Monday, July 22, 2013
Government Auditing Standards July 2007 Revision
Government Auditing Standards
July 2007 Revision
http://www.gao.gov/new.items/d07731g.pdf
1.04 Laws, regulations, contracts, grant agreements, or
policies frequently require audits in accordance with
GAGAS.
Friday, July 19, 2013
Beginner Big Data
Beginner Big Data
http://www.wpwkly.com/whitepapers/The-Big-Data%20Holy-Grail.pdf
Key takeaways:
Harness big data
Manage information
Analyse high performance
Deploy big data analytics
This unstructured data is also known as
“dark data,” emphasizing its resistance to
analysis using traditional tools.
Here are a few examples of specific ways organizations can put big data to work:
• Combine analysis of SKUs and Social Media feedback to spot buying trends.
• Combine analysis of inventory levels and customer loyalty program data to craft high-redemption coupon offers that maximize profit and clear out inventory.
• Use email/call-center transcript analysis to improve customer satisfaction
• Examine social media chatter for sentiment analysis
• Analyze collections data to target delinquent accounts with the highest probability of payment
Your big data strategy should factor in three key components: information management, high-performance analytics, and flexible deployment.
First Key:
Information Management
The focus of Information Management (IM) is the ability of your organization to capture, organize, store, and deliver the right information to the right people.
Best Practice: Foster a data-driven culture
Second Key:
High-Performance Analytics
Best Practice: Know what business goals your data will support
Third Key:
Flexible Deployment
Best Practice: Focus on late binding for data analysis
Most data analysis uses an early binding approach, where data is fit into a specific schema and bound to business rules at the outset. This is possible for simple, well-defined, structured data. But, if
you’re searching free text, machinegenerated data, or diverse data sets, it isn’t practical, or even sometimes possible, to understand and model the data at the early stages. And, in most cases, you don’t want to because early binding can irrevocably alter the data, tailoring it for a specific set of analytics
http://www.wpwkly.com/whitepapers/The-Big-Data%20Holy-Grail.pdf
Key takeaways:
Harness big data
Manage information
Analyse high performance
Deploy big data analytics
This unstructured data is also known as
“dark data,” emphasizing its resistance to
analysis using traditional tools.
Here are a few examples of specific ways organizations can put big data to work:
• Combine analysis of SKUs and Social Media feedback to spot buying trends.
• Combine analysis of inventory levels and customer loyalty program data to craft high-redemption coupon offers that maximize profit and clear out inventory.
• Use email/call-center transcript analysis to improve customer satisfaction
• Examine social media chatter for sentiment analysis
• Analyze collections data to target delinquent accounts with the highest probability of payment
Your big data strategy should factor in three key components: information management, high-performance analytics, and flexible deployment.
First Key:
Information Management
The focus of Information Management (IM) is the ability of your organization to capture, organize, store, and deliver the right information to the right people.
Best Practice: Foster a data-driven culture
Second Key:
High-Performance Analytics
Best Practice: Know what business goals your data will support
Third Key:
Flexible Deployment
Best Practice: Focus on late binding for data analysis
Most data analysis uses an early binding approach, where data is fit into a specific schema and bound to business rules at the outset. This is possible for simple, well-defined, structured data. But, if
you’re searching free text, machinegenerated data, or diverse data sets, it isn’t practical, or even sometimes possible, to understand and model the data at the early stages. And, in most cases, you don’t want to because early binding can irrevocably alter the data, tailoring it for a specific set of analytics
Tuesday, July 16, 2013
Litigation Cost Survey of Major Companies
http://www.uscourts.gov/uscourts/RulesAndPolicies/rules/Duke%20Materials/Library/Litigation%20Cost%20Survey%20of%20Major%20Companies.pdf
Litigation Cost Survey of Major Companies
Statement Submitted by
Lawyersfor CivilJustice
CivilJustice ReformGroup
U.S. ChamberInstitute for Legal Reform
For Presentation to
Committee on Rules of Practice and Procedure
Judicial Conference oftheUnited States
2010 Conference on Civil Litigation
Duke Law School
May 10‐11, 2010
Litigation Cost Survey of Major Companies
Statement Submitted by
Lawyersfor CivilJustice
CivilJustice ReformGroup
U.S. ChamberInstitute for Legal Reform
For Presentation to
Committee on Rules of Practice and Procedure
Judicial Conference oftheUnited States
2010 Conference on Civil Litigation
Duke Law School
May 10‐11, 2010
Friday, May 31, 2013
Is online privacy protected under Canadian law?
Is online privacy protected under Canadian law?
Yes, it is. There are two laws that help safeguard your personal information: The Personal Information Protection and Electronic Documents Act (PIPEDA) has existed for a decade and a new anti-spam law was passed in Parliament in December 2010 and is expected to come into force in late 2011or early 2012.
PIPEDA requires private-sector organizations to obtain your consent if they want to collect, use or disclose personal information about you. They can use the information only for the purpose for which you gave consent. Also, even if you agree, businesses and organizations have to limit their disclosure to what a reasonable person would consider appropriate in the particular circumstances. You also have a right to see information that a business has about you, and to request that any errors be corrected.
The Office of the Privacy Commissioner can receive and investigate complaints about possible violations of PIPEDA.
Canada’s new anti-spam legislation is designed to fight unsolicited commercial electronic messages (including e-mails, text messages and social networking messages) by requiring most senders to first obtain a recipient’s consent. There are exceptions, which generally include family, friends, and existing business contacts.
