Why a RIM Compliance Framework?

© Computer Sciences Corporation 2012. All rights reserved.
RIM Compliance Framework
April 2012 1
Some Background
• About CSC:
– Founded as Computer Sciences Corporation in 1959
– Over the last 53 years, has evolved into a global leader in technology-enabled
business services and solutions
– 98,000 employees located in more than 70 countries
– $16B+ in revenues
• About me:
– More than 25 years’ experience working in large, multinational companies
• Kraft Foods (1986 – 1996)
• Ford Motor Company (1996 – 2009)
• CSC since July 2009
A Word About Terminology
• Typical RIM terms:
– Documents
– Record
– Non-records
– Declaring records
• My philosophy:
– Typical documents/records distinctions increasingly irrelevant in a world of ESI
– Use a broad definition of “Record” and employ terms that are more intuitive to
the end user
• A “Record” is recorded information that supports the activity of the business or
organization that created it
• Records can be temporary, a work in progress, or final/approved
• Records can also be convenience copies of final/approved records
Why a RIM Compliance Framework?
• Typical Enterprise Content Management solutions:
– Focus on unstructured records
– Tend to address “declared records”
– Can’t handle every format or interface
– Are costly and time-consuming to implement
• A RIM Compliance framework:
– Addresses structured as well as unstructured records
– Can be established without major funding investment
– Enables a tiered, prioritized approach to compliance
– May eventually be replaced with a centralized approach using a “champion
technology”
RIM Compliance Framework Approach
• Life cycle controls for all information, regardless of whether the records
are temporary, work-in-progress, or final/approved
• Consistent categorization through a Records Retention Schedule
• Immutability of form and format that affects authenticity, reliability,
integrity, and usability
– Once finalized, records must not be modified
• Impact of storage media and management on life cycle controls
• Support of information security and data privacy requirements
to ensure authorized access and use of information
• Consistent, systematic destruction processes — including the ability
to suspend destruction — in order to meet legal, regulatory and
operational requirements
RIM Compliance Model: Core RIM Functionality Based on Industry Standards
1. Identify a Record: The ability to determine what constitutes the record within the system, for example a report, a PDF document, or some distinguishable collection of data
2. Categorize a Record: The ability to categorize a record in accordance with a records retention schedule, e.g., PUR1010 “Purchase Orders”
3. File a Record: The ability to distinguish some data collection at some point in time, indicating it is now considered a final record, and to secure it in order to prevent premature destruction or further modification (authenticity)
4. Search for a Record: The ability to find records as needed for business or legal reasons
RIM Compliance Model: Core RIM Functionality Based on Industry Standards (Cont’d)
5. Report on a Record: The ability to report what records exist within a system, where they are, and what activities are performed on them for audit and integrity purposes
6. Apply Retention to a Record: The ability to track a record with a retention rule in order to know when the record is no longer needed for business or legal purposes
7. Dispose of a Record or Retain for Reuse: The ability to delete or indefinitely archive a record
8. Hold a Record: The ability to temporarily prevent a record from being disposed of due to a Legal Hold
Levels of RIM Compliance Mapped to Core RIM Functionality
RIM Compliance Levels and the Primary Core RIM Functionality of Each Level:
• Bronze (Record Categorization): Requirements 1 & 2 (identify and categorize a record)
• Silver (In-Place Record Controls): Requirements 1 – 5 (Bronze functionality, plus ability to “lock down” final/approved record; to find records needed for legal or business reasons; and to report on and audit records)
• Gold (Retention Management): Requirements 1 – 8 (Silver functionality, plus ability to associate retention requirements with a record; to delete or indefinitely retain a record; and to temporarily prevent a record from being deleted)
System Type — Definitions
I. Structured Data Management Systems
A. New applications/systems that will be purchased or developed, for which RIM compliance standards can be introduced early in the requirements definition process
B. Legacy applications/systems that must be modified and/or enhanced to introduce RIM compliance standards
II. Unstructured and Semi-Structured Data Management Systems
A. File shares or local directories containing files with basic operating system (OS) functionality (e.g., Windows Active Directory)
B. Content management systems or applications that track and manage unstructured content (e.g., SharePoint, Open Text, FileNet, Documentum). Note: Content management systems may have available records management functionality through additional modules or add-on capabilities
III. Hybrid Systems containing a mix of structured and unstructured data
A. Content containing applications/systems — includes both line of business (LOB) applications, e.g., legal matter management, as well as collaborative workspaces, e.g., internal social networking
System Type — RIM Compliance Options
(Table columns: System Type, Description, RIM Compliance Standards; the standards column assigns Bronze, Silver or Gold to each system type)
– I-A: Structured Data Management Systems: New applications/systems
– I-B: Structured Data Management Systems: Legacy applications/systems
– II-A: Unstructured and Semi-Structured Data Management Systems: File shares or local directories
– II-B: Unstructured and Semi-Structured Data Management Systems: Content management systems
– III-A: Hybrid Systems: Systems containing a mix of structured and unstructured data
RIM Compliance Standards: Bronze, Silver, Gold
Record/Information States Compliance Framework
Legal Holds (shown spanning all three Information States)
Information States and their Business Rules (Retention and Disposition):
– Temporary: Example: 90 days, then additional action is performed
– Work in Progress: Example: 3 years, then additional action is performed
– Final/Approved: Records Retention Schedule (calculated from metadata), then additional action is performed
Associate Business Rules with both the Information State metadata tag and the Record Class Code
RIM Compliance Framework Methodology
• Assign System Type (I-A, I-B, II-A, II-B, III-A)
• Complete RIM assessment
– Define what records are managed in system
– Determine what Information States apply
– Identify ability of application/system to define and capture records
– Assess any existing records management capabilities within the
application/system
• Define risk/RIM compliance profile
– Magnitude of complexity (low/medium/high)
– Magnitude of operational or legal/regulatory risk (low/medium/high)
• Develop RIM compliance plan
– Target compliance level (Bronze, Silver, or Gold)
– Requirements vs. recommendations
– Collaborative effort between application/system owner and RIM team
RIM Compliance Controls and Auditing
To sustain the RIM Compliance Framework:
• RIM Policy, Records Retention Schedule, and procedures must be
reviewed and updated periodically
• RIM compliance controls and auditing must be established for specific
manual and automated process activities described in framework
• RIM compliance controls and auditing should become part of overall
design specification for tools that will be managing records at level of risk
or compliance defined for each specific application/system
How RIM Compliance Framework Can Be Used
• Conduct RIM compliance reviews as part of application
development process
• Establish RIM technology roadmap priorities and approach
– Proactively address certain applications/systems, based on:
• Value of the content
• Enterprise reach of the systems
• Ability to implement records management functionality
• Risk to the organization if the content remains unmanaged
– Examples of priorities:
• Enterprise applications with high-value content
• Content management systems with records management capabilities
• Email system
Elements Captured in RIM Compliance Analysis
System Information
– System Type: I-A (new applications/systems); I-B (legacy applications/systems); II-A (file shares or local directories); II-B (content management systems); III-A (hybrid systems)
– System Purpose/General Description: Provide brief description
– System Interconnection Points: Describe systems or applications that feed into the application, or where output is sent
– System Contains Official Records?: If no — conduct an analysis based on what information states apply (Temporary or Work-in-Progress), and work with application owner to determine an acceptable retention practice and processes for applying Legal Holds
Elements Captured in RIM Compliance Analysis
Categorization and Data Flow
– Content Type: Brief description of data elements that comprise a record (e.g., Purchase Order, Sales Proposal)
– Record Series: Alpha-numeric code to represent the record series from the Records Retention Schedule
– Record Format: (e.g., database fields, Word document, PDF)
– Data Source: Describe source of any data elements, including user input or data feed from another application
– Data Exported to: If applicable, describe the location of any data that is fed to another application or system
Elements Captured in RIM Compliance Analysis
Bronze Compliance Analysis
– Identify a Record: Are there any challenges in determining which data elements comprise a record?
– Categorize a Record: Can the application or system assign a record series to the data elements that comprise a record?
– Capture Record Creation Date: Are there data elements that can be used to identify the creation date for the record?
– Capture Event Date (e.g., no longer active): If the record series requires event-based retention, is there a date already captured in the system which can be used to calculate the event date?
GBS Global Knowledge Management Application
Silver Compliance Analysis
– File a Record: Is there a way to distinguish data collection at some point in time to indicate that the data is now considered a final/approved record?
– Secure a Record: Can the records be secured once finalized, to prevent premature destruction or further modification?
– Automate Changes to Information States: Can the shift from one information state to another (e.g., work in progress to final/approved) be automated?
– Search for a Record: Can the records be located based on content-specific or records-specific metadata (e.g., invoice number or record series code)?
Elements Captured in RIM Compliance Analysis
Gold Compliance Analysis
– Apply Retention: Can the system track a record with a retention rule? Can it produce expiration reports for items nearing a disposition date? Can the retention rules be changed globally when changes are made to the Records Retention Schedule?
– Dispose of a Record: Can the system allow for various options for processing disposition, including automatic, manual, or via an approval workflow? Can it assure that any deleted records and associated metadata cannot be reconstructed? Can it report on disposition activities? Can it recategorize select records as “archival”?
– Hold a Record: Can the system temporarily prevent a record from being disposed due to a Legal Hold? Can it assign unique identifiers to each legal hold? Can it support multiple Legal Holds with each record? Can it return records to their previous Information States once the Legal Hold is removed? Can it integrate with e-discovery tools?
– Audit/Report a Record: Can the system keep an audit trail of all disposition and legal hold actions?
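The Information State business rules (90 days / 3 years / Records Retention Schedule, keyed to both the state tag and the Record Class Code) and the Gold-level retention, disposition and Legal Hold questions above, worked as an added example that is not part of the CSC deck: a small Python model in which uniquely identified Legal Holds block disposition, a record returns to its previous Information State only when all holds are lifted, expiration reports list items nearing disposition, and every action lands in an audit trail. The rule periods, the 7-year schedule entry for PUR1010, and all names are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
# Constructed rules keyed by (Information State, Record Class Code); "*" = any class.
# Assumed periods: 90 days Temporary, 3 years WIP, PUR1010 7 years after event date.
RULES = {
    ("Temporary", "*"): ("creation", timedelta(days=90)),
    ("Work in Progress", "*"): ("creation", timedelta(days=3 * 365)),
    ("Final/Approved", "PUR1010"): ("event", timedelta(days=7 * 365)),
}

@dataclass
class Record:
    rid: str
    record_class: str                               # Record Class Code, e.g. PUR1010
    state: str                                      # current Information State
    created: date
    event_date: date | None = None                  # for event-based retention
    holds: set[str] = field(default_factory=set)    # unique Legal Hold identifiers
    prior_state: str | None = None                  # restored when all holds lift
    audit: list[str] = field(default_factory=list)  # disposition and hold audit trail

def disposition_date(rec):
    state = rec.prior_state if rec.holds else rec.state   # effective state while held
    rule = RULES.get((state, rec.record_class)) or RULES.get((state, "*"))
    if rule is None:
        return None
    basis, period = rule
    anchor = rec.event_date if basis == "event" else rec.created
    return None if anchor is None else anchor + period

def apply_hold(rec, hold_id):
    if not rec.holds:                       # first hold remembers the prior state
        rec.prior_state = rec.state
    rec.holds.add(hold_id)
    rec.state = "Legal Hold"
    rec.audit.append(f"hold {hold_id} applied")

def release_hold(rec, hold_id):
    rec.holds.discard(hold_id)
    rec.audit.append(f"hold {hold_id} released")
    if not rec.holds:                       # return to prior state only when all lifted
        rec.state, rec.prior_state = rec.prior_state, None

def dispose(rec, today):
    due = disposition_date(rec)
    if rec.holds or due is None or today < due:   # any Legal Hold overrides deletion
        rec.audit.append(f"disposition deferred {today}")
        return False
    rec.audit.append(f"disposed {today}")
    return True

def expiration_report(records, today, window=timedelta(days=30)):
    due = {r.rid: disposition_date(r) for r in records if not r.holds}
    return [(rid, d) for rid, d in due.items() if d and today <= d <= today + window]
```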
Challenges with Structured Records
• Requires identifying records based on a combination of data elements,
usually across multiple tables
• Do not support traditional library or version control capabilities
• Depending on the complexity of the system, multiple tables may feed into
different record requirements
– Locking down or deleting data elements for one record may have unintended
consequences for another record
– Data often flows to or from other applications, adding to the complexity
• While structured data lends itself to management through programming,
programming all RIM functionality quickly becomes expensive
• Structure of Software as a Service (SaaS) applications cannot
be modified
Checklist for Structured Records
• Request concept of operations overview, including process/data
flow diagram
• System overview
– Is the system currently in production? If not, when is it scheduled to go
into production?
– How is the system used?
– What content does it contain, and in what format?
– [If applicable:] Can the database schema be made available?
– Does the system integrate with other systems? If so, how, and which systems?
– Does this system utilize cloud-based storage? [If yes, see additional questions
relating to cloud-based storage]
Checklist for Structured Records (Cont’d)
• Information States
– Do you consider this system to be the System of Record for the content
it contains?
– Does the system contain content that has long-term value, or
is it temporary in nature?
– Does the system reflect a process that is a work in progress, or does it
contain final/approved content — or both?
• Use/Access Controls
– Who has access to the system?
– [If applicable:] Can the end user change the content from temporary to
work in progress or final/approved?
– [If applicable:] Can content be locked down once it becomes
final/approved?
– Does the system track who has made changes?
– Do users have permission to delete content?
Checklist for Structured Records (Cont’d)
• Retention/Legal Holds
– Is there a time-effective or cost-effective way to associate content with a record
series?
– Does the system have date fields that can be used to help calculate retention
(capture date and/or event date)?
– Does the system have a way to prevent the deletion of content that is marked
as a record or marked as having a legal hold assigned to it?
– Can the system be programmed to delete content based on retention rules?
If so, can a legal hold override the deletion?
– Does the system have audit capabilities that can track activities related to each
content object?
Checklist for Structured Records (Cont’d)
• Cloud-Based Storage
– Does the system have either an age or storage capacity limitation that could
cause information to be removed automatically?
– What are the host’s contractual obligations related to providing the data back to
CSC in the event of a termination — either voluntary or involuntary?
– In what format can the information be made available to assure that it can be
read without the host system software?
– If we request deletion, is data overwritten so it is no longer retrievable?
Conclusion
• Framework takes into account the entire spectrum of content subject to
RIM compliance
– Unlikely that “one size fits all” approach will ever be able to apply to all five system types
• Provides a “bridge” for RIM compliance while more holistic, automated
approaches are investigated
– Scalable to systems of all sizes and complexity
– Permits progress before investing in champion technology
• Downsides:
– Less efficient and more costly in the long run
– Requires manual tracking of all systems where it has been implemented, for updating
any Records Retention Schedule changes
• Advantages:
– Implementable immediately
– Less costly in the short run
– Does not require system integration
Elizabeth W. Adkins
Certified Records Manager,
Certified Archivist
Director, Global Information Management
703.641.2410
eadkins3@csc.com