Records Management Session 8 - PowerPoint PPT Presentation

Slides: 49
Provided by: daveho

Transcript and Presenter's Notes

Title: Records Management Session 8


1
Records Management Session 8
  • University of Alberta

2
Agenda for Session 8
  • Vital Records
  • Records Disaster Prevention and Recovery
  • Business Continuity Planning

3
Vital Records

4
What are Vital Records?
  • Vital Records are records that are essential to
    an organization's functions and ongoing business
    operations and that are impossible and/or
    expensive to replace
  • For example, accounts receivable records
  • On average, no more than three to five percent of
    an organization's records have vital status

5
What are Vital Records? (continued)
  • Vital records are irreplaceable because they give
    evidence of an organization's legal status,
    financial status, and/or basic operations
  • Vital records are required for any organization
    to be able to resume operations in the immediate
    aftermath of a disaster

6
Other Classes of Records
  • Important Records are records that are necessary,
    but not essential, to an organization's functions
    and ongoing business operations
  • For example, accounts payable records
  • In the event of theft or unscheduled destruction,
    these records can be replaced or reproduced
    (although this may involve substantial costs
    concerning time and/or money)

7
Other Classes of Records (continued)
  • Useful Records are records that are required to
    support the organization's functions and ongoing
    business operations
  • For example, bank statements
  • Loss of these records typically results in
    inconvenience
  • In the event of theft or unscheduled destruction,
    these records can be readily replaced or
    reproduced

8
Other Classes of Records (continued)
  • Nonessential Records are records with no ongoing
    value to the organization's functions and ongoing
    business operations
  • For example, vendor advertisements and
    announcements

9
Identifying Vital Records
  • See Handout
  • If left to their own devices, end users will most
    likely identify most to all of their records as
    being vital
  • Records management personnel must determine
    records' status based on information provided
    about the records themselves

10
Importance of Identifying Vital Records
  • Vital records must be protected so that they are
    readily available, as they are crucial for
    business operations
  • Must be protected from loss/destruction
  • Protection methods can be costly, so there is no sense in
    protecting all records, just vital records

11
Vital Records Protection Standard
  • The American National Standards Institute
    (ANSI), in conjunction with the Association of
    Records Managers and Administrators, Inc.
    (ARMA), has produced the following standard:
    Establishing a Vital Records Program
  • This standard states the requirements, including
    best vital records protection methods, for
    establishing and maintaining a vital records
    protection program for any organization

12
Vital Records Protection Requirements
  • The standard states that protection methods are
    chosen based on the following factors:
  • Record media format
  • Available resources (e.g., financial, space,
    systems, staffing, etc.)
  • Environmental and security requirements
  • The two primary protection methods are dispersal
    and protective storage
  • A vital records program may implement a
    combination of these two methods

13
Records Dispersal
  • Dispersal constitutes the scheduled distribution
    of duplicate copies of vital records to locations
    other than those where the original records are
    stored

14
Routine Dispersal
  • Routine Dispersal constitutes part of a routine
    business process and is not specific to vital
    records protection
  • Records are routinely copied, and the duplicates
    are sent to one or more alternate facilities
    and/or locations
  • Examples include computer backup tapes and
    creation/distribution of duplicate copies of
    paper records that are required simultaneously by
    multiple users in different locations

15
Designed Dispersal
  • Designed Dispersal is a protection method
    specific to vital records
  • Duplicate copies are produced and stored at
    alternate facilities and/or locations
  • This may include photocopying paper records, as
    well as copies made on alternate media formats
    (e.g., digitally imaging paper records, etc.)

16
Records Dispersal Tips
  • When dispersing vital record copies, it is
    necessary that the offsite storage facilities
    and/or locations be appropriate both for the
    storage of records, and also for the protection
    of vital records
  • Records storage requirements include temperature,
    humidity, security, and access controls that are
    common for the routine maintenance and protection
    of all records

17
Records Dispersal Tips (continued)
  • The offsite location should be located far enough
    away from the main organization facility so that
    an extreme or severe disaster would not heavily
    impact both locations
  • The offsite location should be readily accessible
    on a 24 hour basis, with well-constructed access
    roads, and be close enough to the main
    organization so that vital record duplicate
    records can be obtained relatively quickly in the
    event of a disaster
  • The offsite location should not be situated in
    the proximity of facilities and/or sites which
    are prone to disaster risks, such as airports,
    railroads, chemical plants, unstable ground,
    seismically-prone ground, floodplains, etc.

