Thursday, November 12, 2009

ATR: To the Defense of Archives (and the English Language)

I'm throwing down the gauntlet. I'm tired of people mis-using the term "archival" and now I see that the term "archivist" is going to start to be abused. I've engaged in a periodic running battle with Benjamin Wright. He's a lawyer; I'm not. I probably shouldn't single him out here, but unfortunately, he pops up on my Google Reader blogs and his usage gets in my face. Small apology to Mr. Wright for picking on him, because there are undoubtedly many sinners in this space.

"Archival".
Someone tell me when this term became a noun. Checking Dictionary.com, "archival" is an adjective. However, I keep seeing the term used as a noun, generally in combination with "email", as in "email archival". What the heck is that? Arguably, you could say "archival email" and that would (sort of) have meaning, but "email archival" has no meaning in the English language. You could also say "email archive", but I'd rather that you didn't.

In this post, Mr. Wright says,
Many lawyers and archivists recommend, for example, that email systems be configured to purge email, by default, after only . . . 15 days or 30 days.
ARCHIVISTS say this? Whoa! At least in North America, an archivist is generally assigned to be the custodian of historical records. In other parts of the world, an archivist is the de facto records manager for an organization. But I would suggest that at least this records manager (and fallen away archivist) would never suggest that all email be deleted in short order. Email is a means of transport and storage for information. Paper is also a means of transport and storage for information. The content value of the information drives the retention period, not the means of transport and storage. If you are going to suggest that "email" has a particular retention period, then you also have to set a retention period for "paper".

Now records managers have been known to be accused of being Conan the Shredder from time to time by our colleagues who toil in historical archives. If anything, when conflicts arise regarding destruction of records in the information professions, it's archivists thinking records manager are too quick to destroy records and records managers thinking archivists are too slow.

So my thinking is that Mr. Wright is considering IT storage management professionals to be "archivists" (these are the same folks who have to manage all those email "archivals", I guess, so they must be "archivists"). Let's put a stop to this nonsense right now. We have enough difficulty explaining the difference between "backups" and "archives" to the IT folks. And when you insert a "real" archivist into the mix (because your organization has an historical archive), people get really confused.

I would suggest the following: the storage location for information is a "repository", regardless of the physical form of the information. So when you retain email, it is retained in an email repository. When you retain hard copy, you store it in a hard copy repository. The discipline of managing the repository is "storage management". The discipline of setting the retention period for an organization's records is "records management" or "retention management" or even some flavor of "governance".

If we can agree on those terms, let's look at the issue raised by Mr. Wright. Mr. Wright is rapidly leaning into the camp that suggests that email should be retained in an "immutable archive" (there's that term again, although not used by Mr. Wright) -- which means that you don't delete any email message once it is created or received. His logic in the article seems to indicate that only bad guys delete email because they must have something to hide.
For good business people, lengthy, complete email and text message records -- including all the metadata -- are a friend.

The only people who have incentive to destroy their electronic message records quickly are mobsters, the Mafia. They of course are motivated to toss all the smoking guns and dead bodies into the river.

I can understand where this logic comes from, but I would suggest that if you are going to retain all electronic messages, you have to retain all paper messages as well. And that means that you have to retain EVERYTHING that shows up in paper form -- and, to ensure that you are retaining metadata for the paper, you have to keep the envelopes too. So when I get an advertisement in the mail, I'm going to have to keep it, regardless of the fact that in the electronic world, that same content might have been deleted automatically by a spam filter. Those reusable Interoffice envelopes? Use them once and keep them to show when the document was sent. That FedEx box? Better keep it to show the routing stickers and codes used by FedEx to deliver the documents.

Clearly that's nonsense. But it is effectively what is being suggested in the electronic world. And I don't buy the statement, "Well, you can easily tell what is junk and what is a record when it is a paper document." So we're suggesting that human beings are capable of discerning non-record from record in the paper world, but they can't do this in the electronic world? But hard copy records take up too much space and they are costly to retain! Try that one with electronic records. There is a double standard here that simply makes no sense to me.

I would suggest that proper management of information starts with much better training than most organizations are prepared to deliver today. And, that training has to be followed with auditing of business practices. If you can train people well, create a simple system to ensure that record-worthy information is retained in appropriate repositories, and validate that the rules are being followed, then you will have a defensible system of record. That is neither easy, nor is it inexpensive. But it is necessary before we start to see case law and precedent built up that demands two systems of records in an organization -- paper records and electronic records.

I am rapidly becoming an advocate of developing systems that separate information into three buckets: first, non-records; second, transitory records; third, declared records.

Non-records:
Non-records do not have to be retained and if not immediately disposed of, should be fully discarded within a relatively brief period of time (say 60 days). So you build into your repository a means to discard the garbage within 60 days of receipt or creation.

Transitory Records:
Transitory records are maintained for a period of time to determine if they should become a declared record or discarded as a non-record. This transition period should be fairly short, perhaps no more than two years. Government retention schedules have most often defined transitory records and often set even shorter retention periods.

