Records management
This chapter provides an overview of records management. We describe the concept of a record, the importance of records management, and how it relates to information lifecycle governance.
We cover the following topics:
Planning an information lifecycle governance program
Records Management Maturity Model
Organizational readiness
Records Management System Technical Standards and Guidelines
Role of IBM Enterprise Records within IBM Information Lifecycle Governance
1.1 What constitutes a record
A record is any type of content that states results achieved, pertains to, and provides evidence of activities performed. There are four essential characteristics of a record:
Authenticity
A record must be what it purports to be.
Reliability
A record must be a full and accurate representation of the transactions, activities, or facts to which it attests.
Integrity
A record must be complete and unaltered.
Usability
A record must be able to be located, retrieved, presented, and interpreted.
A record is generally retained for analysis, legal and corporate policy, or historical purposes and as a representation of what occurred. It can be in any type of format, including soft or hard copy.
As depicted in Figure 1-1 on page 3, a record can take the form of paper records, microfiche, electronic documents, email, fax, instant messaging, collaboration content, voice recording, wireless communication content, audio, video, shared drive content, Web content, or documents on cloud storage. Email messages are a common source of records as a history of discussions and decisions made, which is a primary reason for eDiscovery on email today.
Figure 1-1 Types of records
Records can be any business or personal transaction. Records are often made up of a group of related content, not always a single individual email message, file, or document.
Records can include trade instructions, trade confirmations, articles of incorporation, bylaws, or standard operating procedures. Records can be stored on any medium, such as diskettes, tape, optical disks, and shared drives. Records can be generated internally within a company or can be received from other sources.
Records are similar to other assets of a company. They are valuable and subject to industry regulations. Many countries around the world have legislation related to recordkeeping. Most are applicable to physical and electronic records, some specify the active and inactive retention period, and some have special compliance requirements for storage media. Some industries are more heavily regulated than others and some of those regulations are more complex. Conflicting regulations that produce contradictory records retention periods across the different jurisdictions or locations where an organization operates are a problem for that organization.
Historically, the simplest path to take was to pick the longest imposed retention period across all relevant content in the business, worldwide. However, this has the potential to lead to over-retention, unnecessary costs for storage and related costs, and far greater eDiscovery review costs. A modern information governance program that implements a modern records retention program is able to identify and deal with these differences and ensure that only the relevant records content is preserved for the minimal amount of time for each jurisdiction.
To illustrate, we review a partial list of legislation pertinent to the financial services industry in 1.5.1, “Addressing regulatory requirements” on page 10.
1.2 What records management involves
Records management is a formal and structured process of identifying recorded information, of preserving needed content, and of destroying what is no longer needed after the approved retention period has been reached.
In simple terms, managing records requires the following actions:
Categorizing records
Retaining records for a specified length of time
Destroying records when the company is no longer obliged to retain them
Retaining an audit trail of all activity
There are two key factors in records management:
Preservation. Make sure to keep only what you need to keep for as long as you need to keep it.
Destruction. Make sure that after the required retention period ends, records are destroyed.
 
Important: Because records might be required to comply with industry regulations or to protect a company from liability, the company controls the records, not the users or the creators of the records.
Records management is different from content management. Content management provides the ability to capture, store, and manage content. Records management works within this type of infrastructure to apply formal, rules-based management to the retention and disposition of that stored content.
Not all content is a record. Ideally, you are able to automate the identification of this subset and manage it formally under a records management program. All other content, as part of a modern information governance program, should also be under some form of simple retention control to avoid the historical habit of just keeping it all indefinitely. The preferred practice is to define and apply an automated general retention period across all relevant content and, under a records management program, automate the identification, declaration, and disposal of the subset that must be managed differently.
An effective records management solution manages the lifecycle of corporate records from creation to cremation. Each record has its own lifecycle. In its inception, contents are created or captured. The content is then organized, used, and disseminated. At some point, the contents of the records are declared as records. Records are preserved and retained. At the end of their lifecycles, records are disposed of as specified.
A record is only one type of content that falls into the domain of content management. At the inception of a record, an author creates a document. There can be many revisions to this document. When the document becomes an official record, it cannot be altered and is now subject to a retention rule. When it is time for disposition, an authorized person can archive or expunge the record. Typically, the disposition process is automated.
 
