Backup and Backup Retention Policy

The Backup and Backup Retention policy is an 11 page sample policy that is a complete policy which can be implemented immediately. 

The document is provided in both Word 2003 and Word 2007 format and is easily modified.  This policy is included in the Disaster Recovery / Business Continuity Template.

Below is a table from the policy:

Individual Policies

All of the policies that are provided here are contained within one or more of the templates that are on this site. These policies have been added as individual documents in WORD format (WORD 2003 and WORD 2007) for those clients who just need this particular policy.  All policies are Sarbanes-Oxley, HIPAA, and Patriot Act compliant.

Record Management, Retention, and Destruction Policy

The Record Management, Retention, and Destruction is a detail policy template which can be utilized on day one to create a records management process.  Included with the policy are forms for establishing the record management retention and destruction schedule and a full job description with responsibilities for the Manager Records Administration.

You areas included with this policy template are:

• Record retention requirements for SOX sections 103a, 302, 404, 409, 801a and 802.
• Policy
• Standard
  • Scope
  • Responsibilities
  • Record Management
  • Compliance and Enforcement
  • Email Retention and Compliance
• Job Description Manager Record Administrator
• 12 forms for Record Retention and Disposition Schedule

You can download the Table of Contents and selected pages for this policy template.

Internet,
e-Mail,
Mobile Device,
Electronic Communications, and
Record Retention 
Policy

This policy is is compliant with all recent legislation (SOX, HIPAA, Patriot Act, and Sensitive information), and covers:

• Appropriate Use of Equipment
• Mobile Devices
• Internet Access
• Electronic Mail
• Retention of Email on Personal Systems
• E-mail and Business Records Retention
• Copyrighted Materials
• Banned Activities
• Ownership of Information
• Security
• Sarbanes-Oxley
• Abuse

Included with the policy are forms that can be used to facilitate the implementation of the policy. Included are these ready to use forms:

• Internet & Electronic Communication Employee Acknowledgement
• E-Mail - Employee Acknowledgement
• Internet Use Approval Form
• Internet Access Request Form
• Security Access Application Form

Outsourcing Policy

Outsourcing Policy - This policy is eighteen page in length and defines everything that is need for function to be outsourced.  The policy comes as a Microsoft Word document that can be modified as needed.  The template has been updated to include a HIPAA audit program definition in length and covers:

• Outsourcing Management Standard
  • Service Level Agreement
  • Responsibility
• Outsourcing Policy
  • Policy Statement
  • Goal
• Approval Standard
  • Base Case
  • Responsibilities

Note: Look at the Practical Guide for Outsourcing over 110 page document for a more extensive process for outsourcing

Sensitive Information Policy

Includes HIPAA Audit Program Guide and a PCI Audit Program

This policy is easily modified and defines how to treat Credit Card, Social Security, Employee, and Customer Data.  The template is 29 pages in length and complies with Sarbanes Oxley Section 404, ISO 27000 (17799), and HIPAA.  The PCI Audit Program that is included is an additional 50 plus pages in length.

This policy applies to the entire enterprise, its vendors, its suppliers (including outsourcers) and co-location providers and facilities regardless of the methods used to store and retrieve sensitive information (e.g. online processing, outsourced to a third party, Internet, Intranet or swipe terminals). 

The HIPAA Audit Program Guide provides you with a checklist of the must be implemented items which HIPAA mandates. 

You can download the Table of Contents and some sample pages by clicking on the link below.

Travel and Off-Site Meeting Policy

Travel and Off-Site Meeting Policy - Protection of data and software is often is complicated by the fact that it can be accessed from remote locations. As individuals travel and attend off-site meetings with other  employees, contractors, suppliers and customers data and software can be compromised.  This policy is seven (7) page in length and covers:

• Laptop and PDA Security
• Wireless and Virtual Private Networks (VPN)
• Data and Application Security
• Public Shared Resources
• Minimizing attention
• Off-Site Meetings
• Remote Computing Best Practices

This policy has been updated to reflect the requirements of PCI-DSS, Sarbanes-Oxley, HIPAA, and ISO.  The policy comes as both a WORD file and a PDF file utilizing a standard CSS style sheet.

