Quiz for Electronic Document and record Management-IT
IT 380
Electronic Document and
Record Management
Systems
Unit 2: Fundamentals of EDRMS
Instructor: Dr. Michelle Liu
Agenda
▪ Important terminologies, cont’d
▪ Documents vs. records
▪ Information theft
▪ Mobile devices
▪ The evolution of ERMS
▪ Key concepts
2
Functionality Requirements
3
▪ Policy and Rules ▪ Creating, maintaining, and enforcing information management policies,
whether a result of law and regulation, internal policy and process, or business agreements
▪ Must operate across technology platforms and resources
▪ Examples include policies for retention, disposition, security, privacy, use, and distribution.
▪ Content Management ▪ Creating, templating, capturing, storing, version managing, retaining,
archiving, disposing, collaborating, holding and preserving information
▪ Configuration Management ▪ Establishing ownership and custodial responsibilities and business
application dependencies
▪ Classification ▪ Classification of data, including the ability to distinguish between
business records and non-business information, classified and non- classified in the government sense, personally identifiable information (PII), and classifying information based on policy attributes
▪ Crawling (Gathering) ▪ Locating and gathering unstructured information scattered across the
information management environment
Functionality Requirements (Continued)
4
▪ Information Access and Discovery ▪ Indexing, searching, and discovery across resources
▪ Creation , Transfer and Copy Management ▪ Rules on the creation of information, copies to be maintained, transfer
of information, and de-duplication (single instancing)
▪ Security and Privacy ▪ Policies for identity management, information authentication, access
management, privacy control, use management and auditing
▪ For example, this functionality allows the user to determine the authenticity of business records and to establish and maintain a policy based relationship between users and data
▪ Analytics and Reporting ▪ Monitoring, alerting, and real-time reporting on key information
management events such as policy updates, configuration changes, security anomalies, classification events, and “right-to-know” requests
▪ Compliance and Risk Mitigation ▪ Legal compliance and mitigation of risk resulting from inappropriate use
of the unstructured documents
Security of Electronic Documents
5
▪ Much of computer security also applies to documents: ▪ Network defenses (firewalls, etc)
▪ Access control
▪ Encryption
▪ Journaling and logging
▪ Special techniques: ▪ Digital signatures
▪ Watermarking
▪ Digital Rights Management (DRM)
▪ Preservation
Privacy of Electronic Documents
6
▪ Much of privacy same as other types of data ▪ Privacy policy
▪ Disclosure of personally identifiable information (PII)
▪ Internet access and availability
▪ Breach notification rules
▪ Global variations
▪ Document specific concerns ▪ Classification
▪ Collaboration
▪ Redaction
▪ Proliferation
▪ Source: “Commercial Data Privacy and Innovation in the Internet Economy: a Dynamic Policy Framework” , Department of Commerce, December 2010
Known Problems
7
▪ Need for end-to-end solution ▪ From creation to disposal
▪ Lack of scalability
▪ Integration issues
▪ Escalating storage growth
▪ Inflexible policy management
▪ Inaccurate auto-classification engines
▪ Inadequate search capabilities
▪ Increasing regulatory compliance
▪ Increasing amounts of e-discovery
Electronic Document Management
Roadmap
8
▪ Basic principles and objectives
▪ Inventory of document assets (where are they)
▪ Converting existing paper records
▪ Managing distribution inside and outside the
organization
▪ A methodology to automate data classification
▪ Records management policies and procedures
▪ Educational materials (for communicating 'the why')
▪ Training materials (for transferring knowledge of 'the
how')
▪ Auditing and compliance parameters and metrics
▪ A lifecycle strategy/plan for continuous improvement
Making Priorities
9
▪ Get better understanding of the user’s
information flow needs
▪ Identifying the information flow disconnects and
resulting unintentional non-compliance with
regulatory, legislative, and corporate policies
▪ More effective management of cultural change
and better opportunity for project marketing
▪ Initial focus on education (the why) and save
training (the how) for later on in the process
Selecting Tools
10
▪ No single solution available from a vendor that will meet all requirement ▪ All current single solutions will be overkill in some areas and
lacking in others.
▪ Integration of solutions, therefore, will be necessary ▪ Technologies and vendors that do not facilitate and “play
nice” with other solutions should be avoided
▪ Short-term solutions to fix critical business problems may be necessary ▪ Cost of replacing the solution should be built into the
business case and budget
▪ Solutions can and should be different for different departments/LOBs.
