Email and Collaboration Risk for Records Managers
In a previous blog, we explored how the growing need to capture social site content and track it as records is now another layer of complexity that records managers must contend with. Added to that are the challenges posed by email and collaboration.
The cloud has made the dissemination of information easy, maybe too easy. The average organization has 72 business partners. In many organizations, more than you would like to think, access levels for users are often inadequate, or simply wrong. Users may have had access to records, sensitive information, or privacy information for a specific project, and the access levels may have never been removed.
Users share passwords as well as information. In turn, the information may then be shared with third parties. Once the information has left an organization, it’s gone, and it’s gone forever. For better or for worse. The challenge is to stop the sharing of unauthorized content before it happens. But how?
This is where security enters the picture and re-evaluates the access levels of users. How do you stop users from sharing passwords? Good question, and I don’t know the answer. Records managers must evaluate the content to determine if it is a record. If so, it must be processed according to organizational policies.
Email represents a significant weakness in an organization. Although most organizations manage email, it is done by those in administrative rather than security roles. How many times are presentations sent to a whole group of users? And how many times do those files remain dormant once accessed? Do they represent a risk? Information that is shared poses a significant security risk, particularly when it contains client, personal, or financial data. Information that is unmanaged, or mismanaged, can hamper litigation and make an organization vulnerable during eDiscovery. Collaborated content represents records, so it must be processed and treated as such.
One way to handle the disposition of emails and other content is to take a zoned approach. Using three zones, the information can be categorized for deletion or for declaration as records, depending on the content. Answering the following questions provides the framework for effectively managing the content.
- When must the information be classified or categorized, at the time of creation or within a certain time period?
- Who may access and retrieve archived emails, and for what purpose?
- Are there privacy regulations in place to limit access?
- Is there a specific definition of what makes an email a ‘business record’ or must all emails be managed, including personal emails sent and received on business accounts?
- How long must emails be retained?
- Are there requirements for how and where emails are stored?
Zone one emails are the regular emails that everyone receives each day. Some are records, some could be records, but most are probably of the ‘read and delete’ variety. In zone one, unless an employee explicitly indicates otherwise, these emails are automatically deleted after a set period of time, usually 90 days. This auto-delete policy will cause resistance from staff who are used to keeping email in their Inbox indefinitely.
Zone two emails are defined as emails with corporate value, but which have yet to be declared as records. This zone is like email purgatory, in that some action needs to be taken on them in a set amount of time, usually one year. Either they get declared as records or they get deleted.
Zone three emails are defined as records that need to be moved into an enterprise records repository and have some kind of policy placed on them, for retention, disposition, or eDiscovery, for example. These are email records that need to be managed properly.
Records management professionals face increasing challenges from content ingested and consumed by their organizations on a daily basis. However, chosen policies and processes must offer organizations appropriate protection.
Concept Searching technologies enable short and long-term strategies for managing content, due to their ability to address standard records management requirements. Our solutions comprise one set of technologies to achieve data cleanup, migration, protection of privacy information, improved enterprise search, and effective content management.
Compliance and information governance are incorporated from the beginning, encompassing the identification of a single source of truth and adherence to legislation, such as the Health Insurance Portability and Accountability Act (HIPAA), enabling control and protection of critical data, and proactive risk management. If an organization has a taxonomy that mirrors the file plan, documents can automatically be declared records and routed to the records management application or managed in place. In the SharePoint environment, the technologies will automatically change the content type during processing. An added benefit in the SharePoint environment is that this works bisynchronously with the SharePoint Term Store, reading and writing in real time.
If you are starting to get bogged down with content, then a demo could help show you how to take the pressure off and process all forms of records, regardless of format. Nothing ventured, nothing gained. Hope to speak with you soon.