For more information on the new anti-spam law, please visit www.fightspam.gc.ca
Best Practices for Legal Hold Processes 2009
Best Practices for Legal Hold Processes
Jeffrey J. Beard, esq. daticon eed
Litigation Support
Document Forensics and Legal Holds 2009
Ten Legal Hold best Practice Tips
http://www.lawtechguru.com/files/ILTA-Legal_Hold_Best_Practices-Jeff_Beard.pdf
Jeffrey J. Beard, esq. daticon eed
Litigation Support
Document Forensics and Legal Holds 2009
Ten Legal Hold best Practice Tips
http://www.lawtechguru.com/files/ILTA-Legal_Hold_Best_Practices-Jeff_Beard.pdf
Wednesday, March 20, 2013
Mastering Reference Data
Master data and reference data are not exactly the same. Understand and manage the difference and you can improve planning, business processes, reporting, and service delivery.
- December 4, 2012
By Robert Rowe, Senior marketing manager for MDM, Software AG
When it comes to master data management (MDM) and reference data management (RDM), there remains disagreement about the distinction between master and reference data. One expert says that reference data is master data (or at least a subset of master data). Another says that reference and master data are two different things.
Listening to these expert discussions can induce a kind of deer-in-the-headlights paralysis among those responsible for enterprise-wide data management. This is problematic because instinctively we know that we have to manage this data regardless of what we call it.
The real difficulty is that we have to manage master and reference data differently, to some degree, and that gives rise to other questions that are hard to answer: If you've deployed tools to manage and master your master data, have you implicitly brought in the tools to also manage and master your reference data?
Let's step back and consider a practical distinction between master data and reference data, one that people who do not spend their lives doing research and analysis on such matters can use to improve operations within their organizations.
Working Definitions
Let's start with master data. What is it? Master data documents and describes the data that is part of your organization's core business processes. It's data whose definitions are defined within your organization and are not necessarily recognized by anyone outside your organization. One set of master data elements might be related to your customers: a customer number, a contact name and address, phone numbers, and shipping addresses, for example. Another set of master data elements might cover your products, and for any given product there may be a set of master data elements that identify component parts, each of which would have a unique part number. Other product attributes that would be mastered include the product description, packaging information, engineering documents, and images.
Reference data is different. In many (if not most) instances, reference data is created and defined externally by a governmental or independent agency or the International Organization for Standardization (ISO). Reference data elements have meaning and significance that is shared among many users, organizations, and companies. A ZIP code, for example, should be viewed as a reference data element. ZIP codes are defined by the postal service, and any organization that sends a package to Reston, Virginia, will use the same ZIP code -- 20190.
From this one example, you may begin to see a wide range of data elements in use throughout your enterprise that should be viewed as reference data elements: medical procedure and billing codes, time zones, industry codes (SIC and NAIC), airline flight schedules, currency codes, currency exchange rates, and much more. These data elements may be intimately tied to master data, but they are reference data elements and not so frequently changed. We obtain and use them differently, and certain aspects of them are managed differently.
Distinct Management Challenges
There are some similarities in the mastering and management of master and reference data, and there are also differences. For example, both require the application of security and data governance. Only specifically designated people should be authorized to contribute to, change, or delete this data. However, data cleansing operations, such as removing duplications and merging records, is really focused on master data, not reference data, and mainly for customer and product domains. Let's investigate some other differences in managing this data.
Data Creation or Sourcing
Fundamentally, creating or sourcing reference data is easy. Much of it is created and maintained by an external agency, and you can obtain it directly from its source. That's rarely even a manual process today; you can rely on a data feed from the agency that owns the data.
Thus, you could use an ISO exchange rate code in your accounts receivable system, for example, instead of a specific exchange rate. The ISO exchange rate code would always refer to the actual value of the exchange rate prevailing in the market at that moment. By deriving the exchange rate from the ISO exchange rate code, you eliminate the need to enter a new exchange rate every time the rate changes -- but your reference data for exchange rates is always up to date.
The ability to rely on an externally maintained reference data element, however, poses its own challenges. If a new currency is introduced, for example, or if one member of the Eurozone decides to abandon the Euro and return to a sovereign currency, the owning organization will update the exchange rate codes themselves. If you are relying on ISO currency codes and exchange rate codes, you'll need to version the ones in use for auditing purposes and then publish the updates to subscribing systems.
You'll want to be able to master and manage this updated reference data in a carefully planned and coordinated manner. A workflow process is critical, as is an approval process that considers your organization's policies about data governance Should subscribing systems fall out of sync, there is a real danger that the organization will encounter inconsistencies that could affect everything from business planning and purchasing to manufacturing, financial reporting, and auditing.
A mastering tool that can version reference data is key. Once the previous data is versioned, the updated data can then be provided to subscribing systems simultaneously to ensure that the same version is being used throughout the enterprise. Additionally, storing previous versions assists with compliance reporting because the actual version used during a given reporting period can be easily produced.
In addition to the externally sourced reference data we have so far described, organizations may also produce their own reference data elements, such as a set of mapping codes that references a supplier's part numbers and maps them to your internal part numbers. You might use the mapping codes to map the part numbers from several vendors to your own product codes so that parts from alternate vendors could be substituted if one vendor cannot deliver the quantity needed for a production cycle. Even though these mapping codes are created internally, they act as reference data elements in this scenario and must be managed with the same attention to governance, versioning, and subscription synchronization discussed previously with regard to externally generated reference data elements.
Data creation or sourcing for master data is handled differently. In mergers and acquisitions, many times data is acquired from legacy systems, cleansed, and mastered in the centralized MDM hub. New data may be created directly in the MDM system because it provides a collaborative environment for each department to contribute their respective part of the data, it provides a user-friendly authoring interface, and because it'll end up there anyway. The MDM system then becomes the single source of truth, containing that "golden record" that applications and business processes all access.