▪ The ability to effectively classify data in line with policy must be included in every tool selected
Electronic Discovery
11
From edrm.net
References
▪ ISO 15489
▪ MoReq2
▪ US DOD 5015.2
▪ Other relevant
sources
12
Definition of Record
▪ “Information created, received, and
maintained as evidence and information by
an organization or person, in pursuance of
legal obligations or in the transaction of
business.”
–Source: ISO 15489
13
Key Points of Record
▪ A record could, in principle, be in any form or
format we can think of, so long as it conveys
information.
▪ Records are not only created within
organizations but also received by them.
▪ The word “maintained” indicates that it is not
enough to ‘capture’ records. They have to
be stored, and managed properly once
stored. ▪ Include disposing of records when they are no
longer needed 14
Key Points of Record, Cont’d
▪ For a record to be good evidence (e.g., in a
court case), there must be no doubt that it is
complete and unchanged. ▪ Place requirements on ERM systems
▪ Records need to be kept for two reasons: ▪ Legal obligations
▪ Transaction of business
15
Records Management
16
▪ In the past, the term used to refer only to the management of
records which were no longer in everyday use but still needed to
be kept
▪ Today, refers to the entire 'lifecycle' of records - from the point of
creation right through until their eventual disposal
▪ The ISO 15489-1: 2001 standard ("ISO 15489-1:2001") defines
records management as "[the] field of management responsible
for the efficient and systematic control of the creation, receipt,
maintenance, use and disposition of records, including the
processes for capturing and maintaining evidence of and
information about business activities and transactions in the
form of records“
▪ The ISO considers management of both physical and electronic
records
Question
▪ What is a document?
17
Definition of Document
18
Recorded information or object which can be
treated as a unit.
Source: ISO15489
Information set down in any physical form or
characteristic. A document may or may not meet
the definition of a record.
Source: DoD 5015.2
Document vs. Record
▪ The definition of “document” does not say
anything about whether, or how, the
documents are kept.
▪ The definition of “record” sets out strictly how
they must be managed.
▪ Some documents become records at some
time in their existence. ▪ Others don’t!
▪ Document can be changed by suitably-
authorized people ▪ By definition, document is not necessarily
controlled. 19
Changes to Documents not Records
20
▪ Documents can change BUT records do not
and MUST not change
▪ The record is a document or set of documents,
all relating to a specific matter that has
happened in the past ▪ A record of history
▪ A document could be a work in progress ▪ Subject to change and therefore not a record
automatically
▪ Documents do become records once they are
finalized
Worldwide Shift
▪ In today’s digital world, the distinction between
records and documents has become vague
▪ Any document can be considered a record and any
piece of its content can be extracted and used in a
context different from the original intention of the
document, making it a separate record
▪ The traditional view of records management as a
discipline has been changed ▪ Not restricted in library catalogue and archive
management any more
▪ How records are created and used in
organizations is also reshaped 213/5/2021
Worldwide Shift, cont’d
22
▪ In recent years there has been a worldwide shift toward electronic transactions, in business and government ▪ Internet ▪ Mobile applications ▪ BYOD
▪ People do not to have to be physically present at an office location
▪ Organizations need to be able to access information quickly, easily, and efficiently
▪ Paper files and folders have been used for years and are an ingrained culture
▪ Need to be replaced by electronic document and record management system
Archive
▪ Files that are selected for permanent or long-
term preservation due to enduring historical
value
▪ Area or media used for long-term storage
▪ Inactive or not as active but required to be
maintained for legal or operational reasons
23
Information Leaking
24
▪ Web-facing documents contain confidential data ▪ Internal server?
▪ Spiders?
▪ Multiple drafts before document is published ▪ History ▪ Properties
▪ Redaction
▪ Lost laptops with no access controls
▪ Storage media that do not show sensitive content
▪ Reuse of electronic media ▪ Deleted files?
