Intelligent Enterprise featuring Transform
September 2003

Ask the Experts

Where to Start With Records

by Penny Lunt

A viewer of Transform Magazine's recent Web seminar "Content Compliance: Managing Corporate Records" asks, "The records management requirements of Sarbanes-Oxley and ISO standards seem quite overwhelming. Where do you start?"

Charles P. Brett, Sr. Program Director, Technology Research Services, Meta Group, Reston, VA

There is a major difference between Sarbanes-Oxley (SOX) and ISO 15489: SOX is a mandated regulation for all public companies while ISO is a guideline for a records management (RM) framework. SOX was designed to enhance and enforce corporate governance and accountability, and contains serious provisions for the management, security, distribution and disposal of (potentially) vast amounts of corporate content, both in electronic and paper form. ISO 15489 has two parts (15489-1 and 15489-2), with section one specifying the elements of RM and expected results and section two providing a methodology for meeting section one standards.

SOX and ISO are actually complementary in that an organization looking to satisfy the RM stipulations in SOX may be well advised to use ISO 15489 as a framework. Implementing an RM framework is a process involving several steps as well as constituents from IT, legal and compliance, among others. The process begins with an assessment of what constitutes a corporate record (which may have different classifications under SOX and ISO) and ultimately leads to enterprise implementation, audit and refinement. ISO 15489-2 is a very good starting point for instituting RM.

Julie Gable, Founder and Principal, Gable Consulting, Wyndmoor, PA

First, put together an oversight team of legal, tax and senior management advisors who will have sign-off power on all enterprise policies and procedures. The team's immediate objectives are to draft basic policies governing RM and to develop strategies for moving forward in increments.

Policies explain the company's attitudes toward keeping records to satisfy business, regulatory, legal and fiscal requirements. Policies typically state that the company destroys documents in due course when they have reached the end of their required retention, that company officials approve destruction and, most importantly, that destruction activities stop if litigation or investigation is imminent. Communicate the policy to all employees as soon as it is finalized.

Devising strategy requires realistic risk assessment. Risks vary by type of industry but can include disasters, product liability litigation, patent defense lawsuits, EEOC lawsuits, regulatory audits (such as FDA or EPA), and SEC investigations, among others. In every instance, the point is to produce the required records or be able to competently defend not having them. The RM program - policies, retention schedules, vital records protection, employee training and compliance audits - addresses these risks.


A Publication of the Network Computing Enterprise Architecture Group
Brought to you by CMP Media LLC, Copyright © 2005