Note: Expunge is a records management term that implies irrevocably deleting the records so that even document forensics cannot recover any aspect of the records. Records are expunged when destroying is a records disposition option.
Records management is about retaining corporate records for the appropriate retention period to meet the business and regulatory requirements. The essence of records management is managing the risks and costs of retaining corporate records. Companies are required to demonstrate that they have records retention policies and procedures in place and that they enforce these policies and procedures consistently.
1.3 The business challenge: Information lifecycle governance
In earlier days when there were only physical records (predominantly paper records and microfiche), staff used to file hard copies of final versions of documents according to a company’s retention policies. Drafts were discarded. Index cards were used for cataloging the documents. When the retention period expired, records were disposed of. In some cases, records were kept permanently.
As technology has advanced with the invention of analog fax, printers, and wide use of computers, the volume of records has increased. Before electronic records had legal effects, companies still managed official records by keeping physical records in a somewhat controlled environment.
In today’s digital world, records can be in the form of paper records, microfiche, electronic documents, electronic mail, fax, instant messages, collaboration content, voice recordings, wireless communication content, audio, video, shared drive content, and Web content. Electronic documents are now valid and have legal effect. They can be subpoenaed by opposing counsel. All of these contents are subject to legal discovery and can be produced as evidence if there is litigation, or for purposes such as audits, US Freedom of Information Act (FOIA) requests, regulatory investigations, and so on.
In an extreme case where records are being kept indefinitely, they could be detrimental to the company if there is litigation, because the records are sometimes not to the company’s advantage.
Companies are facing information that grows exponentially and spans various media, such as email, shared drives, packaged products, or cloud storage. This puts pressure on existing company infrastructure, drives up costs, and lowers efficiency.
From the compliance perspective, companies are dealing with discovery risks related to meeting legal obligations to preserve and provide evidence in case there is litigation or an investigation. The cost of meeting the legal obligation is high, and not being able to meet the obligation can damage the company’s reputation and good will.
C-level executives who are dealing with explosive growth of information must decide what to retain and what can proceed to disposition. This leads to unnecessary IT costs, which take away from the strategic initiatives of the companies.
The number of documents and records that a business needs to manage has increased exponentially through the use of other communication media. Although most companies have a good process for managing physical records, they need to extend the records management program to cover records produced by the other media, such as electronic documents and email.
1.4 The importance of records management
In a corporate environment, documents are often created or captured in a decentralized environment with no surveillance. Documents are named and filed according to the individual’s preferences and often duplicated. Records are kept for too long, which can lead to increased storage cost. If the records become part of litigation, companies spend more to locate the records. In some cases, companies cannot locate the records, which can lead to a financial penalty or, more importantly, damage to the company’s reputation.
The key objectives of records management include risk mitigation and cost containment of recordkeeping. There are several benefits:
Operational efficiency. Making sure that corporate information is captured, retained, and disposed of properly (which is one of the keys to an efficient company).
Cost containment. Making sure that records are destroyed after their required retention period can reduce storage costs and space requirements.
Meet compliance and litigation requirements. Industries and government regulations often impose different retention requirements for records. Timely destruction of records in full compliance reduces the risk of exposure in case of litigation.
Safeguard records for audit or business continuity reasons. Records are vulnerable to natural disasters, accidents, theft, or mishandling. An efficient records management solution helps identify and protect against such threats, which is especially important for vital records that are essential to the continuation of the operation of a company.
Compliance with fiscal requirements. Effective management provides verification that any fiscal constraints on records keeping are met.
Keeping a history of records. An active, well-defined and documented records management system helps in defending why records were deleted and are no longer available.
Businesses need a holistic approach to records management throughout a record’s lifecycle, from capture, through retrieval and archiving, to disposition. Companies need to be prepared to prove the authenticity of the records, the trustworthiness of the processes, and the integrity of the records management systems. Strong accountability through records management verifies integrity and authenticity to prove compliance, especially during an audit.
1.5 Legal, regulations, compliance, and investigations
The legal, regulations, compliance, and investigations domain addresses general records retention legislation and regulations.
Figure 1-2 attempts to provide a glimpse of the global legal landscape pertaining to records retention. A company might be subject to jurisdiction in more than one country, depending on where the company is incorporated and files taxes, where the company is located, and whether the employees are within that country.
Figure 1-2 Regulations in different countries
 
 
Note: This section is about the conceptual issues and concerns and is not intended as a deep technical discussion of the domain. The focus of this chapter is on concepts and internationally accepted methods, processes, and procedures. This chapter avoids in-depth descriptions of country or region-specific laws, legislation, and regulations. Although some regional examples are presented to clarify certain points, these are limited to the emphasis of principles common across most jurisdictions, if not all of them.
In this section, we provide certain major records retention legal regulations that pertain to financial institutions in the United States (US) and laws that relate to information systems. The intention is not to turn readers into international law experts but to introduce the context and backdrop for the remainder of the chapter. We also examine the need for awareness of legislative and regulatory compliance. This includes general information system legislative and regulatory principles. We then move to investigations.
Regulatory bodies and the government impose different retention periods on different record series.
 
