Lost in Cyberspace
An integrated records repository can save critical e-mails from disappearing into an electronic black hole
Business processes have jumped to cyberspace at warp speed. A vast majority of organizations now regularly conduct business transactions via e-mail, cell phone, mobile messaging, wireless PDAs, online discussion forums, Instant Messaging, and peer-to-peer file sharing. Yet many entities that have adopted these new technologies do not have policies and systems in place to control and manage them.
In the recent survey “E-Mail Policies and Practices: An Industry Study,” conducted by AIIM International and Kahn Consulting, Inc. (2003), fully 100 percent of respondents say they use e-mail for business purposes, including highly sensitive transactions and activities with legal and compliance implications, yet 60 percent of the same respondents have no formal policy governing e-mail retention.
E-mail messages, along with other digital documents, become official records when the information they contain directly affects the transaction of business and an organization’s legal obligations. (See sidebar “What IS a ‘record’?,” pg. 27.) As such, e-mail messages and their attachments must be preserved in an unaltered state within an electronic records management (ERM) system that allows the documents to be stored, located, and retrieved during a regulated life cycle.
Just as physical records management, which includes paper documents, microform, and other types of physical evidence, is accepted as sound business practice, the retention of those documents created or received in electronic formats also is essential to carrying out an entity’s mission and complying with industry standards, laws, and government regulations.
However, many IT managers do not fully understand that retaining electronic business records goes beyond saving them on a computer. Archiving electronic documents must retain original data integrity, including authenticity, reliability, and usability, so that the records are acceptable as evidence for legal purposes or for transacting business.
Resistance is Futile
Since the Arthur Andersen and Enron failures, new laws and regulations, such as the Sarbanes-Oxley Act, Securities and Exchange Commission Rule 17, and the Health Insurance Portability and Accountability Act among others, have renewed emphasis on entities’ accountability and translate into tight control and retention of electronic communications, including e-mail.
For example, Sarbanes-Oxley defines “records” as including e-mails related to the transaction of business, along with the original content and history. The Act imposes severe penalties if e-mail records are arbitrarily destroyed without a justified retention policy in place.
Faced with the consequences of noncompliance with these regulations, many organizations have taken the position of printing each electronic message and attachment and filing the hard copies into their existing records management systems. Not only does this approach increase storage demands on the physical document repository, but also it can actually compromise the integrity of electronic documents by altering their original state.
Storing e-mail records in desktop users’ personal electronic mailbox folders makes the documents inaccessible to other authorized personnel and keeps them outside the formal records management retention system because the e-mails remain under end users’ control to save or delete at will. Too often individual e-mail account size is predetermined by a storage quota, and messages are saved or deleted accordingly.
Backing up the main e-mail server on tape media only preserves messages residing on the system at the time of backup, and does not account for e-mails sent, received, or deleted during the day. Retrieval of messages transferred to backup tape is both difficult and time consuming. (See sidebar “A Cautionary Tale,” below.)
E-mail archiving within electronic mail systems is a start, but true archiving means creating permanent copies through a standalone archiving package and saving the indexed, noneditable records in a secondary location or storage area network.
In its white paper “E-Mail Archiving and Records Management,” sponsored by eManage and published in March 2002, Ferris Research, Inc., summarizes, “Organizations must be able to define and retain important records and make them available for audit and other types of access. When users delete e-mail to stay beneath a message store quota, they, and not the organization, make the decisions as to what should be maintained. Administrators, not individuals, need to ensure that e-mails are analyzed, and that appropriate entity assets are identified and retained for future use. ARM [e-mail archiving and records management] technology helps organizations decide what e-mails constitute intellectual property and then ensures that the e-mails are correspondingly classified, stored, and made accessible.”
Charting a Course
The solution to an enterprise-wide records management system for both physical and electronic records in all formats, including e-mail, is an integrated records repository, a central system that standardizes indexing, classification, search and retrieval, tracking, reporting, and disposition of all critical business records according to the organization’s records management policies.
