Presented to the Managing Health Information Conference

1
Developing a Comprehensive and Protected
Information Management Strategy

• Presented to the Managing Health Information
  Conference
• 25 October 2004, Toronto, Ontario, Canada
• Christopher J. Olsen
• Chief, Records and Classification Management
  Group
• Central Intelligence Agency

2
Records and Risk
Why You Need an Effective Records Management
Program!
3
Agenda

• Understand the Rules of Engagement
• What to Talk About
• Lessons Learned
• The Horror Story
• Ready, FIRE, AIM
• The Case Study

4
Rules of Engagement

• Nobody Leaves
• Nobody Sleeps
• Audience Questions Follow the Charismatic Church
  Format
• If the Question Moves You, Shout It Out
• If You Wish to Agree With the Speaker, the
  Appropriate Response Is Amen
• All Questions Must Not Embarrass the Speaker

5
What to Talk About

• I dont know much about Canadian Law
• I dont know much about the medical profession
• And, I dont have a magic formula for success

So, why am I here?
6
Lessons Learned
7
While in Montana
8
Lesson No. 1
Records Management is not interesting to most
people
9
While in My Car
10
Lesson No. 2
Technology is inevitable, if not ubiquitous And
often serves no real purpose
11
But, Why Me as the Speaker
12
Lesson No. 3
Failure is good!
13
Value of the Lessons

• Lessons Learned
• Lesson No. 1 RM is not interesting
• Lesson No. 2 Technology is inevitable, if not
  ubiquitous
• Lesson No. 3 Failure in good!

• Actions
• Change the message change the approach
• Records Managers must know technology partner
  with IT professionals
• Learn from what didnt work think and act
  differently

14
The Horror Story
15
Whats Scarier Than Halloween
16
(No Transcript)
17
Records Management in the News
Interior Dept. Accounting System Faulted
INS Failure Cited in Visa Case
FBI Management Will Probe Failure to Produce
Papers in McVeigh Case
Papers Found During Fifth Search at Federal
Facility Failure Blamed on Storage Lapses
Dept of Interior Admits Some Indian Trust Records
No Longer Exist
Destruction of Iran Coup Data Sparks CIA Search
for Other Missing Records
Up to 40,000 Tax Returns Lost in PA Facility
Auditors Say U.S. Agencies Lose Track of Billions
18
More News on Records Management
Schering Plough fined 500 million for
manufacturing non compliance
ENRON Official Indicted
Investigation of TYCO Operations Continues
Martha Stewart Starts Few Days at Camp Cupcake
Banc of America fined 10 million for document
production failures
5 Firms Fined 8.5 million for Failure to
Preserve e-mail
Arthur Anderson Goes Belly Up
DuPont Spends 11 million dollars producing
records it could have destroyed
19
Reflections on the Horror Stories

• No company is in business for compliance
• Unless there is a jail term or significant
  finemany organizations are not well motivated by
  fear
• Dont confuse illegal, immoral, unethical or
  stupid practices as records management failures
• A good records management will not fix illegal,
  immoral, unethical or stupid practicesit will
  identify them though
• Millions will be spent on technology to fix the
  problemand IT seldom does
• Records management and technology will be useful
  to an organization if it improves the bottom line
• A good crisis gets attentionride the wave if it
  gets you want you need

20
Ready, Fire, Aim
21
Warning Plan First, Buy Second
They dont care what you call it just fix the
information problem!
22
Unnecessary Expenses

• In 2003, US firms spent 3 billion on
  technologies to comply with Sarbanes-Oxley (SOX)
  requirements
• Health institutions, providers and health care
  insurers spending millions with vendors who offer
  Health Insurance Portability and Accountability
  Act (HIPAA) compliant products

23
What About Records and Risk

• Most organizations are producing more records
  than ever before
• Most agencies are storing more records than ever
  before
• So, wheres the risk
• Users cant find em or the find the same ones
  over and over againbusiness decisions are
  impacted
• Information sharing is frustrated and frustrating
• For every dollar spent on IT, there is less money
  for other business ventures/profit
• IT departments are desperately trying to manage
  retrieval against storage
• Migration costs are inconceivable archive medium
  is not archival
• Disaster recovery is made difficult and expensive
• New rules require stricter compliance
• Litigants are smarter than ever before

24
Getting Started

• Map the present process to the desired business
  state
• Read the law, regulations
• Go slow on bringing in technology as the fix
  (e.g. statutes seldom dictate technology)
• Form your dream team
• Diagnose the problem identify risks
• Identify the gaps and the options for remediation
• Brief the stakeholders
• Fix accountability
• Ensure your policies, practice and compliance are
  in place
• Communicate, communicate, communicate

