 
 
Welcome: You are responding to a survey that will provide feedback on the status of your organization’s records program. Each response is important, so please answer the questions as completely as possible. A brief definition of a generally accepted recordkeeping principle is provided at the beginning of each section to help you understand the purpose of the questions.

Canon Business Process Services defines “Records” as information created, received and maintained as evidence and information by an organization or person in pursuance of legal obligations or in the transaction of business (ISO 15489), regardless of media (paper, microfilm, electronic etc.).

This questionnaire will take approximately thirty to forty-five (30-45) minutes to complete. There are no right or wrong answers, just the responses you believe best fit your organization’s situation. Your survey responses will remain strictly confidential and data from this research will be reported only in the aggregate. Your personal information will be coded and will remain confidential. Thank you for your time and participation in this survey. The results will be analyzed and will be used to provide guidance to your company in the coming months. Please begin by clicking on the Continue button below.
 
 
 
Principle of Accountability: The responsibility for recordkeeping is formally designated to senior executives to ensure program development and program implementation. Policies and procedures are documented, formally approved, and communicated to personnel.
 
 
 
How is the function of Records Management organized in your organization?
 
Records Management is not a separate business unit; RM activities are handled by various managers as part of their overall duties
 
Records Management is an established department but operates without direct senior management oversight
 
Records Management reports into a Director level position
 
Records Management reports into a VP level position
 
Records Management reports into a C-level position
 
I don't know
 
 
 
What is the role of the Records Manager in your organization?
 
Records Manager is in place but does not own electronic records, only hard copy such as paper and microfilm
 
Records Manager is in place and owns both paper and electronic records
 
Records Manager is actively engaged in creating and implementing procedures for paper and electronic records
 
Records Manager is actively engaged in creating and implementing procedures and reports on non-compliance for paper and electronic records
 
No identifiable Records Manager position exists
 
I don't know
 
 
 
How is Records Management viewed within your organization?
 
Records Management is tactical, i.e. focused on day-to-day activities only
 
Records Management is mostly tactical with some strategic, long-term initiatives
 
Records Management has strategic and tactical aspects integrated
 
Records Management’s strategic goals are overseen by senior leadership
 
Records Management’s strategic goals are considered by senior leadership to be important for the organization’s success
 
I don't know
 
 
 
How would you define the scope of Records Management in your organization?
 
Records Management operations handle paper records for a cluster of local departments
 
Records Management operations’ scope is for a division or region, but covers paper records only
 
Records Management operations’ scope is for a division or region, and covers both paper and electronic records
 
Records Management operations’ scope encompasses the entire company but processes paper records only
 
Records Management operations’ scope encompasses the entire company and covers both paper and electronic records
 
I don't know
 
 
 
What level of visibility and authority does records management have in your organization?
 
Only the departments that actively use the records management functions are aware of them
 
Some departments that do not normally handle documents know to check with Records Management when they have a document-related project
 
There are ongoing Records Management initiatives within the company
 
Records Management has full executive sponsorship which in turn makes most departments aware of its functions
 
Records Management leadership periodically communicates with employees regarding procedures and compliance, supported by senior management
 
I don't know
 
 
 
Does your disaster recovery plan cover hard copy?
 
Yes
 
No, but we have plans to include
 
No, we do not have funding to include
 
No, we do not believe this is an important part of our disaster recovery plan
 
I don't know
 
 
 
When was the disaster recovery plan last reviewed?
 
One year ago
 
Two years ago
 
More than two years ago
 
Never
 
I don't know
 
 
 
Are your Records Management procedures easy to find?
 
Yes
 
No, they are not easy to find
 
Not applicable (Records Management procedures do not exist)
 
 
 
Does your organization have a Records Management email policy?
 
