Developing a Standards-Based Records Management Program
Frank McGovern, Product Marketing Engineer

Agenda
• Trends and Challenges in RM
• Defining and Positioning RM
• Overview of Relevant RM Standards
• Using ISO 15489
• Key Take-Aways

Records Management Trends
• Decline in number of staff specializing in filing
• Investment in Software functionality that creates records is growing
• Mission critical records are often not sharable, retrievable or useable
• Copies proliferate; data conflicts or is unreliable
• Email often replaces phone conversations, meetings and formal written communication
• Instant Messaging increasingly replaces email
• Litigation and discovery costs skyrocketing
• Authenticity is questioned
• Premature destruction
NARA

The Challenge of Electronic Records
• Authenticity – Over Time
• Variety – 4,800+ Different Types of E-Record Formats
• Complexity – Increasingly Sophisticated Formats
• Volume – Vast Quantities of Records
• Obsolescence – Constantly Changing Technology
• User Expectations – Evolving, Unrelenting
NARA

Effective Records Management:
• Simultaneous attention to People, Process and Technology
• Integrating Records Management into an Organization’s Business Processes and IT Governance and Applications
NARA

Defining a Record
• Recorded information
• Made or received by an organization
• Regarding legal obligations or transactions
• Evidence of operations
• Has value requiring retention for a specific period of time
• Regardless of recording format, medium or characteristics

Characteristics of a Record
• Authenticity – It is what it says it is.
• Reliability – It can be trusted as a full and accurate representation of the transactions or facts.
• Integrity – It is complete and unaltered.
• Usability – It can be located, retrieved, presented and interpreted
ISO 15489

RM from 10,000 Feet
• Supports event and time based retention rules
• Structured file plan organizes records and manages, enforces complex policies/rules
• Enables legal holds, facilitates audit and electronic evidence discovery
• All processes are audited and managed
• Ensures record authenticity, integrity and contextual relationships

RM from 10,000 Feet
• Preserves records over time and ensures reliability
• Ensures record access, retrieval and usefulness
• Prevents unauthorized deletion
• Ensures timely disposition and complete record expungement
• Ensures privacy and record security policy management
• Supports physical records

Records Management Standards
• DoD Standard 5015.2
• ISO Standard 15489
• ANSI/ARMA 9-2004
• VERS
• DOMEA
• MOREQ

DoD 5015.2
• RM Software Certification and Testing Program
• DoD certification required for software sales to Department of Defense, National Archives and Records Administration (NARA), federal government agencies
• De facto industry standard
• Key Sections
  • Definitions
  • Mandatory Requirements
    • General
    • Detailed
  • Non-Mandatory Features
    • Requirements defined by the Acquiring Organizations
    • Other Useful Features
  • Classified (Secret) Records

Impact of DoD 5015.2 Standard
• Adoption and recognition by vendor community
  • 50+ Vendors/Products Currently Certified
    • Standalone (RM only)
    • Product pairings (RM + ECM Suite)
    • Multiple Versions (Certification valid for 2 years)
    • Multiple Environments (Oracle/MS SQL/DB2)
  • 45 Vendors/Products Scheduled
• Mandatory for most government opportunities
• Mandatory/highly desirable for most Fortune 1000 Companies and others
• FileNet Records Manager is certified (Chapter 2)

ISO Standard 15489
• Information and Documentation, Records Management
  • Part I – General
  • Part II – Guidelines
• Important standard, gaining momentum throughout world
• Framework for records program design in many industries

Key Points
• Principles of Records Management Programs
  • Determining which records should be created
  • Deciding form and structure
  • Metadata requirements
  • Retrieval requirements
  • How to organize records
  • Assessing risks
  • Preserving records
  • Complying with legal and regulatory requirements
  • Security
  • Records retention
  • Improvement opportunities

Impact
• UK National Archives has formally adopted ISO 15489
  • Embraced in many UK FOI deployments
• Foundation for US NARA’s Strategic Redesign of RM
• Adopted by Australian Federal Government
  • Used by Auditor General to monitor Government performance
• Translated in many Languages
• Recognized by ARMA
• Basis of FileNet’s RM Best Practices

MOREQ (European Union)
• Model Requirements for the Management of Electronic Records
• Focus on the functional requirements for electronic records management systems—390 requirements
• Key areas:
  • Classification Schemes
  • Controls and Security
  • Retention and Disposal
  • Capturing Records
  • Referencing
  • Searching, Retrieval, and Rendering
  • Administrative Functions

