Phase III
Information Governance Plan
Information Governance (IG) is of paramount importance to an organization. With current advances in technology, IG has become a fundamental component of businesses and firms. Almost every company is looking for strategies that help implement IG efficiently, in a manner that makes information assets available and accessible to the specific people who require them, with efficient management of information at a reduced storage cost. As such, many organizations have put in place measures aimed at adopting IG approaches to manage their information and other assets by use of IG processes (Smallwood, 2014). However, developing an IG plan is never an easy process. Developing a proper IG plan requires a broad understanding of the organization as well as its goals and objectives.
Superior Card Processing (SCP) is a credit card processing company that handles credit card sales made through Point of Sale (POS) terminals. Our clients are mainly merchant customers who engage in e-commerce and retail sales. As a third-party company, SCP collects credit information from the merchant's customers using a web hosting platform. Furthermore, our company interacts with various credit card companies and, in some cases, the issuing bank to process a credit card transaction.
The Sustainable Information and Business Solutions (SIBS) Team at SCP will be actively engaged in leading the efforts to design an Information Governance Development and Implementation Plan. The members will be selected by the Management Team at SCP. The SIBS team will be a cross-functional team consisting of members from internal teams such as Business, Information Technology (IT), HR, Records Inventory and various operational teams. Depending on the IG information availability and design, each team member will be assigned activities based on their internal team role. The team will also coordinate the whole process to ensure that the goals and objectives of the IG plan are achieved.
Goals and Objectives
The main objective of this task is to develop a proper information governance plan that will be used as a guideline by the SCP to address some of the challenges it faces.
Limitations
The only limitation with our team is that some of the team members have never participated in such a process before. Therefore, it is my responsibility to ensure that the new members are well oriented to ensure that they are smoothly incorporated into the team.
An Information Governance plan is a crucial component of an organization, and the Record Management system plays a key role in IG, as discussed further in this paper.
Record Management Program at SCP
It is very important to appropriately store and manage the documents and records created and exchanged between the merchants, merchant banks and issuing banks for SCP. The records can include credit card transactions, account statements, tax files, account details, etc. There are several reasons why a records management program is considered an integral part of the business functions at SCP. One reason is that the records SCP deals with, such as financial transactions, are considered its most important and sensitive information resource and must be utilized cost-effectively and securely in order to understand the business objectives. The program will help promote well-organized and effective records management. This is vital in facilitating timely and efficient decision-making.
Records Management Life Cycle at SCP
The Records Management Life Cycle (RMLC) can be defined as the management of records throughout the SCP business life cycle. The activities proposed in the RMLC should be organized and should proficiently control the creation or identification, storage, retention and disposal of records based on the business transactions and the sensitivity of the information involved. The first phase of the life cycle, creation and identification of records, involves acquiring and classifying the record. This step ensures that records are created correctly and contain the right information based on the established guidelines and policies. As people use and update a record, the information in it should be protected from exposure, misuse and unauthorized access. At the same time, staff who need records on a regular basis should have easy access to them to perform day-to-day activities in the company. The retention policies are defined based on the duration of the record. Based on how long the record is kept, there are two types of records. Active records are records that are currently being used and are easily available, whereas an inactive record is one that the company no longer uses for current business transactions but that should still be maintained until it reaches the end of its retention period. At the end of a record's life cycle, the records management team should decide whether to destroy or conserve the record. A Record Management system is important for determining what happens to each record and in what time period. Several factors, such as company policy and government rules and regulations, affect the duration of record retention.
Record Management Policy
SCP recognizes its responsibility towards its merchants, merchant banks, issuing banks and governing bodies to ensure the privacy and storage of financial and personal information related to the above-mentioned entities.
The RM policy plays a crucial role in the smooth flow of business at SCP. This policy establishes a framework for implementing the Record Management program at SCP and ensures that correct and complete records and information are created, stored, maintained and legally disposed of in accordance with legal and ethical requirements and financial governing bodies. This policy also outlines the duties and responsibilities of employees participating in such activities, and the related requirements.
Record Retention and Disposal Policy
The purpose of this policy is to ensure that necessary financial records and documents are adequately protected and maintained, and that financial records that are no longer needed or are of no value to the company are discarded in a timely manner.
Organizational Scope
The policy applies to all the employees at SCP, the staff in controlled entities such as merchant banks, merchants and issuing banks contracted or involved with SCP. The policy applies to all the records possessed by SCP under PCI DSS laws and regulations.
