RIM Compliance Framework April 2012 1 © Computer Sciences Corporation 2012. All rights reserved.


Some Background

• About CSC:
  – Founded as Computer Sciences Corporation in 1959
  – Over the last 53 years, has evolved into a global leader in technology-enabled business services and solutions
  – 98,000 employees located in more than 70 countries
  – $16B+ in revenues
• About me:
  – More than 25 years’ experience working in large, multinational companies
    • Kraft Foods (1986 – 1996)
    • Ford Motor Company (1996 – 2009)
    • CSC since July 2009

A Word About Terminology

• Typical RIM terms:
  – Documents
  – Records
  – Non-records
  – Declaring records
• My philosophy:
  – Typical documents/records distinctions are increasingly irrelevant in a world of ESI
  – Use a broad definition of “Record” and employ terms that are more intuitive to the end user
    • A “Record” is recorded information that supports the activity of the business or organization that created it
    • Records can be temporary, a work in progress, or final/approved
    • Records can also be convenience copies of final/approved records

Why a RIM Compliance Framework?

• Typical Enterprise Content Management solutions:
  – Focus on unstructured records
  – Tend to address “declared records”
  – Can’t handle every format or interface
  – Are costly and time-consuming to implement
• A RIM Compliance framework:
  – Addresses structured as well as unstructured records
  – Can be established without major funding investment
  – Enables a tiered, prioritized approach to compliance
  – May eventually be replaced with a centralized approach using a “champion technology”

RIM Compliance Framework Approach

• Life cycle controls for all information, regardless of whether the records are temporary, work-in-progress, or final/approved
• Consistent categorization through a Records Retention Schedule
• Immutability of form and format that affects authenticity, reliability, integrity, and usability
  – Once finalized, records must not be modified
• Impact of storage media and management on life cycle controls
• Support of information security and data privacy requirements to ensure authorized access and use of information
• Consistent, systematic destruction processes — including the ability to suspend destruction — in order to meet legal, regulatory and operational requirements

RIM Compliance Model: Core RIM Functionality Based on Industry Standards

1. Identify a Record: The ability to determine what constitutes the record within the system, for example a report, a PDF document, or some distinguishable collection of data
2. Categorize a Record: The ability to categorize a record in accordance with a records retention schedule, e.g., PUR1010 “Purchase Orders”
3. File a Record: The ability to distinguish some data collection at some point in time, indicating it is now considered a final record, and to secure it in order to prevent premature destruction or further modification (authenticity)
4. Search for a Record: The ability to find records as needed for business or legal reasons

RIM Compliance Model: Core RIM Functionality Based on Industry Standards (Cont’d)

5. Report on a Record: The ability to report what records exist within a system, where they are, and what activities are performed on them for audit and integrity purposes
6. Apply Retention to a Record: The ability to track a record with a retention rule in order to know when the record is no longer needed for business or legal purposes
7. Dispose of a Record or Retain for Reuse: The ability to delete or indefinitely archive a record
8. Hold a Record: The ability to temporarily prevent a record from being disposed of due to a Legal Hold

Levels of RIM Compliance Mapped to Core RIM Functionality

RIM Compliance Level | Primary Core RIM Functionality of Each Level
Bronze (Record Categorization) | Requirements 1 & 2 (identify and categorize a record)
Silver (In-Place Record Controls) | Requirements 1 – 5 (Bronze functionality, plus ability to “lock down” final/approved record; to find records needed for legal or business reasons; and to report on and audit records)
Gold (Retention Management) | Requirements 1 – 8 (Silver functionality, plus ability to associate retention requirements with a record; to delete or indefinitely retain a record; and to temporarily prevent a record from being deleted)

System Type — Definitions

I. Structured Data Management Systems
  A. New applications/systems that will be purchased or developed, for which RIM compliance standards can be introduced early in the requirements definition process
  B. Legacy applications/systems that must be modified and/or enhanced to introduce RIM compliance standards
II. Unstructured and Semi-Structured Data Management Systems
  A. File shares or local directories containing files with basic operating system (OS) functionality (e.g., Windows Active Directory)
  B. Content management systems or applications that track and manage unstructured content (e.g., SharePoint, Open Text, FileNet, Documentum). Note: Content management systems may have available records management functionality through additional modules or add-on capabilities
III. Hybrid Systems containing a mix of structured and unstructured data
  A. Content-containing applications/systems — includes both line of business (LOB) applications, e.g., legal matter management, as well as collaborative workspaces, e.g., internal social networking

System Type — RIM Compliance Options

System Type | Description | RIM Compliance Standards (Bronze / Silver / Gold)
I-A | Structured Data Management Systems: New applications/systems
I-B | Structured Data Management Systems: Legacy applications/systems
II-A | Unstructured and Semi-Structured Data Management Systems: File shares or local directories
II-B | Unstructured and Semi-Structured Data Management Systems: Content management systems
III-A | Hybrid Systems: Systems containing a mix of structured and unstructured data

Record/Information States Compliance Framework

Associate Business Rules with both the Information State metadata tag and the Record Class Code.

Information States and their Business Rules:
• Temporary: Retention and Disposition. Example: 90 days, then additional action is performed
• Work in Progress: Retention and Disposition. Example: 3 years, then additional action is performed
• Final/Approved: Retention and Disposition per the Records Retention Schedule (calculated from metadata), then additional action is performed
• Legal Holds (applied across the Information States)

RIM Compliance Framework Methodology

• Assign System Type (I-A, I-B, II-A, II-B, III-A)
• Complete RIM assessment
  – Define what records are managed in the system
  – Determine what Information States apply
  – Identify the ability of the application/system to define and capture records
  – Assess any existing records management capabilities within the application/system
• Define risk/RIM compliance profile
  – Magnitude of complexity (low/medium/high)
  – Magnitude of operational or legal/regulatory risk (low/medium/high)
• Develop RIM compliance plan
  – Target compliance level (Bronze, Silver, or Gold)
  – Requirements vs. recommendations
  – Collaborative effort between application/system owner and RIM team

RIM Compliance Controls and Auditing

To sustain the RIM Compliance Framework:
• RIM Policy, Records Retention Schedule, and procedures must be reviewed and updated periodically
• RIM compliance controls and auditing must be established for specific manual and automated process activities described in the framework
• RIM compliance controls and auditing should become part of the overall design specification for tools that will be managing records at the level of risk or compliance defined for each specific application/system

How RIM Compliance Framework Can Be Used

• Conduct RIM compliance reviews as part of the application development process
• Establish RIM technology roadmap priorities and approach
  – Proactively address certain applications/systems, based on:
    • Value of the content
    • Enterprise reach of the systems
    • Ability to implement records management functionality
    • Risk to the organization if the content remains unmanaged
  – Examples of priorities:
    • Enterprise applications with high-value content
    • Content management systems with records management capabilities
    • Email system

Elements Captured in RIM Compliance Analysis: System Information

• System Type: I-A (new applications/systems); I-B (legacy applications/systems); II-A (file shares or local directories); II-B (content management systems); III-A (hybrid systems)
• System Purpose/General Description: Provide a brief description
• System Interconnection Points: Describe systems or applications that feed into the application, or where output is sent
• System Contains Official Records? If no — conduct an analysis based on what information states apply (Temporary or Work-in-Progress), and work with the application owner to determine an acceptable retention practice and processes for applying Legal Holds

Elements Captured in RIM Compliance Analysis: Categorization and Data Flow

• Content Type: Brief description of the data elements that comprise a record (e.g., Purchase Order, Sales Proposal)
• Record Series: Alpha-numeric code representing the record series from the Records Retention Schedule
• Record Format: e.g., database fields, Word document, PDF
• Data Source: Describe the source of any data elements, including user input or a data feed from another application
• Data Exported to: If applicable, describe the location of any data that is fed to another application or system

Elements Captured in RIM Compliance Analysis: Bronze Compliance Analysis

• Identify a Record: Are there any challenges in determining which data elements comprise a record?
• Categorize a Record: Can the application or system assign a record series to the data elements that comprise a record?
• Capture Record Creation Date: Are there data elements that can be used to identify the creation date for the record?
• Capture Event Date (e.g., no longer active): If the record series requires event-based retention, is there a date already captured in the system which can be used to calculate the event date?

GBS Global Knowledge Management Application: Silver Compliance Analysis

• File a Record: Is there a way to distinguish a data collection at some point in time to indicate that the data is now considered a final/approved record?
• Secure a Record: Can the records be secured once finalized, to prevent premature destruction or further modification?
• Automate Changes to Information States: Can the shift from one information state to another (e.g., work in progress to final/approved) be automated?
• Search for a Record: Can the records be located based on content-specific or records-specific metadata (e.g., invoice number or record series code)?

Elements Captured in RIM Compliance Analysis: Gold Compliance Analysis

• Apply Retention to a Record: Can the system track a record with a retention rule? Can it produce expiration reports for items nearing a disposition date? Can the retention rules be changed globally when changes are made to the Records Retention Schedule?
• Dispose of a Record: Can the system allow for various options for processing disposition, including automatic, manual, or via an approval workflow? Can it assure that any deleted records and associated metadata cannot be reconstructed? Can it report on disposition activities? Can it recategorize select records as “archival”?
• Hold a Record: Can the system temporarily prevent a record from being disposed due to a Legal Hold? Can it assign unique identifiers to each legal hold? Can it support multiple Legal Holds for each record? Can it return records to their previous Information States once the Legal Hold is removed? Can it integrate with e-discovery tools?
• Audit/Report: Can the system keep an audit trail of all disposition and legal hold actions?
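As an added illustration, not part of the original deck, the business rules from the Record/Information States slide and the Gold-level retention, disposition and Legal Hold checks above worked through in Python: retention calculated from a creation or event date, disposition blocked while any hold is active, the prior Information State restored when the last hold is released, and every decision audited. The series codes, retention periods and hold identifiers are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed retention schedule: record series code -> (days to retain, trigger).
# "creation" counts from the creation date, "event" from a captured event date.
SCHEDULE = {
    "PUR1010": (7 * 365, "creation"),  # Purchase Orders (hypothetical period)
    "CON2020": (3 * 365, "event"),     # Contracts, 3 years after "no longer active"
}
STATE_RULES = {"Temporary": 90, "Work in Progress": 3 * 365}  # non-final state rules


@dataclass
class Record:
    record_id: str
    series: str
    state: str  # Temporary / Work in Progress / Final/Approved / Legal Hold / Disposed
    created: date
    event_date: Optional[date] = None
    prior_state: Optional[str] = None          # Information State to restore after a hold
    holds: set = field(default_factory=set)    # unique identifiers of active Legal Holds
    audit: list = field(default_factory=list)  # (date, action, detail) audit trail

    def disposition_date(self) -> Optional[date]:
        """Date from which the record may be destroyed; None if not yet calculable."""
        if self.state == "Disposed":
            return None
        st = self.prior_state if self.state == "Legal Hold" else self.state
        if st in STATE_RULES:
            return self.created + timedelta(days=STATE_RULES[st])
        days, trigger = SCHEDULE[self.series]
        if trigger == "creation":
            return self.created + timedelta(days=days)
        return None if self.event_date is None else self.event_date + timedelta(days=days)

    def apply_hold(self, hold_id: str, when: date) -> None:
        """A Legal Hold suspends disposition; the prior Information State is remembered."""
        if self.state != "Legal Hold":
            self.prior_state, self.state = self.state, "Legal Hold"
        self.holds.add(hold_id)
        self.audit.append((when, "hold_applied", hold_id))

    def release_hold(self, hold_id: str, when: date) -> None:
        """Several holds may apply; only releasing the last one restores the prior state."""
        self.holds.discard(hold_id)
        self.audit.append((when, "hold_released", hold_id))
        if not self.holds and self.state == "Legal Hold":
            self.state, self.prior_state = self.prior_state, None

    def dispose(self, today: date) -> bool:
        """Destroy only when retention has run and no hold applies; audit every decision."""
        due = self.disposition_date()
        if self.state == "Legal Hold" or due is None or today < due:
            self.audit.append((today, "disposition_blocked", self.state))
            return False
        self.state = "Disposed"
        self.audit.append((today, "disposed", self.series))
        return True


def expiration_report(records, today: date, window_days: int = 30) -> list:
    """IDs of records (not on hold) whose disposition date falls in the next window."""
    horizon = today + timedelta(days=window_days)
    return [r.record_id for r in records if r.state != "Legal Hold"
            and r.disposition_date() is not None and today <= r.disposition_date() <= horizon]
```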


Challenges with Structured Records

• Requires identifying records based on a combination of data elements, usually across multiple tables
• Do not support traditional library or version control capabilities
• Depending on the complexity of the system, multiple tables may feed into different record requirements
  – Locking down or deleting data elements for one record may have unintended consequences for another record
  – Data often flows to or from other applications, adding to the complexity
• While structured data lends itself to management through programming, programming all RIM functionality quickly becomes expensive
• Structure of Software as a Service (SaaS) applications cannot be modified

Checklist for Structured Records

• Request concept of operations overview, including process/data flow diagram
• System overview
  – Is the system currently in production? If not, when is it scheduled to go into production?
  – How is the system used?
  – What content does it contain, and in what format?
  – [If applicable:] Can the database schema be made available?
  – Does the system integrate with other systems? If so, how, and which systems?
  – Does this system utilize cloud-based storage? [If yes, see additional questions relating to cloud-based storage]

Checklist for Structured Records (Cont’d)

• Information States
  – Do you consider this system to be the System of Record for the content it contains?
  – Does the system contain content that has long-term value, or is it temporary in nature?
  – Does the system reflect a process that is a work in progress, or does it contain final/approved content — or both?
• Use/Access Controls
  – Who has access to the system?
  – [If applicable:] Can the end user change the content from temporary to work in progress or final/approved?
  – [If applicable:] Can content be locked down once it becomes final/approved?
  – Does the system track who has made changes?
  – Do users have permission to delete content?

Checklist for Structured Records (Cont’d)

• Retention/Legal Holds
  – Is there a time-effective or cost-effective way to associate content with a record series?
  – Does the system have date fields that can be used to help calculate retention (capture date and/or event date)?
  – Does the system have a way to prevent the deletion of content that is marked as a record or marked as having a legal hold assigned to it?
  – Can the system be programmed to delete content based on retention rules? If so, can a legal hold override the deletion?
  – Does the system have audit capabilities that can track activities related to each content object?

Checklist for Structured Records (Cont’d)

• Cloud-Based Storage
  – Does the system have either an age or storage capacity limitation that could cause information to be removed automatically?
  – What are the host’s contractual obligations related to providing the data back to CSC in the event of a termination — either voluntary or involuntary?
  – In what format can the information be made available to assure that it can be read without the host system software?
  – If we request deletion, is data overwritten so it is no longer retrievable?

Conclusion

• Framework takes into account the entire spectrum of content subject to RIM compliance
  – Unlikely that a “one size fits all” approach will ever be able to apply to all five system types
• Provides a “bridge” for RIM compliance while more holistic, automated approaches are investigated
  – Scalable to systems of all sizes and complexity
  – Permits progress before investing in champion technology
• Downsides:
  – Less efficient and more costly in the long run
  – Requires manual tracking of all systems where it has been implemented, for updating any Records Retention Schedule changes
• Advantages:
  – Implementable immediately
  – Less costly in the short run
  – Does not require system integration

Elizabeth W. Adkins
Certified Records Manager, Certified Archivist
Director, Global Information Management
[email protected]