Galaxy Consulting
  • Home
  • About Us
    • Our Process
    • Meet Us at Industry Events
  • Services
    • Business Analysis and Usability
    • Content and Knowledge Management
    • Records Management
    • Information Architecture
    • Enterprise Search
    • Taxonomy and Metadata Development and Management
    • Document Control
    • Information Governance
  • Solutions
    • Information Overload
    • Compliance
    • E-Discovery
    • Internal and External Websites
    • Enterprise Search
    • Collaboration and New Employees’ Onboarding
    • Customer Service
    • Manual Processes
    • Vulnerability of Sensitive Information
  • Portfolio
    • Our Brochure
    • Our Clients
    • Case Studies
    • Presentations
    • Press Releases >
      • Galaxy Consulting Receives 2016 Best of Redwood City Award
      • Galaxy Consulting Receives 2015 Best of Redwood City Award
    • Videos
  • Testimonials
  • Blog
  • Free Consultation
  • Contact Us
  • Terms of Use/Privacy Policy

GDPR Compliance

7/30/2021

0 Comments

 
Picture
GDPR compliance is being enforced. The GDPR has already garnered international attention, with similar legislation in the works in countries like China, Japan, India, Brazil, and New Zealand. Attention around the GDPR has been mounting in US. Beyond the United States and the other countries already mentioned, most experts predict that an even wider rollout of consumer data protections is inevitable.

Since GDPR took effect, Google was fined nearly $57 million for processing personal data for advertising purposes without obtaining the required consumer permissions. Google also failed to adequately inform consumers about how their data would be used, nor did it provide enough information about its data consent policies.


The GDPR requires companies doing business in EU member countries to get consumers' consent via an explicit opt-in process before collecting and sharing information about them; to provide a way for consumers to correct, update, and delete the data that companies hold about them; to fully disclose what information is being collected and how it will be used; and to properly notify all parties involved when there is a data breach.

Most companies are certainly pushing to improve their processes by updating older software solutions and processes where parts of their responsibilities are clear, and others are still in a murky world of gray and uncertainty. Many companies are still looking at their obligations under the legislation, trying to determine what is applicable to them and their portions of processing an individual's data.

In a recent survey from the International Association of Privacy Professionals, less than half of respondents said they were fully compliant with the GDPR, and nearly a fifth said they believed full compliance with the GDPR would be impossible.

One of the biggest shortfalls for businesses right now concerns the GDPR provisions requiring a full accounting of all the information organizations hold on consumers upon request within one month.

Companies should simply assume that all aspects of the GDPR apply to them.

Experts and insiders concede that the GDPR has been successful in one key area: Consumers now have more of an interest in what happens with their personal information. GDPR has made it simple for consumers to understand the important details about their data, such as how it is being used, where it is being stored, etc. Because of the GDPR, consumers are asking more questions and reading companies' privacy policies more closely. And that will ultimately lead to greater accountability.

The GDPR has also changed the entire dialogue between companies and customers.

Whether it was a stated goal of the GDPR or an unforeseen consequence, companies are beginning to self-regulate, knowing that regardless of the form, there is increased need to give consumers greater transparency and control over their data.

Because of the penalties and other negative ramifications of ignoring GDPR, companies have to take GDPR seriously with internal programs to organize their data better. Companies need to provide transparency about the data they capture, as well as a mechanism for consumers to choose which information can be captured and how it can be used.

For companies that have come into compliance, the GDPR has resulted in finely tuned databases and distribution lists, and streamlining email communication has made outreach more impactful with higher-than-before engagement rates.

If GDPR compliance is done right, companies will have the ability to create a master record of customer data on one platform.

That master record could contain all of the customer's allowed permissions, revoked permissions, or any changed notification settings, as well as a unified customer profile that combines details about their behaviors, interests, preferences, purchases, and other information from any engagement system or data source.

GDPR continues to require an investment of time and resources, but it is a worthwhile investment.

When all aspects of the GDPR are carried out fully, companies are able to deepen relationships and profitably grow revenue, consumers are able to gain transparency and control over their data, and regulators are able to safeguard commerce and consumer rights.

Galaxy Consulting has over 15 years in helping companies to achieve compliance in different areas, and since GDPR was released, we are helping companies to achieve compliance with GDPR. Please contact us for a free consultation.

0 Comments

Purpose of Document Control and its Role in Quality Assurance

3/28/2020

0 Comments

 
Picture
GxP/GMP, GDocP, ISO 9000 and documentation

GxP stands for "Good Practice" which is quality guidelines and regulations. The "x" stands for the various fields, for example Good Documentation Practice or GDocP, Good Financial Practice or GFP and so on. There are many instances of these regulations. One instance of GxP is Good Manufacturing practice or GMP.

GMP describes required Quality Management System (QMS) for manufacturing, testing, and quality assurance in order to ensure that products are safe, pure, and effective. GMP has ultimate goal to enable companies to minimize or eliminate contamination and errors which protects consumers from purchasing a product which is not effective or even dangerous. GMP regulations are required to be used in regulated industries such as food and beverages, pharmaceutical, medical devices, and cosmetics.

GMP documentation requirements are aligned with Good Documentation Practice (GDocP). GDocP is the standard in the regulated industries by which documents are created and maintained. It is the systematic set of procedures of preparation, reviewing, approving, issuing, recording, storing, and archiving documents.

The ISO 9000 is a set of standards which deals with fundamentals of Quality Management System (QMS) that helps organizations to ensure that they meet customers’ needs within statutory and regulatory requirements related to a product or service. ISO 9001 deals with the requirements that organizations wishing to meet the standard must fulfil.

GxP/GMP, GDocP, ISO 9000 are about QMS where an organization needs to demonstrate its ability to consistently provide a product that meets customer and applicable statutory and regulatory requirements.

