Document Disaster Preparedness
How to Protect Yourself from Information Loss Due to a Disaster
For most organizations, it’s not if a disaster will happen, but when it will happen and how severe it will be. Nearly three out of four organizations (73%) are at risk of failing to recover from a serious outage or disaster, according to the Disaster Recovery Preparedness Council.
What follows is an overview of how to protect mission-critical documents in the event of a natural, man-made, or IT disaster. Although this is not the same as a disaster recovery plan, your first focus should be on preventing or minimizing information loss.
How to Develop a Records Disaster Preparedness Plan
The first step is to inventory your most critical documents. You may be wondering what constitutes a critical document, and how long you need to keep those documents. The most obvious definition of a mission-critical document is any document that your organization can’t afford to lose. Additionally, make sure to include documents regulated by state and federal compliance standards.
There are numerous laws and regulations regarding document retention, including tax audit procedures by the Internal Revenue Service (IRS), employment laws such as the Fair Labor Standards Act (FSLA), the Health Insurance Portability and Accountability Act (HIPAA), the Employee Retirement and Income Security Act (ERISA), and mandates by the Occupational Safety and Health Administration (OSHA). To help you get started on a critical document inventory, consider our example Document Retention Schedule with links to state-specific guidelines:
For each critical document, answer the following questions:
- Where is the original document/file?
- Are there at least two backup copies?
- Where are the backups located?
- What are the steps to retrieval/recovery?
- Are all versions user-restricted?
After you have identified and inventoried your critical documents, the next step is to assess threats:
The easiest disasters to prepare for are the ones experts usually see coming: natural disasters. Your business or organization will face different environmental threats based on your location, but it’s important that you carefully consider all types of natural threats (and your associated risk) to ensure that all appropriate steps are taken to protect critical data in the event of a disaster. When evaluating natural disasters (earthquakes, hurricanes, tornadoes, etc.), use the following assessment levels to measure your risk:
- Defined: Events of this nature occur frequently in the immediate vicinity
- Credible: Events of this nature occur periodically in the immediate vicinity
- Potential: Events of this nature occur sporadically in the region
- Minimal: There is no history of this type of event in the area
As part of your assessment, you’ll need to examine supporting information to evaluate the relative likelihood of occurrence for each threat. For natural disasters, historical data concerning frequency of occurrence and forecasting tools can be used to determine the credibility (and potential impact) of environmental threats to mission-critical documents. Here are some resources that can help:
- USGS Earthquake Map
- USGS National Landslide Hazards Map
- NTHMP Tsunami Map
- FEMA Flood Map
- FWAC Wildfire Map
- US Tornadoes Tornado Threat Forecast
The steps you take to secure and protect documents should account for the threat posed by the above natural threats. For example, if you determine there is a credible threat of wildfire, consider storing mission-critical documents in a fireproof safe.
Natural disasters pose a threat to your documents, and so does the very building in which they’re housed. As part of your document disaster threat assessment, carefully consider the state of your facilities and how to mitigate potential loss from a structural collapse or flooding. This is not an easy assessment to do yourself; it requires knowledge of building elements such as structural engineering, plumbing, and electrical wiring.
Questions you will need to answer to assess structural threats to your critical documents and data include:
- Are there any plumbing lines (cold water, hot water, sewage, etc.) in the immediate vicinity of filing cabinets, document safes or servers? If so, are any sections at risk of leaking or bursting?
- Are there sprinklers or other fire suppression systems within the immediate vicinity? Are they functional? Have they been tested?
- Are the main utility shut-off valves and switches (water, gas and electricity) easily accessible? Are any special keys or tools needed to access to turn off these valves and switches?
- Is there a threat of collapse immediately above or below document and data storage areas? If you have a large document repository or heavy server stack above the first floor, is the floor strong enough to support the added weight?
Your building manager or facilities director will be able to assist you with the requested threat assessments. To help narrow the focus of your “investigation,” ask your building expert to look specifically for threats immediately near areas of data and document storage. Site-specific hazards include:
- Water leakage
- Foundation damage
- Building integrity
- Drainage obstruction
- Utilities damage
- Insulation damage
- Safety system integrity
- Control system access
Make sure you have your building manager’s emergency contact information in case you need to contact him or her in the event of a disaster to mitigate document damage and loss.
As reported in Computer Weekly, figures obtained by Egress Software Technologies (via a Freedom of Information request) found that human error accounted for almost two-thirds (62%) of data breaches reported to the UK’s Information Commissioner’s Office in 2016. By comparison, insecure webpages and hacking were only responsible for 9% of the incidents reported.
That’s not to say that IT security is a non-factor, but in the limited scope of document retention and emergency preparedness, you are more likely to lose data resulting from a natural disaster or accidental deletion than an intrusive data breach. Even in a worst-case scenario, cyber criminals usually only steal data—they don’t necessarily delete it. You should make sure your IT department has measures in place to prevent intrusions, but equally important is to make sure that all critical digital information is backed up and accessible in the event of a power outage or data loss.
A good starting point is to make sure your critical documents adhere to the “3-2-1 rule” of data backup.
- Create three copies of data (one primary + two backups)
- Store data on at least two types of media (local network, USB drive, private server, etc.)
- Keep one copy offsite (secure physical storage, cloud service, etc.)
Another IT consideration is how often critical data is being backed up (locally or in the cloud). Important files should be backed up at a minimum once a week, preferably once every 24 hours. If you utilize a cloud-based document hosting service, find out how often data is backed up and whether it occurs automatically or needs to be performed manually.
Finally, make sure that your digital data recovery strategies are working. Every so often, perform a “test” to see if you can access backup copies at a moment’s notice. To do this, simply save a test file and go through the actual steps of backing it up. Then, delete the primary version (the original) and see whether you can easily access the backups, how soon you can access them, and if they are identical to the original.
Ask your IT department for help developing a data backup plan if you don’t currently have one in place.
When disaster strikes, will you know who to call? Your ability to get in touch with the right people at a moment’s notice can mean the difference between a hiccup and a catastrophe. As part of your contingency planning efforts, collect contact information for anyone you may need to reach in the event of an emergency:
- Building Manager/Facilities Director
- IT Administrator
- Office Administrator
- Human Resources Manager/Director
- Cloud-Service Provider
Putting It All Together – Free Document Disaster Preparedness Template
We’ve put together a template to help you plan for and mitigate a document-related disaster. This should be a “living” document that is updated regularly to ensure all information is accurate and up-to-date. Also consider printing out a physical copy and keeping with other disaster preparedness and recovery documents for access in the event of a power outage.
Other Document Retention and Disaster Preparedness Resources
Disaster preparedness is a weighty topic, and our overview is by no means exhaustive or definitive. To help you learn more, below are some additional resources related to document retention and disaster preparedness:
Have You Considered the Cloud?
Whether you’re trying to get more from an existing document management system or are considering a new approach altogether, BMI can improve your secure storage and your access to critical information. In addition to our secure, cloud-hosted document hosting applications, our partnership with RagingWire allows us to lay that extra blanket of security on your records before they go to sleep at night.
Learn more about BMI’s cloud document management and hosting solutions.