Tag Archives: compliance

Making Your Website More Useful For More People

This post was originally published on the LSC Technology Blog in January of 2014. LSC is Legal Services Corporation, my employer.

At LSC, we’ve been taking a critical look at our web site, to see if we can make it a more useful web site by factoring in all of the ways that people might want to view or use our information. In these days of big data and small screens, we realize that we have to be much more attentive to the ways that we present data than we have in the past.

Identifying the different visitors who frequently use our site, we took a closer look at their needs, and how we could improve our delivery of information to them. For example, visitors to LSC’s web site could be:

  • reporters or Hill staffers looking for a quick cut and paste of data on the site that is hard to get out of a linked PDF;
  • general public looking for data to pull into a spreadsheet, who would also be disappointed to find that data in a PDF;
  • visually or physically impaired, and therefore not able to view web content that isn’t compliant with the standards that their specialized software requires;
  • accessing the site on a mobile device that doesn’t display Flash or video and has no capability to display a PDF.

The PDF Problem

Adobe has done great things with the Portable Document Format, opening it up as a public standard and continually improving the functionality of the format. But this is not an optimal format for web-based content, because PDFs require additional software in order to be viewed, and they need to be created with a solid understanding of how PDFs need to be prepared, so that they are compatible with accessibility standards. Our goal is to ensure content is delivered optimally, and in a format that makes it easy to access for anyone and everyone visiting our site.

In the past, we’ve relied heavily on publishing web content via PDF, and we now have a backlog of documents that aren’t as widely usable as we would like. Our plan is to immediately make two changes:

  1. Use PDF sparingly and thoughtfully as we move forward. Use PDFs as optional downloads for content that is also displayed in HTML, or as appropriate downloads for white papers and legal reports that aren’t the types of things that users will want to quote or edit; design PDFs that are compatible with the section 508 standards for web accessibility.
  2. Determine which of our existing PDFs need to be republished in more accessible formats and convert them. We don’t have the resources to fix everything, but we have good statistical data from Google Analytics to tell us which PDFs our visitors look at and a good idea how to prioritize this content.

Open Web

As a nonprofit that allocates federal funds, we have a responsibility to make data available to the public. But a commitment to open data means more than just making the data available; it needs to be available in formats that people can easily use. Data stored in an HTML table can be copied and pasted into Excel. Data in PDF and image formats can’t be, at least, not easily. As David Ottewell recently tweeted, a PDF of a spreadsheet is not a spreadsheet. These efforts dovetail with our broader efforts to make data available in manipulatable formats.

Wild, Wild Web

It is also important that our web site deliver the same user experience on smartphones or tablets as it would when viewed on desktop or laptop browsers. This wasn’t high on our radar in 2011, when we redesigned our website in the Drupal content management system. At the time, we developed a mobile site as a separate, fractional copy of our main site.

Looking ahead

A modest revamp of LSC.GOV is planned for the second half of 2014 to improve the site navigation and responsiveness on multiple devices (e.g. one site that alters its navigational elements and appearance to properly utilize the screen that it’s displayed on). We also won’t forget the visitors that don’t have smart phones and how best to make information available to them.

Having a website that anticipates the diverse needs of our online visitors is our goal. What’s yours? What are your current challenges?

The Case Against Internet Explorer 6

This post originally appeared on the Idealware Blog in August of 2009.

Photo courtesy JChandler’s Tombstone Generator

Internet culture addicts like me have taken gleeful note of Mashable’s campaign to rid the world of Microsoft’s Internet Explorer version 6.  Anyone who develops public web pages (and cares if they are compatible with other and/or modern browsers) is sympathetic to this cause.  The hoops that we have to jump through to make our pages look acceptable in IE6 while taking advantage of the nearly decade old CSS positioning commands are ridiculous.  When I was doing web consulting a few years back, IE6 compatibility coding generally took up about 20% of the total project time.

Microsoft’s response to the Mashable campaign was to defend the brontosaurus-like pace of corporate IT Departments in performing application updates. Here’s the pertinent MS Spokesperson quote:

“[Corporate IT departments] balance their personal enthusiasm for upgrading PCs with their accountability to many other priorities their organizations have. As much as they (or site developers, or Microsoft or anyone else) want them to move to IE8 now, they see the PC software image as one part of a larger IT picture with its own cadence.”