Declared Records:
Declared records are assigned a retention period tied to a record series or category on a retention schedule. The repository for declared records will generally have greater controls over deletion and changes to the records as well as provide mechanisms to establish legal holds (arguably, any repository for information -- including those for non-records and transitory records -- should have a mechanism to ensure that information subject to a legal hold is retained until released from hold).


To circle back to where I started, I would suggest that all of us who support the management and retention of information come to agreement on more precise use of terms that describe what is being retained and where it is retained, particularly when those terms have the potential to be seen as confusing or conflicting between information professionals.

Tuesday, October 27, 2009

OTR: Public Speaking

I'm back from the ARMA Conference for a week, but it feels like a month. Today was the first day that I had a few minutes to catch my breath at work and I spent some time cleaning up email and getting back to some folks that I met at Conference. A few of those folks were kind enough to compliment me on my presentations and ask me if I'd like to speak at one of their Chapter meetings or seminars.

I'm always flattered to be asked. I don't speak as much as I once did, when I was building a career and trying to get rolling in consulting (the firm saw speaking as marketing). Today, the Day Job is time-consuming, but I do allow myself time to get out and do a presentation on occasion. I often joke to my colleagues in the Chicago Chapter that the only time that I'm able to see them is when they invite me to speak.

If you're interested in having me speak to your Chapter or non-profit organization, all I ask is that you cover my travel expenses, feed me, and give me a place to stay. If it is a for-profit event, an honorarium would be appropriate. I do have a list of presentations and I will customize what I've done, but a completely new topic is often a challenge (but feel free to ask). Since I usually do a presentation at the ARMA Conference, I usually have at least one piece of new material every year. I always tell folks that if you've gone to the expense of getting me to your event, feel free to make use of me all day. I always feel bad when I get up and speak for 45 or 75 minutes and head right back to the airport. I try to arrive the night before and my preferred airline is United (yet another geek thing for me). If it is close to Chicago and flying would involve something with no headroom and propellers, I'll drive or see if Amtrak goes there.

I'm in the ARMA directory or my email address is available if you click the link to my Blogger Profile.

ATR: My FAI Thank You Speech

As many of you know, at the ARMA International Conference in Orlando, I was privileged to be named to ARMA International's Company of Fellows. As Fellow #43, some wags refer to me as "W" or "Dubya"... short pause while you think about that...

When I received the official Lucite plaque, I was offered five minutes for some remarks. I now publish them here, for those of you who may have missed the Awards Reception.

++++++++++++++++++++++

My Dear Friends and Colleagues:

As I stand here today, the first thought that comes to me is, in the immortal words of Wayne and Garth…. “I’m not worthy!” But here I stand, nonetheless. I’ve been given about five minutes for some comments, so I’ve prepared my remarks tonight, mainly, as many of you know, because I am often incapable of speaking in increments of less than an hour and fifteen minutes.

I am humbled and honored to be here tonight. Almost 20 years ago, I sat in a hotel ballroom in San Francisco and watched the first Fellows be introduced to the Association. At the time, I never imagined that I would someday be able to count my name among those luminaries. I was, after all, but a little records manager at the time.

There are many people that I need to thank tonight. I’ll start with my colleagues who nominated me. I am humbled to be so honored by them. Larry Bates, Beth Chiaiese, and Tim Hughes, I am forever in your debt for your nomination. Thank you. Next must come my family – my wife and daughters – who have often wondered what it is that I do when I traipse off to some exotic locale like Kansas City, Boise, Omaha, Milwaukee, Detroit, Appleton, or Bloomington. You see, the road to this honor was paved with many visits to many places where there was no doubt that I had to be speaking or learning. But airport t-shirts and key chains are small substitutes for dinners missed, so to them, I also say thank you for allowing me to grow in my craft and share what I know with others.

I must take a minute to thank Jac Treanor, my dear friend, colleague, and mentor. Without Jac allowing me time, early in my career, to give back to my profession, and the opportunity to speak in public, I would not be here today. Jac is also the boss who gave me my first computer and the opportunity to learn how to use it. Yep, he’s the one to blame.

There are many others along the way – such as the officers of the Chicago Chapter who welcomed me in to their midst, gave me responsibility, and bought me many a soda from the bar; or Mike Pemberton, who asked me to participate on the Task Force that developed the Code of Professional Responsibility; or John Phillips, who asked me to help launch ARMA’s first website; and ARMA’s Education staff, who put up with my “just in time” style of preparing presentations for Conference.

I also want to thank the Chapter meeting and seminar leaders and the Program Committee members through the years who have thought well enough of me to invite me to share my thoughts with our members. And of course, I want to thank all of you who have put up with my unanswerable questions, long-winded stories, and bad jokes all of these years. I trust that you actually learned something from me.

I’d also like to thank the many International Board members and the staff of the Association who put up with my griping from time to time, then welcomed me as a Board member so I could see how the sausage was made.

There are many others who also deserve thanks and my gratitude for their wisdom, their friendship, and their encouragement. Some of you know who you are and I thank you, even if I don’t name you here tonight.

I think this is the part where I am supposed to impart some wisdom or some special insight into the future of our profession. What I say tonight is what I often say in my presentations… Never stop learning. Never stop growing. Use this Association to network and to step beyond your comfort zone. I believe that our profession is at the cusp of significant changes that will redefine what it is that we do as records managers and how we perform our work. We have to embrace those changes and welcome the opportunities that come with change.

