Industrial facilities are vulnerable to innate risks, targeted threats, and security breaches. These vulnerabilities vary according to the location, site characteristics, operations, and hazards. Site-specific response plans are often required by regulatory agencies to address these vulnerabilities. To counteract potential incidents relating to vulnerabilities and comply with government mandates, response plans are shared with regulators, auditors, inspectors, and responders. However, in order to minimize additional vulnerabilities, applicable confidential information should be secured from unauthorized individuals.
Response Plans must be shared, but information security must be a priority. There are generally three basic means to share response plans with recipients.
1) Paper plans
Long before tablet computers and smart phones, companies composed and shared binder-bound response plans. These plans, which are still used in large numbers today, were/are mailed to agencies, printed for auditors and inspectors, and reproduced for response stakeholders. Paper plan accessibility is limited to physical distribution tactics. This traditional concept may not provide the security measures necessary for the modern world. Paper plans share the following common pitfalls, possibly rendering non-compliance and an ineffective response.
Paper plans are often:
- Inaccessible: Most plan users will only have a paper copy and will not carry it wherever they go. Because of the lack of accessibility, it is often difficult for a program managers to know when plans were last updated, or approved by regulatory agencies.
- Inefficient: Repeated information updates, especially in multiple plans, is time consuming There are often duplicate or overlapping information requirements from one plan type to another, and for multiple facilities.
- Out of date: Having multiple versions of plans in various locations leads to version confusion. It is often difficult to determine and document when company, site, or personnel information has changed. Example: Corporate emergency manager's contact information may reside in many plans. If/when that person's contact information changes, it has to be physically changed in each plan.
- Inconsistent: Plan formats usually vary from one facility to another, making it difficult to manage training and compliance efforts.
- Cumbersome: A company may have multiple plan types, documents, and records for various regulatory agencies. During an audit, inspection, or response, the pure physicality of paper plans can be hindering.
2) Intranet-based plans
Some companies host response plans on their local intranet, or company network. These plans can often be accessed remotely through a Virtual Private Network (VPN). In order to establish a VPN connection with a company's server, the endpoints are typically authenticated to secure access. Plans can be shared through a VPN connection, potentially expanding the accessibility to approved viewers.
Secured access has been historically accomplished through passwords, personal data advanced biometrics, or a combination of security means. Once the connection is made, authorized individuals should be able to securely access a company's network. However, as recent headlines have revealed, company networks are often vulnerable to hackers, data breaches, and network attacks, potentially exposing private company information and broadening vulnerabilities. Companies must prioritize network security, especially when response plans are hosted within this critical business function.
In a variety of scenarios or in the event of an emergency, company servers may be inaccessible; rendering responders ill informed when response information is needed most. It is imperative to regularly back up response data and establish an alternate means to retrieve necessary response information in the event that site and/or company network is involved in the incident.
Although plan accessibility may be improved with an intranet system, the plans may still be subject to some of the same pitfalls as paper plans:
Efficiency and consistency across multiple plans remains challenging and time consuming when documents utilize separate static word-based files.
As mobile technology advances and becomes more commonplace, many companies are beginning to realize the benefits of web-based emergency response planning systems. Web-based emergency response planning systems offer secured, immediate, and direct access to your emergency response plans from any computer. Since company response plans are no longer stored in a single, centralized location, the risk of inaccessibility, loss, or damage of these critical records in an emergency situation is minimized. More importantly, since every member of your team can easily locate and navigate your emergency response plans at a moment’s notice through a password protected website, your incident response time and management capabilities improve dramatically.
For organizations with multiple facilities and locations, web-based response planning provides site-specific emergency response plans that integrate seamlessly with your organization-wide procedures and policies. This optimizes the opportunity for every location to remain in compliance with state, federal and municipal regulations.
Response plans that utilize an informational database, plans securely open to the latest plan version, providing ability for plans to be shared or printed for auditor analysis and inspectors’ review.
Some benefits of a web-based business continuity system include:
- Instantaneous Accessibility: A web-based planning system software offers every option of instant accessibility:
- Viewed via the Internet from any location
Web-based response plans increase accessibility options while improving efficiency, functionality, and effectiveness.
- Efficiency: The most advanced web-based software programs utilize a database, allowing for repetitive information to be duplicated in all plan types across an entire enterprise. By minimizing administratively tasking duties, plan changes are more likely to be performed, thereby improving accuracy of the plans. Web-based plans can provide hyperlinks, forms libraries, simplified interfaces, and other tools designed to improve functionality for plan users.
- Instantaneous Updates: Revised information is immediately available to all stakeholders. Web-based, database driven plans utilize one database to manage this information, effectively leveraging plan revision efforts to all plans that utilize that data.
Web-based response plans offer the greatest secured accessibility option for stakeholders, auditors, and inspectors while bolstering an entire emergency management program.