DRJ's Spring 2019

Conference & Exhibit

Attend The #1 BC/DR Event!

Winter Journal

Volume 31, Issue 4

Full Contents Now Available!

Having just returned from the DRJ Fall World in beautiful San Diego, I have to tell you that I am very proud of the team that put together the PPBI Mock Disaster. This was a complex undertaking, with a ton of planning and activities behind the scenes to make it all happen.

The exercise was coordinated by Ken Schroeder of CorporateOne FCU following approval of DRJ to offer PPBI the opportunity last April. Schroeder put together an Occupy Harbor Island scenario and had a bulls-eye on the objectives: maximize training on using the principles of ICS to facilitate crisis management; develop an understanding of the advantages of public-private partnerships to improve likelihood of success managing a crisis; create an appreciation by the participants of the uses and pitfalls of social media during a crisis; introduce principles of media management to the participants, and demonstrate the advantages of a partnership prior to an event; demonstrate how risk management procedures may fail to identify the “black swan” event—how some event or group totally external to the organization can create total chaos and force implementation of business continuity plans; emphasize the need for a command succession plan; instill an appreciation of the complexities caused by multiple, unrelated disaster, and he and his team hit them squarely in the middle!

This success was not without some very hard work from a number of PPBI board members and many partnerships forged through an investment of time, many communications, discussion and much accord as to the quality of the exercise.

To give you an idea of the complexity, I would like to mention a few of the partnerships. These included PPBI Board members including myself, advising Schroeder and the team and working as a liaison with the DRJ’s Bob Arnold and Patti Fitzgerald on the venue and Curlystitch to provide the facilitators and protestor with shirts. I also played the role of the PPBI Widgets CEO, Iam D. Bosse.

I would also like to thank Lynnda Nelson, president of ICOR, who has always admonished PPBI to invest in our social media capabilities. Kevin Schaller a senior consultant with Virtual Corporation (and a retired deputy sheriff in Nevada), coordinated activities with the San Diego Harbor Police and organized the protestors into a formidable obstacle. Schaller also brought his motor home to serve as the mock exercise command post. Lee Goldstein, a principal in the Business Contingency Group, beat the bushes for protestors and helped facilitate the exercise. Marianne Guinee of HSBC, developed many of the Facebook screens, and made the live injects and homepage hijack real-time from her home in Chicago. Schroeder developed the Twitter ID’s and initial injects, with the team facilitating the programmed (and ad hoc) injects from a busy table in the mock room. John Jackson of Fusion Risk Management recruited journalism students from the local schools with help from Dr. Eric Frost from SDSU Sciences and Kathleen Hessert , president of Sports Media Challenge and BUZZManager, a social media expert. David Ziev of HP developed the presentations and facilitated the exercise. Equally valuable were the partnerships Schroeder and others developed in the short six months between venues, bringing talent, understanding, passion and compassion to the mock! Schroeder reached out to Dr. Roberta Flynn for her expertise in protecting our most valuable assets, each other. Dr. Flynn who works with several organizations including the Red Cross offered one of the teaching moments during the Mock which offered attendees a glimpse into the “Emotional and Psychological Trauma” that affects every responder and survivors with emotional symptoms that may differ dramatically. Her points reflect the advice offered by PPBI in our workshops, “take care of your people.”

“Develop psychological resiliency,” said Dr. Flynn, “use proactive planning, exercises and training, be aware that mental rehearsal affects readiness and resiliency, and remember that you can have a positive impact on a traumatic event even after many years.”

PPBI would also like to thank AGIOSAT for providing their satellite downlink solution to the DRJ mock venue which offered real-time Internet access to the facilitators and participants. Alan Farber and his team of Keith Simonsen and Adrian Maltbie supported the mock for more than three hours in the hot sun after travelling from LA to be a part of the action. Very gracious and AGIOSAT helped to make this a very real mock disaster. Thank you all!

As those of you who attended will remember, the chaos that ensued during the PPBI Widget management retreat was fairly authentic. It appeared at first that there was no one in charge; there was a lack of information about the event; communication with those who should know what was occurring, just didn’t work. The information from Facebook and Twitter was moving so fast and in some cases distracting and in others ignored entirely by the participants. These challenges were recognized by many of the tables each representing a response team included in the roles of incident command and section chiefs as depicted in the incident command system.

One response I remember well was included a group decision to host a press conference with one of the students from John Paul University in her role as a reporter. The reporter (Melinda) did a great job of probing for the pain and digging down into the heart of the incident. The public information officer also did a great job of delivering a press release. He was very articulate, authoritative, had a list of facts and promised a follow-up at a designated time. The problem as I noted, the information was not based on facts at the time in the exercise and no one as far as I could determine had authorized the content for distribution; for example the incident commander.