▪ Credentials easy to forge ▪ Physical access
▪ Small hard drives and thumb drives that can be easily hidden
Protection Against Information
Leakage
25
▪ Not always intentional
▪ Common problems: ▪ Not understanding the information conveyed in
metadata such as in a Word document
▪ Not employing robust encryption protection
▪ Inadequate monitoring of sensitive data and filtering of data leaving a company
▪ IM
▪ FTP
▪ Inadequate erasure of magnetic media
▪ Delete not enough
Google Hacking
26
▪ Uses Google Search and other Google applications to find confidential information in various places on the Web
▪ Examples of sources: ▪ Naming Web tools on Web site: “Powered by:” ▪ Published paper in a professional journal ▪ Employment Ad. describing systems environment
including Web infrastructure ▪ Posting a newsgroup asking for technical advice on an
issue ▪ Blog posting ▪ Biography of researcher indicating areas of research
▪ Need to develop appropriate search patterns to find the information
Need for Controls
27
▪ Controls result from a security policy put in place to manage the problem
▪ If an organization does not have means to identify its assets, cannot protect them from ▪ Unauthorized access
▪ Theft
▪ Compromise
▪ Based on principle of least privilege ▪ Only have access if needed by my job
▪ Organize into security zones to minimize disclosure of sensitive information
▪ Label according to the zone in which it was created
Use of Zones
28
▪ Example: ▪ Public ▪ Internal ▪ Sensitive ▪ Confidential ▪ High security
▪ Cannot move a document created in one zone to a zone of lesser security without some form of control ▪ Redaction
▪ Only public documents can be used on mobile applications
▪ Security auditing software is used to check that documents are labeled and in the appropriate zone otherwise an alert is raised
Mobile Devices
29
▪ Increasingly mobile and digital society ▪ PDAs
▪ Laptops
▪ Cell phones
▪ Thumb drives
▪ CD/DVDs
▪ Mobile devices become easy target ▪ Small and easy to conceal
▪ Easy to resell device
▪ Information may be valuable for fraud or
blackmail activities
Losing Mobile Devices
30
▪ Nearly every type of organization has reported
a data breach because of a lost mobile devices ▪ Hospital
▪ University
▪ Financial services company/bank
▪ Government agencies
▪ Three preventative measures: ▪ User education: carelessness is major cause
▪ Tracking lost devices
▪ Protecting information
▪ “Bogus” data added
▪ Encryption
Implementing an Organization-
Wide System
31
▪ The vast majority of organizations have not implemented an organization-wide system ▪ Some departments are more automated than others
▪ No central source of documents
▪ Much duplication
▪ Daunting prospect given that: ▪ Existing paper-based culture for review and approval
▪ Many historical records still on paper and no electronic document available
▪ Three aspects: ▪ Technical
▪ Managerial
▪ Cultural change
Document Image Processing (DIP)
32
▪ Earliest systems beginning in 1980s
▪ Electronic equivalent of a filing cabinet ▪ Scanning
▪ Indexing
▪ Storage
▪ Retrieval
▪ Some systems also included elements of
workflow ▪ Routed scanned documents around the
organization for designated staff to process
Electronic Document Management
System (EDMS)
33
▪ Emerged in the 1990s
▪ Generally integrated with systems such as
Microsoft Office
▪ Allowed users to actively manage documents
▪ Documents stored in a document repository ▪ Check documents in and out
▪ Versioning used to track version control
▪ May also include DIP functionality ▪ Scanning
▪ Indexing
▪ Archiving
Electronic Record Management
System (ERMS)
34
▪ First started appearing in the 1990s
▪ Records management is the practice of maintaining the records of an organization from the time they are created up to their eventual disposal. ▪ Classifying
▪ Storing
▪ Securing
▪ Destruction or archival preservation
▪ A record can be either a tangible object or digital information: for example, birth certificates, medical x-rays, office documents, databases, application data, and e-mail
▪ Primarily concerned with the evidence of an organization's activities, and is usually applied according to the value of the records rather than their physical format
Quiz 1 Terms
35
▪ Access control
▪ Analytics
▪ Authenticity
▪ Backup
▪ Classification
▪ Configuration management
▪ Controls
▪ Content management
▪ Crawling
▪ Data at rest
▪ Data integrity
▪ Digital signature
▪ Disposition
▪ Document management
▪ E-discovery
▪ EDMS
▪ Electronic document
▪ Encryption
▪ File management
▪ HIPAA
▪ Indexing
▪ Information redundancy
▪ Media stability
▪ Metadata
▪ Open government
▪ PII
▪ Preservation
▪ Privacy
▪ Records management
▪ Redaction
▪ Retention
▪ Risk mitigation
▪ Scanning
▪ Security
▪ System of record
▪ Transparency
▪ Unstructured data
▪ Vital records