FileNet Presentation

Developing a Standards-Based Records Management Program
Frank McGovern
Product Marketing Engineer

Agenda
• Trends and Challenges in RM
• Defining and Positioning RM
• Overview of Relevant RM Standards
• Using ISO 15489
• Key Take-Aways

Records Management Trends
• Decline in number of staff specializing in filing
• Investment in Software functionality that creates records is growing
• Mission critical records are often not sharable, retrievable or useable
• Copies proliferate; data conflicts or is unreliable
• Email often replaces phone conversations, meetings and formal written communication
• Instant Messaging increasingly replaces email
• Litigation and discovery costs skyrocketing
• Authenticity is questioned
• Premature destruction
NARA

The Challenge of Electronic Records
• Authenticity – Over Time
• Variety – 4,800+ Different Types of E-Record Formats
• Complexity – Increasingly Sophisticated Formats
• Volume – Vast Quantities of Records
• Obsolescence – Constantly Changing Technology
• User Expectations – Evolving, Unrelenting
NARA

Effective Records Management:
• Simultaneous attention to People, Process and Technology
• Integrating Records Management into an Organization’s Business Processes and IT Governance and Applications
NARA

Defining a Record
• Recorded information
• Regardless of recording format, medium or characteristics
• Made or received by an organization
• Regarding legal obligations or transactions
• Evidence of operations
• Has value requiring retention for a specific period of time

Characteristics of a Record
• Authenticity – It is what it says it is.
• Integrity – It is complete and unaltered.
• Reliability – It can be trusted as a full and accurate representation of the transactions or facts.
• Usability – It can be located, retrieved, presented and interpreted.
ISO 15489

RM from 10,000 Feet
• Supports event and time based retention rules
• Enables legal holds, facilitates audit and electronic evidence discovery
• All processes are audited and managed
• Structured file plan organizes records and manages, enforces complex policies/rules
• Ensures record authenticity, integrity and contextual relationships

RM from 10,000 Feet
• Preserves records over time and ensures reliability
• Ensures privacy and record security policy management
• Supports physical records
• Ensures record access, retrieval and usefulness
• Prevents unauthorized deletion
• Ensures timely disposition and complete record expungement

Records Management Standards
• DoD Standard 5015.2
• ISO Standard 15489
• ANSI/ARMA 9-2004
• VERS
• DOMEA
• MOREQ

DoD 5015.2
• RM Software Certification and Testing Program
• DoD certification required for software sales to Department of Defense, National Archives and Records Administration (NARA), federal government agencies
• De facto industry standard
• Key Sections
  • Definitions
  • Mandatory Requirements
    • General
    • Detailed
  • Non-Mandatory Features
    • Requirements defined by the Acquiring Organizations
    • Other Useful Features
  • Classified (Secret) Records

Impact of DoD 5015.2 Standard
• Adoption and recognition by vendor community
• 50+ Vendors/Products Currently Certified
• Standalone (RM only)
• Product pairings (RM + ECM Suite)
• Multiple Versions (Certification valid for 2 years)
• Multiple Environments (Oracle/MS SQL/DB2)
• 45 Vendors/Products Scheduled
• Mandatory for most government opportunities
• FileNet Records Manager is certified (Chapter 2)
• Mandatory/highly desirable for most Fortune 1000 Companies and others

ISO Standard 15489
• Information and Documentation, Records Management
• Part I – General
• Part II – Guidelines
• Important standard, gaining momentum throughout world
• Framework for records program design in many industries

Key Points
• Principles of Records Management Programs
• Determining which records should be created
• Deciding form and structure
• Metadata requirements
• Retrieval requirements
• How to organize records
• Assessing risks
• Preserving records
• Complying with legal and regulatory requirements
• Security
• Records retention
• Improvement opportunities

Impact
• UK National Archives has formally adopted ISO 15489
• Embraced in many UK FOI deployments
• Foundation for US NARA’s Strategic Redesign of RM
• Adopted by Australian Federal Government
• Used by Auditor General to monitor Government performance
• Translated in many Languages
• Recognized by ARMA
• Basis of FileNet’s RM Best Practices

MOREQ (European Union)
• Model Requirements for the Management of Electronic Records
• Focus on the functional requirements for electronic records management systems—390 requirements
• Key areas:
  • Classification Schemes
  • Controls and Security
  • Retention and Disposal
  • Capturing Records
  • Referencing
  • Searching, Retrieval, and Rendering
  • Administrative Functions

