Information preservation: changing roles: if organizations want reliable electronic records, they must take the necessary steps to create and maintain that reliability.At the Core This article: * Discusses the importance of long-term Long-term Three or more years. In the context of accounting, more than 1 year. long-term 1. Of or relating to a gain or loss in the value of a security that has been held over a specific length of time. Compare short-term. management of electronic records * Explains the role of risk analysis The proliferation proliferation /pro·lif·er·a·tion/ (pro-lif?er-a´shun) the reproduction or multiplication of similar forms, especially of cells.prolif´erativeprolif´erous pro·lif·er·a·tion n. of electronic records requires that both records managers and archivists redefine Verb 1. redefine - give a new or different definition to; "She redefined his duties" define, delimit, delimitate, delineate, specify - determine the essential quality of 2. their roles. Like archivists, records managers must plan for the preservation and accessibility of records beyond the useful life of the systems (software, hardware, operating systems Operating systems can be categorized by technology, ownership, licensing, working state, usage, and by many other characteristics. In practice, many of these groupings may overlap. ) that created them. This action, however, must be taken at the time the record is created, not later in the life cycle. If it is not done, the authenticity The correct attribution of origin such as the authorship of an e-mail message or the correct description of information such as a data field that is properly named. Authenticity is one of the six fundamental components of information security (see Parkerian Hexad). and reliability--or the validity--of a record may be very difficult to establish. Accessibility to records over time is but the first challenge when working with electronic records. Electronic records are by nature easy to create, easy to revise--and easy to destroy. Those attributes make electronic records very useful in today's information-intensive business environment. However, if an organization wants to use electronic records as evidence in a court proceeding or convince an auditor of its financial position, it must have created electronic records that are both reliable and authentic. Looking toward the future, records managers and archivists need to work together to help their organizations create records that meet such attributes. Indispensable Attributes Paper records have features we generally take for granted that may not always be present with electronic records. These attributes include content, structure, and context. * Content conveys the information. It may include text, data, symbols, numerals, images, and/or sound files. In the paper environment these items are readily recognizable, and it is easy to see what is or is not included in a specific document. * Structure is the appearance and arrangement of the content. With paper documents, this is the physical appearance and includes things such as font style A typeface variation (normal, bold, italic, bold italic). and size, language, paragraph, and page breaks. Structure also shows the relationships between fields, entities, or tables within documents or databases. * Context is the background information that reveals the origin of the record and enhances the understanding of the technical and business environments to which it relates. With paper records, the context is conveyed by seeing who created/signed the document, the organization for whom the records were created, the function or activity to which the records relate, or the work processes that created the records. Content, structure, and context are necessary components of valid electronic records as well. In a 1996 Records Management Quarterly article, Richard Cox Richard Cox may refer to:
See also: favor a definition of a record including its structure, content, and context. The real decision [of the court] was that printing out e-mail distorted its structure and tossed off its context, making its contents meaningless or at least open to question" However, content, structure, and context are not sufficient in and of themselves in order for electronic records to stand as evidence in a court. Electronic records also must be created reliably and maintained authentically. Reliability is the measure of a record's authority and is a function of the record's creation. In other words Adv. 1. in other words - otherwise stated; "in other words, we are broke" put differently , a record is reliable when its creation occurs under strict controls. We know who created it, when it was created, how it was created, and for what purpose. In other words, we can trust that the record is what it says it is; we can have faith in the record. Content, structure, and context are subsets of reliability: There can be no reliability without content, structure, and context. Authenticity is proven reliability over time and is a function of a record's preservation. A record is authentic when its preservation occurs under strict controls. Records are authentic if we know when a record was copied or migrated, how the copying or migration took place, the quality control processes that governed gov·ern v. gov·erned, gov·ern·ing, gov·erns v.tr. 1. To make and administer the public policy and affairs of; exercise sovereign authority in. 2. the copying or migration, and who did the copying or migration. We also know if the record was revised, who revised it, when, and why. In other words, we can trust that the record is still the same as it was when it was created because we can document everything that has happened to the record. We can still have faith in the validity of the record because we can prove what changes the record has undergone. Authenticity--proving that an electronic record is still what it was when it was originally created--is particularly important when electronic records are migrated from one system to another. Imagine, for example, proving that the electronic records created in System A, migrated to System B, and that a judge now is viewing in System C, are still trustworthy and valid. Reliability and authenticity are functions of policies and the implementation of technology that must be captured or documented at the time of a record's creation and/or maintenance. They cannot be added later. The reliability of an electronic record will not be verifiable if these factors are not present at the creation of the record. The authenticity of electronic records will not be verifiable if the procedures used to create and maintain the records are not documented. The historical division of labor between records managers and archivists must change if reliability and authenticity are to be maintained. If a records management position requires oversight
