DRJ Blogs

DRJ | The premiere resource for business continuity and disaster recovery

Secure Documents with Shield

As covered in our last post, Records Management for BCP, one of the most challenging and yet critical elements of your business continuity plan (BCP) is records management. In this follow-up post, we’ll look at how KingsBridge Shield helps you to secure documents that are most critical to your business’ recovery.

Safe and Secure Documents Storage

When it comes to business continuity, documents needed to help recover the business have to be safely and securely stored.  Many of our clients initially put a lot of faith in their IT department’s backups.  They know the data is backed up and therefore feel that having a copy stored elsewhere is unnecessary.  However, backup does not mean instant access.  Recovery of electronic document storage takes time.  Once documents are recovered, user access may be limited due to connectivity with the recovery location.

Shield provides a secure, web-based solution that supports the storage of critical documents independent of your company’s servers.  The Shield mobile application syncs with the web application placing an additional off-line copy of these documents on your phone.  No internet?  No problem.  Your phone will have all the documents you need.

...

OWASP Top 10 - Combating Data Security Breach in Web Applications

Most organizations now develop and use web applications to do business online. This shift has undoubtedly made doing business easier, but it has also exposed critical business and customer data to security threats. The 2017 Verizon Data Breach Investigations Report suggests that a good percentage of breaches were associated with web applications.

Some of these threats have now been addressed by various automated scanners which provide a robust detection of security vulnerabilities. However, it is still important to understand such vulnerabilities before we can resolve the danger posed.

The Open Web Application Security Project (OWASP) is a group that works towards defining security recommendations, specifications, and explanations in key areas. The group was initially created as a project to define testing standards for web application security. The specialized project concluded that purchase of dedicated software tools can make the web application immune to security breaches. Apart from this, OWASP drafted and published a ‘Top 10 Security Vulnerabilities List’ for web applications.

...

Disaster Recovery Planning: Who Needs A Seat At The Table & Why

Whether you’re implementing or just refining your disaster recovery (DR) process, one of the most important things to consider is your team. Depending on the people at the helm, your efforts will either be thorough and coordinated, or incomplete and disjointed. To start off on the right foot, you’ll need to assemble a knowledgeable group whose areas of expertise cover all the necessary bases.

Below is a list of roles that, in our view, are instrumental to the success of disaster recovery planning. Note that in your organization these roles may not be clearly defined yet (there may not be anyone who currently holds the title Disaster Recovery Coordinator, for example), but these roles should be assigned before the process begins.

Key Roles & Responsibilities For The Disaster Recovery Planning Team 

Your disaster recovery planning team should consist of the following:

Management Steering Committee

Executive team members who oversee the process are involved at a high level, which means they may not technically need a seat at the table—but they should be standing in the room. They play an important role when it comes to approvals for things like budgetary issues, policy considerations, strategic direction, and overcoming roadblocks or intradepartmental issues. These individuals might be part of an existing business continuity oversight committee, or form a separate disaster recovery steering committee, depending on the organization.

...

Records Management for BCP

Records management is an ongoing struggle for many businesses, especially when it comes to Business Continuity Planning (BCP). Every time we go to a client site we get asked about what to do with all of the information the business generates. Where should it be stored? How should it be accessed, and by whom? And how do we know it’s up to date? In this post we are highlighting a few tips and tricks for records management to help your business easily survive the next disaster. 

What is a record?

Let’s start with the basics. What are we actually talking about when we say ‘record’? Most often a record is a set of printed documents that are kept in file folders or binders. But don’t be fooled! Records also include anything written in employee notebooks, or post-it notes at people’s desks. In short, anything written down for your company is a record. And that’s just hard copy.

There are also electronic records. Most often people think of anything that is generated in any of the Microsoft Office suite of programs (like Word, Excel, PowerPoint, etc.). These records also include pictures, any emails sent or received to the company email address (and yes, attachments too), as well as anything sent or received in instant message programs used by your business.

...

The 4 Ps of Incident Management 2.0 - Ramesh Warrier

Plans should not be the only goal of Business Continuity Management (BCM) programs.  The true end-state of BCM should be to assure that your organization can successfully manage its response to any disruption, the goal of Incident Management.