Record Management System
The purpose of carrying out a record management study is to determine the records that SCP has. As mentioned earlier, the SCP Company handles various forms of records due to the nature of the activities they undertake. Most of the records dealt with by this company revolve around finance, financial transactions and the financial institutions they transact with. As such, they need to have a proper way that ensures that the records are well captured and well stored (Picincu, 2018). Furthermore, they need to ensure that they design a proper way that allows various users to access the records. The management of records should be done in a way that they comply with the CIA standards of confidentiality, integrity, and availability.
In an organizational setup, there are various methods of record management, ranging from the traditional filing system all the way to modern cloud storage systems. In an ideal office, it is almost impossible to entirely do away with the conventional use of files to manage data. Some organizations still use files for security and complexity reasons. According to Hamel (2018), such organizations claim that electronic ways of record management are more vulnerable to attacks. Furthermore, they argue that electronic means of record management are more complicated than the traditional way of using files.
Record management for SCP is no different from the case mentioned above. The company keeps most of its records electronically, though there are still a few departments that store their data using manual filing systems. These represent a small percentage, while the rest of the departments have moved entirely to electronic means. This can largely be associated with the bulk of data being handled by the company. According to Dallas (2016), it is a known fact that the automated way of storing and keeping records is more efficient when the volume of data involved is large enough.
Most of the departments have been equipped with enterprise record management software. These systems are important to SCP since they have advanced functionality that can store, organize and process a large amount of data. With this kind of resource, the database administrator will have an easier time tracking and managing both physical and digital records. It is also easier to follow and retrieve any record within the system (Dallas, 2016). It is also important to note that most modern record management systems are designed to use access control measures and to provide real-time data indexing. Having these features in a record management system guarantees the security of the data.
Apart from record storage, the other activity carried out during the management of records is record processing. Record processing is a somewhat complex process since it involves many activities. The cycle of data processing begins with the capture of data from either primary or secondary sources (Fleischmann, 2011). In the case of SCP, most of the data available is captured electronically from online platforms. Clients are required to submit their details electronically. The other sources of data, merchant banks and issuing banks, are also captured electronically. Once the data has been captured, the next step of record processing is analysis of the record. This process requires an experienced data analyst who can maintain and process records to provide a complex index to authorities. Proper record processing results in a data schema that shows the various relationships among different records. The relationship can be in the form of correlation among separate entries. All these presentations are necessary since they aid in the process of decision making.
Designing the Record Management System
In order to properly address this section, it is important to understand the nature of business activities that are being carried out by SCP. The company has various departments that handle various tasks. In this section, our main focus will be the department that handles various forms of records. We seek to collect various data from this department that can be useful in our entire plan.
The first phase of this design is to send a sample of questionnaires to different departments. The first set of survey questions is sent to the merchant departments, that is, the corporate merchant department and the large and small merchant departments. The goal of the survey is to capture records and information about the types of merchant transactions that normally occur between SCP and the issuing bank. The survey also seeks to obtain information about the discounts that are deducted as SCP's discount fees from each merchant's net income.
The other phase of data collection is a face-to-face interview. This method is meant to collect first-hand information from the managers heading different departments. During this phase, we seek to get the managers' information and comments concerning monthly reports for the merchant, the merchant bank and the credit card associations. Additionally, we also intend to learn more about the details of sales transactions and the shipment of the POS terminals.
Classification of Records
The tables below represent how a record appears. The record contains information about the merchant customer, the customer's merchant bank that currently holds the deposit, and the bank that issued the deposit. Additionally, the record has information about the type of information that each specific record should address. The records, as captured from the finance department, show different card system associations.
| Record Type | Owned by Departments | Event Type |
|---|---|---|
| Visa Records: ∙ Daily records of Visa transactions ∙ App-based transactions involving Visa card ∙ Use of Visa to reverse transactions ∙ Use of Visa to carry out the debit transaction ∙ Use of credit card to carry out a transaction | Records | Day and time of the transaction |
| Records based on the use of MasterCard: ∙ Normal MasterCard transactions ∙ MasterCard transaction by use of MasterCard ∙ Use of MasterCard to reverse transactions ∙ Use of MasterCard to carry out debit transactions ∙ Use of MasterCard to carry out credit transactions | Records | Day and time of transaction |
| American Express Records: ∙ American Express transactions ∙ Transactions from American Express using mobile applications ∙ American Express reverse transactions ∙ American debit card transactions ∙ American Express credit card transactions | Records | Day and time of transaction |
| Discover Records: ∙ Transactions from Discover ∙ Discover transaction from mobile applications ∙ Reverse transactions from Discover ∙ Discover credit card transactions ∙ Discover debit card transactions | Records | Day and time of the transaction |
| On-Hold Records: ∙ All records with irregularities ∙ All records that have been marked as fraud ∙ All the records with issues of litigation ∙ Records with conflicts | Legal, IT, Records | Day and time of notification |
Survey questions
As mentioned earlier, one of the methods used to collect data is a survey. The survey is carried out in different departments such as the risk management department, human resource department, accounting department, PCI DSS compliance department, and in-house legal department. The survey is to be completed by the departments mentioned above. The survey questions take the form of the table below.
