Developing a Standards-Based Records Management Program

Frank McGovern, Product Marketing Engineer



Agenda

Trends and Challenges in RM
Defining and Positioning RM
Overview of Relevant RM Standards

Using ISO 15489


Key Take-Aways

Records Management Trends



Decline in number of staff specializing in filing
Investment in Software functionality that creates records is growing
Mission critical records are often not sharable, retrievable or useable
Copies proliferate; data conflicts or is unreliable
Email often replaces phone conversations, meetings and formal written communication
Instant Messaging increasingly replaces email
Litigation and discovery costs skyrocketing
Authenticity is questioned
Premature destruction

NARA

The Challenge of Electronic Records

Authenticity Over Time

Variety: 4,800+ Different Types of E-Record Formats
Complexity: Increasingly Sophisticated Formats
Volume: Vast Quantities of Records
Obsolescence: Constantly Changing Technology
User Expectations: Evolving, Unrelenting

NARA

Effective Records Management:

Simultaneous attention to People, Process and Technology
Integrating Records Management into an Organization's Business Processes and IT Governance and Applications

NARA

Defining a Record

Recorded information
Made or received by an organization
Regarding legal obligations or transactions
Evidence of operations
Has value requiring retention for a specific period of time
Regardless of recording format, medium or characteristics

Characteristics of a Record

Authenticity: It is what it says it is.
Reliability: It can be trusted as a full and accurate representation of the transactions or facts.
Integrity: It is complete and unaltered.
Usability: It can be located, retrieved, presented and interpreted.

ISO 15489

RM from 10,000 Feet

Supports event and time based retention rules
Structured file plan organizes records and manages, enforces complex policies/rules
Enables legal holds, facilitates audit and electronic evidence discovery
All processes are audited and managed
Ensures record authenticity, integrity and contextual relationships

RM from 10,000 Feet

Preserves records over time and ensures reliability
Ensures record access, retrieval and usefulness
Prevents unauthorized deletion
Ensures timely disposition and complete record expungement
Ensures privacy and record security policy management
Supports physical records

Records Management Standards

DoD Standard 5015.2
ISO Standard 15489
ANSI/ARMA 9-2004
VERS
DOMEA
MOREQ

DoD 5015.2

RM Software Certification and Testing Program
DoD certification required for software sales to Department of Defense, National Archives and Records Administration (NARA), federal government agencies
De facto industry standard
Key Sections
  Definitions
  Mandatory Requirements
    General
    Detailed
  Non-Mandatory Features
    Requirements defined by the Acquiring Organizations
    Other Useful Features
  Classified (Secret) Records

Impact of DoD 5015.2 Standard

Adoption and recognition by vendor community

50+ Vendors/Products Currently Certified


Standalone (RM only)
Product pairings (RM + ECM Suite)
Multiple Versions (Certification valid for 2 years)
Multiple Environments (Oracle/MS SQL/DB2)

45 Vendors/Products Scheduled

Mandatory for most government opportunities

Mandatory/highly desirable for most Fortune 1000 Companies and others


FileNet Records Manager is certified (Chapter 2)

ISO Standard 15489

Information and Documentation, Records Management

Part I: General
Part II: Guidelines

Important standard, gaining momentum throughout world
Framework for records program design in many industries

Key Points

Principles of Records Management Programs


Determining which records should be created
Deciding form and structure
Metadata requirements
Retrieval requirements
How to organize records
Assessing risks
Preserving records
Complying with legal and regulatory requirements
Security
Records retention
Improvement opportunities

Impact

UK National Archives has formally adopted ISO 15489

Embraced in many UK FOI deployments

Foundation for US NARA's Strategic Redesign of RM

Adopted by Australian Federal Government

Used by Auditor General to monitor Government performance

Translated in many Languages
Recognized by ARMA
Basis of FileNet's RM Best Practices

MOREQ (European Union)

Model Requirements for the Management of Electronic Records

Focus on the functional requirements for electronic records management systems: 390 requirements

Key areas:
Classification Schemes
Controls and Security
Retention and Disposal
Capturing Records
Referencing
Searching, Retrieval, and Rendering
Administrative Functions