An Incident Management focus has 4 components:

Planning – More than just BIAs and Risk Assessment, planning is the process of gathering, analyzing and presenting data crucial to Incident Managers’ and senior executives’ Decision Support.  These include: assessment of current capabilities, vulnerabilities, gaps, single points of failure, process and IT services critical resources, and RTO and RPO requirements.

...

4 years later… what we can learn from the Lac Mégantic rail disaster

What can we learn from Lac Mégantic

In July of 2013, the deadliest Canadian rail accident since 1867 occurred in Lac Mégantic, Quebec.  A series of errors caused a train carrying crude oil to roll downhill before derailing in the town of Lac Mégantic.  The accident resulted in:

  • 63 derailed rail cars
  • 47 deaths
  • 2000 people forced from their homes
  • 4200 people impacted
  • 30 buildings destroyed
  • multiple criminal charges
  • $460 million in settlements (and ongoing legal battles)

While it might be tempting to assume an accident of this magnitude is the result of a single large error or mechanical failure, this was not the case.  Investigators identified 18 causes and contributing factors that led to the disaster.  Here are a few common but potentially dangerous assumptions that were made by the rail company and are often heard in the emergency response and business continuity arena:

  • We’ve trained our staff in all safety procedures. The rail engineer in the Lac Mégantic disaster received training.  Despite this, he did not conduct a proper brake test to ensure the locomotive was secure.  The engineer applied 7 handbrakes, yet investigators estimate that the operator should have applied at least 17 brakes to secure the train.  Investigations revealed that training, testing and supervision were insufficient.  Safety training is important, but regular reviews and testing are just as critical.  Management needs to be sure that staff are always following procedures accurately and consistently.
  • We have written procedures for our staff to follow. In the rail disaster, personnel mislabeled the oil cars with the wrong type of crude oil and did not follow brake procedures.  Just because procedures are written down doesn’t mean staff will always follow them.  We can learn from the checklist approach used in the airline industry and now adopted in operating rooms as well.  Mandatory checklists require the pilot/surgeon to physically check off that required procedures are followed, every time.
  • We’ve evaluated the situation and decided it’s too costly to fix so we’re going to accept the risk. Eight months before the Lac Mégantic rail disaster the lead locomotive was in for repair.  Due to the costs associated with a standard repair and the pressure to return the locomotive to service as quickly as possible, the company took short cuts using an epoxy-like material instead of performing the standard repair.  This material caught fire the night of the disaster and was a significant contributing factor to the events that led to the derailment.  Businesses make cost-benefit decisions every day but we need to be sure we’re fully recognizing all the costs.  The railway is now in bankruptcy protection because of the event.
  • We are regulated and regularly inspected so we’re confident that we’re following all required procedures. Prior to the rail disaster, reports documented a pattern of repeat problems.  Despite these reports, Transport Canada did not always follow up to ensure the company was addressing the underlying conditions that led to these recurring problems. Lack of oversight left gaps that contributed to the disaster.  While many regulations exist, regulators often do not have sufficient resources to verify that companies are following the rules.  Do not confuse compliance with safety.  Companies need to do their own due diligence.

These are just a few of the excuses we hear companies use to make themselves feel comfortable that they’re meeting safety and business continuity obligations. These are also some of the same issues that led to the Lac Mégantic disaster.  Don’t assume you are meeting your obligations.  Test, retest, and ensure you have tools and plans in place to ensure the safety of your operations.

...

7 Emerging Trends in Disaster Recovery Industry

For most business executives, the importance of finding a way to keep their businesses running even in the event of a disaster cannot be overstated. In fact, disaster recovery and business continuity are fast becoming the most important IT conversation that business leaders are having with their staff, along with training them on the protocols to follow when a disaster strikes. On average, business organizations take 1-9 hours to recover from a disaster. Each hour costs an average of $700,000.

In any disaster recovery procedure, the first few minutes and hours after a business system crashes are extremely crucial. For most enterprises, the rest of the recovery process is determined by how well events unfold in the period immediately after the disaster hits the business process.