Oversight may refer to:
A Risk-Analysis Approach If invited to a user-group meeting to discuss the creation of an application, one of the first things First Things is a monthly ecumenical journal concerned with the creation of a "religiously informed public philosophy for the ordering of society" (First Things website). a records manager should understand is what the purpose of the system is and what records it will create. Next, it would be useful to perform a risk analysis on the records created because the levels of reliability and authenticity needed for records are proportional proportional values expressed as a proportion of the total number of values in a series. proportional dwarf the patient is a miniature without disproportionate reductions or enlargements of body parts. to the significance of the records themselves. Thinking of it in another way, creating reliability and authenticity within a system is something on which organizations will spend money. How much reliability and authenticity, then, is needed? Doing a risk analysis on the records and their importance will help answer that question. In the best case, a risk assessment team is brought together to help make this decision. This team would be comprised of three groups of people. There will be lawyers and auditors who have knowledge of the organization as well as the policies, procedures, laws, and standards that apply to its records. Then there are archivists and records managers, those professionals who know who accesses the records, how long they should be maintained, and the organization's records retention requirements. Clearly, the assessment team includes those to whom the records belong because they have the best working knowledge of the records. The team should assess the risks that the records and associated recordkeeping pose for the organization. What can go wrong, and what will happen if it does? What laws and regulations apply to this information? What are the industry standards for data and system security? What are the legal and economic consequences for the organization if these electronic records are not trustworthy and do not stand up as evidence in a court of law? What happens if the IRS An abbreviation for the Internal Revenue Service, a federal agency charged with the responsibility of administering and enforcing internal revenue laws. does not accept the electronic records in an audit? When considering this latter issue, remember that IRS Revenue Procedure 98-25 defines what the IRS classifies as essential recordkeeping requirements. These requirements include * documentation of the processes that create, modify, and maintain the records * evidence of the authenticity and integrity of the records * evidence of the internal controls used to ensure accurate and reliable processes * controls to prevent the unauthorized addition, alteration Modification; changing a thing without obliterating it. An alteration is a variation made in the language or terms of a legal document that affects the rights and obligations of the parties to it. , or deletion deletion /de·le·tion/ (de-le´shun) in genetics, loss of genetic material from a chromosome. de·le·tion n. Loss, as from mutation, of one or more nucleotides from a chromosome. of records For simplicity's sake, three categories may be used when assessing records: low-risk, medium-risk, and high-risk high-risk adjective Referring to an ↑ risk of suffering from a particular condition Infectious disease Referring to an ↑ risk for exposure to blood-borne pathogens, which occurs with blood bank technicians, dental professionals, dialysis unit records. There are four groups of considerations that the assessment team may want to use when applying these categories: probability of occurrence, public-relations considerations, financial considerations, and legal considerations. A familiar organizational adage fits here: Where you stand depends on where you sit. The criteria within the groups will change according to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. their roles and placement in the organization. Probability of occurrence is the likelihood that something untoward will happen to the records. The criteria for low-risk to these records are * little value to hackers * simple technology in relation to the technical environment * little possibility that the records would be used in litigation An action brought in court to enforce a particular right. The act or process of bringing a lawsuit in and of itself; a judicial contest; any dispute. When a person begins a civil lawsuit, the person enters into a process called litigation. The criteria for medium-risk records are * some value to hackers * small adaptations of technology * the records might be used in litigation The criteria for high-risk records are * hackers would gain notoriety NOTORIETY, evidence. That which is generally known. 2. This notoriety is of fact or of law. In general, the notoriety of a fact is not sufficient to found a judgment or to rely on its truth; 1 Ohio Rep. for invading in·vade v. in·vad·ed, in·vad·ing, in·vades v.tr. 1. To enter by force in order to conquer or pillage. 