During the break, the protestors’ who had upset the exercise with a march through the venue chanting for their cause the Cockaded Harbor Island Crab (CHIC), kidnapped me playing the CEO and wanted to bargain my release for their cause. This led to several other sub plots such as isolation of witnesses, succession planning and hostage negotiation. The San Diego Harbor Police, Patrol Division represented by Lieutenant James Jordan and Officer David Lanham (a recent graduate of the SDSU Homeland Security Program under Professor Frost) did what they do best, keeping order and offering another teaching moment with a level set of expectations:

  • Don’t expect a television response
  • Not all resources will be available (SWAT team)
  • Understand command and control (who’s in charge)
  • Establish liaison with on-scene commander

All was well received and understood by the participants and we all offer our appreciation to Chief John Buldoc, San Diego Harbor Police for supporting their participation in the mock!

Next up were a couple of teaching moments that were timely and very poignant. The first was pressed by Linda Locke the principal at Reputare Consulting. Locke was joined by a number of social media “operatives” to help manage and facilitate the exercise. They watched our back as the exercise played out and helped to keep the content and message aligned with expectations.

According to Locke, reputation risk is as real as other risks. Negative reputation exacts a real penalty. Reputation is “owned” by stakeholders. Perceptions develop via three channels – direct experience with the company, what others say about the company, what the company says about itself . Tracking before a crisis enables you to measure time-to-recovery. Emotions are more important than facts in crisis communications.

In other words, the only way to manage your reputation is maintain a high level of vigilance on a combined media presence. Kathleen Hessert from BUZZmanager continued the lesson. Hessert, as you may remember from earlier in this article, is an expert on managing reputation on the Internet and had just returned from the Democratic National Convention, where she had been advising, protecting and monitoring all manner of social media during some very long days. Exercise participants listened intently as this message had a number of recommendations concerning the management of social media.

“Social media is your early warning system,” said Hessert, “ setting new expectations of all stakeholders and even miscreants. In a crisis it adds, accelerates and amplifies the volume of partial information, the degree of inaccurate information and the danger of damaging information with costly implications.”

I believe our participants learned many lessons during the exercise and took home a boatload of experiences from the interaction at the mock. The protestors eventually released Iam D. Bosse (much to the dismay of all participants) and allowed me to return and thank all those who facilitated and participated in the DRJ Fall World 2012 Mock Disaster. A big thank you to all of you again from PPBI. Look for us at ppbi.org. We hope to have the video available soon!

Deidrich E. Towne Jr., MBCP,is a senior technical consultant for Hewlett Packard and chairperson of the PPBI Board of Directors. Towne has more than 40 years of experience in information technology committed to infrastructure management, business continuity planning, disaster recovery and incident management in the areas of consulting, business process re-design, project management, project implementation, documentation, exercise design, execution and training. He has transitioned from a business and industry first responder role to assist clients in assessing, designing and implementing recovery solutions for their data centers, networks and mission critical business processes.

Disaster Recovery Journal had another successful show at Fall World 2012, Sept. 9-12, at the Sheraton San Diego Hotel and Marina.

“It was great to so many attendees returning again after years of being away,” said DRJ President Bob Arnold. “We had another great turnout.”

DRJ’s 47th conference drew more than 900 registered attendees to San Diego with more than 1,200 in total attendance.

“We would like to thank not only all of our attendees,” said Arnold, “but the wonderful presenters, sponsors and exhibitors for making it such a huge success.”

DRJ Fall World 2012 Gold Sponsor Send Word Now sponsored a Las Vegas-themed casino night for the Monday Night Hospitality.

“Send Word Now hosted another great party Monday evening,” said Arnold. “Our attendees really enjoyed themselves.”

Other conference sponsors included COOP Systems, eBRP Solutions, IBM Business Continuity and Resiliency Services, Strategic BCP, SunGard, xMatters, MIR3, EVault, AT&T, Dell, Everbridge, Fusion Risk, Iron Mountain, IT Cadre, Regus, Verizon Wireless, Vocal, Volo Recovery, Business Continuity Institute (BCI), Forrester Research, International Consortium for Organizational Resilience (ICOR), and Public and Private Business Inc. (PPBI).

“The exhibit hall again featured the leading service providers in the BC/DR space,” said Arnold. “You can still browse Virtual World 2012 (www.drj-virtual.com) if you were not able to join us in San Diego.”

