Protecting Records-What the Standards Tell Us: Key Standards Have Been Developed That Aid in Determining the Best Methods, Rationale, Environment, and Housing for Protecting Valuable Records. (Management Wise)

Article excerpt

At the Core

This article

* discusses key standards that comprise a good foundation for records protection

* defines RIM professionals' role in protecting records

One of the key competencies of the records and information management (RIM) profession is the appropriate management of inactive and vital records. Efficient and protective storage procedures, tasks, and processes are important to the success of any RIM program. Records should be available for access throughout their complete life cycle, regardless of the retention value assigned.

Historical records require additional processes not only to protect, but to also preserve the information for future reference. Records protection is also an integral part of a vital records and disaster prevention program. National and international standards have been developed that aid in determining the best methods, rationale, environment, and housing for protecting valuable records.

Foundation for Records Protection

Several key standards interact one with another to form a good foundation for records protection. These standards include

* ISO 15489-1: Information and Documentation--Records Management--Part 1: General

* ISO/TR 15489-2: Information and Documentation--Records Management--Part 2: Guidelines (although this is a technical report and not a standard, it is used in conjunction with the Part 1 standard)

* NFPA 75: Standard for the Protection of Electronic Computer/Data Processing Equipment 1999 Edition

* NFPA 232: Standard for the Protection of Records 2000 Edition

* NFPA 909: Code for the Protection of Cultural Resources 2001 Edition

As with any good investigation or analysis, these standards help resolve the who, what, when, where, and why of RIM protection. Each of the documents cover some aspect of "what" those responsibilities may be, and the meat of each of these documents covers the "when, where, and why." In general, the primary responsibility of developing, implementing, and managing a records and information program includes protecting records and information.

ISO 15489-1 and 15489-2 discuss the entire lifecycle program of records and information. NFPA 75 pertains to the protection from fire of electronic computer/data processing equipment and computer areas, and includes sections on records storage within or immediately outside a computer room. NFPA 232 very specifically applies to protecting all records from loss due to fire. Its requirements cover a range from "useful" short-term records to preservation protection of historical records. It includes separate requirements for vital records protection. NFPA 909 pertains to culturally significant structures, such as museums and libraries, and their contents. For the most part, records storage requirements in this standard point back to NFPA 232.

Some of the requirements are very specific, and others set general guidance for record protection decisions. Each applies to a specific aspect of records and information management.

ISO 15489-1: Information and Documentation--Records Management--Part 1: General

Part 1 of ISO 15489 "provides guidance on managing records of originating organizations, public or private, for internal and external clients." It specifically pertains to managing all records, in all formats and media, for the entire life cycle of the records and information. The standard describes all the elements of an adequate records management program that accurately creates, captures, and manages the records and information.

Clause 6.3 of ISO 15489-1 clearly designates records management professionals as responsible for all aspects of records management within an organization. This includes the "design, implementation, and maintenance of records systems and their operations." Implementing measures for records and information protection is clearly a part of this responsibility.

Records protection is covered in two clauses. Clause 8--Design and Implementation of a Records System includes a section on storage media and protection. Section 8.3.3--Physical Storage Medium and Protection requires consideration of appropriate storage environments for the record media, appropriate storage media for the required retention value of the record, appropriate handling procedures for records protection, and appropriate storage systems for the record value and media. The section also suggests that disaster preparedness is addressed to ensure that risks are identified and mitigated.

Clause 9--Records Management Processes and Controls includes a section on the storage and handling of records. Section 9.6--Storage and Handling sets requirements for the appropriate media, storage conditions, handling processes, accurate conversion of migration of records and the accessibility and reliability of electronic records. Records must be stored on media that ensure usability, reliability, authenticity, and preservation for the required retention value of the information.

Established storage conditions and handling processes must allow for the specific physical and chemical properties of the records media and must be designed to protect records from unauthorized access, loss, or destruction, and from theft and disaster. Higher quality storage and handling must be established for records of continuing value, irrespective of format, in order to preserve them for as long as that value exists.

