MEETING COMPLIANCE REQUIREMENTS WITH DOCUMENT MANAGEMENT SOFTWARE BY JAMES TRUE

Similar documents
Document Imaging: A White Paper

MASSIVE NETWORKS Online Backup Compliance Guidelines Sarbanes-Oxley (SOX) SOX Requirements... 2

Compliance in the Corporate World

Rackspace Archiving Compliance Overview

savvisdirect White Papers

Recovering Microsoft Office SharePoint Server Data. Granular search and recovery means time and cost savings.

"Bring Your Own Device" Brings its Own Challenges

10 Steps to Establishing an Effective Retention Policy

ARCHIVING SERVICES SERVICE DEFINITION

How to Go Paperless In Three Simple Steps: A Guide for Small Businesses

Archiving, Retrieval and Analysis The Key Issues

Archiving Services

Protecting Data-at-Rest with SecureZIP for DLP

Waiting to Upgrade: Understanding Archiving and ediscovery Limitations in Exchange by Michael Noel and Rick Wilson

Recovering Microsoft Office SharePoint Server Data

WHITE PAPER: BUSINESS BENEFITS

Streamlining the drug development lifecycle with Adobe LiveCycle enterprise solutions

COMPLIANCE BENEFITS OF SAP ARCHIVING

The True Impact of Documents on Business Today

Addressing Legal Discovery & Compliance Requirements

DOCSVAULT WhitePaper. Concise Guide to E-discovery. Contents

Achieving HIPAA and HITECH Compliance. with Enterprise Single Sign-On

Driving Success. Make Time & Attendance as Easy as Your Project Costing IME TRACKING

DELAWARE PUBLIC ARCHIVES POLICY STATEMENT AND GUIDELINES MODEL GUIDELINES FOR ELECTRONIC RECORDS

Archiving and the Cloud: Perfect Together

How To Restore From A Backup In Sharepoint

Cabinet NG, Inc. DOCUMENT MANAGEMENT IN THE PERSONAL INJURY LAW FIRM BY ANDREW BAILEY

# Is ediscovery eating a hole in your companies wallet?

ARCHIVING FOR DATA PROTECTION IN THE MODERN DATA CENTER. Tony Walker, Dell, Inc. Molly Rector, Spectra Logic

Security in Fax: Minimizing Breaches and Compliance Risks

Seven Steps to Designating Owners of Unstructured Data

Enhancing Microsoft Exchange & Office 365 Archiving, Retention, and Discovery with Netmail

Implementing HIPAA Compliance with ScriptLogic

8 Best Practices to Make Time and Attendance Easy

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

Document Management Glossary

Product Brief. Intacct Financials & Accounting. Intacct General Ledger

Streamline Enterprise Records Management. Laserfiche Records Management Edition

Veritas AdvisorMail. archiving, compliance, and ediscovery solution designed specifically for U.S. financial services companies

HIPAA Compliance and the Protection of Patient Health Information

White Paper. Why Should You Archive Your With a Hosted Service?

Veritas Enterprise Vault.cloud for Microsoft Office 365

Introduction Thanks Survey of attendees Questions at the end

retained in a form that accurately reflects the information in the contract or other record,

Security Information Lifecycle

Websense Data Security Suite and Cyber-Ark Inter-Business Vault. The Power of Integration

Preservation and Production of Electronic Records

WHY CLOUD BACKUP: TOP 10 REASONS

archiving, compliance, and ediscovery solution designed specifically for U.S. financial services companies.

OVERCOME REGULATORY DATA RETENTION CHALLENGES WITH COMPLIANCE ARCHIVING

Using EMC SourceOne Management in IBM Lotus Notes/Domino Environments

RECORDS MANAGEMENT RECORDS MANAGEMENT SERVICES. Cost-Effective, Legally Defensible Records Management

Strategies for Developing a Document Imaging & Electronic Retention Program

Partner / E-Discovery Team Chair. Craig Roy Director of IT & E-Litigation Services

EPA Classification No.: CIO 2155-P-3.0 CIO Approval Date: 04/04/2014 CIO Transmittal No.: Review Date: 04/04/2017

The Recipe for Sarbanes-Oxley Compliance using Microsoft s SharePoint 2010 platform

InstaFile. Complete Document management System

Add the compliance and discovery benefits of records management to your business solutions. IBM Information Management software

Document Management and Records Management in SharePoint Scott Jamison

Making Compliance Work for You

Can CA Information Governance help us protect and manage our information throughout its life cycle and reduce our risk exposure?

