Divide And Conquer
Most business continuity plans are built as “chapter books.”
Each chapter is an independent entity. By dividing the plan into chapters, the planner conquers both the problem of security and broad distribution of information.
There is one constant: the document and all of its components must be a controlled document. At a minimum, you must have an identifying name/ID for the entire document and something that delineates ownership of specific copies (Control ID). A footer must include revision dates, especially if only parts of the document are updated at a time. This helps ensure that everyone has the same information.
Since most document chapters should be short, it is not an onerous expense to reprint and distribute complete chapters when they are modified. Don’t depend on people to update their personal copies of the plan; swapping pages is never a high priority and the document will soon be useless.
The control ID, and the related control ID list, let the plan manager know who has a document. If participants only have specific sections or parts of the plan, coding can be used to identify which chapters the plan participant holds.
Assuring Up-To-Date Documents
The most difficult documentation task for a plan manager is ensuring that all documents are up-to-date. A change page noting what changed, why, and when it was changed should be included with each change package, along with a sign-off sheet to be returned to the plan manager showing that the updates have been made. You may also have the replaced copy returned to the plan manager. Draft or updated hardcopy versions should be treated as confidential documents and shredded or disposed of according to company policy.
Chapter By Chapter
Most business continuity plan documents are progressive; each plan phase is added to the book as it is completed. By organizing the plan into chapters, various sections can have different distribution.
Some of the chapters are “public” and should be given the widest possible dissemination. Other chapters have a relatively low security level. A few chapters require more restrictions and should be considered “medium,” and one or two even may be “high.” The table (page 46) provides a “generic” table of contents with suggested security levels.
There are several publishing options available to most planners.
Paper used to be the best method. Once a document is printed and distributed, it can be easily kept at hand. Multiple copies may be assigned to a single individual so that one copy can be on site and another at the person’s home or vehicle.
Some planners recommend additional methods of safeguarding paper plans such as printing on red paper that will not reproduce on the photocopier. While this may slow down someone who is determined to gain unauthorized access to the plan, it can also greatly hamper response efforts at the time of the emergency and is therefore not recommended.
Having the plan on a CD-ROM is another option, providing the planner can be assured that everyone has a computer on which to play the CD (on-site equipment may be unavailable – destroyed systems, no power, no chargers for laptop batteries, etc). CDs are inexpensive and easily “burned.”
Many people find lengthy documents easier to read, work with and share with others when printed however, so access to a printer and heavy-duty copier (or “quick-print” vendor) will still be needed. Forms and checklists will also require hard copies.
The Internet and Intranet are additional options, but security and resource availability remain concerns. Electronic documentation and/or encryption are possible to increase security, but the concern is the users ability, and authority, to decrypt the data quickly and efficiently.
Document control, chapterization, and reasonable application of a security scheme, while not guaranteeing sensitive information won’t fall into the “wrong hands,” at least reduces the risk while assuring that everyone with a need to know specific information has the information available.
T. M. Smalley is the manager of business resumption services for Charles Schwab & Co., Inc. She has been involved with disaster planning, management, response and recovery for more than 20 years with various agencies and corporations. Comments may be made to firstname.lastname@example.org.
John Glenn, CRP, has been involved with business continuity planning for Fortune 100s and state government since 1994. Other John Glenn articles are linked from http://johnglenncrp.0catch.com/articles.html . Comments may be made to JGlennCRP@yahoo.com.
Additional input was provided by Martin Ace Jackson, CM (Computer Maven).