My present boss is fond of saying… “There are no challenges, only opportunities.” In these times, and in this profession, those are words to live by.

Party on… and thank you.

Tuesday, September 29, 2009

ATR: Twitter

A couple of weeks ago, at a half day seminar that I presented to the ARMA Nebraska Chapter, I said something humorous about "twits Tweeting" (I liked the alliteration) . With all due respect to my esteemed professional colleagues who Tweet with regularity, I hope you understand that I wasn't talking about you.

I opened a Twitter account the other day and began doing some "Following" this evening. There's a work-related reason for this, but we'll add that story to the book of stories that I can't ever tell in public. It will be a long book at the rate things are going.

Anyway.

I decided to see what this "Following" thing was all about. So I "Followed" some of my fellow bloggers, some work-related Twitter accounts, and some odds and ends. Next thing I know, people are thanking me for Following them, and inviting others to Follow ME!!!! EEEEEK! Then people I'm not Following are signing up with me and I think they are all expecting a Tweet or something. People, people, people... I can't speak in less than 75 minute increments or create a PowerPoint with less than 25 slides and there is no way in heck that I can write anything resembling a full thought in 140 characters or less. I had to create this blog because I was filling up the Listserve when I rambled on...

So sorry Followers, there will be no profundity in less than 140 characters from me. You'll have to come here for the unabridged version. And you really don't care about my general health, what I had for lunch, or what I'm shopping for, right?

Why is this post, "Above the RIM"? Well, even if you are afraid of becoming known as a twit who Tweets, you may need to join Twitter to see who is Tweeting and what presence your organization has on Twitter. You might be surprised. And when you find your organization's presence, have you found records of the organization, pointers to press releases retained elsewhere, or just the musings of twits who Tweet?

I'll be over here, trying not to bow to peer pressure or those accumulating Followers...

Tuesday, September 15, 2009

ATR: Records Management as Science?

So the other day, Russell James asks, "Why Not 'Records Science'?" I read Russell's blog from time to time and he does think the deep thoughts. Russell tends to live in the archivist's world moreso than the records manager's world, but he's always thinking. It's not a bad thing. He and I both subscribe to Jac Treanor's statement that records management and archives are two sides of the same coin, so he can't be a bad guy.

Problem is, we may have missed the science bus some time ago. One of the biggest challenges to calling what we do a "science" is that most answers to records management questions start with, "It depends..." Yes, the profession is getting more and more standardized, such as is possible when the types of records are nearly infinite. And just when we think we have one system of records nailed down, something else pops up. ARMA posits the "Generally Accepted Records Principles" and a bunch of records managers scream, "I don't accept those!"

This all takes me back to my (still in progress) read of "Everything is Miscellaneous". Now could ARMA have chosen a more antithetical keynote speaker at Conference? We records managers want order. We create order from disorder. That's what we share in common with librarians and archivists, and to some extent, historians. But our order is rarely consistent or standard. Librarians rely on Mr. Dewey and the Library of Congress. Archivists describe to the rigor of MARC formatting. We just hope that people don't call paid invoices "pinks" or "paid bills". We rail at IT-folks who want to declare email a record type. We pale at the thought of deciding, arbitrarily, "If it hasn't been touched in two years, delete it!" We run interference for lawyers and try to thrash the ones who demand that we implement the latest vendor's "email archival" (whatever the heck that usage means -- I'm still trying to figure out if "archival" is used as a noun). We debate at length if a Tweet is a record and if so, how and where do we retain it. Where once we had thousands of line items on our retention schedules and shared those statistics with great pride and no little bit of chest-thumping, we now try to whittle the retention schedule down to 100 or so buckets inside of a half-dozen "big buckets" (and argue about what those really are). Our science is in constant flux and under continuous attack.

And this in a constant state of cost-cutting, insane advances in technology, outsourcing to the lowest bidder, and the anarchy of the records creator. Years ago, I wanted a concession at the ARMA Conference selling t-shirts that said, "Image it all, let god sort it out." Today, we're nearly better off saying, "Archive it all, let god and the lawyers sort it out." We exist in a world demanding governmental and corporate "transparency", where transparency comes from laws and regulations demanding retention of records. Court systems demand accounting for records and explanations for records not produced. But the courts live in the records and technology world of ten years ago. With each passing day, the anarchy of the records creators reigns supreme. Today I learned about an engineering initiative at Google called the "Data Liberation Front", where the mission statement is:

Users own the data they store in any of Google's products. Our team's goal is to give users greater control by making it easier for them to move data in and out.

Now one of the challenges for these guys is understanding who the customer is. While most of Google's customer's are individuals, Google also seeks the enterprise / corporate customer (and the link to this was found on Google's Enterprise Blog). Unfortunately, the last thing that you want in your organization's scientific approach to records management is even more user optionality. If you have science, you demand repeatability. An infinite number of independent users with an infinite number of unique records means an infinite number of outcomes. Google's sincere approach to the corporate customer is (and I have heard it almost verbatim from two different Google employees in different venues), "We're a search company. Just keep everything and we'll help you find it when you need it." No need to worry about metadata. No need to get rid of pesky personal emails or spam that sneaks through. No need for deduplication. Don't bother classifying, just keep it all. The term they repeat is, "an immutable archive", Uh huh. (Now I could rant about Google's naivete for a couple hundred more words, but I'll stop now.) They are coming around to a more "corporate" way of thinking, but they aren't there yet.

