May, 2006
Records Information Management
First, the Securities Exchange Act of 1934, specifically Rule 17a-4, defines a business record as “Originals of all communications received and copies of all communications sent by such member, broker or dealer (including inter-office memoranda and communications) relating to his business as such.” It goes on to require, among other things, that electronic storage media preserve the records exclusively in a non-rewriteable, non-erasable format and automatically verify the quality and accuracy of the storage media recording process.

The National Association of Securities Dealers manual also has some interesting ideas, especially in Section 3110. NASD § 3110 also defines email as a business record.
The Sedona Principles’ Best Practices Recommendations & Principles for Addressing Electronic Document Production, unlike the NASD and SEC rules described above, does not define what a business record is directly. Instead, it focuses on the idea that organizations need to create an electronic document preservation program that helps “business units establish practices and customers, tailored to the needs of their businesses, to identify the business records they need to retain”. For this group, a business record is anything falling within the organizationally provided definition.
One last resource I have used as a model is ARMA International. ARMA is a professional organization and is the recognized authority in records management. ARMA was a key contributor to the ISO 15489 international records management standard.

Some quotes from the ARMA International website:
“It's estimated that more than 90% of the records being created today are electronic. Coupled with the overwhelming growth of electronic messages - most notably e-mail and instant messaging - the management of electronic records has become a critical business issue. How that information is managed has significant business, legal, and technology ramifications. Ultimately, it doesn't matter what medium is used to create, deliver, or store information when determining if content is a record and should be managed accordingly.”

“Records and information are at the core of every transaction any organization undertakes. Therefore any inadequacy in those records and information – including noncompliance with regulations such as the Sarbanes-Oxley Act and international privacy laws – can threaten the organization’s ability to conduct business. Yet many organizations lack effective policies and procedures for systematic control of recorded information. As a result, they risk extensive penalties for non-compliance with recordkeeping regulations, a tarnished reputation, and possible legal liability. That makes records management one of the most powerful tools in the compliance and risk management arsenal.”

“ISO 15489, the international records management standard, is recognized worldwide as establishing the baseline for excellence in records management programs. Other standards that influence how organizations manage information and records include the U.S. Department of Defense's 5015.2 and MOREQ.”
ARMA International divides records into four categories.

1) Vital records are any records that an organization must have to conduct business and likely could not replace if they were destroyed.

2) Important records support an organization’s business operations and, if destroyed, would be replaceable, but only at great cost.

3) Useful records are helpful in conducting business operations and, if destroyed, would be easy to replace, or the organization would not greatly feel their loss.

4) The final category is nonessential records. This category does not contain any business records; instead, it is for any record that has no predictable value to the organization after its initial use. Records in this category should be destroyed after use.
ARMA suggests that special backup and protective measures should be taken for records in categories (1) and (2).

Category (1) and category (2) files are the easiest to define for any organization. Defining which email records belong in category (3) may be more complicated and require a definition based on regulations and standards, augmented by organizational policies.

Category (4) will by default end up containing any email that does not fit the other categories. Examples of such email are announcements and bulletins to employees and their acknowledgements.
All this has evolved into something called the Unified Compliance Framework (UCF). Here is a chart I found on the Internet showing the UCF structure.

The UCF tracks several hundred regulations, standards, generally accepted principles, and guidelines. This table summarizes the major categories of documents that call for the various types of controls for business record information assurance.
