Disaster Recovery: Personal and Up Close
As we move into what the National Oceanic and Atmospheric Administration (NOAA) predicts as an above-normal Atlantic hurricane season, this month's column will focus on a little-considered aspect of disaster recovery: personal business continuity. What does business continuity have to do with security? Both are based on anticipating and planning for bad things. So don't be surprised when your boss wants you to be on the organization's disaster recovery team. You may be surprised at how much you can contribute.
By now most organizations have or are developing business continuity strategies and disaster recovery plans. (Disaster recovery is the act of recovering from a disaster, whereas business continuity is a broader term that includes anticipating and planning for bad things, as well as disaster recovery itself. Example: After the flood, Noah was practicing disaster recovery; before the flood, he was practicing business continuity.) Unfortunately, many plans ignore the human aspect. What about the people you expect to show up during and after the disaster?
The reality is that during a disaster most people's first concern is the survival and welfare of their family. A Kennedy School of Government study of the response to Hurricane Katrina observed that, in addition to flooded firehouses and equipment, the New Orleans Fire Department struggled with depleted manpower because some firefighters didn't show up for work. Similarly, when asked why city buses weren't used to evacuate more low-income citizens from the city before the hurricane, New Orleans Mayor Nagin stated, "Sure, there was [sic] lots of buses out there, but guess what? You can't find drivers that would stay behind with a Category 5 hurricane." (Lessons From Katrina and Rita, Todd Litman)
One of the nine general problems identified by Litman during Katrina and Rita was the failure to help evacuate families of essential staff (police, fire, transit, healthcare, utility, etc.) so they could concentrate on emergency response. It seems to me that if we want key employees to show up to assist in disaster recovery, we should implement procedures that provide for their families' security.
Fortunately, excellent assistance for individuals and families is available. Organizations such as the American Red Cross and the Federal Emergency Management Agency outline effective family emergency strategies. Organizations would be well served to work with key employees to assist them in implementing a family emergency plan. If they feel that their families are prepared to handle an emergency, a key employee is more likely to focus their primary attention on the organization's disaster recovery efforts.
When I began preparing a personal business continuity plan, however, I noticed that all of the recommended strategies had a 19th-century flavor. They focused on things like having three days of food and water but said very little about rebuilding your life in a 21st-century environment.
Where I live (the mountains of Montana), hurricanes aren't much of an issue, but forest fires, earthquakes, and volcanoes are. The most likely threat is a forest fire that would call for a sudden, perhaps very sudden, evacuation. If the Gulf Coast residents felt rushed when they had several days' warning, imagine an evacuation with five minutes' warning. The good news is that if my family and I make it out alive, food isn't a problem. We can buy some at a grocery store. Water will be available in the restroom of our new shelter, probably a high school gymnasium. What will be a problem is the information--financial information, personal information, business information, and medical information--that we will need to rebuild our 21st-century lives.
That was the genesis of the "Get and Go" bag--something we can grab on the way out the door. (Our bag is actually a small fire-proof box.) If we have the luxury of more time, then we can add stuff from the FEMA and Red Cross lists plus our computer backup hard disk. The contents of the "Get and Go" bag are coordinated with the contents of our safety deposit box. One of the problems encountered by New Orleans residents was that in many cases they couldn't access critical documents located in safe-deposit boxes for several weeks or more. On the other hand, the risk of house fire or theft makes it foolish to only store records at home. Both the safety deposit box and the "Get and Go" bag contain sufficient data to rebuild our lives. Deciding what is stored in each is an exercise in risk management.
The following list is meant as a starting point; it contains things on my list as well as items that might apply to others. Every individual's list is unique and should reflect their personal situation.
Grab and Go Bag
- Will and/or trust documents
- Powers of attorney
- Insurance policies
- Copies of birth/marriage certificates
- Social Security cards
- Passports & other identity documents
- Copy of vehicle titles
- Contact list: names, phone numbers, and email addresses
- Copy of driver's license
- Two-week supply of medications
- List of prescription medications and medical history
- Emergency cash
- Recent investment statements
- Recent tax return
- List of financial account numbers and institution (e.g. savings/checking information and credit card information)
- Safe-deposit box keys
- List of computer user names and passwords
- DVD of business and home computer contents
- DVD containing scans of documents in Safety-Deposit box
- Safe combinations
Safety Deposit Box
- Copies of will and/or trust
- Copies of powers of attorney
- List or copy of insurance policies
- Family birth/marriage/death certificates
- Copies of Social Security cards
- Copy of passports and other ID documents
- Vehicle titles
- Contact list: names, phone numbers, and email addresses
- Real estate deeds
- Loan agreements
- List of financial account numbers and institution (e.g. savings/checking information and credit card information)
- Mortgage paperwork
- Retirement Account Contracts
- Inventory of home contents (photos/list)
- Employment & Business contracts
- Adoption papers
- Citizenship papers
- Military service records
- Certificates of deposit
- Stock and bond certificates
- Jewelry/precious metals
One danger, of course, is that if someone steals your "Get and Go" bag, they potentially have everything needed to steal your identity. Prudence dictates that you encrypt or blank out sensitive data. For example, many of the documents can be scanned and stored on encrypted DVDs. (I use gold-backed archival DVDs for reliability.)
As security professionals, it is important that we convey the right message. Just as we buy life insurance to free ourselves from worry, we prepare for bad things, not because we are paranoid or paralyzed by fear, but rather because we accept the reality of our world, and, by preparing for bad events, we free ourselves to embrace life enthusiastically and optimistically.