25
Its All About the Business, Stupid

• Records Management (RM) must facilitate business
• RM must save resources for the business
• RM must be integrated in the business
• The Business is not RM, but the Business will not
  function well without RM
• Your program better address the top three issues,
  or you will not get out of the starting block

26
If Youre Driven By Risk

• Identify the risk
• Determine the impact
• Calculate the frequency or probability of the
  occurrence
• Decide on options (that limit or allow the
  company to survive the risk impact)

27
How About Defining the Gap

• Review the policies
• Are the practices consistent with the policy
• Are the technologies enabling policy and
  practices
• Are people aware of the policies and conforming
• Is there a program for ensuring awareness and
  consistency in practice (training)
• Does the audit or compliance efforts identify
  practices that are inconsistent or not followed

28
What to Expect

• You may not get management buy-in
• Fear of litigation or reprisal will get you
  attention but, will not sustain an enterprise
  records management program
• You will not be successful simply with the
  deployment of records management software
• Your records management plan must address more
  than just documents
• Your program, if properly constructed and
  effective, will take years to implement
• Without some metrics of ROI, your funding will
  end
• Without a partnership with IT, you will fail!

29
Getting Re-started

• Understand the business priorities
• Develop, then present the RM program as a
  business program with milestones and deliverables
• Focus your attention focus on a problem
• Ensure your plan is built around the source of
  information and the people who have it
• Build partnerships with the business and the
  Information Technology office
• Define measurable metrics to demonstrate success
• Status the program and herald the accomplishments
• Plan Globally, act locallyconquer the enterprise
  one office at a time

30
The Case Study
31
Fixin the MessThe Formula For Success
MP3
32
Meet the Mission With
Programs
Process
People
33
Meet the Mission With
Programs
34
The Analysis
35
Program - First StepsDesigning a Program
36
Program Prong 1Searching With No Taxonomy
37
Program Prong 1Searching With the YAHOO!
Taxonomy
38
Program- Prong 1Search Engine V. Taxonomy
39
Program Prong 1The CIA Taxonomy

40
Program Prong 1The CIA Taxonomy at All Four
Levels

41
Program Prong 2Proactive Electronic Records
Management (PERM)

• Consider deploying a records management
  application
• All records electronically filed at the desktop
• Records sent to the repository with a couple of
  mouse clicks
• Electronic files are available to work group
• Sent to an electronic repository where records
  integrity/access assured
• All files are retrievable via full-text search
• Files can be viewed alphabetically or
  hierarchically
• Consider targeting certain (not all files) for
  you RMA
• Consider this deployment as an interim step

42
Program Prong 2Sending e-mail to PERM
43
Program Prong 3The Metadata Benefits

• Metadata is the enabling technology for
• Improved coordination and decision making
• Better support to users and customers
• Data and application interoperability
• Collaboration
• Electronic information storage and management
• Improved search and access
• Integrating open source
• Multiple security level interconnection
• Enabling knowledge/content management
• Basis for XML and DTDs

44
Program Prong 3The CIA Document Object Metadata
45
Program Prong 3Searching Using the Metadata
Repository
End User via Portal
46
Program Prong 4 Electronic Recordkeeping
System (ERKS)Certification
procedures
policy
retrieval
rules
need to know
records custodian
file tag
discipline
taxonomy
archive
IMO
metadata
records control schedule
disposition
documentation
access controls
audit trail
ERKS
47
URL for CIA EKRS and Metadata
www.foia.cia.gov
48
Meet the Mission with
Process
49
The Process -Second StepEstablish, Influence,
Infiltrate Processes

• Conduct a enterprise-wide audit and present the
  findings to CIO, CFO or other senior management
• Show what you can/cannot do with resources
• Write and/or propose system development standards
  that address common records management
  concerns, like
• Disaster recovery
• Migration and disposition
• Data standardization
• Integrate RM requirements into system lifecycle
  and programmatics
• Attend the control gates of major systems

50
The Process - Second Step Market Successes, Let
Someone Else Toot Your Horn!

• Get the Word Out Through Agency Communication
  Devices
• Ask Business Owner, CTO, IT Infrastructure Chief
  to Speak About the Benefits
• Invite Big Shots From Outside the Agency to See
  Your Stuff
• Invite Big Shots From Outside the Agency to
  Embarrass your big shots
• Benchmark you Program Against that of a
  Competitor and Let Management Know the Results
• See Your Program As the Answer in Every Forum
• Look for Marketing Opportunities All Year Long