Documentation is the key to compliance with these regulations and ensures traceability of all development, manufacturing, and testing activities. Documentation provides the route for auditors to assess the overall quality of operations within a company and the final product. GMP, GDocP, and ISO 9000 are enforced by regulatory agencies. Auditors pay particular attention to documentation to make sure that it complies with these regulations.

Therefore, in order for an organization to meet these requirements, it must have documentation procedures in place. Documentation is a critical tool for ensuring this compliance.

​Purpose of document control and its role in Quality Assurance (QA)


The primary purpose of document control is to ensure that only current documents and not documents that have been superseded are used to perform work and that obsolete versions are removed. Document control also ensures that current documents are approved by the competent and responsible for the specific job people and documents are distributed to the places where they are used.

Document control is an essential preventive measure ensuring that only approved, current documents are used throughout an organization. Inadvertent use of out-of-date documents or not approved documents can have significant negative consequences on quality, costs, customer satisfaction, and can even cause death.

The role of QA, in regards to the document control system is one of management and overview.

QA ensures that all documents are maintained in a controlled fashion and that all controlled documents are approved by the appropriate subject matter experts, are consistent with other documents, and are the most current version.

One way that QA ensures this is by being the last signature on all approved documents. All documents - current, obsolete, superseded, as well as all the history on the creation and revision of the document should be kept in Quality Assurance.

0 Comments

508 Compliance and Content Management

2/24/2015

0 Comments

 
Picture
Section 508 compliance seems tricky and confusing, but its implementation on content management systems is vital for many organizations. According to the United States Census Bureau, about one in five Americans are impaired with some sort of disability. That is a rather large number of people that you do not want to ignore.

All federal and state agencies of the U.S. government are required to meet section 508 standards for accessibility. This law was established in 1998 to require that all technology used by the federal government to be accessible to those with disabilities. This includes those with visual, audible, physical or cognitive impairment.

Assistive Technology

Those with disabilities often use assistive technology. This would include things like screen readers for the visually impaired user. Jaws and Microsoft Narrator are a couple of popular software titles that are used for these purposes. 

The Standards of 508 Section

There were 16 standards developed to make information and technology accessible to users with disabilities. These standards are the core requirements to making your content section 508 compliant with the federal government. There is no one automated solution that will magically make your site compliant, unfortunately. 

These days, it is still a mix of manual and automated processes that drive a site’s compliance. Below are the 16 standards. Sites must be accessible by keyboard only (without a mouse). All screens should be readable by screen readers that can also display alt tags and descriptions of images. Closed captioning should be available (or transcripts of audio/video). Online forms should be able to completed using assistive technology (or only the keyboard). 

Good Tips for Usability

Good technology applies great user experience, user interaction and design principles. This is often referred to as UX/UI in the creative and IT industries. The two terms evolved from the guidance involved in usability principles, an area of expertise that has grown over several decades. 

Good usability means the user is able to quickly perform a task with little to no difficulty. This often involves employing sensible and logical navigation, understandable required action items, well defined terms, clean design and smooth workflows. There are other options to consider that vary from project to project, but these are the most basic caveats to understand when dealing with usability as it pertains to section 508 compliance. 

Software and Technology Function Essentials for Section 508

The software and technology fundamentals here are designed to make computing life a bit easier for those with a disability. Your CMS should follow these guidelines and tips. Remember that all things should be executable from the computer keyboard, without a mouse. Some people can’t use a mouse. This should include shortcuts, object/image manipulation and dropdown list operation to name a few on the computer keyboard side. StickyKeys, FilterKeys, MouseKeys and High Contrast are some useful functions for this. 

Your organization should also maintain a well-defined on-screen solution for focusing. An indicator that moves with the other interface elements is the preferred method for your CMS. Assistive technology should help with focus controls. 

Web browsing comes natural to most of us that can use all five senses, but someone with impairment will have trouble. That is why it is important to have sufficient information about the user interface, such as identity, operation and state of the elements, available to the assistive technology. An image that represents a program element (icons) should also display text to define that process. Meaning should also be consistent with icons or bitmap images that are used to define elements of an application. 

Textual information should be provided through the operating system’s (OS) functionality for text display. Text content, text input caret location and text attributes are the minimum textual information that should be displayed in the CMS. 

Display options also need to be tweaked for this with vision impairment. For example, applications should never override a user’s selected contrast levels or color selections on the screen. Display functions should accommodate those with a disability. When there is animation, it should also be available to users as non-animated content or information. The user should also be able to choose the presentation mode of this content prior to viewing or consuming it. 

Organization is also key for some. For instance, for section 508 compliance in the CMS, it is important to label items clearly so they may be easily understood. Color coding or highlighting items should not be the sole way to handle the process of conveying information, indicating an action, prompting a response or distinguishing a visual element. A large range of color and contrast items also helps users stay organized with large loads of information that may need to be categorized and organized in a certain fashion within folders, directories, etc. 

There are also some key elements to avoid. One good example is blinking or flashing elements. Not only can they be annoying and distracting, but they can also be problematic for the end user. The frequency should be somewhere between 2 Hz and 55 Hz. 

Assistive technology should also be available to users who are filling out digital forms. It should be able to assist with accessing information, modifying information and submitting information. 

Contextual information is also very important. Users with all five senses may take certain elements for granted, but these items should be accessible to those with disabilities too. Items in color should also be available without it, like markup or context clues for the user. Documents should be readable without a style sheet. Redundant text links should be there for each active region of a server-side image map (replacement of image elements with text elements). Table data should be clearly defined, including row or column headers. Even frames should be clearly defined as an element. 

There are many other standards and compliance rules of thumb to follow. It is best to consult with an expert on maintaining section 508 compliance.

