Some Background
• About CSC:
  • Founded as Computer Sciences Corporation in 1959
  • Over the last 53 years, has evolved into a global leader in technology-enabled business services and solutions
  • 98,000 employees located in more than 70 countries
  • $16B+ in revenues
• About me:
  • More than 25 years’ experience working in large, multinational companies
  • Kraft Foods (1986 – 1996)
  • Ford Motor Company (1996 – 2009)
  • CSC since July 2009
A Word About Terminology
• Typical RIM terms:
  • Documents
  • Record
  • Non-records
  • Declaring records
• My philosophy:
  • Typical documents/records distinctions increasingly irrelevant in a world of ESI
  • Use a broad definition of “Record” and employ terms that are more intuitive to the end user
  • A “Record” is recorded information that supports the activity of the business or organization that created it
  • Records can be temporary, a work in progress, or final/approved
  • Records can also be convenience copies of final/approved records
Why a RIM Compliance Framework?
• Typical Enterprise Content Management solutions:
  • Focus on unstructured records
  • Tend to address “declared records”
  • Can’t handle every format or interface
  • Are costly and time-consuming to implement
• A RIM Compliance framework:
  • Addresses structured as well as unstructured records
  • Can be established without major funding investment
  • Enables a tiered, prioritized approach to compliance
  • May eventually be replaced with a centralized approach using a “champion technology”
RIM Compliance Framework Approach
• Life cycle controls for all information, regardless of whether the records are temporary, work-in-progress, or final/approved
• Consistent categorization through a Records Retention Schedule
• Immutability of form and format that affects authenticity, reliability, integrity, and usability
• Once finalized, records must not be modified
• Impact of storage media and management on life cycle controls
• Support of information security and data privacy requirements to ensure authorized access and use of information
• Consistent, systematic destruction processes — including the ability to suspend destruction — in order to meet legal, regulatory and operational requirements
RIM Compliance Model: Core RIM Functionality Based on Industry Standards
RIM Compliance Model: Core RIM Functionality Based on Industry Standards (Cont’d)
System Type — Definitions
• Structured Data Management Systems
  • New applications/systems that will be purchased or developed for which RIM compliance standards can be introduced early in requirements definition process
  • Legacy applications/systems that must be modified and/or enhanced to introduce RIM compliance standards
• Unstructured and Semi-Structured Data Management Systems
  • File shares or local directories containing files with basic operating system (OS) functionality (e.g., Windows Active Directory)
  • Content management systems or applications that track and manage unstructured content (e.g., SharePoint, Open Text, FileNet, Documentum). Note: Content management systems may have available records management functionality through additional modules or add-on capabilities
• Hybrid Systems containing a mix of structured and unstructured data
  • Content containing applications/systems — includes both line of business (LOB) applications, e.g., legal matter management, as well as collaborative workspaces, e.g., internal social networking
System Type — RIM Compliance Options Bronze Silver Gold
Record/Information States Compliance Framework
• Legal Holds
• Information States and Business Rules (Retention and Disposition):
  • Temporary: Example: 90 days, then additional action is performed
  • Work in Progress: Example: 3 years, then additional action is performed
  • Final/Approved: Records Retention Schedule (calculated from metadata), then additional action is performed
• Associate Business Rules with both the Information State metadata tag and the Record Class Code
RIM Compliance Framework Methodology
• Assign System Type (I-A, I-B, II-A, II-B, III-A)
• Complete RIM assessment
  • Define what records are managed in system
  • Determine what Information States apply
  • Identify ability of application/system to define and capture records
  • Assess any existing records management capabilities within the application/system
• Define risk/RIM compliance profile
  • Magnitude of complexity (low/medium/high)
  • Magnitude of operational or legal/regulatory risk (low/medium/high)
• Develop RIM compliance plan
  • Target compliance level (Bronze, Silver, or Gold)
  • Requirements vs. recommendations
  • Collaborative effort between application/system owner and RIM team
RIM Compliance Controls and Auditing
To sustain the RIM Compliance Framework:
• RIM Policy, Records Retention Schedule, and procedures must be reviewed and updated periodically
• RIM compliance controls and auditing must be established for specific manual and automated process activities described in framework