51
The Process - Second Step Get U Some Policies

• Write the e-Policies
• Examine your current policies for applicability
  to the e-records update them as necessary
• Remember, once published, few people read em
• So, youre policies must be actionable,
  including
• Mandatory training for everyone, annually
• Tied to infrastructure activity
• Validated through regular inspections

Policies without Compliance are like Laws
without Policeman
52
The Process - Second StepTough Love Policies

• No email will be kept in the users mail file for
  longer than 90 days
• No backup tapes on user email will be kept for
  more than 90 days
• No email will be archived to databases or removal
  media
• All Office Directors will be required to
• Assure users are aware of the policies
• Ensure users go to mandatory training
• Annually, affirm that he/she has directed all
  e-records to be maintained in an approved
  repository
• All capture of email, IM or other e-records for
  auditing must have the concurrence of the Senior
  Records Authority and a disposition schedule

53
Meet the Mission With
People
54
RM as a Virus in Your Organization
55
Remember the User

• Determine whats in it for her/him
• Involve the user
• Does your plan and technology follow their
  business practice

56
People Forming AllegiancesBusiness Case
Benefits

• Make the Business Case Do Not Make Records
  Management Your Mantra
• Use Whatever gets you in the door and people
  listening, e.g. Sarbanes-Oxley, HIPAA, SEC 17a
• Target a Mission Office(s) With Specific, High
  Profile Problems for Pilot and demonstrate
• Competitive Advantage
• Reduced Time to Market
• Exploitation of Information for Decision Support,
  Trends Analysis
• Protection of corporate assets
• Survival or Dominance

57
People Forming AllegiancesBusiness Case
Benefits

• Show the IT Department the Saving
• Reduced or Optimized Production and Operation
  Costs
• Demonstrate Security Features to Security Office
• Give examples of the lessened potential for
  litigation or adverse action to the Legal Staff
• Address the compliance issues associated with
  state and Federal regulations
• Trade on Your Success to Convince Other Senior
  Managers to Experiment

58
People Examining Your Talent

• Do we have the right people to implement of an
  IM program?
• How should we use and train our IM professionals
  to meet the customer challenges?
• How do we reward, advance and develop the finest
  cadre of IM professionals in private and public
  sector?

What People Do You Need for Success?
59
Getting StartedA Timeline Be Patient

• 1998
• Started File Plan Completed in 14 Months, Fully
  Vetted With Customer
• Began Strategic Campaign for Four Prong Approach
  and for New Hires
• 1999
• Started Metadata Completed in 10 Months
• Metadata Adopted As an Agency Standard
• First Delivery of PERM

60
Got StartedA Timeline - Progress

• 2000
• Agency File Plan and ERKS Adopted As Standard
• PERM Program Office Operational
• Aggressive Marketing to CIO
• Every Information Management Officer Required to
  Delivery File Plan Tied to Award System
• Five Mission Systems ERKSd
• 2001
• PERM Announced As Strategic Direction in CIO
• Early Technical Alliances Formed
• New records officials arrive w/ MLS, MIS, MCS

61
Really StartedA Timeline More Progress

• 2001 (Continued)
• ERKS and Metadata Standard Become Part of Agency
  Governance Board
• Agency Data Steward and Records Management Office
  Form Partnership for Metadata
• Intelligence Community Establishes an IC Markup
  Language
• 2002
• PERM in Every Agency Directorate
• Records Management Office Is XML Stewart for the
  Agency
• Hired 42 New RM Officers

62
Starting to Finish Phase 1

• 2003
• Deployed PERM to over 5000 users
• Will Complete PERM deployment to Agency
• Demonstrated Taxonomy and Categorization Tool
  Against Business Problem
• Import Shared Drive Contents to PERM Using
  Categorization Software
• Defined the Front-end and Back-end RM
  Functionality for Automated Information Systems

63
Started Phase II

• 2004
• Intensifying training
• Reassessing the RMA Deployment and Further
  Enhancements
• Investing in Auto categorization
• Marketing capability
• Securing Partnerships
• Securing Additional Funding
• Securing Agreements with Program Managers
  Building Mission Repositories for Design and Data
  Exploitation
• Briefed CIO and Infrastructure Officers on New
  Content Management Concept

64
Phase III - The Plan for FY05

• Targeted use of PERM
• Better metrics for ROI or worse case, to scare
  the pants off management
• Continued targeted support to mission elements
• Production version of the auto-categorization
  plug-in
• Complete PERM files for certain customers
• Early version of the e-mail/SAMETIME capture
  repository

65
The Triad for Success
66
Resources

• www.ARMA.org
• www.Cohasset.com
• http//www.foia.cia.gov/

67
Oh, Canada
Got Any Questions?
68
Thank You!