Thursday, May 14, 2015

ARMA TR24-2013 Best practices for managing electronic messages



Another day, another standard. Let's see what this one says.
  • It could serve as a complement to ANSI/ARMA 19-2012, Policy design for managing electronic messages.
  • There's the standard definition of terms. I like nonrecord.
  • PDF/A is ISO 19005; PDF is ISO 32000-1.
  • Preserved messages should have (or be linked to) necessary metadata, such that:
    • Necessary metadata to render and make understandable content, context, use, and structure
    • Logical and physical structure remains intact
    • Business context (creation, reception, use) is apparent
    • Links and attachments are present
    • Hyperlinks are intact and docs available
    • Integrity of docs with threads, embedded files, and digital objects is maintained
    • Metadata is preserved
    • Header data is maintained and indexed for retrieval
    • Authorization is enforced
  • Electronic messages include email, forums/listservs, IM, SMS.
  • Components: addresses, conversational threads, receipts, subjects
  • Metadata is important. Management of metadata should be linked to the records retention policy, including:
    • Security and privacy policies that define retention of metadata
    • Mandating which metadata is editable
    • Specifying which metadata is part of the audit trail
    • Which metadata can be accessed by which entity
  • Separate storage of metadata makes access easier, but strips out context and linkages
  • Common metadata elements:
    • ID
    • Subject
    • Date/time sent
    • Date/time received
    • Sender/originator (X.500 format)
    • Prior originator
    • Addressees/Participants (X.500)
    • Location
    • Attachments
    • Message format
    • Message type (email, IM, SMS, etc.)
    • Message size (bytes)
    • Language
    • Electronic signature
    • Encryption
    • User-defined metadata
  • Records management metadata:
    • Records category
    • Classification date/time
    • Disposition even trigger (date or event)
    • Disposition certificate
    • Migrate date
    • Migration history (trail of migration events)
    • Retention schedule (pointer to schedule)
    • Access domains (credentials, possibly at the field -- not record -- level as per EU Data Protection Directive, HIPAA, etc.)
  • Records utilization metadata:
    • Access (ID of entity, including system)
    • Access events
    • Access event time stamp
    • Access restrictions
    • Access event detail
    • Annotation content
    • Hold (yes or no)
  • Section 4 gives us some details on managing organizational requirements. It notes that an Electronic Message Management (EMM) program should include:
    • Appraisal and identification of records vs. nonrecords
    • Auditing
    • Electronic systems/file formats/file plans
    • Legal holds and ediscovery
    • Media obsolescence; tech conversion and migration
    • Metadata
    • Preservation
    • Program quality improvement
    • Reg and stat requirements
    • Retention and disposition
    • Risk management
    • Search
    • Security, confid, privacy
    • Training
  • Section 5 is a review of Electronic Messages as Records. It references GARP, ISO 15489, and ANSI/ARMA 19-2012, Policy design for managing electronic messages.
    • Presumption of authenticity: "For records in the form of electronic messages, authentication techniques should be as technology-neutral as possible."
    • Digital signatures may be impossible to migrate. InterPARES recommends detaching the signature and adding information to the integrity metadata.
    • Drafts aren't generally records
    • Copies: "If a copy or duplicate exists that is not in support of business activities, but for mere convenience, it is not considered a record."
  • The records lifecycle:
    • Creation
    • Appraisal. Determine how to retain records. Value can be fiscal, legal, operational/admin, research/historical. EMM policy includes:
      • How and by whom schedules will be applied
      • Training programs
      • Periodic/random audit
    • Classification.
    • Disposition. Destruction or transfer. Destruction is described in ARMA's Contracted destruction of records and information media.
    • Preservation. ISO 14721; ISO 16363. Or Preserving Email by Christopher Prom or InterPARES 3 reports: Keeping and Preserving Email and Guidelines and Recommendations for E-Mail Records Management and Long-Term Preservation.
      • Native format like SMTP is best. Note: FRCP 34(b) mandates that ESI must be produced in "a form or forms in which it is ordinarily maintained or in a reasonably usable form or forms."
  • Records management tools should support email
  • SMTP is popular but might result in loss of data such as rich formatting or embedded objects. Other formats include MBOX and EML. XML is best. PDF/A for attachments. X.500 for address metadata.
  • Cloud storage. Consider:
    • Data location/jurisdiction
    • Data security
    • Legal
    • Cloud services (segregation, etc.)
    • RIM
    • See ARMA's Guideline for outsourcing records storage to the cloud and Guideline for evaluating offsite records storage facilities and Guideline for outsourcing electronic records storage and disposition.
  • Concerns include obsolescence, mobility and remote access.
  • Legal issues:
    • Holds and ediscovery
    • Statutes and regulations
    • Vital records
  • Specific business continuity plan. It provides good details.
  • Backups. References to NISPOM and NIST guidelines on sanitization.
  • Section 10 is audit and compliance.
    • Have people sign the EMM policy
    • Monitor usage
    • Train and include it in the handbook
  • Compliance metrics from:
    • Audit logs
    • Desk checks
    • Discovery drills
  • Section 11 is about security:
    • Confidentiality. Information is either public or its confidential. Confidential information either can't be transmitted electronically or must be watermarked "for internal use only".
    • Personal information. Good guidelines on legislation.
    • Encryption: secret key vs. public key
  • Section 12 is all about training and communication. Training should include: etiquette, RM practices and principles, security, confidentiality, privacy, copyright, statutory/legal requirements. Training should be evaluated.
  • Section 13 is about program improvement.
  • The appendix is a pretty good audit framework.






0 Comments:

Post a Comment

Subscribe to Post Comments [Atom]

Links to this post:

Create a Link

<< Home