Contractor pulls records from Courthouse for triage
Hurricane Katrina Success Story USDA National Finance Center Vital Records & COOP
Laws, Regulations, and Guidance 44 U.S.C. 3101, assigns to agency heads responsibility for the proper management of records Executive Order 13231, Critical Infrastructure in the Information Age, assigns roles and responsibilities for the protection of critical information systems. Federal Preparedness Circular 65, explicitly requires the agency COOP to incorporate vital records planning 36 CFR 1236, Management of Vital Records lays out in detail the elements of a comprehensive program.
What are Federal Records? The definition of a record, according to the Federal Records Act, is: "...all books, papers, maps, photographs, machine- readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the U.S. Government under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the Government or because of the informational value of the data in them." (44 U.S.C. 3301, Definition of Records)
What are Vital Records? Vital records mean essential agency records that are needed to meet operational responsibilities under national security emergencies or other emergency or disaster conditions (emergency operating records), or to protect the legal and financial rights of the Government and those affected by Government activities (legal and financial rights records)
Record Value Scale IMPORTANT USEFUL NONESSENTIAL 3%–7% 50%–75% 15%–25% 20%–30% VITAL
Type I Emergency Operating Records Records needed to resume and/or continue operating during an emergency or disaster –Emergency plan, Delegation of Authority, building plans, system manuals, files plans/records locations, vital records inventories, and equipment inventories
Type II Legal and Financial Rights Records Records needed to re-create legal and financial operations and safeguard the interests of the organization, its employees, and its clientele –Accounts receivable –Social Security, payroll, and retirement –Land titles, deeds, treaties, leases, contracts, insurance, licenses –Research findings, licensing and compliance, product development –Obligations whose loss would pose significant risk
An Effective Vital Records Program Issuance of a directive establishing the program, assigning responsibilities, and instituting vital records policies Provides for staff training Requires periodic review and testing Official establishment of the program and assignment of responsibility :
An Effective Vital Records Program Provides for: Identification. Protection. Ready availability.
Identification First, determine the essential functions that the agency must continue to perform under adverse operating conditions Then, analyze and prioritize your agency and departmental essential functions Next, conduct a records inventory to identify the mission-critical data and vital records that support those functions
Tools for Identifying Vital Records Mission and departmental functional statements Recordkeeping policies and procedures Critical agency functions as stated in COOP Plan Inventories File plans Records schedules
Identification Maintain a complete inventory of records Including the location of the records With complete access information
Protection Identify the risks involved if vital records are retained at their current locations and in their current media—and the difficulty of reconstituting them if they are destroyed. Risk Assessment
Vital Records Storage Considerations: Needed during and immediately following a disaster/emergency –Store those vital records in close proximity to your office and have 24- hour availability (which may mean storage at a "hot" site, and storage in a format that does not rely on special equipment to read the records) You might not need your legal and financial rights records as quickly –These records might be stored in facilities farther away with less need for quick access Protection
Examples of Storage Options: On-site storage in vaults, fire-resistant containers, or secure central file rooms Off-site storage at another office, in a Federal Records Center, in a "hot" or “cold” site, in a commercial storage facility
Things to Consider When Choosing Off-Site Storage Equipment and electricity may be needed to read the records Off-site facilities chosen by your agency must meet standards in accordance with NARA regulations—36 CFR 1228.156 The facility should have 24-hour security and be environmentally controlled (temperature and humidity) The facility should allow 24-hour access by appropriate agency officials The facility should be inspected for water leaks along walls and floors, and around windows The facility should have fire suppression and/or smoke detection systems that are connected to local emergency officials Cost of storage may depend on the volume of vital records and the storage format
Protection - Electronic Vital Records Are vital and non-vital electronic records being backed up en masse with no distinction between the two? Backup data frequently, on a scheduled basis, and store at COOP sites and on redundant systems as applicable. Encourage users to save vital records to the server and not their hard-drives.
Protection - Electronic Vital Records Ensure appropriate IT infrastructure at alternate site(s) to support critical information systems and data. Provide computer system documentation at the alternate site. Select personnel (primary/backup) for the IT support team based on their normal responsibilities, system knowledge, and availability to recover systems on an on- call basis.
Protection - Electronic Vital Records Implement security procedures and enforce virus scans and updates. Identify preventive controls to mitigate outage impacts. Uninterruptible power supply (UPS) Fire suppression systems Gasoline or diesel-powered generators Air conditioning systems with excess capacity to overt the failure of certain components Heat-resistant and waterproof containers for backup media
Protection - Electronic Vital Records Determine the appropriate protection strategy for your vital records (tape backup vs. remote data replication, use of multiple techniques, etc.) Commit to ongoing hardware/equipment upgrades and software migration for the long haul as part of the vital records program
Ready Availability An appropriate medium for accessing vital records within 12 hours of COOP activation: LAN Vital electronic records Critical information systems and data Internal and external e-mail and archives Vital hardcopy records
Ready Availability Procedures for Routinely Updating Vital Records: Cycling needs to be part of the plan Cycling may be done on a daily, weekly, quarterly, or annual basis—depending on the need
Development of Procedures to Ensure Access: Availability of critical information is crucial to the continuation of operations. Therefore, agencies must develop procedures for the use of vital records during an emergency Document the policies, authorities, and responsibilities of agency officials, and procedures governing the vital records program, in appropriate issuances such as directives or procedural manuals Ready Availability
Development and maintenance of a vital records packet that includes : A list of key personnel and disaster staff with up-to-date telephone numbers. A vital records inventory with precise locations of all vital records. Necessary keys and/or access codes. Alternate operating facility locations.
Training Development of training for all involved staff: Periodic briefings to managers Staff training
Testing Testing capabilities for : Protecting classified and unclassified vital records and databases. Providing access to vital records from alternate operating facilities. Testing and drills serve to assess, validate, or identify for subsequent correction all elements of the vital records program
Program Review Periodic program review that: Addresses new security issues. Updates information. Identifies additional vital records. Provides an opportunity to familiarize staff with the program.