Huh! This from the company that kept threatening to drop Windows XP support in order to force us to Vista.

But, sarcasm aside, this is a flawed argument.  The “cadence” in which an IT Department upgrades software should be influenced by changes in the general technology landscape. Business (and nonprofit!) networks use the Internet. Those networks are already integrated with the world at large. Since the web browser is one of the primary interfaces to external data, it’s easy to make the case that it needs to be upgraded more often than word processors and spreadsheets.

Many major web sites are designed with CSS 3.0 formatting. IE6 doesn’t fully support the 11 year old CSS 2.0 specification. IT departments that aren’t prioritizing this upgrade are providing poor support for users who need such websites. They’re also creating more work for themselves supporting the workarounds. Large companies might have far more computers to upgrade, but they also have software that automates that process. The key issue is training. Microsoft dramatically changed the user interface of Internet Explorer with version 7, but there are options to default back to the IE6 layout. The hassle of learning the new interface is certainly not as bad as not being able to properly use websites that are designed for more modern browsers.

What really irks me is the way that Microsoft has described the “IE6 must die” campaign as being intended to appease “technology enthusiasts”. The push to move users to modern browsers is not about my desire to use non-business applications like Facebook, Digg and YouTube (and classifying these web sites as “non-business” is a pretty debatable point as well). It’s about my desire to benefit from advancements in web technology, and provide my staff with new tools that promote their mission-focused work.

With the HTML 5 specifications about to become the new standard, IE6 is obsolete. The types of things that IE6 doesn’t support are the things that are making web-based applications viable, affordable alternatives to traditional software.  Microsoft has been in the driver’s seat of the companies that set the pace of technology advancement. They should be consistent in supporting the migration and adoption to those new standards, given a reasonable amount of time.  Eight years is reasonable.  IE6 must die, and Microsoft should join the chorus.

Pop Quiz: PCI Compliance

This post was first published on the Idealware Blog in August of 2009.

The credit card industry is doing the right thing by consumers and enforcing proper security measures regarding the handling of credit card information. You might have heard about this – a number of the popular vendors of donor databases are recommending upgrades based on their compliance with these regulations. The “Payment Card Industry Data Security Standard”, commonly known as PCIDSS, is a set of guidelines for securely handling credit card information. The standard has been around for about four years, but early enforcement efforts focused on companies with a high volume of credit card transactions. Now that they’re all in compliance, they’ve set their sights on smaller businesses and nonprofits. So, what does this mean? Here’s the simplest F.A.Q. that you’re likely to find on the topic:

  • Do you ever process online, phoned in, or mailed-in credit card donations in-house? e.g., do you maintain the credit card number, expiration date and name of a donor?

If no, you don’t have to worry about this.

  • If yes, do you have more than 20,000 such transactions annually?

Well, if you do, congratulations!  Most nonprofits don’t, so they qualify for level 4 of the PCI Compliance scale. That results in a Self Assessment Questionnaire (SAQ) Validation type of “4”.  Higher validation types are subject to stricter security standards.

The Self-Assessment Questionnaire will ask you all sorts of technical questions about your network and security procedures.  Do you have a firewall?  Are all of your transactions encrypted?  Do you use anti-virus software?  Is credit card information properly restricted to authorized staff?

Depending on your network, you might already comply with a lot of the requirements.  If you don’t, then it might require a significant investment to get there.

  • What will happen if I ignore this?

This isn’t government regulation (although your state might have laws in place that do mandate some similar response). Participation is not mandatory.  But, should your security be breached, two things will happen:

  1. The compliance requirements for your organization will be reassessed to level one or two, and they’ll be much more costly and complicated to meet.  The credit card companies might decline to do business with you if you don’t comply.  Can you afford to not take Visa?
  2. You will likely be indirectly fined for non-compliance.  The credit card companies will hold your bank liable for losses due to credit card theft in situations where your security was substandard.  Your bank will likely pass that fine on to you.

