Information Management Advice 18 Managing records in business systems



Similar documents
TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL

9. GOVERNANCE. Policy 9.8 RECORDS MANAGEMENT POLICY. Version 4

Business System Recordkeeping Assessment - Digital Recordkeeping Compliance

Information Management Advice 18 - Managing records in business systems Part 1: Checklist for decommissioning business systems

Queensland recordkeeping metadata standard and guideline

Management of Official Records in a Business System

Migrating digital records

State Records Guideline No 15. Recordkeeping Strategies for Websites and Web pages

Records and Information Management. General Manager Corporate Services

Transition Guidelines: Managing legacy data and information. November 2013 v.1.0

Information Management Advice 18 - Managing records in business systems: Overview

Records Management - Department of Health

Records Management Policy

State Records Guideline No 25. Managing Information Risk

information Records Management Checklist business people security preservation accountability Foreword Introduction Purpose of the checklist

PARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN. Records Management Policy. Version 4.0. Page 1 of 11 Policy PHSO Records Management Policy v4.

System Requirements for Archiving Electronic Records PROS 99/007 Specification 1. Public Record Office Victoria

Life Cycle of Records

ANU Electronic Records Management System (ERMS) Manual

Archiving and Backup - The Basics

Digital Continuity Plan

Generally Accepted Recordkeeping Principles How Does Your Program Measure Up?

Strategies for Developing a Document Imaging & Electronic Retention Program

CCG: IG06: Records Management Policy and Strategy

Records Management Plan. April 2015

Implementing an Electronic Document and Records Management System. Key Considerations

Scotland s Commissioner for Children and Young People Records Management Policy

REVENUE REGULATIONS NO issued on December 29, 2009 defines the requirements, obligations and responsibilities imposed on taxpayers for the

State Records Office Guideline. Management of Digital Records

RECORDKEEPING MATURITY MODEL

3. Ensure the management of information is compliant with legislative requirements to maximise the benefits and minimise risks;

RECORDS AND INFORMATION MANAGEMENT AND RETENTION

Cloud Computing and Records Management

Retention & Disposition in the Cloud Do you really have control?

Policy Document RECORDS MANAGEMENT POLICY

Considerations for Outsourcing Records Storage to the Cloud

What We ll Cover. Defensible Disposal of Records and Information Litigation Holds Information Governance the future of records management programs

Union County. Electronic Records and Document Imaging Policy

OFFICIAL. NCC Records Management and Disposal Policy

EDRMS Migration Project Checklist

Territory Records (Records Disposal Schedule Disaster Recovery (Human Services) Records) Approval 2005 (No 1)

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI v1.0

2.2 INFORMATION SERVICES Documentation of computer services, computer system management, and computer network management.

FIPPA and MFIPPA: Bill 8 The Recordkeeping Amendments

INFORMATION AND DOCUMENTATION RECORDS MANAGEMENT PART 1: GENERAL IRISH STANDARD I.S. ISO :2004. Price Code

Cloud Service Contracts: An Issue of Trust

Digital Archiving Survey

Information Management Advice 50 Developing a Records Management policy

NHS Business Services Authority Records Management Audit Framework

Protecting Business Information With A SharePoint Data Governance Model. TITUS White Paper

Protecting Official Records as Evidence in the Cloud Environment. Anne Thurston

Records Management and SharePoint 2013

Information Management Advice 54 Records Management Toolkit for Local Government

Digital Continuity in ICT Services Procurement and Contract Management

CORPORATE RECORD RETENTION IN AN ELECTRONIC AGE (Outline)

Records Management Checklist. preservation. accountability. information. security. peoplep. A tool to improve records management

50238: Introduction to SQL Server 2008 Administration

Basic Records Management Practices for Saskatchewan Government*

An Approach to Records Management Audit

Records Management - Council Policy Version 2-28 April Council Policy. Records Management. Table of Contents. Table of Contents... 1 Policy...