0 Comments

Compliance With Privacy Regulations

3/13/2014

0 Comments

 
Picture
Recently, high-profile cases involving breaches of privacy revealed the ongoing need to ensure that personal information is properly protected. The issue is multidimensional, involving regulations, corporate policies, reputation concerns, and technology development. 

Organizations often have an uneasy truce with privacy regulations, viewing them as an obstacle to the free use of information that might help the organization in some way. 

But like many compliance and governance issues, managing privacy will offer benefits, protecting organizations from breaches that violate laws and damage an organization's reputation. Sometimes the biggest risks in privacy compliance arise from the failure to take some basic steps. A holistic view is beneficial.

Privacy Compliance Components

Rather than being in conflict with the business objectives, privacy should be fully integrated with it. Privacy management should be part of knowledge management program.

An effective privacy management program has three major components: establish clear policies and procedures, follow procedures to make sure that organization's operation is in compliance with those policies, and provide an oversight to ensure accountability. Example of questions to consider: is data being shared with third parties, why the information is being collected, and what is being done with it.

Expertise about privacy compliance varies widely across industries, corresponding to some degree with the size of an organization. Although large companies are far from immune to privacy violations, they might at least be aware and knowledgeable about the issue.

The biggest mistake that organizations make in handling privacy is to collect data without a clear purpose. You should know not just how you are protecting personal information but also why you are collecting it. It is important for organizations to identify and properly classify all their data.

International Considerations

Increasingly, organizations must consider the different regulations that apply in countries throughout the world, as well as the fact that the regulations are changing. For example, on March 12, 2014, the Australian Privacy Principles (APPs) will replace the existing National Privacy Principles and Information Privacy Principles. 

The new principles will apply to all organizations, whether public or private, and contain a variety of requirements including open and transparent management of personal information. Of particular relevance to global companies are principles on the use and disclosure of personal information for direct marketing, and cross-border disclosure of personal information.

It is important to consider international regulations in those countries where an organization has operations.

Technology Role

The market for privacy management software products is still relatively small. The market for this software is expected to grow rapidly over the coming years. The current reform process for data protection has created a need for privacy managing technology. 

Products from companies such as Compliance 360 automate the process of testing the risk for data breaches, which is required for the audits mandated by the Economic Stimulus Act of 2009. This act expanded the Health Insurance Portability and Accountability Act (HIPAA) of 1996 requirements through its Health Information Technology for Economic and Clinical Health (HITECH) provisions. 

These provisions include increased requirements for patient confidentiality and new levels of enforcement and penalties. In the absence of suitable software products, organizations must carry out the required internal audits and other processes manually, which is time consuming and subject to errors.

Enterprise content management (ECM), business process management (BPM) and business intelligence (BI) technology have important role in privacy compliance because content, processes, and reporting are critical aspects of managing sensitive information. 

As generic platforms, they can be customized, which has both advantages and disadvantages. They have a broad reach throughout the enterprise, and can be used for many applications beyond privacy compliance. However, they are generally higher priced and require development to allow them to perform that function.

Privacy in the Cloud

Cloud applications and data storage have raised concerns about security in general, and personally identifiable information (PII) in particular. Although many customers of cloud services have concluded that cloud security is as good or better than the security they provide in-house, the idea that personally identifiable information could be "out there" is unsettling.

PerspecSys offers a solution for handling sensitive data used in cloud-based applications that allows storage in the cloud while filtering out personal information and replacing it with an indecipherable token or encrypted value.

The sensitive data is replaced by a token or encrypted value that takes its place in the cloud-based application. The "real" data is retrieved from local storage when the token or encrypted value is retrieved from the cloud. Thus, even though the application is in the cloud, the sensitive information is neither stored in the cloud nor viewable there. It physically resides behind the firewall and can only be seen from there.

This feature is especially useful in an international context where data residency and sovereignty requirements often specify that data needs to stay within a specific geographic area.

Challenges for Small Organizations

Small to medium-sized organizations generally do not have a dedicated compliance or privacy officer, and may be at a loss as to where to start.

Information Shield provides a set of best practices including a policy library with prewritten policies, detailed information on U.S. and international privacy laws, checklists and templates, as well as a discussion of the Organization for Economic Co-operation and Development (OECD) Fair Information Principles. Those resources are aimed at companies that may not have privacy policies in place but need to do so to provide services to larger healthcare or financial services organizations.

Among the resources is a list of core privacy principles based on OECD principles. Each principle has a question, brief discussion and suggested policy. For example, the purpose specification principle states, "The purposes for which personal information is collected should be specified no later than the time of data collection, and the subsequent use should be limited to fulfilling those purposes or such others that are specified to the individuals at the time of the change of purpose." The discussion includes comments on international laws and a citation of several related rulings.

Plans for Future

Business users and consumers alike have become accustomed to the efficiency and speed of digital data. However, more strict regulations are inevitable. Organizations should become more aware of having to prevent privacy breaches, and to make sure they have the systems in place to do this. Companies should also be concerned about reputation damage, which can severely affect business. Along with reliable technology, the best way forward is to follow best practices with respect to data privacy. Technology is essential, but it also has to be supported by people and processes.

0 Comments

Information Governance With SharePoint

10/31/2013

0 Comments

 
Picture
The goals of any enterprise content management (ECM) system are to connect an organization's knowledge workers, streamline its business processes, and manage and store its information. 

Microsoft SharePoint has become the leading content management system in today's competitive business landscape as organizations look to foster information transparency and collaboration by providing efficient capture, storage, preservation, management, and delivery of content to end users.

