Document Management Implementation

There are solid business reasons to implement a data-management system. We'll tell you how to handle the deluge.

March 12, 2004

14 Min Read
Network Computing logo

Network admins concerned about bandwidth needn't worry. Although pressure on some servers will increase as DM systems encrypt and decrypt documents and provide security, workflow, version control and auditing, once users access and load a document, it remains in memory on the local workstation until transferred back to the server. Hardware and IT staff costs should be minimal as well; the DM systems we examined in our RFI "Averting Document Disaster," work on a standard Intel architecture and are no more difficult to install and use than any other business app.

In addition, DM systems are integrated with familiar Windows applications, like Office and Explorer, a plus for end users. The bigger challenge comes in developing and disseminating a policy identifying documents as records. Once a policy is in place, the records manager or group must translate that to the DM system.

DM can be handled using a Windows client or via a browser. Fat clients are a benefit and a burden. You must install and maintain them, but the reward is integration on the desktop and support for Office applications. Checking documents in and out right from the desktop beats importing and exporting them through a Web browser. Also with a client, identifying a document as a record is easily accomplished by pull-down menus. You won't find any client support for open-source productivity suites like StarOffice in DM systems. If you use an alternative office suite, however, you can work with the DM system using a standard Web browser to check documents in and out. In that way, the systems are universal for various platforms and apps. As for security, at a minimum, ACLs (access-control lists) restrict access to individual files and folders, and audit controls apply to the same. Both are integrated with LDAP directories to identify and authenticate users.

If enterprises can't find a good business reason for DM, federal and state governments will give them one. Post-Enron, new laws and regulations, including the Sarbanes-Oxley Act of 2002, aka SOX, are forcing enterprises to take document and records management seriously. Executives of public companies affected by SOX are accountable for their financial reports and audits. Even though SOX applies only to companies that trade securities on U.S. exchanges, private companies should pay attention: The SEC is not the only one fed up with corporate accounting fraud. Investors are looking to invest in only those enterprises with responsible directors and visible assets. And they would like to see credible reports of assets, liabilities, revenue, sales and the like.So what's holding back those companies with no content systems? One hurdle is that one person's content is another's document and yet another's record. Adding to the confusion is the variety of vendor offerings--you'll find DM, ECM (enterprise content management) and RM (records-management) systems.

We consider content to be any information fixed in a tangible medium, whether paper or electronic. Under this broad definition, content can be a streaming-media file, a dynamic Web page, even e-mail. This is the focus of an ECM system, which aims to manage all formats, from e-mail to HTML to text files. If you need to get a grip on a variety of content, look to ECM systems from the likes of Documentum and Mobius.DM systems, which we focused on in our RFI, integrate with word processors to provide an infrastructure that classifies, stores, controls access to, searches and retrieves documents. What's a document? Anything drawn up to answer or respond to business needs, like a contract or a letter to a client. DM works with various storage media, including nonrewritable disks. DM even integrates with systems that manage records.

Conventionally, a record is evidence of a business transaction. Laws and regulations require enterprises to identify records, classify them and retain them for defined periods. For example, employee records are kept in perpetuity, while tax and business records are retained for at least seven years. RM systems give enterprises a facility to declare content or documents as records. Once declared, they can be classified according to a file plan or schema. However, the long-standing definition of a record is changing because of technology advances, new legislation and complex litigation. It can be data, in any format, as defined by legislation or a court of law.

In the past, questions about whether a document qualified as a record were debated in operational circles and laid to rest by a records manager. Now that's a discussion for the boardroom, thanks to new laws that apply an expanding definition to the format and scope of records. UETA (the Uniform Electronic Transactions Act) and the Electronic Signatures in Global and National Commerce Act of 2000 stretch a record's format to any information "created, generated, sent, communicated, received or stored by electronic means." HIPAA (the Health Insurance Portability and Accountability Act) and the FDA further expand the scope of a record. Under HIPAA, health-care providers must retain documents relating to disclosures of patient health information for six years. And the FDA requires pharmaceutical companies to maintain electronic records and signatures to ensure authenticity and confidentiality.

SOX, in particular, has generated attention because it provides for stiff criminal and civil penalties for noncompliance. In a nutshell, SOX requires public companies to treat all transactions and correspondence that relate to financial reporting and audits as records and retain them for seven years. Although this may not appear difficult, think of the various methods of communication your employees use, including e-mail, instant messaging, chat rooms and voicemail. Maintaining these records over their life cycles is no small task. Without a good method, it would be madness.