Lord Chancellor s Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000

DELAWARE PUBLIC ARCHIVES POLICY STATEMENT AND GUIDELINES MODEL GUIDELINES FOR ELECTRONIC RECORDS

39C-1 Records Management Program 39C-3

Records Management Policy

Management: A Guide For Harvard Administrators

Records Management and Information Lifecycle Strategy

Microsoft SharePoint and Records Management Compliance

IS INFORMATION SECURITY POLICY

Records Management - Risk Assessment Tool

RUTGERS POLICY. Approval Authority: Executive Vice President for Academic Affairs and Senior Vice President for Administration

USER GUIDE: MANAGING NARA RECORDS WITH GMAIL AND THE ZL UNIFIED ARCHIVE

INTEGRATING RECORDS MANAGEMENT

15 Organisation/ICT/02/01/15 Back- up

Generally Accepted Recordkeeping Principles

WEST LOTHIAN COUNCIL RECORDS MANAGEMENT POLICY. Data Label: Public

Records Disposal Schedule Anti-Discrimination Services Northern Territory Anti-Discrimination Commission

Management of Records

Implementing an Electronic Document and Records Management System. Checklist for Australian Government Agencies

Staffordshire County Council. Records Retention and Disposal Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Management

Guideline 1. Cloud Computing Decision Making. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013

U.S. FDA Title 21 CFR Part 11 Compliance Assessment of SAP Records Management

MHRA GMP Data Integrity Definitions and Guidance for Industry March 2015

ELECTRONIC RECORDS MANAGEMENT AND ARCHIVES MANAGEMENT POLICY

UNIVERSITY OF MANITOBA PROCEDURE

ERMS Solution BUILT ON SHAREPOINT 2013

Recordkeeping for Good Governance Toolkit. GUIDELINE 14: Digital Recordkeeping Choosing the Best Strategy

Record Management in SharePoint

POLICY AND GUIDELINES FOR THE MANAGEMENT OF ELECTRONIC RECORDS INCLUDING ELECTRONIC MAIL ( ) SYSTEMS

LORD CHANCELLOR S CODE OF PRACTICE ON THE MANAGEMENT OF RECORDS UNDER

Transcription:

Information Management Advice 18 Managing records in business systems Assessment tool: Measuring recordkeeping compliance in business systems Introduction Using this tool to identify and assess core business systems as part of your Records Management Program will assist the agency to comply with the Archives Act 1983. The completed documentation must be included in the evidence provided to TAHO when decommissioning business systems (see Advice 18 - Managing Records in Business Systems). Before commencing this assessment, consult Information Management Advice 18 - Part 1: Checklist for decommissioning business systems and Part 2: Assessing recordkeeping functionality in business systems. Instructions Use tool to assess business systems against minimum recordkeeping requirements. This assessment has been divided into four sections: Records appraisal System requirements Metadata requirements Risk Assessment Criteria assessment measures Yes = the system complies with the requirement Not currently available = A gap has been identified but can be remedied by changes to the system configuration and/or procedures. An action should be documented explaining how and when this change will be implemented. Page 1 of 16

No system is not = the system is not able to meet the requirement. Risks should be identified for not being able to develop or enhance the system to comply. If the agency achieves a Yes for all questions in Sections 2 and 3, the system is of recordkeeping and meets minimum requirements for State records under the Archives Act 1983. It is not intended to constitute an endorsement by TAHO of the system being assessed, but it can be submitted to TAHO before the decommissioning process commences (the process described in Part 1: Checklist for decommissioning business systems). If after completing every section, the system is assessed as not meeting requirements, the system should be subjected to a more detailed risk analysis, and a plan for managing the records in the system should be implemented. Agency name: Department/Unit: System name and version: Business activities captured in system: System owner: Assessment conducted by: Date: Page 2 of 16

Records appraisal 1.1 Does the system contain State records? NOTE: If the business system does not hold State records, there is no need to proceed further with this assessment. 1.2 Are the records covered by a Disposal Schedule approved by TAHO? The business system has been identified as containing State records. Depending on the circumstances, records in the business system may be any or all of the following: Tables in a database Individual database records (field information) Entire database Reports generated by the application Linked documents/data in other systems Audit logs If they are not covered by a Disposal Schedule you need to contact TAHO. You will need to determine, with TAHO s assistance, what the agency and other stakeholders requirements are for accessing, using and retaining the records contained within the system. Page 3 of 16