A recent study by the Association for Information and Image Management (AIIM) found that 53% of organizations currently utilize SharePoint for ECM. SharePoint's growth can be attributed to its ease of use, incorporation of social collaboration features, as well as its distributed management approach, allowing for self-service. With the growing trends of social collaboration and enhancements found in the latest release of SharePoint 2013, Microsoft continues to facilitate collaboration among knowledge workers.

As SharePoint continues to evolve, it is essential to have a solution in place that would achieve the vision of efficiency and collaboration without compromising on security and compliance. The growing usage of SharePoint for ECM is not without risk. AIIM also estimated that 60% of organizations utilizing SharePoint for ECM have yet to incorporate it into their existing governance and compliance strategies. It is imperative that organizations establish effective information governance strategies to support secure collaboration.

There are two new nice features in SharePoint 2013 version that would help you with compliance issues. E-discovery center is a SharePoint site that allows to get more control of your data. It allows to identify, hold, search, and export documents needed for e-discovery. "In Place Hold" feature allows to preserve documents and put hold on them while users continue working on them. These features are available for both on-premises and in-cloud solutions.

2013 SharePoint has been integrated with Yammer which provides many social features. This presents new challenge with compliance. Yammer is planning to integrate more security in future releases. But for now, organizations need to create policies and procedures for these social features. Roles like "Community Manager", "Yambassadors", "Group Administrators" might be introduced.

There are 3rd party tools that could be used with SharePoint for compliance and information governance. They are: Metalogix and AvePoint for Governance and Compliance, CipherPoint and Stealth Software for Encryption and Security; ViewDo Labs and Good Data for Yammer analytics and compliance.

In order to most effectively utilize SharePoint for content management, there are several best practices that must be incorporated into information governance strategies as part of an effective risk management lifecycle. The goal of any comprehensive governance strategy is to mitigate risk, whether this entails downtime, compliance violation or data loss. In order to do so, an effective governance plan must be established that includes the following components:

Develop a plan. When developing your plan, it is necessary for organizations to understand the types of content SharePoint contains before establishing governance procedures. It is important to involve the appropriate business owners and gather any regulatory requirements. These requirements will help to drive information governance policies for content security, information architecture and lifecycle management. 

When determining the best approach to implement and enforce content management and compliance initiatives, chief privacy officers, chief information security officers, compliance managers, records managers, SharePoint administrators, and company executives will all have to work together to establish the most appropriate processes for their organization as well as an action plan for how to execute these processes. During the planning phase, your organization should perform an assessment, set your organization's goals, and establish appropriate compliance and governance requirements based on the results of the assessment to meet the business objectives.

Implement your governance architecture. Once your organization has developed a good understanding of the various content that will be managed through SharePoint, it is time to implement the governance architecture. In this phase, it is important to plan for technical enforcement, monitoring and training for employees that address areas of risk or noncompliance. It is important to note that while SharePoint is known for its content management functionality, there are specific challenges that come with utilizing the platform as a content management system for which your governance architecture must account: content growth and security management.

In order to implement effective content management, organizations should address and plan to manage growth of sites, files, storage, and the overall volume of content. Organizations without a governance strategy often struggle with proliferation of content with no solutions to manage or dispose of it. This is a huge problem with file servers. Over time, file servers grow to the point where they become a bit like the file cabinet collecting dust in the corner of your office. It is easy to add in a new file, but you will not find it later when you need it. The challenge comes from the planning on how to organize and dispose of out-of-date content. 

SharePoint offers the technology to address these challenges, but only if it is enabled as part of your governance plan. Information management policies can be used to automatically delete documents, or you may be using third-party solutions to archive documents, libraries and sites. By default in SharePoint 2013, Shredded Storage is enabled to reduce the overall storage of organizations that are utilizing versioning. Remote BLOB Storage (RBS) can also be enabled in SharePoint or through third-party tools to reduce SharePoint's storage burden on SQL Server.

Tagging and classification plays a key role in information governance. Proper classification can improve content findability. Organizations can utilize SharePoint's extensive document management and classification features, including Content Types and Managed Metadata to tag and classify content. Third-party tools that extend SharePoint's native capabilities can also filter for specified content when applying management policies for storage, deletion, archiving, or preservation. Ultimately, however, the people in your organization will play the biggest role here. As such, your plan should identify who the key data owners are and the areas for which they are responsible. This role is often filled by a "site librarian" or those responsible for risk management in the enterprise.

In order to minimize risk to the organization, it is imperative to ensure information is accessible to the people that should have it, and protected from the people that should not have access. SharePoint has very flexible system of permissions that can accommodate this issue.

Ongoing assessments. In order to ensure that established governance procedures continue to meet your business requirements ongoing assessment is required. Conduct ongoing testing of business solutions, monitoring of system response times, service availability and user activity, as well as assessments to ensure that you have complied with your guidelines and requirements for properly managing the content. The content is essentially your intellectual property, the lifeblood that sustains your organization. 

React and revise as necessary. In order to continue to mitigate risk, respond to evolving requirements, and harden security and access controls, we must take information gathered in your ongoing assessments and use that to make more intelligent management decisions. Continue to assess and react and revise as necessary. With each change, continue to validate that your system meets necessary requirements. 

The risk has never been higher, especially as more data is created along an growing regulatory compliance mandates requiring organizations to ensure that its content is properly managed. 

If you develop a plan, implement a governance architecture that supports that plan, assess the architecture on an ongoing basis, and react and revise as necessary, your organization will have the support and agility necessary to truly use all of the content it possesses to improve business processes, innovation, and competitiveness while lowering total costs.

0 Comments

ISO 9001 and Documentation

7/31/2013

0 Comments

 
Picture
ISO 9001 compliance becomes increasingly important in regulated industries. How does it affect documentation? Here is how...

What is Document Control?

Document control means that the right persons have the current version of the documents they need, while unauthorized persons are prevented from use.

