
Jon Seals

CIO — BYOD is a reality, and we all have to deal with it.

Most of us are used to well-behaved devices such as laptops, netbooks, iPhones and iPads. There are enough mobile device management products to handle remote wipes and other strategies to lock down these devices if they are lost or stolen.

But when the device doesn't have a disk, things get a little dicey. Flash RAM that's soldered into a device can't be removed practically, and if the device is broken, that memory can't be erased. It gets more fun with Android tablets; the hardware may not be all that long-lived, and the myriad software configurations can be hard to manage in the wild.



Usage-based payment systems are becoming increasingly common, but a recent variation in disaster recovery has an interesting twist. A new pricing model from a company called Asigra is based not on how much data an organisation backs up, but how much it restores. In particular, a ‘recovery performance score’ determines the amount of money a customer will pay. The Asigra system emphasises value rather than cost: the value is in the data restored, rather than the data saved. Is a similar pricing model likely to spread to related services such as DraaS (Disaster Recovery as a Service)?



For years, the IT industry has been experiencing growth in outsourcing. Organizations large and small have looked to utilize the promises of lower cost of operation. Witnessing this trend over time has allowed me to see something emerge that I have long held as truth. Users have a responsibility to be accountable. Accountable to the service that they have contracted for, the information provided, the knowledge of the ownership of information, the recoverability, the usage, and the measurement against established criteria, to name a few. Cloud is no different. I like to say, “You cannot manage that which you do not measure, and you cannot measure that which you do not know about”. Nonetheless, countless organizations dive into contracting for a service at one level and demand the service of the levels above that which they have contracted for.

When an organization outsources “backup”, for instance, the act of recovery must have established objectives (both time and point). This may come as no surprise to countless people in the business, but few organizations have prioritized which applications are mission critical and need different recovery objectives than, say, the holiday office party logistics. While some may have done this, too many do not have an application matrix which outlines up-line and down-line dependencies. The number one reason why a “backed up” system cannot be restored, beyond hardware failure, is the lack of synchronization with the application up-line and down-line dependencies. So, why is it that the yelling and screaming commences once the failure occurs and the information provided was incomplete, inaccurate, or simply missing with regard to the actual nature of the criteria for success? It seems that the answer is lack of responsibility and accountability. The user no longer feels any responsibility or accountability for the “backup” since they have contracted for it, even though they have not contracted for the level of service they are demanding, nor have they done their due diligence to manage the contracted service.



While three of the major hurricane forecasters have reduced by a smidgen their predictions for the 2013 Atlantic hurricane season, the season as a whole is still expected to be above-average as is the chance of a major hurricane making U.S. landfall.

Bear in mind that to-date the 2013 season has seen four named storms (Andrea, Barry, Chantal and Dorian) – none of which reached hurricane status.

Here’s how the revised forecasts stack up:



August 8, 2013


By Meredith Cherney

When you ask someone what the most important thing to have on hand for a hurricane is, the common answers include food, water, flashlights, batteries, or a radio.  As I read through my student surveys however, I found a different set of answers.  Lifejackets.  Boats.  Buckets.  Axes.

Growing up in New Orleans fosters a unique hurricane perspective. When I stepped into that classroom to teach 9 to 12 year old students about hurricanes and preparedness, I wasn’t sure what to expect.  What do they know about hurricanes?  Do they understand that some evacuations are mandatory? Has their experience with hurricanes fostered a fear or resilience?

I work for Evacuteer.org, a private non-profit commissioned by the New Orleans Office of Homeland Security and Emergency Preparedness to help with the City Assisted Evacuation (CAE) plan.  Beyond our role in emergency events we also seek to inform the public about the CAE and foster community preparedness. 

Our EvacuKids program targets a younger demographic.  We’ve already quadrupled our reach since 2012, from 30 to 120 students. Complete with a new curriculum and corresponding science experiments and activities, we not only teach students about hurricanes, but also work to improve literacy, writing, and critical thinking skills. 

There are four modules: disasters, hurricanes, prepare, and evacuate.  Each week builds upon the previous week, starting with the science of disasters and how hurricanes form to preparing your home for a storm and finding a safe place to stay in the event of a hurricane. 

