ECM and Compliance Marcelle Blasl ECMm² (AIIM) 2014-07-01.
• Merriam-Webster dictionary
Compliance
– The act or process of doing what you have been asked or ordered to do.
– To act in accordance with any acceptable standard or criteria.
The “acceptable standard” can refer to any kind of criteria, including business goals, performance measurements, laws, regulations or quality targets.
– A level of quality, achievement, etc., that is considered acceptable or desirable.
Why Compliance?
Transacting business is evident in the records of such activities.
• Non-compliance with legislation, e.g. Section 13 of the NARS Act dealing with the management of records
• Non-conformance to audits with respect to record keeping
Audit outcomes:
– Unqualified / Clean
– Qualified
– Disclaimers
It is all about the records
• Government drivers
– The Constitution of the Republic of South Africa, 1996, Section 32
– White Paper on e-Government
– The Batho Pele White Paper (“People First”)
• Regulatory drivers
– Companies Act
– National Archives of South Africa Act (Act No 43 of 1996) (NARS)
– Promotion of Administrative Justice Act (Act No 3 of 2000) (PAJA)
– Promotion of Access to Information Act (Act No 2 of 2000) (PAIA)
– Electronic Communications and Transactions Act (Act No 25 of 2002) (ECT)
– DPSA Regulations regarding Information Management
– Public Finance Management Act, 1999 (PFMA)
– Municipal Finance Management Act, 1999 (MFMA)
– Sarbanes-Oxley (SOX)
– King 3
– Protection of Private Information (POPI)
– Other organisation-specific
Compliance?
[Chart: estimated number of regulations per industry; industries shown: Private, Government, Financial, Medical, Construction, Mining]
Compliance continued
• Internal drivers
– Lack of formal policies, standards and standardised structures for the management of information and records
– Problems retrieving documents and information
– Insufficient security
– Problems with reporting and auditing
– Lack of good corporate governance on records and information management
– Lack of accountability: no CIO or records manager as specified in the MFMA and PAIA Acts
– Cumbersome processes and approvals
– Non-compliance with legislation exposes the organisation to risk (PFMA, PAJA, PAIA Acts)
– Performance management
– Filing space problems
– Backlogs of filing in registries
– Business operations at risk without a disaster recovery plan covering all records under its control
• External drivers
– The public demands better services
– Other similar organisations are doing it better (competition)
– Emerging technologies (many products and vendors)
ECM
An Enterprise Content Management (ECM) solution comprises the strategies, methods and tools used to capture, manage, store, preserve, and deliver content and documents related to organizational processes.
Policies
• Records Management Policy
• Records Centre Policy
• Information Security Policy
• Information Classification Policy
• Enterprise Content Management (ECM) Policy
• Archiving Policy
• Internet Policy
Other Affected Policies
• Printing / Copying Policy
• Intranet Policy
• Scanning Policy
• Digital Signatures / Approval Policy
• E-Mail Policy
• Information Management Policy
• Telephone Policy
• Social Media & Collaboration Policy
Good Records Keeping
According to the NARSSA, records management is:
A process of ensuring the proper creation, maintenance, use and disposal of records throughout their life cycle to achieve efficient, transparent and accountable governance.
Records Management
[Diagram: Section 13 of the NARS Act, with its subsections S.13(1), S.13(5), S.13(2)(a), S.13(2)(b)(i), S.13(2)(b)(ii) and (iii), and SANS (ISO) 15489 Information and documentation – Records management]
Section 13 (1)
• Mandates the National Archivist to regulate records management practices
• Aligned with international best practice and international standards
– SANS (ISO) 15489 Information and documentation – Records management
• Supports the records management requirements in section 13 of the National Archives and Records Service Act
Section 13 (5)
Designate a records manager to take responsibility for the records management practices and to ensure that the office complies with the National Archives Act.
Section 13 (2) (a)
• No public record shall be:
– transferred
– destroyed
– otherwise disposed of
• without written authorization of the National Archivist
Section 13 (2) (b) (i)
The National Archivist shall determine the records classification systems to be used by governmental bodies.
File Plan
A plan to file records
• Paper environment
– File into physical folders opened according to the File Plan
• Electronic environment
– Metadata
• Structured
• Visible
Section 13 (2) (b) (ii) and (iii)
• The National Archivist shall determine the conditions subject to which
– electronic records systems shall be managed
– records may be reproduced electronically
• Conditions contained in Managing electronic records in governmental bodies: Policy, principles and requirements
Conditions for the management of electronic records
• From a records management perspective
– Capturing of authentic and reliable records (authoritative records)
– Subject classification
– Retrieval
– Disposal
– Long term preservation
Manage records in an Integrated Document and Records Management System
• managing a corporate file plan according to which records are filed;
– including an e-mail integration that ensures that e-mails are filed to the corporate file plan;
• maintaining the relationships between records and files, and between file series and the file plan;
• identifying records that are due for disposal and managing the disposal process.
Manage authenticity
• Metadata
– Guidelines in Managing electronic records in governmental bodies: Metadata requirements
– Based on SANS 23081: Information and documentation – Records management processes – Metadata for records – Part 1: Principles
Manage authenticity
• Audit trail
– Guidelines in Managing electronic records in governmental bodies: Metadata requirements
– Based on SANS 15801: Electronic imaging – Information stored electronically – Recommendations for trustworthiness and reliability
ECM Compliance
[Diagram: dimensions of ECM compliance]
• Security and Access Control
• Financial
• Resources – People
• Regulatory
• Business – Processes
• Technology & Infrastructure
• Data and Information
RM Standards: Standard Compliance
[Chart: records management standards with the number of compliance requirements in each]
US DoD 168 / UK RIMTech 105 / Fortune 1000 105 / Victoria Public Records Office / ICA 275 / ISO 15489 / NARSSA 441
Technology
• An out-of-the-box implementation does not by itself give adherence to compliance
• Customisation does not guarantee compliance
• Third-party tools are required
Managing Compliance
1. Determine what the criteria should be
2. Develop techniques (controls) to ensure that the criteria are followed
3. Identify the risks that an organisation faces and advise on them
4. Design and implement controls to protect an organisation from those risks (prevention)
5. Monitor and report on the effectiveness of those controls in the management of an organisation's exposure to risks (monitoring and detection)
6. Resolve compliance difficulties as they occur (resolution)
7. Advise the business on rules and controls (advisory)
References:
http://www.national.archives.gov.za
http://www.rimtech.ca/f1000-requirements.html
http://www.gimmalsoft.com
Marcelle Blasl
Cell: 082 859 1507