IT and Backup Retention News

Disaster Recovery Business Continuity for Remote Offices

Data residing outside the data center at remote and branch offices (ROBOs) accounts for a significant portion of an enterprise's information store, yet it often either is protected with inefficient backup processes or is not protected at all -- leaving companies at risk on many fronts.

In a recent research report, high priority projects for ROBOs included improving information security measures; ensuring compliance with government, industry or corporate governance mandates; and improving Disaster Recovery Business Continuity processes.

Disaster Plan & Business Continuity Infrastructure

The key technology elements of a Disaster Recovery Plan and Business Continuity Plan (DRP/BCP) infrastructure are the primary data center, a remote site that duplicates the resources in that primary location and the method used to get files (master and transaction) between the two sites - such as high-bandwidth network connections. The best DRP/BCP strategies follow a "redundant every-thing" philosophy throughout the data center. Multiple mainframes and servers should run in the production and backup data facilities. Then, if a component in the production system encounters problems, it immediately fails over to the local backup as a first line of defense.

Power supplies and communication links are one of the most critical components in a DRP/BCP strategy.

Maximum Tolerable Period of Disruption (MTPOD) is an issue

The concept of Maximum Tolerable Period of Disruption (MTPOD) is an issue with the introduction of British Standard 25999-2.  When applied appropriately, MTPOD will improve management's understanding of your disaster recovery business continuity program and clarifies your enterprise's recovery priorities.

BS 25999-2, Section 4 says that the goal of a business impact analysis is to "determine the impact of any disruption of the activities that support the organization's key products and services." A key aspect of determining the impact of a disruption is identifying what BS 25999 calls the "Maximum Tolerable Period of Disruption," or MTPOD. BS 25999 defines MTPOD as the "duration after which an organization's viability will be irrevocably threatened if product and service delivery cannot be resumed."  MTPOD is the maximum amount of time that the organization's key products or services can be unavailable or undeliverable before its stakeholders realize unacceptable consequences.

The full application of this concept can mean rethinking how a business impact analysis  is approached. While many DRP / BCP professionals start a business impact analysis   by gathering data from individual departments, MTPOD forces them to first look at products and services. Disaster Recovery and Business continuity professionals should understand downtime tolerance, taking into account:

• Customer expectations
• Regulatory requirements
• Reputational issues
• Financial and operational impairment
• Strategic consequences.

Based on management input, disaster recovery / business continuity professionals can propose preliminary Maximum Tolerable Periods of Disruption for key products or services within the scope of the business continuity program.

Once MTPOD is established for key products and services, the traditional business impact analysis  or service. From there, the business impact analysis  can either validate or disagree with preliminary MTPOD conclusions. In addition, the business impact analysis  does identify the department, function and process details that are needed to achieve the MTPOD.

Perhaps most importantly, the disaster recovery / business continuity professional must understand the amount of time required to perform the process or activity in order to deliver the product or service to its key stakeholders (internal or external). This is referred to as cycle time. For example, in a manufacturing company, cycle time would be how long it takes to obtain the necessary stock, manufacture the product, and deliver it to the customer.

With an understanding of MTPOD and cycle time, the business continuity professional can identify what is commonly accepted as the core output of the business impact analysis   - the recovery time objective, or RTO. RTO is the point in time following a disruption when operations must resume (at a minimum level) in order to meet downtime tolerances.

Defining a Functional Disaster Recovery Business Continuity Plan

What makes a truly functional disaster recovery business continuity solution is the ability to restore full systems and enterprise operations quickly, in a matter of hours or even minutes, using available computing resources, which may be local, but may also be remote.

True disaster recovery and business continuity plans must allow for recovery from site-wide disasters, such as a hurricane. The primary site may be completely down, due to a lack of power and network connectivity. The secondary site located in a non-affected area would be used to restore services until the primary site comes back online.

Many enterprises opt for remote Disaster Recovery Business Continuity site(s) for such scenarios. Many system administrators opt for virtual servers, which use asynchronous replication to replicate both the data and virtual machines to the secondary site, which has several standby servers. That way if they need to activate the secondary site, they just direct the activity to the virtual machines and all the systems are back up and running with the latest data.

