Putting policy into practice


Best practices for developing and implementing a practical, effective and enforceable records and information management policy. Please contact Blake E. Richardson, CIP, CRM if you would like additional information - rm4dummies@gmail.com!


  • 1. PUTTING POLICY INTO PRACTICE: How to develop and implement an effective RIM policy

  • 2. AGENDA
      • Understanding what a policy is (and isn't)
      • Basic policy characteristics
      • Fundamental policy components
      • Obtaining policy approval
      • Distributing the policy
      • Auditing for compliance

  • 3. WHAT A POLICY IS (AND ISN'T)
      • Instructs employees what to do (Policy)
      • Not how to do it (Procedure)
      • When drafting a policy it is recommended to make notes of subject matter that will require an associated procedure.

  • 4. BASIC POLICY CHARACTERISTICS
      • Simple
      • Concise
      • Relevant/specific
      • Enforceable

  • 5. BASIC POLICY CHARACTERISTICS: Simple
      • Employees need to be able to understand what you are trying to communicate. Avoid using overly formal wording, acronyms and long sentences.
      • The policy should be constructed and worded so that it can be understood by all employee levels.
      • Remember you know the subject matter; don't assume the policy reader does.

  • 6. BASIC POLICY CHARACTERISTICS: Concise
      • A policy does not have to be long to be effective.
      • The shorter the better; a concise policy will increase readership.
      • "Long email syndrome"

  • 7. BASIC POLICY CHARACTERISTICS: Relevant/specific
      • The policy should address relevant issues and provide specific direction that will guide the employee's decision-making.
      • Policies that aren't specific inevitably lead to inconsistent employee behavior.
      • Inconsistency leads to reduced policy compliance and an increase in organizational risks.

  • 8. BASIC POLICY CHARACTERISTICS: Enforceable
      • It's assumed (by outside entities, e.g. courts, commissions, regulatory bodies) that what's contained in a policy can and will be followed.
      • The policy shouldn't include any elements or directions that employees are incapable of following; this may include lack of technology, resources or training.

  • 9. FUNDAMENTAL POLICY COMPONENTS
      • Purpose
      • Scope
      • Glossary
      • Audits
      • Vital records
      • Retention schedule
      • Information hold orders
      • Record storage
      • Network and hard drives
      • Email
      • Information destruction

  • 10. FUNDAMENTAL POLICY COMPONENTS: Purpose
      • The purpose states the reason for (or objective of) the policy.
      • Example: The purpose of this policy is to ensure the complete lifecycle management of organizational information.

  • 11. FUNDAMENTAL POLICY COMPONENTS: Scope
      • The scope communicates what and who the policy applies to.
      • Example: This policy applies to all company employees and governs the management of physical and electronic information.

  • 12. FUNDAMENTAL POLICY COMPONENTS: Glossary
      • A policy often includes terminology that's unfamiliar to employees. It's recommended that the policy contain an appendix of terms with definitions.
      • If the policy is electronically posted (Intranet), hyperlinks can be established to provide a definition for each term.

  • 13. FUNDAMENTAL POLICY COMPONENTS: Audits
      • The policy should inform employees that all topics and matters contained within the policy should be complied with and are subject to internal and external audits.

  • 14. FUNDAMENTAL POLICY COMPONENTS: Vital records
      • The policy should contain a section on the identification and protection of the organization's vital records.
      • Example: It's the responsibility of each department head to identify their operation's vital records.
      • It's important to clearly define the term "vital records". The term is often misinterpreted by business owners.

  • 15. FUNDAMENTAL POLICY COMPONENTS: Retention schedule
      • Specifically address the purpose of the retention schedule and the requirement that it be followed.
      • Additional information can be added to this section of the policy, which addresses requests for modifications to the schedule.

  • 16. FUNDAMENTAL POLICY COMPONENTS: Information hold orders
      • All employees should fully understand their responsibility regarding information hold orders.
      • The policy should clearly state that any information on hold, regardless of the reason or matter, should be retained, even if the retention period of the information has expired.

  • 17. FUNDAMENTAL POLICY COMPONENTS: Record storage
      • The policy should address that organizational records should only be stored with approved vendors.
      • In this section of the policy you can also address environmental and security requirements for long-term onsite records storage.

  • 18. FUNDAMENTAL POLICY COMPONENTS: Network and hard drives
      • The policy should provide guidance on the use and maintenance of network and hard drives.
      • Example: Hard drives (C: drives) are not to be used for the storage of company records or information of business value. This type of information must be stored in a repository accessible by employees with appropriate authorization.

  • 19. FUNDAMENTAL POLICY COMPONENTS: Email
      • Policy should take into consideration what technology the organization has implemented related to email management.
      • Some organizations have a separate email usage policy that typically does not address information management.

  • 20. FUNDAMENTAL POLICY COMPONENTS: Information destruction
      • The policy should address proper methods for the destruction/deletion of physical and electronic information.
      • This section of the policy would also include that only approved destruction vendors are to be used.
      • Certificates of destruction are to be received and appropriately retained.

  • 21. OBTAINING POLICY APPROVAL: Group effort
      • Before distributing the policy throughout the organization, it may require review and approval by other departments:
          • Internal Audit
          • Legal
          • IT
          • Compliance
      • Example: If the policy states that compliance is subject to audit then you want to ensure that the Internal Audit Department can support the statement.

  • 22. DISTRIBUTING THE POLICY
      • Hardcopy
      • Softcopy/email with attachment
      • Intranet

  • 23. DISTRIBUTING THE POLICY: Hardcopy
      • Least recommended option
      • Periodic updates
      • In smaller organizations this approach may be appropriate.

  • 24. DISTRIBUTING THE POLICY: Softcopy/email with attachment
      • Not recommended for similar reasons (periodic updates).
      • Allows for easier distribution v. hardcopy.
      • Distributing the policy via email (attachment) allows you to provide additional commentary regarding the policy to the recipient, such as that the policy needs to be reviewed by a certain date and that the recipient must respond that they have reviewed the policy.

  • 25. DISTRIBUTING THE POLICY: Intranet
      • Recommended approach
      • Have the employee come to the policy rather than sending the policy to the employee.
      • Email with link. The link can be part of a RIM Intranet page.
      • Reality check: employees can still print the policy from the Intranet, creating stale information.

  • 26. AUDITING THE POLICY
      • Developing an audit plan
      • Communicating the audit
      • Documenting audit findings

  • 27. AUDITING THE POLICY: Developing an audit plan
      • Audit areas
      • Testing
      • Communication
      • Audit findings report

  • 28. AUDITING THE POLICY: Audit areas
      • The primary objective of an audit is to identify areas of risk. Therefore, a RIM audit will typically include policy areas that, if not complied with, create the greatest potential for risks.
      • Fundamental policy components

  • 29. AUDITING THE POLICY: Policy components to audit
      • Policy acknowledgement
      • Vital records
      • Retention schedule
      • Information hold orders
      • Record storage
      • Network/hard drive maintenance
      • Destruction

  • 30. AUDITING THE POLICY: Communicating the audit
      • Before conducting an audit, it's recommended that you notify the management team of each department.
      • Proposed dates
      • What will be audited
      • How to prepare for the audit

  • 31. AUDITING THE POLICY: Documenting the audit findings
      • Provides information on the results of the audit
      • Areas of compliance and noncompliance
      • Classifying the severity and causes of the risk posed by noncompliance
      • Recommendations for resolution
      • Action plans
      • Resolution dates
      • Re-audits

  • 32. THANK YOU! Q & A TIME