Note: A record series is a group of related records grouped as a unit and evaluated as a unit for retention and disposition purposes.
Compliance specifies how and what documents a company needs to preserve to comply with laws and regulations. One of the objectives of an effective records management program is to preserve records for the appropriate length of time. Companies that destroy records before their legal retention period expires can be subject to adverse consequences if there is litigation. Alternatively, exceeding the required retention period can put the company at a disadvantage in litigation, and it also leads to higher storage and discovery costs.
Whenever there is a court or regulation authority order, companies must go through a legal discovery process. Often, this requires the companies to search all documents to determine whether they are records or not and identify those that match the discovery order. Any document in any medium that has information relevant to the subject matter of a dispute is potentially discoverable and must be preserved for as long as the lawsuit is anticipated, pending or in process. These records and documents need to be placed on record hold so that the normal retention schedule and disposition is no longer applicable during the process.
 
Note: IBM Enterprise Records has record hold capabilities. You can apply record holds only to content that is declared and managed as records. In general, this is guided by eDiscovery for litigation.
A record hold is different from a legal hold, which is an action taken on record collections to ensure that they are not disposed of as part of their normal retention schedule lifespan and are kept, possibly beyond their scheduled date of destruction. Records under legal hold are protected from any possible destruction until the hold is lifted. A legal hold is usually guided by litigation discovery needs.
Legal holds are commonly scoped and apply across all relevant content in the business. The fact that you defined some of it as “records” is immaterial.
During discovery, in some cases documents are produced out of context, are damaged, or are presented to the court and can damage the company’s case.
Companies might not be able to claim undue burden as a reason for not being able to produce relevant records in response to discovery orders. The inability of a company to comply with a regulation or legal action can result in financial loss or damage to the company’s reputation.
1.5.1 Addressing regulatory requirements
Companies need to have a good understanding of applicable regulations, identifying records, and identifying the corresponding retention requirements for the records. Complexity of managing records is increased by evolving compliance rules and regulations, as illustrated in Figure 1-3 on page 11.
Figure 1-3 Example of regulations pertaining to retention in the US
Compliance is the act of adhering to and demonstrating adherence to internal or external regulations. A regulation is a compromise between prohibition and no control at all. For example, the sale and consumption of prescription drugs are controlled by regulations, as are other areas, such as transactions in the financial sector.
Compliance with any regulation or law requires the following actions:
Interpreting what the regulation and law says
Verifying where your company currently stands
Documenting a plan for achieving compliance
Executing the plan
Devising measures and controls to prove that your company has implemented the plan
Addressing regulatory requirements is not a straightforward exercise because of the complexity of the regulations.
Examples of US regulations related to financial transactions
This section lists selected regulations that pertain to the global financial institution in our case study. They provide an example of how different regulations have different requirements across the different legal entities. Chapter 3, “Retention and file plans” on page 65, describes the case study and demonstrates how the legal requirements are analyzed and apply to the retention schedule.
Securities traders
The selected US regulations that follow pertain to records of trading securities:
Securities Exchange Act (SEA) 1934
SEC Act of 1934 for broker-dealers and transfer agents section 17a requires securities brokers, dealers, investment companies, financial advisers, and transfer agents to keep records of electronic interoffice communications and communications with customers.
Sec. 240.17a-1 Recordkeeping rule for national securities exchanges, national securities associations, registered clearing agencies, and the Municipal Securities Rulemaking Board.
Sec. 240.17a-2 Recordkeeping requirements relating to stabilizing activities.
Sec. 240.17a-3 Records to be made by certain exchange members, brokers, and dealers.
 
Note: 17a-3 requires that all members of a national securities exchange, including all brokers and dealers, keep current a variety of books and records that relate to their businesses.
Sec. 240.17a-4 Records to be preserved by certain exchange members, brokers, and dealers.
 
Note: 17a-4 requires that some records that must be retained by brokers and dealers must be preserved for at least six years, the first two years in an easily accessible place, while other records must be retained for at least three years, the first two years in an easily accessible place.
 