  • So what’s the easiest way to deal with this?

Simple: don’t handle credit cards.  There are a number of services that, for a price, will do this for you, from Paypal and Google Checkout to CharityWeb and Blackbaud’s BBNow. Outsourced ECRM software (NetCommunity, Convio, Democracy in Action, etc.) will also handle it. The cost is likely not as significant as that of maintaining compliance or suffering the consequences of a non-compliant breach.

I’ll share that, at the Goodwill where I used to work, outsourcing wasn’t an option, because we were both a charity and a retailer. Our frustration was not that we didn’t have good security in place.  It was that there were differences in how we had set up our security and the PCIDSS requirements.  So, while we had done a lot of work and made significant investments, we still had to reconfigure things and spend more in order to be compliant.  In addition to making our internal IT changes, we had to switch software programs in order to avoid storing credit cards unencrypted in our database, a typical problem.  We also engaged a consultant.  Once you are reasonably sure that you comply, then you must pay a security service to verify your efforts, another non-trivial expense.

Blackbaud has put together some good further reading on this topic (and they are one of the vendors whose latest software is compliant; ask your eCRM vendor!).

The Silo Situation

This post originally appeared on the Idealware Blog in May of 2009.

The technology trend that defines this decade is the movement towards open, pervasive computing. The Internet is at our jobs, in our homes, on our phones, TVs, gaming devices. We email and message everyone from our partners to our clients to our vendors to our kids. For technology managers, the real challenges are less in deploying the systems and software than they are in managing the overlap, be it the security issues all of this openness engenders, or the limitations of our legacy systems that don’t interact well enough. But the toughest integration is not one between software or hardware systems, but, instead, the intersection of strategic computing and organizational culture.

There are two types of silos that I want to discuss: organizational silos, and siloed organizations.

An organizational silo, to be clear, is a group within an organization that acts independently of the rest of the organization, making their own decisions with little or no input from those outside of the group. This is not necessarily a bad thing; there are (although I can’t think of any) cases where giving a group that level of autonomy might serve a useful purpose. But, when the silo acts in an environment where their decisions impact others, they can create long-lived problems and rifts in critical relationships.

We all know that external decisions can disrupt our planning, be it a funder’s decision to revoke a grant that we anticipated or a legislature dropping funding for a critical program. So it’s all the more frustrating to have the rug pulled out from under us by people who are supposed to be on the same team. If you have an initiative underway to deploy a new email system, and HR lays off the organizational trainer, you’ve been victimized by a silo-ed decision. On the flip side, a fundraiser might undertake a big campaign, unaware that it will collide with a web site redesign that disables the functionality that they need to broadcast their appeal.

Silos thrive in organizations where the leadership is not good at management. Without a strong CEO and leadership team, departmental managers don’t naturally concern themselves with the needs of their peers. The expediency and simplicity of just calling the shots themselves is too appealing, particularly in environments where resources are thin and making overtures to others can result in those resources being gladly taken and never returned. In nonprofits, leaders are often more valued for their relationships and fundraising skills than their business management skills, making our sector more susceptible to this type of problem.

The most damaging result of operating in this environment is that, if you can’t successfully manage the silos in your organization, then you won’t be anything but a silo in the world at large.

We’ve witnessed a number of industries, from entertainment and newspapers to telephones and automobiles, as they allowed their culture to dictate their obsolescence. Instead of adapting their models to the changing needs of their constituents, they’ve clung to older models that aren’t relevant in the digital age, or appropriate for a global economy on a planet threatened by climate change. Since my focus is technology, I pay particular attention to the impacts that technological advancement, and the accompanying change in extra-organizational culture (e.g., the country, our constituents, the world) have on the work my organization does. Just in the past few years, we’ve seen some significant cultural changes that should be impacting nonprofit assumptions about how we use technology:

  • Increased regulation on the handling of data. We’re wrestling with the HIPAA laws governing handling of medical data and PCI standards for financial data. If we have not prioritized firewalls, encryption, and the proper data handling procedures, we’re more and more likely to be out of step with new laws. Even the 990 form we fill out now asks if we have a document retention plan.
  • Our donors are now quite used to telephone auto attendants, email, and the web. How many are now questioning why we use the dollars they donate to us to staff reception, hand write thank you notes, and send out paper newsletters and annual reports?
  • Our funders are seeing more available data on the things that interest them everywhere, so they expect more data from us. The days of putting out the success stories without any numbers to quantify them are over.

