IT DR Plan and Business Continuity go Hand-in-Hand?

Protecting businesses and, more importantly, the people who work and spend time in facilities against intrusions is an important and necessary activity. We usually think of larger organizations, universities, hospitals, government facilities, banks, etc., as needing protection systems. In my experience, smaller entities (under 1000) rarely have the time, motivation, money, or energy to draw on to implement elaborate protections. Many do have rudimentary preventions like badge access, redundant information backups, and password protections. Some use security cameras and might have a small backup power supply like a generator.

Depending on the nature of the business and the historical incidents (of intrusions), an organization may be more or less compelled to consider protection against intrusions in their IS Continuity Plan[example].

I think there is a strong relationship between protection and continuity, especially at the enterprise level. I’m a fan of strategic planning. As such, when considering continuity planning, it makes sense to me that the security protection system is part of an overall continuity planning process. There may be times or situations when a security system is stand-alone due to the size or complexity of a facility. In such cases, the IT continuity plan would certainly contain a ‘chapter’ on how the IT protection is being handled and how that set of methods interfaces with the overall security infrastructure.

Often, the IT function can implement its own protection system (including data, cyber, physical, logical) without the need for integration into the larger company scheme.

However, given the choice, I am in favor of an integrated protection system. The reason for this is that trade-offs and compromises, cost-benefit analysis, and budget constraints can possibly be optimized more efficiently when a more global perspective is considered by the organization. Also, sometimes one type of prevention or mitigation can easily include wider scope without much additional cost. Examples might include physical facility access/egress installations, fire protection systems, or building design and layouts.

Should Private Sector Adopt NIMS?

After absorbing readings on protecting the information infrastructure (Platt), and a lecture and commentary (Miora) on physical security and government directives (to private sector), I’m left with that uneasy feeling that comes from government acronym overload and bureaucracy.

We know that the National Incident Management System (NIMS) (DHS 2004) has been declared by the DHS as a priority for managing major incidents. NIMS is a comprehensive standardized approach to guide the public sector to respond to major emergencies and disasters with a systematic and consistent approach. The intention is that NIMS provides principles and concepts that can be jointly followed by multiple organizations, jurisdictions, and entities for the purpose of successfully preventing, responding to, and recovering from disasters and major incidents.

The National Response Framework (NRF) (2008) is a guide and template of how the nation manages all-hazards response to small and large incidents and disasters. Stated in the primary NRF document is the concept that non-governmental organizations (NGOs) and other private sector entities can and do play a vital role in how the nation plans, responds and recovers from a disaster.

I hearken back to an early lesson in business continuity which says that ‘all disasters are local’. This statement was no more true than when our county recently experienced a devastating and major wildland fire (Fourmile Canyon Fire 2010). Quick highlight is that it took more than adherence to the NRF or NIMS to respond to, contain, and control this fire and I think it will take more than ‘the government’ to manage the recovery and help with restoration. I consider this phase, recovery and restoration, vital elements of the NIMS philosophy.

Therefore, I believe that while I don’t usually favor heavy government involvement in my everyday life, these major events can and do require a larger scale response from multiple resources. Utility companies are working day and night to restore power to residents within the fire containment area. Service providers, electricians, plumbers, construction companies, realtors, banks, non-profits are all busy trying to help. Much of it sounds chaotic. It was chaotic (but effective) during the height of the response and it remains so now. Case in point is the (wonderful) but disjointed fund raising in outpouring of community empathy.

If private sector organizations get up to speed and adopt national framework systems it will make preparation, response, recovery and restoration that much more efficient and effective. The most obvious program is PS-Prep, a private and public sector partnership which essentially extends much of the same guidance for systematically managed disaster response to the private sector. I do not believe this should be mandatory, but I do think that many prominent and well-funded organizations will adopt the PS-Prep system. To the extent that large companies do so, we as a nation will be better off and better prepared.

A Virus by any other name: IT and BC work together

Business continuity and disaster recovery planners should work together to understand the potential for health related pandemics and determine how combined strategies can help mitigate impacts to a business.

