Interesting question, Rick. The standard give no indication how to protect records. Nor does it say to what extent they have to be protected. Companies I work with adapt the protection to the importance of the record. For example, an aerospace company safeguards records that FAA requires by placing them in a fireproof room. They protect training records as they would any other personnel record. Once a year, they copy all paper records to CD and copies of the CDs are distributed to their Mexico plant, their Michigan plant and their attorney’s office. The thought is if they had three separate, simultaneous disasters that destroys all the records, they would be out of business and wouldn’t care anymore. Should a singular event destroy all the records, they wouldn’t care either because with an event large enough to destroy everything from Mexico to Michigan none of us would have to worry.
Once you determine how long each record is to be kept, then determine how to reasonably protect them. The extent and degree of protection is strictly up to you.