E-Records Management: The Path of Least Resistance

Tim Shinkle, Millican & Associates, September 2015

A New Approach to ERM

The traditional approach of a single vendor platform for all e-records has failed: too expensive, too complex, too few users, all ending up with too few records being managed.

A new approach is to better understand and leverage the technology your organization already owns and implement an ERM framework where additional automation is added, on a system-by-system basis, only when it makes sense from a cost, risk and benefit perspective.

History of ERM

In the beginning there were a few ERM vendors: Tower Trim, PSSoftware, Provenance Systems and others

Two paths, one focused on providing DM and RM, the other focused on integrating with emerging DM players (PC Docs, Documentum, OpenText, FileNet and others)

DOD 5015.2 (1997), paired certifications

Auto-categorization and filing for file shares and email was available in 1999/2000

Integration options: transfer or manage in place

Complex problem, heavy cost in integration, object model mapping, taxonomy mapping, API coding and maintenance, multiple steps to filing records

Document management and workflow were bigger drivers for IT

Paper was a big driver for RM

Archiving for IT and the CIO was good enough


ECM Industry

Consolidation of services on single platforms (DM, RM, Search, Workflow, BPM, Collaboration, WCM, Publishing, etc.)

Leaders emerged and consolidated smaller players (Documentum – ForeMost, OpenText – PSSoftware, IBM – Tarian)

Early signs from Microsoft SharePoint 1.5 (DOD 5015.2 pair certified with ForeMost)

Vision of one platform to solve all your needs, unstructured content would become managed content

Vision failed to materialize – local drives, file shares and email still dominated – users still followed the path of least resistance

SharePoint and collaboration, Microsoft went after the ECM space

ECM Today

Cloud has come along and introduced new players: DropBox, Box, GoogleDocs, OneDrive/O365 and many others

ECM players moving to the Cloud include Alfresco, IBM, OpenText and others

The trend is now to add retention and compliance to existing systems; like the ECM vendors, Cloud vendors are doing the same thing (e.g., O365 has Compliance Center, Google Vault, etc.) – Why?

Cloud providers are adding data mining services on top of their Cloud repositories – ERM threatens to take data away from their services

Meanwhile, most large organizations are still in a Cloud hybrid mode with more repositories to manage than ever before (we have one of everything)

The Problem

Legacy migration and decommissioning is expensive

Consolidating to a single platform is expensive

Most systems provide some form of ERM, making it hard to justify the cost of redundancy just for ERM

Business needs are driving technology change, not ERM

Users follow a path of least resistance with local drives, shares and email systems to preserve their data

Auto-categorization is the promise that has never been fulfilled: it is still too expensive to integrate, maintain and manage, and it has accuracy challenges; it is better for searching, auditing and data mining

A new approach is needed that leverages what you own and adjusts as technology changes over time…a framework is needed more than any specific technology


ERM Framework

Steps:

1. Define a simplified set of ERM requirements

2. Understand the landscape of systems and applications

3. Prioritize the systems in terms of importance

4. Define a repeatable approach as part of the SDLC to sustain, add, integrate or replace existing systems for ERM based on the cost, risk and benefit of automating the requirements

5. Map the approach to the RM and Governance programs

6. Define an auditing approach to evaluate the success of the program over time

7. Implement, make adjustments as necessary and repeat…


1. Simplified set of ERM requirements

Each ERM Requirement is followed by its CFR 1236.20(b) Requirement Mapping (Note: Some requirements may map more than once)

ERM Requirement: (1) Identify a record. Provide a mechanism to distinguish individual records within a system.
CFR 1236.20(b) Mapping: (1) Declare records. Assign unique identifiers to records.
CFR 1236.20(b) Mapping: (2) Capture records. Import records from other sources, manually enter records into the system, or link records to other systems.

ERM Requirement: (2) Categorize a record. Provide a means of tagging a record with a record category that can be tied back to a records retention schedule record series.
CFR 1236.20(b) Mapping: (3) Organize records. Associate with an approved records schedule and disposition instruction.

ERM Requirement: (3) File a record. Ensure the integrity of a record by making it read-only and limiting the number of users that modify security to a select group.
CFR 1236.20(b) Mapping: (4) Maintain records security. Prevent the unauthorized access, modification, or deletion of declared records, and ensure that appropriate audit trails are in place to track use of the records.

