A systematic approach to vital records management is an important part of a comprehensive business continuity plan. Additional benefits include:
- Reduced storage costs
- Expedited service
- Federal and state statutory compliance
Records should be retained not only as proof of financial transactions, but also to verify compliance with legal and statutory requirements. In addition, businesses must satisfy retention requirements as an organization and employer. These records are used for independent examination and verification of sound business practices.
Federal and State requirements for records retention must be analyzed by each organization individually. Each organization should have its legal counsel approve its own retention schedule. The attached exhibit contains a suggested format for a records retention schedule.
Potential approaches for protection of vital records include:
- Onsite fire-rated vault, safe or storage cabinet
- Offsite storage at another location of the organization
- Offsite storage at another organization
- Reciprocal agreement with another organization
- Storage at a company that specializes in offsite vital records storage
- Electronic vaulting
- Various combinations of the above approaches
The alternative that is most appropriate for an organization depends on several factors such as risk, type of media, storage quantities, frequency of storage, costs and other considerations.
VENDOR EVALUATION CRITERIA
There are several vendors that provide offsite storage services for vital records. The following criteria can be used to evaluate an offsite storage vendor:
1. Location. The location of the offsite storage facility should include the following considerations:
- Distance - the facility should be located a sufficient distance from the organization such that a disaster would not impact both locations similarly.
- Accessibility - the facility should have adequate access roads with alternate routing if needed. The facility should be accessible within a reasonable period of time such that the records can be obtained quickly.
- Safety - proximity to high-risk areas such as airports, railroads, chemical plants, flood plains, tornado belts, etc. should be minimized.
- Security - rural and low-traffic areas can be more secure.
2. Building Characteristics. The characteristics of the building construction include:
- Aboveground storage
- Underground storage
- Steel-reinforced fireproof construction
- Concrete versus cement construction
- Walls several inches thick
- Other construction characteristics
The combination of steel and concrete provides dual reinforcement and is therefore less likely to collapse in the event of a natural disaster.
3. Management Policies. Examples of these policies include:
- Restricting storage of high-theft items such as:
- Segregating the storage of paper documents versus computer media
- Record keeping
- Using discretion in revealing the address or phone number of the site
- Reducing exposure by marking buildings in such a way that their exact purpose cannot be guessed
- Other management policies
4. Security. The level of security includes the following considerations:
- Record privacy
- Electronic card access system
- Closed-circuit television
- Security guards and hours of coverage
- Unmarked building
- Unmarked and environmentally controlled delivery vehicles
- Intrusion alarms
- Restricted access areas
- Limited number of windows
- Windows wired to security system
- Absence of glass
- Security system connected to police, fire and security service
- Limited number of access paths (i.e., doors)
- Mantrap area (i.e., two sets of locked doors preventing unauthorized access)
- Sign-in logs
- Visitor badges and escort practices
- Unmarked bin storage locations (i.e., company name)
- Bonded employees
- Background checks
- Data categorization (i.e., classified or highly secretive documents)
- Other security considerations
The facility should be within a chain-link fence. All visits to the facility should be prearranged and use a sign-in log to record the date and time of all visits. Visitors should show a picture ID and wear a badge when in the facility. Visitors must be accompanied throughout the visit. It is also important to determine if high-risk businesses are located in the same area as the vendor.
5. Environmental controls. The facility should have several levels of fire detection and suppression equipment, and the temperature and humidity should be carefully monitored. Other environmental considerations are:
- Underground telephone lines
- Underground electrical lines
- Internal loading facility
- Emergency lights
- Fireproof vault
- Walls extended to structural ceiling
- Backup power
- Backup heating/air conditioning systems
- Automatic fire dampers
- Floor drains
- Water detectors
- Dry-charged pre-action zoned sprinkler system, where appropriate
- EPA approved fire extinguishing system, where appropriate
- Dust filtration systems
6. Storage techniques. The storage technique is important so that records can be quickly located in an emergency. The vendor should have a locator system that stores the records in a systematic manner. Paper should be stored in a different location than magnetic media because paper is a fire hazard and requires special monitoring. In addition, because of the sensitivity of magnetic media, different fire suppression systems are used on magnetic media than on paper.
The containers in which the offsite medium is stored should be well constructed to prevent damage to contents if dropped, and provide added protection against dust and water. Vaults should be located away from the loading and unloading area.
7. Record Keeping. An automated inventory control system should be used to log all records received and removed by the customer and by storage location. Bar-coding systems can facilitate the inventory management and control techniques and reduce human error. The vendor should provide a monthly report that documents all records presently stored at the offsite location. A high level of logical security should be used to keep client information from unauthorized or illegal users.
8. Convenience. Because of the importance of the files, the offsite storage vendor should offer 24-hour access, courier service, photocopying, notary services, conference rooms and a convenient location. Some vendors also provide tape rotation, cleaning, maintenance and destruction.
9. Atmospheric controls. The climate within a storage vault should be maintained between 60 and 70 degrees Fahrenheit to prevent damage to electronic media. Humidity must be regulated as well, with levels kept between 40 and 50 percent to prevent harmful condensation. The offsite storage facility should have a ventilation system that eliminates impurities from the air such as dust particles. (The slightest amount of dust may cause read/write errors and damage drives.)
The same controls should be present in the delivery van that picks up the media and delivers it. The media should be kept in the correct environment for the entire trip and not be unloaded on an outdoor loading dock, where media could be subject to temperature extremes. The delivery vehicles should be in good working condition and also be equipped with a fire protection system.
Temperature and humidity controls should be based on the needs of the storage media. Overall, it is important to inspect environmental controls carefully, since the presence or absence of these controls will affect the quality of the backups.
10. Contract. The vendor's contract should include proper terms and conditions. It should clearly state the responsibilities of the vendor.
11. References. The vendor should be asked for references; however, if references are provided without permission, it could be a breach of security.
12. Audit. Periodically, there should be an audit of the offsite storage vendor to determine if the proper security and controls are followed. Some of the procedures could include:
- Comparing the perpetual inventory records of the government organization for offsite storage with the perpetual inventory records maintained by the vendor
- Performing a physical inventory of the media maintained offsite and comparing it to the perpetual inventory records of the government organization
- Visiting the offsite storage location and evaluating physical security and controls
- Observing storage techniques and determining the amount of time to locate the specific media
- Evaluating management policies
Most business continuity plans assume that offsite storage of vital records will survive. Accordingly, organizations should safeguard vital records and should carefully evaluate the safety and soundness of the offsite storage facility.
Geoffrey H. Wold, CPA, CMA, CMC, CDP, CSP, CISA, CFSA, CIRM is the Managing Director for LBL Technology Partners. He specializes in providing a wide range of technology planning services for a variety of industries and has written 20 books on several technology topics including eight books on business continuity planning.
Tina L. Vick, CPCP, CFSA is a Senior Manager at LBL Technology Partners. She has national responsibility for their business continuity planning products and services.
Sample Records Retention Schedule
Filing Method _________________________________________________________
Suggested Retention Period _____________________________________________