We all handle many documents every day. These documents include forms that we fill out, instructions that we follow, invoices that we enter into the computer system, holiday schedules that we check for the next day off, rate sheets that we use to bill our customers, and many more.

An error on any of these documents could lead to problems. Using an outdated version could lead to problems. Not knowing if we have the latest version or not could lead to problems. Just imagine us setting up a production line to outdated specifications or making strategic decisions based on a wrong financial statement.

ISO 9001 gives us tools (also referred to as "requirements") that show us how to control our documents.

ISO 9001 Documents

There are no "ISO 9001 documents" that need to be controlled, and "non ISO 9001 documents" that don't need control. The ISO 9001 system affects an entire company, and all business-related documents must be controlled. Only documents that don't have an impact on products, services or company don't need to be controlled - all others need control. This means, basically, that any business-related document must be controlled.

However, how much control you apply really depends on the document.

The extent of your approval record, for example, may vary with the importance of the document (remember, documents are approved before they are published for use).

The Quality Policy, an important corporate policy document, shows the signatures of all executives.

Work instructions often just show a note in the footer indicating approval by the department manager.

Some documents don't even need any approval record: if the person who prepared a document is also responsible for its content (e.g., the Quality Manager prepares instructions for his auditors), a separate approval is superfluous.

On the other hand, identifying a document with a revision date, source and title is basic. It really should be done as a good habit for any document we create.

Please note that documents could be in any format: hard copy or electronic. This means that, for example, the pages on the corporate internet need to be controlled.

Responsibility for Document Control

Document control is the responsibility of all employees. It is important that all employees understand the purpose of document control and how to control documents in accordance with ISO 9001.

Please be aware that if you copy a document or print one out from the Intranet and then distribute it, you are responsible for controlling its distribution! The original author will not know that you distributed copies of this documents, so the original author can't control your distribution.

Dating Documents

ISO 9001 requires to show on every document when it was created or last updated. Many of us may have thought to use our word processor's automatic date function for this, but... should we use the automatic date field on documents?

Generally not. If you enter the automatic date field into a document, the field will automatically be updated to always show the current date, no matter when you actually created or updated the document.

Example: For example, if you use the automatic date field in a fax and you save the fax on your computer for future reference, you won't be able to tell when you wrote the fax: when you open the fax on your computer, it will always show today's date.

The automatic date field is not suitable for document control. Therefore, as a general rule, don't use the automatic date field to identify revision status.

ISO 9001 Documentation

ISO 9001 documentation includes:
  • the Quality Procedures Manual, which also includes corporate policies and procedures affecting the entire company;
  • work instructions, which explain in detail how to perform a work process;
  • records, which serve as evidence of how you meet ISO 9001 requirements.

Policies and Procedures

Our ISO 9001 Quality Manual includes the corporate Quality Policy and all required ISO 9001 Procedures. While most procedures affect only managers, every employee must be familiar with the Quality Policy and with the Document Control procedures. The Quality Policy contains the corporate strategy related to quality and customer satisfaction; all other ISO 9001 documents must follow this policy. The Document Control procedures shows how to issue documents, as well as how to use and control documents.

Continuous Improvement

Implementing ISO 9001 is not a one-time benefit to a company. While you are utilizing the quality manual, quality procedures and work instructions in daily business activities, you are not only benefiting from better quality and increased efficiency but you are also continually improving. In fact, the ISO 9001 requirements are designed to make you continually improve. This is a very important aspect because companies that don't continue to improve are soon overtaken by the competition.

0 Comments

Information - Governance, Risk and Compliance – GRC - Part 3

1/31/2013

0 Comments

 
Picture
In part 1 and 2 of my post about governance, risk, and compliance, I have described why information governance is important, where to begin with the information governance, and I started to describe what needs to be considered in information governance polices. In this my post I will describe information governance policies as they relate to crisis management and e-discovery, and list general information governance control.

Information Governance for Crisis Management

Crisis management is set of procedures for unplanned situation that would prevent you from doing critical functions on your job. 

Such situations can be:
  • Availability – illness, weather, turnover, fire, flood, severe weather, facility issues
  • Technology – phone cut-off, system outage, applications is down, network problems
  • Volume/Capacity – huge number of calls (in the example of call center)
  • Special situations – pandemic, loss of facility, tornado, etc.
An approaching storm or disaster does not provide much leeway to assess your disaster recovery preparations. 

For example, if your CMS is down, what happens to those departments who need to use critical documents?

Solutions: 

What you need to do is to develop a plan for each crisis situation. It should be designed to implement disaster recovery. Planning is very important.

Prioritize requirements – short, medium, long-term. Assess business needs. For example, how do you want to handle spike of calls (if you are in the call center)? Short term plan could be such as – re-route calls for live answer where there are people. Medium to long term could be such as plan for alternative site, work from home.

Make your plan flexible. Have incident coordinator. Create communication plan which should include who is responsible for coordinating the recovery process. Create crisis team which could include IT, QA, management, business partners. Outline responsibilities and procedure in the document.

Test this procedure at least once a year. Do post-analysis – timing, access gaps, communications of results, recommend changes and training plan for next testing, maybe next quarter, not next year. Evaluate your systems when you have no crisis.

Other points:
  • Address disaster recovery in addressing planned and unplanned downtime.
  • Virtualize your data center.
  • Ensure swift restoration of content items following corruption or accidental deletion.
  • Maintain all metadata during and after recovery events.
  • Ensure seamless transition to a warm stand-by system should the main system fail.
  • Plan what to do if outage happens.
  • Maximize platform up-time and swift restoration of platform following a disaster event.
  • Users need to feel confident that the system will protect content and will be available regardless of any disaster, otherwise user adoption will fail – users will go back to their old habits essentially halting KM effort in its tracks.

