- RECORD KEEPING REQUIREMENTS/CONTINUITY OF OPERATIONS
11.1 AMCs shall adopt a records retention policy that identifies and defines the information and records that are to be retained (electronic or hard copy).
Degnon Associates creates, collects and maintains records for its clients based upon the guidelines outlined below.
All client records, both manual (hardcopy) and electronic, are the property of the client. Attachment 11A lists the types of records DEGNON maintains and their retention period.
In addition, our client agreements (see Section 3) define explicitly how client assets are to be handled in the event of termination:
All records, files and computer data of “CLIENT” shall remain the property of “CLIENT”. All systems and programs, templates and procedures utilized by Degnon shall remain the property of Degnon.
Upon termination of this agreement, all property of “CLIENT” shall be transferred to “CLIENT”. All outstanding management fees and expenses shall be paid by “CLIENT”. The goodwill of each party shall be extended in any transition process.
11.2 AMCs shall adopt procedures to maintain and control a record keeping system to:
11.2.1 Collect and record information (create records);
Records are created to facilitate the flow and tracking of information pertaining to clients and projects, as well as to meet the demands of corporate accountability.
New files are created when:
– A new client is acquired
– A new member joins a client association
– A non-member attends a client conference
– A new supplier is engaged
– A new employee is hired
Records are organized according to the following system:
Recent working files that may need to be referenced are kept in designated areas in the Degnon offices. Files needed on a daily/regular basis are kept within the working areas of the relevant staff.
Degnon also maintains rarely used or archival documents in an offsite storage facility. These file boxes are marked showing client name and content.
The bookkeeping files and records are processed and stored as shown in Attachment 11A.
11.2.2 File, index, store and maintain records, both hardcopy and electronic;
Manually archived records are maintained in a designated area for client files and later placed in storage boxes or drawers. Records are kept on the premises, and records to be stored for more than 3 years are placed in boxes and stored at storage lockers in Reston, VA.
11.2.3 Remove, archive, or destroy old records on a predetermined time basis;
The records retention schedule utilized by Degnon for all clients is featured in Attachment 11A. When a manual record reaches its disposal date, it is disposed of in the recycling bin unless personal information is present, in which case the record will be shredded. Electronic records that reach their maturity date are erased by the account manager or the Executive Director, depending on the nature of the record. Financial records with personal information (social security or credit card) that reach their disposal date are shredded before they are discarded.
11.2.4 Prevent records from being altered without approval of a designated authority;
The Executive Director of each client is ultimately responsible for the integrity and security of the client records. S/he is the only one with the authority to modify any client record although s/he may delegate the execution to the appropriate individual.
Client records are accessed only by Degnon staff, primarily those working with each client or those with a need to know.
Financial records are accessed only by Degnon staff working on each client. The bookkeeper and senior management have access to all client accounts. All financial (QuickBooks) records are password protected.
Sensitive records (financial records, employee files) are kept in a secure location.
11.2.5 Safeguard records from damage or deterioration;
All the records and files that Degnon maintains are in an office environment with good security and fire protection. In addition, all the key documents are available in electronic format, and can thus be reproduced should the hardcopy versions become damaged. The Degnon servers are backed up on a regular schedule.
11.2.6 Protect records from unauthorized access
Section 11.2.4 describes which individuals have access to the various records. Sensitive records which require limited access are kept in a secure location.
11.3 AMCs shall adopt a business continuity plan that will include at a minimum:
11.3.1 Procedures for the management of electronic back-up of software and electronic records.
Electronic records are created, maintained, and safeguarded with the same degree of confidentiality and security as the physical records.
Electronic records are securely stored remotely using cloud storage technologies provided by Microsoft Office 365 and Amazon Web Services, as well as servers at the Degnon facility. Access to these records is limited to users with a sufficient level of authorization. Web site files are located on a designated remote server housing only website files. Client databases are hosted remotely by NeonCRM and working files are kept on a designated Office365 SharePoint server within a folder named for each client. Each client’s QuickBooks file is kept in a designated folder on a server at the Degnon facility and the file is password protected. The Executive Director and bookkeeper for each client have access to these passwords. Email correspondence is stored remotely on Office365 and email archives are stored on each employee’s computer. The Degnon servers and individual computers all reside on a local network. Access to these resources is shown in the table below:
Resource | How Accessed | Access control |
Web/Internet servers | Via network | Protected areas need pre-approval |
Email server | Via network | Individual userid and password |
LAN servers | Via connection to the LAN | Individual userid and password |
Desktop or laptop | Individual or via LAN connection | For remote access: userid and password |
Since most Degnon staff work with multiple clients, it is not possible to assign a single type of access by individual for the web and Internet servers. Instead, access is given to the function and position as follows:
Function/Position | Access Level |
Executive Director | Owner, Group, Individual |
Web services | Owner (when applicable), Group, Individual |
Member services | Group, Individual |
All Others | Individual |
The Executive Director is the only individual who can set and modify access permissions.
All servers located at the Degnon facility are backed up daily. For a detailed description of Degnon’s Data Backup Policy, please refer to Attachment 11B.
Degnon uses standard naming conventions for its electronic records whenever possible. A combination of subdirectory and file naming conventions capture enough information to find, identify, and access each electronic document. Naming conventions are based on factors such as business processes, retention requirements, location of users and retrieval requirements.
Electronic records are kept until they become obsolete or according to the schedule in Exhibit 11A, whichever comes later. Documents and files that form the basis of a web site usually have a much shorter life span. The electronic documents that can serve as templates for other documents are kept permanently.
11.3.2 Communication to inform staff, members, vendors, etc., about recovery plan
The Degnon recovery plan as outlined in section 11.3.4 will be reviewed with each new employee and will be periodically reviewed at staff meetings.
11.3.3 Building evacuation plan
See attached Evacuation Plan (Attachment 11C) as maintained on the server and evacuation diagram
11.3.4 Options for temporary facility in the event current office is not available.
In the event the Degnon facility is not available, the company Owner’s home will become the temporary office facility. Each employee has full remote access to the Degnon servers, so they will conduct business as usual from home. Each employee has an individual phone number which will accept voicemail messages and forward them to the employee. The general office phone number will be forwarded to one employee to answer during regular business hours. Key personnel will report to the Owner’s home to provide mail service and any copying and faxing. Degnon has an independent IT contractor that provides technical services and would handle recovering data from the backup tapes and setting up temporary IT workstations in the headquarters.