Spring World 2017

Conference & Exhibit

Attend The #1 BC/DR Event!

Bonus Journal

Volume 29, Issue 5

Full Contents Now Available!

Industry Hot News

Industry Hot News (6944)

When you’re scouring your neighbourhood to detect possible risks to your organisation, a tool like Google Earth can be a valuable asset. Without leaving your desk you can tour streets and advance street view by street view, pinpoint addresses such as the nearest phone service and electricity providers on your map and spot vulnerabilities – that remote site with no surrounding fence, for example. That’s the good side of Google Earth. However, it also has its limitations and even potential drawbacks. Find out more about these below so that you won’t be caught short.



The vision of the cloud as a magical realm of limitless scalability and customized, on-demand data architectures still runs strong in the enterprise industry. This view is not altogether wrong, even though many clouds with various levels of functionality will be created in order to meet the demands of an increasingly diverse data community.

But no matter how the individual enterprise chooses to implement the cloud or what applications it deploys, the fact remains that, as with any other infrastructure expansion, the migration process will be lengthy and complicated.

The good news, though, is that the cloud industry is highly motivated to absorb as much of the existing enterprise data environment as possible and, being already steeped in automated processes, it is working to take on the lion’s share of the migration burden using the latest software platforms.



Tuesday, 12 November 2013 16:32

CFOs More Confident About Risk Management

Nearly two-thirds of CFOs are more confident in their ability to manage risk, with 25% reporting an increased appetite for risk, according to a new national survey from TD Bank. A number of respondents said their organizations have managed risk proactively since 2008 through internal controls and procedures and increased accountability.

“What we’re seeing, both through this survey and in our interactions with clients, is a more positive outlook about the economic environment and the business opportunities coming out of the recession,” Greg Braca, executive vice president and head of corporate and specialty banking at TD Bank said in a statement. “Well over a third of the CFOs surveyed expressed that they’re more confident in the U.S. economy, and more than half viewed their organizations’ prospects in the same vein. CFOs feel better equipped to manage risk, which will enable them to take a more active approach to investing and expansion, even if the economy improves at a slower pace than we’d like.”

CFOs are also apprehensive about the regulatory climate, with more than a third of respondents indicating that regulation is a top concern going forward.

The survey was conducted in September and October 2013 by ORC International. A total of 150 executives were surveyed, half at companies with annual sales of $50 million to less than $250 million (middle-market) and half at companies with annual sales greater than $250 million (corporate).



CSO — As everyone knows, cloud provider Nirvanix recently fell apart, declaring bankruptcy and leaving its customers in the lurch. Nirvanix gave enterprises less than a month to move their data to a new home. To avoid the fate of those customers, follow these best practices for safely moving data in and out of the cloud.

Due diligence: financials first

The Cloud Security Alliance's February 2013 report, "The Notorious Nine: Cloud Computing Top Threats in 2013" has identified a lack of due diligence as a continuing threat to cloud computing. When enterprises do look into cloud providers, their view of things is a bit lopsided. "Cloud consumers place too much emphasis on information assurance and privacy, or focus on cost reduction and savings at the expense of investigating the financial health of candidate providers," says John Howie, COO, the Cloud Security Alliance.

"Perceived profitability does not imply stability for a company or a service provider," says Adam Gordon, CISO, New Horizons Computer Learning Centers; "the management strategies of a company can squander financial success overnight, driving profitability, the company and its partners over a cliff quickly if nobody is paying attention."



Monday, 11 November 2013 17:14

Cybersecurity Threats Are Rising

Cyber security has moved from operations to a concern of the C-suite and the board, EY (formerly known as Ernst & Young before getting carried away with hip rebranding), the consultancy, has found in its work across industries.

“For nearly three- quarters of organizations surveyed, information security policies are now owned at the highest organizational level,” the firm concluded in a recent report on cyber security, “Under Cyber Attack, EY Global information security survey 2013.” Because the attacks are becoming more numerous and more sophisticated, organization have to improve their defenses and get proactive. (For a fascinating look at how Obama’s security is protected — a tent that is erected in hotel or conference rooms with tools to protect against eavesdropping, see The New York Times.)

“The number of threat actors is increasing and each has a different high value target,” said Chip Tsantes, cybersecurity leader for financial services at EY. “Five years ago it was protecting money, but now threat actors, nation states and hactivists are looking to disrupt, embarrass, steal IP or help their domestic industries. The number of targets has increased, techniques have gotten better and they are going after a wide array of targets.”



By Brad Glisson

Experts from the University of Glasgow looked at a sample of mobile phones returned by the employees from one Fortune 500 company and found that they were able to retrieve large amounts of sensitive corporate and personal information. The loss of data such as this has potential security risks, inviting breaches on both an individual and corporate level.

The data yielded by this study on 32 handsets included a number of items that could potentially cause significant security risks and, lead to the leakage of valuable intellectual property or exposed the company to legal conflicts.

The study is an important step in proving that the increasing use of mobile devices in the corporate environments may be jeopardising security and compromising country specific data protection legislation.



Today is National Remembrance Day for Veterans who served their country and across the world. In the US we call it Veterans Day. In the UK, it is called Remembrance Day. Whatever it is called, it is designed so that we may never forget the sacrifices that the men and women made so that we can live in a free society. So today, I ask you to personally thank a veteran, buy them a cup of coffee or simply reflect on those who made the ultimate sacrifice to allow us all to go forward into the 21st Century.

My father is a veteran of both World War II and the Korean Conflict. I saw him this weekend and at 87 he is still kicking along, reading, studying and thinking about the relevant issues of the day. He gave to me a copy of the Fall 2013 issue of the University of Illinois, College of Law, Comparative Labor Law & Policy Journal which had an article, entitled “Toward Joint Liability in Global Supply Chains: Addressing the Root Causes of Labor Violations In International Subcontracting Networks”, by authors Mark Anner, Jennifer Bair and Jeremy Blasi. So to honor my father’s continuing interest in anti-corruption compliance, today I will write about this article and how it informs anti-corruption compliance in the Supply Chain.



MANILA — The super-typhoon that tore through the Philippines and left a feared five-figure death toll touched down in central Vietnam early Monday, already ranking as one of Asia’s most destructive natural disasters in recent decades.

As rescue workers struggled to reach some areas along a heavily damaged chain of Philippine islands, survivors described a toll that this impoverished country will be contending with for years.

Entire regions are without food and water, and bodies are strewn on the streets, after a typhoon that had much the look of a tsunami, with waves as high as two-story buildings. Photos and videos showed towns ground to a pulp.



Monday, 11 November 2013 17:04

Data Quality Enlightenment

A few weeks ago, I wrote about the Five-Fold Path for Ensuring Data = Information, which I drew upon Buddha’s Eight-Fold Path for inspiration.

But to really understand the practices of the eight-fold path, you need to understand the underlying doctrines that motivate it. In Buddhism, those tenets are outlined in the Four Noble Truths.

The five-fold path describes what you need to do to achieve data quality, but that still doesn’t define the realities that drive us to pursue data quality.



Monday, 11 November 2013 16:55

Enterprises Poised to Take on the Real Cloud

To say that the cloud is a common facet of enterprise infrastructure is something of a mistake. While many organizations have embraced the cloud as a means to ramp up storage capacity or even burst workloads during peak activity periods, few have integrated cloud infrastructure into their normal data environments in ways that leading experts say leverages the true value of the technology.

But that may be about to change. New market research is starting to suggest that attitudes are shifting and enterprise executives are warming up to the idea of the cloud as a full functioning extension, or even a replacement, of on-premise infrastructure.

First up is Gartner, which reported recently that cloud computing is on pace to make up half of the total IT market by 2016, with nearly half of all large enterprises deploying hybrid clouds by 2017. The company says virtualization, orchestration, high-speed networking and other cloud-enabling technologies have reached a point at which enterprise executives can finally see the advantages that cloud architectures have over traditional infrastructure, particularly as the industry starts to confront the realities of mobile computing, social networking, Big Data and other trends. The big question for many, however, is whether they will be strictly consumers of cloud services or a provider as well.



MANILA, Philippines -- MANILA, Philippines (AP) — The strongest typhoon this year slammed into the central Philippines on Friday, setting off landslides and knocking out power and communication lines in several provinces. At least four people died.

Huge, fast-paced Typhoon Haiyan raced across a string of islands from east to west — Samar, Leyte, Cebu and Panay— and lashed beach communities with over 200 kilometer (125 mile) per hour winds. Nearly 720,000 people were forced to evacuate their homes.

Due to cut-off communications, it was impossible to know the full extent of casualties and damage. At least two people were electrocuted in storm-related accidents, one person was killed by a fallen tree and another was struck by lightning, official reports said.



Friday, 08 November 2013 16:02

The 4 R’s of Disaster

When the director of technology states that the IT infrastructure is up and available after a disaster, many believe it means that an organization can now begin to operate as normal. This is not completely correct; it’s only part of the solution. It’s like a car salesman pointing out a car on the lot; just because it’s sitting there doesn’t mean it’s ready for use – you need gas, a key and other bits before it’s ready for use. So, just because the technology infrastructure is ready, doesn’t mean it’s ready for use.

What’s happened is that the infrastructure has only been restored; the organization still needs other components in play before it can safely say it is back to operations – not necessarily ‘normal’ operations (Is it ever ‘normal’ to operate in disaster mode??). Yet when technology is restored there is the misconception that all must be well.

I like to keep 4 R’s in mind when an organization is getting back up on its feet after a major situation. Below describe four key stages that an organization must go through before it can state – confidently – that it’s back open for business – albeit, no doubt at reduced capacity and capability.



Friday, 08 November 2013 16:01

Security a Focus after N.J. Mall Shooting

The most recent mall shooting, just a few days ago at the Garden State Plaza in N.J., again heightened the focus on risk management and security nationwide.

Parents have trusted that malls would be safe for teenagers to meet with friends, but places for public gathering can become targets for violence. The pressure is on for organizations to examine their security measures and contingency plans.

David Boehm, with Security USA said in an interview with CBS New York that the U.S. can learn from security experts in Israel. Similar to Israel, he said, our country heading in the direction of having officers stationed at entrances and exits to malls.



Computerworld - The document scanning operations of a massive public online digital archive based in San Francisco suffered $600,000 in fire damage Wednesday night.

The Internet Archive said no one was hurt in the fire that broke out about 3:30 a.m. and caused damage to an electrical conduit and some "physical materials." The cause of the fire is under investigation. The archive has a second facility in Richmond, Calif.



Which situation do you think is worse: Your company getting a public relations and/or consumer confidence hit because you revealed that your network was breached or not disclosing the breach at all?

Based on a recent ThreatTrack report, a lot of employers out there think the PR situation must be the worst scenario. The survey, conducted by Opinion Matters, includes feedback from 200 security professionals dealing with malware analysis within U.S. enterprises. It found that nearly 6 in 10 malware analysts have investigated or addressed a data breach that was never disclosed by their company.

In addition to not being totally open with their customers, the ThreatTrack report shows that the data breach problem is a lot worse than any of us thought. According to Verizon’s 2013 Data Breach Investigations Report, there were 621 confirmed data breaches last year. But if nearly 60 percent of malware analysts say the breaches they investigated internally were never reported, it is a good bet that 621 breaches is a low number. A very low number.



LINCROFT, N.J.  -- From mucking out homes to hanging drywall; from providing cleaning supplies to delivering food and financial assistance, volunteers and charitable organizations from around the nation have worked diligently to help residents of hard-hit New Jersey recover from Superstorm Sandy.

At the one-year anniversary of Sandy, many of the volunteers and sponsoring organizations who lent a hand in the critical first days after the disaster are still here and still helping.

As of the end of September 2013, some 173,544 volunteers had invested more than 1 million volunteer hours in the Sandy recovery effort. The value of their contributions now totals more than $30 million.

“In a disaster such as Hurricane Sandy, the efforts of volunteers are critical to the recovery,” said Gracia Szczech, federal coordinating officer for FEMA in New Jersey. “Volunteers have made a substantial contribution to helping New Jerseyans respond and recover from the challenges they faced after Hurricane Sandy.”

While the volunteer efforts that extend across the state may appear unrelated, in reality, they are all part of a collaborative mission, participating in a massive team effort to assist survivors of Hurricane Sandy in their transition to long term recovery.

“I’ve witnessed how valuable volunteers have been,” said Lt. Joseph Geleta of the New Jersey Office of Emergency Management.  “It’s very important for the OEM to partner with the volunteer community.”

As the Volunteer Agency Liaison for Sandy Recovery, Geleta works in partnership with FEMA and a coalition of volunteer organizations who are members of the NJ Voluntary Organizations Active in Disaster to coordinate a network of resources to assist survivors as they rebuild their lives.

“We have established Long Term Recovery Groups to help survivors,” Geleta said. “Our goal is to try to meet those unmet needs of survivors who have exhausted all of their disaster assistance dollars and who are still in need.”

The task is a big one.

Back in 1999, in the aftermath of Hurricane Floyd, 70,000 people registered for FEMA disaster assistance. “At that time we established a Somerset County Long Term Recovery Group, and they were helping people for five years after the storm hit.”

In 2011, after Hurricane Irene, 90,000 New Jerseyans registered for disaster assistance. “We were still working on unmet needs from Irene when Sandy hit,” Geleta noted.

The number of people seeking help after Hurricane Sandy exceeded the numbers who registered after Floyd and Irene combined.

“More than 260,000 residents of New Jersey registered for disaster assistance,” Geleta said. “Clearly we expect this is going to be a very long recovery.”

During the year after Sandy, the NJVOAD coordinated and supported the volunteer efforts of more than 500 organizations.

These organizations ranged from internationally known agencies like the American Red Cross to smaller groups that regularly travel thousands of miles to assist their fellow Americans when disaster strikes.

Among those groups are the Southern Baptist Men, who applied emergency “blue roof” coverings on over 1,500 homes that had been so damaged by the hurricane that their interiors were exposed to the elements.

Other groups that provided volunteers, resources and skilled workers to Sandy survivors in New Jersey included Habitat for Humanity, Feed the Children, Lutheran Disaster Response, United Jewish Communities, the National Disaster Relief Office of the Roman Catholic Church and Mennonite Disaster Services, to name only a few.

Local churches, charities and nonprofits also worked around the clock to provide the help their neighbors needed to survive, recover and rebuild.

The Foodbank of Monmouth and Ocean Counties regularly provides more than 127,000 people with food and other services. The need for assistance increased substantially with the arrival of Sandy.

“In the immediate aftermath of Hurricane Sandy we provided over 1 million meals to people who were affected by the storm,” said Marion Lynch, marketing and communications coordinator for the Foodbank. And a year after the storm, “Our work continues. We provide food and outreach services to some of the area’s most hard hit communities and support recovery efforts in both counties. We remain committed to helping our neighbors recover and we rely on a caring community to support our work.”

The American Red Cross has also been a major partner in the recovery effort.

In the weeks following the disaster, the American Red Cross’s 5,300 employees and volunteers supported 65 shelters, distributed more than 1.5 million relief items, provided more than 23,000 health and mental health contacts, and served more than 4 million meals and snacks to Sandy survivors in New Jersey.

More than 2,200 Red Cross volunteers came from around the country, working with partner groups like the Southern Baptists, Islamic Relief - USA, Team Rubicon and others to help New Jersey.

Members of the U.S. Naval Academy Midshipmen Action Group, VISTA and AmeriCorps members also served as Red Cross disaster volunteers, joining members of Red Cross societies from Canada, Mexico, Saipan and other locations around the globe who were deployed throughout the state.

Red Cross volunteers contributed over 395,000 hours of service in New Jersey and millions of dollars’ worth of Sandy-specific in-kind donations flowed from generous corporate donors through the Red Cross. The agency delivered everything from batteries to baby food, food trucks to internet access, to the people of New Jersey.

Donations made by Americans around the country to the Red Cross Disaster Relief Fund supported the distribution of more than 47,000 Red Cross Clean-up kits and more than 28,000 Red Cross Comfort Kits in New Jersey.

 “The American Red Cross continues to support residents of New Jersey in their recovery from Hurricane Sandy through a variety of programs, including grant funding to community and faith-based groups actively working to help individuals and families recover,” said Nancy Orlando, regional CEO of the American Red Cross South Jersey Region.  “Additionally, through our Move-in Assistance Program, the Red Cross is providing direct financial assistance of up to $10,000 for housing-related expenses to eligible individuals whose primary homes were destroyed or made uninhabitable by Sandy. As of September, the American Red Cross has given close to $6 million to approximately 1,300 households in New Jersey through the MIAP initiative.”

While volunteer efforts have helped thousands of New Jerseyans repair, rebuild and recover from the devastation caused by Hurricane Sandy, many residents still need help. NJVOAD has been working since before the disaster struck to coordinate and deploy volunteer resources where they are needed.

LTRGs continue to serve survivors in the following locations: Atlantic County, Atlantic City, Bergen County, Camden County, Cape May County, Cumberland County, Essex County/Ironbound, Gloucester/Salem Counties, Hudson County, Middlesex County, Monmouth County, Morris County, Ocean County and Somerset County

 “They are all working hard to help people in their communities,” said Cathy McCann, chair of NJVOAD. “NJVOAD has been hosting six regularly scheduled coordination calls among the different LTRGs so that they can share challenges, successes and support one another and that we can speak as a united group on any issues we see on a statewide basis.  The different coordination calls are Case Management, Volunteers, Construction, Donations, Emotional and Spiritual Care.  

This week we have asked Church World Service to come in and do four workshops on how cases can flow through the Long Term Recovery process.  We have over 200 people scheduled to participate in these workshops. Sometimes it is hard to believe it is a year already and other times it feels like we should be further along, there have been many challenges, and many organizations that have not traditionally worked together are learning to do so, and are finding that we all need to work together to help people recover.” 

If you or someone you know is still in need of assistance with a Hurricane-Sandy related problem, help is available via the web at www.Ready.gov and http://www.state.nj.us/njoem/programs/sandy_recovery.html

Survivors may also find information and access resources by calling 2-1-1 or via the web at https://www.nj211.org.

The confidential service is funded by local United Way chapters in partnership with the State Department of Human Services, the Office of Homeland Security and Preparedness and the Department of Children and Families.

Resource specialists can connect New Jerseyans with community agencies for help with basic human needs such as clothing, food, shelter, rent and utilities, with special needs such as caring for an elderly or disabled person, with child care and with locating health and mental health care services

“The needs are still many,” McCann noted. “So many people are not aware of the Long Term Recovery Groups that are out there and that volunteers are available to help in the rebuilding,” McCann noted.

And as they help our neighbors in New Jersey rebuild, members of the volunteer network are reminding those who still want to help that donations of money and resources are still needed.

For information on making a donation of cash or materials, visit the National Donations Management Network on the web at www.ndmn.us/ to match your donation to the needs of the community.

Video Timeline of the Sandy Recovery Effort

FEMA's mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Follow FEMA online at www.fema.gov/blog, www.twitter.com/fema, www.facebook.com/fema, and www.youtube.com/fema. Also, follow Administrator Craig Fugate's activities at www.twitter.com/craigatfema.


By Rachel Little, FEMA Youth Preparedness Council Member, Region 1

Monson, Mass., July 7, 2011 -- The debris that was left behind by the June 1 tornado that hit the town of Monson and western Massachusetts. Alberto Pillot/FEMA

My name is Rachel Little and I am a junior attending Monson High School.  I have lived in Monson, Massachusetts, my whole life, and couldn’t have grown up in a better place.  My town is full of strong- willed, determined people, always willing to lend a helping hand.

When a tornado struck our town on June 1st, 2011, it brought our small community even closer together.  Everyone was reaching out to give support, from supplying food or water, to giving neighbors hope for a better tomorrow.  It was a very moving event to watch.  Even though I was not directly affected by the tornado, I had people very near and dear to me in the path of the tornado.  I wanted to help out in whatever way I could, because I saw how much the people of Monson were suffering.  I couldn’t stand by and watch -- I had to take action. 

Therefore, I joined the Monson volunteer efforts and eventually became a member of The Street Angels.  The Street Angels is a dedicated volunteer group that brought supplies to families in need after the tornado,  and helped families make connections with landscapers and builders. My fellow Street Angels helped me fill out an application to become part of FEMA’s Youth Preparedness Council, and I am now going into my second year of being a proud member.  To me, the Youth Preparedness Council is the beginning of people realizing that youth can make a difference in emergency preparedness and response -- not just myself and the wonderful people of this council, but the world’s youth.   My fellow members and I are just the beginning of that change.

My plan for 2013 is to collaborate with the Medical Reserve Corps (MRC), or Community Emergency Response Team (CERT), to start a teen readiness club in my town.  I know a lot of people my age wanted to get involved after the 2011 Monson tornado, but they didn’t know how.  If either a Jr. MRC or a Teen CERT had already been in play before the tornado, Monson would have seen a significantly higher amount of youth action.   Being a member of the Youth Preparedness Council, my mission is to increase the amount of prepared youth and families in my region.

I’ve also been trying to share emergency preparedness at my school.  I’ve hit significant road blocks during previous attempts at getting a teen readiness club up and running for Monson High School.  After last year’s Youth Preparedness Council summit in Washington DC, I had my heart set on starting a Teen CERT. The idea of getting my friends and classmates interested in preparedness and prepared for disasters was exciting.  I asked around to see if I could get a trainer to help me get the team started.  I found a man in my neighboring community who seemed very willing to help me out, but unfortunately, that fell through.

I turned to my Local Emergency Preparedness Committee, which was formed after the tornado.  Although I made a presentation to them and they liked my ideas, we weren't able to get the plans off the ground.  I did meet a woman in the Local Emergency Preparedness Committee meetings who happened to be the head of the MRC in my town, and she introduced me to Jr. MRC.   We’re still hoping to get the Jr. MRC started, and it’s a current work in progress.  I anticipate that the challenges for this year will again be finding someone to teach the course or help me with the establishment of the club.  I have a backup plan, so that if things fall through, I will take the Teen CERT “train the trainer” course so I can teach a class myself.

As a result of starting Teen CERT or Jr. MRC in Monson, I want to see this little community become prepared for future emergencies.  I hope never to see another disaster to the extent of the tornado ever again, but it’s better safe than sorry.  I will know I’ve met success when I have a fully functioning teen readiness club in Monson High School.  From there, I can only hope to expand my efforts to other communities and beyond.

Editor’s Note: The views expressed in this blog post do not necessarily represent the official views of FEMA, the Department of Homeland Security, or the United States Government. We are providing links to third party sites and organizations for your reference. FEMA does not endorse any non-government entities, organizations or services.


CSO — Everybody who spends much time on the web knows their activities are tracked for marketing purposes. Do a little online shopping for hats, and you will quickly see ads for hats popping up on other websites you visit.

But, the collection of individual data by so-called Big Data brokers goes well beyond your online shopping. Those companies -- there were 253 of them as of this past March, according to a directory compiled by the Privacy Rights Clearinghouse -- collect and sell information to marketers on everything from your marital status, whether you might be pregnant or have a newborn, have cancer, are trying to lose weight, are gay or straight, how much you make, what credit cards you use, your lines of credit, where you live, what your house cost, what kind of car you drive or if you might be looking to buy a new one, your race, occupation, political leanings, education level, have one or more children in college, have pets to what your hobbies are and more -- much more.

The clichA(c) is that data brokers know more about you than you know about yourself.

But this, according to those brokers, is a very good thing for you, the consumer. One major broker, Acxiom, which has been very much in the news over the past month for allowing consumers to view a portion of the data it collects on them through a new portal -- AboutTheData.com -- is using that higher visibility to assure people that not only is this collection harmless, but it also brings them a host of economic and other benefits.



CIO — A U.S. Senate committee yesterday approved legislation that would encourage government agencies to consolidate their data centers along with a bill to require online disclosures of federal spending data.

The Federal Data Center Consolidation Act, sponsored by Michael Bennett (D-Colo.), would spur on an initiative that the Obama administration launched in February 2010 to reduce the footprint of the government's IT infrastructure as agencies shift toward cloud computing and shared services.

The bill would require the 24 agencies participating in that effort to submit comprehensive inventories of their IT facilities to the Office of Management and Budget, along with long-term plans for phasing out data centers and optimizing performance at the ones that remain open. The agencies would also be expected to submit estimates of cost savings from their consolidation plans.



Thursday, 07 November 2013 17:22

Alternatives to Traditional Risk Assessments

There are limitations to traditional risk maps, heat maps and risk rankings based on subjective assessments of the severity of the impact of potential future events and their likelihood of occurrence. These limitations include the influence of individual biases and “group think,” preempting out-of-the-box thinking, failure to address the unique characteristics of the risks the company faces, undue influence from past experience and successes and little insight regarding what to do about exposures to extreme events. Simply stated, an assessment process that subjects all risks to the same analytical grid has shortcomings that need to be recognized if risk management is to advance as a discipline.

While there may be a place for traditional risk assessment approaches when creating awareness and obtaining a “quick and dirty” overview of risk, more sophisticated assessment mechanisms may be necessary to provide the insights needed by management and the Board. If very little happens as a result of an organization’s risk assessment process, it is a clear sign that alternative approaches should be considered. We will explore alternatives for the four categories of risks: strategic, operational, financial and compliance.



Thursday, 07 November 2013 17:21

What Are Your Top Ten Organisational Risks?