Yes
 
No
 
I don't know
 
 
 
To what agency or organization regulations is your company accountable? (Choose One)
 
SEC
 
FDA
 
EPA
 
FEMA
 
Gramm–Leach–Bliley Act
 
Sarbanes-Oxley Act (SOX)
 
HIPAA
 
PCI Payment Card Industry Data Security Standard and/or Payment Application Standard
 
ISO – 9000/9001, 13000, 15489 (15489-1)
 
MoReq2
 
DOD 5015
 
NARA 36 CFR 1234
 
Federal, state or foreign data breach notification laws
 
International data privacy or security acts
 
Federal Information Security Management Act (FISMA)
 
Health Information Technology for Economic and Clinical Health Act (HITECH)
 
Other Industry standards
 
Parent company issued guidelines
 
I don't know
 
Other
 
 
 
 
Principle of Transparency: The requirement that every organization must create and manage the records documenting its recordkeeping program to ensure that the structure, processes, and activities of the program are apparent and understandable to legitimately interested parties.
 
 
 
Which statement describes how your organization views the importance of Records Management?
 
No emphasis on the importance of records
 
Some realization of the importance of records
 
All major departments within the organization have adopted Records Management policies and procedures
 
Records Management policies and procedures are periodically audited
 
Results of periodic audits are acted upon
 
I don't know
 
 
 
How easily can employees access information in your organization?
 
Access to information is difficult
 
User access rights to information have been defined and controls exist
 
Information is available on demand depending on privacy and confidentiality access controls
 
Authenticated users have defined access rights to information
 
Audit trails exist for volume control and access monitoring
 
I don't know
 
 
 
What type of controls around information access are in place in your organization?
 
No established controls for information access exist
 
Control of information access exists in some areas but practices are not consistent
 
Availability of information is consistent
 
Information access is monitored for compliance
 
There are continuous improvement programs covering transparency
 
I don't know
 
 
 
Which system does your company use to differentiate between official record copies and duplicates?
 
Publication to an electronic content management application
 
Publication to a Records Management application
 
We do not use a system for differentiating between official record copies and duplicates
 
I don't know
 
Other
 
 
 
 
Does your company cover Records Management procedures in its new hire orientation?
 
Yes
 
No
 
I don't know
 
 
 
Does your company require periodic training on Records Management procedures for existing employees?
 
Yes
 
No
 
I don't know
 
 
 
Does your company include Records Management procedures when onboarding new vendors, or initiating strategic partnerships?
 
Yes
 
No
 
I don't know
 
 
 
Are your company’s Records Management policies and procedures available electronically on the intranet?
 
Yes
 
No
 
I don't know
 
 
 
Are terminated employees’ computing devices analyzed for business records at exit?
 
Yes
 
No
 
I don't know
 
 
 
Does your company have an enterprise-wide records repository?
 
Yes
 
No, but it is a future consideration
 
Not currently but we are in the process of developing
 
No, we do not have funding to support
 
No, we do not see value or have interest in implementing
 
I don't know
 
 
 
Principle of Integrity: The ability to prove that a record is authentic and unaltered. Authentication requires proof that a document comes from the person, organization, or other legal entity claiming to be its author or authorizing authority.
 
 
 
What is the process for authentication in your organization?
 
There is no defined process for authentication
 
There is some data for authentication such as indices for physical records and metadata for electronic records but there is no systematic process
 
There is a formal process for integrity authentication
 
There is a clear, well-established process for integrity authentication
 
There is a clear, well-established process for integrity authentication that is applicable to new systems as they are developed
 
I don't know
 
 
 
How is the “chain of custody” process defined in your organization?
 
Chain of custody processes are ad hoc
 
A chain of custody is currently being formulated
 
There is a formal process for chain of custody covering physical and/or electronic records
 
The process for chain of custody has security and signature requirements for both physical and electronic records
 
There is a clear, well-established process for chain of custody that is applicable to new systems as they are developed
 
I don't know
 
 
 
What is the process for confirming the integrity of Records Management in your organization?
 
Integrity processes are ad hoc
 
Integrity processes are currently being formulated
 
Compliance of the integrity process has been verified
 
Metadata is managed as part of the Records Management process
 
The integrity process is consistently applied across the enterprise
 
I don't know
 
 
 
What is your process around integrity audits?
 