Manuel Ponciano, of GAEBD, won the $500 attendance prize drawing while Richard Fortson, of United Launch Alliance, and William Marotz, of Schneider Technology Services, each won $250. All three attendees also won a free pass to a future DRJ conference.

“We are sad to leave the Sheraton after 18 years,” said Arnold of the Fall World 2012 conference venue, “but we are extremely excited about our new home at the new Bayfront Hilton in downtown San Diego (see photo above). Among the many advantages for attendees, we’ll be able to have meals and exhibits in the same place like we do in Orlando.”

Speaking of Orlando, DRJ’s Spring World 2013 will take place March 17-20, 2013, at Disney World in Orlando, Fla. For more information, see pages 59-65.

“Our senior advanced track was a big success last year,” said Arnold. “We’re planning another great conference in Orlando.”

Jon Seals is an award-winning journalist with more than 25 years of experience. He has been the editor in chief of Disaster Recovery Journal since 2001.

One of the keys to successful and rapid disaster recovery is effective records management. In the past, the records management role was simple and non-strategic. However, today’s records managers are tasked with reducing risk in many areas, including data breaches, improper storage, destruction of information, and lack of employee compliance. Any type of risk has the potential for financial, reputational, and even criminal consequences if not managed effectively.

Now, records managers are integrated into the functionality of the businesses. They are responsible for identifying the need to embrace new technologies, adhering to specific records, laws, and policies, and driving greater efficiency and cost reduction. Having a keen awareness of the records management environment and adjusting their approach and management techniques to their particular program is critical to success.

With an increased level of records and data, and additional records legislation, records management risks are compounded. At times, records managers may feel as if they are playing a game of whack-a-mole instead of strategically managing one of the organization’s greatest risks. Security breaches are expensive. A single breach could impact thousands of records. In fact, according to The Ponemon Institute’s annual “U.S. Cost of a Data Breach,” the average cost of a data breach is $5.5 million. There’s also risk of fines for not storing, securing, or destroying documents properly or in the right time frame.

For example, a health clinic in the United States was fined $4.3 million for violating HIPAA privacy laws, and an insurance firm was fined $1.2 million by an independent regulatory committee for failing to comply with policies archiving company email records. With significant changes in today’s policies and procedures for both physical and electronic records management, there’s an even greater need to establish an effective strategy to prevent errors and data breaches.

In another example, a government agency’s employees were found improperly shredding critical documents and personal records. As the investigation continued, authorities discovered there were more than 500 misplaced records, highlighting a much larger problem with how the agency handled records and how employees failed to follow existing policies and procedures. In fact, some employees were accused of mishandling records as a way of meeting performance goals and receiving bonuses. It represented a major risk for both the agency and its employees, as improperly destroying government documents is a felony, punishable by up to three years in prison and a fine.

Disasters like these can be avoided by following best practices. Begin your approach to records management with these strategies:

  • Understand and quantify your risk. At the core, strategy is about understanding your environment and responding appropriately. One of the most important items for a records manager to get his or her head around is where risk exists and to what magnitude. This requires not only understanding the internal environment, but also the external environment, including laws that can ultimately determine the impact of a policy breach. The Ponemon Institute Study is a great way to quantify the risk. In addition, news articles and reports that contain costs of data breaches or costs associated with litigation from poor records management also contain great information for quantifying risks. The greater the risk, the more an organization is likely to spend on prevention, which is one of the best strategies a records manager can utilize.
  • Put focus on the greatest risk. Strategy is also about priorities. A good strategist focuses on getting a few things done right versus trying to do a multitude of tasks with average results. Rather than equally dividing your funding across the company, find the greatest exposure and enhance efforts in that specific area. Many companies recognize the significant risks with electronic media, including hard drives, PCs, and laptops. However, some organizations lack a truly secure destruction program for electronic media. Even when it comes to physical documents, most organizations will find themselves spending as much time managing customer documents with sensitive information as they do storing marketing materials that may be out of date.
  • Stay current on the industry’s best practices. Don’t become complacent with current policies and procedures. Risks are always evolving and changing. Be more strategic and effective by researching best practices for policies, procedures, compliance oversight, and new technologies. Investigate industry trends and read information from peers and thought leaders. Then take the extra step to think through the potential implications of the best practices on your business.
  • Think like the business. Do you know how much you are spending on records management? Can you demonstrate ways to drive increased efficiency in the organization? Earn records management investment dollars by presenting business leaders with a clear and concise business case. You can highlight benefits (tangible and intangible), expected savings, or payback and risks associated with action or inaction. Use industry research to quantify the value of the benefit and the potential cost of the risk to the business. As with many successful business cases, don’t give up if the first try isn’t persuasive. Invest time in modifying the business case and getting key stakeholders aligned, but be sure to stay consistent in your rationale for the investment.