Use this table to document the records held in the business system. It is likely that more than one record type will be held in the system. Attach additional pages as required. Retention ID1 Recordkeeping requirement2 Additional metadata requirements3 Linked records / record aggregations4 or systems Notes 1 A retention and disposal schedule reference number, or if not covered by a disposal schedule, a temporary control number (1, 2, 3 ) 2 Describe the requirements that need to be met. This could be the disposal class from a schedule, a legislative requirement, a business requirement or other. 3 Additional metadata required to be kept by the system. If the minimum metadata is not kept by the system, define what additional information or metadata must be captured and managed in other systems/locations (see Advice 18 Part 2 - Assessing recordkeeping functionality in business systems). 4 Is the record linked or grouped with other records in the system? If linked to a separate system, name that system. Page 4 of 16

System requirements: 2.1 Is there an established business owner for the business system? The business system has a known business owner who is responsible for the overall care and management of the business system. 2.2 Is the business system well documented? 2.3 Has the business system replaced a previous business system or systems? 2.4 Does the business system manage access controls that, if required, can restrict or permit access to the defined records by specified individuals or groups? Documentation of the business system s configuration, metadata schema, data dictionaries, any system customisation and/or enhancements should be attached. Previous systems that have performed the same requirements of the current system existed. These systems may still hold related records that need to be managed or migrated. Attach system migration plan. Information security and protection mechanisms are in place and documented. The system is able to provide appropriate permissions to access records in particular ways (e.g. viewing, printing, editing, copying, and transmitting.) The alteration, deletion or addition of metadata elements is controlled by administrative users only. t currently available but can be achieved with a change Page 5 of 16

2.5 Does the business system keep an audit log of actions performed in or by the system? 2.6 Can the system create and keep the digital records you have defined? (refer to page 5) 2.7 Can the records in the system be accessed? An audit log should be maintained to identify who and when users have accessed or changed records as well as any actions performed on or by the system. Audit logs give the ability to detect breaches of security, the inappropriate alteration or deletion of records and ensure that actions are being carried out according to assigned roles and responsibilities. The business system allows users to capture and store records received by the system in their native format. Where the record is made up of more than one component or object, the system must be able to maintain relationships between all components. The system must be able to store and retrieve the defined records along with their associated metadata and including all components of the records in useable, human-readable form. This can be on screen, as exported reports or printed document/extracts, or other suitable method. t currently available but can be achieved with a change t currently available but can be achieved with a change t currently available but can be achieved with a change Page 6 of 16

Metadata requirements Business systems must demonstrate that all records have a minimum level of metadata (see Advice 14 - Recordkeeping metadata standard). The system must capture/create, accumulate and maintain over time the recordkeeping metadata. Metadata can be applied automatically or manually to the records. 3.1 Does the business system create a unique identifier for each record? 3.2 Does the business system capture a title or name for each record? A unique identifier is created for each record generated within the system. A unique identifier can be an identification number, alphanumeric code or serial number applied to the record. An appropriate, meaningful description explaining what each record is about is captured. The description may be known as the Title field or Subject field. Both serve the same purpose. t currently t currently Page 7 of 16

3.3 Does the business system capture the date each record was created? 3.4 Does the business system identify who or what process creates and edits records? The date of when each record is created or captured into the system is provided. For object based records added to the system, the creation date may not necessarily be the same as the date in which it was captured. The business system identifies the person, process, or system that creates and edits records in the system. An audit log of individuals or other forms of creating (e.g. migration process) and editing mechanisms, is maintained to ensure authenticity and integrity of records. t currently t currently Page 8 of 16

