IMAGENOWMeeting Compliance

Understanding Standards & Procedures

WHY ARE WE HERE?

• To learn the steps each office needs to take to meet the compliance requirements for NDSU’s internal document imaging audit.

• Campus Audit is reported to NDUS each year (June) by NDSU Chief IT Security Officer

• Audit is conducted to meet requirements of NDUS Policy 1901.4

NDUS POLICY 1901.4

Purpose:“The purpose of this procedure is to establish an imaging procedure for all NDUS institutions that create, use, and

manage digital images on optical imaging systems.”

NDUS POLICY 1901.4Procedure Summary:2. “Institutions shall create and follow documentation that

outlines and describes system hardware and software specifications and written policies and procedures that document the creation, maintenance, use and preservation of digital images within the system.”

3. “Training schedules that include initial instruction as well as regular, ongoing retraining must be implemented to ensure that employees understand the policies and procedures and any changes that may occur.”

INITIAL ACCESS & TRAININGChecklist Item #1• Procedures for electronic imaging of documents have

been formally documented and are provided to individuals who have been given access or duties related to imaging documents.

Translation:• Do you have training documents and/or user manuals

prepared for first-time ImageNow users?

INITIAL ACCESS & TRAININGCreate Tutorials for the Basics:• Logging In, Logging Off, & Password Changes• Toolbar Icons, Interface & Default Settings• How to Search• How to Scan/QA/Link • How to Upload & Link using ImageNow Printer

Resources:• ImageNow User Manual (PDF, hard copy, Client Help)

• Internal Customized Tutorials

CONFIDENTIAL DATA TRAININGChecklist Item #2• Individuals with access to data and system have been

given appropriate training regarding policies and procedures for security and safety of data stored and manipulated within system. The training is ongoing and is updated according to changes in policy and federal law.

Checklist Item #9• All those assigned access and use the system have

undergone basic training on handling and use of confidential data and have signed confidentiality agreements.

CONFIDENTIAL DATA TRAININGTranslation:• Have users reviewed data privacy policy & completed

confidential data training before using ImageNow?

How do we Comply?• Log and file (date of training, who attended, who provided training)

NDUS Data Privacy Training Signed Confidentiality Agreement Responsibility Review Security/Confidentiality Topic during Staff Meeting

SCANNING & QA TRAININGChecklist Item #10• Individuals who perform the scan or validation function

have received additional training on document quality assurance.

How do we Comply?• Create separate training tutorial for scanning process• Make sure VRS settings are optimized for all documents• Do not allow “Bypass QA” setting for scanning profiles

SYSTEM OVERSIGHTChecklist Item #3• An individual(s) has been assigned the responsibility to

oversee and manage the training of assigned personnel.

Translation:• Each participating office needs to have a designated

ImageNow “Manager”

Why is this Required?• Act as a “point of contact” for each office• Limits number of users who can access & change security• In charge of keeping & collecting audit compliance data

SYSTEM OVERSIGHTChecklist Item #12• Logs of individual training are maintained by the

person(s) managing the oversight of those who use the system.

Translation:• ImageNow “Managers” need to keep track of which

users have received which types of training and when.

How do we Comply?• A spreadsheet will be developed and distributed to help

managers track user training.

SYSTEM OVERSIGHTProposed Spreadsheet:• Record completed training dates for each user• Submit copy of spreadsheet for audit each year

Name RoleData

PrivacyConf.Data

1st TimeUser

Scan& QA

Resp.Review

StaffMeeting

User #1 PowerUser 08/23/2004 07/01/2012 09/15/2010 10/10/2010 03/01/2011 04/26/2012

User #2 Manager 11/03/1995 07/01/2012 05/21/2007 10/10/2010 06/01/2011 04/26/2012

User #3 Staff 03/17/2008 07/01/2012 09/15/2010 10/10/2010 09/01/2011 04/26/2012

User #4 Student 09/30/2011 07/01/2012 10/15/2011 10/15/2011 12/01/2011 04/26/2012

SECURITY MANAGEMENTChecklist Item #4• Separation of duties is in place for individuals who have

been given access to the imaging system. (For example the person who scans in a document does not have the ability to delete a document.)

Checklist Item #6• Formally documented procedures have been established

to ensure that only authorized personnel can create, copy, annotate, or access digital images within the system. This access is granted based on specific need for use of the system.

SECURITY MANAGEMENTTranslation:• Assign user security settings according to function• Don’t grant more access than absolutely necessary

Keep track of:• Who is responsible for scanning?• Who can delete linked documents?• Who can view documents in which drawers?• Who can view certain document types?• Who can edit custom properties, notes, annotations?• Who can print, save, or email imaged documents?

DOCUMENT VALIDATIONChecklist Item #5• A validation process using a sampling technique has been

implemented to verify that the scanned document matches the original document. This process is conducted and documented each quarter.

Checklist Item #11• Logs are collected, monitored and documented to verify

reproduction accuracy and reliability according to the original document.

DOCUMENT VALIDATIONValidation Process:• ImageNow Documents

1. Search for documents created on certain date2. Randomly select documents (note Date, ID#, DocType, & # of pages)

3. Locate selected documents in hard copy archive4. Confirm quality of the documents

• Hard Copy Documents1. Randomly select documents from hard copy archive2. Search for documents in ImageNow3. Confirm quality of scanned documents

DOCUMENT VALIDATION

VALIDATION PROCESS DEMONSTRATIONNancy Kasper

Registration & Records

USER MANAGEMENTChecklist Item #7• Those employees no longer needing access to the system

have been removed.

Process:• ImageNow “Manager” deactivates user account in

ImageNow and removes user from all associated groups Or contact Viet to have him deactivate the user

• Notify your IT Liaison to include removal of “ImageNow service tag” when the Help Desk ticket requesting end of IT services is submitted

DOCUMENT MANAGEMENTChecklist Item #8• Digital images that are the records of documented

business processes have been linked to the business processes that created them.

Translation:• Documents are stored in “Drawers” of the department

that created them• Drawer names are changed when documents transfer

between departments “View” access is usually retained by original department

DOCUMENT MANAGEMENTChecklist Item #13• All digital images are destroyed according to NDSU

Records and Retention policy and procedure 713.

Translation:• Documents need to be purged based on the document

retention schedule (www.ndsu.edu/recordsmanagement)

Process:1. Query is run for ID#s of “inactive students” (last 5 years?)

2. ImageNow is searched for documents “In List”3. Index fields & custom properties determine purge items

DOCUMENT MANAGEMENTChecklist Item #14• All data that is stored as an image is classified according

to NDUS policy and procedure 1901.2.

Translation:• “Any electronic data asset of the NDUS or Institution shall

be classified as Public, Private or Confidential according to the following standards.” – NDUS 1901.2

How do we comply?• “Confidential” drawers can be created for highly sensitive

documents that can only be accessed by designated users

DOCUMENT AUDITINGChecklist Item #15• A system “audit trail” is in place to document who, the

date and time, and what was accessed for the previous 12 months. This “audit trail” is maintained and available for review.

How do we comply?• “Audit” setting in ImageNow is turned on for:

Add Annotations Document Copy Document Create Document Create via Batch Document Delete Document Move

Document Page Delete Document Restore Document Send to Recycle Bin Document View User Login

QUESTIONS?