Note: 17a-4 requires broker-dealers to maintain records electronically by using a digital storage medium that preserves the records exclusively in a nonrewriteable, non-erasable format.
Sec. 240.17f-1 Requirements for reporting and inquiry with respect to missing, lost, counterfeit, or stolen securities.
Sec. 240.17f-2 Fingerprinting of securities industry personnel.
Sec. 240.17h-1T Risk assessment recordkeeping requirements for persons associated with brokers and dealers.
Sec. 240.17Ad-6 Recordkeeping.
Sec. 240.17Ad-7 Record retention.
Sec. 240.17Ad-11 Reports regarding aged record differences, buy-ins and failure to post certificate detail to master security holder and subsidiary files.
Sec. 240.17Ad-15 Signature guarantees.
Investment Company Act (IC) 1940
Sec. 270.31a-1 Records to be maintained by registered investment companies, certain majority-owned subsidiaries thereof, and other persons having transactions with registered investment companies.
Sec. 270.31a-2 Records to be preserved by registered investment companies, certain majority-owned subsidiaries thereof, and other persons having transactions with registered investment companies.
Sec. 270.31a-3 Records prepared or maintained by other than the person required to maintain and preserve them.
Sec. 270.38a-1 Compliance procedures and practices of certain investment companies.
Investment Advisers Act 1940
The Investment Advisers Act rule 204-2 establishes recordkeeping requirements for books and records to be maintained by investment advisers.
Sec. 275.204-2 Books and records to be maintained by investment advisers.
CEA (Commodity Exchange Act) and CFTC
Sec. 1.31 Books and records, keeping and inspection
Sec. 1.32 Segregated account, daily computation and record
Sec. 1.33 Monthly and confirmation statements
Sec. 1.34 Monthly record, point balance
Sec. 1.35 Records of cash commodity, futures, and option transactions
Sec. 1.36 Record of securities and property received from customers and option customers
Sec. 1.37 Customer’s or option customer’s name, address, and occupation recorded; record of guarantor or controller of account
Sec. 1.39 Simultaneous buying and selling orders of different principals; execution of, for, and between principals
Sec. 42.2 Compliance with Bank Secrecy Act
Banks
The selections that follow pertain to banking:
Federal Deposit Insurance Corp (FDIC)
Sec. 9.8 Recordkeeping
Sec. 27.3 Recordkeeping requirements
Sec. 27.5 Record retention period
Office of Thrift Supervision (OTS)
Sec. 551.50 What records must be maintained for securities transactions
Sec. 551.60 How records must be maintained
Self-regulatory organizations
The selections that follow pertain to self-regulatory organizations (SROs):
National Association of Securities Dealers (NASD)
 
Note: NASD rules 2711, 3010 and 3110 require that member firms establish and maintain a system to supervise the activities of each registered representative, including transactions and correspondence with the public.
Rule 2210 Communications with the Public
Rule 3010 Supervision
Rule 3011 Anti-Money Laundering Compliance Program
Rule 3060 Influencing or Rewarding Employees of Others
Rule 3110 Books and Records
Rule IM-3110 Customer Account Information
Rule 3115 Requirements for Alternative Trading Systems to Record and Transmit Order and Execution Information for Security Futures
New York Stock Exchange (NYSE)
The NYSE rule 440 requires brokers and dealers to make and preserve books and records as prescribed by the NYSE.
Related regulations
The following list includes some of the other regulations:
Bank Secrecy Act (Anti-money laundering statutes and rules)
The Bank Secrecy Act requires businesses to keep records and file reports that are determined to have a high degree of usefulness in criminal, tax, and regulatory matters. Agencies use these documents to identify, detect, and deter money laundering whether it is in furtherance of a criminal enterprise, terrorism, tax evasion, or other unlawful activity. Businesses must report cash payments of over $10,000 received in trade or business from one buyer as a result of a single transaction or as a result of two or more related transactions.
Statutes
State or local laws also govern the requirement of recordkeeping. Each state has its own jurisdiction, depending upon the state where you are located.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act requires firms that audit companies governed by the SEC to retain all relevant documentation to protect against mishandling of information.
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is a US federal law enacted to control the ways that financial institutions deal with the private information of individuals.
The Office of Foreign Assets Control
The Office of Foreign Assets Control (OFAC) of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries, terrorists, international narcotics traffickers, and those engaged in activities related to the proliferation of weapons of mass destruction.
1.5.2 Investigations
The requirements for the admissibility of evidence vary across legal systems and among different cases. At a generic level, evidence should have some probative value, be relevant to the case at hand, and meet the following criteria:
Authentic
Accurate
Complete
Convincing
Admissible
Two concepts are particularly important when dealing with digital or electronic evidence: chain of custody and authenticity or integrity.
The chain of custody refers to who, what, when, where, and how the evidence was handled from its identification through its entire lifecycle, which ends with destruction. Any break in this chain can cast doubt on the integrity of the evidence.
Ensuring the authenticity and integrity of evidence is crucial. If the courts feel that the evidence is not accurate or lacks integrity, it is doubtful that the evidence or any information derived from the evidence will be admissible.
 