Policies and guidelines for converting or migrating records from one records system to another should be developed and implemented. Systems for electronic records should be designed so that records will remain accessible, authentic, reliable, and usable through any kind of system change for the entire period of their retention.

ISO/TR 15489-2: Information and Documentation--Records Management--Part 2: Guidelines

Part 2 of ISO 15489 is a technical report developed as an implementation guide to Part 1. It is intended as one recommended methodology to facilitate the implementation of Part 1 in all organizations. It gives an overview of the processes and factors to consider in organizations wishing to comply with Part 1. Clause 2.3.2 of ISO 15489-2 states that records management professionals have the primary responsibility for the implementation of ISO 15489-1.

Records protection methodologies are covered in Clause 4--Records Processes and Controls.

Section 4.3.7.1--Record Storage Decisions discusses the factors used to develop records storage methods and processes. Desirable results of efficient storage of records include setting storage conditions that ensure the protection, accessibility, and management of records in a cost-effective manner. This is best accomplished by determining the most efficient and effective means of maintaining, handling, and storing records throughout the life cycle of the records. The established storage choices should be integrated with the overall records management program.

Storage options should take into account access and security requirements and limitations in addition to physical storage conditions. Records that are critical for business continuity should be incorporated into a vital records program that may set requirements for additional methods of protection and duplication to ensure accessibility of the records in the event of disaster. Other factors important in selecting storage and handling options include

* volume and growth rate of records

* use of records

* records security

* sensitivity needs

* physical characteristics

* records use as reflected in retrieval requirements

* relative cost of record storage options

* access needs

Section 4.3.7.2--Facility Considerations discusses the factors used to determine adequate and protective storage facilities. These factors include location, building structure, records housing and enclosures, and contracting storage services.

The location of the storage facility should be easily accessed and should not be in areas of known external risk such as a flood plain. The structure of the facility should provide the required range and stability of temperature and humidity levels for the record media to be stored. It also should meet all fire protection requirements and afford protection against water damage. It should provide protection from contaminants (such as radioactive isotopes, toxins, and active growth mold), safety measures, controlled access to storage areas, detection systems for unauthorized entry, and appropriate protection against damage caused by insects or vermin.

Shelving must be suited to the format of the records and be strong enough to bear potential loads. Containers and packaging ought to withstand handling and pressure exerted by the contents and should not damage the records during storage.

When using a contractor to store records and provide access to the information, it is important that service level agreements state the rights and responsibility of the record owners and the storage service provider.

Section 4.3.7.3--Digital Storage discusses the storage of records in electronic form. The most common form of information protection--backup systems--should include a regular backup schedule, multiple copies on a variety of media, dispersed storage locations for the backup copies, and provision for both routine and urgent access to the backup copies. Maintenance processes may be needed to prevent physical damage to the media. Records may need to be migrated to newer versions of the same media (or other new media) to prevent data erosion. Hardware and software obsolescence may affect the readability of stored electronic records and require conversion or migration strategies as part of the records protection plan.

NFPA 75: Standard for the Protection of Electronic Computer/Data Processing Equipment 1999 Edition

NFPA 75 sets the requirements for the protection of electronic computer/data processing equipment and computer areas. It covers risk considerations, structural construction requirements, computer equipment construction requirements, fire protection and detection equipment, utilities, and emergency and recovery procedures. In addition, it sets requirements for materials and equipment permitted in a computer area and records kept or stored in computer rooms.

Clause 4--Materials and Equipment Permitted in the Computer Area, Section 4-2--Records Storage discusses the fire protection of records stored in a computer area. The primary requirement is to limit the amount of records within the computer room to the absolute minimum required for essential and efficient operation. Tape libraries and record storage rooms within a computer area must be protected by fire-suppression systems and must be separated from the computer room and other portions of the computer area by fire-resistant construction rated at no less than one hour. Records storage rooms within a computer area must be used only for the storage of records. All other operations, such as splicing, repairing, erasing, reproducing, and cataloging are prohibited in the record storage room. Spare media may be stored in the records storage room if they are unpacked and stored in the same manner as the media containing records.