Information Governance for E-Discovery

E-Discovery preparedness makes it imperative for organizations to develop an enterprise wide strategy to manage the volume of electronic information. The discovery process affects many individuals in an organization, not just lawyers and others involved in discovery, but also IT professionals and records managers, who have to be prepared to produce electronic content for discovery and litigation.

You need to have an ability to respond to legal request, to solve litigation issue, mitigate the risk of sanctions, reduce impact and cost associated with future litigation.

For legal counsel, it means having a review process to determine what discovered content is relevant to the case. For an IT person, it means restoring backup tapes to show evidence on file shares, content management systems, e-mail systems, or other applications. But for records managers, this work will have begun long before any lawsuit with managing records for retention, placing legal holds, and finalizing disposition.

E-discovery could be costly because it requires organizations to retrieve content from servers, archives, backup tapes, and other media.

In some cases, an organization is unable to execute a discovery order because it is unable to locate all content in a timely manner, or it is unable to place holds on all content and some of it is deleted during the lawsuit. The inability to do this correctly also has a cost, and it can be considerable.

To address these costs, many organizations are looking at e-discovery solutions that will enable them to review the found content and take it through litigation.

But organizations can also lower costs for archiving and restoring, legal review, and sanctions by simply cutting down how much content it retains. Less stored content means less content on which to perform discovery.

Developing a strategy and a plan of action for handling e-discovery will help organizations mitigate their risk and save them a significant amount of money in the event of litigation. Organizations need to have a retention policy to determine which content can be destroyed and at what time and which content should be kept and for how long. The key is to have a retention program that is flexible enough to keep content for the right retention period.

By categorizing content, creating a catalog of the content, creating a retention plan, implementing a hold methodology, and having disposition procedures, an organization will benefit in many ways.

Solutions: Integrate e-discovery into information governance practice. Include key capabilities:
  • understand and secure – identify and categorize docs; docs are distributed globally; find and correctly identify them
  • automate and enforce - extend policies to docs within unmanaged repositories such as file shares, SharePoint, etc. Automate processes in a transparent manner to manage and control docs. Retention and disposition policies that can be enforced within ECM.
  • protect and control – regulate how docs accessed and used; security controls over docs; control who can access protected docs
  • discover and produce – ability to produce relevant docs upon demand is a mandatory requirement.
Develop retention programs. Create committees within your organizations and bring their expertise together with legal counsel and IT to prepare for e-discovery and litigation.

General Governance Controls
  • Understand your data topology – holistically across the enterprise: how much, where, who owns it, and what value does it provide.
  • Employ real-time indexing of content – to keep track of its changes.
  • Store the intelligence about your content (metadata).
  • Create an information intelligence service center and include data analysis, governance analysis.
  • Employ change management to stay current of new forms of content and new business requirements.
  • Become proactive in deploying policies for securing data, storing data, sharing data and enforcing compliance.
  • Remove obsolete or unnecessary content.
  • Define content life cycle and retention policies.
  • Tier your access to enable relevant data to be closer to users and devices that are local.
  • Educate the organization on the value of good governance; it is less about control and more about raising the intelligence and health of information.
  • Categorize your information and determine its value and rank.
  • Use content approval function in your CMS.
  • As deployments grow, organizations must also find ways to efficiently store records in compliance with retention of records management policies.
  • Create retention schedule, content controls, consistent disposition of content in accordance with records management policies for content preservation, remediation, retention.
  • Keep track of what info is created, stored, and accessed.
  • Use auto-classification and semantic tools within the search engines.
  • Move relevant documents from desktops and shared drives to your central docs repository.
  • Create efficient document versioning and check-in/check-out management for information consistency.
  • Create robust administration of users to ensure that each as access rights for only documents that they are authorized to have access to.

0 Comments

Information - Governance, Risk and Compliance – GRC - Part 2

1/29/2013

0 Comments

 
Picture
In my last post about governance, risk, and compliance, I have described why information governance is important and where to begin with the information governance. Today, I will describe what needs to be considered in information governance polices and will give some recommendations.

What needs to be considered in information governance polices?

Government mandates - If you are in a regulated industry, you need to consider first and foremost government mandates such as GMP/GxP, ISO 9001. You need to make sure that your documents management and IT are compliant with these requirements.

Proliferation of content - there has been explosive growth in the creation and collection of content by organization and individuals. Content is stored in CMS, data warehouses, physical warehouses, desktop computers, file shares, back-up archives, mobile devices, cloud services, employees personal computers and other devices such as tablets, smart phones, etc. To complicate matters this information is also geographically disbursed.

In SharePoint, for example, you get a small department that has a site, other departments take notice and start their own sites. Suddenly you have small SharePoint instances pervading everywhere. What organization should do instead is take those separate silos of SharePoint and combine them into one centrally managed environment. It is the matter of having a plan in place first, then applying the technology to achieve those business goals.

Information governance policies should cover desktops and shared drives, CMSs, databases and data warehouses, email systems, cloud based apps, social media platforms, physical warehouses. Content may be stored with the 3rd party, this needs to be considered.

Employees send email with documents attachments. This email and attachments have significant value to the business whether they contain contract terms, meeting notes or even employees opinions on a given topic. Email requires governance and so it needs to be included in your information governance policies.

Big data – are you prepared? What measures your IT has taken to help with this issue?

Cloud computing – If you use cloud computing, you need to create governance policy for it.

Mobile Devices - Employees use mobile devices to do their job. Many companies don’t have policies that cover things like tablets and handhelds. They are starting to, but it is just a beginning. You need to create polices for mobile devices and a mechanism to enforce those policies. And in the regulated environment, you would need to prove that you are enforcing those policies.