2. the system * complex use of or new technology * litigation using the records is very likely Public-relations considerations include both internal and external ramifications ramifications npl → Auswirkungen pl of unreliable records. The criteria for low-risk to these records are * occasional harsh media article * some internal criticism for the application/system manager Medium-risk records * individual responsible for the application/system might be called before the management body to account for the system failure * the institution experiences unfavorable public opinion High-risk records * institutional budget cuts * internal and external pressure to replace those responsible for the application/system * institution comes under intense media scrutiny with resulting widespread public distrust Financial considerations include how much money will be endangered en·dan·ger tr.v. en·dan·gered, en·dan·ger·ing, en·dan·gers 1. To expose to harm or danger; imperil. 2. To threaten with extinction. if the records are unreliable. It should be noted that the amounts given are subjective; these amounts may seem low to those in the business community. Low-risk * minimum or low financial consequences * less than $5,000 Medium-risk * 10 percent to 25 percent of your budget is at risk * less than $10,000 High-risk * more than 25 percent of the budget is at risk * more than $10,000 (this figure was taken from a State of Ohio e-government risk-analysis document) Legal considerations concern the legal consequences if the records prove unreliable. Low-risk * internal administrative records at risk * little prospect of litigation Medium-risk * internal or external records of low importance at risk * possible litigation High-risk * external programmatic pro·gram·mat·ic adj. 1. Of, relating to, or having a program. 2. Following an overall plan or schedule: a step-by-step, programmatic approach to problem solving. 3. or vital records at risk * litigation likely Once a value is put on the records in question, decisions on how much to invest in keeping the records reliable and authentic over time become clearer. From "Information System" to "Recordkeeping System" Creating and maintaining reliable and authentic records Authentic Records is an independent record label based in Des Moines, Iowa. It was created by the band The Nadas and has signed a number of rock artists, particularly in the Midwest. requires a recordkeeping system rather than an information system. Recordkeeping systems are designed to create and maintain reliable records per se. Good examples of a recordkeeping system are those applications that meet the U.S. Department of Defense (DoD) 5015.2 standards. Some of the same functions may be present for information systems, but information systems functions are commonly based on solutions to systems or business needs rather than on recordkeeping needs. An information system, however, can be modified to meet recordkeeping requirements. Such modifications need to take place in four areas: * system documentation * record metadata (1) (meta-data) Data that describes other data. The term may refer to detailed compilations such as data dictionaries and repositories that provide a substantial amount of information about each data element. * security needs * disaster recovery plans System documentation and metadata are the foundation for creating and maintaining reliable and authentic electronic records. Documentation and metadata enable the proper creation, storage, retrieval, use, and destruction of electronic records functions that are necessary to accommodate a low-risk application. System Documentation On a broad level, documentation is the process of written actions and decisions. On the system level, documentation is information about planning, development, specifications, implementation, modification, and maintenance of system components. System documentation also must include documentation of policies regarding the creation and maintenance of information on the system. The documentation should, at minimum, answer these questions: * How is data entered and accessed? * Who is authorized au·thor·ize tr.v. au·thor·ized, au·thor·iz·ing, au·thor·iz·es 1. To grant authority or power to. 2. To give permission for; sanction: to modify data? When? How? * If data is to be duplicated, who does it? What is the process? * Who is authorized to delete To remove an item of data from a file or to remove a file from the disk. See file wipe, trash and undelete. 1. (operating system) delete - (Or "erase") To make a file inaccessible. data? * What techniques are used to index the data? * In what different ways can the data be output? System documentation should include user training documentation because untrained users may inadvertently compromise the system or the records. At a minimum, system documentation should include * name of the system and the unique identifiers With reference to a given (possibly implicit) set of objects, a unique identifier is any identifier which is guaranteed to be unique among all identifiers used for those objects and for a specific purpose. of the owners * hardware/software/network installation, modification, and maintenance * list of interconnected systems * how data is entered and/or modified * deletion and modification of records--how, why, and by whom * back-up procedures * quality assurance and control Metadata Metadata is data about data or information about information or records. (The data in a catalogue record for each book in a library is a familiar form of metadata.) Metadata should be a standardized standardized pertaining to data that have been submitted to standardization procedures. standardized morbidity rate see morbidity rate. standardized mortality rate see mortality rate. , structured format and provide a controlled vocabulary Controlled vocabularies are used in subject indexing schemes, subject headings, thesauri and taxonomies. Controlled vocabulary schemes mandate the uses of predefined, authorised terms that have been preselected by the designer of the controlled vocabulary as opposed to natural that allows for the precise description of record subject, location, and value. For electronic records, the metadata is an important and integral part of the record itself. Without it, there is no context in which the record was created. At a minimum, record metadata should include * unique record identifier * date and time of record creation * location of the record * date and time of record modification Security Needs Security needs of an electronic records system are quite different from those of a paper-based system. Electronic records, because they are so readily copied, moved, changed, or deleted Deleted A security that is no longer included on a specified market. Sometimes referred to as "delisted". Notes: Reasons for delisting include violating regulations, failing to meet financial specifications set out by the stock exchange and going bankrupt. , require additional security measures Noun 1. security measures - measures taken as a precaution against theft or espionage or sabotage etc.; "military security has been stepped up since the recent uprising" security to ensure their reliability and authenticity. Security for electronic records can be defined as those functions concerned with the protection of documents, files, systems, or areas from unauthorized access and/or damage or loss from fire, water, theft, mutilation Mutilation See also Brutality, Cruelty. Mutiny (See REBELLION.) Absyrtus hacked to death; body pieces strewn about. [Gk. Myth.: Walsh Classical, 3] Agatha, St. had breasts cut off. [Christian Hagiog. , or unauthorized alteration or destruction. Generally speaking, users should only have the level of access necessary to do their jobs. Permission to alter retention codes or to edit or delete records must be strictly controlled. Administrators should maintain lists of all current and past users of the system. Duties and access restrictions should be made so that no one individual with an interest in record content will be responsible for administering system security, quality controls, audits, or integrity testing Integrity Testing, is a name given to the Non destructive testing of piled foundations. It was used or started back in the late 1960's and has developed over the years by many companies In Europe CEBTP in Asia and Australia by Integrity Testing, and USA by GRL. functions. Security procedures should be reviewed and tested on a regular basis. At minimum, security procedures should include * user identification and access procedures See: explosive ordnance disposal procedures. , which should be documented * unique identifiers and passwords for users * user lists maintained that include current and former passwords, privileges, and responsibilities * user functions and access restricted to those necessary for users to perform their jobs Disaster Recovery Any good recordkeeping system, regardless of media, should include a disaster recovery component. Disaster recovery includes plans, policies, and procedures intended to prevent or minimize damage to records from an unexpected occurrence that may inflict widespread destruction or distress. In other words, disaster recovery efforts minimize long-term adverse effects on operations due to unforeseen circumstances CIRCUMSTANCES, evidence. The particulars which accompany a fact. 2. The facts proved are either possible or impossible, ordinary and probable, or extraordinary and improbable, recent or ancient; they may have happened near us, or afar off; they are public or . Disaster and security hazard incident recovery plans should be periodically reviewed and tested for efficiency and effectiveness. Security incident hazards include hardware or software failure or malfunction mal·func·tion v. 1. To fail to function. 2. To function improperly. n. 1. Failure to function. 2. Faulty or abnormal functioning. , human error, and unauthorized access and/or activity. Disaster recovery includes fire and/or explosion, water/flood, wind (tornado/hurricane), lightning, power outage/spike, rodents/insects, human error, and violence/terrorism. In the world of electronic records, archivists and records managers must work together for each to function effectively. Joint efforts can better ensure that electronic records are accessible, that they can be preserved, and that they are created reliably and maintained authentically. Records managers and archivists can no longer operate in relative isolation, communicating only when records move from the jurisdiction of one to the other. Much more than paper documents, electronic records demand that we communicate and work together on a continual basis. Those organizations with separate records management and archival programs will find themselves at a distinct disadvantage when facing electronic records issues. READ MORE ABOUT IT For further information on reliability and authenticity, view the Minnesota Trustworthy Information System Handbook
This article is about reference works. For the subnotebook computer, see .
For further information on risk analysis, see the California California (kăl'ĭfôr`nyə), most populous state in the United States, located in the Far West; bordered by Oregon (N), Nevada and, across the Colorado River, Arizona (E), Mexico (S), and the Pacific Ocean (W). Risk Assessment Model at www.doit.ca.gov/SIMM/RAM Questions.asp or the State Information Technology Consortium at www.state-itc.org. For further information on DoD 5015.2, see http://jitc.fhu.disa. mil/recmgt/#procedures and the Gable gable Triangular section formed by a roof with two slopes, extending from the eaves to the ridge where the two slopes meet. It may be miniaturized over a dormer window or entranceway. article in this issue. For further information on the Ohio Electronic Records Committee, visit www.ohiojunction.net/erc/index.html. Charles E. Arp, State Archivist ARCHIVIST. One to whose care the archives have been confided. of Ohio, chairs the Ohio Electronic Records Committee and is a member of the Ohio Historical Records Advisory Board. He may be contacted at carp@ohiohistory.org. Joseph C. Dickman Jr. is Project Manager/Senior Consultant with Fireproof fire·proof adj. Impervious or resistant to damage by fire. tr.v. fire·proofed, fire·proof·ing, fire·proofs To make fireproof. Verb 1. Records Center. He has directed the growth of Fireproof's imaging service bureau and undertaken numerous consulting assignments. He may be contacted at jdickmanjr@ sprynet.com. |
|
||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion