Trusted Systems (Part One)
One of the subject areas where we get a lot of questions is trusted systems. So, I thought it made sense to do a two-part blog series. The first will give you an overview and for the second we’ll dig into some detail.
As expected, California leads the way in defining the way local agencies should maintain official records in electronic records ensuring that they are both reliable and trustworthy. My shorthand for the standard is that records need to be “true, accurate, and reliable.” California mandates that electronic records must be maintained in trusted systems as defined by AIIM standards and documented in their AIIM’s Recommended Practices.
The requirements give clarity to regulations that have been California law since 2000. Remember agencies are not required to manage records electronically, but if they do, they must ensure to follow the guidelines found in ARP1 (2009).
Essentially, ARP1 (2009) states that a trusted ECM system is to consist of:
An amalgamation of media, hardware, and software storage that mitigates unauthorized alterations.
The system is verifiable via independent auditing processes.
Agencies are required to keep two copies of the system. At least one needs to be copied to a separate and safe location.
Documented policies and procedures for the handling and management of records.
Similarly, AIIM and ISO 15801 guidelines recognize that there can be variations and that there are too many to select one methodology. Hence, it is recognized that, conclusively, the goal is to prevent unauthorized alterations to records in the system. This is the concept that serves as a central theme in creating a trustworthy system. Additionally, redundancy and transparency as to how the records will be handled according to policy. Staff members must be consistently trained and understand their roles and responsibilities.
Most official records are not physical documents. It is important to know that documents that are “born” electronically should be managed according to the regulations. Agencies should comply with Government Code section 12168.7 and California Code of Regulations, Title 2, Div. 7, chapter 15, sections 22620.1 through 22620.8.