Data Distribution
Reference data can also reside in an MDM or RDM system to be accessed there via pointers or "look ups" from other systems. That makes it easy to ensure that these systems are using the same reference data without the need to publish to subscribing systems. If the data element is updated, all systems see the updated information immediately.
This is not the only way to enable the consistent use of reference data. Some departments may want a local copy of the reference data. Others may be using legacy systems that cannot perform external lookups easily. To support these systems, your RDM system must be able to push mastered reference data out to the systems that will use them. As noted earlier, a critical aspect of this approach is that the dissemination of updated reference data must take place in a coordinated and synchronized manner so that all systems have access to the same release of reference data at the same time.
Whether you use a publish-and-subscribe approach or a lookup approach really depends on the architecture of your organization and the needs of the groups and systems involved. Both approaches are viable as long as the approach you choose is undertaken in a well-considered and mindful manner.
For centralized master data architectures, the data in the repository is accessed through Web services, JDBC, or other means by the applications and processes that need the data at runtime. It is equally important that the MDM system be able to export data easily for downstream systems such as data warehousing and business intelligence systems. High-quality, cleansed data provides the basis for better forecasting and business decisions.
Developing a Master Plan
All this brings us back to consideration of the systems you use to master your data. You need a tool that can ensure the consistent use of master data throughout the enterprise -- and that's exactly what MDM tools are designed to do. You also need tools that can enable you to acquire, master, version, and distribute your reference data because it, too, must be used consistently throughout your enterprise.
Multi-domain MDM solutions typically are more oriented toward mastering reference data. This is because - single domain, or template-driven MDM solutions, may not provide the necessary flexibility for mastering comprehensive, internal reference data with all its potential domain overlaps.
That said, with the right MDM tools you can, in fact, manage both master data and reference data successfully. The tools should be able to ensure oversight and governance of master and reference data. For reference data, these tools also need to provide features for version management and auditing. It could be argued that any good MDM system should have these as well because the versioning of hierarchies is not uncommon, nor are regulatory compliance and auditing needs for master data.
Ultimately, well-managed reference data is a key contributor to operational efficiency and clarity of business insight. Any organization that expects accurate information from diverse organizational units and data sources needs reference data that has been mastered and managed for consistency across all the units and all the systems in use. Without well-mastered and well-managed reference data, there is real potential for reporting errors that can affect outcomes at every level, from the manufacturing floor to the board room. Choose your data mastering tool(s) wisely to ensure that they will suit your needs now and the future.
Robert Rowe is senior marketing manager for MDM at Software AG where he is responsible for master data management product marketing. Rowe holds over 20 years of experience in the software industry where he has held positions in marketing, IT, engineering, training, and account management. You can contact the author at robert.rowe@softwareag.com.
Monday, January 14, 2013
Naming convention
Naming convention
http://www.techwr-l.com/archives/0711/techwhirl-0711-00444.html#.UPSDDuTO2mk
http://www.techwr-l.com/archives/0711/techwhirl-0711-00444.html#.UPSDDuTO2mk
Standard Naming Conventions for Electronic Records
http://www.dcc.ac.uk/resources/external/standard-naming-conventions-electronic-records-0
Chapter 10. File Specification and Naming
http://pds.jpl.nasa.gov/
2.0 Best Practices for File Naming
http://www.library.illinois.edu/dcc/bestpractices/chapter_02_filenaming.html
File:ISO naming convention.gif
http://en.wikipedia.org/wiki/File:ISO_naming_convention.gif
The ISO-9660 file naming rules (also known as 8:3)
http://www.planetoftunes.com/computer/isoname.html
DOCUMENT TYPES AND NAMING CONVENTIONS electronic documents
http://lhc-proj-qawg.web.cern.ch/lhc-proj-qawg/CD-ROM-v4-0/Quality/QA202.pdf
DOCUMENT TYPES AND NAMING
CONVENTIONS
Date:2003-04-03
Abstract
The purpose of this document is to identify the types of document used for the
construction of the LHC and to define the naming conventions applicable to
documents.
An overview of the purpose of the different document types, and their role in the
Project, is presented. This aims at helping all technical and administrative staff
working with LHC documents, either as authors, editors, controllers, reviewers or
other, to have a common understanding of the use of each document.
considerations for Records creation
Creation of records:
This may require a resource reallocation—but should not necessarily result in a cost to the overall budget. Though short-term expense may be incurred in changing recordkeeping frameworks, this can be offset by increased productivity by freeing up the time of most APS employees, and the expected efficiency gains from more ready access to useful records
This may require a resource reallocation—but should not necessarily result in a cost to the overall budget. Though short-term expense may be incurred in changing recordkeeping frameworks, this can be offset by increased productivity by freeing up the time of most APS employees, and the expected efficiency gains from more ready access to useful records
Archives’ DIRKS process
Workflow and risk analysis is a key consideration when developing policies and directions to support good recordkeeping.
Workflow and risk analysis can be achieved through the DIRKS process (Designing and Implementing a Recordkeeping System) developed by the National Archives.
The DIRKS methodology consists of the following eight steps:
1. preliminary investigation (Step A)
2. analysis of business activity (Step B)
3. identification of recordkeeping requirements (Step C)
4. assessment of existing systems (Step D)
5. identification of strategies for recordkeeping (Step E)
6. design of a recordkeeping system (Step F)
7. implementation of a recordkeeping system (Step G)
8. post-implementation review (Step H).
