Monday, June 11, 2007

Vital records protection

Due to the cyclone of last week I have had quite some thoughts on DRP and BCP, and concluded that the scope of this should be pretty limited. Risk management is a good way of scoping (only records unavailability that causes a high risk needs to be considered as part of the scope), but this can be a slightly too narrow approach and may lead to short term gains and longer term problems. Therefore it is important to define for a company the vital records. A simple definition is: Without these records you can close the shop. So what are the main parameters in defining vital records?
  • Legal: By law you need to have these records - usually these records are related to agreements, contracts, financial transactions and people. Quite often these records have a legal retention date (think Sarbanes-Oxley Act). Obviously these records need to be properly protected. The most important (and therefore vital) documents are the ones related to major agreements. The bulk type (invoices) need less protection.
  • Asset Integrity: Records on the structure and state of maintenance (integrity) of facilities are vital for any operation. Think drawings, designs, inspections. Quite often these records need to be retained indefinitely and they require a high level of protection in terms of protection against damage or loss. Quite often they're not confidential.
  • Confidentiality: Some records in the company are company secrets that can be the differentiator for doing business (think intellectual property, major strategic documents). These records need protection both from a confidentiality and a physical protection perspective.

So what to do? I think first of all it is important to have records in an open digital format, i.e. stored on a computer and easy to open with normal desktop tools (think PDF). Paper is great to work with, but digital is the only proper backup mechanism. So if you have paper then it is important to have at least good quality scans of all vital records. The scans need to be indexed properly and need to be made available online (with sufficient security of course). Obviously some records (like facility drawings) may have a more specific format (e.g. AutoCAD).

Further it is important to have the digital records protected physically against any disaster (flooding, storm, fire, ...) and the easiest way to establish this is having them stored in more than one place (preferably more than two). Note that these places need to be geographically apart. In some countries companies have decided to have their information backup abroad (especially recommended for more volatile places). So if you have your records in Amsterdam (or New Orleans), then it is wise to have a backup in place in a higher place (so not next door, but say in the Alps or the Rocky Mountains).

The backups have to be made on a regular basis (daily) and more importantly: you have to test if the backup can be restored! Note that the same security measures (on accessibility) need to be in place on the backup (so confidential data is also protected in the backup site).
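A restore test along these lines can be automated. The sketch below is an added example, not part of the original post: it compares a test restore with the primary copy by SHA-256 digest and flags restored files whose permissions are wider than the original. The file names, contents and function names are constructed for illustration, and POSIX permission bits are assumed.

```python
import hashlib, stat, tempfile
from pathlib import Path

def manifest(root):
    """Map relative path -> (SHA-256 hex digest, permission bits) for each file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix():
                (hashlib.sha256(p.read_bytes()).hexdigest(), stat.S_IMODE(p.stat().st_mode))
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(primary, restored):
    """Compare a test restore with the primary copy; an empty list means the test passed."""
    src, dst = manifest(primary), manifest(restored)
    findings = []
    for rel, (digest, mode) in src.items():
        if rel not in dst:
            findings.append((rel, "missing"))
            continue
        r_digest, r_mode = dst[rel]
        if r_digest != digest:
            findings.append((rel, "content-mismatch"))
        if r_mode & ~mode:  # restored copy grants permission bits the primary does not
            findings.append((rel, "permissions-wider"))
    return findings

def write_record(path, data, mode):
    """Create a sample record with explicit permission bits."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    path.chmod(mode)

def demo(damage=True):
    """Build a constructed primary store and a test restore, then verify the restore."""
    # Constructed sample records (names and contents are made up for this example).
    records = {"contracts/major_agreement.pdf": (b"signed agreement", 0o600),
               "drawings/plant_layout.dwg": (b"facility drawing rev 7", 0o640),
               "hr/staff_register.pdf": (b"people records", 0o600),
               "strategy/plan.pdf": (b"strategic plan", 0o600)}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, (data, mode) in records.items():
            write_record(Path(tmp, "primary", rel), data, mode)
            if damage and rel.startswith("hr/"):
                continue              # record never made it into the backup
            if damage and rel.startswith("drawings/"):
                data = data[:8]       # truncated during backup or restore
            if damage and rel.startswith("strategy/"):
                mode = 0o644          # restored copy is world-readable
            write_record(Path(tmp, "restored", rel), data, mode)
        return verify_restore(Path(tmp, "primary"), Path(tmp, "restored"))

if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{problem:18} {rel}")
```

Running the same check against every replica site after each scheduled test restore gives a simple pass/fail record per site.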

So bottom line: it is important to know what is vital for your business and it is important to have good protection in place for them. Not just in terms of security, but also in terms of physical protection against disasters and the best protection for the latter is replication.


1 Comments:

At 6:29 AM, Blogger Frank said...

Nice post Evert!! Vital Records