ANSI/ARMA 9-2004 – Email Standard
• Requirements for Managing Electronic Messages as Records
• Describes
  • Retention and Disposition IAW Records Retention Schedule
  • Acceptable Use
  • Access and Retrieval
  • Appropriate Security Measures
  • Network Security
  • Protection of Confidential Information
  • Identification and Protection of Vital Records
  • Remote Access
  • Back-Up
  • Metadata Capture
  • Audit Trails
  • Anti-Virus Protection
• No certification program

VERS Standard (Australia)
• Victorian Electronic Records Strategy
• Generic, extensible standard
• Works with existing recordkeeping and business practices
• Ensures records preservation
• Enable viewing of records in the future, regardless of systems that created them
• Specifies methods to capture records from desktop and business systems
• Specifies ways to capture metadata
• Preserves contextual relationships
• Details audit trail methodologies so that changes to records are detectable

DOMEA (Germany)
• Document Management and Electronic Archiving
• RM for case files
• Governs
  • Completeness, integrity and authenticity of official records, to guard against official documents being altered, changed, removed, destroyed or deleted.
  • The records principle of public administration, i.e., documents are organized in subject files.
  • Maintenance of adequate and proper documentation for accountability and lawfulness of administrative procedures.

RM Standards Summary
Products: DoD 5015.2*, VERS*, DOMEA*, MOREQ*
Program: ISO 15489, ANSI/ARMA 9-2004
* Formal Certification Programs

ISO 15489 – Part 1 General
• Applies to the management of records, in all formats or media, created or received by any public or private organization in the conduct of its activities, or any individual with a duty to create and maintain records
• Provides guidance on determining the responsibilities of organizations for records and records policies, procedures, systems and processes
• Provides guidance on records management in support of a quality process framework to comply with other ISO standards
• Provides guidance on the design and implementation of a records system

ISO 15489 – Part 2 Guideline
• Provides guidance on implementing the policies and procedures in Part 1
  • Developing Policies and Procedures
  • Formulating Records Management Strategies
  • Designing the Records Management Program Elements
  • Implementing the Solution
  • Establishing Processes and Controls
  • Programs to Monitor and Audit the Program
  • Training the Organization of RM Policies and Procedures

Steps to Sound Records Management
• Develop/Review Policies and Responsibilities
• Strategic Planning, Program Design and Implementation
• Develop Records Processes and Controls
• Monitoring and Auditing Requirements
• Planning and Executing Training Programs

Develop/Review Policies and Responsibilities
• Develop Records Management Policy Statements
  • Documents Policies and Procedures Performed in the Normal Course of Business
  • Authorized by Highest Level in the Organization
• Define Responsibilities and Program Authorities
  • Requires Employees to Declare Records
  • Ensure Records Created as Part of the Process
  • Provide Transparent or Easy Access
  • Provide Protection of Records
  • Enforces Records Disposition Policies

Strategic Planning, Program Design and Implementation
Step A: Conduct preliminary investigation
Step B: Analyze business activity
Step C: Identify requirements for records
Step D: Assess existing systems
Step E: Identify strategies to satisfy requirements
Step F: Design records system
Step G: Implement records systems
Step H: Conduct post-implementation review
Figure labels: Policy, Standards, Implementation, Design

Strategic Planning, Program Design and Implementation
• Conduct Preliminary Investigation
• Analyze Business Activities and Processes
• Identify Records Requirements
• Assess Existing Systems
• Develop Strategies for Meeting Records Requirements
• Design the Records System
• Implement the Records System
• Perform Post-Implementation Review

Develop Records Processes and Controls
• Instruments of Control
  • Classification Scheme Based on Business Processes
  • Disposition Processes
  • Security and Access Controls
  • Analyze Regulatory Requirements
  • Perform Risk Analysis
  • Identify Employee and User Permissions
• Classify Business Activities
• Create Thesaurus, Glossary
• Establish Records Disposition Authority
• Determine Documents/Objects to Classify as Records
• Develop Retention Schedules

Develop Records Processes and Controls
• Capture
• Registration
• Classification
• Access and security classification
• Identification of disposition status
• Storage
• Use and tracking
• Implementation of disposition

Monitoring and Auditing Requirements
• Identify Requirements for Compliance Auditing
• Determine what Evidential Weight is Necessary
• Develop Performance Metrics and Monitoring and Reporting Processes

