Slideshow 6 Steps to Establish an Information Management Policy

  • August 14 2012, 8:35am EDT

The following slide show presents the path toward a successful IM policy implementation taken by one CIO at an enterprise we’ll call ABC Corp., as retold by Tom Turner, president at Document Solutions Inc.

Step One: Take Inventory

To establish a baseline, find out how much disk space is being used to back up and archive data, how many backup tapes are stored off-site and how much data each tape contains. Don't forget paper files; most companies have thousands of boxes of files stored off-site. Then take a sample of the data to get a rough idea of how much qualifies for transfer to the Safe Harbor folder –the area where electronic documents are kept that meet the company’s criteria for retention – and how much can be deleted. If your sample is truly random, and depending on the volume of data that you have, as few as 500 documents may provide a statistically valid sample that can be extrapolated to the entire system.

Content Continues Below

Step Two: Identify the Types of Records that Must be Retained

This will vary by industry. If you are a regulated industry, like ABC Corp., regulations lay out for you that certain records must be kept for at least 10 years. In ABC’s case, this included financial records, documents about how they acquire and respond to customers, and how they determine pricing. These documents were moved to the Safe Harbor folder. For ABC Corp.’s nonregulated records, determining which records must be retained and for how long was more difficult, because it required an examination of how the company does business and what information is essential to running the business.

Step Three: Appoint Records Coordinators Throughout the Company

The actual implementation of the IM policy is carried out by records coordinators at the business unit and department level. ABC Corp. currently has about 150 records coordinators, which works out to one coordinator for every 22 employees. The CIO stressed that department heads, not he or his staff, are the final arbiters on what to keep and what to delete because department heads, not the IT department, know what information is important to keep in their area of expertise. However, to prevent department heads from being overly accommodating in deciding what to keep, the CIO’s team conducts periodic audits.

Step Four: Institute a Strict Email Retention Policy

At ABC Corp., the email policy is that any email not moved to the Safe Harbor folder within 90 days of its creation or receipt will be automatically deleted. No exceptions. This policy is also subject to audit. The CIO believes this may have been the hardest part of implementing the company’s IM policy, because many people are conditioned to treat their email as a to-do list. That is, they are being managed by their email instead of managing it. However, he found that it is quite possible for a large, national company to run very well under this policy. No essential information was lost, no projects were imperiled.

Content Continues Below

Step Five: Kick Off and Sustain the Program with Records Retention Weeks and Periodic Audits

Each business unit and department had a deadline for cleaning up their records, which culminated in a “Records Retention Week,” during which everyone in the business unit or department went through all data under his or her control – both electronic and paper files – and decided what to keep, archive or trash. Extra paper shredders were brought in to handle the paper files thrown away. At the end of records retention week, the IT department conducted an audit to make sure that the process was successful, and has since repeated these audits annually.

Step Six: Prevent Unauthorized Data Removal or Archiving

An IM policy would be meaningless if data can be removed from the audit process, which is why ABC Corp. requires that all data be saved on the company’s servers, not on individual desktop computers. There are also no USB ports, CD burners or any other data removal devices on any terminal. All of the data that employees work with resides on the company’s servers. A secure mobile access system allows them to access their data from anywhere, anytime, so they can work off-site or after hours with complete access to all of their files if the situation requires it.

For more …

Click here for the extended article by Tom Turner. To read more news, trends and instructional articles on e-discovery, click here. All photos used with permission from ThinkStock.