In addition to academic lessons, we also talk to students about their experience with hurricanes, what they did, and how they felt.  Many students express fear and uncertainty when recalling their experience and as a class we discuss coping mechanisms to help them deal with their feelings.  Additionally, learning how hurricanes form and why they are common in our area can alleviate anxieties and foster a greater sense of understanding, preparedness, and even excitement in students. 

EvacuKids is tailored to the specific needs of the children, those whose families have transportation out of the city and those without it.  EvacuKids is a fantastic opportunity to make a meaningful, sustainable impact on a generation that will someday lead New Orleans in a positive direction.


Today is our 40th wedding anniversary, so naturally it leads me to think about what love, marriage and life together have to do with crisis communication. A lot, I think. And not just because there are plenty of crises in any marriage and communication or the lack of it is often the major cause of such crises.

Though some dispute the statistics, about half of marriages don’t survive–which makes 40 years very much worth celebrating. I’m going to suggest that the primary reasons why some do are very applicable to crisis communication, and for that matter any relationship.

Crisis communication, despite what too many think, is primarily about relationships. The all-important relationships between your company and organization and its most important stakeholders. Trust and respect are key elements of that relationship. What customer will stick with a company, what investor will maintain investment, what donor will contribute, what employee will eagerly produce without those two critical ingredients? Crises are crises mostly because they threaten the trust and respect that the important relationships hold in the leaders and the organization. That’s why whether or not an organization survives a crisis is primarily based on how key stakeholders view the character of the leaders–are they worthy of continued trust and respect?



Hello, I’m David Mundie, a CERT cybersecurity researcher. This post is about the research CERT is doing on the unintentional insider threat. Organizations often suffer from individuals who have no ill will or malicious motivation, but whose actions cause harm. The CERT Insider Threat Center conducts work, sponsored by the Department of Homeland Security’s Federal Network Resiliency Division, that examines such cases. We call this category of individuals the “unintentional insider threat” (UIT).

This research includes

  • creating a definition of UIT
  • collecting and reviewing over 60 cases of UIT
  • analyzing contributing factors and observables in those cases
  • recommending preliminary ways to mitigate unintentional insider threats

For the purposes of our research, the team built a working definition of an unintentional insider threat:

An unintentional insider threat is (1) a current or former employee, contractor, or business partner (2) who has or had authorized access to an organization’s network, system, or data and who, through (3) their action/inaction without malicious intent, (4) negatively affects the confidentiality, integrity, or availability of the organization’s information or information systems.

Our preliminary study of the UIT problem identified a number of contributing factors and mitigation strategies. The malicious insider threat and the UIT share many contributing factors that relate to broad areas in security practice, organizational processes, management practices, security culture, etc. However, there are significant differences. Human error plays a major role in UIT. Countermeasures and mitigations to decrease UIT incidents should include strategies for:



CIO — IT walks a fine line between balancing security issues and giving people the tools they need to get the job done. Every day companies move sensitive data around and IT is in charge of securing that data, but what about the little things that tend to fall through the cracks?

According to data from several recent surveys, there are a number of things your employees could be inadvertently doing that put your company's sensitive data and information at risk.

A survey done recently by IPSwitch, an FTP software organization, includes some of the reasons employees are putting sensitive data into places where IT has no control over what happens to it:



CSO — A security researcher has shown that hackers, including an infamous group from China, are trying to break into the control systems tied to water supplies in the U.S. and other countries.

Last December, a decoy water control system disguised as belonging to a U.S. municipality attracted the attention of a hacking group tied to the Chinese military, according to Trend Micro researcher Kyle Wilhoit. A dozen similar traps set up in eight countries lured a total of 74 attacks between March and June of this year.

Wilhoit's work, presented last week at the Black Hat conference in Las Vegas, is important because it helps build awareness that the threat of a cyberattack against critical infrastructure is real, security experts said Tuesday.



KANSAS CITY, Mo. – With several areas throughout Kansas and Missouri experiencing bouts of late-summer flooding, the Federal Emergency Management Agency (FEMA) is urging residents to stay informed about the potential hazards of flooding.