Are we making changes in response to these continually evolving expectations? Or are we still struggling with our internal expectations, while the world keeps on turning outside of our walls? We, as a sector, need to learn what these industrial giants refused to, before we, too, are having massive layoffs and closing our doors due to an inability to adapt our strategies to a rapidly evolving cultural climate. And getting there means paying more attention to how we manage our people and operations; showing the leadership to head into this millennium by mastering our internal culture and rolling with the external changes. Look inward, look outward, lead and adapt.

SaaS and Security

This post was originally published on the Idealware Blog in May of 2009.

My esteemed colleague Michelle Murrain lobbed the first volley in our debate over whether ’tis safer to host all of your data at home, or to trust a third party with it. The debate is focused on Software as a Service (SaaS) as a computing option for small to mid-sized nonprofits with little internal IT expertise. This would be a lot more fun if Michelle was dead-on against the SaaS concept, and if I was telling you to damn the torpedoes and go full speed ahead with it. But we’re all about the rational analysis here at Idealware, so, while I’m a SaaS advocate and Michelle urges caution, there’s plenty of give and take on both sides.

Michelle makes a lot of sound points, focusing on the very apt one that a lack of organizational technology expertise will be just as risky a thing in an outsourced arrangement as it is in-house. But I only partially agree.

  • Security: Certainly, bad security procedures are bad security procedures, and that risk exists in both environments. But beyond the things that could be addressed by IT-informed policies, there are also the security precautions that require money to invest in and staff to support, like encryption and firewalls. I reject the argument that the data is safer on an unsecured, internal network than it is in a properly secured, PCI-Compliant, hosted environment. You’re not just paying the SaaS provider to manage the servers that you manage today; you’re paying them to do a more thorough and compliant job at it.
  • Backups: Many tiny nonprofits don’t have reliable backup in place; a suitable SaaS provider will have that covered. While you will also want them to provide local backups (either via scheduled download or regular shipment of DVDs), even without that, it’s conceivable that the hosted situation will provide you with better redundancy than your own efforts.
  • Data Access: Finally, data access is key, but I’ve seen many cases where vendor licensing restricts users from working with their own data on a locally installed server. Being able to access your data, report on it, back it up, and, if you choose, globally update it is the ground floor that you negotiate to for any data management system, be it hosted or not. To counter Michelle, resource-strapped orgs might be better off with a hosted system that comes with data management services than an internal one that requires advanced SQL training to work with.

Where we might really not see eye to eye on this is in our perception of how “at risk” these small nonprofits are, and I look at things like increasing governmental and industry regulation of internal security around credit cards and donor information as a time bomb for many small orgs, who might soon find themselves facing exorbitant fines or criminal charges for being your typical nonprofit, managing their infrastructure on a shoestring and, by necessity, skimping on some of the best practices. It’s simple – the more we invest in administration, the worse we look in our Guidestar ratings. In that scenario, outsourcing this expertise is a more affordable and reliable option than trying to staff to it, or, worse, hope we don’t get caught.

But one point of Michelle’s that I absolutely agree with is that IT-starved nonprofits lack the internal expertise to properly assess hosting environments. In any outsourcing arrangement, the vendors have to be thoroughly vetted, with complete assurances about your access to data, their ability to protect it, and their plans for your data if their business goes under. Just as you wouldn’t delegate your credit card processing needs to some kid in a basement, you can’t trust your critical systems to some startup with no assurance of next year’s funding. So this is where you make the right investments, avail yourself of the type of information that Idealware provides, and hire a consultant.