AS ISO 15489).
For agencies, the new process will:
· comprise only one step with one supporting document
· focus only on higher level business activities (i.e. high level roles and responsibilities)
· be supported by implementation advice so that they can take prompt disposal action
· be flexible so that agencies can:
o focus on core business for disposal authorisation
o focus on particular categories of records that are creating storage problems and incurring costs.
As a simple guiding principle, the more important the occurrence the greater the requirement to create a record, and the more comprehensive that record needs to be.
· Context—is it an important communication? Generally speaking, all official external communications will be important, while internal communications will generally be more important the more senior the people involved, or if they document a direction or decision that authorises action.
· Financial value—the higher the value, the more likely due care and diligence require the making of a record in relation to any decision or action with financial implications (see also Financial Management and Accountability Act, Regulation 12), which requires any approval of expenditure of public money to be recorded in writing as soon as practicable.
· Benefit—would ready access to such a record materially benefit the Commonwealth or the agency, as distinct from being of mere transitory, facilitative use to individuals? And would access to such a record provide a material benefit greater than the cost of producing such a record?
· Potential loss or liability—would the lack of access to such a record expose the Commonwealth to loss or liability?
The level and standard of documentation needs to match the circumstances.
· programme decisions, including decisions affecting individuals or individual businesses that may be subject to administrative review, together with the basis for the decisions and the authority for making the decision;
significant events,
Work Process Analysis for Records
http://aiimknowledgecenter.typepad.com/weblog/2010/04/isotr-261222008-part-3-sequential-analysis.html
ISO/TR 26122:2008, Functional Analysis

http://aiimknowledgecenter.typepad.com/weblog/2010/02/work-process-analysis-for-records.html
Submitted by Carl Weise - AIIM In 2008, ISO published ISO/TR 26122:2008. This technical report describes a framework for conducting a work process analysis for those processes that are used to create and/or manage records...
ISO/TR 26122:2008, Information and documentation – Work process analysis for recordsmakes it clear that the first step in any process analysis is to review the context in which the organization operates. This consists of two steps: a review of the regulatory environment and a review of the operational environment.
It consists of two types of analysis: a functional analysis to break functions into component work processes, and a sequential analysis within each process to identify the flow of information as the transactions progress.
Some processes and some transactions are isolated and stand alone, but many of them are interdependent
First, the assessment helps to identify dependencies between processes and/or transactions.
The assessment can serve to identify the contextual links between certain records. This can be useful to determine how best to categorize and classify records. This is also important because logically categorized and arranged records are easier to manage throughout their lifecycle.
This review should determine whether the processes are centralized or decentralized and who is responsible for the performance of them – both at the individual staff/transaction level and from a management perspective.
ISO/TR 26122:2008, Functional Analysis
Submitted by Carl Weise, AIIM Industry Advisor
In 2008, ISO published ISO/TR 26122:2008, Information and documentation – Work process analysis for records. This technical report describes a framework for conducting a work process analysis for those processes that will be used to create and/or manage records.
In a previous blog, I mentioned that it consists of two types of analysis: the functional analysis to break functions into component work processes, and the sequential analysis within each process to identify the flow of information as the transactions progress.
Part 2: Guidelinesrecommends a functional classification structure. ISO 26122 outlines the following basic process to conduct the functional analysis.
The first step is to identify the goals and strategies of the organization. Information to support this can be found in your organization’s business plan, its charter, its mission and vision, and other key strategic planning documents. Next, the analysis seeks to identify which functions carry out the strategies in support of the goals. At the same time, this provides an opportunity to review the various functions and map them to the goals and strategies – and perhaps identify functions that do not align properly (or at all). Some of this information will come from surveys and interviews, particularly from management, while other information will be found in the various strategic planning documents listed above and from the plans created to achieve the goals.
For each function identified, you need to determine what processes the function performs, and again, look at the processes identified in the contextual review and determine which function performs them. In some cases, some processes may be performed in different parts of the organization; in other cases, a similar process occurs in multiple areas within the organization. For example, planning, project management, and recordkeeping tasks will likely occur throughout the organization.
Finally, the functional analysis concludes by identifying the specific tasks and transactions that make up the individual processes which is produced primarily through the sequential analysis,

Submitted by Carl Weise, AIIM Industry Advisor In 2008, ISO published ISO/TR 26122:2008, Information and documentation – Work process analysis for records. This technical report describes a framework for conducting a work pro...
In a previous blog, I mentioned that it consists of two types of analysis: a functional analysis to break functions into component work processes, and sequential analysis within each process to identify the flow of information as the transactions progress.
For example, municipal police issue vehicular moving violations for things like speeding, etc. The “ticket transaction” begins with the issuing of the ticket to the motorist and most commonly ends with the motorist paying a fine. A routine variation involves a court date, either because the motorist is contesting the ticket or because the violation was significant enough to mandate a court date. A less common exception might be the case of a motorist who mails in the ticket without payment, or using a payment method that is declined (bad check or credit card number).
Here is the process to conduct a sequential analysis. The first step is to identify the transactions that make up a particular process and the tasks associated with each transaction, as noted earlier. This information will come from interviews and surveys of the users performing the tasks but may also come from existing process documentation and outputs of the process, including audit trails. Once the baseline, most common sequence has been established, the next step is to identify variations in the process and determine whether they are routine variations that are handled as part of the overall transaction and process, or whether they constitute exceptions to the process. Exceptions still need to be handled, but they may be handled in a more manual fashion or require exceptional intervention such as from a manager or specialist.