Organisational risk is in the eye of the beholder. What you see as being the main risks as an innovative small business serving the Melbourne metropolitan area may be very different from the point of view of a multinational corporation with projects all over the world. It’s wise however for both types of organisation to consider different perspectives. They can help reveal risks hitherto ignored or that lurk in the background, ready to increase in importance as conditions change. They also help enterprises to remain flexible in their outlook and more resilient to problems, whether inside or outside the business. Here are a few different takes you might consider.




London’s Royal Courts of Justice was the perfect setting for the Business Continuity Institute’s gala Global Awards dinner on November 6th at the conclusion of Day 1 of the BCM World Conference & Exposition.

The High Court was not in session, but the esteemed judges empanelled by The BCI rendered its verdicts – recognizing the outstanding achievements of Business Continuity professionals and organizations worldwide.

In the Consultancy & Individual categories:

Business Continuity Consultant of the Year was awarded to Saul Midler, LINUS.

Tom Clark, Liberty Mutual Insurance was named Business Continuity Manager of the Year.

And Standard Life PLC won the award for Business Continuity Team of the Year.

The award for Public Sector Manager of the Year award was presented to Alan Jones.

Andrew MacLeod, Needhams 1834 Ltd was named Business Continuity Newcomer of the Year.

In the Corporate categories:

The Business Continuity Innovation Award was presented to Vocal Ltd..

SunGard Availability Services was named Business Continuity Service Provider of the Year, and the Business Continuity Product Provider of the Year was presented to eBRP Solutions Network, Inc..

The award for Most Effective Recovery of the Year went to Etihad Etisalat – Mobily.

Finally, the public vote for the Industry Personality of the Year resulted in this year’s coveted honor being bestowed on Richard L. Arnold, recognizing his career-long contribution to the Business Continuity industry.

Congratulations to all of these worthy winners.  Each exemplifies the best in our industry – the highly skilled, the thought leaders, those who have leveraged their experience or demonstrated their acumen to have a positive impact both locally, and on the Business Continuity industry globally.  But simply being nominated for one of these awards should be considered an honor; only the select few are singled out as Regional Award winners and qualify as nominees for these Global awards

Here at eBRP Solutions we’re very, very proud of this honor.  Our award is testimony to the hard work of our designers and developers, and the incalculably valuable input of our customer worldwide.  We were thrilled to win this year’s Regional awards in North America, Europe, Asia and the Middle East.  We know that without the collaboration of our customers and other partners, eBRP and our flagship product- eBRP Suite – would not be what is today: recipient of the 2013 BCI Global Business Continuity Product of the Year Award.

The Business Continuity Institute (BCI) has named eBRP Solutions winner of the 2013 Global Business Continuity Product Provider of the Year award, for its flagship Business Continuity Management software eBRP Suite.


The award was presented at a gala Global Awards dinner concluding the open session of the 2013 BCM World Conference and Exposition on November 6th at the Royal Courts of Justice in London, UK.

The BCI Global awards are the culmination of a year-long program of Regional awards by BCI Chapters across the globe.  Winners of each of seven Regional award competitions were entered as nominees for the Global awards.  Earlier this year eBRP captured 4 Regional Business Continuity Product of the Year awards – honoring its flagship software eBRP Suite – in the North American, European, Middle Eastern and Asian BCI award competitions.

“2013 has been proven to be a banner year for eBRP,” according to Jim Mitchell, an eBRP Director. “Last year we were named the BCI’s North American Business Continuity Software of the Year, and this year we were delighted to pick up 4 additional Regional awards.  But the Global award is much more significant; it solidifies our standing a Thought Leaders in the Business Continuity industry.”

BCI Award

According to The BCI, the Global Awards “recognize the outstanding achievements of Business Continuity professionals and organizations worldwide and pay tribute to some of the finest talent in the industry.  Becoming a winner of a BCI Award gives international recognition for hard-earned achievements and is considered a great accolade within the BCM profession.”

“More than ten years of hard work has gone into the design and continuing development of eBRP Suite,” added eBRP Managing Director Ramesh Warrier.  “This award is shared with the entire eBRP Team – and with our Customers, whose collaboration has helped us evolve eBRP Suite to become a globally-acclaimed leader in the BCM industry.”

Want to find out what earned eBRP Suite the Global BC Product Award?  Simply click the Show Me button below, or the Request a Demo button to the left of this page – or email us directly at This email address is being protected from spambots. You need JavaScript enabled to view it., or phone us at  +1-888-480-3277 or (905) 677-0404.  We’ll be happy to show you how eBRP Suite can take your organization’s Business Continuity Management program to the next level.

Jennifer Craig Jennifer has been the cheerleader for everything eBRP – from designing & coordinating tradeshows, print ads, press releases and building eBRP’ s web presence. Strategic efforts with LinkedIn, Twitter, Word-press and Hoot Suite makes Jen the key social media marketing champion at eBRP. Her efforts have greatly enhanced eBRP’ s brand image globally and is credited for many of the accolades & awards in eBRP’ s trophy showcase.

Recently a group of executives, including myself, formed a new council whose aim is to increase disaster recovery preparedness and improve disaster recovery practices. The idea is to study current DR practices and develop DR standards and best practices for the industry to follow. Our initial research surprised us.

Initial results from the Disaster Recovery Preparedness online benchmark survey show the dismal state of DR preparedness of companies worldwide. Using a common grading system from A (the best) to F (the worst), 72% of survey participants, or nearly 3 out of 4 companies worldwide, are failing in terms of disaster readiness scoring ratings of either a D or F grade.  (You can take the test yourself at www.drbenchmark.org).



As I discussed in a previous post, for small to midsized businesses, cloud backup services can simplify the process of backing up data and storing it offsite. Such services are available in many service levels and fit the budgets and data storage needs of a variety of businesses.

Before a company signs on with a managed service provider (MSP) for backup services, however, it should answer questions to head off potential issues:

  • What type of service does the company need?
  • Will there be latency issues?
  • What is the service provider’s availability?
  • How will security be handled?
  • Are there compliance policies that will need to be followed?
  • How will cloud backups mesh with current policies for data recovery and/or disaster recovery?



Techworld — Enterprises should aim to create "business-defined data centers", according to IT analyst house Forrester Research.

In recent years, there has been a big push towards software-defined data centres, which aim to improve overall data centre performance by optimising the application layer and the hypervisor layer.

However, Forrester argues that the business-defined data centre cares about real services as opposed to less important applications.

Speaking at the annual Fujitsu Forum event in Munich today, Rachel Dines, senior analyst at Forrester, said: "Software-defined was a good step but it doesn't go far enough. We want to think about order to cash, payroll, supply chain management. Actual business processes instead of [applications like] ERP and CRM and HCM and a million other acronyms."



WILLISTON, Vt. – It usually takes a disaster like Tropical Storm Irene – which knocked out roads, electricity, water, and communications – to remind us how important our infrastructure is to our communities and our way of life.

The Federal Emergency Management Agency is urging Vermonters to become more aware of critical infrastructure and the need to protect it from disasters or other hazards.

President Barack Obama has declared November Critical Infrastructure Security and Resilience Month, and officials say disasters like Irene and this year’s flooding events demonstrate the importance of expanding and reinforcing critical infrastructure security and resilience.

“The memory of Irene is still strong in Vermont,” said Federal Coordinating Officer Mark Landry, the head of FEMA’s Vermont operations. “Now is a good time to think about how important our transportation, communication, and utility infrastructure is and what we can do to protect it.”

Critical infrastructure is the systems that form the backbone of America’s national and economic security, including the electric grid, communications structures, transportation systems, and utilities like water and sewer, as well as the cyber-security of these systems.

“In this day and age, protecting critical infrastructure means more than safeguarding electric substations or bridges,” said Ross Nagy, Deputy Director of the Vermont Division of Emergency Management and Homeland Security. “It also means ensuring that the control systems for these facilities are safe from cyber-attack or human error that could disrupt crucial networks.”

The U.S. Department of Homeland Security – FEMA’s parent agency – urges all Americans to do their part in ensuring critical infrastructure security and resilience by doing the following:

  • Learn about steps you can take to enhance security and resilience in your businesses and communities and how to handle certain events.
  • Make a plan with your families to keep your loved ones safe.
  • If you run a business, make a plan to keep your employees and community safe and enhance your ability to recover operations quickly. If you are an employee, ask your management whether there are plans in place and get a copy.
  • Report suspicious activity.

To learn more visit: http://www.dhs.gov/critical-infrastructure

On October 28, New York Governor Andrew Cuomo announced the establishment of a new Emergency Disaster Protocol that insurers should expect to follow in the event of a future natural disaster. The protocol was communicated to insurers in the form of a circular letter on the same day. The new protocol includes many of the same measures that were put into place following Superstorm Sandy.

“During Superstorm Sandy these steps helped us speed up relief to New York families and businesses, and they will now become a standard part of our storm response arsenal,” said Governor Cuomo. “Insurance companies have a vital responsibility to promptly process claims for consumers hit by a natural disaster and this new emergency protocol will help make sure that they live up to that standard.”



By Joshua Ottow, Assistant Principal, Yarmouth High School 

Yarmouth, Maine, Sep. 9, 2013 -- Assistant Principal Josh Ottow (center) talks about emergency preparedness with Yarmouth High School students on the opening day of school.

My name is Josh Ottow, and I am the assistant principal at Yarmouth High School in Maine. Yarmouth is a suburban town of approximately 8,000 residents and 1,400 students, with 500 students at our high school. I serve on a team of administrators that helps plan for security and emergency preparedness in our district. Currently, we have an emergency management protocol that applies to all schools, and has additional specific information and plans for individual schools.

We feel that Yarmouth High School is already a safe school, in that we foster a trusting and respectful school culture, where positive relationships between students and teachers are of the utmost importance. For example, we do not have locks on our lockers, bells between classes, or hall passes. It’s important to us to add measures that make our school more prepared for emergencies without losing that trusting culture.

This can be a challenge because, in the eyes, of students, things like locked doors, buzz-in systems, cameras in the parking lot, and lockdown drills can feel like we are assuming the worst in them, as opposed to trusting them to do the right thing.

At Yarmouth High School, the centerpiece of our emergency preparedness is having a strong Advisor/Advisee program. We believe in the innate strength and potential of a small group of students working together with an advising adult for four years. A student’s advisor is a person to rely on for advice, information, and genuine help and support in moments of distress.  Each teacher’s group of advisees comprises a unique combination of students, who might not otherwise have become friends. We see this as an opportunity for students to offer support and receive support from a group that will be a constant in students’ life for four years at Yarmouth High School. Because of our commitment to this program, we knew that it would be critical to our emergency preparedness implementation efforts.

Over the past year we spent considerable time in our Advisor/Advisee groups, talking about new emergency preparedness measures. The key is doing so in the context of keeping our school culture intact and making the school a safer place. One way we approach this is by employing discussion questions in our Advisor/Advisee groups to stimulate conversation, build understanding within our student body, and give students an opportunity to share their opinions and concerns. Example questions include:

  • What makes Yarmouth High School a secure place?
  • What makes the culture of Yarmouth High School unique?
  • Do you feel safe at Yarmouth High School?
  • Do you know what you would do in an emergency at school? Do you feel prepared?
  • What can we, as a school, do to ensure that we foster and maintain our positive, trusting, and respectful culture AND have a more secure school?

Teachers are advised to be sensitive to potential stress-level increase and emotional reactions surrounding these discussions, and are aware that student reactions may vary widely, and everyone’s opinion should be given its due. Our hope is that this conversation is honest and impactful for students as they wrestle with these tough issues.  We are also hoping that this conversation spills into “dinner time” talk with their parents at home. Parents are always invited to play a contributing role in these emergency preparedness plans via community-based forums, where they can express their opinions, make requests, and give suggestions.

Another method that we use to address emergency preparedness is collecting direct feedback from students. For example, we ask students (through their Advisor/Advisee groups) for feedback on our response plan and suggestions for future protocols each time we hold a lockdown drill. Advisors are given a detailed, play-by-play lockdown drill guide that they go over with their advisees after each drill. Sometimes, we get great suggestions from the students that we may not have thought about otherwise.

For example, during a recent lockdown drill we asked students to hand over their phones to their teacher. One student asked his Advisor why we did that, and he was told that one reason was to minimize light and noise coming from the classroom.  In response, he suggested that teachers should also close the lids of their laptops, because his teacher had his laptop open during the lockdown and it was emitting light. This was not something we had specified in the plan and may not have thought to add if this student hadn’t brought it up. Advisors have access to a shared online document where they can note these suggestions, and then we talk about the responses and potentially revising our plans at a school-wide faculty meeting.

Our emergency preparedness efforts in the past several months, from new plans and new equipment to authentic and honest discussions amongst students and staff, have shown me that involving students and being open with them about how preparedness measures could impact school culture is the best way to ensure a safe and positive school.

Editor’s Note: The views expressed in this blog post do not necessarily represent the official views of FEMA, the Department of Homeland Security, or the United States Government. We are providing links to third party sites and organizations for your reference. FEMA does not endorse any non-government entities, organizations or services.

Wednesday, 06 November 2013 14:53

Are enterprises losing the cyber-war?

Bit9 has published the results of its third-annual Server Security Survey of nearly 800 IT and security professionals worldwide.

Server security remains one of the most critical aspects of any company’s security posture. Servers are where the majority of customer data, intellectual property and user credentials are stored, which is why they are the target of most advanced threats. Failure to protect servers from advanced threats can lead to significant data loss, brand damage, large financial penalties, and diminished customer confidence.

Key survey findings included:

  • 55 percent of security professionals were concerned about targeted attacks and data breaches on servers in 2013 - up 3 percent from 2012, and up 18 percent from 2011.
  • Only 13 percent of respondents are ‘very confident’ in their ability to stop advanced threats targeting servers.
  • 26 percent of respondents admitted their servers were hit by advanced malware, up 1 percent from 2012 and up 9 percent from 2011.
  • 25 percent of respondents ‘don’t know’ if they’ve been hit by a server attack, up 7 percent from last year.
  • 92 percent of respondents use signature-based antivirus software on their servers, while only 29 percent use a new-generation security solution, such as application control or whitelisting.

Click here to read the Bit9 2013 Server Security Survey Report (after free registration).

Wednesday, 06 November 2013 14:52

BCM World Conference 2013 – Special Edition

have changed the front page of the blog this week to promote the BCI’s World Conference.

I will be live blogging from the sessions I attend and trying to generate some engagement and discussion with other practitioners on a range of Social Media.

The aim is to promote discussion, rather than monologue.

Perhaps to even find an answer to one of the more perplexing question ..

How do we get BC folks to engage and debate issues and ideas?



Could the integration challenges of cloud computing trigger an organizational shift for IT?

IT tends to swing from centralized control to decentralized control every two or three decades, anyway. In times of strong centralized control, which is what we’ve seen in recent times, most of IT will report to a CIO. When the pendulum swings to de-centralized control, you’ll typically find IT workers reporting to specific LOB managers, although a smaller central IT organization may remain.

Already, cloud and SaaS have moved many IT decisions out of the CIO’s domain and down into the line of business.  In fact, Gartner is predicting that chief marketing officers alone will outspend CIOs on technology by 2017, according to “Maintaining IT Relevance in a Hybrid Environment.”

 In that Cloud Times column, Scribe Software’s VP of Technical Resources Mark Walker discusses the unique challenges of managing IT in a decentralized, cloud-based environment.



Wednesday, 06 November 2013 14:50

Fast Forward to the Software-Defined Data Center

It seems that all the virtual pieces are finally in place and the enterprise is poised to embark on an unprecedented journey into data performance and flexibility.

The arrival of software-defined networking has heralded the drive to the fully software-defined data center (SDDC), in which all physical aspects of the data environment—servers, storage, networking and the host of specialty appliances on the market—can be created, provisioned and decommissioned entirely via software. It is essentially the difference between data users’ behavior conforming to the dictates of infrastructure and the infrastructure conforming to the needs of users.

But just because we can now envision such a scenario, does not mean getting there will be easy, or cheap. A host of issues must be confronted—everything from systems and data migration to policy development and resource allocation—in order to bring the SDDC from the lab to the real world.



Wednesday, 06 November 2013 14:49

Replacing Your Important Papers

DENVER - Not only were Colorado homes damaged by the recent severe storms, flooding, landslides or mudslides, but many survivors also lost valuable personal documents.  The documents include everything from Social Security cards to driver licenses to credit cards. 

The following is a partial list of ways to get duplicates of destroyed or missing documents:

Birth and Death Certificates – Birth and death certificates can be replaced by visiting your county vital records office or on line http://go.usa.gov/DFbw

Marriage Certificates – The online link for replacement of marriage certificates is http://go.usa.gov/DFbw

Marriage Dissolutions (divorces) – The online link for divorce decree replacements is http://go.usa.gov/DFbw

Adoption Decrees – The Colorado District Courts link for adoption records - if the adoption was finalized in Colorado - is http://go.usa.gov/DFbw

Immigration Documents – Contact your county office or the site below for citizenship, immigration, permanent resident card (green card), employment authorization, re-entry permit and more. uscis.gov

Driver Licenses – Visit any Colorado driver license office with acceptable identification and proof of address. Fee required.

Vehicle Registration, License Tab or Title – Contact your county motor vehicle office. You will need proof of insurance and Colorado vehicle emissions. Fees administered by county.  http://tinyurl.com/m2hchyh

Passport – Complete form DS-64 from http://tinyurl.com/ld6z28k

Military Records – Request Standard Form 180 (SF-180) from any office of the Veterans Administration, American Legion, VFW or Red Cross, or download from http://tinyurl.com/lnu2pmt

Mortgage Papers – Contact your lending institution

Property Deeds – Contact the recorder’s office in the county where the property is located

Insurance Policies – Contact the insurance company for replacement papers

Social Security Card – Go to a Social Security Administration office. You also can request a copy of your Social Security statement online www.ssa.gov

Transcript of Your Tax Return – Call nearest Treasury Department office, IRS office or 800-829-3646; request form 4506. To find your local IRS office, go to http://tinyurl.com/mvk5dvu

Savings Bonds/Notes – Complete Form PDF 1048 (Claim for Lost, Stolen or Destroyed U.S. Savings Bonds); available by calling 304-480-6112 or at www.treasurydirect.gov/forms/sav1048.pdf

Credit Cards – American Express, 800-528-4800; Discover, 800-347-2683; MasterCard, 800-622-7747; Visa, 800-847-2911

In February, President Obama issued an executive order instructing the Commerce Department to lead a task force of security experts and industry insiders to develop a voluntary framework to reduce cyberrisk. Last week, the National Institute of Standards and Technology officially released an initial draft of the cybersecurity framework and announced a 45-day open comment period for public input.

The full Preliminary Cybersecurity Framework can be viewed here on the NIST website. After the review period and subsequent revisions, a more complete version will be released in February.

Risk management is a primary focus of the new framework, from the language used to analyze potential exposure to express endorsements in the policy itself. According to a press release, “The Preliminary Framework outlines a set of steps that can be customized to various sectors and adapted by both large and small organizations while providing a consistent approach to cybersecurity. It offers a common language and mechanism for organizations to determine and describe their current cybersecurity posture, as well as their target state for cybersecurity. The framework will help them to identify and prioritize opportunities for improvement within the context of risk management and to assess progress toward their goals.”



Wednesday, 06 November 2013 14:45

… Jet lag, Standards and novel practice

An early start today with  arrival in the UK. In the spirit of my conference presentation I am experimenting with a novel practice to counter jet lag. You can read my BCEye blog post about adopting different mind sets and thinking differently.

It is a shame nobody comments on these posts – hopefully the audience at the conference will be more engaged in person than they are online.

My novel practice involved registering to attend a British Standards Institute launch event for ISO 27001. Conventional thinking would assume that an Infomation Security standards seminar is more likely to encourage sleep than keep it at bay.

Wednesday, 06 November 2013 14:44

Crisis management - achieving control in a crisis

Dominic Cockram

I will be talking on the topic of 'achieving control in a crisis' at the BCM World Conference 2013, and focussing on the key areas of:

  • What happens in a crisis?
  • What are the challenges you face?
  • How can you achieve control in such a situation?
First of all, one must understand just what a crisis means in terms of the characteristics of the actual crisis itself and the impacts on an organisation.  It is generally accepted that crises are characterised by:

Wednesday, 06 November 2013 14:43

Agile Organisations and Business Continuity

‘Agile’ is a common buzzword in organisations today. Intuitively, it fits well with the notion of business continuity – an agile enterprise, able to respond iteratively to whatever today’s business conditions or events throw at it. The old concept of long-term corporate planning is light years behind; many businesses don’t know what will happen in five months, let alone five years. But does it make sense to try to define ‘Agile’ further; even with a praiseworthy goal of trying to create a blueprint for ever more effective enterprise resilience? After all, the more you try to nail down ‘Agile’, the less agile you are likely to become. What’s the solution?



As a job title, chief data officer (CDO) generates as much confusion as it does excitement. More organizations are appointing CDOs, particularly in government organizations such as the FCC, the Army and the Federal Reserve.

But questions remain about this new role, as IT Business Edge’s Governance and Risk blogger Kachina Shaw pointed out in an earlier post. Among the questions she and others ask:

  • Do we really need another C-level executive?
  • Would this task be better handled by the CIO?
  • Could the CDO usurp the CIO?
  • What will CDOs accomplish?
  • Who’s qualified to be a CDO?
  • What the heck does a CDO do, anyway?



Data is the lifeblood of the business. Vast amounts of enterprise information is backed up, filtered, stored, retrieved and mined. For small to midsized businesses, dealing with data can seem daunting, though—especially when it comes to backup and recovery.

According to a Spiceworks survey, the top three issues for SMBs that prevent them from achieving success with backup and disaster recovery are:

  • Tight budgets
  • Lack of IT expertise
  • Constantly changing technology and solutions

Another study by Sage found that only 38 percent of those SMBs surveyed had a formal disaster recovery plan in place for accessing data after such an event. This same survey found that 72 percent of SMB respondents say that they back up their data on-site only, which poses a major challenge should a crisis occur such as a fire, flood, tornado or theft.



James Stevenson
Rolls-Royce plc

The experts keep telling us that supply chain risks are important and it is old news that:

  • An interruption could damage the business
  • Customers should work with their suppliers to reduce the risk of interruption
  • Sometimes the problem is with supplier’s supplier, or their suppliers
  • Unfortunately, supply chain risks seem to be increasing in scale and complexity

Occasionally, this kind of alarm call reaches the Board or Executive Management responsible for understanding the significant risks facing their business. They realise that the threat is real and ask around to see who is managing this area of risk.



Monday, 04 November 2013 15:34

Big Data Blues: The Dangers of Data Mining

Computerworld — More than simply bits and bytes, big data is now a multibillion-dollar business opportunity. Savvy organizations, from retailers to manufacturers, are fast discovering the power of turning consumers' ZIP codes and buying histories into bottom-line-enhancing insights.

In fact, the McKinsey Global Institute, the research arm of McKinsey & Co., estimates that big data can increase profits in the retail sector by a staggering 60%. And a recent Boston Consulting Group study reveals that personal data can help companies achieve greater business efficiencies and customize new products.

But while harnessing the power of data analytics is clearly a competitive advantage, overzealous data mining can easily backfire. As companies become experts at slicing and dicing data to reveal details as personal as mortgage defaults and heart attack risks, the threat of egregious privacy violations grows.



The FINANCIAL -- With information security functions not fully meeting the needs in 83% of organizations, 93% of companies globally are maintaining or increasing their investment in cyber-security to combat the ever increasing threat from cyber-attacks, according to a new survey released by EY.

Under cyber-attack, EY's 16th annual Global Information Security Survey 2013 tracks the level of awareness and action by companies in response to cyber threats and canvases the opinion of over 1,900 senior executives globally. This year’s results show that as companies continue to invest heavily to protect themselves against cyber-attacks, the number of security breaches is on the rise and it is no longer of question of if, but when, a company will be the target of an attack.

Thirty-one percent of respondents report the number of security incidents within their organization has increased by at least 5% over the last 12 months. Many have realized the extent and depth of the threat posed to them; resulting in information security now being ‘owned’ at the highest level within 70% of the organizations surveyed.



Monday, 04 November 2013 15:32

October Was a Busy Month for Big Data Tools

October was a busy month for integration announcements. A few news highlights from the past week include:

Oracle Amps Up Data Integration Portfolio

Big announcements in October for Oracle included the upgrades to Oracle Data Integrator 12c and Oracle GoldenGate 12c. Oracle says these “future proof” updates are one of the biggest to data integration in years. What that means is more support for cloud, real-time, analytics, Big Data and other new projects that require integration of new types of data. Integration Developer News offers a thorough summary of the improvements.



Converged infrastructure (CI) is about to make a big push in the enterprise channel. Sitting directly at the crossroads of Big Data, the cloud, energy conservation and dynamic data architectures, converged or modular systems are viewed as the next, and probably final, major change in physical-layer infrastructure.

But while most people agree that converged server-storage-networking systems are cheaper than traditional IT platforms and easier to deploy and maintain as well, it seems that few are considering the broader implications behind the technology. In what way will converged topologies alter the way we consume IT, and will it be for the better?