Develop a Plan

While it’s impossible to eliminate all risks, steps can be taken to significantly reduce those facing your organization. Start with a solid plan. It’s important to think strategically about records management and how to make your business case for prioritization and funding for records management. Given such a complex environment, it is important to lay out a strategic plan that ensures you are covering all areas of risks, recognizing that it will take some time – likely years – to get the program in a position where management is comfortable with the level of risk.

First, establish a baseline. It is always important to understand where you are starting from in order to measure the benefit of your strategic plan. In addition, with regular monitoring of this data, you can determine if you are on track to meet your goals and adjust your strategies accordingly. Some potential records management metrics may include:

  • annual number of breaches or potential for breach
  • percentage of inventory properly indexed (could be done based on sampling)
  • number or percent of records past retention period
  • percentage of employees completing annual compliance training
  • total number of records in the organization, separating physical and digital (this can help keep track of the growth of information)
  • percentage of information requests properly filled by records management department (accurate and timely)

Next, begin outlining your strategic records management plan. Consider investment time to development of the following components:

Define success. As time management expert Stephen Covey would advise, begin with the end in mind. What are you trying to achieve as a records manager? How will you measure the success of your plan? Save money. Avoid policy fines. Create a more efficient organization. Serve and protect your customers. The list can be as unique as your organization. You can also establish metrics with each goal. Where would you like to be in one year, three years, and five years? Use the baseline assessment of your metrics to establish realistic targets.

Establish program elements. What will you include in your strategic records management program? Use industry research and data to help define what this should look like. For example, will your program include secure destruction? Will it cover both internal and external records? Will it be specific to a location, country, or region? While an effective program will typically cover all of these elements, it is important that your strategic plan focuses on those areas where the organization believes it has the greatest amount of risk.

Get tactical. Based on your assessment of the various metrics and a clear understanding of your greatest risks, outline specific items you would like to see in your records management program over the next three to five years. It is important to pick a time period over which you will have influence but also recognizes that it cannot all be accomplished in one year. Specific tactics can include items such as employee compliance training; record retention management; securing electronic data; enhancing security of data with vendors; etc. Use a traditional SWOT (strength, weaknesses, opportunities, threats) analysis to address any major gaps and also include opportunities for implementing best practices.

Be detailed. Looking ahead to five years, get detailed about what steps to take over the next year to make progress against the tactical plan. Too often, individuals set a target three to five years out in the future. They believe they are making progress against the target, but when year three approaches nothing has changed. The key is to break the target down into achievable one-year or even half-year milestones. For example, if your goal is to enhance security of data with outside vendors, the first year milestone might be to take an inventory of the policies for vendors handling 75 percent of your information. Based on that, identify any major areas of risk. Also be sure to include necessary resources when building out the detailed one-year plan.

Track your progress. A perfect plan is no help when you don’t use it. Establish a specific cadence for tracking your progress against the detailed one-year plan (quarterly at a minimum). Make this progress transparent to key stakeholders across the organization, and use it as a tool to ensure key decisions are made and important deadlines are met.

Finally, measure the success of your strategic planning by the impact it has on your metrics, not necessarily the ability to hit all of your milestones exactly when you were supposed to. For strategy to be effective, it has to be flexible. Always assess your progress on an annual basis, and should the environment change, be willing to change your tactics.

Businesses in all industries are recognizing the dynamic environment today in records management and realizing the need for reliable solutions. Ineffective records management and data breaches can be disastrous to customer retention and reputation. Follow best practices and develop a strategic plan to both manage and reduce risk.

Jamal Powell is global director of strategy of Recall Corporation. He is responsible for helping to shape and implement the future strategic direction of Recall.

Michele L. Guido, CBCP, MBCI, is the business assurance principal for Southern Company. She is responsible for advising the business assurance program, which addresses resiliency across all facets of the company. She has worked at Southern Company since 2004.

Aris: Southern Company is a leading producer of electricity in the U.S., with more than 4.4 million customers and more than 43,000 megawatts of generating capacity. It also has several major subsidiaries in nuclear power, telecom, and wireless, with total assets of nearly $60 billion, and 26,000 employees. With this in mind, who do you consider your key stakeholders and what are the business continuity needs of each group?

Guido: Customers are at the center of everything we do. They are the first filter for developing our strategy and tactics and in measuring our business results. We define ourselves through reliability, price, and customer satisfaction. Business continuity has a key role in the “reliability” component of this culture.

