Industry Hot News


Risk certainly marked the year of 2013, with knock-on effects on business continuity thinking. However, in a year picking up the pieces after different disasters, the real message was a reminder that while we collectively now know a great deal about risk, we don’t always prepare or take action appropriately. The devastation caused by rainfall in the Uttarakhand state of India was one example. Environmentalists blamed what they considered to be haphazard preceding development projects of roads, resorts and hydroelectric stations for the subsequent high level of damage and deaths. Meanwhile in the US and for much of 2013, New York was applying lessons learned the hard way following Hurricane Sandy back in 2012 to produce an improved city resilience plan.



Tuesday, 17 December 2013 16:08

BYOD Has Not Won

Bring your own device (BYOD) has a lot going for it. The simplicity of the approach of letting Jane and Joe use their own devices at work and compensating them in some manner is so simple and so rooted in common sense that the case against it is lost in the shuffle.

Or was lost in the shuffle. The reality is that significant downsides and obstacles to BYOD do exist. That reality may finally be dawning on corporate managers. Strategy Analytics released interesting worldwide research that revealed that everything is growing: the number of BYOD devices, the number of company-owned devices issued to employees, and the total number of devices shipped.

The percentage that deserves the most attention is the portion of corporate-liable devices:



A new study finds that in Seattle more than 10,000 buildings — many of them homes — are at high risk from earthquake-triggered landslides.


By Sandi Doughton

Seattle Times science reporter

With its coastal bluffs, roller-coaster hills and soggy weather, Seattle is primed for landslides even when the ground isn’t shaking. Jolt the city with a major earthquake, and a new study from the University of Washington suggests many more slopes could collapse than previously estimated.

A powerful earthquake on the fault that slices under the city’s heart could trigger more than 30,000 landslides if it strikes when the ground is saturated, the analysis finds. More than 10,000 buildings, many of them upscale homes with water views, sit in areas at high risk of landslide damage in such a worst-case scenario.

“Our results indicate that landsliding triggered by a large Seattle fault earthquake will be extensive and potentially devastating,” says the report published this month in the Bulletin of the Seismological Society of America.



Monday, 16 December 2013 16:23

5 Tips to Keep Your Data Secure on the Cloud

How can you be sure the information you store on the cloud is safe? The short answer is you can't. However, you can take some protective measures. Here are five data privacy protection tips to help you tackle the issue of cloud privacy.


CIO — The number of personal cloud users increases every year and is not about to slow down. Back in 2012 Gartner predicted the complete shift from offline PC work to mostly on-cloud by 2014. And it's happening.

Today, we rarely choose to send a bunch of photos by email, and we no longer use USB flash drives to carry docs. The cloud has become a place where everyone meets and exchanges information. Moreover, it has become a place where data is being kept permanently.



After years of false starts, virtual desktop infrastructure (VDI) products are here. They work, and if implemented correctly they can deliver substantial cost savings to enterprise IT shops. What are the risks and rewards involved in embarking on a VDI implementation for your organization?

By Ed Tittel and Kim Lindros

CIO — Virtual desktop infrastructure (VDI) is designed to deliver virtual desktops to client computers over a network from a centralized source. With traditional VDI, you create a master image (reference computer, or core) to use for all clients, then personalize images as needed.

The process of distributing patches and updates is simplified because you only have to update images, not every physical desktop. Plus, you can push desktops across a variety of platforms and devices, from desktop PCs to thin clients and mobile devices.



About this time every year, journalists covering the InfoSec beat start seeing prediction lists being pitched. Sadly, we will see the same pitch, from the same vendor, several times, often because we're on multiple blast lists. Thus, our inbox is clogged with pitches and follow-up emails asking if we've seen the pitches, plus the follow-ups to the follow-ups.

Not everyone is a fan of prediction lists. (Other than the vendors who make them.) For example, Martin McKeay, who works at Akamai as a Security Evangelist, holds an opinion shared by many security professionals when it comes to the vendor-driven prediction lists:


"Really, the amazingly stupid part of these annual lists is that they’re not predictive in the least. With rare exceptions, the authors are looking at what they’ve seen happening in the last three months of the year and try to draw some sort of causal line to what will happen next year. The exceptions are either simply repeating the same drivel they reported the year before or writing wildly outrageous fantasies just to see if anyone is actually reading..."

Dave Lewis, fellow CSO blogger and Security Advocate for Akamai, pointed out that many of the prediction lists from years gone by could just as easily apply to the here and now. In fact, in his blog post on the topic, he proved it. His list comes from the year 2000.


The data integration market is growing faster than security and virtualization, according to Margaret Breya, executive vice president and CMO, Informatica Business Solutions.


Not surprisingly, Breya credits Big Data, machine data and the Internet of Things.

But it’s not just because organizations need to integrate these new forms of data into enterprise systems: A large market for embeddable data management engines is available, both for applications and devices, she said.

“The addressable market is huge, comprising 52 thousand large enterprises and 60 million medium and small enterprises,” Breya told CIOL, an India-based IT publication. “The opportunity is quite huge in the devices space, if you take into account the prediction of 50 billion connected devices by the year 2020.”



Now that a good number of enterprises have gained a modicum of experience with public cloud architectures, attention is turning in earnest toward replicating those environments on internal infrastructure.

The private cloud, in fact, is expected to be one of the chief growth areas for both enterprise-class hardware and software as organizations seek to first build the broad scalability needed to support a functioning cloud, and then the virtual and software layers to make it happen.

Indeed, the private cloud has emerged as a top priority within the enterprise vendor community as it provides a unique opportunity to remake the entire data infrastructure stack from the ground up. Dell, for example, has zeroed in on the private cloud now that its lengthy privatization process is complete, teaming up with Red Hat to integrate the OpenStack-friendly RHEL 6.5 across Dell’s data center portfolio. Dell will also take on RHEL service and support functions, even if the system is deployed on non-Dell hardware, a testament to the company’s desire to function within what is likely to be a broad, multi-vendor environment.



There is a 14-dog race going on, with a goal to win the wallets of the enterprise for mobile security spend. When lined up in the starting blocks, the racers may all seem to have equal chances, but a few are better poised to cross the finish line first and bask in the glory of the winners' circle. Three of these technologies are the odds-on favorites to lead from start to finish, with the rest of the racers struggling to remain relevant.

Coming off the starting block with the "holeshot" are the mobile device management vendors. With huge engines of revenue, large customer counts, and first-mover advantage, this dog is the odds-on favorite to take the championship trophy. Mobile device management vendors are already expanding their technologies and products into security platforms to diversify their rapidly commoditized product offerings. The move is paying off for the biggest and toughest MDM participants in the race, giving them the early, and potentially insurmountable, lead.

CIO — Infrastructure and Operations (I&O) staffing is both your organization's greatest asset and greatest monetary investment, says John Rivard, research director for Infrastructure and Operations at Gartner.

It's on the shoulders of these folks that the future of your organization rests, and if you're not doing everything you can to recruit and retain the best of the best, you could be at a competitive disadvantage, he says.

"I believe there's going to be a battle over the future of your organization, and I&O is at the crossroads," Rivard said. "Your best employees have a greater, more positive impact on your organization than your best customers," he says.



Achieving certifications within the IT field is almost a rite of passage. Most IT workers have a degree, but specialize in a certain technology and may become certified in that area to help prove their mastery of that skill or technology.

However, some professionals are still leery of certifications. Is all that studying and testing really worth it? Do employers really pay attention to certifications on resumes? Which certification would be right for the job? And will you need to keep up the certification after you achieve it?

In our IT Downloads section, you will find an excerpt from the book “The Basics of Achieving Professional Certification: Enhancing Your Credentials.” The download features Chapter 5: Maintaining Professional Certifications.

This chapter discusses the need for keeping certifications current and up to date. According to the chapter:



SPRINGFIELD, Ill. — Federal Emergency Management Agency (FEMA) officials, along with partners from the U.S. Small Business Administration (SBA) are encouraging homeowners, renters and businesses to apply for low-interest disaster loans to help fund their losses.

If Illinois residents apply for assistance with FEMA and are referred to the SBA, it’s important for them to submit a loan application to assure that the federal disaster recovery process continues and they keep their options open:

  • Many survivors who register with FEMA will be contacted by the SBA. Survivors can submit their SBA disaster loan applications one of three ways: by mail, in person at a Disaster Recovery Center or online at DisasterLoan.SBA.gov/ela.
  • It is important for survivors to complete and return the application as soon as possible. Filing the loan application does not obligate people to accept an SBA loan and failure to complete and submit an SBA loan application may stop the FEMA grant process. However, homeowners and renters who submit an SBA application and are declined a loan may be considered for certain other FEMA grants and programs that could include assistance for disaster-related car repairs, clothing and household items.
  • Next to insurance, an SBA loan is the primary funding source for real estate property repairs and replacing lost contents following a disaster like a tornado. Homeowners may be eligible for low interest loans up to $200,000 for repairs.
  • SBA can help renters replace their essential items. Homeowners and renters may be eligible to borrow up to $40,000 to repair or replace personal property, including automobiles damaged or destroyed in the disaster.
  • Loans for businesses and private non-profit organizations. Loans are available up to $2 million to repair or replace disaster damaged real estate, and other business assets. Eligible small businesses and non-profits can apply for Economic Injury Disaster Loans (EIDL) to help meet working capital needs caused by the disaster.
  • Do not wait on an insurance settlement before returning an application. Insurance may not pay for any or all of the storm-related damage. Survivors can begin their recovery immediately with an SBA disaster loan. The loan balance will be reduced by their insurance settlement.

For additional information about SBA low-interest disaster loans, contact the SBA Disaster Assistance Customer Service Center by calling 800-659-2955 or TTY 800-877-8339, or by visiting sba.gov/disaster. SBA customer service representatives are available at all disaster recovery centers. Centers can be found online at fema.gov/DRC.

For the latest information on Illinois’ recovery from the Nov. 17 storms, visit FEMA.gov/Disaster/4157. Follow FEMA online at twitter.com/femaregion5, facebook.com/fema and youtube.com/fema. The social media links provided are for reference only. FEMA does not endorse any non-government websites, companies or applications.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards. Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-FEMA (3362). For TTY call 800-462-7585.

SBA provides low-interest, long term disaster loans for homeowners, renters and businesses of all sizes. For more information, visit SBA’s website at www.sba.gov/disaster.

Friday, 13 December 2013 17:29

Companies Unprepared for DDoS Attacks

What is your plan in case your company is hit by a distributed denial of service (DDoS) attack? Do you have a plan?

If you are like many of the companies surveyed in Corero Network Security’s most recent poll, the answer would be no, you probably don’t have a plan in place, despite knowing what the risks are. The survey of 100 companies discovered that 44 percent have no formal response plan. Worse yet, more than half don’t have the tools in place to defend against a DDoS attack.

Part of the problem, Corero discovered, is that companies tend to under-invest in security for their network infrastructure. And even when they do have security tools in place, no one is ensuring that they work when needed. It’s like having a jack and a spare tire in the trunk of your car but never checking to make sure the jack works or whether there is air in the tire. You might think you are prepared in case of a flat, but when the time actually comes, you are in no better shape than you would be if the jack and tire were at home in the garage.



Friday, 13 December 2013 17:22

Executives Explore Strategic Risk

Quickly made business decisions and innovations in technology—such as big data and social media—can throw a curve to a company’s strategic risk management, according to a survey by Deloitte. As a result, risk managers need to be prepared to act quickly to avoid disruptions that can follow.

The study, Exploring Strategic Risk: 300 Executives around the World Say Their View of Strategic Risk is Changing, found that 81% of companies surveyed manage strategic risk explicitly, focusing on major risks that could impact the long-term performance of their organization.

Strategic risk management is also more of a board level priority, with 67% saying the CEO and board have oversight in managing strategic risk. They also say reputation risk is now their biggest risk concern. Much of this concern is due to the instantaneous aspects of social media globally, which can impact a company’s perception in the marketplace.



The proverbial stitch in time may save nine, but IT operations predicting problems before they occur saves more than just the budget.

TeamQuest, a provider of IT management software, has made available a predictive analytics offering that can be used to identify the root causes of likely future performance issues.

According to TeamQuest product advocate Dave Wagner, TeamQuest Risk Prediction helps IT organizations address the complexity of IT environments where multiple application workloads now routinely run on top of virtual machines that compete for a limited amount of physical resources. By applying predictive analytics to that complexity, Wagner says TeamQuest Risk Prediction can be used to analyze the data it collects as often as every 15 minutes.



Ray Abide looks at the concepts of detail complexity and dynamic complexity in the context of business continuity planning.

Over an extended period of time, I believe that a conventional instinct is to add more specifics and detail to our business continuity plans. This may be guided by increasing complexity in the subject business or by our improved understanding and planning maturity brought about by plan exercises or experience gained by plan activation during a crisis.

While this increasing detail and texture in the plan may seem to be an improvement or an enhancement, it is only true if the incremental planning addresses the type of complexity that can be reduced or eliminated, in advance.



Health care organizations are facing a much more challenging directors and officers (D&O) liability insurance market as they adapt to changes arising from the Affordable Care Act (ACA), according to a new report from Marsh.

It reveals that average primary D&O rates for midsize and large health systems increased by 9.6 percent in the third quarter of 2013, while total program D&O rates renewed with 7.9 percent increases on average.

Nearly all organizations – 91 percent – renewed with rate increases, according to its findings.



Computerworld UK — CFOs are frustrated with "excessive IT costs" and limited insights into their business despite IT investments, according to joint research from Oxford Economics and consulting firm AlixPartners.

The two organisations initially brought in CFO Research to survey senior finance executives at large and mid-size North American companies to examine their views on the value of their investments in IT.

Recently they added a further 50 CFOs across four European countries, including the UK, to the research. They found that senior finance executives across both continents were frustrated about the same aspects of IT investment.



Thursday, 12 December 2013 17:09

How Much Can You Outsource a Risk?

A common corporate credo nowadays is: ‘make only what you cannot buy’. The idea is that if a supplier is already making an affordable, quality component or product, there is no sense in re-inventing the wheel. The company would be better off using its internal resources to develop more strategic advantages related to its core differentiating competences. Similarly, corporate activities such as accounting, logistics and procurement can also be handled by third parties offering different benefits to the purchaser – sometimes, but not always, in terms of cost reduction. But in such cases, does the purchasing company’s risk go down or up? And to what extent is it still responsible for the outsourced activity?



One of the major challenges with Big Data, I think, is figuring out your options. It is such a new space, so it’s a bit tricky to identify what type of tools you’ll even need, much less figure out which vendors actually offer them.

A large number of lists about Big Data are available: The Big Data 100, the Hot Start-Ups, the Most-Powerful Big Data Companies, and so on. All of these sites are informative, but they don’t necessarily help you piece together a basic Big Data architecture or list of solutions you must have, particularly when it comes to Big Data integration.

Organizations need to realize that not everything changes just because they’re dealing with Big Data.



What links a brand's reputation, a railway sleeper and a telecommunications network? While these things may seem very different, according to experts working on a new International Standard they can all be seen as assets creating value for a company and can therefore be managed in similar ways.

The new International Standard ISO 55001 on asset management systems is set to be published in early 2014 and we asked Rhys Davies, the chairman of the committee developing the standard (PC 251) to give us his lowdown on the document.

So, Rhys what is an asset and why would someone need to manage it?

Well, in this new standard we have defined an asset as an item, thing or entity that has potential or actual value for an organization. This is vague, but in fact purposefully so. We wanted to make it clear to everyone that an asset can be anything from tangible and physical items such as rails, trains and vehicles to the more intangible such as the reputation of a company.

All of these things can bring value to a company and need to be well managed in order to make the most of that value.

These are quite diverse things, is managing rails really the same as managing a brand?

There are many similarities yes, and the fundamental principles are the same. If you do nothing with things, and this applies to both a brand and rails, they deteriorate. Their value, or potential value, decreases. All assets need maintaining so although the actions we take to maintain them might be different (e.g. for rails this might be renewing them, whereas for brands it might be choosing to sponsor new events), both will benefit from long term plans and strategies.

Asset management is about knowing what we want to achieve with an asset and how to make it happen, in addition to assessing risks associated with that asset. It is about having a long term strategy.

Most successful organizations and companies have long term strategies, complete with yearly objectives and so on. Why do we need a strategic asset management plan as well?

One of the key things with assets is that their life span can be much longer, or much shorter, than the average strategic plan. A brand's reputation will (hopefully!) outlast a five year plan, as will the physical infrastructure of a railway for example, so the long term strategic asset management plan has to take this longer life span into account and plan for it.

This longer term approach also forces us to get to know our assets much better. We may not always be aware of everything that has value or has the potential to create value for our organization. Identifying assets, what we want to achieve with them and how to get there, requires in-depth knowledge of the asset in question, which can help in operational decision making and an organization’s performance overall.

What are the benefits of using this standard?

The major benefit is of course being able to realize value from your assets, and one of the great things about this approach is that there are many quick wins early on in the process. Some are related to the improved knowledge of assets, as I have already mentioned. In addition, the approach can help improve the relationship with stakeholders. Value doesn't necessarily mean monetary gain and defining what the value is for an asset is often a conversation that happens with people outside the company or organization.

For example, there has been a lot of interest from cities in this standard. The notion of value from a public park will not be expressed in monetary terms and defining it will mean getting closer to those using the public park. This is very beneficial for many organizations.

Who is this standard for?

This standard can be used by many types of organizations and companies, public or private. Everything from a city or local service provider to a supermarket chain can benefit from good asset management.

You have been the chairman of the committee for the past 3 years. What is the most exciting thing about its development?

That the standard is soon finished and will soon be available for use. I was involved in the development of BSI PAS 55 (a British standard concentrating on physical assets) and I have seen that grow up and be adopted in lots of different industries. The ISO route and the inclusion of non-physical assets will open up new markets for that story, where previously companies and organizations wouldn't have used that document. This means we are able to get a good story out to more places - more industries and countries can benefit and we can get more feedback to improve the approach even further.

ISO 55001 (and two others in the family ISO 55000 and ISO 55002) will be published in January 2014. Watch this space for more information!


Wednesday, 11 December 2013 16:15

Lessons from the future?

In this op ed thought experiment, David Lindstedt looks back from the year 2027 and highlights some pitfalls that the resilience road could lead to.

We should have been more careful, more disciplined.

But the idea of ‘resilience’ was so alluring.

Not like all the other stuff. IT DR was boring in the details, and it was all about the details. BCP could never get the proper sponsorship from executives. Life safety was tolerated, but never engaging in the corporate space.

But resilience? Now that showed promise.



Three quarters of the world’s 250 largest companies (G250) researched by KPMG acknowledge risks to their business from environmental and social ‘megaforces’, such as resource scarcity and climate change, in corporate responsibility (CR) reports. Yet only one in ten that reports on CR clearly links CR performance to remuneration, suggesting that many companies are failing to incentivise their executives to manage these risks effectively.

The findings from the eighth KPMG Survey of Corporate Responsibility Reporting, published recently, also reveal that only 5 percent of G250 reporting companies quantify and report the potential impact of environmental and social risks on financial performance.

“Environmental and social risks can impact the supply chain, productivity, financial performance, reputation and brand value. So it is disappointing to see that so many companies still shy away from quantifying these risks in financial terms and few factor in the management of these risks into executive remuneration,” said Yvo de Boer, KPMG’s Global Chairman, Climate Change & Sustainability Services.



The European Parliament has voted to adopt new legislation on EU Civil Protection which paves the way for a stronger European cooperation in responding to disasters.

Welcoming the vote, Kristalina Georgieva, the EU Commissioner for International Cooperation, Humanitarian Aid and Crisis Response said: "A rising trend in natural and man-made disasters over the past decade has demonstrated that coherent, efficient and effective policies on disaster risk management are needed now more than ever. This vote brings us a step closer to a predictable and reliable civil protection system at the European level. This can mean the difference between life and death when a disaster strikes. Equally important, the revised legislative proposal includes measures that will help to prevent and prepare better for the upcoming disasters. Successful disaster risk management is first and foremost about providing security to our citizens. I would like to thank the European Parliament for its strong support."

The revised legislation on the EU Civil Protection Mechanism is designed to better protect and respond to natural and man-made disasters. To ensure better prevention, the Member States will regularly share a summary of their risk assessments, share best practices, and help each other identify where additional efforts are needed to reduce the disaster risks. A better understanding of risks is also the departure point for planning an effective response to major disasters.



Wednesday, 11 December 2013 16:12

Collaboration and Social Tools in 2014

For 2014, I predict …

1. The browser becomes the OS. More and more is being added to Google’s Chrome browser; so much so that it is starting to look much like an operating system. You have all of these plug-ins (like applications), you can customize and configure your device or the look and feel of the browser. Nowhere is Chrome more an OS than with Chromebooks, where it is the OS. And it is a very web-oriented OS (thin client), with just the browser, media player and file manager as its only native applications. The question is: will IE or Firefox follow suit? Or are they pursuing different directions?



Wednesday, 11 December 2013 16:11

Survey Shows SMBs Take Compliance, Risk Seriously

Nexia, a London-based consulting company, surveyed small to midsize businesses (SMBs) about compliance and operational risks in its Global Risk Management Report. It found that nearly two-thirds of respondents already have a formal process in place for risk assessment.

Those surveyed identified operational risks and compliance as the top risks facing their companies to date. Glenn Davis, a partner with CohnReznick LLP, explained:

Risk management has become critically important as businesses are challenged to remain competitive while grappling with uncertain operational and financial conditions… Regardless of the size of the entity, the risks are broadly the same, but the ramifications are much greater for small and mid-sized organizations.



CIO — Is the complexity of your company's data making it difficult to make effective IT decisions? If so, you're not alone. Keeping the lights on and systems running while still finding the resources to innovate is a challenge for most IT organizations, and the growing complexity of data about IT environments is making that challenge nearly insurmountable for many.

According to a new study by Forrester Research, commissioned by Data as a Service (DaaS) company BDNA (creator of the Technopedia repository of information on enterprise hardware and software), 73 percent of high-level IT decision makers cite the complexity of data as the largest challenge in making effective IT decisions in the next 12 months.



CSO — No matter how valiant the efforts of chief security officers, or how much businesses say they focus on securing their systems, or the amount of money spent on IT defenses -- many of the same IT security challenges persist.

Enterprises lag in their ability to swiftly detect breaches -- an important measure of security maturity. According to the 2013 Verizon Data Breach Investigations Report, 62 percent of organizations didn't detect breaches for months, or longer -- and partners and customers, or others identified about 70 percent of those breaches.

There's clearly much room for improvement, but as the number, duration, and costs of attacks reveal, and as our interviews in recent weeks confirm, there certainly won't be any quick fixes. However, according to the experts we've spoken to, there are a handful of areas that, if dramatically improved, would significantly shorten today's chasm between defender and attacker.



There can be a variety of reasons why bad decisions get made in the corporate world. Last week I wrote about psychopaths in the C-Suite and Boardroom. Today I want to look at some less flamboyant, more mundane ways that a company might get into compliance hot water through poor decision making. In an article in the November issue of the Harvard Business Review, entitled “Deciding How to Decide”, authors Hugh Courtney, Dan Lovallo and Carmina Clarke reviewed how senior decision makers in a company might go about strategic decision making. One of the areas that they explored was how systemic roadblocks might get in the way of making a valid decision.

I found their discussion very interesting from the compliance perspective. The FCPA Guidance emphasized the need for companies to have a robust pre-acquisition due diligence process, in addition to a vigorous post-acquisition integration. The FCPA Guidance stated, “In the context of the FCPA, mergers and acquisitions present both risks and opportunities. A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue—with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability.” But what are some of the biases which might prevent a company from making a good strategic decision even with adequate pre-acquisition due diligence? The authors set out five, which I will explore in more detail.



Tuesday, 10 December 2013 17:35

The Worst IT Project Disasters of 2013

IDG News Service (Boston Bureau) — Trends come and go in the technology industry but some things, such as IT system failures, bloom eternal.

"Nothing has changed," said analyst Michael Krigsman of consulting firm Asuret, an expert on why IT projects go off the rails. "Not a damn thing."

"These are hard problems," he added. "People mistakenly believe that IT failures are due to a technical problem or a software problem, and in fact it has its roots into the culture, how people work together, how they share knowledge, the politics of an organization. The worse the politics, the more likely the failure."

Here's a look at some of this year's highest-profile IT disasters.



CIO — Growth is normally a boon for any business. Servers hum faster when an ecommerce site attracts more customers (and more credit card transactions). When storage requirements for a new business that handles documentation for large companies suddenly escalate, executives high-five each other.

Scaling can be so costly, though, that fast growth isn't always a positive. Fortunately, new technologies can help a company ramp up quickly and efficiently, removing some of the pain of having to expand a data center. Instead of being faced with a major capital outlay that offsets new revenue, these innovations make the impact of scaling up a data center to meet demand less of a drain.



Vendors supplying you with components or services for your infrastructure need to feel confident about working with your organisation. That way they’ll be motivated to give off their best. It could be argued that stressing a vendor with unannounced tests might have a negative impact on their relationship with you. After all, they have a business to run too and your test is a business disruption for them. However, real disasters often arrive unannounced and in order to be realistic tests should be unannounced too. Is there a way out of this conundrum, and if so what is it?



No doubt you’ve heard about a shortage of data analytics specialists.

The data’s getting a bit long in the tooth, but a 2011 McKinsey Global Institute study predicted a shortfall of about 150,000 people with the needed analytic skills to manage Big Data analytics.

That may not be the biggest problem facing analytics, however. An equally important, but less cited, finding in that study was the predicted shortfall of 1.5 million business people who could leverage that data, notes a recent Harvard Business Review blog post.



The hard disk drive’s utility in enterprise settings has been under question since the first enterprise-class, solid-state solutions were introduced nearly five years ago. But now it seems a new challenge is on the horizon, not from advanced technologies like Flash, but from a perceived lower order of storage: consumer disk drives.

A recent blog post from cloud backup provider BackBlaze details the company’s use of both consumer and enterprise-class drives for its Storage Pod service and its own administrative and transactional applications. Over the past two years, the company reports that it has racked up 368 drive years with the enterprise systems—primarily Dell PowerVault and various EMC solutions—and 14,719 drive years with consumer-grade technology. In that time, it reported 17 enterprise-class failures and 613 consumer failures, which produces an annual failure rate of 4.6 percent and 4.2 percent, respectively. So with lower costs and better reliability, why bother with an enterprise drive?



TEKsystems, a company that provides IT staffing and services, recently did a study that essentially took the temperature of IT departments – what they think trends are, where budgets are focusing dollars and the like. One of the areas the survey focused on was security.

Most of the predictions and trend reports I see are from security experts. While I think these predictions are essential for anyone in charge of enterprise network security – it really does help to have an idea of what threats to protect against – it is good to hear about security concerns and predictions from the IT point of view.

What TEKsystems discovered is that security is a rising concern for IT departments. When asked, “Which of the following trends or technology will have the biggest impact on your organization in 2014,” big data came in first, but security moved from third place in 2013 to second place in 2014. Mobile computing also moved up a spot, from fourth to third. It is fitting that security and mobile move together because the two issues are so intertwined. An IT department can’t have a good mobile policy without having a solid security plan built into it.



By Thomas Clark, MD, MPH

This time last year public health officials were grappling with a meningitis outbreak linked to fungus found in tainted medication.  Now officials are trying to rein in a different outbreak of meningitis, more specifically meningococcal disease, popping up on a college campus, including Princeton University.

Most college freshmen are instructed to get a series of vaccinations before starting school in the fall, including one for meningococcal disease which can spread quickly in close quarters, such as dorms. The meningococcal vaccine routinely given to rising freshman protects against four different serogroups, or types, of meningococcal bacteria – A, C, Y, and W-135. Unfortunately, the cases of meningococcal disease that have been appearing at Princeton University are from a different strain of these bacteria not covered by the vaccine.

Taking Action

Because meningococcal disease can be deadly or lead to long-term disabilities, affecting the linings of the brain and spinal cord or the bloodstream, and can spread more easily on college campuses, it’s important that school and health officials take immediate action to stem the spread of disease. Princeton University and the New Jersey Department of Health have launched an aggressive awareness campaign to educate students and the University community about the disease and how to help prevent spreading it. Individuals who were in close contact with patients diagnosed with meningococcal disease have also been recommended antibiotic treatment as a precautionary measure. But because giving antibiotics to everyone isn’t an effective strategy, CDC has recommended that a vaccine approved in Europe and Australia be imported to try and halt the spread of this outbreak. FDA has given the OK for use of the vaccine at Princeton University under an Investigational New Drug application. This is a term FDA uses to describe a vaccine that’s not licensed (approved) in the US, but which is made available in certain situations. FDA has concluded that the benefits of using the vaccine to prevent meningococcal disease at Princeton University outweigh the risks of possible adverse events. Clinical trials in other countries have shown the vaccine to meet safety and efficacy standards to allow licensure in the European Union and Australia in January and August 2013, respectively. This is the first time CDC has had the chance to consider using this newly licensed vaccine in response to a serogroup B meningococcal disease outbreak.

Why Vaccinate?

Since students have become ill over the course of two school years, officials believe there will be more cases. And because predicting who meningococcal bacteria will strike next isn’t possible – many people carry the bacteria in their throats without actually getting sick – vaccination is the most effective way of controlling future spread of the disease. Unlike antibiotics, a vaccine would protect people for a longer period of time, and could help decrease or stop the spread of the bacteria, which would help protect the University community as a whole. It also avoids some of the complications of antibiotics, such as antibiotic resistance and side effects. The vaccine is recommended for all Princeton University undergraduate students (regardless of where they live) and graduate students living in dormitories. Certain other individuals associated with the University may be evaluated for vaccination if they have specific medical conditions. Getting vaccinated would be voluntary and funded by the University. You can get more information on the vaccine at http://www.cdc.gov/meningococcal/vaccine-serogroupB.html

Staying Safe at School

Meningococcal disease can spread from person to person, through saliva (think coughing or kissing) or through lengthy contact (think living in the same dorm room or apartment). Symptoms of meningococcal disease include rapid onset of fever, headache, body aches, and feeling very tired. Individuals may also experience a stiff neck, increased sensitivity to light, feel nauseated or confused, and have a rash. Students should be aware of how they are feeling and look for possible signs or symptoms. If you feel you might be getting sick, seek medical attention immediately and avoid contact with others (don’t go to class or work until you’ve talked to a doctor about how you’re feeling). The same basic health practices that you should normally follow for preventing infection from the flu or colds are also recommended. They include:

  • Covering your mouth and nose when you cough or sneeze,
  • Washing your hands often with soap and warm water, and
  • Practicing good health habits like not sharing utensils, water bottles, or other items that might be contaminated with someone else’s saliva (this means beer pong too!)

***Stay Tuned!  Dr. Clark, Branch Chief of CDC’s Meningitis and Vaccine Preventable Diseases Branch is currently in New Jersey working with Princeton University on their vaccination campaign.***


Monday, 09 December 2013 16:16

Measles Still Threatens Health Security

On 50th Anniversary of Measles Vaccine, Spike in Imported Measles Cases


Fifty years after the approval of an extremely effective vaccine against measles, one of the world’s most contagious diseases, the virus still poses a threat to domestic and global health security.

On an average day, 430 children – 18 every hour – die of measles worldwide. In 2011, there were an estimated 158,000 measles deaths.

In an article published on December 5 by JAMA Pediatrics, CDC’s Mark J. Papania, M.D., M.P.H., and colleagues report that United States measles elimination, announced in 2000, has been sustained through 2011. Elimination is defined as absence of continuous disease transmission for greater than 12 months. Dr. Papania and colleagues warn, however, that international importation continues, and that American doctors should suspect measles in children with high fever and rash, “especially when associated with international travel or international visitors,” and should report suspected cases to the local health department. Before the U.S. vaccination program started in 1963, measles was a year-round threat in this country. Nearly every child became infected; each year 450 to 500 people died, 48,000 were hospitalized, 7,000 had seizures, and about 1,000 suffered permanent brain damage or deafness.

People infected abroad continue to spark outbreaks among pockets of unvaccinated people, including infants and young children. It is still a serious illness: 1 in 5 children with measles is hospitalized. Usually there are about 60 cases per year, but 2013 saw a spike in American communities – some 175 cases and counting – virtually all linked to people who brought the infection home after foreign travel.

“A measles outbreak anywhere is a risk everywhere,” said CDC Director Tom Frieden, M.D., M.P.H. “The steady arrival of measles in the United States is a constant reminder that deadly diseases are testing our health security every day. Someday, it won’t be only measles at the international arrival gate; so, detecting diseases before they arrive is a wise investment in U.S. health security.”

Eliminating measles worldwide has benefits beyond the lives saved each year. Actions taken to stop measles can also help us stop other diseases in their tracks. CDC and its partners are building a global health security infrastructure that can be scaled up to deal with multiple emerging health threats.

Currently, only 1 in 5 countries can rapidly detect, respond to, or prevent global health threats caused by emerging infections. Improvements overseas, such as strengthening surveillance and lab systems, training disease detectives, and building facilities to investigate disease outbreaks make the world -- and the United States -- more secure.

“There may be a misconception that infectious diseases are over in the industrialized world. But in fact, infectious diseases continue to be, and will always be, with us. Global health and protecting our country go hand in hand,” Dr. Frieden said.

Today’s health security threats come from at least five sources:

  • The emergence and spread of new microbes
  • The globalization of travel and food supply
  • The rise of drug-resistant pathogens
  • The acceleration of biological science capabilities and the risk that these capabilities may cause the inadvertent or intentional release of pathogens
  • Continued concerns about terrorist acquisition, development, and use of biological agents.

“With patterns of global travel and trade, disease can spread nearly anywhere within 24 hours,” Dr. Frieden said. “That’s why the ability to detect, fight, and prevent these diseases must be developed and strengthened overseas, and not just here in the United States.”

The threat from measles would be far greater were it not for the vaccine and the man who played a major role in creating it, Samuel L. Katz, M.D., emeritus professor of medicine at Duke University. Today, CDC is honoring Dr. Katz 50 years after his historic achievement. During the ceremony, global leaders in public health are highlighting the domestic importance of global health security, how far we have come in reducing the burden of measles, and the prospects for eliminating the disease worldwide.

Measles, like smallpox, can be eliminated. However, measles is so contagious that the vast majority of a population must be vaccinated to prevent sustained outbreaks. Major strides already have been made. Since 2001, a global partnership that includes the CDC has vaccinated 1.1 billion children. Over the last decade, these vaccinations averted 10 million deaths – one fifth of all deaths prevented by modern medicine.

“The challenge is not whether we shall see a world without measles, but when,” Dr. Katz said.

“No vaccine is the work of a single person, but no single person had more to do with the creation of the measles vaccine than Dr. Katz,” said Alan Hinman, M.D., M.P.H., Director for Programs, Center for Vaccine Equity, Task Force for Global Health. “Although the measles virus had been isolated by others, it was Dr. Katz’s painstaking work passing the virus from one culture to another that finally resulted in a safe form of the virus that could be used as a vaccine.”


“A doctor walks into a room…” It sounds like the start of joke, but it’s part of a reality that speaks volumes about compliance. Here’s how this true story begins.

A pharmaceutical sales representative (sales rep) is conducting a typical lunchtime informational session at a doctor’s office. The sales rep’s manager is with the sales rep that day. It just so happens there is another doctor within the same office who – according to the company’s policy – is not permitted to participate in the session since said doctor, based on his specialty, should not (in theory) be prescribing the drug the sales rep is detailing. Note: I say “in theory,” since according to state law, doctors can prescribe any drug they want regardless of their specialty and whether or not the drug is indicated for the condition. But I digress.

The sales rep is engaged in a conversation with the “appropriate” physician when the “not allowed” physician walks into the room, signs the attendance sheet that is required in these sessions, and obtains a drink of water from the office cooler. He then promptly exits the room without talking to the sales rep or partaking of the lunch the sales rep provided. The sales rep’s manager asks the sales rep who the physician is and at this point the sales rep and the manager determine this is a “not allowed” physician.



Monday, 09 December 2013 16:14

You Can’t Outsource Accountability

Needless to say, Indian service providers pioneered and developed the outsourced software development space; currently, they generate a combined $3.2 billion of revenue annually. Although Indian software service providers claim high standards, it is apparent that there are still weaknesses in their delivery. I just published a report that highlights the main culprits for this: a lack of executive commitment, poor application coding, and the industrialization of software development:



WASHINGTON — Seven minutes after the authorities in Sparks, Nev., received a call one day in October that a gunman was on the loose at a local middle school, a paramedic wearing a bulletproof vest and a helmet arrived at the scene.

Instead of following long-established protocols that call for medical personnel to take cover in ambulances until a threat is over, the paramedic took a far riskier approach: He ran inside to join law enforcement officers scouring the school for the gunman and his victims.

“He met the officers right near the front door, and they said: ‘Let’s go. There are victims outside near the basketball court,’ ” said Todd Kerfoot, the emergency medical supervisor at the shooting. “He found two patients who had been shot and got them right out to ambulances.”

Federal officials and medical experts who have studied the Boston Marathon bombing and mass shootings like the one in Newtown, Conn., have concluded that this kind of aggressive medical response could be critical in saving lives. In response to their findings, the Obama administration has formally recommended that medical personnel be sent into “warm zones” before they are secured, when gunmen are still on the loose or bombs have not yet been disarmed.



Springfield, Ill. – In the aftermath of a disaster, misconceptions about disaster assistance can often prevent survivors from applying for help from the Federal Emergency Management Agency and the U.S. Small Business Administration. A good rule of thumb: register, even if you’re unsure whether you’ll be eligible for assistance.

Registering with FEMA is simple. You can apply online at DisasterAssistance.gov or with a mobile device by downloading the FEMA app or by visiting m.fema.gov. You can also register over the phone by calling FEMA’s helpline, 800-621-FEMA (3362). Survivors who are deaf or hard of hearing and use a TTY can call 800-462-7585. The toll-free telephone numbers operate from 7 a.m. to 10 p.m. (local time) seven days a week until further notice.

Clarification on some common misunderstandings:

  • MYTH: I've already cleaned up the damage to my home and had the repairs made. Isn’t it too late to register once the work is done?
    FACT: You may be eligible for reimbursement of your cleanup and repair costs, even if repairs are complete.
  • MYTH: I believe FEMA only makes loans so I didn’t apply for help because I don’t want a loan.
    FACT: FEMA only provides grants that do not have to be paid back. The grants may cover expenses for temporary housing, home repairs, replacement of damaged personal property and other disaster-related needs such as medical, dental or transportation costs not covered by insurance or other programs.

The U.S. Small Business Administration provides low-interest disaster loans to renters, homeowners and businesses of all sizes. Some applicants may be contacted by SBA after registering with FEMA. You are not obligated to take out a loan, but if you don’t complete the application, you may not be considered for other federal grant programs. You can apply online using the Electronic Loan Application (ELA) via SBA's secure website at https://disasterloan.sba.gov/ela. For more information on SBA's Disaster Loan Program, visit SBA.gov/Disaster or call the SBA Customer Service Center at 800-659-2955 (TTY 800-877-8339 for the deaf and hard-of-hearing).

  • MYTH: I don’t want to apply for help because others had more damage than I had; they need the help more than I did.
    FACT: FEMA has enough funding to assist all eligible survivors with their disaster-related needs.
  • MYTH: I'm a renter. I thought FEMA assistance was only for homeowners for home repairs.
    FACT: FEMA assistance is not just for homeowners. FEMA may provide assistance to help renters who lost personal property or who were displaced.
  • MYTH: FEMA assistance could affect my Social Security benefits, taxes, food stamps or Medicaid.
    FACT: FEMA assistance does not affect benefits from other federal programs and is not considered taxable income.
  • MYTH: I heard registration involves a lot of red tape and paperwork.
    FACT: There is no paperwork to register with FEMA. The process is very easy and normally takes between 15 and 20 minutes.
  • MYTH: Since I received disaster assistance last year, I’m sure I can’t get it again this year.
    FACT: Assistance may be available if you suffered damages from a new federally-declared disaster.
  • MYTH: My income is probably too high for me to qualify for FEMA disaster assistance.
    FACT: Income is not a consideration for FEMA grant assistance. However, you will be asked financial questions during registration to help determine eligibility for SBA low-interest disaster loans.

For the latest information on Illinois’ recovery from the Nov. 17 storms, visit FEMA.gov/Disaster/4157. Follow FEMA online at twitter.com/femaregion5, facebook.com/fema and youtube.com/fema. The social media links provided are for reference only. FEMA does not endorse any non-government websites, companies or applications.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards. Disaster recovery assistance is available without regard to race, color, religion, nationality, sex, age, disability, English proficiency or economic status. If you or someone you know has been discriminated against, call FEMA toll-free at 800-621-FEMA (3362). For TTY call 800-462-7585.

SBA is the federal government’s primary source of funding for the long-term rebuilding of disaster-damaged private property. SBA helps homeowners, renters, businesses of all sizes, and private non-profit organizations fund repairs or rebuilding efforts, and cover the cost of replacing lost or disaster-damaged personal property. These disaster loans cover uninsured and uncompensated losses and do not duplicate benefits of other agencies or organizations. For information about SBA programs, applicants may call 800-659-2955 (TTY 800-877-8339).

The man who called himself “Mo” had dark hair, a foreign accent and — if the pictures he e-mailed to federal investigators could be believed — an Iranian military uniform. When he made a series of threats to detonate bombs at universities and airports across a wide swath of the United States last year, police had to scramble every time.

Mo remained elusive for months, communicating via e-mail, video chat and an Internet-based phone service without revealing his true identity or location, court documents show. So with no house to search or telephone to tap, investigators turned to a new kind of surveillance tool delivered over the Internet.



It is a sad fact that getting people or organizations to discuss disaster preparedness topics is easier just after they have experienced a disaster. Call it human nature, procrastination or avoidance — but this remains a constant challenge for nearly all emergency management and disaster response professional teams.

In a recent posting, however, we are directed to a rather unique approach submitted by one of the neighborhood group organizations of Boston, MA called the Jamaica Plain Neighborhood Development Corporation (JPNDC). This group encourages people to host a “Preparedness Pie Party” in order to better engage neighbors to talk about preparedness.

Monday, 09 December 2013 16:08

Big Data Keeps on Truckin'

Many of the early success stories with Big Data came from logistics companies.

For example, UPS used sensor data to improve maintenance and fuel efficiency back in 2010. In 2011, CIO.com ran a story about U.S. Xpress, which used Big Data and sensors to save about $6 million a year across its fleet.

So it really shouldn’t be surprising that an intriguing new Big Data business intelligence platform would be unveiled at a recent American Trucking Associations’ executive summit.



Monday, 09 December 2013 16:07

Train Disaster Calls for Safety Action

At 7:20 a.m., Dec. 1, four people died and more than 68 were injured, 11 critically, when a speeding passenger train headed for Grand Central Terminal derailed on a steep curve.

Brake failure was cited as a possible reason for the crash, but inspections determined that the brakes were in good condition. The train’s operator, who recently had been switched to an early shift, later said he may have dozed off, failing to apply the brakes in time to avoid the crash.

The derailment is of special interest to me. The Hudson line is the one I take to work every day and is the same line that suspended service in July when 10 CSX garbage cars derailed near the same location, just north of the Spuyten Duyvil train station.



As a recent graduate now working in a business continuity role within a leading investment firm, I’ve been looking for a good mentor; someone I could shadow; who I could learn from; and who would help me develop to become the best I could be in the business continuity profession. Looking back it’s not been the easiest process. The most notable advice I have received thus far is as follows.

  • "Always look busy."
  • "Always know more than the person in front of you."

My first mentor was a really great bloke who you would undoubtedly grab a beer with any day. He was considered a subject matter expert for BCM but when asked to develop a business continuity policy his words to me were: "Here is my pal's policy - just change the name and we're good". It was after 120 pages of sifting that I realised two things:



By Paul Clark, AlgoSec.

Security is always walking a fine line between enabling the business, and acting as a brake on agility and productivity. Unfortunately for many organizations, it seems that their security infrastructure has stepped over the line and is holding them back. When we surveyed 240 infosecurity, network operations and application professionals in autumn 2013, we found they were struggling with managing their critical business applications effectively, because of the sheer complexity involved.

Over half of the survey respondents reported that they had over 100 critical business applications in their data center. This means a heavy workload of application connectivity change requests for IT teams, to enable those applications to keep up with the evolving needs of the business. 45 percent of respondents said they have to manage over 11 requests every week, and 21 percent have more than 20 changes per week.

A majority of respondents (59 percent) said each request takes more than 8 hours to process, with nearly a third saying that each change takes more than one business day. The typical time needed to deploy a new data center application was over 5 weeks, and in some cases more than 11 weeks.



This document builds upon the current practice of CERTs with responsibilities for ICS networks, and also on the earlier work of ENISA on a baseline capabilities scheme for national/governmental (n/g) CERTs. The document is an initial attempt to provide a good practice guide for the entities that have been tasked to provide ICS Computer Emergency Response Capabilities (ICS-CERC). On the other hand, this guide does not have the ambition to prescribe to the EU Member States which entities should be entrusted with provision of ICS-CERC services.

Dec 04, 2013


When end users circumvent the IT department and start using software-as-a-service (SaaS) applications without permission, the IT pros complain about the plague they call "shadow IT." But it would seem the professionals are also operating in the shadows, according to a survey out today.

The report entitled "The Hidden Truth behind Shadow IT," was a collaboration of consultancy Frost & Sullivan and McAfee. The survey asked 300 IT pros and 300 line-of-business employees whether they used SaaS applications in their jobs without official approval. Eighty percent admitted they did, with only 19% of the business employees and 17% of IT claiming to be innocent.



Wednesday, 04 December 2013 16:31

A Mini-FAQ on Combining MDM and Big Data

I’m starting to see more pieces about using master data management (MDM) with Big Data.

If the very idea gives you a headache, you’re in good company — but stick with me. I’ve been juicing vegetables, and feel energetic enough to tackle some questions about the topic.

Do people really combine MDM and Big Data, or are vendors just piling hype on top of hype?



A recently released study by IBM that involved more than 4,000 C-suite leaders from 70 countries, including hundreds of midmarket leaders, gave interesting insight into digital strategies employed by various companies. Among the results are some compelling facts about how small to midsize businesses (SMBs) view their digital influence on their customers.

Of those SMBs who responded, 43 percent believe their company has an integrated physical and digital strategy already in place. The study identified that digitization of information is changing the way businesses relate with customers:



Wednesday, 04 December 2013 16:16

Beware of Disaster-Related Fraud

CHICAGO, IL -- The U.S. Department of Homeland Security’s Federal Emergency Management Agency (FEMA) and Illinois Emergency Management Agency (IEMA) urge Illinois residents affected by recent severe storms, straight-line winds and tornadoes to be alert for potential fraud and to keep these points in mind:

  • A FEMA inspector will first contact you by phone to arrange a visit to your damaged home or apartment to determine if you have uninsured, eligible losses. A FEMA inspector will always have an official badge visible during the inspection. Ask to see the badge before allowing him/her to enter your home.
  • FEMA will not contact you requesting your personal information to process a prepaid credit card.
  • FEMA does not charge for information that it gives out. Apply free online at www.DisasterAssistance.gov or call 1-800-621-3362 (TTY 1-800-462-7585).
  • FEMA does not send out text messages asking recipients to call fee-based telephone numbers. The toll-free numbers above are used for all contact with FEMA, including applying and follow-up.
  • FEMA and the U.S. Small Business Administration do not charge fees for information regarding filling out the SBA loan applications. Free assistance is available by calling SBA’s toll-free number, 1-800-659-2955 (TTY 1-800-877-8339).

Anyone with knowledge of fraud, waste or abuse may call the FEMA Fraud Hotline at 1-800-323-8603 or contact it by email. Complaints may also be made via the FEMA Helpline at 1-800-621-3362 (TTY 1-800-462-7585) or with state or local law enforcement officials or consumer agencies.

FEMA's mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Follow FEMA online at twitter.com/femaregion5, www.facebook.com/fema, and www.youtube.com/fema.  Also, follow Administrator Craig Fugate's activities at twitter.com/craigatfema. The social media links provided are for reference only. FEMA does not endorse any non-government websites, companies or applications.


Tuesday, 03 December 2013 16:32

The Complete Picture of Embedding Agile

If you visit an Agile conference these days, it’s hard not to hear talks like “Scrum within a RUP project” or “Agile in a Traditional Organization.” From a dogmatic Agile point of view, this reminds me a little bit of a veggie-stuffed beef recipe promoted as vegetarian food. From a management perspective, it means that you are only exploiting about 10% or 20% of the potential of Agile. Many consultants would consider such an implementation as failed, and I’m sure you will find a lot of “Scrumbut” practices in these organizations.

But does that necessarily mean such an approach is bad? I don’t think so. To the contrary, a fast judgment of these approaches often mirrors the arrogance of the judge rather than his or her capability to carefully consider the circumstances. I know this is a provoking statement within the Agile community, so let’s dig into it.



In the 20th century, companies waited until their industries and competitors fully vetted technologies before investing in even the most tried and true ones.  Technophobes believed that investing too early was indulgent and reckless.  Executives wore their late technology adoption strategies as badges of corporate honor.  Today, emerging technologies are ready for immediate deployment:  iPads are ready; Dropbox is ready; Skype is ready; ListenLogic is ready; Foursquare is ready; YouTube is ready.

I predict that these and many other hardware and software technologies will be adopted without clear (or “validated”) requirements models, without the venerable SDLC, and even without rapid prototyping. I predict that technology adoption will turbo-charge into instant deployments.

The figure below summarizes defined and ready technology adoption and the implications of ready technology adoption.  It also provides some examples.



According to new research conducted by the UK Department for Business, Innovation & Skills (BIS) with MI5 and GCHQ, only 14 percent of directors responsible for audit at the FTSE 350 firms regularly consider cyber threats, with a significant number receiving no intelligence at all about cyber criminals.

Espion, a company that specialises in information risk management, believes this research should serve as a wakeup call to those charged with governance and compliance to apply the same rules to information risk that are in place for other forms of corporate risk.

Espion’s head of consultancy, Stephen O’Boyle says: “Whether attacks from data thieves, spies or saboteurs who steal from, gain unfair advantage over or damage companies, the cyber crime threat facing UK organizations is increasing.



‘Trends in extreme weather events in Europe: implications for national and European Union adaptation strategies,’ a new report from the European Academies Science Advisory Council (EASAC), looks at how climate based disasters have changed in frequency and what can be expected in the future.

Key points in the report include:

  • Weather-related catastrophes recorded worldwide have increased from an annual average of 335 events from 1980 to 1989, to 545 events in the 1990s and to 716 events for 2002–2011.
  • Compared with other continents, the increase in loss-relevant natural extreme events in Europe has been moderate, with an increase of about 60 percent over the past three decades. The highest increases have occurred in North America, Asia and Australia/Oceania with today about 3.5 times as many events as at the beginning of the 1980s.



Tuesday, 03 December 2013 16:28

The Top Five Emerging Risks in 2013

Most companies have experienced (or will experience) significant financial damage in their lifetime due to an unforeseen risk event. Companies that fail to proactively identify and prepare for these risks can easily be caught off guard, often exacerbating the financial impact and lengthening the time required to address and mitigate the risk. As part of the quarterly surveys CEB conducts with risk officers at Fortune 500 companies and other organizations around the globe, we have identified the top five emerging risks companies are seeing today. Based on these findings, we are able to capture the impact a risk event has on traditional risk categories regularly tracked by companies, how these risks have changed over time and which risks will likely have greater impact in months to come.



CIO — The latest Bureau of Labor Statistics data reveals that over the last 12 months, only 77,600 IT jobs were added, as CIOs and hiring managers remain cautious about the slow economic recovery, says Victor Janulaitis, CEO of Janco Associates, a management consulting firm that specializes in IT.

According to the BLS data, September's IT jobs number was adjusted down from a gain of 2,500 jobs to a loss of 3,600 jobs. At the same time, the number of jobs reported as gained in October was only 5,200. But amid these dismal numbers, Janulaitis says, there's a bright spot: companies are increasing their budgets for hiring skilled IT contractors.



Tuesday, 03 December 2013 16:18

Weather Risks Often Overlooked

Unpredictable weather is a risk that can’t be put off or ignored. In fact, insurer payouts for weather-related catastrophes rose from $15 billion a year between 1980 and 1989 to a staggering $70 billion annually between 2010 and 2013, a study found.

While major weather events are a focus of businesses, small events can still have a big impact, according to The Weather Business: How Companies Can Protect Against Increasing Weather Volatility by Allianz Global Corporate & Specialty.

Even though weather volatility is shown to be rising globally, organizations are still failing to protect their revenue from the risks of changes in temperature, snowfall, wind levels, rainfall and too much sun, the report found. Changes in weather can also impact a number of industries including construction, energy, retail, tourism, food, distribution and transport.



Companies that emphasize strong health and safety environments outperform their peers in the market, suggests a new report. It provides evidence that health, wellness, and safety programs not only reduce workers' comp and other health-related costs but may actually lead to better financial performance.



"Evidence seems to support that building cultures of health and safety provides a competitive advantage in the marketplace," says the report. "A portfolio of companies recognized as award winning for their approach to the health and safety of their workforce outperformed the market."

The research was published in the September issue of the Journal of Occupational and Environmental Medicine. While the study does not conclude that a health and safety culture is the cause of better financial outcomes, "results consistently and significantly suggest that companies focusing on the health and safety of their workforce are yielding greater value for their investors as well," the report says.



Cyber attacks have become a top concern for businesses in 2013, with 85 percent of corporate executives naming it their greatest risk – but surprisingly, less than 20 percent of companies purchase cyber insurance for protection against this increasingly common cause of loss.[1] As cybercriminals begin employing more sophisticated tactics, cyber insurance is becoming a necessity; companies hit by hackers could be held accountable with class actions in court for large-scale data breaches.

Cyber insurance is available to everyone and is designed to mitigate losses from a variety of cyber incidents, including data breaches, network damage and cyber extortion. The Department of Commerce has deemed cyber insurance an “effective, market-driven way of increasing cybersecurity” because it may help reduce the number of successful cyber attacks by promoting widespread adoption of preventative measures, encourage the implementation of best practices by basing premiums on an insured’s level of self-protection and limit the level of losses that companies face following a cyber attack[2].



By Brian McNoldy

It was a hurricane season almost without hurricanes. There were just two, Humberto and Ingrid, and both were relatively wimpy, Category 1 storms. That made the 2013 Atlantic hurricane season, which ended Saturday, the least active in more than 30 years — for reasons that remain puzzling.

The season, from June through November, has an average of 12 tropical storms, of which six to seven grow to hurricane strength with sustained winds of 74 mph or greater. Typically, two storms become “major” hurricanes, Category 3 or stronger, with sustained winds of at least 111 mph.



Monday, 02 December 2013 17:10

Obsolescence as risk

I don't usually consider obsolescence as a risk.

We usually know when things start to reach the end of their useful life. After all, when we make a Major Purchase (and "major" depends on the budget) we look for a Use By date or MTTF information. Warranties and extended warranties also give us a clue to a product's useful life.

Today, as I tried to enter the gated community in which I reside I - like Froggy the Gremlin - tried to plunk my magic twanger, a/k/a gate clicker, and it once again failed to raise the barrier.
The gate mechanism recently was replaced and the residents were told we would need to buy, at more than $50 each, new clickers. Turns out that the new mechanism could be programmed to receive signals from the old clickers. (Some of the residents suspect shenanigans on the part of the board, but that's another matter.)



During the week (26 November to be exact), The Times (UK) distributed a special supplement published by Raconteur, entitled “The Agile Business”. This is something I probably would have missed as I don’t live in the UK and even when I am visiting I don’t generally read The Times.

Fortunately I know people who contributed one of the articles and were gleefully engaged in blatant self-promotion on social media – pointing at you Charley Newnham!



Monday, 02 December 2013 17:08

Next Up for the Enterprise: Wearable Gadgets

Most enterprises are still getting used to the idea of employee-owned data access devices and all the architecture-, infrastructure- and policy-related challenges that go with them.

But like virtualization, the cloud and everything else affecting the data center, the Bring Your Own Device (BYOD) phenomenon is only just beginning, and the ultimate ramifications are open to wide interpretation at this point.

Already, the movement is passing by such workaday devices as tablets and smartphones to entirely new classes of hardware that may or may not even require the user’s active participation in order to engage enterprise resources. A case in point is the new lines of wearable devices, spearheaded by Google Glass but potentially encompassing all manner of gadgets like wristbands, lapel pins and even hats and shoes (if someone tries to get me to wear smart-underwear, that may be the day I decide to check out of the human race and go live on a mountain somewhere).



Monday, 02 December 2013 17:05

2013 Atlantic Hurricane Season Roundup

As the 2013 Atlantic hurricane season comes to a close, it may be easy to dismiss the significance of this year’s season.

While it’s true that this year had the fewest number of hurricanes since 1982, the 2013 hurricane season was only the third below-normal season in the last 19 years, since 1995, when the current high-activity era for Atlantic hurricanes began, according to forecasters.

A NOAA press release quotes Gerry Bell, lead seasonal hurricane forecaster at NOAA’s Climate Prediction Center, a division of the National Weather Service:

“A combination of conditions acted to offset several climate patterns that historically have produced active hurricane seasons. As a result, we did not see the large numbers of hurricanes that typically accompany these climate patterns.”


Johannesburg – The earth tremor that occurred in Johannesburg earlier on Monday measured a four on the magnitude scale, said the Geo-science Council. The tremor was “quite a big guy”, the seismology unit manager, Michelle Grobelaar, told News24. He added that the city should expect a similar tremor to occur again, but was unable to say when it could be expected. The tremor’s epicenter was near the University of Johannesburg and struck just before 10am. The quake did not last more than six seconds. “We have not received any reports of damage or injury and are consulting with other regions in Johannesburg Divisional,” said chief for disaster risk management, Tshepo Mothlale. Some people took to popular social networking site Twitter to describe their experiences. “There was a tremor in JHB about 20mins ago. Building shook for about a minute. I’m still shaking,” said one user. ... http://za.news.yahoo.com/joburg-experiences-magnitude-4-earthquake-another-expected-104017946.html

Search-and-recovery operations are underway today after severe storms and tornadoes wreaked havoc on the Midwest, killing at least six people and injuring dozens more with powerful winds that flattened homes and decimated much of the town of Washington, Ill. A sixth death was confirmed late Sunday night after 81 reports of tornadoes ripped through at least five states in the Midwest earlier in the day. One of the tornadoes in New Minden, Ill., was estimated to have winds up to 200 mph. Jonathon Monken, the director of the Illinois Emergency Management Agency, said a third person was confirmed dead Sunday night in Massac County. An elderly couple was killed in Nashville, Ill., and another person was killed in Washington. ... http://gma.yahoo.com/least-6-dead-illinois-tornadoes-storms-damage-homes-061534702--abc-news-topstories.html
Monday, 18 November 2013 15:00

CDC accredited for emergency management

The Centers for Disease Control and Prevention received accreditation from the Emergency Management Accreditation Program (EMAP) for its excellence in emergency management. CDC is the first federal agency to attain full accreditation of its emergency management program.

“CDC’s emergency management program has seen the nation through flu emergencies, multistate foodborne outbreaks, hurricanes and more,” said CDC Director Tom Frieden, M.D., M.P.H. “CDC is the first federal agency to attain full accreditation of its emergency management program.”

Accreditation means a program has completed the six-step EMAP process, including a self-assessment, an on-site appraisal, and a committee review. The on-site assessment and follow-up report include a summary of compliance against 64 EMAP standards set out in the Emergency Management Standard. Included in the EMAP standards are program management; administration and finance; laws and authorities; operational planning; exercises, evaluations and corrective action; and crisis communication, public education and information.

“Accreditation is a serious accomplishment for CDC and the emergency management community we support,” said Ali S. Khan, M.D., M.P.H., director of the Office of Public Health Preparedness and Response. “Preparing for and responding to emergencies of any kind – natural disasters, bioterrorism events, chemical terrorism or pandemics – is a core function of public health. Everyone at CDC has a hand, at one point in time, in emergency management and execution.”

Since 1997, EMAP’s independent assessors and program review committee have evaluated local, state and national emergency management programs to ensure they meet nationally set standards for emergency management and promote consistent quality in emergency management programs. The cost of accreditation is $50,000 and is valid for five years.

Thirty-one states, the District of Columbia, and 14 cities and counties in the United States are accredited. CDC is hosting a recognition ceremony today. For more information, please visit http://www.cdc.gov/about/newsevents/events.htm.
Computerworld — A high-potential millennial told the CIO at a big-name pharmaceutical company during her exit interview that she found the work environment toxic. Her main complaint was that the enterprise did not allow use of the modern consumer technologies and applications that she perceives as comprising her personal and professional identity. This is mobility's rock: People want the interface, the ease of use, the "cool" factor, the freedom and the functionality of consumer technology in the workplace.

Recently, about 100 CIOs sat mesmerized as two clean-cut, well-groomed and impressively articulate young men demonstrated an exploit that breached two smartphones (iOS and Android). This is mobility's hard place: Smartphones don't meet enterprise security requirements.

All CIOs today find themselves caught between the two. ... http://www.cio.com/article/743361/Caught_Between_Mobility_s_Rock_and_Hard_Place

CIO — If you want to learn how to succeed with predictive analytics at your business, CIO.com can help. These three CIOs say it takes a lot of front-end data work and angst about cultural change.

Expect Culture Shock

Chris Coye, Senior Vice President & CIO, Disney ABC Television Group: We've implemented three predictive analytics tools this year: One analyzes what-if ad sales scenarios, another is a promotional media-optimization tool, and a third will help our executives decide which pilots to pick up. We created a small data analytics team in IT, but the models are built by Disney's revenue sciences group. The biggest technical challenge was getting the right source data. We have multiple divisions, and that data had to be standardized. We built our own extract, transform and load tool, but we're migrating to a commercial tool to speed the process. ... http://www.cio.com/article/742867/3_CIOs_Reveal_How_They_Got_Started_With_Predictive_Analytics
WASHINGTON – The Federal Emergency Management Agency (FEMA), through its regional offices in Chicago and Kansas City, is monitoring severe weather, including strong tornadoes, that continues to impact the Midwest and staying in close coordination with officials in affected and potentially affected states. Earlier today, FEMA elevated its National Watch Center in Washington, D.C. to a 24/7 enhanced watch, and has deployed liaisons to support state emergency operation centers in a number of impacted states.

"Residents should continue to monitor weather conditions as they develop and follow the direction of local officials,” said FEMA Administrator Craig Fugate. "Be prepared for power outages and dangerous road conditions as a result of downed power lines and flooding – remember if you encounter a flooded road while driving, turn around, don't drown."

Since before the storm system developed, FEMA has been in close coordination with state and local partners through its regional offices. FEMA's Region V Administrator, Andrew Velasquez III, has been in close contact with the Ohio Emergency Management Agency, the Wisconsin Emergency Management Agency, the Michigan Homeland Security and Emergency Management Division, the Illinois Emergency Management Agency, and the Indiana Department of Homeland Security regarding the potential impacts in those states.

FEMA has deployed an Incident Management Assistance Team (IMAT) to support the State of Illinois. FEMA also has deployed liaison officers to emergency operations centers in Illinois, Indiana, and Ohio, and additional liaison officers are on standby and ready to deploy, if requested. FEMA is in continued contact with its emergency management partners in Illinois, Indiana, Michigan, Ohio, and Wisconsin.

According to the National Weather Service, numerous fast-moving thunderstorms, capable of producing strong tornadoes along with widespread damaging winds and large hail, will move across portions of the middle Mississippi and Ohio Valley region and the southern Great Lakes region for the remainder of today into this evening.

Visit www.ready.gov to learn more about what to do before, during, and after severe weather. Here are a few safety tips to keep in mind should severe weather occur in your area:

  • Familiarize yourself with the terms that are used to identify a tornado hazard. A tornado watch means a tornado is possible in your area. A tornado warning is when a tornado is actually occurring; take shelter immediately.
  • Ensure your family preparedness plan and contacts are up to date and exercise your plan. If you haven’t already, now is the time to get prepared for tornadoes and other disasters.
  • Determine in advance where you will take shelter in case of a tornado warning: Storm cellars or basements provide the best protection. If underground shelter is not available, go into an interior room or hallway on the lowest floor possible. In a high-rise building, go to a small interior room or hallway on the lowest floor possible. Stay away from windows, doors and outside walls. Go to the center of the room. Stay away from corners because they attract debris.
  • Vehicles, trailers and mobile homes are not good locations to ride out a tornado. Plan to go quickly to a building with a strong foundation, if possible. If shelter is not available, lie flat in a ditch or other low-lying area. Do not get under an overpass or bridge. You are safer in a low, flat location.

Follow FEMA online at blog.fema.gov, www.twitter.com/fema, www.facebook.com/fema, and www.youtube.com/fema. Also, follow Administrator Craig Fugate's activities at www.twitter.com/craigatfema.
As far as pissing matches go, the emerging dispute over public vs. private cloud is right up there with Microsoft vs. Apple, Ford vs. Chevy and Pepsi vs. Coke. And the funny thing is, no controversy really exists at all, except in the minds of service providers and vendors who have product lines to protect.

Amazon’s Andy Jassy was at it again this week, telling the audience at the company’s Reinvent conference that private clouds are simply a ruse on the part of “old-guard” companies like IBM to keep the enterprise in thrall to yesterday’s hardware and software platforms. The public cloud, he argued, is not only cheaper and more agile but more reliable and, yes, more secure than any internal infrastructure you care to name. And even though AWS provides tools like VPNs and access management to help the enterprise with its hybrid infrastructure, this is merely the first step in porting the entire enterprise data center to the public cloud. ... http://www.itbusinessedge.com/blogs/infrastructure/private-vs.-public-for-the-enterprise-its-mostly-irrelevant.html

Continuity Central has launched its annual business continuity trends survey which looks at the changes the profession can expect to see in the year ahead. One week into the survey the results are looking interesting.

So far, responses show that most respondents expect to see some changes in the way their organization manages business continuity during 2014. Just over half (51 percent) expect to see small changes and almost a quarter (23 percent) expect to see large changes.

Trends that are emerging in terms of the changes that business continuity professionals expect to see include: 10 percent are anticipating changes in incident / crisis management processes; 8 percent expect to see greater integration with the wider business; 5 percent expect ISO 22301 implementation projects to drive change in 2014.

Business continuity budgets

The majority (53 percent) of respondents state that their 2014 spending will be the same as 2013. However, more than a third say that their business continuity budgets will be increased: 22 percent state that spending will be higher in 2014 compared to 2013; and 15 percent state that it will be much higher.

Recruitment

Three quarters (77 percent) of respondents believe that their organization’s business continuity team will remain the same size in 2014. However, a fifth (21 percent) expect the team to grow with new additions being made. Only 2.5 percent of respondents expect their business continuity team to shrink.

Please take part in the survey: go to https://www.surveymonkey.com/s/businesscontinuityin2014

To read the results of last year’s survey, click here.

Natural and manmade disasters underscore the challenges of seamless disaster recovery in the real world. Having a comprehensive business continuity plan isn't just an IT concern, though. Nothing less than the survival of your company is at stake.

By Ed Tittel and Kim Lindros

CIO — We rarely get a heads-up that a disaster is ready to strike. Even with some lead time, though, multiple things can go wrong; every incident is unique and unfolds in unexpected ways.

This is where a business continuity plan comes into play. To give your organization the best shot at success during a disaster, you need to put a current, tested plan in the hands of all personnel responsible for carrying out any part of that plan. The lack of a plan doesn't just mean your organization will take longer than necessary to recover from an event or incident. You could go out of business for good.



Cloud services, whether PaaS (platform), SaaS (software), DRaaS (disaster recovery) or another ‘as a service’ option, are part of the business landscape now. However, in the vast majority of cases, using them means that your data is stored outside your organisation. No matter what the cloud vendor’s reputation, security must be evaluated, confirmed and applied. Here’s a list of ten security questions to help you safeguard your data, your confidentiality and quite possibly your business.



Thursday, 14 November 2013 15:32

FEMA to Evaluate Readiness of Pennsylvania

PHILADELPHIA – The Department of Homeland Security’s Federal Emergency Management Agency will evaluate a Biennial Emergency Preparedness Exercise at the Limerick Generating Station.  The exercise will take place during the week of November 18, 2013 to test the ability of the Commonwealth of Pennsylvania to respond to an emergency at the nuclear facility.

“These drills are held every other year to assess government’s ability to protect public health and safety,” said MaryAnn Tierney, Regional Administrator for FEMA Region III.  “We will evaluate state and local emergency response capabilities within the 10-mile emergency-planning zone of the nuclear facility.”

Within 90 days, FEMA will send their evaluation to the Nuclear Regulatory Commission (NRC) for use in licensing decisions.  The final report will be available to the public approximately 120 days after the exercise.

FEMA will present preliminary findings of the exercise in a public meeting at 11:30 a.m. on November 22, 2013 at the Hilton Garden Inn Valley Forge/Oaks, 500 Cresson Blvd, Phoenixville, PA 19460.  Scheduled speakers include representatives from FEMA, NRC, and the Commonwealth of Pennsylvania.

At the public meeting, FEMA may request that questions or comments be submitted in writing for review and response.  Written comments may also be submitted after the meeting by email or by mail to:

MaryAnn Tierney
Regional Administrator
615 Chestnut Street, 6th Floor
Philadelphia, PA 19106

FEMA created the Radiological Emergency Preparedness (REP) Program to (1) ensure the health and safety of citizens living around commercial nuclear power plants would be adequately protected in the event of a nuclear power plant accident and (2) inform and educate the public about radiological emergency preparedness.

REP Program responsibilities cover only “offsite” activities, that is, state and local government emergency planning and preparedness activities that take place beyond the nuclear power plant boundaries. Onsite activities continue to be the responsibility of the NRC.

Additional information on FEMA’s REP Program is available online at fema.gov/radiological-emergency-preparedness-program.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards. FEMA Region III’s jurisdiction includes Delaware, the District of Columbia, Maryland, Pennsylvania, Virginia and West Virginia.  Follow us on Twitter at twitter.com/femaregion3.


By Ali S. Khan

Image: waves battering a wooden pier and houses.

Seeing images of the devastation in the Philippines reminded me of my own experiences with Hurricane Katrina and the Asian Tsunami. During both of those events, I had the honor to join CDC (and WHO in the case of Indonesia) teams to help re-establish crucial public health services and support the impacted communities. Disaster recovery isn’t just about rebuilding damaged homes and businesses; it has everything to do with health.

When something as devastating as Typhoon Haiyan occurs, it can be daunting to consider what a recovery effort might look like. Providing for basic needs and preventing potential injuries and outbreaks are usually at the forefront of any recovery plan. Despite the widespread devastation and lack of infrastructure people still need access to food and water. Groups with special needs, such as pregnant women or the elderly, still need care. These basic needs can present a host of health problems in the face of disaster. And as people begin to get their lives back in order, injuries from cleanup efforts and potential outbreaks due to contaminated food or water sources are a constant concern.

Image: men and women in a makeshift clinic wearing face masks. Clinic set up in Haiti following the cholera outbreak. Photo by Kendra Helmer/USAID

Stabilizing and Surveillance

The initial health response usually centers on setting up field hospitals, to take care of those who need immediate medical attention. We then turn our attention to disease monitoring efforts to understand the needs within the community and provide critical public health services. These services initially focus on environmental health concerns such as food and (especially) water safety, worker safety, and injury prevention.  

Following an event such as a hurricane or typhoon – where you have excess flood waters – communities must be vigilant about preventing the spread of water borne illness (think E. coli or cholera), which often cause diarrhea and severe dehydration. Although these are two seemingly treatable symptoms, they can be difficult to manage when infrastructure is down and basic supplies (such as clean water) are hard to come by. Crowded and unsanitary conditions can also lead to the spread of disease. Following Hurricane Sandy, several recovery centers had to act quickly to halt the spread of norovirus, a common “stomach bug” that can spread quickly in close quarters. We’ve also learned about the risk of spread of communicable diseases within shelters and the need to provide select immunizations.

Broken glass, metal, and other debris can pose a serious risk of infection following a disaster.

Cleanup can be a mess

Aside from possible disease outbreaks, one of the most common health problems we saw post-Katrina was injuries related to cleanup: people falling from ladders, carbon monoxide poisoning from generators, and cuts and lacerations people got moving through the rubble. Following a disaster, health officials are often on the lookout for cases of tetanus or other wound infections. In 2011, after the F5 tornado struck Joplin, Missouri, a deadly fungal outbreak was discovered among those who had sustained wounds during the cleanup effort. Public health officials work around the clock after a disaster to warn the public of these dangers and track potential disease outbreaks before they get out of hand.


As the Philippines grapple with the mammoth effort of rebuilding their homes, roadways, and towns, they will first have the task of addressing the health needs inherent to a major disaster. Disease pathogens and hazards are opportunistic and strike when we are at our most vulnerable. My thoughts are with the people of the Philippines and the aid workers helping to get the country back on their feet.

If you would like more information about recovery efforts or how you can help, please visit http://www.usaid.gov/haiyan/.

Thursday, 14 November 2013 15:29

Role of CDO Still in Question

What if organizations don’t need a chief data officer so much as they need an executive team that understands and relies on data?

I stumbled backwards into this idea by misreading a shortened UK CIO headline: “Bank of England doesn't need a CDO, claims CIO.” As happens too often with tech, it turns out CDO is short for chief digital officer, not chief data officer.

Chief digital officers have more to do with transforming paper tasks to digital. If you want to read more about their job duties, ZDNet published a good trends piece about the role.



Thursday, 14 November 2013 15:28

Low Insurance Impact Expected from Haiyan

Damage in the Philippines from Typhoon Haiyan is widespread, with new information emerging daily. Insured losses, however, are expected to be low, with the greatest impact on smaller reinsurers, according to insurance industry reports.

A.M. Best said in a briefing that it expects insured losses to be minimal, as non-life insurance is less than 1% of the country’s gross domestic product.

“Insured losses in the Philippines will be spread across many segments, including per­sonal lines, fire and property, and marine hull. Fire/property and marine hull will be well reinsured through the major global reinsurers and through Lloyd’s, which will also absorb some marine losses on a primary basis. Net losses to primary insurers will be limited, and some commercial losses also may be covered through captives or other forms of self-insurance,” the report said.



Thursday, 14 November 2013 15:27

6 Tips to Help CIOs Manage Shadow IT

CIO — With the increase in cloud computing and BYOD in the workplace, it's become increasingly difficult for IT departments to keep track of and manage software and hardware -- and maintain a secure environment.

So what can CIOs and other IT leaders do to identify and manage Shadow IT -- software and hardware not directly under the control of IT -- and mitigate the potential risks? CIO.com asked dozens of IT, mobile and cybersecurity professionals to find out. Here are their top six tips for managing Shadow IT in the enterprise.

1. Monitor your network -- to find out if or where you have a Shadow IT problem. "Regardless of whether employees use company-issued or personal (i.e., BYOD) hardware, organizations need to identify where all their data resides -- [in house], in the data center, at the edge or in the cloud," says Greg White, senior manager, product marketing, CommVault, a provider of data and information management software.



Thursday, 14 November 2013 15:26

Amazon vs. IBM Conflict Conceals Real Problem

I’ve been thinking about the fight between Amazon Web Services and IBM for the CIA and other U.S. government business and it strikes me that something is really screwy. I’m not talking about the bid process, which both IBM and the General Accounting Office (GAO) called out. I’m talking about how, in the age of Manning and Snowden, no Web service provider should have made the cut for a CIA service no matter how benign. The very fact that Amazon had to go to war with the GAO, which you’ve got to believe will have implications for how supportive they will be to other CIA budgetary requests, points to a real failure to understand the dynamics here.

It should have been too politically risky and it suggests that the unique services that a company in IBM’s class provides were taken for granted or completely ignored, which likely goes to its complaint about the bid process, in which Amazon shouldn’t have been able to comply—not technically, but in terms of meeting the security and compliance requirements unique to the federal government.



Thursday, 14 November 2013 15:25

Colorado Flooding: Two Months Later

DENVER – In the two months since heavy rains brought flooding, Colorado survivors have received more than $117.4 million in state and federal assistance and low-interest loans and an additional $35.1 million in FEMA’s National Flood Insurance Program (NFIP) payouts.

To date, more than $52.7 million in Individual Assistance (IA) grants has helped more than 15,000 Colorado households find safe, functional and sanitary rental units or make repairs to primary homes and cover other disaster-related expenses, such as medical needs or personal property loss. Nearly $48.7 million of IA grants have been issued in housing assistance and $4 million in other needs assistance, such as medical or personal property loss. Flood survivors have also received disaster unemployment assistance and disaster legal services.

The U.S. Small Business Administration (SBA) has approved $64.7 million in disaster loans to Colorado homeowners, renters, businesses of all sizes and private nonprofit organizations. Of that amount, $54.3 million was in loans to repair and rebuild homes and $10.4 million in business and economic injury loans. Approved loan totals in some of the impacted areas are currently $40 million in Boulder County, $8.9 million in Larimer County and $7.7 million in Weld County.

In addition:

  • FEMA housing inspectors in the field have looked at more than 24,000 properties in the 11 designated counties for Individual Assistance.
  • In coordination with the State and local officials, FEMA Disaster Survivor Assistance specialists have canvassed Colorado neighborhoods, helping 37,180 survivors connect with recovery services. Survivors have talked to local, state, nonprofit, nongovernmental and FEMA specialists at the Disaster Recovery Centers (DRCs). At the DRCs, in the field and on the phone, FEMA provides information in Spanish and many other languages.
  • More than 50 national, state and local voluntary and faith-based organizations have spent 269,330 hours helping people as they recover from the flooding. The 27,655 volunteers are providing donations, volunteer management, home repair, child care, pet care, counseling services and removal of muck and mold from homes.
  • In the 18 counties designated for Public Assistance, 190 Applicant Kickoff Meetings have been conducted and so far FEMA has obligated $9,451,743 for eligible projects for debris removal, emergency protective measures and the repair of critical public-owned infrastructure.
  • FEMA and the State’s Private Sector team has contacted organization leaders from 33 Chambers of Commerce, six Economic Development Centers and 38 colleges and universities to share disaster assistance information.
  • The Federal Disaster Recovery Coordination group is coordinating disaster recovery across the entire federal family of agencies, facilitating long-term relationships among agencies, identifying technical expertise and funding opportunities; suggesting strategies for addressing specific needs, and generally encouraging a whole community approach to disaster recovery.
    • Coordinating agencies represented in FDRC include U.S. Army Corps of Engineers, U.S. Department of the Interior, U.S. Department of Housing and Urban Development, and U.S. Department of Commerce.
  • Speakers Bureau has received 71 requests from local officials throughout the affected area and 363 State/FEMA specialists and SBA representatives have spoken at town hall meetings and other venues. More than 7,600 attendees received information about FEMA’s IA program, Hazard Mitigation, flood insurance and SBA.
  • Mitigation specialists have counseled 15,250 survivors during outreach efforts at area hardware stores and more than 4,300 survivors at Disaster Recovery Centers in Colorado.
  • In the first 60 days of the Colorado flooding disaster, there have been 96,375 total page views on the disaster web page, fema.gov/disaster/4145, or an average of 1,606 daily. More than 500 tweets in the last 60 days were posted on the FEMA Region 8 Twitter feed, an average of eight daily tweets. The R8 Twitter feed has increased its followers to 9,000, an increase of nearly 600 new followers in the past 60 days.
  • At the request of the State, the 11 counties with FEMA IA designations are Adams, Arapahoe, Boulder, Clear Creek, El Paso, Fremont, Jefferson, Larimer, Logan, Morgan and Weld.
  • At the request of the State, the 18 counties with FEMA Public Assistance (PA) designations are Adams, Arapahoe, Boulder, Clear Creek, Crowley, Denver, El Paso, Fremont, Gilpin, Jefferson, Lake, Larimer, Lincoln, Logan, Morgan, Sedgwick, Washington and Weld.

County-By-County Breakdown of State and Federal Grants

For each of the 11 Individual Assistance counties (Adams, Arapahoe, Boulder, Clear Creek, El Paso, Fremont, Jefferson, Larimer, Logan, Morgan and Weld) the release tabulates Housing Assistance, Other Needs Assistance and Total State/FEMA Assistance; the dollar figures themselves are not present in this copy.


Register with FEMA by phone, 800-621-3362, from 5 a.m. to 8 p.m., MST, seven days a week. Multilingual phone operators are available on the FEMA helpline. Choose Option 2 for Spanish and Option 3 for other languages. People who have a speech disability or are deaf or hard of hearing may call (TTY) 800-462-7585; users of 711 or Video Relay Service can call 800-621-3362.

Register online: DisasterAssistance.gov. Register by Web-enabled device, tablet or smartphone: type m.fema.gov in the browser.

OKLAHOMA CITY – Nearly six months after the start of deadly tornadoes that struck the state, the Oklahoma Department of Emergency Management (OEM) and FEMA urge Oklahomans to continue to stay prepared for severe weather.

During this time of year, that means being ready for hazardous winter weather conditions. Wednesday, Nov. 13 is Winter Weather Preparedness Day in Oklahoma. As we near the winter weather season, this is a time for Oklahomans to become prepared for freezing temperatures and the snow and ice that may accompany them.


Before traveling, prepare your vehicle:

• Pack blankets, emergency food and water, flashlights, a radio and a cell phone with extra batteries in case you and your family become stranded due to weather.
• Make sure you have plenty of fuel; a good rule of thumb is to keep your fuel tank at least half full.
• Check antifreeze, washer blades and tire pressure.

Always heed the warnings of law enforcement and transportation officials regarding road conditions and refrain from traveling when possible.

If you must travel during a snow or ice event, allow extra time to reach your destination, and make sure you have plenty of fuel.

Be particularly cautious on bridges and overpasses as they will be the first to freeze. Stay back at least 200 feet behind salt and sand equipment in order to stay safe.

Always wear your seat belt.

Bring a cell phone with an emergency roadside assistance number. (In case of emergency, you can call the Oklahoma Highway Patrol at *55 or 911.)

If you must go out during a winter storm, let someone know your destination, as well as your route and when you expect to arrive.

If you get stranded, stay with your vehicle. After snowfall has stopped, hang a brightly-colored cloth on the radio antenna and raise the hood.

Carry extra clothing, blankets and high-energy snacks, such as cereal or candy bars, in your car for protection if your car stalls.

Pack a kit that includes:

• A cell phone with extra batteries or two-way radio
• A windshield scraper, a shovel and small broom for ice and snow removal
• Blankets or sleeping bags
• Rain gear and extra sets of dry clothing, mittens, socks and a cap
• Water and non-perishable, high-energy foods
• A small sack of sand or kitty litter for generating traction under wheels and a set of tire chains or traction mats
• Jumper cables
• A first aid kit
• A flashlight with extra batteries
• A brightly-colored cloth to tie to the antenna if you get stranded.

Be Aware

Know what winter storm and blizzard watches and warnings mean:

• A National Weather Service winter storm watch is a message indicating that conditions are favorable for a winter storm.
• A National Weather Service warning indicates that a winter storm is occurring or is imminent.
• A blizzard warning means sustained winds or frequent gusts of 35 mph or greater and considerable falling or blowing snow are expected to prevail for a period of three hours or longer.

Understand the hazards of wind chill. A strong wind combined with a temperature of just below freezing can have the same effect as a still air temperature of 35 degrees or colder.

Check for weather-related road conditions through the Oklahoma Department of Public Safety at dps.state.ok.us or by calling toll free, (888) 425-2385 or (405) 425-2385.

At Home

Check on friends, relatives and neighbors who live alone, especially seniors and those with disabilities.

Develop a family disaster plan for winter storms. Discuss with your family what to do if a winter storm watch or warning is issued. Everyone should know what to do in case all family members are not together when a winter storm hits.

Make sure pets have food and water and a place to seek shelter.

While indoors, try to keep at least one room heated to 70 degrees to prevent hypothermia. This is especially important for seniors and children.

Stay warm at night with extra blankets, a warm cap, socks and layered clothing.

To keep pipes from freezing, wrap them in insulation or layers of old newspapers. Cover the newspapers with plastic to keep out moisture. Let faucets drip a little to avoid freezing. Know how to shut off water valves if necessary.

Keep safe emergency-heating equipment, such as a fireplace with wood. Always be cautious in using a portable space heater and never leave the heater on when you are not in the room or when you go to bed.

Avoid carbon monoxide poisoning:

• Do not use an unvented gas or kerosene heater in closed spaces, especially sleeping areas.
• Do not use gas appliances such as an oven, grill, range or clothes dryer to heat your home.
• Do not burn charcoal inside a house, garage, vehicle or tent for heating or cooking, even in a fireplace.
• Look for carbon monoxide exposure symptoms including headache, dizziness, weakness, sleepiness, nausea and vomiting that can progress to disorientation, coma, convulsions and death.
• If you suspect carbon monoxide poisoning, open doors and windows, turn off gas appliances, and go outside for fresh air. Call 9-1-1 emergency medical services in severe cases.
• Install and check/replace batteries in carbon monoxide and smoke detectors.

Stay informed:

Find a full list of winter weather preparedness tips or sign up now to receive weather alerts on your cell phone or other email address at ok.gov/OEM/.

The National Oceanic and Atmospheric Administration provides additional information online about winter weather watches, warnings and advisories: srh.noaa.gov/ama/?n=wwad.

For more information on Oklahoma disaster recovery, visit the Oklahoma Department of Emergency Management site at oem.ok.gov or fema.gov/disaster/4117.

Wednesday, 13 November 2013 17:05

The quest for weak links in information security

CSO - A widely accepted definition of information security risk is the potential of a specific threat exploiting the vulnerabilities of an information asset, with the following formula used to represent information security risks: Risk = Likelihood x Impact.

The potential impact on information, processes and people is typically estimated during a business impact analysis as part of corporate business continuity planning. However, estimating the likelihood of information security risks is often guesswork resulting from combined vulnerability assessments and threat assessments. While assessing the likelihood of risks, many IT security teams categorise risk using the traffic light system of high, medium or low level. Those responsible for information security in a company should estimate risk levels for all corporate information systems and apply control measures accordingly. Estimating risk levels is a continuous process and it requires the use of tools such as vulnerability assessment scanners and/or contracting the services of companies specialised in ethical hacking.

In May this year, the Financial Times was hacked via an exploit of one of its many blogging systems. The system in question was based on a vulnerable version of a content management system. This case illustrates that the principle of the weakest link in the security chain applies to complex information systems with many interconnected components. To maintain a high level of protection of vital corporate information, it is necessary to assess the vulnerabilities of all information systems, since those that are less critical could be exploited to provide access to other, more critical systems.
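As an added illustration of the Risk = Likelihood x Impact formula and the weakest-link point made above (example code, not from the CSO article): the ordinal scales, traffic-light thresholds, asset names and the links between them are assumed sample data. An asset's effective likelihood is taken as the highest likelihood of any system that can reach it, so a vulnerable, low-impact blog lifts the systems behind it into the red band even though each of them rates green or amber on its own.

```python
"""Risk = Likelihood x Impact with weakest-link propagation (added example)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed 1-3 ordinal scales; the article gives no numeric scale.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    name: str
    likelihood: int                # from vulnerability / threat assessment
    impact: int                    # from the business impact analysis
    reaches: List[str] = field(default_factory=list)  # assets exposed if this one falls


def risk_score(likelihood: int, impact: int) -> int:
    """The article's formula: Risk = Likelihood x Impact."""
    return likelihood * impact


def traffic_light(score: int) -> str:
    """Assumed traffic-light bands for a 1..9 score."""
    if score >= 6:
        return "red"
    if score >= 3:
        return "amber"
    return "green"


def upstream(assets: Dict[str, Asset], target: str) -> Set[str]:
    """All assets that can (transitively) reach `target`; cycles are tolerated."""
    preds: Dict[str, Set[str]] = {n: set() for n in assets}
    for a in assets.values():
        for t in a.reaches:
            if t not in assets:
                raise ValueError(f"{a.name} links to unknown asset {t!r}")
            preds[t].add(a.name)
    seen: Set[str] = set()
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for p in preds[node]:
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return seen


def effective_likelihood(assets: Dict[str, Asset], target: str) -> int:
    """Weakest link: the chain is only as strong as the most exploitable system on it."""
    own = assets[target].likelihood
    return max([own] + [assets[p].likelihood for p in upstream(assets, target)])


def assess(assets: Dict[str, Asset]) -> Dict[str, Dict[str, tuple]]:
    """Standalone score (asset in isolation) next to the linked score."""
    report = {}
    for name, a in assets.items():
        alone = risk_score(a.likelihood, a.impact)
        linked = risk_score(effective_likelihood(assets, name), a.impact)
        report[name] = {"standalone": (alone, traffic_light(alone)),
                        "linked": (linked, traffic_light(linked))}
    return report


def build_sample_estate() -> Dict[str, Asset]:
    """Constructed sample estate modelled on the article's blog-to-core scenario."""
    assets = [
        Asset("public-blog", LIKELIHOOD["high"], IMPACT["low"], ["cms-backend"]),
        Asset("cms-backend", LIKELIHOOD["low"], IMPACT["medium"], ["subscriber-db"]),
        Asset("subscriber-db", LIKELIHOOD["low"], IMPACT["high"]),
        Asset("hr-portal", LIKELIHOOD["medium"], IMPACT["medium"]),  # isolated
    ]
    return {a.name: a for a in assets}


if __name__ == "__main__":
    for name, r in assess(build_sample_estate()).items():
        print(f"{name:14} standalone={r['standalone']}  linked={r['linked']}")
```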



The credit card details of about 376,000 European citizens have been put at serious risk after a data breach affecting the Co Clare-based company Loyaltybuild, making it what one industry person described today as perhaps the “largest data protection breach in western Europe in the last three years”.

Up to 1.5 million have had their personal information compromised - details such as names, addresses, phone numbers and email addresses.

Data Protection Commissioner Billy Hawkes had not been made aware of the full extent of the breach until Monday night, he indicated.

Supervalu, which uses Loyaltybuild to process customer data for its Getaway Breaks scheme, initially brought the issue to light last week when it said about 39,000 of its customers had been exposed to credit card fraud.



Wednesday, 13 November 2013 17:03

Disaster Update – Typhoon Haiyan

Typhoon Haiyan swept across the central Philippines on Friday leaving a trail of massive destruction in its wake. With sustained winds reported at over 145 miles per hour, and significantly stronger gusts, Haiyan was the second category 5 typhoon to strike the Philippines this year. The typhoon affected 4.3 million people across 36 provinces.

Philippine Red Cross volunteers throughout the region are reporting significant damage and a growing death toll, while the full extent of the devastation continues to unfold. While relief efforts are underway, blocked roads, destroyed infrastructure and downed communication lines are making the response particularly challenging.

The Philippine Red Cross is leading the response effort and their volunteers have been caring for people even before Typhoon Haiyan made landfall—working closely to support pre-emptive evacuations of more than 125,000 families. The Philippine Red Cross is the largest humanitarian organization in the country, with 1,000 staff and an estimated 500,000 active volunteers engaged in response to this emergency. Red Cross has begun distributions of relief supplies, but delivery in the worst affected city of Tacloban has been significantly constrained by damage to local infrastructure.

The American Red Cross has deployed four people to the Philippines. These include two people who specialize in telecommunication and who are traveling with satellite equipment, and two others who specialize in disaster assessment. The Red Cross network has deployed teams in logistics, disaster assessment, shelter, health, water and sanitation.

In addition to supplying people, expertise, and equipment, the American Red Cross is helping reconnect families separated by Typhoon Haiyan. People searching for a missing family member in the Philippines should remember that many phone lines are down. If still unable to reach loved ones, people can contact their local chapter of the American Red Cross to initiate a family tracing case.

Wednesday, 13 November 2013 17:02

Supertyphoon Haiyan Devastates Philippines

Supertyphoon Haiyan hit the Philippines on Friday, leaving at least 10,000 residents dead and hundreds of thousands without reliable food, shelter or water. One of the strongest storms ever recorded, Haiyan’s winds surpassed 140 miles per hour, bringing record storm surges. The full extent of the damage remains uncertain, with communication and transportation severely restricted.

The World Bank has called the Philippines one of the most hazard-prone countries in the world. Closed roads and airports restricted aid efforts after Supertyphoon Haiyan, and communication failures posed some of the greatest challenges to both assessing and recovering from damage.

“Under normal circumstances, even in a typhoon, you’d have some local infrastructure up and some businesses with which you can contract,” Praveen Agrawal, the World Food Program’s Philippines representative and country director, told the New York Times. “Being as strong as it was, it was very much like a tsunami. It wiped out everything. It’s like starting from scratch” in terms of delivering the aid, he said.



One of the most important jobs in IT is that of the IT asset manager. Knowing the status of all software and hardware in the organization at a moment’s notice is a necessity. It takes a very detail-oriented person to plan for the life cycles of software, track all software licenses, and ensure that the company stays in compliance with its contracts.

When a company finds itself in need of just such a person, having the proper job description is integral to locating a candidate who captures all of the skills necessary. Our IT Download, “Job Description: IT Asset Manager,” provides the most detailed listing of skill sets and experience that a capable IT asset manager should possess.

According to this job description, duties and responsibilities of an asset manager include:



Wednesday, 13 November 2013 17:00

NFPA 1600 2016 edition development update

The NFPA Technical Committee on Emergency Management and Business Continuity, which is responsible for developing the 2016 edition of NFPA 1600, the Standard on Disaster/Emergency Management and Business Continuity Programs, met on October 22nd and 23rd in Salt Lake City, UT.

The draft minutes of the meeting have just been published and contain, amongst other items, details of critical milestone dates within the development process. These include:

  • First revision electronic filing must be completed by task groups by January 3, 2014;
  • The deadlines for submission of public submittals are November 29 (paper submissions) and January 3, 2014 (online submissions);
  • The First Draft meeting must be held by June 13, 2014; and
  • The first draft will be balloted no later than August 22, 2014.

Read the draft minutes (PDF).

The Business Continuity Institute has announced that Business Continuity Awareness Week 2014 (BCAW) will take place between March 17th and 21st.

BCAW is an annual global event to raise awareness of business continuity management, to demonstrate the importance of business continuity and to help people understand why they should apply it to their organization.

Business Continuity Awareness Week will include a number of regional events as well as a series of webinars.

More details will follow when they are available.


Wednesday, 13 November 2013 16:52

Social Media use at BCM2013

Back in June I was critical of Social Media usage at the Australasian BC Summit, suggesting that one of the reasons why there was no use of social media was the age of attendees. It was not a young audience.

If we did not make an issue of the need to use social media at the time of a disruption it probably would not matter – but we do, and at the same time we don’t practice, nor understand, it.

The audience at BCI World Conference in London last week was not much younger – it is still an older person’s discipline. But there was a little more use of Social Media. It was still remarkably disappointing, though – especially as there had been good promotion of the Twitter hashtag (unlike the Australasian conference) and clear exhortation to people to join the discussion on social media.



Wednesday, 13 November 2013 16:51

Typhoon Haiyan: The Insurance Perspective

Amid the pictures and stories of destruction from Typhoon Haiyan come some facts that put the damage from this storm in perspective, at least in insurance terms.

Typhoon Haiyan hit the central Philippines as an extreme Category 5 storm, with winds of 195 miles per hour as well as a massive storm surge on November 8. It then traveled across the South China Sea and made landfall on the north Vietnam coast as a Category 1 storm with 75 mile per hour winds on November 10.

Latest media reports put the death toll in the city of Tacloban alone at more than 10,000. While this figure seems high, the Capital Weather Gang blog notes that, even if the death toll estimate holds up, Haiyan would rank outside the top 35 deadliest tropical cyclones on record.



Wednesday, 13 November 2013 16:31

Microsoft Ups Its Game in CRM and ERP

According to the Chinese calendar, 2014 is supposed to be the year of the horse. However, Microsoft prefers to dub it the year of the customer, a consideration that has led it to add new features to its Dynamics CRM software.

Kirill Tatarinov, executive vice president, Microsoft Dynamics explained that the millennial generation (born between the early 1980s and early 2000s) is more informed, has radically different expectations and is changing the market dynamics for every industry. This new breed of consumer, he said, has a constant connection to the Internet and uses social networks for feedback that can quickly go viral. They feel empowered.

"Over 90 percent of people today never complain when not served well," said Tatarinov. "They just leave and never come back."



In life, and in business, reputation is everything. That said, reputation is very fragile and it only takes one mistake to cause irreparable damage to your company’s image. This is especially true in the digital world, where radical transparency and high customer expectations reign supreme. Ignoring strong public digital voices isn’t an option any more. Companies have to learn not only to communicate effectively in the social media age, but to truly listen to the social chatter and respond in ways that align with both brand and customer expectations.

In the online era, it becomes critical for a business of any size to have a social media crisis management plan – or even better, a crisis prevention plan – in place for those times when things go wrong. And it is truly a matter of “when” vs. “if.”

Let’s take a look at some of the ways to avoid social media disasters, prevent them from escalating, or handle things if everything goes sideways.



Some 62,500 customers of Supervalu are now thought to have been affected by a security breach, significantly more than the 39,000 originally thought, and there is a “high risk” their payment details have been accessed by an unauthorised third party, the supermarket chain said last night. In a statement, it said those affected paid for Supervalu Getaway Breaks between January 2011 and February 2012.

The supermarket said the 62,500 customers who made bookings during the period have been advised to contact their bank or financial institution as soon as possible. They should “immediately check the transactions on their payment cards for any suspicious activity”, the statement said.

Customers are also being warned to treat any unsolicited communication claiming to represent Supervalu Getaway Breaks or Loyaltybuild with “extreme caution."



When you’re scouring your neighbourhood to detect possible risks to your organisation, a tool like Google Earth can be a valuable asset. Without leaving your desk you can tour streets and advance street view by street view, pinpoint addresses such as the nearest phone service and electricity providers on your map and spot vulnerabilities – that remote site with no surrounding fence, for example. That’s the good side of Google Earth. However, it also has its limitations and even potential drawbacks. Find out more about these below so that you won’t be caught short.



The vision of the cloud as a magical realm of limitless scalability and customized, on-demand data architectures still runs strong in the enterprise industry. This view is not altogether wrong, even though many clouds with various levels of functionality will be created in order to meet the demands of an increasingly diverse data community.

But no matter how the individual enterprise chooses to implement the cloud or what applications it deploys, the fact remains that, as with any other infrastructure expansion, the migration process will be lengthy and complicated.

The good news, though, is that the cloud industry is highly motivated to absorb as much of the existing enterprise data environment as possible and, being already steeped in automated processes, it is working to take on the lion’s share of the migration burden using the latest software platforms.



Tuesday, 12 November 2013 16:32

CFOs More Confident About Risk Management

Nearly two-thirds of CFOs are more confident in their ability to manage risk, with 25% reporting an increased appetite for risk, according to a new national survey from TD Bank. A number of respondents said their organizations have managed risk proactively since 2008 through internal controls and procedures and increased accountability.

“What we’re seeing, both through this survey and in our interactions with clients, is a more positive outlook about the economic environment and the business opportunities coming out of the recession,” Greg Braca, executive vice president and head of corporate and specialty banking at TD Bank said in a statement. “Well over a third of the CFOs surveyed expressed that they’re more confident in the U.S. economy, and more than half viewed their organizations’ prospects in the same vein. CFOs feel better equipped to manage risk, which will enable them to take a more active approach to investing and expansion, even if the economy improves at a slower pace than we’d like.”

CFOs are also apprehensive about the regulatory climate, with more than a third of respondents indicating that regulation is a top concern going forward.

The survey was conducted in September and October 2013 by ORC International. A total of 150 executives were surveyed, half at companies with annual sales of $50 million to less than $250 million (middle-market) and half at companies with annual sales greater than $250 million (corporate).



CSO — As everyone knows, cloud provider Nirvanix recently fell apart, declaring bankruptcy and leaving its customers in the lurch. Nirvanix gave enterprises less than a month to move their data to a new home. To avoid the fate of those customers, follow these best practices for safely moving data in and out of the cloud.

Due diligence: financials first

The Cloud Security Alliance's February 2013 report, "The Notorious Nine: Cloud Computing Top Threats in 2013" has identified a lack of due diligence as a continuing threat to cloud computing. When enterprises do look into cloud providers, their view of things is a bit lopsided. "Cloud consumers place too much emphasis on information assurance and privacy, or focus on cost reduction and savings at the expense of investigating the financial health of candidate providers," says John Howie, COO, the Cloud Security Alliance.

"Perceived profitability does not imply stability for a company or a service provider," says Adam Gordon, CISO, New Horizons Computer Learning Centers; "the management strategies of a company can squander financial success overnight, driving profitability, the company and its partners over a cliff quickly if nobody is paying attention."



Monday, 11 November 2013 17:14

Cybersecurity Threats Are Rising

Cyber security has moved from operations to a concern of the C-suite and the board, EY (formerly known as Ernst & Young before getting carried away with hip rebranding), the consultancy, has found in its work across industries.

“For nearly three-quarters of organizations surveyed, information security policies are now owned at the highest organizational level,” the firm concluded in a recent report on cyber security, “Under Cyber Attack, EY Global information security survey 2013.” Because the attacks are becoming more numerous and more sophisticated, organizations have to improve their defenses and get proactive. (For a fascinating look at how Obama’s security is protected — a tent that is erected in hotel or conference rooms with tools to protect against eavesdropping — see The New York Times.)

“The number of threat actors is increasing and each has a different high value target,” said Chip Tsantes, cybersecurity leader for financial services at EY. “Five years ago it was protecting money, but now threat actors, nation states and hacktivists are looking to disrupt, embarrass, steal IP or help their domestic industries. The number of targets has increased, techniques have gotten better and they are going after a wide array of targets.”



By Brad Glisson

Experts from the University of Glasgow looked at a sample of mobile phones returned by the employees from one Fortune 500 company and found that they were able to retrieve large amounts of sensitive corporate and personal information. The loss of data such as this has potential security risks, inviting breaches on both an individual and corporate level.

The data yielded by this study of 32 handsets included a number of items that could potentially cause significant security risks, lead to the leakage of valuable intellectual property or expose the company to legal conflicts.

The study is an important step in proving that the increasing use of mobile devices in corporate environments may be jeopardising security and compromising country-specific data protection legislation.



Today is National Remembrance Day for Veterans who served their country and across the world. In the US we call it Veterans Day. In the UK, it is called Remembrance Day. Whatever it is called, it is designed so that we may never forget the sacrifices that the men and women made so that we can live in a free society. So today, I ask you to personally thank a veteran, buy them a cup of coffee or simply reflect on those who made the ultimate sacrifice to allow us all to go forward into the 21st Century.

My father is a veteran of both World War II and the Korean Conflict. I saw him this weekend and at 87 he is still kicking along, reading, studying and thinking about the relevant issues of the day. He gave to me a copy of the Fall 2013 issue of the University of Illinois, College of Law, Comparative Labor Law & Policy Journal which had an article, entitled “Toward Joint Liability in Global Supply Chains: Addressing the Root Causes of Labor Violations In International Subcontracting Networks”, by authors Mark Anner, Jennifer Bair and Jeremy Blasi. So to honor my father’s continuing interest in anti-corruption compliance, today I will write about this article and how it informs anti-corruption compliance in the Supply Chain.



MANILA — The super-typhoon that tore through the Philippines and left a feared five-figure death toll touched down in central Vietnam early Monday, already ranking as one of Asia’s most destructive natural disasters in recent decades.

As rescue workers struggled to reach some areas along a heavily damaged chain of Philippine islands, survivors described a toll that this impoverished country will be contending with for years.

Entire regions are without food and water, and bodies are strewn on the streets, after a typhoon that had much the look of a tsunami, with waves as high as two-story buildings. Photos and videos showed towns ground to a pulp.



Monday, 11 November 2013 17:04

Data Quality Enlightenment

A few weeks ago, I wrote about the Five-Fold Path for Ensuring Data = Information, which I drew upon Buddha’s Eight-Fold Path for inspiration.

But to really understand the practices of the eight-fold path, you need to understand the underlying doctrines that motivate it. In Buddhism, those tenets are outlined in the Four Noble Truths.

The five-fold path describes what you need to do to achieve data quality, but that still doesn’t define the realities that drive us to pursue data quality.



Monday, 11 November 2013 16:55

Enterprises Poised to Take on the Real Cloud

To say that the cloud is a common facet of enterprise infrastructure is something of a mistake. While many organizations have embraced the cloud as a means to ramp up storage capacity or even burst workloads during peak activity periods, few have integrated cloud infrastructure into their normal data environments in ways that leading experts say leverage the true value of the technology.

But that may be about to change. New market research is starting to suggest that attitudes are shifting and enterprise executives are warming up to the idea of the cloud as a full functioning extension, or even a replacement, of on-premise infrastructure.

First up is Gartner, which reported recently that cloud computing is on pace to make up half of the total IT market by 2016, with nearly half of all large enterprises deploying hybrid clouds by 2017. The company says virtualization, orchestration, high-speed networking and other cloud-enabling technologies have reached a point at which enterprise executives can finally see the advantages that cloud architectures have over traditional infrastructure, particularly as the industry starts to confront the realities of mobile computing, social networking, Big Data and other trends. The big question for many, however, is whether they will be strictly consumers of cloud services or a provider as well.



MANILA, Philippines (AP) — The strongest typhoon this year slammed into the central Philippines on Friday, setting off landslides and knocking out power and communication lines in several provinces. At least four people died.

Huge, fast-paced Typhoon Haiyan raced across a string of islands from east to west — Samar, Leyte, Cebu and Panay — and lashed beach communities with over 200 kilometer (125 mile) per hour winds. Nearly 720,000 people were forced to evacuate their homes.

Due to cut-off communications, it was impossible to know the full extent of casualties and damage. At least two people were electrocuted in storm-related accidents, one person was killed by a fallen tree and another was struck by lightning, official reports said.



Friday, 08 November 2013 16:02

The 4 R’s of Disaster

When the director of technology states that the IT infrastructure is up and available after a disaster, many believe it means that an organization can now begin to operate as normal. This is not completely correct; it’s only part of the solution. It’s like a car salesman pointing out a car on the lot; just because it’s sitting there doesn’t mean it’s ready for use – you need gas, a key and other bits before it’s ready for use. So, just because the technology infrastructure is ready, doesn’t mean it’s ready for use.

What’s happened is that the infrastructure has only been restored; the organization still needs other components in play before it can safely say it is back to operations – not necessarily ‘normal’ operations (Is it ever ‘normal’ to operate in disaster mode??). Yet when technology is restored there is the misconception that all must be well.

I like to keep 4 R’s in mind when an organization is getting back up on its feet after a major situation. Below, I describe four key stages that an organization must go through before it can state – confidently – that it’s back open for business – albeit, no doubt, at reduced capacity and capability.



Friday, 08 November 2013 16:01

Security a Focus after N.J. Mall Shooting

The most recent mall shooting, just a few days ago at the Garden State Plaza in N.J., again heightened the focus on risk management and security nationwide.

Parents have trusted that malls would be safe for teenagers to meet with friends, but places for public gathering can become targets for violence. The pressure is on for organizations to examine their security measures and contingency plans.

David Boehm, with Security USA, said in an interview with CBS New York that the U.S. can learn from security experts in Israel. Similar to Israel, he said, our country is heading in the direction of having officers stationed at entrances and exits to malls.



Computerworld - The document scanning operations of a massive public online digital archive based in San Francisco suffered $600,000 in fire damage Wednesday night.

The Internet Archive said no one was hurt in the fire that broke out about 3:30 a.m. and caused damage to an electrical conduit and some "physical materials." The cause of the fire is under investigation. The archive has a second facility in Richmond, Calif.



Which situation do you think is worse: Your company getting a public relations and/or consumer confidence hit because you revealed that your network was breached or not disclosing the breach at all?

Based on a recent ThreatTrack report, a lot of employers out there think the PR situation must be the worst scenario. The survey, conducted by Opinion Matters, includes feedback from 200 security professionals dealing with malware analysis within U.S. enterprises. It found that nearly 6 in 10 malware analysts have investigated or addressed a data breach that was never disclosed by their company.

In addition to not being totally open with their customers, the ThreatTrack report shows that the data breach problem is a lot worse than any of us thought. According to Verizon’s 2013 Data Breach Investigations Report, there were 621 confirmed data breaches last year. But if nearly 60 percent of malware analysts say the breaches they investigated internally were never reported, it is a good bet that 621 breaches is a low number. A very low number.



LINCROFT, N.J. -- From mucking out homes to hanging drywall; from providing cleaning supplies to delivering food and financial assistance, volunteers and charitable organizations from around the nation have worked diligently to help residents of hard-hit New Jersey recover from Superstorm Sandy.

At the one-year anniversary of Sandy, many of the volunteers and sponsoring organizations who lent a hand in the critical first days after the disaster are still here and still helping.

As of the end of September 2013, some 173,544 volunteers had invested more than 1 million volunteer hours in the Sandy recovery effort. The value of their contributions now totals more than $30 million.

“In a disaster such as Hurricane Sandy, the efforts of volunteers are critical to the recovery,” said Gracia Szczech, federal coordinating officer for FEMA in New Jersey. “Volunteers have made a substantial contribution to helping New Jerseyans respond and recover from the challenges they faced after Hurricane Sandy.”

While the volunteer efforts that extend across the state may appear unrelated, in reality, they are all part of a collaborative mission, participating in a massive team effort to assist survivors of Hurricane Sandy in their transition to long term recovery.

“I’ve witnessed how valuable volunteers have been,” said Lt. Joseph Geleta of the New Jersey Office of Emergency Management. “It’s very important for the OEM to partner with the volunteer community.”

As the Volunteer Agency Liaison for Sandy Recovery, Geleta works in partnership with FEMA and a coalition of volunteer organizations who are members of the NJ Voluntary Organizations Active in Disaster to coordinate a network of resources to assist survivors as they rebuild their lives.

“We have established Long Term Recovery Groups to help survivors,” Geleta said. “Our goal is to try to meet those unmet needs of survivors who have exhausted all of their disaster assistance dollars and who are still in need.”

The task is a big one.

Back in 1999, in the aftermath of Hurricane Floyd, 70,000 people registered for FEMA disaster assistance. “At that time we established a Somerset County Long Term Recovery Group, and they were helping people for five years after the storm hit.”

In 2011, after Hurricane Irene, 90,000 New Jerseyans registered for disaster assistance. “We were still working on unmet needs from Irene when Sandy hit,” Geleta noted.

The number of people seeking help after Hurricane Sandy exceeded the numbers who registered after Floyd and Irene combined.

“More than 260,000 residents of New Jersey registered for disaster assistance,” Geleta said. “Clearly we expect this is going to be a very long recovery.”

During the year after Sandy, the NJVOAD coordinated and supported the volunteer efforts of more than 500 organizations.

These organizations ranged from internationally known agencies like the American Red Cross to smaller groups that regularly travel thousands of miles to assist their fellow Americans when disaster strikes.

Among those groups are the Southern Baptist Men, who applied emergency “blue roof” coverings on over 1,500 homes that had been so damaged by the hurricane that their interiors were exposed to the elements.

Other groups that provided volunteers, resources and skilled workers to Sandy survivors in New Jersey included Habitat for Humanity, Feed the Children, Lutheran Disaster Response, United Jewish Communities, the National Disaster Relief Office of the Roman Catholic Church and Mennonite Disaster Services, to name only a few.

Local churches, charities and nonprofits also worked around the clock to provide the help their neighbors needed to survive, recover and rebuild.

The Foodbank of Monmouth and Ocean Counties regularly provides more than 127,000 people with food and other services. The need for assistance increased substantially with the arrival of Sandy.

“In the immediate aftermath of Hurricane Sandy we provided over 1 million meals to people who were affected by the storm,” said Marion Lynch, marketing and communications coordinator for the Foodbank. And a year after the storm, “Our work continues. We provide food and outreach services to some of the area’s most hard hit communities and support recovery efforts in both counties. We remain committed to helping our neighbors recover and we rely on a caring community to support our work.”

The American Red Cross has also been a major partner in the recovery effort.

In the weeks following the disaster, the American Red Cross’s 5,300 employees and volunteers supported 65 shelters, distributed more than 1.5 million relief items, provided more than 23,000 health and mental health contacts, and served more than 4 million meals and snacks to Sandy survivors in New Jersey.

More than 2,200 Red Cross volunteers came from around the country, working with partner groups like the Southern Baptists, Islamic Relief - USA, Team Rubicon and others to help New Jersey.

Members of the U.S. Naval Academy Midshipmen Action Group, VISTA and AmeriCorps members also served as Red Cross disaster volunteers, joining members of Red Cross societies from Canada, Mexico, Saipan and other locations around the globe who were deployed throughout the state.

Red Cross volunteers contributed over 395,000 hours of service in New Jersey and millions of dollars’ worth of Sandy-specific in-kind donations flowed from generous corporate donors through the Red Cross. The agency delivered everything from batteries to baby food, food trucks to internet access, to the people of New Jersey.

Donations made by Americans around the country to the Red Cross Disaster Relief Fund supported the distribution of more than 47,000 Red Cross Clean-up kits and more than 28,000 Red Cross Comfort Kits in New Jersey.

“The American Red Cross continues to support residents of New Jersey in their recovery from Hurricane Sandy through a variety of programs, including grant funding to community and faith-based groups actively working to help individuals and families recover,” said Nancy Orlando, regional CEO of the American Red Cross South Jersey Region. “Additionally, through our Move-in Assistance Program, the Red Cross is providing direct financial assistance of up to $10,000 for housing-related expenses to eligible individuals whose primary homes were destroyed or made uninhabitable by Sandy. As of September, the American Red Cross has given close to $6 million to approximately 1,300 households in New Jersey through the MIAP initiative.”

While volunteer efforts have helped thousands of New Jerseyans repair, rebuild and recover from the devastation caused by Hurricane Sandy, many residents still need help. NJVOAD has been working since before the disaster struck to coordinate and deploy volunteer resources where they are needed.

LTRGs continue to serve survivors in the following locations: Atlantic County, Atlantic City, Bergen County, Camden County, Cape May County, Cumberland County, Essex County/Ironbound, Gloucester/Salem Counties, Hudson County, Middlesex County, Monmouth County, Morris County, Ocean County and Somerset County.

“They are all working hard to help people in their communities,” said Cathy McCann, chair of NJVOAD. “NJVOAD has been hosting six regularly scheduled coordination calls among the different LTRGs so that they can share challenges, successes and support one another and that we can speak as a united group on any issues we see on a statewide basis. The different coordination calls are Case Management, Volunteers, Construction, Donations, Emotional and Spiritual Care.

“This week we have asked Church World Service to come in and do four workshops on how cases can flow through the Long Term Recovery process. We have over 200 people scheduled to participate in these workshops. Sometimes it is hard to believe it is a year already and other times it feels like we should be further along; there have been many challenges, and many organizations that have not traditionally worked together are learning to do so, and are finding that we all need to work together to help people recover.”

If you or someone you know is still in need of assistance with a Hurricane-Sandy related problem, help is available via the web at www.Ready.gov and http://www.state.nj.us/njoem/programs/sandy_recovery.html

Survivors may also find information and access resources by calling 2-1-1 or via the web at https://www.nj211.org.

The confidential service is funded by local United Way chapters in partnership with the State Department of Human Services, the Office of Homeland Security and Preparedness and the Department of Children and Families.

Resource specialists can connect New Jerseyans with community agencies for help with basic human needs such as clothing, food, shelter, rent and utilities, with special needs such as caring for an elderly or disabled person, with child care and with locating health and mental health care services.

“The needs are still many,” McCann noted. “So many people are not aware of the Long Term Recovery Groups that are out there and that volunteers are available to help in the rebuilding.”

And as they help our neighbors in New Jersey rebuild, members of the volunteer network are reminding those who still want to help that donations of money and resources are still needed.

For information on making a donation of cash or materials, visit the National Donations Management Network on the web at www.ndmn.us/ to match your donation to the needs of the community.


FEMA's mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Follow FEMA online at www.fema.gov/blog, www.twitter.com/fema, www.facebook.com/fema, and www.youtube.com/fema. Also, follow Administrator Craig Fugate's activities at www.twitter.com/craigatfema.


By Rachel Little, FEMA Youth Preparedness Council Member, Region 1

Monson, Mass., July 7, 2011 -- The debris that was left behind by the June 1 tornado that hit the town of Monson and western Massachusetts. Alberto Pillot/FEMA

My name is Rachel Little and I am a junior attending Monson High School. I have lived in Monson, Massachusetts, my whole life, and couldn’t have grown up in a better place. My town is full of strong-willed, determined people, always willing to lend a helping hand.

When a tornado struck our town on June 1st, 2011, it brought our small community even closer together. Everyone was reaching out to give support, from supplying food or water, to giving neighbors hope for a better tomorrow. It was a very moving event to watch. Even though I was not directly affected by the tornado, I had people very near and dear to me in the path of the tornado. I wanted to help out in whatever way I could, because I saw how much the people of Monson were suffering. I couldn’t stand by and watch -- I had to take action.

Therefore, I joined the Monson volunteer efforts and eventually became a member of The Street Angels. The Street Angels is a dedicated volunteer group that brought supplies to families in need after the tornado, and helped families make connections with landscapers and builders. My fellow Street Angels helped me fill out an application to become part of FEMA’s Youth Preparedness Council, and I am now going into my second year of being a proud member. To me, the Youth Preparedness Council is the beginning of people realizing that youth can make a difference in emergency preparedness and response -- not just myself and the wonderful people of this council, but the world’s youth. My fellow members and I are just the beginning of that change.

My plan for 2013 is to collaborate with the Medical Reserve Corps (MRC), or Community Emergency Response Team (CERT), to start a teen readiness club in my town. I know a lot of people my age wanted to get involved after the 2011 Monson tornado, but they didn’t know how. If either a Jr. MRC or a Teen CERT had already been in play before the tornado, Monson would have seen a significantly higher amount of youth action. Being a member of the Youth Preparedness Council, my mission is to increase the amount of prepared youth and families in my region.

I’ve also been trying to share emergency preparedness at my school. I’ve hit significant road blocks during previous attempts at getting a teen readiness club up and running for Monson High School. After last year’s Youth Preparedness Council summit in Washington DC, I had my heart set on starting a Teen CERT. The idea of getting my friends and classmates interested in preparedness and prepared for disasters was exciting. I asked around to see if I could get a trainer to help me get the team started. I found a man in my neighboring community who seemed very willing to help me out, but unfortunately, that fell through.

I turned to my Local Emergency Preparedness Committee, which was formed after the tornado. Although I made a presentation to them and they liked my ideas, we weren't able to get the plans off the ground. I did meet a woman in the Local Emergency Preparedness Committee meetings who happened to be the head of the MRC in my town, and she introduced me to Jr. MRC. We’re still hoping to get the Jr. MRC started, and it’s a current work in progress. I anticipate that the challenges for this year will again be finding someone to teach the course or help me with the establishment of the club. I have a backup plan, so that if things fall through, I will take the Teen CERT “train the trainer” course so I can teach a class myself.

As a result of starting Teen CERT or Jr. MRC in Monson, I want to see this little community become prepared for future emergencies. I hope never to see another disaster to the extent of the tornado ever again, but it’s better safe than sorry. I will know I’ve met success when I have a fully functioning teen readiness club in Monson High School. From there, I can only hope to expand my efforts to other communities and beyond.

Editor’s Note: The views expressed in this blog post do not necessarily represent the official views of FEMA, the Department of Homeland Security, or the United States Government. We are providing links to third party sites and organizations for your reference. FEMA does not endorse any non-government entities, organizations or services.


CSO — Everybody who spends much time on the web knows their activities are tracked for marketing purposes. Do a little online shopping for hats, and you will quickly see ads for hats popping up on other websites you visit.

But, the collection of individual data by so-called Big Data brokers goes well beyond your online shopping. Those companies -- there were 253 of them as of this past March, according to a directory compiled by the Privacy Rights Clearinghouse -- collect and sell information to marketers on everything from your marital status, whether you might be pregnant or have a newborn, have cancer, are trying to lose weight, are gay or straight, how much you make, what credit cards you use, your lines of credit, where you live, what your house cost, what kind of car you drive or if you might be looking to buy a new one, your race, occupation, political leanings, education level, have one or more children in college, have pets to what your hobbies are and more -- much more.

The cliché is that data brokers know more about you than you know about yourself.

But this, according to those brokers, is a very good thing for you, the consumer. One major broker, Acxiom, which has been very much in the news over the past month for allowing consumers to view a portion of the data it collects on them through a new portal -- AboutTheData.com -- is using that higher visibility to assure people that not only is this collection harmless, but it also brings them a host of economic and other benefits.



CIO — A U.S. Senate committee yesterday approved legislation that would encourage government agencies to consolidate their data centers along with a bill to require online disclosures of federal spending data.

The Federal Data Center Consolidation Act, sponsored by Michael Bennett (D-Colo.), would spur on an initiative that the Obama administration launched in February 2010 to reduce the footprint of the government's IT infrastructure as agencies shift toward cloud computing and shared services.

The bill would require the 24 agencies participating in that effort to submit comprehensive inventories of their IT facilities to the Office of Management and Budget, along with long-term plans for phasing out data centers and optimizing performance at the ones that remain open. The agencies would also be expected to submit estimates of cost savings from their consolidation plans.



Thursday, 07 November 2013 17:22

Alternatives to Traditional Risk Assessments

There are limitations to traditional risk maps, heat maps and risk rankings based on subjective assessments of the severity of the impact of potential future events and their likelihood of occurrence. These limitations include the influence of individual biases and “group think,” preempting out-of-the-box thinking, failure to address the unique characteristics of the risks the company faces, undue influence from past experience and successes and little insight regarding what to do about exposures to extreme events. Simply stated, an assessment process that subjects all risks to the same analytical grid has shortcomings that need to be recognized if risk management is to advance as a discipline.

While there may be a place for traditional risk assessment approaches when creating awareness and obtaining a “quick and dirty” overview of risk, more sophisticated assessment mechanisms may be necessary to provide the insights needed by management and the Board. If very little happens as a result of an organization’s risk assessment process, it is a clear sign that alternative approaches should be considered. We will explore alternatives for the four categories of risks: strategic, operational, financial and compliance.



Thursday, 07 November 2013 17:21

What Are Your Top Ten Organisational Risks?

Organisational risk is in the eye of the beholder. What you see as being the main risks as an innovative small business serving the Melbourne metropolitan area may be very different from the point of view of a multinational corporation with projects all over the world. It’s wise however for both types of organisation to consider different perspectives. They can help reveal risks hitherto ignored or that lurk in the background, ready to increase in importance as conditions change. They also help enterprises to remain flexible in their outlook and more resilient to problems, whether inside or outside the business. Here are a few different takes you might consider.




London’s Royal Courts of Justice was the perfect setting for the Business Continuity Institute’s gala Global Awards dinner on November 6th at the conclusion of Day 1 of the BCM World Conference & Exposition.

The High Court was not in session, but the esteemed judges empanelled by The BCI rendered their verdicts – recognizing the outstanding achievements of Business Continuity professionals and organizations worldwide.

In the Consultancy & Individual categories:

Business Continuity Consultant of the Year was awarded to Saul Midler, LINUS.

Tom Clark, Liberty Mutual Insurance was named Business Continuity Manager of the Year.

And Standard Life PLC won the award for Business Continuity Team of the Year.

The award for Public Sector Manager of the Year was presented to Alan Jones.

Andrew MacLeod, Needhams 1834 Ltd was named Business Continuity Newcomer of the Year.

In the Corporate categories:

The Business Continuity Innovation Award was presented to Vocal Ltd.

SunGard Availability Services was named Business Continuity Service Provider of the Year, and the Business Continuity Product Provider of the Year award was presented to eBRP Solutions Network, Inc.

The award for Most Effective Recovery of the Year went to Etihad Etisalat – Mobily.

Finally, the public vote for the Industry Personality of the Year resulted in this year’s coveted honor being bestowed on Richard L. Arnold, recognizing his career-long contribution to the Business Continuity industry.

Congratulations to all of these worthy winners. Each exemplifies the best in our industry – the highly skilled, the thought leaders, those who have leveraged their experience or demonstrated their acumen to have a positive impact both locally and on the Business Continuity industry globally. But simply being nominated for one of these awards should be considered an honor; only the select few are singled out as Regional Award winners and qualify as nominees for these Global awards.

Here at eBRP Solutions we’re very, very proud of this honor. Our award is testimony to the hard work of our designers and developers, and the incalculably valuable input of our customers worldwide. We were thrilled to win this year’s Regional awards in North America, Europe, Asia and the Middle East. We know that without the collaboration of our customers and other partners, eBRP and our flagship product – eBRP Suite – would not be what they are today: recipient of the 2013 BCI Global Business Continuity Product of the Year Award.

The Business Continuity Institute (BCI) has named eBRP Solutions winner of the 2013 Global Business Continuity Product Provider of the Year award, for its flagship Business Continuity Management software eBRP Suite.


The award was presented at a gala Global Awards dinner concluding the open session of the 2013 BCM World Conference and Exposition on November 6th at the Royal Courts of Justice in London, UK.

The BCI Global awards are the culmination of a year-long program of Regional awards by BCI Chapters across the globe.  Winners of each of seven Regional award competitions were entered as nominees for the Global awards.  Earlier this year eBRP captured 4 Regional Business Continuity Product of the Year awards – honoring its flagship software eBRP Suite – in the North American, European, Middle Eastern and Asian BCI award competitions.

“2013 has been proven to be a banner year for eBRP,” according to Jim Mitchell, an eBRP Director. “Last year we were named the BCI’s North American Business Continuity Software of the Year, and this year we were delighted to pick up 4 additional Regional awards. But the Global award is much more significant; it solidifies our standing as Thought Leaders in the Business Continuity industry.”

BCI Award

According to The BCI, the Global Awards “recognize the outstanding achievements of Business Continuity professionals and organizations worldwide and pay tribute to some of the finest talent in the industry.  Becoming a winner of a BCI Award gives international recognition for hard-earned achievements and is considered a great accolade within the BCM profession.”

“More than ten years of hard work has gone into the design and continuing development of eBRP Suite,” added eBRP Managing Director Ramesh Warrier.  “This award is shared with the entire eBRP Team – and with our Customers, whose collaboration has helped us evolve eBRP Suite to become a globally-acclaimed leader in the BCM industry.”

Want to find out what earned eBRP Suite the Global BC Product Award? Simply click the Show Me button below, or the Request a Demo button to the left of this page – or email us directly, or phone us at +1-888-480-3277 or (905) 677-0404. We’ll be happy to show you how eBRP Suite can take your organization’s Business Continuity Management program to the next level.

Jennifer Craig

Jennifer has been the cheerleader for everything eBRP – from designing and coordinating tradeshows, print ads and press releases to building eBRP’s web presence. Strategic efforts with LinkedIn, Twitter, WordPress and HootSuite make Jen the key social media marketing champion at eBRP. Her efforts have greatly enhanced eBRP’s brand image globally, and she is credited for many of the accolades and awards in eBRP’s trophy showcase.

Recently a group of executives, including myself, formed a new council whose aim is to increase disaster recovery preparedness and improve disaster recovery practices. The idea is to study current DR practices and develop DR standards and best practices for the industry to follow. Our initial research surprised us.

Initial results from the Disaster Recovery Preparedness online benchmark survey show the dismal state of DR preparedness of companies worldwide. Using a common grading system from A (the best) to F (the worst), 72% of survey participants, or nearly 3 out of 4 companies worldwide, are failing in terms of disaster readiness, scoring either a D or an F grade. (You can take the test yourself at www.drbenchmark.org).



As I discussed in a previous post, for small to midsized businesses, cloud backup services can simplify the process of backing up data and storing it offsite. Such services are available in many service levels and fit the budgets and data storage needs of a variety of businesses.

Before a company signs on with a managed service provider (MSP) for backup services, however, it should answer questions to head off potential issues:

  • What type of service does the company need?
  • Will there be latency issues?
  • What is the service provider’s availability?
  • How will security be handled?
  • Are there compliance policies that will need to be followed?
  • How will cloud backups mesh with current policies for data recovery and/or disaster recovery?



Techworld — Enterprises should aim to create "business-defined data centers", according to IT analyst house Forrester Research.

In recent years, there has been a big push towards software-defined data centres, which aim to improve overall data centre performance by optimising the application layer and the hypervisor layer.

However, Forrester argues that the business-defined data centre cares about real services as opposed to less important applications.

Speaking at the annual Fujitsu Forum event in Munich today, Rachel Dines, senior analyst at Forrester, said: "Software-defined was a good step but it doesn't go far enough. We want to think about order to cash, payroll, supply chain management. Actual business processes instead of [applications like] ERP and CRM and HCM and a million other acronyms."



WILLISTON, Vt. – It usually takes a disaster like Tropical Storm Irene – which knocked out roads, electricity, water, and communications – to remind us how important our infrastructure is to our communities and our way of life.

The Federal Emergency Management Agency is urging Vermonters to become more aware of critical infrastructure and the need to protect it from disasters or other hazards.

President Barack Obama has declared November Critical Infrastructure Security and Resilience Month, and officials say disasters like Irene and this year’s flooding events demonstrate the importance of expanding and reinforcing critical infrastructure security and resilience.

“The memory of Irene is still strong in Vermont,” said Federal Coordinating Officer Mark Landry, the head of FEMA’s Vermont operations. “Now is a good time to think about how important our transportation, communication, and utility infrastructure is and what we can do to protect it.”

Critical infrastructure comprises the systems that form the backbone of America’s national and economic security, including the electric grid, communications structures, transportation systems, and utilities like water and sewer, as well as the cyber-security of these systems.

“In this day and age, protecting critical infrastructure means more than safeguarding electric substations or bridges,” said Ross Nagy, Deputy Director of the Vermont Division of Emergency Management and Homeland Security. “It also means ensuring that the control systems for these facilities are safe from cyber-attack or human error that could disrupt crucial networks.”

The U.S. Department of Homeland Security – FEMA’s parent agency – urges all Americans to do their part in ensuring critical infrastructure security and resilience by doing the following:

  • Learn about steps you can take to enhance security and resilience in your businesses and communities and how to handle certain events.
  • Make a plan with your families to keep your loved ones safe.
  • If you run a business, make a plan to keep your employees and community safe and enhance your ability to recover operations quickly. If you are an employee, ask your management whether there are plans in place and get a copy.
  • Report suspicious activity.

To learn more visit: http://www.dhs.gov/critical-infrastructure

On October 28, New York Governor Andrew Cuomo announced the establishment of a new Emergency Disaster Protocol that insurers should expect to follow in the event of a future natural disaster. The protocol was communicated to insurers in the form of a circular letter on the same day. The new protocol includes many of the same measures that were put into place following Superstorm Sandy.

“During Superstorm Sandy these steps helped us speed up relief to New York families and businesses, and they will now become a standard part of our storm response arsenal,” said Governor Cuomo. “Insurance companies have a vital responsibility to promptly process claims for consumers hit by a natural disaster and this new emergency protocol will help make sure that they live up to that standard.”



By Joshua Ottow, Assistant Principal, Yarmouth High School 

Yarmouth, Maine, Sep. 9, 2013 -- Assistant Principal Josh Ottow (center) talks about emergency preparedness with Yarmouth High School students on the opening day of school.

My name is Josh Ottow, and I am the assistant principal at Yarmouth High School in Maine. Yarmouth is a suburban town of approximately 8,000 residents and 1,400 students, with 500 students at our high school. I serve on a team of administrators that helps plan for security and emergency preparedness in our district. Currently, we have an emergency management protocol that applies to all schools, and has additional specific information and plans for individual schools.

We feel that Yarmouth High School is already a safe school, in that we foster a trusting and respectful school culture, where positive relationships between students and teachers are of the utmost importance. For example, we do not have locks on our lockers, bells between classes, or hall passes. It’s important to us to add measures that make our school more prepared for emergencies without losing that trusting culture.

This can be a challenge because, in the eyes of students, things like locked doors, buzz-in systems, cameras in the parking lot, and lockdown drills can feel like we are assuming the worst in them, as opposed to trusting them to do the right thing.

At Yarmouth High School, the centerpiece of our emergency preparedness is having a strong Advisor/Advisee program. We believe in the innate strength and potential of a small group of students working together with an advising adult for four years. A student’s advisor is a person to rely on for advice, information, and genuine help and support in moments of distress.  Each teacher’s group of advisees comprises a unique combination of students, who might not otherwise have become friends. We see this as an opportunity for students to offer support and receive support from a group that will be a constant in students’ life for four years at Yarmouth High School. Because of our commitment to this program, we knew that it would be critical to our emergency preparedness implementation efforts.

Over the past year we spent considerable time in our Advisor/Advisee groups, talking about new emergency preparedness measures. The key is doing so in the context of keeping our school culture intact and making the school a safer place. One way we approach this is by employing discussion questions in our Advisor/Advisee groups to stimulate conversation, build understanding within our student body, and give students an opportunity to share their opinions and concerns. Example questions include:

  • What makes Yarmouth High School a secure place?
  • What makes the culture of Yarmouth High School unique?
  • Do you feel safe at Yarmouth High School?
  • Do you know what you would do in an emergency at school? Do you feel prepared?
  • What can we, as a school, do to ensure that we foster and maintain our positive, trusting, and respectful culture AND have a more secure school?

Teachers are advised to be sensitive to potential increases in stress levels and emotional reactions surrounding these discussions, and are aware that student reactions may vary widely and that everyone’s opinion should be given its due. Our hope is that this conversation is honest and impactful for students as they wrestle with these tough issues. We are also hoping that this conversation spills into “dinner time” talk with their parents at home. Parents are always invited to play a contributing role in these emergency preparedness plans via community-based forums, where they can express their opinions, make requests, and give suggestions.

Another method that we use to address emergency preparedness is collecting direct feedback from students. For example, we ask students (through their Advisor/Advisee groups) for feedback on our response plan and suggestions for future protocols each time we hold a lockdown drill. Advisors are given a detailed, play-by-play lockdown drill guide that they go over with their advisees after each drill. Sometimes, we get great suggestions from the students that we may not have thought about otherwise.

For example, during a recent lockdown drill we asked students to hand over their phones to their teacher. One student asked his Advisor why we did that, and he was told that one reason was to minimize light and noise coming from the classroom.  In response, he suggested that teachers should also close the lids of their laptops, because his teacher had his laptop open during the lockdown and it was emitting light. This was not something we had specified in the plan and may not have thought to add if this student hadn’t brought it up. Advisors have access to a shared online document where they can note these suggestions, and then we talk about the responses and potentially revising our plans at a school-wide faculty meeting.

Our emergency preparedness efforts in the past several months, from new plans and new equipment to authentic and honest discussions amongst students and staff, have shown me that involving students and being open with them about how preparedness measures could impact school culture is the best way to ensure a safe and positive school.

Editor’s Note: The views expressed in this blog post do not necessarily represent the official views of FEMA, the Department of Homeland Security, or the United States Government. We are providing links to third party sites and organizations for your reference. FEMA does not endorse any non-government entities, organizations or services.

Wednesday, 06 November 2013 14:53

Are enterprises losing the cyber-war?

Bit9 has published the results of its third-annual Server Security Survey of nearly 800 IT and security professionals worldwide.

Server security remains one of the most critical aspects of any company’s security posture. Servers are where the majority of customer data, intellectual property and user credentials are stored, which is why they are the target of most advanced threats. Failure to protect servers from advanced threats can lead to significant data loss, brand damage, large financial penalties, and diminished customer confidence.

Key survey findings included:

  • 55 percent of security professionals were concerned about targeted attacks and data breaches on servers in 2013 - up 3 percent from 2012, and up 18 percent from 2011.
  • Only 13 percent of respondents are ‘very confident’ in their ability to stop advanced threats targeting servers.
  • 26 percent of respondents admitted their servers were hit by advanced malware, up 1 percent from 2012 and up 9 percent from 2011.
  • 25 percent of respondents ‘don’t know’ if they’ve been hit by a server attack, up 7 percent from last year.
  • 92 percent of respondents use signature-based antivirus software on their servers, while only 29 percent use a new-generation security solution, such as application control or whitelisting.

Click here to read the Bit9 2013 Server Security Survey Report (after free registration).

Wednesday, 06 November 2013 14:52

BCM World Conference 2013 – Special Edition

I have changed the front page of the blog this week to promote the BCI’s World Conference.

I will be live blogging from the sessions I attend and trying to generate some engagement and discussion with other practitioners on a range of Social Media.

The aim is to promote discussion, rather than monologue.

Perhaps even to find an answer to one of the more perplexing questions:

How do we get BC folks to engage and debate issues and ideas?



Could the integration challenges of cloud computing trigger an organizational shift for IT?

IT tends to swing from centralized control to decentralized control every two or three decades, anyway. In times of strong centralized control, which is what we’ve seen in recent times, most of IT will report to a CIO. When the pendulum swings to de-centralized control, you’ll typically find IT workers reporting to specific LOB managers, although a smaller central IT organization may remain.

Already, cloud and SaaS have moved many IT decisions out of the CIO’s domain and down into the line of business.  In fact, Gartner is predicting that chief marketing officers alone will outspend CIOs on technology by 2017, according to “Maintaining IT Relevance in a Hybrid Environment.”

In that Cloud Times column, Scribe Software’s VP of Technical Resources Mark Walker discusses the unique challenges of managing IT in a decentralized, cloud-based environment.



Wednesday, 06 November 2013 14:50

Fast Forward to the Software-Defined Data Center

It seems that all the virtual pieces are finally in place and the enterprise is poised to embark on an unprecedented journey into data performance and flexibility.

The arrival of software-defined networking has heralded the drive to the fully software-defined data center (SDDC), in which all physical aspects of the data environment—servers, storage, networking and the host of specialty appliances on the market—can be created, provisioned and decommissioned entirely via software. It is essentially the difference between data users’ behavior conforming to the dictates of infrastructure and the infrastructure conforming to the needs of users.

But just because we can now envision such a scenario, does not mean getting there will be easy, or cheap. A host of issues must be confronted—everything from systems and data migration to policy development and resource allocation—in order to bring the SDDC from the lab to the real world.



Wednesday, 06 November 2013 14:49

Replacing Your Important Papers

DENVER - Not only were Colorado homes damaged by the recent severe storms, flooding, landslides or mudslides, but many survivors also lost valuable personal documents. The documents include everything from Social Security cards to driver licenses to credit cards.

The following is a partial list of ways to get duplicates of destroyed or missing documents:

Birth and Death Certificates – Birth and death certificates can be replaced by visiting your county vital records office or on line http://go.usa.gov/DFbw

Marriage Certificates – The online link for replacement of marriage certificates is http://go.usa.gov/DFbw

Marriage Dissolutions (divorces) – The online link for divorce decree replacements is http://go.usa.gov/DFbw

Adoption Decrees – The Colorado District Courts link for adoption records - if the adoption was finalized in Colorado - is http://go.usa.gov/DFbw

Immigration Documents – Contact your county office or the site below for citizenship, immigration, permanent resident card (green card), employment authorization, re-entry permit and more: uscis.gov

Driver Licenses – Visit any Colorado driver license office with acceptable identification and proof of address. Fee required.

Vehicle Registration, License Tab or Title – Contact your county motor vehicle office. You will need proof of insurance and Colorado vehicle emissions. Fees administered by county.  http://tinyurl.com/m2hchyh

Passport – Complete form DS-64 from http://tinyurl.com/ld6z28k

Military Records – Request Standard Form 180 (SF-180) from any office of the Veterans Administration, American Legion, VFW or Red Cross, or download from http://tinyurl.com/lnu2pmt

Mortgage Papers – Contact your lending institution

Property Deeds – Contact the recorder’s office in the county where the property is located

Insurance Policies – Contact the insurance company for replacement papers

Social Security Card – Go to a Social Security Administration office. You also can request a copy of your Social Security statement online at www.ssa.gov

Transcript of Your Tax Return – Call nearest Treasury Department office, IRS office or 800-829-3646; request form 4506. To find your local IRS office, go to http://tinyurl.com/mvk5dvu

Savings Bonds/Notes – Complete Form PDF 1048 (Claim for Lost, Stolen or Destroyed U.S. Savings Bonds); available by calling 304-480-6112 or at www.treasurydirect.gov/forms/sav1048.pdf

Credit Cards – American Express, 800-528-4800; Discover, 800-347-2683; MasterCard, 800-622-7747; Visa, 800-847-2911

In February, President Obama issued an executive order instructing the Commerce Department to lead a task force of security experts and industry insiders to develop a voluntary framework to reduce cyberrisk. Last week, the National Institute of Standards and Technology officially released an initial draft of the cybersecurity framework and announced a 45-day open comment period for public input.

The full Preliminary Cybersecurity Framework can be viewed here on the NIST website. After the review period and subsequent revisions, a more complete version will be released in February.

Risk management is a primary focus of the new framework, from the language used to analyze potential exposure to express endorsements in the policy itself. According to a press release, “The Preliminary Framework outlines a set of steps that can be customized to various sectors and adapted by both large and small organizations while providing a consistent approach to cybersecurity. It offers a common language and mechanism for organizations to determine and describe their current cybersecurity posture, as well as their target state for cybersecurity. The framework will help them to identify and prioritize opportunities for improvement within the context of risk management and to assess progress toward their goals.”



Wednesday, 06 November 2013 14:45

… Jet lag, Standards and novel practice

An early start today with arrival in the UK. In the spirit of my conference presentation I am experimenting with a novel practice to counter jet lag. You can read my BCEye blog post about adopting different mind sets and thinking differently.

It is a shame nobody comments on these posts – hopefully the audience at the conference will be more engaged in person than they are online.

My novel practice involved registering to attend a British Standards Institute launch event for ISO 27001. Conventional thinking would assume that an Information Security standards seminar is more likely to encourage sleep than keep it at bay.

Wednesday, 06 November 2013 14:44

Crisis management - achieving control in a crisis

Dominic Cockram

I will be talking on the topic of 'achieving control in a crisis' at the BCM World Conference 2013, and focussing on the key areas of:

  • What happens in a crisis?
  • What are the challenges you face?
  • How can you achieve control in such a situation?

First of all, one must understand just what a crisis means in terms of the characteristics of the actual crisis itself and the impacts on an organisation. It is generally accepted that crises are characterised by:

Wednesday, 06 November 2013 14:43

Agile Organisations and Business Continuity

‘Agile’ is a common buzzword in organisations today. Intuitively, it fits well with the notion of business continuity – an agile enterprise, able to respond iteratively to whatever today’s business conditions or events throw at it. The old concept of long-term corporate planning is light years behind; many businesses don’t know what will happen in five months, let alone five years. But does it make sense to try to define ‘Agile’ further; even with a praiseworthy goal of trying to create a blueprint for ever more effective enterprise resilience? After all, the more you try to nail down ‘Agile’, the less agile you are likely to become. What’s the solution?



As a job title, chief data officer (CDO) generates as much confusion as it does excitement. More organizations are appointing CDOs, particularly in government organizations such as the FCC, the Army and the Federal Reserve.

But questions remain about this new role, as IT Business Edge’s Governance and Risk blogger Kachina Shaw pointed out in an earlier post. Among the questions she and others ask:

  • Do we really need another C-level executive?
  • Would this task be better handled by the CIO?
  • Could the CDO usurp the CIO?
  • What will CDOs accomplish?
  • Who’s qualified to be a CDO?
  • What the heck does a CDO do, anyway?



Data is the lifeblood of the business. Vast amounts of enterprise information are backed up, filtered, stored, retrieved and mined. For small to midsized businesses, dealing with data can seem daunting, though—especially when it comes to backup and recovery.

According to a Spiceworks survey, the top three issues for SMBs that prevent them from achieving success with backup and disaster recovery are:

  • Tight budgets
  • Lack of IT expertise
  • Constantly changing technology and solutions

Another study by Sage found that only 38 percent of those SMBs surveyed had a formal disaster recovery plan in place for accessing data after such an event. This same survey found that 72 percent of SMB respondents say that they back up their data on-site only, which poses a major challenge should a crisis occur such as a fire, flood, tornado or theft.



James Stevenson
Rolls-Royce plc

The experts keep telling us that supply chain risks are important and it is old news that:

  • An interruption could damage the business
  • Customers should work with their suppliers to reduce the risk of interruption
  • Sometimes the problem is with a supplier’s supplier, or their suppliers
  • Unfortunately, supply chain risks seem to be increasing in scale and complexity

Occasionally, this kind of alarm call reaches the Board or Executive Management responsible for understanding the significant risks facing their business. They realise that the threat is real and ask around to see who is managing this area of risk.



Monday, 04 November 2013 15:34

Big Data Blues: The Dangers of Data Mining

Computerworld — More than simply bits and bytes, big data is now a multibillion-dollar business opportunity. Savvy organizations, from retailers to manufacturers, are fast discovering the power of turning consumers' ZIP codes and buying histories into bottom-line-enhancing insights.

In fact, the McKinsey Global Institute, the research arm of McKinsey & Co., estimates that big data can increase profits in the retail sector by a staggering 60%. And a recent Boston Consulting Group study reveals that personal data can help companies achieve greater business efficiencies and customize new products.

But while harnessing the power of data analytics is clearly a competitive advantage, overzealous data mining can easily backfire. As companies become experts at slicing and dicing data to reveal details as personal as mortgage defaults and heart attack risks, the threat of egregious privacy violations grows.



The FINANCIAL -- With information security functions not fully meeting the needs in 83% of organizations, 93% of companies globally are maintaining or increasing their investment in cyber-security to combat the ever increasing threat from cyber-attacks, according to a new survey released by EY.

Under cyber-attack, EY's 16th annual Global Information Security Survey 2013 tracks the level of awareness and action by companies in response to cyber threats and canvasses the opinion of over 1,900 senior executives globally. This year’s results show that as companies continue to invest heavily to protect themselves against cyber-attacks, the number of security breaches is on the rise and it is no longer a question of if, but when, a company will be the target of an attack.

Thirty-one percent of respondents report the number of security incidents within their organization has increased by at least 5% over the last 12 months. Many have realized the extent and depth of the threat posed to them, resulting in information security now being ‘owned’ at the highest level within 70% of the organizations surveyed.



Monday, 04 November 2013 15:32

October Was a Busy Month for Big Data Tools

October was a busy month for integration announcements. A few news highlights from the past week include:

Oracle Amps Up Data Integration Portfolio

Big announcements in October for Oracle included the upgrades to Oracle Data Integrator 12c and Oracle GoldenGate 12c. Oracle says these “future proof” updates are one of the biggest to data integration in years. What that means is more support for cloud, real-time, analytics, Big Data and other new projects that require integration of new types of data. Integration Developer News offers a thorough summary of the improvements.



Converged infrastructure (CI) is about to make a big push in the enterprise channel. Sitting directly at the crossroads of Big Data, the cloud, energy conservation and dynamic data architectures, converged or modular systems are viewed as the next, and probably final, major change in physical-layer infrastructure.

But while most people agree that converged server-storage-networking systems are cheaper than traditional IT platforms and easier to deploy and maintain as well, it seems that few are considering the broader implications behind the technology. In what way will converged topologies alter the way we consume IT, and will it be for the better?

The first thing to understand, according to solutions provider Logicalis, is that convergence affects more than just data and data environments – it reaches deep into business processes and the relationships between individuals and business units. In fact, it has been said that the biggest obstacle to converged infrastructure is not technology, but politics. After years of silo-based architecture in which key people and applications enjoy one-to-one relationships with dedicated resources, shifting to a shared-use model can be rather unnerving. But shedding legacy systems is a necessity if the organization hopes to achieve the broad scalability and highly dynamic requirements of rising virtual ecosystems. Plus, migration to a new converged platform is a great time to shed unpopular and unproductive systems and processes.



Monday, 04 November 2013 15:30

2013 HSEEP Overview, Part 2

Contributed by Frank Kriz, MS, CEM, CPM, PEM

Part 1 of this overview introduced the Presidential Policy Directive 8: National Preparedness (PPD-8) and the National Preparedness Goal (NPG). In addition, the five (5) Mission Areas and the Core Capabilities identified in the NPG were reviewed.

PPD-8 and the NPG are the base documents that set the outline for the overarching National Preparedness System (NPS) (November 2011). The National Preparedness System outlines an organized process for the whole community to move forward with preparedness activities and ultimately achieve the National Preparedness Goal.

One term that will be repeatedly seen throughout this and other NPS documents is “Whole Community.” This includes individuals, families, and households; communities; the private and nonprofit sectors; faith-based organizations; and local, state, tribal, territorial, insular, and federal governments. Whole Community is defined in the National Preparedness Goal as “a focus on enabling the participation of federal, state and local government partners in order to foster better coordination and working relationships.”



Monday, 04 November 2013 15:29

Adobe Data Breach Highlights Security Risk

The impact of a data breach at software maker Adobe appears to be worsening. When it first announced the breach on October 3, Adobe said that cyber attackers had compromised accounts and passwords of nearly 3 million users. Now that number has jumped to at least 38 million users.

What’s more, a blog post at PCWorld indicates that a further 150 million usernames and hashed passwords were taken from Adobe. While Adobe says these could include inactive IDs, test accounts and IDs with invalid passwords, the company is still investigating.

PCWorld also reports that the hackers stole source code for flagship Adobe products such as Photoshop, Acrobat, and Reader.



A revolutionary new architecture aims to make the internet more “social” by eliminating the need to connect to servers and enabling all content to be shared more efficiently.

One colleague asked me how, using this architecture, you would get to the server. The answer is: you don’t.

Dirk Trossen

Researchers have taken the first step towards a radical new architecture for the internet, which they claim will transform the way in which information is shared online, and make it faster and safer to use.

The prototype, which has been developed as part of an EU-funded project called “Pursuit”, is being put forward as a proof-of-concept model for overhauling the existing structure of the internet’s IP layer, through which isolated networks are connected, or “internetworked”.

The Pursuit Internet would, according to its creators, enable a more socially-minded and intelligent system, in which users would be able to obtain information without needing direct access to the servers where content is initially stored.

See more at: http://www.cam.ac.uk/research/news/future-internet-aims-to-sever-links-with-servers

BSI has opened a consultation period for its new 'BS 11200 Crisis Management - Guidance and good practice' standard.

According to BSI, BS 11200 will provide guidance on crisis management to help top managers in an organization to implement and develop a crisis management capability. It is intended for any organization regardless of location, size, type, industry or sector.

Feedback can be given about BS 11200 until 10th January 2014.

Go to http://drafts.bsigroup.com/Home/Details/52021 to read the draft and submit your comments.

Monday, 04 November 2013 15:25

The State of Risk-Based Security 2013

The State of Risk-Based Security Management is an in-depth study conducted by Ponemon Institute and sponsored by Tripwire. The study is designed to reveal how organizations are applying rigor­ous and systematic analytical techniques in order to quantify and evaluate the security risks that impact an organization’s information assets and IT infrastructure.

Andrew Scott
Business Continuity Institute

The BCI is a global organisation with Members, Forums, Chapters and Partners all across the world, but whether it is due to time, distance or perhaps even environmental concerns, unfortunately not everyone who would like to attend the BCM World Conference and Exhibition on the 6th and 7th November will be able to do so. Sadly some people will miss out…

I don’t know about you but I sometimes feel like I’m doing several jobs at once. I'm sure we all do at times but even so, and with the best will in the world, none of us will be able to attend all three streams of the conference at the same time, not to mention the packed exhibition that will be going on or the free seminar programme taking place. With so much happening, we simply cannot attend everything. Again, sadly some people will miss out…



Despite a dramatic increase in mobile device sales in the past year, BYOD security among employees remains static. Gartner forecasts 2013 tablet shipments to grow 67.9 percent, with shipments reaching 202 million units, while the mobile phone market will grow 4.3 percent, with volume of more than 1.8 billion units.

For the second year in a row, Coalfire examined the BYOD trend for interconnected employees and what it means for companies and the protection of their corporate data. Most organizations want the increase in productivity that mobile devices offer, but the majority do not provide company-owned tablets or mobile phones as a cost-saving measure.  Employees who want to use these devices must buy their own and are all too often left to secure potentially private information themselves.



Wednesday, 30 October 2013 15:35

Cyber threat opportunity

Ken Simpson
The VR Group

Only a week to go until the BCM World Conference!

What if we took a different approach to our reflective learning this time?

Instead of waiting until after the conference to reflect and integrate what we have learned, what if we took a proactive approach and spent some time ahead of the conference reflecting on what aspects of our current practice we need to change.

What if that reflection also included reframing the problem – not just how can I fine tune my practices within current frameworks and constraints, but how would I want to transform my practice going forward and remove some of those constraints.



CIO — When George Borst made the jump in 1997 from general manager of Toyota's Lexus division to head of the company's finance group, he was faced with a big decision.

The finance group's four core systems were in woeful shape, needing upgrades to improve performance and keep up with the rapid growth of finance operations. Borst came to the job long on strategy but admittedly a bit short on the intricacies of IT and finance, having come from sales, marketing and product-planning groups.

"I wish I'd paid a lot more attention in college to my economics and finance courses," he jokes. "But I was sent over there for a reason: to help increase sales and get closer to the dealers."



Wednesday, 30 October 2013 15:33

New England: One Year After Hurricane Sandy

BOSTON – One year ago today, on October 29th, 2012, the Northeast braced for impact as Hurricane Sandy came barreling toward our coastline. Although New England was spared the brunt of the storm, residents and businesses along the shores of Connecticut, Rhode Island, Massachusetts and New Hampshire suffered severe damages from wind and water, many losing homes and livelihoods. Towns along the coasts of Connecticut and Rhode Island were nearly impassable after the storm, roadways choked with debris and sand from a significant storm surge that swept through beachfront communities.

The Department of Homeland Security’s Federal Emergency Management Agency (FEMA) continues to work closely with its partners to help individuals and communities recover from Hurricane Sandy.

In the past year over $125.9 million in FEMA funding has been obligated toward Hurricane Sandy recovery in New England:

Individual Assistance

More than $15.5 million in Federal Emergency Management Agency grants approved for individuals and households region-wide, which includes:


  • More than $13.8 million for housing assistance
  • More than $1.1 million for other needs assistance

Rhode Island

  • $378,748 for housing assistance
  • $42,592 for other needs assistance

More than $51.6 million in Small Business Administration disaster loans approved for homeowners, renters and businesses in Connecticut.

More than $285.3 million in National Flood Insurance Program payments made to policy holders, including:


  • More than $249.5 million paid to flood insurance policy holders

Rhode Island

  • More than $35.8 million paid to flood insurance policy holders

Public Assistance

More than $59.1 million in Public Assistance grants to reimburse local, state and tribal governments and eligible private nonprofits region-wide for some of the costs of:

  • Emergency response
  • Debris removal
  • Repairing or rebuilding damaged public facilities

The committed efforts of many additional federal, state and local agencies and organizations continue to assist states, towns, communities and individuals in the recovery process.

IDG News Service (Brussels Bureau) — Europe's Justice Commissioner warned Tuesday that data privacy concerns could derail a major trade deal between the U.S. and the E.U.

"The U.S. will have to take European concerns about privacy and data protection very seriously ... otherwise, the European Parliament may decide to reject the TTIP," Commissioner Viviane Reding said at a conference in Washington.

TTIP -- the Transatlantic Trade and Investment Partnership -- is being negotiated in secret between the E.U. and U.S. It has provoked concerns in Europe that it could weaken citizens' privacy rights.

The issue of protection of personal data could "easily derail" the negotiations, Reding said, and she warned against including the topic in the trade talks. "Data protection is not red tape or a tariff. It is a fundamental right and as such it is not negotiable," she said.



Religious discrimination apparently is alive and well in the workplace, according to Newsmax in an article headed Steep Rise in Workplace Religious Discrimination Claims.

Suggestions on what to do about the situation are given at the Ohio Employer's Law Blog under the heading Halting the tide of religious-discrimination claims.

According to Newsmax,

    "Religious discrimination complaints in the workplace have more than doubled over the last 15 years and appear to be growing faster than other types of complaints.

    "In 2012, there were 3,811 religion-based complaints filed with the Equal Employment Opportunity Commission, the second-highest number in a year ever recorded, after 2011, when 4,151 complaints were filed, The Wall Street Journal reports.

    "While age, sex, race, and disability claims are still much higher, religious claims are increasing at a faster rate and have doubled in the last decade and a half."



Wednesday, 30 October 2013 15:29

Big Data, Big Warehousing and the Cloud

In physics, the nightmare scenario is when an unstoppable force encounters an immovable object. In the enterprise, that would be like Big Data volumes becoming so large that even your expensive new data warehousing solution can’t handle it.

Warehousing vendors have always prided themselves on their ability to scale, but with Big Data about to make the jump from generalized shopping patterns and mobile app usage to highly granular details like how hot an individual car engine is running or whether the fridge needs a new water filter, it’s starting to seem that yesterday’s version of big wasn’t as future-proof as it seemed.



Wednesday, 30 October 2013 15:28

Hurricane Sandy One Year On

Pictures are often more powerful than words and so it is as we mark the first anniversary of Hurricane Sandy.

This NASA image shows Hurricane Sandy approaching the U.S. East Coast at 1:35pm Eastern Daylight Time on October 29, 2012.



CIO — The myriad glitches that have marred the rollout of the Web portal for Americans to sign up for health insurance stand as what the CIO of the federal government calls a "teachable moment."

Speaking at a government IT conference on Tuesday, U.S. CIO Steven VanRoekel acknowledged that the launch of Healthcare.gov has been troubled, but suggested, hopefully, that it will serve as an object lesson that will inspire, rather than deter, ambitious government IT projects in the future.

"Our goal, number one, hands down, the president reminds every day: get this thing fixed, make sure it's working and meet Americans' expectations on this," VanRoekel said. "As an aside, our focus, my focus, is also about what can we learn from this. How can we learn? And what can we take from this experience to say we shouldn't do things this way?"



Tuesday, 29 October 2013 15:02

The Risky Business of Not Taking Risks

In my work, I frequently engage in a broad-based leadership development program to prepare top talent for advancement. That was the case when I recently worked with a large construction company to groom Mike, one of the presidents, and Joe, the lead risk officer, for advancement.

During the 360-degree peer interviews I asked Mike how Joe could improve in general and how he could specifically help Mike with his growth objectives. Without hesitation, Mike answered, “I need for Joe to take me right to the edge of the cliff without letting me fall over. Right now he’s serving as the business-prevention arm of the business.”

I don’t think I’ve ever heard a better definition of what those in risk and compliance can do to support the organization. Take them as far as ethics and good sense will allow without letting them hurt themselves or the company, but don’t serve as the business prevention unit.



Tuesday, 29 October 2013 15:01

Crossing boundaries

John Robinson

Our BCM World Conference presentation is an illustration of how BCM can pleasantly surprise business leaders with the value it brings. Our case study will be about Reed and MacKay, a £200M turnover top-end executive travel firm located in Farringdon close to the heart of London’s legal, media and financial district. This is a multi-faceted, time-pressured and highly successful business and illustrates perfectly the importance of accurate and decisive BIA. The following explains why I believe they found it so valuable, noting that Reed and Mackay subsequently gained accreditation to ISO 22301 at the first attempt.



The ‘new normal’ propounded by management gurus a few years back was that ‘change is the only constant’. Companies, said the gurus, must constantly change, innovate and reinvent themselves in order to remain competitive and successful. They applied their mantra to everything from marketing to manufacturing to supply chain – with varying results. Victories included moves to lean and green manufacturing that saved money and the planet at the same time. Less fortunate changes have included Microsoft Windows 8 and (some time ago) Coca-Cola’s new Coke. Sometimes continuity itself is the best business continuity there is, but how can you tell?



Tuesday, 29 October 2013 14:59

Hurricane Sandy, A Year of Recovery

FEMA Helping Survivors and Communities Rebuild

WASHINGTON – On the evening of October 29, 2012, Hurricane Sandy made landfall in southern New Jersey, with impacts felt across 24 states. The storm battered the East Coast, particularly the densely-populated New York and New Jersey coasts, with heavy rain, strong winds, and record storm surges.  In Sandy’s immediate aftermath, more than 23,000 people sought refuge in temporary shelters, and more than 8.5 million customers lost power. The storm flooded numerous roads and tunnels, blocked transportation corridors, and deposited extensive debris along the coastline.

At the direction of President Barack Obama, the U.S. Department of Homeland Security's Federal Emergency Management Agency (FEMA) and its federal partners have worked closely with disaster survivors to ensure they receive all the assistance for which they are eligible under the law. Over the course of the year, more than $1.4 billion in Individual Assistance has been provided to more than 182,000 survivors, and an additional $2.4 billion in low-interest disaster loans have been approved by the U.S. Small Business Administration. More than $7.9 billion in National Flood Insurance Program (NFIP) payments have been made to policy holders.

Over the last twelve months, more than 11,900 grants totaling over $3.2 billion have been approved for emergency work, to remove debris and rebuild or replace public infrastructure in the hardest hit areas. This includes more than $1.3 billion for first responder costs for personnel overtime, materials and equipment used to save lives and protect property; more than $400 million obligated toward repairs to storm damaged homes so that disaster survivors could safely remain in their homes; and more than $19 million toward the costs to repair storm flooded and damaged schools. FEMA has been working in concert and integrating with all levels of government, private and nonprofit sectors, faith-based organizations, communities and individuals to provide a whole community approach to recovery and leverage the capabilities of the entire nation.

While supporting disaster survivors and communities on their road to recovery, FEMA has been aggressive in its implementation of new authorities granted in the Sandy Recovery Improvement Act of 2013 (SRIA). In many ways, the passage of SRIA represents the most significant legislative change to FEMA’s substantive authorities since the enactment of the Robert T. Stafford Disaster Relief and Emergency Assistance Act. The changes have nationwide impact and provide greater flexibility to state, local, tribal and territorial governments, allow FEMA to operate more effectively and efficiently, and provide tribal nations options for seeking emergency and disaster declarations for their tribes. To date, 13 of the 17 provisions outlined in this legislation have been completed, implemented via a pilot program, or are otherwise immediately available.

FEMA is encouraging everyone to take steps to become better prepared for an emergency, whether or not the event occurs while they are at home, at work, at school, or in the community. For more information on preparing for severe weather events and other disasters, visit www.Ready.gov or www.listo.gov on the Internet. Information regarding emergency preparedness and what to do before and after a disaster can also be found at m.fema.gov or by downloading the FEMA app from your smartphone’s app store.

FEMA’s mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Follow FEMA online at www.fema.gov/blog, www.twitter.com/fema, www.facebook.com/fema, and www.youtube.com/fema. Also, follow Administrator Craig Fugate's activities at www.twitter.com/craigatfema. The social media links are provided for reference only. FEMA does not endorse any non-government websites, companies or applications.


Tuesday, 29 October 2013 14:58

Has Anything Changed a Year After Sandy?

Hurricane/Superstorm Sandy hit the east coast of the United States a year ago this week. It’s a time to take a quick look backward to some pretty dire days and then look ahead to assess whether readiness has improved in the areas impacted by the storm.

At a luncheon presentation at last week’s Cable-Tec Expo ’13 in Atlanta—a technical conference sponsored by The Society of Cable Telecommunications Engineers (SCTE)—Time Warner Cable Chief Security Officer Brian Allen took a look back at how the operator handled the storm.

The big lesson, according to Leslie Ellis’ report on the presentation at Multichannel News, is to create plans and put them in place ahead of time. Her story touches on the two big issues: fuel and power. The story concludes with Allen’s point that post mortems—figuring out what worked and what didn’t—are important.



Tuesday, 29 October 2013 14:56

Electronic Privacy? There's No Such Thing

Computerworld — Most people suffer from the delusion of privacy. They think it can be guaranteed somehow for their various electronic gadgets. But that is a delusion, and sadly even many in the information security field don't know it. Still, it's surprising how strong the desire to believe otherwise is, and how tech companies will sometimes try to feed that illusion.

Take the news that the encryption in Apple's iMessage can potentially be cracked. I was surprised, but not because the encryption could be cracked. That's a given, no matter the encryption algorithm. I was surprised because I didn't know that iMessage used point-to-point encryption. I just assumed that Apple could always read my messages. Call me uninformed for having missed that news, but what I think is that I was actually better informed than those people who saw Apple's promise that it couldn't decrypt iMessage traffic and let the delusion of privacy lull them into thinking that was really true. Believe me, we'd all be better off if we just acted on the theory that there is likely to be a back door every time.

Don't get me wrong. The fact that iMessage uses encryption is refreshing. Such encryption will do a lot to protect most of us in most of what we do (but more on that later). What is not refreshing is that Apple at best implied and at worst misrepresented that its encryption was uncrackable. Any computer professional in this day and age who thinks that any form of electronic communications is completely secure really doesn't know his profession.



LINCROFT, N.J. – The devastating aftermath of Superstorm Sandy left survivors and businesses in New Jersey with large-scale recovery needs. Throughout the year, the state’s private sector has made significant contributions to the recovery process and continues to play a key role.

FEMA Private Sector Specialists discuss disaster mitigation with business owners

More than 600 businesses, utility companies, banks, insurance companies, colleges and universities, and professional organizations stood with local, state and federal agencies, voluntary agencies and faith-based organizations to strengthen the recovery efforts.

They disseminated information about disaster assistance to 7.2 million New Jersey residents through bill inserts, newsletters, signage and other means.

“One fast-food chain, which asked to remain anonymous, distributed 7,000 sandwiches with disaster-assistance information at 32 distribution points in three counties,” said Federal Coordinating Officer Gracia Szczech of the Federal Emergency Management Agency. “That’s just one example of how essential the private sector is to a strong recovery effort.”

Immediately after Sandy struck, specialists with FEMA’s Private Sector Division in External Affairs deployed to New Jersey to work with chambers of commerce, industry associations, individual companies, colleges and universities and other organizations.

Kathy Cook, Public Information Officer, explains her role in assisting Sandy survivors to roundtable of federal and insurance industry partners

Response was immediate. Utility companies inserted messages in billing statements, reaching 3.3 million customers. The South Jersey Transportation Authority featured registration information on its Vehicle Messaging Systems at toll plazas, and the ticker messaging system on its website, reaching an estimated 2.9 million people a month.

Chambers, associations and businesses shared FEMA’s electronic newsletter (the E-News Update) for the private sector stakeholders with their memberships and contacts. The access to recovery information proved invaluable to their members and had far-reaching effects.

“To have the opportunity to interact directly with representatives, ask questions and get answers has helped not only members, but their clients as well,” said New Jersey Association of Realtors Chief Executive Officer Jarrod Grasso. “The recovery process in the aftermath of Sandy has not been easy, but getting the correct facts to our members has relieved a great deal of the uncertainty related to flood maps, insurance and elevation that so many New Jersey residents felt."

Home Depot Hurricane Workshop

Two FEMA program areas, Private Sector and the Federal Disaster Recovery Coordination group, facilitated an Insurance Industry Roundtable. The resulting public-private partnership engaged the insurance industry in a series of four meetings to explore how to enhance and expedite the disaster assistance process. A roundtable work group identified issues impeding the process and then developed recommendations that were submitted to President Obama’s Hurricane Sandy Rebuilding Task Force.

The private sector reached out in more basic ways as well. Sometimes it was as simple as offering a space to work. Operation Photo Rescue, a nonprofit organization of volunteer photojournalists from around the country, wanted to help Sandy survivors restore treasured photos. The organization began helping disaster survivors during Hurricane Katrina recovery. Volunteers need to set up a temporary shop close enough for survivors to access the free services.

“Finding a place for us to host our copy run was turning into a major problem as we could not secure a building close enough to where Sandy hit,” said Operation Photo Rescue President Margie Hayes. “We were coming up empty handed until Chris Spyridon, regional pro sales manager for Home Depot, offered us space at a Home Depot in Seaside Heights.”

The business of recovery is long-term, and an important part of that is preparedness, which not only helps individuals survive a disaster but can help businesses endure as well. FEMA’s Private Sector specialists have covered the state to help executives and officials understand the need for a continuity plan so work continues once the emergency is over. Montclair State University recorded FEMA’s preparedness webinar to share with all of New Jersey’s colleges and universities.

Amy Ferdinand, the university’s director of Environmental Health and Safety, said, “With the recent trend of ever-increasing disasters – whether natural or manmade – being the ‘new normal,’ there is a definite need among business leaders and stakeholders to become better informed on the topic of continuity and business planning.”

Next in the One Year Later series: the role of Environmental and Historic Preservation in disaster recovery.

FEMA's mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Follow FEMA online at www.fema.gov/blog, www.twitter.com/fema, www.facebook.com/fema, and www.youtube.com/fema. Also, follow Administrator Craig Fugate's activities at www.twitter.com/craigatfema

The social media links provided are for reference only. FEMA does not endorse any non-government websites, companies or applications.



More often than brands would probably like, we’re given opportunities to learn about social media crisis management through the highly visible fallout from the experiences of others. This weekend, social sharing platform Buffer was hacked, resulting in a Saturday afternoon and evening crisis for the start-up.

I wouldn’t say it was a positive experience for Buffer, but I will say this: it turned out okay. Not awesome, but okay. That’s about the best you can hope for when hackers cause an interruption in service for your customers that lasts several hours.



NEW YORK (TheStreet) -- On the one-year anniversary of Hurricane Sandy, the New York Stock Exchange's (NYX_) Head of Operations, Lou Pastina, tells TheStreet that the Exchange's emergency backup plans are more robust than ever. Even pre-scheduled events such as initial public offerings would have the option of moving forward in the face of another weather-triggered event in New York, he says.

The New York Stock Exchange's Print as "P" plan, allowing the switch to an electronic trading system through the NYSE Arca platform, formerly known as the Archipelago Exchange, has undergone numerous tests over the past year involving trading firms throughout the U.S. financial sector, Pastina said. The NYSE Arca's key datacenters are located in both New Jersey and Chicago.

The most difficult task for the NYSE is preparing systems to assure that enormous amounts of data are sufficiently backed up, including trades that may be in the process of being executed, Pastina said. And though machines handle the bulk of the chores, a minimum staff presence may be needed at the NYSE floor in Manhattan to help facilitate some aspects of the electronic trading system, he added.



Dejan Kosutic is an expert in information security management and business continuity management. In this interview he talks about the key changes in the ISO 27001: 2013 revision, the new security controls, mandatory documentation, implementation challenges, and much more.

What are the key changes in the ISO 27001: 2013 revision, as well as the benefits?

The key benefit of this new ISO 27001 is that it can be more easily implemented in smaller companies – a greater degree of flexibility is allowed, and a smaller number of mandatory documents is needed. For instance, the risk assessment process is simplified, and there are no more requirements to document procedures like internal audit or corrective action.

What are the new security controls and how does the 2013 revision deal with new risks?



It could have been so much worse.

A year ago this week, the 1,000-mile-wide monster known as Sandy bashed into the coast, causing massive tidal flooding and wind damage before moving inland, knocking out power to hundreds of thousands of people in South Jersey and Southeast Pennsylvania.

But a change in its path could have brought here the widespread destruction and misery seen in New York and Northern New Jersey's shore. The story of the superstorm could have been much different given that so many residents of Philadelphia and its suburbs were unprepared, officials say.

Read more at http://www.philly.com/philly/news/229258261.html

Everyone old enough to remember will recall Y2K – the year our world was supposed to end in a catastrophic transition from December 31, 1999 to January 1, 2000.  Instead, since we are still here, we all recall what happened: nothing.

September 23, 2013 was the day when the new HIPAA regulations for covered entities came into effect.  Despite all the whining and predictions of disaster, we all continue to exist and the world did not end.  What happened?  A lot has happened.

The regulations gave all covered entities 180 days to comply with the new HIPAA requirements, which impose new and significant obligations on covered entities to revise their HIPAA policies.  Covered entities should have updated their HIPAA compliance policies and procedures, their notices of privacy practices and their business associate agreements for protecting sensitive health information from disclosure.

The key areas to change included:



Monday, 28 October 2013 15:19

Managing supply chain continuity

David Window
Continuity 22301 Ltd

As a member of three institutes - Institute of Risk Management, Business Continuity Institute and the Chartered Institute of Purchasing and Supply - I hope to explain why as business continuity professionals, we struggle to engage with my alter ego - the procurement professional.

Over the last two years I have been debating this topic with a colleague who is an accomplished procurement professional and we have challenged each other considerably in our efforts to justify the question, “why bother doing business continuity in supply chain”. We have also interviewed other procurement professionals to gauge our opinions against theirs.



NEW YORK — A year after Hurricane Sandy catastrophically flooded hundreds of miles of eastern U.S. coastline, thousands of people still trying to fix their soaked and surf-battered homes are being stymied by bureaucracy, insurance disputes and uncertainty over whether they can afford to rebuild.

Billions of dollars in federal aid appropriated months ago by Congress have yet to reach homeowners who need the money to move on. Many have found flood insurance checks weren’t nearly enough to cover damage.

And worse, new federal rules mean many in high-risk flood zones may have to either jack their houses up on stilts or pilings — expensive, and sometimes impossible — or face insurance premiums of $10,000 or more per year.



LINCROFT, N.J. -- The devastation Superstorm Sandy left behind changed the face of many New Jersey communities, perhaps none more so than along the Shore. With individual homes and businesses and even whole communities swept away, many people were left wondering if it’s even possible to live at the Shore.

But also along the Shore are homes that stand like lone sentinels, a testament to mitigation techniques that make structures stronger and safer. Mitigation construction practices such as elevation, berms and use of damage-resistant materials help reduce the risk of future damage. More and more, buildings throughout the country, and along the Shore, are constructed with these techniques.

Mantoloking home surrounded by Sandy floodwaters



When Mantoloking resident Ed Wright built his home 30 years ago, he used a classic mitigation technique: elevation. Last October, that decision proved to be a good one. The storm surge from Sandy swept away five neighboring homes and left his standing alone at the end of the Mantoloking Bridge.

Wright had seen photos of debris washing down the street and elected to elevate the home rather than build on a standard foundation. He built it on 35- to 45-foot pilings sunk into the ground and later enclosed the ground level with breakaway walls, which are designed to collapse in flood waters.

Elevation is a tried-and-true mitigation technique. After a major disaster declaration, the Federal Emergency Management Agency makes Hazard Mitigation grants available to the designated state for projects that reduce or eliminate losses from future disasters.

Projects eligible for hazard mitigation grants include retrofitting buildings to minimize damage from high winds and flooding; elevation of flood-prone buildings; minor flood-control projects; and the purchase of property at risk of repetitive flooding for conversion to open space. The state works with local communities to determine the focus of the Hazard Mitigation program.

Hazard Mitigation grants cover up to 75 percent of approved project costs. State and local governments pay the remaining 25 percent (in-kind donations of labor and materials can contribute toward this share). A project's potential savings must be more than the cost of implementing the project.

A completely restored Mantoloking home, one year after Sandy

While the state sometimes pays for mitigation projects through FEMA grants after a disaster, Wright paid for his home’s elevation as part of the construction cost. It was an investment in the future.

The day after Sandy struck New Jersey, a friend called Wright to tell him his home was the only one standing. When he returned home, he didn’t know what to expect.

“We had no clue,” he said. “It was very emotional to see it standing there all by itself.”

The home experienced minimal damage, losing the furnace, air conditioning unit, washer and dryer, and vehicles.

“We’re very fortunate,” Wright said. “We’re very happy to be here.”

Property owners who are interested in the Hazard Mitigation programs available in New Jersey after Sandy should contact their local emergency management office.

Video-links: Elevation Helps a Home Survive Hurricane Sandy,
What To Do About Mold (in American Sign Language)

Next, the One Year Later series examines the ways in which New Jersey’s private sector got down to business to aid in the recovery process.

FEMA's mission is to support our citizens and first responders to ensure that as a nation we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards.

Follow FEMA online at www.fema.gov/blog, www.twitter.com/fema, www.facebook.com/fema, and www.youtube.com/fema. Also, follow Administrator Craig Fugate's activities at www.twitter.com/craigatfema.



The tricky part about data is learning to accept what it says without imposing your own agenda.

It seems Big Data is no exception — at least, when it focuses on traditional, structured data, according to a Harvard Business Review Blog post written by Prof. Theos Evgeniou, Assoc. Prof. Vibha Gaba and consultant/visiting professor Joerg Niessing of international business school, INSEAD.

“A large body of research shows that decision-makers selectively use data for self-enhancement or to confirm their beliefs or simply to pursue personal goals not necessarily congruent with organizational ones,” they write. “Not surprisingly, any interpretation of the data becomes as much an evaluation of oneself as much as of the data.”



IDG News Service (Brussels Bureau) — European Union leaders have given themselves room for maneuver in implementing new data protection laws, while pledging to introduce them in a timely fashion.

All 28 leaders of the E.U. member states discussed issues of data protection, mass surveillance and the digital economy at a meeting that continued late into the night on Thursday.

They agreed that there is a strong need for an improved, robust digital economy in Europe and that artificial barriers between member states must be removed to create the so-called "digital single market."



Sandy facts

  • October 29, 2012, Hurricane Sandy strikes with a storm surge weather experts had never seen before
  • 37,000 primary residences destroyed or damaged
  • 8.7 million cubic yards of debris left behind
  • 2.7 million New Jerseyans without power

The first 48 hours

  • 548 FEMA specialists on the ground in New Jersey
  • Three mobile disaster recovery centers open
  • 3 States responded with Emergency Medical Services – 385 people
  • 8 Disaster Medical Assistance Teams and U.S. Public Health Strike Teams arrive
  • October 31, 2012, the first FEMA Individuals and Household Program disbursement of $155,027

Response milestones at one year

  • More than $5.67 billion in total federal assistance approved for Individual Assistance grants, SBA low-interest disaster loans, National Flood Insurance Program payments and Public Assistance grants.

Individual Assistance

  • More than $413 million approved for individuals and households including:
    • Nearly $356 million for housing assistance
    • More than $56.6 million for other needs, including clothing, household items, disaster-related damage to a vehicle, and disaster-related medical and dental expenses
  • More than 261,000 people contacted FEMA for help or information
  • 127,046 housing inspections completed
  • 36 disaster recovery centers opened
  • 90,000 visits to disaster recovery centers
  • 5,546 individuals and families housed temporarily in hotel rooms under the Transitional Sheltering Assistance program
  • 3,410 survivors received disaster unemployment assistance

U.S. Small Business Administration

  • More than $819.8 million in SBA low-interest disaster loans approved for homeowners, renters and businesses

National Flood Insurance Program

  • More than $3.5 billion paid on all claims in flood insurance payments made to policyholders

Public Assistance

  • More than $926 million was approved in FEMA Public Assistance grants to communities and some nonprofit organizations that serve the public
  • 4,959 projects approved so far

A whole community response

  • 507 voluntary agencies were involved in recovery
  • More than 1.6 million meals and 1.4 million liters of water were distributed
  • 21 languages were used to communicate assistance information to survivors
  • More than 1 million multilingual fliers were distributed
  • Nearly 8.7 million cubic yards of debris was removed
  • At peak, more than 2,429 people were deployed to New Jersey by FEMA and other federal agencies
  • 36 federal agencies assisted FEMA during Hurricane Sandy in New York
  • The U.S. Army Corps of Engineers received 335 requests for generators – 106 installed at peak
  • Approximately 300,000 pounds of food was provided by the U.S. Department of Agriculture
  • The Defense Logistics Agency delivered 2.3 million gallons of fuel to distribution points in New York and New Jersey
  • The Port of New Jersey was closed to incoming and outgoing vessel traffic because of Superstorm Sandy, according to the U.S. Coast Guard


Friday, 25 October 2013 18:05

Whose job is business continuity?

John Stagl weighs into an ongoing debate which is taking place on Continuity Central about what the role of the business continuity planner is.

We have over the past couple of decades developed an entire industry of business continuity planners and planning trainers to help companies deal with unanticipated events that can impact a company’s performance in the market place. This entire effort is founded on the assumption that companies will go out of business without these plans in place. Too often, these plans are developed by individuals who do not have access to, nor completely understand the strategic goals and pressures impacting the company. In most cases these well intentioned individuals do not even understand the dynamics of the competitive market in which the company functions every day. Even more importantly, these ‘planning individuals’ have not been trained to look for external factors that may influence the success of their company as part of their planning efforts. They have been educated to believe that all of the information they need is present within the company and known by the various levels of management in that company. The consequence of this naïve orientation is a business continuity plan document that is obviously lacking in fundamental information to achieve the company’s goals and long term success.

For years these planners have been trying to find ways to convince upper management that this planning effort is valuable to the company. At the same time professional and certification groups staffed with individuals who have also been trained with this inadequate planning method have created ‘standards’ of best practices for companies. Auditing firms, sometimes with a profound lack of complete business understanding, have embraced these planning methods and standards as critical factors that must be present in order for a company to be managed effectively. The result is a planning process within a company that is still, after all of these years, viewed as a necessary expense and not an asset.



Friday, 25 October 2013 18:04

Overcoming data residency issues

Dave Anderson looks at how organizations can overcome a common barrier to cloud computing adoption.

The benefits of adopting cloud technologies have been widely reported, and are commonly understood. However, the decision to adopt a cloud strategy brings with it many questions and concerns about jurisdictional and regulatory control over the privacy and protection of sensitive data. For instance, data residency and sovereignty requirements often insist that certain types of sensitive and private data are stored where the government will have legal jurisdiction over it. More often than not, this means within its borders. But the cloud allows providers to possibly store, process or back-up data across several global locations, as well as allowing organizations to freely move data outside of national borders. So, how does this impact compliance to data residency requirements?

Addressing data residency, protection and privacy concerns requires an understanding of both international and domestic regulations. Companies that do business in Europe must understand the implications of regulations such as the European Data Protection Law, as well as local data mandates. The EU’s Data Protection Directive is an example of this, as it prohibits personal data that can be linked to an individual from moving outside the EU, sometimes even outside of a specific country’s borders. Data residency is also particularly concerning for multi-nationals that have offices all over the world, covering several jurisdictions.



LINCROFT, N.J. -- One month after Superstorm Sandy, Dan Shields and his business partner, Robert Higgins, were thanking their lucky stars.

Their waterfront restaurant, Windansea in Highlands, had withstood the raging flood tides and winds of Sandy with only relatively minor damage.

The Windansea restaurant overlooks a sandy beach and a calm sea.

Atlantic Highlands, N.J., Oct. 10, 2013 -- The Windansea restaurant withstood flood tides and winds with minimal damage from Hurricane Sandy. By renovating with FEMA's building recommendations prior to Sandy, the restaurant was able to open shortly after storm. Rosanna Arias/FEMA

The rest of Highlands was not so fortunate. Flood waters had inundated dozens of homes and businesses in the low-lying sections of the borough. Debris littered the streets; a mobile home park on the north side of the borough was in shambles.

As flood waters receded in the business district, store owners had to reckon with the physical destruction of their businesses and the loss of their livelihoods.

Many of Shields’ and Higgins’ fellow restaurateurs were essentially out of business for the long term, faced with major damage from the storm.

What saved Windansea?



The borough’s new building code that required properties in flood zones to comply with tough new Federal Emergency Management standards. “We had to stick to ‘V’ zone construction,” said Shields, referring to the strictest standards for properties located in high-risk flood zones. “I felt like we were the poster child for FEMA.”

When the business partners bought the restaurant in 2000 for $690,000, they planned to invest approximately $300,000 in renovating the old restaurant, formerly known as Branin’s Wharf. But as work on the building progressed, hidden problems came to the surface. “It was just a terrible, terrible building.” Ultimately, more than 50 percent of the existing building had to be demolished. One day, as they worked on the restaurant, officials from FEMA and the borough drove up and told them to stop work. “You’ve got to do it our way,” they told the partners.

The structure would have to be rebuilt in compliance with FEMA standards for “V” zone construction, the strictest standard that applies to properties at high risk of flooding.

Patrons sit in the undamaged outdoor seating area of the Windansea restaurant.

Atlantic Highlands, N.J., Oct. 10, 2013 -- Hurricane Sandy damaged many businesses along the waterfront with floodwater and wind. The Windansea Restaurant received little damage because of mitigation measures taken prior to Hurricane Sandy. Rosanna Arias/FEMA

To put it mildly, the partners were not happy. The shoestring budget they had assembled to pay for what they thought would be a fairly simple remodeling job wouldn’t cover the extensive construction that the town demanded. “It was a completely different animal from buying a little restaurant and (fixing it up),” Shields said.

Making the bayfront building flood-resistant required driving 80 pilings that measured 12 inches in diameter into the ground to a depth of 30 to 40 feet, reinforcing the roof and walls with steel rods and connecting the elements of the entire structure with steel plates and structural steel to hold the floor to the walls.

The project took a year longer than the partners anticipated and cost over $1 million more than they had originally budgeted.

“I felt like I was victimized,” Shields told the Asbury Park Press a few weeks after the storm, “like FEMA was trying to prove a point, trying to flex their muscles and trying to take it out on a little guy like me.”

He doesn’t feel that way anymore.

Though the building sustained some damage to its first floor lobbies and outdoor Tiki bar, Windansea was able to re-open less than three weeks after the storm. “There was not a crack in the sheetrock, not a thing out of place.”

Video-links: Avanti Linens Recovery and Mitigation Efforts, NJ Stronger Than The Storm Ribbon Cutting

The social media links provided are for reference only. FEMA does not endorse any non-government websites, companies or applications.


With 1) SalesForce and other large SaaS vendors announcing grandiose plans for cloud IAM, not just for access control but also provisioning and 2) long-standing IAM 'arms suppliers' extending into the cloud (CA CloudMinder, SailPoint) we are already seeing pureplay cloud IAM players (Okta, OneLogin, Ping, etc.) starting to scratch their heads as to how to deal with the pressure. 

Forrester expects that we will see the following in the next 12-18 months:



By Martin Welsh and Keith Taylor

Too often information security incident response plans, disaster recovery and business continuity plans are not aligned with the overall corporate crisis management process. Now, more than ever, an organization must be able to quickly respond to a security breach, both from a tactical response and via a strategic corporate message. In this article we will discuss the benefits of, and offer an approach to, integrating the security response process into the overall corporate crisis management plan.

Similar efforts go into building, managing, exercising and maintaining both security incident response plans and overall corporate crisis management plans. For most organizations the escalation, notification and decision making process is similar, regardless of the incident. The struggles organizations encounter, while developing these plans, also tend to be similar. Building awareness, understanding roles and responsibilities, allocating time and resources (financial and human), can all be impediments to sound response plans.

Better plans can be developed by overcoming these shortcomings through integration.



Friday, 25 October 2013 18:00

The road to fire safety resilience

Russ Timpson

The key messages when it comes to fire safety resilience are that:

  • Prescriptive approaches to fire risk mitigation are reactive, cumbersome and commercially irrelevant
  • Fire risk ownership will only be achieved through linkage to business imperatives such as resilience, supply chain integrity and insurance
  • Tools and techniques do exist to assist those tasked with risk ownership to understand the scope and scale of the risks involved



With the retail industry’s biggest season quickly approaching, every facet of the sector needs to reevaluate plans to mitigate the increased risk that comes with increased demand. The holidays are certainly not the time to lose out on business due to breakdowns in the supply chain, loss of inventory from theft, or the fallout from credit risk. Yet a shocking 13% of retailers are doing nothing to manage their risk, according to a new study.

Insurance giant Allianz recently surveyed British retailers to see how they are managing changing risks within their business, and what steps retailers are taking to manage risk while growing businesses. This new infographic of their findings from Premierline Direct, which is part of the Allianz UK Group, offers some insight into the risks and concerns of major retailers, how these risks can be managed, and where insurers can better fit into the process.



Prepping for a webinar presentation next week for the oil and gas industry, I’ve been going back to some of the basics of crisis communications. Why do crisis communication efforts fail? Indeed, what constitutes failure? How is the success of a communication effort measured?

Seems to me the primary measure is on reputation–which translates to brand value, closely related to share or company value. That’s measured by those who have a stake in the company, sometimes called “stakeholders.” A communication fail occurs when there is an “unnecessary” loss of reputation, trust, brand value and/or share value. The “unnecessary” is necessary.



Friday, 25 October 2013 17:57

American Blackout


By Kristen Nordlund

This Sunday night there might be a few things vying for your attention – it’s Game 4 of the World Series, the Packers face the Vikings, and there’s a new episode of The Walking Dead. In addition to sports and the undead, the National Geographic Channel is debuting a movie about what happens when the lights go out. Literally.

American Blackout chronicles five groups of people during a ten-day power outage caused by cyber criminals. How realistic is this scenario? Considering that since 2000 there have been more than 60 wide-scale power outages, including one in India lasting two days and affecting 670 million people, it might not seem so far-fetched.

Although “American Blackout” may seem like an extreme example, many areas of the country have already experienced blackouts (like the Northeast blackout in 2003 that lasted up to 3 days for some areas) or other places like California that experience controlled blackouts (when a utility company shuts off power to an area).  Many areas experience blackouts after natural disasters like hurricanes or extreme weather.  Either way, being without power to control the lights, charge your phone, and use every day household appliances like the refrigerator or the heat, could become an emergency situation.  This is where being prepared can come in handy.

Nearly half of U.S. adults do not have the resources or plans in place in the event of an emergency. So take this opportunity to check out the resources CDC’s Office of Public Health Preparedness and Response has put together on what you can do during an emergency. In order to make sure viewers have information about how to be prepared in the event of a blackout, CDC’s Office of Public Health Preparedness and Response and National Geographic Channel worked together to provide important personal preparedness messages that will appear during the movie.

Thanks to this joint effort, CDC is providing tips on how everyone can get prepared by getting a kit, making a plan, and being informed. First, put together a kit with water, food, and other supplies like medications, copies of personal documents, sanitation and personal hygiene products and more. Second, make a plan with your family or friends in case something happens. Third, be informed by learning how to shelter in place, understand what kinds of emergencies you should be prepared for in your area and make sure you know how to manage stress during emergencies.

A wise man once said, “Happiness can be found even in the darkest of times, when one only remembers to turn on the light.” Okay, so that wise man was Albus Dumbledore, but the point is if the power is out, it’s best to be prepared. Visit CDC’s preparedness website for more information and to get started.


CityPoint, a 36 floor, 706,557 sq ft tall building, managed by CBRE, a real estate services company, and located in Ropemaker Street, London, believes it is the first tall building to achieve ISO 22301:2012 certification against its scope, successfully coordinating seven individual service providers: security, engineering, cleaning/waste, IT, telecoms, lift and building management under one umbrella to deliver resilient building management services.

Stephen Massey, head of BCM (EMEA) for CBRE, interviewed Lee Murray, building manager for CityPoint, to get his insights and advice for those wishing to implement ISO 22301:



Patrick Roberts
Cambridge Risk Solutions

Ever since becoming involved in the profession, nearly ten years ago, I have been constantly intrigued by the attitude of different organisations towards business continuity. Simplistically, I began by assuming that large well known companies, with both assets and reputation to protect would be universally receptive to the idea of BCM, but (painful) experience has taught me that this is not the case. Equally, since starting our own BCM consultancy in the east of England, we have been surprised by the number of very small organisations that have asked us for assistance, organisations that we would never have considered approaching as potential clients. The same surprising pattern is borne out if you look at the firms which are certified to BS 2599, and are now certifying to ISO 22301. It is a curious mixture of large household names and much smaller firms.



What goes on inside your enterprise is of prime importance for your business continuity management. However, so are the actions and attitudes of vendors on which you rely to run your business. In the same way that you regularly check on BC processes and awareness inside, you should also conduct periodic investigations of key business partners. The first thing is to know which vendors should be on the critical list. Essentially, a critical vendor is one on which you are heavily dependent and which cannot easily be replaced in-house or by another vendor. Such a vendor may also have access to confidential information in order to make the relationship work. Let’s suppose you’ve identified such partners. What are your next steps?



In the U.S., small to midsized businesses are feeling more confident in their futures than they have been in several years, says the Sage Business Index for 2013. Sage Group conducted the survey of 11,000 SMBs from around the world from July through August and found that global confidence is up, but it is much higher in the U.S.

After several years of global economic issues, these findings show that the economy may be finally beginning to mend. Connie Certusi, executive vice president of Sage Small Business Accounting said in a statement:

‘Small businesses continue to be the driver of the U.S. economy and it is inspiring that business owners are confident in their prospects. With that said, many business owners have legitimate concerns about the variables that can impact their bottom line, namely the rising cost of energy, raw goods and inflation. Small business owners are always more vulnerable to these concerns so it is wise to be mindful of the challenges that these businesses will continue to face in 2014.’



Thursday, 24 October 2013 13:58

FEMA Corps Members Training in Vermont

WILLISTON, Vt. – A team of young Americans who have volunteered to serve their country during disasters is in Vermont learning more about the science of disaster response and recovery from observing Vermont’s recovery from flooding earlier this year as well as Tropical Storm Irene.

The Federal Emergency Management Agency welcomed a team of FEMA Corps members to the Joint Field Office in Williston for a two-week stint of education, which will be highlighted by actual site visits, as part of their nine-month assignment to FEMA’s Region I office in Boston.

“These young people embody the true spirit of FEMA,” said Federal Coordinating Officer Mark Landry, the head of FEMA’s operations in Vermont. “They have volunteered to help their country, and through their service our nation will be better prepared for disasters in the future.”

The seven FEMA Corps members – who range in age from 18 to 24 and hail from seven different states – have met with and gained valuable insights from state and local officials as well as veteran FEMA personnel.

FEMA and the Corporation for National and Community Service (CNCS) launched FEMA Corps in 2012 to strengthen the nation’s ability to respond to and recover from disasters while expanding career opportunities for young people.

FEMA Corps is a new unit of AmeriCorps’ National Civilian Community Corps (NCCC) whose members will be devoted solely to FEMA disaster response and recovery efforts. The five-year agreement provides for a full service corps of 1,600 members annually who will be an additional workforce in support of FEMA’s current disaster reservist workforce.

Once trained by FEMA and CNCS, members will provide support in areas ranging from working directly with disaster survivors to supporting disaster recovery centers to sharing valuable disaster preparedness and mitigation information with the public.

FEMA Corps members will serve for a 10 month term with an option to extend for a second year. The program will prepare thousands of young people for careers in emergency management and related fields. During their service, they will gain significant training and experience in disaster services and will provide important support to disaster survivors.


Thursday, 24 October 2013 13:56

Difficulty in Modeling for Terrorism

The following is an excerpt from the RIMS executive report “Terrorism Risk Insurance Act: The Commercial Consumer’s Perspective.” The report is available for download here.

For any insurer to operate successfully and avoid going out of business, it must be able to accurately estimate the probability of its losses, the severity of those losses, and then determine the amount of premium that must be charged to cover those losses should they occur. Historical data from past events is used to predict the losses from future events and pricing is set accordingly. Even extraordinary events like Hurricane Sandy or the recent tornadoes in Oklahoma, while harder to accurately estimate, can be predicted to a certain degree based on historical data and experience. Terrorism risk, however, differs substantially from these other risks in several different ways.



Drug-resistant germs called carbapenem-resistant Enterobacteriaceae, or CRE, are on the rise and have become more resistant to last-resort antibiotics during the past decade, according to a new CDC Vital Signs report.  These bacteria are causing more hospitalized patients to get infections that, in some cases, are impossible to treat. 

CRE are lethal bacteria that pose a triple threat:

  • Resistance: CRE are resistant to all, or nearly all, the antibiotics we have - even our most powerful drugs of last-resort.
  • Death: CRE have high mortality rates – CRE germs kill 1 in 2 patients who get bloodstream infections from them.
  • Spread of disease: CRE easily transfer their antibiotic resistance to other bacteria. For example, carbapenem-resistant Klebsiella can spread its drug-destroying weapons to a normal E. coli bacterium, which makes the E. coli resistant to antibiotics also. That could create a nightmare scenario since E. coli is the most common cause of urinary tract infections in healthy people.

Currently, almost all CRE infections occur in people receiving significant medical care.  CRE are usually transmitted from person-to-person, often on the hands of health care workers.  In 2012, CDC released a concise, practical CRE prevention toolkit with in-depth recommendations to control CRE transmission in hospitals, long-term acute care facilities, and nursing homes.  Recommendations for health departments are also included.  CRE can be carried by patients from one health care setting to another.  Therefore, facilities are encouraged to work together, using a regional “Detect and Protect” approach, to implement CRE prevention programs.

In addition to detailed data about the rise of CRE, the Vital Signs report details steps health care providers, CEOs and chief medical officers, state health departments and patients can take now to slow, and even stop, CRE before it becomes widespread throughout the country.



Wednesday, 23 October 2013 17:10

Supply chain resilience

Lyndon Bird
Business Continuity Institute

In 2009 The Business Continuity Institute decided that more research was needed into the level of business disruption being caused by supply chain problems. The challenge we set ourselves was to provide data to help organizations develop and enhance resiliency within their supply chains. This work was done with the strong support of Zurich Insurance Services and in collaboration with the Chartered Institute of Purchasing and Supply.

Since then, this has become a regular annual survey and its findings have become increasingly influential to the business continuity, purchasing and supply and insurance communities. At BCM World 2013, the findings from the most recent survey will be announced and I will be leading a discussion on these alongside Nick Wildgoose of Zurich Insurance Services.

This is the first release of data from the 2013 survey, and those attending the session will be given a printed copy of the full report. Although the methodology used in 2013 was consistent with previous years, some additional questions were added.



Keeping your doors open for business is a concept that the Insurance Institute for Business & Home Safety (IBHS) has promoted for many years with its long standing popular business continuity planning toolkit.  Many of our website readers are familiar with this disaster preparedness planning tool.

As the anniversary of Hurricane Sandy approaches, our staff research team found that IBHS has just recently launched a free, online version of its business continuity planning toolkit, entitled OFB-EZ™ (Open for Business-EZ). This somewhat streamlined online version guides users through an easy process to create a recovery plan that will help even the smallest businesses recover after a disaster.

CIO — Social media can be a powerful marketing tool. But used the wrong way, social media sites can have a negative impact on your business -- costing you goodwill and prospective customers. So how can you create a positive impression of your business and/or your products on popular social media sites, such as Facebook, Twitter, LinkedIn, Google+ -- and avoid potentially costly social media blunders? CIO.com asked dozens of social media experts and managers to find out. Here are their top 15 picks for the most common social media mistakes businesses make and how to avoid them.



Wednesday, 23 October 2013 17:07

Disaster Alert: Hurricane Raymond

Hurricane Raymond is a category 3 hurricane, heading toward the Mexican states of Guerrero and Michoacán. Mexico’s Civil Protection agency has declared a red alert in three municipalities: one in Guerrero and two in Michoacán. Some preventative evacuations of at-risk communities have also been undertaken and school classes have been suspended. The Mexican Red Cross has put all of its delegations on alert and is in permanent contact with Mexico’s Civil Protection agency to continue monitoring the event. Some 15,000 food parcels, 3,000 hygiene kits, 1,000 kitchen kits and 500 home-cleaning kits have been pre-positioned close to the area.

There are currently 50 damage evaluation personnel in Acapulco, Mexico and 250 volunteers in the area. Along with rescue units, Mexican Red Cross staff and volunteers are supporting evacuations, as well as assisting at the shelters equipped for food delivery. Since Monday evening, rains have continued along the Pacific coast, causing water levels of some rivers to increase—but have not yet resulted in flooding.


Wednesday, 23 October 2013 17:06

Privileged Users Abusing Data Access

Privileged access. Privileged users. These words should make us all uncomfortable at this point. While IT, management and users are all bombarded with and distracted by daily news of new malware attacks or software vulnerabilities, the more serious threat to network security and data integrity continues quietly: insider threats. Whether the initial intent is malicious or not, once the breach occurs, even if it is accidental, the damage is done.

So-called privileged users are a big part of the problem. Whether “privileged” because they are power users of some sort or have reached that rank through a different path, or “privileged” because their access was never restricted through an oversight, the temptation to access data not necessary to their daily tasks proves too strong for users on a regular basis. IT is not exempt from that group, either. Results from BeyondTrust’s recent survey, “Privilege Gone Wild,” for example, show that in many companies, controls on access to data are still lacking, or easily circumvented. The responses from 265 IT decision makers across a variety of industries are disheartening:



When it comes to data silos, nobody does it quite as well as the government.

This makes government agencies the butt of a lot of jokes, but there are actually some pretty good reasons for these silos.

First, most government agencies have been around for nearly 100 years and counting. Second, these agencies have usually grown through Congressional action, which can, by act of Congress, establish a whole new division to support new services.



We are about to kick off our next Forrester Wave on web content security. The inclusion criteria for vendor prequalification will be sent out within the next two weeks. We will be focusing on both traditional web gateways as well as the hybrid and SaaS delivery models. What does this mean for you?

  • Vendors: If you feel that your solution applies to this Wave, please contact us and let us know that you'd like to be sent the prequalification survey. We will be limiting the number of vendors participating in this evaluation.
  • Enterprises: If you would like to provide us feedback on your experience with web content security solutions and vendors, we would love to hear from you. We plan to leverage your feedback for evaluation criteria as well as score weighting.

Please contact Kelley Mak (kmak at forrester.com) if you are interested in participating. We expect this Wave will publish in the Spring of 2014. (Fine print: This is a publication estimate and this date is subject to change.)


By William Heisel

One year ago, valley fever was a disease that few people outside of Arizona or Central California had heard of.

Caused by breathing in spores from a fungus that grows in the dirt throughout the Southwest, coccidioidomycosis – as it is formally known – can cause serious illness and a painful death. It spreads from the lungs to the bones, skin, and organs. It can cause lifelong pain and disability and require years of expensive medications. If you live in one of the 15 states that are required to report cases of the disease to the CDC, you have a greater chance of getting valley fever than you do AIDS, hepatitis, or Lyme disease.

I lived south of Los Angeles for 10 years and never heard about it. Nobody I know in Seattle had ever heard of it, either.

“Is that like yellow fever?” is a typical response.

It might have remained a poorly understood and under-the-radar disease if it weren’t for three things: an intense regional media campaign to focus attention on the disease, a new wave of scientific interest led by the CDC, and the intervention of local and federal policymakers.

Now people throughout the United States know about the disease through big stories in the national media. And two of the top health officials in the country – Dr. Thomas Frieden from the CDC and Dr. Francis Collins from the NIH – have pledged to pull together a multi-million-dollar clinical trial to find better treatment protocols.

This all started in the summer of 2012 when ReportingonHealth.org’s editor-in-chief and I (in the role of project editor) convened a group of Southern California media outlets to talk about the possibilities for collaborating on untold health stories. The news website is an initiative of The California Endowment Health Journalism Fellowships at the University of Southern California’s Annenberg School for Communication and Journalism, and the reporters who took part in the initial discussions were all former fellows in the professional journalism training program. The project was supported by The California Endowment and, from the onset, we set out to have an impact and make a difference through investigative and explanatory journalism.

From Bakersfield to Fresno to Merced to Stockton, the story we heard from editors and reporters was consistent: people in Central California communities had been hit hard by valley fever, but the news outlets had only scratched the surface reporting on it. Over the next year, the Bakersfield Californian, the Merced Sun-Star, Radio Bilingüe in Fresno, The Record in Stockton, Valley Public Radio in Fresno and Bakersfield, Vida en el Valle in Fresno, the Voice of OC in Santa Ana and ReportingonHealth.org banded together under the Reporting On Health Collaborative banner.

We called our series Just One Breath because all it takes to catch valley fever is to breathe in the fungal spores. The series documented the rise of the disease epidemic, the toll on families and the financial costs, the stalled attempts to find a vaccine, and a range of other issues. Throughout, the collaborative identified the levers that – if switched – could prevent infections and improve the lives of patients afflicted with the disease. And we ultimately provided a five-point road map for changing the course of the disease. We coupled the reporting with an innovative community engagement campaign.

Our stories led to coverage by some of the best-read media outlets in the world, including the Associated Press, the New York Times, and the BBC.

At the same time, the CDC began ramping up its publication of journal articles related to valley fever. Between 2000 and 2011, there were an average of two articles on valley fever in CDC publications: MMWR Weekly and Emerging Infectious Diseases. In 2012 alone, though, the CDC published six articles that provided new information about the disease.

Among these studies was one particularly important report. Coccidioidomycosis-associated Deaths, United States, 1990–2008 detailed the mortality from valley fever, the age groups being hit the hardest and the ethnic differences in death rates. Jennifer Y. Huang, Benjamin Bristow, Shira Shafir, and Frank Sorvillo reported:

During 1990–2008, a total of 3,089 coccidioidomycosis-associated deaths among US residents were identified; these deaths represent 55,264 years of potential life lost. The overall crude mortality rate was 0.58 per 1 million person-years (95% CI 0.56–0.61); after age adjustment, the mortality rate was 0.59 deaths per 1 million person-years (95% CI 0.57–0.61).

That report was followed by an update on the upswing in reported valley fever cases in March 2013, in Morbidity and Mortality Weekly Report (MMWR). The study, Increase in Reported Coccidioidomycosis – United States, 1998-2011, was co-authored by two of the CDC’s lead experts in fungal diseases: Dr. Tom Chiller and Dr. Benjamin Park, along with Clarisse A. Tsang, Farzaneh Tabnak, Dr. Duc J. Vugia, and Kaitlin Benedict. They wrote:

This report describes the results of that analysis, which indicated that the incidence of reported coccidioidomycosis increased substantially during this period, from 5.3 per 100,000 population in the endemic area (Arizona, California, Nevada, New Mexico, and Utah) in 1998 to 42.6 per 100,000 in 2011. Health-care providers should be aware of this increasingly common infection when treating persons with influenza-like illness or pneumonia who live in or have traveled to endemic areas.

Soon, it wasn’t just the media and the scientists who were calling attention to valley fever this past year. Politicians started to move, too.

Within a few weeks of the Just One Breath kickoff in September 2012, Michael Rubio, then a California state senator, called a town hall meeting in Bakersfield that brought together community leaders, clinicians, researchers, and patients to talk about how to deal with the disease. He then formed a valley fever committee in the state Senate.

“Let’s have a competition: Who can come up with a better test so we can achieve it?” Rubio said to the crowd. “Who can come up with a better treatment so we can have a cost-effective way of treating this very serious disease?”

At the federal level, Sen. Kevin McCarthy, R-Bakersfield, contacted Dr. Frieden at the CDC. McCarthy told reporters earlier this year that he knew there had to be a better way to deal with valley fever.

“What I would like to do in the short-term is a randomized clinical trial, because no facts are proven out there for the best treatment for valley fever,” he said. “It’s still unknown.”

That was in April. Last month, McCarthy helped make something unprecedented happen when he brought Drs. Frieden and Collins to Bakersfield for a two-day symposium on the disease.

The unknowns about valley fever are starting to give way to concrete, concerted action. As developments unfold, you can be assured that many more people are going to be paying attention. Gone are the days when valley fever was thought of as an unavoidable risk, the downside of all the upsides of living in the Southwest. People have seen what is possible when the science, policy, and advocacy communities put their heads together, and they want to see that same attention paid to valley fever.

William Heisel is a Contributing Editor at ReportingonHealth.org and the Project Editor on the Just One Breath series about valley fever. A reporter for 20 years, Heisel lives in Seattle, where he works as the Director of Communications for the Institute for Health Metrics and Evaluation.


One in three British companies is putting business operations at risk by storing data back-ups on-site, according to new research by Onyx Group and Computing magazine.

The research, which took place among IT managers in UK SMEs, shows that less than half back-up data off-site in a secure data centre, despite the risk that loss of IT poses to business continuity.

The research also revealed that just 16 percent of businesses are confident that their disaster recovery procedures are as good as they could be. A further 14 percent did not know whether they could be improved.

Neil Stephenson, CEO at Onyx Group commented: “This research shows a real lack of confidence in existing disaster recovery procedures and an obvious need to review and improve the business continuity plans that many UK SMEs currently have in place.



Network World — This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Cloud computing has transformed the way IT resources are utilized, but the externalization of infrastructures and applications has brought with it the perception of increased risk, which seems to center on visibility and control.

This perception of increased risk has prevented the adoption of cloud solutions in a number of industries, so the key question is how to make decisions about moving your organization's IT solutions to the cloud while considering the risks involved.

Let's review the key advantages of cloud computing:



Alan Elwood
Risk and Resilience Ltd

So far I have posted about the need to concentrate on ensuring your OODA Loop can operate faster than the emergency and talked about how to manage information and actions in a crisis. To complete this series of three blog posts I am going to look at how you can structure crisis decision making. Decision making in a crisis is not the same as in everyday circumstances so you will need access to different tools. Here are five things to consider:

Key Questions: Have a system to guide your decision making that analyses the situation but also allows you to use your experience and intuition. Think about the key set of questions you need to ask yourself and write them down in advance. These questions should help you (1) understand what is going on and the implications of that; (2) appreciate what needs to be done and why it needs to be done; (3) be clear on where your priority lies; and (4) identify, resource and co-ordinate tasks. Once you have this in place, make sure its use is second nature - rehearse, rehearse, rehearse!



Tuesday, 22 October 2013 15:51

5 Tips for Managing Clouds at Scale

Network World — The enterprise adoption of cloud computing resources has taken a precarious path. Many organizations have started by running small workloads in the public cloud, reticent to use the platform for bigger mission-critical workloads.

But once they get comfortable with, say, a test and development use case in the cloud, or an outsourced e-mail platform, perhaps CIOs and CTOs warm up to the idea of using outsourced cloud resources for more jobs.

At a recent panel of cloud users, one thing became clear though: Managing a public cloud deployment at small scale is relatively straightforward. The problem comes when that deployment has to scale up. "It gets very complex," says IDC analyst Mary Turner, who advises companies on cloud management strategies. "In the early stages of cloud we had a lot of test and development, single-purpose, ad-hoc use case. We're getting to the point where people realize the agility cloud can bring, and now they have to scale it."

And doing so can be tough. The panelists at the recent Massachusetts Technology Leadership Cloud Summit had some tips and tricks for users though. Here are five.



While good planning and processes are at the heart of business continuity and disaster recovery, technology can accelerate the benefits as well. We live in an age of cloud computing and smartphones. Both can be used to help an organisation get back on its feet after incidents, or simply ride them out without severe or permanent consequences.

Mobile Apps. With a billion smartphones in the world, the mobile app is now a familiar concept. The MIRA smartphone app makes use of the extensive capabilities of mobile devices to communicate with and localise respondents in order to coordinate DR and BC processes and exchange crucial information.



Tuesday, 22 October 2013 15:48

Thornton May: The Future Will Need CIOs

Computerworld — Several weeks ago, a group of enterprise CIOs gathered to celebrate the 32nd birthday of CIO-ness. That's right, the "chief information officer" job title is 32 years old.

There are several origin myths associated with the CIO position floating around our industry, but all of them roughly place the moment of CIO conception as sometime during 1981. I asked the hundred-plus CIOs in attendance to think back to what they were doing when they were 32. Doing pattern recognition on the responses revealed much. The most important observation was that by age 32, the executives in the room emphatically concluded that their careers were not over. They unanimously agreed that from age 32, their jobs got bigger, better and different.

We should all be able to conclude with equal certainty that at age 32, the CIO job is not over either. Not even close. Things are going to get bigger, better and different on a massive scale.



Tuesday, 22 October 2013 15:37

Picking Up the Insurance Tab

Your broker will help you determine your insurance needs, go out to market, and obtain competitive quotes. She’ll guide you through the buying process, price negotiations and policy terms. She might even take you out to a nice lunch and introduce you to the key players at your carrier. There’s no debating it – your broker is a great help when you’re purchasing insurance.

But the one thing your broker won’t help you with is paying your insurance bill. For that, you’ll need a budget.

Preparing an insurance budget is a lot like splitting the tab after an expensive meal. You’re pretty sure that everyone sitting at the table should pay something, but how much? Should the bill be divided evenly? Should each person pay according to what he ordered? Should you skip all the awkwardness and just pay the thing yourself?




In 2011, Chris Kloosterman joined the IT team at Saint Michaels University School (SMUS) in Victoria, BC, Canada, after leaving his position at nearby Brentwood College School. St. Michaels University School is a private co-educational, independent day and boarding school of 930 students from kindergarten through grade 12.

The timing of Kloosterman’s hiring as the new systems administrator could not have been better as SMUS was facing major challenges with its data backup and recovery system. Fortunately, he had just spent months in his previous role evaluating backup solutions and had great insight to share with SMUS manager of computer services, Rob Przybylski.

With the previous system, Symantec Backup Exec 2010 version 13, the school was backing up a full plus incrementals over seven days, but wanted the ability to back up all data every day. SMUS also needed an easier and more robust solution for performing file-level restores, and for reviewing data retention policies to ensure they had copies of data where they needed them. With Backup Exec 2010 version 13, doing multiple copies was cumbersome. During testing, they generally did not work. SMUS went to disk and archived to tape, but because tape was so unreliable, they had to back up to two different disk boxes in two different locations. That was problematic.

As it came time to evaluate and implement a new backup solution, Przybylski relied heavily on Kloosterman who had been part of Brentwood College School’s extensive research into backup systems. With his thorough knowledge of the available systems, SMUS didn’t need to replicate his research efforts.

Based on Kloosterman’s endorsement of the STORServer Backup Appliance, SMUS implemented the system in June 2011. The competitive solutions were either significantly more expensive or lacked the robust features that the Appliance offered.

Driven by IBM® Tivoli® Storage Manager (TSM) and other proven technologies, the STORServer Backup Appliance is a comprehensive, fully integrated, backup, archive and disaster recovery solution in a single, easy-to-use configuration of hardware and software technologies.

STORServer has enabled much faster backups for SMUS. Previously, with Backup Exec 2010 version 13, the school was doing incremental backups daily and full backups during the weekend, which proved to be incredibly challenging for performing restores. In order to restore a file, Przybylski had to go to the latest full backup and look up all backups since then. If a file changed daily, that meant they backed it up daily. So, if a file changed every day for 30 days, SMUS had 30 copies of it due to a 30-day retention requirement. STORServer enabled the school to get proper file retention policies back to a year and eliminated the worry about all the different data sets they were backing up every day.

SMUS is currently backing up 17.5 terabytes (TBs) of raw data across two locations—one at its main facility and the other at a nearby junior school. The school is fully virtualized with 60 virtual servers and runs Windows and Linux and a 10 gigabyte network in its server room.

Using Backup Exec 2010 version 13, backups started running at 10 p.m. every evening and usually finished by 7 a.m. the next day. However, if there was ever an issue, backups would go into the next work day and make the system very slow. The backup window was growing and growing and Przybylski feared SMUS would eventually run out of physical time to perform backups. Now, STORServer’s backup window is a quarter of that—mere hours.

The Appliance has saved the school immense amounts of time. Restores previously took half an hour to 40 minutes depending on when the file was deleted. Now, restores happen instantly with STORServer.

In October 2013, SMUS had a major storage crash. The process of restoring all of the data using the STORServer Backup Appliance included more than 7.1 million files restored to the main file server, 900 student email boxes and a couple of bare metal server restores. With no hiccups, problems or errors, STORServer had all of the data restored in a matter of a few days.

Although quantifying a cost savings of implementing the Appliance is difficult, Przybylski says the peace of mind the solution offers is invaluable.

“The daily time period we would need to spend on managing the STORServer Backup Appliance is probably a quarter of the time we were spending on the old system,” says Przybylski. “We now spend at most 10 minutes a day maintaining the system. Time wise, it is a huge savings. And, my level of comfort is priceless.”

Since implementing the Appliance, the system has been able to meet SMUS’s growing needs. The school has bought extra tapes—as its backup data set has grown—and changed out the hard drives in the unit with the help of STORServer. According to Przybylski, there wouldn’t be any issue expanding the system even if their file data volume doubled, which it likely will. STORServer could handle that growth.

“STORServer is quite a hands-off system,” says Przybylski. “You set it up at the beginning with the retention policies, and then it really does run itself. Restores are instant and can be done by any of our technical staff. It doesn’t require expertise of the TSM platform. But, the biggest benefit is the peace of mind that my data is backed up and I can get it back in case of disaster. That was not the case with our old system.”

One of the biggest topics in IT today, specifically for anyone in the backup field, is deduplication. Using STORServer, SMUS is able to store 17 TBs of data on 9 TBs with compression and data deduplication.

“Our WAN backups used to take seven nights to get a full backup, but with deduplication, we now get a full backup every night in just minutes over the same WAN connection,” says Przybylski. “This has helped us out more than any of the other features of the Appliance. Compression and deduplication mean we have a quarter of the disk space our old system had. Now, we can store more data and archive sets than was previously possible. We don’t have to store data for specified periods of time. Some files are archived forever and most have retention policies.”