INFM- 200

SWOT Analysis

A SWOT Analysis is an applied contextual analysis assessment technique that is commonly used in business in order to produce both internal and external workflow improvements. Internal factors include: "Strengths" and "Weaknesses;" and external factors include: "Opportunities" and "Threats." I'll add that the information gathered is a matter of perspective and can vary depending on the current context that is being reviewed.

Authenticity

An authentic electronic record encapsulates the reliability and integrity of an electronic record, proving that the record hasn't been changed or altered, thereby holding up in court as evidence.

CONTENT MANAGEMENT SYSTEMS (Module 3)

CONTENT MANAGEMENT SYSTEMS (Module 3)

Drivers

Drivers are used to identify the competition's strategic and tactical goals, as well as their current status of achieving them. Informaticists can use drivers to interpret how and why records, information and data are created in order to fulfill an organizational objective.

ETHICAL ISSUES AND LEGAL OBLIGATIONS (MODULE 6)

ETHICAL ISSUES AND LEGAL OBLIGATIONS (MODULE 6)

Predictive Coding and Automation

Electronic content is becoming increasingly dynamic and voluminous, and it can be very challenging for a human to manually input records as well as search and retrieve all relevant records stored within Content Management Systems. Because of this, automated intake that captures metadata characteristics, can migrate records being created or input into the system into their appropriate location based on taxonomy criteria and associated retention and access rules. The use of predictive coding and automated tagging can support document retrieval and legal discovery processes. By being able to tag electronic records with multiple criteria, predictive coding can be used to support keyword searches, filtering and samples of files to help users retrieve relevant and useful content related to their interest. Furthermore, if an electronic record actually relates to more than one retention rule, all relevant policies can be attributed to that record and then the most appropriate destruction date and access restrictions can be set and complied to.

Physical (Environmental) Security

Electronic Content Management systems along with server systems offer rules for how an electronic record and associated information and data is accessed and managed within the system and network infrastructure. The use of these systems help us to ensure the authenticity, reliability and integrity of our content, supporting productivity, and aiding us in responding to the needs of our stakeholders. However, if a malicious actor gains direct access to the infrastructure, such as by using them without authorization or for instance stealing a hard drive or other media storage, then that content may no longer be secure. English (2011) adds to this, explaining that "while many organisations are getting better at identifying and understanding digital weaknesses, the inherent weaknesses of physical devices are not as well recognized" (Para. 3). Nevertheless, physical and environmental security isn't just an IT priority, physical risk factors can also affect analog records and other valuable materials that may impact an organization's operations. Since the risk has the potential to impact our entire organization, it emphasizes the importance for informaticists to work in collaboration with IT, legal, records management, and organizational leadership to prioritize risk management efforts for the entire organization, not just what's within our IT infrastructure. It's important to note that physical threats can be both unintentional or intentional, even if the ramifications end up being the same. A lost laptop at a coffee shop is likely an accident on the part of the employee, whereas theft from the server room where a keycard may be required suggests potential internal malicious intent or unauthorized entry. Either way, the records, information and data stored within these devices may hold sensitive information. There are also environmental risks that we may not be able to control but could possibly prepare for, such as an electrical outage, fire, or earthquake. Regardless of the safeguards we've enacted, an effective approach is to understand what assets our organization holds, how they are connected and integrated into the infrastructure and workflow of operations, and to have an assessment process that ensures that operations are running as expected and that unnecessary exposure isn't evident. Some examples include inventorying the company's laptops regularly, checking data ports for compromise, making sure secure doors remain restricted, and ensuring that fire prevention requirements are up to code. There are many types of physical security safeguards, which may include: walls, fencing and gates, guards, dogs, ID cards and badges, locks and keys, traps, electronic monitoring and surveillance, alarms and alarm systems, secure computer rooms and wiring closets, and the use of interior walls and doors (Whitman & Mattord, 2012, pp. 400-401). As important as protecting infrastructure is, preventing physical security threats can also ensure the long-term protection of the company's workforce from an environmental disaster, structural damage or other concerns. Building on this, informaticists along with other IT and security stakeholders can work to identify areas of deficiency and to recommend solutions to secure them, while also assessing compliance to an organization's physical security measures. Even more, I'd also add that it's a partnership with the general workforce of the organization. Awareness of being safe in the workplace, methods to protect mobile devices when working remotely, the importance of inventory, being mindful of abnormal technology suddenly appearing within the system, protocols for unauthorized visitors to the building, as well as how to both detect and report areas of concern can all help protect our organizational assets.

Financial Requirements

Financial requirements are similar to legal and regulatory, in that these obligations are again to government agencies such as a federal, state or provincial oversight entity like the Internal Revenue Service, Revenue Canada, the Securities and Exchange Commission, regional reporting to State, Territory or Provincial tax authorities, as well as local governments. However, financial requirements are predominantly about financial obligations rather than outright litigation, although breaches of trust can ultimately result in a litigation scenario. For these records, the justification for retaining them is typically written in a tax code or other relevant financial authority, such as the reporting requirements for public companies determined by the Securities and Exchange Commission, and is used to support financial audits and tax returns, as well as provide evidence of ethical business practices to shareholders, taxpayers, and other interested stakeholders.

No Legal or Regulatory Requirements

In many cases, records have no legal or regulatory requirements, and their retention is exclusively based on operational value. This does vary by the type of organization, but some common examples include drafts, third-party reference material, meeting invitations, announcements of social events, casual travel schedules, product catalogs, and so forth. Despite that there is no perceived requirement, these transitory records can still offer risk if not maintained in accordance to a policy. The best approach is to work with stakeholders to determine a retention period that reflects the minimum amount of time necessary to retain the record while still achieving all business obligations and supporting employee workflow responsibilities.

Legal and Regulatory Requirements

Legal and regulatory requirements are far-reaching, and while these requirements can serve as guidance when helping us to develop efficient workflow practices regarding the management of records and information, they also can support external stakeholder processes such as audit reviews, legal discovery and litigation proceedings, all of which are scenarios where our organizations need to respond quickly and truthfully in the most efficient manner possible. Governments, as well as some public companies and organizations with regulatory responsibilities, may also have to furnish records to the citizenry upon request. This is especially true in government organizations, and while rules vary depending on jurisdiction, public disclosure legislation such as the Freedom of Information Act was designed to support the citizenry's right to hold the government accountable of their actions and use of public resources. In instances where public disclosure legislation isn't complied to, the organization may be subject to substantial penalties. As informaticists, we may find opportunities to partner with legal counsel, records management and other compliance and risk management stakeholders to ensure that our organization's policies are thorough and that we have accounted for any requirements that may need to be complied to. While each rationale for retaining records has its merit, legal and regulatory requirements are likely the most pressing reason for developing records retention and other guidance policy documents to support their workflow and management of content. Many organizations are concerned about maintaining legal and regulatory compliance to their respective government agencies and organizations. Achieving compliance is challenging in an ever changing regulatory environment, meaning that these policies need to be living documents with a mechanism in place to periodically update and enhance, although the vast amount of legwork required will be during the initial development process. Legal or compliance experiences occur regularly for companies and other types of organizations, such as through an audit or to respond to a lawsuit. The compliance process includes showing that the organization has a routine practice where records are not destroyed haphazardly. A retention policy that is routinely followed can show that an organization is seeking to manage their records and information in good faith under their normal business operations. Informaticists seek to support our organization's workflow while aiding in the compliance of a wide variety of external requirements, which may includes legal statutes, enacted laws, executive orders, court cases, governmental regulatory agency policies and determinations, industry expectations, among others. Furthermore, international business practices can expose the organization to similar requirements necessary in the additional jurisdictions. In partnership with legal and records management programs, we have a responsibility to learn about the requirements that our organization is subject to, and making them known to our stakeholders when working with and managing their records and information. This may require that compliance documents be produced when an action takes place, how certain records should be maintained and for how long, as well as privacy and confidentiality access restrictions, which could result in the redaction of sensitive information or if they can even be released at all. Furthermore, legislation may regulate copyright, patent, trademark and other intellectual property protections and limitations, and stipulate the rights of individuals, corporations, interest groups and governments to access and use these records.

Administrative

Often created automatically when content is entered into the CMS, these values are used to manage the content. Administrative metadata includes things like date created or author. They can sometimes include sub-elements about rights-management or preservation.

RECORD KEEPING - SAFETY, SECURITY, ACCESS, PRIVACY (MODULE 5)

RECORD KEEPING - SAFETY, SECURITY, ACCESS, PRIVACY (MODULE 5)

Metadata

The information provided in metadata makes the content findable and understandable to either a human or a computer. Metadata is information about the content that provides structure, context, and meaning. There are three main types: 1.Structural 2.Administrative 3. Descriptive

Reliability

The reliability of an electronic record validates the record's trustworthiness as evidence. An electronic record makes sense within its context in relation to other records. Reliability emphasizes context, citing that there should be a reasonable purpose for why that record was created which can be documented, and that the use of metadata, which is supporting data about the record's creation, history and use, can be used to describe the record and be used to verify that these records weren't developed as exceptions to a typical workflow process. Essentially a record is reliable when we can show that it wasn't created as a response to a request for evidence. When a record is looked at in the context of other recorded information within that organization, people understand how and why that record is there and that it fulfills some sort of business purpose.

Descriptive

These values describe aspects specific to each content component, like title, subject, audience, and/or purpose.

Privacy

There has been substantial public concern about how personal information is being used and distributed, raising serious information security-related questions about how protected personal information really is when maintained by governments and corporations, as well as a greater expectation by stakeholders that IT systems and information management policies will prioritize personal privacy when protecting the records, information and data held in an organization's possession. Data breaches have become increasingly common, and along with that an increased concern by the public that has lead to global regulations such as the General Data Protection Regulation (GDPR) in the European Union, privacy protection improvements by corporations holding personal information, and regulators of governments throughout the world looking to set regulation and parameters for how personal information is used. Effective information security, including privacy protection, runs in the background, and while such a practice should be designed to both ethically protect and use stakeholder information, a byproduct of successfully doing so is that it upholds the organization's brand identity as worth doing business with. Bad press reduces the public's confidence in the capabilities of the business, especially if stakeholders feel that they are at risk. The role of privacy protection in an information security effort is perhaps one of its key benefits. Companies have a legal and ethical obligation to protect the information that they hold in their custody, although the level of actual legal obligation to do so will vary depending on what type of business it is, whether it is a public or private sector organization, as well as the nation(s) that the company operates in and the regulations that they are beholden to. Whitman and Mattord (2012) explain that "many organizations are collecting, swapping, and selling personal information as a commodity, and many people are looking to governments for protection of their privacy" (p. 93). Corporations utilize personal information routinely to support their business objectives. Because of this free-flow of information, individuals as external parties have minimal control over their information once it is in an outside organization's custody, and the associated risk of this arrangement has lead to the growing demand of privacy protection measures and passage of new regulations. Nevertheless, it is important to note that regulation does not result in the cessation of personal information being collected. Instead, it stipulates the current rules that must be followed in order to gather and use personal information in compliance within that jurisdiction and to retain stakeholder confidence. Some organizations have public records disclosure obligations, such as governments and certain record types for regulated corporations beholden to compliance requirements, resulting in the potential release of information through open access legislation such as the Freedom of Information Act or other regulatory requirements. Often, due to confidentiality reasons we can't release information to the public until certain established time periods or security parameters are met, or with restrictions such as the requirement to first remove or redact personally identifiable information. As informaticists we may find ourselves working with internal legal counsel and records management programs to support the free flow of public information whenever possible while also fulfilling the legal obligations of our own organizations in conjunction with the privacy expectations of our stakeholders. While privacy protection legislation is intended to add a level of protection for stakeholders, regulated protections are much stronger when managing government records and information when compared to the private sector's control over personal information. Private sector privacy protections are limited and specifically target certain sectors and regulated activities, leading to selective government enforcement over private entities. Outside of legal and regulatory obligations or a lawsuit, private companies have minimal direct accountability to the citizenry, although the GDPR has shown that this is changing as the regulation targets global businesses operating within the European Union and how they manage their citizen's personal information. Informaticists in these settings can support risk management, workflow, operational priorities, and the legal process. Companies that develop privacy protections and offer privacy safeguards often do so to encourage customer confidence and protect themselves from risk. Furthermore, to some extent individuals have a burden to make an informed decision as to if they want to do business with that organization, knowing that they will be sharing their information under the terms of the company's internally developed privacy policies, which are typically designed to meet the requirements of where that business is operating. Nevertheless, a company's privacy protection practices can provide stakeholders with the confidence that personal information is protected against unauthorized use.

Overview

Throughout this course we've discussed a wide range of informatics-related priorities, including the creation, use and management of records, information and data, physical storage and Electronic Content Management Systems, compliance obligations, security and other safeguards, along with ethical practice. Achieving this wide-range of informatics-related priorities is a challenging process and one of its greatest roadblocks can be obtaining the commitment of organizational stakeholders - the users of our information. So then, how do we foster the value of our services to executive leadership and our stakeholder community in order to actually achieve the institutional support and enterprise-wide commitment necessary to make our objectives a successful reality? While our efforts will remain ongoing, we can strengthen our impact through a three-pronged approach: 1) ongoing professional development to maintain being current and capable Informatics professionals; 2) train our stakeholders to be knowledgeable of our priorities and concerns; and 3) ensure that all stakeholders are aware of the importance of our information assets and the need of their support in our management and compliance processes. This aids our ability in safeguarding, managing and disseminating the organization's information assets, in support of our priorities and workflow. The long-term adoption of our informatics-related priorities ultimately depends on the executives, employees and other stakeholders understanding and valuing the long-term benefits that the effective management and security of information assets has to offer the organization. Ultimately, our policies and practices will need to become a routine part of daily business activity, with careful oversight and mechanisms to ensure that expectations are followed. This may be a cultural shift within the organization's business practice, which could require outreach throughout the organization to promote understanding of its benefits through training, internal communications, a receptive presence by the organization's informaticists and associated information professionals, and allowing for feedback and continual improvement upon and after any implementation of initiatives or new practices and procedures. Informaticists can support business process compliance to help fulfill both management and information-related organizational priorities. Information needs to be presented as an asset, not just a convenience, and when information is strategically accounted for and managed comprehensively, it can be used by our organizations to support their achievement of a competitive advantage, which results in a strengthened potential for greater capabilities and profitability. I'd like to briefly introduce the business concept of competitive advantage, because companies view the attainment of a competitive advantage as a milestone and our efforts can support this ambition. Harvard Business Professor Michael Porter wrote the landmark business theory book titled Competitive Advantage, in which he discussed how when a firm's profits are above average in comparison to their overall industry, they've achieved a competitive advantage over their rivals. Companies strive to achieve competitive advantage, because competitive advantage positions them as leaders in their industry and helps them to produce economies of scale (which is the most cost efficient level of production). There are two types of competitive advantage, cost advantage and differentiation advantage. A cost advantage is when a company can offer a comparable product or service at a lower cost compared to competitors, and a differentiation advantage is when the product or service is offered at a better value than those of competitors. When an organization has a competitive advantage, they offer the best overall package and value for that product or service when compared to their competitors. From our perspective, every program area and team member uses records, information and data to support their workflow objectives, and at varying levels of efficiency. By analyzing our information-related practices, we can develop process improvement strategies that can help us gain control over our information assets. This in turn can result in greater efficiency in achieving organizational priorities and improvements that in turn can contribute to gaining competitive advantage (QuickMBA). It's worth noting that whenever we successfully complete an information-related improvement effort, we're now at a new beginning as technology keeps changing, new formats of records, information and data continually are being developed, and security practices are consistently being challenged and improved upon. Yet, each achievement is still an important milestone in our process, but it still requires ongoing intentionality to ensure that we keep up with change. It's also challenging to maintain such an effort, and our initiatives and practices require continual oversight, revision, improvement and expansion to account for changes in technology and how information is developed and used. Technological change and process improvement is also continual and resource intensive, requiring the ongoing commitment of leadership and the continual value and commitment of stakeholders dedicated to strengthening the organization's oversight over their information assets.

disposition phase

generally means that upon review records can be destroyed because there is no longer a business use for retaining those records and the continual retention of those records may actually expose the organization to legal liability *However, a small amount of records with long-term historic/research value upon the completion of any business, legal or regulatory requirements may be deemed archival and may instead be retained indefinitely or transferred to an archival program for long-term preservation and reference.

Standardization

is the method of using standardized, non-proprietary file formats such as TXT, MP3, JPEG and PDF with the assumption that these formats will remain easily readable far into the future. It is often paired with migration so that the hardware does not deteriorate before electronic records are saved, which allows for greater potential in the preservation of electronic records.

Creation stage

records are created to fulfill a business purpose and objective, and at some point they will no longer be needed as often as they were before

Contextual Analysis

serves to help information professionals understand the organization that they are working with, in order to assess how and why a record was created and its use in order to fulfill workflow objectives. Simply put, contextual analysis is the process of analyzing business operations by identifying internal and external factors that would influence the organization's processes. It is a general business practice that can be applied to a wide variety of purposes and settings, and can influence our work as informaticists by helping us understand our organization better and the content that they are producing and working with. This, in turn, leads to better information gathering and allows us to produce more comprehensive policies and workflow processes to better support our stakeholders. There are many contextual analysis theories and methodologies, with a noteworthy example being Michael Porter's Four Corner's Model which we can use to support our planning process along with a SWOT Analysis, which is the most commonly performed applied contextual analysis assessment technique.

Mobile Devices

A common repository of electronic records is mobile devices, such as a laptop, tablet or smartphone. Whether corporate-owned or personally provided through a Bring-Your-Own-Device (BYOD) policy, there are tremendous risks with business records and information being stored on mobile devices used for conducting business outside of the primary work environment. Regrettably public Wi-Fi or other outside connections may lack effective security, and so we need to include safeguards that protect our intellectual property when working in these settings. Personal hotspots and virtual private networks can offer encrypted and password-secured access, along with other integrated security options, providing effective cyber protection mechanisms for businesses and individuals to use when working outside of the organization's firewalls (O'Donnell, n.d.). From a business standpoint, smartphones holding corporate records and information but with built-in security encryption have a lower risk of being accessed improperly when physically obtained, and are further effective when combined with more advanced Mobile Device Management (MDM) software. The built-in encryption offers an extremely high level of security for general users, which has law enforcement groups very concerned from a legal security standpoint because it limits their access to investigate content (e.g. data, contacts, e-mail and photographs) stored on a mobile device running these operating systems. They caution that a reduction of access could be detrimental to law enforcement efforts. On the other side of this issue is public privacy concerns resulting in increased demand by privacy advocates, users and corporations for greater transparency in surveillance and more personal control over electronic privacy. Apple, Google and other manufacturers have developed strong safeguards that have had a very positive reception by consumers (Wilber, 2014). One of the challenges with personal mobile devices being used under a BYOD framework is that IT likely doesn't have full and direct control over that personally owned device, and so remotely securing and wiping of the device may not be possible if it is lost or compromised. Software like VMware's AirWatch, an example of a Mobile Device Management system, makes it possible to manage large-scale corporate owned mobile devices as well as those that are BYOD connected. When users notify IT that their device is missing, IT can wipe it remotely and protect the organization's electronic content. Requiring employee consent and understanding of the service and expectations upon integrating a personal device into the enterprise's system is essential, since personal content may also be kept on the device and could also be wiped if lost, but the technology is available to account for their devices when compromised so that all parties can minimize their risk.

Taxonomy

A taxonomy is a formal classification system. A taxonomy groups the words, labels, and terms that describe something, and then arranges the groups into a hierarchy. People construct taxonomies for almost any kind of information, from biological systems to organizational structures. For example, biologists group living organisms into four major classifications: animal, plant, fungus, and microbe. Each of these major groups has many subdivisions. Together, the whole system is a taxonomy. Organizations create taxonomies in too many ways to list. They create Chart of Accounts taxonomies to manage accounting systems, organization charts and job classifications to manage employees, product catalogs and so on. All these taxonomies are structured hierarchies of information; formal classification systems that help people handle information.

Alphabetic Filing

Alphabetic filing tends to be the default approach to organizing paper records and information. If you have a filing cabinet at work or in a home office, alphabetic filing is the most likely filing method used. The reason is that this is a simple A to Z approach, where if you have some kind of category such as a name or organization that's fairly obvious, alphabetic filing provides an approach to easily organize that information into a uniform manner. The downside to the alphabetic method is that its broad nature can result in the organization of the files becoming quite messy, since file naming conventions are likely not uniform and developed haphazardly by the individual creating and filing the record. The method is very good when organizing broad amounts of reference information, personnel files, student records, customer files, pretty much anything that has just a simple alphabetic name or subject heading.

Filing Arrangements

As informaticists we'll likely work primarily with electronic content, however at times we may need to reference paper records as well. Furthermore, organization methods for electronic records are adapted from techniques used for paper record filing. Users dealing with a manual electronic file structure, such as on a local server, may find that the organization of their electronic records are virtually identical to their paper counterparts. Electronic records stored in a Content Management System will build on these fundamentals and will likely allow for advanced search capabilities, predictive coding and additional tagging related to metadata characteristics and custom development aligned with their taxonomy. I'd like to briefly review several filing methodologies originally designed for managing paper documents but have applicability for electronic records. These include: alphabetic, numeric, chronological, phonetic and geographic filing techniques.

Functional Analysis

Building on our understanding of context, a functional analysis is a process that we can use to better understand how records and their associated information and data are used as part of the organization's workflow. A benefit of conducting a functional analysis is the depth that it provides when seeking to ascertain a specific organizational process in greater detail, as well as to form a clear assessment of how information assets are created and used by an organization's entire business structure. The functional analysis is a top-down, hierarchical approach that looks at business processes as tiered levels. The analysis first begins by seeking to identify distinct functions performed by the organization, which in this example is item 1, the Management of legal processes. Next, each function is broken down into the various activities performed in order to fulfill that function, such as the Contracting example listed as item 1.1. In this case, contracting is a type of activity that is used to fulfill tasks related to the management of a legal process, but it isn't necessarily the only thing involved in order to manage a legal process, nor is the management of legal processes dependent exclusively on it. If there are multiple activities, then they can each independently contribute to that function. The third level is transactions, which are tied to a specific activity and are presented in the example as items 1.1.1 to 1.1.5. In this example, the transactions reflect independent processes related to contracting that is necessary to complete the contracting activity, fulfilling the function. Typically when we identify records and its associated information and data, they're at the transactions level, although sometime activities don't have transactions and so then they would reflect the activity level. Upon completion of the functional analysis, we should be able to answer the following questions about the business area that we are learning about: What are the department's functions? Which may include:What are the main things the department does to achieve its mission, strategic aims, and goals? What activities are carried out to fulfill each function? What transactions make up each activity? What are the processes that comprise each activity? What is unusual or unique about the department? What is most important to document about the department? How is the department structured? Which can be broken down to include: Is the department organized into divisions or sections? Does the department operate special programs? What are the department's regular meeting groups? What are the department's in-house and/or outside committees? What are the purpose and history of these? The development of a functional analysis can assist us in identifying key groups and workflow processes necessary for the records, information and data that we work with.

Proprietary and Non-Proprietary File Formats

By using software to create, capture or manipulate an electronic record, the electronic record may be assigned a proprietary file format that is readable only with the developer's software, although some products allow for document creation in non-proprietary formats as a feature. A consequence of proprietary formats is that if users do not purchase a license to use this software, the ability to read the file may not be possible. There are also potential long-term access considerations should the proprietary software no longer be available. Non-proprietary file formats may allow for digital content to be viewed by more than one specific proprietary software product, in a universal setting across computer platforms. They also allow the user to avoid investing in specific resources for that particular format, while also increasing the lifespan of an electronic record. However, electronic records stored in a non-proprietary file format typically have less functionality or customizable options than their proprietary equivalent. Examples of proprietary file formats include records produced from a commercial product, such as Microsoft Office or Apple's Pages and Keynote. Common non-proprietary formats include TXT, MP3, JPEG and PDF. It's interesting to note that PDF was originally developed as a proprietary file format by Adobe, but on July 1, 2008 Adobe released PDF as a non-proprietary open document standard known as ISO 32000-1 and a more streamlined PDF format for dedicated archival purposes called PDF/A, which is described in ISO 19005.

Capabilities

Capabilities identify how the organization is able to respond to external threats, and the resources that they have available to do so. This is essential for competitors to assess when planning their own objectives in the marketplace. Informaticists can assess capabilities to determine the likelihood, commitment, and resources available by the departments or organizations that they're working with in order to encourage policy changes and process improvements.

Chronological Filing

Chronological filing is pretty straightforward as it's a type of numeric filing. This is one of the exceptions where an index isn't necessarily needed, because you're looking for something by date and as long as you know the date of the event you can retrieve the content that you're looking for. It is very useful when you're dealing with information such as outgoing correspondence or tracking some kind of conversation where the date is specific. In the example image to the left, you can see the date example of 2006.05, which corresponds with records from May 2006, and then you'll have to leaf through all the records in that section in order to find the specific record that you're looking for. Chronological filing is an appropriate system for date-driven records but otherwise standard numeric filing methods would be preferable.

Disadvantages of Cloud Computing

Cloud computing usually means that your organization's records and information are being held in the custody of a third party vendor - another company than your own. Therefore, you must be confident that not only is the vendor TRUSTWORTHY enough to manage your company's records and information, but that their data security is advanced and effective enough that their other clients CANNOT ACCESS your information, and that there is protection against external threats (e.g. data breaches) that could put your content at risk. Another consideration is the LONGEVITY of the vendor you've selected, meaning will they be in operation for the long term and is your data secure and retrievable if they happen to go out of business. Generally, large cloud computing providers, such as Amazon S3 Web Services or Iron Mountain, are more reliable because of their size and track record. Depending on the services, however, they may be more expensive than a small, local company, which may offer a high quality service and top-tier dependability. When selecting a cloud-computing vendor, considerable due diligence is needed, in order to evaluate the best product and level of service you need weighed against the organization's level of acceptable risk.

Taxonomies in Content Management Systems

Content Management Systems provide an excellent opportunity for structured taxonomies. The primary goal of moving electronic records into automated Content Management Systems is to avoid having unstructured and manual electronic filing systems, where instead the Content Management System allows you to add a classification to your records and taxonomy guidelines so that they are organized according to your organization's recordkeeping priorities, this allows for tagging content with multiple criteria and supports search capabilities and predictive coding. For example, records could be classified based on each of your clients or by distinct business functions, since the systems are quite customizable. When a record is filed into the system, the user is usually prompted with a listing of applicable classifications that the record may belong to, which when assigned automates with applicable retention policies and encourages consistent management and oversight of this content. at the Sharepoint example to the right, what we have here is a very basic structured hierarchy for electronic records using an alphabetic filing method. "Products" is the business function classification, and within it is "tents" as a records series and then further filing transactions that include "backpacking," "family," and/or "ultralight tents." In a Content Management System, the system can be set up like a file plan or classification scheme, where you can select only one type of tent, or within a taxonomy framework where you could choose to select multiple criteria, as well as link the records series within the "manufacturers" business classification if appropriate. This is a relatively straightforward example, but it does show that electronic records managed in this type of system can be attached to a wide variety of rules that can automate the lifecycle. Based on configuration, such functionality can include associated retention processes and the creation of uniform naming conventions, while allowing for flexibility in business need. These systems can be utilized to maintain recorded information on behalf of the organization in a uniform and secure manner.

Contextual Analysis as a Business Process

Contextual analysis is a business process, typically used to gain a holistic understanding of a selected organization but can also be used as an internal assessment designed to find areas of information-related process improvement. Furthermore, it can be used by an outsider to gauge competition and support the development of strategies used for their own advantage. Informaticists can use contextual analysis to identify the current status of a programmatic area as well as learn how and why stakeholders produce and maintain their records, information and data in a particular way. Understanding context allows us to interpret our stakeholder's needs, gauge the importance of the information we're working with, and produce quality results that support our entire organization.

Current Strategy

Current strategy determines how the organization wishes to compete in the marketplace. While the planning process might result in an ideal objective, the current strategy also identifies what actions have been taken to actually achieve the strategic objective, which could be different from their initial vision. Positive results can be used as a predictive measurement by the competitor conducting the analysis because positive results are generally viewed favorable by the organization, meaning that they'll likely continue operating in the same or similar manner. Informaticists can use current strategy as a predictive tool for identifying priorities, as well as gauge areas and timing for internal support and where process improvements would be most helpful.

Structural

Defines the metadata elements that need to be collected; labels like title, author, date created, subject, purpose, etc. Defining these structural elements is typically based on a mix of organizational and system needs, along with standard schemas like Dublin Core.

Authenticity, Reliability and Integrity of Electronic Records

For a record to be considered valid under legal scrutiny, such as for evidence during a litigation review or audit, they need to uphold three fundamental characteristics to validate them: their authenticity, reliability and integrity. While these traits technically apply to analog record formats like paper as well, a paper record has traditional characteristics that can be verified against forgery or alteration in a fairly straightforward way when scrutinized. For electronic records, it can be argued that they are not a record unless they embody all three traits, as electronic records are naturally unstable and constantly at risk of being compromised, lost, or disturbed in some fashion without direct oversight and careful management. Let's do a quick review of all three, beginning with reliability:

Historical Requirements

For a very small amount of records there may be a historical benefit to retaining them indefinitely, typically referred to as archival, provided that all other requirements have been met and that indefinite retention doesn't create unnecessary risk. These are records created by organizations that tell their story, such as the articles of incorporation, bylaws, charters, and board of directors' minutes, as well as letters establishing significant programs, photographs of events, publications and annual reports, and advertising and marketing materials.

Microsoft Share Point Box Epic Systems

Helps by enhancing internal workflow, coordinating policy, and showing the steps taken to maintain compliance requirements should they be audited or questioned in a legal situation. work on projects collaboratively and globally, establish a monitoring system that tracks version changes of records so that different versions can be accounted for and users can revisit what has been produced in the past. anyone with access to that system with the proper permissions can view and work on that content and move it throughout the workflow process.

Why Retain Records?

I'd like to begin by discussing why records retention is important. Shepherd and Yeo (2003) describe this well, stating that: "effective retention management demands a system which ensures that records are retained for as long as necessary and that those no longer required are eliminated" (p. 146) as well as "records, whether paper or digital, cannot all be retained indefinitely. Storage and maintenance over time is often expensive and, as the volume of records grows, access becomes slower and more difficult" (p. 146). Both statements are very true, and sum up the need for comprehensive records retention policies and practices, as well as the importance of informaticists understanding the legal and regulatory, financial, operational and historical reasons that the records they are working with were developed, being retained, and ultimately disposed of.

Statute of Limitations

I'll add that not all legal and regulatory requirements are obvious, since their recordkeeping responsibilities may change based on unexpected circumstances. For example, Statute of Limitations legislation refers to the maximum amount of time where a legal proceeding can be initiated following a specific event. The Statute of Limitations varies based on jurisdiction and the type of situation, and is a practice exclusive to nations practicing the common law legal system, like the United States, Canada, and the United Kingdom, and so this type of practice may differ in nations operating under other legal systems. Statute of Limitations legislation doesn't usually directly refer to records but instead records can support the legal process, and so records retention policies can use applicable Statute of Limitation requirements to help determine retention periods, if it is clear what records they may refer to. However, it can be a challenging interpretation that may benefit from additional legal advice if necessary.