ANSI/ARMA 9-2004 – Email Standard
• Requirements for Managing Electronic Messages as Records
• Describes
  • Retention and Disposition IAW Records Retention Schedule
  • Acceptable Use
  • Access and Retrieval
  • Appropriate Security Measures
  • Network Security
  • Protection of Confidential Information
  • Identification and Protection of Vital Records
  • Remote Access
  • Back-Up
  • Metadata Capture
  • Audit Trails
  • Anti-Virus Protection
• No certification program

VERS Standard (Australia)
• Victorian Electronic Records Strategy
• Generic, extensible standard
  • Works with existing recordkeeping and business practices
• Ensures records preservation
  • Enables viewing of records in the future, regardless of systems that created them
• Specifies methods to capture records from desktop and business systems
• Specifies ways to capture metadata
  • Preserves contextual relationships
• Details audit trail methodologies so that changes to records are detectable

DOMEA (Germany)
• Document Management and Electronic Archiving
• RM for case files
• Governs
  • Completeness, integrity and authenticity of official records, to guard against official documents being altered, changed, removed, destroyed or deleted.
  • The records principle of public administration, i.e., documents are organized in subject files.
  • Maintenance of adequate and proper documentation for accountability and lawfulness of administrative procedures.

RM Standards Summary
RM STANDARDS (diagram groups: Products, Program)
• DoD 5015.2*
• ISO 15489
• VERS*
• ANSI/ARMA 9-2004
• DOMEA*
• MOREQ*
*Formal Certification Programs

ISO 15489 - Part 1 General
• Applies to the management of records, in all formats or media, created or received by any public or private organization in the conduct of its activities, or any individual with a duty to create and maintain records
• Provides guidance on determining the responsibilities of organizations for records and records policies, procedures, systems and processes
• Provides guidance on records management in support of a quality process framework to comply with other ISO standards
• Provides guidance on the design and implementation of a records system

ISO 15489 – Part 2 Guideline
• Provides guidance on implementing the policies and procedures in Part 1
• Developing Policies and Procedures
• Formulating Records Management Strategies
• Designing the Records Management Program Elements
• Implementing the Solution
• Establishing Processes and Controls
• Programs to Monitor and Audit the Program
• Training the Organization on RM Policies and Procedures

Steps to Sound Records Management
• Develop/Review Policies and Responsibilities
• Strategic Planning, Program Design and Implementation
• Develop Records Processes and Controls
• Monitoring and Auditing Requirements
• Planning and Executing Training Programs

Develop/Review Policies and Responsibilities
• Develop Records Management Policy Statements
• Documents Policies and Procedures Performed in the Normal Course of Business
• Authorized by Highest Level in the Organization
• Define Responsibilities and Program Authorities
• Requires Employees to Declare Records
• Ensure Records Created as Part of the Process
• Provide Transparent or Easy Access
• Provide Protection of Records
• Enforces Records Disposition Policies

Strategic Planning, Program Design and Implementation
Step A: Conduct preliminary investigation
Step B: Analyze business activity
Step C: Identify requirements for records
Step D: Assess existing systems
Step E: Identify strategies to satisfy requirements
Step F: Design records system
Step G: Implement records systems
Step H: Conduct post-implementation review
[Diagram labels: Policy, Standards, Design, Implementation]

Strategic Planning, Program Design and Implementation
• Conduct Preliminary Investigation
• Analyze Business Activities and Processes
• Identify Records Requirements
• Assess Existing Systems
• Develop Strategies for Meeting Records Requirements
• Design the Records System
• Implement the Records System
• Perform Post-Implementation Review

Develop Records Processes and Controls
• Instruments of Control
• Classification Scheme Based on Business Processes
• Disposition Processes
• Security and Access Controls
• Analyze Regulatory Requirements
• Perform Risk Analysis
• Identify Employee and User Permissions
• Classify Business Activities
• Create Thesaurus, Glossary
• Establish Records Disposition Authority
• Determine Documents/Objects to Classify as Records
• Develop Retention Schedules

Develop Records Processes and Controls
• Capture
• Registration
• Classification
• Access and security classification
• Identification of disposition status
• Storage
• Use and tracking
• Implementation of disposition

Monitoring and Auditing Requirements
• Identify Requirements for Compliance Auditing
• Determine what Evidential Weight is Necessary
• Develop Performance Metrics and Monitoring and Reporting Processes

