12.1. SharePoint Support for Records Management

There are five core requirements for any records management system:

• Confidentiality—Confidentiality means access control; you can establish clearly defined policies that govern who has access to official records at any time. It is the responsibility of the records repository to ensure that official records are maintained securely. This means that once a record is stored in the repository, no one can access it except those with the appropriate permissions. It is possible that this group may not include the original author of a given document.

• Information integrity—Information integrity means that official records must not be altered after they have been placed in the repository. This includes alteration of the document content as well as the document metadata. Information integrity also covers the need to continuously update records to minimize the presence of outdated or inaccurate information.

• High availability—High availability means that official records must be available at any given time to support outside processes that may have nothing to do with the core business function. This goes beyond network bandwidth and has more to do with the need to decouple the repository from other enterprise information stores so that requests for official records are not tied to other business processes.

• Adherence to policy—It is important to establish clearly defined policies that govern the way in which records are stored, and to prove that those policies were followed. In fact, in some sense all of the other requirements fall under the general umbrella of information management policy.

  It is interesting to note that the records management tools provided by the Office SharePoint Server system are implemented in the Microsoft.Office.Policy assembly.

• Audit ability—Audit ability makes it possible to log all changes made to records after they have been stored in the repository. Once an official file is created, the repository must keep track of everything that happens to the document, including information such as the date and time of a change and who made it.

The central feature of a records management system is the records repository. As the primary access point for records entering and exiting the system, the records repository provides the only real point of control over how official records are stored. You need to control both the storage medium and the mechanisms used to move documents into and out of the repository. By controlling access to the repository, you can ensure the confidentiality of records. By controlling the storage medium, you can ensure record integrity and guarantee high availability. By controlling the mechanisms used to move documents into and out of the repository, you can apply business rules to ensure adherence to established policy and maintain clear audit trails.

Office SharePoint Server 2007 provides several layers of support for building records management solutions. These include the ability to:

• Set up and configure a records repository according to a custom set of rules

• Ensure that records are not altered after being placed in a repository

• Set up multiple locations within a repository to organize different types of records

• Set up retention policies based on retention schedules

• Capture records from external sources

• Route records to the correct location within the repository

• Manage physical (nonelectronic) records

• Specify an action to take when the expiration date is reached

• Set up auditing policies to log all activity against a record library

• Generate administrative reports of record usage

The SharePoint records management components are implemented in the Microsoft.Office.Policy assembly, located in the 12ISAPI folder of the SharePoint server. This assembly contains the namespaces shown in the following table: