RIM Compliance Framework April 2012 1 © Computer Sciences Corporation 2012. All rights reserved.
Some Background
• About CSC:
  – Founded as Computer Sciences Corporation in 1959
  – Over the last 53 years, has evolved into a global leader in technology-enabled business services and solutions
  – 98,000 employees located in more than 70 countries
  – $16B+ in revenues
• About me:
  – More than 25 years’ experience working in large, multinational companies
    • Kraft Foods (1986 – 1996)
    • Ford Motor Company (1996 – 2009)
    • CSC since July 2009
A Word About Terminology
• Typical RIM terms:
  – Documents
  – Record
  – Non-records
  – Declaring records
• My philosophy:
  – Typical documents/records distinctions are increasingly irrelevant in a world of ESI
  – Use a broad definition of “Record” and employ terms that are more intuitive to the end user
    • A “Record” is recorded information that supports the activity of the business or organization that created it
    • Records can be temporary, a work in progress, or final/approved
    • Records can also be convenience copies of final/approved records
Why a RIM Compliance Framework?
• Typical Enterprise Content Management solutions:
  – Focus on unstructured records
  – Tend to address “declared records”
  – Can’t handle every format or interface
  – Are costly and time-consuming to implement
• A RIM Compliance framework:
  – Addresses structured as well as unstructured records
  – Can be established without major funding investment
  – Enables a tiered, prioritized approach to compliance
  – May eventually be replaced with a centralized approach using a “champion technology”
RIM Compliance Framework Approach
• Life cycle controls for all information, regardless of whether the records are temporary, work-in-progress, or final/approved
• Consistent categorization through a Records Retention Schedule
• Immutability of form and format that affects authenticity, reliability, integrity, and usability
  – Once finalized, records must not be modified
• Impact of storage media and management on life cycle controls
• Support of information security and data privacy requirements to ensure authorized access and use of information
• Consistent, systematic destruction processes — including the ability to suspend destruction — in order to meet legal, regulatory and operational requirements
RIM Compliance Model: Core RIM Functionality Based on Industry Standards
1 Identify a Record
The ability to determine what constitutes the record within the system, for example a report, a PDF document, or some distinguishable collection of data
2 Categorize a Record
The ability to categorize a record in accordance with a records retention schedule, e.g., PUR1010 “Purchase Orders”
3 File a Record
The ability to distinguish some data collection at some point in time, indicating it is now considered a final record, and to secure it in order to prevent premature destruction or further modification (authenticity)
4 Search for a Record
The ability to find records as needed for business or legal reasons
RIM Compliance Model: Core RIM Functionality Based on Industry Standards (Cont’d)
5 Report on a Record
The ability to report what records exist within a system, where they are, and what activities are performed on them for audit and integrity purposes
6 Apply Retention to a Record
The ability to track a record with a retention rule in order to know when the record is no longer needed for business or legal purposes
7 Dispose of a Record or Retain for Reuse
The ability to delete or indefinitely archive a record
8 Hold a Record
The ability to temporarily prevent a record from being disposed of due to a Legal Hold
Levels of RIM Compliance Mapped to Core RIM Functionality
RIM Compliance Level: Primary Core RIM Functionality of Each Level
• Bronze: Record Categorization. Requirements 1 & 2 (identify and categorize a record)
• Silver: In-Place Record Controls. Requirements 1 – 5 (Bronze functionality, plus ability to “lock down” final/approved records; to find records needed for legal or business reasons; and to report on and audit records)
• Gold: Retention Management. Requirements 1 – 8 (Silver functionality, plus ability to associate retention requirements with a record; to delete or indefinitely retain a record; and to temporarily prevent a record from being deleted)
System Type — Definitions
I. Structured Data Management Systems
  A. New applications/systems that will be purchased or developed, for which RIM compliance standards can be introduced early in the requirements definition process
  B. Legacy applications/systems that must be modified and/or enhanced to introduce RIM compliance standards
II. Unstructured and Semi-Structured Data Management Systems
  A. File shares or local directories containing files with basic operating system (OS) functionality (e.g., Windows Active Directory)
  B. Content management systems or applications that track and manage unstructured content (e.g., SharePoint, Open Text, FileNet, Documentum). Note: Content management systems may have records management functionality available through additional modules or add-on capabilities
III. Hybrid Systems containing a mix of structured and unstructured data
  A. Content-containing applications/systems — includes both line of business (LOB) applications, e.g., legal matter management, and collaborative workspaces, e.g., internal social networking
System Type — RIM Compliance Options
System Type: Description (RIM Compliance Standards: Bronze, Silver, Gold)
• I-A: Structured Data Management Systems: New applications/systems
• I-B: Structured Data Management Systems: Legacy applications/systems
• II-A: Unstructured and Semi-Structured Data Management Systems: File shares or local directories
• II-B: Unstructured and Semi-Structured Data Management Systems: Content management systems
• III-A: Hybrid Systems: Systems containing a mix of structured and unstructured data
Record/Information States Compliance Framework
Associate Business Rules with both the Information State metadata tag and the Record Class Code.
Information States, with the Retention and Disposition business rule attached to each:
• Temporary: Retention and Disposition example: 90 days, then additional action is performed
• Work in Progress: Retention and Disposition example: 3 years, then additional action is performed
• Final/Approved: Retention and Disposition per the Records Retention Schedule (calculated from metadata), then additional action is performed
• Legal Holds: temporarily prevent disposition of a record in any Information State
RIM Compliance Framework Methodology
• Assign System Type (I-A, I-B, II-A, II-B, III-A)
• Complete RIM assessment
  – Define what records are managed in the system
  – Determine what Information States apply
  – Identify the ability of the application/system to define and capture records
  – Assess any existing records management capabilities within the application/system
• Define risk/RIM compliance profile
  – Magnitude of complexity (low/medium/high)
  – Magnitude of operational or legal/regulatory risk (low/medium/high)
• Develop RIM compliance plan
  – Target compliance level (Bronze, Silver, or Gold)
  – Requirements vs. recommendations
  – Collaborative effort between application/system owner and RIM team
RIM Compliance Controls and Auditing
To sustain the RIM Compliance Framework:
• RIM Policy, Records Retention Schedule, and procedures must be reviewed and updated periodically
• RIM compliance controls and auditing must be established for the specific manual and automated process activities described in the framework
• RIM compliance controls and auditing should become part of the overall design specification for tools that will be managing records, at the level of risk or compliance defined for each specific application/system
How the RIM Compliance Framework Can Be Used
• Conduct RIM compliance reviews as part of the application development process
• Establish RIM technology roadmap priorities and approach
  – Proactively address certain applications/systems, based on:
    • Value of the content
    • Enterprise reach of the systems
    • Ability to implement records management functionality
    • Risk to the organization if the content remains unmanaged
  – Examples of priorities:
    • Enterprise applications with high-value content
    • Content management systems with records management capabilities
    • Email system
Elements Captured in RIM Compliance Analysis: System Information
• System Type: I-A (new applications/systems), I-B (legacy applications/systems), II-A (file shares or local directories), II-B (content management systems), III-A (hybrid systems)
• System Purpose / General Description: Provide a brief description
• System Interconnection Points: Describe systems or applications that feed into the application, or where output is sent
• System Contains Official Records?: If no, conduct an analysis based on which information states apply (Temporary or Work-in-Progress), and work with the application owner to determine an acceptable retention practice and processes for applying Legal Holds
Elements Captured in RIM Compliance Analysis: Categorization and Data Flow
• Content Type: Brief description of the data elements that comprise a record (e.g., Purchase Order, Sales Proposal)
• Record Series: Alpha-numeric code representing the record series from the Records Retention Schedule
• Record Format: e.g., database fields, Word document, PDF
• Data Source: Describe the source of any data elements, including user input or a data feed from another application
• Data Exported To: If applicable, describe the location of any data that is fed to another application or system
Elements Captured in RIM Compliance Analysis: Bronze Compliance Analysis
• Identify a Record: Are there any challenges in determining which data elements comprise a record?
• Categorize a Record: Can the application or system assign a record series to the data elements that comprise a record?
• Capture Record Creation Date: Are there data elements that can be used to identify the creation date for the record?
• Capture Event Date (e.g., no longer active): If the record series requires event-based retention, is there a date already captured in the system which can be used to calculate the event date?
GBS Global Knowledge Management Application: Silver Compliance Analysis
• File a Record: Is there a way to distinguish a data collection at some point in time to indicate that the data is now considered a final/approved record?
• Secure a Record: Can the records be secured once finalized, to prevent premature destruction or further modification?
• Automate Changes to Information States: Can the shift from one information state to another (e.g., work in progress to final/approved) be automated?
• Search for a Record: Can the records be located based on content-specific or records-specific metadata (e.g., invoice number or record series code)?
Elements Captured in RIM Compliance Analysis: Gold Compliance Analysis
• Apply Retention to a Record: Can the system track a record with a retention rule? Can it produce expiration reports for items nearing a disposition date? Can the retention rules be changed globally when changes are made to the Records Retention Schedule?
• Dispose of a Record: Can the system allow for various options for processing disposition, including automatic, manual, or via an approval workflow? Can it assure that any deleted records and associated metadata cannot be reconstructed? Can it report on disposition activities? Can it recategorize select records as “archival”?
• Hold a Record: Can the system temporarily prevent a record from being disposed due to a Legal Hold? Can it assign unique identifiers to each legal hold? Can it support multiple Legal Holds on each record? Can it return records to their previous Information States once the Legal Hold is removed? Can it integrate with e-discovery tools?
• Audit/Report: Can the system keep an audit trail of all disposition and legal hold actions?
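The Information States slide and the Silver/Gold analysis questions above describe a small set of controls that an application owner must be able to demonstrate: content becomes immutable once filed as final/approved, a retention rule (by state or by record series) yields a disposition date, a Legal Hold with its own identifier suspends disposition and can coexist with other holds, releasing the last hold returns the record to its previous Information State, and every disposition and hold action is audited. The following Python model is an added illustration of those controls working together; it is not code from the deck or from CSC. The record series code PUR1010 is the one the deck uses; its 7-year period, the Record/State names and all sample dates are constructed assumptions.

```python
"""Toy records-lifecycle model (added illustration): Information States,
immutability once filed, retention-driven disposition, Legal Holds, audit trail.
Retention periods below are constructed assumptions, not a real schedule."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class State(Enum):
    TEMPORARY = "temporary"
    WORK_IN_PROGRESS = "work_in_progress"
    FINAL_APPROVED = "final_approved"
    LEGAL_HOLD = "legal_hold"   # overlay state; the prior state is restored on release


# Business rules keyed by Information State (Temporary / Work in Progress).
STATE_RULES = {State.TEMPORARY: timedelta(days=90),
               State.WORK_IN_PROGRESS: timedelta(days=3 * 365)}
# Records Retention Schedule keyed by record series code, for final/approved records.
# PUR1010 "Purchase Orders" is the code from the deck; the 7-year period is assumed.
SCHEDULE = {"PUR1010": timedelta(days=7 * 365)}


@dataclass
class Record:
    record_id: str
    series_code: str
    content: bytes
    created: date
    event_date: Optional[date] = None        # e.g. "no longer active"; drives schedule retention
    state: State = State.TEMPORARY
    prior_state: Optional[State] = None      # remembered while the record is on Legal Hold
    holds: set = field(default_factory=set)  # unique identifiers of the active Legal Holds
    locked_digest: Optional[str] = None      # set when filed as final; content is then immutable
    disposed: bool = False
    audit: list = field(default_factory=list)  # audit trail of disposition and hold actions

    def log(self, action: str) -> None:
        self.audit.append(f"{self.record_id}:{action}")


def update_content(rec: Record, new_content: bytes) -> None:
    """Edits are permitted only before the record is filed as final/approved."""
    if rec.locked_digest is not None:
        raise PermissionError("final/approved records must not be modified")
    rec.content = new_content
    rec.log("content_updated")


def file_record(rec: Record, event_date: date) -> None:
    """File as final/approved: capture the event date and lock the content."""
    rec.state = State.FINAL_APPROVED
    rec.event_date = event_date
    rec.locked_digest = hashlib.sha256(rec.content).hexdigest()
    rec.log("filed_final")


def integrity_ok(rec: Record) -> bool:
    """Authenticity check: locked content must still match the digest taken at filing."""
    return rec.locked_digest is None or hashlib.sha256(rec.content).hexdigest() == rec.locked_digest


def apply_hold(rec: Record, hold_id: str) -> None:
    """Several holds may be active per record; the first one parks the Information State."""
    if hold_id in rec.holds:
        raise ValueError(f"hold {hold_id} already applied")
    if not rec.holds:
        rec.prior_state, rec.state = rec.state, State.LEGAL_HOLD
    rec.holds.add(hold_id)
    rec.log(f"hold_applied:{hold_id}")


def release_hold(rec: Record, hold_id: str) -> None:
    """Releasing the last hold returns the record to its previous Information State."""
    rec.holds.remove(hold_id)
    rec.log(f"hold_released:{hold_id}")
    if not rec.holds:
        rec.state, rec.prior_state = rec.prior_state, None


def disposition_date(rec: Record) -> date:
    """Retention rule from the state (temporary/WIP) or from the schedule (final/approved)."""
    base = rec.prior_state if rec.state == State.LEGAL_HOLD else rec.state
    if base == State.FINAL_APPROVED:
        if rec.event_date is None:
            raise ValueError("event-based retention needs an event date")
        return rec.event_date + SCHEDULE[rec.series_code]
    return rec.created + STATE_RULES[base]


def dispose(rec: Record, today: date) -> bool:
    """Automatic disposition; an active Legal Hold or unexpired retention blocks it."""
    if rec.holds:
        rec.log("disposition_blocked:legal_hold")
        return False
    if today < disposition_date(rec):
        rec.log("disposition_blocked:retention_active")
        return False
    rec.content = b""   # a real system must make disposed content unrecoverable
    rec.disposed = True
    rec.log("disposed")
    return True


def expiration_report(records: list, today: date, window_days: int = 30) -> list:
    """Ids of records whose disposition date falls within the window (held records excluded)."""
    horizon = today + timedelta(days=window_days)
    return sorted(r.record_id for r in records
                  if not r.disposed and not r.holds and disposition_date(r) <= horizon)
```

The Legal Hold is modelled as an overlay rather than a replacement of the Information State so that `disposition_date` can still be computed from the parked state and the record drops back into it when the last hold is released; the audit list records the blocked disposition attempts as well as the successful one, which is what the Audit/Report question asks for.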
Challenges with Structured Records
• Requires identifying records based on a combination of data elements, usually across multiple tables
• Do not support traditional library or version control capabilities
• Depending on the complexity of the system, multiple tables may feed into different record requirements
  – Locking down or deleting data elements for one record may have unintended consequences for another record
  – Data often flows to or from other applications, adding to the complexity
• While structured data lends itself to management through programming, programming all RIM functionality quickly becomes expensive
• The structure of Software as a Service (SaaS) applications cannot be modified
Checklist for Structured Records
• Request a concept of operations overview, including a process/data flow diagram
• System overview
  – Is the system currently in production? If not, when is it scheduled to go into production?
  – How is the system used?
  – What content does it contain, and in what format?
  – [If applicable:] Can the database schema be made available?
  – Does the system integrate with other systems? If so, how, and which systems?
  – Does this system utilize cloud-based storage? [If yes, see the additional questions relating to cloud-based storage]
Checklist for Structured Records (Cont’d)
• Information States
  – Do you consider this system to be the System of Record for the content it contains?
  – Does the system contain content that has long-term value, or is it temporary in nature?
  – Does the system reflect a process that is a work in progress, or does it contain final/approved content — or both?
• Use/Access Controls
  – Who has access to the system?
  – [If applicable:] Can the end user change the content from temporary to work in progress or final/approved?
  – [If applicable:] Can content be locked down once it becomes final/approved?
  – Does the system track who has made changes?
  – Do users have permission to delete content?
Checklist for Structured Records (Cont’d)
• Retention/Legal Holds
  – Is there a time-effective or cost-effective way to associate content with a record series?
  – Does the system have date fields that can be used to help calculate retention (capture date and/or event date)?
  – Does the system have a way to prevent the deletion of content that is marked as a record or marked as having a legal hold assigned to it?
  – Can the system be programmed to delete content based on retention rules? If so, can a legal hold override the deletion?
  – Does the system have audit capabilities that can track activities related to each content object?
Checklist for Structured Records (Cont’d)
• Cloud-Based Storage
  – Does the system have either an age or a storage capacity limitation that could cause information to be removed automatically?
  – What are the host’s contractual obligations related to providing the data back to CSC in the event of a termination — either voluntary or involuntary?
  – In what format can the information be made available to assure that it can be read without the host system software?
  – If we request deletion, is the data overwritten so that it is no longer retrievable?
Conclusion
• The framework takes into account the entire spectrum of content subject to RIM compliance
  – It is unlikely that a “one size fits all” approach will ever be able to apply to all five system types
• Provides a “bridge” for RIM compliance while more holistic, automated approaches are investigated
  – Scalable to systems of all sizes and complexity
  – Permits progress before investing in champion technology
• Downsides:
  – Less efficient and more costly in the long run
  – Requires manual tracking of all systems where it has been implemented, for updating any Records Retention Schedule changes
• Advantages:
  – Implementable immediately
  – Less costly in the short run
  – Does not require system integration
Elizabeth W. Adkins, Certified Records Manager, Certified Archivist
Director, Global Information Management