Integrity audits are not conducted
 
Integrity audits are conducted but are not regularly scheduled
 
Audits are conducted regularly
 
Audits are conducted regularly but results are not shared with employees
 
Results are published and acted upon as a result of the regularly scheduled audits
 
I don't know
 
 
 
Are employees allowed to bring their own devices, such as smartphones, tablets or external storage devices to work?
 
Yes
 
No
 
I don't know
 
 
 
Does your organization operate corporate wikis, blogs or social media applications?
 
Yes
 
No
 
I don't know
 
 
 
Who monitors those wikis, blogs or social media applications for business-related postings?
 
Internal employee
 
External party or vendor
 
Not applicable
 
 
 
Are private clouds that are used to back up personal devices, such as tablets, smart phones, and laptops, addressed in a policy?
 
Yes
 
No
 
I don't know
 
 
 
What information management systems are utilized? (select all that apply)
 
Document Management
 
Content Management
 
Records Management
 
Knowledge Management
 
Email
 
I don't know

 
 
 
Where is data stored? (select all that apply)
 
Shared drives
 
Enterprise-wide repository
 
Hard drives
 
USB drives
 
iPads, tablets, smart phones
 
I don't know

 
 
 
What information sharing tools are used? (select all that apply)
 
sFTP
 
AS2
 
Web-based repositories
 
Wikis
 
Email
 
I don't know

 
 
 
Do you permanently remove the information from information sharing tools?
 
Yes, by request
 
Yes, we use a schedule for removing
 
No
 
I don't know
 
 
 
Principle of Protection: The requirement that a security structure is in place so only personnel with the appropriate level of security or clearance can gain access to varying levels of information.
 
 
 
How is privacy of information handled in your organization?
 
No consideration is given to the protection and/or privacy of information in the records being created
 
Some consideration is given to the protection of information
 
A formal written policy and supporting procedure(s) exist for the protection of information
 
Training is provided on the written policy and procedure so that employees are aware of what behavior is acceptable
 
The importance of protecting information privacy is enforced by audits and results reporting
 
I don't know
 
 
 
What types of access controls are in place?
 
Access control to a record is assigned by the author
 
Access control is centralized but not uniform and automated
 
Uniform procedures and automated systems provide access control protection
 
Continuous improvement programs exist to make sure access control stays compliant
 
Continuous improvement programs exist to ensure access control is integrated with technology upgrades and changes
 
I don't know
 
 
 
What policies are in place around storage and transmission of information?
 
The storage and transfer of information and records is not regulated by policy and is inconsistent
 
An incomplete policy exists for storage and transmission of managed information
 
There is a formal written policy and procedures are in place that cover the key aspects of records and information asset storage and transmission
 
Systematic protection of information and records is provided by a uniformly applied policy and assisting technology
 
Continuous improvement programs exist to make sure that storage and transmission protection stays compliant and tracks technology changes
 
I don't know
 
 
 
What compliance measures are in place?
 
Monitoring and enforcement of protection policies is decentralized
 
Information is protected by a written policy but has limitations
 
Compliance audits are conducted in regulated areas of the company
 
Employees are trained and tested for competency
 
Results of testing are brought to senior management’s attention
 
I don't know
 
 
 
How often does the company conduct a test of the privacy protections in place?
 
Once a year
 
Once every two years
 
When there is a problem
 
I don't know
 
 
 
Principle of Availability: The ability to identify, locate, and retrieve the records and related information required to support business activities and having an efficient and intuitive set of methods and tools to organize records.
 
 
 
How available is information when you need it in your organization?
 
Records and other information assets are not readily available
 
Records retrieval mechanisms have been deployed in some areas
 
There are established standards of availability for guidance but no enforcement
 
Clear policies exist and are implemented to make records and information readily available when and where needed
 
Policies and processes concerning the availability of information are reviewed and supported by senior management
 
I don't know
 
 
 
What statement best describes the availability of records in your organization?
 
Retrieval of records takes time and the 'official' record is difficult to identify
 
No standards exist as to how readily information should be available to knowledge workers
 
The 'official' record is identifiable and retrievable most of the time
 
Records are readily available so employees have access to needed information
 
Continuous improvement programs exist to make sure implementation is state of the art
 
I don't know
 
 
 
What tools do you have at your disposal to aid with retrieval of records?
 
