The Business Controls Caddy

Get Your Swamp Root for Compliance!




As readers of this blog know, I do not suffer FUD (Fear, Uncertainty and Doubt) well, especially when products are marketed as "certified" by some unknown or unidentified group, or even by the Government. Added to this recipe is receiving the marketing message from a spammer that has promised to remove me from their distribution list. It just leaves the marketing message open for dissection. So I will now dissect the marketing message entitled "Get Compliant with the only Government Certified Records Management system for <ProductName>!", and talk about how the company in question blew, in my opinion, what could have been a very strong marketing message by wrapping it in FUD. Instead, it comes across as a swamp root pitch.

"Get Compliant with the only Government Certified Records Management system for <ProductName>!"

As I have stated on here and in presentations, tools and software will not "Get" your organization compliant. Compliance arises from a solid corporate and information systems governance environment. This environment has been built on risk assessments, the development of sound business control processes where the benefits derived exceed the costs of the controls, the controls map to specific business objectives, sound policy development, and a commitment from all levels of an organization to this environment. Software and other tools should be selected and used to support this environment. Without a sound governance structure, it will not matter what tools are used.

"Many organizations today need to comply with government regulations and corporate standards for managing electronic records. An electronic record includes any document, e-mail, or other information that is used to make a business decision."

This statement is misleading and incomplete. Records retention is about *MORE* than electronic records. It is, loosely, about the retention of any and all business records that have a business intent or purpose. The specific definition may vary among entities. The vendor should have made this clear and not confused the issue by only referring to "electronic records". For information purposes, the Wikipedia definition is:

"A business record is a recording of business dealings that must be retrievable at a later date so that the business dealings can be accurately reviewed as required. Since business is dependent upon confidence and trust, not only must the record be accurate and easily retrieved, the processes surrounding its creation and retrieval must be perceived by customers and the business community to consistently deliver a full and accurate record with no gaps or additions."

You will notice that there is no distinction between electronic or other forms in this definition.

"<CompanyName> has released <ProductName>, which is the first product on <Platform> to ever pass the rigorous DOD 5015.2 certification testing process. The DOD 5015.2 standard is the most common standard used for records management in government and industry."

DOD 5015.2 certification is indeed a rigorous certification to obtain. It is an investment that would allow a product to be sold to the United States Department of Defense, or any U.S. Government Agency that follows that standard. In the private sector, it would be valuable to sell the product to companies that receive federal contracts and have to adhere to this standard. But to say that it is the "most common standard", without providing any supporting data/information, is suspect at best. The more global standard is ISO 15489 (Information and documentation). But again, this does not mean a tool is right for every organization. And the marketing might have been better focused from this angle.

"Whether you need compliance with Sarbanes Oxley, HIPAA, SEC, FDA, BASEL II, EU Privacy Act, Federal Records Act (NARA), or other rules, <ProductName> can declare and manage your records in an industry-accepted manner."

Again, what is the definition of "industry accepted"? In the end, it is not what will be accepted by industry, but what will be accepted by the auditors, the regulatory bodies, and the legal system. The vendor should have cited specific standards and regulations, as opposed to blanket "names".

"This will help you satisfy legal requirements for document retention and destruction, and the government certification means that your solution will have the ability to satisfy the legal challenges which are often raised to validate the technology in use."

The tool indeed may be helpful, but to state that the government certification "means that your solution will have the ability to satisfy the legal challenges which are often raised to validate the technology in use" is misleading and might be seen as exaggeration. The "solution" will not survive legal challenges if not backed up by sound policies and procedures. In addition, these policies and procedures will need to be validated (preferably by audit) and implemented consistently. In addition, unless employees are trained in the policies and procedures, and embrace/accept them, the "solution" will not matter. What good is it to have software and/or tools if they are not used properly, if at all? We have all seen many examples of where expensive technology sits unused because of the lack of user education and acceptance.

"<ProductName> also manages physical records, including paper and photographs."

This message is buried at the bottom of the SPAM. This should have been at the top as part of the definition.

What Would Have Made Me Happier?

I might have been more receptive to this information if it had not come from a "marketing" company that is not in compliance with the CAN-SPAM Act. I would have been more receptive if the vendor had offered a white paper with more meat to back up their statements. I would have had a better initial reaction if the subject line had not been written as it was.

Sources of Good Information on Records Management

If you would like to get a better handle on records management definitions and concepts, you might want to download the DOD 5015.2 standard (275 KB, PDF) or read a US Office of Management and Budget (OMB) discussion on the topic.


