Enterprise document management FAQ: IT operations and compliance

Find answers and resources to frequently asked questions about the relationship of enterprise document management to IT operations and compliance.

Compliance with an increasing number of regulations requires a strategy for enterprise document management wherever content crosses an organization's network. Information technologies that facilitate the secure and controlled handling of documents are the foundation of such a strategy.

As compliance-related enterprise document management requirements grow, improved document management systems and strategies will become an increasingly critical aspect of IT operations. Below, you'll find answers and resources to frequently asked questions about enterprise document management.

What is enterprise content management?

According to, electronic document management (EDM) is "the management of different kinds of documents in an enterprise using computer programs and storage. An EDM system allows an enterprise and its users to create a document or capture a hard copy in electronic form, store, edit, print, process and otherwise manage documents in image, video, and audio, as well as in text form. An EDM system usually provides a single view of multiple databases and may include scanners for document capture, printers for creating hard copy, storage devices such as redundant array of independent disks systems, and computer server and server programs for managing the databases that contains the documents."

Content management is a more general term, although it's often used interchangeably with electronic document management. According to, content management is the administration of digital content throughout its lifecycle, from creation to permanent storage or deletion. Enterprise content management (ECM) is a more specific term that applies to larger organizations with more complex data collections. According to, ECM is "used to describe a set of tools and methods that allows a corporation, agency or organization to obtain, organize, store and deliver information crucial to its operation. The fundamental objectives of ECM are to streamline access, eliminate bottlenecks, optimize security, maintain integrity and minimize overhead." In some contexts, document management may refer to just text-based documents, and ECM may refer to all information, including images and video. In other contexts, content management refers solely to handling content on Web pages. The two terms, however, are often used interchangeably, along with records management.

In general, enterprise document management describes the process of handling an organization's information so it can be tracked, stored, retrieved and otherwise controlled. This process typically represents just one aspect of an organization's effort to comply with regulatory obligations. Documents and other content relevant to a given regulation, like email, faxes, Word documents or PowerPoint presentations, must be easily accessible and available when requested during a compliance audit.

In the context of regulatory compliance, enterprise document management systems must address the following:

  • How documents are created, organized, indexed, secured, preserved, retrieved, authenticated and recovered in the event of a disaster.
  • How long they should be retained.
  • Where they should be stored.
  • How changes can be traced.

In general, enterprise document management systems will create a central location to maintain documents and provide workflow tools to control any modifications or other work done on them.

Discovery process puts onus on electronic document management tools
Electronic documents are now considered equivalent to paper records in the discovery process for regulatory compliance.

Effective compliance document management in five days
Effective compliance document management can be simple or quite complex and costly. Here are some steps to get your priorities in place to help survive those audits.

What laws and regulations require EDM?

Many state and federal laws and regulations involve enterprise document management. The Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) are among the most wide-reaching and complex regulatory compliance laws that include enterprise document management requirements.

Other laws with document management requirements include:

The Securities and Exchange Commission (SEC) and the Internal Revenue Service (IRS) also have established enterprise document management rules for the industries they oversee.

Industry-established regulations can also impose document management obligations. The National Association of Securities Dealers (NASD) and the New York Stock Exchange (NYSE) require their members to have records retention, supervision and evaluation systems. Merchants and other organizations that process, store or transmit credit card numbers are required to comply with the Payment Card Industry Data Security Standard.

E-document management moves up the state CIO agenda
Electronic document management requires an enterprise-wide approach that includes careful planning and a whole host of players.

What regulations require compliance audits?
Learn which regulations require compliance audits, which in turn will drive better enterprise document management strategies.

What compliance requirements are there for EDM?

Enterprise document management requirements vary depending on which laws or regulations pertain in a given industry. Some industry associations have established document management standards that are independent of state or federal regulations.

Sarbanes-Oxley Act: SOX has wide-ranging implications for document management, as it affects all publicly traded companies, along with assorted auditors, brokers, public accounting firms and securities analysts. When these entities experience material changes in their financial condition or operations, they have to disclose it rapidly. They must also be able to retrieve the relevant data, such as email messages, when requested by auditors or regulators. The Sarbanes-Oxley Act sets out rules on financial reporting, audit committees, executive loans, insider trading and how management assesses controls, all of which can have implications for enterprise document management.

Learn more in this SOX FAQ.

HIPAA: The health care industry is subject to substantial compliance requirements under HIPAA, including data management rules. HIPAA privacy regulations limit how businesses covered under the law can use and disclose patients' individually identifiable data. The law also defines procedures for notifying victims of data breaches and allows patients to access their own data. HIPAA security regulations require covered businesses to put technical, administrative and physical safeguards in place to protect against data breaches.

Health care and pharmaceutical companies also face Food and Drug Administration regulations for enterprise document management. Title 21 CFR Part 11 sets out guidelines for how to manage data retrieval, access control and audit trails.

Learn more in this HIPAA FAQ.

Gramm-Leach-Bliley: The financial services industry faces substantial compliance challenges, given its strict enterprise document management regulations. The Gramm-Leach-Bliley Act pertains to banks, insurance companies, financial brokers, dealers, members of stock exchanges and other entities. GLBA established rules for protecting the confidentiality of financial information. A privacy rule defines how personal financial data is collected and disclosed, and a safeguards rule requires financial institutions to have systems for protecting the data.

Financial services firms also face data management rules under SEC Rule 17a-4, which requires that electronic records be stored in a format that cannot be overwritten or erased. The rule also sets retention requirements, including how long records of business transactions must be kept and the ability to store and manage communications about those transactions. While the rule does not mandate specific technology, it mentions imaging as one possibility.

IRS rules include records management for financial services firms as well, as defined by GLBA. As set out by the Federal Trade Commission, financial services firms must use an electronic storage system that either keeps images of paper records or transfers electronic records to electronic storage, which has to be able to preserve, retrieve and reproduce the records.

Members of the National Association of Securities Dealers and the New York Stock Exchange are subject to additional rules for email communications set forth by those organizations. Members of either must install an enterprise content management system and evaluate it regularly, including its compliance with requirements for managing email.

What is the role of IT in EDM?

IT is at the foundation of enterprise document management, along with the training, processes and procedures that underpin an overall compliance effort. As with any successful approach to regulatory compliance, IT departments must work with other sides of the business -- such as legal, financial and internal audit -- to create the most effective enterprise document management environment.

Avoid enterprise risk with compliance system controls
A lack of internal controls over activities and systems can lead to failed compliance initiatives and increased risk to the enterprise.

IT compliance documentation: Do it now
This tip from contributor Rebecca Herold drives home the urgency on moving forward on implementing enterprise content management systems.

Case Study: Document Management System Deployment Part of Law Firm's IT Overhaul
Law firm Paul Hastings had a case for migrating to Voice over Internet Protocol, centralized storage and document management: entering the 21st century.

What are the penalties for noncompliance?

Failure to comply with regulatory obligations can result in fines and prison terms, depending on the regulation. Under the Sarbanes-Oxley Act, the destruction of email can result in fines of up to $5 million and 20 years' imprisonment. Noncompliance with the Gramm-Leach-Bliley Act can result in five years in prison as well as fines.

Industry-established regulations, such as those established by the New York Stock Exchange or the Payment Card Industry Security Standards Council, don't threaten imprisonment for noncompliance but can impose fines.

For more on regulation-specific fines, review HIPAA penalties, HITECH penalties, PCI DSS penalties and SOX penalties.