Many enterprises think they're immune to the changing definition of a record, but they aren't exempt from civil litigation. Under the rules of civil procedure, courts can define records relevant to litigation and compel their discovery. Enterprises must supply copies or a description of all documents opponents may use to support their position. Failure to disclose such information can lead to sanctions. Further, litigants are entitled to inspect documents, maps, photographs, correspondence and other materials relevant to a claim.Searching for computerized data to fulfill a discovery request that includes e-mail and electronic documents can be a tremendous burden. Corporate e-mail systems and data repositories weren't designed for discovery. To satisfy such requests, it may be necessary to mount and search a tape archive, which can cost thousands of dollars per tape when you add up the technical and legal expertise required. And there's a good chance you'll breach the privacy of your employees or expose a confidential communication. To minimize the risk of litigation and reduce the available documents and records, develop and implement a retention policy (see "Documents Everywhere," below) and install a DM system with an eye toward your requirements under the law (see "Open Season for Laws and Regulations,").

But be aware: You must understand the requirements of the laws and regulations that affect you and implement technology to minimize risk. Even though using content-management products can go a long way toward satisfying standards and regulations, you must purchase and implement them with an informed eye. For example, DM and RM systems can be applied to some requirements of SOX. We asked each of the participants in our RFI how they could help an enterprise comply with SOX. They met the challenge like champs. When choosing a DM suite, make sure it satisfies industry standards for records management, such as the Department of Defense's 5015.2 standard in the United States or UK-Pro in the United Kingdom (see "Bellwether for RM: DoD 5015.2,").So what does all this cost? The systems we reviewed range from $118 to $590 per user per year. Some vendors set price by number of users, some by the function of users and some by the number of servers used to service the DM software. For modular systems, adding RM or collaboration functionality to basic DM will cost you.

As for ROI, that depends on what it costs to reproduce or search for lost documents. DM vendors we spoke with said a lost document can cost $200 to $300 to reproduce. That seems high to us, but it depends on the documents--for example, memoranda to clients versus detailed insurance policies for customers. Creating and editing documents online with workflow features streamlines document creation and reduces errors--documents won't need to be printed out and routed. This will help your company respond to clients faster, more efficiently and more securely, online.

And DM systems offer enhanced security for document access and editing. By locking down files in a DM repository, IT administrators won't have to create elaborate login scripts so users can find their files. They also won't need to set up complex folder permissions for users and groups. This can all be handled by the DM system.

As with any other system, if a would-be attacker knew an employee's user name and password, he or she would have the keys to that user's kingdom--or the content that user has the rights to view, modify or delete. Still, with auditing, you can find out who accessed documents, when and from where. You can also quickly limit a person's access to the system by user ID, password and client station.As for the elusive paperless office, a DM system will--in theory--reduce the number of documents that must be printed out and stored. This could meet with some resistance. People like their paper. If, as Alvin Toffler says, "Making paper copies of anything is a primitive use of machines and violates their very spirit," then most of our PCs must be near suicidal. We don't expect to see a paperless office any- time soon.

If you don't own an RM system, buying a DM suite with integrated RM is a must. These United States harbor a litigious society. The ability to produce a record to support a corporate action can be a lifesaver.

SEAN DOHERTY is a technology editor and lawyer based at our Syracuse University Real-World Labs. A former project manager and IT engineer at Syracuse University, he helped develop centrally supported applications and storage systems. Write to him at [email protected].

Post a comment or question on this story.

If your data professionals are doing their jobs, you no doubt suffer from document bloat. All the content created and edited on computers and delivered via e-mail is saved on your corporate file systems, backed up on a regular basis and archived. You may have miles of tape containing multiple versions of memos, letters, contracts and e-mail messages. This is good for disaster recovery, but it's bad if you get sued: If you don't have a record-retention policy to restrict the amount of archived nonbusiness-related content, you risk e-mail messages or document drafts becoming smoking guns in a lawsuit.