The Life Cycle of Records (The Five Stages in the Life of a Record)

I. CREATION STAGE: Records are produced by internal and external parties... II. .DISTRIBUTION AND USE STAGE: ..and are transmitted to internal and external users... III. STORAGE AND MAINTENANCE STAGE: ...and are classified and filed in storage devices and maintained for active reference... IV. RETENTION AND DISPOSITION STAGE ...then become inactive and are destroyed or tranferred to a storage facility... V. ARCHIVAL PRESERVATION STAGE: ...or preserved permanently in an archive for historical purpose.

Informational Value

Information security efforts ensures that our records, information and data remain authentic, reliable, and hold integrity. These types of material hold value, and if compromised there's a strong potential for its value to decline. The use and development of information is to be expected for normal workflow purposes when supporting a business need, and depending on the context, some records and information hold more apparent value than others. Whitman and Mattord (2011) write that "the value of confidentiality of information is especially high when it is personal information about employees, customers, or patients. Individuals who transact with an organization expect that their personal information will remain confidential... [and that] problems arise when companies disclose confidential information" (p. 13). However, our informational assets are potentially compromised when unauthorized access to our systems or unsanctioned distribution of these materials occurs. Records, information and data can support business practices and trade secrets, and should be used as intended and released only when warranted. Safeguards put into place to protect the access to information assets ensures that only authorized stakeholders are able to retrieve and use this material.

Integrity

Integrity emphasizes the use of metadata and audit trails for tracking creation, use and alteration to electronic records. This can easily be captured in a Content Management System but can also be potentially supported by system security and usage logs. For example, when a record is added to the Content Management System, the system creates and attaches a log of the record's actions to the metadata of that record, tracking information such as when the record was added to the system, if it was changed or updated, who has used it, different versions that have been developed, and if it has been disseminated within and/or outside the organization. In addition, a wide variety of custom notations and classifications can be attributed to the electronic record, if desired.

Management Assumptions

Management assumptions identify the internal perceptions and assumptions that the competitor has about their role in the overall marketplace, which they can use when developing their internal strategy. Essentially, the competitor conducting the analysis is trying to predict management's next steps. Informaticists can use management assumptions to assess their stakeholder's perceived internal strengths and weaknesses, understand their organizational culture, and identify their next steps, in order to support the development of relevant policies, processes and guidance that makes sense for their stakeholder's needs.

Michael Porter's Four Corners Model Filing Arrangements

Michael Porter's Four Corners Model is a strategy that organizations can use in order to assess the current status and goals of their competition. While our need for understanding context as an informaticist may not be the same as the original intention of this model, the method provides an analytical thought process that is supportive of our objective of understanding the organizations and processes that we are working with. The four corners model allows us to interpret motivations for producing records, information and data and the actions taken or achieved by doing so. The four corners that we'll be discussing are "Drivers," "Management Assumptions," "Current Strategy" and "Capabilities."

File Plans/Classification Schemes and Taxonomies

Much like their paper counterparts, electronic records require structured organization throughout their lifecycle. This is a process that requires a fair amount of planning due to the high-level of investment that an organization commits to, as well as the labor time needed to make the system's implementation successful. Electronic records can be filed in a few different ways. A manual filing process is called a file plan or classification scheme, where less-dynamic records are filed in a system very similar to how a paper record is filed into a file cabinet. This is a common and potentially effective approach, because records are uniformly organized into distinct work areas and records series, with little room for negotiation or cross-referencing. It can, however, be a restrictive top-down approach when considering the dynamic and interactive nature of how many electronic records are being produced. A more dynamic method is developing a taxonomy, which builds on a file plan or classification scheme, because it supports the rapid and expanding nature of electronic information. Multiple parameters and cross-referencing can be attributed to a record within a Content Management System's taxonomy, which often mirrors the nature of the workplace and the collaborative nature of many projects and work groups taking place within the organization. To the left is an example of a classification scheme that I developed. Effectively, the top-level subject matter is Human Resources, and then we have departmental functions. Records and their associated transactions can be assigned to these categories, with the purpose being able to classify and organize records under a distinct business function in a uniform top-down manner. Unlike a more dynamic taxonomy which offers flexibility in electronic systems, in this classification scheme records are limited to one parent business function, and so a record attributed to Recruitment and Hiring would usually not also be repeated under another function such as Benefits Administration, even if there is overlap between the business functions.

E-Mail

One of the most common sources of electronic records is e-mail. E-mail holds a ubiquitous role in all aspects of life, but in business it has emerged as the initial point of compliance and risk concern for our organizations, requiring considerable oversight, retention criteria and risk consideration. E-mail is the leading piece of evidence requested during the discovery phase of civil trials (Smallwood, 2014, p. 241). E-mail volume is extensive and its levels are continuously expanding, and while not all e-mails themselves are records, many messages contain important information within them, encapsulate records (e.g. as attached documents), or the contents of the e-mail qualify the message as a record that need to be accounted for within the auspices of the company's retention criteria. E-mail systems are exposed to the risk of both external threats and internal misuse, and when unmanaged and unprepared for, can leave the organization exposed and vulnerable, which could lead to a disruption of business operations and a reduction in stakeholder confidence. Informaticists can encourage an effective enterprise-wide structured approach to e-mail management that accommodates business need and user access.

Operational Requirements

Operational retention requirements are much more subjective, and really does depend on the assessed need for records to be retained. A record that may have a legal requirement of three years may still hold important business value beyond that, and so normally it wouldn't make sense to have records destroyed prior to the completion of their overall need unless there is a high risk to retaining it. In this case, the legal and regulatory or fiscal requirements can serve as a baseline or minimum for the retention, and the operational need would add additional time when justifiable. Identifying assessed need likely requires the insight of the routine record users and creators, however we want to avoid a "just in case" approach where records are kept forever, and instead develop an intentional understanding of how and why records need to be kept beyond their baseline requirements and then account for this as a routine process in policy which satisfies all stakeholders involved. Extending a retention based on operational need must be justifiable, because the longer the records are kept the possibility of greater risk they can cause the organization. Extensions to a record's retention period due to an operational value should be approved by legal counsel to ensure that a lengthier time period won't create unnecessary risk.

Opportunities and Threats

Opportunities are external elements that offer an advantage, whereas threats are external elements that could be problematic. Informaticists can assess these external factors to identify how outside elements can impact the organization or the processes that they are working with, such as a risk for litigation or a pending natural disaster, in order to determine areas of process improvement and conduct the planning necessary to respond to a situation that is not part of the normal course of business.

Information Security Training

Our organizations can design training opportunities for our stakeholders that promotes awareness and improves the information security of the organization. While general information security training is important, we can also use these training opportunities to emphasize the areas of risk and the actions that can be taken to protect and prevent compromises that are most likely for our organization to experience. Training should be current and comprehensive, in order to accomplish the following three objectives: - "Improving awareness of the need to protect system resources; - Developing skills and knowledge so computer users can perform their jobs more securely; - Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems" (Whitman & Mattord, 2012, p. 209). It's highly likely that those who are responsible for managing information resources and technical systems have a stronger expertise regarding information security issues than the general employee population, whether through formal training, professional development, or just a vested interest. Among our stakeholders, there will be varying levels of interest, understanding and commitment. Therefore, we need to view the training component of securing our organization's IT infrastructure and information assets as an outreach opportunity, where the greater the acknowledgement of value for our initiative the better potential we have for improvement and protection measures.

