HOME  |   SOLUTIONS  |   PRODUCTS  |   SERVICES  |   RESOURCES  |   PARTNERS  |   OUR COMPANY

By Dennis Hines, PureSafety

It's 8:15 Monday morning. You've just poured yourself your first cup of coffee and slid into your well-worn chair - gently settling into a new week. As you sip your coffee, staring expectantly at your slowly booting computer, your phone rings loudly beside you - it's the IT department. They tell you that system you've been storing your compliance records on has just done a triple back flip and crashed hard. They're working on it, but it doesn't look good. It may be a complete loss.

How would you respond? Could you relax and enjoy your coffee - knowing that your data is protected, or would you quietly begin collecting your personal belongings and sneak out the back door before management catches wind of the impending disaster. Hopefully, you would be savoring your coffee and not making a 100-yard dash toward unemployment, but if you can't say for sure it might be a good idea to make a quick assessment of just how well your electronic records are currently being protected.

The amount of data that an average business can generate is staggering. Budgets, agendas, policies, and, yes, even compliance data can accrue at a dizzying pace.

As more and more safety departments go digital, so too do their safety records. Collecting and organizing this information can become a daily burden for an average safety professional and most simply don't have the time to worry about the systems storing their information.

In an ideal world, each company's IT group would seamlessly handle the management and protection of this data. Armed with unlimited resources and scores of engaging technology professionals they would silently ensure that business systems perform flawlessly. Of course the vast majority of us are not so lucky. The reality in most businesses is that, like EH&S departments, IT shops are typically overwhelmed with responsibilities and are pressured to get the job done with the least overhead possible. As a result, some things inevitably slip through the cracks.

So how then do safety departments make sure that their data is protected? The answer, obviously, is not to expect safety personnel to become technology experts and begin administering their own systems (though as an IT guy I do understand the allure - computers can be awfully exciting!). However, taking a little time to learn a little about the systems and processes that protect your data could mean the difference between a minor inconvenience and a major catastrophe.

Here are a few tips to help ensure that your important EH&S data is secure and accessible 24/7:

For records stored on internal systems, it is obviously important to work with your company's internal IT department or technical consulting firm. Request a meeting with the group that is responsible for maintaining the systems your data is stored on so that you can get a good feeling for the technological safeguards that have been put in place. If they're resistant to your inquiries, offer them doughnuts. IT guys will do anything for doughnuts.

Once you have them softened up with sweets, here are some important questions to ask about the technologies and processes that they should have in place to protect your data.

• Where is the data being stored? Obviously it's being placed on some sort of computer, but what type? Is it a server-class machine with a redundant architecture or simply a glorified PC? PCs have come a long way over the years, but as most of us know, they are prone to problems and the occasional catastrophic failure. Server-class machines on the other hand are built specifically to act as file or application servers and have more robust architectures that are less likely to experience problems.
  
  If your data is being stored on a server-class machine, just how reliable is the equipment? Does it have built in redundancy so that the failure of one device (like a power supply or network card) doesn't render the system inoperable? Is it located in a protected room with fire suppression and environmental controls? Of particular importance here is insuring that the system uses redundant disk drives known as RAID's (Redundant Array of Inexpensive Disks). In a RAID, your data is written across several different drives so that the failure of one drive will not result in the loss of your records. Items like spare power supplies or network cards ensure that your systems maintain availability, but a RAID maintains both data availability and integrity. While the availability of your data is important, it is typically far more critical that the data be preserved. I think we would all rather risk a system outage - even for a day or two - than potentially risk losing years worth of critical data.
• Is the data regularly backed up? This is your last line of defense against data loss - the one that you hope you never have to use. In the event of a catastrophic system error or a disaster (fire, tornado, etc.) at your site, having your data safely stored on some type of offline media (tape, CD, etc.) is obviously critical. Determining how often your data should be backed up will depend on a number of factors, but most businesses that I've worked with have, at a minimum, performed daily backups of all important data and moved their media offsite on a weekly basis. Whatever the case, it is imperative that regular copies are made and that they are periodically moved to a secure offsite location.

• What security mechanisms are in place to protect systems from hackers, viruses, etc? The risks discussed so far have mainly revolved around system failures or, on the extreme end, natural disasters. As anyone who has spent much time online will attest, there are other, more nefarious risks to computer systems. Hackers, viruses, worms, disgruntled employees, etc. can all pose a risk to data that is not adequately secured. Although many lengthy books have been dedicated to computer security, there are a few basic safeguards that every company should consider:
  • Who has access to the data? Too many companies make the mistake of granting virtually unlimited access to company data - assuming the best of their employees. Even if no one were to intentionally delete or alter records (a generally poor assumption to make), employees all too often accidentally overwrite or delete files. Preventing this can be as simple as setting restrictive permissions on files or within applications. For example, don't grant someone the ability to alter data if all they need to do is lookup records.
  • Is an antivirus package installed? Viruses are simply a fact of life for computer users these days. Simply put, no system should be operated without an antivirus package that is regularly updated against new attacks. The risk of infection in today's interconnected world is just too high to risk going without one.
  • Is the system protected from malicious activities? The most well known protection for systems against hackers is a firewall. Firewalls are devices that restrict the network activity between networks and are absolutely essential - particularly as a buffer between a company's internal network and the Internet. However, firewalls are not a silver bullet against hackers. Systems must also be configured so that they are resistant to remote exploits. This is known as "hardening" a system. Most successful hacker attacks are the result of systems not being hardened against known vulnerabilities in the software that they are running. Ongoing software updates (or hotfixes) are also absolutely critical.

Needless to say, the items listed above apply not only to internal systems, but external ones as well. If your company uses a 3rd party application service provider (ASP) to assist with EHS process management and to store related records, it is equally important to make sure that the ASP is following best practices for protecting your data. Before deciding on a particular provider, ask them about the systems and processes that they have in place to address the questions posed above. All too many ASP's cut corners on data protection to save costs, potentially putting your data at significant risk. Don't be fooled by professional marketing materials or their salesperson's good poker face. Call their bluff and ask that they put their cards on the table. Many companies are getting by without a winning hand.

If you've made it this far, your head is likely spinning from everything that it takes to adequately protect your electronic records. While it can seem daunting at first, like any business initiative the difficulty is getting the systems and processes established. Once in place, they require surprisingly little effort to maintain. Of course, hopefully when you sit down with your IT group or ASP, you'll find that they already have their bases covered and you can sleep peacefully, knowing your records are safe and secure. If so, at worst you'll only be out a box of doughnuts.

Written by Dennis Hines, in the September issue of ISHN (Industrial Safety & Hygiene News)

Articles/White Papers » Article List Brochures » Download Center Demo Center » Online Safety Training » Prognos™ Software » EHS Course Demos » Custom Course Demos » OSHA 10-Hour Demos » Request Live Demo eNewsletter » Archive » Subscribe Industry Links » Agencies, Associations    and Resources Success Stories » Amerex » Cricket Communications » Darling International » Harvey Industries » Pacific Coast Steel » View All Success Stories