AIIM Best Practice - Email Management Maturity Matrix
ERM Community Wiki
Companies that don't manage their e-mail are asking for trouble.
Ah, the wonders of hindsight. If Enron's upper management had known their email would be involved in their downfall, they might have been more careful about what they wrote. If Morgan Stanley had been able to locate and produce all of their email in one case, they might have avoided a $15 million fine. Organizations large and small have faced problems stemming from email misuse or mishandling. Why is email so hard to manage?
Over 30 years ago, email exchange was limited to a small group of researchers who could only communicate within their own network. The total number of messages was small. But email volume grew when those researchers figured out how to send information to other networks. That opened the floodgates, and today the world exchanges over 90 billion emails each year.
Volume is only part of the problem. Email's convenience—both its blessing and its curse—has made it a multi-purpose communication tool. If email contained only jokes or lunch invitations, or only business-critical decisions, then managing it would be easier. But the mixed bag of content, coupled with a variety of regulatory requirements that dictate what must be kept and for how long, make it impossible to apply one rule across the board.
AIIM's Email Best Practices Group wants to help your organization deal with email. We've developed a document that outlines how to establish and maintain best practices for everything from creating, storing, and finding email to identifying retention requirements. Whether you're just beginning to tackle the problem or you'd like some ideas for improvement, our best practice lists are a good place to start.
Organizations should realize that it takes the efforts of business units, IT, legal and records management to manage email.
This best practice guide was designed to be a maturity matrix that organizations can use to determine where they are on the email management continuum and what they need to do to improve and move toward a better managed position. Each section of this Email Management Best Practice Guide is comprised of three elements: Description, Defining Best Practice, and Establishing and Maintaining Best Practice. The Description provides background information about the element on the maturity continuum. The Defining Best Practice section provides basic steps or concepts that should be addressed by the organization to have the minimum requirements fulfilled for managing email. The Establishing and Maintaining Best Practice section provides advanced steps or concepts that should be implemented to ensure the ongoing management and adherence to legislative regulations. This third section should be regarded as the requirements for a fully mature email management process/program.
This best practice was prepared by the members of the AIIM Email Best Practices Group:
- Shirley Dust (Caterpillar)
- Priscilla Emery (ECM Scope)
- Rucha Gokhale (Marsh USA)
- Virginia Jones (Newport News Public Works)
- Taina Makinen (Canadian Tire Corporation)
- Bruce S. Markowitz (McKenna Long & Aldridge LLP)
- Sheri Nystedt, CRM (Janus)
- Kim K. Scofield (The University of Texas System Administration)
- Karen Trussler (Maple Leaf Consumer Foods)
STANDARDS AND LEGISLATION
DESCRIPTION
Standards identify approved practices that serve as a starting point for organizations that want to develop an email management program. Legislation identifies statutory requirements that organizations must incorporate into their email management procedures. A key first step to providing a unified view of email best practices is to ensure that control objectives are mapped to applicable legislation and documented in the organization's records management policies and procedures.
The resources listed below are only a selection. We encourage you to use these lists as a starting point for your own research.
Selected Standards
- ANSI/ARMA 9-2004, Requirements for Managing Electronic Messages as Records
- ANSI/ARMA TR2-2007, Procedures and Issues for Managing Electronic Messages as Records
- ANSI/AIIM/ARMA TR48-2006, Revised Framework for the Integration of Electronic Document Management Systems and Electronic Records Management Systems
- DoD 5015.02-STD, Electronic Records Management Software Applications Design Criteria Standard
- ISO 15489-1:2001, Information and documentation – Records management – Part 1: General
- ISO/TR 15489-2:2001, Information and documentation – Records management – Part 2: Guidelines
- MoReq2: Model Requirements for the Management of Electronic Records
Legislative Requirements
Because laws and regulations vary within and between countries, instead of listing selected legislation, we have chosen to identify some of the drivers that have influenced legislative requirements involving email:
- Privacy and protection of personal information
- Transparency and accountability in financial reporting
- Freedom of information in government
- Occupational health and safety
- Management of natural resources and concerns about the environment
You should ensure that you have identified the legislation which is relevant to your organization and industry (especially if your organization operates globally). It is also important that you know how your email management is affected by that legislation.
CREATION
DESCRIPTION
Official email messages are created and captured into the organization's email archive or corporate recordkeeping systems upon creation or receipt, or as soon afterwards as possible. This activity preserves a record of the related business transaction and demonstrates that the email was generated as part of the normal course of business.
Defining Best Practice
- Encourage users to use email primarily for business purposes and to keep personal use to a minimum.
- Establish a system for organizing email (e.g., folder hierarchy) that ties in with the retention schedule. This organizing system should be established by the IT department and implemented when a new employee has their email account set up.
- Enforce policies regarding email use.
Establishing and Maintaining Best Practice
- Define guidelines for using attachments with email to help manage version control of documents.
- Define guidelines for use of rich media files; i.e., graphic files, audio, video clips, etc. within the email environment.
- Encourage the use of email etiquette when composing messages (e.g., use a professional tone, ensure the subject line is specific and to the point, avoid use of all caps).
RETENTION AND DISPOSITION
DESCRIPTION
All official email messages are retained in accordance with the retention schedule, except for any messages that need to be preserved as evidence for anticipated or actual litigation or for any other formal investigation (like an audit).
Defining Best Practice
- Establish a retention policy for email; ensure all official records are kept.
- Ensure that email and attachments are retained together; preserve links between the two.
- Avoid using backup tapes for email retention. Backup tapes are often recycled, and emails that have been deleted from the email system may continue to reside on the backup tapes, which allows the deleted emails to be discovered.
- Clearly identify where email is retained (e.g., if multiple systems exist due to the organization’s size or location or due to differences in nearline vs. offline storage).
- Establish procedures for legal holds so that email destruction can be suspended when required.
- Enforce the retention policy consistently throughout the organization.
Establishing and Maintaining Best Practice
- Ensure that email integrity (including links to attachments) is preserved in case of system updates or changes.
- Know the capabilities and limitations of the search engines used to find email, in order to aid in discovery efforts.
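The retention and legal-hold steps above describe a disposition decision that a records system has to make for every message: an active legal hold suspends destruction, otherwise the master retention schedule decides, and attachments are disposed of together with the message they belong to. The following Python is an added illustration written for this guide, not code from AIIM or any product; the retention periods, message identifiers, matter number and dates are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule for the example (category -> days kept after receipt).
# Real periods come from the organization's master retention schedule.
RETENTION_SCHEDULE = {
    "contracts": 7 * 365,
    "hr": 5 * 365,
    "general-correspondence": 2 * 365,
    "non-record": 90,
}


@dataclass(frozen=True)
class EmailRecord:
    msg_id: str
    category: str
    received: date
    attachments: tuple = ()  # attachments travel with the message: one decision for the unit


@dataclass
class LegalHold:
    matter: str
    msg_ids: frozenset
    active: bool = True  # set False only when counsel releases the hold


def retention_expiry(rec, schedule=RETENTION_SCHEDULE):
    """Date after which the schedule permits disposition; unknown categories are refused, never defaulted."""
    if rec.category not in schedule:
        raise KeyError(f"no retention period for category {rec.category!r}")
    return rec.received + timedelta(days=schedule[rec.category])


def disposition_decision(rec, holds, today, schedule=RETENTION_SCHEDULE):
    """Return (action, reason); an active legal hold suspends disposition regardless of the schedule."""
    for hold in holds:
        if hold.active and rec.msg_id in hold.msg_ids:
            return "suspend", f"legal hold {hold.matter}"
    expiry = retention_expiry(rec, schedule)
    if today < expiry:
        return "retain", f"retention runs until {expiry.isoformat()}"
    return "dispose", f"retention expired {expiry.isoformat()}"


def disposition_run(records, holds, today, schedule=RETENTION_SCHEDULE):
    """Decide every record and return an audit log; attachments are listed so they go with the message."""
    log = []
    for rec in records:
        action, reason = disposition_decision(rec, holds, today, schedule)
        log.append({"msg_id": rec.msg_id, "action": action, "reason": reason,
                    "attachments": list(rec.attachments)})
    return log


def sample_records():
    """Constructed messages for the demonstration (not real data)."""
    return [
        EmailRecord("m-001", "contracts", date(2015, 1, 1), ("msa-v3.pdf",)),
        EmailRecord("m-002", "hr", date(2022, 3, 15)),
        EmailRecord("m-003", "general-correspondence", date(2020, 1, 10), ("site-photo.jpg",)),
        EmailRecord("m-004", "non-record", date(2024, 4, 1)),
    ]


def sample_holds(released_matters=()):
    """One constructed hold ("matter-42") covering m-003; pass its name in released_matters to lift it."""
    return [LegalHold("matter-42", frozenset({"m-003"}), active="matter-42" not in released_matters)]


def run_demo(today_iso, released_matters=()):
    """Map msg_id -> action for the sample data as of the given ISO date."""
    log = disposition_run(sample_records(), sample_holds(released_matters), date.fromisoformat(today_iso))
    return {entry["msg_id"]: entry["action"] for entry in log}


if __name__ == "__main__":
    for entry in disposition_run(sample_records(), sample_holds(), date(2024, 6, 1)):
        print(entry)
```

Two design points matter for a records program: a category missing from the schedule raises an error instead of silently defaulting to "dispose", and the hold check runs before the schedule is consulted, so releasing a hold is the only way a held message ever reaches the disposal path.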
SECURITY
DESCRIPTION
All access to official email messages takes place in a managed manner using prescribed policies and procedures. Securing access to email helps to demonstrate the integrity of the system and enhances the reliability of the email messages (and hence their evidentiary value). The executive office and senior level management must realize the importance of and actively support established email policies and best practices.
Defining Best Practice
- Consider implementing encryption functionality based on business needs and regulations.
- Know the industry you are in and set applicable security requirements.
- Conduct a thorough risk analysis of your email environment, including all applications and devices used that interact with the email client.
- Model your email best practices to address all identified business risks.
- Establish access privileges that are in accordance with the industry requirements, business policies, and security best practices.
- Establish an audit plan for accessing email.
- Establish email usage policies at the corporate level and audit for compliance on a continuing basis.
- Ensure that IT and Records Management continue to have an ongoing dialog/interaction regarding all aspects of email management by coordinating policies and best practices.
Establishing and Maintaining Best Practice
- Monitor access to the email system.
- Do not utilize the organization's email account for personal communications.
- Communicate the lack of personal privacy when using the corporate email system or accessing Internet email systems.
- Monitor use of the email system to ensure appropriate usage.
- Communicate to all messaging system users that inappropriate use may result in severe consequences—including possible termination—and enforce the policy.
- Ensure that emails deemed relevant to a legal hold are retained in an isolated environment.
- Ensure that email that is required for anticipated litigation can be accessed and isolated by establishing a legal discovery protocol.
- Establish a policy or protocol for identifying email records that have been collected for investigation.
- Include email disposition on the employee exit checklist.
- Define naming conventions (taxonomy) and subject headings guidelines.
- Establish an advisory committee consisting of representatives from all work groups, e.g., Accounting, Human Resources, Auditing, Legal, etc.
- Provide ongoing training of messaging system use to enforce proper usage.
- Discourage or disable storage of email outside of the designated archive system (e.g., avoid using .pst files in Microsoft Outlook).
SEARCH AND ACCESS
DESCRIPTION
Specific email messages can be found upon demand or with the minimum of extra effort regardless of whether they are located in an email inbox or the email archive. Much of this is accomplished by established corporate archiving/backup preferences.
Defining Best Practice
- Determine a category and folder schema for email.
- Analyze email sent and received in the organization to determine the categories that could be linked to retention periods, or establish folders that carry a retention period assigned behind the scenes.
Establishing and Maintaining Best Practice
- Determine the location where email records should be stored, for example, in the records management system or in the email archiving system.
- Accurately categorize email official records by their content in accordance with the records management master retention schedule.
- Establish a corporate policy on retention of other email documents (i.e., non-records).
- Limit the levels of taxonomy or folder structure to one or two levels (keep it simple) and rely on the text search capability if it is available.
- Encourage users to provide clear and concise email message subject names.
- Consolidate servers to better control the email and enhance the effectiveness of searches.
RELIABILITY
DESCRIPTION
Email is managed to preserve its authenticity and ensure its evidentiary value for the organization as well as to support litigation or other formal investigations.
Defining Best Practice
- Understand what constitutes an email business record within your organization. For example, are emails generated as part of a routine and systematic business activity?
- Ensure all business- and technology-related aspects for managing and controlling email from the point of creation forward are addressed.
- Establish appropriate policies and controls to preserve email authenticity.
- Protect email management systems from unauthorized access.
- Prevent malicious or accidental alteration or destruction of email.
- Ensure senior management is aware of the importance of preserving email authenticity.
- Ensure email is not altered during a system upgrade or conversion.
- Preserve links between email and attachments, regardless of the format of the attachment.
Establishing and Maintaining Best Practice
- Develop policies and guidelines describing the expectations of email use for business purposes.
- Identify and document the determining factors of what constitutes an email business record.
- Establish appropriate access and security protocols.
- Develop a risk management plan to assess your organization’s exposure to litigation, audits, and other potential investigations.
- Create and routinely monitor audit trails for identifying unauthorized access to or alteration of email and take the necessary corrective actions.
- Identify procedures and remediation actions if email is altered in violation of established policies.
- Confer with your Records Management and Information Technology departments for the applicable policies to be followed.
- Demonstrate how email is captured into a storage system and/or printed to paper (including all metadata).
- Assess the current use and rotation practices of backup tapes for disaster recovery and/or the archiving of official records.
- Establish appropriate backup tape use policies and methodologies and document them as part of the organization’s disaster recovery/business continuity plan.
- Avoid using backup tapes as a method of retention for email; tapes should primarily be used for disaster recovery/business continuity efforts.
- Evaluate/audit email use at the time of employee annual reviews to ensure that employees are adhering to established email policies and related procedures.
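Several of the Reliability items come down to one verifiable property: a message, its metadata and its attachments are preserved as a unit, and any alteration (including an attachment silently dropped during a system upgrade or migration) can be detected from an audit trail. The following Python is an added example written for this guide, not AIIM's or any archiving product's code; it records a hash manifest at archiving time and re-checks it later. Message contents, addresses and attachment bytes are constructed sample data.

```python
import hashlib
import json


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fingerprint(message: dict) -> str:
    """Hash metadata, body and every attachment as one unit so the message/attachment link is covered."""
    attachment_digests = sorted(
        (name, _sha256(content)) for name, content in message["attachments"].items()
    )
    canonical = json.dumps({
        "msg_id": message["msg_id"],
        "from": message["from"],
        "to": message["to"],
        "date": message["date"],
        "subject": message["subject"],
        "body_sha256": _sha256(message["body"].encode("utf-8")),
        "attachments": attachment_digests,
    }, sort_keys=True, separators=(",", ":"))
    return _sha256(canonical.encode("utf-8"))


def build_manifest(messages):
    """Manifest made at archiving time; each entry is chained to its predecessor so the
    manifest itself cannot be quietly re-sequenced or have entries dropped."""
    entries, prev = [], "0" * 64
    for m in messages:
        fp = fingerprint(m)
        link = _sha256((prev + fp).encode("ascii"))
        entries.append({"msg_id": m["msg_id"], "fingerprint": fp, "chain": link})
        prev = link
    return entries


def verify_archive(messages, manifest):
    """Return the msg_ids whose content, attachments or position no longer match the manifest
    (plus 'count-mismatch' if messages were added or removed)."""
    problems = []
    if len(messages) != len(manifest):
        problems.append("count-mismatch")
    prev = "0" * 64
    for m, entry in zip(messages, manifest):
        fp = fingerprint(m)
        link = _sha256((prev + fp).encode("ascii"))
        if m["msg_id"] != entry["msg_id"] or fp != entry["fingerprint"] or link != entry["chain"]:
            problems.append(entry["msg_id"])
        prev = entry["chain"]  # continue from the recorded link so one bad entry is reported alone
    return problems


def sample_messages():
    """Constructed archive contents for the demonstration (not real mail)."""
    return [
        {"msg_id": "m-001", "from": "alice@example.test", "to": "bob@example.test",
         "date": "2023-02-01", "subject": "Signed MSA", "body": "Countersigned copy attached.",
         "attachments": {"msa-v3.pdf": b"%PDF-1.4 constructed sample"}},
        {"msg_id": "m-002", "from": "carol@example.test", "to": "bob@example.test",
         "date": "2023-02-03", "subject": "Q1 invoice", "body": "Invoice for January.",
         "attachments": {"invoice.csv": b"amount,1200"}},
        {"msg_id": "m-003", "from": "bob@example.test", "to": "alice@example.test",
         "date": "2023-02-05", "subject": "Site visit", "body": "Photo from Tuesday.",
         "attachments": {"site-photo.jpg": b"\xff\xd8\xff constructed"}},
    ]


def demo():
    """Clean archive, an altered attachment, and an attachment lost in migration, checked against one manifest."""
    manifest = build_manifest(sample_messages())
    clean = verify_archive(sample_messages(), manifest)
    tampered = sample_messages()
    tampered[1]["attachments"]["invoice.csv"] = b"amount,99999"   # attachment replaced after archiving
    detached = sample_messages()
    detached[2]["attachments"].clear()                            # link to attachment lost during migration
    return clean, verify_archive(tampered, manifest), verify_archive(detached, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest should be stored somewhere the archive administrators cannot edit on their own (for example, written to the audit log or a separate system of record), and the verification run scheduled before and after any upgrade or conversion so that the "not altered during a system upgrade" requirement is demonstrated rather than assumed.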
TECHNOLOGY PLANNING
DESCRIPTION
The email management system infrastructure is planned in such a manner as to address the organization’s strategic business and technology objectives. Email is managed in accordance with established policies to comply with all applicable laws and regulations, as well as the organization’s overarching business requirements.
Defining Best Practice
- Ensure records management principles as well as business and technology needs are defined as part of the overall email management system strategic plan.
- Assess current and legacy aspects of the organization’s email management system architecture, including, but not limited to: servers, backup methodology, network stability, and email archiving, retention, and compliance monitoring practices (as applicable).
- Ensure that email management systems have the ability to securely retain, archive, and monitor email activities, as well as to provide the ability to promptly retrieve records in accordance with relevant regulatory, legal, and business recordkeeping requirements.
- Assess business growth requirements to ensure Information Technology can properly plan for current and future storage capacity needs.
- Develop yearly user workflow and storage audit reports to enhance monitoring activities.
- Establish a standardized category/folder plan for email management.
- Develop a migration plan to ensure email records will be preserved and kept accessible throughout their defined retention period.
- Ensure that any recordkeeping related issues that may be associated with phasing out legacy systems and moving to the new system are addressed.
Establishing and Maintaining Best Practice
- Obtain executive support for the email management initiative by outlining the business drivers and demonstrating how it fits in with the organization’s strategic business plan.
- Ensure that records management policies and procedures are integrated into the strategic email management system plan.
- Establish procedures for the creation, use, and disposition of emails.
- Identify a disaster recovery/business continuity plan for the email management system.
- Form a steering committee (or something similar) to include representatives from Records Management, Information Technology, Legal and other business functions to ensure all applicable requirements are identified, understood, and agreed upon.
TRAINING
DESCRIPTION
All staff receive training on email management as outlined in the email management training plan. Refresher training on email management and policies governing the use of email is provided on an annual basis. Advice for better email management is provided as necessary.
Defining Best Practice
- Create an awareness of what email is and its capacity for holding records.
- Customize the training for the audience.
- Communicate policies and procedures.
- Communicate what constitutes an email record.
- Ensure IT/Records Management policies contain guidance on retention of email.
- Enforce the removal of messages from the system and movement of emails that must be maintained to the archive system.
Establishing and Maintaining Best Practice
- Review established policies and procedures on an ongoing basis to ensure an understanding of proper handling of email records.
- Establish an audit process to ensure end users are following the email management policies and are managing their email effectively.
- Ensure that IT staff are available to assist end users with the first review and classification process walk through.
- Recommend that employees review emails in small segments to determine what they receive and what the impact of deleting messages based on age would be.
- Establish and communicate the purposes for which an employee should use email.
Training Elements:
- Discuss content – what is and is not acceptable.
- Emphasize that email is a communication tool that is owned by the organization and that employees are accountable for proper use of email.
- Establish that there should be no expectations regarding privacy of email.
- Establish retention requirements so that users know what to keep and for how long as well as the relevant roles.
- Explain email liabilities that the organization may face, e.g., legislation, regulations, and the discovery process.
- Cover any exceptions to the norm.
- Emphasize that one should keep personal and business communications in separate emails.
- Review the folder and classification/taxonomy structure.
BIBLIOGRAPHY
ANSI/ARMA 9-2004, Requirements for Managing Electronic Messages as Records. Lenexa, KS: ARMA International, 2004.
ANSI/ARMA TR2-2007, Procedures and Issues for Managing Electronic Messages as Records. Lenexa, KS: ARMA International, 2007.
ANSI/AIIM/ARMA TR48-2006, Revised Framework for the Integration of Electronic Document Management Systems and Electronic Records Management Systems. Silver Spring, MD: AIIM International, 2006.
DoD 5015.02-STD, Electronic Records Management Software Applications Design Criteria Standard. Washington, D.C.: U.S. Department of Defense, April 25, 2007. Available from: http://www.dtic.mil/whs/directives/corres/html/501502std.htm
Email Management (EMM) Certificate Program. Silver Spring, MD: AIIM. Information available from: http://www.aiim.org/Education/Email-Management-Training-Courses.aspx
Glossary of Records and Information Management Terms, 3rd edition. Lenexa, KS: ARMA International, 2007. Available online at: http://www.arma.org/standards/glossary/
ISO 15489-1:2001, Information and documentation – Records management – Part 1: General. Geneva, Switzerland: International Organization for Standardization, 2001.
ISO/TR 15489-2:2001, Information and documentation – Records management – Part 2: Guidelines. Geneva, Switzerland: International Organization for Standardization, 2001.
MoReq2: Model Requirements for the Management of Electronic Records. Update and Extension 2008. Prepared by Serco Consulting for the European Commission. Available from: http://www.moreq2.eu/downloadsa.htm