Identifying Potential Records for Legal Action

Our policies and practices can support our responses to litigation scenarios if they should occur, in order to guarantee that our records are admissible and reliable to the court systems as well as to protect our organizations from unnecessary consequences due to improper actions or a lack of compliance related to records destruction. Records are used as evidence in order to support or contest an argument being made in a legal proceeding, as well as to prove and clarify these arguments. However, for records to be considered as evidence, the courts must determine that the records are admissible, first they must be deemed relevant and second the court must be confident in the reliability and authenticity of the record.

Finding Applicable Guidance

Perhaps our greatest challenge is simply finding the laws and regulations that apply to our organization's records, which informaticists may have to do if an established retention policy isn't in effect or to support in the development of one. This research is extensive, and requires significant awareness of our internal needs and external obligations. Researching federal, state, provincial, or local government retention guidelines can provide us with legal guidance that may apply to our organization's needs, as well as sections of the United States' Code of Federal Regulations or their international equivalents for records supported at the federal level. Many countries have legislation for public accountability for records, such as the U.S. and Canadian Freedom of Information Acts and the United Kingdom's Public Records Act. Oversight agencies, such as the Environmental Protection Agency, Federal Aviation Administration, and the Securities and Exchange Commission provide regulatory guidelines for corporate behavior and their records produced, whenever applicable. International copyright and intellectual property laws, as well as privacy considerations, vary by nation and region. Most business activities produce records and information, and when external stakeholders are involved, it's quite possible that there is either a group or legal process designed to ensure its accountability. Perhaps most importantly, it is valuable to form strong working relationships with members throughout the enterprise. As creators of the records and information that relates to their own work responsibilities, they may be able to provide us with firsthand information about how their work utilizes this content, as well as new regulatory requirements relevant to their industry. If your organization is subject to audits, than another valuable source can be to research the audit's requirements. Typically, auditors request the records they need and the amount of years necessary to support their process, which can also provide a baseline and help identify records used by that department or program. Furthermore, there is software on the market that supports legal research, such as the LexisNexis information service. ARMA International routinely releases legal and regulatory update alerts that information professionals can subscribe to, and there are plenty of books written that can provide us with a foundation of common practices. Organizations like the American Bar Association and Canadian Bar Association, and their local professional groups do provide legal interpretations and guidelines of current regulatory issues that can also be relevant to informaticists.

The Role of Context

Records are created to support a purpose and in context. Context provides us with a greater understanding of the record, and justifies its status of being a record rather than unstructured information or data. Context provides us with background information about the record, its origin, as well as why it was created, how it was used, and by whom. What we want to understand is how this record supports the organization's objectives as a whole, as well as why the record is useful in achieving a particular task. Context provides credibility that shows that it makes sense for that record to exist.

Value of Records, Information and Data

Regardless of why records, information and data are kept, the vast majority of this content typically becomes less significant for business use as time goes on. In many cases, by the time records have reached the end of their retention period, they may not have even been referred to in years, and instead they were just patiently waiting for disposition. Because of this, retention criteria should reflect only the actual time period that a record may be needed to achieve business objectives and fulfill external requirements, so that only minimum level of risk incurs. Furthermore, their timely destruction allows us to utilize our storage and financial resources more efficiently. The exception to this is when records have been identified as archival in value, and upon completion of their business need and external requirements they are transferred to an archival program for scholarly purposes.

Evidence Spoliation

Spoliation is the action of destroying or removing records that are relevant to a legal process, whether intentional or unintentional. There are three scenarios where the destruction of records can result in evidence spoliation. The first instance is when an active record has reached disposition per the established retention policy, however it wasn't systematically destroyed and then a legal scenario presented itself. Despite that the record should have been destroyed, it wasn't because a routine process wasn't in place. Destruction at this point with the awareness of its requirement for litigation is unacceptable, and the organization must accept the fact that they have to accommodate unnecessary exposure. The second instance is when records are still active per the established retention policy and not yet subject to destruction. When the litigation scenario presents itself, the organization realizes that they will have unfavorable exposure due to the nature of the record and then destroys or removes it, hoping that its missing presence isn't detected. The third instance is when the organization has no established retention policy, doesn't routinely and uniformly destroy records, and a litigation scenario presents itself and the organization opts to destroy or remove the record rather than furnish it. In this scenario, spoliation is particularly obvious because the standard practice is not to manage records. In the case of all three, the legal process does still have the burden of proving that relevant records are missing.

Strengths and Weaknesses

Strengths are characteristics of the business or project that give an advantage relative to others, and weaknesses are characteristics that show a disadvantage relative to others. Informaticists can use internal factors to assess how the organization's internal workflow process affects records, information and data creation and use, and then their overall impact on current processes within the organization. Having this information can support the planning and prioritization of needed changes and improvements.

TAXONOMY, CLASSIFICATION, CODING STANDARDS (Module 4)

TAXONOMY, CLASSIFICATION, CODING STANDARDS (Module 4)

Information Security

The establishment of effective information security is a complex process, and there are many frameworks and tactics that each organization can utilize to support their unique objectives and goals - note that there are some linked examples in this module's content area. Successful information security practices reduces the risk that can be caused to information resources and IT infrastructure - whether accidental or intentional. Protection measures reflect an evolving process to incorporate innovative technology as it is developed and implemented, adapting to compliance requirements that an organization is beholden to, and combating external threats and their potential impact to the organization. There are essentially four functions that information security efforts should offer an organization, which include: 1. "Protecting the organization's ability to function; 2. Enabling the safe operation of applications running on the organization's IT systems; 3. Protecting the data the organization collects and uses; 4. Safeguarding the organization's technology assets" (Whitman & Mattord, 2011, p. 41). If any of these functions are compromised, a record's authenticity, reliability and integrity may become at risk. The necessary response to this challenge is a proactive effort which ensures that IT security processes are current and dynamic, and that the organization has allocated the resources necessary to grow and adapt their systems and practices as priorities change, innovations and updates to technology are implemented, and new records and information tools and methods are developed and utilized. Our information assurance efforts benefit from action and preparation, with successful IT security systems and safeguards being supported by user actions guided by policies, procedures and guidelines disseminated to users under management direction and with employee training and participation. Such guidance should account for legal and regulatory factors while also allowing for stakeholder productivity requirements. Awareness of these issues and actions at all levels can lead to substantial security improvement. Governance efforts seek to protect the organization in terms of compliance and preserving workflow, but also through actions seeking to protect not only a record's authenticity, reliability and integrity, but to also ensure their confidentiality, availability and non-repudiation (meaning that their validity cannot be denied). While precautions should be put into place to prevent threats and unauthorized access to information assets, in the rare case that an attack is successful, recovery mechanisms should be able to restore IT infrastructure and systems while also reestablishing access to records and information with as minimal a workflow and stakeholder disruption as possible. While much of this is driven through IT initiatives, security practices are also dependent upon the commitment of the entire organization to prevent external malicious intent through an organizational-wide understanding of ongoing information-related and IT-infrastructure needs as well as compliance and auditing efforts. The organization's efforts must be proactive through an assessment of potential threats and a clear understanding of the current status of the organization's IT safeguards while identifying areas of improvement. Regardless of impact or likelihood, any vulnerability can be potentially exploited, which can be harmful to stakeholders and debilitating to workflow efforts.

Geographic Filing

The geographic filing method is an adaptation of the alphabetic and numeric filing systems. Alphabetically, these relate to records that are being filed by location, such as: countries, cities, provinces and states, anything that would be a geographic location by name. Numerically, this would include records that are filed by their street address, postal or zip code of their location if they begin with a number. Geographic filing can potentially be alphanumeric as well, for example in many countries postal codes consists of both numbers and letters.

Access Control

The importance of access shouldn't be understated. The mechanisms we implement to regulate access offers the gateway to our systems along with to our information assets. Therefore, the level of protection is dependent on both determining what types of access make sense for our organization's needs while also accounting for level of risk. Sousa and Oz (2015) define access control as "hardware and software measures, such as user IDs and passwords, used to control access to information systems" (p. 490). These concerns are not unfamiliar to information professionals. Our policies and processes dictate roles and responsibilities for records handling, retrieval, and best practice, and our training efforts prioritize good conduct, so that those who do access records know how to do so in accordance to the norms of our department and organizational mandates. As a result, programs can regulate access in many ways, such as by limiting those who can retrieve records from our Content Management Systems, records storage facilities, as well as using indexes, identification codes, taxonomy design, RFID labeling and randomized filing to prevent unauthorized access to a record's contents, regardless of their format. For electronic records, access to information may be through user license role permission configurations at the server-level, such as in Microsoft Exchange, or directly in the Content Management System if it requires direct login and user accounts. While the level of security isn't exclusively the burden at the user level beyond logging in, it does require that the system is protected and that those issued access credentials have appropriate privileges and limitations attributed to their access. While access control on the surface appears to be about letting users in, in a way it's more about keeping most people out. System access is a trust relationship, where we ensure that those who are using our resources are authorized to do so, and are deemed trustworthy by having agreed to our requirements and expectations and having obtained authorization to use the system, along with having an actual reason to use the organization's software and information assets. A secure system therefore blocks use to those without permission, whether attempting to access the system externally or internally. We therefore select the technology safeguards necessary to reasonably regulate network entry as well as restrict the flow of data to and from our systems to ensure our security needs.

Numeric Filing

The numeric filing method is another common approach and is typically used to organize numeric information into a manner similar to alphabetic filing. Essentially, numeric files are organized into numeric order. A challenge with numeric filing is that if you don't know the context of the number, it can be very difficult to find the information that you're looking for. Therefore security advocates tend to make the argument that numeric filing is superior to the alphabetic method because there is typically a need for an external filing index, and that index doesn't necessarily need to be kept at the location of the files and may instead be in an otherwise secure location depending on the internal workflow processes of the organization. In this method, you'd approach an index with the topic in mind, identify its corresponding number, and then you'd go to the file cabinet to find the files you need. Numeric filing is a very popular method for organizing financial records, case files, and claim files, pretty much anything that can be organized by numbers. A potential downside of numeric filing is that as records come in they're usually assigned the most recent available number. Consequently, if they're being organized in file cabinets this can lead to heavy levels of congestion in certain areas of the file cabinet where there was increased activity, for example all of the current active records may be congregated at the very front of a drawer or some other designated spot, leading to difficulty finding records. There is a variation of numeric filing called the terminal-digit filing method, which provides more depth to the identification number. Terminal-digital still assigns the most recent number on that list, but adds an identification number based on subject classification allowing for placement into different areas of the filing cabinets that are separated into different subject headings.

Phonetic Filing

The phonetic filing technique is an interesting filing approach, it's less commonly used but it's worth having some familiarity with it in the event you come across this method. The idea is that English language words can be difficult to track in a filing system, since people might not know the spelling or there may be several types of spelling for a record's subject heading. Phonetic filing creates a system where similar words are assigned a numeric code tracked in an index. An example of this is the Soundex method, where most consonants are given a numeric value and then vowels and a handful of other consonants are eliminated from the filing label altogether. In theory, an index would be developed where all the different spellings that may apply to a subject classification and their associated phonetic identification number are presented, preventing user error in the filing and retrieval of records. Phonetic filing can be useful, and is particularly helpful when filing records based on the names of individuals because its inclusiveness of spelling variations means that similar records could be organized together. As great as this sounds, phonetic filing can be quite haphazard, because a lot of words that sound the same don't necessarily have the same meaning yet they could potentially be indexed into the same identification number. Or, because of the limited number scheme, records could end up having the exact same code, requiring the searcher to weed through a lot of content in order to find the actual information that they're looking for.

Policies and Ethical Action

The protection of our records and information assets shows the ongoing due diligence of our security implementation efforts. Whitman and Mattord (2012) describe this process well, stating that: "to minimize liability and reduce risks from electronic and physical threats, and to reduce all losses from legal action, information security practitioners must thoroughly understand the current legal environment, stay current with laws and regulations, and watch for new and emerging issues" (p. 90). The external risk of liability is offset by the conduct of our workforce, implemented security safeguards, and policies that reflect good faith practice on behalf of the organization. The protection of informational assets internally is also important, and internal threats shouldn't be discounted. For example, employees need to value that in most cases, the organization and not the record creator owns that record. The deletion or destruction of records outside of the parameters of the retention policy or IT safeguards is problematic, and can expose the organization to legal risk. There is a difference between being lawful and ethical. Ethical behavior builds on cultural or societal acceptable conduct, which inspires the context and rationale for creating and enforcing laws. While laws regulate acceptable practice with the risk of penalty for noncompliance, ethics are broadly focused and may vary by cultural perspective and/or situation. To ethically support our organization and adhere to the laws of the jurisdiction(s) that we operate in, we can look to achieve two objectives: 1. Establish and promote the ethical values of the organization that we are in, acquire stakeholder confirmation, and establish a baseline of conduct with consequences for non-compliance to the organization's accepted norms; and 2. Adhere to and be influenced by the professional codes of conduct that guide our professional practice. Our actions can impact the credibility of our records and informational assets, and so by promoting ethical conduct and complying to our policies we can encourage best practice.

Reliability and Authenticity

The reliability and authenticity of records can be achieved through a trustworthy records retention process that is comprehensive of the organization's workflow, which includes the routine use of retention policies and other records-related policy documents and practices. When records cannot be furnished upon a discovery request, an attorney can more readily defend the absence of such documents if they were methodically destroyed as part of a normal business process specified in an established records retention policy that is routinely used by the organization. As we'll discuss, records that are currently or anticipated to be subject to litigation should not be destroyed until the litigation situation has been resolved and destruction is approved by the organization's legal counsel.

UNDERSTANDING INFORMATICS USERS (MODULE 7)

UNDERSTANDING INFORMATICS USERS (MODULE 7)

Preparing Electronic Records for Long-Term Storage

Unlike a paper document, which can be put into a file cabinet or box and then ideally stored responsibly in a records center or secure in-office conditions, electronic records require considerable management and intervention to ensure long-term access. Long-term access may be for a set duration in accordance to policy to meet business and/or compliance options, or perhaps the electronic record has historic or intrinsic value and has been selected for indefinite archival preservation. There are four primary methods that we can choose from when preparing electronic files for long-term storage. These methods include: refreshing, migration, emulation, and standardization.

Advantages of Cloud Computing

Utilizing cloud-based computing services can be very beneficial to an organization, because it provides organizations with access to information technology infrastructure that is dynamic, flexible, and offers support to stakeholders at a lower cost This can be an asset to managing electronic records and information because your organization essentially rents the technological infrastructure from a vendor, putting the responsibility of technology upgrades, data migration and support on the third-party vendor organization when it's needed instead of having your own organization provide and maintain those services and resources. These features are typically achievable at a lower cost for cloud-computing subscribers because the subscribers pool their resources together with other client organizations in order to capitalize on a group-rate approach to IT resources. The vendor accomplishes this model because each of their clients share infrastructure with countless other clients, and clients can elect to subscribe to an isolated cloud-based system within their dedicated server space and technical environment. In a successful implementation with seamless integration, users may not even realize that the services they are accessing are actually hosted by a third-party vendor rather than the home organization itself.

Training in General

When trying to implement a new policy, practice, tool or process improvement, it's not unheard of to receive some push back from employees or management who like their current approach and don't understand or value the initiative that's influencing change. For the most part, this can be worked through, especially if your process was developed with the support of leadership in your organization. The implementation of a new process should be gradual in order to avoid frustration by our stakeholders by keeping the disruption of their workflow processes to a minimum. The informaticists along with their partner programmatic areas can offer comprehensive training on the new process as well as explain the importance and role of informatics services so that stakeholders understand the need for the change or new function. Senior leadership should reiterate their support of information-related initiatives so that their staff obtains high-level confirmation that their time and effort in supporting the new process will become well utilized and worthwhile. Training should explain the foundational concepts and features of records, information and data assets, discuss compliance and storage mechanisms, and highlight how eliminating unnecessary and obsolete content can protect the organization from liability. This won't be completed in a day; in fact informaticists and their partners may seek to train and implement processes and policies over time, beginning with the departments that have the highest risk and exposure. Training should be offered to all levels of the organization whenever there is a significant policy adjustment or the information process changes, with the same training also being made available to all new hires upon employment. Managers and executives should understand the legal ramifications the organization faces if they are not complying to the established requirements, in order to hold their own employees accountable. Training should be periodically required and updated.