To me, there are two types of risk: The type you take, and the type you foster by assuming that your current practices will suffice in an ever-changing world (more on this next week). Make no mistake, SaaS is a risky enterprise. But managing your own technology without tech-savvy staff on hand is something worse than taking a risk – it’s setting yourself up for disaster. While there are numerous ways to mitigate that, none of them are dollar or risk free, and SaaS could prove to be a real bang for your buck alternative, in the right circumstances.

Balancing Act

My friends at Blackbaud referred me to this excellent post by Jay Love, CEO of ETapestry, once a small donor database service, now a subsidiary of the mother of all donor database companies. Jay’s timely caution to nonprofits is that they be skeptical about all of the for-profit folk answering their employment ads in the face of the poor economy. People from that side of the dollar fence are generally unprepared for the culture of nonprofits. His story about vendors trying to break into our sector with no experience or research into our needs is fascinating. But I have a different take on hiring people from the for-profit world, and while Jay seems to be saying “don’t do it”, I’m on the “be sure to do it – in moderation” side.

Of course, the healthy disclaimer is that I never worked for a nonprofit, or knew all that much about the culture, before I took a job at Goodwill in late 2000. But I did have enough sense to pick an NPO that ran more like a traditional business than most, at least in some ways, and I took some time to adjust to the culture before I tried to push through any changes. Which isn’t to say that I blend all that well – I’m one of the people complaining that we move too slowly and that consensus is not a value, it’s a tool that, like most tools, is better suited for some tasks than others.

Any business (and nonprofits are businesses) benefits from diversity, just as any business benefits by retaining internal expertise. Businesses suffer when they lean too far in one direction or the other. If your hiring policy is to only hire people who are lifetime nonprofit workers, you run the risk of stifling innovation and you court stagnation. The world doesn’t sit still around us, so we have to dynamically adapt to it. A key tool for managing that adaption is to maintain a diversity of experience and skills in your organization.

Think about it: ten or fifteen years ago, non-profits were largely unregulated. There was no HIPAA. There was no Sarbanes-Oxley, which, while not designed for NPOs, is generally agreed to impose guidelines on us. There was no PCI compliance, the next wave of external oversight that will demand that we modify our processes and investments. Beyond the 990 and what we chose to disclose about our outcomes, there was little demand for detailed metrics. These are all circumstances that the for-profit world, with traditional government oversight and accountability to shareholders has dealt with for decades. We need some of that expertise.

Of course, it’s a scale, and just as we can suffer from cultural insulation, we can suffer by turning over too dramatically. While I would steadfastly debate that we need some of that for-profit perspective on board, I’ve seen a few examples of for-profit executives that take over as CEOs and — because the nonprofit style is so antithetical to the big business style — quickly replace everyone that, to them, looked like they weren’t up to the task of running “a business”. This type of culture change, in a nonprofit, is deadly, because it is a misconception to think that we can run like normal businesses. When that happens, the nonprofit runs the risk of losing all of the internal historical expertise, as the people who aren’t squeezed out don’t stick around for the cultural change, and the new execs face the budgeting challenges with no perspective to draw on.

So, a businessman like me – and I absolutely consider myself a businessman — gets frustrated with the slow pace at the nonprofits that I work for. And I beg, moan and try and shame my boss into adopting more business-like practices. But I don’t sweat it too much, because, at the end of the day, even if we don’t do things in the efficient and productive ways that I’m so stuck on adopting, we still do an amazing job of defending the planet, or, you can fill your mission in here. I’d hate to see it fall apart because we didn’t properly comply with regulations or we simply didn’t manage our resources well, and we have to staff to address that. So my shoutback to Jay Love is that the bunker mentality is a bit much. Let a few for-profit types in the door. But, until they understand and value our culture, don’t let them drive.

Complying with Data Security Regulation

This post was originally published on the Idealware Blog in November of 2008.

An article appeared in the NonProfit Times this week regarding a recent ruling in Nevada requiring that all personal information be securely transmitted, e.g. encrypted. The article, “States Push To Encrypt Personal Data,” is by Michelle Donahue and quotes, among others, me and our friend Holly Ross, Executive Director of NTEN — it’s a worthwhile read. The law in question is a part of Nevada’s Miscellaneous Trade Regulations and Prohibited Acts. I’ve quoted the relevant pieces of this legislation below, but I’ll sum it up here:

Personal information can not be transferred to you by your customers (donors) without encryption. Personal information is defined as any transmittal of someone’s name along with their credit card number, driver’s license, or other data that could be used to access their financial records.