18
Vital Hard-Copy Records Protective Storage
  • Protective storage constitutes storing vital
    hard-copy (paper, microform) records in
    fire-resistant and environmentally-controlled
    equipment and/or rooms (e.g., vaults)

19
On-Site Protective Storage
  • On-Site Storage constitutes storing vital
    hard-copy records onsite in the main organization
    facility, so users may readily access them
  • This approach, however, cannot guarantee vital
    records protection in the event of extreme or
    severe disasters
  • It is also important to note that vital hard-copy
    records may not be readily accessible following a
    disaster, as emergency service authorities may
    bar access to the facility for a potentially
    lengthy period of time.

20
Off-Site Protective Storage
  • Off-Site Storage constitutes storing vital
    hard-copy records in protective storage in a
    location other than the main organization
    facility
  • This approach, however, also leaves vital records
    susceptible to destruction in the event of
    extreme or severe disasters that affect the
    storage location
  • The vital records may also not be readily
    accessible following a disaster
  • However, the probability of a disaster affecting
    a well-chosen separate location is typically
    lower than for the main organization facility

21
Vital Electronic Records Protective Storage
  • Protective storage for electronic records
    constitutes storing the data in an alternate
    processing or electronic storage site
  • This does not typically include electronic
    records stored on tapes, optical disks, or
    compact disks (CDs)

22
Electronic Vaulting
  • Electronic Vaulting constitutes transferring
    vital records to an alternate server in a data
    warehouse or electronic vault

23
Data Replication
  • Data Replication constitutes replicating vital
    records from a primary processing site (e.g., the
    main organization facility) to an alternate site
  • The data stored at the alternate site will be
    used in the event the primary processing site is
    unavailable and/or inaccessible
  • Data replication is recommended when electronic
    data are continuously required or when the data
    must be recovered in a very short period of time

24
Data Replication (continued)
  • Transaction-aware replication involves
    electronically transmitting changes to the
    alternate site and applying them to a replicated
    dataset
  • Mirroring involves maintaining a replica of
    databases and/or systems by simultaneously
    applying changes at both the alternate site and
    the primary processing site
  • Shadowing involves maintaining a replica of
    databases and/or systems by continuously
    capturing changes and applying them at the
    alternate site

25
Records Disaster Prevention and Recovery
  • All records, not just vital records, must be
    protected

26
Requirements
  • Records disaster planning must address the
    following:
  • Actions to take to prevent, or minimize the
    probability of, potential disasters
  • Actions to take in the event of an actual
    disaster
  • Actions to take to restore business operations
    after an actual disaster

27
Preventing Records Disasters
  • Preventing a disaster is as important as
    establishing processes to follow in the event of
    an actual disaster
  • Although it is rarely possible to completely
    eliminate the probability of a risk or disaster
    from occurring, a records disaster recovery
    plan should identify potential hazards and
    mitigation strategies so as to minimize the
    probability of occurrence as much as possible

28
Identify Existing Risks to Records
  • A risk is any potential obstacle preventing an
    organization from achieving its goals and
    objectives
  • A risk assessment will include the following:
  • Identification of all actual and/or potential
    risks
  • The potential impacts of these risks on the
    organization's mandate and operations
  • The probability (e.g., high, medium, low) of
    these risks occurring
  • Recommended methods to mitigate these risks

29
Identify Existing Risks to Records (continued)
  • See Handout for illustration of sample risks
    identification

30
Preparation for Records Disasters
  • Facility and/or building layout
  • Detailing the locations of records, electrical
    boxes, fire extinguishers and alarms, heating and
    ventilating control panels, plumbing shutoff
    valves and/or switches, and any other pertinent
    issues
  • List of emergency equipment and supplies needed
    to recover records
  • For example, fans, electrical extension cords,
    portable generators, flashlights, records storage
    containers, plastic sheeting, gloves, safety
    helmets, etc.
  • Also information on where exactly these items are
    stored and how they may be obtained on very short
    notice

31
Staff and Contractor Responsibilities
  • A records disaster and recovery plan must address
    duties associated with all issues that may relate
    to protection of records and records recovery in
    the event of an actual disaster
  • Define and assign staff and/or external
    contractor roles with regard to the comprehensive
    range of specific areas of responsibility

32
Staff and Contractor Responsibilities (continued)
  • Follow all corporate policies and procedures re
    records protection and security
  • In the event of an actual records disaster:
  • Procure all necessary equipment and supplies
  • Secure any required and/or additional facility
    space for salvage operations
  • Arrange for necessary funding and/or credit to
    cover all expenses

33
Staff and Contractor Responsibilities (continued)
  • Conduct public and/or client relations activities
    as necessary
  • Liaise with appropriate public authorities, such
    as police and fire services
  • Liaise with insurance agency representatives
  • Clean and restore the damaged facility and/or
    equipment
  • Initiate and maintain backup and/or offsite
    operations