Failure to be adequately prepared for a disaster has the potential to wreak havoc on the reputation and financial standing of the organization. What’s more, a poorly managed disaster can scare customers away. A Business Continuity Institute poll conducted by risk experts found that 85% of the people who took part in the survey had concerns that their businesses were at risk of a cyber-attack within a period of 12 months from the time the poll was conducted.

...

Emergency Response, Disaster Recovery and Business Continuity: Putting Incidents in Context

You’ve likely heard the terms before and may have a vague idea of their definition, but how do emergency response, disaster recovery and business continuity really work together during an incident? This blog post will walk you through these phases.

 

Putting Incidents in Context

You are sitting in your office building and the fire alarm goes off. Following health and safety procedures, you head outside and smell smoke. You can see flames coming from the top two floors of the building. The fire department has arrived and is setting up to put the fire out. Your colleagues are moved away from the building, and anyone who is hurt is treated. You are left to wonder when, if ever, you’ll be able to come back to work.

Within three days your IT group has you set up with a laptop so that you can work remotely. You and your colleagues work together online and through conference calls. Eventually, after the damage to the office is fixed, you get a notice that everyone can return to work as normal.

...

Hyperlink your way to a successful BCP

At KingsBridge our primary focus is developing simple and straightforward business continuity software (our flagship tool Shield). However, we also believe strongly that to develop a useful tool, you need to be using it every day, just like our customers do. To make this happen, we also do consulting: writing plans, exercising plans and performing gap analyses on existing plans. The gap analysis is always an interesting experience because we see how other organizations have structured their business continuity plans. We can receive hundreds of pages of content to perform our analysis. When the documentation arrives, our first thought is often, how do they find anything in here? They must be flipping pages forever to find the content they need when the plan is activated.

Easy plan navigation is critical to writing your business continuity plan. It’s one thing to ensure your plan includes all the critical plan elements and it is kept up to date. It’s quite another to ensure that everyone can find the information that they’re looking for. How do we manage this in Shield? Hyperlinks!

...

Business Continuity or Disaster Recovery?

Business Continuity plan, or Disaster Recovery plan? How do you know which of these you should be writing for your company? Is there even a difference between the two?

The short answer is yes, there is a difference! And it is not intuitive. Most people hear the words ‘disaster recovery’ and assume that the phrase means ‘recovering from a disaster’. Likewise, ‘business continuity’ sounds like it means ‘continuing with business.’ These terms are often misused because the assumed definitions sound very similar. So let’s set the record straight!

Disaster Recovery Plan

A Disaster Recovery plan is not a plan to recover from a disaster. It is the plan your IT department will follow to bring systems back online in the event of an outage. These outages (what we in the industry call ‘incidents’) can occur in a number of different ways and affect a myriad of components. An outage or incident may be the cause of, or it may lead to, a disaster. If you have ever been sitting at your office desk and your email suddenly stops working, chances are your company experienced an incident. The IT department works madly to get your email back online. Then there is a sigh of relief when it works. And email is just one part of it. Access to the internal network, the different software you use, the phone system, and the internet all fall under Disaster Recovery too.

...

Business Continuity Awareness Week 2017

Mark your calendars! Business Continuity Awareness Week 2017 is next week, May 15 – 19! You may be thinking, “Wow, that’s coming up fast! I’m not ready, I thought I had more time!” Don’t worry! We’re here to help you with some last minute tips and tricks to pull off an educational, forward thinking Business Continuity Awareness Week!

This year’s theme is Cyber Security

The first thing you should know is this: the Business Continuity Institute (BCI) announced this week’s theme as cyber security. In a nutshell, cyber security is made up of the firewalls, technology, processes, etc. that help to protect your business from viruses, attacks, and other wrongful access. Below are a few examples of what you can do to increase its awareness in your organization.

Put up posters

The BCI has six different posters for download on their website – for free. Download some of these posters, print them, and hang them throughout your office. Each poster touches on a different part of cyber security and what your employees can do to stay secure.

...