Finally, many processes are dependent on other processes. The output of a process or transaction becomes the input to another process or transaction. Sometimes this dependency is strictly sequential – something has to be completed before something else can be begun.
To use our court example, there can be no scheduling of a court case until either the date for payment passes or the motorist makes a formal request to the court. In other cases the dependency is only partial – perhaps the process allows the motorist to stop by the courthouse and pay the ticket fine immediately, without having to wait for the ticket to be formally processed into the system.
Is the process complete? Are all steps listed? Are all cases, conditions, and exceptions identified?
Is the process correct? Are the steps in the correct order?
Monday, January 7, 2013
Electronic Signature and Records Association (ESRA)
About
The Electronic Signature and Records Association (ESRA) is an important initiative focusing on e-signatures and electronic records.
Its original founding members — AIG, Adobe, DocuSign, eOriginal, Genworth Financial, Silanis and Wells Fargo Home Mortgage — represent a prestigious group of corporations, both technology-providers and “user” companies offering technology applications to their customers.
Education is the primary mission of ESRA. The association is a centralized educational resource for its members and the public with respect to the legal, regulatory and operational issues in relation to the use of electronic signatures and records.
silanis
Silanis is the world’s leading electronic signature provider. Since the company was founded in 1992, our software has automated business transactions that require secure, compliant and enforceable e-signatures. Recognized as the enterprise market leader, we are responsible for processing more than 600 million e-signed transactions annually – more than any other e-signature vendor. These transactions represent billions of dollars worth of regulated business processes taking place 24/7 around the globe, from insurance applications and consumer loans to federal procurement contracts. Our customers represent the leading organizations within their respective fields, including four of North America’s top 10 banks, eight of the top 15 insurers and the entire US Army, among others.
http://www.silanis.com/about-us
http://www.silanis.com/about-us
Patrick Cormier
Court Technology and the Private Sector:
Bridging the Chasm
An announcement from Patrick Cormier, CEO of the CCCT-CCTJ
Every day, Canadian courts and tribunals help resolve thousands of cases under the rule of law in a civilized, fair, impartial and independent manner. Technology has held, for decades, the promise of increased effectiveness and better efficiency. Ah… The plain enjoyment of one’s day at work when the right information is at your fingertips! If the technology objectives are simple and the outcomes easy to imagine, then why is it so difficult to rejuvenate courts and tribunals with better technology?
http://ccct-cctj.ca/
e-Discovery Update: Increasing
Judicial Acceptance of ComputerAssisted Document Review
http://www.whitecase.com/files/Publication/fde5ec0a-a8e5-4312-ba01-42754c35ac47/Presentation/PublicationAttachment/a7905254-a0c4-4626-b23d-4b330ea14e89/alert-e-discovery-update-increasing-judicial-acceptance-of-computer-assisted-docum.pdf#page=1
Standards and Procedures For Electronic Records and Signatures
http://www.spers.org/spers/index.htm
Standards and Procedures For Electronic Records and Signatures
Standards and Procedures For Electronic Records and Signatures
ELECTRONIC RECORDS AND SIGNATURES -- CHALLENGE AND OPPORTUNITY
New eCommerce laws make possible the widespread replacement of paper documents with electronic records. They also enable the broad use of electronic signatures. Many businesses have begun converting their operations to avail themselves of the enormous advantages offered by electronic records systems.
While the new eCommerce laws permit the use of electronic records and signatures, they also require that electronic systems and processes meet specific standards for:
- Obtaining consent to use electronic records and signatures,
- Presentation of information,
- Execution of signatures and creation of agreements,
- Record retention,
- Printing, and
- Delivery.
SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
http://esignrecords.files.wordpress.com/2009/03/spers-summary1.pdf
SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 1
Section 1 Summary Statement of Standards to Guide Systems Design Teams
STANDARD 1-1. IDENTIFYING AND EVALUATING THE APPROPRIATE
AUTHENTICATION STRATEGY – CREATING THE RELATIONSHIP
SPERS STANDARD 1-1
The System Design Team should determine the appropriate Authentication Process for
establishing a Relationship with each Transaction Participant. The assessment and selection
Process should include:
• Assessing the legal liability and Transaction risk associated with failing to correctly
identify the Transaction Participant,
• Assessing the practical and system considerations that may affect the choice of an
Authentication Process,
• Determining whether the Authentication Process for the Transaction must comply with
specific legal or regulatory requirements,
• Selecting an Authentication strategy that provides an appropriate level of security and
certainty, based on the preceding considerations, and
• Determining what information will be required in order to implement the selected
Authentication strategy.
STANDARD 1-2. IDENTIFYING AND EVALUATING THE APPROPRIATE
AUTHENTICATION STRATEGY – CREDENTIALS
SPERS STANDARD 1-2
The System Design Team should determine the appropriate Credential for a Participant
conducting a Transaction as part of an established Relationship. The process for selecting a
Credential should include:
• Assessing the risks associated with unauthorized access to conduct the Transaction,
• Determining whether there are specific legal or regulatory requirements for a Credential
associated with the Transaction;
• Determining the types of Credentials appropriate to the Transaction based on the risk
assessment and any applicable legal or regulatory requirements,
• Determining the cost of establishing and using a particular Credential,
• Assessing the relative speed with which the Credential may be established and used,
• Assessing any specific hardware or software requirements to use a particular Credential
and whether such requirements are appropriate to the Transaction, and
• Evaluating the information that needs to be obtained from, and provided to, the
Transaction Participant to implement and maintain a particular Credential.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 2
STANDARD 1-3. PROVIDING CONSUMERS INFORMATION CONCERNING THE
DISTRIBUTION OF RISK OF UNAUTHORIZED TRANSACTIONS
SPERS STANDARD 1-3
Where appropriate, and particularly in Consumer Transactions, the System Design Team should
consider providing a Transaction Participant with an opportunity to obtain information
concerning the risks associated with unauthorized Transactions, including:
• The Transaction Participant’s responsibilities with respect to protecting Credentials,
• The potential consequences of unauthorized use of Credentials, and
• The procedure for giving notice that a Credential has been stolen or compromised.