ERM Requirement: (4) Search on a record. Provide the ability to find a record, e.g., navigation or search query.
CFR 1236.20(b) Mapping: (5) Manage access and retrieval. Establish the appropriate rights for users to access the records and facilitate the search and retrieval of records.
CFR 1236.20(b) Mapping: (6) Preserve records. Ensure that all records in the system are retrievable and usable for as long as needed to conduct agency business and to meet NARA-approved dispositions. Agencies must develop procedures to enable the migration of records and their associated metadata to new storage media or formats in order to avoid loss due to media decay or technology obsolescence.

ERM Requirement: (5) Report on a record. Provide the ability to report on records and record activity.
CFR 1236.20(b) Mapping: (4) Maintain records security. Prevent the unauthorized access, modification, or deletion of declared records, and ensure that appropriate audit trails are in place to track use of the records.

ERM Requirement: (6) Retention. Provide the ability to apply a retention rule or policy to a record.
CFR 1236.20(b) Mapping: (7) Execute disposition. Identify and effect the transfer of permanent records to NARA based on approved records schedules. Identify and delete temporary records that are eligible for disposal. Apply records hold or freeze on disposition when required.

ERM Requirement: (7) Disposition. Provide the ability to dispose of a record, either deleting it or transferring it to NARA.
CFR 1236.20(b) Mapping: (7) Execute disposition. Identify and effect the transfer of permanent records to NARA based on approved records schedules. Identify and delete temporary records that are eligible for disposal. Apply records hold or freeze on disposition when required.

ERM Requirement: (8) Hold. Provide the ability to place a hold on a record preventing it from being deleted and removing the hold once it is done.
CFR 1236.20(b) Mapping: (7) Execute disposition. Identify and effect the transfer of permanent records to NARA based on approved records schedules. Identify and delete temporary records that are eligible for disposal. Apply records hold or freeze on disposition when required.

Email Requirements – Capstone 6.1

Tier: 1 – Email of Capstone Officials
Item: GRS 010
Records Description: Email of officials listed in the Definition and Designation of Capstone Officials section of this schedule.
Disposition Instruction: Permanent. Transfer email to NARA no sooner than 15 years, and no later than 25 years after agency determined cut off.

Tier: 2 – Email of Non-Capstone Officials
Item: GRS 011
Records Description: Email of officials not listed in the Definition and Designation of Capstone Officials section of this schedule. This item covers all emails not included in item 010.
Disposition Instruction: Temporary. Delete when between 3 and 7 years old, but longer retention is authorized if required for business use.

Tier: 3 – Email Related to Other Records
Item: Agency approved record policy
Records Description: As a supplement to the Capstone approach, an agency may want to associate certain email records that relate to other records, such as case files or project files.
Disposition Instruction: Example, dispose 25 years after case closes.

2. Understand the landscape of candidate systems

Get a sense for the lay of the land

Do you already have an inventory of systems/applications? Does it include summary details, technology being used, system owner, business owner, backup strategy, disaster recovery strategy, record series, record types, volume, number of users, etc… ?

Is the data structured, semi-structured or unstructured?

What are the inputs and outputs? Do reports get generated from a structured system that might be considered the record? (Note: There may be no one answer for what the record is).

Leverage existing IT and Legal inventories of systems

Distribute the inventory across departments

If no IT systems inventory currently exists then coordinate the inventory with a traditional records inventory

Enhance the inventory with records data and records functionality: Does the system currently have records? Are they vital? How are they being managed? How are they backed up? Is there a disaster recovery mechanism? Has there ever been an eDiscovery done? What business processes does the system automate?


3. Prioritize the systems in terms of importance

Interview the owning business unit and business owner to determine the criticality of the system

Interviews can be brief; often the business units themselves give clues to the criticality of the system

Systems costs and maintenance support costs can help understand the criticality of the investment to the organization

Is the system mission critical, operations support, administration or one off for convenience?

Define a high level ranking system, maybe 1-5 where 5 is most critical, and use this to sort by ranking

Determine a top 10 or top three for each department depending upon the size of the organization and number of systems


4. Evaluation and the Cost, Risk, Benefit for Improved Automation

This is the biggest step, where a model is defined for evaluating each system that has been prioritized against the cost, risk and benefit of improving ERM automation, case by case

The improvement can be categorized based on levels of automation of the requirements where the greater the automation the lower the risk (assuming the automation is accurate enough)

Cost – automation comes at a price

Risk – automation lowers risk by reducing human error

Benefit – automation can increase benefit by reducing effort and improving value of data

4. Evaluation of Systems

System / Application Level of RM Automation: Manual, Bronze, Silver, Gold

Automated Functionality of Each Level, with Description of Functionality

Record Categorization (Requirements 1, 2)

1. Identify a record - The ability to tag a record in order to distinguish it from a non-record, for example a metadata field or location.

2. Categorize a record - The ability to tag a record with a category that maps back to Records Retention Schedule, for example a metadata field or descriptor.

In-Place Record Controls (Requirements 3, 4, 5)

3. File a record – The ability to lock down a record and make it immutable or difficult to change without proper permissions.

4. Find a record – The ability to perform a search on records.

5. Audit/Report on a record – The ability to generate a report on what records exist within a system, where they are and any activities performed on them for audit and integrity purposes.

Retention Management (Requirements 6, 7, 8)

6. Apply retention to a record – The ability to apply a retention rule to a record in order to know when the record is no longer needed for business or legal purposes.

7. Dispose of a record – The ability to run a disposition on a record which either deletes or permanently archives the record.

8. Hold a record – The ability to suspend the disposition of a record until the hold is removed.

• An example of the model is to put the eight foundational ERM requirements into four buckets for simplicity (Manual, Bronze, Silver and Gold)

• An example is a file share, where it can be configured to be Bronze but has difficulty auditing use, applying retention outside of manual tracking, disposition, holds can be done with read-only security, rudimentary but possible.

4. Evaluation and the Cost, Risk, Benefit for Improved Automation

The options for enhancement based on a cost, risk and benefit approach include:

1. Sustain the system as-is (i.e., do nothing additional for ERM), low risk of non-compliance

2. Upgrade the system to include some additional level of ERM automation, medium risk of non-compliance

3. Integrate the system with another ERM or RMA that can provide more automation (transfer or manage in-place), high risk of non-compliance

4. Replace the system with one that provides more automation for ERM, high risk of non-compliance

Cost, risk and benefit criteria should be relative to the organization's situation; some organizations can't be sued, some are always under investigation.

Often it is IT and business driving the technology, not RM. It is challenging for RM to tell business units to stop using a system because it doesn’t automate RM well enough – work with business groups and IT, not against


5. Map the approach to the RM and Governance programs

Steering committee, executive buy-in

Add requirements to the SDLC process as part of the organization's procedures

Training and department record liaisons to evangelize the process

Align the inventory and file plan development with the process for enhancing systems

Align with governance for systems including provisioning and retirement of repositories, security, legal discovery, backups and disaster recovery

Enhance system procedures for RM, like backups and security. What steps are required to file records? How is it done? (e.g., file share, move to a dedicated records folder under the appropriate subfolder)

6. Auditing

How well is the solution working?

Liaisons reporting back on a periodic basis

System inventory tracking updates through the SDLC

System audits, how many records vs non-records, expired records, disposition tracking

This is starting to look like data mining…future state?

7. Implement, Adjust, Repeat

Tackle the highest prioritized systems first

E.g., File shares are usually pretty high on the agenda

Cloud systems, social media systems, IM, mobile devices – make them all part of the SDLC

Is the organization aware of the policy and procedures of the SDLC?

Is ERM a checkpoint in the SDLC process? Similar to security

Is there a steering committee with RM, IT, CIO, Legal, Risk Management, Business representatives, etc.?

Conclusion

Avoid the costly mistake of trying to implement a huge ECM platform solution just for ERM

Establish a repeatable framework that is technology independent

Leverage technology you already own

Lower risk by distributing the cost of automating compliance

Track systems and improve their risk of non-compliance incrementally over time

Work with IT and business groups to add ERM to their preferred systems, similar to complying with security requirements

Centralize policy, but share the cost and burden of implementation

Future State

Policy hub to publish policies to multiple systems?

Proactive eDiscovery, scan the enterprise, de-dup, track and manage in place, audit, migrate on demand?

Data mining – once it’s in the Cloud, turn on the data mining services, find value in historical data, data mine for eTrash to eliminate the waste

Compliance and ERM built-in to Cloud? O365 is always enhancing this, Google, Microsoft, Amazon, IBM don’t want data to leave their Cloud – Google is challenging right to be forgotten

eTrash Cloud services, cheap Cloud storage recycle bin, low value data, punting on disposition but can still data mine