This article is written by Reynold Leming of Mint Business Solutions to provide guidance on defining an Enterprise Information Management strategy and subsequent policies.
Information is a valuable business asset. Information is, at last, being recognised as the fourth resource of business, next to property, manpower and product. Information is one of the most important assets an organisation has at its disposal. Therefore, information, like any other asset, needs to be classified, structured, validated, valued, secured, monitored, measured and managed efficiently and effectively.
The British Standards Institution has published BSI-DISC PD 0010, "Principles of Good Practice for Information Management". This provides a practical framework to guide you through the development and operation of new methods and technologies for information management, based upon a set of 5 Principles. They are intended to act as guidelines for establishing procedures and controls.
The principles state that an organisation should:
1. Recognise and understand all types of information;
2. Understand the legal issues and execute 'duty of care' responsibilities;
3. Identify and specify business processes and procedures;
4. Identify enabling technologies to support business processes and procedures;
5. Monitor and audit business processes and procedures.
The principles also provide an umbrella framework within which other best practice, including BS 7799 - Code of Practice for Information Security Management, is invoked. BS 7799 is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and minimize the range of threats to which information is regularly subjected.
Annex A of BS 7799 identifies 10 controls:
- Information security policy
- Organization of assets and resources, with relation to managing information security
- Asset classification and control, so that they may be identified and protected
- Personnel security risk management
- Physical and environmental security
- Communications and operations management, ensuring efficiency and security
- Access control to the information
- Systems development and maintenance considerations for built-in security
- Business continuity management
- Compliance with any criminal and civil law, statutory, regulatory or contractual obligations, and any other security requirement
Within this context, account should also be taken of the legal admissibility of electronic records. General opinion is that document image processed documents are likely to be admissible in court, with the same weight of evidence as photocopies and microfilm documents, which are considered secondary evidence. There is a potential reduction in the weight of evidence if the authenticity of the copy is questioned (e.g. if a signature is being disputed).
The British Standards Institution has published a Code of Practice (BIP 0008, previously PD0008) concerned with the 'Legal Admissibility and Evidential Weight of Information Stored Electronically'. Compliance with the Code does not guarantee legal admissibility - it defines best practice by which a company may demonstrate at any time, in a manner acceptable to a court of law, that the contents of a specific data file created or existing within a computer system have not changed since the time of storage (i.e. when the file is 'frozen'), and that where a data file contains a digitised image of the physical source document, the image is a true facsimile of that source document. The issue being addressed is essentially one of authentication.
PD 0008 is itself part of 'Electronic Documents and e-Commerce Transactions as Legally Admissible Evidence': the BSI code of practice, PD 5000:1999, which enables organisations to demonstrate the authenticity of their electronic documents and e-commerce transactions, so they can be used as legally admissible evidence. This set of 5 International Codes of Practice covers the whole scope of the e-business revolution. They provide essential guidance on how e-commerce systems should be managed to provide the required security and integrity of business information.
The parts are:
1. Information Stored Electronically (BIP 0008, previously PD0008)
2. Electronic Communication and e-mail Policy
3. Identity, Signature and Copyright
4. Using Certification Authorities
5. Using Trusted Third Party Archives
An organisation will process and generate information within and from a variety of applications, including financials, human resources, CRM and supply chain systems. To this is added the correspondence created by office applications and received by post, email or fax; and the information published in a variety of formats, especially via the internet. All of this is the enterprise "content" which needs to be managed as an asset.
The term Enterprise Content Management (ECM) is now common currency in the IT glossary. Whilst content management is often referred to in the context of tools facilitating the publication of information to a web site (intranet or internet), more broadly speaking it covers Document Management, Records Management and what I shall refer to as Publication Management. By the term publication management, I mean the ability to purpose and publish your marketing, training, product etc. documentation via a range of delivery methods: paper, internet, web-enabled mobile phones, personal digital assistants (PDAs), iTV, CD ROM etc.
In effect, ECM is one or more technologies providing facilities for the creation, management, delivery and archival of content, irrespective of format.