Disaster Recovery Journal- Volume 19, Issue 3 - Summer 2006 Issue - Preventing, Limiting the Impact of Disasters in the First Place

Return to the
Summer 2006 Issue

DISASTER RECOVERY
JOURNAL

P. O. Box 510110
St. Louis, MO 63151
(314) 894-0276
Fax: (314) 894-7474
Internet www.drj.com
E-mail drj@drj.com

PUBLISHER
Richard L. Arnold, CBCP
richard@drj.com

EDITOR-IN-CHIEF
Jon Seals
jon@drj.com

SENIOR EDITOR
Janette Ballman
janette@drj.com

COPY EDITORS
Richard Sandhofer
richards@drj.com
Pamela Clifton
pamelaclifton@hotmail.com

ADVERTISING
Robert Arnold
bob@drj.com

_____________

Corporate

President/CEO
Richard L. Arnold, CBCP
richard@drj.com

Vice President
Robert Arnold
bob@drj.com

CONFERENCE COORDINATOR
Patti Fitzgerald, CBCP
patti@drj.com

CONFERENCE REGISTRAR
Merce Knese
mercedes@drj.com

CIRCULATION
Laura Baugh
laurab@drj.com

EXECUTIVE COUNCIL
Jeff Dato, MBCP, KPMG
John Jackson, J Albright Advisors
Edward Devlin, E.S. Devlin & Associates
James Hammill, CBCP, JMH Consulting
Pat McAnally, SunGard Availability
Brian Turley, Strohl Systems
Belinda Wilson, Hewlett-Packard

INTERNATIONAL
CONTACTS
England: Thom Hetherington
Business Continuity
Phone: 0161-237-1007
thomh@tempus.demon.co.uk

Australia: Anthony J. Harvey
Journal of Business Continuity
Phone: 0011-613-953-0055-8
fax: 0011-613-953-0528
sector@notability.com.au

Japan: Shinji Hosotsubo
Quake Japan Co., Ltd.
Phone: 03-3215-2880
fax: 03-3215-2881

Click Here for a Printable Version

Preventing, Limiting the Impact of Disasters in the First Place

By MARTY WATTS

The best disaster recovery (DR) plan becomes problematic if little or nothing is done to prevent or limit the impact of disasters before they occur. Disaster recovery plans are strengthened by a pre-disaster program of physical security in place prior to the advent of hurricanes, earthquakes, accidental and intentional explosions and other potentially life and business threatening events. Good advice, but obvious?
Apparently not.
According to a recent article in the business magazine Japan Inc., “businesses have gotten so caught up in technological security that they have forgotten the more basic, yet salient, notion of physical security.” Money that had once been spent on physical security has been shifted to IT security to the extent that some observers believe many organizations are now vulnerable to physical security breaches.
To make matters worse, a recent vendor survey found that only 2 percent of corporations grouped IT security and building security in the same department, and only 36 percent organized formal communications between building and IT security managers.
More troubling, in many organizations, IT security is run by one department, personnel security by another, physical security by another and network operations by yet another. Each may have its own budget, priorities and processes in whose defense and justification cooperation and even communication among those responsible for security may not occur. Surely this is not the optimum way to prevent and mitigate a disruptive event, nor ensure in the immediate aftermath of such an event, the success of even the best-planned disaster recovery program.
No matter how extensive the existing DR plan, the corporate security department, or whomever is responsible for physical security, needs to develop a comprehensive disaster prevention/mitigation plan designed to protect people, property and to reduce company liability from business-threatening events. Note that a comprehensive disaster prevention/mitigation plan recognizes threats from both those who intentionally would disrupt a business and possibly threaten lives and the dangers and risks from interruptions of business caused by natural disasters and catastrophic accidents.
In either case, input from the IT department in the planning process is imperative so that the disaster prevention/mitigation plan and the DR plan are mutually supportive and not establishing policies and procedures that are in conflict. The end result needs to be an integrated and seamless security program that details a course of action to prevent and mitigate disruptive events as well as steps to be taken in the event, that despite all preventive efforts, such an incident occurs.
Computer security, perimeter control, asset protection, business continuity and risk management constitute general areas of concern to be addressed by those responsible for security. The following suggestions are not meant to be all-inclusive but are among those that need to be considered in any organization’s physical security plan.

