Commentary: Protect the information first, stupid, not the systems
Homeland security gurus are preoccupied with protecting federal information systems. At a recent AFCEA International conference, speakers exhorted their audience to devote more attention and resources to backing up agency information systems against the possibility of terrorism incidents or natural disasters.
I am all for backing up systems, but those folks are approaching the matter the wrong way. To put it bluntly: You must protect the information first, stupid, not the systems. After you have identified the information critical to the organization's survival and quick recovery, only then do you safeguard the systems that process and store that data.
When agencies approach emergency preparedness and disaster recovery from this viewpoint, they may make several unpleasant discoveries.
First, they learn that the agency may not know what its critical information is because it has no vital records program. An organization needs vital records in order to conduct business outside normal operating conditions, and needs data dealing with the legal and financial rights of the organization and of persons directly affected by its actions. If the agency has not systematically identified those records and located their whereabouts, information system backup plans probably will be wide of the mark.
Second, when agencies look for vital records, they likely will find that much of the data is not in any information system at all. It is on paper in filing cabinets — a single copy only — and no one has ever thought of backing it up. Yet, should the paper go up in smoke, the agency could be out of commission for a long, long time.
Third, some information systems contain no vital data at all and are dispensable in the event of a disaster. The fact that the agency may have spent millions on the systems is certainly important, but the agency could be up and running soon after an emergency without those systems. This may be a deflating finding for information technology champions and caretakers of noncritical systems, but the truth sometimes hurts.
Finally, it astonishes me how often one learns that an agency has a functioning vital records program and a sophisticated continuity-of-operations plan, but the two operate in relative ignorance of each other. Failure to integrate vital records programs with continuity-of-operations planning means the agency understands neither what the programs are for nor the purpose of the planning. This situation is itself a disaster waiting to happen.
So I have a simple proposal for the Office of Management and Budget and the Homeland Security Department. Issue a call for every agency — and for every major component of large agencies — to certify that they have an up-to-date vital records program in place and that the program is integrated with the agency's continuity-of-operations plan. They will be surprised at the number of nonresponses they get.
Sprehe is president of Sprehe Information Management Associates Inc. in Washington, D.C. He can be reached at jtsprehe@jtsprehe.com.