• RIM compliance controls and auditing should become part of overall design specification for tools that will be managing records at level of risk or compliance defined for each specific application/system
How RIM Compliance Framework Can Be Used
• Conduct RIM compliance reviews as part of application development process
• Establish RIM technology roadmap priorities and approach
• Proactively address certain applications/systems, based on:
  • Value of the content
  • Enterprise reach of the systems
  • Ability to implement records management functionality
  • Risk to the organization if the content remains unmanaged
• Examples of priorities:
  • Enterprise applications with high-value content
  • Content management systems with records management capabilities
  • Email system
Elements Captured in RIM Compliance Analysis System Information
Elements Captured in RIM Compliance Analysis Categorization and Data Flow
Elements Captured in RIM Compliance Analysis Bronze Compliance Analysis
GBS Global Knowledge Management Application Silver Compliance Analysis
Elements Captured in RIM Compliance Analysis Gold Compliance Analysis
Challenges with Structured Records
• Requires identifying records based on a combination of data elements, usually across multiple tables
• Do not support traditional library or version control capabilities
• Depending on the complexity of the system, multiple tables may feed into different record requirements
• Locking down or deleting data elements for one record may have unintended consequences for another record
• Data often flows to or from other applications, adding to the complexity
• While structured data lends itself to management through programming, programming all RIM functionality quickly becomes expensive
• Structure of Software as a Service (SaaS) applications cannot be modified
Checklist for Structured Records
• Request concept of operations overview, including process/data flow diagram
• System overview
  • Is the system currently in production? If not, when is it scheduled to go into production?
  • How is the system used?
  • What content does it contain, and in what format?
  • [If applicable:] Can the database schema be made available?
  • Does the system integrate with other systems? If so, how, and which systems?
  • Does this system utilize cloud-based storage? [If yes, see additional questions relating to cloud-based storage]
Checklist for Structured Records (Cont’d)
• Information States
  • Do you consider this system to be the System of Record for the content it contains?
  • Does the system contain content that has long-term value, or is it temporary in nature?
  • Does the system reflect a process that is a work in progress, or does it contain final/approved content — or both?
• Use/Access Controls
  • Who has access to the system?
  • [If applicable:] Can the end user change the content from temporary to work in progress or final/approved?
  • [If applicable:] Can content be locked down once it becomes final/approved?
  • Does the system track who has made changes?
  • Do users have permission to delete content?
Checklist for Structured Records (Cont’d)
• Retention/Legal Holds
  • Is there a time-effective or cost-effective way to associate content with a record series?
  • Does the system have date fields that can be used to help calculate retention (capture date and/or event date)?
  • Does the system have a way to prevent the deletion of content that is marked as a record or marked as having a legal hold assigned to it?
  • Can the system be programmed to delete content based on retention rules? If so, can a legal hold override the deletion?
  • Does the system have audit capabilities that can track activities related to each content object?
Checklist for Structured Records (Cont’d)
• Cloud-Based Storage
  • Does the system have either an age or storage capacity limitation that could cause information to be removed automatically?
  • What are the host’s contractual obligations related to providing the data back to CSC in the event of a termination — either voluntary or involuntary?
  • In what format can the information be made available to assure that it can be read without the host system software?
  • If we request deletion, is data overwritten so it is no longer retrievable?
Conclusion
• Framework takes into account the entire spectrum of content subject to RIM compliance
• Unlikely that “one size fits all” approach will ever be able to apply to all five system types
• Provides a “bridge” for RIM compliance while more holistic, automated approaches are investigated
• Scalable to systems of all sizes and complexity
• Permits progress before investing in champion technology
• Downsides:
  • Less efficient and more costly in the long run
  • Requires manual tracking of all systems where it has been implemented, for updating any Records Retention Schedule changes
• Advantages:
  • Implementable immediately
  • Less costly in the short run
  • Does not require system integration
Elizabeth W. Adkins
Certified Records Manager, Certified Archivist
Director, Global Information Management
703.641.2410
eadkins3@csc.com