E-Records Management: The Path of Least Resistance
Tim Shinkle, Millican & Associates, September 2015
A New Approach to ERM
The traditional approach of a single vendor platform for all e-records has
failed…too expensive, too complex, too few users, all ending up with too few
records being managed
A new approach is to better understand and leverage what technology your
organization already owns and implement an ERM framework where additional
automation is added, on a system by system basis, only when it makes sense
from a cost, risk and benefit perspective.
History of ERM
In the beginning there were a few ERM vendors: Tower Trim, PSSoftware, Provenance Systems and others
Two paths, one focused on providing DM and RM, the other focused on integrating with emerging DM players (PC Docs, Documentum, OpenText, FileNet and others)
DOD 5015.2 (1997), paired certifications
Auto-categorization and filing for file shares and email was available in 1999/2000
Integration options: transfer or manage in place
Complex problem, heavy cost in integration, object model mapping, taxonomy mapping, API coding and maintenance, multiple steps to filing records
Document management and workflow were bigger drivers for IT
Paper was a big driver for RM
Archiving for IT and the CIO was good enough
ECM Industry
Consolidation of services on single platforms (DM, RM, Search, Workflow, BPM,
Collaboration, WCM, Publishing, etc…)
Leaders emerged and consolidated smaller players (Documentum – ForeMost,
OpenText – PSSoftware, IBM – Tarian)
Early signs from Microsoft SharePoint 1.5 (DOD 5015.2 pair certified with
ForeMost)
Vision of one platform to solve all your needs, unstructured content would
become managed content
Vision failed to materialize – local drives, file shares and email still dominated
– users still followed the path of least resistance
SharePoint and collaboration, Microsoft went after the ECM space
ECM Today
Cloud has come along and introduced new players: Dropbox, Box, Google Docs, OneDrive/O365 and many others
ECM players moving to the Cloud include Alfresco, IBM, OpenText and others
Trend is now to add retention and compliance to existing systems similar to
the ECM vendors, Cloud vendors are doing the same thing (e.g., O365 has
Compliance Center, Google Vault, etc…) – Why?
Cloud providers are adding data mining services on top of their Cloud
repositories – ERM threatens to take data away from their services
Meanwhile, most large organizations are still in a Cloud hybrid mode with
more repositories to manage than ever before (we have one of everything)
The Problem
Legacy migration and decommissioning is expensive
Consolidating to a single platform is expensive
Most systems provide some form of ERM, making it hard to justify the cost of redundancy just for ERM
Business needs are driving technology change, not ERM
Users follow a path of least resistance with local drives, shares and email systems to preserve their data
Auto-categorization is the promise that has never been fulfilled; it’s still too expensive to integrate, maintain and manage, and it has accuracy challenges…it is better suited to searching, auditing and data mining
A new approach is needed that leverages what you own and adjusts as technology changes over time…a framework is needed more than any specific technology
ERM Framework
Steps:
1. Define a simplified set of ERM requirements
2. Understand the landscape of systems and applications
3. Prioritize the systems in terms of importance
4. Define a repeatable approach as part of the SDLC to sustain, add, integrate or
replace existing systems for ERM based on the cost, risk and benefit of
automating the requirements
5. Map the approach to the RM and Governance programs
6. Define an auditing approach to evaluate the success of the program over time
7. Implement, make adjustments as necessary and repeat…
1. Simplified set of ERM requirements
Columns: ERM Requirement | CFR 1236.20(b) Requirement Mapping (Note: Some requirements may map more than once)

ERM Requirement (1) Identify a record. Provide a mechanism to distinguish individual records within a system.
    CFR 1236.20(b)(1) Declare records. Assign unique identifiers to records.
    CFR 1236.20(b)(2) Capture records. Import records from other sources, manually enter records into the system, or link records to other systems.

ERM Requirement (2) Categorize a record. Provide a means of tagging a record with a record category that can be tied back to a records retention schedule record series.
    CFR 1236.20(b)(3) Organize records. Associate with an approved records schedule and disposition instruction.

ERM Requirement (3) File a record. Ensure the integrity of a record by making it read-only and limiting the number of users that modify security to a select group.
    CFR 1236.20(b)(4) Maintain records security. Prevent the unauthorized access, modification, or deletion of declared records, and ensure that appropriate audit trails are in place to track use of the records.

ERM Requirement (4) Search on a record. Provide the ability to find a record, e.g., navigation or search query.
    CFR 1236.20(b)(5) Manage access and retrieval. Establish the appropriate rights for users to access the records and facilitate the search and retrieval of records.
    CFR 1236.20(b)(6) Preserve records. Ensure that all records in the system are retrievable and usable for as long as needed to conduct agency business and to meet NARA-approved dispositions. Agencies must develop procedures to enable the migration of records and their associated metadata to new storage media or formats in order to avoid loss due to media decay or technology obsolescence.

ERM Requirement (5) Report on a record. Provide the ability to report on records and record activity.
    CFR 1236.20(b)(4) Maintain records security. Prevent the unauthorized access, modification, or deletion of declared records, and ensure that appropriate audit trails are in place to track use of the records.

ERM Requirement (6) Retention. Provide the ability to apply a retention rule or policy to a record.
    CFR 1236.20(b)(7) Execute disposition. Identify and effect the transfer of permanent records to NARA based on approved records schedules. Identify and delete temporary records that are eligible for disposal. Apply records hold or freeze on disposition when required.

ERM Requirement (7) Disposition. Provide the ability to dispose of a record, either deleting it or transferring it to NARA.
    CFR 1236.20(b)(7) Execute disposition. Identify and effect the transfer of permanent records to NARA based on approved records schedules. Identify and delete temporary records that are eligible for disposal. Apply records hold or freeze on disposition when required.

ERM Requirement (8) Hold. Provide the ability to place a hold on a record preventing it from being deleted and removing the hold once it is done.
    CFR 1236.20(b)(7) Execute disposition. Identify and effect the transfer of permanent records to NARA based on approved records schedules. Identify and delete temporary records that are eligible for disposal. Apply records hold or freeze on disposition when required.
Email Requirements – Capstone 6.1
Columns: Tier | Item | Records Description | Disposition Instruction

Tier 1 – Email of Capstone Officials
    Item: GRS 010
    Records Description: Email of officials listed in the Definition and Designation of Capstone Officials section of this schedule.
    Disposition Instruction: Permanent. Transfer email to NARA no sooner than 15 years, and no later than 25 years after agency determined cut off.

Tier 2 – Email of Non-Capstone Officials
    Item: GRS 011
    Records Description: Email of officials not listed in the Definition and Designation of Capstone Officials section of this schedule. This item covers all emails not included in item 010.
    Disposition Instruction: Temporary. Delete when between 3 and 7 years old, but longer retention is authorized if required for business use.

Tier 3 – Email Related to Other Records
    Item: Agency approved record policy
    Records Description: As a supplement to the Capstone approach, an agency may want to associate certain email records that relate to other records, such as case files or project files.
    Disposition Instruction: Example, dispose 25 years after case closes.
2. Understand the landscape of candidate systems
Get a sense for the lay of the land
Do you already have an inventory of systems/applications? Does it include summary details, technology being used, system owner, business owner, backup strategy, disaster recovery strategy, record series, record types, volume, number of users, etc… ?
Is the data structured, semi-structured or unstructured?
What are the inputs and outputs? Do reports get generated from a structured system that might be considered the record? (Note: There may be no single answer for what the record is.)
Leverage existing IT and Legal inventories of systems
Distribute the inventory across departments
If no IT systems inventory currently exists then coordinate the inventory with a traditional records inventory
Enhance the inventory with records data and records functionality: Does the system currently have records? Are they vital? How are they being managed? How are they backed up? Is there a disaster recovery mechanism? Has there ever been an eDiscovery done? What business processes does the system automate?
3. Prioritize the systems in terms of importance
Interview the owning business unit and business owner to determine the criticality of the system
Interviews can be brief; often the business units themselves give clues to the criticality of the system
Systems costs and maintenance support costs can help understand the criticality of the investment to the organization
Is the system mission critical, operations support, administration or one off for convenience?
Define a high level ranking system, maybe 1-5 where 5 is most critical, and use this to sort by ranking
Determine a top 10 or top three for each department depending upon the size of the organization and number of systems
4. Evaluation and the Cost, Risk, Benefit for Improved Automation
This is the biggest step, where a model is defined for evaluating each system
that has been prioritized against the cost, risk and benefit of improving ERM
automation, case by case
The improvement can be categorized based on levels of automation of the
requirements where the greater the automation the lower the risk (assuming
the automation is accurate enough)
Cost – automation comes at a price
Risk – automation lowers risk by reducing human error
Benefit – automation can increase benefit by reducing effort and improving value
of data
4. Evaluation of Systems
Model columns: System / Application | Level of RM Automation (Manual, Bronze, Silver, Gold) | Automated Functionality of Each Level | Description of Functionality

Record Categorization (Requirements 1, 2)
1. Identify a record - The ability to tag a record in order to distinguish it from a non-record, for example a metadata field or location.
2. Categorize a record - The ability to tag a record with a category that maps back to the Records Retention Schedule, for example a metadata field or descriptor.

In-Place Record Controls (Requirements 3, 4, 5)
3. File a record – The ability to lock down a record and make it immutable or difficult to change without proper permissions.
4. Find a record – The ability to perform a search on records.
5. Audit/Report on a record – The ability to generate a report on what records exist within a system, where they are and any activities performed on them for audit and integrity purposes.

Retention Management (Requirements 6, 7, 8)
6. Apply retention to a record – The ability to apply a retention rule to a record in order to know when the record is no longer needed for business or legal purposes.
7. Dispose of a record – The ability to run a disposition on a record which either deletes or permanently archives the record.
8. Hold a record – The ability to suspend the disposition of a record until the hold is removed.

• An example of the model is to put the eight foundational ERM requirements into four buckets for simplicity (Manual, Bronze, Silver and Gold)
• An example is a file share: it can be configured to be Bronze, but it has difficulty auditing use and applying retention outside of manual tracking; disposition and holds can be done with read-only security, rudimentary but possible.
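Requirements 6, 7 and 8 above (apply retention, dispose, hold) and the Capstone email table earlier in the deck together describe one procedure: tie each record to a rule, compute when disposition is allowed, and suspend it while a hold is in place. The following is an added example illustrating that procedure; it is not code from the deck or from Millican & Associates. The record model, field names, the `add_years` helper and the sample records are assumptions constructed for this example; the year ranges come from the GRS 010/011 rows of the Capstone table.

```python
from dataclasses import dataclass, field
from datetime import date

# Year ranges taken from the Capstone table (GRS 6.1 items 010 and 011).
# The RetentionRule/EmailRecord model is an assumption made for this example.

@dataclass(frozen=True)
class RetentionRule:
    item: str
    disposition: str      # "transfer_to_nara" (permanent) or "delete" (temporary)
    min_years: int        # earliest disposition may run, counted from the cutoff
    max_years: int        # latest disposition should have run

CAPSTONE_OFFICIAL = RetentionRule("GRS 010", "transfer_to_nara", 15, 25)
NON_CAPSTONE = RetentionRule("GRS 011", "delete", 3, 7)

@dataclass
class EmailRecord:
    record_id: str
    capstone_official: bool
    cutoff: date                                 # agency-determined cutoff date
    holds: set = field(default_factory=set)      # active hold identifiers (Requirement 8)

def add_years(d: date, n: int) -> date:
    """Add whole years, clamping 29 February to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)

def rule_for(rec: EmailRecord) -> RetentionRule:
    """Requirement 6: attach the retention rule that governs this record."""
    return CAPSTONE_OFFICIAL if rec.capstone_official else NON_CAPSTONE

def evaluate(rec: EmailRecord, today: date) -> tuple:
    """Requirements 7 and 8: decide what disposition, if any, is due today.
    Returns (status, action, earliest_date, latest_date)."""
    rule = rule_for(rec)
    earliest = add_years(rec.cutoff, rule.min_years)
    latest = add_years(rec.cutoff, rule.max_years)
    if rec.holds:                      # a hold suspends disposition regardless of age
        return ("hold", "none", earliest, latest)
    if today < earliest:
        return ("retain", "none", earliest, latest)
    if today <= latest:                # inside the window the schedule allows
        return ("eligible", rule.disposition, earliest, latest)
    return ("overdue", rule.disposition, earliest, latest)

def place_hold(rec: EmailRecord, hold_id: str) -> None:
    rec.holds.add(hold_id)

def release_hold(rec: EmailRecord, hold_id: str) -> None:
    rec.holds.discard(hold_id)

def run_disposition(records, today: date) -> dict:
    """Group records by the action a disposition run would take on them."""
    queue = {"transfer_to_nara": [], "delete": [], "held": [], "retained": []}
    for rec in records:
        status, action, _, _ = evaluate(rec, today)
        if status == "hold":
            queue["held"].append(rec.record_id)
        elif status == "retain":
            queue["retained"].append(rec.record_id)
        else:                          # eligible or overdue: act per the rule
            queue[action].append(rec.record_id)
    return queue

def sample_records() -> list:
    """Constructed sample mailbox records (not real data)."""
    return [
        EmailRecord("capstone-1", True, date(2009, 12, 31)),
        EmailRecord("staff-1", False, date(2015, 2, 28)),
        EmailRecord("staff-2", False, date(2024, 1, 1)),
        EmailRecord("staff-3", False, date(2020, 6, 1), holds={"HOLD-EXAMPLE-1"}),
    ]

if __name__ == "__main__":
    for rec in sample_records():
        print(rec.record_id, evaluate(rec, date(2025, 9, 1)))
    print(run_disposition(sample_records(), date(2025, 9, 1)))
```

The window check is what makes this different from a single retention date: Capstone transfer has a 15-to-25-year range and temporary email a 3-to-7-year range, so a record can be retained, eligible, or overdue, and a hold overrides all three.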
4. Evaluation and the Cost, Risk, Benefit for Improved Automation
The options for enhancement based on a cost, risk and benefit approach include:
1. Sustain the system as-is (i.e., do nothing additional for ERM), low risk of non-compliance
2. Upgrade the system to include some additional level of ERM automation, medium risk of non-compliance
3. Integrate the system with another ERM or RMA that can provide more automation (transfer or manage in-place), high risk of non-compliance
4. Replace the system with one that provides more automation for ERM, high risk of non-compliance
Cost, risk and benefit criteria should be relative to the organization’s situation: some organizations can’t be sued, some are always under investigation.
Often it is IT and business driving the technology, not RM. It is challenging for RM to tell business units to stop using a system because it doesn’t automate RM well enough – work with business groups and IT, not against them
5. Map the approach to the RM and Governance programs
Steering committee, executive buy in
Add requirements to the SDLC process as part of the organization’s procedures
Training and department record liaisons to evangelize the process
Align the inventory and file plan development with the process for enhancing
systems
Align with governance for systems including provisioning and retirement of
repositories, security, legal discovery, backups and disaster recovery
Enhance system procedures for RM, like backups and security. What steps are
required to file records? How is it done? (e.g., file share, move to a dedicated
records folder under the appropriate subfolder)
6. Auditing
How well is the solution working?
Liaisons reporting back on a periodic basis
System inventory tracking updates through the SDLC
System audits, how many records vs non-records, expired records, disposition
tracking
This is starting to look like data mining…future state?
7. Implement, Adjust, Repeat
Tackle the highest prioritized systems first
E.g., File shares are usually pretty high on the agenda
Cloud systems, social media systems, IM, mobile devices – make them all part
of the SDLC
Is the organization aware of the policy and procedures of the SDLC?
Is ERM a checkpoint in the SDLC process? Similar to security
Is there a steering committee with RM, IT, CIO, Legal, Risk Management, Business representatives, etc.?
Conclusion
Avoid the costly mistake of trying to implement a huge ECM platform solution
just for ERM
Establish a repeatable framework that is technology independent
Leverage technology you already own
Lower risk by distributing the cost of automating compliance
Track systems and reduce their risk of non-compliance incrementally over time
Work with IT and business groups to add ERM to their preferred systems,
similar to complying with security requirements
Centralize policy, but share the cost and burden of implementation
Future State
Policy hub to publish policies to multiple systems?
Proactive eDiscovery, scan the enterprise, de-dup, track and manage in place,
audit, migrate on demand?
Data mining – once it’s in the Cloud, turn on the data mining services, find
value in historical data, data mine for eTrash to eliminate the waste
Compliance and ERM built-in to Cloud? O365 is always enhancing this, Google,
Microsoft, Amazon, IBM don’t want data to leave their Cloud – Google is
challenging right to be forgotten
eTrash Cloud services, cheap Cloud storage recycle bin, low value data,
punting on disposition but can still data mine