There are few automated retrieval tools to assist availability of records
 
No standard tools are deployed enterprise-wide; limited classification and/or retrieval tools exist in some areas
 
Consistent classification, storage and retrieval mechanisms are deployed across the enterprise
 
There is a centralized inventory of identified information assets that is used to assist access to records
 
The centralized inventory processes and tools are continuously upgraded to better meet the needs of employees
 
I don't know
 
 
 
What is the state of your legal discovery process?
 
Legal discovery is difficult due to limited availability of records
 
Legal discovery is more complicated and costly than it should be due to inconsistent availability of information
 
A well-defined, systematic process exists to execute legal discovery
 
Appropriate systems are in place to implement the legal discovery process including an automated hold process
 
Continuous improvement programs with senior management support exist to make sure the legal discovery process is state of the art
 
I don't know
 
Not Applicable
 
 
 
Is there an enterprise-wide classification plan in place?
 
Yes
 
No
 
I don't know
 
 
 
Is remote access provided to business records?
 
Yes
 
No
 
I don't know
 
 
 
How does an employee know that a record exists?
 
They have tools to conduct their own repository search
 
They can put in a request directly to the Records Management department
 
They must put in a request to IT for the record
 
They must put in a request to the right business unit for the record
 
I don't know
 
Other
 
 
 
 
When does the records department know that a record exists?
 
When created
 
When an employee experiences an issue with locating the correct version
 
When an employee experiences an issue with locating the document or file
 
When sent to offsite storage (if paper)
 
I don't know
 
Other
 
 
 
 
Does the records department provide instruction on record creation?
 
Yes
 
No
 
I don't know
 
 
 
Are barcodes used when creating a hardcopy record?
 
Yes
 
No
 
I don't know
 
 
 
Has your company ever settled a lawsuit because responsive materials could not be found?
 
Yes
 
No
 
I don't know
 
 
 
Has your company ever paid a fine to a government agency because records could not be produced in an audit?
 
Yes
 
No
 
I don't know
 
 
 
Principle of Compliance: The adoption and enforcement of policies to direct and control recordkeeping and ensure proof that the organization’s activities are conducted in a lawful manner and legal requirements are being adhered to.
 
 
 
What guidelines exist in your organization around compliance?
 
Clear guidelines for records retention do not exist
 
Some policies and procedures related to compliance exist but are not complete or are too vague
 
Relevant laws and regulations have been identified, addressed by compliance programs, and employees understand how to behave
 
Records are retained and linked to compliance metadata for automated tracking in addition to employees' observance
 
Policies and procedures are in place and audited to ensure compliance so employees know the consequences
 
I don't know
 
 
 
What is the process for following those guidelines?
 
Records are not managed in accordance with generally recognized principles
 
Some compliance policies and operational procedures have been implemented but are not complete
 
There is a systematic program to track creation, capture, storage and disposition of records enterprise-wide
 
Compliance policies are regularly audited
 
Audit gaps are addressed
 
I don't know
 
 
 
What is the structure for managing compliance in your organization?
 
Compliance activities are decentralized and there are no compliance standards
 
Sporadic compliance policies exist but there is no accountability
 
There is a strong code of business conduct integrated into Records Management and Information Governance policies
 
Audits and reviews are conducted
 
Audit gaps are addressed
 
I don't know
 
 
 
What is your organization’s approach to the “Hold Process”?
 
No defined or well-understood legal hold process exists
 
A hold process exists but is not integrated with information management and discovery processes
 
An integrated hold process exists but is for critical systems only
 
An integrated, repeatable, enterprise-wide legal process exists with defined roles
 
The hold process is integral with the organization’s information management, records management and discovery processes
 
I don't know
 
 
 
When was the last recordkeeping compliance audit conducted?
 
