

17
ANSI/ARMA 9-2004 Email Standard

• Requirements for Managing Electronic Messages as
  Records
• Describes
• Retention and Disposition IAW Records Retention
  Schedule
• Acceptable Use
• Access and Retrieval
• Appropriate Security Measures
• Network Security
• Protection of Confidential Information
• Identification and Protection of Vital Records
• Remote Access
• Back-Up
• Metadata Capture
• Audit Trails
• Anti-Virus Protection
• No certification program

18
VERS Standard (Australia)

• Victorian Electronic Records Strategy
• Generic, extensible standard
• Works with existing recordkeeping and business
  practices
• Ensures records preservation
• Enable viewing of records in the future,
  regardless of systems that created them
• Specifies methods to capture records from desktop
  and business systems
• Specifies ways to capture meta data
• Preserves contextual relationships
• Details audit trail methodologies so that changes
  to records are detectable

19
DOMEA (Germany)

• Document Management and Electronic Archiving
• RM for case files
• Governs
• Completeness, integrity and authenticity of
  official records, to guard against official
  documents being altered, changed, removed,
  destroyed or deleted.
• The records principle of public administration,
  i.e., documents are organized in subject files.
• Maintenance of adequate and proper documentation
  for accountability and lawfulness of
  administrative procedures.

20
RM Standards Summary
RM STANDARDS
Formal Certification Programs
21
ISO 15489 - Part 1 General

• Applies to the management of records, in all
  formats or media, created or received by any
  public or private organization in the conduct of
  its activities, or any individual with a duty to
  create and maintain records
• Provides guidance on determining the
  responsibilities of organizations for records and
  records policies, procedures, systems and
  processes
• Provides guidance on records management in
  support of a quality process framework to comply
  with other ISO standards
• Provides guidance on the design and
  implementation of a records system

22
ISO 15489 Part 2 Guideline

• Provides guidance on implementing the policies
  and procedures in Part 1
• Developing Policies and Procedures
• Formulating Records Management Strategies
• Designing the Records Management Program Elements
• Implementing the Solution
• Establishing Processes and Controls
• Programs to Monitor and Audit the Program
• Training the Organization of RM Policies and
  Procedures

23
Steps to Sound Records Management

• Develop/Review Policies and Responsibilities
• Strategic Planning, Program Design and
  Implementation
• Develop Records Processes and Controls
• Monitoring and Auditing Requirements
• Planning and Executing Training Programs

24
Develop/Review Policies and Responsibilities

• Develop Records Management Policy Statements
• Documents Policies and Procedures Performed in
  the Normal Course of Business
• Authorized by Highest Level in the Organization
• Define Responsibilities and Program Authorities
• Requires Employees to Declare Records
• Ensure Records Created as Part of the Process
• Provide Transparent or Easy Access
• Provide Protection of Records
• Enforces Records Disposition Policies

25
Strategic Planning, Program Design and
Implementation
Step A Conduct preliminary investigation
Step B Analyze business activity
Step C Identify requirements for records
Step E Identify strategies to satisfy
requirements
Step F Design records system
Policy
Design
Standards
Implementation
Step D Assess existing systems
Step H Conduct post-implementation review
Step G Implement records systems
26
Strategic Planning, Program Design and
Implementation

• Conduct Preliminary Investigation
• Analyze Business Activities and Processes
• Identify Records Requirements
• Assess Existing Systems
• Develop Strategies for Meeting Records
  Requirements
• Design the Records System
• Implement the Records System
• Perform Post-Implementation Review

27
Develop Records Processes and Controls

• Instruments of Control
• Classification Scheme Based on Business Processes
• Disposition Processes
• Security and Access Controls
• Analyze Regulatory Requirements
• Perform Risk Analysis
• Identify Employ and User Permissions
• Classify Business Activities
• Create Thesaurus, Glossary
• Establish Records Disposition Authority
• Determine Documents/Objects to Classify as
  Records
• Develop Retention Schedules

28
Develop Records Processes and Controls

• Capture
• Registration
• Classification
• Access and security classification
• Identification of disposition status
• Storage
• Use and tracking
• Implementation of disposition

29
Monitoring and Auditing Requirements

• Identify Requirements for Compliance Auditing
• Determine what Evidential Weight is Necessary
• Develop Performance Metrics and Monitoring and
  Reporting Processes

30
Auditing and Monitoring
CA Database Protection Act
SOX
Patriot Act
Basel II
HIPAA
Business and Messaging Apps
Records Management
31
Auditing and Monitoring
August 2004 Industry Advisory Council White Paper
32
Auditing and Monitoring
August 2004 Industry Advisory Council White Paper
33
Auditing and Monitoring
August 2004 Industry Advisory Council White Paper
34
Auditing and Monitoring
August 2004 Industry Advisory Council White Paper
35
Planning and Executing Training Programs

• Identify Records Management Training Requirements
  for the Organization
• Determine the Personnel that Must be Trained
• Managers, including senior managers,
• Employees,
• Contractors,
• Volunteers,
• Other personnel who have a responsibility to
  create or use records
• Provide Records Management Professionals Training
• Determine Training Methods
• Evaluate Effectiveness of Training

36
Key Take-Aways

• Records Management is a journey
• RM Software applications are tools, not a
  substitute for policy
• The ISO Standard 15489 serves as an excellent
  model for an RM program