So let me return to Russell's premise. Russell wants us (and our kindred spirits in archives management) to refer to ourselves as "records scientists". Unfortunately, I'm afraid that if we go down that path, the only white coats that we'll wear will have extra long sleeves that tie around back. Let's take a look at Pat's definition of information and records.... Stuff gets created, lots of it. We like to call this stuff "information". We records managers create governance policies that separate the information into categories of "records" and "non-records". We care about records, so much so that we divide the records into "series", although sometimes we like to call those series, "buckets". Because we give each record an assignment into a series, we can easily find what we need by searching for records that are part of the same series. We make sure that records that are stored are associated with metadata that identifies and categorizes the records by series and dates and lots of other bits of data. To each series, we assign a lifespan called a "retention period". At the end of the lifespan, we expect that the records will undergo "disposition". If found worthy, some dispositioned records find their way to the Historical Archives, where they are carefully cataloged and preserved for all eternity (or until the company has to sell them on E-Bay). Everything else gets deleted, wiped, shredded, pulverized, incinerated, or pulped. That makes for a nice flow chart, a pretty PowerPoint slide, wonderful documentation, and total chaos in the real world. Why? Because no layperson can understand any step in that process to the same degree that we do. And they really don't care. They create stuff all day. Some of the stuff belongs to them; some of the stuff belongs to their employer, but the creator doesn't understand that, either. It's all "their stuff". They know that sometimes their stuff is needed and sometimes no one ever cares about it again. But it really becomes important only when they can't find their stuff. So they create their own means of organization, in a manner that makes perfect sense to them. And try as we may, our equally arbitrary means of creating taxonomies and series and buckets simply doesn't resonate.

So where does that leave us? The basic problem, in my opinion, is that we have spent far too much time dealing with records in a hands on manner. Let's face it: we like to organize all that stuff. We like the comfort of policy and structure and rules. We like to pretend that it is all so very scientific and completely repeatable. So some of us are drawn to a description of records as science. But the problem is that we spend entirely too much time doing the records management equivalent of debating whether or not Pluto is a major planet or a minor planet. It all seems so very important, but it really isn't critical to the big picture. And the problem is that while we focus on the little bits, we miss the bigger issues.

At the Day Job, I don't do as much records management as I used to. But I apply the essential "science" every day. I'm finding that there are many more issues to worry about and that the principles of records management that I learned along the way serve me well on many tasks that I never imagined I'd be doing. Let's look at those...

Litigation and Investigation Support: At the end of the day, it doesn't matter if we spend years organizing stuff into series. If it exists, it is relevant to the litigation, and it's discovered, it's called "evidence". At that point our job will be to explain where it came from, whether or not the court should trust it, and whether or not someone found all of the relevant stuff for the matter. It's real helpful to know where to look and to have mapped the locations of all the stuff in the organization so we can say that we've looked in all the right places.

Data Loss Prevention: This is a biggie. It encompasses privacy and security. It means that someone knows where the "important" (i.e. the stuff that can get us sued for losing) stuff lives and takes steps to protect that stuff and detect when it is "liberated" (to use the Google term) inappropriately.

New Technology Assessment: When someone decides to officially "Tweet", or a bunch of engineers in one part of the world want to stream a live webcam to their colleagues in another part of the world, what do we care about? When the business takes its stuff to the "Cloud", what requirements do we need to draw up?

At the end of the day, my job consists of adhering to two directives:
  1. Prevention of loss of data of concern.
  2. Minimizing disruption to the business.
"But there's so much more in what you do!" Nope. If you focus on records management, Directive 1 means that you can find the stuff that you need (if they need it, it is data of concern) and people or automated processes don't discard stuff that is required to be retained. Directive 2 means that we do whatever is possible to ensure that Directive 1 doesn't cause the business (that would be the people who make / deliver products and services and sell them) to spend a lot of time not being the business. Granted, I work in our company's Asset Protection group, but I don't think that these concepts are really foreign to anyone. Why do we classify records? So people can find them again. Why do we care about retention periods? Because we don't want records to be dispositioned too soon. Why don't people always follow our rules? Because we've somehow gotten in the way of them doing what they were hired to do.

So if it makes you feel better to call yourself a "records scientist" who practices the "science of records", be my guest. If your identity gets wrapped up in your business card, so be it. But don't be deluded into thinking that systems of records can be reduced to mathematical formulae and lines of computer code. There's a human element involved and that element doesn't appear on the Periodic Table, but sure makes a mess when it gets involved in records management. Our job is to find ways to design and govern systems that limit the chaos introduced by the human element.