Template Tools for CIOs

Disaster planning is an essential component of preserving your institution’s collections. With a written disaster plan, libraries, archives, museums, historical societies, and other collection-holding institutions can reduce the risk of disaster and minimize losses. dPlan is perfect for small and medium-sized institutions that do not have in-house preservation staff. dPlan is also valuable for large library systems or museum campuses that need to develop separate but related plans for multiple buildings, locations, or branches.

The Janco Disaster Recovery / Business Continuity Plan Template can help you create a plan for disaster prevention and response. This template will help you:

• Prepare for the most likely emergencies,
• Respond quickly to minimize damage if disaster strikes, and
• Recover effectively from disaster while continuing to provide services to your community.

Google flops on its conversion to IPv6 from IPv4

Google flops on its conversion to IPv6 from IPv4. Widespread outages involving several Google services--including search, Google Docs, and Gmail--were caused by an upgrade gone awry inside of Google, according McAfee.  The outage began at 8:13 a.m. PDT, according to McAfee's data, and was fixed by 9:14 a.m. PDT.  A senior manager at McAfee said that Google attempted to make changes to key Internet routing numbers--known as autonomous system numbers--as part of its ongoing transition from an older networking standard (IPv4) to a newer one called IPv6. An unknown "bug" inside Google's network prevented Internet service providers from finding Google's new ASNs on the Internet--effectively blocking its services.

Not all Internet users were affected, but some that use larger providers--such as AT&T or Verizon--appeared to be disproportionately hurt because large ISPs "peer" with Google, or interconnect their networks with Google's networks in order to improve speed and reduce bandwidth costs. Not all customers at those providers were affected, and smaller ISPs that did not interconnect their networks were able to route around the problem.

Mid-Sized Firms are at Risk When Disasters Occur

Many firms are inadequately protected and mistakenly think that a disaster is rare and won't happen to them anytime soon.

SMBs’ prioritization of disaster recovery, backup and high availability for 2008 shows that businesses understand the risks to their business and the value of protection. However, many organizations still errantly think that backup is a sufficient disaster recovery plan. But, mid-sized enterprises are at the most risk to disaster and are more likely to rely strictly on backup as a disaster recovery plan.

The needs and resources of mid-market firms are unique. Midsized companies must work with limited finances infrastructure and human resources. Robust disaster recovery used to be affordable and manageable only by large enterprises. Mid-sized enterprises relied more on backup than on a formal disaster recovery plan. As businesses' reliance on IT has grown, backup has increasingly shown its weaknesses. However, the introduction and maturation of several key technologies, such as virtualization, have brought affordable and easily implementable disaster recovery  to small and mid-sized companies. SMBs do not always equate virtualization with disaster recovery  because awareness of the many virtualization applications is just starting to grow.

Project plan for developing and maintaining a Disaster Plan

There are a number of approaches that have been used by Janco’s clients to create a Disaster Recovery / Business Continuity Plan.  One, which several have used, is to start with the Janco Disaster Recovery Business Continuity Template and implement a seven-step process (a subset of the project plan which is included in the template) using the tools included with the template.  The process is as follows:

1. Develop the contingency planning policy statement. A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan.
2. Conduct the business impact analysis (BIA). The BIA helps to identify and prioritize critical IT systems and components.
3. Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
4. Develop recovery strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
5. Develop an IT contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
6. Plan testing, training and exercises. Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
7. Plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements.

Backup Service Providers May Not Be Enough

Your data is only as safe as its most recent backup.  But what happens when you have worked on your laptop with enterprise critical data and it is lost or damaged.  You data is only as redundant as the integrity of the data that you have stored on your servers, but in this case you may have a compliance issue that you have not addressed. For companies that service customers in the cloud, if they cannot offer 99.9999% uptime and absolutely ensure data backup and restoration, they might as well not be in business.

There are a few issues at hand here. Not only must the backup provider ensure that the data is accurately and securely backed up whereby every packet and byte is accounted for, but you must also ensure that when the time comes, the data is "clean" enough to be plugged back into the system without a hiccup. It's the hiccup that companies need to avoid which is why they look for ways to backup their data to begin with, however they aren't always as proactive as the results they were expecting.

Encryption and Disaster Recovery Planning

Common data encryption rules are a requirement and represent interoperability when developing your backup strategy for your disaster recovery business continuity plan.  When enterprise protect data at rest such as when a USB drive is unplugged, or when a laptop is powered down, or when an administrator pulls a drive from a server, it cannot be brought back up and read without first giving a cryptographically-strong password. If you do not have that, the media is a brick and you cannot even sell it on eBay.