A virus by any other name. Viruses are introduced into a host, spread via either standard or mutated means, and intend to do harm, either biologically affecting humans or electronically infecting computer systems. (Note: Some viral activity can provide benefits, as in ‘viral ideas’ that take hold and help spread good news or ideas.)

It’s interesting to consider how a health pandemic might impact or disrupt information systems or how a cyber attack could impact humans. In the first case, we understand that workers who become sick need to stay home and not interact with people physically. However, of course, many companies now provide remote access and work from home capabilities.

In the case of cyber attack, we don’t usually associate direct impact to humans (health). However, there are other considerations, for example, people can be stressed over the feeling of intrusion into the work environment, or they may lose work time because systems are unavailable, morale can be impacted, and a general distrust of the IT department may develop – because we expect modern IT departments to understand all the hazards and ‘take care of that for us’.

Imagine how insecure we might feel if national military defense IT systems were hacked?

“Now it is official: The most significant breach of U.S. military computers was caused by a flash drive inserted into a U.S. military laptop on a post in the Middle East in 2008.” [1]

As this week’s author points out, the costs of cascading events can overwhelm an otherwise ready organization. Continuity and disaster planners should consider both types of virus in their planning process.

References:

[1] Nakashima, Ellen (Aug 2010). “Defense official discloses cyber attack”. Retrieved 9-19-10: http://www.washingtonpost.com/wp-dyn/content/article/2010/08/24/AR2010082406154.html

Are We More At Risk Today?

Are we more at risk for attacks and disasters today than we were in the past? Yes, I think we are.

As a society it’s probably true primarily because of extraordinary changes in technology (increased reliance on complex interconnected systems), new and more bold motivations (human factors for attacks), and what I would describe as the ‘dumb down’ factor – that is, there seem to be fewer qualified and talented specialists who can help us prevent, defend, recover, and survive a disaster. This last point, less qualified individuals, I offer as a teaser for us to consider: “What can I fix at home or work by myself without relying on another human being to help me with a life-line?” Not much, I imagine.

Thinking in broader terms, larger centers of population may incur similar attacks or natural disasters as in the past, but the destruction and damage could be greater due to the higher concentration of people and infrastructure. The infrastructures are more complex and often interconnected, so damage or disruption to a utility service, for example, drastically impacts our routine way of life including how we commute, our ubiquitous reliance on the internet, reliance on transportation for many of our food sources, and our ability to recover swiftly and efficiently.

A task as simple as balancing an online bank account, when unavailable, can wreak havoc with an individual’s ability to manage finances. What about a cyber attack, flood damage in the data center, or major winter storm directly impacting major financial institutions?

I revel in the latest gadgets and I use many technology tools everyday to make my life easier. I just don’t think we are as resilient as we once were because of our extremely heavy reliance on technology.

While lessons from the past and statistics of probability of occurrence can inform our strategies, I don’t see history alone providing a complete picture of future threats and risks to ourselves or our businesses. For that, we should combine both historical perspectives (especially trends in naturally occurring weather patterns, sans climate change), with current and up-to-date threat analysis. This combined approach gives us a better chance of understanding our exposures and planning suitable strategies to mitigate and recover.

References:

Platt, Franklin (2010). “Physical Threats to the Information Infrastructure”, found in Readings in IT Business Continuity, Norwich University, Chapter 22.

Fourmile Canyon Fire Boulder CO

The fire began mid-morning on Labor Day, 6-Sept-10, and continues with devastating impact on the Boulder County, Colorado community.

Latest information on donations, fire status etc can be found at some of the following websites:

www.boulderOEM.org

A bank account and a text donation have been set up to benefit the firefighters who lost their homes while fighting the fire. Please forward this information to anyone who is interested.
Donations can be made to:

Boulder Canyon Firefighter’s Donation
Guaranty Bank and Trust
1650 Pace Street
Longmont, CO 80501

Also, you can text FIRE to 27722 to give $10 to BCFFA to directly benefit these firefighters as well.

Twitter at:  BoulderRescue