Litigation/Legal Holds

Whenever it becomes known that there may be litigation or a regulatory investigation, even if a subpoena or notice hasn't yet been issued or the process itself hasn't started, organizations should temporarily suspend the destruction of any related records until further notice, which is a process called the litigation or legal hold. Litigation or legal holds should be issued from the organization's legal counsel and be supported by informaticists working with records and information. All relevant employees and stakeholders should be notified by the organization's legal counsel for immediate suspension of records destruction, and again by legal counsel if and when the matter is resolved and records destruction of those records can resume, as well as under what terms. The organization's legal counsel should issue litigation or legal holds as early as possible, and employees must also act immediately to comply, in order to protect any possible evidence from destruction and to eliminate the risk of spoliation.

semi-active stage

Where records are kept in storage and are referenced and referred to as needed...no longer necessary for the daily course of business and may be put into storage Electronic Records: may be stored in a data warehouse, cloud storage system or other backup medium Paper Records: can be kept in a file room or offsite storage

Digitization of Records

While the majority of electronic records that we interface with will be created in the electronic environment, we sometimes refer to them as born-digital, digitization of analog records can facilitate access and support collaboration. When digitized records are used in conjunction with a Content Management System, the system can serve as a longer-term storage method with associated metadata and records can be indexed and retrieved efficiently. The long-term benefits of digitization include the reduced need for physical storage space and their associated costs. However, when analog records are digitized, their lifespan needs to be considered. If the record is infrequently accessed, it may make more sense to store them in their original format. Furthermore, if the record is near the end of its records retention compliance requirements and business needs have been fulfilled or are about to be, than retaining it in the electronic format is both unnecessary and adds risk of over retaining when it could otherwise be destroyed. The infrastructure needed to set up a digitization program or to establish a vendor agreement to achieve this objective can become very expensive. Digitization, in particular, requires ongoing technology and labor investments, as well as routine support and improvement, so a cost-justification and needs assessment should take place. It's important to note that from a retention policy perspective, compliance requirements are typically format-neutral, and so both analog records and electronic records need to be effectively maintained until requirements are met, and then destroyed appropriately. When analog records are selected for digitizing, the organization is either committing their employees to a time intensive, manual document preparation process or a costly vendor-completed expense. It is ideal for obsolete records to not be scanned and instead destroyed in accordance to the organization's established retention policy. Employees usually love the idea of digitization because they have the belief that they can keep their records indefinitely "just in case," but this is not a good rationale for digitization due to the risks of liability and exposure obsolete records have, and so there should be an established reason and need to retain records which can be specified in the organization's policy framework or records retention schedule. With the exception of frequently accessed analog records that serve an ongoing business need, analog records selected for digitization should have long-term value.

Information Assurance

While this module will serve as an introduction to security priorities related to information access, later in the Informatics program you'll also take a course on Information Assurance. Information Assurance expands on our security efforts while also prioritizing risk management, IT capabilities, and the importance of management decision-making as part of any information-related improvement process, in order to safeguard the organization's information assets. Like many of our actions as informaticists, pursuing information assurance is a collaborative process that depends upon both organizational stakeholders and executive leadership. The commitment of personnel throughout the organization is crucial to supporting information assurance priorities, by highlighting the importance of everyone in our organization being a willing partner in the process of protecting the organization's information assets.

compliance records

are typically treated as format-neutral and important to note whether it is an electronic record, paper record or in another format, the record needs to be maintained responsibly and in compliance with any applicable laws or regulations. *In either stage, records will be assigned a retention period if the organization has a records retention policy

Electronic Content Management System

complex taxonomies can be developed to evaluate records as they are created to determine if they should be attributed a certain classification and retention period or even flagged for preservation. at the minimum they need to capture, manage, and provide access to records throughout their life cycle process.term-8 At a very basic level an electronic filing system may simply be a file server with a very informal file organizational structure, and users are filing records at their own discretion onto that SERVER in order to maintain the records within the organization's server resources and backup systems. **NOT A HOME COMPUTER which is haphazard, and records can be difficult to find and they are at risk of compromise Examples: Microsoft Share Point Box Epic Systems

Content Management Systems

contain the ability to capture and manage electronic records from a wide variety of systems and devices, and can serve as a focal point of governance for their integration and management. are extremely dynamic platforms that can offer a focal point of information exchange for our organizations. But it's not an out-of-the-box solution. A successful implementation requires high levels of customization to manage electronic records, compatible third-party products to fully integrate information assets, and a governance strategy that makes the system useful and effective. The key struggle organizations have with these systems is the extensive customization and IT resources that are also contingent on employee user adoption, compatible technology, personnel proficient in its management, and employees adept in using it. Informaticists can work with IT and other stakeholders to help influence the system's customization and adoption for the most effective management of electronic records and information. The system needs to also be set up with stakeholder use, effective design, legal requirements and risk considerations in mind. A loosely set-up Content Management System results in a great deal of user autonomy in regards to access, use and management, which may appear desirable in some instances, but can have the result of the system being used under each user's own terms rather than with effective oversight. Ultimately, such an approach can become haphazard and burdensome. Instead, by keeping in mind that Informaticists need to work with users to identify how their content is used, they can continuously explain the importance of the system, influence and develop reasonable workflow within the system that enhances user productivity, and be receptive to ongoing change. In such an approach, a comprehensively managed system can still be an easy to use and helpful system. Furthermore, this can result in important intrinsic benefits, which can include an understanding that the system benefits the organization; and that users find it easier to locate their organized information when needed to aid in their own responsibilities and collaborative efforts.

Refreshing

is a method where electronic records are simply copied from the original hardware to another device of the same design. While this may be an acceptable system for backup purposes, as technology changes the records stored on the older hardware may have compatibility problems with current versions. This is a method that could work in the short term for active electronic records, but is not ideal for archival preservation.

Emulation

is an interesting concept, based on technology that initially allowed for older video games to be played on current computer systems. The premise is that instead of updating computer hardware and file formats, by using emulation software a newer computer can run older operating systems and proprietary software as if they were on the original system. There are several problems with this method. The older software must be obtainable, and over time this may become more difficult. Also, software developers must remain motivated to develop and support both emulation software and the proprietary software operating within those systems, and over time demand may decrease and support may not remain available.

records retention schedule

is an organizational policy document that can be adopted to provide legal or institutional authorization by the organization to retain records throughout their life cycle and then specify when they can be subject to disposal

Migration

is the method of copying electronic records from the older hardware to a more current system. This is an attempt to avoid the incompatibility of older hardware by transferring files before they become inaccessible by newer technology. This should be done as part of a routine check of older systems and awareness of technological changes in order to determine the appropriate time for migration. The concept applies to proprietary software versioning as well, where electronic records can be converted to the newer version of the same proprietary file format.un

Cloud Computing

refers to the outsourcing of information technology infrastructure and software services to external industry professionals so that our organizations don't have to host, upgrade and maintain their own hardware and software infrastructure. Outside providers: where the storage of your records is under the custody of an outside provider. Internal: interface and storage software, or it could be a custom implementation of your own software system hosted in the cloud environment example: Box (internal sotfware use) Google docs (outside provider) Dropbox (outside provider)

Fundamental Component of Informatics

the management of data, information and records in electronic systems that serve as effective repositories and workflow support not just for storage but for user access and interpretation, destruction/purging of content when no longer needed, and to meet any compliance requirements.