SOX
Sec.802 Criminal Penalties for Altering Documents
This section imposes penalties of fines and/or up to 20 years
imprisonment for altering, destroying, mutilating, concealing,
falsifying records, documents or tangible objects with the intent to
obstruct, impede or influence a legal investigation.
We're a Canadian organization but SOX is a point of reference for our
outside counsel anyway because the end result SOX specifies resonates as
a sound thing to do. How one gets to the end result of SOX compliance
was obvious to our lawyers and to our information management
professionals: follow case law and follow best practices of the
industry. Laws are a lot like standards (such as ISO): both state the
end goal but don't specify exactly how to achieve it, both are based on
the current best practice and take that as the ideal that inspires what
the end result should be. It's true that SOX doesn't state that a
retention workflow must have a module that includes two instances of
authorization to automate certain kinds of disposition activity. SOX
also doesn't state that the system you buy has to come in a purple box.
The infamous court cases in the US and Canada where recordkeeping
practices were maligned always scrutinized both ERMS controls over
records and the policy overseeing the ERMS. Judgments in court cases
that commented on recordkeeping have made points about how the
recordkeeping system functioned, how it enabled abuse/record alteration,
and whether policy existed and was enforced. Organizations were, and
are, judged on the way their ERMS functions on the whole, and its role
in the organization (eg is it truly relied upon? does everyone use it?
is it used only as an afterthought repository as was ruled in Kinsella
v. Logan (New Brunswick, Canada) ) Mismanagement always occurs because
of records systems that lacked audit logs and/or lacked retention
controls and where there was no governance to enforce policy or where no
policy existed. Maybe that's why it's so obvious to lawyers that
retention controls in an ERMS are required and that "control" means some
level of automation.
Records Management Website
http://teamsites/sites/Records_Management/default.aspx
Maureen Cusack | Smart Systems for Health Agency
desk phone: 416.586.4012 | cell: 416.854.4987 | fax: 416.586.4398
[log in to unmask]
415 Yonge Street, Suite 1900 | Toronto, ON M5B 2E7 | www.ssha.on.ca
This message (including any attachment, if any) is confidential, may be
privileged and is intended for the above-named recipient(s) only. If you
have received this message in error, please notify the sender by return
email and delete this message from your system. Any unauthorized
distribution, disclosure or use of this message is strictly prohibited.
-----Original Message-----
From: Records Management Program [mailto:[log in to unmask]] On
Behalf Of Larry Medina
Sent: December 22, 2005 12:36 PM
To: [log in to unmask]
Subject: Re: Microsoft ECM
On 12/22/05, Cusack, Maureen <[log in to unmask]> wrote:
>
> (of course it cannot be used as a
> recordkeeping system because it doesn't have automated retention
> scheduling functionality which is required by US law and international
> best practice).
>
Wuzzat????
Where is this "required by US Law" and nothing is "required" by any best
practice, it's only recommended....
Automated retention is an elective function, one that is rather
questionable
until a lot of tweaking and rule-building is done by the user
organization
before it becomes useful, and event then, it requires diligence to
ensure it
remains curent with regulations, legislation and business practices,
including potential legal hold issues that may result in a need/desire
to
retain records longer than originally scheduled.
Larry
--
Larry Medina
Danville, CA
RIM Professional since 1972
List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
|
