A frequent part of my disaster recovery/business continuity practice involves reviewing the status, accuracy, and completeness of recovery documentation. In addition to the usual checkpoints, one of my focus questions is how quickly each member of the recovery team can access the complete BCP documentation. In other words, if people need to respond to a disaster situation instantly, will the documents support the effort and can they get at them with no delay? Just picture the call coming at 2 a.m. on Saturday morning. Without being too wordy, what I frequently find when I go through the review process includes some of the following:
- Team members that can’t find the current version.
- I have the current document but it is at the office in my desk.
- Finding various (as in more than a few) versions of the same documents.
- Contact lists with names of people no longer employed.
- Missing or out-of-date vendor lists. One vendor phone number yielded a fax machine “squeal.” Yes, you should actually check some of the numbers with a call.
- Inaccurate or old equipment and network documentation.
- Can’t really access the current documentation if the system/network is down.
Sound familiar? We need to make sure the people who need to respond (quickly) have in their possession the proper procedures, supporting information, contact information, and anything else to start the recovery effort immediately. Anything that delays the recovery is to be avoided at all costs, especially given many of the very short recovery times (RTO) for critical business functions.
Historically, most (but not all) BCP documentation is maintained on the company computer. This is fine as long as the computer is available. We have also provided select members of the recovery team a set of documentation, often in hard copy. That is fine, too: as long as it is available, current, and complete, 24x7, the recovery effort can begin.
Frequently, recovery documentation is embedded in the plan documentation, which means it is in fact a duplicate and must be updated as the master list changes. In many BCP plans today, information is “linked” and brought in when the document is used. This makes for a shorter document but one with holes if the system the “linked in” information resides on is not available. Additionally, we live in a world where printing is viewed as something we’d like to limit as much as possible.
Solution In Principle: Utilize A Flash Drive
First, I understand there may be some companies that may have issues with using flash drives. In today’s world, flash drives are everywhere, but that doesn’t mean it is an acceptable data storage standard. Each company needs to determine that for themselves.
The concept is simple: put the entire set of required documents on a flash drive, and provide it to each key recovery team member so they have immediate access to the critical information if the time arises. All they need is a laptop or a desktop system to plug into.
The solution of utilizing a high capacity flash drive to maintain and distribute the BCP documentation is based on working with numerous clients that have used that approach. I promoted the concept and worked with each one in terms of how it should be developed. The technical implementation, however, was completely up to each company. Adequate security is a major concern as you will see as you read on.
A Benefits List Is Important
The list of benefits I include here is basically the results from a number of discussions with the clients. I believe it is important to understand the potential benefits so the initial discussion is not completely viewed as another instance of just trying to implement a technical solution. As a long-term information technology (IT) person, I’m well aware of that possible issue.
- Flash drives, given their capacity, are a low-cost option to distribute a wealth of information. Cost: 8GB drive for less than $20. Amazing.
- Unlike printed materials, the general population isn’t likely to be able to read the information.
- The relative cash value of a flash drive is extremely low, so it has much less perceived value to a thief than a laptop computer.
- Security at the password/encryption level is ready to use (more on that later).
- Given no moving parts, the reliability should be very good.
Easy to use, easy to store, easy to protect. All good things to a BCP document.
What Are The Steps?
So, if this solution to use a flash drive appeals to you, it is probably worth at least a test. Based on my exposure to the process I’ve summarized what typically happens in terms of logical steps. Modify and adjust as needed.
Step 1:
Discuss the approach and confirm that this solution fits your company policy. Just as a reference point, of the six clients I’ve worked on this with, four are OK with flash drives, one is not at this moment, and one is not sure yet but leaning that way.
Step 2:
Bring the recovery team together and discuss the approach and also, more importantly, identify what information must be on the flash drive. Just as a sample, the following documents would probably be useful:
- The basic BCP document (as in “The Plan”)
- Company emergency procedures
- Detailed procedures from the offsite vendor to retrieve materials
- If used, include a copy of the alternate site (as in hot site) vendor documentation manual
Step 3 (done same time as step 2):
Next, pose a disaster scenario to the team and see if the flash solution works. I usually present a disaster that takes out all company computer processing and network access. Just to push it, company work space is also unavailable. So, anything at their desk is gone. Talk it through with the team and adjust where needed.
Step 4:
Research a flash drive manufacturer that provides very easy-to-use software that allows two critical requirements:
- Password protection
- Data encryption
There are lots of options when it comes to flash drives. The Web is a good source. I myself tried several before selecting one I was comfortable with (as in easy to use). Usually the technical people are involved in the evaluation. Also, one of my clients has a flash drive that is water proof and crush proof. It resembles a small silver cylinder with a screw cap at one end. You’ll find this type on the Web also. I was impressed by this.
Step 5:
After flash drive procurement, give them to the technical services people who can set them up according to the proper procedures (formats, password structure, standards, etc). Just a note: don’t bypass the technical folks.
Step 6:
Next, run through the basic BCP document (“The Plan”) and gather all linked and referenced files. This creates a rather large consolidated (rather than linked) file, but it should contain everything called out in the BCP document. And, if done correctly, it will be in sequence. I believe one client went over 1,000 pages (no, they did not print a copy) doing this process. Save that file to the flash drive. Add anything else to the flash drive as identified in step 2 above. Err on the side of including only those documents that are really needed to start the recovery process.
Step 7:
Make appropriate copies and distribute to only the key recovery team members for their confirmation process. Ask them to use it and report back.
Step 8:
Reconvene the recovery team members that received a flash drive and confirm that the proper information was included and work out any issues or problems. Following that, instruct flash drive holders how maintenance will be done. See the next section.
A Word On Maintenance
It does no good to prepare this flash drive and not include a structured way to make sure it is current and complete. That was the idea up front in this article. Keep the most current version in the proper people’s hands and ready to use quickly.
One of the current methods to do this, at least from my experience, is to provide an automated way for each flash drive owner to log on quarterly and download the current information to the flash drive. This requires a procedure and conformance. It also requires a person or group to manage the process and be sure to have the consolidated BCP documents ready for download. Two of the clients have created such a procedure. It briefly involves a notification (e-mail) to each flash drive owner that a new version of the information is available for download. This is done quarterly. Then, as each owner signs on for the download, the monitoring process notes who has and has not done the required download.
Each company in the end did it their own way. The point is that there has to be some way to track and maintain the flash drive.
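One way to implement the tracking described above, shown as an added example that is not from the original article or any client's procedure: the release owner publishes a hash manifest with each quarterly release, each drive is checked against it, and the download log is compared with the list of drive holders. The file names, holder names, and version labels are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root, version):
    """Hash every file under root; published alongside each quarterly release."""
    root = Path(root)
    files = {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"version": version, "files": files}

def verify_drive(drive_root, manifest):
    """Compare a holder's drive with the published manifest."""
    actual = build_manifest(drive_root, manifest["version"])["files"]
    expected = manifest["files"]
    return {
        "missing": sorted(set(expected) - set(actual)),
        "stale": sorted(f for f in expected if f in actual and actual[f] != expected[f]),
        "unexpected": sorted(set(actual) - set(expected)),
    }

def overdue_holders(holders, download_log, current_version):
    """Holders with no logged download of the current release."""
    done = {who for who, version in download_log if version == current_version}
    return sorted(set(holders) - done)

def demo():
    # Constructed sample data: two tiny directories stand in for the master
    # document set and one team member's flash drive.
    with tempfile.TemporaryDirectory() as tmp:
        master, drive = Path(tmp, "master"), Path(tmp, "drive")
        for d in (master, drive):
            d.mkdir()
        (master / "bcp_plan.txt").write_text("Plan, Q3 revision")
        (master / "vendor_contacts.txt").write_text("Offsite vendor: 555-0100")
        (drive / "bcp_plan.txt").write_text("Plan, Q2 revision")  # old copy
        (drive / "old_notes.txt").write_text("leftover")          # not in the release
        manifest = build_manifest(master, "Q3")
        report = verify_drive(drive, manifest)
    log = [("alice", "Q3"), ("bob", "Q2")]  # constructed download log
    return report, overdue_holders(["alice", "bob", "carol"], log, "Q3")

if __name__ == "__main__":
    print(demo())
```

The check reads only the files on the drive, so a holder can run it on any laptop once the encrypted volume is unlocked, even with the company network down.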
A Few Security Concerns
Anytime critical company information is distributed – be it on a CD, laptop, printed materials, flash drive, tape, etc. – there are valid concerns, such as:
- How do you keep track of who has a flash drive?
- Who gets one in the first place?
- How can I manage this?
- What if it is lost?
- What if it gets stolen?
- Is HR (human resources) OK with this?
Why HR? The issue is privacy of information. Typically, plans include home phone numbers, cell numbers, etc. Check with HR and see what their position is.
I find in most ways using a flash drive isn’t any different than any other method of distributing critical information to those who need it. It is new. However, that alone is not a reason to ignore it. Our job is to give the information to trusted people and put in place a method to secure and manage it. All, of course, if it fits within company policy.
I like to share things that work. It’s a solution you may or may not be interested in. Give it a try if you feel it fits your situation. Remember, we all want to be able to respond quickly. Embrace the technology, but don’t do it without password and encryption capability.
To end, I can share that I’ve now worked with six companies to implement this approach – three are complete and three are in the evaluation process. One CIO did not like the idea initially. Control, distribution, security? All fair and valid concerns.
However, after the team members tested it, they all said it was a great value in terms of having the BCP documentation available and complete, even if the main computer center was down. The CIO kept an open mind, and when his issues were solved he became a complete supporter. I thank him for his concerns. It pushed us to find the correct solution.
Jan Persson, CDP, CBCP, has worked in the IT field since 1967. He began his formal disaster recovery involvement in 1980 by developing DR plans for numerous companies within a large conglomerate. In 1985 he started his own disaster recovery consulting practice, Persson Associates, a sole proprietorship. He has written and/or audited more than 400 DRP/BCP plans and worked closely with the three major disaster recovery vendors. He conducts DR/BC seminars, test exercises, and DRP/BCP plan development workshops, and continues to take an active, hands-on role in DRP/BCP project activities in all sizes of shops and environments.