Jon Seals

Historic flooding has left the Houston metropolitan area inundated once again this week, killing at least seven people, flooding 1,000 homes and causing more than $5 billion in estimated damages in Harris County alone. Gov. Greg Abbott declared a state of disaster for nine counties in and around the Houston area. The widespread nature of the disaster prompted the city of Houston to call this the largest flood event since Tropical Storm Allison, which devastated southeast Texas in 2001, causing $9 billion in damage and $1.1 billion in insured losses.

According to Harris County Judge Ed Emmett, about 240 billion gallons of rain fell on the Houston area this week. That’s the equivalent of 363,400 Olympic-size swimming pools, CNN reported. After 10 inches of rainfall fell in six hours Sunday night into Monday, powerful, slow-moving thunderstorms had paralyzed the region Monday, but storms continued through Wednesday.

Having some of the hardest rainfall overnight helped a bit to mitigate the dangers this week. While this made it difficult to predict, it allowed people to better make choices about going out, as opposed to last year’s floods around Memorial Day, Emmett told the Houston Chronicle. Nevertheless, emergency crews made more than 1,200 high-water rescues, many residents had to evacuate to shelters, and for those who were able to shelter in place, 123,000 homes had no power at the height of the flooding. Officials have also expressed concern about two local dams that have been rated “extremely high risk” and are at about 80% capacity, but they are not in immediate danger of failing.



The fight between Apple and the FBI brought the concept of using backdoors to break encryption to the mainstream. The initial battle may have ended with the FBI hiring someone to hack into the phone (and I have to ask – was anyone surprised that an outside hacker was able to do the deed?).

The battle from Apple’s point of view also drew a lot of support from tech companies and IT professionals. A new study from Spiceworks provides some insight as to why IT pros are concerned about backdoors, encryption and overall security. In general, IT pros believe the existence of backdoors, whether they are there for government agencies, law enforcement, or anyone else, puts their company at greater risk of a cyberattack or data breach. The reason, according to the survey, is simple: Hackers are already very good at outsmarting security systems, and if backdoors are provided as a way to help solve legal and national security concerns, it is only a matter of time until hackers are using them for their own nefarious goals. Backdoors, the IT pros believe, put personal and financial data at greater risk.

The survey revealed something else that I found more surprising. Although 57 percent said that they believe encryption actually helped prevent a data breach, encryption isn’t as widely adopted as a security layer as one would think, as the Spiceworks report stated:



RIDGELAND, Miss. – All applicants receive letters from FEMA explaining the status of their applications and whether or not they are eligible for assistance from FEMA. Some may receive text messages about their application.

Take the time to read the document thoroughly. Sometimes people do not immediately qualify for financial help and the reason may be fixed simply. The following are some common reasons for not qualifying:

  • The applicant did not sign the required documents;

  • Proof of ownership or occupancy was not supplied;

  • No proof the damaged property was the primary residence at the time of the disaster.

  • Someone else in the household may have applied and received assistance.

  • No paperwork showing the damaged property was the primary residence at the time of the disaster.

If questions arise, call the FEMA helpline (voice, 711 or relay service) at 800-621-3362. (TTY users should call 800-462-7585.) The toll-free lines are open 7 a.m. to 10 p.m. seven days a week. You also can take the letter to a disaster recovery center and talk with staff individually. To locate the nearest center, visit FEMA.gov/DRC or call the FEMA helpline.

FEMA can never duplicate insurance benefits or other government sources, but if insurance is not enough to cover all the eligible damage, FEMA’s initial determination of ineligibility may change.

Every applicant has the right to file an appeal. The original letter provides an explanation of what steps need to be taken to appeal FEMA’s decision. Bring the letter to a disaster recovery center for help with the appeals process or call the FEMA helpline. Appeals must be filed in writing within 60 days of the date of the determination letter. The letter must explain why the initial decision was wrong and provide any new or additional information.

Appeals can be mailed to:

FEMA – Individuals & Households Program

National Processing Service Center

P.O. Box 10055

Hyattsville, MD 20782-7055

For more information on Mississippi’s disaster recovery, visit FEMA.gov/Disaster/4268 and MSEMA.org.


FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-FEMA (3362). If you are deaf, hard of hearing or have a speech disability and use a TTY, call 800-462-7585 directly; if you use 711 or Video Relay Service (VRS), call 800-621-3362.

The U.S. Small Business Administration is the federal government’s primary source of money to help businesses of all sizes, private non-profit organizations, homeowners and renters rebuild and recover after a disaster. SBA low interest disaster loans repair and replace property losses not fully compensated by insurance and do not duplicate benefits of other agencies or organizations.

Friday, 22 April 2016 00:00

BCI: Cyber Resilience Survey

How does your organization perceive the cyber threat? Have you suffered from some form of cyber security incident during the last year, and what impact did it have on your organization? Do you feel you have adequate measures in place to deal with such an event, and perhaps just as importantly, do you have the backing of senior management to put measures in place to deal with them?

