We defined these issues as follows:
The complete plan and supporting documentation must be widely distributed, geographically and within the corporate structure, to ensure redundancy in the event of personnel loss. Plan holders must be able to access their plans immediately and easily wherever they are, whenever needed.
The versions held by the plan holders must be the latest version of the plan.
The plan must be easily used when needed. This obviously requires it to be written, structured and accessible in an intuitive and searchable format. Ideally, the solution should have use beyond the BCP to encourage familiarity with technology.
Our plan contains information that the company would prefer to keep confidential. Other information is subject to privacy protection legislation, thus imposing a legal duty on us to ensure its protection.
The individual copies of the plan and supporting documents must be maintained with a minimum of manual intervention.
Each member of the senior executive and selected personnel across the organization now carries the entire BCP with him or her. A USB memory device (we call it a “fob”), not much larger than a car’s ignition key, is attached to a key ring or ID lanyard. The corporate BCP master copy is retained on a central server; when the master plan is updated, all holders are sent an e-mail reminder requesting them to insert their fobs into their desktop or laptop PCs and click on an icon to automatically update their plan. The batch file synchronises their copy with a password protected and encrypted version of the master copy and leaves a record of their plan having been updated. From inserting the fob to removing it after updating takes under a minute. With the latest version of the plan and a record of updates, this current system meets our selection criteria.
Smart-drives are sold under a variety of brand names with prices starting as low as $30 for 32-64 megabytes of memory. Using the USB port, current operating systems in both the PC and Mac worlds instantly recognize the device much like a removable hard drive or re-writeable CD. To the user, the fob becomes just another drive and its contents are accessed just like files on any other media, at speeds similar to most hard drive access.
By making the physical plan small enough to hang on a key ring, the chances of plan holders actually having the plan with them at all times are greatly increased. A drawback, of course, is that a PC is needed to actually access the information. Our plan holders have corporate laptops and home PCs, but with USB connectivity increasingly widespread, the entire plan may be accessed by its holder on virtually any available PC or Mac.
By geographically and organizationally distributing the holders, we have ensured that at least some copies and holders will survive anything short of a province-wide meteorite strike.
By using a relatively automated process to ensure that the plans are updated and to record the updating, BCP versions in circulation are current. Our current plan is organized into a set of resource and contingency files which are updated individually; the security encryption and compression process ensures only the most recent files are downloaded and replace out-of-date versions.
Essential to the plan is the accessibility of the information. To test this, plan holders have walked into computer retailer showrooms and simply inserted their fobs into any available computer. To ensure maximum usability, “viewers” are included on the fob so that the PC does not need anything more than a compatible operating system to read all files within the plan.
An old paradox applies to security issues: to ensure redundancy, distribution should be widespread, but to ensure privacy, distribution should be limited. By using software to create “self-decrypting archives” with 128-bit AES encryption, we achieve a balance in security. Self-extracting, encrypted files require a “pass phrase” to decrypt themselves. No special software is required on the PC. Security for parts of the plan can be maintained through nested passwords and separately encrypted files. While the whole plan exists on all holders’ fobs, only those with the password have access to critical files. Designing and controlling who gets those passwords maintains security. The loss of a fob will be detected by the absence of an entry for a required update. However, the finder of a fob is extremely unlikely to be able to unlock the files under current cryptography conditions.
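The lost-fob check described above (a missing update entry after a required update) can be run as a small audit over the update record. The following is an added example, not the authors' batch file or log: the log line format, holder names, version labels and the seven-day grace period are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: holder names, versions and timestamps are illustrative.
HOLDERS = ["ceo", "cfo", "ops-director", "it-manager"]

# Master plan releases (assumed): version -> time the e-mail reminder went out.
RELEASES = {
    "2024.1": datetime(2024, 1, 10, 9, 0),
    "2024.2": datetime(2024, 3, 4, 9, 0),
}

# Assumed record format, one line per sync: "timestamp holder version".
SYNC_LOG = """\
2024-01-10T10:12:00 ceo 2024.1
2024-01-10T11:40:00 cfo 2024.1
2024-01-11T08:05:00 ops-director 2024.1
2024-01-12T16:30:00 it-manager 2024.1
2024-03-04T09:30:00 ceo 2024.2
2024-03-05T14:02:00 ops-director 2024.2
2024-03-20T10:00:00 it-manager 2024.2
garbage line
"""

def parse_log(text):
    """Return {holder: {version: first sync time}}, skipping malformed lines."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        by_version = seen.setdefault(parts[1], {})
        if parts[2] not in by_version or ts < by_version[parts[2]]:
            by_version[parts[2]] = ts
    return seen

def audit(holders, releases, log_text, now, grace=timedelta(days=7)):
    """Classify each holder against the newest release of the master plan."""
    latest = max(releases, key=releases.get)
    deadline = releases[latest] + grace
    seen = parse_log(log_text)
    report = {}
    for h in holders:
        synced = seen.get(h, {}).get(latest)
        if synced is not None:
            report[h] = "current" if synced <= deadline else "late"
        else:
            # No entry for the required update: still inside the grace period,
            # or overdue (fob possibly lost, so follow up with the holder).
            report[h] = "pending" if now <= deadline else "overdue"
    return latest, report
```

Holders reported as "overdue" are the ones whose fobs should be accounted for, and whose pass phrases may need to be reviewed, before the next update is released.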
There are two levels of automation available to us. The most automated simply requires the holder to insert the fob into their office PC. Vendor-supplied software offers an “auto-run” option; as soon as the fob is detected, the synchronisation process begins and the log entry is made. The less automated option requires the plan holder to click on an icon to initiate a batch file on the fob. This method avoids tampering with “administration” rights on individual PCs and is nearly as simple as the auto-run option.
Our current plan uses less than 10 percent of the 256-megabyte capacity of the fob. We expect this to grow but the extra capacity is available for day-to-day use by its holder. Slide show presentations, large documents and personal files may be added or deleted without affecting the BCP files quietly residing on the fob. In a test or an actual disaster, the time from inserting the fob into a BCP port and entering the relevant pass phrases to being able to access, print or copy BCP plan components is a matter of minutes. The large capacity of the current fobs means the entire plan may be decrypted on to the fob without accessing other drives or files. We have also implemented a “clean-up” batch file that allows holders who test their BCP to delete all decrypted files without harm to their own data also residing on the fob.
Paper-based business continuity plans presented significant challenges to ensuring availability, security and currency. Plans distributed on CD are often too large to carry and less easily updated while those on floppy diskettes lack the capacity and security required for effective plan use. The arrival of affordable and small electronic storage options provides the opportunity to improve the effectiveness of our corporate BCP. There are drawbacks: a functioning PC must be available. However, our testing shows that virtually any relatively current PC in an Internet café, home, office, retailer, or hotel business centre is fully compatible so this limitation to the solution is not fatal.
This solution offers a low-cost, high-value method of distributing and keeping our BCP in the hands of key people. As technology improves, smaller fobs with greater capacity are likely to make this approach even more portable.
Andrew Wilson, B.A. (Hons), manager of corporate business continuity planning for Workers’ Compensation Board of British Columbia, has a background in research, information technology and systems, Internet, training and development, and most recently, business continuity. E-mail: firstname.lastname@example.org.
Terry Bogyo, B.S., M.B.A., has 22 years of experience in workers’ compensation and is the director of corporate planning for the Workers’ Compensation Board of British Columbia. E-mail: email@example.com.