Social media - effectively leveraging social media while protecting the organization from non-compliance.

Create comprehensive social media governance plan. It should include compliance, supervision to interactive social content; perform conceptual search and policy-based monitoring of all info, inside and outside the firewall; establish social media usage policies and procedures and then train staff on them; preserve and collect relevant social media content for compliance and litigation purposes.

Consider all content and access methods involved as users connect via smartphones and tablets.

Employ solutions that capture additional approval on a site-by-site basis to verify assent for capturing and monitoring.

Wherever possible create separate business identities for social media to minimize capture of personal or private information.

Govern employees interactions. Most regulated organizations are taking a measured approach to social media, starting with small number of employees and approved social media sites.

Monitor and capture inside-based interactions within a corporate networks. Moderate inside-based interactions. Be mindful of legal and regulatory guidelines.

BYOD phenomena – “bring your own device”. People bring their iPads, iPhones, etc. to conferences, work, taking notes, making presentations, responding to email, updating pipeline,etc. All this content belongs to the organization but the device is not. What happens when this employee leaves the company? Or that employee loses the tablet? What happens to information?

I read about the case where a doctor had all his patients’ medical records unencrypted on his laptop. The laptop was stolen.

It could also be that there are multiple versions of documents floating around, gets passed from one person to another person, maybe tweaked a little along the way. And they each are legally discoverable. 

Be sure that the official version of the document is stored in your CMS and managed by your governance program.

It is imperative to have a policy to protect this information and to enforce that policy across all those devices.

Security – sensitive information must be protected – encrypted. LinkedIn got hacked and all passwords got stolen. What are you going to do that this does not happen to your organization?

Intellectual property - What about a pharmaceutical company developing a new drug, not yet under patent protection, and an employee takes that information to a competitor?

Of special importance is information related to future revenue. For example, a pharmaceutical company should place a high priority on protecting information related to future products which are not covered by patents.

It is vital for companies to have a system in place to protect sensitive content such as for example product roadmaps, manufacturing plans, vendor supply lists, marketing and promotional strategies.

In my next post, I will describe information governance for crisis management and e-discovery.

0 Comments

Information - Governance, Risk and Compliance – GRC - Part 1

1/27/2013

0 Comments

 
Picture
Governance is about securing the information and also about using information for greater value. People don’t talk much about value of information but information is strategic asset of a company. 

What makes a company great among other things is the ability to take information and use it as an asset. Information is what drives an organization, whether it is through development of new drugs, new products, looking into new geographic regions to expand to, etc.

Governance is like an insurance policy that that you feel like you are paying for nothing, until you need it. You don’t know when and if an “accident” will happen and you don’t know how big it will be, but when it does happen, you are very happy that you have that insurance policy. Until then you resent having to pay for it. Governance which is controls is your insurance policy.

KM can be costly in terms of fines, brand reputation, legal fees. In case of a legal discovery, the lack of documents means a disaster. Absence of document control in place will result in violating regulatory compliance.

To an increasing extent, organizations are focusing on risk management as a central issue in GRC equation. Enterprise Risk Management (ERM) is now a bigger driver for GRC than Sarbanes-Oxley or other compliance requirements. Organizations want a top-down viewpoint on risk, whether it is resulting from non-compliance or operational issues and want to know what is being done to mitigate it. ERM is increasingly considered as a strategic tool to support governance and improve business performance.

Governance and compliance are essential business functions. Risks need to be understood and managed. Risk management does not mean that every risk can be anticipated but it can plan for the risk and have alternatives ready.

Information governance – effective content controls, allowing all info to be securely and properly shared across departments, geographic locations, and systems.

Organizations need a closed loop environment for assessing business risks, documenting compliance and automating control monitors to sift through their business systems.

For example, SharePoint is widely adopted system for knowledge management. According to a recent AIIM report, more than 60% of organizations have yet to bring their SharePoint deployment into existing compliance, retention, and long-term archive policies.

To prevent potential exposure of sensitive or classified information, it is imperative for organizations to bring their SharePoint in line with existing compliance policies.

Benefits of information governance: helps management to enforce focus on business mission, employees have information that is accurate, current and is in suitable format for their use; employees are more efficient and productive; removing duplicate and unnecessary content reduces the time needed to find information, derive higher profits; operational cost is lowered; retention management optimizes cost-effectiveness of storage platforms; legal fees are reduced in case of litigation.

Where to begin?

To start information governance initiative, create steering committee – CIO, legal officer, compliance officer, other main stakeholders.

Outline the scope, timeline, budget.

It should be rolled out from the top. This way everybody will be on the same page.

Have a strategy. Strategy should drive what is measured and monitored for compliance and performance.

Information governance strategy must account for the value of information and how it is classified and accessed.

Info governance policies should support all of the organization’s governance controls – retention, disposition, legal hold, data privacy and security.

Policies need to be scalable, enforceable, and measurable. It is better not to have a policy than to have a policy which can’t be enforced.

Policies should change depending on new business requirements, regulatory demands, rising costs, litigation. Companies must have a process to update, validate, deploy, and enforce these policies. They should be deployed without negatively impacting users and operations.

Rank the value of information depending on its type and where it is coming from. For example, information created by VP of sales should be ranked higher that information created by a marketing intern.

More about governance in the next post.

0 Comments

Change Control in the Regulated Industries

2/15/2012

0 Comments

 
Picture
In my last post, I described change control process in general and I mentioned that in the regulated industries, manufactures are required to use a change control procedure. I am going to describe this change control procedure in this post.

A change control procedure is usually one of standard operating procedures (SOP's). It usually includes a change control form. Some companies also use change request forms for suggested changes. This procedure usually includes the following components:

Identification

The identification of the changed device, assembly, component, labeling, packaging, software, process, procedure, manufacturing material, and any other related item or document. The change control form has blank spaces for recording this data.