ANSI/ARMA 9-2004 Email Standard

Requirements for Managing Electronic Messages as Records

Describes

Retention and Disposition IAW Records Retention Schedule
Acceptable Use
Access and Retrieval
Appropriate Security Measures
Network Security
Protection of Confidential Information
Identification and Protection of Vital Records
Remote Access
Back-Up
Metadata Capture
Audit Trails
Anti-Virus Protection

No certification program

VERS Standard (Australia)

Victorian Electronic Records Strategy

Generic, extensible standard


Works with existing recordkeeping and business practices

Ensures records preservation


Enable viewing of records in the future, regardless of systems that created them

Specifies methods to capture records from desktop and business systems

Specifies ways to capture metadata

Preserves contextual relationships

Details audit trail methodologies so that changes to records are detectable

DOMEA (Germany)

Document Management and Electronic Archiving

RM for case files

Governs:
Completeness, integrity and authenticity of official records, to guard against official documents being altered, changed, removed, destroyed or deleted.
The records principle of public administration, i.e., documents are organized in subject files.
Maintenance of adequate and proper documentation for accountability and lawfulness of administrative procedures.

RM Standards Summary
Products: DoD 5015.2*, VERS*, DOMEA*, MOREQ*
Program: ISO 15489, ANSI/ARMA 9-2004

*Formal Certification Programs

ISO 15489 - Part 1 General

Applies to the management of records, in all formats or media, created or received by any public or private organization in the conduct of its activities, or any individual with a duty to create and maintain records

Provides guidance on determining the responsibilities of organizations for records and records policies, procedures, systems and processes

Provides guidance on records management in support of a quality process framework to comply with other ISO standards

Provides guidance on the design and implementation of a records system

ISO 15489 Part 2 Guideline

Provides guidance on implementing the policies and procedures in Part 1

Developing Policies and Procedures
Formulating Records Management Strategies
Designing the Records Management Program Elements
Implementing the Solution
Establishing Processes and Controls
Programs to Monitor and Audit the Program
Training the Organization of RM Policies and Procedures

Steps to Sound Records Management

Develop/Review Policies and Responsibilities
Strategic Planning, Program Design and Implementation
Develop Records Processes and Controls
Monitoring and Auditing Requirements
Planning and Executing Training Programs

Develop/Review Policies and Responsibilities

Develop Records Management Policy Statements

  Documents Policies and Procedures Performed in the Normal Course of Business
  Authorized by Highest Level in the Organization

Define Responsibilities and Program Authorities

  Requires Employees to Declare Records
  Ensure Records Created as Part of the Process
  Provide Transparent or Easy Access
  Provide Protection of Records
  Enforces Records Disposition Policies

Strategic Planning, Program Design and Implementation


Step A: Conduct preliminary investigation
Step B: Analyze business activity
Step C: Identify requirements for records
Step D: Assess existing systems
Step E: Identify strategies to satisfy requirements
Step F: Design records system
Step G: Implement records systems
Step H: Conduct post-implementation review

[Diagram labels: Policy, Design, Standards, Implementation]

Strategic Planning, Program Design and Implementation



Conduct Preliminary Investigation
Analyze Business Activities and Processes
Identify Records Requirements
Assess Existing Systems
Develop Strategies for Meeting Records Requirements
Design the Records System
Implement the Records System
Perform Post-Implementation Review

Develop Records Processes and Controls

Instruments of Control
Classification Scheme Based on Business Processes
Disposition Processes
Security and Access Controls
Analyze Regulatory Requirements
Perform Risk Analysis
Identify Employee and User Permissions

Classify Business Activities
Create Thesaurus, Glossary
Establish Records Disposition Authority
Determine Documents/Objects to Classify as Records
Develop Retention Schedules

Develop Records Processes and Controls


Capture
Registration
Classification
Access and security classification
Identification of disposition status
Storage
Use and tracking
Implementation of disposition

Monitoring and Auditing Requirements



Identify Requirements for Compliance Auditing
Determine what Evidential Weight is Necessary
Develop Performance Metrics and Monitoring and Reporting Processes

Auditing and Monitoring

[Diagram labels: CA Database Protection Act, Patriot Act, Basel II, HIPAA, SOX; Policies, Controls and Process; Business and Messaging Apps; Records Management; Evidence and Proof]

