Posted by: Tony Bradley
data breach, data protection, Microsoft SharePoint
This is a guest post by Antonio Maio, Microsoft SharePoint Server MVP and Senior Product Manager, TITUS:
According to a 2011 AIIM survey, organizations are experiencing a 23% yearly growth in electronic records. This rapid growth presents a challenge to organizations that must comply with records management regulations while ensuring that the right people are accessing the right information.
To address this challenge, many organizations are looking to Microsoft SharePoint. With its powerful record-keeping capabilities, organizations can now manage their records using the same platform as they use for everyday collaboration and document management.
Records Management is one of the most popular drivers for using Microsoft SharePoint. Despite how much has been written on this, Records Management is sometimes confused with Document or Content Management, but it is in fact quite a unique discipline with its own best practices and processes. Microsoft SharePoint provides some great features to enable these processes, and it provides enterprises with the appropriate controls for the data and documents that they declare to be corporate records.
A record refers to a document or some other piece of data in an enterprise (electronic or physical) that provides evidence of a transaction or activity taking place, or some corporate decision that was made. A record must be retained by the organization for some period of time. This is often a legal or regulatory compliance requirement. As well, a record by definition must be immutable, which means that once a document or piece of data is declared to be a record, it must remain unchanged.
The period for which records are retained, along with the process followed once that time period has expired, is a critical requirement for records management. There are legal and business implications to consider when content is kept too long. The business policy could be that after X years, a record is archived and then after Y years from that point it is disposed of (which could include deletion or moving it to offline long-term storage). Again, establishing this policy requires planning and getting agreement from stakeholders, especially around any legal, regulatory compliance, revenue or tax implications.
The requirements for records immediately suggest certain processes that must be in place to ensure that records are managed appropriately from several perspectives: business, auditing/legal, tax, revenue, and even business continuity. As we often find, for business processes to be applied consistently across all SharePoint content or records, automation is a key requirement, as well as making appropriate use of metadata.
The first step in implementing records management in SharePoint is to define a file plan, which typically includes:
· A description of the types of documents that the organization considers to be records
· A taxonomy for categorizing the records
· Retention policies that define how long a record will be kept and how to handle disposition
· Information about who owns the record throughout its information lifecycle, and who should have access to the record
It is important to determine what type of content should be considered a record. For example, if I am working on a new HR policy for next year, my initial draft and its various iterations should likely not be considered records because they are still changing – they are not yet approved or final, nor can I make any decisions based on those preliminary versions. But once my HR plan is ‘approved’ or considered ‘final’ then it can be declared a record because I can now base corporate decisions on it. Establishing a policy around what type of data is a record requires planning, meeting with appropriate stakeholders and agreeing on policy that’s communicated to everyone that may be declaring content as a record.
Once the organization has defined what information it wants to preserve as records, SharePoint 2010 provides several methods to declare a record and implement record retention policies. These include the Records Center site, which is a SharePoint site dedicated to centrally storing and managing records. It provides many features that are critical to implementing a records management system, including a dashboard view at the site level for Records Managers with searching capabilities and integration with the Content Organizer for routing records within the site. Depending on the business need, it may make sense to centralize records management and storage in the Records Center. This is particularly true if the business demands that a small number of users be considered “Record Managers” and it is their role alone to declare content as records.
A second method involves declaring records “in-place”. This feature allows individual users to declare content as records in their current SharePoint location. Records do not need to be moved or added to a central Records Center site, nor do they need to be routed within the Records Center. This is a trend in the records management space, because it allows users to continue to find content where it resides, based on its business nature, topic or properties. One drawback of this approach is that end users – who are typically not records managers – may be apprehensive about declaring records, due to the official and legal nature of a record.
The powerful recordkeeping capabilities in SharePoint give organizations an effective enterprise records management system. SharePoint contains valuable features that can be used to define the appropriate records and retention policies for the business.
TITUS is exhibiting at Infosecurity Europe 2013, the No. 1 industry event in Europe held on 23rd – 25th April 2013 at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk.