November 28, 2012 1:59 PM
Posted by: David Scott
Tags: 1 year plan, content management policy, content management system
We know that business success will increasingly depend on the most efficient use of its information assets. These assets must be centrally managed for security purposes, and for quick dissemination to where they’re needed. To do this, we need a special structure around data – all data – to manage it. But in the vast majority of organizations, information is scattered throughout a variety of resources and vessels. There is no cohesive, managed plan of access according to actual work, leverage, or liability to be had by the content of the individual information asset. The data is “unstructured” – that is, there is no ready “handle” by which to identify data according to its relevancy, its level of importance, or its possible liability.
We have things locked up on servers, workstations, filed in various cabinets, and piled on desks. Content is parsed, fragmented, dispersed, etc., between electronic documents, e-mail, images, and hardcopy – all being managed, if at all, within discrete “silos” of various “systems.” Under these circumstances, the content is not only difficult to leverage – it is difficult to ensure that the most current version of information is shared across the organization. It is even difficult to guarantee that the organization’s various disciplines are presenting compatible information to the outside. Yet, the Gartner Group reports that 80% of all information generated by business today consists of unstructured data. Compounding this situation is the estimate that the average employee spends 50% of his or her time looking for things.
What exactly is unstructured data? Unstructured data is anything that lies outside of a centrally managed, and accessible, “repository.” (A repository can have special meaning, and we’ll revisit it shortly). Unstructured data is generally in the form of documents, spreadsheets, presentations, e-mails, and any other electronic form for which no automated central control can be exercised.
A piece of unstructured electronic content (such as a document) does not represent a “record.” It does not belong to a community of other records, sharing similar structure and collective maintenance, through a common base of data: a database. Therefore, it’s not that we’re refusing to leverage these unstructured items (through the lever of common, related, or timely content); it’s that we’ve never had that lever with this unstructured material.
Unstructured data also exists in the form of hardcopy. When hardcopy has no centrally managed measures for leveraging content, we know that reinforcing subject matter can be scattered throughout all manner of departments and disciplines, residing in filing cabinets, on shelves, on desktops and in desk drawers. Frequently it’s stacked on the floor, or hidden away in boxes. Industry analysts estimate that Fortune 500 companies lose $12 billion each year because they cannot manage and take full advantage of unstructured content.
Regardless of your size – if you don’t know something exists, you can’t use it; if you can’t find it, you can’t use it; if you’ve lost it, you must recreate it; and if it takes time to find it, you’ve lessened your efficiency in using it. This kind of inefficiency and duplicated effort is plain unaffordable.
Unstructured Data’s Other Liability: Consider too that it is impossible for a central authority to state with ringing certainty that your organization is not harboring inappropriate content. Are you certain that employees aren’t downloading obscene or illegal material? Can you certify that people aren’t passing around defamatory information through e-mail? Can you be certain that employees are not using company e-mail accounts to post to Internet sites and blogs (web logs, message boards) that support positions or advocacy that is contrary to your organization’s positions? Can you be certain that employees aren’t using these same company accounts as reference when ordering products and services of questionable repute? All of these things leave an audit trail, outside the scope of your control in the absence of content management. These things can impact your organization’s good name and can bring harm to your business.
What about hardcopy? How can you know that laxity and carelessness aren’t contributing to loss of this material? Anyone can print out sensitive information, take it to an offsite meeting, and leave it behind. How do you know whether staff is complying with your Acceptable Use Policy for this content and associated resources? Without some kind of structure for review and report on data, you can be certain of nothing. This is the gross inefficiency and liability that springs from unstructured data, the associated lack of control, and the uncertainties it brings. Uncertainties will be increasingly unaffordable to business, as we shall see…
November 28, 2012 1:51 PM
Posted by: David Scott
Tags: acceptable use policy, content management policy, content management system
We must realize that managing your organization’s content requires a strong, steady commitment on Business’ part, and it must in fact be Business’ lead in getting this off the ground. There must be understanding and sanction from the top. There must be enterprise-wide sponsorship. There must be a strong business presence in the BIT meetings. In specific project management meetings, there must be a solid, knowledgeable business representative for each phase of the project’s implementation. In this regard, and most others, IT will help design and will deliver the crank that turns and satisfies the process – but Business must define the business requirements and expectations of the crank. The business process that the crank will turn must first be identified.
These needs of the business are based on its size, nature, number of locations, volume of content, regulatory requirements, risk management, protection against liabilities, employee oversight, and anything else the business requires of content management. Don’t make the mistake that so many other organizations make, on so many other initiatives: do not try to make this an IT-driven initiative. Business cannot drop content management on IT and say “take care of us.” This must be Business-driven. It is, after all, business content that will be managed according to internal and external requirements and standards best known by Business.
Remember that IT can, and should, do research and make suggestions. But remember too that IT’s primary purpose is to align a right-sized solution to the policy and process defined by, and required by, Business. When we make projects such as Content Management, and the creation of associated policies, Business-driven, we guarantee Business sanction, Business sponsorship, and full Business participation and commitment. IT’s participation in these regards is already guaranteed by its report to, and subordinate status to, Business. For Business and IT: Make sure that these understandings are “Where You Are.”
November 28, 2012 1:47 PM
Posted by: David Scott
Tags: 1 year plan
Once an organization’s documents are categorized, their content’s retention is then managed on a schedule. The schedule simply lists various categories of content based on taxonomy, each category’s retention period, and action taken on that content after the retention period expires. Only your organization can capture the comprehensive categories of documents relevant to your business. We cannot craft “generic” retention, and content management, policies here. Therefore, purely as an aid to understanding, let’s show some broad examples.
An organization should have a schedule for its “defining” documents; things such as records of incorporation, charters, business agreements, etc. These things are permanent. Other permanent items may include meeting minutes of board committees, minutes of evidentiary actions and consents, and records of settlements and releases, for example.
Beyond foundational documents, there will usually be a general schedule for organization-wide content types – things that any department grapples with (such as working papers, minutes to meetings, confidentiality agreements, personnel records, etc.).
In addition to this, each department will have its own schedule for content that is specific to that department (a Marketing department, for example, would produce a retention schedule for things such as marketing plans, sales reports, forecasts, etc.).
Taking Action on Content: Each department’s schedule rolls up to the organization’s main retention policy. As time goes by, reports are run on a routine basis – usually monthly, and usually by a person in the form of a content/records manager. The reports identify that month’s actionable content, in various categories. Action is driven according to content’s age from date of creation, and its having reached the end of the retention period. After review by appropriate authorities, the content is either archived or destroyed according to instruction in the Schedule.
Many templates for schedules of content management are available on the web. Organizations with their own legal resources will generate a good part of their retention schedules and content management policies there. Here it is important to understand the concepts so that you can begin to plan your system, and deliver proper expectations when evaluating vendors and implementing a solution.
A Retention Review: Retention drives a large part of your Content Management policy. All content should have a retention period based on categories of subject material (taxonomy); it is the categories that yield the length of the retention period based on business value of that particular category of content. A retention period can be extremely short, extremely long, and anything in between, from months to years. For example, meeting notes’ retention period can be extremely short: the schedule can dictate that once formal meeting minutes are produced, the notes are to be immediately destroyed. At the other end of the scale are things such as records of incorporation or organization, partnership and membership agreements, etc. These would be permanent. Other content can have a conditional retention period: you may choose to retain employee attendance records for a period of four years after the end of employment, for example.
Retention must comply with any laws governing content, and any other regulations. Also, your organization will be legally obligated to retain all content relevant to pending or reasonably anticipated litigation, investigations and administrative proceedings. Here, we cannot and do not want to be seen as advocating a system for obfuscating truth or sheltering an organization from consequence to actions of bad faith or bad business. However, in an age of many frivolous lawsuits, we can see value in reviewing content for potential liability on a proactive basis. We must recognize the importance in moving and removing “dead-value” content from our active environment.
We must maintain an efficient, relevant, useful bank of content, and that is a laudable goal and achievement. In fact, archiving and destroying content on a disciplined retention schedule has become a duty within the true Business-Technology Weave, and is a crucial process in our overall management of content.
November 28, 2012 1:01 PM
Posted by: David Scott
Tags: acceptable use policy, content and systems management, content management policy
We mentioned policy last time: Without a policy, your means of reporting on content will be less than comprehensive. Therefore, we must develop a specific Content Management Policy that concentrates on three basic things:
– Category of content (identifying it according to taxonomy [subject matter]). This categorization leads to our leverage of content;
– Retention of content: Retaining content for a period of time as defined by its category, against a prepared schedule for the retention/disposition of the various categories of content, in compliance with laws and any other regulations. This allows us to ensure that content remains reportable, known, and available during its useful life; and
– Disposing of it in an efficient manner (removing it from the active business environment at the end of its life, either through deletion or archiving). This allows us to remove content from the active environment, and helps to prevent the “glut” and liability of unmanaged information.
In this manner we help to secure content through its lifecycle. In defining the terms of content management, we’ll see that retention drives the policy.
Retention: Retention is the expected length of time that a piece of content will be in your active business environment. Retention helps to drive the efficiency that content management delivers. It sets the periods and dates whereby you can remove data from the active business environment, generally through deletion. A retention policy is part of your overall content management policy, and ensures that all business records are retained for a period of time that will reasonably assure the availability of those records when needed. Certain fundamental, vital, records are identified and appropriately safeguarded – their retention period is “permanent.”
Due to growth in business content and increasingly stringent compliance requirements, Business must recognize that we can’t keep everything forever – much content steadily loses value, ultimately having little or no value. Here we must recognize that over the course of time, any record that is not required to be maintained for legal or business reasons should be destroyed (or at the very least, removed from the active business environment, by virtue of some kind of archiving). This removal is necessary to reduce the high cost of storing, indexing, and handling the vast amount of documents and paper that otherwise accumulate. The retention part of content management ensures the minimization of storage and maintenance costs. It also helps to increase the efficiency in finding documents, and is an overall lever in building a tight, solid, fit of content to your business-intelligence needs. It becomes much easier to repurpose and combine data that is reinforcing to the projects and initiatives that business pursues.
So, how long do we retain specific information against the measure of time? For that, we refer to a retention schedule. Retention schedules indicate every major category of information the organization has, and the schedule for a disposition – such as destruction, or archiving. For our early understanding now, appreciate that once the schedule exists, we remove specific content according to that defined schedule of retention.
For example, you may have royalty records, within a comprehensive category. Your portion of the retention policy, and your chosen, defined, retention period for such records, may look something like this:
VII. Copyrights, Patents, Royalties, Licensees, Trademarks, Intellectual Property Rights, General Business Relation Agreements:
- Royalty records: Life of the patent or trademark, plus 5 years.
There are categories of documents that you would never archive or destroy. The retention policy accommodates these too – in fact, it protects them. For example, general corporate records specific to the creation of an organization, and detailing its constitution, partnerships, and qualifications to do business, etc. would be indicated as being ‘Permanent.’
Another example common to all organizations would be your handling of various personnel records. Your organization may choose to destroy performance appraisals five years after an individual’s departure, for example. Regardless of commonalities, a retention schedule acts on categories of content that the organization defines – the organization is serving itself. It sets retention according to its need, and in compliance with all Federal and State laws, and any other applicable regulations.
Further, our retention schedule can help clean up hardcopy content. We can help to eliminate the divide of electronic content from its hardcopy counterparts through an understanding of taxonomy (subject matter) – for purpose of categorization. We can then set an associated schedule for the management of retention according to the content of documents and records – regardless of physical form or media type. (This also leverages content’s use, removing liabilities of its form and even physical location).
A table of taxonomies will help your organization and its members to define types of content for categorization. Your retention schedule then defines the term for which you keep various kinds of content (according to category) – starting from an individual piece of content’s original creation date.
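The schedule mechanics described in this post and the retention post above (taxonomy category, retention period, disposition action, permanent records, conditional periods such as “five years after departure” or “life of the patent plus 5 years,” legal holds for pending litigation, and the monthly actionable-content report) as a small evaluator. This is an added example, not code from the blog; the category names, rules and sample inventory are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Hypothetical schedule: category -> retention rule, written to mirror the
# post's examples (permanent founding records, meeting notes destroyed once
# minutes are issued, appraisals kept five years after departure, royalty
# records kept for the life of the patent plus five years).

@dataclass(frozen=True)
class RetentionRule:
    years: Optional[int]        # None = "Permanent": never archived or destroyed
    trigger: str = "created"    # date the period runs from: "created" or a named event
    action: str = "destroy"     # disposition once the period expires: "destroy" or "archive"

SCHEDULE: Dict[str, RetentionRule] = {
    "records_of_incorporation": RetentionRule(years=None),
    "meeting_notes": RetentionRule(years=0, trigger="minutes_issued"),
    "performance_appraisal": RetentionRule(years=5, trigger="employment_ended"),
    "royalty_records": RetentionRule(years=5, trigger="patent_expired", action="archive"),
    "working_papers": RetentionRule(years=3, action="archive"),
}

@dataclass
class ContentItem:
    item_id: str
    category: str
    created: date
    events: Dict[str, date] = field(default_factory=dict)  # conditional triggers
    legal_hold: bool = False   # pending or anticipated litigation suspends disposition

def add_years(d: date, years: int) -> date:
    """Add whole years, clamping Feb 29 to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def disposition_date(item: ContentItem, rule: RetentionRule) -> Optional[date]:
    """Date the retention period expires, or None if permanent or not yet started."""
    if rule.years is None:
        return None
    start = item.created if rule.trigger == "created" else item.events.get(rule.trigger)
    if start is None:
        return None  # conditional period has not started (e.g. employee still employed)
    return add_years(start, rule.years)

def monthly_report(items: List[ContentItem], schedule: Dict[str, RetentionRule],
                   as_of: date) -> List[dict]:
    """Return the month's actionable and flagged items for the records manager."""
    report = []
    for item in items:
        rule = schedule.get(item.category)
        if rule is None:
            # No taxonomy entry: the item is unstructured and cannot be managed yet.
            report.append({"item": item.item_id, "category": item.category,
                           "status": "uncategorized", "action": "review", "due": None})
            continue
        due = disposition_date(item, rule)
        if due is None or due > as_of:
            continue  # permanent, not yet triggered, or still within its useful life
        status = "legal_hold" if item.legal_hold else "actionable"
        report.append({"item": item.item_id, "category": item.category,
                       "status": status, "action": rule.action, "due": due})
    return sorted(report, key=lambda e: e["item"])

# Constructed sample inventory, not real data.
AS_OF = date(2012, 11, 30)
SAMPLE_ITEMS = [
    ContentItem("DOC-001", "records_of_incorporation", date(1995, 4, 3)),
    ContentItem("DOC-002", "meeting_notes", date(2012, 10, 1),
                events={"minutes_issued": date(2012, 10, 15)}),
    ContentItem("DOC-003", "performance_appraisal", date(2005, 3, 1),
                events={"employment_ended": date(2007, 6, 30)}),
    ContentItem("DOC-004", "performance_appraisal", date(2010, 1, 1)),
    ContentItem("DOC-005", "royalty_records", date(1999, 8, 20),
                events={"patent_expired": date(2006, 1, 1)}, legal_hold=True),
    ContentItem("DOC-006", "working_papers", date(2011, 5, 5)),
    ContentItem("DOC-007", "deli_menu", date(2012, 2, 29)),
]

def run_sample_report() -> Dict[str, dict]:
    """Run the monthly report over the sample inventory, keyed by item id."""
    return {e["item"]: e for e in monthly_report(SAMPLE_ITEMS, SCHEDULE, AS_OF)}

if __name__ == "__main__":
    for entry in run_sample_report().values():
        print(entry)
```

Items under legal hold reach the report but carry a separate status, so the reviewing authority sees them without the schedule ever disposing of them automatically.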
November 28, 2012 12:56 PM
Posted by: David Scott
Tags: content management policy, content management system
Beyond mere accountability, the modern and evolving discipline of managed content is more sophisticated and powerful than anything previously established. We make content searchable and relevant to people in powerful new ways, in support of projects and disciplines within the organization. We find supporting and illuminating relationships between existing content that were previously hidden because there was no way to find or readily expose these relationships. We see new clues regarding markets, customers, products, services, trends, activities, and risks. As importantly, when new content is developed, we automate the assignment of key information fields to it so as to make this new content a part of our leveraged information assets. Instead of being buried under an explosion of content, we explode content to splay its purpose, relevancy and value. We then snap content together with other content to form a completed picture.
Imagine this: a scrambled jigsaw puzzle where the pieces reside in various departments, in various physical locations – perhaps all around the world – with individuals and groups working the various pieces in some measure of ignorance for the efforts and work of others. We now connect all the pieces with an interwoven thread. The thread guards against loss, and identifies puzzle pieces as relating to each other, among other things. On demand, an authority pulls a master thread, and all the pieces come together to form as complete a picture as the moment allows: not part of a picture, not a picture with missing pieces, not a picture that requires recreation of missing parts that had already been created – but a 100% collection of parts with corresponding context and fit to the other parts.
That is a large part of what content management delivers to business. It can be the assembly of information regarding something in process, such as status that reflects the true moment of progress. Or, it could be the review of completed project materials and all related effort. It can be a search for relevant supporting content when mounting a new initiative. Or, it can just be general research within your assets.
What’s important to recognize is that you get the complete, best, picture of the situation according to all assets, according to the moment. When we achieve this system of confidence and control, we gain enormous efficiency and leverage by reusing, re-purposing, and assembling content by optimizing its formerly hidden business value.
Reducing Exposure – Minimizing Liability: We’re also talking about a comprehensive process that can give a central authority a ready report, at any time, on all content in your organization, according to any criteria by which they query: What is its subject matter? Who created it; who has it; who’s been using it? What is its useful life? How does it relate to and support other content? Which members, customers, staff, projects, products, services, regulations, agencies, etc. does this content pertain to? Where are versions of similar content residing? Which version is current?
Accumulation of content contributes to inefficiency. Multiple versions and drafts of documents can exist in all sorts of locations. As things get passed around within the organization, and saved in various user and departmental folders, you build all sorts of redundant, near-redundant, and ultimately erroneous data. There may be content that was created by persons who have left the organization – there may be no one who can readily answer whether the content is correct. Outdated content, or content whose value is murky, should be weighed against some standard in order to determine its disposability.
Content management goes beyond eliminating “glut,” and yields the possible exposures (liabilities) that certain content may represent. For example, your organization may have all manner of outdated business policies, stored in various departments, which may be based on expired outside law and regulation. You wouldn’t want anyone taking action within such policy that no longer applies. How can you be sure that everyone is operating on the most recent issue of organizational policies? Another example may be emerging client relationships: relationships to you, and their relationships to other agencies. How do you best disseminate breaking information throughout the organization? How do you ensure it’s received? How do you ensure it supplants the old? How do you remove the old?
Policy: Content Management vs. Acceptable Use: Sooner or later, every organization is going to have some measure of policy for content’s management, and that measure will likely increase as time goes by. It is important to note here what a Content Management policy is, and what it is not.
It is for leveraging content, exposing and reducing specific liabilities, and for taking action on content in an administrative sense – reporting on, archiving, and destroying. It is not the central policy regarding expectations of appropriate use, and regarding actions taken in circumstances of willful abuse of content. Content management measures certainly do help to identify and expose abuse; however, the definitions of abuse, and measures regarding them, will be contained in the organization’s Acceptable Use Policy.
Jumping ahead slightly, this Acceptable Use Policy details appropriate use of all business resources, tools, and assets – including information. Your content management policy can point to the Acceptable Use Policy (or contain extracts from it) regarding things such as the improper access, accumulation, dissemination, removal, and destruction of information. But again, content management helps us to identify and leverage content toward a positive purpose; helps to limit liability and exposure; and to take administrative action on content. [We will discuss the Acceptable Use Policy later on this blog – if your organization is lacking such a policy, or needs a better one, stay tuned…].
Pairing Process and Policy: Any policy simply formalizes and documents the understanding of needs, shows the value to be had, and details the mandatory course and standards of actions – the process – in satisfying those needs and requirements. However, many processes find their way into practice without a formal policy. Either they don’t require much formal documentation and standards, or they stagger along without them. But, that cannot be the case with content management. There really is no middle ground with content: you either know what you have, or you don’t. You’re either actively managing your data environment – culling bad and leveraging good – or you’re not.
More to come…
November 26, 2012 11:03 AM
Posted by: David Scott
Tags: 1 year plan
Please see Part I below, or here.
Management of content is already well underway in some organizations – with varying degrees of success. But for most others it is a looming imperative. If you do not have a method for determining and using your information effectively throughout the organization, you will grow an ever-widening divide between your needs and your reality. That is, between the sheer necessity for effective use/leverage of business information – and the conditions of inefficiency and diminished returns that accrue with the accumulated glut of unmanaged information. You must avoid or close that divide now. Here’s why:
Business is faced with an explosion: it is the exponential growth of content. What exactly is “content”? It is any information that your business holds, whether known or unknown, and whether asset or liability. Whatever electronic information resides in your business systems, on your network, on workstations, in your e-mail system, on backup tapes, on all those scattered discs – is content. It also includes whatever information exists in the form of hardcopy – printed report output, written notes, mail you’ve accumulated, etc. – things existing in filing cabinets, bookshelves, and piled on desks. Whether electronic or hardcopy, content can exist as text, artwork, photos, presentations, etc. Really anything in your enterprise containing information of any sort, business and non-business related – is content. That menu from the corner deli is content, and if it’s in someone’s desk drawer, it is part of your organization’s content: your organization contains it. The importance of that realization will be made evident, but for now it is imperative that we understand that the organization is liable for all content it harbors. This is whether it’s harbored by design, or by accident. This understanding will be necessary as we talk about specific liabilities imposed by certain content.
Content: A Basic Understanding of Need
Content management can be illuminated further in very practical terms. Remember the old WYSIWYG (Wiz-ee-wig) acronym? What You See Is What You Get. WYSIWYG came about around the time of Windows-based applications, as they replaced DOS-based applications. At that time, a graphical user interface replaced a text interface. Software applications delivered to the screen the exact font, formatting, colors, and images that would be produced when you printed your work. Before WYSIWYG, what you saw on the screen was an approximation of your output – the screen showed, primarily, same-sized text. Fonts, sizes, graphics, and colors were represented by codes and symbols – you couldn’t confirm what you were getting until you printed, and often what you got was wrong.
Obviously ‘getting what is wrong’ is inefficient, counterproductive, and frustrating. This is no less true in the realm of content. Today’s challenge isn’t aesthetic correctness; it’s content correctness. Getting what you need. Content management can be thought of as WYNIWYG (Win-ee-wig): What You Need Is What You Get. And just as importantly, what you don’t need is what you get rid of.
The growth in content is paired with an increasingly important requirement. Whereas data management, or information management, was once viewed primarily as a concern regarding simple access, delivery, storage, and space – this data is now understood to have value beyond its face and local residency. It often has continued value beyond any immediate need, and becomes a leveraged asset across the organization as we develop, share, combine and repurpose content. Data’s content can also pose a potential liability – to the organization and to those with whom we do business. Content’s liability depends on its nature and, further, its exposure.
For these reasons there is a whole new realm of standards, within an already established (yet evolving) discipline, in basing the management of information according to content. This isn’t something that’s never been done before: electronic information on any computer network is managed to some degree according to content. Things are filed in specific folders, according to subject matter. Permissions are granted to users based on their need and the data’s nature and sensitivity, and so on. Hardcopy information too is filed, often locked in filing cabinets; access granted according to the content and who is authorized to access it. Your HR department’s hardcopy files, for example.
A Missing Accountability: But until fairly recently, most organizations had no comprehensive view of their content – those paper and electronic files that comprised the whole of their information. It’s true that IT had a certain handle on information – regarding disk space utilization, allocation of storage to users, and administering of electronic security. Too, departments, various bridging teams, and ad hoc groups would have some measure of knowledge regarding their specific content’s information. But no central authority knew, indeed no one could know, what exactly was on the organization’s computers or in its files in any comprehensive manner.
There was simply no practice, discipline and allied system for the central control of, knowledge of, and reporting for, content. An absence of accountability.
Next: Getting it; Using it; Re-using it; and Getting Rid of It
November 23, 2012 1:46 PM
Posted by: David Scott
Tags: 1 year plan
Business success requires the ability to develop, acquire, secure, make effective use of, and dispose of, information – content. Content is simply the information that your business contains, or harbors (as to the latter, harboring can be thought of as a virtual containment – such as in The Cloud). To start with, there are two basic categories of content: business content and non-business content. Within those are two subcategories: appropriate, and not appropriate. It’s quite simple.
Most business content is appropriate, so long as it has value and relevancy. Appropriate content is that information which is necessary in the pursuit and support of your business. Non-business content is those things that aren’t of direct necessity to business. Much non-business content is tolerated, and some is even essential: as a normal lubrication in your staff’s managing of important personal affairs, and in the support of general employee morale. In either main category of content, business or non, we’ll see that inappropriate content can exist, and can pose extreme liabilities. We’ll define inappropriate content shortly. We’ll see too that there are even emerging perils to the efficient use of appropriate content.
We find that we must first identify content. We’ll explore its relationship to successful business, understand how to maximize use of content as a leveraged asset, define and minimize liability posed by all content, and learn the importance of disposing of content that has lost its value. Once we have a good understanding of all of content management’s implications, we’ll examine ways to put a system of content management in place. Different organizations will need systems of differing sizes and sophistication. Therefore, a part of our discussion of systems will include your identification of a solutions partner – a vendor – and appropriate product.
However, long before we get to the “system,” we must have a thorough understanding of what content is, what a policy of content management really constitutes, and what the solution really entails:
The ‘Solution’ Must Solve
IT and Business have to keep something simple in mind. Remember that the policy, associated process, and support system must represent a solution: everything must leverage as being helpful to Business. This is a solution – not an empty burden. Here, as anywhere, we cannot afford the false “solution.”
This solution must:
1) Identify and leverage existing, new, and accumulating content for maximum business use and success;
2) Minimize liabilities involving: inefficient access and loss of business content; the unwanted accumulation of outdated content; the distribution of conflicting content; cost of storage; damage posed by unnecessary discovery and exposure; the unwanted accumulation of non-business and inappropriate content; and burgeoning overhead in meeting necessary regulatory requirements; and
3) Enable our ability to audit and report on content in an uncomplicated, fast, and effective way (in direct support of 1 and 2 above).
This will be a pairing of Business-driven policy and process with an appropriate technical solution; a further weave of business and technology. We build a sound policy, we define our process, including the right-sized technical support, we train staff, and we manage content. We complete a people, policy and process model: therefore we manage content by virtue of knowledgeable people, supported by a defined policy, supported by a sound process.
… So – how do we get there? Like most things, the devil is in the details.
Next: A Divide That Will Grow
November 11, 2012 9:45 AM
Posted by: David Scott
data theft, ID theft, identity theft
As identity theft grows in terms of volume, and awareness, ever more folks are taking precautions online. Job seekers can be at particular risk, as one’s guard is often down when the excitement of a strong job opening comes our way.
We know there are spurious websites offering products and services, while at the same time soliciting personal information: name; address; date of birth; credit card number; expiration; and so on. There are many other websites, legitimate and otherwise, that make the simple divulging of an e-mail address necessary – and frankly, that can be the beginning of identity theft.
Fortunately, most of us have robust malware protection, virus protection, and even spam guards in place. But recognize that most data breaches and identity thefts are due to human error and misjudgments. Even a routine online job search can carry peril.
In particular, be wary of job proposals or company notices that come your way on an unsolicited basis. Invitations to apply will include the divulging of highly personal information – and I don’t even give my name and address to someone or any entity that I don’t know, or can’t research to a very high degree of certainty for legitimacy.
As to that last point, it may in fact be difficult to certify a company as “legitimate.” Social media and marketing make it easy for false-front organizations to pose as legitimate enterprises, with products, services, and testimonials handily displayed on Facebook and other social media accounts or fancy webpages. However, regardless of your ability to certify the positive, you can dig for the negative: search the company’s name on the web with the word “scam” after it. Other terms that come to mind are “ripoff,” “illegal,” “court action,” “shut down,” etc. You get the idea.
These days, sad to say, you must limit personal information when sending a resume. Even when sending to a trusted, known entity or person, you cannot be entirely sure to whom that person will pass the information… and so on… through each iteration of passing it along. So: don’t divulge your birthday or your social security number. In the case of your present and past jobs, don’t reveal employee ID numbers. Professional certifications, licenses, badge numbers, etc., are also a no-go. Also keep in mind that there are websites that merely pose as known, high-profile organizations: verify web addresses. Navigate to any company’s legitimate website yourself – for example, don’t take hyperlinks that are delivered in e-mails for granted.
You should also be very circumspect about your education. Schools, years graduated, and other attendance information can give thieves a ready handle by virtue of alumni information, opening a view to all sorts of other data regarding you.
While online enablements offer broad powers to all sorts of human endeavor, be aware that these same deliver power to identity and data thieves. Job seekers need to exercise extreme caution: be sure to vet all sources and contacts.
October 31, 2012 2:13 PM
Posted by: David Scott
1 year plan
When we talk about Disaster Awareness, Preparedness, and Recovery, we stand a better chance of securing business in the real world.
The leverage to understanding and compliance is essential – DAPR forces not a different question but a set of questions:
“Are we prepared for disaster?”
“I guess so – we have a disaster recovery plan.”
“Do you have an updated awareness for current, evolving, and new disasters?”
“Well, let’s see – I guess we should list them.”
“Now that you have an awareness, are you prepared?”
“No. We’ve added some events, and we have a better understanding of others.”
“Are we properly prepared to prevent certain outcomes?”
“Prevention? I thought this was Disaster Recovery…?”
“Can you prevent harm where appropriate? For any “unpreventables” or the truly unforeseen, can you recover from those harming events – have you tested your preparedness?”
“Well, we’ll have to develop some tests, and then conduct them…”
As usual, we can leverage understanding in a powerful way when we set simple and accurate identifiers right up front. DAPR helps us to better know ‘where we are’ in getting to where we’re going (the destination of ultimate security). Disaster’s potential is a part of where we are, and we need an awareness of our surroundings as a part of that. Preparedness is a route to a destination – a journey – a ‘how do we get there’ factor. It leads us to the ‘where we’re going’ zones of prevention and recovery.
Awareness is required before you can achieve preparedness, and preparedness is necessary for requirements supporting prevention and recovery. Can you see the ‘where are we’, ‘how do we get there’, and ‘where are we going’ elements of the previous statement?
We then require the satisfaction of a test to indicate your level of success in arriving at a state of prevention or recovery – and in arriving at a properly sized DAPR position for any moment in time.
Who drives DAPR? One guess… particularly for Business, it is inadvisable to rely on a simple conversation with IT regarding this area. This is not to put down anyone’s IT endeavors, or disaster recovery efforts. This is simply because IT may feel that they’ve done the best they can regarding the security of business in this regard, based on the resources they’ve been able to lobby for (including Business’ attention). It also includes IT’s belief (whether erroneous or actual) that they’ve met the Business expectation, and mounted the best mission. But here again there is an ignorance in many organizations. Business may like the numb comfort it often has in this area: walking away with a simple “Yes, we’re covered” allows Business to go back to the core business focus of the day.
There is also a certain denial at work in many organizations, or a simple pushing aside of DAPR: “We’ll get to that next quarter, next year, soon,” etc. – or – “our vendor handles that.” But like all things in the Business-Technology Weave, the IT Enlightened Organization makes disaster awareness, preparedness, and recovery a Business-driven initiative too. Who owns “business-continuity?” IT? After all, it’s Business’ continuity. Further, IT can only establish DAPR according to its own allowance, safe-channel and lead – from Business’ sanction and support. When IT fulfills a Business expectation, Business has to make sure the expectation is sized appropriately.
To Business: You own it. It is your business that will suffer from a state of non-recovery. You must oversee DAPR, its maintenance, its evolution, its testing, and you must believe that you can rely on it to your satisfaction, values, and standards. IT will serve, participate, suggest, focus, and implement the mechanics of preventions and recoveries. IT will lead when that lead is designated by Business – but policy and planning must be driven by Business.
Understanding the Elements of DAPR: Because prevention of, and recovery from, harm is so central to security, let’s take a closer look at some of the fundamentals:
Awareness: Awareness starts with the board or governing body’s commitment to establish and maintain a Disaster Awareness, Preparedness, and Recovery (DAPR) policy and planning process. From here, all management and staff are made aware of their requirements. Everyone has a duty to conduct business in the best possible way, in the most secure fashion, in compliance with all policies and protections. Prevention of harm begins with awareness.
If harm comes, everyone has a duty in ensuring the ability to recover from it. It requires planning at every level in order to ensure that essential business of the organization is able to continue in the face of adverse events and circumstances.
Important projects like DAPR planning have to be approved and sanctioned at the highest level in order to secure the required level of commitment and resources throughout the organization. The sale for DAPR planning should be easy to make in today’s environment – for reasons we’ve touched on. Primary among them is one of business’ most important foundations, which we touched on earlier:
- An Awareness Regarding the Business Foundation: Business has shifted from a mostly linear, non-abstract system of paper, filing cabinets, adding machines, and largely non-intermediary systems of support – to a virtual, almost abstract environment. It is now one of electronic bits and bytes, accessible only through the intermediary of computer systems, allied applications, and associated availability. Further, there has been a steady expansion of this foundation. Growth of wide-area networks, their ties to the internet, their ties to other business locations, and remote access that ties in home and mobile computing and all manner of other access, has exploded the vulnerabilities to be managed. Thus, through the corresponding expansion of access to this foundation – there has been expansion of exposure and expanded risk of harm.
Remember that we are talking about a foundation to business here – not some “enhancement,” appendage, or luxury. This is a foundational underpinning that you cannot allow to be knocked out from under – otherwise your business “crashes”, and you cannot “do.”
Harm to this foundation can be unintentionally sourced: things such as earthquakes, power failures, weather damage, etc. Short of nature, harm can arise from simple human mistakes or oversights: someone can corrupt the content of a database by transferring the wrong information into it. Someone may accidentally delete or move (lose) entire structures of data, break important links, and throw crucial parts of business offline.
Harm from human interaction can also be intentional: things such as acts of sabotage from within or without, or terror attack. We’ll take a closer look at a number of specific risks when we discuss Threats. For now, awareness starts with a true appreciation for the vulnerability of this foundation, the sheer weight and range of disruption to business should this foundation be removed for any period, and the absolute necessity of securing it to the best possible degree.
Preparedness: Preparedness should first and foremost be seen as a posture of prevention from harm. Preparedness next defines action and resources in the event of harm. Preparedness begins with its contribution to policy, such that our awareness gets translated into a plan and an outcome. The plan can then be effected to meet the policy’s stated objectives.
You can combine your policy and plan: The XYZ Corporation’s Disaster Awareness, Preparedness & Recovery Policy and Plan. In fact, your policy will not completely take shape without the plan – they are reinforcing, particularly as they develop. But a firm sense of policy must precede the plan; so as to identify your organization’s concept of DAPR, and the basic principles and levels of prevention and recovery expected (you must know the ‘where you are’ of expectations before you can plan to your ‘where you’re going’ destination of deliverables).
The policy states the mission – the detail you deem essential in explaining your organization’s critical business functions, the expectations for preventions, the required recovery protocols for disastrous harm, and responsibilities. Further, it should expose the beliefs, values, and standards for these essential business functions and their dependencies, or supports.
Because resources are not unlimited, the organization must arrive at agreement on what constitutes the greatest risks, the likelihood of events, and the impact of those events on various ranked business elements. Once your organization has agreement among various lines of business, practices, departments, agencies, etc., you then have common beliefs in what merits protection – values – and can proceed with the plan for protection and recovery of those things. We can note here that you may not achieve total agreement, but in that case the belief will at least be an acknowledgment of, and agreement to, the compromises made and the actions resulting.
Once things have been prioritized, you can set various standards for prevention and recovery: the planning of the what, when, how, and where. When you’ve established the mission, beliefs, values, and standards through policy, and made the plan for meeting the policy’s objectives, you define the tests that you’ll employ to validate your recovery plan.
Recovery: Unlike other Business and IT objectives, your disaster recovery posture is usually never fully realized, and never fully known. That is to say, your ability to recover from disaster does not usually evidence itself (hopefully) in a real-world manifestation – and certainly (hopefully) not at the “10” of a 10-scale catastrophic chart. Conversely, almost anything else you do is reflected back to you in the form of real-world success and feedback. For example, if you launch a new product, it either succeeds in the marketplace, or it doesn’t. You may have tested it beforehand through survey or some small market, but you will have the ultimate arbiter of the real marketplace as your final ringing authority; it will either deem your product some measure of success, or deem it a failure. You won’t have to wonder.
Disaster recovery is something we hope never to test in the real world. Of course, right up front we know that we don’t want to experience disaster – that’s obvious. But secondarily, if there is a disaster, we don’t want our recovery efforts to be the first test. A test implies an unknown – will we pass or fail the test? That is the test’s purpose – to eliminate that unknown by exposing a true level of knowledge and ability.
Therefore, we want to test beforehand by virtue of simulations – and on some regularized basis, so as to expose points of failure, and areas where we can improve. Therefore, as our environment changes, our disaster recovery testing continually exposes and helps us to eliminate unknowns – divides between our ever-new requirements, and standards for recovery. This way, we can reasonably expect a yield of success in the form of a recovery that goes according to our plan, and meets our policy’s requirements when we have to deliver on a real-world “test.” As we eliminate those aforementioned unknowns, we – do what? – we add to our awareness – a key component of DAPR.
As best we can make it, recovery from disaster needs to be efficient, effective, predictable – and safe.
NP: Ringside at Condon’s: Eddie Condon and his combo, featuring “Wild Bill” Davison. Early microgroove 33 1/3 RPM on the Savoy label. Live and jammin’ in the club. Same signal chain. Great cover shot on the jacket.