Orchestration for Disaster Recovery

It’s no longer acceptable to have simply checked a box indicating that you have a disaster recovery plan, or have performed a disaster recovery exercise within the last year that required significant resource investment and more than 16 weeks to plan for. In today’s always-on world, with the severe reputational damage that can be caused by an outage at the forefront, many companies need a validated plan that may be fully executed at a minute’s notice. As a result, companies are moving towards designing more proactive strategies to fail over between sites on a more frequent basis, running production from the failed-over site for an extended period of time to verify operations, then failing back to their original state.

For many companies this may seem to be an almost impossible task; however, the very recent introduction of recovery technology in the form of advanced orchestration, which automates and executes the entire recovery run book from end to end, now provides a single pane of glass to govern the complete process. Many companies are now successfully leveraging these advanced designs to not only successfully orchestrate and validate a fail over, but are gaining valuable insight and documented proof of the results for audit and compliance.  

Will your disaster recovery plan do that?

...

Driving Resiliency Through Operational Risk Management

I recently had the pleasure of presenting with a panel of RSA Archer customers on the topic of “Building Resiliency Across the Value Chain" for a Disaster Recovery Journal webinar.  

Two key questions were posed to the 80 attendees. The first question was: “Where is your organization on the business resilience scale?”  The responses were:

 

...

The price of Cloud Backup and DRaaS

Cloud computing is hardly a new player of the IT world. Its ever-growing market share and popularity within the IT community derive from combining flexible prices with the Always-On Availability of infrastructure resources. It brings out a whole new world of possibilities for your business, while reducing the long-term costs of maintaining your own infrastructure. Yet, despite the obvious cost advantages of moving data to the cloud, pricing is still a top concern, as Veeam discovered from our recent 2016 cloud end-user survey (see chart below).

Are cloud backup and DRaaS affordable?

The answer depends on many factors. A change of mindset is required when thinking about the affordability of cloud-based backup and disaster recovery (DR). Depending on your individual business requirements, cloud backups or even a full Disaster Recovery as a Service (DRaaS) solution can be very affordable, especially considering the money saved in the event of a disaster. The general rule is the lower the recovery time objective (RTO) and recovery point objective (RPO) your business requires, the higher the potential cost.

...

Communicating When Disaster Strikes - Tips for Preparedness

One of the first things people do when disaster strikes is start communicating. Someone calls 911. Emergency response groups learn and relay important facts about the incident. And people speculate about what happened, why it happened, and what will happen now.

As a business, it is vital to be ready to respond when disasters occur. In order to keep gossip to a minimum and maintain a positive reputation, clear communication about the incident must occur in a timely fashion. This can be hard to do when there is concern over the well being of employees or pressure to provide an explanation about who is responsible. Adding to this stress is that all of the facts may not be known right away, yet communications still need to be sent.

So how does a business take steps to ensure clear, timely communications occur under all of that pressure? This post provides you with a few tips to help you (and your business) communicate effectively in the aftermath of a disaster.

...

BUSINESS IMPACT ANALYSIS RELIEVES “TEMPEST IN A TEAPOT” SYNDROME

Do you ever use the term, ‘you are creating a tempest in a teapot’? It means, don’t make a big deal out of something that isn’t. Doing a little research, I found other similar phrases I thought were entertaining. They are:

• ‘A storm in a teacup’ – Cicero; or ‘Billows in a ladle’ – translation of Cicero’s writings
• ‘A storm in a glass of water’ – Netherlands
• ‘Tempest in a potty’ – Hungary
• ‘A storm in a wash-hand basin’, or ‘A storm in a cream bowl’ – England

Of course my seven year old loved the ‘tempest in a potty’. Anyway, something these phrases all have in common is “business impact analysis”. Surprised? Let me explain.

...

No Building, No People, No Systems, No Suppliers

We get asked a lot of questions about how any one company can possibly plan for all of the different incidents they could experience.  It’s a good question.  There are many variations of complexity to incidents that can make the task of planning for them all feel overwhelming.  Fires start small, and can grow and spread.  Tornadoes might cause minor damage to the warehouse, or take out the entire structure.  One employee gets sick with the flu, and suddenly a third of the workforce is unable to come to work.  

