RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Mime-Version: 1.0 (Apple Message framework v623)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Date: Thu, 30 Nov 2006 19:17:35 -0500
Reply-To: Records Management Program <[log in to unmask]>
Subject:
From: Hugh Smith <[log in to unmask]>
In-Reply-To:
Content-Transfer-Encoding: 7bit
Sender: Records Management Program <[log in to unmask]>
Parts/Attachments: text/plain (160 lines)

On Nov 30, 2006, at 12:00 AM, RECMGMT-L automatic digest system wrote:

Snips from Larry:

> From: Larry Medina <[log in to unmask]>
> Subject: Re: What should people look for when selecting a Data Protection Service
>
> Generally, RM is responsible for providing the guidance as to the
> specifications that must be met for adequate protection of the media while
> in the control of a third party, from the time it leaves the organization,
> through its transit, storage and management, and ultimately, its return to
> the organization.

I think this must be more defined across the board. From some research 
I am doing, the lack of RM supervision creates a weakness in the MIS 
Program.  Those who worship at the altar of speed and density (IT) fail 
the test of protecting media's integrity time and again.

RMs and ARMA should try to standardize the role of RM in corporations. 
Some report to Facilities, some to the CIO, others to the CFO, some to 
Operations, some to the Corporate Secretary.  RM should be a buffer 
between legal and audit and users of the records. IT is just another 
user of the records, albeit in another format, but records all the 
same.

I think that RM reporting to Audit and legal would give more punch and 
fit nicely with the changes wrought by SOX, Rule 26, SAS 70 Part II and 
the new EIS requirements. If we all act to push for this new role as 
part of Audit and legal compliance we can elevate the role based on 
these new laws. Look at the new positions they keep coming up with to 
do what the RM should rightfully be doing.  (e.g. CSO, CXO, etc.)  Now 
is the time to seize the objective.

As a group, we should lobby to the audit community for this role.  
Audit is struggling with controlling wayward IT managers who fail to 
see the value of the media and as a result we are seeing more articles 
about Spoliation.  Trust me, in the last three days of meeting with MIS 
and Auditors, no one wants this role as you go to prison for mistakes. 
If RMs have the courage there is an opportunity here for a real 
improvement in RM and IT management and audit control.  Newt Gingrich 
in an address to technology people stated that huge gains in technology 
are in front of us with 4 to 7 times the increase in technology in the 
next generation.  On top of the base we have, this is HUGE!  (not Hugh 
although some would say they are synonymous?)

With increases like this, we need to manage the information.

I agree with everything you say Larry but offer:
>
> A service provider has to be able to isolate their paper and media service
> components in their offering... about the only thing that can be commingled
> is billing.

I believe the move will steadily go towards media being stored in 
separate facilities or with an adequate fire wall between the two 
service operations. (A recent fire destroyed hundreds of thousands of 
boxes of paper but the data media in the same facility could have 
represented billions of boxes of data? Is it wise to expose them to the 
same destruction?)  Paper and media need to be stored in separate 
facilities for redundancy. I believe that storage below ground is also 
a problem. Even a small event can easily be catastrophic for the media 
but more importantly for the staff in the environment.  Burning media 
is very toxic and evacuation times may not be sufficient.  Smoke 
inhalation kills more than fire, last time the NFPA reported on it.  
Most underground facilities mix the lounge, battery backups, restrooms, 
and all types of storage together. This defeats the purpose of being 
below ground.  In my opinion, there is no such thing as a small fire 
below ground.

> Transportation needs to be independent, as does storage and the tracking
> system.  The vendor needs to have fully independent A/C systems for the
> cargo area that are allowed to run all the while the vehicles are on the
> road, communications and tracking systems in the vehicles, a second
> custodian to stay with the vehicle at all times, systems to secure the media
> while in transport (to minimize shock while moving), a static free
> environment.

I think the second employee is a cost the client base will not pay for 
but more secure lockable containers in the van are easily achieved and 
better locks on the vehicles are readily available.  I am tired of 
seeing pictures of roll up van doors left up or slid open while making 
a delivery.  How negligent can a company be?

>
> Of main interest, what chain of custody criteria would you look for?
>
>
> The ability to scan in the media on receipt, on loading into the vehicle, on
> removal from the vehicle, and on receipt at the facility... as well as once
> placed into storage.

I agree that the steps should be scanned at transfer of custody, the 
van as another scan level location, the dock as yet another and then 
the staging area and then at the loading into the slotted storage 
cabinets or the transfer case being housed in a specific location 
within the vault.  Handheld Scanners make this simple and this along 
with the GPS add a great level of security.  The FileTrail Solution I 
saw at ARMA with RFID at the vault can overlay to ensure that what was 
picked up is now in the vault.  RFID is something that should be a part 
of the solution now.

> And while it may cost more for storage, depending on
> the volume of media (and naturally, the value of the information contained
> on the media to the organization) I'd seek dedicated space where my media
> would be stored independent of other customers' media.

This would work for large clients but not workable with small to medium 
accounts.  This is where storing in a locked transfer case may be the 
answer.  Movement of the case without an order from the tracking system 
would trigger an alarm as the RFID could make you aware an improper 
movement was occurring.  This might give you what you want (and more) 
without the cost of creating private storage boxes for each client.

The failure in this system is that no matter how many containers you 
provide, it is still Julie and Fred opening the boxes with the same 
keys.

I believe encryption of the data and its location in the vault makes 
each unit in a randomly stored environment, similar to finding one hen's 
egg in a henhouse.  The encryption of the client and their final 
storage location might be the solution.

Would that get the job done Larry?

If not, how do we overcome the problem of Julie and Fred being the only 
ones in the vault so they can get to everything anyway?

>
> That's my starting list...
>
> Larry

Now in the last week I have been in Canton, Ohio, Dallas, Magnolia, 
Arkansas, Philadelphia, Greasy Ridge, Ohio, and Georgetown, Texas.  I 
bet Alan Andolsen is jealous as he only travels to places like Paris, 
London, and who knows where in China.

Hugh Smith
FIRELOCK Fireproof Modular Vaults
[log in to unmask]
(610)  756-4440    Fax (610)  756-4134
WWW.FIRELOCK.COM

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
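
One way to audit the scan trail discussed in the message above (a scan at each transfer of custody, reconciliation of pickup against the vault, and an alarm when a case moves without an order from the tracking system). This is an added example, not part of the original message or of any vendor's product; the checkpoint names, event format and case ids are assumptions made for illustration.

```python
from collections import defaultdict

# Scan points in the order the message lists them; the names are this example's own.
CHECKPOINTS = ["pickup", "van", "dock", "staging", "vault"]

def audit_custody(events, open_orders):
    """Return (item_id, finding) tuples for gaps in a scan trail.

    events: (sequence_no, item_id, checkpoint) reads from handheld or RFID scanners.
    open_orders: item ids the tracking system has authorised to move.
    """
    trail = defaultdict(list)
    for _, item, point in sorted(events):
        trail[item].append(point)

    findings = []
    for item in sorted(trail):
        if item not in open_orders:
            # A read with no matching order is the alarm case.
            findings.append((item, "movement without order"))
            continue
        expected = 0  # index of the next checkpoint that should be scanned
        for point in trail[item]:
            if point not in CHECKPOINTS:
                findings.append((item, f"unknown scan point: {point}"))
                continue
            seen = CHECKPOINTS.index(point)
            if seen > expected:
                missed = ", ".join(CHECKPOINTS[expected:seen])
                findings.append((item, f"missing scan: {missed}"))
            elif seen < expected:
                findings.append((item, f"out-of-order scan: {point}"))
            expected = max(expected, seen + 1)
        if expected < len(CHECKPOINTS):
            # Reconciliation: picked up, but never read at the vault.
            findings.append((item, "picked up but not confirmed in vault"))
    return findings

# Constructed sample reads (not real data): CASE-A is clean, CASE-B skips the
# dock scan and never reaches the vault, CASE-C moves with no order on file.
SAMPLE_EVENTS = [
    (1, "CASE-A", "pickup"), (2, "CASE-B", "pickup"), (3, "CASE-A", "van"),
    (4, "CASE-B", "van"), (5, "CASE-A", "dock"), (6, "CASE-A", "staging"),
    (7, "CASE-B", "staging"), (8, "CASE-A", "vault"), (9, "CASE-C", "dock"),
]
SAMPLE_ORDERS = {"CASE-A", "CASE-B"}

if __name__ == "__main__":
    for item, finding in audit_custody(SAMPLE_EVENTS, SAMPLE_ORDERS):
        print(item, finding)
```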