Clause 7--Records Kept or Stored in Computer Rooms discusses requirements for protecting records both within and outside computer rooms. Section 7-1--Protection Required for Records Within the Computer Room specifies protection requirements for vital, important, and other records. Vital or important records that have not been duplicated must be stored in listed record protection equipment with a Class 150 one-hour-or-better-fire-resistance rating as outlined in UL 72--Standard for Tests for Fire Resistance of Record Protection Equipment. All other records must be stored in closed metal files or cabinets.

Section 7-2--Records Stored Outside of the Computer Room requires all vital and important records to be duplicated and the duplicated records to be stored in a remote location that would not be exposed to a fire involving the original records. Vital and important records must be stored in fire-resistant rooms in accordance with NFPA 232--Standard for the Protection of Records.

Though not a part of the standard requirements, Appendix C of NFPA 75 contains excellent information called What to Do in the First 24 Hours for Damaged Electronic Equipment and Magnetic Media.

NFPA 232: Standard for the Protection of Records, 2000 Edition

NFPA 232 sets the requirements for records protection equipment and facilities and record-handling techniques that provide protection from the hazards of fire. It covers the following four categories of records storage environments and corresponding levels of risk tolerance:

* Records vaults--highest level of protection

* File rooms--intermediate level of protection for active and semi-active records

* Archival storage--high level of protection for permanently valuable records

* Records centers--intermediate level of protection for temporary records

Clause 1.7--Required Levels of Protection specifies defined levels of protection for vital, permanent, and long-term temporary records. These requirements include maintaining vital records in a records vault or, for small volumes, a listed one-hour device in a fire-resistive building; maintaining permanent records in a records vault, a file room, an archive, or a records center; and maintaining long-term temporary records in a file room or a records center. Other clauses of the standard define and describe each of these types of protection.

Clause 2.1 of NFPA 232 assigns the responsibility of determining which records require higher levels of protection provided by special storage housing as described in the standard.

Other chapters of the standard set requirements for a number of elements that affect the protection of records, including

* the construction of new file rooms, vaults, archives, and records centers, including general requirements, records storage areas, and protection against outside exposure fires

* building equipment and facilities, including heating systems, electrical systems, service aisles, locking devices, air-conditioning and ventilation systems, and lightning protection

* standard records vaults, including design, location, size, foundations, floor, walls, independence from building structure, roof, vault door, electrical service, operating practices, fire suppression and signaling equipment, and oversize vaults

* emergency planning including responsibility, planning for response, recovery plan, fire protection plan, and training

* file rooms including design, location, size, supporting structure, floor, walls, roof, file room door, damp proofing, electrical service, heating and ventilation, fire suppression and signaling equipment, and operating practices

* records protection equipment including classification of devices and selection of equipment

* preservation of records including fire-resistive buildings and non-fire-resistive buildings

Of particular interest are Chapter 8--Records Protection Equipment and Chapter 9--Preservation of Records. Chapter 8 discusses the classification of fire-resistant devices including safes and cabinets. The chapter specifically requires all records protection equipment to be UL listed or labeled. A clause in Appendix A lists the requirements for classification of the equipment based on UL testing. Selection of the class of records protection equipment to be used must be based on the requirements in this chapter and in Chapter 9. The requirements include equipment labeling and prohibited equipment construction materials. Chapter 8 also discusses the fire resistance requirements for the various levels of records protection as specified throughout the standard. It includes a table of requirements for fire-resistive buildings and non-fire-resistive buildings.

Clause A.8.2--Classification of Devices in Appendix A--Explanatory Material lists the requirements for records protection equipment as tested by Underwriter Laboratory (UL). Records protection equipment is classified in terms of an interior temperature limit and a time in hours. The following three temperature and humidity limits are employed:

* 125 degrees Farenheit with 80 percent relative humidity (RH), which is regarded as limited conditions for floppy disks

* 150 degrees Farenheit with 85 percent RH, which is regarded as limited conditions for photograph, magnetic, or similar non-paper records

* 350 degrees Farenheit with 100 percent RH, which is regarded as limited conditions for paper records

This is tested in accordance with ANSI/UL 72--Standard for Tests for Fire Resistance of Record Protection Equipment.

