If you are responsible for managing a business continuity management system (BCMS), you will need to establish a process for managing a lot of information -- in the form of documents and other electronic records -- as part of your BCMS activities.
The following are likely to be among the documents that need to be included in your document management system:
Project plans, reports to management, requests for proposals (RFPs), service-level agreements (SLAs), vendor contracts, maintenance contracts, emails and other messages.
Business continuity reports
Business impact analysis reports, risk analysis reports, assessments and gap analysis reports, internal and external audit reports, supply chain analysis reports, vendor assessment reports, post-exercise reports and post-event after-action reports.
Emergency response team rosters, incident response team rosters, BC/DR team rosters, first-responder rosters and lists of authorized system users.
Awareness materials, training program materials, network diagrams, data center diagrams, alternate office location details and work area recovery site details.
Standards and regulations
Domestic and global standards, federal and state regulations, industry (e.g., banking) regulations and specialized regulations (e.g., Health Insurance Portability and Accountability Act, Occupational Health and Safety Act).
Section 7.5, Documented Information, of the global business continuity standard ISO 22301:2012, Societal Security -- Business Continuity Management Systems -- Requirements, provides a useful foundation for establishing the procedures and controls for a document management system. In addition, both the companion document to ISO 22301, ISO 22313:2012, and the Business Continuity Institute's Good Practice Guidelines (2013 edition) provide guidance on document management systems.
Tips for document management systems
Secure storage and ease of retrieval are two key criteria in effective document management systems. Such systems can be far reaching, often including primary storage systems, backup systems, desktop systems, laptops, collaboration systems (e.g., SharePoint), cloud-based storage systems, remote data centers and others.
Be sure that access control of your document management systems is limited to those with a need to know; unauthorized access may result in stolen or damaged files and information.
Hard-copy documents (e.g., system contracts, SLAs, warranties and maintenance agreements) may be scanned into a PDF format for storage. Ensure that document originals are stored in secure, environmentally safe and fireproof locations.
Store primary copies of relevant files on-site for ease of access, and ensure they are also backed up to an off-site location that is secure.
Document management systems should include a document management policy that specifies which files and documents must be stored, how they are to be stored, where they can be stored, how and when they are updated, and when backups must occur. The policy should also specify access rules for document retrieval, version control rules, document approvals, document distribution, archival time frames, and rules for file or document destruction.
Include document management controls as part of BCMS audit activities. Review document management procedures at least annually, and update them when appropriate.
Include procedures in BC/DR plans to access and retrieve documents during an actual disaster, especially one that requires relocation to an alternate office, alternate work area, DR hot site, local hotel or other venue. Establish a priority list of critical documents (e.g., BC/DR plans, emergency contact lists, incident response plans) that you must have so you can effectively manage response and recovery efforts.
If you use an emergency toolkit to provide you with the resources you'll need for a disaster, be sure to include copies of all relevant documents in the toolkit, including hard copies of key documents, as well as thumb drives or other convenient storage devices.
When planning a BC/DR exercise, consider adding a document retrieval component to the exercise script. This will ensure that you and your emergency teams can quickly locate the information you need to manage a BC activity (e.g., relocating to another office) or facilitate the recovery of a critical IT system at a backup location.
Your document management systems should also include a document-naming convention (specify this in the policy) to simplify the process of locating and retrieving documents.
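The naming convention, version control, annual review and off-site backup rules described above can be checked automatically against a document register. The script below is an added example, not code from the original article or its author; it assumes a hypothetical naming convention of the form DEPT-DOCTYPE-Title_Words-vMAJOR.MINOR-YYYYMMDD.ext and a constructed sample register, and flags non-conforming names, superseded versions that should be archived, documents whose review is more than a year old, and critical documents with no off-site copy.

```python
"""Policy checks over a BCMS document register (added example, not the article's code)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Hypothetical naming convention (an assumption made for this example):
#   <DEPT>-<DOCTYPE>-<Title_Words>-v<major>.<minor>-<YYYYMMDD>.<ext>
NAME_RE = re.compile(
    r"^(?P<dept>[A-Z]{2,5})-"
    r"(?P<doctype>PLAN|ROSTER|BIA|RISK|AUDIT|SLA|CONTRACT|REPORT)-"
    r"(?P<title>[A-Za-z0-9]+(?:_[A-Za-z0-9]+)*)-"
    r"v(?P<major>\d+)\.(?P<minor>\d+)-"
    r"(?P<date>\d{8})\.(?P<ext>pdf|docx|xlsx)$"
)
REVIEW_INTERVAL = timedelta(days=365)  # "review at least annually"


@dataclass(frozen=True)
class DocRecord:
    filename: str
    owner: str
    last_review: date
    critical: bool        # on the priority list of documents needed during a disaster
    offsite_backup: bool  # a copy exists at a secure off-site location


def parse_name(filename: str) -> dict | None:
    """Return the convention's fields for a filename, or None if it does not conform."""
    m = NAME_RE.match(filename)
    if m is None:
        return None
    fields = m.groupdict()
    try:
        fields["date"] = datetime.strptime(fields["date"], "%Y%m%d").date()
    except ValueError:
        return None  # e.g. 20231345 looks like a date but is not one
    fields["major"] = int(fields["major"])
    fields["minor"] = int(fields["minor"])
    return fields


def check_register(register: list[DocRecord], today: date) -> list[tuple[str, str]]:
    """Run the policy checks; return sorted (filename, issue) pairs."""
    findings: list[tuple[str, str]] = []
    versions: dict[tuple[str, str, str], list[tuple[int, int, str]]] = defaultdict(list)

    for rec in register:
        parsed = parse_name(rec.filename)
        if parsed is None:
            findings.append((rec.filename, "filename does not follow the naming convention"))
        else:
            key = (parsed["dept"], parsed["doctype"], parsed["title"])
            versions[key].append((parsed["major"], parsed["minor"], rec.filename))
        if today - rec.last_review > REVIEW_INTERVAL:
            findings.append((rec.filename, "review overdue (older than 365 days)"))
        if rec.critical and not rec.offsite_backup:
            findings.append((rec.filename, "critical document has no off-site backup"))

    # Version control: only the highest version of a document is current;
    # older versions should be archived according to the policy's archival rules.
    for vers in versions.values():
        vers.sort()
        latest = vers[-1][2]
        for _, _, fname in vers[:-1]:
            findings.append((fname, f"superseded by {latest}; archive per policy"))

    return sorted(findings)


# Constructed sample register (fictitious documents, not real data).
SAMPLE_REGISTER = [
    DocRecord("BC-PLAN-DR_Runbook-v2.1-20230901.pdf", "bcm-lead", date(2023, 9, 1), True, True),
    DocRecord("BC-PLAN-DR_Runbook-v2.0-20220110.pdf", "bcm-lead", date(2022, 1, 10), True, True),
    DocRecord("HR-ROSTER-Emergency_Contacts-v1.0-20231201.xlsx", "hr-ops", date(2023, 12, 1), True, False),
    DocRecord("dr plan final FINAL.docx", "unknown", date(2023, 6, 1), False, True),
]

if __name__ == "__main__":
    for fname, issue in check_register(SAMPLE_REGISTER, date(2024, 3, 1)):
        print(f"{fname}: {issue}")
```

Run as a scheduled job, the sorted findings list gives an auditable report for the annual review of document management controls; the same register can also carry the owner and classification fields the policy requires, so that access rules and destruction dates can be checked in the same pass.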
Check out ARMA International's Generally Accepted Recordkeeping Principles to identify additional ways to manage your documents. ARMA has also developed the Maturity Model for Information Governance, which specifies five levels of excellence in records management.
If you store documents in a cloud-based storage solution, ensure that the provider's security provisions are strong enough that your information cannot be viewed or stolen.
About the author:
Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant and auditor, and is secretary of the U.S. chapter of the Business Continuity Institute and member of the BCI Global Membership Council. He can be reached at [email protected].