If you were to receive a subpoena or audit notice today, are you confident that you can provide the requested records and information, and only those records and information? If not, you are not working with a trusted system, as defined in the AIIM/ANSI Standard 25-2012. Also referenced are ISO 15489 and ARMA’s Generally Accepted Recordkeeping Principles.
It is important to note that a trusted system is not limited to software requirements but encompasses policy, procedures and processes to ensure records and information are managed from the time they are received or created to the time of final disposition. In other words, the responsibility for a trusted system doesn’t lie in one department but in all departments.
Let’s break it down into its component parts:
- Governance – the rules
- Technology – the tools
- Process – how to use the tools according to the rules
- People – trained on not only the how but the why
- Compliance – saying it, doing it, proving it
Corporate Governance broadly refers to the rules, processes, by-laws and laws by which a business operates. Information Governance is a holistic approach to managing corporate information by implementing rules, processes, roles, controls and metrics that treat information as a valuable business asset. The common theme is the existence of rules and processes. Governance is specific and direct: rules, processes and role definitions should not include the words ‘should’ or ‘may’ but ‘shall’ and ‘will’. This removes uncertainty and the gray areas in which fraud can occur. For a trusted system to exist, governance has to be in place and understood by everyone.
In a perfect world, information management technology is deployed and improves business processes by reducing the number of human touches, displaying outliers for either resolution (defect) or emulation (best practice) and includes tools to manage information security, integrity, authenticity, access and disposition. The technology components that are deployed need to talk to each other so that an audit trail is established from the time a record is received or created to its final disposition, such as destruction or archival preservation.
Defined, published, communicated and attested processes are the heart of a trusted system. These are built upon the rules stated in the Governance section, with the tools from the Technology section appropriately configured and deployed to support Governance. Business Process Management as it relates to Records and Information is the most common failure point in creating a trusted system. Information management processes have traditionally evolved over the years according to personal preference or a limited understanding of business requirements. Manufacturing techniques in process improvement, such as Six Sigma and Lean work-outs or root cause analysis in defect remediation, can be adapted to map out existing processes and identify more efficient methods prior to implementing new technology. It’s also helpful to review existing communication methods and the education/training curriculum to ensure they adequately support the changes needed to create a trusted system.
In the transition to a trusted system, buy-in from all levels is important to your success. Change is difficult, and more so when it touches records and information. Many employees believe, rightly or wrongly, that the information on their computer or in the folders in their filing cabinet belongs to them and not the organization. Changing how they create, save, distribute, protect, destroy or preserve it requires small steps and sometimes punitive measures. Training on the how and the why is not complete until there is confirmation of understanding, in writing. This ensures you can prove to the court or auditor that your employees understand the processes, technology and rules for managing information. Deviations from the process are identified either as mistakes (‘reply all’ was hit on an email containing PII) or as malicious in intent (PII was downloaded to a USB drive by a disgruntled employee). Not everyone will be able to adapt to a trusted system for records and information management, so prepare for attrition.
If you can’t prove that you are using the tools with the processes and procedures in place, you are missing the last piece of the system. In your technology deployment, ensure audit functions exist and turn them on. Audit your system from the receipt or creation of a piece of information (native electronic and scanned image alike) to its disposition. Report on it. Do this on a regular basis.
Checklist for a Trusted System
- Executive level support
- Single sign-on – no group IDs for logging into systems
- Records retention schedule with legal citations, defined operational requirements and criteria for declaring an historical/archival record, as well as duplicate retention periods and disposition methods
- Procedures in place that support corporate and information governance
- Unique ID assigned to a piece of information from creation or receipt
- Capture system that supports validation and verification of authentic records
- Active use repository with workflow and retention modules to track and report on activity, approvals, holds and disposition
- Archival repository with migration paths defined so that as technology changes the permanent records maintain integrity and authenticity
- Training and education protocols with regularly scheduled refresher courses
- Budget to upgrade and migrate hardware and software when necessary
- Budget to train new employees
- Budget to refresh training for existing employees
- Scheduled process audits to ensure you’re doing what you said you would, in the manner you said you would do it
In summary, a “trusted system” isn’t a single piece of hardware or software but an ecosystem that supports and protects the organization.
Cheryl Ahrens Young, CIP, CDIA+, CTT+, APMD
Western Integrated Systems
Southern California Office
Direct: (714) 997-3700 ext 31
Mobile: (626) 824-1628