With a central repository, records management software is installed on every desktop, and employees are trained in the entity’s records management/retention policies to know what needs to be saved and how to save it. Desktop users declare and classify electronic documents, including e-mail messages, attachments, and images, as business records into the system for long-term archiving, although copies can be kept on the desktop. Duplication of retained records is eliminated and data is compressed. An audit trail is created. Multiple users have simultaneous access to the electronic documents over the network with the security administrators granting or restricting access. Because the original documents are not removed from the system they cannot be edited, misfiled, stolen, damaged, or lost.
Because government entities use e-mail for both internal and external communications, such as memos, discussion, budgetary information, and communications with agencies, civilians, and contractors, the U.S. National Archives and Records Administration (NARA) endorsed the “Design Criteria Standard for Electronic Records Management Software Applications.” The standard DoD 5015.2-STD, created by the Department of Defense and revised in June 2002, establishes baseline definitions and mandatory functional requirements for records management software to be used by all federal agencies to manage electronic records, including those that are classified. (Downloadable versions of the DoD directive as well as additional information about the certification process are available through NARA’s Web site; log on to: www.archives.gov/records_management/initiatives/dod_standard_5015_2.html.)
The revised standard requires that audit trails and safeguards be incorporated into the records management application’s information architecture to ensure that e-mail and other electronic records remain in their authentic formats to preserve their integrity and evidentiary value, that e-mail records contain the real names of senders and addressees, and that the records management system has the ability to retrieve and export e-mail from the records repository.
Furthermore, the value of DoD 5015.2-STD lies in its application to both the public and private sectors, as it defines best practices for electronic records management systems and gives criteria for vendor certification according to the Federal Records Act, Title 36 Code of Federal Regulations, and NARA’s e-Government Electronic Records Management Initiative. Currently more than 40 certified vendors offer commercial, off-the-shelf software products that comply with the DoD standard for electronic records management. (See sidebar “DoD 5015.2-STD Compliant Vendors of Electronic Records Management (ERM) Software Systems,” pg. 30.)
An organization should implement its records archiving system slowly and in stages, beginning with selecting and installing a basic module, training employees to use it, testing its operability, and solving any problems before moving on to the next phase, until full implementation is achieved.
Back to the Future
According to David Ferris, president of Ferris Research, the e-mail archiving market will reach $200 million in 2003 and grow 50 to 100 percent a year for each of the next four years. As more entities recognize the critical need for e-mail archiving and plan to implement integrated records retention systems, they will find vendors ready with certified and compliant technology products that can be tailored to an entity’s size, functions, and organizational needs.
It would be wise to remember that today’s storage media have their limitations. Magnetic and optical disks degrade over time, application software updates into enhanced versions, and hardware systems become obsolete and evolve into new technologies. But the integrity of electronic records must remain independent of hardware or software. Entities should plan for new integrated repository systems that will offer backward compatibility with older media and create a planned conversion schedule that establishes periodic rollovers into updated records management applications to ensure retention of and access to critical business records for as long as they are needed.
A Cautionary Tale
Burst claims that many e-mails relating to its meetings with Microsoft from fall 1999 to early 2001 exist but have not been produced as evidence during pretrial discovery. Burst attorney Spencer Hosie contends, “These were e-mails that absolutely undeniably existed once, but for some reason are no longer at Microsoft System.”
In August, U.S. District Judge Frederick Motz in Baltimore ordered that Microsoft must search for any deleted e-mails relating to the discussions. Microsoft attorney John Treece argued at the hearing that “looking for e-mails on file server backup tapes is highly unlikely to be successful, but absolutely certain to be enormously time-consuming and expensive.” Judge Motz called it “a burden of Microsoft’s own making.”
Source: “Microsoft Sued Over Web Movie Technology,” by The Associated Press, published online by The New York Times, www.nytimes.com/aponline/technology/AP-Microsoft-Burst.html, September 29, 2003.