RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Date: Thu, 27 Jul 2006 11:41:18 -0700
From: Larry Medina <[log in to unmask]>
Sender: Records Management Program <[log in to unmask]>
Reply-To: Records Management Program <[log in to unmask]>

On 7/27/06, Hugh Smith <[log in to unmask]> wrote:
(Snipped a lot of good stuff about the changes in design and apparent
increased risk to Information Assets stored commercially going forward based
on these pending changes)

I guess in one way, a client could STILL require in their T&C for a provider
to comply with an earlier version of a Standard, if they know the new
version puts their organization's assets at too great of a risk... and if
the prospective  provider refuses to comply with the request in the T&C,
they could look elsewhere.

Similar to the finding in the Diversified Fire that although the system was
"state-of-the-art" and "operated as designed", it was insufficient to
mitigate the type of fire that occurred, the question I'd ask is:

What protection was provided at all, if the protection was insufficient?
And in this case, the provider and the designer were held liable for being
negligent.  And in the case of the two major plaintiffs, their judgements
went from $40M to over $60M because of the delays in being settled after the
judgement was given initially.

Now, I may be wrong, but $20M sounds like it could have bought a lot of fire
science and testing to determine why the design was flawed and what it would
take to provide sufficient protection... or maybe the time spent in appeals
would have been better spent reading reports related to past similar
incidents that have indicated CLEARLY that firewalls (NOT fire barriers)
dividing facilities into smaller compartments will effectively limit the
spread of fire, smoke and water damage to holdings.


> So what do we concur as a group is the "REK" from these events:
> (Comment on what I provide or provide your own list.)
> 1) That paper documents really have little value based on what we read
> in the articles and the impact of these fires will be non-events?


In this day and age, and the compliance related environment businesses
operate in, all paper based records in storage presently to satisfy
retention requirements have anything BUT "little value" as indicated in the
comments by a commercial provider in two recent events.  Their comment that
these information assets that were lost simply represented "...archived,
inactive business records..." was at minimum insulting to their clients and
the owners of these records.

This is especially true in the London fire, as many of the clients were
local Government entities storing public records, and law firms who had
active case files stored.  Doesn't exactly sound like an appropriate
response from someone who identifies themselves as "...the global leader in
information protection and storage..."

> 2) That RM is now totally dependent on IT to provide the records that
> are required in a disaster like this? ( or flooding, or tornado?)


There is a lot of truth in this, especially for records being produced NOW,
not 4, 5 or 6 years ago that were generated in paper form and/or printed and
stored.  If the records are generated and exist in an electronic form, RMs
need to work with their IT counterparts to ensure policies, practices and
procedures are in place to effectively manage and control these information
assets according to RM practices.  In this way, if there is a need to access
the information (as in the cases of the two Diversified plaintiffs) and
regenerate paper records to satisfy regulatory requirements, it can be
done... but in both of these cases, it was going to be at a great cost.

For this reason, it is critical that you can assign responsibility for the
adequate protection being provided contractually.  You must have clear,
concise, T&C in your contract assigning responsibility for INFORMATION
PROTECTION while it is in storage to the storage provider, and not allow
them to limit their liability to $1-2 per CF.  It's apparent that if you are
storing records for 6-7 years and occasionally accessing those records that
the absolute MINIMUM value for those stored records should be the cost of
storing and managing them over their life in storage.

> 3) Selecting a vendor who compartments into rational bays and vaults is
> an added benefit to be sought out and therefore must be written into
> future RFP's?


Hopefully, when the ARMA Guideline for selecting storage providers is
finally issued, RMs and non-RMs alike will have a tool to assist them in
evaluating potential providers against a set of criteria that is important
to their organizations.  As said many times in the past, almost ALL RM is
about risk management and a willingness to assign that responsibility to
others.  If you're planning to store your records, whether they're inactive
or not, with a commercial provider under a contractual agreement, you need
to evaluate their facilities, practices, and policies and determine if the
risk to your information assets is reasonable in comparison to the potential
for loss.

> 4) Total loss is a given, based on the recent changes to the Standards,
> so the RM must select multiple vendors to divide their records
> collection to minimize loss?


This is all part of a risk management scenario.  Many organizations already
divide their information assets between multiple providers, or between
multiple facilities of the same provider... and some go even further to
ensure they have second copies of critical records, or pay for vaulting or
other higher cost options for storage.  It's all based on the level of risk
you're willing to accept, and the level of responsibility you can assign to
others.

As with vital records, you have to make choices what is required to provide
the level of protection you need... and you're willing to pay for.

> 5) Storing your media and paper documents with the same vendor, when
> that vendor is using an uncompartmented approach is foolhardy?


Well, I'm sure many of my comments over time make my views on this clear.
There is no question that if there is less material subject to risk, the
potential for loss is lower.  You can only lose a maximum of what's exposed.