Nevada is the first state to pass legislation like this, but it’s a good bet that they are the first of fifty. Massachusetts is right behind them. And if the government won’t get you, the credit card industry might. The regulations that they impose on larger retailers for credit card security are even tougher. These initially applied to retailers bringing in far more money via credit card than most of us do, but they have lowered the financial threshold each year, bringing smaller and smaller organizations under that regulatory umbrella.

So, the question is, how many of you receive donations via email? If you do accept donations over the web, are you certain that they’re encrypted from the time of input until they land inside your (secured) network? What do you do with them when you receive them? Do you email credit card numbers within the office? Retain them in a database, spreadsheet or document?

Most nonprofits are understaffed and unautomated. We accept donations in any manner that the donors choose to send them, and get them into our records-keeping systems in a myriad of fashions. The bad news here is that this will have to change. The good news is, if you do it right, you should be able to adopt new practices that streamline the maintenance of your donor data and reduce the workload. Even better, if the solution is to move from Excel or Word to Salesforce or Etapestry, then you’ll not only have a better records-keeping system, you’ll also have good analytical tools for working with your donors.

Automating systems, refining business processes, improving data management and maintenance — these are all of the things that we know are important to do someday. It looks like the urgency is rising. So don’t treat this threat as an impediment to your operations — treat it like an opportunity to justify some necessary improvements in your organization.

The relevant snippet from the Nevada law:

“1. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.

2. As used in this section:

(a) “Encryption” has the meaning ascribed to it in NRS 205.4742.

(b) “Personal information” has the meaning ascribed to it in NRS 603A.040.”

“Personal Information” is defined as:

“Personal information” means a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

1. Social security number.

2. Driver’s license number or identification card number.

3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.

The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.”

Better Organization Through Document Management Systems

This article was originally published at Idealware in January of 2007.

Is your organization drowning in a virtual sea of documents? Document management systems can provide invaluable document searching, versioning, comparison, and collaboration features. Peter Campbell explains.

For many of us, logging on to a network or the Internet can be like charting the ocean with a rowboat. There may be a sea of information at our fingertips, but if we lack the proper vessel to navigate it, finding what we need — even within our own organization’s information system — can be a significant challenge.

Organizations today are floating in a virtual sea of documents. Once upon a time, this ocean was limited to computer files and printed documents, but these days we must also keep track of the information we email, broadcast, publish online, collaborate on, compare, and present — as well as the related content that others send us. Regulatory measures like the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA) have created a further burden on organizations to produce more documents and track them more methodically.

Taken as a whole, this flood of created and related content acts as our nonprofit’s knowledge base. Yet when we simply create and collect documents, we miss the opportunity to take advantage of this knowledge. Not only do these documents contain information we can reuse, we can also study them to understand past organizational decisions and parse them to produce metrics on organizational goals and efficiencies.

Just as effective document management has become an increasing priority for large companies, it has also become more important — and viable — at smaller nonprofits. And while free tools like Google Desktop or Windows Desktop Search can help increase your document-management efficiency, more sophisticated and secure document-management tools — called Document Management Systems (DMSs) — are likely within your reach. Document management systems offer integrated features to support Google-esque searching, document versioning, comparison, and collaboration. What’s more, when you save a document to a DMS, you record summary information about your document to a database. That database can then be used to analyze your work in order to improve your organization’s efficiency and effectiveness.

Basic Document Management

One way to increase the overall efficiency of your document management is simply to use your existing file-system tools in an agreed-upon, standardized fashion. For instance, naming a document “Jones Fax 05-13-08.doc” instead of “Jones.doc” is a rudimentary form of document management. By including the document type (or other descriptive data), you make your document easier to locate when you’re looking for the fax that you sent to Jones on May 13, as opposed to other erstwhile “Jones” correspondence. Arranging documents on a computer or file server in standard subfolders, with meaningful names and topics, can also be useful when managing documents.