The first thing to understand, according to solutions provider Logicalis, is that convergence affects more than just data and data environments – it reaches deep into business processes and the relationships between individuals and business units. In fact, it has been said that the biggest obstacle to converged infrastructure is not technology, but politics. After years of silo-based architecture in which key people and applications enjoy one-to-one relationships with dedicated resources, shifting to a shared-use model can be rather unnerving. But shedding legacy systems is a necessity if the organization hopes to achieve the broad scalability and highly dynamic requirements of rising virtual ecosystems. Plus, migration to a new converged platform is a great time to shed unpopular and unproductive systems and processes.



Monday, 04 November 2013 15:30

2013 HSEEP Overview, Part 2

Contributed by Frank Kriz, MS, CEM, CPM, PEM

In Part 1 of this overview introduced the Presidential Policy Directive 8: National Preparedness (PPD-8) and the National Preparedness Goal (NPG). In addition, the five (5) Mission Areas and the Core Capabilities identified in the NPG were reviewed.

PPD-8 and the NPG are the base documents that set the outline for the overarching National Preparedness System (NPS) (November 2011). The National Preparedness System outlines an organized process for the whole community to move forward with preparedness activities and ultimately achieve the National Preparedness Goal.

One term that will be repeatedly seen throughout this and other NPS documents is “Whole Community.” This includes individuals, families, and households; communities; the private and nonprofit sectors; faith-based organizations; and local, state, tribal, territorial, insular, and federal governments. Whole Community is defined in the National Preparedness Goal as “a focus on enabling the participation of federal, state and local government partners in order to foster better coordination and working relationships.”



Monday, 04 November 2013 15:29

Adobe Data Breach Highlights Security Risk

The impact of a data breach at software maker Adobe appears to be worsening. When it first announced the breach on October 3, Adobe said that cyber attackers had compromised accounts and passwords of nearly 3 million users. Now that number has jumped to at least 38 million users.

What’s more a blog post at PCWorld indicates that a further 150 million usernames and hashed passwords were taken from Adobe. While Adobe says these could include inactive IDs, test accounts and IDs with invalid passwords, the company is still investigating.

PCWorld also reports that the hackers stole source code for flagship Adobe products such as Photoshop, Acrobat, and Reader.



A revolutionary new architecture aims to make the internet more “social” by eliminating the need to connect to servers and enabling all content to be shared more efficiently.

One colleague asked me how, using this architecture, you would get to the server. The answer is: you don’t.

Dirk Trossen

Researchers have taken the first step towards a radical new architecture for the internet, which they claim will transform the way in which information is shared online, and make it faster and safer to use.

The prototype, which has been developed as part of an EU-funded project called “Pursuit”, is being put forward as a proof-of concept model for overhauling the existing structure of the internet’s IP layer, through which isolated networks are connected, or “internetworked”.

The Pursuit Internet would, according to its creators, enable a more socially-minded and intelligent system, in which users would be able to obtain information without needing direct access to the servers where content is initially stored.

- See more at: http://www.cam.ac.uk/research/news/future-internet-aims-to-sever-links-with-servers#sthash.doUoCvJ5.dpuf

BSI has opened a consultation period for its new 'BS 11200 Crisis Management - Guidance and good practice' standard.

According to BSI, BS 11200 will provide guidance on crisis management to help top managers in an organization to implement and develop a crisis management capability. It is intended for any organization regardless of location, size, type, industry or sector.

Feedback can be given about BS 11200 until 10th January 2014.

Go to http://drafts.bsigroup.com/Home/Details/52021 to read the draft and submit your comments.

Monday, 04 November 2013 15:25

The State of Risk-Based Security 2013

The State of Risk-Based Security Management is an in-depth study conducted by Ponemon Institute and sponsored by Tripwire. The study is designed to reveal how organizations are applying rigor­ous and systematic analytical techniques in order to quantify and evaluate the security risks that impact an organization’s information assets and IT infrastructure.

Andrew Scott
Business Continuity Institute

The BCI is a global organisation with Members, Forums, Chapters and Partners all across the world, but whether it is due to time, distance or perhaps even environmental concerns, unfortunately not everyone who would like to attend the BCM World Conference and Exhibition on the 6th and 7th November will be able to do so. Sadly some people will miss out…

I don’t know about you but I sometimes feel like I’m doing several jobs at once. I'm sure we all do at times but even so, and with the best will in the world, none of us will be able to attend all three streams of the conference at the same time, not to mention the packed exhibition that will be going on or the free seminar programme taking place. With so much happening, we simply cannot attend everything. Again, sadly some people will miss out…



Despite a dramatic increase in mobile device sales in the past year, BYOD security among employees remains static. Gartner forecasts 2013 tablet shipments to grow 67.9 percent, with shipments reaching 202 million units, while the mobile phone market will grow 4.3 percent, with volume of more than 1.8 billion units.

For the second year in a row, Coalfire examined the BYOD trend for interconnected employees and what it means for companies and the protection of their corporate data. Most organizations want the increase in productivity that mobile devices offer, but the majority do not provide company-owned tablets or mobile phones as a cost-saving measure.  Employees who want to use these devices must buy their own and are all too often left to secure potentially private information themselves.



Wednesday, 30 October 2013 15:35

Cyber threat opportunity

Ken Simpson
The VR Group

Only a week to go until the BCM World Conference!

What if we took a different approach to our reflective learning this time?

Instead of waiting until after the conference to reflect and integrate what we have learned, what if we took a proactive approach and spent some time ahead of the conference reflecting on what aspects of our current practice we need to change.

What if that reflection also included reframing the problem – not just how can I fine tune my practices within current frameworks and constraints, but how would I want to transform my practice going forward and remove some of those constraints.



CIO — When George Borst made the jump in 1997 from general manager of Toyota's Lexus division to head of the company's finance group, he was faced with a big decision.

The finance group's four core systems were in woeful shape, needing upgrades to improve performance and keep up with the rapid growth of finance operations. Borst came to the job long on strategy but admittedly a bit short on the intricacies of IT and finance, having come from sales, marketing and product-planning groups.

"I wish I'd paid a lot more attention in college to my economics and finance courses," he jokes. "But I was sent over there for a reason: to help increase sales and get closer to the dealers."



Wednesday, 30 October 2013 15:33

New England: One Year After Hurricane Sandy

BOSTON – One year ago today, on October 29th, 2012, the Northeast braced for impact as Hurricane Sandy came barreling toward our coastline. Although New England was spared the brunt of the storm, residents and businesses along the shores of Connecticut, Rhode Island, Massachusetts and New Hampshire suffered severe damages from wind and water, many losing homes and livelihoods. Towns along the coasts of Connecticut and Rhode Island were nearly impassable after the storm, roadways choked with debris and sand from a significant storm surge that swept through beachfront communities.

The Department of Homeland Security’s Federal Emergency Management Agency (FEMA) continues to work closely with its partners to help individuals and communities recover from Hurricane Sandy.

In the past year over $125.9 million in FEMA funding has been obligated toward Hurricane Sandy recovery in New England:

Individual Assistance

More than $15.5 million in Federal Emergency Management Agency grants approved for individuals and households region-wide, which includes:


  • More than $13.8 million for housing assistance
  • More than $1.1 million for other needs assistance

Rhode Island

  • $378,748 for housing assistance
  • $42,592 for other need assistance

More than $51.6 million in Small Business Administration disaster loans approved for homeowners, renters and businesses in Connecticut.

More than $285.3 million in National Flood Insurance Program payments made to policy holders. Including:


  • More than $249.5 million paid to flood insurance policy holders

Rhode Island

  • More than $35.8 million paid to flood insurance policy holders

Public Assistance

More than $59.1 million in Public Assistance grants to reimburse local, state and tribal governments and eligible private nonprofits region-wide for some of the costs of:

  • Emergency response
  • Debris removal
  • Repairing or rebuilding damaged public facilities

The committed efforts of  many additional federal, state and local agencies and organizations continue to assist  states, towns, communities and individuals in the recovery process.

IDG News Service (Brussels Bureau) — Europe's Justice Commissioner warned Tuesday that data privacy concerns could derail a major trade deal between the U.S. and the E.U.

"The U.S. will have to take European concerns about privacy and data protection very seriously ... otherwise, the European Parliament may decide to reject the TTIP," Commissioner Viviane Reding said at a conference in Washington.

TTIP -- the Transatlantic Trade and Investment Partnership -- is being negotiated in secret between the E.U. and U.S. It has provoked concerns in Europe that it could weaken citizens' privacy rights.

The issue of protection of personal data could "easily derail" the negotiations, Reding said, and she warned against including the topic in the trade talks. "Data protection is not red tape or a tariff. It is a fundamental right and as such it is not negotiable," she said.



Religious Discrimination apparently is alive and well in the workplace according to Newsmax in an article hededCQ Steep Rise in Workplace Religious Discrimination Claims .

Suggestions on what to do about the situation are given at the Ohio Employer's Law Blog under the heading Halting the tide of religious-discrimination claims .

According to Newsmax,

    "Religious discrimination complaints in the workplace have more than doubled over the last 15 years and appear to be growing faster than other types of complaints.

    "In 2012, there were 3,811 religion-based complaints filed with the Equal Employment Opportunity Commission, the second-highest number in a year ever recorded, after 2011, when 4,151 complaints were filed, The Wall Street Journal reports.

    "While age, sex, race, and disability claims are still much higher, religious claims are increasing at a faster rate and have doubled in the last decade and a half."



Wednesday, 30 October 2013 15:29

Big Data, Big Warehousing and the Cloud

In physics, the nightmare scenario is when an unstoppable force encounters an immovable object. In the enterprise, that would be like Big Data volumes becoming so large that even your expensive new data warehousing solution can’t handle it.

Warehousing vendors have always prided themselves on their ability to scale, but with Big Data about to make the jump from generalized shopping patterns and mobile app usage to highly granular details like how hot an individual car engine is running or whether the fridge needs a new water filter, it’s starting to seem that yesterday’s version of big wasn’t as future-proof as it seemed.



Wednesday, 30 October 2013 15:28

Hurricane Sandy One Year On

Pictures are often more powerful than words and so it is as we mark the first anniversary of Hurricane Sandy.

This NASA image shows Hurricane Sandy approaching the U.S. East Coast at 1:35pm Eastern Daylight Time on October 29, 2012.



CIO — The myriad glitches that have marred the rollout of the Web portal for Americans to sign up for health insurance stand as what the CIO of the federal government calls a "teachable moment."

Speaking at a government IT conference on Tuesday, U.S. CIO Steven VanRoekel acknowledged that the launch of Healthcare.gov has been troubled, but suggested, hopefully, that it will serve as an object lesson that will inspire, rather than deter, ambitious government IT projects in the future.

"Our goal, number one, hands down, the president reminds every day: get this thing fixed, make sure it's working and meet Americans' expectations on this," VanRoekel said. "As an aside, our focus, my focus, is also about what can we learn from this. How can we learn? And what can we take from this experience to say we shouldn't do things this way?"



Tuesday, 29 October 2013 15:02

The Risky Business of Not Taking Risks

In my work, I frequently engage in a broad-based leadership development program to prepare top talent for advancement. That was the case when I recently worked with a large construction company to groom Mike, one of the presidents, and Joe, the lead risk officer, for advancement.

During the 360-degree peer interviews I asked Mike how Joe could improve in general and how he could specifically help Mike with his growth objectives. Without hesitation, Mike answered, “I need for Joe to take me right to the edge of the cliff without letting me fall over. Right now he’s serving as the business-prevention arm of the business.”

I don’t think I’ve ever heard a better definition of what those in risk and compliance can do to support the organization. Take them as far as ethics and good sense will allow without letting them hurt themselves or the company, but don’t serve as the business prevention unit.



Tuesday, 29 October 2013 15:01

Crossing boundaries

John Robinson

Our BCM World Conference presentation is an illustration of how BCM can pleasantly surprise business leaders with the value it brings. Our case study will be about Reed and MacKay, a £200M turnover top-end executive travel firm located in Farringdon close to the heart of London’s legal, media and financial district. This is a multi-faceted, time-pressured and highly successful business and illustrates perfectly the importance of accurate and decisive BIA. The following explains why I believe they found it so valuable, noting that Reed and Mackay subsequently gained accreditation to ISO 22301 at the first attempt.



The ‘new normal’ propounded by management gurus a few years back was that ‘change is the only constant’. Companies, said the gurus, must constantly change, innovate and reinvent themselves in order to remain competitive and successful. They applied their mantra to everything from marketing to manufacturing to supply chain – with varying results. Victories included moves to lean and green manufacturing that saved money and the planet at the same time. Less fortunate changes have included Microsoft Windows 8 and (some time ago) Coca-Cola’s new Coke. Sometimes continuity itself is the best business continuity there is, but how can you tell?



Tuesday, 29 October 2013 14:59

Hurricane Sandy, A Year of Recovery

FEMA Helping Survivors and Communities Rebuild

WASHINGTON – On the evening of October 29, 2012, Hurricane Sandy made landfall in southern New Jersey, with impacts felt across 24 states. The storm battered the East Coast, particularly the densely-populated New York and New Jersey coasts, with heavy rain, strong winds, and record storm surges.  In Sandy’s immediate aftermath, more than 23,000 people sought refuge in temporary shelters, and more than 8.5 million customers lost power. The storm flooded numerous roads and tunnels, blocked transportation corridors, and deposited extensive debris along the coastline.

At the direction of President Barack Obama, the U.S. Department of Homeland Security's Federal Emergency Management Agency (FEMA) and its federal partners are worked closely with disaster survivors to ensure they received all the assistance for which they are eligible under the law. Over the course of the year, more than $1.4 billion in Individual Assistance has been provided to more than 182,000 survivors, and an additional $2.4 billion in low-interest disaster loans have been approved by the U.S. Small Business Administration.  More than $7.9 billion in National Flood Insurance Program (NFIP) payments have been made to policy holders.

Over the last twelve-months, more than 11,900 grants totaling over $3.2 billion have been approved for emergency work, to remove debris and rebuild or replace public infrastructure in the hardest hit areas.  This includes more than $1.3 billion for first responder costs for personnel overtime, materials and equipment used to save lives and protect property; more than $400 million obligated toward repairs to storm damaged homes so that disaster survivors could safely remain in their homes; and more than $19 million toward the costs to repair storm flooded and damaged schools.  FEMA has been working in concert and integrating with all levels of government, private and nonprofit sectors, faith-based organizations, communities and individuals to provide a whole community approach to recovery and leverage the capabilities of the entire nation. 

While supporting disaster survivors and communities on their road to recovery, FEMA has been aggressive in its implementation of new authorities granted in the Sandy Recovery Improvement Act of 2013 (SRIA). In many ways, the passage of SRIA represents the most significant legislative change to the FEMA’s substantive authorities since the enactment of the Robert T. Stafford Disaster Relief and Emergency Assistance Act.  The changes have nationwide impact and provide greater flexibility to state, local, tribal and territorial governments, allow FEMA to operate more effectively and efficiently, and provide tribal nations options for seeking emergency and disaster declarations for their tribes.  To date, 13 of the 17 provisions outlined in this legislation have been completed, implemented via a pilot program, or are otherwise immediately available.

FEMA is encouraging everyone to take steps to become better prepared for an emergency, whether or not the event occurs while they are at home, at work, at school, or in the community. For more information on preparing for severe weather events and other disasters, visit www.Ready.gov or www.listo.gov on the Internet. Information regarding emergency preparedness and what to do before and after a disaster can also be found at m.fema.gov or by downloading the FEMA app from your smartphone’s app store.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Follow FEMA online at www.fema.gov/blog, www.twitter.com/fema, www.facebook.com/fema, and www.youtube.com/fema.  Also, follow Administrator Craig Fugate's activities at www.twitter.com/craigatfema.The social media links are provided for reference only. FEMA does not endorse any non-government websites, companies or applications.


Tuesday, 29 October 2013 14:58

Has Anything Changed a Year After Sandy?

Hurricane/Superstorm Sandy hit the east coast of the United States a year ago this week. It’s a time to take a quick look backward to some pretty dire days and then look ahead to assess whether readiness has improved in the areas impacted by the storm.

At a luncheon presentation at last week’s Cable-Tec Expo ’13 in Atlanta—a technical conference sponsored by The Society of Cable Telecommunications Engineers (SCTE)—Time Warner Cable Chief Security Officer Brian Allen took a look back at how the operator handled the storm.

The big lesson, according to Leslie Ellis’ report on the presentation at Multichannel News, is to create plans and put them in place ahead of time. Her story touches on the two big issues: fuel and power. The story concludes with Allen’s point that post mortems—figuring out what worked and what didn’t—are important.



Tuesday, 29 October 2013 14:56

Electronic Privacy? There's No Such Thing

Computerworld — Most people suffer from the delusion of privacy. They think it can be guaranteed somehow for their various electronic gadgets. But that is a delusion, and sadly even many in the information security field don't know it. Still, it's surprising how strong the desire to believe otherwise is, and how tech companies will sometimes try to feed that illusion.

Take the news that the encryption in Apple's iMessage can potentially be cracked. I was surprised, but not because the encryption could be cracked. That's a given, no matter the encryption algorithm. I was surprised because I didn't know that iMessage used point-to-point encryption. I just assumed that Apple could always read my messages. Call me uninformed for having missed that news, but what I think is that I was actually better informed than those people who saw Apple's promise that it couldn't decrypt iMessage traffic and let the delusion of privacy lull them into thinking that was really true. Believe me, we'd all be better off if we just acted on the theory that there is likely to be a back door every time.

Don't get me wrong. The fact that iMessage uses encryption is refreshing. Such encryption will do a lot to protect most of us in most of what we do (but more on that later). What is not refreshing is that Apple at best implied and at worst misrepresented that its encryption was uncrackable. Any computer professional in this day and age who thinks that any form of electronic communications is completely secure really doesn't know his profession.



LINCROFT, N.J. – The devastating aftermath of Superstorm Sandy left survivors and businesses in New Jersey with large-scale recovery needs. Throughout the year, the state’s private sector has made significant contributions to the recovery process and continues to play a key role.

FEMA Private Sector Specialists discuss disaster mitigation with business ownersMore than 600 businesses, utility companies, banks, insurance companies, colleges and universities, and professional organizations stood with local, state and federal agencies, voluntary agencies and faith-based organizations to strengthen the recovery efforts.

They disseminated information about disaster assistance to 7.2 million New Jersey residents through bill inserts, newsletters, signage and other means.

“One fast-food chain, which asked to remain anonymous, distributed 7,000 sandwiches with disaster-assistance information at 32 distribution points in three counties,” said Federal Coordinating Officer Gracia Szczech of the Federal Emergency Management Agency. “That’s just one example of how essential the private sector is to a strong recovery effort.”

Immediately after Sandy struck, specialists with FEMA’s Private Sector Division in External Affairs deployed to New Jersey to work with chambers of commerce, industry associations, individual companies, colleges and universities and other organizations.

Kathy Cook, Public Information Officer, explains her role in assisting Sandy survivors to roundtable of federal and insurance industry partners

Response was immediate. Utility companies inserted messages in billing statements, reaching 3.3 million customers. The South Jersey Transportation Authority featured registration information on its Vehicle Messaging Systems at toll plazas, and the ticker messaging system on its website, reaching an estimated 2.9 million people a month.

Chambers, associations and businesses shared FEMA’s electronic newsletter (the E-News Update) for the private sector stakeholders with their memberships and contacts. The access to recovery information proved invaluable to their members and had far-reaching effects.

“To have the opportunity to interact directly with representatives, ask questions and get answers has helped not only members, but their clients as well,” said New Jersey Association of Realtors Chief Executive Officer Jarrod Grasso. “The recovery process in the aftermath of Sandy has not been easy, but getting the correct facts to our members has relieved a great deal of the uncertainty related to flood maps, insurance and elevation that so many New Jersey residents felt."

Home Depot Hurricane Workshop

Two FEMA program areas, Private Sector and the Federal Disaster Recovery Coordination group, facilitated an Insurance Industry Roundtable. The resulting public-private partnership engaged the insurance industry in a series of four meetings to explore how to enhance and expedite the disaster assistance process. A roundtable work group identified issues impeding the process and then developed recommendations that were submitted to President Obama’s Hurricane Sandy Rebuilding Task Force.

The private sector reached out in more basic ways as well. Sometimes it was as simple as offering a space to work. Operation Photo Rescue, a nonprofit organization of volunteer photojournalists from around the country, wanted to help Sandy survivors restore treasured photos. The organization began helping disaster survivors during Hurricane Katrina recovery. Volunteers need to set up a temporary shop close enough for survivors to access the free services.

“Finding a place for us to host our copy run was turning into a major problem as we could not secure a building close enough to where Sandy hit,” said Operation Photo Rescue President Margie Hayes. “We were coming up empty handed until Chris Spyridon, regional pro sales manager for Home Depot, offered us space at a Home Depot in Seaside Heights.”

The business of recovery is long-term, and an important part of that is preparedness, which not only helps individuals survive a disaster but can help businesses endure as well. FEMA’s Private Sector specialists have covered the state to help executives and officials understand the need for a continuity plan so work continues once the emergency is over. Montclair State University recorded FEMA’s preparedness webinar to share with all of New Jersey’s colleges and universities.

Amy Ferdinand, the university’s director of Environmental Health and Safety, said, “With the recent trend of ever-increasing disasters – whether natural or manmade – being the ‘new normal,’ there is a definite need among business leaders and stakeholders to become better informed on the topic of continuity and business planning.”

Next in the One Year Later series: the role of Environmental and Historic Preservation in disaster recovery.

FEMA's mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Follow FEMA online at www.fema.gov/blog, www.twitter.com/fema, www.facebook.com/fema, and www.youtube.com/fema. Also, follow Administrator Craig Fugate's activities at www.twitter.com/craigatfema

The social media links provided are for reference only. FEMA does not endorse any non-government websites, companies or applications.


Monday, 28 October 2013 15:33

Electronic privacy? There's no such thing

Most people suffer from the delusion of privacy. They think it can be guaranteed somehow for their various electronic gadgets. But that is a delusion, and sadly even many in the information security field don't know it. Still, it's surprising how strong the desire to believe otherwise is, and how tech companies will sometimes try to feed that illusion.

Take the news that the encryption in Apple's iMessage can potentially be cracked. I was surprised, but not because the encryption could be cracked. That's a given, no matter the encryption algorithm. I was surprised because I didn't know that iMessage used point-to-point encryption. I just assumed that Apple could always read my messages. Call me uninformed for having missed that news, but what I think is that I was actually better informed than those people who saw Apple's promise that it couldn't decrypt iMessage traffic and let the delusion of privacy lull them into thinking that was really true. Believe me, we'd all be better off if we just acted on the theory that there is likely to be a back door every time.



More often than brands would probably like, we’re given opportunities to learn about social media crisis management through the highly visible fallout from the experiences of others. This weekend, social sharing platform Buffer was hacked, resulting in a Saturday afternoon and evening crisis for the start-up.

I wouldn’t say it was a positive experience for Buffer, but I will say this: it turned out okay. Not awesome, but okay. That’s about the best you can hope for when hackers cause an interruption in service for your customers that lasts several hours.



NEW YORK (TheStreet) -- On the one-year anniversary of Hurricane Sandy, the New York Stock Exchange's (NYX_) Head of Operations, Lou Pastina, tells TheStreet that the Exchange's emergency backup plans are more robust than ever. Even pre-scheduled events such as initial public offerings would have the option of moving forward in the face of another weather-triggered event in New York, he says.

The New York Stock Exchange's Print as "P" plan, allowing the switch to an electronic trading system through the NYSE Arca platform, formerly known as the Archipelago Exchange, has undergone numerous tests over the past year involving trading firms throughout the U.S. financial sector, Pastina said. The NYSE Arca's key datacenters are located in both New Jersey and Chicago.

The most difficult task for the NYSE is preparing systems to assure that enormous amounts of data are sufficiently backed up, including trades that may be in the process of being executed, Pastina said. And though machines handle the bulk of the chores, a minimum staff presence may be needed at the NYSE floor in Manhattan to help facilitate some aspects of the electronic trading system, he added.



Dejan Kosutic is an expert in information security management and business continuity management. In this interview he talks about the key changes in the ISO 27001: 2013 revision, the new security controls, mandatory documentation, implementation challenges, and much more.

What are the key changes in the ISO 27001: 2013 revision, as well as the benefits?

The key benefit of this new ISO 27001 is that it can be more easily implemented in smaller companies – a greater degree of flexibility is allowed, and a smaller number of mandatory documents is needed. For instance, the risk assessment process is simplified, and there are no more requirements to document procedures like internal audit or corrective action.

What are the new security controls and how does the 2013 revision deal with new risks?



Dejan Kosutic is an expert in information security management and business continuity management. In this interview he talks about the key changes in the ISO 27001: 2013 revision, the new security controls, mandatory documentation, implementation challenges, and much more.

What are the key changes in the ISO 27001: 2013 revision, as well as the benefits?

The key benefit of this new ISO 27001 is that it can be more easily implemented in smaller companies – a greater degree of flexibility is allowed, and a smaller number of mandatory documents is needed. For instance, the risk assessment process is simplified, and there are no more requirements to document procedures like internal audit or corrective action.

What are the new security controls and how does the 2013 revision deal with new risks?It could have been so much worse.

A year ago this week, the 1,000-mile-wide monster known as Sandy bashed into the coast, causing massive tidal flooding and wind damage before moving inland, knocking out power to hundreds of thousands of people in South Jersey and Southeast Pennsylvania.

