Seven Things You Need to Know About Long-Term Document Storage and Compliance




Who Is Westbrook?

Westbrook Technologies, based in Branford on the Connecticut coastline, is an innovative software company that has been developing enterprise content management products since 1991. With nearly 24,000 users worldwide, its Fortis and FortisBlue software give users the control, speed and power to make a difference for their companies every day. This software provides lifecycle management for paper and electronic documents, along with delivering fully searchable documents and images, automated workflow and integration with other line-of-business applications. The end result is productivity to the extreme because users can find what they need fast, work from anywhere at any time, and break through organizational barriers and bottlenecks.

U.S. companies are required by law to retain documents and data in both physical and electronic format. Implementing comprehensive retention policies protects you from unnecessary risks while helping to control business costs.

While there are many recent regulations that impact a company's content management strategy, people are most familiar with the Health Insurance Portability and Accountability Act (HIPAA), which the U.S. Congress passed in October 1996, and the Sarbanes-Oxley Act (SOX), which came into force in July 2002. SOX introduced major changes to the regulation of corporate governance and financial practice. Prior to its passage, no company in the U.S. had a system of controls, auditing and reporting in place that would completely satisfy the new law.

Enterprise content management helps put practices in place to ensure continued compliance, which typically incorporates long-term archival storage. In addition, content management software provides tools for business process management and auditing, as well as document versioning.

In general, a content management implementation should have the flexibility to address retention requirements specific to an organization's industry and the states in which it operates. It's important to look for a granular security model that prevents unauthorized users from accessing documents and data. The document archive should be fully secure, even when information is shared over the Internet.

Automating document lifecycle processes also helps ensure regulatory compliance and provides an audit trail that reports on who has accessed, modified or deleted documents. Plan to carefully track user and administrator activities to assure compliance with Sarbanes-Oxley, HIPAA, state records management rules and other industry-specific regulations. Audited user activities should include indexing, modifying, deleting, viewing, forwarding, emailing and printing data and documents. Your information management strategy should include the ability to track versions, audit system changes, and protect intellectual property from unauthorized access.

The following are seven best-practice guidelines for preserving data for long-term archival storage.

1. What do you need to know before starting?

Begin by conducting a needs assessment, or discovery, to identify the best way to use content management in your organization. The implementation methodology is not a rigid process but rather a foundation of crucial steps. The purpose is to foster two-way communication between IT, other departments, and the software vendor so that everyone is in agreement on the types of services needed, how they fit into the overall implementation, and how they integrate with existing systems.

Clearly define the project scope in each department or functional group. All stakeholders have to be involved in a discovery process to define the types of documents, data, photos, graphics, audio and video files that will be archived. Businesses need to define and plan for industry-specific requirements such as the ability to archive and retrieve email for e-discovery or, in the case of public entities, to respond to Freedom of Information Act requests.

Before implementing software to improve business processes, meet compliance mandates and improve collaboration, develop an understanding of the current processes and desired improvements. Look for a vendor that takes a consultative approach to software implementation and keeps the focus on operating improvements.

2. What will you need to get started and follow through to implementation?

Post-discovery, the exchange of ideas that takes place on-site should result in a document exchange between the vendor and those who will accept the project plan. Creating a detailed project plan mitigates the risks associated with a technology purchase. Your organization should receive a blueprint from the vendor that reflects your design specifications and a bill of materials that shows all the components, implementation and training required to deliver the ROI you mandated.

Once the project plan is approved, schedule the implementation with your vendor, who will assemble, integrate and configure the components that will provide the expected functionality. The rollout should be incremental, but completed over the allocated time specified in the project plan.

3. What best practices should you follow for making sure data is preserved properly?

The document storage archive should have a strong security model and audit trail. Version control is another important feature that assures you are working with and ultimately archiving the most current, approved information. Also look for full text search, automated batch import, indexing and tools for sharing information via the Web.

Once a retention schedule is established for each document type, purging the documents is the final component within a records management workflow. Documents that meet the specific criterion will be eliminated after a particular number of days or years. Having an automated system enables organizations to limit liability and mitigate the costs associated with storing documents for longer than necessary.

All purge events should be recorded in an audit log, so there is always a way to track deleted documents. The purge component should include data clearing and sanitization using a secure tool prior to deletion as per the DOD standard.

4. How do you decide what needs to be archived?

Document retention requirements vary by state and by industry. Securities brokers and dealers, for example, are required to retain all business-related communications for three years, the first two years in an accessible format. Trucking companies must keep the results of employee alcohol tests for up to five years. All businesses must retain federal payroll tax records for at least four years from the date the tax is paid.

There are currently over ten thousand federal, state and local laws and regulations addressing document retention. The most widely enforced include:

- Health Insurance Portability and Accountability Act (HIPAA): HIPAA affects any organization that creates, receives or maintains healthcare information. HIPAA requires that Protected Health Information (PHI) be kept secure and archived for at least six years or two years after an individual's death. This includes patient medical records, billing records, authorization forms from physicians, and all communications between patient and physician: basically any healthcare information that can be linked to a specific individual.
- Sarbanes-Oxley Act (SOX): SOX mandates the retention of records used for financial audits and reporting for at least seven years. A record is any material containing information about the company, including plans, results, policies or performance. All records may be subject to an audit. The lack of a good records management and retention system is a red flag for auditors. Under SOX, the annual report of a company must include a review of the effectiveness of internal controls of the document management system, as well as the policies and processes of the company as a whole. The records also must be searchable and quickly made available upon request.

Organizations need a system that can be adopted in a wide range of regulatory environments. Your legal department or corporate counsel should get involved in helping to define the requirements.

5. What products, tools or programs might you need?

Organizations need a product that's simple to use and easily adaptable to the requirements of multiple departments across an organization. The ability to search and access documents or data via the Web is typically important. Organizations will also want to invest in off-site backup for additional disaster recovery protection. Disaster recovery software should provide real-time back-up at the byte level while offering continuous high availability of data and documents with automatic failover capabilities.

Features to look for include:

- Real-Time Data Protection: Allows continuous replication over any shared or private IP-based LAN, WAN or SAN, ensuring that altered information is protected and can be quickly restored at all times
- Application Agnostic: Ability to work with your existing hardware to protect documents and data within all software applications
- Continuous Data Protection: Guarantees business continuity and high availability by restoring access to data in minutes with failover capabilities to maintain a seamless working environment

6. What are the benefits of following the recommended practices?

Risk Reduction

- Archive all electronic and paper-based documents: Store documents that must be retained in a secure electronic repository
- Security and retention: Create and communicate strict policies around security and document retention
- Business process automation: Publish, enforce, and audit mandated business processes
- Transparency: Enable rapid access to all appropriate business documents
- Discovery: Be able to search corporate documents to discover all information pertaining to specific business issues
- Monitor Access: Prevent unauthorized use, editing or deletion of documents
- Confidentiality: Safeguard private data through access security and redaction

Solution Mechanism

- Advanced capture and secure retention: Image and archive all incoming and outgoing paper and electronic communications
- Revision control: Place all office documents (Microsoft Word, email, faxes, spreadsheets, memos) under revision control and enforce pre-determined retention strategy
- Automated processes: Ensure compliance by providing electronic notification and automatic escalation to minimize human error
- Comprehensive audit trail: Detailed reporting on who views, accesses, prints, and changes all documents
- Full text search: Index content for easy retrieval, audit and discovery

Compliance Benefits

With the right content management system, your organization can:

- Ensure adherence to compliance regulations and corporate best practices
- Audit all access and modifications to corporate documents
- Impose document retention and purging schedules
- Enable permission-based access to relevant information pertaining to potential legal matters
- Ensure the ability to find, retrieve and deliver files for a timely response to information requests
- Provide a disaster recovery backup to ensure critical records are never lost

7. What pitfalls do you need to watch out for?

It is important to plan for exceptions to every retention rule. For example, typically an invoice is retained for seven years. However, if that invoice has never been paid or may be required as evidence for an ongoing court case, you will want a mechanism to flag that invoice and save it. Be aware that multiple laws may affect the retention period of the same record or file. The common exceptions to retention rules can be discussed during the initial discovery process.

Once you have drafted a data retention and destruction policy, it should be uniformly enforced throughout the organization. Inconsistent enforcement (for example, permitting high-level employees to destroy data more frequently than provided under the policy) could support a charge that the policy was intended to camouflage bad faith destruction of evidence.

In addition, you should examine all storage media assigned to employees who have resigned or have been terminated. Move records subject to statutory or regulatory retention periods to the appropriate storage medium. Destroy all other data the former employee has stored.
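The purge workflow from section 3 combined with the exceptions described in this section, as an added example that is not taken from the white paper or from any Westbrook product. All names here (`SCHEDULE`, `Document`, `sweep`), the `state_rule` period, and the choice to let the longest applicable period govern are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Retention periods in years, per document type and per rule. The 7- and 6-year
# figures come from the text; "state_rule" is a made-up second rule used to show
# two rules applying to the same record.
SCHEDULE = {
    "invoice": {"company_policy": 7},
    "phi_record": {"hipaa": 6, "state_rule": 10},
}

@dataclass
class Document:
    doc_id: str
    doc_type: str
    created: date
    holds: set = field(default_factory=set)  # exception flags, e.g. {"litigation"}

def purge_due(doc):
    """Earliest purge date, or None if the type has no schedule."""
    rules = SCHEDULE.get(doc.doc_type)
    if not rules:
        return None
    years = max(rules.values())  # assumption: the longest applicable period governs
    try:
        return doc.created.replace(year=doc.created.year + years)
    except ValueError:  # created on 29 February, target year is not a leap year
        return doc.created.replace(year=doc.created.year + years, month=3, day=1)

def sweep(docs, today, actor, audit_log):
    """Decide purge/retain for each document and record every decision."""
    purge_ids = []
    for doc in docs:
        due = purge_due(doc)
        if due is None:
            decision, reason = "retain", "no retention schedule for type"
        elif doc.holds:
            decision, reason = "retain", "hold: " + ",".join(sorted(doc.holds))
        elif today < due:
            decision, reason = "retain", f"retention runs until {due.isoformat()}"
        else:
            decision, reason = "purge", f"retention ended {due.isoformat()}"
            purge_ids.append(doc.doc_id)
        # Logged before anything is deleted, so a purge is always traceable.
        audit_log.append({"date": today.isoformat(), "actor": actor,
                          "doc_id": doc.doc_id, "decision": decision, "reason": reason})
    return purge_ids

# Constructed sample records.
SAMPLE_DOCS = [
    Document("inv-1", "invoice", date(2010, 3, 1)),
    Document("inv-2", "invoice", date(2010, 3, 1), {"litigation"}),
    Document("phi-1", "phi_record", date(2011, 6, 1)),
    Document("memo-1", "memo", date(2005, 1, 1)),
]

if __name__ == "__main__":
    log = []
    print(sweep(SAMPLE_DOCS, date(2018, 1, 15), "retention-job", log))
    for entry in log:
        print(entry)
```

Only the returned IDs would be handed to the sanitize-and-delete step; documents of an unscheduled type are retained rather than purged by default, and the same code path runs for every actor so enforcement stays uniform.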

Summary

Long-term document storage, or archiving, means keeping documents and data around for a defined period. Organizations can successfully use content management and related archiving to be in compliance with a defined set of legal or regulatory requirements, and then be able to prove that they actually meet those requirements. The exact length of time you need to retain documents and data varies between organizations and industries.

The goal of archiving is to keep your documents around for as long as necessary in a manner in which you can search, process and retrieve them when required. When they are no longer needed, purge them from your system. By maintaining an audit log of purge events, you will be able to track deleted documents to further ensure compliance.

1150 National Pky. Mansfield OH, 44906
877-529-8295 419-529-8295
www.mtbt.com

Westbrook Technologies, Inc
22 Summit Place, Branford, CT 06405 U.S.A.
Tel: +1 203 483 6666 Fax: +1 203 483 3350
westbrooktech.com

THIS DOCUMENT IS PROVIDED TO YOU FOR INFORMATIONAL PURPOSES ONLY. The information furnished in this document, believed by Westbrook Technologies, Inc. to be accurate as of the date of this publication, is subject to change without notice. Westbrook assumes no responsibility for any errors or omissions in this document and shall have no obligation to you as a result of having this document available to you or based upon the information it contains. The Westbrook logo is a registered trademark of Westbrook Technologies, Inc. Westbrook, Fortis and FortisBlue are trademarks of Westbrook Technologies, Inc. All other products and services are the registered trademarks of their respective holders.

Copyright 1997-2011, Westbrook Technologies, Inc. All Rights Reserved.