
Jon Seals

Business leaders and IT professionals don't often like to think about contingency plans. It seems like the more a company plans for a disaster, the more it expects one to occur. This attitude doesn't necessarily cause arrogance or ignorance, but what it can result in is too little attention paid to business continuity plans, of which disaster recovery is a significant component. Denying the problem doesn't make it any less likely to occur, but it can mean taking a harder hit to business-critical functionality if it does. These businesses, in addition to those that do seek out extensive disaster recovery plans, should be aware of the strengths of enterprise cloud computing.

Part of what will drive security and business continuity improvement in enterprise clouds is the oversight inherent in the cloud computing model, according to the Jacksonville Business Journal. Cloud service providers and adopters enter into agreements in which CSPs are responsible for protecting another business' resources, be it data, infrastructure or IT. Further developments in cloud partner programs will only increase the number of businesses that are directly responsible for upholding the integrity of another's networked resources.

...

http://www.peakcolo.com/news/enterprise-clouds-expand-disaster-recovery-possibilities

Techworld — Dutch water experts have teamed up with IBM to launch a new initiative called Digital Delta, which will investigate how to use Big Data to prevent flooding.

The Netherlands is a very flat country with almost a quarter of its land at or below sea level, and 55 percent of the Dutch population is located in areas prone to flooding. The government already spends over 7 billion in water management every year, and this is expected to increase 1-2 billion by 2020 unless urgent action is taken.

While large amounts of data are already collected, relevant data can be difficult to find, data quality can be uncertain and with data in many different formats, this creates costly integration issues for water managing authorities, according to IBM.

...

http://www.cio.com/article/735496/IBM_Uses_Big_Data_to_Improve_Dutch_Flood_Control

Distributed-denial-of-service attacks are the perfect weapons for cybercriminals and political adversaries. And Prolexic CEO Scott Hammack says any organization with an online presence should brace itself for attacks.

"As the world becomes more chaotic - which I do believe it will be - there will be more and more disenfranchised countries or people," Hammack says during an interview with Information Security Media Group [transcript below]. "This is a perfect weapon," he says.

And as the attacks get more sophisticated, defending against them gets more challenging, Hammack says. Today's attacks are increasingly using standard Internet security mechanisms, such as secure sockets layer protocol, to defeat online-outage defenses, he says.

...

http://www.govinfosecurity.com/ddos-perfect-weapon-for-attackers-a-5859

The following guest post is by Dwayne Melancon, CISA, chief technology officer, Tripwire, an IT security software company.

The SEC is getting pretty explicit about information security risk. You have to identify it, you have to declare it, and you have to manage it.  The problem is, a lot of the CEOs I talk with have no clue what they are accepting when they sign off on information security risk.

Sometimes, they blindly accept the cryptic recommendations from their chief information security officers (a.k.a., CISO).  Sometimes, their guts tell them there may be a problem, but they don’t know which questions to ask to figure out what’s really going on.  In both cases, I think it’s a problem that senior business managers are accepting risks they don’t fully understand.  How can this represent the best interests of your stakeholders?

...

http://www.forbes.com/sites/groupthink/2013/06/26/an-executives-guide-to-security-risks/

Yesterday I spent the day with a number of people from across the nation looking at what lessons can be learned from the Hurricane Sandy Experience. The key person putting this event together was Steven Flynn. Because he was able to get grant funding to support the work, he could sponsor the travel for a variety of people to attend. Generally he drew on people from other major metropolitan areas that have been doing catastrophic planning and also have significant risks. I liked the mix of attendees. Due to the significant business interruptions to the NY/NJ ports, there were a number of other port authority representatives in attendance.

The first panel of the day was a federal one that spoke to what they learned from the Hurricane Sandy Experience. See my notes below. Please note that this is what I could capture, certainly not a verbatim record of what was said.

...

http://www.emergencymgmt.com/emergency-blogs/disaster-zone/Resilience-lessons-from-hurricane-sandy-062613.html

When it comes to compliance risk, board members know the drill all too well. Every six months or so, they receive a new report indicating that everything is mostly under control.  So it’s no wonder they’re surprised when a compliance issue blows up – and it’s no wonder they’re asking tougher questions of compliance executives with every passing quarter.

As regulatory oversight continues to grow, the challenge of dealing with compliance risk will only become more pressing.  It’s not just an item on the agenda – compliance is its own agenda these days.  Given the pace and scale of change, both compliance executives and boards are increasingly concerned that old, reactive ways of managing compliance may cause them to fall behind the competition — or leave them exposed to new regulatory and reputational risks.

