DISASTER RECOVERY JOURNAL



Documentation

Security vs. Need-to-Know

By T.M. SMALLEY, BRP & JOHN GLENN, CRP

Recently there has been some discussion about business continuity plan security. As with most things, there are at least two opposing views, and each can make a valid case – one for an open document and one for a classified document.
And, as with most things, there is a middle ground that may satisfy almost everyone. There are two mutually exclusive givens:
1. There is a need for security; business continuity plans contain information that is valuable to a competitor, terrorist, or vandal.
2. There is a need to share knowledge to enhance the post-disaster event activities.
This article tries to bridge the gap between “security” and “need-to-know.” The information may be applied, with modifications, to any business, any non-profit, and any government agency.

Divide And Conquer
Most business continuity plans are built as “chapter books.”
Each chapter is an independent entity. By dividing the plan into chapters, the planner conquers both the problem of security and broad distribution of information.
There is one constant: the document and all of its components must be a controlled document. At a minimum, you must have an identifying name/ID for the entire document and something that delineates ownership of specific copies (Control ID). A footer must include revision dates, especially if only parts of the document are updated at a time. This helps ensure that everyone has the same information.
Since most document chapters should be short, it is not an onerous expense to reprint and distribute complete chapters when they are modified. Don’t depend on people to update their personal copies of the plan; swapping pages is never a high priority and the document will soon be useless.

Control ID
The control ID, and the related control ID list, let the plan manager know who has a document. If participants only have specific sections or parts of the plan, coding can be used to identify which chapters the plan participant holds.

Assuring Up-To-Date Documents
The most difficult documentation task for a plan manager is ensuring that all documents are up-to-date. A change page noting what changed, why, and when it was changed should be included with each change package, along with a sign-off sheet to be returned to the plan manager showing that the updates have been made. You may also have the replaced copy returned to the plan manager. Draft or updated hardcopy versions should be treated as confidential documents and shredded or disposed of according to company policy.

Chapter By Chapter
Most business continuity plan documents are progressive; each plan phase is added to the book as it is completed. By organizing the plan into chapters, various sections can have different distribution.
Some of the chapters are “public” and should be given the widest possible dissemination. Other chapters have a relatively low security level. A few chapters require more restrictions and should be considered “medium,” and one or two may even be “high.” The table (page 46) provides a “generic” table of contents with suggested security levels.

Publishing Options
There are several publishing options available to most planners.
Paper used to be the best method. Once a document is printed and distributed, it can be easily kept at hand. Multiple copies may be assigned to a single individual so that one copy can be on site and another at the person’s home or vehicle.
Some planners recommend additional methods of safeguarding paper plans such as printing on red paper that will not reproduce on the photocopier. While this may slow down someone who is determined to gain unauthorized access to the plan, it can also greatly hamper response efforts at the time of the emergency and is therefore not recommended.
Having the plan on a CD-ROM is another option, provided the planner can be assured that everyone has a computer on which to play the CD (on-site equipment may be unavailable – destroyed systems, no power, no chargers for laptop batteries, etc.). CDs are inexpensive and easily “burned.”
Many people find lengthy documents easier to read, work with, and share with others when printed, however, so access to a printer and heavy-duty copier (or “quick-print” vendor) will still be needed. Forms and checklists will also require hard copies.
The Internet and Intranet are additional options, but security and resource availability remain concerns. Electronic documentation and/or encryption can be used to increase security, but the concern is the user’s ability, and authority, to decrypt the data quickly and efficiently.

Bottom Line
Document control, chapterization, and reasonable application of a security scheme, while not guaranteeing sensitive information won’t fall into the “wrong hands,” at least reduce the risk while assuring that everyone with a need to know specific information has the information available.



T. M. Smalley is the manager of business resumption services for Charles Schwab & Co., Inc. She has been involved with disaster planning, management, response and recovery for more than 20 years with various agencies and corporations. Comments may be made to brplanners@hotmail.com.

John Glenn, CRP, has been involved with business continuity planning for Fortune 100s and state government since 1994. Other John Glenn articles are linked from http://johnglenncrp.0catch.com/articles.html . Comments may be made to JGlennCRP@yahoo.com.

Additional input was provided by Martin Ace Jackson, CM (Computer Maven).

To comment on this article, go to 1602-07 at www.drj.com/feedback.

 


©Copyright 2003 Systems Support Inc. All rights reserved. Reproduction in whole or in part in any form or medium without the express written permission of System Support Inc. is prohibited.