For small organizations with a manageable level of document output, these basic document-storing techniques may suffice, especially if all document editors understand the conventions and stick by them. But this kind of process can be difficult to impose and enforce effectively, especially if your organization juggles thousands of documents. If you find that conventions alone aren’t working, you may wish to turn to a Document Management System.

One huge advantage of this system is that it names and stores your documents using a standardized, organization-wide convention, something that can be difficult to maintain otherwise, especially given a typical nonprofit’s turnover rate and dependence on volunteers. What’s more, a DMS will track not just the date the file was last modified (as Windows does), but also the date the document was originally created — which is often more useful in finding a particular document.

In fact, a DMS’s “File > Open” dialogue box can locate files based on any of the information saved about a document. A DMS can narrow a search by date range, locate documents created by particular authors, or browse through recently modified documents, sparing you the necessity of clicking through multiple folders to find what you’re looking for. It will also allow you to search the content of documents using a variety of methods, including the Boolean system (e.g. “includes Word A OR Word B but NOT Word C”) and proximity criteria (e.g., “Word A and word B within n words of each other”). Just as Google has become the quickest way to pull Web-page “needles” out of a gigantic Internet haystack, a solid DMS allows you to quickly find what you’re looking for on your own network.

A good DMS also allows the document creator to define which co-workers can read, edit, or delete his or her work via the document profile. On most networks, this type of document protection is handled by network access rules, and making exceptions to them requires a call to the help desk for assistance.

  • Document check-in and check-out.

    If you try to open a file that someone else is already editing, a network operating system, like Windows Server 2003, will alert you that the file is in use and offer you the option to make a copy. A DMS will tell you more: who is editing the document, what time she checked it out, and the information she provided about the purpose of her revision and when she plans to be done with the document.

  • Document comparison.

    A DMS not only supports Word’s track-changes and document-merging features, but allows you to compare your edited document to an unedited version, highlighting the differences between the two within the DMS. This is a great feature when your collaborator has neglected to track his or her changes, particularly because it allows you to view the updates without actually adding the revision data to your original files, making them less susceptible to document corruption.

  • Web publishing.

    Most DMSs provide content-management features for intranets and even public Web sites. Often, you can define that specific types of documents should be automatically published to your intranet as soon as they’re saved to the DMS. (Note, however, that if your core need is to publish documents on a Web site, rather than track versions or support check-ins and check-outs, a dedicated Content Management System [CMS] will likely be a better fit than a DMS.)

  • Workflow automation.

    A DMS can incorporate approvals and routing rules to define who should see the document and in what order. This allows the system to support not only the creation and retrieval of documents, but also the editing and handoff process. For example, when multiple authors need to work on a single document, the DMS can route the file from one to the next in a pre-defined order.

  • Email Integration.

    Most DMSs integrate with Microsoft Outlook, Lotus Notes, and other email platforms, allowing you not only to view your document folders from within your email client, but also to save emails to your DMS. If, for example, you send out a document for review, you can associate any feedback and comments you receive via email with that document, which you can retrieve whenever you search for your original file.

  • Document Recovery.

    DMSs typically provide strong support for document backup, archiving, and disaster recovery, working in conjunction with your other backup systems to safeguard your work.

Three Types of Document Management Systems

If you decide that your organization would benefit from a DMS, there are a variety of choices and prices available. In general, we can break up DMSs into three types:

  • Photocopier- and Scanner-Bundled Systems

    Affordable DMS systems are often resold along with photocopiers and scanners. While primarily intended as an image and PDF management system, these DMSs integrate with the hardware but can also manage files created on the network. Bundled systems may not include the very high-end features offered by enterprise-level DMSs, but will offer the basics and usually come with very competitive, tiered pricing. A popular software package is offered by Laserfiche.

  • Enterprise-Level Systems

    These robust, sophisticated systems usually require a strong database back end such as Microsoft SQL or Oracle and tend to be expensive. Enterprise-level systems include the advanced features listed above, and some are even tailored to particular industries, such as legal or accounting firms. Examples of powerful enterprise systems include Open Text eDocs, Interwoven WorkSite, and EMC’s Documentum.

