Braving the storm: Maintaining disaster confidence as risk increases

Last year, 980 disasters worldwide resulted in a total loss of $110 billion. Any major disaster, from a severe storm and flooding to a full-blown hurricane, has the potential to hit suddenly and have a devastating impact on the facilities that house physical and digital records. Depending on the importance of the physical or digital records, even small incidents can cause significant financial and operational damages.

In addition to the increased threat of physical disruption, agencies also must contend with the ever-present danger of cyber attacks. Last year’s Sony hack demonstrated that even redundant backup sites are vulnerable when networked and are not a 100 percent effective safeguard. Even more recently, the Office of Personnel Management breaches proved how damaging a focused, sophisticated and large-scale cyber breach can have on the federal government. All of these factors have had an effect on agencies’ confidence, as nearly a quarter (22 percent) of federal records professionals are unsure or not confident that their agencies’ records would be accessible in the event of a disaster.

Agencies have an opportunity to improve these sub-optimal confidence levels and comply with the national preparedness goal in the Presidential Policy Directive 8 (PPD-8) by readdressing some of the key records management aspects of their continuity of operations (COOP) plans.

Establishing a comprehensive COOP plan that guards against the wide variety of risks facing federal agency records is no small task, but is absolutely possible with the right risk-management framework.

To develop COOP solutions that are compliant with federal standards for records and information management, and ready to withstand any of the aforementioned disaster possibilities, agencies must:

1. Organize and Assess
   Agencies looking to establish disaster confidence need to identify all relevant federally compliant records storage and COOP requirements. This includes portions of the federal government’s national continuity policy and federal continuity directives that outline strategies for identifying, protecting and making available vital electronic and physical records during a time of interruption. It is then critical for agencies to educate their employees on relevant requirements through proper training to ensure that the staff understands how these pertain to their day-to-day functions. Once understood, agencies can evaluate their records management policies and procedures by identifying applicable systems, analyzing inventories for federal records, and identifying the locations and volumes of federal records, including the facilities that house them.Through this detailed analysis, agencies should have a fairly complete view of their records, and any shortcomings in their current records management programs that would leave them vulnerable to disaster.
2. Develop and Implement
   Agencies should begin to mitigate any identified vulnerabilities by creating and managing their COOP project plan as well as revising their retention policy. Mitigation includes ensuring the COOP plan complies with appropriate service level agreements and establishing a records management policy. Some data management best practices that federal agencies can apply to address disaster recovery include:
   • Utilizing cloud solutions for automated, hands-off protection;
   • Establishing disk-to-disk-to-cloud solutions for mass recovery capability;
   • Implementing off-site back-up tapes for long-term retention and added security.

   For instance, to mitigate against the wide threat posed by natural disasters and focused cyberattacks, agencies can protect critical data faster by using a combination of cloud data replication and offsite tape vaulting to store backup and archive data. This approach can provide a layer of air-gapped protection from cyber attacks and duplicates agency assets across locations, ensuring one disaster cannot wipe out the entirety of information assets.

3. Manage and Audit
   Even after a COOP-ready records management program is in place, an agency’s job is not done. Establishing accountable oversight is just as important as creating a robust COOP program. This includes coordinating, deploying and managing federal records resources in addition to employing controls to create an auditable chain of custody. To manage the program more easily, following COOP protocols and best practices on a day-to-day basis will help agencies remain compliant. If agency employees are establishing accountability by consistently applying these best practices, such as properly classifying federal records, consistently executing the retention policy, and inspecting operations to confirm faithful execution of policy and procedures, it greatly reduces the risk and compliance burdens on agencies.

Once these components are in place, there is still little room for agencies to ease their efforts. Changing situations, such as a heightened risk of cyber attack or natural disasters (e.g., during hurricane season), mandate that COOP plans are updated to counterbalance introduced uncertainty. It remains vital that even after program managers are satisfied that procedures are being properly adhered to, agencies should continue to monitor COOP requirements for any changes, modifying their plans accordingly and running regular COOP exercises.

The heightened risk environments experienced by federal agencies make now a critical time to update their COOP programs. Although properly anticipating federal information management needs, especially as they relate to unexpected disasters, is a complex and difficult endeavor, it is necessary nonetheless. By following this process, agencies will have the proper framework for better anticipating and deflecting disaster-related risk to their information, no matter the source.

Tyler Morris is the director of product management for Iron Mountain Government Services.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.