Thursday, May 14, 2015

ARMA TR24-2013 Best practices for managing electronic messages



Another day, another standard. Let's see what this one says.
  • It could serve as a complement to ANSI/ARMA 19-2012, Policy design for managing electronic messages.
  • There's the standard definition of terms. I like nonrecord.
  • PDF/A is ISO 19005; PDF is ISO 32000-1.
  • Preserved messages should have (or be linked to) necessary metadata, such that:
    • Necessary metadata to render and make understandable content, context, use, and structure
    • Logical and physical structure remains intact
    • Business context (creation, reception, use) is apparent
    • Links and attachments are present
    • Hyperlinks are intact and docs available
    • Integrity of docs with threads, embedded files, and digital objects is maintained
    • Metadata is preserved
    • Header data is maintained and indexed for retrieval
    • Authorization is enforced
  • Electronic messages include email, forums/listservs, IM, SMS.
  • Components: addresses, conversational threads, receipts, subjects
  • Metadata is important. Management of metadata should be linked to the records retention policy, including:
    • Security and privacy policies that define retention of metadata
    • Mandating which metadata is editable
    • Specifying which metadata is part of the audit trail
    • Which metadata can be accessed by which entity
  • Separate storage of metadata makes access easier, but strips out context and linkages
  • Common metadata elements:
    • ID
    • Subject
    • Date/time sent
    • Date/time received
    • Sender/originator (X.500 format)
    • Prior originator
    • Addressees/Participants (X.500)
    • Location
    • Attachments
    • Message format
    • Message type (email, IM, SMS, etc.)
    • Message size (bytes)
    • Language
    • Electronic signature
    • Encryption
    • User-defined metadata
  • Records management metadata:
    • Records category
    • Classification date/time
    • Disposition event trigger (date or event)
    • Disposition certificate
    • Migrate date
    • Migration history (trail of migration events)
    • Retention schedule (pointer to schedule)
    • Access domains (credentials, possibly at the field -- not record -- level as per EU Data Protection Directive, HIPAA, etc.)
  • Records utilization metadata:
    • Access (ID of entity, including system)
    • Access events
    • Access event time stamp
    • Access restrictions
    • Access event detail
    • Annotation content
    • Hold (yes or no)
  • Section 4 gives us some details on managing organizational requirements. It notes that an Electronic Message Management (EMM) program should include:
    • Appraisal and identification of records vs. nonrecords
    • Auditing
    • Electronic systems/file formats/file plans
    • Legal holds and ediscovery
    • Media obsolescence; tech conversion and migration
    • Metadata
    • Preservation
    • Program quality improvement
    • Regulatory and statutory requirements
    • Retention and disposition
    • Risk management
    • Search
    • Security, confidentiality, privacy
    • Training
  • Section 5 is a review of Electronic Messages as Records. It references GARP, ISO 15489, and ANSI/ARMA 19-2012, Policy design for managing electronic messages.
    • Presumption of authenticity: "For records in the form of electronic messages, authentication techniques should be as technology-neutral as possible."
    • Digital signatures may be impossible to migrate. InterPARES recommends detaching the signature and adding information to the integrity metadata.
    • Drafts aren't generally records
    • Copies: "If a copy or duplicate exists that is not in support of business activities, but for mere convenience, it is not considered a record."
  • The records lifecycle:
    • Creation
    • Appraisal. Determine how to retain records. Value can be fiscal, legal, operational/admin, research/historical. EMM policy includes:
      • How and by whom schedules will be applied
      • Training programs
      • Periodic/random audit
    • Classification.
    • Disposition. Destruction or transfer. Destruction is described in ARMA's Contracted destruction of records and information media.
    • Preservation. ISO 14721; ISO 16363. Or Preserving Email by Christopher Prom or InterPARES 3 reports: Keeping and Preserving Email and Guidelines and Recommendations for E-Mail Records Management and Long-Term Preservation.
      • Native format like SMTP is best. Note: FRCP 34(b) mandates that ESI must be produced in "a form or forms in which it is ordinarily maintained or in a reasonably usable form or forms."
  • Records management tools should support email
  • SMTP is popular but might result in loss of data such as rich formatting or embedded objects. Other formats include MBOX and EML. XML is best. PDF/A for attachments. X.500 for address metadata.
  • Cloud storage. Consider:
    • Data location/jurisdiction
    • Data security
    • Legal
    • Cloud services (segregation, etc.)
    • RIM
    • See ARMA's Guideline for outsourcing records storage to the cloud and Guideline for evaluating offsite records storage facilities and Guideline for outsourcing electronic records storage and disposition.
  • Concerns include obsolescence, mobility and remote access.
  • Legal issues:
    • Holds and ediscovery
    • Statutes and regulations
    • Vital records
  • Specific business continuity plan. It provides good details.
  • Backups. References to NISPOM and NIST guidelines on sanitization.
  • Section 10 is audit and compliance.
    • Have people sign the EMM policy
    • Monitor usage
    • Train and include it in the handbook
  • Compliance metrics from:
    • Audit logs
    • Desk checks
    • Discovery drills
  • Section 11 is about security:
    • Confidentiality. Information is either public or it's confidential. Confidential information either can't be transmitted electronically or must be watermarked "for internal use only".
    • Personal information. Good guidelines on legislation.
    • Encryption: secret key vs. public key
  • Section 12 is all about training and communication. Training should include: etiquette, RM practices and principles, security, confidentiality, privacy, copyright, statutory/legal requirements. Training should be evaluated.
  • Section 13 is about program improvement.
  • The appendix is a pretty good audit framework.
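
To make the "common metadata elements" list concrete, here is an added example (not from the standard or from this post) that pulls those fields out of a natively stored EML message using Python's standard library and records a SHA-256 digest as integrity metadata. The sample message, the function name `message_metadata`, and the dictionary keys are assumptions for illustration; addresses are kept as RFC 5322 addr-specs rather than converted to X.500 form.

```python
import hashlib
from email import message_from_bytes, policy
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample message (not from the standard or the post), CRLF line endings.
SAMPLE_EML = b"""\
Received: from mail.example.org by mx.example.com; Thu, 14 May 2015 09:00:05 -0400
Message-ID: <constructed-0001@example.org>
Date: Thu, 14 May 2015 09:00:00 -0400
From: Alice Example <alice@example.org>
To: Bob Example <bob@example.com>, records@example.com
Subject: Q2 retention schedule
Content-Language: en
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Schedule attached.
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="schedule.pdf"

(constructed placeholder body)
--b1--
""".replace(b"\n", b"\r\n")

def message_metadata(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    hops = msg.get_all("Received", [])
    # Topmost Received header is the final hop; its date follows the last ';'.
    received = parsedate_to_datetime(str(hops[0]).rsplit(";", 1)[1].strip()) if hops else None
    sent = msg["Date"].datetime if msg["Date"] else None
    def addrs(*names):  # bare addresses from the named header fields
        return [a for _, a in getaddresses([str(v) for n in names for v in msg.get_all(n, [])])]
    ctype, smime = msg.get_content_type(), msg.get_param("smime-type")
    return {
        "id": str(msg.get("Message-ID", "")).strip(),
        "subject": str(msg.get("Subject", "")),
        "sent": sent.isoformat() if sent else None,
        "received": received.isoformat() if received else None,
        "sender": addrs("From"),
        "addressees": addrs("To", "Cc", "Bcc"),
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
        "format": ctype, "size_bytes": len(raw),
        "language": msg.get("Content-Language"),
        # MIME-level markers only: multipart/signed|encrypted or S/MIME smime-type.
        "signed": ctype == "multipart/signed" or smime == "signed-data",
        "encrypted": ctype == "multipart/encrypted" or smime == "enveloped-data",
        "sha256": hashlib.sha256(raw).hexdigest(),  # digest of the stored bytes
    }
```

The digest is computed over the raw bytes as stored, so any later edit to the headers or body changes it; records-management and utilization metadata (category, hold, access events) would live alongside this in the repository rather than in the message itself.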





