Purpose

To provide a practical set of resources that will assist members of the higher education community in addressing related issues of electronic records management (ERM), e-discovery, and data retention on their own campuses.

Introduction

We all create and use information every day. Taking care of that information (in all its many forms) is an effort requiring shared responsibility by each member of a specific community. Just figuring out where to start and what needs to be done can be a time-consuming task.

Some institutions have done a lot of work in this area, while others have just gotten started, and still others have done little or nothing. We all have an opportunity to learn from and share with each other. This set of resources is intended to be a collaborative and evolving effort. Please use this forum to share what you have done! It might be just what someone else is looking for. If you have questions or comments regarding this toolkit, or if you'd like to contribute your own material, please contact the Higher Education Information Security Council.

This toolkit will provide valuable information on the following areas:

ERM Background and Context

Interest in records and information management (RIM) continues to increase among university & college leadership due to new compliance regulations and statutes. The growing number of corporate scandals and government incidents involving questionable or deficient records management practices has raised general awareness of and created a critical interest in records compliance, retention period requirements, litigation preparedness, data security & privacy, and many other records and information management issues.

Records management is often seen as an unnecessary or low priority administrative task that can be performed at the lowest levels within an organization. However, this perception is changing as these publicized events have demonstrated that records management is in fact the responsibility of all individuals within an organization.

Electronic Records Management

The general principles of records and information management apply to records in any media, form and format. However, the complex attributes of electronic records (also called digital records) present specific issues that records stored in paper and microfilm do not typically share. For example, it is more difficult to ensure that the content, context and structure of electronic records are preserved and protected.

Several concepts are critical when addressing Electronic Records Management. A simple way to think about it is to imagine all information existing within a lifecycle. From the moment of creation until the time it is no longer needed, information should be managed with care according to a variety of factors, including sensitivity, confidentiality, and desired longevity.

Within the information lifecycle, information may take different forms over time. Records are one type of information. Electronic records are those records that have been created or stored using electronic systems.

Records may be grouped into classes according to a variety of factors. Common factors include, but are not limited to, record type, sensitivity, confidentiality, and desired longevity.

Based on those classifications, records can then be scheduled according to their required or desired retention periods, and their recommended method of disposition. In addition, certain classes of records may only be appropriate for access by certain members of a community. Almost all records are subject to discovery.

The entire process by which an organization creates, classifies, controls, and authorizes access to electronic records is known as Electronic Records Management.

Related Topics

Practical Guide to Getting Started

So what's the best way to get started? The answer to that question will largely depend on the particular culture of your campus and your knowledge of the players involved.

No matter where you start, though, you likely won't get far unless you have the support of top-level administration, and can build a critical mass of people within the community who understand (and can help others understand) what's at stake.

Who to Involve?

Potential partners include legal counsel, internal auditors, chief information officers, information security officers, privacy officers, records managers, archivists, comptroller, head of student affairs, and head of academic affairs.

What to Do?
  • Know what records you have & where they are (data or records inventory).
  • Decide how sensitive or valuable those records are (data classification & records retention/disposition scheduling).
  • Prioritize (start with the most sensitive or valuable stuff first).
  • Understand the alphabet-soup-of-regulations (e.g., HIPAA, FERPA, FOIA, GLBA, PCI-DSS, ISO, COBIT).
  • Find out what others in your region are doing (collaborate, don't reinvent).
  • Form partnerships with state & national organizations addressing this issue.

Raising Campus Awareness

Need help making the case? Here's a presentation you can tailor to suit your needs and institutional culture. Good luck!

Building and Providing Tools

Access control is any mechanism by which a system grants or revokes the right to access some data, or perform some action.

Data classification is the act of placing data into categories that will dictate the level of internal controls to protect that data against theft, compromise, and inappropriate use.

Records inventory

A records inventory is a detailed listing of the volume, scope, and complexity of an organization's records, usually compiled for the purpose of creating a records schedule. The results of the inventory can be used to analyze the records for various purposes including retention and protection. For more information, please refer to Records Retention & Disposition – Records Inventory.

Records Retention and Disposition Schedule

Records retention is the act of keeping records for as long as they have administrative, business, legislative and/or cultural value. Retention specifically refers to the period of time a document is required to be kept. At the end of the retention period, the document becomes eligible for disposition.

Records disposition refers to actions taken with regard to records that are no longer needed for current business as determined by their appraisal pursuant to legislation, regulation, or administrative procedure. The term "disposition" includes both actions of destruction and the transfer of records to an appointed archive for permanent preservation. For more information on retention and disposition, please refer to Records Retention and Disposition.

Information Management Policies

These policies describe expectations for handling certain types of content.

  • Incident Response – An incident response plan outlines actions to be taken in the event that information or systems have been compromised.
  • Privacy – Privacy policies set forth the expectation for safeguarding and sharing of information entrusted to an institution.
  • Security – Security policies describe the legal, privacy, and security-related responsibilities that members of the institution have.
  • Responding to Law Enforcement Requests – Policies in this area assist faculty and staff in responding to investigative contact by law enforcement officials.
  • Responding to Open Records Requests – Policies in this area assist faculty and staff in responding to open records requests.


Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.