Monday, September 14, 2009

OTR: RIP RAZR

It's a sad day. My two year old Motorola RAZR died suddenly. No drama, no heroic measures to save it... it just died. It was fine yesterday afternoon and last night when I went to charge it for the night, it was dead. I attempted a battery transplant and found that the battery was healthy, but the phone was DOA. I left it plugged in overnight in the hope that it might come back, but it was over. Cause of death is undetermined. The phone bore many scars from bouncing off concrete, as well as being pummeled by seat belts on a daily basis.

It is currently lying in repose on my desk at home. I think I will remove the battery for future use as a donor organ for my wife's phone. The phone itself will assume a place of honor in my office at work -- alongside my old pager and a couple of Iridium phone mock-ups.

My Q9h survives and is feeling lonely today without its constant companion next to it, competing for airtime on the Bluetooth headset.

A QA1 Karma is on order to take the place of my RAZR. Life, and technology, go on...

Saturday, September 5, 2009

OTR: Social Media and Intelligence Gathering

Over at the Day Job, a couple of events that highlight how mainstream social media is becoming... and how what you post can come back to haunt you if you're not careful.

Yesterday morning, I was up a little earlier than usual and decided to browse my Google Alerts at home rather than first thing in the morning at the office. One of the alerts was for the Day Job and highlighted a blog posting claiming that the Day Job had a Windows Mobile 7 cell phone in development. That was interesting because all the focus now is on Android. I followed some links and the source of the blog post was a LinkedIn profile for an individual in China claiming to work for the Day Job and claiming to be working on Windows Mobile 7 code for a code-named device. Yep, in his public profile.

As I followed other links, I came to this post. Seems that a blogger had spent some time mining LinkedIn profiles and came up with numerous tidbits about potential features in Windows Mobile 7, simply based upon what various people said they were working on. Interesting stuff there.

The day before, I had a meeting with a vendor that I had never met before. As we talked, it was pretty apparent that he was familiar with my work and my blog. I asked him and he pulled out a print-out of my LinkedIn profile and commented that he had pretty much read all my blog postings. There was a sudden jolt of reality check. I'm pretty transparent. Had I ever bashed this guy's company in any of that stuff? I didn't think so....

But these two events show that the blogosphere and social media are being utilized to find out information about future plans for companies and their products as well as providing a rich source of information for vendors so they can shape their pitches. Some of that is bad; some good, I suppose. But if you ever think that what you post or Tweet or blog or whatever won't someday come back to visit you, or is just between you and your small group of trusted followers, think again. And if what you do on your day job isn't for public consumption, don't go out and highlight it online to impress people or get the eye of a recruiter -- you may find that you'll be looking for work sooner, rather than later.

Wednesday, July 22, 2009

ATR: Information Management Reference Model -- Been There? Done That?

A colleague pointed out this blog post. Seems that the same folks who brought us the Electronic Discovery Reference Model (EDRM) are going to develop the Information Management Reference Model (IMRM). Interesting. Now don't get me wrong, I refer to the EDRM at almost every opportunity -- in fact, my job title is modeled on it. I'm quite pleased to see that the cornerstone of the EDRM is Information Management. If you don't know what you have, you can't find it when you need it. If you don't manage what you have, you will have too much to sift through when you need it.

So I suppose that it is a natural extension of the EDRM to show how that relationship works. The components need to be defined and vendors can then market their services and products around each component of the model. But, haven't we already done this? Sure we have. We like to call it the lifecycle of records. The traditional approach designates the lifecycle as:
  • Creation
  • Distribution
  • Use
  • Maintenance
  • Disposition
There have been a variety of iterations of this model, the latest of which was given the title "Information Lifecycle Management". But the core components remain the same through each evolution, so I would hope that the IMRM would contain the same basic elements.

Over and above the lifecycle concept, ARMA International has developed the Generally Accepted Recordkeeping Principles, or GARP (I'm missing some Service Marks there). GARP has some commonality with the lifecycle model, but GARP is designed to provide organizations with a core governance model for RIM programs. So it is a bit different. ISO 15489, which predates GARP, provides a bridge between the lifecycle model and the governance elements. So arguably, if you were going to build a Reference Model, you may need a starting point of Governance that provides an overall framework for managing records. Within Creation, you'd want to speak to creating records, capturing records, or receiving records and the attendant processes to determine if the information is, in fact, a record. A key element of any RIM program is not retaining all information (even though some vendors believe that "immutable archives" are the way to go and you therefore have to retain everything forever). Distribution likely has to speak to the means of transport of records in an organization and the manner in which those systems add and retain metadata about the record. Use is somewhat outside of scope of services because it speaks to the value proposition of the record. But there are metadata elements that are created and should be associated with the record. The record also has to be protected and secured during Use. Maintenance is a big catch all and includes mechanisms to store and preserve the information. The application of retention periods comes into play here and it is at this point that the IMRM connects most strongly to the EDRM. Lastly comes Disposition. Disposition will involve the final destruction or transfer of the records. It will be important to note that Disposition largely happens outside of the EDRM -- because Disposition can only happen when the records are not required to be retained for legal proceedings.