Auditing and Monitoring
Figure labels: SOX, Patriot Act, HIPAA, CA Database Protection Act, Basel II; Business and Messaging Apps; Records Management; Policies, Controls and Process; Evidence and Proof

Auditing and Monitoring
| Measurement Category | Metric | Capture Method | Capture Medium | Capture Burden | Comments |
|---|---|---|---|---|---|
| Access to Services | Hours of Operation | Manual | Periodic Audit | Low | Almost certainly greatly improved with automation |
| Access to Services | Access Points | Automated | System | Low | Almost certainly greatly improved with automation |
| Accuracy | Percentage of Records correctly declared | Manual | Periodic Audit | High | Measure of Quality |
| Accuracy | Percentage of Records correctly classified | Manual | Periodic Audit | High | Measure of Quality |
| Capacity | Size of Holdings (i.e. number of records) | Automated | System | Low | No indication of Quality |
| Efficiency | Ease of performing daily tasks | Manual | Survey | High | Purely subjective but indicative of success and acceptance of electronic records management |
August 2004 Industry Advisory Council White Paper

Auditing and Monitoring
| Measurement Category | Metric | Capture Method | Capture Medium | Capture Burden | Comments |
|---|---|---|---|---|---|
| Participation | Number of Seats | Automated | System | Low | No indication of Quality |
| Participation | Number of People Declaring Records | Manual | Live Oversight | Medium | Indicative of Acceptance of the System |
| Participation | Number of People Classifying Records | Manual | Live Oversight | Medium | Indicative of Acceptance of the System |
| Participation | Number of People Retrieving Records | Manual | Live Oversight | Medium | Indicative of Acceptance of the System |
| Productivity | Number of Requests Processed Each Week | Automated | System | Low for one system, high across the enterprise | Difficult to measure enterprise-wide across multiple processes |
| Search and Retrieval | System Search Time | Automated | System | Low | No indication of Quality |
| Search and Retrieval | System Retrieval Time | Automated | System | Low | No indication of Quality |
| Search and Retrieval | Number of Successful Searches | Automated | System | Low | Difficult to interpret; returned result is not necessarily the desired result |
| Search and Retrieval | Number of Search Indexes | Automated | System | Low | Indicator of complexity and therefore ease of use |
| Search and Retrieval | Number of Classification Categories | Automated | System | Low | Indicator of complexity and therefore ease of use |
August 2004 Industry Advisory Council White Paper

Auditing and Monitoring
| Measurement Category | Metric | Capture Method | Capture Medium | Capture Burden | Comments |
|---|---|---|---|---|---|
| System | Throughput (i.e. transactions per hour or per unit of time) | Automated | System | Low | Measures IT performance not success of ERM |
| System | Response Time (i.e. time to retrieve a record) | Automated | System | Low | Measures IT performance not success of ERM |
| System | Availability (i.e. system uptime) | Automated | System | Low | Measures IT performance not success of ERM |
| User Satisfaction | User satisfaction rating | Manual | Survey | High | Nearly universal metric for ERM exemplars |
August 2004 Industry Advisory Council White Paper

Auditing and Monitoring
| Measurement Category | Metric | Capture Method | Capture Medium | Capture Burden | Comments |
|---|---|---|---|---|---|
| Utilization | Number of People Retrieving Records | Automated | System | Low | Indicative of Acceptance of the System, no indication of success or satisfaction |
| Utilization | Virtual Visitors | Automated | System | Low | Indicative of Acceptance of the System, no indication of success or satisfaction |
| Legal | Numbers and types of process violations that are caught, missed, and/or are attempted | Semi-Automatic | System | Medium | Measure of accuracy and quality of the ERM processes with potential legal weight, significance, and bearing |
| Legal | Fraction of the inventory of electronic records within an ERM system that is in the wrong state | Semi-Automatic | System | Medium-High | Indicative of the quality of the processes and services provided within an ERM system |
August 2004 Industry Advisory Council White Paper

Planning and Executing Training Programs
• Identify Records Management Training Requirements for the Organization
• Determine the Personnel that Must be Trained
  • Managers, including senior managers,
  • Employees,
  • Contractors,
  • Volunteers,
  • Other personnel who have a responsibility to create or use records
• Provide Records Management Professionals Training
• Determine Training Methods
• Evaluate Effectiveness of Training

Key Take-Aways
• Records Management is a journey
• RM Software applications are tools, not a substitute for policy
• The ISO Standard 15489 serves as an excellent model for an RM program