The Pillars of Vital Records Management
More than a half-century ago, the U.S. Federal Civil Defense Administration conducted a test called Operation Teapot to gauge the effects of a nuclear explosion on a variety of business records and records storage equipment. The focus in that era was how to protect vital records – those that are fundamental to an organization’s functioning and needed to continue operations without delay under abnormal conditions – in the nuclear age.
Alan A. Andolsen, CMC, CRM
The conclusions drawn from that test are still valid today (see Operation Teapot sidebar below), including the recommendations that vital records be identified and segregated from other records and that organizations implement a vital records protection program that meets their specific needs.
Although the threat of nuclear attack has diminished since the Operation Teapot test, given the number of recent natural disasters and terrorist attacks that have occurred around the world, today’s records professionals are no less concerned about vital records. In fact, their concerns are magnified by the implications of the technology age, which has produced the need to protect digital records, as well as paper and other physical records.
Protecting vital digital records requires a new set of procedures to ensure that they remain available and retrievable when a disaster occurs. A digital vital records protection program is only partially implemented through the traditional disaster recovery programs created by information systems organizations. These programs are very effective for the protection of active records, which are those records that are needed to perform current operations, subject to frequent use, and usually located near the user. However, not all vital records are active records; some may, in fact, be retained after their active lives for regulatory or business purposes (e.g., tapes that will be used in IRS or other audits).
Planning and Implementing a Vital Records Program
Effective vital records programs do not happen; they are created with care as part of an overall disaster recovery program, which is implemented to ensure that an organization can restore critical business functions and reclaim damaged or threatened records in the event of a disaster. Implementing an effective program requires preparation in three major areas – staff, procedures, and physical location – and a measure of common sense.
Staff Preparedness
Vital records programs will not work if they are not taken seriously by everyone in the organization. An effective program starts with the strong support of management, who must clearly communicate the value of an organization’s information assets to all staff. Moreover, any such program is a cooperative effort. There is no one function or operation within an enterprise that can successfully accomplish all facets of the program. Without management support and a cooperative spirit, no disaster recovery program can succeed.
Training and practice are the two foundation pillars on which a successful program is constructed. The theoretical aims of disaster recovery must be infused with human capability. Written documentation and software applications can never substitute for staff members who understand the goals of the program and their roles within it. Initial training is crucial not only to ensure that staff can do the job, but also to validate the theoretical program and to make certain that it can be accomplished in the time of crisis. Periodic practice sessions ensure that the program is still on target and that organizational, equipment, or staff changes have not rendered parts of the plan inoperable.
Procedural Preparedness
A consistent approach is one key to effective disaster recovery procedures. In format and language, the actions should be presented straightforwardly and without jargon. The “playscript” approach to procedures documentation described by Peter H. Matthies in The New Playscript Procedures: Management Tool for Action seems to work the best. This method identifies each and every “actor” and states the task, action, or decision that is that individual’s responsibility. When logically constructed to reflect the actual workflow, little doubt remains about who is responsible for what, and when. Thus, all individuals who participate in the vital records process are clearly identified and their responsibilities fully documented.
The procedures themselves must reflect all types of records, not just either paper records or digital records. In the case of digital records, procedures need to cover all platforms, not just the mainframe or network servers. Information maintained on local hard drives may be just as important as that maintained in shared repositories. The procedures should also make clear whether the protection provided is a simple backup (where the backup would be the only copy of the information remaining after a disaster) or redundancy (where multiple copies of the information may be preserved in many locations as, for example, with databases or invoice copies sent to several locations).
Integral to the procedures is identification of the time span during which the information is vital and needs to be protected. A simple disaster recovery process often focuses only on current production information and its recovery. However, every organization has vital information that may not be a part of the current production information and that needs to be protected with additional procedures. In particular, vital digital information of a historical nature that has been retained separate from active systems requires special attention.
