Webtrends Tracking Code
 
UK Home >  OUT-LAW News >  News Archive >  2007 >  March 2007 >  Protecting and recovering vital records from disaster

Protecting and recovering vital records from disaster

OUT-LAW News, 23/03/2007 

Hurricanes Katrina and Rita have put the spotlight on the need to protect and recover vital records. Gary Rossell of information protection firm Iron Mountain suggests a plan for protecting a company's vital records against disaster, natural or man-made.

The following is by Gary Rossell

Vital records are the records that contain information critical to the continuation or survival of your company during or immediately following a crisis. They can be paper records, database records, email with attachments, voicemail, instant messages, or any other official record documenting company business. Proper protection of these records starts with proper planning.

One: Designate a Vital Records Programme “Owner”

For your vital records programme to succeed there must be one individual accountable for planning and maintaining the programme. The business continuity or records manager are likely candidates due to their involvement with records programmes or business continuity planning. You also need a clear definition of responsibilities between records management, business continuity, risk management, and emergency preparedness.

Two: Assess Your Current Vital Record Programme

The next step is to determine what (if any) vital records or risk assessment programmes already exist within the organisation. If these programs do exist, examine how much of this work can be leveraged for a comprehensive vital records programme. Typical departments to consider are:

  • Records management – they may have vital record classes identified.
  • Business continuity – they may have criticality assigned to business functions from a Business Impact Analysis.
  • Risk management – they may have rated company business function loss.
  • Emergency preparedness – they may have specified an order to re-establish company business functions.

If you currently do not have any relevant programmes, you will need to complete a Business Impact Analysis (BIA) of the company business functions. Your BIA will give you a recovery priority rating that is a key component for aligning business function recovery priorities with vital records priorities.

Three: Identify and Assess Vital Records

Conduct surveys of business functions to document business function records, and collect information to identify and assess vital records. The following three risk categories should be included in the assessment survey:

  • Probability of loss or damage.
  • Recovery priority analysis (from the business impact analysis).
  • Financial or time impact of loss or damage.

Next, the responses for each risk category should be rolled up into an overall risk rating for each vital record. Your plan will include all records, but of course scarce resources should be allocated to the highest risk records first.

Four: Create an initial plan to protect and recover your vital records

Build your initial vital records recovery plan with the following in mind:

  • Include high-ranked vital records in the business continuity plan and provide for their quick and easy access.
  • Develop a protection plan with record owners for records that are not on the short-term risk reduction list.
  • Include a corporate compliance/governance summary for corporate compliance use.
  • Coordinate the vital record programme with the business continuity plan.
  • Develop training and rollout plans including a policy and procedure document.
  • Obtain approval for the plan to reduce vital record risk.
  • Include external processes like e-commerce, voice mail, or web hosting in your plan.
  • Include vital records protection within existing security, records management, and recovery processes when possible.

Five: Maintain and Update Your Vital Records Plan

Vital records are dynamic and change with the business, so your vital records plan needs to be updated on a regular basis. Keep your plan up to date by remembering to:

  • Include vital record recovery and reconstruction in your business continuity plan exercises.
  • Plan and fund continuous risk reduction for vital records.
  • Include vital records in new application development processes.
  • Update vital records risk at a minimum of every two years.
  • Train new employees and managers responsible for vital records.
  • Produce an annual compliance report for vital records.
  • Encourage internal audits to ensure compliance with the vital record programme.

Summary

Vital records are essential for the recovery of any business. If you follow this pragmatic approach, a disaster doesn't have to mean you can't quickly recover the most vital records you need to keep your business running.

This article was adopted from Business Continuity Relies on Records, by Gary Rossell, a senior consultant with Iron Mountain. Iron Mountain will be exhibiting at the Business Continuity Expo and Conference held at EXCEL Docklands.

 

 

OUT-LAW Recommends

Data Protection training
We offer training courses on Data Protection and Freedom of Information laws

Winner at 2008 Webby Awards

OUT-LAW star: link to the home page
Disclaimer | Privacy | Site Map | Accessibility
Disclaimer: This was printed from OUT-LAW.COM, a service of international law firm Pinsent Masons. We hope you find this content useful. However, please note that nothing in this document constitutes specific legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter. Any questions, please email info@out-law.com.