Will key information be available during a crisis?

Will key information be available during a crisis? This is an essential question when you consider your crisis management and IT disaster recovery strategies.

Information is critical to our businesses. We cannot make good decisions without it. We identify the cause of issues based on it. In a crisis, without information, we may be making decisions or trying to contact appropriate parties like a myopic without his glasses.

What is the information that may be required during a crisis?

• The severity of the impact to business processes
• How long the crisis may last
• Internal contact lists
• External contact lists
• Crisis & Recovery Team members and responsibilities
• Recovery plans and checklists
• Business processing requirements
• Manual processing procedures
• Information on business risks

You have probably documented much of this information already. The questions to ask are: where is this information? Will it be readily available? Is it up-to-date? The following are issues we at MHA have seen as related to information needed during a crisis:

• Contact lists are out of date or not accessible.
  • Electronically stored information may or may not be available, even if it is in the “cloud.”
    • Cloud-based information requires Internet access – are you sure that is completely redundant with no single points of failure?
    • If it is on Exchange or some other system – what is the recovery timeframe? Are there any single points of failure? Can you access it remotely?
  • Paper in storage or soft copies on storage devices are often out of date the day after they are printed or stored.
  • Contact lists are constantly changing. In our experience developing contact lists, we see that sometimes team members have left the organization before the list has even been finalized.
    • This is the nature of lists. Only you can determine the appropriate update schedule and identify the single points of failure. Annual or bi-annual updates are not enough.
  • Secondary or tertiary team members are not identified.
    • People cannot work 24X7; secondary and tertiary team members are critical.
  • Risks to the business are not documented, but the Crisis Management team depends on this information.
  • Without basic risk information, time must be taken to perform the analysis and figure it out. Having critical process risk impacts identified ahead of time speeds up decision making during events.
  • Business processing requirements are not documented and require multiple teams – IT & business – to identify impacts and what processes are critical, their dependencies, and how to manually run those processes if necessary. Most organizations assume they can just start processing after systems are available. It is assumed everything is self-healing. We have found this is not the case.
  • Teams are hesitant to make decisions without first having all the information available. Some information may not or cannot be gathered. It is critical to determine if it is reasonable to expect that needed information can be obtained in a timely manner. If not, make the best decision based on the information available.
    • Preparing more information as part of the crisis management documentation will enable better decision making during a crisis situation.

The issue is not that the information cannot be obtained, but it may be difficult or take significant time to do so, restricting quick action or decision making that could minimize impact. Take a few minutes to assess if critical information is truly available during different crisis scenarios.

Read More about data backups and integrity in our post: Ransomware Defense