| Department | Questions | Response (Only respond to your specific department) |
|---|---|---|
| Merchant | 1. What information have you ever submitted to any merchant bank? 2. How do you protect your data at a personal level? | |
| Merchant banks | 1. What types of customers' information do you store? 2. Which departments store the information? 3. Which application do you usually use to create records? 4. Where do you keep the records physically and logically? 5. What are some of the access policies that you have put in place to ensure that access to information is well managed? | |
| Issuing banks | 1. How do you ensure that there is a smooth transaction between the issuing bank and the merchant bank? 2. What information do you present to merchant banks when you are sending funds? 3. What security measures do you put in place to ensure that the funds are securely transferred? | |
| Accounting | 1. What security measures have you put in place to ensure that merchant customers' data is protected? 2. How do you manage access control to some of your financial records? 3. How do you differentiate records that should be stored manually from records to be stored electronically? 4. Which kinds of records do you usually keep? | |
| Merchant/Merchant Bank/Issuing banks | 1. Do the respective departments provide guidance to staff on what records are to be created, processed and maintained? 2. What is the disposition process for records such as electronic and paper? 3. What is the existing level of awareness of laws, compliance and PCI DSS legal regulations related to records management? 4. Which department handles the most sensitive information? 5. What is the report structure of the department with records inventory? 6. What are the guidelines to maintain the records? 7. Do you have an existing Record Management policy, guideline or procedures? | |
Final Interview
After issuing the survey questions, it is necessary to follow up on the progress of the survey. During this interview, the questions are designed to seek more specific answers to some crucial questions that were asked in the survey. It should be noted that some questions asked in the survey may have sensitive answers (Lucia, Herrmann, & Killias, 2007). As such, there is a need for close interaction between the interviewer and the interviewee. Additionally, interviews may be considered more appropriate than survey questions since they are treated with more seriousness.
Interview Questions
1. Are there any external agencies that impose guidelines, standards or other requirements?
2. How effective is your risk management plan?
3. How are policies, procedures and guidance disseminated to the employees?
4. How do you ensure that you keep customers' records in a way that meets confidentiality requirements?
5. What access policy requirements have you put in place to monitor access to sensitive data?
6. What strategies have you put in place to ensure that the company complies with PCI DSS policies?
7. Are there any court cases involving any of the records? If yes, when are the cases likely to be over?
8. How important is the Record Management System in your view?
Record Retention and Disposal System
A record retention and disposal system is crucial for Superior Card Processing Inc., as for any other transactional system: the records involved in the transactions and the logging around card processing tasks are important as proof of transaction and for the processing to be approved by the merchant bank and the issuing bank. Several factors govern the retention and disposal of such transaction data and records. These include policies enforced by the merchant bank and the issuing bank, as well as the legal policies enforced by governing agencies, including PCI DSS (Payment Card Industry Data Security Standard) related policies, since payment card information is involved. These retention policies are similar across most card processing companies, but there can be a few deviations from the minimum retention period, as a few companies may store records for a little longer than the required norms.
Record Retention
Record retention is the time period for which these transactional and analytical records are stored. There are different types of records, each with a corresponding storage duration. These durations range from permanent retention to as little as one year, based on the type of record and the laws and policies that require logs.
1. Permanent records are a set of records that are essential to the company as proof of transactions and that can be challenged at any point in the company's existence. These records include, but are not limited to, audit reports of CPAs, capital stock records, trademark registrations, bond records, cash books, legal correspondence and agreements, deeds, mortgages and bills of sale, financial statements, ledger documents, insurance records, accident records, claims, policies, journals, cancelled checks of transactions including taxes, purchases or property, special contracts, etc. Such records can be challenged or requested at any time by governing entities or by customers when a legal issue arises, so they are crucial for answering such requests.