STANDARD 1-4. ESTABLISHING THE AUTHORITY OF REPRESENTATIVES
SPERS STANDARD 1-4
Where appropriate, the System Design Team should consult with legal counsel or compliance
personnel to determine whether it is likely that individuals will be representing Transaction
Participants (either individuals or legal entities such as corporations or trusts) other than
themselves, and if so:
• Determine whether it is advisable to obtain some representation or evidence of the
individual’s authority to act as a representative, and
• Establish appropriate methods for obtaining representations or evidence of the
representative’s authority.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 3
Section 2 Summary of Statement of Standards
STANDARD 2-1. GENERAL AGREEMENT TO USE ELECTRONIC RECORDS AND
SIGNATURES
SPERS STANDARD 2-1
Systems should be designed to obtain either:
• The Transaction Participants’ express Agreement to use Electronic Records and
Signatures; or
• The Transaction Participants’ implied Agreement in a fashion that allows a reasonable
inference that Transaction Participants have assented to use Electronic Records and
Signatures.
STANDARD 2-2. APPLICABILITY OF THE ESIGN CONSUMER CONSENT PROCESS
SPERS STANDARD 2-2
With respect to business to-Consumer Transactions, the System Design Team should consult
with legal counsel or a compliance officer concerning application of the ESIGN Consumer
Consent Process. The ESIGN Consumer Consent Process should be used if:
• The Consent Process is required by any Rule of Law, or
• The System Design Team determines that its voluntary use would be beneficial and its
use would not hamper, confuse or unduly complicate the Transaction.
1
STANDARD 2-3. THE ESIGN CONSUMER CONSENT DISCLOSURES
SPERS STANDARD 2-3
When the System Design Team has determined that the ESIGN Consumer Consent Process
should be employed, it should implement the Consent Process:
• In compliance with the requirements of the ESIGN Consumer Consent Disclosures; and
• With the goal of providing the Consumer with information designed to assist the
Consumer in making an informed choice with respect to the use of Electronic Records
and Signatures.
1
“Voluntary use” refers to the use of all, or part of the ESIGN Consumer Consent Process.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 4
STANDARD 2-4. THE ESIGN CONSUMER CONSENT DISCLOSURES – FORMAT
AND TIMING
SPERS STANDARD 2-4
When presenting the ESIGN Consumer Consent Disclosures to the Consumer they must be
provided:
• In a clear and conspicuous format;
• At a meaningful time in the Transaction; and
• Prior to the Consumer providing his or her affirmative consent to engage in business
electronically.
2
STANDARD 2-5. OBTAINING THE CONSUMER’S AFFIRMATIVE CONSENT -
METHODS AND TIMING
SPERS STANDARD 2-5
When employing the Consumer Consent Process systems will need to be designed to obtain the
Consumer’s affirmative consent to access Required Consumer Information.
Providers should obtain the Consumer’s affirmative consent either::
• Prior to, or at the time Required Consumer Information is presented, or
• After Required Consumer Information is presented but before the time when the
Consumer becomes obligated on the Transaction.
STANDARD 2-6. REASONABLE DEMONSTRATION OF ACCESS
SPERS STANDARD 2-6
If the ESIGN Consumer Consent Process will be employed, the System Design Team should
create a mechanism, method of process that enables a Consumer’s provision of consent to
Reasonably Demonstrate that the Consumer can access the electronic method(s) and format(s)
the system will use to provide or make available Electronic Records such as notices, disclosures,
and agreements over the course of the Transaction.
2
The methods for, and the timing of obtaining the Consumer’s affirmative consent are discussed in SPeRS
Standard 2-5.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 5
Section 3 Summary Statement of Standards
STANDARD 3-1. GENERAL PRINCIPLES FOR DISPLAY AND PRESENTATION OF
INFORMATION
SPERS STANDARD 3-1
The System should be designed to display and present information efficiently and effectively.
Absent special circumstances, the System Design Team should provide a reasonable opportunity
to access information, whether it is part of an agreement, Notice or Disclosure, so that:
• The information is displayed or made available in a manner and/or format that complies
with any applicable Rule of Law.
• The opportunity to access the information occurs:
• At the point in the Transaction required by an applicable Rule of Law, or
• If there is no applicable Rule of Law, at or before the point in the Transaction where
having access to the information is appropriate for the recipient, but not later than the
point at which the recipient is asked to indicate agreement with, or acknowledge
access to, the information.