White Paper. Anywhere, Any Device File Access with IT in Control. Enterprise File Serving 2.0

E- Discovery in Criminal Law

EMR. The Easiest Path to. White Paper. Healthcare Document Management for Provider Organizations

Why you need Cryoserver for your Office 365 cloud service

Cloud Security Trust Cisco to Protect Your Data

Protecting Business Information With A SharePoint Data Governance Model. TITUS White Paper

The Impact of HIPAA and HITECH

MHRA GMP Data Integrity Definitions and Guidance for Industry March 2015

City of Minneapolis Policy for Enterprise Information Management

GxP Process Management Software. White Paper: Software Automation Trends in the Medical Device Industry

Outsourcing HR: Advantages for Small Businesses

Emptoris Contract Management Solution for Healthcare Providers

Knowledge Capture Voice - Compliance Enabled Call Recording

MHRA GMP Data Integrity Definitions and Guidance for Industry January 2015

CORPORATE RECORD RETENTION IN AN ELECTRONIC AGE (Outline)

10 Hidden IT Risks That Threaten Your Practice

Office of the Chief Information Officer

Board Portal Essentials for Community Banking

Protecting Official Records as Evidence in the Cloud Environment. Anne Thurston

Symantec Enterprise Vault.cloud Overview

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

The Phoenix Corporate Legal Suite. Efficient Document, , and Matter Management for Law Departments and In-house Counsel

Real-World Strategies for Effective Document Management

Taming the Beast Open Records and Discovery for

The Business Case for Data Governance

Active Directory Auditing The Need and Result

M-Files QMS. Out-of-the-Box Solution for Daily Quality Management

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

Cloudbuz at Glance. How to take control of your File Transfers!

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Integrated archiving: streamlining compliance and discovery through content and business process management

How To Ensure Health Information Is Protected

Why cloud backup? Top 10 reasons

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Archiving Compliance Storage Management Electronic Discovery

INTEGRITY IN ACTION - HEALTH CARE COMPLIANCE

RECORDS MANAGEMENT POLICY

Life Cycle of Records

Transcription:

2009 Cabinet NG, Inc BY JAMES TRUE

Table of Contents Introduction... 3 What is Compliance?... 3 Key Compliance Elements... 4 Managing documents... 4 Enforcing security/disaster recovery... 6 Auditing activities... 7 Conclusion... 8 CNG White Paper Page 2

Introduction Compliance is of primary concern to financial service, healthcare, and government organizations. Meeting compliance regulations have historically been perceived as an onerous burden. Today, leading companies are taking a broader approach to meeting compliance and are even embracing the benefits compliance offers. Meeting compliance must be a systemic process that touches all aspects of an organization. Most governmental regulations deal with the handling of business and personal information. Regulations are designed to protect against a diverse array of risks that span different industries, disciplines, and government agencies. Most compliance regulations are the result of prior industry failings, now recognized as best practices. Many companies not subject to compliance regulations are taking the initiative to follow industry best practices anyway because of the value to operations and business reputation. For example, several manufacturers electively become compliant with ISO 9000 standards in the course of good business and become more competitive. Similar to a restaurant displaying an excellent health inspection score, meeting compliance builds consumer confidence. Companies who embrace compliance as a positive opportunity to impact business will enjoy all the benefits it has to offer. Besides, if the business must invest in meeting compliance regulations, it might as well get the most out of its investment. If you think compliance is expensive, try noncompliance. Former Deputy US Attorney General Paul McNulty This paper is based on the three tenets of information compliance: Records Management, Data Security, and Audit. It will also highlight the value of applying an Electronic Document Management System (EDMS) as a tool to meet compliance while delivering significant improvements to operational efficiencies. Compliance is an extremely large topic and cannot be fully addressed by reading a single document. This document summarizes the key elements of applying electronic document management to satisfy compliance regulations and is not a complete or comprehensive guide to compliance. What is Compliance? Wikipedia defines regulatory compliance as: describes the goal that corporations or public agencies aspire to in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and regulations Several disciplines including medical, financial and manufacturing each follow their own set of regulations. In the medical environments the most common body of regulations is The Health Insurance Portability and Accountability Act (HIPAA) which was enacted by the U.S. Congress in 1996. HIPAA sets the basic requirements that health insurance plans and providers must meet, including keeping a person s medical information private. The Securities and Exchange Commission (SEC) is a key regulatory CNG White Paper Page 3

