The United Nations describes a vital records program as “a management regimen for vital records that includes preventative and protection measures and procedures, re- tention requirements and locations, staff and service provider contact details together with documentation.” 7
A vital records program requires IG, which means not only protecting vital re- cords from natural or man‐made disasters, but also assuring information confi dence and record integrity , that is, the accuracy, authenticity, and validity of records. Vital records, and most especially electronic vital records, are vulnerable to theft, unauthorized altera- tion, or misuse. So, for instance, a bank or credit reporting company must protect its vital customer records so that they are not used for identity theft or other fraudulent purposes; a university must protect its student academic records from tampering or alteration; and a law fi rm must protect its client fi les from editing, theft, or tampering.
Essential Steps to Implementing a Vital Records Program A complete vital records program must include all of the following:
■ Sponsorship. Announcement, planning, and development of the vital records program by senior management.
the majority of organizations that suffer the loss of critical business records and software from a disaster go out of business within three years, due partly to the inability to recover or regenerate vital records.
■ Policy creation. Establishment of IG policies for vital records.
■ Inventorying. Survey, identifi cation, and inventory maintenance of vital records.
■ Assessing risk. Determination of key threats and potential losses if vital re- cords are lost, damaged, altered, or stolen.
■ Securing. Evaluation and implementation of appropriate protective, preven- tion, and recovery measures, including utilization of external services, archiving of safe copies, physical security, and secure cloud computing.
■ Educating. Training and communicating with employees about vital records issues on an ongoing basis.
■ Auditing. Ensuring vital records program procedures are being followed.
■ Testing. Engaging in actual live testing and mock disaster exercises.
U.S. National Archives Approach to Identify Vital Records
The U.S. National Archives has created guidelines that American federal agencies should follow when identifying critical information and creating document inventories:
■ Consult with the offi cial responsible for emergency coordination,
■ Review agency statutory and regulatory responsibilities and existing emer- gency plans for insights into the functions and records that may be in- cluded in the vital records inventory,
■ Review documentation created for the contingency planning and risk as- sessment phase of emergency preparedness. The offi ces performing those functions are obvious focuses of an inventory,
■ Review current fi le plans of offi ces that are responsible for performing critical functions or may be responsible for preserving rights, and,
■ Review the agency records manual or records schedule to determine which records series potentially qualify as vital.
Agencies must exercise caution in designating records as vital and in conduct- ing the vital records inventory. A review of the available literature suggests that from 1 to 7 percent of an agency’s records may be vital records. Only those records series or electronic information systems (or portions of them) most critical to emergency operations or the preservation of legal or fi nancial rights should be so designated. Agencies must make diffi cult and judicious decisions in this regard.
The inventory of vital records should include:
■ The name of the offi ce responsible for the records series or electronic in- formation system containing vital information.
senior management sets the tone for vital records program governance and compliance.
■ The title of each records series or information system containing vital in- formation.
■ Identification of each series or system that contains emergency‐operating vital records or vital records relating to rights.
■ The medium on which the records are recorded.
■ The physical location for off‐site storage of copies of the records series or system.
■ The frequency with which the records are to be cycled (updated).8 Critical Identifiers for Vital Records
All vital records must contain critical identifying information:
■ Record series title.
■ Rationale for vital record designation, that is, what mission‐critical business functions are dependent on these specific records.
■ Description of the record series’ business role, function, and its medium(s).
■ Department responsible for producing and maintaining the vital records.
■ Department responsible for protecting and preserving the vital records.
■ Protective measures prescribed for safety, preservation, and reproduction.
When identifying which of your records are vital, it may be helpful to divide them into the following categories: (1) vital, (2) important, (3) useful, and (4) nonessen- tial, as shown in Table 8.1, adapted from the vital records policy of the University of Edinburgh in Scotland.9 Please note that the examples are not exhaustive and will vary from organization to organization.
Table 8.1 critical Identifiers for Vital Records 1. Vital Records
Records without which an organization cannot function. these records are essential to the core business of the organization.
Examples:
1. Records that give evidence of organizational legal status
■ current financial and tax records
■ Records that protect the assets and interests of the organization
■ current and recent contracts
■ software source code
■ Research information
■ Records that are subject to a legal retention requirement
■ minutes of board meetings dealing with major policy issues
■ Historical records, if needed for evidential or other legal purposes
■ Business plan 2. Important Records
these records are important to the
continued operation of the organization. Examples:
1. Procedures