Floods, especially flash floods, kill more people each year than any other weather phenomenon. This recent spate of severe weather-related events across the Midwestern states serves as a pointed reminder just how dangerous floods can be and how important it is to stay abreast of weather warnings, understand flood terms, and take action by monitoring, listening, preparing and acting accordingly.

Beth Freeman, Regional Administrator for FEMA Region VII, urges residents to be constantly aware of their environment and any potential for flooding. "There's no doubt that when people are aware of the dangers and power of flooding, they can take measures to lessen the exposure to danger for themselves and family members," Freeman said. "When you're driving and you see the road ahead is flooded, be safe. It's best to 'turn around, don't drown.' FEMA is monitoring the situation and is on standby to help states if assistance is requested."

While floods are the most common hazard in the United States, not all floods are alike. Floods typically occur when too much rain falls or snow melts too quickly. While some floods develop slowly, flash floods develop suddenly. 

One of the most dangerous elements of a flood is floodwaters covering roadways, and motorists are urged to never attempt driving through them.  About 60 percent of all flood deaths result from people trying to cross flooded roads in vehicles when the moving water sweeps them away.

While flood risks can indeed be a formidable threat, there are simple steps citizens can take today to reduce their risk to all types of floods. 

If a flood is likely in your area, you should:

  • Listen to your radio or television for information.
  • Be aware that flash flooding can occur. If there is any possibility of a flash flood that could affect you, move immediately to higher ground. Do not wait for instructions to move.
  • Be aware of streams, drainage channels, canyons, and other areas known to flood suddenly. Flash floods can occur in these areas with or without such typical warnings as rain clouds or heavy rain.

If you must prepare to evacuate, you should:

  • Secure your home. If you have time, bring in outdoor furniture. Move essential items to an upper floor.
  • Turn off utilities at the main switches or valves if instructed to do so. Unplug electrical appliances. Do not touch electrical equipment if you are wet or standing in water.
  • Take essential documents (http://www.ready.gov/evacuating-yourself-and-your-family)

If you must leave your home, remember these evacuation tips:

  • Do not walk through moving water. Six inches of moving water can make you fall. If you have to walk in water, walk in areas where the water is not moving. Use a pole or stick to make sure the ground continues in front of you.
  • Do not drive into flooded areas. If floodwaters rise around your car, abandon the car and move to higher ground if you can do so safely. You and your vehicle can be quickly swept away.
  • Six inches of water will reach the bottom of most passenger cars causing loss of control and possible stalling.
  • A foot of water will float many vehicles.
  • Two feet of rushing water can carry away most vehicles including sport utility vehicles (SUVs) and pick-ups.

Additional tips to consider:

  • United Way’s 2-1-1 is a helpful resource before, during and after disasters. Keeping this number and an up-to-date family communication plan handy is a must-do when preparing for emergencies.
  • Keep emergency supplies on hand, such as non-perishable food, medicine, maps, a flashlight and first-aid kit.
  • Use extreme caution when returning to flood damaged homes or businesses.

Become familiar with the terms that are used to identify flooding hazards:

  • Flood Watch: Flooding is possible. Tune in to NOAA Weather Radio, commercial radio, or television for information.
  • Flood Warning: Flooding is occurring or will occur soon; if advised to evacuate, do so immediately.
  • Flash Flood Watch: Rapid rises on streams and rivers are possible. Be prepared to move to higher ground; listen to NOAA Weather Radio, commercial radio, or television for information.
  • Flash Flood Warning: Rapid rises on streams and rivers are occurring; seek higher ground on foot immediately.

The National Weather Service is the official source for weather watches and warnings.

For more information on flood safety tips and information, visit www.ready.gov/floods or the Spanish-language web site www.listo.gov.

For information on how to obtain a flood insurance policy, visit www.floodsmart.gov.

Follow FEMA online at www.twitter.com/fema, www.facebook.com/fema, and www.youtube.com/fema.  Find regional updates from FEMA Region VII at www.twitter.com/femaregion7. The social media links provided are for reference only. FEMA does not endorse any non-government websites, companies or applications.