Within the last year
 
Within the last two years
 
More than two years ago
 
Never
 
I don't know
 
 
 
Has your company undergone any of the following audits? (Select all that apply)
 
SOX
 
ISO
 
PCI
 
HIPAA
 
OSHA
 
RAC
 
SEC
 
FDA
 
Parent company
 
Client requirement
 
Strategic partner requirement
 
I don't know
 
Other
 

 
 
 
Has your company experienced a judgment of spoliation or adverse inference because records could not be produced for court?
 
Yes
 
No
 
I don't know
 
 
 
Principle of Retention: The concept of document life cycle, which is the time period from the creation of a record to its final disposition, which addresses legal and regulatory compliance, fiscal accountability, operational business needs and historical information.
 
 
 
What is the status of records retention in your organization?
 
There is no Retention Schedule or other official procedure for controlling the life cycle of documents
 
A Retention Schedule has been created but is not actively updated or maintained
 
A formal Retention Schedule exists and is being consistently used
 
The Retention Schedule is periodically reviewed and adjusted as needed
 
Records Retention is a senior management priority
 
I don't know
 
 
 
How is the Retention Schedule managed?
 
Retention Schedule is haphazard
 
Retention Schedule does not cover all organization records and/or information needs
 
Retention Schedule is being implemented
 
Records Retention is well implemented
 
Retention is integrated with business processes (such as Human Resources, Finance)
 
I don't know
 
 
 
How familiar are employees with the Retention Schedule and what is their role in it?
 
Employees retain and dispose of potential records based on organizational needs
 
A Retention Schedule exists but is not well known
 
Current Retention Schedule is well known and applied by many employees
 
Employees know how to classify/process records
 
Records are retained for appropriate periods of time
 
I don't know
 
 
 
What types of records does your organization's Retention Schedule cover?
 
Electronic Records alone
 
Physical Records alone
 
Redundant copies alone
 
All of the above
 
None of the above
 
 
 
Does the Retention Schedule apply to shared drives?
 
Yes
 
No
 
Not applicable
 
 
 
Does the Retention Schedule apply to backup tapes?
 
Yes
 
No
 
Not applicable
 
 
 
How often is the Retention Schedule updated?
 
Once a year
 
Once every two years
 
As needed for business needs
 
I don't know
 
 
 
Does your company hold an annual clean up day for records?
 
Yes
 
No
 
I don't know
 
 
 
Is there a procedure to ensure that records that are eligible for destruction are, in fact, destroyed?
 
Yes
 
No
 
I don't know
 
 
 
Principle of Disposition: At end of lifecycle, there is a schedule in place for the destruction, return to clients, transfer to another organization in connection with a divestiture, or transfer to an historical archive of records. Disposition can be suspended in the event of pending or ongoing litigation or audit.
 
 
 
What is the process for disposition in your organization?
 
No documented processes for disposition exist
 
Preliminary guidelines for disposition have been established
 
Official procedures for disposition have been developed
 
Disposition procedures have been adopted and are understood by all
 
Disposition processes are continually applied and regularly evaluated
 
I don't know
 
 
 
How is the process of disposition managed in your organization?
 
Individuals take disposition actions without documented processes
 
There is sporadic enforcement and auditing of disposition processes
 
Disposition policies and procedures are not standardized
 
There is consistent application of disposition procedures across the enterprise
 
The disposition process covers all records, for all media
 
I don't know
 
 
 
Do individual employees have the right to delete electronic records from shared and personal drives?
 
Yes
 
No
 
I don't know
 
 
 
Are there guidelines that cover data stored on office equipment such as multi-function devices, replaced workstations, and replaced laptops?
 
Yes
 
No
 
I don't know
 
 
 
How is the destruction of electronic records documented?
 
Email confirmation from individuals that electronic records have been deleted
 
Signed form from department head that electronic records have been deleted
 
Signed form from IT that electronic records have been deleted
 
No process is in place
 
I don't know
 
Other
 
 
 
 
Do you believe all corporate goals related to Records Management are being met?
 
Yes
 
No
 
 
 
If not, what remains to be done?
 
I am not aware of any formalized goals
 
Please explain
 
 
 
 
Are there any comments you would like to make regarding any of the above questions?
   
 