• During the course of the Transaction, the information may be retained by the recipient, or
accessed by the recipient at a later time, consistent with the purpose of the Transaction, the
nature of the information and applicable Rule of Law (See SPeRS Section 5).SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 6
STANDARD 3-2. DELIVERING AND DISPLAYING RECORDS AND INFORMATION
SPERS STANDARD 3-2
When developing a process that includes the electronic display and delivery of Agreements,
Notices or Disclosures, the System Design Team should:
• Identify the Records and information that will be delivered electronically to each
Transaction Participant in the course of the Transaction;
• Consult with legal counsel or compliance personnel to determine whether any of the
Records or information to be provided are subject to any specific delivery requirements
under an applicable Rule of Law;
• Accomplish delivery by providing access or the opportunity to access the Record, as
applicable;
• Determine the appropriate method(s) for providing access to the Records and
information, taking into account:
• The nature of the Transaction and the intended audience,
• Whether the Records and information will be provided or made available as part of an
interactive session with the recipient, as part of a unilateral transmission to the
recipient, some combination of the two, or through other means,
• Whether the Records and information to be provided or made available include
sensitive or confidential information,
• The time period for which the Records and information should remain available for
access by the recipient during the course of the Transaction, and
• Whether the recipient should be required to access any of the Records and
information in order to proceed with the Transaction.
STANDARD 3-3. DELIVERING AND DISPLAYING RECORDS AND INFORMATION –
RETENTION OF RECORDS BY OTHER TRANSACTION PARTICIPANTS
SPERS STANDARD 3-3
For Electronic Records that must be signed, or that contain Required Information, the System
Design Team:
• Should provide the Transaction Participant signing or accessing an Electronic Record
with:
• An explanation of the options that the Transaction Participant will have during the
Transaction to retain a copy of the Record, including any Disclosure or explanation
required by the ESIGN Consumer Consent Process (See SPeRS Standard 2-2), and
• A reasonable opportunity to retain a copy of the Record for later reference.
• May wish to provide the Transaction Participant with an opportunity to agree to the
methods being provided for retaining a copy of the Record.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 7
STANDARD 3-4. INDICATING AGREEMENT
SPERS STANDARD 3-4
When developing a process that includes the electronic delivery or display of agreements to
Transaction Participants, the System Design Team should:
• Consult with legal counsel or compliance personnel to determine:
• Which Records or information being delivered or displayed require some indication
of agreement by a Transaction Participant
• The level of formality or ceremony required for each indication of agreement
• Implement a process design which, in the context of the Transaction and the particular
information or Record in question:
• Offers the Transaction Participant:
• A clear choice to either agree or decline to agree, and
• A clear method to express agreement or decline to agree
• Provides an explanation of the consequences are inherently obvious in the context of
the Transaction, and
• When appropriate, offers the Transaction Participant an opportunity to correct an
election to assent or refuse assent made in error except when impractical or
unnecessary.
SECTION 3-5: ACKNOWLEDGING ACCESS OR DELIVERY
SPERS STANDARD 3-5
When developing a process that includes the electronic display and of and opportunity to access
Disclosures and Notices to Transaction Parties, the System Design Team should:
• Consult with legal counsel or compliance personnel to determine:
• Which Records or information being displayed or provided require some
acknowledgement of access or opportunity to access by a Transaction Participant, and
• The level of formality or ceremony required for each acknowledgement of access or
opportunity to access.
• For Records that require acknowledgement of access or delivery, implement a process
design which, in the context of the Transaction and the particular information or Record
in question, offers the Transaction Participant a clear method to acknowledge access or
opportunity to access.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 8
STANDARD 3-6. CLEAR AND CONSPICUOUS DISCLOSURE
SPERS STANDARD 3-6
When developing a process that includes the electronic display of or access to agreements,
Notices or Disclosures to Transaction Parties, the System Design Team should:
• Consult with legal counsel or compliance personnel to determine whether any of the
Records or information to be provided are subject to “conspicuous disclosure”
requirements under an applicable Rule of Law, and
• If “conspicuous disclosure” is required:
• Implement a process design which, in the context of the Transaction and the
particular information or Record in question, delivers the required Record or
information in a form which is:
• Reasonably understandable, and
• Designed to call attention to the information that must be disclosed.
• Employ electronic tools and display techniques so as to effectively convey the
information.
STANDARD 3-7. USING HYPERLINKS AND OTHER NAVIGATIONAL CUES
SPERS STANDARD 3-7
When displaying information electronically, the System Design Team should consider using
navigational cues in order to better organize, enhance or protect the presentation of information.
When using a navigational cue, the System Design Team should label or title the navigational
cue, or provide explanatory information for use of the navigational cue, reasonably sufficient to
permit the Transaction Participant to understand the general nature of the Records or information
associated with the navigational cue.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 9
Section 4 Summary Statement of Standards
STANDARD 4-1. SELECTING A SIGNATURE PROCESS
SPERS STANDARD 4-1
The selection of an appropriate signature technology for a particular application should be based
on a determination of the relevant factors and circumstances, including:
• Applicable hardware and software requirements
• Any Rule of Law limiting the type of Electronic Signature that may be used
• Characteristics of the signer
• Susceptibility of the technology to repudiation
• Ability of the signature to protect the Record from undetected alteration after signing
• Portability of the signature process
• Suitability of the signature for:
• non-repetitive in-person Transactions
• repetitive in-person Transactions
• non-repetitive remote Transactions
• repetitive remote Transactions
• Ease of use for multiple signatures by same signer in one Record
• Ease of use for multiple signers in one Record
STANDARD 4-2. PROVIDING INFORMATION ON THE SIGNING PROCESS
SPERS STANDARD 4-2
The execution of an Electronic Signature should be preceded by an opportunity for the signer to
review:
• A description and explanation of the procedure used to create the Electronic Signature,
and
• A description of the sequence of events that will result in the signature becoming final
and effective.