[Diagram labels: Basel II; CA Database Protection Act; HIPAA; Patriot Act; SOX; Auditing and Monitoring; Policies, Controls and Process; Business and Messaging Apps; Records Management; Evidence and Proof]

Auditing and Monitoring
| Measurement Category | Metric | Capture Method | Capture Medium | Capture Burden | Comments |
|---|---|---|---|---|---|
| Access to Services | Access Points | Automated | System | Low | Almost certainly greatly improved with automation |
| | Hours of Operation | Manual | Periodic Audit | Low | Almost certainly greatly improved with automation |
| Accuracy | Percentage of Records correctly declared | Manual | Periodic Audit | High | Measure of Quality |
| | Percentage of Records correctly classified | Manual | Periodic Audit | High | Measure of Quality |
| Capacity | Size of Holdings (i.e. number of records) | Automated | System | Low | No indication of Quality |
| Efficiency | Ease of performing daily tasks | Manual | Survey | High | Purely subjective but indicative of success and acceptance of electronic records management |
August 2004 Industry Advisory Council White Paper

Auditing and Monitoring
| Measurement Category | Metric | Capture Method | Capture Medium | Capture Burden | Comments |
|---|---|---|---|---|---|
| Participation | Number of Seats | Automated | System | Low | No indication of Quality |
| | Number of People Declaring Records | Manual | Live Oversight | Medium | Indicative of Acceptance of the System |
| | Number of People Classifying Records | Manual | Live Oversight | Medium | Indicative of Acceptance of the System |
| | Number of People Retrieving Records | Manual | Live Oversight | Medium | Indicative of Acceptance of the System |
| Productivity | Number of Requests Processed Each Week | Automated | System | Low for one system, high across the enterprise | Difficult to measure enterprise-wide across multiple processes |
| Search and Retrieval | System Search Time | Automated | System | Low | No indication of Quality |
| | System Retrieval Time | Automated | System | Low | No indication of Quality |
| | Number of Successful Searches | Automated | System | Low | Difficult to interpret; returned result is not necessarily the desired result |
| | Number of Search Indexes | Automated | System | Low | Indicator of complexity and therefore ease of use |
| | Number of Classification Categories | Automated | System | Low | Indicator of complexity and therefore ease of use |
August 2004 Industry Advisory Council White Paper

Auditing and Monitoring
| Measurement Category | Metric | Capture Method | Capture Medium | Capture Burden | Comments |
|---|---|---|---|---|---|
| System | Throughput (i.e. transactions per hour or per unit of time) | Automated | System | Low | Measures IT performance not success of ERM |
| | Response Time (i.e. time to retrieve a record) | Automated | System | Low | Measures IT performance not success of ERM |
| | Availability (i.e. system uptime) | Automated | System | Low | Measures IT performance not success of ERM |
| User Satisfaction | User satisfaction rating | Manual | Survey | High | Nearly universal metric for ERM exemplars |
August 2004 Industry Advisory Council White Paper

Auditing and Monitoring
| Measurement Category | Metric | Capture Method | Capture Medium | Capture Burden | Comments |
|---|---|---|---|---|---|
| Utilization | Number of People Retrieving Records | Automated | System | Low | Indicative of Acceptance of the System, no indication of success or satisfaction |
| | Virtual Visitors | Automated | System | Low | Indicative of Acceptance of the System, no indication of success or satisfaction |
| Legal | Numbers and types of process violations that are caught, missed, and/or are attempted | Semi-Automatic | System | Medium | Measure of accuracy and quality of the ERM processes with potential legal weight, significance, and bearing |
| | Fraction of the inventory of electronic records within an ERM system that is in the wrong state | Semi-Automatic | System | Medium-High | Indicative of the quality of the processes and services provided within an ERM system |
August 2004 Industry Advisory Council White Paper

Planning and Executing Training Programs
• Identify Records Management Training Requirements for the Organization
• Determine the Personnel that Must be Trained
  • Managers, including senior managers
  • Employees
  • Contractors
  • Volunteers
  • Other personnel who have a responsibility to create or use records
• Provide Records Management Professionals Training
• Determine Training Methods
• Evaluate Effectiveness of Training

Key Take-Aways
• Records Management is a journey
• The ISO Standard 15489 serves as an excellent model for an RM program
• RM Software applications are tools, not a substitute for policy