Finally, the procedures need to identify clearly how copies of vital information are to be created, transported to alternate sites, and maintained. It is not sufficient simply to identify the information that needs to be protected without providing detailed instructions about its format, its movement and protection during transport, and the environment within which it is stored.
To ensure that these procedures remain on target and realistic, the program should have a mandated audit on a regular basis. A function of the audit is to test and to validate the procedures against changes in organization, staff, and equipment.
Physical Preparedness
The disaster recovery program must focus on the location where business operations will resume in the event of a disaster. One of the major lessons learned from the events of the 2001 attack on New York City’s World Trade Center is that a computer-based site, while important, may not be the only requirement. It is short-sighted to presume that a disaster recovery program is complete if provisions are made only for computer equipment and applications. Many organizational functions still require substantial space for handling paper. A comprehensive vital records program will identify the information that is in hardcopy format and how much workspace is necessary to complete the tasks related to it.
Another key element about location is how safely and quickly both staff and information can arrive there. In many cases, provisions can be made to ensure that the information – most obviously digital information on backup tapes or optical media, but also copies of key paper documents – is transported to the work site on an ongoing basis. The important element is to ensure that all the information maintained at the alternate work site is renewed on a regular basis, not left to accumulate.
The media on which vital records are maintained should be a major focus of the disaster recovery program’s effort. Obviously, copies of paper records should be reviewed to ensure that the images are legible and understandable. More importantly, however, vital digital records need to have an initial quality control review when they are created to ensure that the tapes or optical media actually have recorded the expected information. In addition, if the information is being maintained at the alternative work site for extended periods (for example, copies of application software), regularly scheduled tests should check the reliability of the media and the information.
Finally, the environment in which vital records are being maintained is crucial to ensure that disaster recovery efforts are successful. Among the environmental problems that must be avoided are dust, water, and stray magnetic fields (e.g., from motors). Past experience has shown that some organizations will choose the least expensive space to serve as a disaster recovery work site. Often this is warehouse space they already have under lease. However, the temperature and humidity fluctuations within such a facility often far exceed what is acceptable for the preservation of digital information, even if the effects of the fluctuations on paper records are minimal.
Common Sense
Fundamental to a successful vital records program is the element of common sense.
Because paper records are so visible, it is relatively easy to maintain awareness of the need to manage and protect them. But digital records are another issue. Because they do not take up much physical space, it is easy to forget about them. So, it is important for staff members to use their common sense to realize that vital information is not appropriately protected and cannot be retrieved if it has been retained on local hard drives and not on network servers that are regularly backed up.
Vital Digital Records Principles
Rather than searching for esoteric formulas that will guarantee the success of the vital records program, concentrate on the following four principles:
- All vital digital records must be clearly identified by the information owner and the information system operator, and appropriate protection responsibilities must be assigned. This is particularly important for systems that are not maintained by the organization’s information systems unit or information that is not regularly backed up.
- Periodic audits of the protection process must be scheduled to ensure that the digital records are actually being protected as specified in the procedures and that organization, equipment, and staff changes do not mitigate the protection efforts.
- Correct maintenance procedures must be in place to ensure that the digital information is not compromised by inappropriate environmental storage conditions (e.g., heating/ventilation/air conditioning, moisture, electrical current).
- Appropriate equipment must be selected for housing, transporting, and storing vital digital records.
Events like the attacks on the World Trade Center have changed the world, and RIM professionals must adjust in response to those changes. Developing and implementing vital records and disaster recovery programs are no longer a luxury that organizations have the option to omit. These programs must now be an integral part of organizational and business life. While historical lessons are often valuable for helping to ensure effective records management operations, organizations must also recognize and address the additional requirements that technological progress imposes on those operations.
Sidebar: Operation Teapot Provides Lessons for Vital Records Protection
In the spring and early summer of 1955, the Federal Civil Defense Administration attempted to gauge the effects of a single nuclear explosion on a variety of industrial, office, and household items, including a wide variety of business records and records storage equipment. The main focus of the test, “Operation Teapot,” was how to protect vital records in the nuclear age. Participants in the test included the National Records Management Council (NAREMCO), this author’s current company.
