Archive for the ‘Legal’ Category

Applying information security and protection capabilities in Office 365 & SharePoint Online

March 12, 2017

Office 365 includes a range of information security and protection capabilities. These capabilities are first set in Azure and then applied across the Office 365 environment, including in Exchange and SharePoint Online. This post focuses on the application of these capabilities and settings to SharePoint Online.

[Image: AzureInfoProtClassLabels]

Enterprise E3 and E4 plans include the ability to protect information in Office 365 (Microsoft Exchange Online, Microsoft SharePoint Online, and Microsoft OneDrive for Business). If you don’t have one of those plans you will need a subscription to Microsoft Azure Rights Management.

Enabling Information Protection in Azure

The following steps must be carried out the first time Information Protection is enabled on Azure:

  • Log on to Azure (as a Global Administrator).
  • On the hub menu, click New. From the MARKETPLACE list, select Security + Identity.
  • In the Security + Identity section, in the FEATURED APPS list, select Azure Information Protection.
  • In the Azure Information Protection section, click Create.

This creates the Azure Information Protection section so that the next time you sign in to the portal, you can select the service from the hub ‘More Services’ list.

Default Azure Information Protection policies

There are four default levels in Azure Information Protection:

  • Public
  • Internal
  • Confidential
  • Secret

Once set, these levels can be applied as labels to information content. Sub-labels and new labels may also be created as necessary via the ‘+ Add a new label’ option.

The configuration settings are shown below:

[Image: AzureInfoProtClassPortal.png]

Each of these label/level settings may:

  • Be enabled or disabled
  • Be colour-coded
  • Include visual markings (the ‘Marking’ column)
  • Include conditions
  • Include additional protection settings.

Each includes a suggested colour and recommended tip, which are accessed via the three-dot menu to the right of each label.

Markings

When enabled, this option places the label’s watermark text on any document to which the label is applied.

Conditions

Conditions may be applied, for example, when credit card numbers are detected in the text. This option allows the organisation to define how conditions apply, how often they must match (Occurrences), and whether the label is applied automatically or is only recommended to the user.

[Image: AzureInfoProtClass2]

Global Policy Settings

In addition to the settings per level, there are three global policy settings:

  • All documents and emails must have a label (applied automatically or by users): Off/On
    • When set to On, all saved documents and sent emails must have a label applied. The labeling might be manually assigned by a user, automatically as a result of a condition, or be assigned by default (by setting the Select the default label option).
  • Select the default label:
    • This option allows the organisation to specify the default label to be assigned to documents and emails that do not have a label.
    • Note: A label with sub-labels cannot be set as the default.
  • Users must provide justification to set a lower classification label, remove a label, or remove protection: Off/On [Not applicable to sub-labels]
    • This option allows you to require a justification from users who set a lower classification level, remove a label, or remove protection. The action and the justification reason are logged in the user’s local Windows event log: Application > Microsoft Azure Information Protection.

Custom Site

A custom site may be set up for the Azure Information Protection client ‘Tell me more’ web page.

Unique ‘Scoped’ Policies

In addition to the default policies listed above, a unique policy may be created. These are called Scoped Policies.

Enabling (and Disabling) Azure Information Protection

The steps above are used to set up the labels. They must then be enabled to provide protection. The steps below also allow protection to be removed.

From the Azure Information Protection section, click on the label to be set, then click on Protect. This action opens the Permission settings section.

Select Azure RMS and ‘Select template’, and then click the drop down box and select the default label template. This will probably show as, e.g., ‘(Your Company Name) – Confidential’.

Click ‘Done’ to enable this label and repeat for the others.

Note: If a new template is created after the Label section is opened, you will need to close this section and return to step 2 (to select the label to change), so that the newly created template is retrieved from Azure.

Removing Protection

To apply a label that has the Remove Protection option, users must have the appropriate permissions to remove Rights Management protection. This requires them to have the Export (for Office documents) or Full Control usage right, to be the Rights Management owner (which automatically grants the Full Control usage right), or to be a super user for Azure Rights Management. The default rights management templates do not include the usage rights that let users remove protection.

If users do not have permissions to remove Rights Management protection and select this label with the Remove Protection option, they see the following message: Azure Information Protection cannot apply this label. If this problem persists, contact your administrator.

Additional notes

If a departmental template is selected, or if onboarding controls have been configured:

  • Users who are outside the configured scope of the template or who are excluded from applying Azure Rights Management protection will still see the label but cannot apply it. If they select the label, they see the following message: Azure Information Protection cannot apply this label. If this problem persists, contact your administrator.
  • All templates are always shown, even if only a scoped policy is configured. For example, with a scoped policy for the Marketing group, the Azure RMS templates that can be selected are not restricted to templates scoped to the Marketing group, so it is possible to select a departmental template that the selected users cannot use. It is a good idea (to help troubleshoot issues later on) to name departmental templates to match the labels in the scoped policy.

Once these settings are made, they need to be published (via the ‘Publish’ option) to become active.

Enabling Information Protection in Office 365

Activating Information Protection in the Office 365 Admin Portal

Once they have been configured and published, it is then necessary to enable the required settings in the Office 365 Admin Portal (Settings > Services & add-ins > Microsoft Azure Information Protection).

To do this, log on to the Office 365 Admin Portal (as a Global Administrator) then click on ‘Services & add-ins’ under Settings. Click ‘Activate’ to activate the service.

Activating Information Protection for Exchange and SharePoint Online

Once the service is activated for Office 365, it can then be activated in the Exchange and SharePoint Admin Centres. In SharePoint Online this is done via the Admin Center section ‘Settings’ and ‘Information Rights Management (IRM)’.

Configuring SharePoint and SharePoint Libraries for IRM

As at 12 March 2017, it is only possible to link Azure Information Protection classification policies with SharePoint Online if a new site is created via the SharePoint end user portal, as it appears as an option when enabled. Sites created via the SharePoint Admin Portal do not (yet) include the option to apply a protection classification.

If the creation of sites via the SharePoint end user portal is enabled, users with appropriate permissions (e.g., Owners with Full Control) can apply Information Rights Management to SharePoint libraries in their sites.

IRM is enabled on each individual library or list where the settings will be applied via Library Settings > Information Rights Management, under Permissions and Management.

[Image: SP_IRM_LibrarySettings.png]

Check the box to ‘Restrict permissions on this library on download’. Only one policy can be set per library.

Assigning Information Protection labels to Office documents

[NOTE: for clients running installed (desktop) versions of Office, the Azure Information Protection client needs to be installed on the desktop. See this page for more information: https://docs.microsoft.com/en-us/information-protection/get-started/infoprotect-tutorial-step3]

When labels are configured and enabled, they can then be automatically assigned to a document or email, or users can be prompted to select the label that you recommend:

  • Automatic classification applies to Word, Excel, and PowerPoint when files are saved, and to Outlook when emails are sent. It is not possible to use automatic classification for files that were previously manually labeled.
  • Recommended classification applies to Word, Excel, and PowerPoint when files are saved.

Applying the policies to Exchange and Office

The page below describes how to apply these policies to Exchange and Office applications. These are not discussed further here.

https://github.com/Microsoft/Azure-RMSDocs/blob/master/Azure-RMSDocs/deploy-use/configure-applications.md

How Office 365 challenges traditional records management practices

September 27, 2016

If your organisation is using SharePoint on-premises now, or is just starting out with Office 365, it is important to understand how the Office 365 ecosystem will challenge traditional records management practices while at the same time delivering a transformational all-digital experience for end users.

SharePoint On-Premises

When configured well, SharePoint on-premises (e.g. versions up to SharePoint 2016) allowed organisations to manage unstructured (i.e., document-based) content through a hierarchy of site collections – sites/sub-sites – document libraries – (folders/document sets) – documents.

In on-premise SharePoint environments, document libraries could be used to store and manage records, thereby becoming the logical containers or aggregations of records, similar to ‘files’ in traditional EDRM systems.

The Office 365 ecosystem

Office 365 changes and challenges the on-premises model of SharePoint by adding new ways of working to standard SharePoint team and publishing sites. These new ways of working include:

  • Office 365 Groups, each of which has a dedicated SharePoint site
  • OneDrive for Business, a personal version of SharePoint
  • Yammer
  • Skype for Business
  • Delve
  • Planner
  • Sway

Why is this important?

SharePoint has been clearly positioned as Microsoft’s online document management engine. SharePoint, not network file shares, is the document management future. And so, by extension, it becomes the future location for the management of digital records for any organisation that subscribes to Office 365.

From both the business and end-user points of view, SharePoint provides easy-to-use and more efficient content management and collaboration capabilities allowing users to access and use a range of content anywhere, anytime, on any device. Coupled with collaboration options such as Office 365 Groups, Yammer, and Skype for Business, information is now available across a number of different applications within the same single ecosystem.

From a records management point of view, this new way of working challenges the idea that information can be stored in the context of a single function, activity or transaction that created it. Instead, it supports the concept that digital information cannot truly be assigned to a single function or context; its context may also depend on the context of the person seeking to access it.

That is, how one person stores information is not necessarily how others may expect to find or use it. Think of the parallels with eBay, Facebook, LinkedIn and similar products – algorithms present information to you, often in a ‘feed’, based on what the application knows about you, not how other people store that information.

‘Modern’ Team Sites

The most striking change with ‘modern’ team sites in SharePoint Online (compared with SharePoint 2013 and earlier) is the disappearance of the ribbon menu and the simplification of the user-experience to be more or less identical with OneDrive for Business.

When any library is selected (and before a document is selected), the user is presented with the common options: New (Folder, Word, Excel, PowerPoint, OneNote, Link), Upload, Quick Edit, and Sync.

[Image: o365sp1]

When a document is selected, the user is presented with a context-specific menu offering again commonly used options: Open, Share, Get a link, Download, Delete, Pin to top, Move to, Copy to, Rename, Version History, Alert me, and Check out.

[Image: O365SP2.JPG]

[Image: O365SP3.JPG]

The familiar Library Settings, previously located on the ribbon menu, are now found via the Office 365 settings ‘cog’.

[Image: O365SP4.JPG]

Microsoft have also changed the look of SharePoint Online sites and provided a new ‘SharePoint’ landing page to help users access all the sites they are following, and also present suggestions for sites to follow. In other words, the system understands the user’s context and presents content suggestions, the same way Facebook users are invited to befriend people.

From a records management point of view, little has changed with document libraries in team sites. SharePoint Online continues to offer all the same features as before:

  • Almost unlimited metadata options allowing multiple metadata-based views to be set up
  • Unique, persistent document IDs
  • Folders and document sets (although the latter are even harder to set up than they were)
  • Versioning (and more efficient storage of versions)
  • Popularity trends and per-document views
  • Detailed audit trails
  • Access/permission controls
  • Legal compliance/retention and disposal
  • Powerful search
  • Full integration with Office, now allowing users to save directly to SharePoint and OneDrive by default.
  • Hyperlinkable documents
  • Easy sharing

While it is still possible in SharePoint Online to manage records out of the box, the other elements that make up the Office 365 ecosystem provide a much broader and more complex environment for the storage and management of records. SharePoint Online is just one component of this environment.

Office 365 Groups

Office 365 Groups provide a way for a group of people within the organisation – as well as external users – to discuss and share information.

  • They are similar to Active Directory (AD) Distribution Groups in the sense that they are a pre-defined organisational group designed to receive information.
  • They are different in that, instead of being just the recipient of information, users (and people who join the group at a later date) can see all discussions that have been sent to all members and access any Group documents.

Office 365 Groups are made up of two main content elements: ‘Conversations’ email-based threads and ‘Files’.

[Image: O365SP5.JPG]

  • Conversation threads are based on simple email exchanges presented in Outlook – currently it is not possible to create folders in the group.
  • The Files option in Office 365 Groups is a SharePoint site that allows the group to store, share and collaborate on any unstructured content.

Groups also include a calendar and a group Notebook (which opens OneNote Online in the Group SharePoint site).

Office 365 Groups content is stored either within the context of the Group’s email-based conversations or in unstructured content stored in an associated SharePoint site.

Office 365 Groups SharePoint sites are visible in the user’s list of SharePoint sites, making it easy to get back to the Group’s site or its conversations.

OneDrive for Business

OneDrive for Business is built on the SharePoint engine. The consumer version of OneDrive has been around for a few years and is a direct competitor to the likes of Google Drive, iDrive, DropBox, Box and so on.

OneDrive for Business, the online replacement for ‘personal’ network drives, allows users to store, synchronise and share ‘personal’ work information through an interface that in Office 365 is now almost identical with modern team sites (less the Library Settings).

As with personal network drives, content stored by users on OneDrive for Business is inaccessible to others unless shared. By default, organisations have only 30 days to do something about a user’s OneDrive for Business content when that user ceases to be an employee, before the content is deleted.

Options to manage the otherwise hidden content of a departed user’s OneDrive for Business account include allowing the user’s manager to review and if necessary move or delete it, allowing an authorised person in IT to review it, and/or backing it up to other storage so it is not deleted.

Yammer

While the long-term future of Yammer is unclear in the face of Office 365 Groups, Yammer may still exist and capture information and records for a time to come.

Skype for Business

In addition to Yammer and the conversation options provided through Office 365 Groups, Skype for Business provides yet another option to discuss and share information including via voice and/or video calls.

Delve

All the options described above provide a function-rich environment to store and manage unstructured content and collaborate with other people both within and external to the organisation. But how to make sense of all this information?

Depending on licensing, Delve provides a way to find content that may be relevant to the user.

[Image: O365SP6.JPG]

Delve suggests a range of content that may be of interest (based on the user’s profile, connections and content created or accessed), and provides an analysis of the user’s activity as recorded in Outlook, the calendar and other actions.

Challenges with managing records in Office 365

While Office 365 provides a transformative digital experience for end users, managing the records created and stored in various parts of Office 365 presents new challenges for records managers.

For example, there is far less ability to control the way content is stored or described in specific, pre-defined and/or metadata-driven aggregations and contexts. Users are likely to use whatever application is the most appropriate or convenient. For example, they may use OneDrive for Business to create and store large volumes of content, hidden away from corporate view. They may even share content from this application, including with external users.

The default settings in SharePoint, if not disabled, provide end-users with considerable latitude to create new SharePoint sites and Office 365 Groups, in addition to their personal OneDrive for Business sites, to store, manage and share rich digital content including with external users. In reality, these settings probably need to be disabled to prevent uncontrolled growth in the environment.

Even if records managers (as Site Collection Administrators) have oversight and control of the creation of SharePoint Online team sites, some questions arise:

  • How will they extend this control to SharePoint sites created to support Office 365 Groups, or the conversations that take place within those groups?
  • What about content stored in and shared from OneDrive for Business?
  • How will it be possible in the future to bring together all information about a given function/activity for disposal or disposition actions, especially if it’s not all stored in the one aggregation?

Good SharePoint (and Office 365) governance requires a good balance of control. Too much control and users will be put off using and benefiting from the ecosystem. Too little and the ecosystem may become uncontrollable but possibly very ‘lively’ in terms of content profusion.

Ideally, users should feel that they have the ability to manage their information within a lightly controlled environment – for example, SharePoint site owners cannot create new Sites (to prevent the massive proliferation of sites) but they can create document libraries (thereby reducing IT administrative controls).

Can analytics help with managing records?

Analytics via the Office Graph may provide a way to bring together information and records in context, a context (or contexts) which may be unforeseen by the person who created the content in the first instance. For example, a user may store information in a document library, unaware of its relevance or similarity to others in the organisation. Analytics may be able to connect the two, or the different people doing similar things.

At this stage, Analytics does not seem to provide the ability to bring together all information about a given subject. The model, instead, appears to be about presenting or making information accessible in any context at any time to users depending on their context at the time.

eDiscovery?

eDiscovery, a feature available from SharePoint 2013, has the potential ability to bring together all information about a given subject from across the Office 365 ecosystem. However, the primary purpose of eDiscovery is to support legal processes, not records management.

New ways of thinking are necessary

Records managers need to think differently about how they will approach the management of all types of digital records and other content (conversations, discussions, photographs, videos, Sway presentations) created and stored by users across the complex ecosystem that is Office 365.

It will no longer be possible to assume that all records relating to a given function/activity pair, subject, or context can or will be stored in the same aggregation of records. Instead, records managers need to find other ways to manage digital content, including to manage disposition activities.

Artificial Intelligence (AI) may provide the clue to this. Microsoft CEO Satya Nadella made this very clear in a keynote presentation to the Microsoft Ignite conference on 26 September where he noted that AI would be able to: “… to reason over large amounts of data and convert that into intelligence”. He also noted Microsoft’s ambition is to create an intelligent assistant that “… can take text input, can take speech input, that knows you deeply. It knows your context, your family, your work. It knows about the world.”

Nadella also noted that: “The most profound shift is in the fact that the data underneath the applications of Office 365 is exposed in a graph structure. And in a trusted, privacy-preserving way, we can reason over this data and create intelligence. That’s really the profound shift in Office 365.” (Source: https://techcrunch.com/2016/09/26/microsoft-ceo-satya-nadella-on-how-ai-will-transform-his-company/)

(Note, the last two paragraphs were added on 29 September to include comments made by Satya Nadella about Microsoft’s AI ambitions).


SharePoint 2013 Site Disposal Policies

May 18, 2013

SharePoint 2013 includes the option to set a disposal date on site collections. This article describes how to configure a SharePoint 2013 site collection to include a site disposal policy.

Default settings

A site cannot be deleted (either manually or automatically) unless a Site Policy has been set up (exception – the SharePoint Administrator has permissions to do this).

Without a Site Policy, the default settings under the Site Closure and Deletion option (see below) are as follows:

  • Site Closure – ‘Close this site now’ click box default: greyed out.
  • Site Deletion – ‘This site will be deleted on:’ Default: ‘Never’.
  • Site Policy – Default:  ‘No Site Policy’.

Setting up a Site Policy

New site policies are created under Site Settings > Site Collection Administration > Site Policies. Once created, the policy is applied under Site Settings > Site Administration > Site Closure and Deletion. While you can create multiple policies, only one policy can be selected at a time under the Site Closure and Deletion option.

There are no default policies; the first time Site Policies is opened, the Site Policies section provides only one option – ‘Create’. Each policy must have a Name and may have a Description. The name and description can be the class description from a records retention schedule, using ‘after date created’ or ‘after date closed’ as the triggers (see below).

Site Closure and Deletion options

There are three options under Site Closure and Deletion:

  • Do not close or delete site automatically. The default option.
  • Delete sites automatically. This option deletes a site on a pre-defined date after it was created or closed.
  • Close and delete sites automatically. This option first closes the site and then deletes it on pre-defined dates.

In addition there is a check box ‘Site Collection Closure’ that allows the site collection to be made read only when it is closed.

Delete sites automatically

When this option is selected the following appears:

  • Set Deletion Event. The two options provided are ‘Site closed date’ and ‘Site created date’, plus n days, months, or years.
  • (Check box) ‘Send an email notification to site owners this far in advance of deletion:’ (i.e., to warn them of the pending deletion) – n days, months or years. Default setting is 3 months.
  • (Check box) ‘Send follow-up notifications every:’ (i.e., to remind site owners of the pending deletion) – n days, months, or years. Default setting is 14 days.
  • (Check box) ‘Owners can postpone imminent deletion for:’ (i.e., to postpone the proposed deletion) – n days, months or years. Default setting is 1 month.

Close and delete sites automatically

This option is identical to Delete Sites Automatically except that it also includes a date when the site can be closed – after which a deletion event date is set followed by the same three options above.

Site Closure and Deletion

As noted above, a Site Policy must exist before a site can be closed and deleted using these options. The Site Policy must be selected otherwise the default options (see above) apply.

  • If the Site Policy is based on the Delete Sites Automatically option, the option to ‘Close this site now’ becomes available. If the option ‘Site Closed Date’ was selected, the site will not be deleted (at the pre-defined time) until this option is selected. If the option ‘Site Created Date’ was selected there is no requirement to ‘manually’ close the site.
  • If the policy is based on the Close and Delete Sites Automatically option, the option to ‘Close this site now’ becomes available. This allows the site to be closed earlier, otherwise the deletion date will be automatically calculated from the site policy setting and displayed next to the Site Closure and the Site Deletion options.
  • If no policy is selected, the default settings will apply; this means that the site cannot be closed.

Further reading

Overview of site policies in SharePoint 2013 (Microsoft).

Applying recordkeeping policies to email – Microsoft Messaging Records Management (MRM)

June 1, 2012

The problem

The problem of managing emails as records is summed up in the following statements:

“Many organizations have yet to define an email retention policy. More than one‐quarter of organizations have not yet established any sort of email retention policy despite the fact that there are a growing body of statutory requirements and legal obligations to preserve business records, including those stored in email. Among the nearly three‐quarters of organizations that have established an email retention policy, only two‐thirds of these organizations indicate that their users are fully aware of the policy.” Michael Osterman, “Messaging Archiving and Document Management Markets Trends, 2009-20112”, dated May 2009.

‘Over 40 years after the invention of email, relatively few institutions have developed policies, implementation strategies, procedures, tools and services that support the long-term preservation of records generated via this transformative communication mechanism.’ Christopher J Prom, ‘Preserving Email’, DPC Technology Watch Report 11-01, December 2011. www.dpconline.org/component/docman/doc_download/739-dpctw11-01.pdf

Storing business records in context

Traditional records management theory recommends that there should be a clear relationship between records about a particular subject or issue, regardless of format, and the business context that originated it. (AS ISO 15489-2002: 9.3 Records Capture)

In the paper world, this was achieved by the co-location of related records in a physical file.

In the electronic world, this is usually achieved through the application of metadata. Business classification and naming systems applied to electronic folders generally achieve this; as well, electronic systems also allow for a range of cross-subject metadata that allows records to be organised in different contexts.

Additional business-context-specific metadata can be applied to emails (including from integrated business applications – for example, an email saved to TRIM will show the TRIM record number in its email metadata properties). However, this ability (as with Properties in Office documents) is rarely enabled or used.

Instead, and as with Office documents, we tend to let users ‘categorise’ their emails (and documents on network shares) through folders – although not all users do this. (Interestingly, online email systems like Google’s Gmail use tags instead of folders.)

Are emails documents?

The short answer is yes (in the Australian legal evidence context), but they are documents that, in a way similar to XML-based Office documents such as .docx, are made up of structured data that displays as a single ‘document’.

Part of the problem with emails as records is the perception (on the part of users who have never had to face court) that they are not documents, but messages. The ability to use the system to send or receive ‘private’ messages exacerbates this perception.

The problem of storing emails as records

Emails have been a constant problem and challenge for records managers and recordkeeping since they first appeared in the early 1990s.

The three main approaches to keeping emails have been to (a) print to paper, (b) save to a recordkeeping system, and (c) save to a drive.

Print to paper, while relatively common in many organisations even now, is probably the poorest (and some might say ‘silliest’) option in the digital world as (a) it is dependent on users, (b) printed emails usually lose their message headers, (c) the printed copy cannot be searched electronically, and (d) the emails remain on the Exchange system and are discoverable there anyway.

Saving emails to a recordkeeping system, while better than printing, is an inadequate option because (a) it is usually dependent on users to do it, (b) the email still remains in the Exchange system, and (c) it can sometimes result in the email being saved in a different format that is not necessarily suitable for long-term preservation (e.g., TRIM’s .vmbx). There is also the problem of users saving ‘dumb’ emails with (valuable) attachments, which can make the attachment harder to find, identify or access. Some systems (such as SharePoint 2010) include email-enabled storage locations.

Chris Prom, in a posting on his Practical E-Records blog titled ‘Facilitating the Generation of Archives in the Facebook Age’, notes that:

‘…the formal recordkeeping systems previously used by many organizations for electronic records have died or have one foot firmly in the grave. At the same time, the habits that individuals use in producing, consuming, storing, filing, searching, and interpreting records are themselves undergoing constant change. People adopt new communication technologies at an ever-quickening pace. Divergent personal practices, rather than the centralized electronic systems, are the harsh reality that confronts our profession’.

Saving to a drive is also a poor option, and is usually based on user preferences to want to ‘keep’ emails.  Emails saved to drives (a) will still remain in the Exchange system, (b) may lose their header information, and (c) are not necessarily saved in appropriate or accessible formats.

In relation to the last point, Outlook does not make it easy for an end user to decide, with usually five options to choose from – which is the right one?  Users will usually choose whatever is the default (.msg), but this isn’t necessarily the best long term option (which is MIME or EML – the latter described by the National Archives of Australia (NAA) as ‘an acceptable open file format for long term storage’).

In all cases, keeping these emails in the business context to which they relate has been a constant problem for records managers.  As a consequence, there is a tendency on the part of almost all businesses to leave and manage emails where they are (i.e., in Exchange).

Microsoft Exchange 2010 – Messaging Records Management

To try to address this problem, Microsoft introduced ‘Mailbox Manager Policies’ in Exchange Server 2003.

This was followed by ‘Message Records Management’ with Managed Folders in Exchange Server 2007 (a feature that remains in Exchange 2010).

Exchange Server 2010 includes a new model of managing emails as records, called ‘Messaging Records Management’.  Microsoft describe it as follows:

‘Messaging records management (MRM) is the records management technology in Microsoft Exchange Server 2010 that helps organizations reduce the legal risks associated with e-mail. MRM makes it easier to keep the messages needed to comply with company policy, government regulations, or legal needs, and to remove content that has no legal or business value. This is accomplished through the use of retention policies or managed folders’. (Source: http://technet.microsoft.com/en-us/library/dd335093)

As Microsoft notes, however (on the same page), MRM does not prevent users from deleting messages; it is really only designed to remove them at the end of a given period.  Microsoft recommend ‘journaling’ emails where there are specific business reasons to keep them for longer (such as legal proceedings or the need to ensure specific email is kept), or applying the Legal Hold functionality.

The key elements of MRM are Retention Policy Tags (RPTs) and Retention Policies.

There are three types of Retention Tags: (1) Default Policy Tags (DPT), (2) Retention Policy Tags, and (3) Personal Tags (which are an ‘opt-in’ on the email client).

  • Retention Policy Tags (RPTs) are used on default folders (e.g., inbox, junk mail, sent, deleted). Users cannot change the RPT but can override it with a Personal Tag.
  • Default Policy Tags can be applied by users to untagged items.  A Retention Policy can contain only one default policy tag.
  • Personal Tags can be applied by users to their own custom folders or individual emails.

In most cases, users make the decision, and the retention applies on where the email is located.  If there is actual or anticipated litigation, a Retention Hold can be applied to the user’s mailbox; however, this does not prevent users deleting emails, it only overrides any retention policies.  The Legal Hold option should be applied to prevent deletion.  Once this option is applied, Legal Hold ‘captures any deleted or edited items into a special folder that’s neither accessible nor changeable by the user’.

All retention tags include: a Tag Name, a Tag Type, an age limit (in days) with an action to take, and comments.

The actions available are:

  • Delete And Allow Recovery – This action will perform a hard delete, sending the message to the dumpster. The user will be able to recover the item using the Recover Deleted Items dialog box in Outlook 2010 or Outlook Web App.
  • Mark As Past Retention Limit – This action will mark an item as past the retention limit, displaying the message using strikethrough text in Outlook 2007, 2010 or Outlook Web App.
  • Move To Archive – This action moves the message to the user’s archive mailbox (see below).
  • Move To Deleted Items – This action will move the message to the Deleted Items folder.
  • Permanently Delete – This action will permanently delete the message and cannot be restored using the Recover Deleted Items dialog box.

Once the tags are created, they can be added to a Retention Policy and this policy, in turn, is then applied to specific mailboxes – one policy per mailbox.

The ‘auto-tagging’ feature, once 500 items have been tagged, will automatically tag items in a user’s mailbox based on their past tagging activities.
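The tags, policy and holds described above, as an added Exchange 2010 Management Shell example that is not from the original post; the mailbox alias, tag names and age limits are constructed placeholders:

```powershell
# Added example (not from the original post): building the MRM pieces described
# above in the Exchange 2010 Management Shell. All tag, policy and mailbox names
# are constructed placeholders; adjust them to your own environment.

# 1. Retention Policy Tags (RPTs) apply to default folders. Users cannot change
#    them, only override them with a Personal Tag.
New-RetentionPolicyTag -Name "RPT-DeletedItems-30d" -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery `
    -Comment "Constructed example: purge Deleted Items after 30 days (recoverable from the dumpster)"

New-RetentionPolicyTag -Name "RPT-JunkMail-14d" -Type JunkEmail `
    -AgeLimitForRetention 14 -RetentionAction PermanentlyDelete `
    -Comment "Constructed example: junk mail is never a record"

# 2. One Default Policy Tag (DPT, -Type All) per policy. It catches untagged
#    items and, here, moves them to the personal archive rather than deleting.
New-RetentionPolicyTag -Name "DPT-Archive-2y" -Type All `
    -AgeLimitForRetention 730 -RetentionAction MoveToArchive `
    -Comment "Constructed example: untagged mail moves to the archive mailbox after 2 years"

# 3. Personal Tags (-Type Personal) are the user's opt-in choice in Outlook/OWA.
New-RetentionPolicyTag -Name "Personal-Keep-7y" -Type Personal `
    -AgeLimitForRetention 2555 -RetentionAction PermanentlyDelete `
    -Comment "Constructed example: user-applied tag for mail that must be kept 7 years"

New-RetentionPolicyTag -Name "Personal-NeverDelete" -Type Personal `
    -RetentionEnabled $false `
    -Comment "Constructed example: retention switched off for items the user tags"

# 4. Bundle the tags into a Retention Policy. A mailbox carries only one policy,
#    and a policy may contain only one DPT.
New-RetentionPolicy -Name "Records-Standard" `
    -RetentionPolicyTagLinks "RPT-DeletedItems-30d","RPT-JunkMail-14d","DPT-Archive-2y","Personal-Keep-7y","Personal-NeverDelete"

# 5. Apply the policy to a mailbox. MoveToArchive needs an archive mailbox.
Enable-Mailbox -Identity "alice.example" -Archive
Set-Mailbox -Identity "alice.example" -RetentionPolicy "Records-Standard"

# The Managed Folder Assistant does the actual processing; trigger it now
# instead of waiting for the scheduled run.
Start-ManagedFolderAssistant -Identity "alice.example"

# 6. Holds. A Retention Hold only suspends the policy for the mailbox; the user
#    can still delete items.
Set-Mailbox -Identity "alice.example" -RetentionHoldEnabled $true `
    -StartDateForRetentionHold (Get-Date)

# Litigation (Legal) Hold is what actually preserves deleted or edited items.
Set-Mailbox -Identity "alice.example" -LitigationHoldEnabled $true

# 7. Verify what is in force before relying on it for a discovery request.
Get-Mailbox -Identity "alice.example" |
    Format-List RetentionPolicy, RetentionHoldEnabled, LitigationHoldEnabled, ArchiveName
```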

So, is MRM the answer to managing emails as records? 

Yes and no.  From a recordkeeping perspective, MRM:

  • Does nothing to ensure that records are kept in the business activity or functional context to which they relate, unless (of course) the emails are the only form of record that exists for the business activity.
  • Does not stop users from deleting emails.

On a positive note, MRM:

  • Attempts to address the problem of email retention.
  • Allows the application of a retention policy to emails that might be stored in a business context Outlook mailbox or folder.  As well, Exchange features like Legal Hold and Journaling allow further controls to be implemented.

Archiving

Exchange 2010 now includes a ‘personal archives feature’, which allows users to save emails to their own archive instead of saving emails to drives or using Personal Storage (.pst). A good article on this subject can be found at this location: http://mohamedridha.com/2011/11/07/exchange-2010-online-archiving-and-retention-tagspolicies-a-practical-example/

Sources (all retrieved 1 June 2012)

Enforcing Information Management Systems … and Strategies that Work

June 16, 2010

Extracted from a speech given to the 4th Information Management & E-Discovery Summit, Sydney, Australia, 10th June 2010.

Digital information is everywhere. One of the biggest problems for organisations is the volume of so-called unstructured information commonly found on network drives and in email folders.

Electronic document management systems (EDMS), often now known as enterprise content management (ECM) systems, are seen as the panacea to this problem; however, unless they are mandated for all unstructured information, users will continue to have some level of discretion about what goes into them.

In response to this, organisations may implement an email archiving system to at least capture emails, or use backup tapes as a form of archive tape, or move information to some other form of long-term storage.

All of these options have shortcomings, not the least of which is that they may end up storing information for much longer than necessary, thereby exposing the organisation to the risk of this information being discovered.

So, you are probably a bit confused about what to do, and what direction to take.

Do you:

(a) Acquire and implement a system in the hope that you can get users to put unstructured information into it, and somehow manage the information that’s not captured, including by using email archiving or network drive archiving/duplication?

(b) Acquire, implement and mandate a system across the organisation for all unstructured information?

(c) Don’t acquire anything, and risk manage it all?

If you decide to go with option (a), here are some suggestions for managing unstructured information more effectively in organisations.

Have a good information management strategy

Not everything (usually) needs to be managed in the same way.  It would be an unusual organisation that wanted to manage everything in exactly the same way.  Some information must be managed well, some less so.

A good strategy will show a good understanding of the following elements:

  • Your organisation’s digital information assets.
  • Your compliance requirements and standards, including records management best practice, standards and compliance needs.
  • The way your users, and your organisation, currently do their work.
  • Your current technological environment (your technological limits or opportunities).
  • The external information management and electronic document management environment (what is happening out there).
  • How contemporary electronic document management systems work, as they are not all the same.

And then develop your information management strategy and EDMS implementation plan accordingly.

Communicate this strategy through information provided via the intranet, all-staff emails, desk drops, and information provided through managerial meetings.

Make sure there is effective communication at all phases of the project

This is essential, almost critical to success.  More is better.  The best projects have very good communication.

Keep people informed and they will keep up with you.  They may even use your system.

When considering change management, remember the technology adoption lifecycle and the five broad categories of users.

There will always be innovators, early adopters, the early majority and late majority and finally the laggards.

And yes, unfortunately, these are often (but not always) reflective of the ages of your staff.  Target your changes, and the required training, accordingly.

Have realistic and understandable policies and procedures for managing electronic documents

A key element in any information strategy, therefore, is having and implementing an effective policy that addresses the management and retention of information.

But, make sure it is a policy that everyone can access, understand, and put into practice.  Recent research conducted in Malaysia in 2004 and 2008 indicated that less than 50% of organisations had a policy for managing electronic documents, and of the 50% that did, less than 25% of respondents complied with it.  The ones who didn’t comply said they didn’t have the time, or found it too difficult, to do so.

Interestingly, the research also showed that most respondents said they wanted such policies in the form of guidelines for managing electronic records.

What does this research indicate to us?  That good communication and effective change management are critical to support policies and help users to use systems to keep records; if you don’t have one, you probably won’t succeed.

Have a good, realistic, defensible, and well-considered project scope document

Don’t underestimate just how hard it is to implement these systems.  After all, you are making a fundamental and sometimes unintuitive change to the way people manage information.

This is a key part of any proposed project.  What are you trying to achieve?

Installing a new product is easy, changing staff behaviours is very difficult.

What’s your objective?  Why is it your objective?  Is it compliance?  If so, compliance with what?  There would be few organisations in Australia for which compliance with something is the only driver for an organisation-wide EDMS.

When defining the project scope and project plan, you should have a really good handle on the following:

  • What information are we actually trying to manage?
  • What are the actual compliance drivers?  (see below)
  • How do people actually manage digital AND paper information now?
  • What are the risks with current processes and practices?
  • What risks are you trying (or needing) to mitigate against?
  • What is happening externally?

A simple rule of thumb that seems to work in most cases is this: the greater your risks of not complying or needing to be accountable (including because of anticipated litigation), the more likely your users will manage your information well.

Or, to put it another way, you are more likely to – and probably should – spend most of your effort managing the information that you have to manage well.

There are several risks associated with users continuing to use uncontrolled systems such as network drives and email folders to manage records.  Making them aware of these risks through policies, procedures or guidelines can be a good idea.

The risks are:

  • Being unable to find and produce information required except through costly data recovery or forensic processes.
  • Not meeting compliance requirements, that is, managing information poorly.
  • Keeping information for longer than required.

The longer we keep information that doesn’t need to be kept, the more we expose the organisation to potential embarrassment and expense through e-discovery and other forms of information retrieval.

Understand your real compliance requirements

What are your actual compliance mandates?  If users know what they are, they may respond better to a new system.  Often this is not well communicated.

It is very important to have a very thorough understanding of your actual compliance requirements.

And then, based on that understanding, take a risk based approach to the management of your information.  This will in turn inform how you approach the issue of user uptake of a system.

In August 2007 the Management Advisory Committee (MAC) of the Federal Government’s Public Service Board published one of the most useful common sense documents to come out of Canberra, ‘Note for File’.

The report acknowledged the key difficulties faced by agencies in managing information, including the problems of information stored unofficially on network drives and in email and other electronic systems.  It recommended agencies take a risk-based approach and prioritise their recordkeeping attention on activities that pose the greatest level of risk.

Get senior management support

Will your CEO use the system? If not, why not? My CEO uses our system.  It’s a great selling point for staff.

Have end user participation and contribution from the beginning

This is part of good business analysis.

Understand your organisation and its business needs, preferably with some product knowledge behind you.

Find the key users, the early adopters. Consult. Listen. Identify problem areas.

BUT! Recognise that users are not always right and remember that customisation can be expensive.

Have well defined system requirements – but don’t overdo it

Understand your business needs and define your requirements for a system carefully.

Understand and define what the relationship will be between the existing systems, drives and email folders and the new system, and how end users will work in the future.  Storyboard it, even.

Many products probably already do what you want.  These systems offer users folders containing documents, wrapped up in access, security and audit requirements, sharing and collaboration models, with retention and disposal capability.

The more you customise the base product, the more expensive and complicated it gets.

Find the product that best meets your needs

Find a product that is the best match for your business needs, not one that has the best marketing team, or is flavour of the month.  Many products have been around for years.  They started out as DM, became EDM, then EDRM, and are now ECM systems.

There is a lot of maturity in this market and, in recent years, a great deal of upheaval and acquisitions.

TRIM was bought by HP.  Hummingbird and Vignette were acquired by Open Text.  The old iManage was bought by Interwoven and became Worksite (and Mailsite), then was acquired by Autonomy.  Documentum was bought by EMC, and in the wake of those acquisitions Alfresco appeared.

Really get to know the product and what it does, including your infrastructure requirements

So, what’s the best system for users to use?  One that meets your objectives.  One that will:

  • Meet your business, regulatory and litigation compliance requirements and standards for keeping, storing or managing information and records.
  • Be used by users, with minimal training.
  • At a cost that is affordable and gives true return on investment.

It doesn’t, necessarily, have to manage everything.

Don’t forget about recordkeeping requirements.  If you follow the principles outlined in ISO 15489 you are more likely to have good records that will meet compliance requirements.

A realistic project plan AND change plan

Have a separate change and project plan, although they may be in the same document.

I’ve seen extraordinarily complex project plans for projects that didn’t succeed, and very simple project plans that did succeed.

Success can be as much about a great plan as it is about the people and resources doing the work, and the capability of the users in the organisation to change.

Failure, on the other hand, is often about poor scoping and/or scope creep, poor understanding of the organisation’s capability for change, poor change management, poor communication, user rejection, and, frankly, the wrong choice of technology.

As they say, successful projects have proud parents, the unsuccessful ones are orphans.

Have a great change management plan

You need a good change plan, especially for the late majority and late adopters.  In fact, some people suggest you should only target these groups for change.

Change is not popular.  People fear change and tend to be somewhat parochial and protective of the technology they have got used to.

Moving from a paper-based to an electronic-based way of managing information is, perhaps, one of the greatest challenges over the past decade.

Understand the technology adoption lifecycle.

Software – know your proposed or acquired product – well.

I mean, really well.  How often do we see organisations evaluating and acquiring a system, and then engaging a systems integrator to implement a product, without having a good idea of how the product really works in the first place?

This is as much about the acquisition process as it is about the implementation process.

In one case I was involved in recently, the organisation spent a lot of money getting external consultants to help define the business requirements of the system, which were then passed to an integrator who did exactly what was required.

Problem was, the system then failed because it was not designed to work in the way that the users had requested, the consultant had defined, and the integrator had made it work.  Find out how other organisations use the same product.

You should also know your vendor very well, too, along with any proposed systems integrator.

Customise only when necessary

This is an interesting one and in many ways related to the previous point. Clearly it is a good idea to engage staff in how they want a system to work.

However, many systems are, by default, capable of doing most of what the majority of users want without customisation.

You need to tread a very fine line between listening to users and implementing what they want.

The more complex your project in terms of customisation (in particular), the more likely it is the majority of potential early adopters will miss out.

Maintain sufficient flexibility to get your project over the line within time and budget.

In a case I was involved in last year, the organisation persisted in developing a complex and expensive set of customisations, when the product out of the box actually met 98% of user requirements.

Recordkeeping

Don’t forget about recordkeeping issues, including retention periods for the information.  This is closely linked to your policy.

Remember, keeping records for too long can be just as risky as not keeping them, because it exposes the organisation to legacy information that should probably have been deleted.

Use qualified resources

Use qualified resources, people who have a good track record.

Post implementation evaluation of the project

Look around at other projects. Learn the lessons. Communicate them!

A brief history of the origins of the Statute of Limitations

January 28, 2010
(NOTE: This article was completely re-revised on 1 February 2010, all original content was changed).
Summary
The retention – and eventual disposal – of records is a common business practice, despite occasional concerns about what gets destroyed.  Justice Scalia, in Arthur Andersen LLP v United States (No. 04-368, 2004), said as much about the destruction of records relating to Enron by Arthur Andersen: ‘… we all know that what are euphemistically termed “record-retention programs” are, in fact, record-destruction programs, and that one of the purposes of the destruction is to eliminate from the files information that private individuals can use for lawsuits and that Government investigators can use for investigations.’
A key factor in all records disposal programs is determining how long records should be kept.  In many parts of the English speaking world, seven years is frequently cited as the minimum period that records must be kept. But what is the origin or significance of this period of time?
It seems, based on the available evidence, that the seven year period is based on an arbitrary period or time limit of six years, set in 1623.  Some jurisdictions with English legal traditions around the world have retained the same minimum six year period, for example, ‘An action for an account shall not be brought in respect of any matter which arose more than six years before the commencement of the action.’ (s4(2) Limitation Act 1950 (New Zealand)).  Others have decided to go with seven years, based on (it would seem) the expiry of the six year period.
It has been claimed by some commentators that the seven year period is based on Deuteronomy 15:1–2, which refers to the release of debts after a seven year period, and Deuteronomy 31:10, which has similar references.  There is also, as we will see, a Jewish influence on English property law during the same period which set the scene for the eventual creation of statutes of limitations, but neither of these provides a credible link to the specific period of time that was chosen.  If anything, the origins of a set timeframe for (legal) actions can be traced to Roman law but, again, the links with early English property law are not strong.
Roman Law
Roman law, as outlined in the Twelve Tables (see, for example, http://www.unrv.com/government/twelvetables.php), included the principle for property related matters of usucapio, literally ‘taking by use’ (Table VI.5).  ‘Usucapio of movable things requires one year’s possession for its completion; but usucapio of an estate and buildings two years.’
The concept of usucapio is in many respects the basis for the English expressions ‘possession is nine-tenths of the law’, and ‘finders keepers’.  The timeframes defined in the original tables were eventually extended by Justinian but ‘it remained in principle a method of acquiring ownership’.  (House of Lords, R v Oxfordshire County Council and Others, 24 June 1999).
Roman law also established the concepts of possession (possessio) and ownership (dominium). (see http://penelope.uchicago.edu reference in sources).
Of interest is that Henry de Bracton, a Royal judge during the time of Henry II, wrote considerably on Roman Law, although his writings and the value of them have been disputed (see Wikipedia article).
English Law
English law, on the other hand, never accepted the idea that long possession of property was the basis for ownership or acquiring title. Instead, the continual possession of property over a passage of time removed the original owner’s right to claim it back.
Blackstone’s Commentaries on the Laws of England (1765-1769) notes that William I introduced feudal tenures into England after 1066.  An essential part of this new governance model was that ‘the king is the universal lord and original proprietor of all the lands in his kingdom; and that no man doth or can possess any part of it, but what has mediately or immediately been derived as a gift from him, to be held upon feodal services’.  This meant that the tenant’s possessory right in land was limited to usufruct, as granted by the King, who retained absolute dominion over the land.
Usufruct means that the tenant, or ‘fief’ was required to render service to the sovereign in return for the privilege of using the land.
According to Judith Shapiro, William also brought with him Jews who were owned by him and became his moneylenders.  Jews could not own land, but they could lend money using land as the collateral security, and presumably over a period of time.  While the contracts established at the time (‘shetar’, also known as ‘Jewish gage’) did include a clause from the Bible (Deuteronomy 24:10-11) protecting debtors, it is highly doubtful that they released debt at the end of 7 years – in fact, Deuteronomy 15:3 clearly exempts ‘foreigners’ from this requirement.
According to the UK Law Commission April 2009 report ‘Why does the present law need reform’, the first limitation periods applied only to land-related actions.
Henry I succeeded William in 1100 and reigned until his death (of gluttony) in 1135.  Henry I brought about many changes to English feudal law recognised in documents such as ‘Leges Henrici Primi’ (written around 1115) and ‘Quadripartitus’.  One important change introduced was a limit on the date by which a ‘disseisor’ (that is, a person claiming ownership of land as a result of adverse possession (‘assize of novel disseisin’)) could claim ownership.
In R v Oxfordshire County Council and others, 1999, it is noted that ‘… the medieval real actions for the recovery of seisin were subject to limitation by reference to past events’.
Shapiro (ibid) notes that, during Henry II’s reign (1154 – 1189), ‘… the King’s court assumed an increasing share of litigation that had previously only been heard in local courts’.  This was done through the issuance of Royal writs, including the new ‘writ of debt’, used to collect loans of money.
Writs of Entry were also created during this period, according to Joseph Biancalana.  Writs of entry were used to allege that a defendant had no entry into land other than by a transaction or taking that did not authorise him to hold the land, for a period of years (‘ad terminum qui preterit’), defined in three degrees.
Biancalana claims that the timeframe set out in the three degrees was developed from the writs of ‘gage’ (debt).
Shapiro claims that, eventually, the Jewish moneylending practices became ‘a weapon of socio-economic changes that tore the fabric of feudal society and established the power of liquid wealth in place of land holding.’  Riots broke out in 1190 and many of the original documents were destroyed (leading, incidentally, to the creation in 1200 of local Archives (Archae) and duplicate copies).
The UK Law Commission report noted above states that,
  • Before 1237, ‘… plaintiffs could not claim land on the basis of seisin before the day in 1135 when Henry I died.’
  • In 1237, the Statute of Merton, 20 Hen III (1235) stated that a writ of right for land-related claims could not refer back to any time before the coronation of Henry II in 1154.
  • In 1275, the Statute of Westminster, 3 Ed I c 39 moved this date forward to the coronation of Richard I in 1189.
  • These dates were not changed again until the 1540 Act of Limitation, which prescribed 60, 50, and 30 year limitation periods for land-related writs of right, writs of morts d’ancestor, and claims based on possession of the claimant, respectively.
In R v Oxfordshire County Council, it further notes that ‘as time went on, proof of lawful origin … became for practical purposes impossible … the evidence was not available …’ to assess claims of novel disseisin.  Judges apparently instructed juries that ‘if there was evidence of enjoyment for the period of living memory, they could assume that the right had existed since 1189’.  As time wore on, it clearly became impossible to prove.
Finally, the Statute of Limitations Act 1623 fixed a 20 year period for ‘writs of formedon’ (UK Law Commission report).
However, these changes still proved difficult in practice and often relied on ‘legal fictions of presumed grants’ (R v Oxfordshire) effectively based on ‘time immemorial’ (that is, since 1189).
Until the passage of the Act in 1623, no limitation periods existed for other, non-land-related claims (UK Law Commission report).  The new Act included limitation periods for non-land-related claims as follows:
  • Two years: Actions for slander
  • Four years: Actions of trespass to the person, assault, menace, battery, wounding and imprisonment
  • Six years: Actions on the case (other than slander); actions for account, other than such accounts as concern the trade of merchandise between merchant and merchant, their factors or servants; actions of trespass, detinue, action sur trover, and replevin for taking away of goods or cattle; actions of debt grounded upon any lending or contract without speciality; and actions of debt for arrears of rent; actions of trespass to land.
The 1623 Act also provided for an extension of time where the plaintiff was under the age of 21, a married woman (‘feme covert’), mentally disabled (‘non compos mentis’), imprisoned, or ‘beyond the seas’.
The UK Law Commission states, on page 5, that ‘we have been unable to trace any information on the reason why the six year period was thought appropriate’.  They add that ‘No limitation period applied to contracts under seal (that is, specialties), actions of account between merchants, their servants or factors, actions brought for debt under a special statute, or actions brought on a record’.
Limitation periods for land-related actions were reviewed by the Real Property Commissioners in 1829.  The Commissioners recommended the retention of the 20 year period, implemented in the Real Property Limitation Act 1833 and the Prescription Act 1832.  The Commissioners also found that no limitation periods applied in some cases, including where seisin did not need to be alleged.  And no statutes of limitations applied to actions by the Church.  The 20 year period was then reduced to 12 years by the Real Property Limitation Act 1874. (UK Law Commission report)
Limitation periods were further reviewed in 1936 and recommendations made.  These included:
  • That a single limitation period of six years should apply to actions in simple contract, and actions in tort.
  • A new limitation period of 12 years (down from 20) was created for actions on a specialty.

According to the UK Law Commission report, the six year period ‘which at present applies to the majority of such actions … is familiar to the general public’.

References:
  • Judith Shapiro, ‘The Shetar’s Effect on English Law – A Law of the Jews Becomes the Law of the Land’, The Georgetown Law Journal, Vol. 71, pp. 1179 – 1200.
  • Joseph Biancalana, ‘The Origin and Early History of the Writs of Entry’, Law and History Review, Vol. 25, No. 3, Fall 2007.
  • Western Australian Law Reform Commission, ‘Final Report on Limitation and Notice of Actions’, 1997.
  • Joshua C. Tate, ‘Ownership and Possession in the Early Common Law’, American Journal of Legal History, Vol. 48, pp. 280 – 313, 2006 (SMU Dedman School of Law Legal Studies Research Paper No. 5).
  • http://www.1911encyclopedia.org/Possession_(Law)
  • UK Law Commission, ‘Why does the Present Law need Reform?’, April 2009.
  • Blackstone’s Commentaries on the Laws of England (1765-1769), http://avalon.law.yale.edu/subject_menus/blackstone.asp
  • Harvey Reeves Calkins, ‘A Man and His Money’, 1915.
  • Henry Roscoe, ‘A treatise on the law of actions relating to real property’, 1825.

Integrity

November 9, 2009

Integrity is a key element in recordkeeping.  According to AS ISO 15489, integrity of documents means that they are complete and unaltered.

These words mirror s.11(3) of the Electronic Transactions Act 2000 (NSW) which notes that the integrity of information contained in a document is maintained if, and only if, the information has remained complete and unaltered, apart from:

(a) the addition of any endorsement, or

(b) any immaterial change, which arises in the normal course of communication, storage or display.

Processes, machines and devices

November 9, 2009

s.146 of the Evidence Act notes that:

  • Where a document or thing is produced wholly or partly by a device or process, AND
  • the device or process is one that, or is of a kind that, if properly used, ordinarily produces that outcome, THEN
  • it is presumed (unless evidence sufficient to raise doubt about the presumption is adduced) that, in producing the document or thing on the occasion in question, the device or process produced that outcome.

Proof of contents

November 9, 2009

Provenance evidence is a key element in ensuring the authenticity of documents in evidence.  Proving that the contents of a document are authentic could be critical to the outcome of a court case.

According to s.48 of the Evidence Act (NSW), the proof of contents of a document may be obtained (summarised):

  • Via an admission made by another party to the proceeding as to the contents of the document in question
  • Tendering a document that
    • is or purports to be a copy and has been produced by a device that reproduces the contents
    • is or purports to be a transcript of the words
    • was or purports to have been produced by use of a device
    • forms part of the records of or kept by a business