34
Staff and Contractor Responsibilities (continued)
  • Install software and files as needed to aid in
    recovering electronic records
  • Test and examine the computer systems, software,
    operating programs, and electronic records
  • Ensure building and/or facility security, as well
    as protection of all damaged and/or exposed
    records

35
Staff and Contractor Responsibilities (continued)
  • Staff and/or contractor roles may be assigned to
    individual persons, or they may be allocated to
    designated groups or teams of persons (e.g., a
    security team, etc.)
  • Emergency contact information, such as both work
    and home telephone numbers, must be documented
    for all parties that may play a role in disaster
    recovery (e.g., building security, building
    maintenance, insurance representatives, internal
    disaster recovery team members, internal systems
    staff, fire, police, etc.)

36
Requirements in Event of Records Disaster
  • Resource requirements
  • An offsite area (i.e., Backup Control Centre
    (BCC)) to be used for business resumption
    activities
  • Identification of critical business information
    resources
  • Initial assessment of disaster or situation
  • Meeting areas for team members involved in
    records recovery
  • Records recovery processes

37
Requirements in Event of Records Disaster (continued)
  • Also identify and document all other requirements
    regarding the following:
  • Stabilizing business operations
  • Mitigating emergency situations (e.g., fires,
    etc.)
  • Recovering damaged records
  • Resuming normal business operations as quickly
    and as efficiently as possible

38
Records Recovery Techniques
  • Vacuum Freeze Drying (best method, but expensive)
  • Vacuum Drying (not recommended)
  • Freezing (temporary measure)
  • Air Drying
  • Must then restore the facility!

39
Records Disaster Recovery Plan Testing
  • Once formally established, the Records Disaster
    and Recovery Plan must be periodically tested to
    ensure it will function effectively in the event
    of an actual records disaster
  • The testing will help to identify areas where
    processes and/or procedures should be improved or
    modified
  • There is a high probability that the Plan will
    not achieve all desired results in the event of
    an actual records disaster if it has not been
    periodically reviewed and revised as necessary

40
Records Disaster Recovery Plan Testing (continued)
  • The Plan will be tested via simulations or
    components checking (i.e., a dry run)
  • In this way, the problems that could occur during
    a major disaster can be addressed and mitigated
    but without the accompanying losses and costs
    associated with an actual disaster

41
Records Disaster Recovery Plan Testing (continued)
  • May consider the following:
  • Interactive discussion of possible test scenarios
    (i.e., visualizing the Plan being activated)
  • Disaster simulations and actual rehearsals (NOTE:
    may be costly and must be closely monitored to
    ensure proper control)
  • Inventorying and testing all onsite required
    resources, including computer systems
  • Inventorying and testing alternate site
    locations' equipment, systems, and all other
    resources
  • Checking the response time and effectiveness of
    third parties (i.e., external contractors and/or
    vendors) to ensure they meet their mandated
    commitments

42
Records Disaster Recovery Plan Testing (continued)
  • After the initial comprehensive test, subsequent
    tests need not occur as regularly (i.e., less
    often than once every two months) or necessarily
    be comprehensive in scope
  • However, it is recommended that a Plan's
    components be tested at least once a year

43
Records Disaster Recovery Plan Testing (continued)
  • Testing must be performed regularly and
    consistently, as opposed to being done on an
    ad-hoc basis
  • A test schedule must be prepared, indicating when
    each individual Plan component will be tested,
    and this schedule must be adhered to unless
    approved extenuating circumstances apply

44
Records Disaster Recovery Plan Testing (continued)
  • After a test has been conducted, the following
    steps must be performed:
  • Document the test results
  • Determine if future testing should be performed
    differently
  • Identify Plan deficiencies and/or inadequacies
    and take appropriate action

45
Business Continuity Planning
  • Moving Records to Offsite/Offline Storage

46
ISO Standard
  • The International Organization for
    Standardization (ISO) is the world's largest
    developer of internationally recognized and
    accepted standards
  • ISO has created a Standard that sets guidelines
    for the development, implementation, and
    maintenance of Business Continuity Plans
  • ISO/IEC 17799 (Information technology - Code of
    practice for information security management) was
    formalized and published in 2000
  • This Standard contains a section (Section 11)
    discussing business continuity management

47
ISO Standard
  • Identify Events that Can Interrupt Business
    Processes
  • Single Framework Exists for Business Continuity
    Plans
  • Will Ensure Restoration of Critical Business
    Processes
  • Regularly Tested
  • Maintained and Reassessed as Necessary
  • Reflect organizational and other changes

48
See you next class!