But a change in its path could have brought here the widespread destruction and misery seen in New York and Northern New Jersey's shore. The story of the superstorm could have been much different given that so many residents of Philadelphia and its suburbs were unprepared, officials say.

Read more at http://www.philly.com/philly/news/229258261.html#UeHx7sp2VkP4hD3x.99

Everyone old enough to remember will recall Y2K – the year our world was supposed to end in a catastrophic transition from December 31, 1999 to January 1, 2000.  Instead, since we are still here, we all recall what happened: nothing.

September 23, 2013 was the day when the new HIPAA regulations for covered entities came into effect.  Despite all the whining and predictions of disaster, we all continue to exist and the world did not end.  What happened?  A lot has happened.

The regulations gave all covered entities 180 days to comply with the new HIPAA requirements, which impose new and significant obligations on covered entities to revise their HIPAA policies.  Covered entities should have updated their HIPAA compliance policies and procedures, their notices of privacy practices and their business associate agreements for protecting sensitive health information from disclosure.

The key areas to change included:



Monday, 28 October 2013 15:19

Managing supply chain continuity

David Window
Continuity 22301 Ltd

As a member of three institutes - Institute of Risk Management, Business Continuity Institute and the Chartered Institute of Purchasing and Supply - I hope to explain why as business continuity professionals, we struggle to engage with my alter ego - the procurement professional.

Over the last two years I have been debating this topic with a colleague who is an accomplished procurement professional and we have challenged each other considerably in our efforts to justify the question, “why bother doing business continuity in supply chain”. We have also interviewed other procurement professionals to gauge our opinions against theirs.



NEW YORK — A year after Hurricane Sandy catastrophically flooded hundreds of miles of eastern U.S. coastline, thousands of people still trying to fix their soaked and surf-battered homes are being stymied by bureaucracy, insurance disputes and uncertainty over whether they can afford to rebuild.

Billions of dollars in federal aid appropriated months ago by Congress have yet to reach homeowners who need the money to move on. Many have found flood insurance checks weren’t nearly enough to cover damage.

And worse, new federal rules mean many in high-risk flood zones may have to either jack their houses up on stilts or pilings — expensive, and sometimes impossible — or face insurance premiums of $10,000 or more per year.



LINCROFT, N.J. -- The devastation Superstorm Sandy left behind changed the face of many New Jersey communities, perhaps none more so than along the Shore. With individual homes and businesses and even whole communities swept away, many people were left wondering if it’s even possible to live at the Shore.

But also along the Shore are homes that stand like lone sentinels, a testament to mitigation techniques that make structures stronger and safer. Mitigation construction practices such as elevation, berms and use of damage-resistant materials help reduce the risk of future damage. More and more, buildings throughout the country, and along the Shore, are constructed with these techniques.

Mantoloking home surrounded by Sandy floodwaters



When Mantoloking resident Ed Wright built his home 30 years ago, he used a classic mitigation technique: elevation. Last October, that decision proved to be a good one. The storm surge from Sandy swept away five neighboring homes and left his standing alone at the end of the Mantoloking Bridge.

Wright had seen photos of debris washing down the street and elected to elevate the home rather than build on a standard foundation. He built it on 35- to 45-foot pilings sunk into the ground and later enclosed the ground level with breakaway walls, which are designed to collapse in flood waters.

Elevation is a tried-and-true mitigation technique. After a major disaster declaration, the Federal Emergency Management Agency makes Hazard Mitigation grants available to the designated state for projects that reduce or eliminate losses from future disasters.

Projects eligible for hazard mitigation grants include retrofitting buildings to minimize damage from high winds and flooding; elevation of flood-prone buildings; minor flood-control projects; and the purchase of property at risk of repetitive flooding for conversion to open space. The state works with local communities to determine the focus of the Hazard Mitigation program.

Hazard Mitigation grants cover up to 75 percent of approved project costs. State and local governments pay the remaining 25 percent (in-kind donations of labor and materials can contribute toward this share). A project's potential savings must be more than the cost of implementing the project.

A completely restored Mantoloking home, one year after Sandy

While the state sometimes pays for mitigation projects through FEMA grants after a disaster, Wright paid for his home’s elevation as part of the construction cost. It was an investment in the future.

The day after Sandy struck New Jersey, a friend called Wright to tell him his home was the only one standing. When he returned home, he didn’t know what to expect.

“We had no clue,” he said. “It was very emotional to see it standing there all by itself.”

The home experienced minimal damage, losing the furnace, air conditioning unit, washer and dryer, and vehicles.

“We’re very fortunate,” Wright said. “We’re very happy to be here.”

Property owners who are interested in the Hazard Mitigation programs available in New Jersey after Sandy should contact their local emergency management office.

Video-links: Elevation Helps a Home Survive Hurricane Sandy,
What To Do About Mold (in American Sign Language)

Next, the One Year Later series examines the ways in which New Jersey’s private sector got down to business to aid in the recovery process.

FEMA's mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Follow FEMA online at www.fema.gov/blog, www.twitter.com/fema, www.facebook.com/fema, and www.youtube.com/fema. Also, follow Administrator Craig Fugate's activities at www.twitter.com/craigatfema.



The tricky part about data is learning to accept what it says without imposing your own agenda.

It seems Big Data is no exception — at least, when it focuses on traditional, structured data, according to a Harvard Business Review Blog post written by Prof. Theos Evgeniou, Assoc. Prof. Vibha Gaba and consultant/visiting professor Joerg Niessing of international business school, INSEAD.

“A large body of research shows that decision-makers selectively use data for self-enhancement or to confirm their beliefs or simply to pursue personal goals not necessarily congruent with organizational ones,” they write. “Not surprisingly, any interpretation of the data becomes as much an evaluation of oneself as much as of the data.”



IDG News Service (Brussels Bureau) — European Union leaders have given themselves room for maneuver in implementing new data protection laws, while pledging to introduce them in a timely fashion.

All 28 leaders of the E.U. member states discussed issues of data protection, mass surveillance and the digital economy at a meeting that continued late into the night on Thursday.

They agreed that there is a strong need for an improved, robust digital economy in Europe and that artificial barriers between member states must be removed to create the so-called "digital single market."



Sandy facts

  • October 29, 2012, Hurricane Sandy strikes with a storm surge weather experts had never seen before
  • 37,000 primary residences destroyed or damaged
  • 8.7 million cubic yards of debris left behind
  • 2.7 million New Jerseyans without power

The first 48 hours

  • 548 FEMA specialists on the ground in New Jersey
  • Three mobile disaster recovery centers open
  • 3 States responded with Emergency Medical Services – 385 people
  • 8 Disaster Medical Assistance Teams and U.S. Public Health Strike Teams arrive
  • October 31, 2012, the first FEMA Individuals and Household Program disbursement of $155,027

Response milestones at one year

  • More than $5.67 billion in total federal assistance approved for Individual Assistance grants, SBA low-interest disaster loans, National Flood Insurance Program payments and Public Assistance grants.

Individual Assistance

  • More than $413 million approved for individuals and households including:
    • Nearly $356 million for housing assistance
    • More than $56.6 million for other needs, including clothing, household items, disaster-related damage to a vehicle, and disaster-related medical and dental expenses
  • More than 261, 000 people contacted FEMA for help or information
  • 127,046 housing inspections completed
  • 36 disaster recovery centers opened
  • 90,000 visits to disaster recovery centers
  • 5,546 individuals and families housed temporarily in hotel rooms under the Transitional Sheltering Assistance program
  • 3,410 survivors received disaster unemployment assistance

U.S. Small Business Administration

  • More than $819.8 million in SBA low-interest disaster loans approved for homeowners, renters and businesses

National Flood Insurance Program

  • More than $3.5 billion paid on all claims in flood insurance payments made to policyholders

Public Assistance

  • More than $926 million was approved in FEMA Public Assistance grants to communities and some nonprofit organizations that serve the public
  • 4,959 projects approved so far

A whole community response

  • 507 voluntary agencies were involved in recovery
  • More than 1.6 million meals and 1.4 million liters of water were distributed
  • 21 languages were used to communicate assistance information to survivors
  • More than 1 million multilingual fliers were distributed
  • Nearly 8.7 million cubic yards of debris was removed
  • At peak, more than 2,429 people were deployed to New Jersey by FEMA and other federal agencies
  • 36 federal agencies assisted FEMA during Hurricane Sandy in New York
  • The U.S. Army Corps of Engineers received 335 requests for generators – 106 installed at peak
  • Approximately 300,000 pounds of food was provided by the U.S. Department of Agriculture
  • The Defense Logistics Agency delivered 2.3 million gallons of fuel to distribution points in New York and New Jersey
  • The Port of New Jersey was closed to incoming and outgoing vessel traffic because of Superstorm Sandy, according the U.S. Coast Guard


Friday, 25 October 2013 18:05

Whose job is business continuity?

John Stagl weighs into an ongoing debate which is taking place on Continuity Central about what the role of the business continuity planner is.

We have over the past couple of decades developed an entire industry of business continuity planners and planning trainers to help companies deal with unanticipated events that can impact a company’s performance in the market place. This entire effort is founded on the assumption that companies will go out of business without these plans in place. Too often, these plans are developed by individuals who do not have access to, nor completely understand the strategic goals and pressures impacting the company. In most cases these well intentioned individuals do not even understand the dynamics of the competitive market in which the company functions every day. Even more importantly, these ‘planning individuals’ have not been trained to look for external factors that may influence the success of their company as part of their planning efforts. They have been educated to believe that all of the information they need is present within the company and known by the various levels of management in that company. The consequence of this naïve orientation is a business continuity plan document that is obviously lacking in fundamental information to achieve the company’s goals and long term success.

For years these planners have been trying to find ways to convince upper management that this planning effort is valuable to the company. At the same time professional and certification groups staffed with individuals who have also been trained with this inadequate planning method have created ‘standards’ of best practices for companies. Auditing firms, sometimes with a profound lack of complete business understanding, have embraced these planning methods and standards as critical factors that must be present in order for a company to be managed effectively. The result is a planning process within a company that is still, after all of these years, viewed as a necessary expense and not an asset.



Friday, 25 October 2013 18:04

Overcoming data residency issues

Dave Anderson looks at how organizations can overcome a common barrier to cloud computing adoption.

The benefits of adopting cloud technologies have been widely reported, and are commonly understood. However, the decision to adopt a cloud strategy brings with it many questions and concerns about jurisdictional and regulatory control over the privacy and protection of sensitive data. For instance, data residency and sovereignty requirements often insist that certain types of sensitive and private data are stored where the government will have legal jurisdiction over it. More often than not, this means within its borders. But the cloud allows providers to possibly store, process or back-up data across several global locations, as well as allowing organizations to freely move data outside of national borders. So, how does this impact compliance to data residency requirements?

Addressing data residency, protection and privacy concerns requires an understanding of both international and domestic regulations. Companies that do business in Europe must understand the implications of regulations such as the European Data Protection Law, as well as local data mandates. The EU’s Data Protection Directive is an example of this, as it prohibits personal data that can be linked to an individual from moving outside the EU, sometimes even outside of a specific country’s borders. Data residency is also particularly concerning for multi-nationals that have offices all over the world, covering several jurisdictions.



LINCROFT, N.J. -- One month after Superstorm Sandy, Dan Shields and his business partner, Robert Higgins, were thanking their lucky stars.

Their waterfront restaurant, Windansea in Highlands, had withstood the raging flood tides and winds of Sandy with only relatively minor damage.

The Windandsea restaurant overlooks a sandy beach and a calm sea.

Atlantic Highlands, N.J., Oct. 10, 2013 -- The Windansea restaurant withstood flood tides and winds with minimal damage from Hurricane Sandy. By renovating with FEMA's building recommendations prior to Sandy, the restaurant was able to open shortly after storm. Rosanna Arias/FEMA

The rest of Highlands was not so fortunate. Flood waters had inundated dozens of homes and businesses in the low-lying sections of the borough. Debris littered the streets; a mobile home park on the north side of the borough was in shambles.

As flood waters receded in the business district, store owners had to reckon with the physical destruction of their businesses and the loss of their livelihoods.

Many of Shields’ and Higgins’ fellow restaurateurs were essentially out of business for the long term, faced with major damage from the storm.

What saved Windansea?



The borough’s new building code that required properties in flood zones to comply with tough new Federal Emergency Management standards. “We had to stick to ‘V’ zone construction,” said Shields, referring to the strictest standards for properties located in high-risk flood zones. “I felt like we were the poster child for FEMA.”

When the business partners bought the restaurant in 2000 for $690,000, they planned to invest approximately $300,000 in renovating the old restaurant, formerly known as Branin’s Wharf. But as work on the building progressed, hidden problems came to the surface. “It was just a terrible, terrible building.” Ultimately, more than 50 percent of the existing building had to be demolished. One day, as they worked on the restaurant, officials from FEMA and the borough drove up and told them to stop work. “You’ve got to do it our way,” they told the partners.

The structure would have to be rebuilt in compliance with FEMA standards for “V” zone construction, the strictest standard that applies to properties at high risk of flooding.

Patrons sit in the undamaged outdoor seating area of the Windandsea restaurant.

Atlantic Highlands, N.J., Oct. 10, 2013 -- Hurricane Sandy damaged many businesses along the waterfront with floodwater and wind. The Windansea Restaurant received little damage because of mitigation measures taken prior to Hurricane Sandy. Rosanna Arias/FEMA To put it mildly, the partners were not happy. The shoestring budget they had assembled to pay for what they thought would be a fairly simple remodeling job wouldn’t cover the extensive construction that the town demanded. “It was a completely different animal from buying a little restaurant and (fixing it up),” Shields said.

Making the bayfront building flood-resistant required driving 80 pilings that measured 12 inches in diameter into the ground to a depth of 30 to 40 feet, reinforcing the roof and walls with steel rods and connecting the elements of the entire structure with steel plates and structural steel to hold the floor to the walls.

The project took a year longer than the partners anticipated and cost over $1 million more than they had originally budgeted.

“I felt like I was victimized,” Shields told the Asbury Park Press a few weeks after the storm, “like FEMA was trying to prove a point, trying to flex their muscles and trying to take it out on a little guy like me.”

He doesn’t feel that way anymore.

Though the building sustained some damage to its first floor lobbies and outdoor Tiki bar, Windansea was able to re-open less than three weeks after the storm. “There was not a crack in the sheetrock, not a thing out of place.”

Video-links: Avanti Linens Recovery and Mitigation Efforts, NJ Stronger Than The Storm Ribbon Cutting

Next, the One Year Later series examines the ways in which New Jersey’s private sector got down to business to aid in the recovery process.

FEMA's mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Follow FEMA online at www.fema.gov/blog, www.twitter.com/fema, www.facebook.com/fema, and www.youtube.com/fema. Also, follow Administrator Craig Fugate's activities at www.twitter.com/craigatfema

The social media links provided are for reference only. FEMA does not endorse any non-government websites, companies or applications.


With 1) SalesForce and other large SaaS vendors announcing grandiose plans for cloud IAM, not just for access control but also provisioning and 2) long-standing IAM 'arms suppliers' extending into the cloud (CA CloudMinder, SailPoint) we are already seeing pureplay cloud IAM players (Okta, OneLogin, Ping, etc.) starting to scratch their heads as to how to deal with the pressure. 

Forrester expects that we will see the following in the next 12-18 months:



By Martin Welsh and Keith Taylor

Too often information security incident response plans, disaster recovery and business continuity plans are not aligned with the overall corporate crisis management process. Now, more than ever, an organization must be able to quickly respond to a security breach, both from a tactical response and via a strategic corporate message. In this article we will discuss the benefits of, and offer an approach to, integrating the security response process into the overall corporate crisis management plan.

Similar efforts go into building, managing, exercising and maintaining both security incident response plans and overall corporate crisis management plans. For most organizations the escalation, notification and decision making process is similar, regardless of the incident. The struggles organizations encounter, while developing these plans, also tend to be similar. Building awareness, understanding roles and responsibilities, allocating time and resources (financial and human), can all be impediments to sound response plans.

Better plans can be developed by overcoming these shortcomings through integration.



Friday, 25 October 2013 18:00

The road to fire safety resilience

Russ Timpson

The key messages when it comes to fire safety resilience are that:

  • Prescriptive approaches to fire risk mitigation are reactive, cumbersome and commercially irrelevant
  • Fire risk ownership will only be achieved through linkage to business imperatives such as resilience, supply chain integrity and insurance
  • Tools and techniques do exist to assist those tasked with risk ownership to understand the scope and scale of the risks involved



With the retail industry’s biggest season quickly approaching, every facet of the sector needs to reevaluate plans to mitigate the increased risk that comes with increased demand. The holidays are certainly not the time to lose out on business due to breakdowns in the supply chain, loss of inventory from theft, or the fallout from credit risk. Yet a shocking 13% of retailers are doing nothing to manage their risk, according to a new study.

Insurance giant Allianz recently surveyed British retailers to see how they are managing changing risks within their business, and what steps retailers are taking to manage risk while growing businesses. This new infographic of their findings from Premierline Direct, which is part of the Allianz UK Group, offers some insight into the risks and concerns of major retailers, how these risks can be managed, and where insurers can better fit into the process.



Prepping for a webinar presentation next week for the oil and gas industry, I’ve been going back to some of the basics of crisis communications. Why do crisis communication efforts fail? Indeed, what constitutes failure? How is the success of a communication effort measured?

Seems to me the primary measure is on reputation–which translates to brand value, closely related to share or company value. That’s measured by those who have a stake in the company, sometimes called “stakeholders.” A communication fail occurs when there is an “unnecessary” loss of reputation, trust, brand value and/or share value. The “unnecessary” is necessary.



Friday, 25 October 2013 17:57

American Blackout


By Kristen Nordlund

This Sunday night there might be a few things vying for your attention – it’s Game 4 of the World Series, the Packers face the Vikings, and there’s a new episode of The Walking Dead. In addition to sports and the undead, the National Geographic Channel is debuting a movie about what happens when the lights go out. Literally.

American Blackout chronicles five groups of people during a ten-day power outage caused by cyber criminals.  How realistic is this scenario? Considering that since 2000 there have been more than 60 wide-scale power outages, including one in India lasting two days and affecting 670 million people, and it might not seem so far-fetched. Adobe PDF file

Although “American Blackout” may seem like an extreme example, many areas of the country have already experienced blackouts (like the Northeast blackout in 2003 that lasted up to 3 days for some areas) or other places like California that experience controlled blackouts (when a utility company shuts off power to an area).  Many areas experience blackouts after natural disasters like hurricanes or extreme weather.  Either way, being without power to control the lights, charge your phone, and use every day household appliances like the refrigerator or the heat, could become an emergency situation.  This is where being prepared can come in handy.

Nearly half of U.S. adults do not have the resources or plans in place in the event of an emergency.  So take this opportunity to check out the resources CDC’s Office of Public Health Preparedness and Response have put together on what you can do during an emergency. In order to make sure viewers have information about how to be prepared in the event of a blackout, CDC’s Office of Public Health Preparedness and Response and National Geographic ChannelExternal Web Site Icon worked together to provide important personal preparedness messages that will appear during the movie.

Thanks to this joint effort, CDC is providing tips on how everyone can get prepared by getting a kit, making a plan, and being informed.  First, put together a kit with water, food, and other supplies like medications, copies of personal documents, sanitation and personal hygiene products and more.  Second, make a plan with your family or friends in case something happens.  Third, be informed by learning how to shelter in place, understand what kinds of emergencies you should be prepared for in your area and make sure you know to manage stress during emergencies.  

A wise man once said, ”Happiness can be found even in the darkest of times, when one only remembers to turn on the light.” Okay, so that wise man was Albus Dumbledore, but the point is if the power is out, it’s best to be prepared. Visit CDC’s preparedness website for more information and to get started.


CityPoint, a 36 floor, 706,557sq ft. tall building, managed by CBRE, a real estate services company, and located in Ropemaker Street, London, believes it is the first tall building to achieve ISO 22301:2012 certification against its scope, successfully coordinating seven individual service providers: security, engineering, cleaning waste, IT, telecoms, lift and building management under one umbrella to deliver resilient building management services.

Stephen Massey, head of BCM (EMEA) for CBRE, interviewed Lee Murray, building manager for CityPoint, to get his insights and advice for those wishing to implement ISO 22301:



Patrick Roberts
Cambridge Risk Solutions

Ever since becoming involved in the profession, nearly ten years ago, I have been constantly intrigued by the attitude of different organisations towards business continuity. Simplistically, I began by assuming that large well known companies, with both assets and reputation to protect would be universally receptive to the idea of BCM, but (painful) experience has taught me that this is not the case. Equally, since starting our own BCM consultancy in the east of England, we have been surprised by the number of very small organisations that have asked us for assistance, organisations that we would never have considered approaching as potential clients. The same surprising pattern is borne out if you look at the firms which are certified to BS 2599, and are now certifying to ISO 22301. It is a curious mixture of large household names and much smaller firms.



What goes on inside your enterprise is of prime importance for your business continuity management. However, so are the actions and attitudes of vendors on which you rely to run your business.  In the same way that you regularly check on BC processes and awareness inside, you should also conduct periodic investigations of key business partners. The first thing to know which vendors should be on the critical list. Essentially, a critical vendor is one on which you are heavily dependent and which cannot easily be replaced in-house or by another vendor. Such a vendor may also have access to confidential information in order to make the relationship work. Let’s suppose you’ve identified such partners. What are your next steps?



In the U.S., small to midsized businesses are feeling more confident in their futures than they have been in several years, says the Sage Business Index for 2013. Sage Group conducted the survey of 11,000 SMBs from around the world from July through August and found that global confidence is up, but it is much higher in the U.S.

After several years of global economic issues, these findings show that the economy may be finally beginning to mend. Connie Certusi, executive vice president of Sage Small Business Accounting said in a statement:

‘Small businesses continue to be the driver of the U.S. economy and it is inspiring that business owners are confident in their prospects. With that said, many business owners have legitimate concerns about the variables that can impact their bottom line, namely the rising cost of energy, raw goods and inflation. Small business owners are always more vulnerable to these concerns so it is wise to be mindful of the challenges that these businesses will continue to face in 2014.’



Thursday, 24 October 2013 13:58

FEMA Corps Members Training in Vermont

WILLISTON, Vt. – A team of young Americans who have volunteered to serve their country during disasters is in Vermont learning more about the science of disaster response and recovery from observing Vermont’s recovery from flooding earlier this year as well as Tropical Storm Irene.

The Federal Emergency Management Agency welcomed a team of FEMA Corps members to the Joint Field Office in Williston for a two-week stint of education, which will be highlighted by actual site visits, as part of their nine-month assignment to FEMA’s Region I office in Boston.

“These young people embody the true spirit of FEMA,” said Federal Coordinating Officer Mark Landry, the head of FEMA’s operations in Vermont. “They have volunteered to help their country, and through their service our nation will be better prepared for disasters in the future.”

The seven FEMA Corps members – who range in age from 18 to 24 and hail from seven different states – have met with and gained valuable insights from state and local officials as well as veteran FEMA personnel.

FEMA and the Corporation for National and Community Service (CNCC) launched FEMA Corps in 2012 to strengthen the nation’s ability to respond to and recover from disasters while expanding career opportunities for young people.

FEMA Corps is a new unit of AmeriCorps’ National Civilian Community Corps (NCCC) whose members will be devoted solely to FEMA disaster response and recovery efforts. The five-year agreement provides for a full service corps of 1,600 members annually who will be an additional workforce in support of FEMA’s current disaster reservist workforce.

Once trained by FEMA and CNCS, members will provide support in areas ranging from working directly with disaster survivors to supporting disaster recovering centers to sharing valuable disaster preparedness and mitigation information with the public.

FEMA Corps members will serve for a 10 month term with an option to extend for a second year. The program will prepare thousands of young people for careers in emergency management and related fields. During their service, they will gain significant training and experience in disaster services and will provide important support to disaster survivors.


Thursday, 24 October 2013 13:56

Difficulty in Modeling for Terrorism

The following is an excerpt from the RIMS executive report “Terrorism Risk Insurance Act: The Commercial Consumer’s Perspective.” The report is available for download here.

For any insurer to operate successfully and avoid going out of business, it must be able to accurately estimate the probability of its losses, the severity of those losses, and then determine the amount of premium that must be charged to cover those losses should they occur. Historical data from past events is used to predict the losses from future events and pric­ing is set accordingly. Even extraordinary events like Hurricane Sandy or the recent tornadoes in Oklahoma, while harder to accurately estimate, can be predicted to a certain degree based on historical data and experi­ence. Terrorism risk, however, differs substantially from these other risks in several different ways.



Drug-resistant germs called carbapenem-resistant Enterobacteriaceae, or CRE, are on the rise and have become more resistant to last-resort antibiotics during the past decade, according to a new CDC Vital Signs report.  These bacteria are causing more hospitalized patients to get infections that, in some cases, are impossible to treat. 

CRE are lethal bacteria that pose a triple threat:

  • Resistance: CRE are resistant to all, or nearly all, the antibiotics we have - even our most powerful drugs of last-resort.
  • Death: CRE have high mortality rates – CRE germs kill 1 in 2 patients who get bloodstream infections from them.
  • Spread of disease:  CRE easily transfer their antibiotic resistance to other bacteria.  For example, carbapenem-resistant klebsiella can spread its drug-destroying weapons to a normal E. coli bacteria, which makes the E.coli resistant to antibiotics also. That could create a nightmare scenario since E. coli is the most common cause of urinary tract infections in healthy people.