Note: For example, paragraph (f)(2)(ii)(A) of SEC Rule 17a-4 requires that the electronic storage media used by broker-dealers preserve the records exclusively in a non-rewritable and non-erasable format.
1.6 Planning an information lifecycle governance program
Companies require a holistic information lifecycle governance (ILG) program to meet today’s compliance and business needs. An impeccable plan illustrates the deep linkages between business and technology. As Figure 1-6 on page 19 shows, a well-informed ILG program considers the linkages between strategic business objectives, capabilities required to achieve those objectives, gaps in capability areas, initiatives required to close those gaps, and the prioritization of such initiatives.
As summarized in Figure 1-4 on page 17, business and IT stakeholders have different interests and motivations.
Figure 1-4 ILG needs and benefits from different stakeholders’ perspectives
The business executives want to use information for better and more informed decision making. They would like to get mobile and localized access to information and would like to avoid unnecessary IT or legal costs.
Legal personnel want to meet their obligations to preserve, produce, and protect information. Their goal is to minimize the costs of meeting those legal obligations for information.
Records managers want to define and meet regulatory and policy requirements to keep records and to respond rapidly to regulator inquiries.
Information technology personnel want to minimize administrative costs and be able to channel investments and resources to strategic growth areas of the company. They want to achieve economies of scale to drive the costs down when volume rises.
Figure 1-5 summarizes the planning phases.
Figure 1-5 Planning an ILG program
1.6.1 Obtaining corporate sponsorship and stakeholder buy-in
A successful records management program requires corporate governance from the top down and enforcement throughout the company. Executive sponsorship is a key to the success of an enterprise-wide deployment. Other stakeholders include, but are not limited to, Records Managers, the Office of General Counsel, compliance officers, and a cross-functional team that includes representatives from all business areas.
 