2. There are also records that are retained for a longer duration, ranging between 6 and 7 years, and are of no use after that. These records are usually related to transactions; in some cases companies keep them archived for a longer term as well, but this is not needed. These records include accident reports and claims of retired accounts, accounts payable, accounts receivable, checks, contracts and leases (expired), expense analysis, payroll records, retired employee records, retired consumer records, sales records, voucher records and so on.
3. A few records are kept for between 2 and 3 years, and occasionally 5 years; these relate more to company management and may not directly impact the processing company. They include employee applications, employee records after termination, insurance policies, internal audit information, internal reports, and other management records that are not very important after some time.
4. Finally, there are records generated as part of the company's maintenance processes, such as office supplies, employee travel, utilities billing and so on. These are recorded only for yearly taxes or other such small needs and are not needed at all in the long run.
Record Disposal
Record disposal depends mainly on the retention policies and is necessary to reduce the load on the company's resources. These resources can be storage space in databases or drives, applications supporting record retention, software delays caused by query load, and other performance-related resources. The disposal policies include documented removal of the records from the services mentioned above when they are software related, and ensuring that any physical records that are disposed of are properly shredded or destroyed so that they cannot be misused.
Retention and Disposal Timeframe Table
| S.No | Type of Records | Severity | Retention in Books | Total Retention Period | Disposal Period |
|---|---|---|---|---|---|
| 1 | Capital stock records | Very High | Permanent | Permanent | |
| 2 | Bond records | Very High | Permanent | Permanent | |
| 3 | Accounts receivable | High | 4-5 years then transfer to SCP records | 6-7 years | Destroy after 7 years of creation |
| 4 | Requisitions | Low | 8 months then transfer to SCP records | 1 year | Destroy after 1 year of requisition |
| 5 | Stockroom withdrawal forms | Low | 6 months then transfer to SCP records | 1 year | Destroy after 1 year |
| 6 | Internal audit reports | Medium | 1 year then transfer to SCP records | 2-3 years | Destroy after 3 years of audit |
| 7 | Internal reports | Medium | 1 year then transfer to SCP records | 2-3 years | Destroy after 3 years of creating reports |
| 8 | Purchase orders | Low | 8 months then transfer to SCP records | 1 year | Destroy after 1 year of purchases |
| 9 | Bank statements | Medium | 1 year then transfer to SCP records | 2-3 years | Delete the statements after 3 years |
| 10 | Cash books | High | 4-5 years then transfer to SCP records | 6-7 years | Destroy after 7 years of creation |
| 11 | Checks | Very High | Permanent | Permanent | |
Conclusion
Based on the Retention Policy, some records are to be kept forever and, therefore, an archival process is necessary at some point. Thus, a record management archival process should be developed in the company. We recommend archiving the permanent records via cloud record management systems. However, the vulnerabilities and security risks of such archives need to be kept in mind, in addition to the cost of implementing cloud record management systems. Furthermore, a brief checklist needs to be developed to monitor the Record Management System (RMS) activities at SCP (refer to the appendix for the checklist). Depending on the checklist, the RMS team can take further steps to improve or control the activities of the RMS.
References
Dallas, T. (2016). Document management. M-Files. Retrieved from: https://www.m-files.com/en/press-release-impact-of-paper-use-survey
Erika, M., Grance, T., & Karen, S. (2010). Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). National Institute of Standards and Technology, Gaithersburg, MD 20899-8930.
Fleischmann, A. (2011). Subject-oriented business process management: Second International Conference, S-BPM ONE 2010, Karlsruhe, Germany, October 14, 2010, selected papers. Berlin: Springer.
Hemel, G. (2018). Advantages & Disadvantages of Traditional File Organization. Chron. Retrieved from: https://smallbusiness.chron.com/advantages-disadvantages-traditional-file-organization-41400.html
Lucia, S., Herrmann, L., & Killias, M. (2007). How important are interview methods and questionnaire designs in research on self-reported juvenile delinquency? Journal of Experimental Criminology, 3(1), 39–64.
Picincu, A. (2018). Types of Records Management Systems. Bizfluent. Retrieved from: https://bizfluent.com/info-7928109-types-records-management-systems.html
Singhal, S., Swaminathan, R., & Karp, A. H. (2012). Managing data retention policies at scale. IEEE Transactions on Network and Service Management, 9(4), 393-406.
Skupsky, D. S. (2018). Destruction of Records – Your Legal Obligations! Information Requirement Clearing House. Retrieved from: https://irch.com/destruction-of-records-%E2%96%A0-your-legal-obligations/
Smallwood, F. R. (2014). Information Governance: Concepts, Strategies, and Best Practices. John Wiley & Sons, Inc., Hoboken, New Jersey.