  • Microsoft Office SharePoint (MOSS 2007)

    Microsoft SharePoint is an interesting and fairly unique offering in the DMS area. While it’s best known as a corporate intranet platform, the 2007 version of the package provides building blocks for content, document, and knowledge management, with tight integration with Microsoft Office documents, sophisticated workflow and routing features, and extensive document and people-searching capabilities. It is a powerful tool and — typically — an expensive one, but because it is available to qualifying nonprofits for a low administrative fee through TechSoup (which offers both SharePoint Standard Edition and Enterprise Edition), it is also a far more affordable option for nonprofits than similar DMS products on the market. One caveat: SharePoint, unlike the other systems mentioned above, stores documents in a database rather than in your file system, which can make the documents more susceptible to corruption. (Note: SharePoint Server is a discrete product that should not be confused with Windows Shared Services, which comes bundled with Windows Server 2003.)

The Future of Document Management

The most significant changes in document management over the last decade have been the migration of most major DMS systems from desktop to browser-based applications, as well as their ever-increasing efficiency and search functionality. The growing popularity of Software as a Service (SaaS), tagging, and RSS tools is likely to impact the DMS space as well.

Software as a Service

SaaS platforms like Google Apps and Salesforce.com store documents online, on hosted servers, as opposed to on traditional internal file servers. Google Apps doesn’t currently offer the detailed document profile options standard DMSs do, but it will be interesting to see how that platform evolves.

Another SaaS product, Salesforce, has been active in the document management space. Salesforce’s constituent relationship management (CRM) platform currently allows organizations to simply upload documents for a constituent. Salesforce has recently purchased a commercial DMS called Koral, however, and is in the process of incorporating it into its platform, an enhancement that will help tie documents to the other aspects of constituent relationships.

Tagging

A startup called Wonderfile has introduced an online DMS that incorporates the heavy use of tagging to identify and describe documents. Using this software, you would move your documents to the Wonderfile servers and manage them online with Del.icio.us-style methods of tagging and browsing. A drawback is that, although Wonderfile is a creative solution, storing and sharing your documents online is more valuable when you can edit and collaborate on them as well. As full-fledged, Web-based document creation and editing platforms, Google Apps and its peers are a better alternative, despite their lack of tagging functionality.

Microsoft has also been quietly adding tagging capability to its file-browsing utility, Windows Explorer, allowing you to add keywords to your documents that show up as columns that you can sort and filter by. This works in both Windows XP and Vista.

RSS

While none of the existing DMSs are currently doing much with RSS — an online syndication technique that could allow users to “subscribe” to changes to documents or new content via a Web browser — Salesforce plans to integrate RSS functionality with its new Koral system. This type of syndication could be a useful feature, allowing groups of people to track document revisions, communicate about modifications, or monitor additions to folders.

Finding What You’re Looking For

Is it time for your organization to trade in that rowboat for a battle cruiser? With an ever-expanding pool of documents and resources, nonprofits need ways to find the information we need that are richer and more sophisticated than the standard filenames and folders. If your organization struggles to keep track of important documents and information, a DMS can help you move beyond the traditional “file-and-save” method to an organizational system that allows you to sort by topics and projects using a variety of techniques and criteria.

But we should all hope that even better navigational systems are coming down the road. Having seen the creative advances in information management provided by Web 2.0 features like tagging and syndication, it’s easy to envision how these features, which work well with photos, bookmarks, and blog entries, could be extended to documents as well.

 

Peter Campbell is the director of Information Technology at Earthjustice, a nonprofit law firm dedicated to defending the earth, and blogs about NPTech tools and strategies at Techcafeteria.com. Prior to joining Earthjustice, Peter spent seven years serving as IT Director at Goodwill Industries of San Francisco, San Mateo, and Marin Counties, and has been managing technology for non-profits and law firms for over 20 years.

Thanks to TechSoup for their financial support of this article. Tim Johnson, Laura Quinn of Idealware, and Peter Crosby of alltogethernow also contributed to this article.