Note: The Office of General Counsel provides legal and policy advice within the company.
A records management program usually requires significant funding. Failure to fund it can be even more costly in case of litigation. It is important to get an executive sponsor and to engage a cross-functional team for enterprise-wide participation.
1.7 Records management maturity model
During the assessment and evaluation phase, the company’s current situation is reviewed. Assess the company’s assets, including the company’s retention policies and procedures and retention schedules. Records retention procedures should reflect the company’s records retention policies. The outcome of the exercise is to identify requirements and gaps and to establish priorities.
1.7.1 Using an objective records management maturity model
One way to assess the health of a company’s current records retention and management practices is to use an objective records management maturity model, from nonexistent through optimized stages, as shown in Figure 1-6.
Figure 1-6 Maturity model
This model enables companies to establish baselines for business records retention and management practices by using an objective matrix:
Level 0. Non-existent
There are no common practices and general awareness of records management within the company is lacking.
Companies at maturity Level 0 are likely to exhibit the following behaviors:
 – No common practice on records retention
 – No general awareness of records retention program
 – Costly and manual legal discovery
 – No formal archiving
 – No information classification
 – Inability to produce records when required
There is no system in place. Electronic discovery for companies at this level is typically an outsourced process.
Level 1. Initial
Companies that have achieved Level 1 of this model have a general awareness that a problem exists. Currently, they have no common practices of records management policies and procedures in place.
Companies at maturity Level 1 might exhibit the following behaviors:
 – Formal records program for physical records and, possibly, archiving
 – Departmental policies exist but little or no awareness of them
 – Some control over paper records
 – User-controlled email and documents
 – Information that originated in digital form being printed multiple times
 – Some images (paper, fax, and reports) being captured
At this level, retention is managed from spreadsheets. Companies also use a records management tool for paper tracking. There is no electronic records system (ERS) in place. The company might have an email archive. There are definitely no electronic discovery tools. Storage is not integrated. Electronic discovery for companies at this level is a costly, manual, outsourced process.
Level 2. Repeatable but intuitive
Companies that have achieved Level 2 have limited practices and processes.
Companies at maturity Level 2 might exhibit the following behaviors:
 – Primitive records retention process that is repeatable
 – Some awareness of enterprise needs on records retention
 – Limited practices or records management tools
Level 3. Defined process
Companies that have achieved Level 3 of this maturity model have defined records retention policies and procedures.
Companies at Level 3 might exhibit the following behaviors:
 – Formal records program for archiving physical and electronic records
 – Electronic discovery is still a costly, manual process
 – Initial awareness of enterprise policies
 – Some procedures for handling electronic records
 – Manual declaration and classification by business users
 – Electronic discovery partly supported by IT
 – Key repositories for federation identified
Level 3 companies have an ERS system in place. They manage email and desktop files as records from the ERS. There are electronic discovery and collection tools and image capture is in place also. Classification is still manual. Storage and ERS are partially integrated.
Level 4. Managed and measurable
Companies that have achieved Level 4 have mature practices. There are defined measurements of performance of the program.
Companies at maturity Level 4 might exhibit the following behaviors:
 – Measurable records program
 – Enterprise policies enforced and general awareness of the policies
 – Increased control over electronic records
 – Electronic discovery increasingly supported by IT
 – Expanded paper conversion to reduce risk and cost
Companies achieving this level of the maturity model have an ERS system to include federation. They have also integrated physical and electronic records systems. Images are managed as records from the ERS. Electronic discovery analysis tools are in place. Storage and ERS are interoperable.
Level 5. Optimized
Companies that have achieved Level 5 have a holistic view of an enterprise content management solution and a focus on continuous improvement.
Companies at maturity Level 5 are likely to exhibit the following behaviors:
 – Records program embedded in key processes and the IT infrastructure
 – Enterprise policies complete and enforced
 – Integrated records management and electronic discovery processes
 – Enterprise paper conversion programs in place
 – Enterprise federation strategy in place
Companies that achieve this level of maturity have an ERS system that is expanded for line-of-business (LOB) systems. Enterprise federated records span multiple ECM systems. Classifications are automated and are invisible to users. Storage and ERS are tightly integrated for long-term storage.
1.8 Organizational readiness
Figure 1-7 is a sample visual representation of the output of an assessment that measures the readiness of an ILG program within a company.
Figure 1-7 ILG assessment
The guidelines for this assessment include completing the following tasks:
1. Identify key measurement areas in the ILG program.
2. Identify departments that receive records management services. Conduct interviews with selected departments.
3. Review the results from the interviews and address specific issues or concerns raised by the departments.
4. Analyze the results of the survey and determine the departmental satisfaction rating for each key measurement area.
5. Compare the departmental satisfaction rating with the target. Determine the course of action needed for improvement, and track those actions.
This type of visual representation, called a radar graph (also called a star or spider graph), can serve as a guideline for assessing every aspect of records management lifecycle maturity and other areas to be measured. This assessment provides a relative strength of the area against the objective maturity model as shown in the previous section. It identifies the gap and brings attention to the area that requires improvement to achieve the desired result.
The next step is to identify the gaps and to determine the business and technology requirements.
Each competency can be further broken down into ILG processes. For example, the following are sample processes related to legal requirements:
Identifying employees
Determining which employees have information potentially relevant to an actual or anticipated lawsuit or government investigation.
Identifying data
Determining information, records, and data sources that are potentially relevant to an actual or anticipated lawsuit or government investigation.
Notification of the hold
Communicating, syndicating, and executing legal holds to people, systems, and data sources for compliance.
Evidence collection
Fact-finding and inquiry with employees who have knowledge of a matter in dispute to determine potentially relevant information, the sources, and their locations. Collecting potential evidence in response to a request agreed to with an adversary or government agency.
Evidence analysis and cost controls
Assessing information to understand the dispute and potential information sources and for determining, controlling, and communicating the costs of outside review of relevant information.
Legal record
Documenting the custodians and data sources identified and the legal hold and collection activities over the multiyear lifecycle of the material.
This example pertains to records management:
Master retention schedule and taxonomy
Defining an information classification schema that reflects the organization structure; cataloging, updating, and mapping the laws that apply to each class in the countries where the organization operates to determine regulatory record-keeping obligations; establishing and managing a network of records liaisons to help establish what records exist and where.
The following examples pertain to the business:
Departmental information practices
Using an enterprise information taxonomy, cataloging which information each business organization values, generates, or stores by class, where they store it, and how long it is useful to them results in retention schedules for information and enables data source-specific retention schedules that reflect both business value and regulatory requirements.
Realize information value
Gaining timely access to and ability to apply information in the course of their work, including the ability to harness information of quality as it ages and the ability to use relevant information with or without author context to maximize the enterprise value of information.
The following examples pertain to privacy:
Secure information of value
Determining a schema for the various levels of information importance and the corresponding security needed; using an enterprise information taxonomy and network of liaisons across the business, cataloging which information each business organization generates or stores and assigning the appropriate security level; communicating these security needs to employees who generate, use, manage, and store information.
Privacy and data protection
Assessing privacy duties by data subject and data location, including overlapping obligations for information and information elements and a means of communicating these requirements to those employees who generate, use, access, and store information.
The following are examples that pertain to information technology:
Data source catalog and stewardship
Establishing a common definition and object model for information and the people and systems with custody of it for use in determining, defining, communicating, understanding, and executing governance procedures
System provisioning
Provisioning new servers and applications, including associated storage, with capabilities for systematically placing holds, enforcing retention schedules, disposing, collecting evidence, and protecting data elements subject to privacy rights
Active data management
Differentiating high value actively used data by the business from aging data of value to regulators only or less frequently accessed data; results in increased accessibility, security, privacy; aligns and enables data value with storage tiering by value
Disposal and decommissioning
Disposing of data and fully decommissioning applications at the end of their business utility and after legal duties have elapsed
Legacy data management
Processes, technology, and methods by which data is disposed of and applications are fully decommissioned at the end of their utility and after legal duties have elapsed
Storage alignment
The process of determining and aligning storage capacity and allocation with information business value and retention requirements, including optimizing use targets, storage reclamation, and reallocation after data is deleted to link storage cost to business need for data stored
Audit
Testing to assess the effectiveness of other processes, which, in this instance, refers to the processes for determining, communicating, and executing processes and procedures for managing information based on its value and legal duties and disposing of unnecessary data
1.9 Records management system technical standards and guidelines
A records management application is a software tool to help solve a business need that often involves process changes. Standards for records management are emerging and evolving in many countries around the world.
Records management standards are the guidelines to manage records as defined by government agencies in various countries. In this section, we present several of the major standards.
 