For enterprises rolling out security across PCs, laptops and servers, standardized hardware encryption translates into minimum-security configuration at installation, along with higher performance with low overhead. The specifications enable support for strong access control and, once set at the management level, the encryption cannot be turned off by end-users.

DHS Stresses Need for Communication Capability in Disaster Recovery

The Homeland Security requirements for communications interoperability include:

• Ability of agencies to talk across disciplines - via voice, data, image, video, or multimedia that include multiple forms of information.
• Ability to communicate and share information as authorized when it is needed, where it is needed, and in a mode or form that allows the practitioners to effectively use it.

Since a disaster or business interruption event or incident can happen anywhere, key staff members must have data communications on the scene, as well as away from the scene (at home), for command control and information to complete their missions. Homeland Security requirements have recognized the need for temporary networks that can form automatically on-scene among first responders. Temporary networks must be able to integrate with larger temporary or fixed networks, but need to be independent of fixed infrastructure in case the latter is disabled. Because disaster or business interruption scenes often expand as incidents develop, temporary networks need to be capable of expanding easily with the scene.

Cost of Computer and System Outage

Maintaining productivity during a business interruption

Enterprises are being forced to take a new look at their business continuity and disaster recovery plans because of the prospect of business closures, terrorist attacks, and/or pandemics - epidemics affecting wide geographical areas for weeks or months.

Planners are contemplating new scenarios, in which massive closures in business along with a major disaster like a terrorist attack or a pandemic that limit travel and prevent workers from congregating in offices.

The striking new challenge is how to maintain employee productivity when the workforce is confined to their homes or other remote locations. The question is how can a company go from 10% of its employees working outside of the office to 80%?

Key issues facing enterprises that might need to turn office workers into mobile workers, rapidly and in large numbers include:

• The technical and human challenges of supporting business processes during and after the business interruption event.
• The planning required.
• Procedures to equip employees with the information and technology to remain productive.
• Potential impact on the infrastructure and on support staffs.

Each of these is addressed in the Disaster Recovery Business Continuity Template published by Janco Associates.

Outsouring Can Help in Disaster Recovery Planning

Between hackers, natural disasters,   or even a pipe breaking in the office above yours, every business needs a contingency plan. It could mean the difference between riding out a problem and going out of business. For this reason, most businesses are concerned about the safety of their backups. Data loss is a significant concern for any business - and in healthcare and other industries can have huge financial consequences. Soltions typically require that you spend more money on a third party backup solution.

What is the optimal method of back up for an enterprise's disaster recovery plan?

The Backup and Backup Retention policy is an 11 page sample policy that is a complete policy which can be implemented immediately. 

The document is provided in both Word 2003 and Word 2007 format and is easily modified. 

Impact of Going Green On Disaster Plan

Disaster planning and business continuity planning are often impacted by green initiatives undertaken by enterprises.  One of the prime areas that CIOs often focus is power consumption.  When these are looked at, at least five (5) areas are impacted.

• Data centers
• Desktops
• Working at home
• Services and processes for customers
• Services and processes for suppliers and affiliates

These have to be considered and included in the disaster recovery and business continuity plan.  The question that also has to be answered is what the cost impact in troubled economic times is.

Disaster and Business Continuity Control Points

When selecting the physical infrastructure in which to deploy IT equipment for your remote offices disaster recovery and business continuity plan demand that you consider and IT equipement location as a data center and you will to consider these five controls:

• Access control - Open racks leave equipment vulnerable to accidental or intentional misuse. Enclosures with locking entries provide physical protections from unauthorized access and other environmental hazards, and permit more deployment options.
• Temperature Control - Central air conditioning can only go so far in overcoming the heat output of rack server environment. Enclosures can be equipped with fans to keep temperatures within acceptable levels throughout the equipment.
• Power Control - Power protection and battery backup can be provisioned in compact units to protect servers and enclosures from power problems.
• Cable Control - Look for options that provide for a neat, well-organized arrangement of cables that will not impede airflow or enable cables to be accidentally unplugged.
• Flexibility Control - The server environment should accommodate rack-mounted or shelf-mounted equipment, linking of bays into larger units, graceful management of unused space, and the option to roll the entire unit to another location as needs change.
• Management Control - IT equipment is expected to run unattended most of the time. A monitoring/management system provides good visibility and control of the IT environment from anywhere, over the company network.

