cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Veritas.com
Support

Symantec Archiving Solutions: A Practical Path to Capstone Compliance

Marty_Jost
Not applicable
Employee
‎11-24-2013 08:56 PM

A New Federal Records Management Mandate

Federal agencies were issued a directive in November, 2011 by President Barack Obama to reform records management policies & practices.  The Presidential Records Management Directive (PRMD) instructed Federal Agencies to move from paper based records management to digitized formats – and even convert existing paper records to digital.  It’s a multi-year initiative covering all aspects of government record keeping.  The directive put the responsibility for defining implementation guidelines under the National Archive Records Agency (NARA).

Capstone Background

Today, records management is usually done with manual printing and filing processes.  The massive volume of email has made it difficult to keep up and many agencies have struggled to comply with the Federal Records Act, the Freedom of Information Act, and other information management regulations. 

The Capstone initiative is one of the first PRMD implementation efforts out of NARA and is focused on email.  The initiative seeks to increase compliance with the Federal Records Act, by defining simpler requirements and rules to follow for electronic email management, while shifting from paper-based long term archiving of email to fully electronic capture and store.

NARA has defined Capstone’s top-level goals and requirements as follows:

  • Reduce the use of item by item filing to make email management easier
  • Categorize and schedule email based on the position and/or work of the email account owner
  • Where possible, leverage the agency’s existing technology rather than requiring the purchase and use of specific technology.
  • Allow for the disposition of clearly temporary accounts, while identifying and capturing permanently valuable email accounts.
    • Schedule all of the email belonging to the selected officials as permanent
    • Schedule all other email accounts as temporary to be preserved for a set period of time based on agency needs
  • Allows for the systematic transfer of email accounts scheduled as permanent.
  • Allows for the systematic disposal of entire email accounts scheduled as temporary.
  • Agencies may remove transitory, non-record, and/or personal messages.

What Capstone Means to Federal Agency IT Departments

Since the PRMD in general, and Capstone in particular, is an electronic records initiative it will fall upon Information Technology departments to ultimately put the new rules and procedures into practice.  If your agency is subject to any of the retention or eDiscovery regulations of the Federal Records Act then your IT organization should implement Capstone guidelines. 

While NARA is specifying the core requirements, they are not specifying exactly how Agency IT Departments should deploy solutions to meet those requirements.  They suggest agencies should follow a phased approach.   Email must be fully implemented by December, 2016.

A key principle of Capstone is to define rules for classifying potentially important email records of government employees to enable more purposeful identification of emails that should be kept versus unimportant “chatter” between workers.   Using a role-based classification scheme will help establish consistent decision criteria for what to save and what to discard.

A Capstone target role may include any or all of the following:

  • Officials at or near the top of an agency or an organization subcomponent.  These are generally senior executives – but they do not have to be.
  • Key staff members that may be in positions that create or receive presumptively permanent email records
  • Any individual, based on agency business processes, that create or receive permanently valuable email

The compliance responsibilities for the email of these individuals are summarized below:

  • Ensure all email records are scheduled
  • Prevent the unauthorized access, modification, or deletion of declared records
  • Ensure all records in the repository are retrievable and usable
  • Consider whether email records and attachments can or should be associated with related records
  • Capture and maintain required metadata

Presumably, the approach you take will involve some kind of IT system that can at least partially automate the capture of relevant email messages, and the migration of those messages into long-term record storage repositories.  Capstone implementation requirements are NOT dependent on a specific technology approach.  If you already have a technology solution in place you are free to continue using that solution.  If you are not currently utilizing technology you are free to acquire something that works best for your agency.

Implementing Capstone – How Should IT Organizations proceed?

To get started you must determine the scope of your email that will be subject to record keeping regulations.  Is managing at the account level suitable for your agency – or will you have to retain all employee email?  Here are some of the questions you should ask yourself:

  • Must my implementation manage email for the entire agency or only some groups?
  • Should the email be managed for all offices and regions – or only certain ones?
  • Will I need to apply the solution to legacy email or just to email moving forward?

The decisions you make with regard to these questions are the basis of your email management policies.  Note that if you plan a new solution for data created this day forward you will need to have a separate plan for legacy as well.  For example, you may have to scan existing printed records to meet the Capstone deadline, at the same time you deploy new technology to capture future email electronically as it’s created.

An official of the Federal Office General Council recently  gave a presentation in which 3 key requirements were outlined for Capstone compliance and it’s critical that the technology you use can support these requirements:

  1. Categorize and schedule email based on the position and/or work of the email account owner
  2. Schedule all of the email belonging to selected officials as permanent
  3. Schedule all other email accounts as temporary to be preserved for a set period of time based on agency needs

Capstone allows for culling (any activity, whether automated or manual, that removes non-record and/or transitory material from an email account).   Culling is encouraged by NARA, especially when automated, to reduce capture of non-record and transitory material.  Culling will enhance the accessibility and usefulness of the complete set of records.

Obviously, you’re not going to retain everything.  Capstone recommends identifying ‘non-records’ even for individuals targeted for Capstone.   This classification can be done automatically or via manual identification by the user.  But time has taught the industry that manual data classification systems are typically less successful.   Such systems are too dependent on human behavior and can’t keep up with the data volume that email systems generate.

Finally, one of the considerations that an email record retention policy must anticipate under Capstone is how the agency will be able to execute on a request for information under the Freedom of Information Act or a legal subpoena requiring a litigation hold.  The solution you deploy must be capable of executing appropriate e-discovery and legal hold processes if a request is made of the agency.  What will be the access request procedure and how will the discovery for that process be done?  In the case of a legal hold, what group of records might the hold require to be preserved that would otherwise have been deleted?   Make sure your plan takes these issues into account.

Technology Solutions for Capstone

There is no prescribed technology solution or platform that NARA mandates for Capstone.  But as has been discussed, there are policy and procedural requirements to meet and you should expect there to be a large volume of data to manage.  So you should select and leverage technology solutions that help automate the processes in your agencies Capstone plan.

One of the fundamental technology tools you should use, if you are not doing so already, is an automated email archiving solution.  There are many archiving solutions available on the market but they are not all the same.  All of them will provide a basic mechanism for managing email migration from the email server to tertiary storage but many do not have the classification and discovery sophistication previously discussed as additional capstone requirements.

Many government agencies already use Symantec Enterprise Vault or EV.cloud archiving solutions.  Both solutions provide capabilities needed for Capstone compliance and can be set up to automatically capture email via journaling methods that will capture all messages for designated Capstone “record creators” in a manner which prohibits their modification as mandated in previously explained Capstone requirements.  Capabilities such as Retention Folders will allow staff to manually make retention decisions when desired.

Symantec Enterprise Vault also has classification capabilities that can tag email from non-designated accounts that must be retained for agency business purposes or a formal request for information.  Several advanced automated eDiscovery options will enable agency employees to efficiently search records to find information for research, hold information for legal needs, and export discovered data to various formats for use outside the archive.  Classification can also help to cull email that no longer needs to be retained.

Beyond Capstone, Enterprise Vault provides the capability to use metadata based rules to set retention categories on Microsoft SharePoint servers and File Servers, to assist with other issues that are among the Presidential Records Management Directive requirements beyond the Capstone 2016 milestones.

Symantec has a history of learning and best practice experience with archiving and e-discovery solutions that are appropriate for agencies to deploy – or leverage if already deployed – in order to meet Capstone Guidelines.  For more information about on-premise Symantec archiving and e-discovery solutions visit the Symantec website at http://www.symantec.com/enterprise-vault or visit http://www.symantec.com/enterprise-vault-cloud for information on cloud based archiving solutions.