Auditing and Monitoring


| Measurement Category | Metric | Capture Method | Capture Medium | Capture Burden | Comments |
|---|---|---|---|---|---|
| Access to Services | Hours of Operation | Manual | Periodic Audit | Low | Almost certainly greatly improved with automation |
| Access to Services | Access Points | Automated | System | Low | Almost certainly greatly improved with automation |
| Accuracy | Percentage of Records correctly declared | Manual | Periodic Audit | High | Measure of Quality |
| Accuracy | Percentage of Records correctly classified | Manual | Periodic Audit | High | Measure of Quality |
| Capacity | Size of Holdings (i.e. number of records) | Automated | System | Low | No indication of Quality |
| Efficiency | Ease of performing daily tasks | Manual | Survey | High | Purely subjective but indicative of success and acceptance of electronic records management |

August 2004 Industry Advisory Council White Paper

Auditing and Monitoring


| Measurement Category | Metric | Capture Method | Capture Medium | Capture Burden | Comments |
|---|---|---|---|---|---|
| Participation | Number of Seats | Automated | System | Low | No indication of Quality |
| Participation | Number of People Declaring Records | Manual | Live Oversight | Medium | Indicative of Acceptance of the System |
| Participation | Number of People Classifying Records | Manual | Live Oversight | Medium | Indicative of Acceptance of the System |
| Participation | Number of People Retrieving Records | Manual | Live Oversight | Medium | Indicative of Acceptance of the System |
| Productivity | Number of Requests Processed Each Week | Automated | System | Low for one system, high across the enterprise | Difficult to measure enterprise-wide across multiple processes |
| Search and Retrieval | System Search Time | Automated | System | Low | No indication of Quality |
| Search and Retrieval | System Retrieval Time | Automated | System | Low | No indication of Quality |
| Search and Retrieval | Number of Successful Searches | Automated | System | Low | Difficult to interpret; returned result is not necessarily the desired result |
| Search and Retrieval | Number of Search Indexes | Automated | System | Low | Indicator of complexity and therefore ease of use |
| Search and Retrieval | Number of Classification Categories | Automated | System | Low | Indicator of complexity and therefore ease of use |

August 2004 Industry Advisory Council White Paper

Auditing and Monitoring

| Measurement Category | Metric | Capture Method | Capture Medium | Capture Burden | Comments |
|---|---|---|---|---|---|
| System | Throughput (i.e. transactions per hour or per unit of time) | Automated | System | Low | Measures IT performance not success of ERM |
| System | Response Time (i.e. time to retrieve a record) | Automated | System | Low | Measures IT performance not success of ERM |
| System | Availability (i.e. system uptime) | Automated | System | Low | Measures IT performance not success of ERM |
| User Satisfaction | User satisfaction rating | Manual | Survey | High | Nearly universal metric for ERM exemplars |

August 2004 Industry Advisory Council White Paper

Auditing and Monitoring


| Measurement Category | Metric | Capture Method | Capture Medium | Capture Burden | Comments |
|---|---|---|---|---|---|
| Utilization | Number of People Retrieving Records | Automated | System | Low | Indicative of Acceptance of the System, no indication of success or satisfaction |
| Utilization | Virtual Visitors | Automated | System | Low | Indicative of Acceptance of the System, no indication of success or satisfaction |
| Legal | Numbers and types of process violations that are caught, missed, and/or are attempted | Semi-Automatic | System | Medium | Measure of accuracy and quality of the ERM processes with potential legal weight, significance, and bearing |
| Legal | Fraction of the inventory of electronic records within an ERM system that is in the wrong state | Semi-Automatic | System | Medium-High | Indicative of the quality of the processes and services provided within an ERM system |

August 2004 Industry Advisory Council White Paper

Planning and Executing Training Programs



Identify Records Management Training Requirements for the Organization
Determine the Personnel that Must be Trained
  Managers, including senior managers, Employees, Contractors, Volunteers, Other personnel who have a responsibility to create or use records
Provide Records Management Professionals Training
Determine Training Methods
Evaluate Effectiveness of Training

Key Take-Aways

Records Management is a journey

RM Software applications are tools, not a substitute for policy

The ISO Standard 15489 serves as an excellent model for an RM program