Effective Date

The effective date of the change which is usually a completion date, or an action to be performed when a specific event occurs, such as "implement the change when the new part is installed, validated, and operational." The blank on the change control form for recording the effective date should not be left empty.

Responsibility

The change procedure should state which department or designee is responsible for each function to be performed.

Revision Number

The change procedure should describe the way the revision level is to be incremented. It is common practice to use sequential numbers for revisions.

Communication

The change procedure should describe the communication of changes to all affected parties such as production, purchasing, contractors, suppliers, etc. As appropriate, the document might include activities that apply to internal operations. Examples are employee training, rework, or disposition of in-process assemblies, use of revised drawings and/or procedures, and disposition of old documents.

Updating Documentation

The change procedure should cover updating of primary and secondary documentation such as instruction manuals. Usually there are no problems with updating or revising primary documentation -- in fact, that is a major reason the given change order is being processed. In contrast, it is rather easy to forget that related secondary documents such as component drawings, instruction manuals or packaging require revision if affected by a given change. The use of a good change control form can alleviate this problem.

Documentation Distribution

Revised documentation should be distributed to persons responsible for the operations affected by the change and old documents removed and filed or discarded, as appropriate. After updated documents have been approved, these documents have to be made available at all locations for which they are designated, used, or otherwise necessary, and all obsolete documents have to be promptly removed from all points of use or otherwise prevented from unintended use.

Remedial Actions

Certain changes may require remedial action. Changes of this nature should be addressed in the change control procedure.

Regulatory Submissions

There may be changes may that require a regulatory submission. The change control procedure should specify if regulatory submissions should be considered when making a change.

Business Factors

The change procedure should also cover other factors such as financial impact, modification of sales literature, update of products in commercial distribution, etc.

Quality Assurance Review

The change procedure should cover if the quality assurance review is required for the change.

This change control procedure is also used for document control.

Changes to documents have to be reviewed and approved by an individual(s) in the same function or organization that performed the original review and approval of these documents unless there is a specific designation that states otherwise. These approved changes have to be communicated to the appropriate personnel in a timely manner. A company has to maintain records of changes to documents.

Change control for documents should include:
  • identification of the affected documents;
  • a description of the change;
  • revision number
  • the signature of the approving individual(s);
  • the approval date;
  • the date when the change becomes effective.
In a case of the regulatory agencies inspection, the change control procedure is usually audited. 

0 Comments
<<Previous

    Archives

    May 2023
    April 2023
    March 2023
    February 2023
    January 2023
    December 2022
    November 2022
    October 2022
    September 2022
    August 2022
    April 2022
    March 2022
    January 2022
    July 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    July 2020
    April 2020
    March 2020
    December 2019
    November 2019
    September 2019
    August 2019
    July 2019
    May 2019
    March 2019
    February 2019
    January 2019
    December 2018
    October 2018
    July 2018
    June 2018
    May 2018
    March 2018
    February 2018
    January 2018
    December 2017
    September 2017
    July 2017
    June 2017
    May 2017
    April 2017
    January 2017
    December 2016
    November 2016
    September 2016
    July 2016
    June 2016
    May 2016
    April 2016
    March 2016
    February 2016
    January 2016
    December 2015
    November 2015
    October 2015
    September 2015
    July 2015
    June 2015
    May 2015
    April 2015
    March 2015
    February 2015
    January 2015
    December 2014
    November 2014
    October 2014
    September 2014
    August 2014
    July 2014
    June 2014
    May 2014
    April 2014
    March 2014
    February 2014
    January 2014
    December 2013
    November 2013
    October 2013
    September 2013
    July 2013
    June 2013
    May 2013
    April 2013
    March 2013
    February 2013
    January 2013
    December 2012
    November 2012
    October 2012
    September 2012
    August 2012
    July 2012
    June 2012
    May 2012
    April 2012
    March 2012
    February 2012
    January 2012
    December 2011
    November 2011

    Categories

    All
    Alfresco
    Arena
    Automatic Classification
    Autonomy
    Big Data
    Business Analysis
    Case Studies
    Change Control
    Change Management
    Cloud Content Management
    Cloud Ecm
    Cloud Enterprise Content Management
    Cms
    Collaboration
    Compliance
    Concept Searching
    Confluence
    Content Analysis
    Content Localization
    Content Management
    Content Management Systems
    Content Strategy
    Controlled Vocabulary
    Coveo
    Crisis Management
    Dams
    Data Integrity
    Data Security
    Digital Asset Management
    Digital Asset Management System
    Digital Transformation
    Dita
    Document Control
    Document Control Systems
    Documents Management
    Documentum
    Drupal
    Dublin Core Metadata
    Ecm
    E Discovery
    Engineering Change Process
    Enterprise Content Management
    Enterprise Search
    ERoom
    E-Signature
    Exalead
    Fatwire
    Gamification
    Gmp
    Gxp
    Hadoop
    Information Architecture
    Information Governance
    Information Overload
    Information Technology
    Iso 9001
    IT Systems Validation
    Joomla
    Knowledge Management
    Knowledge Management Applications
    Metadata
    Mobile Devices
    Naming Conventions
    Ontology
    Open Source Cms
    Open Text
    Oracle
    OWL
    Personalization
    RDF
    Records Management
    Risk
    Search Applications
    Self Service
    SEO
    Sharepoint
    Social Media
    Structured Content
    Taxonomy
    Teamsite
    Thesaurus
    Tridion
    Twiki
    Unified Data
    Usability
    User Adoption
    User Centered Design
    Vasont
    Vivisimo
    Web Site Content
    Web Site Design
    Wiki

    RSS Feed

Powered by Create your own unique website with customizable templates.