Provided, however, that the signature process may be sufficiently familiar or self-explanatory
that a description is superfluous or would be repetitive.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 10
STANDARD 4-3. ESTABLISHING THE INTENT TO SIGN
SPERS STANDARD 4-3
The process used to create an Electronic Signature should be designed so that:
• It is clear that the signer intended to create a signature, and
• When not reasonably apparent under the circumstances, the signer is advised that the
signature fulfills one or more purposes:
• Affirming the accuracy of information in the record
• Affirming assent or agreement with the information in the Record
• Affirming the signer’s opportunity to become familiar with information in the
Record,
• Affirming the source of the information in the record, or
• Other specified purposes.
STANDARD 4-4. ASSOCIATING A ELECTRONIC SIGNATURE WITH A RECORD
SPERS STANDARD 4-4
A process for signing records should be designed so that:
• The Record is presented for signature before the signature becomes effective, and
• The signature is attached to, or logically associated with, the Record presented.
STANDARD 4-5. ATTRIBUTING A SIGNATURE
SPERS STANDARD 4-5
A process for signing Records should be designed so that either:
• The signature itself provides evidence of the signer’s identity, or
• The process surrounding creation or affirmation of the signature:
• provides evidence of the signer’s identity, and
• is in some manner preserved, evidenced, or capable of recall or recreation during the
life of the Transaction.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 11
STANDARD 4-6. ELECTRONIC AGENTS
SPERS STANDARD 4-6
A system designed to implement an agreement and signature by an Electronic Agent:
• Should require a clear and detailed definition of the parameters of the electronic agent’s
authority to form an agreement and sign on behalf of the represented Participant, and
• May either reflect the use of an electronic agent in the signature information provided as
part of the signed Record, or present the signature as the act of the represented Participant
without reference to the use of an electronic agent.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 12
Section 5 Summary Statement of Standards
STANDARD 5-1. MEETING ACCURACY, ACCESSIBILITY AND RETENTION
REQUIREMENTS
SPERS STANDARD 5-1
Electronic Record retention systems should be designed to ensure the information contained in
the Electronic Records remain:
• Protected from undetected and unauthorized alteration, and
• Accessible to the Record Holder and others entitled by Rule of Law or Agreement to
access, or obtain a copy of, the Record Holder’s copy of the Record
See also SPeRS Standard 3-3 for the Record Provider’s obligation to provide access or copies of
Records to other Transaction Participants (e.g., Consumers).
STANDARD 5-2. VERIFYING THE INTEGRITY AND ACCURACY OF ELECTRONIC
RECORDS/THE PHYSICAL AND LOGICAL ENVIRONMENT
SPeRS STANDARD 5-2
As part of the infrastructure necessary to protect the integrity of Electronic Records, the System
Design Team should establish a commercially reasonable design for:
• The physical environment in which the records are maintained that takes into account:
• The types of transactions evidenced by the Electronic Records,
• The value of the transactions evidenced by the Electronic Records,
• The value or confidentiality of the information contained in the Electronic Records,
including whether the record is subject to state or federal privacy laws, and
• The impact of loss, destruction or theft of the Electronic Records on the operations of
the Record Holder.
• The technical environment in which the records are maintained that takes into account:
• · Network controls,
• · Hardware controls, and
• · Software controls.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 13
STANDARD 5-3. VERIFYING THE CONSISTENCY AND INTEGRITY OF
ELECTRONIC RECORDS
SPERS STANDARD 5-3
When appropriate, the System Design Team should consider including in the process for
creating, delivering and submitting Electronic Records commercially reasonable checks to
confirm that:
• The Record:
• Contains information that is both internally consistent and consistent with other
Transaction Records;
• For signed Electronic Records, the Record appears to have been electronically signed
by each of the targeted signers before being accepted as final and complete;
• Has not been altered without authorization once it is effective; and
• Is retrievable in a form perceivable by an individual.
• Any set of Transaction documents intended to be reviewed, completed, and/or signed as a
group is complete and that all necessary tasks have been performed before being
submitted and/or accepted in final form.
STANDARD 5-4. DOCUMENT CONVERSION
SPERS STANDARD 5-4
System design teams should develop guidelines and procedures for the preservation and
conversion of paper to electronic documents to meet the following objectives:
• Promote cost and organizational efficiency;
• Ensure safekeeping of documents;
• Ensure compliance with state and federal requirements regarding Record retention,
access to Records, and document destruction;
• Maintain secure, reliable, long-term access to Records; and
• Establish data integrity to satisfy the Rules of Evidence.SPeRS APPENDIX B – SUMMARY OF SPeRS PRINCIPLES
Appendix B - 14
STANDARD 5-5. VENDOR RELATIONSHIPS
SPERS STANDARD 5-5
When using third party vendors to perform Record retention functions, Providers should adopt a
risk management process that includes:
• Proper due diligence to identify and select a third-party provider;
• Contracts that outline duties, obligations, and responsibilities of the parties involved; and
• Ongoing oversight of the third parties and third-party activities.
STANDARD 5-6. INTERACTION WITH GOVERNMENTAL AGENCIES
SPERS STANDARD 5-6
The System Design Team should consult with legal counsel or compliance personnel to
determine whether there are any state or federal regulatory requirements that may affect the for
or methods used to create, file or maintain the Records.
STANDARD 5-7. TRANSFERABLE RECORDS AND ELECTRONIC CHATTEL PAPER
SPERS STANDARD 5-7
If the system is intended to manage the creation, execution, transfer and/or storage of electronic
equivalents of negotiable promissory notes, bills of lading, warehouse receipts, retail installments
sales contracts, debt obligations secured by personal property, or leases of tangible personal
property, the System Design Team should consult with legal counsel or compliance personnel to
determine the special requirements for:
• Controlling the transfer of ownership of the Electronic Record
Subscribe to:
Posts (Atom)
