As more organizations and federal agencies begin implementing changes to comply with NARA electronic record standards, it becomes apparent that the burden is not just in the conversion of physical records to electronic records, but also the management of that same content.
No longer are sensitive records able to be secured through physical measures, such as transport to an off-site location. With the move to electronic records, the process has shifted, and one of two things tend to happen:
More burden is placed on the security and IT teams to ensure proper records retention, or
Records managers are tasked with becoming IT professionals in order to properly manage the systems of record.
In addition, the volume of content is far too vast to manage with the same level of oversight that it was when the records were stored in a physical repository. These records may also span several systems.
To properly manage this shift, organizations should implement a Risk/Value Framework with respect to their content. The goal is to understand what content holds the most value and what content holds the most risk. By understanding and categorizing the content, it is then easier to understand which systems require more scrutiny and oversight and which don’t. Additionally, the content that does not fall into one of the risk or value categories can be handled separately and will require less time to manage.
There are multiple ways to utilize this framework, and there are many standards out there. Regardless of which you choose, be sure to:
Identify: Identify the systems that are being used as systems of record.
Categorize/Classify: Categorize the system based on the information contained. This can also be done via a business impact analysis.
Assess: Assess current security controls and, based on the new categorization, note necessary changes.
Implement: Implement new security changes.
Review: Review the security changes to ensure that the systems are operating as intended.
Authorize: Set permissions to the locations as necessary.
Monitor: Monitor the systems and locations that have been identified as having content in the risk or value categories.
While this sounds like an extensive process, it does not have to be. There are automated solutions that can perform the legwork for the bulk of this framework. AvePoint’s Enterprise Risk Management is able to assist in the assessment of data, validating how it’s used and accessed, documenting security controls and reporting on the risks and breaches.
The transition to electronic records does not have to be any one team’s responsibility. By utilizing the proper framework, records managers can feel confident that the records are stored properly and IT and security teams can feel confident that the proper controls are in place to prevent leaks. With teamwork and the right solution to help automate the process, everyone can sleep better at night.
Antoine Snow is a senior solutions manager at AvePoint, leading the Public Sector business unit. He has held various positions in IT over the past several years ranging from front-end web developer to Microsoft 365 Service Owner. In his current role, Antoine focuses on governance and adoption challenges plaguing the modern workplace and helping government organizations understand the components of a governance strategy and its implementation. Antoine's views on these topics can be found in various blog posts and has been the focus of one-to-one workshops.