arm of the federal government in the financial industry. It sets and enforces rules, and is charged with ensuring the integrity of the markets. Laws that govern the Securities industry include: Securities Act of 1933 Securities Exchange Act of 1934 Trust Indenture Act of 1939 Investment Company Act of 1940 Investment Advisers Act of 1940 Sarbanes-Oxley Act of 2002 Mandatory manufacturing regulations generally address: Occupational Safety and Health, Environmental, and Construction/Fire codes. Whereas ISO 9000 is typically voluntary and widely used by manufacturers, certain countries require ISO certification and many customers prefer vendors and suppliers that are ISO-certified. In the series of standards for ISO 9000, ISO 9001 is among the most popular because it applies to all types of organizations. This ISO standard is primarily concerned about quality management and fulfilling customer and regulatory requirements through continuous improvement of the ISO 9001 quality system. Regulations set by the government are intended to reduce risk and increase overall quality for all parties involved. Regulations should also be an integral part of employee training and the evaluation of the effectiveness of current practices. As regulations and legislations change, managers must work to evolve their practices as well. Establishing the organization's own Best Practices is an excellent way to comply with existing regulations and make changes and innovations that will improve overall productivity, safety and operational efficiency. All levels of government; federal, state, and local can provide separate regulations to follow. Some regulations apply regardless of the nature of the business and, of course, a business in more than one state or local jurisdiction must comply with applicable laws and regulations from all applicable jurisdictions. Many businesses appoint a compliance officer to oversee that the organization is in compliance with all required regulations. Several agencies have public information departments to assist in providing information and obtaining compliance. Key Compliance Elements The majority of regulations are addressed by one or a combination of three categories: managing documents, enforcing security/disaster recovery, and auditing activities. Managing documents Organizations rely on various technologies to help meet compliance requirements. Of these technologies, managing documents is the most prevalent. Technology for managing documents has steadily received new functionality over the last decade. As a result, we have seen this technology labeled as Records Management, Content Management, Enterprise Content Management, and simply Document Management, among others. For practical purposes, these terms are virtually CNG White Paper Page 4

interchangeable. We will use Electronic Document Management System (EDMS) for consistency throughout this document. So how does EDMS help with meeting compliance? To remain in compliance, any organization must demonstrate its ability to know the absolute whereabouts of all documents at any given moment. Accomplishing this in a paper-based environment is no longer practical. Before we get too far ahead of ourselves, let s review what a document is. Compliance regulations encompass several types of documents. From the EDMS perspective, there are two categories of documents, paper and electronic. Electronic documents are put into the EDMS as electronic files. Paper documents must be scanned and converted into electronic files to be placed in the EDMS. Electronic documents come in a number of formats such as tif, doc, xls, ppt, pdf, xml, etc. The best way to organize, track and control documents is to place them into the EDMS document repository. This is the foundation that creates numerous advantages for the organization. First of all, the whereabouts of a document is always known by the system. Anyone with proper authority can quickly locate any document with as little as one piece of information about the document. A good EDMS will give the user a number of methods for locating a document including: structural search (mimicking the physical filing aspects of a cabinet, folder, tab structure), Metadata search (file attributes such as name, size, data type, age, etc.), or full text search (locating words within the document s body). This gives the user the flexibility to use the right tool based on what they know about a document. Having a full arsenal of search options impresses auditors and can shorten the time spent on the audit process. Another common requirement with most compliance regulations is the ability to control the lifecycle of a document. Depending on the regulation, this may include the ability to prevent a document from being deleted within a defined period and/or prevent a document from being edited. Two system values in the EDMS are used to control these lifecycle aspects. Retention determines how long a document must be in the system before it can be deleted. Retention periods are defined based on what the document is and the industry in which it is being used. An employee application may need to be retained for 2 years in one industry and 5 in another. Retention policies can range from none through forever. Edit rights are used to control whether a document can or cannot be edited. In most cases, both the retention and edit rights are put in place the moment the document enters the system. Setting these attributes can also be automated so they are set without user assistance. This can come in handy in demonstrating how the organization s policies are being consistently enforced during a compliance audit. Some industries, such as legal, may also require the ability to handle retention exceptions. A legal hold is a process an organization uses to preserve all forms of relevant information when litigation is reasonably anticipated. Recent amendments to the United States Federal Rules of Civil Procedure (FRCP) require organizations to hold all electronic records until each legal matter is formally settled, even if an organization only reasonably anticipates litigation. Retention policies implemented in the EDMS should have the means of supporting this requirement, regardless of what the document s initial retention policy was. Another feature used during a legal hold is workflow. EDMS workflow automates the CNG White Paper Page 5