NFPA 909: Code for the Protection of Cultural Resources, 2001 Edition

NFPA 909 applies to culturally significant structures and their contents. Such structures include, but are not limited to, buildings that store or display museum or library collections, historic buildings, and places of worship. These structures also include spaces within other buildings used for such culturally significant purposes.

Section 1.5.12 defines "collections" as "... archival documents, ... library media, and cultural materials assembled according to some rational scheme and maintained for the purposes of preservation, research, study, exhibition, publication, and interpretation for public benefit."

Three clauses in the standard cover the protection of records. Clause 8.9--Storage of Records applies to museum records and Clause 9.10--Storage of Records requires library records to be stored in accordance with NFPA 232. Clause 10.6--Historical Records and Artifacts requires historical records such as marriage, birth, and baptismal certificates, to be identified and, for protection planning, to include their removal during fire, salvage, or both. Valuable record storage must be protected in accordance with NFPA 232. In addition, Clause A.2.3.1 in Appendix A recommends the development of an emergency plan that is in accordance with NFPA 1600--Standard on Disaster/Emergency Management and Business Continuity Programs, which provides guidance for managing the emergency condition to minimize loss of life, collections, and property and for planning recovery from the emergency situation.

READ MORE ABOUT IT

ANSI/UL 72: Standard for Tests for Fire Resistance of Record Protection Equipment. Available at www.ansi.org/public/std_info.html (accessed 25 November 2002).

ISO 15489-1:2001(E). Switzerland: ISO. 2001. Available for purchase at www.iso.ch or www.arma.org/bookstore (accessed 25 November 2002).

ISO/TR 15489-2:2001(E). Switzerland: ISO. 2001. Available for purchase at www.iso.ch or www.arma.org/bookstore (accessed 25 November 2002).

NFPA 75: Standard for the Protection of Electronic Computer/Data Processing Equipment 1999 Edition. Quincy, MA: National Fire Protection Association. 1999. Available for purchase at www.nfpa.org (accessed 25 November 2002).

NFPA 232: Standard for the Protection of Records 2000 Edition. Quincy, MA: National Fire Protection Association. 2000. Available for purchase at www.nfpa.org (accessed 25 November 2002).

NFPA 909: Code for the Protection of Cultural Resources 2001 Edition. Quincy, MA: National Fire Protection Association. 2001. Available for purchase at www.nfpa.org (accessed 25 November 2002).

NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs. Quincy, MA: National Fire Protection Association. Available for purchase at www.nfpa.org (accessed 25 November 2002).

RELATED ARTICLE: Proposed vital records standard nearing completion.

ARMA International soon will submit its newly revised vital records guideline to the American National Standards Institute (ANSI) to be considered for adoption as an American national standard. The proposed standard sets the requirements for establishing a vital records program, including requirements for vital records identification and protection, assessing and analyzing vulnerability of the vital records, and determining the impact on the organization.

Clause 5 of the proposed ANSI/ARMA vital records standard requires assigning responsibility for vital records to one individual with authority to carry out the tasks for the whole organization and recommends that that individual be the records and information practitioner for the organization.

Record protection requirements are set in Section 8--Protection Methods. This section discusses dispersal methods including routine and designed dispersal; protective storage including onsite storage and offsite storage requirements; and electronic protection storage including electronic vaulting and data replication. Each method is defined and the means of meeting the requirements are discussed.

Though awaiting its approval as an ANSI standard, the revised publication is available for purchase through the ARMA bookstore at www.arma.org/bookstore.

Virginia A. Jones, CRM, is Records Manager for the Newport News Department of Public Utilities in Newport News, Virginia. She may be contacted at vjones@nngov.com.