My expectation is that someone will want to make a major pitch for a step in the process that might be called "Classification". This would be where various attributes are associated with the record. These attributes could include the record series identifier, the vital records status of the record, and the security classification of the record. I would suggest that this is a process within Creation, but I suspect that the vendor community may want to carve this out. I would also expect a push to carve out "Storage" as a separate process, with "Archiving" seen as an additional process, the rationale being that "storage" is really about making records available during Use and archiving processes are about the Maintenance of the information.

The bottom line, however, is that the IMRM should be pretty easy to define -- it's been done before. The challenge will be to ensure that the Model is not too granular and that terminology is what we expect it to be. After all, us records managers have been there and done that -- and do it every day. The folks at EDRM ought to look us up to help out.

Wednesday, May 20, 2009

OTR: 10,000 Hours

I just read Malcolm Gladwell's book, Outliers: The Story of Success. One of his premises is that it takes at least 10,000 hours of practice or effort in a particular craft to be considered expert. He goes on to provide a variety of somewhat anecdotal examples (ranging from the Beatles to Bill Gates) that lend credence to this theory, but it is a compelling argument.

Back in the day, when I played sports (not well) rather than spectated... I had coaches who believed that you needed to drill and drill and drill in the fundamentals. They referred to it is "muscle memory". They wanted us to instantly react to a situation, rather than think about what needed to happen. Once you get to that point, you perform better and often more safely. That point was never more clear to me than when I was learning a technique to split a double team block as a defensive lineman on my high school football team. The coach showed us the technique, then we practiced it a few times in slow motion to get the footwork and body movement correct. Then it was time for full speed. The whistle blew and my brain engaged... "where are my feet, which way do I move, where do my arms go... " Well, by the time my brain was registering where my feet needed to be, one of the blockers had stepped on my foot and I was being pushed over backwards. My next memory was the sound of ligaments snapping as my ankle was seriously sprained. That cost me three weeks on the sidelines. Lesson learned: the less your brain has to worry about technique, the more it can be aware of other things that add value.

Think about it. when you learned how to drive, you had a million things to think about.... where your feet were, maintaining your lane, watching for traffic, looking at the next stoplight, checking blindspots, etc. Today when you drive, do you even think about all of those things? Hardly. In fact, I would hazard to guess that many of you drove to work today and if I asked you if the first traffic light you came across was green or red, you probably couldn't immediately tell me. Your brain simply reacted to whatever color was showing and unless something unusual happened, you never gave it a second thought.

So it goes in the professional world. Think about how long it has taken you to feel comfortable with your job. Think about how long it takes to build an internal network in your workplace. Yep, same idea and I would suggest that you need at least five years to really start to feel comfortable and really start moving forward. Interestingly, five years tends to correspond to the amount of experience that someone needs before being qualified to sit for a certification exam in some professions. Guess that is more than a coincidence, don't you think? So the next time that someone points to a certificate that they got after 30 hours of training and a quick test they took, I'd suggest that they will need to show you some additional proof of their expertise. Because at that point, they are probably still trying to figure out where their feet go and are not able to step up and add value.

OTR: If Cars Were Sold Like Printers and Cell Phones

I think I can save General Motors. Give away the cars, but lock them in to buying gas from GM gas stations for $25 a gallon for the first two years (economy cars), three years (mid-size), etc. But remember, you have to buy that special GM gasoline or you'll void the warranty and have to pay a penalty.

Wednesday, May 6, 2009

OTR: Sounds

I live in an urban area, about a half block from a major railroad line. As I start to type this, I'm hearing a freight train. Steel wheels on welded rail, suspension squeaks and the clanks of wheels over switch joints. When a train comes through, I'll often first hear the horn blowing a warning for a crossing or to warn away workers on the tracks. Sometimes a long horn blast makes you hold your breath to listen for a crash or the screech of braking wheels. After the horn sounds, I'll hear the rumble of the locomotives. I can usually tell if it is a freight train or a passenger train just from the engine sound.

Mixed with those sounds are many other sounds -- motorcycles, sirens, barking dogs. Daylight brings leaf blowers and lawnmowers, kids playing, birds, an ice cream truck.

On my way home tonight, I got thinking about sounds. I tried to decide what sounds brought me the most pleasure -- what sounds I liked the most. At the top of the list, I decided that I most liked the pure sound of a baby that can't stop laughing at something. You've heard it -- an adult is playing peek-a-boo and the baby finds it to be the most amusing game on the planet. Sometimes it is just a particular noise or a face made by someone. That belly laugh is the best sound on the planet.

I then decided that what I liked next best was the sound of a well-played piano (Vince Guaraldi playing "Linus & Lucy") or a pronounced bass guitar in a rock and roll band (love the bass line line in the Rolling Stones' "Satisfaction").

Last in this list is the sound of a Merlin aircraft engine (yes, this is something completely geeky). I suppose a lot has to do with the change in sound created by the Doppler effect of a moving object, but the sound of a Merlin engine flying overhead will get me outside and looking up.

Certainly a series of interesting contrasts, but representative of the sounds that get my attention and put a smile on my face.

Saturday, April 18, 2009

ATR: Bring Your Own Computer

One of the scariest trends in corporate America these days is the movement towards "bring your own computer". The Day Job has been looking at this for a while, I just had some correspondence with an attorney for a large manufacturing concern, and one of my RIM colleagues with a Fortune 100 company mentioned it in an email.