Guidelines for Disaster Recovery and Business Continuity Planning

Disaster recovery and business continuity are important business issues that require awareness and planning.  Guidelines that can be used in this process are:

• Look at the big picture – your business processes, systems, networks, data, and people all need to be considered when planning and implementing these processes.
• Understand your levels of tolerance for lost work, missing data, and unproductive time.
• Document and test your plans, and update them when business needs change.
• Configure your environment to minimize the likelihood of a failure escalating into a disaster.
• When evaluating technology solutions, take into account meeting your recovery objectives, kinds of disasters you’re likely to face, and levels of cost, complexity, and disruption involved.
• Know the advantages and limitations of each technology, and adjust your expectations accordingly.
• Remember that backing up your data is the most reliable form of protection, without which your business is vulnerable.

Why Have a Disaster Plan

In the event of a disaster, will your enterprise have the ability to pick up the pieces and get back to work, or will things grind to a halt? While it isn't possible to plan for every event, a solid disaster recovery plan can make all the difference. A disaster recovery plan is one of those difficult but necessary aspects of a successful business.

The first step to crafting an individual disaster recovery plan is mapping out the most critical aspects of day to day business. If a great deal of time is spent communicating with clients over the phone, then a backup phone system needs to be addressed. This can be as simple as having employee cell phones, so that if the office's land line is damaged, workers can call clients using their cell phones. It may also be as complex as having a backup call center located in another state, so that traffic can be routed to another location if problems arise at a certain call center.

Data safety is a crucial and overlooked aspects of disaster recovery. Being able to call your customer and clients on another phone system is little help if you do not have a list of customers and clients, their orders, and their phone numbers. You cannot take new orders if you do not have access to your inventory system or are unable to put in new shipping orders. Data disaster recovery often includes making frequent backups of all critical data and records, both digital and hard copies, and storing them in a secure, remote location.

It is also important to keep in mind the time frame for disaster recovery. If your company needs to be able to recover almost instantly from a disaster, much more complex and redundant steps must be taken than if you have the ability to spend more time recovering. If your company works in a real time, online environment, you need multiple backup systems standing by so that, in the event of a disaster, they can instantly come online. If your company works in longer time frames, then allowing for several hours or days to recover records, organize documents, and resume work may be acceptable.

In the event of a disaster, will your business have the ability to pick up the pieces and get back to work, or will things grind to a halt? While it isn't possible to plan for every event, a solid disaster recovery plan can make all the difference. A disaster recovery plan is one of those difficult but necessary aspects of a successful business. With luck, you may never need to rely on your disaster recovery plan, but if you ever do, you'll be glad that you planned ahead.

Roles in Developing a Disaster Recovery Plan

The disaster recovery policy must be reviewed at least annually to assure its relevance. Just as in the development of such a policy, a planning team that consists of upper management, and personnel from information security, information technology, human resources, or other operations should be assembled to review the disaster policy. Roles and responsibilities of the planning team should be as follows:

• Perform an initial risk assessment to determine current information systems vulnerabilities.
• Perform an initial business impact analysis to document and understand the interdependencies among business processes and determine how the business would be affected by an information systems outage.
• Take an inventory of information systems assets such as computer hardware, software, applications, and data.
• Identify single points of failure within the information systems infrastructure.
• Identify critical applications, systems, and data.
• Prioritize key business functions.

The Disaster Recovery Plan Template has tools that can be used immediately and defined in detail all of these responsiblities and provides a work plan that can be use as is.

What Should a Data Center Disaster Plan Have

There is More to Disaster Planning Than Creating Backup Files

The definition of the necessary level of data backup and restoration processes are crucial components of business continuity and disaster recovery planning. But they are not the only factors that the enterprise and its IT organizations need to consider when defining the strategy they will use in protecting critical data against various disasters including unforeseen events such as severe weather, natural disasters or power failures. They also need to take into account applications, servers, networks, communications, work spaces, and the people who run the applications.