Note: A records management standard is defined by a particular authority or government for its own requirements. It might be applicable for other organizations. Therefore, an organization must assess its requirements before adopting any standard.
 
Note: Guidelines are recommendations or non-mandatory controls that help to support standards or serve as references when no applicable standards are in place.
These product standards provide a baseline for the technical requirements. What follows are examples of some of the records management standards around the world:
ISO 15489 information and documentation: Records management
The ISO 15489 standard is recognized worldwide as establishing the baseline for excellence in records management programs and implementing records management software applications. It is a process standard that provides a blueprint for the establishment, structure, monitoring, and auditing of a best practice records management program and software applications. It enables an organization to efficiently and effectively record and retrieve information, which enhances decision-making, productivity, and accountability and reduces the risk of exposing information.
This standard does not focus on records management technology solutions, but it encompasses all aspects of a records management program and software applications. There is, therefore, no software certification program for ISO 15489. If an organization implements an Electronic Records Management System (ERMS), this implementation is considered an enabler for ISO 15489.²
US Department of Defense (DoD) 5015.2
The United States Department of Defense (DoD) Design Criteria Standard for Electronic Records Management Software Applications, better known as DoD 5015.2, debuted in 1997. Since then, it has become a common standard for US government agencies, including the National Archives and Records Administration (NARA). It provides a formal certification program that private sector businesses routinely use as a way to evaluate or short-list records management software for potential purchases.
IBM Enterprise Records has been DoD certified since inception. DoD 5015.2 is also the starting point for base use cases for the retired UK National Archive (TNA) and the new European MoReq2010 standards.
For example, one of the mandatory requirements is C2.2.4.1: Records management applications (RMAs) shall treat email messages as any other records, and these shall be subjected to all requirements of this standard.
These standards are evolving. For example, C2.2.4.5 of version 3 of DoD 5015.2 mandates that RMAs shall not require users to save attachments to their hard disk drives or other media before filing them separately from the email message. This is new to version 2.
In June 2002, classified requirements were added to the specification with additional requirements for records management applications, supporting classified records (for instance, confidential, secret, and top secret), expanded audit requirements, more user-defined metadata fields, and guidance about email record support.
A third revision of the specification came out in 2007. Version 3 added these provisions:
 – Requirements for interoperability between records management systems, export and import capabilities, and accession to NARA
 – Privacy Act and Freedom of Information Act (FOIA) considerations (optional requirements)
 