The questions people/organizations need to ask are WHY are you choosing to
store these information assets in the first place, and WHY are you electing
to assign the responsibility for providing this service to someone else?

Secondly, if you're doing it because you're required by law, statute or
regulation to, WHAT are the consequences if you lose the information and WHO
accepts the financial responsibility for the protection?

Once you have the answers to these questions, it's a bit easier to know what
you need to do to make the determination how great the risk is and if the
protection is sufficient to expose your organization to that risk.  And once
armed with this information, you will be able to provide insight into the
decision making process for your organization when selecting a service
provider... and you can tell them that based on past incidents, it's not a
simple matter of "cents per box" that should make the decision where you
store your organization's information assets.

> I learned that believing a sprinkler system, (no matter whether it is
> "state of the art" or an older system)  can actually stop a fire is a
> fantasy.


And hopefully, if others read legal decisions such as these:
http://www.palawweekly.com/plw/printarticle.aspx?ID=20318
http://www.archives.gov/preservation/emergency-prep/special-challenges.html

they will be similarly armed with relevant knowledge.

> Add to this Recent Event Knowledge (REK)  that the Diversified Fire
> Court  Rulings have been upheld, so it is possible to recover the value
> of your records in court.


Yep, it is... but it takes a large investment of time and resources. And the
better choice may be to spend the time up-front selecting a provider that
places your assets at a lower risk.

> But what is the value of the records?  But
> if you are storing them as media, as well then the paper, does this
> make them less of a loss?  Or less valuable?


Less of a loss? Not really, but at least you can reconstruct your
information. But there are risks and costs associated with properly managing
information in electronic forms, especially information that is required to
be retained for long periods of time.  And yes, I realize that some people
"hate paper" and others can't understand why if you're managing information
electronically you'd also retain it in paper form, but that's not what this
discussion is about... if an organization has made a conscious decision to
do this as part of their business practices or has this figured into their
business continuity or disaster recovery plans, then that's their decision.


> I think it does,
> therefore it is a responsibility of the RM to assure that two different
> mediums are employed.  Media and paper and maybe microfilm for
> permanent records.


Whatever the choice, it's incumbent upon the RM to provide information to
their organization relative to the risks and costs associated with the
options for storage, and the better informed the RM is, the better input
they can provide.


> But many of the world's largest corporations choose to store all their
> documents with one company and no requirement to store in multiple
> facilities to spread the risk? So for those who choose to store in that
> manner, should there be any liability?  Let the buyer beware.


This is the case in ALL business decisions.  You should carefully weigh the
alternatives, determine how much risk you're willing to accept and then use
this information to make your decision.

Like other things in life, obviously, it's cheaper (and sometimes faster) to
eat lunch off the dollar menu at the local grease pit... but what are the
risks and are you willing to accept them?

> I believe they are negligent as they could have chosen any vendor but
> selected one that lowered their cost but with the full awareness that
> they were increasing their risk exposure.  After all, in the end, we
> cannot outsource the prudent management of the corporation.  SOX
> clearly put the burden on the CEO and the CFO as they must weigh cost
> savings here versus risk there?


Risk is a peculiar thing.  Depending on the scenarios, all organizations
have a certain level of risk aversion and/or tolerance... and some have a
much higher level of tolerance than others.  I'm not sure I'd go as far as
to say they're "negligent", but I doubt I'd make the same decision to base
my choice on the lowest cost rather than the lowest TOTAL EVALUATED COST.

And you're right, the "C-level" positions are the ones that must make the
decision as to whether they look good in pinstripes or orange, because once
the decision is made, it's up to them to shoulder the burden.

> The argument of the offsite storage industry is that, "This is what we
> offer! If you want more it has to come from your management style!"  So
> this now makes it your opportunity to choose a matrix of vendors and
> security measures based on this knowledge.


Again, I hope the ARMA Guideline will assist organizations in making solid,
well-informed decisions. And with any supplier, if all they have is one
level of product or service, the choice is yours to go elsewhere.

> So is the REK on this that you just gained a powerful argument for your
> insertion into all the phases of records management, including
> oversight of  IT. After all, they are a back up to your system.  A
> combined matrix of protection must now exist.


You bet you need to work with your partners, and you need to understand the
role you have in the process.

> So the rules have changed based on REK.  How do you see it affecting
> your organization?


Every organization has to make this decision for themselves. In most cases,
the RM has input into the decision making process, but doesn't make the
final decision.  I've known for years how it impacts the organizations I
work for, and I see my role as providing the best information I possibly can
to those making the final decisions, and documenting the information I
provide.   I'd strongly suggest to other RIMs that they become informed and
be an asset to their organization when it comes time to make these
decisions.

I'd also suggest that if you're involved in the process of evaluating
providers, you make sure that the responsibility for "...providing
information PROTECTION and storage..." is fully that of the commercial
provider if you elect to choose one.

Larry
-- 
Larry Medina
Danville, CA
RIM Professional since 1972

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