If your organization is looking to increase its Risk Intelligence quotient through full-spectrum compliance, three broad areas will command your attention:  Environment, execution, and evaluation.

...

http://www.corporatecomplianceinsights.com/when-the-board-comes-calling-about-compliance-a-risk-intelligent-approach

So, what do you do when the sky caves in, as it has in the last week for Savannah culinary personality Paula Deen? What do you do when the past comes knocking in a most unfavorable way? What are the steps for digging out from under a public relations disaster?

Without speaking directly to the still-unfolding Deen contretemps, Jennifer Abshire, of the Savannah public relations firm that bears her name, said there are three basic rules for dealing your way out of any PR crisis.

“If you’re looking at a crisis, I think dealing with it directly is extremely important,” Abshire said Monday. “I do, however, believe that a simple statement is sufficient. And I think the most important thing for anyone who has dealt in crisis PR is to immediately get as much good news out as possible of the wonderful things the client or person has done to help the community.”

...

http://savannahnow.com/sean-horgan-and-mary-carr-mayle/2013-06-25/wading-through-pr-crisis#.Ucsb39iDmJQ

This was only an exercise.

Police, firefighters and medical technicians swarmed onto the grounds of Canopy Oaks Elementary on a cloudy Friday morning.

They lined up stretchers and plastic kiddie pools in the parking lot behind the school. They set up washing stations to rinse hazardous chemicals off the 15 high school students who spilled into the breezeway in the middle of the school grounds, and doused the students with fire hoses.

Sheriff's deputies interviewed the students one at a time, and one of them admitted there was a bomb in a car parked out front.

The Big Bend Regional Bomb Squad arrived and deployed remote-control robots with mechanical arms that shattered windows and ripped doors off a beat-up Dodge Stratus parked out front.

Friday’s “chemical chaos” drill involved 10 agencies — from Leon County Schools to the Florida Department of Law Enforcement and the hazardous materials unit of the Tallahassee Fire Department. Evaluators followed them every step of the way, taking notes and film that will help them analyze their performance and look for ways they could respond better in the event of a real disaster.

...

http://www.tallahassee.com/article/20130625/NEWS01/306250011/-Chemical-chaos-drill-chance-practice-response-disaster

LAFAYETTE — Sussex County amateur radio operators recently concluded a 24-hour emergency preparedness drill that saw them contact more than 2,600 other operators throughout North America and overseas.

The annual exercise, conducted this past weekend in Lafayette, afforded members of the Sussex County Amateur Radio Club an opportunity to showcase their craft to the public and, just as importantly, contributed to the group's ongoing partnership with the Sussex County Office of Emergency Management.

"We want the community to know that in the event of an emergency, we will be ready to assist in any way we can," said John Santillo, the group's president. "While people often think that cell phones or other communications technologies have replaced ham radio, we can provide vital communications in an emergency that others can't."

...

http://www.njherald.com/story/22687960/2013/06/26/ham-radio-operators-test-emergency-preparedness

The day you need business continuity planning isn’t the day to start thinking about implementing a program.

In the wake of devastating flood waters that hit Calgary and parts of southern Alberta, many organizations in Wild Rose Country have had to flip the switch on their continuity plans to ensure operations continue on as close to normal as possible.

That’s not easy, given the scope of the damage. How bad is the flooding? One need look no further than the city’s iconic Saddledome, home of the Calgary Flames, which filled with water like a giant bathtub up to row 10.

According to estimates from the Calgary Chamber of Commerce, somewhere between 150,000 and 180,000 people work in the city’s downtown core, and the city has a $120-million a day economy. That’s a huge number of displaced employees with a giant price tag, and Calgary Mayor Naheed Nenshi says it will likely be mid-week before most employees can return downtown. It’s hard to imagine the city returning to business as usual this week at all.

http://www.hrreporter.com/blog/Editor/archive/2013/06/25/dont-have-a-business-continuity-plan-start-working-on-it-today#sthash.ozTfxrRt.dpuf

In my career as an asset manager, and as a manager of financial risk, I have learned that all good risk management is done upfront, before the first purchase is made or product is sold. Secondarily, good risk management relies on the concept of feedback, i.e., are the results expected at inception happening? If not, are they happening in a way that makes us doubt the margin of safety that we thought we had?

...

http://www.valuewalk.com/2013/06/risk-management-lessons-from-the-insurance-industry/