An effective retention policy will identify documents and records that you are required by law to keep--those necessary for operational, historical and legal purposes--and will retain them for the required periods only. Your policy should distinguish between business and nonbusiness communications and ruthlessly weed out the latter. Much of this process can be automated with an RM system coupled with DM capabilities. For more on building a data-retention policy, see "The Rules of Electronic Record-Keeping,".The Sarbanes-Oxley Act cannot be underestimated as a driver for formalizing document and records management. SOX will come into play for large enterprises (more than $75 million in market cap) on Nov. 15, while smaller companies have until April 15, 2005, to comply.SOX sets corporate responsibility for public financial reports. Every public company that fills out periodic reports to the SEC must have a principal executive officer certify the report has been reviewed and does not contain any false or misleading statements. SOX also requires that each report fairly present the financial and operating conditions of the enterprise. If it falls short, the signing officer can be fined up to $1 million and/or imprisoned for up to one year.

That's not all. Enterprises must disclose material changes in their financial conditions or operations publicly on a "rapid and current basis." And they must do it in plain English. Finally, after Enron, there are criminal penalties for destroying, altering or falsifying records or documents supporting an audit, with fines and/or imprisonment of up to 20 years.

All the DM systems we evaluated in "Averting Document Disaster" provide central, secure workplaces to prepare and submit financial reports. Each has a method to create, track and confirm the accuracy of documents, and they can use workflow rules to route and track approval requests. These systems also make it easy to create and publish documents rapidly. Each system provides an audit trail that will show a history of actions taken on documents. Additionally, they provide a records-management module that can identify and retain all records pertaining to an audit.

Think these systems can be tricked? Not likely. Auditors have rights distinct from those of admins and users. Admins cannot alter audit parameters--any changes they make will appear in the audit. If the system is set up with crossover rights and responsibilities, the audit trail is a sham.

Although each product reviewed had something to offer--any one could be a lifesaver if litigation looms--Hummingbird Enterprise with its RM (records-management) component earned our Editor's Choice award.Enterprise content and documents are targets for multiple product markets. Business applications create and maintain documents, and storage products give them a home and ensure redundancy. Web applications serve them to end users, while security products lock them down to provide authentication and nonrepudiation. But vendors are starting to follow documents from beginning to end without respect for market barriers. As a result, the document- management market is rife with mergers, acquisitions and partnerships. Although no one vendor can cover the full range of activity on content, some are trying. Besides the consolidation mentioned earlier:

  • ECM (enterprise content management) systems are shoring up their ability to handle both documents and records, while DM systems are taking on records and growing portals. EMC, the 800-pound gorilla in the storage market, recently acquired Documentum, the 80-pound ape in the DM space.

  • Verity, an enterprise search company, acquired Cardiff Software. The company says it hopes to expand UltraSeek to search content within a forms-processing system and within paper documents captured in digital form by LiquidCapture. All this follows on the heels of the merger between Interwoven and iManage last year. Together, they offer a package that includes DM, Web content management, collaboration tools and digital asset management.Legal requirements cannot be satisfied simply by purchasing a "compliant product." First off, many products advertise their "compliance" with laws like HIPAA and SOX. But products do not need to be compliant with the law"enterprises do. Simply purchasing software or hardware off the shelf and installing it will not impress anyone, especially the attorney teneral.

    If you plan to use a DM system to comply with laws or regulations, you should implement it in concert with your management team. After all, regulations like SOX demand accountability at the top. Think lawyers, RM professionals, management weenies, IT professionals, security types and business process experts coming to a meeting of the minds"and IT should be included right from the start to implement a plan where the law is "open" and technology neutral. This will allow invention, innovation and the best practices of the industry to come to bear on the problems or risks identified by the law.

    Laws do not provide a specific technology road map to mitigating those risks. For example, HIPAA requires "covered entities" to implement security controls on data networks and recommends strong authentication strategies to access network resources. It does not suggest specific technologies, such as RADIUS or LDAP, and it is a far cry from sanctioning particular products like Funk's Steel-Belted RADIUS or OpenLDAP. Also, HIPAA dictates privacy controls for patient health information"that includes any information collected by an entity that identifies an individual and relates to his or her mental or physical condition, past, present or future. This information needs to be kept secure and private no matter its format, paper or electronic.

    Your best bet: Approach laws and regulations by their identified risks as they apply to your particular industry and situation, and develop ways to mitigate them. As long as you maintain a "best practices" approach to risk mitigation within your particular industry, you should be within the confines of the law. That's because, as courts interpret laws and regulations, they will look to whether an enterprise knowingly flouted the law or negligently failed to identify and mitigate risk. To determine negligence, courts will look to accepted government or industry standards, such as DoD 5015.2 and UK-PRO, as well as what others in a given industry are doing. For example, if everyone on the block uses strong authentication or applies audit trails for access to content and you don't, you might be a candidate for a test case.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights