Putting policy into practice

Best practices for developing and implementing a practical, effective and enforceable records and information management policy. Please contact Blake E. Richardson, CIP, CRM if you would like additional information - rm4dummies@gmail.com!

Published in: Business, Technology
Transcript of "Putting policy into practice"

  1. PUTTING POLICY INTO PRACTICE
      • How to develop and implement an effective RIM policy
  2. AGENDA
      • Understanding what a policy is (and isn’t)
      • Basic policy characteristics
      • Fundamental policy components
      • Obtaining policy approval
      • Distributing the policy
      • Auditing for compliance
  3. WHAT A POLICY IS (AND ISN’T)
      • Instructs employees what to do (Policy)
      • Not how to do it (Procedure)
      • When drafting a policy it is recommended to make notes of subject matter that will require an associated procedure
  4. BASIC POLICY CHARACTERISTICS
      • Simple
      • Concise
      • Relevant/specific
      • Enforceable
  5. BASIC POLICY CHARACTERISTICS: Simple
      • Employees need to be able to understand what you are trying to communicate. Avoid using overly formal wording, acronyms and long sentences.
      • The policy should be constructed and worded so that it can be understood by all employee levels.
      • Remember – you know the subject matter – don’t assume the policy reader does.
  6. BASIC POLICY CHARACTERISTICS: Concise
      • A policy does not have to be long to be effective.
      • The shorter – the better; a concise policy will increase readership.
      • Long email syndrome
  7. BASIC POLICY CHARACTERISTICS: Relevant/specific
      • The policy should address relevant issues and provide specific direction that will guide the employee’s decision-making.
      • Policies that aren’t specific inevitably lead to inconsistent employee behavior.
      • Inconsistency leads to reduced policy compliance and an increase in organizational risks.
  8. BASIC POLICY CHARACTERISTICS: Enforceable
      • It’s assumed (by outside entities, e.g. courts, commissions, regulatory bodies) that what’s contained in a policy can and will be followed.
      • The policy shouldn’t include any elements or directions that employees are incapable of following – this may include lack of technology, resources or training.
  9. FUNDAMENTAL POLICY COMPONENTS
      • Purpose
      • Scope
      • Glossary
      • Audits
      • Vital records
      • Retention schedule
      • Information hold orders
      • Record storage
      • Network and hard drives
      • Email
      • Information destruction
  10. FUNDAMENTAL POLICY COMPONENTS: Purpose
      • The purpose states the reason for (or objective of) the policy.
      • Example: The purpose of this policy is to ensure the complete lifecycle management of organizational information.
  11. FUNDAMENTAL POLICY COMPONENTS: Scope
      • The scope communicates what and who the policy applies to.
      • Example: This policy applies to all company employees and governs the management of physical and electronic information.
  12. FUNDAMENTAL POLICY COMPONENTS: Glossary
      • A policy often includes terminology that’s unfamiliar to employees. It’s recommended that the policy contain an appendix of terms with definitions.
      • If the policy is electronically posted (Intranet), hyperlinks can be established to provide a definition for each term.
  13. FUNDAMENTAL POLICY COMPONENTS: Audits
      • The policy should inform employees that all topics and matters contained within the policy should be complied with and are subject to internal and external audits.
  14. FUNDAMENTAL POLICY COMPONENTS: Vital records
      • The policy should contain a section on the identification and protection of the organization’s vital records.
      • Example: It’s the responsibility of each department head to identify their operation’s vital records.
      • It’s important to clearly define the term vital records – the term is often misinterpreted by business owners.
  15. FUNDAMENTAL POLICY COMPONENTS: Retention schedule
      • Specifically address the purpose of the retention schedule and the requirement that it be followed.
      • Additional information can be added to this section of the policy, which addresses requests for modifications to the schedule.
  16. FUNDAMENTAL POLICY COMPONENTS: Information hold orders
      • All employees should fully understand their responsibility regarding information hold orders.
      • The policy should clearly state that any information on hold regardless of the reason or matter should be retained, even if the retention period of the information has expired.
  17. FUNDAMENTAL POLICY COMPONENTS: Record storage
      • The policy should address that organizational records should only be stored with approved vendors.
      • In this section of the policy you can also address environmental and security requirements for long-term onsite records storage.
  18. FUNDAMENTAL POLICY COMPONENTS: Network and hard drives
      • The policy should provide guidance on the use and maintenance of network and hard drives.
      • Example: Hard drives (C: drives) are not to be used for the storage of company records or information of business value. This type of information must be stored in a repository accessible by employees with appropriate authorization.
  19. FUNDAMENTAL POLICY COMPONENTS: Email
      • Policy should take into consideration what technology it has implemented related to email management.
      • Some organizations have a separate email “usage” policy, that typically does not address information management.
  20. FUNDAMENTAL POLICY COMPONENTS: Information destruction
      • The policy should address proper methods for the destruction/deletion of physical and electronic information.
      • This section of the policy would also include that only approved destruction vendors are to be used.
      • Certificates of destruction are to be received and appropriately retained.
  21. OBTAINING POLICY APPROVAL: Group effort
      • Before distributing the policy throughout the organization, it may require review and approval by other departments: Internal Audit Legal IT Compliance
      • Example: If the policy states that compliance is subject to audit – then you want to ensure that the Internal Audit Department can support the statement.
  22. DISTRIBUTING THE POLICY
      • Hardcopy
      • Softcopy/email with attachment
      • Intranet
  23. DISTRIBUTING THE POLICY: Hardcopy
      • Least recommended option
      • Periodic updates
      • In smaller organizations this approach may be appropriate.
  24. DISTRIBUTING THE POLICY: Softcopy/email with attachment
      • Not recommended – for similar reasons (periodic updates).
      • Allows for easier distribution v. hardcopy.
      • Distributing the policy via email (attachment) allows you to provide additional commentary regarding the policy to the recipient such as, the policy needs to be reviewed by a certain date and that the recipient must respond that they have reviewed the policy.
  25. DISTRIBUTING THE POLICY: Intranet
      • Recommended approach
      • Have the employee come to the policy – rather than sending the policy to the employee.
      • Email with link.
      • The link can be part of a RIM Intranet page.
      • Reality check – employees can still print the policy from the Intranet creating stale information.
  26. AUDITING THE POLICY
      • Developing an audit plan
      • Communicating the audit
      • Documenting audit findings
  27. AUDITING THE POLICY: Developing an audit plan
      • Audit areas
      • Testing
      • Communication
      • Audit findings report
  28. AUDITING THE POLICY: Audit areas
      • The primary objective of an audit is to identify areas of risk. Therefore, a RIM audit will typically include policy areas, that if not complied with, create the greatest potential for risks.
      • Fundamental policy components
  29. AUDITING THE POLICY: Policy components to audit
      • Policy acknowledgement
      • Vital records
      • Retention schedule
      • Information hold orders
      • Record storage
      • Network/hard drive maintenance
      • Destruction
  30. AUDITING THE POLICY: Communicating the audit
      • Before conducting an audit, it’s recommended that you notify the management team of each department.
      • Proposed dates
      • What will be audited
      • How to prepare for the audit
  31. AUDITING THE POLICY: Documenting the audit findings
      • Provides information on the results of the audit
      • Areas of compliance and noncompliance
      • Classifying the severity and causes of the risk posed by noncompliance
      • Recommendations for resolution
      • Action plans
      • Resolution dates
      • Re-audits
  32. THANK YOU! Q & A TIME