Creation and maintenance of an information management disaster plan is a never-ending task. While it can be cumbersome, hard to obtain buy-in, and require an upfront cost, it is one of the most important documents that your office can create. Protecting your information is protecting your assets. You will be able to continue operations and meet objectives with less risk of serious disruption if you ensure that you have continuous access to your information.
This article will promote critical thinking and provide some guidance for developing your office’s information management disaster plan.
When reviewing this article and establishing your plan, keep in mind the impact of losing information is not always immediately apparent. Think of it like the domino effect. Lack of preparation may lead to permanent information loss, and permanent information loss leads to more time and expense when rebuilding. So, prepare with a short-term and long-term impact in mind.
What types of information is your government creating?
Where are your government’s offices geographically located?
Research which natural disasters the geographical location is prone to experiencing. Natural disasters are things like flooding, hurricanes, winter storms, strong winds, etc. Identifying the natural disasters will help to determine what emergency prevention and resources are required. The Federal Emergency Management Agency (FEMA) maintains the National Risk Index that helps identify the most applicable natural disasters to a geographical location.
Also research the impact of the information’s proximity to potential man-made hazards, for example the airport, military bases, plants or factories that handle hazardous or flammable material. Also, assess infrastructure that if faulty would cause lose of information. For e.g. If crossing a bridge is the only entry to the site, analyze how your government will access the information if that bridge were to collapse. Perform an inspection of any building that houses your government information. Check for mold, mildew, fire hazards, etc. You will not be able to predict all of the non-natural disasters that surround the location, but this will help you perform a thorough evaluation you can use to better target your plan.
What formats are the records in?
Is the information stored on a printed physical record, electronically, on a CD, microfilm? Each type of format is associated with a preparedness benefit and disaster risk. For e.g. Information on paper is secure based on papers longevity. Paper records lasts hundreds of years, if not thousands. However, paper records must be protected from water damage, sunlight, and on-site storage security risk.
On TSLAC’s website, we publish various security, storage, and preservation standards based on record format. These standards are implemented to mitigate the common disasters to which each format is prone. Review the applicable format laws, rules, and best practices for your government’s information when constructing the disaster plan. Contact your TSLAC analyst if you need further guidance or clarification.
Do you have a plan for your confidential and vital/essential records?
Both state agencies and local governments are required to identify vital/essential records and implement strategies and procedures that will protect these types of records during a disaster. For state agencies, State Records Management Law, Section 441.183 requires state agencies to “identify and take adequate steps to protect confidential and vital state records.” For local governments, the Local Government Records Act, Section 203.021 requires local governments “to facilitate the identification and protection of essential local government record.”
Both vital and essential records are defined as any government “record necessary to the resumption or continuation of government operations in an emergency or disaster, to the re-creation of the legal and financial status of the government, or to the protection and fulfillment of obligations to the people of the state.”
To help assess what constitutes “vital” and “essential” records, consider what information is absolutely critical and sensitive to your office’s financial, legal, and administrative responsibilities. Does your office create and/or maintain any of the following information?
- Information to ensure operations function;
- Information affiliated with your relationships with stakeholders;
- Information with ties to a legal or regulatory requirement;
- Information about employees, customers, or the general public; or
- Passwords.
To further help determine what information constitutes essential and vital, we have included some slides from our Introduction to Records Management training session.
What records require critical security measures?
Evaluate what type of information your government creates to determine what others might find valuable to use for their personal benefit or in bad faith and identify current access protections. It is never a good feeling to question others’ motives, but unfortunately, evaluating this question could identify gaps in your government’s disaster preparedness and mitigate the chance of the records being subject to illegal disclosures, access, or alterations. For e.g. If you are an ISD that is responsible for maintaining records of student transcripts, recognize in your plan that this is of high value to someone hoping to sell doctored transcripts. Outline and implement security measures to protect this information. A case study for how a government’s disaster preparedness plan can prevent harmful alteration and how a bad actor attempted to use government information in bad faith is the Oldsmar, Florida water treatment breach. This case study reveals the importance of implementing cybersecurity training to all employees, implementing systems that alert a government of risky alterations, and restricting the ability to alter information to specific locations to avoid bad actors from altering the information that results in a change to operations.
Prevent the risk within your capability.
Enlighten your employees on the associated risk and what they can do to mitigate the risk today.
Implement regular emergency training. A recurring training program ensures that employees are mindful of the prevention and response duties they are assigned and helps address any questions they have, such as, how to identify a risk or report their concerns related to a potential risk.
Outline the prevention methods in your government’s policies and procedures. Ensure employees are aware and understand their role and expectations in your government’s emergency prevention setup. Provide employees with a safe outlet for reporting potential risks. This ensures employees feel comfortable coming forward with any concerns.
Don’t do it alone.
Establish disaster preparedness teams. Put subject matters experts in a room together to brainstorm how to effectively approach the information management disaster plan. Once ideas are gathered, determine if the expectations are realistic. For e.g. If you have brainstormed that employees should work from home during winter storms, this makes sense on paper, but question if it will really work. Create and email a survey to all employees asking them if they are able to effectively work remotely. This will help determine potential broadband issues or tasks that cannot be performed remotely, etc.
Have teams establish an emergency response contact list. Include any external contacts your government has established a relationship with that should be notified by your government and will respond in an emergency event. Ensure all employees with a role in the emergency response are aware of their responsibilities and how to access the contact list during each type of disaster.
Routinely practice the emergency responses to help ensure employees are familiar with their role during disasters. Remember, when emotions are high it is easy to become overwhelmed and forgetful. Understand that generally an employee’s mind will be on their home life during a disaster, so you want to make this process as familiar and easy as possible. Routinely testing the emergency responses will help assess kinks in the plan. Talk to others within your industry about their emergency responses. This will help identify prevention methods that your government can utilize to untangle the kinks.
Other resources
- Disaster Preparedness Brief Checklist based off this TSLAC article. Note, this checklist does not constitute an extensive overview of what should be accounted for in a disaster preparedness plan.
- Essential record priority ranking spreadsheet based off TSLAC article, Hurricane Season Records Preparation.
- TSLAC article – Disaster Recovery Resources
- TSLAC article – Guest Blog: Preparedness Awareness – Hear thoughts from another Texas government office
- Research ARMA’s Maturity Model. Which is an assessment of five different levels of information vulnerability and brief action plans.