Project Design
The project included a wide variety of typical records, including correspondence, paper samples, checks, documents, facsimile paper, microfilm, photographs, and telegrams and telegraph tape. The records storage equipment included various examples of corrugated boxes and transfer files, steel shelving, insulated and annulated file cabinets, steel transfer files, a money chest, and Class A, B, and C safes. Samples of the records were placed on the desert floor or in the records storage equipment noted above without shielding at 500 to 4,700 feet from ground zero of the blast.
At 4,700 to 10,500 feet from ground zero, records and record storage equipment were placed within (basement, first floor, or second floor) or behind homes that had been built to gauge the effect of nuclear blasts on homes with frame, brick veneer, and pre-cast concrete construction. Test effects measured included the maximum temperature reached and the amount of gamma radiation penetrating inside the records storage equipment, as well as blast pressures.
Test Results for Operation Teapot
The detonation, which had a force of 30,000 tons of TNT, took place on a 500-foot tower. As a result, it did not create a crater. Of the 22 pieces of equipment located on the desert floor, 14 were destroyed by the blast. All equipment at the 4,700-foot line and further out was recovered. There was no damage to any of the 12 units located at the 5,500- and 10,500-foot lines.
Records were recovered from one unit placed at the 1,050-foot line, one at the 1,840-foot line, and two at the 2,250-foot line. From the 2,750-foot line and beyond, records were recovered from all pieces of equipment.
Only one unit – a money chest – survived from the 500- to 1,050-foot range. It was thrown 350 feet from its original location, the exterior was burnt, and the dial lock was broken off. After the manufacturer replaced the dial lock, the contents were recovered in excellent condition.
Evaluation of the paper samples at the 4,700-foot line immediately after the blast and six months later showed minimal radiation damage, so no samples located farther away were tested.
The only radiation in the telegraph tape and paper and facsimile paper samples came from blast particles that penetrated the boxes holding the items. All items were tested and performed satisfactorily under actual operating conditions. Recovered microfilm and photographic paper showed no effects from radiation. Unexposed film and photographic paper were tested and performed satisfactorily under actual operating conditions.
Pieces of metal recovered from the various records storage equipment were twisted and telescoped. Ruptures showed along the welding bead lines, leading to the conclusion that the units had burst from internal pressure – the result of the difference between the normal internal atmospheric pressure and the external sub-atmospheric pressure from the negative phase of the blast that followed the shock front. Additionally, the intense heat of the blast closer to ground zero may have caused the accumulation of gases from the insulation used in the equipment. The rapid accumulation and expansion caused the explosive bursting of some of the units. These results led to the conclusion that the structural design of vital records storage equipment should take into account internal, as well as external, pressures.
The test demonstrated that records and record storage equipment within structures are shielded from damage from the primary effects of the nuclear explosion. In these cases, the greater portion of damage was caused by falling debris.
Operation Teapot Recommendations
The final report for Operation Teapot outlined a classic vital records program with the traditional means of protection (built-in dispersal, designed dispersal, duplication of the original, and vaulting). The report also noted that there was greater danger from what may occur after the blast, such as fires, broken water mains, and destroyed dams, than from the blast itself.
In its discussion of a vital records center, the report specified a reinforced concrete structure as the best design, coupled with placement on high ground (to avoid floods) and away from other buildings (to lower the chance of fire and damage from debris).
The report’s conclusion summarized what can be viewed today as a judicious and cost-sensitive approach to vital records:
- Identify and segregate vital records.
- Design a balanced protection program that meets the organization’s specific needs.
- Be selective in use of vaults, safes, and insulated file cabinets.
- Use less costly means of protection first.
Alan A. Andolsen, CMC, CRM, can be contacted at alandolsen@naremco.com.
From March - April 2008