"Uh, Pat", you ask, "thousands of people are being laid off every week and you think that THIS is scary?" Yes grasshopper, this is also scary.

The trend that I'm observing is that IT departments are under tremendous pressure to cut costs. Computing infrastructures have grown so large that "KTLO" (keeping the lights on) costs -- effectively the costs to just make sure nothing dies in the computing environment -- continue to grow even when the organization is shrinking. Couple in with that the high costs of supporting the desktop and laptop computing infrastructure (with the planned obsolescence of hardware and software), and IT departments are having a heckuva time finding ways to make meaningful cost cuts in order to free up money for investment in new technologies that will add value to the business.

So if you read ARMA's journal, Information Management, you know that one of those cost savings trends is "cloud computing" -- the movement to hosted applications and data storage. And if you read my article, you know my position there. The other alleged savings opportunity is the movement to requiring employees to purchase and support their own computing hardware and software. I call this "Bring Your Own Computer" or BYOC.

The premise is that a company can write a check to an employee, have the employee purchase the box that they want to use, and it is win-win for everyone. That check is less than it would cost to purchase and support the hardware. The company doesn't have to have a fleet of spares. And the IT department doesn't need a platoon of desktop support guys and gals. The employee can buy a Mac or an Alienware or whatever cool computer they want. Everyone's happy.

Uh huh. Everyone but me. Why? False economy is at the top of the list. I work in the midst of a herd of uber-nerds (something way beyond the "Nerd Herd"). These guys can make a computer sing. For the most part, they get the company laptop and then rebuild it to their specifications, adding software, tweaking features, etc. So these guys know how to make a computer work and what to do when something goes wrong. We're a pretty cheap group to support because most computing nerds either know how to diagnose and fix computer problems or they don't want the local desktop services person to have to understand what they have done to the standard corporate computing build. The problem with that is that a computer problem can suck up hours of productivity for these guys. A rebuild for many of them means days of futzing with the computer, even when they have taken steps to have disk images staged, backups, and all of their software. Some things just take time. So what might be a day of lost productivity for someone who blows up a computer and has to wait for the desktop guys to reimage to the corporate standard, can be several days for someone doing it themselves, even when they know what they are doing.

Now, add in the factor that most employees have not mastered the art of diagnosing and fixing their computer's maladies. I know people that are absolute application wizards -- they can make an Excel spreadsheet that would bring a CPA to tears of joy. But try to explain to them that they have to turn off the corporate proxy setting when they go to Starbucks with their laptop and they stand there blinking dumbly at you, not comprehending a word of what has been said.

I could write a humorous dialogue here about what happens today when your work computer blows up, but I think we all know how that goes... in most cases, you either have a new or repaired computer within a few days, but your IT department brings in a spare for you so you can minimally function for however long it takes to get you back to normal. Some of your time gets lost, but generally it is nothing more than an annoyance.

So flash forward to BYOC... the company has told you to buy a good quality computer that meets certain specifications. They have also told you to buy the super duper 24 by 7, anywhere on the planet support package for your computer. So you do that. The computer blows up. You call. They promise a tech "the next business day", Guy comes out. Doesn't have a part. Too late in the day to FedEx the part, so he'll be back two days later. In the meantime, you have to figure out how you're going to work. You have a PDA, but that just serves to allow you to triage things. Your other home computer belongs to the kids or the spouse. You pry the kids off of the computer and find out that when you try to connect to the corporate VPN, you get bounced out because that computer is full of spyware and viruses. Or doesn't have the correct setup. Or whatever. And it's a desktop, so you can't schlep it to the office anyway. You've played by all the rules and you have no way to work. Now what?

So there are two points of view here... For corporate bean counters, BYOC is seen as akin to the tradesman or mechanic who purchases his or her own tools and brings them to work. The analogy is that in this day and age, a computer is the cubicle dweller's set of tools and the employee should take responsibility for purchasing and maintaining those tools in order to function in the modern world. So with that analogy, I expect to see the big Snap-on Tools trucks parked outside of the office any day now, with a full offering of computer hardware and tech services.

The other point of view is that the analogy doesn't work. If I am a carpenter and my hammer breaks, I usually have a backup hammer or can borrow a hammer from another guy for a little while. Worst case, I can run down to Home Depot and pick one up at lunchtime. While a good hammer does cost a few dollars, it won't break the bank. Additionally, I don't have to do much to make the hammer work. I don't have to customize the grip or install a laser sight or register the serial number. I just pick it up and bang away. And most hammers don't require technical support. So while a carpenter or a mechanic may have thousands of dollars of tools to purchase and maintain, the failure of any one tool generally does not amount to much more than a small inconvenience -- and one that can be solved, in most cases, by a trip to the store. A computer failure amounts to the simultaneous failure of the entire toolbox -- my hammer broke, so now I can't use the cordless drill. And the problem with the computer is, you often don't know if the hammer or the drill is the cause of the failure.

Now in talking to people who advocate BYOC about this issue, they are usually able to get their heads around it and explain that they have contingencies and no one will get fired because their BYOC computer vendor failed to perform. (By the way, those contingencies add cost back in to the program.)

