SOX, GLB, HIPAA, SEC 17a-3 and 17a-4, NASD 3010 and 3110, NYSE rule 440, SEC 17ad-6 and 17ad-7, 21 CFR Part 11, 17 CFR Part 1, FERC Part 125, IRS Rev. Proc. 97-22, NARA Part 1234, NARA GRS, DoD 5015.2 and the Federal Rules of Civil Procedure 1, 26 and 34.
It is also called for by records management regulations and best practices, such as DIRKS, CobiT, COSO, ISO 15489-1 and -2, the Sedona Principles, ARMA and AIIM.
So the question you should ask yourself and your organization is, are you prepared to archive anything? Remember, this is a legal document. Here's how you'll know:
1. Have you created an organizational records management methodology that separates data and information from legal records that need to be maintained?
2. Does that methodology define business functions, activities and transactions?
3. Have you documented these functions, activities and transactions as a part of an official organizational classification scheme that produces a classification thesaurus for document metadata?
5. Have you documented this into a set of policies?
6. Have you designed a "document capture, registration and disposition authority" guideline that your board has accepted? This is a legal document that you should have before you decide to create an archive and disposition plan.
NOW comes the part about e-mail archiving:
7. Does the e-mail archiving tool you are working with integrate into your record-keeping system (which should entail documents, data tables and messages)?
8. Does the e-mail archiving tool support the same registration and categorization metadata that the rest of your recordkeeping systems support?
9. Does the e-mail archiving system support categorized e-discovery of records for selection during discovery collection procedures required by a compliance audit or e-discovery in a court case?
10. Does it show contextual reference?
11. Does the e-mail archiving system allow production of discovered documents in PDF format?
12. Have you investigated whether or not you CAN create a set of procedures for how you would integrate the capture, registration and disposition in the e-mail system so that it directly correlates with the rest of the records management program?
Items 7-12 will determine whether or not the system you want to include into your record-keeping program will fit your legal and regulatory requirements. However, you won't know whether or not you are doing the right thing or spending money on the right tool if you haven't already worked through steps 1-6.
In other words, if you haven't conducted steps 1-6, don't waste your money and don't put the organization at risk by archiving something you shouldn't be archiving.
Read Doug Owens' answer to this question.
This was first published in August 2004