Controlled access at all entrances with particular attention to receiving areas, parking lots and outdoor smoking areas. In the rush to focus on IT security concerns controlling access to physical facilities has been overlooked and discounted in evaluating threat scenarios.
Appropriate alarm systems in high value storage areas and electronic monitoring of specific valuable pieces of equipment must act as a second line of defense to overall perimeter security.
Replacing video tape based surveillance cameras with digital video is imperative in increasing the efficacy of archival monitoring as well as facilitating video integration into broader digital security databases.
Availability of backup electrical generators that operate on diesel, propane or natural gas is essential as electric power will be off line for extended periods in any major disruptive event. Gasoline powered generators may be problematic due to limited storage capacity and the relatively short shelf life of gasoline. Generators should be hard-wired to building systems utilizing automatic transfer switches so that manual operation is not necessary.
Stocking of emergency medical supplies, food, water and communications gear should support an extended on-site stay by staff in a major emergency. Generic unisex clothing such as jumpsuit coveralls and sturdy footwear to protect from the likelihood of leaking water and injury-prone debris should be routinely stored. Portable cook stoves, sealed drums of potable water and sufficient numbers of chemical toilets should be available. Training of employees in the use of these items is essential.
A review of how security/safety measures can be added incrementally over the coming five years during routine office renovations/redesigns should be part of a comprehensive security plan. The ability to integrate security measures into facility upgrades reduces cost and shortens pay back periods.

Examples of Built-In Safety & Security
There are many examples of how safety and security can be seamlessly built into an organization’s physical environment resulting in dramatic increases in the protection of building occupants and the ability to recover from potentially disruptive events. They include the following:
Security window film – Security window film can strengthen windows to withstand hurricane driven wind-blown debris that can cause glass shards to strike building occupants. Security window film helps windows withstand earthquake stress, accidental and intended impact and explosive force. Tests verify that many security window films provide equivalent, or in some cases superior, performance compared to laminated glass.
Securing furniture and equipment to prevent injury – Facilities in areas prone to earthquakes need to secure large file cabinets, shelving and pieces of equipment to the walls or floors to prevent injury when seismic events occur. If hurricane or tornado force winds penetrate building interiors secured objects will not become a source of injury.
Safe rooms – Safe rooms offer protection against hurricane and tornado force winds and can be constructed to protect key executives from attempted kidnapping. To save space and reduce cost, an existing interior restroom can be retrofitted as a safe room in which emergency supplies can be stored. In larger facilities it may be necessary to retrofit several restrooms or other spaces to provide adequate staff protection.
Using aesthetics to enhance safety & security – Building-in safety and security does not have to compromise a facility’s aesthetic character. Protecting computers from electronic eavesdropping by vehicles in the street can be accomplished with ordinary-looking electronic signal- blocking window glass. Protecting building entrances from intrusion by bomb-carrying vehicles can be accomplished by heavy flower and shrubbery containers, decorative fountains and ornamental but secure fencing. Don’t engage a security consultant, engage a security firm employing both experts in security and building and landscape design.
Maintenance of environmental quality – a workforce suffering from indoor air compromised by the off-gassing of building components and furnishings and exposed to moisture-induced mold formation will experience increased sick time and noticeable decreases in productivity. Offices burdened by sick building syndrome are an example of a disaster occurring incrementally over an extended period that can have the same negative impacts on business performance as any more quickly-occurring disruptive event. Remedies include replacing building components and office furniture with substitutes made of non-toxic materials and providing adequate heating, ventilating and air conditioning to mitigate moisture and humidity problems.
The extent to which building-in safety and security limits injury and property damage and protects access to computer systems, the more quickly full data system recovery will be possible if a disruptive event occurs. An appropriate disaster prevention/mitigation plan should prioritize which renovations and redesigns to the physical facility need to be made and equipment and supplies purchased. Most importantly, the disaster prevention/mitigation plan should assign responsibility to specific individuals and departments for the implementation of the steps identified to be taken.
Above all, full coordination and ongoing communication between those responsible for disaster prevention/mitigation and DR planning is imperative. So too, endorsement and support by senior management of such joint organization-wide efforts is necessary to overcome turf battles among those entities tasked with carrying out the wide range of security initiatives that need to be implemented. Anything less than the total commitment of an organization’s top leadership will increase the likelihood of failure and impede the clear establishment of lines of accountability necessary to achieve successful implementation of the program.

Marty Watts is president & CEO, of V-Kool, Inc., a Houston-based North American distributor of security and energy efficient applied window film. His articles on security and energy efficiency have appeared in Correctional News, Security Products, the Journal of Air Traffic Control and the Washington Business Journal.