Currently, almost all CRE infections occur in people receiving significant medical care.  CRE are usually transmitted from person-to-person, often on the hands of health care workers.  In 2012, CDC released a concise, practical CRE prevention toolkit with in-depth recommendations to control CRE transmission in hospitals, long-term acute care facilities, and nursing homes.  Recommendations for health departments are also included.  CRE can be carried by patients from one health care setting to another.  Therefore, facilities are encouraged to work together, using a regional “Detect and Protect” approach, to implement CRE prevention programs.

In addition to detailed data about the rise of CRE, the Vital Signs report details steps health care providers, CEOs and chief medical officers, state health departments and patients can take now to slow, and even stop, CRE before it becomes widespread throughout the country.



Wednesday, 23 October 2013 17:10

Supply chain resilience

Lyndon Bird
Business Continuity Institute

In 2009 The Business Continuity Institute decided that more research was needed into the level of business disruption being caused by supply chain problems. The challenge we set ourselves was to provide data to help organizations develop and enhance resiliency within their supply chains. This work was done with the strong support of Zurich Insurance Services and in collaboration with the Chartered Institute of Purchasing and Supply.

Since then, this has become a regular annual survey and its findings have become increasingly influential to the business continuity, purchasing and supply and insurance communities. At BCM World 2013, the findings from the most recent survey will be announced and I will be leading a discussion on these alongside Nick Wildgoose of Zurich Insurance Services.

This is the first release of data from 2013 survey and those attending the session will be given a printed copy of the full report. Although the methodology used in 2013 was consistent with previous years, some additional questions were added.



Keeping your doors open for business is a concept that the Insurance Institute for Business & Home Safety (IBHS) has promoted for many years with its long standing popular business continuity planning toolkit.  Many of our website readers are familiar with this disaster preparedness planning tool.

As the anniversary of Hurricane Sandy approaches, our staff research team found that IBHS has just recently launched a free, online version of their business continuity planning toolkit —-entitled OFB-EZ™ (Open for Business-EZ).  This online version is a somewhat streamlined version which guides users through an easy process to create a recovery plan that will help even the smallest businesses recover after a disaster.

CIO — Social media can be a powerful marketing tool. But used the wrong way, social media sites can have a negative impact on your business -- costing you goodwill and prospective customers. So how can you create a positive impression of your business and/or your products on popular social media sites, such as Facebook, Twitter, LinkedIn, Google+ -- and avoid potentially costly social media blunders? CIO.com asked dozens of social media experts and managers to find out. Here are their top 15 picks for the most common social media mistakes businesses make and how to avoid them.



Wednesday, 23 October 2013 17:07

Disaster Alert: Hurricane Raymond

Hurricane Raymond is a category 3 hurricane, heading toward the Mexican states of Guerrero and Michoacán. Mexico’s Civil Protection agency has declared a red alert in three municipalities: one in Guerrero and two in Michoacán. Some preventative evacuations of at-risk communities have also been undertaken and school classes have been suspended. The Mexican Red Cross has put all of its delegations on alert and is in permanent contact with Mexico’s Civil Protection agency to continue monitoring the event. Some 15,000 food parcels, 3,000 hygiene kits, 1,000 kitchen kits and 500 home-cleaning kits have been pre-positioned close to the area.

There are currently 50 damage evaluation personnel in Acapulco, Mexico and 250 volunteers in the area. Along with rescue units, Mexican Red Cross staff and volunteers are supporting evacuations, as well as assisting at the shelters equipped for food delivery. Since Monday evening, rains have continued along the Pacific coast, causing water levels of some rivers to increase—but have not yet resulted in flooding.


Wednesday, 23 October 2013 17:06

Privileged Users Abusing Data Access

Privileged access. Privileged users. These words should make us all uncomfortable at this point. While IT, management and users are all bombarded with and distracted by daily news of new malware attacks or software vulnerabilities, the more serious threat to network security and data integrity continues quietly: insider threats. Whether the initial intent is malicious or not, once the breach occurs, even if it is accidental, the damage is done.

So-called privileged users are a big part of the problem. Whether “privileged” because they are power users of some sort or have reached that rank through a different path, or are “privileged” because their access was never restricted through an oversight, the temptation to access data not necessary to their daily tasks proves too tempting to users on a regular basis. IT is not exempt from that group, either. Results from BeyondTrust’s recent survey, “Privilege Gone Wild,” for example, show that in many companies, controls on access to data are still lacking, or easily circumvented. The responses from 265 IT decision makers across a variety of industries are disheartening:



When it comes to data silos, nobody does it quite as well as the government.

This makes government agencies the butt of a lot of jokes, but there are actually some pretty good reasons for these silos.

First, most government agencies have been around for nearly 100 years and counting. Second, these agencies have usually grown through Congressional action, which can by act establish a whole new division to support new services.



We are about to kickoff our next Forrester Wave on web content security.  The inclusion criteria for vendor prequalification will be sent out within the next two weeks. We will be focusing on both traditional web gateways as well as the hybrid and SaaS delivery models. What does this mean for you?

  • Vendors:  If you feel that your solution applies to this Wave, please contact us and let us know that you'd like to be sent the prequalification survey.  We will be limiting the number of vendors participating in this evaluation. 
  • Enterprises:  If you would like to provide us feedback on your experience with web content security solutions and vendors, we would love to hear from you.  We plan to leverage your feedback for evaluation criteria as well as score weighting.  

Please contact Kelley Mak (kmak at forrester.com) if you are interested in participating.   We expect this Wave will publish in the Spring of 2014. (Fine print: This is a publication estimate and this date is subject to change.)


By William Heisel

One year ago, valley fever was a disease that few people outside of Arizona or Central California had heard of.

Caused by breathing in spores from a fungus that grows in the dirt throughout the Southwest, coccidioidomycosis – as it is formally known – can cause serious illness and a painful death. It spreads from the lungs to the bones, skin, and organs. It can cause lifelong pain and disability and require years of expensive medications. If you live in one of the 15 states that are required to report cases of the disease to the CDC, you have a greater chance of getting valley fever than you do AIDS, hepatitis, or Lyme disease.

I lived south of Los Angeles for 10 years and never heard about it. Nobody I know in Seattle had ever heard of it, either.

“Is that like yellow fever?” is a typical response.

It might have remained a poorly understood and under-the-radar disease if it weren’t for three things: an intense regional media campaign to focus attention on the disease, a new wave of scientific interest led by the CDC, and the intervention of local and federal policymakers.

Now people throughout the United States know about the disease through big stories in the national media. And two of the top health officials in the country – Dr. Thomas Frieden from the CDC and Dr. Francis Collins from the NIH – have pledged to pull together a multi-million-dollar clinical trialExternal Web Site Icon to find better treatment protocols.

This all started in the summer of 2012 when ReportingonHealth.orgExternal Web Site Icon’s editor-in-chief and I (in the role of project editor) convened a group of Southern California media outlets  to talk about the possibilities for collaborating together on untold health stories. The news website is an initiative of The California Endowment Health Journalism FellowshipsExternal Web Site Icon at the University of Southern California’s Annenberg School for Communication and Journalism, and the reporters who took part in the initial discussions were all former fellows in the professional journalism training program. The project was supported by The California Endowment and, from the onset, we set out to have an impact and make a different through investigative and explanatory journalism. 

From Bakersfield to Fresno to Merced to Stockton, the story we heard from editors and reporters was consistent: people in Central California communities had been hit hard by valley fever, but the news outlets had only scratched the surface reporting on it.  Over the next year, the Bakersfield Californian, the Merced Sun-Star, Radio Bilingüe in Fresno, The Record in Stockton, Valley Public Radio in Fresno and Bakersfield, Vida en el Valle in Fresno, the Voice of OC in Santa Ana and ReportingonHealth.org banded together under the Reporting On Health Collaborative banner.

We called our series Just One BreathExternal Web Site Icon because all it takes to catch valley fever is to breath in the fungal spores. The series documented the rise of the disease epidemicExternal Web Site Icon, the toll on familiesExternal Web Site Icon and the financial costsExternal Web Site Icon, the stalled attempts to find a vaccineExternal Web Site Icon, and a range of other issues. Throughout, the collaborative identified the levers that – if switched – could prevent infections and improve the lives of patients afflicted with the disease. And we ultimately provided a five-point road mapExternal Web Site Icon for changing the course of the disease. We coupled the reporting with an innovative community engagement campaign.

Our stories led to coverage by some of the best-read media outlets in the worldExternal Web Site Icon, including the Associated PressExternal Web Site Icon, the New York TimesExternal Web Site Icon, and the BBCExternal Web Site Icon.

At the same time, the CDC began ramping up its publication of journal articles related to valley fever. Between 2000 and 2011, there were an average of two articles on valley fever in CDC publications: MMWR Weekly and Emerging Infectious Diseases. In 2012 alone, though, the CDC published six articles that provided new information about the disease.

Among these studies was one particularly important report. Coccidioidomycosis-associated Deaths, United States, 1990–2008 detailed the mortality from valley fever, the age groups being hit the hardest and the ethnic differences in death rates. Jennifer Y. Huang, Benjamin Bristow, Shira Shafir, and Frank Sorvillo reported:

During 1990–2008, a total of 3,089 coccidioidomycosis-associated deaths among US residents were identified; these deaths represent 55,264 years of potential life lost. The overall crude mortality rate was 0.58 per 1 million person-years (95% CI 0.56–0.61); after age adjustment, the mortality rate was 0.59 deaths per 1 million person-years (95% CI 0.57–0.61).

That report was followed by an update on the upswing in reported valley fever cases in March 2013, in Morbidity and Mortality Weekly Report (MMWR). The study, Increase in Reported Coccidioidomycosis – United States, 1998-2011, was co-authored by two of the CDC’s lead experts in fungal diseases: Dr. Tom Chiller and Dr. Benjamin Park, along with Clarisse A. Tsang, Farzaneh Tabnak, Dr. Duc J. Vugia, and Kaitlin Benedict. They wrote:

This report describes the results of that analysis, which indicated that the incidence of reported coccidioidomycosis increased substantially during this period, from 5.3 per 100,000 population in the endemic area (Arizona, California, Nevada, New Mexico, and Utah) in 1998 to 42.6 per 100,000 in 2011. Health-care providers should be aware of this increasingly common infection when treating persons with influenza-like illness or pneumonia who live in or have traveled to endemic areas.

Soon, it wasn’t just the media and the scientists who were calling attention to valley fever this past year. Politicians started to move, too.

Within a few weeks of the Just One Breath kickoff in September 2012, Michael Rubio, then a California state senator, called a town hall meetingExternal Web Site Icon in Bakersfield that brought together community leaders, clinicians, researchers, and patients to talk about how to deal with the disease. He then formed a valley fever committee in the state Senate.

“Let’s have a competition: Who can come up with a better test so we can achieve it?” Rubio said to the crowd. “Who can come up with a better treatment so we can have a cost-effective way of treating this very serious disease?”

At the federal level, Sen. Kevin McCarthy, R-Bakersfield, contacted Dr. Frieden at the CDC. McCarthy told reporters earlier this yearExternal Web Site Icon that he knew there had to be a better way to deal with valley fever.

“What I would like to do in the short-term is a randomized clinical trial, because no facts are proven out there for the best treatment for valley fever,” he said. “It’s still unknown.”

That was in April. Last month, McCarthy helped make something unprecedented happen when he brought Drs. Frieden and Collins to Bakersfield for a two-day symposium on the disease.

The unknowns about valley fever are starting to give way to concrete, concerted action. As developments unfold, you can be assured that many more people are going to be paying attention. Gone are the days when valley fever was thought of as an unavoidable risk, the downside of all the upsides of living in the Southwest. People have seen what is possible when the science, policy, and advocacy communities put their heads together, and they want to see that same attention paid to valley fever.

William HeiselExternal Web Site Icon is a Contributing Editor at ReportingonHealth.org and the Project Editor on the Just One Breath series about valley fever. A reporter for 20 years, Heisel lives in Seattle, where he works as the Director of Communications for the Institute for Health Metrics and EvaluationExternal Web Site Icon.

Comments Icon  Post a Comment


One in three British companies is putting business operations at risk by storing data back-ups on-site, according to new research by Onyx Group and Computing magazine.

The research, which took place among IT managers in UK SMEs, shows that less than half back-up data off-site in a secure data centre, despite the risk that loss of IT poses to business continuity.

The research also revealed that just 16 percent of businesses are confident that their disaster recovery procedures are as good as they could be. A further 14 percent did not know whether they could be improved.

Neil Stephenson, CEO at Onyx Group commented: “This research shows a real lack of confidence in existing disaster recovery procedures and an obvious need to review and improve the business continuity plans that many UK SMEs currently have in place.



Network WorldThis vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Cloud computing has transformed the way IT resources are utilized, but the externalization of infrastructures and applications has brought with it the perception of increased risk, which seem to swirl around visibility and control.

This perception of increased risk has prevented the adoption of cloud solutions in a number of industries, so the key question is how to make decisions about moving your organization's IT solutions to the cloud while considering the risks involved. A

Let's review the key advantages of cloud computing:



Alan Elwood
Risk and Resilience Ltd

So far I have posted about the need to concentrate on ensuring your OODA Loop can operate faster than the emergency and talked about how to manage information and actions in a crisis. To complete this series of three blog posts I am going to look at how you can structure crisis decision making. Decision making in a crisis is not the same as in everyday circumstances so you will need access to different tools. Here are five things to consider:

Key Questions: Have a system to guide your decision making that analyses the situation but also allows you to use your experience and intuition. Think about the key set of questions you need to ask yourself and write them down in advance. These questions should help you (1) understand what is going on and the implications of that; (2) appreciate what needs to be done and why it needs to be done; (3) be clear on where your priority lies; and (4) identify, resource and co-ordinate tasks. Once you have this in place make its use is second nature - rehearse, rehearse, rehearse!



Tuesday, 22 October 2013 15:51

5 Tips for Managing Clouds at Scale

Network World — The enterprise adoption of cloud computing resources has taken a precarious path. Many organizations have started by running small workloads in the public cloud, reticent to use the platform for bigger mission-critical workloads.

But once they get comfortable with say a test and development use case in the cloud, or an outsourced e-mail platform, perhaps CIOs and CTOs warm up to the idea of using outsourced cloud resources for more jobs.

At a recent panel of cloud users, one thing became clear though: Managing a public cloud deployment at small scale is relatively straightforward. The problem comes when that deployment has to scale up. "It gets very complex," says IDC analyst Mary Turner, who advises companies on cloud management strategies. "In the early stages of cloud we had a lot of test and development, single-purpose, ad-hoc use case. We're getting to the point where people realize the agility cloud can bring, and now they have to scale it."

And doing so can be tough. The panelists at the recent Massachusetts Technology Leadership Cloud Summit had some tips and tricks for users though. Here are five.



While good planning and processes are at the heart of business continuity and disaster recovery, technology can accelerate the benefits as well. We live in an age of cloud computing and smartphones. Both can be used to help an organisation get back on its feet after incidents, or simply ride them out without severe or permanent consequences.

Mobile Apps. With a billion smartphones in the world, the mobile app is now a familiar concept. The MIRA smartphone app makes use of the extensive capabilities of mobile devices to communicate with and localise respondents in order to coordinate DR and BC processes and exchange crucial information.



Tuesday, 22 October 2013 15:48

Thornton May: The Future Will Need CIOs

Computerworld — Several weeks ago, a group of enterprise CIOs gathered to celebrate the 32nd birthday of CIO-ness. That's right, the "chief information officer" job title is 32 years old.

There are several origin myths associated with the CIO position floating around our industry, but all of them roughly place the moment of CIO conception as sometime during 1981. I asked the hundred-plus CIOs in attendance to think back to what they were doing when they were 32. Doing pattern recognition on the responses revealed much. The most important observation was that by age 32, the executives in the room emphatically concluded that their careers were not over. They unanimously agreed that from age 32, their jobs got bigger, better and different.

We should all be able to conclude with equal certainty that at age 32, CIO job is not over either. Not even close. Things are going to get bigger, better and different on a massive scale.



Tuesday, 22 October 2013 15:37

Picking Up the Insurance Tab

Your broker will help you determine your insurance needs, go out to market, and obtain competitive quotes. She’ll guide you through the buying process, price negotiations and policy terms. She might even take you out to a nice lunch and introduce you to the key players at your carrier. There’s no debating it – your broker is a great help when you’re purchasing insurance.

But the one thing your broker won’t help you with is paying your insurance bill. For that, you’ll need a budget.

Preparing an insurance budget is a lot like splitting the tab after an expensive meal. You’re pretty sure that everyone sitting at the table should pay something, but how much? Should the bill be divided evenly? Should each person pay according to what he ordered? Should you skip all the awkwardness and just pay the thing yourself?




In 2011, Chris Kloosterman joined the IT team at Saint Michaels University School (SMUS) in Victoria, BC, Canada after leaving his position at nearby Brentwood College School. St. Michaels University School is a private co-educational, independent day and boarding school of 930 students from kindergarten through grade 12.

The timing of Kloosterman’s hiring as the new systems administrator could not have been better as SMUS was facing major challenges with its data backup and recovery system. Fortunately, he had just spent months in his previous role evaluating backup solutions and had great insight to share with SMUS manager of computer services, Rob Przybylski.

With the previous system, Symantec Backup Exec 2010 version 13, the school was backing up full plus incrementals over seven days, but wanted the ability to back up all data every day. SMUS also needed an easier and more robust solution for performing file level restores and looking at data retention policies to ensure they had copies of data where they needed copies. With Backup Exec 2010 version 13, doing multiple copies was cumbersome. During testing, they generally did not work. SMUS went to disk and archive to tape, but because tape was so unreliable, they had to back up to two different disk boxes in two different locations. That was problematic.

As it came time to evaluate and implement a new backup solution, Przybylski relied heavily on Kloosterman who had been part of Brentwood College School’s extensive research into backup systems. With his thorough knowledge of the available systems, SMUS didn’t need to replicate his research efforts.

Based on Kloosterman’s endorsement of the STORServer Backup Appliance, SMUS implemented the system in June 2011. The competitive solutions were either significantly more expensive or lacked the robust features that the Appliance offered.

Driven by IBM® Tivoli® Storage Manager (TSM) and other proven technologies, the STORServer Backup Appliance is a comprehensive, fully integrated, backup, archive and disaster recovery solution in a single, easy-to-use configuration of hardware and software technologies.

STORServer has enabled much faster backups for SMUS. Previously, with Backup Exec 2010 version 13, the school was doing incremental backups daily and full backups during the weekend, which proved to be incredibly challenging for performing restores. In order to restore a file, Przybylski had to go to the latest full backup and look up all backups since then. If a file changed daily, that meant they backed it up daily. So, if a file changed every day for 30 days, SMUS had 30 copies of it due to a 30-day retention requirement. STORServer enabled the school to get proper file retention policies back to a year and eliminated the worry about all the different data sets they were backing up every day.

SMUS is currently backing up 17.5 terabytes (TBs) of raw data across two locations—one at its main facility and the other at a nearby junior school. The school is fully virtualized with 60 virtual servers and runs Windows and Linux and a 10 gigabyte network in its server room.

Using Backup Exec 2010 version 13, backups started running at 10 p.m. every evening and usually finished by 7 a.m. the next day. However, if there was ever an issue, backups would go into the next work day and make the system very slow. The backup window was growing and growing and Przybylski feared SMUS would eventually run out of physical time to perform backups. Now, STORServer’s backup window is a quarter of that—mere hours.

The Appliance has saved the school immense amounts of time. Restores previously took half an hour to 40 minutes depending on when the file was deleted. Now, restores happen instantly with STORServer.

In October 2013, SMUS had a major storage crash. The process of restoring all of the data using the STORServer Backup Appliance included more than 7.1 million files restored to the main file server, 900 student email boxes and a couple of bare metal server restores. With no hiccups, problems or errors, STORServer had all of the data restored in a matter of a few days.

Although quantifying a cost savings of implementing the Appliance is difficult, Przybylski says the peace of mind the solution offers is invaluable.

The daily time period we would need to spend on managing the STORServer Backup Appliance is probably a quarter of the time we were spending on the old system,” says Przybylski. “We now spend at most 10 minutes a day maintaining the system. Time wise, it is a huge savings. And, my level of comfort is priceless.”

Since implementing the Appliance, the system has been able to meet SMUS’s growing needs. The school has bought extra tapes—as its backup data set has grown—and changed out the hard drives in the unit with help of STORServer. According to Przybylski, there wouldn’t be any issue expanding the system even if their file data volume doubled, which it likely will. STORServer could handle that growth.

STORServer is quite a hands-off system,” says Przybylski. “You set it up at the beginning with the retention policies, and then it really does run itself. Restores are instant and can be done by any of our technical staff. It doesn’t require expertise of the TSM platform. But, the biggest benefit is the peace of mind that my data is backed up and I can get it back in case of disaster. That was not the case with our old system.”

One of the biggest topics in IT today, specifically for anyone in the backup field, is deduplication. Using STORServer, SMUS is able to store 17 TBs of data on 9 TBs with compression and data deduplication.

Our WAN backups used to take seven nights to get a full backup, but with deduplication, we now get a full backup every night in just minutes over the same WAN connection,” says Przybylski “This has helped us out more than any of the other features of the Appliance. Compression and deduplication mean we have a quarter of the disk space our old system had. Now, we can store more data and archive sets than was previously possible. We don’t have to store data for specified periods of time. Some files are archived forever and most have retention policies.”


Katie Collison

Crossrail is the biggest construction project currently in Europe and is one of the largest single infrastructure investments ever undertaken in the UK. It is a rail link that will run 118km from Maidenhead and Heathrow airport to the West of London, through new twin bore 21 km tunnels under central London to Shenfield and Abbey Wood, east of London. Crossrail will increase London’s rail based transport network capacity by 10% and bring an additional 1.5 million people to within 45 minutes of commuting time to London’s key business districts, supporting regeneration across the capital. It represents construction on a staggering scale.



Over the past few months, the discoveries of two engineers have led to a steady trickle of alarms from the Department of Homeland Security concerning a threat to the nation’s power grid. Yet hardly anyone has noticed.

The advisories concern vulnerabilities in the communication protocol used by power and water utilities to remotely monitor control stations around the country. Using those vulnerabilities, an attacker at a single, unmanned power substation could inflict a widespread power outage.

Still, the two engineers who discovered the vulnerability say little is being done.

Adam Crain and Chris Sistrunk do not specialize in security. The engineers say they hardly qualify as security researchers. But seven months ago, Mr. Crain wrote software to look for defects in an open-source software program. The program targeted a very specific communications protocol called DNP3, which is predominantly used by electric and water companies, and plays a crucial role in so-called S.C.A.D.A. (supervisory control and data acquisition) systems. Utility companies use S.C.A.D.A. systems to monitor far-flung power stations from a control center, in part because it allows them to remotely diagnose problems rather than wait for a technician to physically drive out to a station and fix it.



It seems many organizations are starting where they are with Big Data. On a practical level, what that means is:

Now, I’m not going to be the one to say whether that’s a good idea or not at this point. You do what you need to do.



There was a time when data facilities had to be kept close to the knowledge workforce because the cost of building and maintaining broadly distributed network architectures was just too high, as was the latency they created.

Today’s high-speed, high-bandwidth networks have put an end to that, however, resulting in global cloud configurations that can connect data to virtually any device at a moment’s notice. The end result is that data centers are starting to crop up in the most unusual places, most often driven by the desire to implement the broadest possible data footprint while keeping costs to a bare minimum.

In many cases, this has led to a building boom of sorts in the coldest climates of the globe. Facebook, for one, recently took the wraps off its newest hyperscale facility, located in the small town of Lulea, Sweden. The facility lies just south of the Arctic Circle where the temperature rarely hits 70 degrees F and can easily slip to below zero in the dead of winter. Using ambient air and Sweden’s ample supply of renewable energy (mostly hydroelectric), the facility boasts a PUE of 1.04, which means that just about all the energy it consumes goes to data infrastructure, not cooling or power generation. For a center that handles upwards of 10 billion messages per day, that adds up to quite a savings for Facebook.



Friday, 18 October 2013 19:11

Be Cyber Smart. Stay Cyber Secure

CHICAGO – Cybercriminals don’t discriminate, so don’t be a target - protect your privacy and guard against fraud by practicing safe online habits. Cyber security threats and attacks are gaining momentum. With more than $525 million in losses due to online criminal activity in 2012, proper security measures are a critical component in keeping your identity and finances secure. <?xml:namespace prefix = o />

October is National Cyber Security Awareness Month (NCSAM), and the Federal Emergency Management Agency (FEMA) is taking this opportunity to remind our partners and the general public to create a safe, secure, and resilient cyber environment.

“Computers, smartphones and other electronics have become a prevalent part of our daily lives,” said FEMA Region V Administrator Andrew Velasquez III. “Everyone needs to understand how frequently cybercrimes occur and arm themselves with the latest information and tools necessary to protect their families against potential fraud.”

Helpful information on protecting kids online, securing your computer and avoid scams can be found at OnGuardOnline.gov. Here are a few tips to safeguard yourself and your computer:

Set strong passwords, change them regularly, and don’t share them with anyone.

Keep your operating system, browser, and other critical software optimized by installing updates.