These are the questions the BCI is asking as part of its latest research project – the cyber resilience survey – which will inform a new report to be published later this year.

Please do take the time to complete the survey. It will only take a few minutes and each respondent will be in with a chance of winning £100 of Amazon vouchers.

Find the survey here: https://www.surveymonkey.co.uk/r/BCI-Cyber-Resilience-Survey-2016

An interesting “separation of church and state” conundrum is bubbling up in the software industry. While the new public cloud model demands that developers take ownership of security, there’s still room and reason for security controls to become an entity handled on their own—separate and transparent from the developer.

Historically developers have focused on developing software, not on configuring a security posture, but that model has changed of late. In today’s dev-ops world, everything has converged. The software developer has become responsible for many operational aspects, including security. A lot of this change stems from the rise of the self-service model. Developers go to AWS and they’re on their own; nobody else is in charge of security. Therefore, software developers have to think about security—how do I set up access control, how do I set up security groups, and how do I encrypt data, or not? Security controls are built into the developer workflow.

As I see the world evolving, I believe IT needs will drive us back to a paradigm where security controls are independent of developer activity. There’s a strong appetite on the part of customers to have a set of controls that are managed independently of developers and operations. I think that’s a good thing.



What do you think when you hear Hybrid IT?   Does your mind go to a 3rd kind of not quite private, not quite public cloud that your team needs to build?

Fear not.  Hybrid IT is not another type of cloud but rather a strategy for your organization to quickly and cost-effectively deploy technology across multiple platforms.  It is a service delivery strategy that places the right workload into the right environment based on business need.  That need could be speed of deployment, performance, cost, or security.  The essence of hybrid IT can be summarized in the following quote from EMC World last year:

“I want to be able to tell our business units, if you want to stand up services on the private cloud, go ahead.   We have the technologies and operating processes to do that.  And when it’s time to move appropriate workloads to a public cloud, we have the technologies and operational processes to do that too.” – Eric Craig, CTO, NBC Universal



Moore’s Law may well be coming to an end with respect to microprocessors, but if the speed of processing power is to continue to develop (especially in today’s digital world of Big Data), other areas of computing need to be examined if it is to progress and improve.

Drawing on vast numbers of crunching resources in the cloud is one of the main ways that computing can continue to advance. By sharing computer capacity, processing capability improves which enables businesses to be more effective and innovate.

I am old enough to remember SETI (Search for Extra-Terrestrial Intelligence) when it was big in the ’90s. It was software that you could download so when you were offline your computer capacity could be shared with systems around the world and mine massive data to search the universe for extra-terrestrial intelligence. This is one of the first examples of cloud – using shared resources.



This perspective provides an overview of the Business Continuity Institute’s Professional Practice 5 (PP5) – Implementation, which is the professional practice that “executes the agreed strategies and tactics through the process of developing the Business Continuity Plan (BCP)”. As part of the business continuity planning lifecycle, Implementation activities continue following strategy selection in PP4, with the goal of documenting business continuity plans that aid the organization in recovery at the strategic, tactical, and operational levels.


PP5 provides the business continuity practitioner with guidance on two topics specific to documenting the organization’s business continuity plans. First, the Good Practice Guidelines (GPGs) provide a detailed description of a business continuity plan, including general principles, as well as concepts and assumptions for documenting plans. Second, PP5 provides guidance on developing a business continuity plan, as well as managing the plan after creation. Let’s take a deeper dive into each area.



Edge data centers have been a hot topic since about two years ago, fueled by the grand expansion ambitions of data center providers that chose to go after the edge market.

Companies like EdgeConneX, whose expansion ambitions were the grandest (it went from zero data centers to 20 in a period of two years), and vXchnge, which also expanded quickly, primarily by buying existing facilities (in one deal last May, for example, it acquired eight SunGard facilities), have gone after the demand for data center space outside of the top markets.

An edge data center, essentially, is a facility where long-haul network carriers interconnect with local ISPs and internet content providers who cache their data in the facility so that they don’t have to pay to transport it from the big cities. The effect is described as extending the internet’s edge, “edge” meaning the last stop from where content is delivered to the consumer.



It’s your job to walk into a conference room full of Board directors and, in a short presentation, convey a holistic, accurate picture of all the information technology risks across your entire organization. Now, imagine you were expected to prepare for this make-it-or-break-it meeting, which may involve delivering negative and expensive news to executives, using only email and spreadsheets. Ready? Go!

Communicating risk posture and assessments to the highest levels of an organization is a demanding and increasingly pivotal responsibility in businesses that rely on information technology—in other words, almost every business. In a world where business and infrastructure run on digital technology that is vulnerable to highly skilled hackers, protecting those technology assets is quickly becoming Job #1.

In fact, a recent survey showed that, of IT professionals who responded that security was their main focus, 34 percent spend most of their time on IT risk management and 25 percent primarily spend time on regulatory compliance. IDC projects that by 2018, the financial services sector will spend more than 18 percent ($96 billion) of their total IT dollars on risk management technology and services.