While discussing this problem with a friend of KingsBridge BCP recently, they had the perfect example to illustrate this point.  This person works for a natural gas company, and their story goes like this:

There was a bad thunderstorm happening in an urban area adjacent to an electrical tower.  Lightning from the storm struck the tower.  The good news is that the tower had a ground wire. The bad news is that the ground wire ran down into the ground next to the end of a metal corrugated sewer pipe.  The surge from the lightning strike ran down into the ground wire and hit the sewer pipe. It was conducted along the length of the sewer pipe until it hit a natural gas pipeline at the other end.  This caused a minor explosion that set off a chain reaction to all of the natural gas feeds into the homes and businesses in the nearby vicinity.

...

New Age Resiliency

The age of manual disaster recovery is rapidly reaching end of life.  The need for an ‘Always on’ business that leverages enhanced technologies is driving traditional recovery programs to seek improved, cost effective alternatives.  Speed, accuracy, and consistency quickly become the predominant principles for effective resiliency programs.

Many factors are driving the need for taking the next step towards transforming resiliency programs to enable a more software defined, orchestrated approach to keeping a business up and running. These include:

  • Corporate demands for less downtime, evidenced by the growing number of real time, online systems that demand a 24x7x365 end user experience to drive expected results
  • Increased mandates for external compliance and internal audit to demonstrate continuous availability and a near instant response to an outage
  • Threats from cyber activity that require immediate action to identify and remediate the concern and resume processing with minimal business interruption
  • Continuous monitoring and confirmation of the resiliency program which increases confidence that should an event occur, the business is ready to respond
  • Increased recovery capacities to manage the tremendous upsurge in data growth and hybrid IT progression is driving the need for more significant resiliency designs to protect information and develop a more expeditious means to bring it back online in the event of an interruption
  • The challenge to validate recovery given the increase in size and complexity of the environment and the inherent risks associated with demonstrating full business functionality without impacting production 

Addressing these factors has become a huge challenge, especially when using traditional methods for validation of the program, responding to a live event, and ultimately demonstrating complete business resumption.  Recent technology developments in the area of automation and orchestration not only address these needs, but more specifically provide the road map for the next generation of business resiliency. 

...

Have You Automated Your Emergency Notifications? How This One Step Can Save Lives

Emergencies Aren’t The Time to Plan

We don’t often think of emergency response until there is an actual emergency, which is the absolute worst time to figure it out. When you’re in a crisis, you and your co-workers are less likely to think as clearly as when you aren’t. An emergency “plan” is just that, a plan. It’s your guide to getting you and your employees out of harm’s way and keeping the business up and running as best as possible. The more steps you can remove from the process through automation, the better off everyone will be.

While many organizations say they have an emergency procedure in place, there are a few problems with many plans:

1. The plan isn’t really a plan. It’s more of an idea. “If we have to evacuate, we’ll just go into the parking lot.” That’s not a well-conceived plan. An appropriate plan must be well thought out, rehearsed, and include all of the most likely scenarios, plus the flexibility to extrapolate the procedure to unexpected events. This “all-hazards” plan requires more than one person to develop, in fact, a committee of in-house and remote stakeholders who can work together to come up with a comprehensive strategy and agree on the technologies that will make it happen.

...

5 Clichés About Business Continuity Management You Should Avoid

Business Continuity Management has tremendously evolved since it originated in the 70’s but some common clichés are still lurking in the shadows. Avoid these 5 mistakes to create a successful business continuity management program that is objective, consistent & repeatable.

 

1. Every business continuity program is the same

Don’t fall into the trap of one size fits all or “This is how we did it at my last company so let’s go!”  Is it possible that all the factors that went into the success you had with your last employer will come together at this organization? Sure, why not! Should you bank your career on that happening? Hmmm, maybe not. Each organization has its own unique ‘best fit’ framework for a sustainable resilience program.

Define business continuity/organizational resilience as it relates to your organization or industry. Every organization has unique needs & priorities that vary based on industry, geographic location & resources.