traditional cumbersome process of formally notifying all custodians and distributing instructions and collecting agreement to its terms. Workflow is also a powerful tool for accelerating general processes and enforcing policies that may be related to compliance. Staying with the human resources example, let s assume all new applications must be handled in a particular manner. In addition to setting the appropriate retention and security rights when the application is filed in the EDMS, all new applications must be reviewed by HR and the department head in determining if they qualify for an interview. If qualified, HR will invite the candidate in for a formal interview. If they do not qualify, HR will send the candidate the company s standard thank you letter. Custom workflows are easily set up to automate this example. The end result is having a highly efficient process for handling all new applicants. In addition, laws and regulations at the federal, state, and local levels regulate how companies conduct staffing. Using workflow can help build a strong defense in the three sensitive areas of legal concern with which managers must comply: equal opportunity, affirmative action, and sexual harassment. Enforcing security/disaster recovery Enforcing security and providing for disaster recovery are chief compliance criteria regardless of industry. Securing documents in an EDMS needs to be accomplished in a way that enables users to be productive the moment they log into the system, yet prevent them from ever accessing restricted information. EDMS user access control needs to be enforced at multiple levels to allow all users instant access to entitled information. The best structure for implementing and managing access control is based on the metaphor of a physical filing. This gives access rights a logical hierarchy of control. Users can have access rights enforced at the repository, cabinet, folder, and document level. Top levels, such as the repository and cabinet, simply need to enforce having yes/no access rights, meaning the user either sees or doesn t see these items. Folders and individual documents require a more granular control mechanism. User rights for these items need to include the ability to control what the user is permitted to do with the document or folder. Enforceable rights should include: Folder Rights None Preview View Edit Create Delete Lock Export (indexes / contents) Transfer (move / copy) Document Rights None Preview View Edit Create Delete Lock Export CNG White Paper Page 6

Note: User rights are also affected by the document s retention and legal hold status. When a legal hold (also known as suspended) or retention policy is in effect, documents cannot be edited or deleted regardless of the user s rights. Another benefit of using the EDMS for maintaining compliance comes into play when back-up and disaster recovery needs are addressed. No EDMS should ever be implemented without a sound backup/disaster recovery plan. Fortunately the EDMS itself simplifies back-up and recovery dramatically because all documents and system information are centrally located in the repository. A repository consists of two elements, the database and the documents. Both must be backed up for reliable system recovery in the event of a disaster. This is far more manageable then trying to recover documents stored on individual laptops and computers. The EDMS should be able to work with both on or off premises back-up implementations. When using off premises back-up, make sure it also includes an additional layer of security by using encrypted communication links. Some compliance requirements also mandate periodic system recovery testing to verify the recovery plan is working. Required or not, disaster recovery testing is just good policy, much like replacing the batteries in a smoke detector once a year. Auditing activities There are two components for having a successful audit. First, all activity needs to be captured in a transaction audit log. Second, the capability to filter the log data needs to be available so it can be presented in a useful manner. Every action performed by a user is added to the audit log with a date/timestamp. This gives administrative personnel the ability to generate a report based on a range of items. The administrator creates a query for the audit database by constructing it from a wide range of options. Filters may be grouped using AND/OR clauses. These features enable the administrator to create specific queries to answer questions such as, Which documents did Susan create in the vendors cabinet on 12/31/2008?, or Who has viewed Joe Black s patient file in the last year? Queries may be saved and recalled allowing administrators the ability to build a library of common queries which may be called up whenever needed. Administrative generated reports can be very simple reports of a specific activity or complex queries covering multiple criteria. Once a report is generated, the resulting data can be previewed or saved in a variety of file formats such as html, text, excel, etc. for additional data manipulation and report formatting. Beyond satisfying the compliance aspects of audit, auditing activities can be a powerful tool when it comes to identifying events that are too time consuming and in need of improvement. Whether the auditor requests information about a particular document (i.e. when it was created, edited, moved or deleted) or a global action (i.e. listing all documents created in the past 90 days), the EDMS built-in audit functions need to be able to handle the task. Using an EDMS that is built on a powerful industry standard database offers the highest performance and flexibility to accomplish this task. Complementing the audit functions are search and trace functions. Search is used daily by end users of the EDMS to locate specific information. Trace is a simple function that allows the user to review the workflow history of an entire folder or individual document. Trace is especially helpful in demonstrating CNG White Paper Page 7

that a workflow process is following the organization s documented policies. Just like Audit reports, Trace reports can be immediately previewed on the monitor or saved in a variety of file formats for data reorganization and reporting. Compliance requirements will often require an organization to produce a complete set of documentation that clearly defines various policies and procedures. During an audit, these policies and procedures must be demonstrated as being readily available and followed. Storing policies and procedures in the EDMS is the best way to make sure they are readily available for reference and review. Version control can be used to keep documentation up to date while maintaining a historical account of all modifications. Creating specific workflows based on policies and procedures also ensures everything remains in order and is properly documented. Workflow policies can also be applied to ensure all policies are periodically reviewed by required personnel. Conclusion Maintaining compliance is a crucial task in most organizations. When done correctly, the burden of maintaining compliance can also deliver substantial benefits to the organization such as: applying best practices, improving efficiency, and lowering costs. EDMS is a necessary tool for maintaining compliance in a cost effective and business enhancing manner. Managing compliance in a paper-based environment is no longer practical, and in many cases impossible. Fortunately, applying a good EDMS can be an efficient, secure, and affordable approach to maintaining compliance within your organization. A good EDMS also simplifies implementing back-up and disaster recovery strategies while maintaining user activity logs for audit and other reporting requirements. CNG White Paper Page 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information