Maintain an open dialogue with your friends, family, colleagues and community about Internet safety.

Use privacy settings and limit the amount of personal information you post online.

Be cautious about offers online – if it sounds too good to be true, it probably is.

Report a cybercrime to the Internet Crime Complaint Center (www.ic3.gov) and to your local law enforcement or state attorney general as


FEMA's mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Follow FEMA online at twitter.com/fema, twitter.com/femaregion5, www.facebook.com/fema, and www.youtube.com/fema.  The social media links provided are for reference only.  FEMA does not endorse any non-government websites, companies or applications.



One thing that has become all too transparent with social media and the Internet is that there are an awful lot of ugly, nasty people out there. And when they can hide behind anonymity they can get real ugly. That reality has driven a whole new class of reputation crisis. But left many with the question of what do you do when the uglies, nasties and digital mob start creaming you online?

My sense is that the standard answer (certainly mine has been) is that it doesn’t make sense to respond to any and every gratuitous attack. Monitor, monitor, monitor and if it looks like some accusation is getting legs then respond. However, I continually am surprised by the remnants of the old Mark Twain comment (I think it was Twain) who said never pick a fight with someone who buys ink by the barrel. While that refers to news, because of the impossibility of determining a meaningful distinction between new media and old media, it also applies in some thinking to online attacks as well. Particularly if the attack is coming from someone with a large following.



As the one-year anniversary of Hurricane Sandy approaches in late October, Allianz Group’s specialist corporate insurer, Allianz Global Corporate & Specialty (AGCS), warns that while there is heightened awareness, many businesses have not yet implemented adequate changes.

A new Risk Bulletin from AGCS entitled ‘Superstorm Sandy - Lessons Learned: A Risk Management Perspective’ examines the cost of the disaster and outlines what businesses need to do now to ensure they can mitigate the adverse financial impact of future storm events.

“Many businesses are not as prepared as they could be. Today businesses need to prepare for the new normal of weather events and this can be a laborious process,” said Tom Varney, Regional Manager for Allianz Risk Consulting in the Americas. “For many companies it takes time—in some cases years—to appropriate funding and actually make the much needed changes. For others it may just be about focusing on the right things at the right time. Allianz is committed to helping clients identify vulnerabilities, mitigate risk and be as prepared as possible.”

Superstorm Sandy - Lessons Learned: A Risk Management Perspective identifies four key steps that businesses can implement now to be better prepared for future extreme weather events:



Friday, 18 October 2013 19:08

Horizon Scanning

Colin Ive

As new threats appear, it is easy for busy Business Continuity practioners to miss these with their heads so deeply burrowed into the challenges of organisations. Practitioners are already overloaded with work and, as we have seen in recent years, this is often due to cutbacks, to having an amalgamation of roles or simply by being directed to focus on achieving compliance with new standards and increasing demands from customers etc. Yet without an effective and externally focused ‘risk radar’ seeking out these threats on a permanent, efficient and effective basis, an organisation can find itself suddenly confronted with unwelcome surprises which could impact their business either directly or via a failing supply chain. Surprises which can severely damage their bottom line!



Being involved in a legal action, even it the organization prevails, is expensive and can lead to an interruption to "business as usual."


Lately I have been reading about more and more court cases on complaints by workers claiming they were not paid for mandatory work done prior to, and following, work hours.

For example, a bus driver has to report 15 minutes early to inspect and prepare his bus to accept passengers. His formal work shift begins at 7 a.m., but because he has 15 minutes "prep" time, he actually begins work at 6:45 a.m.

Think about the person who has to "suit up" to work in either a clean room or a potentially contaminated area - a nuclear plant, for example. Not only does the employee have to take time to prepare for the job, the employee also needs time to doff the protective gear after the work day is complete.



Thursday, 17 October 2013 15:05

Walk a mile in their shoes

David Tickner
Computrix Services

Whether a consultant or an internal business continuity planner, it’s never easy to get management to commit to a continuity program. Perhaps it’s the approach you take or that you find management a bit too bottom line focussed.

Where is the key to gaining corporate commitment for BC programs - the CEO’s office, the CFO or the Risk Manager? Perhaps it’s not even inside your organisation, there could be other options.



One of the biggest factors in helping people to get along and making businesses profitable is communication. Mobile phones in particular have become the symbol of this: depriving somebody of his or her mobile phone is today akin to torture, at work, at home or anywhere else. The trend continues too towards more advanced and more diverse communications technology, as workers bring in their own mobile devices for work and customers increasingly put their faith in the cyberspace.  Yet, our communication fails when we’re in an elevator, in a tunnel, underground or any place similarly isolated from the business network. Do military communications hold an answer?

If communications are important to most businesses, for the armed forces they are vital. With this in mind, military communications have often been in the forefront of communications technology in sophistication, performance and availability. The Internet that we now take for granted was originally a DARPA (US Defense Advanced Research Projects Agency) project. The goal was to construct a communications network that would automatically reroute information to deal with any part of the network breaking down or being destroyed. Similarly, the army, navy and air force (and the police) had two way radios and radio networks long before the first mobile phones became available for consumers.



I’ve flogged this horse before, but this new info graphic from istock (and video version of it) reminded me of the importance of video on the web.

Imagine it was 1994 and we were having a conversation about crisis communications. You said to me, “You know, this Internet thing might be big. I think crisis communicators ought to look at how this thing called a ‘web site’ might help in a crisis.”

“Pah, fooey,” I would say. “Why would anyone need that? Everyone knows that crisis communication is about putting out press releases and handing them out to the waiting press mob outside the door.”



by Hilary Tuttle


In the October issue of Risk Management, social media and eDiscovery expert Adam Cohen chatted with me about the biggest corporate risks in sites like Facebook and Twitter, and outlined some best practices for developing and enforcing a social media policy. But behind every account sits one major risk that’s hard to control: a person.

Not all of Cohen’s advice could make the magazine, so here are some of his extra tips for how to mitigate the risks of personal social media – both to protect your company and to protect yourself.



It’s sometimes easy to forget that, as far as most end users are concerned, analytics is merely a means to an end. As such, those users are generally a lot more interested in the path of least resistance when it comes to applying analytics.

With that issue firmly in mind, Adobe this week at the Digital Marketing Association 2013 conference updated Adobe Analytics, a service that allows users to analyze massive amounts of unstructured Big Data.

Nate Smith, product marketing manager at Adobe, says Adobe Analytics eliminates all the complexity associated with Big Data by exposing analytics applications as a service. As a result, organizations don’t have to invest in expensive data scientists to organize their data; they just load it into the Adobe Marketing Cloud.



It’s sometimes easy to forget that, as far as most end users are concerned, analytics is merely a means to an end. As such, those users are generally a lot more interested in the path of least resistance when it comes to applying analytics.

With that issue firmly in mind, Adobe this week at the Digital Marketing Association 2013 conference updated Adobe Analytics, a service that allows users to analyze massive amounts of unstructured Big Data.

Nate Smith, product marketing manager at Adobe, says Adobe Analytics eliminates all the complexity associated with Big Data by exposing analytics applications as a service. As a result, organizations don’t have to invest in expensive data scientists to organize their data; they just load it into the Adobe Marketing Cloud.

How would you coordinate 30,000 volunteers in 5,000 locations across an arc 500 miles long in just eight weeks?

That was the challenge Aaron Titus faced in the wake of Superstorm Sandy. Undaunted, he went to work. Realizing he couldn't do it alone, he focused on building a solution that decentralized the coordination process, worked across agencies, and empowered leaders in the field. He succeeded. 

- See more at: http://blogs.csoonline.com/security-leadership/2802/conversation-aaron-titus-using-open-source-coordination-transform-disaster-recovery#sthash.dSBium9X.dpuf

Our staff recently was informed of a new emergency and disaster preparedness free mobile app solution called the “In Case of Crisis” mobile solution.

The “In Case of Crisis” mobile solution —  created and developed by Irving Burton Associates (IBA) –allows institutions – e.g. educational, corporate, government or hospitality — convenient and secure access to emergency information with features such as easy-to-read instructional and building diagrams, one-tap key contact calling, and push notifications for updates/alerts and maps.

The app includes access to a library of 85 possible emergency event scenarios with templates and images or organizations can customize with their own event details. A dedicated client success team provides hands-on coaching and best practice tips for publishing emergency plans to mobile devices.

Thursday, 17 October 2013 14:48

Cavalcade of Risk #194: Is this just fantasy?

Is this the real life? Is this just fantasy? Either way, we’re delighted to be taking our first turn at hosting Cavalcade of Risk #194. For those of you who, like us, are new to this, the CavRisk blog carnival is a round-up of risk and insurance-related posts from around the blogosphere.

Our debut as a Cav host kicks off with a post on fantasy insurance in which Hank Stern of InsureBlog poses the question: What if your Fantasy Footballer gets sidelined in real life? The good news is there’s an insurance policy for that. Game on.

Next up, at Workers’ Comp Insider, Julie Ferguson, brings us back to real life with a roundup of the impact that the government shutdown is having on workplace health & safety and various regulatory and employment-related matters. It’s her second, and hopefully last, roundup on the shutdown, Julie notes.



with Dan Zitting

5 Steps to Integrating Governance, Risk Management and Compliance Activities Across the Organization

Governance, risk management and compliance (GRC) efforts are often spread across an organization. Each department takes a different approach with its own systems, technologies and tools to engage in risk management activities. Senior management is often stymied in trying to get a clear picture of risk across the organization, having to compare apples and oranges served up from various silos of GRC activity.

Without a consistent way to look at the universe of risk across the organization, how can you weigh impact and likelihood and keep up to date on ever-changing risk profiles?



Wednesday, 16 October 2013 14:51

Recovery Strategies

Ian Charters
Continuity Systems Ltd

It is a pity that the term ‘recovery strategy’ was ever coined. It gives the impression that an organisation has one high level recovery strategy which will provide a response to all BC issues and around which all recovery plans and procedures will be based. For example – “in the event a disruption the organisation will move priority staff to operate from its recovery centre at...” which is seen as a solution to all problems.

Instead the ‘recovery strategy’ of an organisation is likely to be a whole raft of measures put in place before an incident occurs that will, hopefully, give it some workable options for response when an incident occurs whatever the circumstances.



Wednesday, 16 October 2013 14:49

Disaster Update: Cyclone Phailin

Cyclone Phailin made landfall on October 12th, striking the East coast of India including the states of Odisha and Andhra Pradesh.  Wind speeds reached 130 miles per hour and the storm surge reached 10 feet in some areas.

The storm triggered India’s biggest evacuation operation in 23 years with close to one million people evacuated by government authorities with support from the Indian Red Cross.  More than 110,000 are taking refuge in Red Cross run cyclone shelters. Phailin had a devastating impact damaging or destroying more than 250,000 homes and nearly 1 million acres of crops. 

The emergency response has been constrained by the cancellation of air-flights and trains, damage to highways and roads along the coastline, and disruption to mobile communication.

The Indian Red Cross (IRCS) has deployed teams to assess the affected areas and is mobilizing emergency relief items, clean water, and shelter materials.  More than 2,500 volunteers are responding. Three water treatment units have been deployed along with 11,000 tarps. The IRCS is planning to support some 200,000 people with initial assistance including distribution of shelter and relief supplies, health checks and provision of safe water.

The cyclone affected 11 million people but due to intensive preparedness efforts few lives were lost. In 1999 Cyclone Orissa made landfall in a similar area and killed more than 10,000 people.  Since that time the Indian Red Cross has increased its disaster preparedness efforts and training in the communities. 

 “Disaster risk reduction interventions for the last many years in Odisha, especially the construction of 75 cyclone shelters and training of large number of volunteers made it possible for nearly 110,400 people to get protection in these Red Cross Cyclone Shelters during the evacuation,” said Dr. S.P. Agarwal, Secretary General of the Indian Red Cross.


Wednesday, 16 October 2013 14:46

Listen to Understand – Not Simply to Reply


I have worked for a few organizations where the concept of the CEO was to help customers improve their business by understanding their business and business needs, create solutions via services with hardware and software, and provide support throughout the entire life-cycle.  Using these concepts in addition to my own beliefs, I recently presented to a group of prospects and customers.  I have long been convinced that selling a widget only goes so far.  Solving business problems, embeds you into the fabric of an enterprise.

Far too often, people believe in what they are doing without understanding it.



By Loraine Lawson

You hear it all the time: There simply aren’t enough trained data scientists to support the demand for Big Data analytics.

But here’s an interesting fact from TDWI’s best practices report on “Managing Big Data”: The data scientists aren’t really managing it now.

Actually, there’s an incredible range of job titles that manage Big Data. Out of 297 responses from 166 respondents (they could choose multiple options), only 6 percent said data scientists manage Big Data in their organizations.



Wednesday, 16 October 2013 14:43

What the Internet of Things Means for Security

You've probably been hearing a lot lately about the Internet of Things (IoT). The IoT (see: "The IoT: A Primer" at the end of this piece), while still in the early stages of development, is slowly making its way into the mainstream as more objects become connected via technology such as radio frequency identification (RFID) and the iniquitousness of the Internet.

By Bob Violino


CSO — You've probably been hearing a lot lately about the Internet of Things (IoT). The IoT (see: "The IoT: A Primer" at the end of this piece), while still in the early stages of development, is slowly making its way into the mainstream as more objects become connected via technology such as radio frequency identification (RFID) and the iniquitousness of the Internet.

Regardless of how the development of the IoT plays out in the months and years to come, or what specific plans organizations have for deploying related projects, there will clearly be security implications. IT and security executives might want to start thinking about the security aspects of IoT today, even if they have no immediate plans to link objects via the Internet.



Wednesday, 16 October 2013 14:42

Insider Threats and How They Can Be Mitigated

Any employee with access to sensitive data is a potential threat, whether they know it or not. Even if they don't have malicious intentions, the inherent nature of their privilege is what makes them so dangerous.

By Grant Hatchimonji

CSO — Any employee with access to sensitive data is a potential threat, whether they know it or not. Even if they don't have malicious intentions, the inherent nature of their privilege is what makes them so dangerous.

Vormetric recently published its 2013 Insider Threat Report exploring the very nature of these dangers while also tallying the results of a survey it conducted over two weeks in August of this year. The numbers, which were tabulated in September, indicated the responses from 707 IT professionals to questions regarding insider threats and they choose to combat them. Needless to say, the pervasive theme of the survey results was that insider threats are a very serious concern to just about everyone.



Wednesday, 16 October 2013 14:41

Plan to fail for better security and continuity

Tom Davison looks at how failures can be used to boost security and help business continuity: if approached in the right way.

We’ve all heard the old saying: “If you fail to plan, you’re planning to fail.” Of course, it’s true: and from a security viewpoint, it’s also interesting to turn the cliché on its head. Shouldn’t a major part of any robust IT security strategy be about planning to fail? About preparing for the ‘what if’ scenarios that can disrupt normal business operations, and attempting to mitigate the potential impact of those disruptions?

A majority of businesses already do this to some extent, by performing regular vulnerability scans and penetration tests on their networks. But all too often these tests will look only at issues such as vulnerabilities on Internet gateways, systems with out-of-date patches or the presence of malware. They don’t include other security problems that are just as capable of causing outages, failures and damage – such as DDoS attacks, phishing attempts and more – which almost always strike seemingly at random and unexpectedly.

So how do you widen the scope of your security planning to ensure you’ve covered all the outage and security scenarios that could have a catastrophic effect on your business?



The Business Continuity Institute has published the shortlist for its annual Global Awards, which will be presented at a ceremony on 6th November in London.

The BCI Global Awards ‘recognise the outstanding achievements of business continuity professionals and organizations worldwide and pay tribute to some of the finest talent in the industry’.

The shortlist for the BCI Global Awards is as follows:

Business Continuity Consultant of the Year

  • Louise Theunissen MBCI
  • Thomas Keegan MBCI, Director of Business Resilience, PwC
  • Saul Midler MBCI, Managing Director, LINUS Information Security Solutions
  • Muhammad Ghazali MBCI, Head of BCM Services, Protiviti
  • Pierre Wettergren AMBCI, Senior Consultant, 5G Continuity AB

Business Continuity Manager of the Year

  • Millington Gumbo MBCI, Head of BCM, Standard Bank
  • Arnab Kumar Mukherjee MBCI, Business Continuity Manager, Colt Technology Services India Pvt. Ltd.
  • David Clarke MBCI, Business Continuity Manager, Telefónica UK Limited
  • Neyaz Ahmed MBCI, Ag. Director – Business Continuity, Etihad Etisalat - Mobily
  • Tom Clark MBCI, Director of IT Business Continuity Management Services, Liberty Mutual Insurance
  • Elaine Tomlin MBCI, Business Continuity Manager, Certus
  • Abdulrahman Alonaizan MBCI, Business Continuity Manager, Arab National Bank
  • Nisar Ahmed Khan MBCI, Manager – Business Continuity Management, Kuwait Finance House

Business Continuity Team of the Year

  • BT
  • Orion Group
  • Standard Life plc

Public Sector Business Continuity Manager of the Year

  • Glen Redstall CBCI, Manager, Business Continuity & Emergency Management, Inland Revenue
  • Mary-Ellen Lang MBCI, Resilience Manager, The City of Edinburgh Council
  • Brian Duddridge MBCI, Business Continuity Manager, Welsh Government
  • Alan Jones MBCI, Head of Resilience & Emergencies, West Sussex County Council

BCM Newcomer of the Year

  • Akintade Ayelomi AMBCI, Senior Manager, Business Continuity Management, MTN Nigeria (MTNN) Communications Limited
  • Andrew MacLeod AMBCI, Consultant, Needhams 1834 Ltd
  • Maan Al Saqlawi, Head of BCM, Bank Muscat
  • Nicola Huxley, Security Risk and Resilience Manager, British-American Tobacco (Holdings) Limited

Business Continuity Innovation of the Year (Product/Service)

  • Blue Zoo
  • Fusion Risk Management, Inc.
  • Vocal Ltd
  • Everbridge

Business Continuity Provider of the Year (BCM Service)

  • NCS Pte Ltd
  • Continuity Shop
  • SunGard Availability Services

Business Continuity Provider of the Year (BCM Product)

  • IBM
  • LINUS Information Security
  • eBRP Solutions Network, Inc.

Most Effective Recovery of the Year

  • Etihad Etisalat - Mobily
  • NHS Blood and Transplant
  • Citi
  • NCB Capital

Industry Personality of the Year

  • Abdulrahman Alonaizan MBCI
  • Richard L. Arnold
  • Tim Janes MBCI
  • Mark Penberthy FBCI
  • Iain Taylor (Hon) FBCI

More details.

Daniel Dec
Cognizant Technology Solutions

The answer to that question is 'yes' - security and business continuity are a good fit and my reasons for this are based on observations and experiences over my career, along with some research evidence to support my position. My reasons can be summarised under five broad headings and these are:

Availability, core in security and BC
The definition of Information Security focuses on three main principles - confidentiality, integrity and availability. It is the availability part of this triad that illustrates the close relationship that BC has with security. Computerized information is only of value if it is available when needed. The concepts and objectives of BC support the availability of Information Security. In addition, there is more relevance as the need for high availability has increased which we will talk more about in a future section.



Controlling costs and improving clinical outcomes for injured workers are among the top priorities for workers' compensation payors. As the cost of medical care continues to rise and as the proportion of medical expense in the overall claim increases, a pharmacy benefit manager (PBM) is often looked upon to interject; lending insight and assistance to control pharmacy utilization and cost.


Add to FacebookAdd to TwitterAdd to LinkedInWrite to the EditorReprints

Today's workers' compensation claims environment requires a PBM to provide pharmacologic expertise, a robust network and service excellence while melding together the characteristics of analyst, clinician, processor, service representative, problem solver, educator, mentor, advocate, investigator, researcher and partner into one solution.

For even the most experienced this can be quite a challenge. Progressive Medical, however, is one PBM rising to the occasion.



Tuesday, 15 October 2013 13:21

Stretching Risk Management


Visit the offices of progressive, safety-minded construction companies these days and you'll see each and every employee -- management level and otherwise -- stretching, bending and reaching before starting the workday.

    In an industry where strains and sprains are by far the most frequent and costly injuries -- followed by falls, which are less common but more severe in terms of the damage -- more and more construction professionals have adopted a "stretch and flex" regimen to minimize on-the-job hazards.

    To protect their bottom lines, they need to. In some regions of the country, New York City in particular, some insurance carriers have found the workers' compensation market for construction so troubling they have withdrawn from it altogether. Contractors have taken on more retentions and are much more vigilant about safety as a result.



    IT is at the heart of most business today. Whether it’s in marketing systems and CRM, design software applications, production line automation or finance and accounting, if the information technology being used breaks down, so do business operations. Conversely, when service from the IT department is defined in terms of the business objectives of the organisation, business continuity can be positively reinforced. ITIL (IT Infrastructure Library) and ITSM (IT Service Management) both take business goals as the starting point for defining and implementing levels of IT service. How then do ITIL and ITSM compare and what are their roles in helping to improve business continuity?



    Early in the summer, I noticed quite a few social media intern positions on some of the online job boards. Although I could see how it would make sense to some companies to get their feet wet in social media without spending much money, it gave me shivers to think that a solid business with good community standing might turn over its public media strategy to a kid whose only social media expertise was tweeting and Facebooking with friends.

    And apparently I’m not alone in my fears. I’ve read several articles that warn SMBs to not hire interns to take on social media—or at least not to hire them to be the sole voice of your company’s social media campaign.

    Although the younger crowd is quite familiar with the ins and outs of most social media platforms, it’s mostly what they aren’t yet familiar with that counts the most—your company’s relationship with its customers. I’m not saying that young men and women of college age have no understanding of business or marketing. What I am saying is that it often takes months or even years for a new employee to learn the real inner workings of a business and its marketing needs. Interns sign on for only a few months. By the time he or she begins to get into the groove, it’s time to move on.



    Tuesday, 15 October 2013 13:18

    Is Big Data Really a Problem?

    Only 8 to 10 percent of organizations have actually spent any money or time building Big Data applications or systems, according to a recent article in Datanami. But does that mean we’re all being conned about the growth of Big Data?

    Probably not. Even though that 8 to 10 percent figure was consistent when Datanami looked at surveys by Gartner, The Data Warehouse Institute (TDWI) and data integration vendor Talend, that particular statistic offers only a small view of the Big Data picture.

    As the article goes on to explain, there are other reasons to believe Big Data is still a major issue for organizations. In fact, the same Gartner study also found 64 percent of respondents either are investing or have plans to invest in Big Data technology this year. Other surveys show similar results.



    October, as you may know, is Cyber Security Awareness Month. The event is sponsored by the Department of Homeland Security, which means that Cyber Security Awareness Month is affected by the government shutdown.

    Luckily, the event has taken off since its inception and other organizations are instituting cyber security awareness programs. That’s the great news. The not-so-great news is the shortage of “cyber warriors” to stand on the front lines of cyber security.

    I’ve written about this security professional shortage before, of course. Even as more universities are stepping up cyber security education programs, there is still a lack of good, trained security professionals in the private sector – and even fewer in the public sector. As SourcingFocus.com put it:



    Tuesday, 15 October 2013 13:05

    Florida Looking for NFIP Alternatives

    Last week, Florida Insurance Commissioner Kevin McCarty announced that his office is in the process of developing guidelines for insurance companies to request approval to write primary flood insurance in the state. This announcement came just one day after Rebecca Matthews, McCarty’s deputy chief of staff, told the Florida Senate Banking and Insurance Committee that the Florida Office of Insurance Regulation (FLOIR) was in talks with various insurance companies regarding writing primary flood coverage in the state. These developments are in response to continuing concerns about escalating flood insurance rates due to the Bigger-Waters Act of 2012.

    The Biggert-Waters Act of 2012 extended the National Flood Insurance Program by several years while also putting in place several reforms meant to make the program more solvent. One of those reforms was a phasing in of actuarial flood insurance rates over time. For many the increased premium will be significant, if not severe. In Florida, the biggest hit will be to homes built prior to 1974 in high risk flood zones. At last week’s hearing it was reported that some of those homes could see rates rise from $500 to $16,000. Current owners of those properties will continue to receive subsidized rates, but those subsidies will discontinue once the property is sold thus hindering the Florida real estate market.



    NEW DELHI — India breathed a sigh of relief Sunday as assessment teams fanned out across the eastern part of the country in the wake of the biggest storm in 14 years and found extensive property damage but relatively little loss of life.

    The state news service, Press Trust of India, reported that 23 people died as a result of Cyclone Phailin, most from falling trees or flying debris.

    Many had predicted a far higher death toll from the storm in this country of 1.2 billion people, where crisis management, regulation, planning and execution are often inadequate and thousands lose their lives each year to natural disasters, building collapses, train accidents and poor crowd control.



    So how do you influence decision making as a compliance professional? That topic was explored in a session at this year’s Society of Corporate Compliance and Ethics (SCCE) annual Compliance and Ethics Institute by presenters Jennifer O’Brien, Chief Medicare Compliance Officer for UnitedHealthcare Medicare & Retirement and Shawn DeGroot, Associate Director for Navigant. They, together with a very participative audience, had some insightful thoughts for the compliance practitioner on “how to get to effective.”

