Implementation

August 06, 2007

What are Access Controls in an ERM System?

Access Controls are the rules and mechanisms by which an ERM system restricts users' access to records. The terms ‘Access Control Policy’ and ‘Access Policy’ are often used to refer to the access control rules.

Underpinning the concept of restricting access to records by users are the following:

  • Identification - is how we establish the identity of a user. This is usually a username which uniquely identifies the user to the system. Identification on its own proves nothing; it is simply a claim.
  • Authentication - is how we establish that the user is who they claim to be, for example by means of a secret password known only to the user (the system should store only a salted hash of the password, never the password itself).
  • Authorization - is the set of access rights granted to a user. In the context of an ERM system, a user's authorization determines which functions are available to them and which records they can access once their identity has been authenticated successfully. This may include which metadata they can see. Access rights can be assigned to an individual user, to a group of users, or through role-based access control, where rights are attached to roles and users are assigned roles. Whichever model is used, each user should receive only the rights their work requires, and anything not explicitly granted should be denied.

Techniques or mechanisms involved in the enforcement of Access Control include:

  • Using encryption to render a document unreadable, and therefore unavailable, to every user who does not hold the decryption key. Encryption enforces access control only as well as the keys are managed: whoever can obtain the key can read the record, so key distribution must follow the same access policy as the records themselves.
  • Using digital signatures to authenticate the identity of the sender of a message or the signer of a document. A digital signature also lets a recipient detect whether the content of the message or document has been altered since it was signed; it does not prevent alteration, it makes alteration evident.
  • An audit trail provides evidence of authenticated users exercising their rights over records. This information can be used to establish the current state of a record and to reconstruct its life history, which is only trustworthy if the trail itself is protected from modification by the users it records.

By Carl E.Weise
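The three concepts above (identification, authentication, authorization) and the audit trail fit together in a small amount of code. The following is an added example written for this page, not code from the post or from any ERM product: a toy record store with a role-based access policy combined with a per-record ACL (deny by default), salted PBKDF2 password hashing with a constant-time comparison, and an audit trail in which each entry commits to the previous one so that later editing or deletion is detectable. All users, records, role names and the PBKDF2 round count are constructed assumptions for the demo.

```python
"""Toy ERM access-control kernel (added example, not from the original post).

Identification  : username
Authentication  : salted PBKDF2-HMAC-SHA256 password hash, compared in constant time
Authorization   : role-based access policy + per-record ACL, deny by default
Audit trail     : hash-chained entries for every login and access attempt
Users, records and policy values are constructed for the demo.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

PBKDF2_ROUNDS = 200_000  # assumption: raise until a login costs ~100 ms on your hardware

# Access policy: the actions each role may perform. Anything not listed is denied.
ACCESS_POLICY = {
    "staff": {"read", "declare"},
    "records_manager": {"read", "declare", "dispose"},
    "auditor": {"read", "read_audit"},
}


@dataclass
class User:
    username: str        # identification
    salt: bytes
    pw_hash: bytes       # authentication secret; the password itself is never stored
    roles: frozenset     # authorization inputs


@dataclass
class Record:
    record_id: str
    title: str
    content: str
    acl: frozenset       # roles permitted to act on this record at all


@dataclass
class AuditEntry:
    when: str
    user: str
    action: str
    target: str
    outcome: str
    prev_hash: str
    entry_hash: str = ""


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _entry_digest(when, user, action, target, outcome, prev_hash) -> str:
    payload = "|".join([when, user, action, target, outcome, prev_hash]).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class ERM:
    def __init__(self):
        self.users, self.records, self.sessions, self.audit = {}, {}, {}, []
        self._last_hash = "0" * 64    # genesis value of the audit hash chain

    def add_user(self, username, password, roles):
        salt = os.urandom(16)
        self.users[username] = User(username, salt, _hash_password(password, salt), frozenset(roles))

    def add_record(self, record_id, title, content, acl):
        self.records[record_id] = Record(record_id, title, content, frozenset(acl))

    def _log(self, user, action, target, outcome):
        # Each entry commits to the previous one, so editing or deleting an
        # entry later is detectable by verify_audit().
        when = datetime.now(timezone.utc).isoformat()
        digest = _entry_digest(when, user, action, target, outcome, self._last_hash)
        self.audit.append(AuditEntry(when, user, action, target, outcome, self._last_hash, digest))
        self._last_hash = digest

    def verify_audit(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.audit:
            if e.prev_hash != prev or _entry_digest(e.when, e.user, e.action, e.target, e.outcome, prev) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def login(self, username, password):
        """Identification + authentication; returns a session token or None."""
        user = self.users.get(username)
        salt = user.salt if user else b"\x00" * 16   # hash anyway so timing does not reveal valid usernames
        candidate = _hash_password(password, salt)
        if user is None or not hmac.compare_digest(candidate, user.pw_hash):
            self._log(username, "login", "-", "AUTH_FAIL")
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        self._log(username, "login", "-", "AUTH_OK")
        return token

    def access(self, token, record_id, action):
        """Authorization: the user needs a role that is both on the record's ACL and permitted the action."""
        username = self.sessions.get(token)
        if username is None:
            raise PermissionError("not authenticated")
        user, record = self.users[username], self.records.get(record_id)
        permitted = record is not None and any(
            role in record.acl and action in ACCESS_POLICY.get(role, ()) for role in user.roles
        )
        self._log(username, action, record_id, "GRANTED" if permitted else "DENIED")
        if not permitted:
            raise PermissionError(f"{username} may not {action} {record_id}")
        return record.content
```

Note that a denied attempt is logged just like a granted one; the denials are usually the more interesting half of the trail. The unknown-user path still runs the password hash so that response time does not reveal which usernames exist.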

July 13, 2007

Only the Government needs Security Levels, Right?

I'll let you decide the answer to that question since only you know your business and organizational structure.

We are all familiar with the standard levels of Confidential, Secret and Top Secret, and the highest of the high, Top Secret material further restricted to those with a need to know. Anyone familiar with the government, in particular the Federal and military arms, knows that these designate access rights to information that is controlled or restricted for reasons of National Security. What of the commercial world? Shouldn't we be just as concerned as the government?

Think about this: most of the espionage activity today is not in the government sector, though you may never hear about it in the news; it comes from the private sector. Information is stolen and passed to the competition for cold hard cash. In particular, this information typically comes from sources that are trusted within the organization as reliable, loyal and trustworthy, and who have access to information they might not have a need to access.

Corporate or economic espionage costs corporations billions of dollars every year in lost revenue. The window of opportunity as the first or only current provider is the competitive advantage every business seeks, yet are we as diligent at protecting our intellectual assets as we could be? After all, is it not those same assets that have given us the advantage to begin with, and should we not treat them as all of the Gold in the Kingdom?

Some businesses really get the concept, but many do not, and when presented with this scenario of losing their intellectual assets through espionage, they often wave it off with a ‘never happen to me’ perspective. The question is, if your trusted employees were presented with an opportunity to make a lot of money for the minimal risk of making a copy for someone, would they?

Why take the chance? Incorporating and implementing a security scheme that reflects the government's, for the sake of protecting the wealth of your kingdom, should be inherent to the way you do business. It also eliminates most temptations, because if information cannot be accessed it cannot be copied. It also provides tighter controls and auditing, so that if information should make it out of your organization, you may quickly be able to identify who leaked it based upon the type of information leaked and who had access to it.

So I ask again, only the government needs security levels, right?

By Bob Larrivee
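The post names the government's security levels and the need-to-know restriction on top of them; the following is an added example (not the author's code, and not tied to any product) of how those levels are actually enforced as a mandatory access-control check, distinct from the role-based rules of ordinary ERM access policy. Each user carries a clearance and each record a classification, both expressed as a level plus a set of need-to-know compartments. Reading requires the clearance to dominate the classification ("no read up"); writing requires the record's label to dominate the clearance ("no write down"), which is what stops a cleared user from copying Top Secret content into a Confidential file. The level names follow the post; mapping a commercial scheme such as PUBLIC / INTERNAL / CONFIDENTIAL / RESTRICTED onto the same lattice is an assumption, as are the sample users, records and compartment names.

```python
"""Mandatory security-level check (added example, not from the post).

A Label is an ordered level plus a set of need-to-know compartments.
Label A dominates Label B when A's level is at least B's level and A's
compartments include all of B's. Reads need clearance >= classification,
writes need classification >= clearance (Bell-LaPadula simple security
and *-property). Level names follow the post; a commercial scheme maps
onto the same lattice. Sample users and records are constructed.
"""
from dataclasses import dataclass

# Ordered levels; a higher number dominates a lower one.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # need-to-know tags, e.g. {"PROJECT_X"}

    def dominates(self, other: "Label") -> bool:
        """True if this label is at least as high and covers every compartment of `other`."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def may_read(clearance: Label, classification: Label) -> bool:
    # "No read up": the reader's clearance must dominate the record's label.
    return clearance.dominates(classification)


def may_write(clearance: Label, classification: Label) -> bool:
    # "No write down": the user may only write into records whose label dominates
    # their clearance, so higher-level content cannot leak into a lower-level file.
    return classification.dominates(clearance)


def may_copy(clearance: Label, src: Label, dst: Label) -> bool:
    """Copying is a read of src followed by a write to dst; both rules must hold."""
    return may_read(clearance, src) and may_write(clearance, dst)


def visible_records(clearance: Label, records: dict) -> list:
    """Record ids the user may even see listed; everything else is withheld entirely."""
    return sorted(rid for rid, label in records.items() if may_read(clearance, label))


def demo() -> list:
    # Constructed sample: three records and one engineer cleared SECRET for PROJECT_X.
    records = {
        "REC-001": Label("CONFIDENTIAL"),
        "REC-002": Label("SECRET", frozenset({"PROJECT_X"})),
        "REC-003": Label("TOP_SECRET", frozenset({"PROJECT_X", "M_AND_A"})),
    }
    engineer = Label("SECRET", frozenset({"PROJECT_X"}))
    return visible_records(engineer, records)   # ['REC-001', 'REC-002']
```

The compartment test is what turns a plain level hierarchy into "need to know": two users cleared SECRET still cannot read each other's compartments. Note that the write rule on its own forbids even a trusted records manager from declassifying by saving a copy at a lower level; a real system needs an explicit, audited downgrade function for that, outside the normal access path.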

July 09, 2007

Ease of Use – A Non-Functional Requirement for ERM Systems

The ERM system interacts with users in ways determined by the system requirements specified for it. There are basically two kinds of system features, and therefore system requirements:

  • Functional requirements: these mainly specify what the system has to do, such as allowing users to add information, protecting information from change, keeping audit trails and so on. These are well covered in various publications, such as DoD 5015.2 and MoReq.
  • Non-functional requirements: these relate to more abstract qualities of how the system and its environment operate, such as ease of use, speed and reliability. They do not define the business functions that the system has to perform, hence the name ‘non-functional’.

A key non-functional requirement is the all-important ‘Ease of use’.

Human beings are generally creatures of habit. They are reluctant to embrace change, and will look for reasons why they should not change.  Thus, if users find a new system difficult to use, they will be reluctant to change from their old ways of working. This could cause an ERM initiative to stumble at the system implementation stage, and unless a solution is found, could lead to failure.

When considering this ‘ease of use’ requirement, you first need to identify what makes users think a system is easy to use, and the degree (as in for example - must, should, or nice to have) to which those factors affect their thinking.  You then need to decide how to specify that to a supplier, and how you will assess how well their proposed solution meets your requirement.

The ‘ease of use’ requirement may also vary between the types of user of the system, and the amount of training that can be provided. 

Some examples of ‘ease of use’ requirements are:

  • The user interface must be familiar to users, and so may need to follow a single set of rules consistent with those of the operating system, or other mainstream applications.  These days, most vendors do follow this good practice, and it is a much lesser issue than it used to be.
  • Common, frequently used transactions must be designed so that they can be completed with the smallest possible number of mouse clicks and/or keystrokes. Common transactions that require long or complex series of keystrokes and clicks are a frequent source of serious implementation problems. To head this off, think about some of the common transactions, such as declaring a record, finding a folder, or retrieving a record, and then evaluate how short or long each process can afford to be. The system should be closely integrated with the e-mail system and other office applications to allow users to send links and files to colleagues without leaving the ERM system.
  • It may be easier for users if they can set up different screen layouts for the different types of work they have to do. So the system should allow users to customize the graphical user interface, including menu contents, layout of screens, use of function keys, on-screen colours, fonts and font sizes, and audible alerts. Configuration changes made by a user should be saved in their user profile.

Other examples include:

  • When entering repetitive or large volumes of data manually, it is helpful if the system provides defaults for data entry wherever possible, including user-definable values, repeats of the previous item, and values derived from context, such as date, file reference, or user identifier.  This is a general principle to observe when selecting a system; when implementing a system, you need to go through each data entry field to determine which of these features applies to it and how.
  • The system should support optical character recognition to capture metadata from scanned images of printed documents.  This is not relevant to all implementations of course; but where it can be applied – that is, where the nature of the records being scanned supports the automated extraction of metadata – it is enormously helpful.
  • The ERM system must be able to display several records simultaneously to make searches or comparisons easier.  Most systems now have this capability.
  • The system should allow users to define cross-references between related records to support easy navigation between them.
  • Especially in the early days of using a new system, or later on when an infrequently used function is needed, it is easier if the system provides context-sensitive online help throughout. It could also make things easier if the system includes help on the use of the organization’s classification scheme. The quality of online contextual help varies greatly from system to system; you may need to devise a way to evaluate this quality.
  • All the system’s error messages must be meaningful to any user that is likely to see them – and ideally should include explanatory text and an indication of the appropriate actions to take to resolve the problem.
  • The system should support user-definable macros, to help users partially automate repetitive tasks.
  • Administrator functions must also be easy to use and intuitive throughout.

‘Ease of use’ can be influenced by a very broad range of features within an ERM system, and is best defined and judged by the different types of user. From all of this, it is strongly suggested that a panel of users be convened to help identify usability requirements for a new system, assess the various solutions, and to test, and act as ambassadors for, the chosen configuration during implementation.

By Carl E. Weise

June 30, 2007

Microsoft resources to help you plan and implement document and records management

I just came across a Microsoft TechNet website with guidelines and questionnaires to help you plan and implement document and records management using Microsoft Office SharePoint Server 2007.

Plan document management

  • Identify document management participants
  • Analyze document usage
  • Plan document libraries
  • Plan content types
  • Plan workflows for document management
  • Plan versioning, content approval, and check-outs
  • Plan Information Rights Management
  • Plan information management policies
  • Plan Enterprise content storage

Plan records management

  • Identify records management roles
  • Develop the file plan
  • Design the Records Center site
  • Plan how records are collected
  • Plan physical records retention

By Atle Skjekkeland.

June 19, 2007

Indexing - Applying Metadata to Records and Information within the Organization

‘Indexing’ is the process of capturing relevant metadata associated with your records.  Some of the metadata is used to index the records to make retrieval easier; some of the metadata is used for later management of those records.  So capturing the most appropriate metadata to enable easier retrieval and management is important.

You will need to develop your policy and guidelines for capturing metadata. For example, is it best for your organization to capture metadata for all documents (recognizing that only some will become records later), or should you capture metadata only for those documents that you declare as records? You will also need to define which metadata elements should be captured for different types of records. In short, you will want to create a metadata model for your organization.

The process of capturing the metadata can be manual or automatic, and the metadata itself can be captured from a variety of sources. For example, when using standard desktop applications such as Microsoft Office, the electronic records management (ERM) system may capture useful information about the document from its ‘document properties’. Bear in mind that these properties are set by whoever created the file and are often inherited unchanged from a template or an earlier document, so they should be validated rather than trusted outright.

Other sources of metadata are:

  • the classification scheme for retention information,
  • the ERM system itself for metadata like the ‘unique record number’ and
  • the underlying operating system for information such as date and time of capture.

The actual amount and type of metadata required will be dependent on your organization’s business needs.

Many of your records will be evidence of an important business activity or transaction, so it is important that you capture relevant metadata relating to:

  • the people involved in the activity or transaction
  • the nature of the activity or transaction itself
  • the outcome of the activity or transaction
  • reference to any other important related records

If your organization has not been using an ERM system, it is highly likely that you and the rest of the people in your organization have not been capturing metadata.  Therefore, asking them to start manually capturing metadata as you move to ERM will not be popular and could undermine the success of the ERM Project.  Consequently, you will need to restrict the amount of manual metadata capture to an absolute minimum, ideally no more than one element.  Indexing should be as automated as possible. 

A crucial part of the indexing process is to provide an audit trail of what has happened to a record over its lifecycle.  Therefore, as a minimum during the indexing process, the following metadata should be captured:

  • the Unique Identifier – this is usually a unique number (or alphanumeric string) assigned to the record by the ERM system
  • the date and time of capture of the record
  • the title of the record
  • the author of the record. This may be one person or an organization such as a company or a team (sometimes called a “corporate author”).

Those of us who have worked in records management have applied labels to folders and boxes, inventoried file cabinets and drawers, and created content listings of our holdings. All of this represents applying metadata to the records and information we manage. We have been successful in the past, and through an ERM system we will be even better and more thorough.

By Carl E. Weise
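The post's minimum metadata set (unique identifier, date and time of capture, title, author) and its advice to automate indexing can be combined in one capture routine. The following is an added example written for this page, not code from the post or from any ERM product: it pulls title and author from a Word .docx file's own document properties (a .docx is a zip archive whose docProps/core.xml part carries Dublin Core properties), and falls back to the file name and the capturing user's identifier so that nothing has to be typed. The sample document is constructed in memory; the size limits, the record-id format and the fallback rules are assumptions. Property values are treated as untrusted input, since they are written by whoever produced the file: a missing, oversized or malformed properties part is tolerated rather than trusted, and the hardened parser mentioned in the comment (defusedxml) is the safer choice for files from outside the organization.

```python
"""Automatic capture of indexing metadata from a .docx (added example, not from the post).

Reads dc:title and dc:creator from docProps/core.xml inside the zip container,
falls back to the file name and the capturing user, assigns an ERM unique
identifier, stamps the capture time and records a content hash for the audit
trail. The sample .docx is constructed in memory; limits are assumptions.
"""
import hashlib
import io
import os
import uuid
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from xml.sax.saxutils import escape

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
MAX_PART_BYTES = 64 * 1024   # assumption: a core.xml larger than this is suspicious
MAX_FIELD_CHARS = 255        # assumption: field width of the metadata model


def read_core_properties(data: bytes) -> dict:
    """Return {'title': ..., 'creator': ...} from docProps/core.xml, or {} if unusable."""
    props = {}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "docProps/core.xml" not in zf.namelist():
                return props
            part = zf.read("docProps/core.xml")
    except zipfile.BadZipFile:
        return props
    if len(part) > MAX_PART_BYTES:
        return props
    try:
        # For files from outside the organization, defusedxml.ElementTree.fromstring
        # is the safer drop-in for this call (entity expansion, external entities).
        root = ET.fromstring(part)
    except ET.ParseError:
        return props
    for key, path in (("title", "dc:title"), ("creator", "dc:creator")):
        el = root.find(path, NS)
        if el is not None and el.text and el.text.strip():
            props[key] = el.text.strip()[:MAX_FIELD_CHARS]
    return props


def index_record(data: bytes, filename: str, captured_by: str, now: datetime = None) -> dict:
    """Build the minimum metadata set the post lists, plus a content hash for the audit trail."""
    now = now or datetime.now(timezone.utc)
    props = read_core_properties(data)
    return {
        "record_id": f"REC-{uuid.uuid4()}",             # unique identifier assigned by the ERM
        "captured_at": now.isoformat(),                 # date and time of capture (system clock)
        "title": props.get("title") or os.path.splitext(os.path.basename(filename))[0],
        "author": props.get("creator") or captured_by,  # falls back to the capturing user
        "captured_by": captured_by,                     # user identifier from the session
        "content_sha256": hashlib.sha256(data).hexdigest(),
        "title_source": "document_properties" if "title" in props else "filename",
    }


def make_sample_docx(title: str, creator: str) -> bytes:
    """Constructed sample: the minimal zip layout a .docx uses for its core properties."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f"<dc:title>{escape(title)}</dc:title><dc:creator>{escape(creator)}</dc:creator>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()
```

Recording where each value came from (the `title_source` field here) is worth the extra column: it lets a later quality review target exactly the records whose title was guessed from a file name. The content hash ties the metadata to the bytes actually captured, which is what makes the audit trail useful later.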

May 24, 2007

Records Retention: Who needs it?

You do, especially in light of recent amendments to the Federal Rules of Civil Procedure (FRCP). If you haven’t heard of this before now, I suggest you contact your legal counsel when you finish reading this and find out what it means and how it will impact you and your business. Recent indications are that more change is likely to come in the near future, with the impact yet to be determined.

In short, the amendments, which took effect on December 1, 2006, stipulate that all businesses, regardless of size or type, are required to produce all materials regardless of form, be it email, electronic files, etc., and regardless of where they reside, be it on a network drive, PDA, thumb drive, etc., within a reasonable time as determined by both parties, without exception. In other words, if you are brought into a civil proceeding you will likely be required to produce information from everywhere, and may have to prove either that you have provided all of the materials or, if you destroyed them, that this was in accordance with your records retention policy and not merely an attempt to hide them.

So who needs a records retention policy? You do. If you face the challenge to defend why you destroyed a document, you will be asked to prove it was not intentionally done to avoid possible sanctions and you will have to present your documented retention policy to prove it. If you do not have one in place, you will likely lose your case or be asked to open your files and systems for inspection based upon the severity of your situation and depth of the case.

So I say again, if you do not have a records retention policy in place or you are in doubt as to whether it is a sound plan, contact your legal counsel when you finish reading this and explore your level of risk. If you want to know how to begin and where to learn about the holistic approach to Electronic Records Management (ERM) and Enterprise Content Management (ECM), contact AIIM and inquire about the Certificate programs. These programs are a great way to learn about the complete make-up of an ERM and ECM environment, providing a solid platform to launch your initiative for a new environment or strengthen the one you have in place to lessen your risk and gain additional business benefits like improved operational efficiencies.

written by Bob Larrivee

May 21, 2007

ECM is a Team Sport

In order for ECM to be successful in your organization, you must accept the fact that it will impact every member of your organization, internal and external. ECM should be approached from the top down with customers and partners as the focus. How do you make their experience better and deliver the best quality and highest levels of service in order to grow your business?

Look at the business processes that support these customers and understand the underlying activities to make these processes work. What do your employees do in order to meet the needs of your customers? Before you add technology, it may even be possible to adjust these processes and enhance your business for immediate results. The key is to document the processes and activities, understand how your business works and identify areas of opportunity to make changes that will have positive impact for your customer.

You must also know what documents and data you are dealing with as part of your overall business structure. What information is gathered and when? How is it shared and with whom? Where is it stored and for how long? Who touches it and what do they do with it? How does it move throughout the organization?

Finally, you must look at the foundation supporting it all, and that is your IT infrastructure. Systems, networks, desktops and delivery vehicles are all vital to making your organization a well-oiled machine, not only for today but for the future.

ECM is a team sport that includes every level of your organization from customer to customer service representative; from purchaser to accountant; from legal counsel to IT administrators. They all have a vital role in making your ECM implementation project a success.

Written by Bob Larrivee

Impact areas of an ERM Program

An ERM initiative is not just a collection of one-time projects – it is the start of a long-term commitment.

Impact areas of an ERM Program Include:

Development of Records Management

  • Develop and maintain ERM instruments
  • Monitor adherence to ERM procedures (for example, audits)
  • Disposition reviews – archive/destroy records
  • Information Hubs (‘iHubs’) – user support (floor walker)
  • In a large organization, these activities may need several dedicated teams
  • In a smaller organization, Records Management may be a part-time activity

New Ways of working

  • Consider the impact on how staff do their work
    • Where do I save my records
    • What do I do with emails?
    • How do I share records?
  • Develop Process Models and review them against the ERM system’s capabilities

Acceptance by users

  • Affected by the design of the system
  • Consider the end user first, then develop the system

Business Processes

  • Opportunity for business processes to become:
    • Faster
    • More secure
    • Paper free
  • Opportunity for process improvement through ERM and associated tools such as:
    • Workflow and Content Management
  • Real opportunity for financial benefits
    • But generally under-exploited

Web Content Management

  • Consider internet / intranet / extranet
  • Ensure rigorous adherence to the content standards and styles
    • This can be done by defining suitable 'styles' and adding templates to the organization’s word processing application.
  • Then automate the process

Change Management

  • Importance and cost of Change Management
    • Far more ERM implementations fail because of inadequate resources allocated to change management than any inherent faults in the system or any other aspects of the environment
  • Consider in particular
    • Senior management endorsement
    • Communication
    • Training
    • Helpdesk and User Support

Benefits in small and large organizations

  • Benefits of ERM linked strongly to level of adoption
  • The wider the scope, the greater the productivity benefits
  • Roll-out to small and large organizations may be different
    • Incremental approach
  • Ensure all hardware / software decisions conform to the standards

Constantly evolving delivery channels

  • All channels (including PDAs, mobile phones and Blackberries) have implications for ERM
  • Evaluate how information is created and accessed
    • E-mail message to Blackberry
    • SMS (Short Message Service ) text message to mobile phone
  • Now and in the future!

By Carl E. Weise

May 18, 2007

Developing an ECM Strategy or Concept of Operations

You need to start the ECM program or project by agreeing upon an ECM strategy or Concept of Operations (ConOps). I addressed this in my previous post “What are your benefits of Enterprise Content Management?”; the ConOps describes:

  • Vision of the Future for the organization after the project or program has been completed
  • the organizational changes and content governance structures required
  • the new business processes, behaviors, and Ways of Working that will be required of staff
  • the tools, applications, and IT infrastructure needed to achieve successful implementation.

The purpose of the ConOps is:

  • to achieve agreement of the stakeholders to this vision
  • to facilitate communication between stakeholders & the Executive Board on how to reach that vision
  • to obtain permission from the Executive Board for the ECM–related implementation project or program to be established and to start
  • and finally, it should ensure that the proposed project or program contributes to the organization’s Information Management strategy, and in turn its business strategy.

Many use IEEE 1362-1998, "IEEE Guide for Information Technology - System Definition - Concept of Operations (ConOps) Document" to develop a ConOps, but you can also use the following structure from AIIM’s ECM and ERM Specialist training program:

  1. Executive Summary
  2. Introduction
  3. Vision, including Principles and Anticipated Benefits
  4. ECM system
  5. Processes
  6. Ways of Working (WoWs)
  7. Support organization
  8. ECM ‘Instruments’
  9. Legal and regulatory Issues
  10. Policy framework
  11. Governance
  12. Technology (the IT Environment)
  13. Appendix A: Glossary of Abbreviations
  14. Appendix B: Glossary of Terms

The AIIM ECM and ERM Specialist programs tell you how to develop a ConOps, and the following links provide you with examples of ConOps:

I prefer to keep the ConOps as short and precise as possible, - do you have an example of a good ConOps or ECM Strategy document? Let me know.

By Atle Skjekkeland.

May 16, 2007

Eeeny Meeny Miney Mo, this direction we will go!

Sometimes as users, we feel this is the method being taken to decide what the corporation did in relation to ECM. In particular, I have heard this more and more in relation to the selected method of finding information.

“Why did they choose such a clunky interface when there are search engines out there that can do the same thing and better?” The real question is not whether it can be done better with a search engine but what were the reasons this method was chosen and could a search engine be complementary to the ECM solution?

It is true that search engines can be more intuitive these days and offer a fast and easy way to find information, but a search engine on its own does not provide the key aggregation facilities needed to work with the corporate Business Classification Scheme (BCS), meet retention management requirements, or support the taxonomies upon which your company has standardized for consistency.

A search engine may also be such that, if there were a discovery request and a legal hold placed on information for litigation, there would be no way to manage it properly, thus putting the company at risk. In this case the risk could equate to millions of dollars if the methods and utilities used cannot be confirmed and proven.

These are questions that arise regularly within AIIM membership. Questions that can be addressed with suggested practices learned through AIIM education. Perhaps the real question is one of taking a professional enrichment course like the ERM and ECM programs by AIIM.

Written by Bob Larrivee