How can organizations effectively evaluate their business continuity needs and ensure that the technologies in place are effective? One key step is to conduct a business impact analysis which examines all the business functions and assesses the damage if a function suffers outages. Storage systems - and more specifically the data that’s stored in them - are extremely relevant for business continuity. But so are the applications, servers, networks and people who run the applications.

Metric for business continuity and disaster recovery include timelines for recovery point objectives (RPOs) and factors defined as recovery time objectives (RTOs).  For data to be available when needed, it needs to be replicated to a remote site. Depending on the desired RPO, that could be synchronous or asynchronous data transfer. In some cases it could be a combination of data that is replicated synchronously to a location that is geographically close and then asynchronously replicated to an out-of-region recovery center.

But data is only part of the equation. Servers, networks and other IT components also play a major role. Just having the data replicated might be okay for a disaster recovery environment with longer acceptable recovery time objectives.  The high cost of storage, communications, network access, and software replication are just a few of the challenges in implementing adequate business continuity.  For a complete real business continuity plan, more than just the data needs to be replicated and available at a secondary site - employee workstations, communication, servers, and applications need to be available. Only with a complete business continuity and disaster recovery plan and strategy in place can organizations ensure continuous operation of the enterprise and availability of vital information.

Risk Assessment is First Step in Disaster Recovery and Business Continuity Planning

The first step in creating a disaster recovery plan (see Disaster Recovery Plan Template Business Continuity - http://www.e-janco.com/DisasterPlanning.htm) is conducting a risk analysis of your business operation, (see Threat Vulnerability Assessment - Sarbanes Oxley 
Compliance Tool - http://www.e-janco.com/threat.htm) computer applications, and your computer systems.  List all the possible risks that threaten the continuity of your business operations, system uptime, and evaluate how imminent they are in your particular IT entity. Anything that can cause a system outage is a threat, from relatively common man-made threats like virus attacks and accidental data deletions (most common occurrence) to more rare natural threats like floods and fires. Determine which of your threats are the most likely to occur and prioritize them using a simple system: rank each threat in two important categories, probability and impact. In each category, rate the risks as low, medium, or high.

For example, a small distribution company (revenues of $25,000,000) located in Florida could rate  a hurricane an high probability with a high impact, an earthquake threat as low probability and high impact, while the threat of utility failure due to a power outage could rate high probability and high impact. So in this company's risk analysis, a hurricane and power outage would be a higher risk than an earthquake and would therefore be a higher priority in the disaster recovery plan.

Disaster Recovery Communication Requirements Defined

Disaster Recovery Planning requires a communication network in place that meets at least the following requirements:

• Voice: It would be absolutely essential for disaster recovery personnel to communication with one another on a common voice channel. A useful service in this regard is provided by the push-to-talk voice call system that has been incorporated by the GSM standard in its Phase 2+ version as an additional service. The push-to-talk system enables an almost instant voice connection to be setup between the speaker and the intended call recipients, thus saving precious time in emergency situations.
•  Data: Disaster recovery personnel at the disaster site must be able to exchange data with the Remote Command Center in real time. Further, the personnel must be able to exchange data with one another. Lastly, they should be able to connect to the public internet and possibly to a remote third party via a secure link.
• Location information: Each of the disaster recovery personnel at the disaster site must be able to ’see’ the locations of all other active personnel in a specified area, relative to their own positions. This service may prove crucial in situations where in a worker want to warn nearby workers of dangerous conditions (e.g. collapsing buildings after an earthquake) or wants to request backup for immediate help in rescuing disaster victims.

Staff Training Critical for Business Continuity

 
A statistic that may be alarming to those with remote locations who may not be properly managing the storage at those sites is that up to 80 percent of the information deemed "important" to "critical" for the average multiple-location business resides in their branch offices. That means the office manager, salesperson, or computer-savvy marketing guy is responsible for 80 percent of the company’s future! Whether that person takes vacation, business trip, gets too busy or simply forgets to perform the nightly backup, your data is at risk.

Even if the job is assigned to the most responsible person in the entire company – the person who’s always around – there's no guarantee that the job will be done correctly, consistently, or in a timely manner across sites. The office manager at one site may have a different method than the inside sales representative in another location. The marketing manager at a third site may perform the task with less consistency than the other two.