    The single best piece of advice O’Brien said that she had ever received came from the recently retired Chief Compliance Officer (CCO) of Microsoft, Odell Guyton. It was to “be relevant.” Although Guyton used that term in the context of senior management meetings, O’Brien thought it so profound that she applied it to all of her work as a compliance professional. In meetings, you have to know both when to speak up at the relevant times and when to keep quiet.



    Kathleen Lucey
    Montague Risk Management
    The bleeding edge of our profession is now resiliency – not recovery, not continuity. But the most interesting part of this is the analysis of events as they occur: calculating the effects of these events and responding in new and different ways.
    Coupled with detailed current information and analytics engines to help us to understand the impact of events on our markets, our competitors, and our operations, we are now beginning not just to respond faster and better, but to position ourselves to be able to manage improbable, adverse events – sometimes called 'black swans' – to our advantage. We are able to generate additional revenues and/or open new markets for existing products, rather than just minimizing event damages.
    I don’t know about you, but I would like to move to the side of the organization that deals with revenue enhancement – marketing and new product development – and move away from compliance. There is more funding there to get the job done right!

    Kathleen will be discussing this and the issue of resilience within the 'Thought Leadership' stream at the BCM World Conference on Thursday 7th November, starting at 10:35.


    NEW DELHI — A powerful cyclone whose spinning arms engulfed much of the Bay of Bengal weakened Sunday morning as it crashed into India’s eastern coast, flooding homes and roads throughout the region and disrupting electricity and communications.

    The authorities evacuated about 800,000 people, one of the largest such evacuations in India’s history. The storm’s maximum sustained winds, which were approximately 124 miles per hour when the storm made landfall about 9 p.m. Saturday, had dropped to less than half that strength nine hours later.

    At least five people were killed in the coastal city of Gopalpur because of heavy rain and high winds before the storm made landfall, officials said. The storm was expected to drop up to 10 inches of rain over the next two days in some areas.



    I know the Terminator mythology dictates that Skynet is a military system, but personally, I think we might want to keep tabs on IBM.

    Everyone knows about Watson, which topped PC Magazine’s “Five Real Computer Systems That Could Become Skynet” list back in 2011. And we know IBM is putting Watson to work in new, more commercial ways.

    But a recent CMSWire article, “Has IBM Just Changed the Big Data Analytics Market?” only adds to my suspicions.

    IBM announced this week it would offer a new type of Big Data solution — the Accelerated Discovery Lab (ADLab), which is based in IBM’s Almaden facility in San Jose.



    In times of momentous change such as the enterprise is undergoing right now, it is easy to forget that most organizations are still trying to deal with some very mundane issues. Although it has largely dropped off the radar in the trade press, one of the most crucial is the ongoing integration of virtual technology into legacy data infrastructure.

    Server virtualization, in particular, has progressed unabated to the point that it is now the common approach to hardware consolidation and the development of all the software-defined, cloud-ready architectures that are remaking the data center. And yet, we are still struggling with ways to implement virtualization on the server side without overloading resources elsewhere, namely storage.

    This may seem odd, given that the public cloud provides virtually limitless storage for all manner of functions. But the fact remains that those who prefer to keep data in-house need to find innovative solutions to scale storage on par with servers and networking if they are to have any hope of maintaining on-premise infrastructure in support of private cloud deployments. Fortunately, storage can be ramped up in a virtual environment in a number of ways.



    David Clarke
    Telefónica UK

    At Telefónica UK we are proud to be one of the first UK businesses to achieve the international ISO 22301 accreditation for business continuity management. We’ve always worked hard to ensure that all parts of our business are robust. Our business continuity provisions were accredited under the former British standard BS 25999, so the transition to ISO 22301 was a natural one for us.

    Our COO and business continuity champion on the Board, Derek McManus, summed it up nicely when he said: “Achieving ISO 22301 accreditation demonstrates our commitment to providing a reliable, high quality service to our customers. It shows that we have the resources, investment and processes in place to protect ourselves from potential service disruption – minimising the impact on our customers.”



    Friday, 11 October 2013 12:37

    The State of HP, As Told by Meg Whitman

    CIO — HP CEO Meg Whitman provided a financial update this week during the firm's securities analyst meeting. It's a pleasure to see someone like Whitman speak; she prepares properly, articulates her points clearly and has been trained to pace a talk.

    Often the folks giving financial statements seem ill-prepared. One, they don't rehearse enough. Two, edits are being made right up to show time. These are bad practices that distract significantly from the presentation and from the appearance of capability for both the CEO and the firm.



    The first I ever heard of the WhatsApp mobile messaging app was a couple of months ago, when a friend told me she had downloaded it. Two days later, I began getting messages in my inbox telling me that I had voicemail on WhatsApp. Obviously it was spam, since I didn’t have that app installed on any of my devices, but it was an odd coincidence. I warned my friend about the spam, which was loaded with malware. She thanked me profusely; she was using her phone for BYOD purposes as well as personal, and you can imagine the problems that could have ensued.

    As if the malware spam wasn’t enough for WhatsApp’s reputation, the site was one of several sites—including several antivirus software sites—to be hit with a DNS attack this week. As Grayson Milbourne, security intelligence director at Webroot, explained to me in an email:



    A mere 16 percent of companies support full integration between CRM and other business systems, according to a recent survey by Scribe Software.

    The integration vendor annually conducts a State of Customer Data Integration survey. This year, it received 900-plus responses.

    If full integration strikes you as perhaps an over-ambitious goal, the findings are still troubling when you look at just general integration of CRM with any other business systems.



    Friday, 11 October 2013 12:34

    Testing DR/BC: What’s the Point?

    All too often, organizations that do have Business Continuity Plans (BCP) in place rarely test them.  Those that do, go through a typical tabletop exercise.  Organizations that have Disaster Recovery Plans (DRP) generally test them, but why?  I ask why because it has been my experience that the “tests” are an exercise in futility.  I say futility because they are tests to satisfy an audit that prove very little.

    It is kind of like high school in that class you had to take.  It was being audited by the state so the administration made certain to put it on display.  Funny thing was that everyone knew the answers to the questions because they had taken previous tests over the same topics many times. This is what a great majority of Disaster Recovery (DR) tests mimic.



    Friday, 11 October 2013 12:33

    How to Build the Immortal Data Center

    Network World — Orlando -- If your data center is reaching capacity and you're thinking about cracking open the corporate piggy bank to fund a new data center, stop right there.

    By following some simple best practices, you may be able to take your existing data center and retrofit it to last pretty much forever, says Gartner analyst David Cappuccio.

    "If you do it right, there's a good chance you could live in a fairly well designed data center for decades,'' Cappuccio says.

    So, how do you get there? First, you need to identify the goals of the infinite data center. It needs to be energy efficient. It needs to be economical to build. It needs to be able to adapt to new technologies. And it needs to be able to support continuous growth.



    Friday, 11 October 2013 12:32

    7 Top Wishes of IT Project Managers

    CIO — Ah, the joys of being a project manager. From being treated like a servant of management and not being included in key decisions, to having priorities, tasks and deadlines constantly changed on them -- and then being blamed for delays and slipups -- IT project managers have a lot to deal with.But what if project managers could change all that? What if a genie could grant IT project managers three (project-related) wishes? What would project managers wish for?

    CIO.com decided to find out -- and asked IT project managers, If you could have three project management-related wishes, what would they be? Here are the seven most-wished-for items.



    Friday, 11 October 2013 12:31

    A Thorough Guide to IT Security Challenges

    For IT security professionals, the game is to always stay a step ahead of hackers, security standards and governing regulations. The best way to keep on top of everything is research—reading up on the latest threats, vulnerabilities, and secure hardware and software.

    The book “Information Security Management Handbook,” is one detailed source for all things IT security. The integral security topics covered in this book include:

    • Networking
    • Telecommunications
    • Cloud computing
    • Policies and standards
    • Application development
    • Architecture
    • Training

    It goes beyond typical security books and provides detailed practices for many areas for which IT provides security. The intro provides a look at threats and vulnerabilities that have cropped up since the last version of the book and that the publishers predict will pervade IT security for years to come:



    In my previous post about Lionbridge, I wrote about how its enterprise crowdsourcing division is challenging the traditional outsourced services model with “business process crowdsourcing” for the enterprise. This managed crowdsourcing strategy adds governance and high quality to the crowdsourcing approach to provide an alternative that Lionbridge says is in the range of 30 percent cheaper than what traditional business process outsourcers charge. So how does Lionbridge do it?

    According to Dori Albert, Lionbridge’s enterprise crowdsourcing practice manager, it starts with attracting qualified workers for the company’s private crowd. She explained that these workers are thoroughly screened and tested before they’re accepted into the crowd, and that they’re paid an “equitable wage.” I asked Albert if she could quantify what Lionbridge considers to be an equitable wage, and she said it depends on the task:



    Thursday, 10 October 2013 17:46

    Technology Use by MSSPs - CHECK OUT OUR SURVEY

    Technology is essential in any managed security operations center. Technology has come a long way to create an active defense of the enterprise. There are vendors that offer solutions for log management, web application defense, firewall, incident event correlation, and many others. In order to understand the size of the security technology market Forrester and the MSP Alliance are partnering in a survey to look at the managed security functions and the technology MSSPs use to deliver their services. If you are an MSSP or an end-user of these technologies you can complete this survey at:


    For completing the survey you are automatically entered into a contest to win an I-Pad mini. Also for completing the survey you will receive a complimentary copy of the resulting research paper.

    Thursday, 10 October 2013 17:45

    Implementing BCM through complexity

    Thomas Puschnik
    Zurich Financial Services

    Leading a BCM framework in a complex and challenging operating environment is no easy task but one potential key to success is effective relationship management. There are at least two key components to achieving this.

    First is in terms of the BCM workforce. Having a team identity or common purpose, a set of agreed goals and clear roles and responsibilities all help to form the basis of a good team. Going from 'good' to 'great' requires a focus and commitment to building strong trusted relationships and recognising there will be setbacks along the way. This requires strong leadership and the will to take time out to listen and get to know team members and to understand their needs and concerns. This is especially true in regions where languages and cultures differ significantly.



    Privacy and compliance laws are significantly expanding, the need for transparency is increasing and how organizations use and share private information is evolving. All this means the role of  Chief Audit Officer (CAO) is an essential one in many corporate and healthcare organizations. A CAO has several key responsibilities, including conducting a thorough examination of an organization’s business operations, recommending operational efficiencies, ensuring compliance with privacy and security laws such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX) and the various state breach notification laws. And if the organization operates globally, the governance mandate of the CAO grows exponentially as the organization must comply with regional and international privacy and compliance laws.

    Often it becomes the responsibility of the CAO to recommend ways the organization can improve operating efficiencies. As part of making such recommendations,  the officer needs to perform risk assessments, identifying areas where the organization may be vulnerable now or in the future.

    Being able to identify these vulnerabilities quickly and address them is one of several key attributes of an effective chief audit officer. Other key attributes include:



    Thursday, 10 October 2013 17:43

    How to Beat Storage Bottlenecks in a Flash

    CIO — It's difficult to identify and address application performance issues when they're tied to storage I/O bottlenecks, but a company that specializes in data analysis has found a way to eliminate those storage performance roadblocks - it hopes once and for all.

    Pete Koehler, the IT Manager and Virtualization Architect for Tecplot, says his company was looking for a storage acceleration option that didn't involve buying an entirely new array.



    Thursday, 10 October 2013 17:42

    How Not to Be a Victim of Your Own Data Centre

    Nowadays, IT plays a vital role in supporting business functions for many organisations. They depend on their data centres to keep their activities going and to come up with new ideas about how to improve them. However a report by research company IDC (International Data Corporation, 2012) suggests that both business operations and innovation may be compromised in the majority of cases (84 per cent). The issues are mainly data centre power, space, cooling capacity, assets and uptime. The consequences can be degradation in customer service, the need to reverse gears on a key application deployment or other impacts on business continuity.



    It seems that most SMBs have or are considering adopting some sort of cloud computing technologies. Recent surveys, like this State of SMB IT Report from Spiceworks (registration required), have shown that 61 percent of SMBs are using cloud-based technologies in some form within their organizations. But how will this trend play out in coming years?

    A recent report from TechNavio forecasts SMB IT spending market for the next four years. The report indicates that global SMB spending in the IT arena has increased in the sector of cloud technologies. Though deploying cloud infrastructure, it says, is becoming increasingly expensive and could pose a threat to its future growth and adoption by SMBs.



    Thursday, 10 October 2013 17:39

    Big Data, the Cloud and the Exascale Dilemma

    For enterprises looking to build their own private clouds, the rule of thumb is quickly becoming: Go big or go home.

    It’s been clear from the beginning that one of the chief advantages the cloud brings to enterprise data environments is scale. But even the most advanced cloud architecture in the world can only expand so far before it hits the limits of physical infrastructure. That’s why enterprises that have the resources, like General Motors, are doing their best to match the hyperscale infrastructure of Amazon, Google and other top providers. With a big enough physical footprint, they will be able to broaden scalability and flexibility without having to entrust critical data and applications to public resources.

    Naturally, building data infrastructure on a grand scale is not without its challenges. One of the chief obstacles is delivering adequate power to hyperscale, or even exascale, architectures – something the NSA has apparently discovered at its new Bluffdale, Utah, facility. To the joy of civil libertarians everywhere, the plant has been experiencing unexplained electrical surges that have fried components and caused mini explosions. The situation is so bad that insiders are reporting that the center is largely unusable, and even leading experts in the facilities and data fields are at a loss to explain what is going on.



    An earlier blog article by my colleague highlighted the importance of understanding the Causality Chain in effective Incident Management.  Underlying the Causality Chain is the knowledge of the interdependencies of organizational assets which enable the delivery of products and services.

    The same dependency mapping that enlightens the Causality Chain also produces information which, if used properly, can aid both Risk Management and Recovery Strategy planning.  That tool is commonly referred to as a “What-if?” Analysis.



    Thursday, 10 October 2013 17:37

    Lessons learned from a cloud evaporation

    Computerworld - Cloud capacity provider Nirvanix croaked recently, giving clients two weeks to get their data out of there. I estimate that most clients would require two months or more to accomplish this. Some need two years. There is physics involved, unfortunately. The "Beam My Data Up" feature turns out to be fictitious. Go figure.

    If you never contracted with Nirvanix, it's easy for you to think, "Well, serves them right for using a little startup. I would never do that!" Think again. IBM and HP resold Nirvanix. They put a lot of customers on that cloud.

    Fortunately for many Nirvanix customers, it may not be catastrophic if they can't get their data out. The cloud provider mostly handled fixed file content, and 99% of the data was non-transactional -- and not the only copy. It was mostly cold storage. Nonetheless, some customers are screwed. And all will suffer in one way or another.



    Wednesday, 09 October 2013 13:54

    The Top 10 IT Altering Predictions for 2014

    Gartner analysts today whipped out their always interesting and sometimes controversial look at what the consultancy thinks will impact the IT arena in the near future.

    By Michael Cooney

    Network World — Gartner analysts today whipped out their always interesting and sometimes controversial look at what the consultancy thinks will impact the IT arena in the near future.

    Some of the technology trends are not new The so-called Internet of Things and cloud computing for example, but there are some hot new areas A like 3D printing and Software Defined Networking that will be making an impact on IT sooner rather than later.

    These changes are due in no small part to the fact that by 2020, there will be up to 30 billion devices connected with unique IP addresses, most of which will be products. "This creates a new economy. Gartner predicts that the total economic value add for the Internet of Things will be $1.9 trillion dollars in 2020, benefiting and impacting a wide range of industries, such as healthcare, retail, and transportation."



    Wednesday, 09 October 2013 13:53

    The return on investment of a BCM programme

    Rainer Hübert
    HiSolutions AG

    When will the investment for a BCM programme pay off? Most people think that the only correct answer is when a damage scenario has taken place. Hopefully then an effective BCM programme will reduce an otherwise much more costly, or even possibly fatal financial impact to a bearable amount. Then, and only then, will the investment in BCM be paid off – just like insurance policy.

    In our finance driven business world however, investment in BCM needs to be justified in financial terms, unless a BCM programme is forced upon an organization by its clients or by regulatory authorities.



    Wednesday, 09 October 2013 13:52

    Downtime, data loss and natural disasters

    As the anniversary of Hurricane Sandy approaches, a Carbonite survey has found that most small businesses in the affected area are not prepared for the next disaster.

    The survey, conducted by Wakefield Research, found that more than 40 percent of small businesses in the tri-state area hit by Superstorm Sandy last October (NY, NJ, and CT) think it's likely they will be impacted by a natural disaster in the next year, and that only 22 percent feel they are ‘very prepared’.

    Downtime and data loss caused by natural disasters can be detrimental to any small business. On average, survey respondents said it would take 16 days to recreate or recover their files – and nearly a third said they would never be able to recover or recreate all of their important business data if it was lost.

    In addition to lost time, data loss can hit a small business where it hurts – their bank account. Carbonite found that on average, small businesses would lose $2,976 per day if they were unable to operate. This means the average small business could lose a devastating $47,616 over the 16 days it takes them to recover their data.



    HP has published the results from a study conducted by the Ponemon Institute, indicating that the cost, frequency and time to resolve cyber-attacks continue to rise for the fourth consecutive year.

    Conducted by the Ponemon Institute and sponsored by HP Enterprise Security Products, the 2013 Cost of Cyber Crime Study found that the average annualized cost of cybercrime incurred by a benchmark sample of US organizations was $11.56 million, representing a 78 percent increase since the initial study was conducted four years ago.

    The results also revealed that the time it takes to resolve a cyber-attack has increased by nearly 130 percent during this same period, with the average cost incurred to resolve a single attack totalling more than $1 million.

    Key findings from the 2013 study include:




    I love it when technology people start to focus on a new area, because they always seem to offer a fresh view, even when the topic is well dissected. I think that’s one reason why tech is known for lowering costs in all industries, except one: health care.

    MIT Technology Review recently published an excellent package, “A Cure for Health-Care Costs.” At the heart of the articles is this question: Why is it that technology raises the costs of health care, rather than lowering it, and how can we change that?

    “Computers make things better and cheaper. In health care, new technology makes things better, but more expensive,” quips Jonathan Gruber, an economist at MIT who leads a heath-care group at the National Bureau of Economic Research, in one article.



    SDN benefits include automating and easing network administration duties and improving application performance. But it also introduces a number of potential threat vectors into your environment. What should you know before you invest in SDN?

    By David Geer

    CSO — Software defined networking (SDN) moves networking from hardware to the software plane, under management of a software controller. Benefits include automating and easing network administration duties and improving application performance. As a new technology, SDN is subject to vulnerabilities.

    But with SDN, the industry knows certain vulnerabilities are native to the approach. First, according to Chris Weber, Co-Founder, Casaba, centralizing control in an SDN controller removes protective, layered hardware boundaries such as firewalls. Second, according to Gartner analyst Neil MacDonald, by decoupling the control plane from the data plane, SDN introduces new surface areas such as the network controller, its protocols and APIs to attack.



    Wednesday, 09 October 2013 13:41

    Cloud And Cloud Security – Get Rid Of The Box

    by Edward Ferrara

    Peter Kujawa CEO of Locknet, Steve Tallent from Fortinet, and I were speaking at the recent  Conference in San Jose, California about the cloud revolution. Steve was interested in the conversation because Fortinet is now offering virtualized versions of their Fortigate UTM solution. Peter was interested because his business is built on taking the pain away that platform management entails. Obviously security intersects both of these worlds.

    We discussed the changes cloud computing was making to the MSP/MSSP markets and the differences between the SMB and enterprise businesses and what motivates them to consider the cloud IaaS, SaaS, and PaaS model.

    Peter talked about one of his clients – a smaller client – that managed their business from a small server stashed in the closet of their offices. Peter’s company offered to replace the box with a cloud-based system that took over patching, updates, and maintenance for the system for a simple monthly fee. The client would access their applications via the Internet.  The risk to this business was huge for so many reasons. The customer leapt at the chance to get rid of the box.



    by Hilary Tuttle

    In an interview for this month’s issue of Risk Management magazine, lawyer and social media specialist Adam Cohen cautioned businesses that the risks of social networking sites extend beyond explosive posting faux pas.

    “In most cases, corporations don’t realize that what they put on these social media services is all subject to the privacy policies and terms and conditions of the services,” said the eDiscovery expert and author of Social Media: Legal Risk and Corporate Policy. “Those provide a shocking amount of access by the social media services where they may take your data.”

    As Twitter prepares for its much-anticipated IPO, the social media giant has released a torrent of information on its financial standing and practices. One of the most important tidbits for users concerns the site’s lesser-known side-business: data mining. In the first half of 2013, Twitter made $32 million by selling its data—namely, tweets—to other companies, a 53% increase from the year before.



    by Renee Murphy

    Outside of Tempe is a place called Sahuarita, Arizona. Sahuarita is the home of Air Force Silo #571-7 where a Titan missile, that was part of the US missile defense system and had a nine-megaton warhead that was at the ready for 25 years, should the United States need to retaliate against a Soviet nuclear attack.  This missile could create a fireball two miles wide, contaminate everything within 900 square miles, hit its target in 35 minutes, and nothing in the current US nuclear arsenal comes close to its power. What kept it secure for 25 years? You guessed it...four phones, two doors, a scrap of paper, and a lighter. 

    Photo Credit: Renee Murphy

    Technology has grown by leaps and bounds since the cold war. When these siloes went into service, a crew supplied by the Air Force manned them. These men and women were responsible for ensuring the security and availability of the missile. Because there was no voice recognition, retinal scanning, biometric readers, and hard or soft tokens, the controls that were in place were almost entirely physical controls. All of the technology that we think of as keeping our data and data centers secure hadn’t been developed yet. It is important to note that there was never a breach. Ever.



    David Hawkins
    Institute for Collaborative Working

    Over the past three decades the sourcing programmes and supply chains have increased exponentially not simply in terms of commodities and products, but also in a wider variety of outsourcing and service propositions. These extended networks have now bridged the traditional boundaries between organisations and in doing so introduce a significant spectrum of risk to business continuity and reputation. At the same time the implications for both natural and manmade disasters highlights the interdependence of companies of all sizes and in all sectors. Reliance on these extended relationships to deliver business performance raises the prospect that resilience and business continuity is no longer simply an internal issue for companies and prompts consideration for a much greater awareness in the identification of risk, selection of suppliers and increased focus on collaborative working and the capability of third parties to jointly perform when necessary.



    Wednesday, 09 October 2013 13:10

    Lesson from a doctor

    According to an article in the San Antonio Express-News’ mySA site heded Poor penmanship costs doctor $380,000, “A local physician whose illegible handwriting led to the fatal overdose of an elderly patient was ordered by a civil court jury Thursday to pay $380,000 in damages to the woman's family.”

    While most Enterprise Risk Management (ERM) and Business Continuity/COOP practitioners eschew the pen in favor of a keyboard, the point of the article, at least as this practitioner sees it, is the necessity to make certain the audience gets the correct message.

    It is not the audience’s job to try to interpret the practitioner’s words; it is the practitioner’s job to communicate to the audience in a manner the audience comprehends.

    By the way, the operative word is “comprehend,” not “education” or “position.” Neither necessarily equates to comprehension of a specific subject.

    According to the San Antonio paper, the doctor “changed his mind about the dosage, intending to increase it (from 10) to 20 millamoles(NB), testimony during the weeklong trial indicated.

    “However, instead of scratching out the original amount on the form or starting over, he attempted to write a “2” over the “1,” the doctor acknowledged.



    Tuesday, 08 October 2013 15:58

    Dell Creates Virtual Storage Blend

    When it comes to data storage, the less IT organizations have to think about it the happier they are. That’s the guiding principle behind a hybrid approach to data storage that spans magnetic disks and multiple types of solid-state drives (SSDs) that is being pursued by Dell.

    To bolster that strategy, Dell today announced that is offering a Flash optimized storage system that is priced less than 15K magnetic disk systems. In addition, Dell has developed a 5U rack capable of holding 336TB of magnetic disk storage.

    According to Bob Fine, senior product marketing manager for Dell Storage, these two announcements highlight an effort by Dell to bring Flash storage to IT organizations at a cost they can afford, while making management of that storage seamless. To achieve the latter goal, when data is first stored on a Dell Compellent system, it is automatically deposited on an SSD based on multi-level cell (MLC) technology that is optimized for enterprise applications. As usage of the data declines, the data is then automatically moved to less expensive single level cell (SLC) SSDs. If it’s not used for an additional period of time, the Dell Compellent array will automatically move that data to magnetic storage.



    Tuesday, 08 October 2013 15:55

    Maintaining Some Professional Distance

    Do you know your coworkers’ hometowns? Their favorite colors? Their current level in Farmville? If you answered “yes” to all three questions, there may be a very serious management concern here. More and more studies show that rather than creating tighter bonds, the intensifying drumbeat of social media is actually driving us further and further apart.

    A University of Birmingham (UK) researcher has gone so far as to suggest (in an extensive study) that the image-happy individuals among us actually harm personal and professional relationships with each new image they post (see “Tagger’s Delight? Disclosure and Liking in Facebook: The Effects of Sharing Photographs Amongst Multiple Known Social Circles“). And it’s not just that we’re getting to the point of annoyance with those who overpost. A University of Michigan study posits that the more time we spend in social media, the more depressed about our relationships we become (see “Social Relationships and Depression: Ten-Year Follow-Up from a Nationally Representative Study“).