Note: Accession means to transfer and archive records from one records management system to another records-holding authority. It is one type of record disposition option.
Model Requirements for Managing Electronic Records (MoReq 2010)
The MoReq specification is a model specification of requirements for ERMS to be used in Europe. For example, 5.1.1 of the specification stipulates that the ERMS must provide a function that specifies retention schedules, automates reporting and destruction actions, and provides integrated facilities for exporting records and metadata.
MoReq 2010 is the next generation of the MoReq standard. MoReq 2010 was formally published in June 2011. The former version, MoReq2, was published in March 2008. MoReq2 provides testing schemes, a feature that was not available in the original MoReq. It has also taken input from newer records management standards and best practices and provides a software certification testing program for vendors. It is a European standard, but different countries can have local variations. MoReq 2010 was written to encourage different models of records management systems to emerge.
Document Management and Electronic Archiving (DOMEA)
DOMEA is a German standard for document management and electronic archiving in public administration. For example, requirement group (RG) 5 stipulates requirements about mobile records management. In addition to records management through web clients, mobile records management represents an alternative for many authorities to ensure the fulfillment of daily tasks, regardless of the employees’ presence in the office.
Victorian Electronic Records Standard (VERS)
VERS is an Australian standard developed by Public Record Office Victoria (PROV) to provide guidelines on capturing, managing and preserving electronic records in the state of Victoria.³ For example, it defines that an electronic records format must be able to support evidence. Electronic records must be admissible as evidence and given due weight in a court of law. This requires the ability to prove that a record has not been altered in an unauthorized or undocumented fashion since creation and to demonstrate who created the record and when it was created.
Although the other standards mentioned here really focus on requirements for a records management solution, VERS concentrates on defining a standard for the long-term preservation of electronic records. The intention is to ensure that an electronic record created today using current technology can fulfill these objectives:
 – Be viewable in 10, 20, 50, or 100 years. The problem exists today. It is getting increasingly difficult to try to view a document that was created by a word processor 15 years ago, because current vendors drop support for these older formats.
 – Have context, so that it is understood exactly where the record came from, who the author was, and what it is related to.
1.10 Role of IBM Enterprise Records within the IBM Information Lifecycle Governance portfolio
The IBM Information Lifecycle Governance (ILG) portfolio includes capabilities that legal, IT, records, and business users can use to help manage legal risk and to reduce data management and discovery costs. To achieve this, the ILG portfolio provides solutions for electronic discovery (eDiscovery), archiving, disposal, policy management, and records retention and management. The portfolio helps organizations manage enterprise information based on its business value, comply more efficiently with litigation and regulatory duties, and dispose of information when it is no longer required. Figure 1-8 on page 29 provides a high-level overview of the ILG portfolio.
Figure 1-8 IBM Information Lifecycle Governance portfolio
In terms of the broader ILG portfolio, IBM Enterprise Records is incorporated in the Records Retention and Management element of the portfolio. Records Retention and Management helps you define and describe the records retention policies for your organization. Those policies can then be applied to content managed in an IBM repository by using IBM Enterprise Records.
IBM Enterprise Records is an electronic records management application to help manage ongoing governance for records, from creation to disposition, to ensure that records remain trusted, accurate, and compliant through the application of defensible and relevant records retention policies. Enterprise Records combines content, process, content federation technology, and connectivity to automate and simplify all record-based activities.
1.10.1 Policy management relationship to IBM Enterprise Records
In today’s business environment, many organizations face several records retention and management challenges as a result of their standard operations:
 – Overlapping or conflicting retention schedules that specify the duration that information must be retained
 – Requirements to apply multiple schedules to information that is specific to the origins of the information, for example, retention policies specific to Europe, Singapore, and New Zealand
 – Difficulties as a result of the size and structure of the organization, such as multiple departments that need to add the same record type, which is separately securable or needs to be reviewed by different business areas
 – Requirements to apply policies to physical and electronic data and to manage items existing in both formats, individually or in unison
As an initial step, many organizations begin recording the various regulatory obligations for their enterprises in tools such as spreadsheets, which often show no relationship or bear little resemblance to the application that they use for records management. To assist with overcoming these complexities, IBM Global Retention Policy and Schedule Management policy and the Retention Management module offer several capabilities:
 – Define and capture accurate, dynamic schedules that are value-based and support the distinct needs of different business units and countries
 – Host a full, shared law library to create a centralized repository to support legal requirements
 – Establish information lifecycles and enable auditable programs for both physical and electronic data
 – Synchronize and maintain centralized retention control to deliver a consistent corporate retention framework with local responsibilities
After the organization’s regulatory obligations are defined and captured in Global Retention Policy and Schedule Management, they are available to be syndicated to the organization’s unstructured and structured data management applications, such as IBM Enterprise Records for unstructured data management or IBM Optim™ for structured data management. The syndication of data from Global Retention Policy and Schedule Management provides Enterprise Records with the structure for managing the organization’s records, including the file plan, the retention schedules, the disposal schedules and disposal actions, and the record information owners.
Figure 1-9 on page 31 provides a conceptual overview of Global Retention Policy and Schedule Management. It illustrates how the software creates policies based on the organization, what information is stored, where, why, and when to preserve and retain information. It is the unification of this information that can be disseminated to other systems by using Global Retention Policy and Schedule Management policy syndication.
Figure 1-9 Overview of Global Retention Policy and Schedule Management Policy Management
It is also possible to manually enter or import this information into Enterprise Records even if you do not have Global Retention Policy and Schedule Management. Many IBM clients also use custom scripts to import the file plan and retention rules.
1.10.2 Syndicating global retention and schedule management policies to Enterprise Records
Where an organization has used Global Retention Policy and Schedule Management to define the organization’s corporate and classification structures, there is a mechanism to syndicate the details to Enterprise Records.
Figure 1-10 on page 32 describes, at a high level, the information from Global Retention Policy and Schedule Management being syndicated to Enterprise Records to create the structure of the file plan.
Figure 1-10 The relationship between Global Retention Policy and Schedule Management Policy Management and IBM Enterprise Records
The left side of the diagram shows IBM Global Retention Policy and Schedule Management, which is used to create the Records Retention and Management policy for the organization, based on organization structure, the corporate taxonomy, and library of retention, privacy, and discovery laws with appropriate roles and change management processes for field-level authorization. Using configuration settings, items identified for use in Enterprise Records can be flagged for syndication.
The right side of the diagram shows IBM Enterprise Records, which has the file plan and disposal authorities. These elements are populated directly from Global Retention Policy and Schedule Management by using the IBM Atlas eDiscovery Policy Syndication Framework.
 
Important: When Global Retention Policy and Schedule Management is used to create or define the structure in IBM Enterprise Records, the intent is for Global Retention Policy and Schedule Management to continue to be used as the Records Retention and Management policy tool for the organization. All changes or modifications to the schedules and policies should be enacted in Global Retention Policy and Schedule Management, which is then syndicated as an update to IBM Enterprise Records.

1 Information taken from the Internal Revenue Service website:
2 ISO official website: http://www.iso.org/iso/home.htm
3 According to the Public Record Office of Victoria, Australia http://www.prov.vic.gov.au/vers/standard/