3.5 Does the business system allow for the application of disposal actions, changed access rules and triggers to records? The business system allows for the application of disposal actions and triggers to be applied to records. Business systems need to be able to accommodate the disposal of records in a systematic and accountable way that is consistent with mandated records management practices. The destruction of records should be distinguishable from an ad hoc deletion so that destruction is carried out only by authorised users. Business system should allow for the appropriate sentencing (preferably on creation) which will lead to the eventual disposal of records. t currently Page 9 of 16

3.6 Does the business system allow for the review of disposal actions and triggers? The business system allows for the review of disposal actions and triggers. The value of records can alter over time, providing a different purpose for maintaining a record longer than the originally intended business purpose. As a result, reviews of disposal actions should be able to be conducted. Any disposal freezes placed on records should be able to be applied to records within the business system. The hold on disposal actions should also be able to be applied for events including impending litigation or the receipt of a discovery order. t currently Page 10 of 16

3.7 Does the business system identify that a record was destroyed (deleted) from the system? The business system identifies all records which have been destroyed under lawful means, including: The date each record was destroyed from the system is captured. The identity of who undertook the destruction process is captured. The authority (i.e. RDS and class number) under which the record was destroyed is provided. This may be held in a manual system outside of the business system. It is recommended that automated bulk destruction based on pre-defining coding is not used due to risks related to inappropriate destruction of records. t currently Page 11 of 16

3.6 Is the system able to export the defined digital records and their associated metadata to another system or to an external medium? 3.7 If applicable: Does the business system identify records migrated into the system from other systems? Records should always be readable and able to be converted for migration to other technology platforms. Links between records and metadata that give the content, context and structure of the records should also be able to be maintained and reported on or exported. The process should not degrade record relationships, data quality or metadata. The business system should produce queries and create reports on the actions carried out on records; reports on or about records in the business system, including their management. Where records have been migrated from predecessor business systems, the system indicates this history, including the date the migration occurred. The business system needs to ensure that any metadata elements carried over from predecessor systems remain linked to each record. Also, any records that have been destroyed within predecessor systems have identifiers showing their destruction. t currently t currently Page 12 of 16

Risk Assessment Risk management reduces or eliminates the risk of events having an impact on the business system and its captured records. 4.1 Are risks associated with recordkeeping and the business system identified? 4.2 Is a risk treatment plan available to minimise risk to recordkeeping and the business system? A risk assessment has been carried out to identify and mitigate possible low, high and acceptable risks associated with recordkeeping and the business system. The risk assessment may be included in the agency s risk register or a risk management plan. A risk treatment plan is established outlining how risks will be managed. Treatment plans are implemented and regularly reported on. The risk treatment plan may be included in the agency s risk management plan. Page 13 of 16

4.3 Has the business system been identified to contain vital records? 1.6 Is there an established framework for responding to disasters affecting the business system? Vital records are essential to the continuing operation of the agency in the event of a disaster and will have severe consequences to the agency if they are completely lost or destroyed. If they are able to be recreated from other sources in any way, they will most likely be costly and time consuming to do so. The agency s vital records register should list the business system, and any replacement systems. See Advice 52 - Identifying and Managing Vital Records for more information. Counter disaster measures for the business system have been established and are documented. Disaster planning includes disaster prevention, response, salvage and recovery. Vital records should be known and identified within the agency s disaster management plan. The plan should be regularly reviewed and updated to reflect the current environment. Page 14 of 16

Is regular testing done on the recovery and restoration processes of the business system? Is training provided to users of the business system? If applicable: Have all risks associated with storing records in a cloud environment been identified and managed? Regular testing is carried out on the recovery and restoration processes of the business system. Regular testing ensures that recovery and restoration processes are understood and can be effectively implemented in a disaster recovery environment. Training is provided to users of the business system. Training should include initial training on the business system to new users and have the availability of refresher training. Training may need to be divided into different categories such as user and administrator level training. A detailed risk assessment of the recordkeeping risks associated with cloud computing has been carried out. See Guideline 17 - Managing risks associated with Cloud Computing for more information. Adapted from Territory Records Office ACT, Business Systems and Digital Recordkeeping Functionality Assessment Tool (2013) Page 15 of 16

Page 16 of 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information