    Since the financial collapse of 2008, new banking regulations have been put into place to prevent a similar crisis from reoccurring.  With these new regulations, banks are re-evaluating the way they enforce governance, risk and compliance (GRC) processes.  The purpose of GRC is to help these institutions identify and protect against unknown risks, monitor practices more closely and improve their overall operations.

    While an effective GRC strategy benefits the financial institution by helping saving both time and money, the challenges associated with implementing GRC can often seem overwhelming.  GRC entails changing the processes an organization is accustomed to, and as we all know, change is not easy to embrace.  As such, GRC implementation can present challenges, such as adapting the new processes and re-training the employees to do the same, leading to a new learning curve for the entire organization.  As a first step, it is important for banks to fully understand the new regulations and their impact before changing their processes. Incorrect interpretations of these new regulations can lead to confusion and even reputational damage in some instances.



    Tuesday, 08 October 2013 15:53

    Reputation becomes the top strategic risk

    Company reputation and the fallout from reputational damage are the highest priority strategic risk for large companies, according to the results of a global survey report by Deloitte.

    Reputational risk was ranked third among strategic risk concerns three years ago, according to companies surveyed. Also back in 2010, brand and economic trends were identified by senior executives as the key strategic risks, though both have fallen since. In some industry sectors, reputation has risen from outside the top five strategic risk concerns to the top of the list. In the energy and resources sector, for example, reputation ranked only 11th on the list of strategic risks in 2010, though three years later has risen to the top spot.

    The rise of reputation risk as the key strategic risk is mirrored by executives listing social media, which has transformed reputation management as the biggest technology disrupter and threat to their business model. Nearly 50 percent listed this above other technologies such as analytics, mobile applications, and cyber-attacks.

    “The rise of reputation as the prime strategic risk is a natural reaction to recent high profile reputational crises, as well as the speed of digital and social media and the potential loss of control that accompanies it,” explained Henry Ristuccia, Deloitte Global Leader, Governance, Risk and Compliance. “The time it takes for damaging news to spread is quicker, it goes to a wider audience more easily, and the record of it is stored digitally for longer. Even in an environment where economic conditions remain tough and technology threatens business models, this is why companies place reputation at the top of their strategic risk agenda.”



    IDG News Service (Miami Bureau) — A majority of CEOs are failing to steer their companies towards effective use of new computer technologies, which precludes their organizations from making major business improvements.

    That's the conclusion of a new study released Tuesday by the MIT Sloan Management Review and Capgemini Consulting titled "Embracing Digital Technology: A New Strategic Imperative."

    The study was based on a survey of more than 1,500 executives and managers worldwide and its authors sought to examine the concept of "digital transformation," which they define as the use of new digital technologies to trigger significant improvements.



    The big selling point about virtualisation, at least in disaster recovery terms, is the power it gives to handle single points of IT failure. The idea is to distribute applications the right way over a number of servers; then if one physical machine crashes, another one should be available to ensure that applications can continue to run.  However, if virtualisation is simply bolted on in the hopes that this alone will protect an IT installation, then you may be in line for a rude awakening. Virtualisation needs to be deliberately integrated into an overall DR plan.



    A Wall Street Journal article on its Corporate Intelligence page titled A Note to Firefighters: How Not to Extinguish a Flaming Tesla showed a photo of a crumpled Tesla with flames coming from beneath the vehicle followed by the following text:

    “In trying to put out that stock-market fire (caused by the accident and fire), Tesla founder Elon Musk has let real-world firefighters know that standard operating procedures aren’t going to work when dealing with a flaming electric luxury sedan. From Musk’s blog post on the incident.”

    According to the blog, “When the fire department arrived, they observed standard procedure, which was to gain access to the source of the fire by puncturing holes in the top of the battery's protective metal plate and applying water. For the Model S lithium-ion battery, it was correct to apply water (vs. dry chemical extinguisher), but not to puncture the metal firewall, as the newly created holes allowed the flames to then vent upwards into the front trunk section of the Model S. Nonetheless, a combination of water followed by dry chemical extinguisher quickly brought the fire to an end.”



    Computerworld — Any IT leader in the mood to complain about excessive regulation should first have a cocktail with Murat Mendi of Nobel Ilac, an Istanbul-based manufacturer of generic pharmaceuticals.

    Mendi, formerly CIO and now general manager of the company, which operates in 25 countries around the world, can talk about the time an overzealous bulldozer operator started excavating the foundation for a new structure next to his company's building without bothering to first confirm what might have been underground. It tore through Nobel's Internet cables, leaving hundreds of employees offline all day.

    Arguably, something like that could happen in Indianapolis too, but there would still be key differences: In Turkey, there aren't many rules or regulations regarding the protocol that should be followed before excavation begins and there are few options for restitution if something goes wrong. "That's part of the culture here," Mendi says. "If something happens, they'll say, 'Oops, sorry,' and move on."



    Tuesday, 08 October 2013 15:47


    DENVER – Volunteers who want to help the Colorado flood recovery efforts are being asked to look carefully before they leap.  Do not just show up in disaster areas hoping to help out; go first to www.HelpColoradoNow.org.

    The Colorado Office of Emergency Management and the Federal Emergency Management Agency (FEMA) urge agencies and individuals to use this website to register what they have to donate and how many volunteers they can provide.

    “Our goal is to coordinate and organize the many volunteer groups that are critical to helping their own communities come through a disaster,” said Robyn Knappe, Human Services Branch director for the Colorado Division of Homeland Security and Emergency Management. “When un-authorized or un-registered volunteers just show up at a location, it often interrupts the organized flow and pre-planned assistance.”

    Knappe explained that the Colorado Volunteer Organizations Active in Disaster (VOAD), FEMA Corps, and authorized volunteer organizations look at these on-line offers and pull what’s needed now from this database to help those affected by the flooding. “This lets us grab from the website and deliver goods or volunteers to the folks that need it most,” she said. 

    Jennifer Poitras, the state’s Volunteer Coordinator Lead, said, “This was a huge disaster. There will be a need for donations and volunteers to work for many weeks, months and even years to help those hit hardest recover. Just don’t get discouraged if you don’t get an immediate reply about your donation,” she added. “This website registration is critical to helping us maintain a coordinated response for a long time to come.”

    Knappe added that many new charities have registered with the authorized Colorado VOAD group lately, “often bringing their national affiliations to help. Citizens and volunteers have been extremely generous—an unprecedented response from citizens and groups statewide.”

    As of mid-September, approximately 52 national and state VOADs had been a part of Colorado’s disaster response and recovery operations. In that time, just five of these agencies reported nearly 100,000 volunteer hours valued at more than $2 million.  “It’s been a massive response from our existing volunteer agencies,” Knappe said.  “And new charities joining the authorized VOAD network have made a huge difference in our outreach efforts.


    By Eric Thomas

    Employees that expect federal paychecks, veterans that need benefits, impoverished families that rely on government programs, and federal CIOs that are mandated to meet the IT demands of a diverse stakeholder community are all adversely affected by the U.S. government shutdown.

    Of course, federal CIOs do not engender the most sympathy from the public or garner the most press coverage when it comes to the government shuttering many services. In fact, they might not receive any public sympathy and I have yet to see any mention of the plight of federal CIOs on CNN. But that is all the more reason they, and their staff, must be aptly prepared. The following is a list of seven things each federal CIO should understand about the government shutdown. Of course, many of these items are applicable to any CIO or IT leader who has to deal with business continuity, disaster recovery and other unexpected crisis situations.



    As I set out to write my column this month, I popped over to the NIST website to check some facts. The National Institute of Standards and Technology publishes security standards and guidelines for the U.S. government in its "800 series," and they are generally useful in the private sector as well. I visit the NIST website occasionally to check the facts on topics ranging from encryption algorithm lifespans to risk assessment methodology. But this week, the NIST website has been taken down due to the U.S. government shutdown.

    The NIST website is displaying a maintenance page saying, "Due to a lapse in government funding, the National Institute of Standards and Technology (NIST) is closed and most NIST and affiliated web sites are unavailable until further notice. We sincerely regret the inconvenience." I hope they do, because a lot of professionals rely on information provided by government agencies.

    This is a somewhat jarring experience. I hadn't realized the government affected my daily life in any meaningful way, but now that the documents I'm looking for are not available to me, I'm starting to wonder what preparations I should have made to account for this situation. In fact, I'm thinking like a business continuity planner.



    Risk groups produce tons of pertinent information that can be used by portfolio managers to generate superior returns, says a recent report from Woodbine Associates.  Yet, because risk management is often viewed purely for control or regulatory purposes, a lot of great information that is produced is simply overlooked and wasted.

    Risk management groups that calculate VaR for regulatory and/or control purposes also produce a host of timely information that could benefit groups charged with investment return generation, writes Jerry Waldron, director of risk and portfolio analytics at Woodbine. “But in firms that treat risk management as a control function, this information is walled off from the investment process.  The result is missed opportunities – day after day after day.”

    The risk management function aimed at regulation misses the upside opportunity in its focus on potential loss, he added.



    My last post opened the topic of cyber security for small business owners – what to worry about and when?  This post is going to focus upon Spear Phishing.   I asked for the help of one of our information security specialists, Scott “Shagghie” Scheferman to help with the technical details for this post. Spear phishing differs and is more serious than a simple phishing attach in that it is targeted either at a group, or worse, at the recipient specifically. Spear Phishing is an attack typically carried out via a targeted email sent with either a malicious attachment or with a link to a malicious website.  Most of our readers also know this is a bad thing, and that one shouldn’t click on links in emails sent from people the reader don’t know or trust.  A targeted and elegant spear phishing attack, however, is designed to bypass all of the conditioned barriers a typical user has to the “noise” on the Internet.

    To truly protect yourself from spear phishing attacks, it is critical to understand what happens both before and after the nasty email in your inbox got there, and what happens when someone in your organization falls prey.  Having better insight into the attack from cradle to grave is itself a part of defending your organization.



    NASA and the U.S. Department of Homeland Security are collaborating on a first-of-its-kind portable radar device to detect the heartbeats and breathing patterns of victims trapped in large piles of rubble resulting from a disaster.

    The prototype technology, called Finding Individuals for Disaster and Emergency Response (FINDER) can locate individuals buried as deep as 30 feet (about 9 meters) in crushed materials, hidden behind 20 feet (about 6 meters) of solid concrete, and from a distance of 100 feet (about 30 meters) in open spaces.

    Developed in conjunction with Homeland Security's Science and Technology Directorate, FINDER is based on remote-sensing radar technology developed by NASA's Jet Propulsion Laboratory in Pasadena, Calif., to monitor the location of spacecraft JPL manages for NASA's Science Mission Directorate in Washington.



    The latest research suggests that the Pacific Northwest may get slammed by a giant, coastal earthquake of magnitude 8 to 9 every 250 years on average — and it's been 313 years since the last one. Earthquakes may be unpredictable — but they are also inevitable. Here are some tips to help you get ready before the next one hits. Read the story for more.

    By Kelly Shea

    The Seattle Times


    Create a family emergency plan

    • Hold a home evacuation drill.
    • Choose a nearby meeting place.
    • Have a plan for reuniting.
    • Anticipate transportation failures.
    • Designate an out-of-state relative to be a check-in contact for everyone.
    • Mobile apps, like the Red Cross’ earthquake app, can allow family members to communicate.
    • Keep photos of family members and pets in your wallet, in case they turn up missing.
    • Text messages often go through when phone service is down.



    You know the adage. For want of a nail, the shoe was lost, triggering a chain of events that leads to much greater debacles. For want of a nail, ultimately, the kingdom was lost.


    Traders work on the floor of the New York Stock Exchange on October 1, 2013 in New York City. (Spencer Platt/Getty Images)

    That’s a great lesson in leverage—how the removal of one small, seemingly insignificant item can trigger much larger consequences. It’s also a great metaphor for the way in which the government shutdown is affecting the economy.

    Fox News may tell its audience that the shutdown is in fact a “slimdown.” Talking points may hold that the only federal employees furloughed are nonessential—useless, unproductive bureaucrats—so the effect on the private sector will be minimal. If you see the private sector as something that operates largely independent of government—a bunch of heroic entrepreneurs running around and getting things done as bureaucrats, politicians, and regulators try to hold them down—this view makes complete sense.



    Monday, 07 October 2013 15:37

    Promiscuous Authentication

    A growing number of customers use a single NetScaler Gateway virtual server to access XenApp/XenDesktop/XenMobile delivery controllers residing in multiple domains in the corporate network. One of the reasons might be that StoreFront, different to Web Interface, requires domain membership – so when you use Single Sign-On with NetScaler Gateway you need to know to which StoreFront cluster to direct users after a successful authentication at NetScaler.

    While the NetScaler 10.1 allows group extraction to map authentication to session policies (see https://www.citrix.com/content/dam/citrix/en_us/documents/downloads/netscaler-adc/Citrix%20NetScaler%2010.1%20Release%20notes.pdf), currently there are two ways to use multiple authentication policies with a single NetScaler Gateway vServer.



    Heavy Rains and Flooding Possible in Some Areas

    WASHINGTON – The Federal Emergency Management Agency (FEMA), through its national response coordination center in Washington, D.C. and its regional offices in Atlanta, Ga., and Denton, Texas remains in close coordination with states potentially affected by Tropical Storm Karen.  According to the National Weather Service, tropical storm conditions are expected along areas of the Gulf Coast as early as this afternoon and into Sunday.

    “Residents along the Gulf Coast are encouraged to continue to monitor local conditions and follow the direction of local officials,” said FEMA Administrator Craig Fugate.  “As the storm continues to move toward land, residents may begin to experience strong winds and flooding. Remember that conditions can change with little or no notice.”

    Based on applicable legal requirements and consistent with its contingency plan, FEMA has recalled currently furloughed employees necessary to serve functions of the agency that protect life and property as they prepare for potential landfall of Tropical Storm Karen.

    FEMA has recalled staff necessary to deploy four incident management assistance teams (IMAT), including a national incident management assistance team (IMAT), to potentially affected states. Each IMAT is supported by its defense coordinating element staffed by the Department of Defense.  Liaison officers are currently positioned in emergency operations centers in Alabama, Florida, Louisiana, and Mississippi to assist with the coordination of planning and response operations. Additional teams are on standby and available for deployment as needed and requested.

    FEMA Administrator Craig Fugate spoke with Alabama Governor Robert Bentley, Florida Governor Rick Scott, Louisiana Governor Bobby Jindal, and Mississippi Governor Phil Bryant this week about ongoing efforts to prepare for Tropical Storm Karen. Fugate reiterated that Gulf Coast states have the full support of FEMA and the rest of the federal family in advance of the storm making landfall. Fugate’s calls were preceded by outreach from FEMA’s Regional Administrators to emergency management officials in potentially impacted states.

    According to the National Weather Service, a tropical storm warning remains in effect from Morgan City, La. to the mouth of the Pearl River. A tropical storm warning means that tropical storm conditions are expected within 36 hours.  Also, a tropical storm watch remains in effect for metropolitan New Orleans, Lake Maurepas, Lake Pontchartrain and from east of the mouth of the Pearl River to Indian Pass, Fla. A tropical storm watch means that tropical storm conditions are possible, generally within 48 hours.

    Severe Weather Safety and Preparedness Tips for Potentially-affected Gulf Coast areas:

    • Have important supplies ready to sustain you and your family, if needed. This includes water, a battery-powered radio, flashlight, extra batteries, cell phone charger, medicines, non-perishable food, and first aid supplies.
    • History shows that storm tracks can change quickly and unexpectedly, so FEMA encourages coastal residents to monitor weather conditions and take steps now to get prepared for potential severe tropical weather.  
    • Tropical storms can bring high winds and heavy rains, so listen to local officials and follow their instructions.

    FEMA, through its regional offices in Chicago, Ill and Kansas City, Mo., also is monitoring the storms affecting and potentially affecting areas of the Central U.S., including portions of Iowa and Nebraska, and has been in touch with state and local officials. FEMA deployed a liaison to the emergency operations center in Nebraska and activated an incident management assistance team (IMAT), positioning the team for immediate deployment should assistance be requested by the states affected.  FEMA continues to stand ready to support the states, as requested.   

    For more information on preparing for hurricanes, severe weather and other natural disasters, and what you can do to protect yourself and your family, visit www.Ready.gov or www.listo.gov. Information regarding emergency preparedness and what to do before and after a disaster can also be found at m.fema.gov or by downloading the FEMA app from your smartphone’s app store.

    Follow FEMA online at blog.fema.gov, www.twitter.com/fema, www.facebook.com/fema, and www.youtube.com/fema.  Also, follow Administrator Craig Fugate's activities at www.twitter.com/craigatfema.



    CIO — Why are pirates called "pirates"? Because they just aaaargh! (OK, my niece told me that one, and it's better when she tells it.) This is a cheesy way for me to say that pirates are a good metaphor for BYOD, because confidential data theft is public enemy number 1 for CIOs setting sail for BYOD.

    In fact, in many of my stories I've described CIOs as navigating BYOD's troubled waters or making a journey to an undiscovered country with dangers lurking at every turn. Truth be told, BYOD is risky business. Here's a slideshow that shows you what I mean: 12 BYOD Disaster Scenarios.

    In July, TEKsystems seemed to agree and created a video called "Navigating Through BYOD: Bring Your Own Device." It touches on a lot of the complex issues CIOs face when implementing a BYOD program, but does so in a very simple way. You're aboard a cartoonish Old World sailing ship embarking on a journey of exploration, one wrought with dangers.



    IDG News Service (Washington, D.C., Bureau) — As a tropical storm and possible hurricane bears down on the Gulf Coast of the U.S., the National Weather Service's website was churning out weather alerts Friday, despite a partial U.S. government shutdown that has affected citizens' access to other online resources.

    The National Weather Service's website, Weather.gov, was one officials deemed as essential after a budget fight in Congress led to a partial government shutdown Tuesday. The website for weather service parent agency, the National Oceanic and Atmospheric Administration, displayed a notice saying it was unavailable during the shutdown.

    "Only web sites necessary to protect lives and property will be maintained," said a message at NOAA.gov.



    WASHINGTON – Federal Emergency Management Agency (FEMA) Administrator Craig Fugate today completed calls with Alabama Governor Robert Bentley, Florida Governor Rick Scott, Louisiana Governor Bobby Jindal, and Mississippi Governor Phil Bryant about ongoing efforts to prepare for Tropical Storm Karen.

    Fugate reiterated that Gulf Coast states have the full support of FEMA and the rest of the federal family in advance of the storm making landfall. The governors did not express any unmet needs at this time. Fugate’s calls were preceded by outreach from FEMA’s Regional Administrators to emergency management officials in potentially impacted states.

    FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

    Follow FEMA online at www.fema.gov/blog, www.twitter.com/fema, www.facebook.com/fema, and www.youtube.com/fema.  Also, follow Administrator Craig Fugate's activities at www.twitter.com/craigatfema.The social media links are provided for reference only. FEMA does not endorse any non-government websites, companies or applications.


    Prompting readers at The Wall Street Journal to comment that he may be making the situation more precarious, Steven VanRoekel, U.S. CIO, said this week that he is worried about the U.S. federal government shutdown’s effect on cyber security within the government’s systems. VanRoekel describes a multi-layered series of consequences, in which he is unable to even determine definitively which employees in which departments may be designated exempt from furlough. Agencies, other than the Department of Homeland Security, says VanRoekel, are running on “skeleton crews” and would have to call in staff should an emergency occur – a time-consuming process in itself.

    While it seems unlikely that his comments would alert any cyber terrorists or hackers to a situation that has been leading the news for weeks, the cascading effects are becoming more widely known.



    Monday, 07 October 2013 15:32

    Data Quality for the Rest of Us

    By now, most of us are familiar with data quality “best practices.” Involve the business user. Correct the source. Establish data governance.

    It sounds great—but it often falls flat in the real world. Why?

    It’s too difficult, states Lyndsay Wise, president and founder of the independent research and analysis BI firm, WiseAnalytics.



    Monday, 07 October 2013 15:30

    Climate Change Report Causes Alarm

    by Caroline McDonald

    New findings on climate change, establishing it as a manmade phenomenon, are garnering attention from the insurance industry, which recommends immediate action.

    The Intergovernmental Panel on Climate Change’s (IPCC) newest report  ”clarifies what businesses and investors already know, that climate change is happening now and human activity is the dominant reason why,” Mindy Lubber, president of CERES, a nonprofit organization that works with insurers and investors said recently on a conference call. “Climate change is disrupting all aspects of our global economy, including supply chains, commodity markets and the entire insurance industry, which is seeing exponentially large losses from extreme weather events.”



    Posted by: Lars Anderson, Director, Public Affairs

    nrcc staff work at desks
    Caption: October 4, 2013 - Staff work in FEMA's National Response Coordination Center in Washington, D.C. in response to Tropical Storm Karen.

    FEMA is preparing and coordinating with our partners for Tropical Storm Karen and the severe weather threat for the Central U.S. We’re encouraging those in the Gulf Coast and Central U.S. states to take time to make sure they’re getting prepared.  Here are some steps you can take today to prepare for any severe weather threat, including tropical storms, damaging winds, and severe thunderstorms:

    • Finish reviewing your family’s emergency plan (include your kids, too).  Plan for scenarios such as how you’d stay in touch during a storm, where you could meet up in the event of an emergency, and who your out of town contact is, should communications become difficult in the impacted areas.
    • Check on your family’s emergency supplies.  Basic supplies include:
      • battery-powered radio
      • flashlight
      • extra batteries
      • cell phone charger
      • medicines
      • non-perishable food
      • first aid supplies.

        red cross emergency kit photo

    • Stay up-to-date with the latest forecast in your area by monitoring local radio and TV reports. It’s also important to note that local officials may send out Wireless Emergency Alerts to provide brief, critical instructions to warn about imminent threats like severe weather. If you receive an alert like the one below, please follow the instructions in the message.

      emergency alert photo

      During all phases of a storm, continue to listen and follow the instructions of local officials. If Tropical Storm Karen brings significant rainfall to your area, follow local safety instructions and stay away from flooded roads – remember, Turn Around Don’t Drown. Follow ongoing updates from trusted emergency management accounts on social media, visit our Social Hub on your mobile device and computer

    • Download the FEMA app.  It’s packed with tips on how to stay safe before, during, and after a tropical storm.  You can also use it to track what’s in your family’s emergency supply kit, as well as store your family’s emergency meeting locations.

      google play store

      apple app store logo

      blackberry app world

    Finally, here is an update on what FEMA is doing to prepare for the impacts of Tropical Storm Karen:
    • Today, FEMA activated the National Response Coordination Center in Washington, D.C., a multi-agency coordination center that provides overall coordination of the federal response to natural disasters and emergencies, to support state requests for assistance from Gulf Coast and Southern states.  Regional response coordination centers in Atlanta, Ga. and Denton, Texas are also activated.
    • FEMA has begun to recall currently-furloughed employees necessary to serve functions of the agency that protect life and property as they prepare for potential landfall of Tropical Storm Karen, and for severe weather in the central U.S. based on applicable legal requirements and consistent with its contingency plan.
    • FEMA Regional Administrators for Regions IV and VI have been in touch with emergency management partners in Alabama, Florida, Louisiana and Mississippi.

      weather service official on phone
      Caption: October 4, 2013 - An official at the National Weather Service office in Tallahassee, FL speaks with emergency management partners. (Courtesy of @NWSTallahassee on Twitter)

    • FEMA has recalled and deployed liaisons to emergency operations centers in each of these states to coordinate with local officials, should support be requested, or needed.
    • Today, three FEMA Incident Management Assistance Teams (IMAT), recalled from furlough, are deploying to the potentially impacted areas to assist with the coordination of planning and response operations.
    We’ll continue to provide updates as needed.


    The cloud has proven itself to be an effective, efficient means to scale resources as the enterprise tries to cope with rising data loads and increasingly complex infrastructure challenges. But is it ready for prime time? Are we at a tipping point for the widespread migration of mission-critical applications to public cloud services?

    This is more than just an academic question given that many organizations have spent decades building rock-solid safety and availability into traditional infrastructure in order to keep core business activities afloat. Turning those responsibilities over to the cloud is not just a standard development in the evolution of data environments but a giant leap of faith that places crucial aspects of your business on still largely unproven infrastructure.

    Vendor-driven surveys should always be taken with a grain of salt, but if the latest report from Virtustream is even half-right, it seems many top data executives are ready to make that leap. The company reports that nearly 70 percent of respondents to a recent survey say they are planning to move mission-critical apps to the cloud within the next year. Although security, risk and loss of control still rank among the top concerns, the low cost of the cloud compared to traditional infrastructure is causing many organizations to put their fears aside. ERP applications have emerged as the leading candidates for groups looking to expand beyond mere cloud-based storage and backup.



    Company reputation and the fallout from reputational damage are the No. 1 strategic risk for large companies, according to a global survey released this week by Deloitte.  Overall, progress on strategic risk management is evident, though most executives admit that their programs do not support their business strategy well enough.

    Reputational risk was ranked third among strategic risk concerns three years ago, according to companies surveyed.  Also back in 2010, brand and economic trends were identified by senior executives as the key strategic risks, though both have fallen since. In some industry sectors, reputation has risen from outside the top five strategic risk concerns to the top of the list.  In the energy and resources sector, for example, reputation ranked only 11th on the list of strategic risks in 2010, though three years later has risen to the top spot.