So enter the other problems...

I believe that another driving factor in the BYOC movement is the fact that many (if not most) employees in Corporate America do not see their work computer as exclusive property of the employer. After all, it is a "personal" computer, right? So the logic goes, "Well, if they are going to treat their work computer as primarily a personal computer, then let's allow them to bring their personal computer to work and use that as a work computer."

I know plenty of people who do not own their own computer at home. Or, if they do, the kids and the spouse use it most of the time. So iTunes gets installed on the work computer, then TurboTax, then they see if World of Warcraft will work, then... You know the drill. Pretty soon, the work computer is the employee's only real computer. Corporate bean counters hate that. IT departments really hate that. Corporate lawyers REALLY hate that. It becomes a very logical evolution to simply turn that approach on its head. Allow the company to carve out a little space on the employee's computer.

But within this particular issue comes problems of data privacy and e-discovery. In today's world, the theory is that regardless of what you may have put on the company's computer, it remains the company's property and you should not expect privacy (ok, there's a not so small matter of Europe in that regard, but you know what I mean). So when the company is conducting an investigation or has to collect data for litigation, the employee needs to give up their computer. And generally, that isn't a problem. We ignore the personal stuff for the most part, gather what we need, and hand back the computer... unless there is something really bad on the computer. You can insert whatever horrible nastiness you'd like in this scenario. If we find it, we have to do something about it. The employee will not like the outcome and often thinks we've over-stepped, but at the end of the day, the computer belongs to the company and the company has set out policies for use.

So switch things around. Now the computer belongs to the employee. We (the employer) have content on that computer at the employee's consent. Now perhaps the employee signed an agreement of some sort that allows the employer a bit more intrusion. But at the end of the day, the computer belongs to the employee. Now things get interesting. I can't (and won't) go into great detail here, but most information security and computer forensics teams have considerable capability to be very quietly intrusive into computing resources. If a company has intellectual property or trade secrets to protect, it has to take defensive measures to protect that information. When something happens, we have to very thoroughly look at what has been going on inside that computer to determine if a subject of interest is a bad actor or innocent. When the company owns the environment and the resources, we have a lot of capability. But that capability stops at the employee's physical and virtual property line unless the employee allows us to do our thing. What I have learned, since becoming more involved in information security, is that you often need to not tip your hand in an investigation. So if you have to ask an employee for permission to poke around in their computer, you're going to have problems conducting a thorough examination.

So that's the risk for internal investigations. The other issue is e-discovery. Very similar problems. If the company's data is mixed with the employee's personal data on the employee's personal computer, how do we do discovery? And how do we determine which is which? Furthermore, how do we ensure that the employee doesn't retain our information after separation?

So what solutions are in play? Generally, most organizations will look at virtual machine technology. What this means is that you install software that creates, effectively, a computer within a computer. You launch the software, maximize the window, and you are looking at a new desktop. The company creates this environment (or "image") with all of your familiar desktop tools from work. The work data and the applications live inside this "machine", while your personal stuff exists locally on your computer. The virtual machine occupies an encrypted segment of the hard drive and data generally cannot pass from the virtual machine into the personal machine. In addition, the technology will often create a backup image on a corporate server, so data loss is minimized. If the employee is terminated, the company can disable access to the virtual machine. (Most of that is the theoretical thinking on how to deploy the technology. Sometimes compromises have to be made.)

There are still plenty of issues with virtual machine technology, but it seems to be a promising solution that will solve most concerns. A key advantage is that since the virtual machine is backed up to a corporate server, the employee who has a computer breakdown can connect to that image and work from just about any other computer. Their applications and data and environment are all saved. With the employee's "work" environment nicely encapsulated, the e-discovery issues can mostly go away. The internal investigation issues may remain, to some extent.

For all of this to work, however, some additional controls still need to be in place, in my opinion. The company has to have a proper document management system. And that means a central repository where business documents and objects are stored. That system has to include records retention and legal hold capability. That system also has to track access and downloads. The company has to make a clear declaration that the virtual machine environment belongs to the company and the employee is not allowed to do any personal business within the company environment -- and that means email as well.

Now that runs contrary to the "Web 2.0" movement. People are blurring their work and personal lives every day. That's true, but it makes for very messy situations. On the one hand, people want greater privacy; on the other, they seem to want to put everything that they are doing in front of the world... so go figure. Nonetheless, I think that the evolution of the manner in which information is collected for litigation will ultimately require that companies draw very clear lines between what is the company's information and what is the employee's. We have to do that. And we particularly have to do that if the employee is going to be bringing their personal property to work in order to perform their jobs.

Writer's Block

Funny thing about blogging... you get the bug and the entire world is your source of inspiration. Then you start thinking about what to write and the wheels come off... then you get busy... and six months go by without a post.

When last I left you, I was getting all melancholy about our new President. Shortly after that, I was asked to write (with Jesse Wilkins) an article for Information Management. That sucked up a bunch of time. Throw in holidays and an ever-increasing workload, and it is April.

So for those of you who have asked, everything is fine. Just haven't had a lot of inspiration or time of late. I have a couple of ideas for some topics, so I may get back into the habit now and then.
Powered By Blogger