We must provide high reliability, and we do. Our statistics for transmission, distribution, and generation are among the best in the industry. We’ve been able to maintain that level of service even when we’ve been hit with catastrophic system failures around us – the blackouts in the Midwest and the Northeast – as well as natural disasters within our own territory like Hurricane Katrina. Our delivery of clean, safe, reliable, and affordable electricity to customers leads to constructive regulation which in turn results in healthy capital spending. It’s what we refer to as our “Circle of Life.”

At a high level, Southern Company has adopted the concept of all-hazard planning for both electric and corporate operations. This approach to planning ensures understanding of critical process, associated business infrastructure (technology, personnel, data, facilities, etc.) and interdependencies, both internal and external. Needs may be unique for a group, but the approach provides viability, sustainability, and consistency.

As an example, Southern Company’s operating subsidiaries maintain detailed and dynamic disaster recovery plans for storms along the Gulf Coast. These plans are graduated based on the expected damage from the five categories of hurricanes, with specific responses and actions identified for each. Our plans provide for flexible and decentralized authority to make decisions as close as possible to the disaster.

Aris: Southern Company has a reputation as one of the most reliable and stable power providers in the U.S. It also provides power to residents in an area covering 120,000 square miles across four states. So there are both corporate and professional reasons as well as very practical reasons to maintain a high level of service. Why is your business assurance program so important to your organization, and how is it influenced by the fact that you are a key part of the infrastructure of the U.S.?

Guido: “Keeping the Lights On” is at the CORE of our business. Being part of our nation’s critical infrastructure outlines the need for the prioritization of critical functions and services. Our restoration plans define the priority for repairing critical facilities and equipment based on the need to establish stability to the electric system and to restore service to critical customers like hospitals, emergency responders, and water systems. Public health and safety take priority. Our program is a business issue, managing risk across the enterprise along with stakeholder expectations.

Aris: In an organization as large and as diverse as yours, executive leadership obviously has a lot of concerns on a day-to-day basis, from operations to efficiency to revenues. How do you achieve “buy-in” from executives in prioritizing the business assurance program, and how do you demonstrate its value back to the business, e.g. show gaps in RTO?

Guido: Business assurance is defined as “the confidence in our ability to maintain business-critical operations during an unexpected disruption.” Preparedness is institutionalized across Southern Company and its operating companies. We are evolving from project to program to culture. The business assurance program reports to an executive council that sets prioritization of work, ranging from policy to engagement. The council meets on a quarterly basis.

Aris: A number of standards and regulations are widely used in business continuity, such as PS Prep, BS25999 and NFPA 1600, and in addition, Southern Company has very strong governance and policies internally related to business continuity. What are the elements that help you manage a program like this across a large enterprise?

Guido: The business assurance program has three key elements: protect, prepare, and respond. The elements focus on minimizing or eliminating the impact of events that have the potential to disrupt critical business operations, functions, or services. We use business continuity management software as well to help us manage our business and IT challenges and adapt as changes occur. There are many owners and vehicles to support the program, from evacuation, safety, storm, business continuity, crisis communication, and compliance. Our business assurance department is the enabling arm of the program. However, ownership exists across the company from executives, business unit managers, information technology, enterprise risk, compliance, facilities, and security.

Aris: Business continuity and disaster recovery planning is always influenced by external changes —global economic change, environmental forces, and advances in technology — as well as internal shifts in performance measurements and goals. How do you ensure your business assurance plan is up-to-date, scalable, and flexible?

Guido: We learn from every event – our own and others. We practice and routinely revise the plan as we gain new experience, whether a natural, man-made, or technological event. BCM software also helps us make risk assessments and identify gaps. As a regulated industry for reliability of the bulk power system, we continuously work with our industry and government (federal, state, local) to improve our situation awareness and information sharing. Specifically, we work with the Department of Homeland Security and Sector Specific Agency, Department of Energy on public-private sector partnerships, the National Infrastructure Protection Plan (steady state), and the National Response Framework Plan (crisis state). Electric companies are part of the nation’s critical infrastructure key resource sectors (CIKRs); with all mentioned, and others, we strive to keep our plans reliable and resilient.

Kathleen Aris, CMP, is a senior manager of events marketing for SunGard Availability Services.

“Mathias Thurman,” a real security manager whose name and employer has been disguised for obvious reasons, wrote in the May 21 edition of Computerworld [www.computerworld.com/s/article/9227254/Red_Alert_for_Child_Pornography] that an administrator, during a training session with an employee on how to manage the organization’s antivirus infrastructure while reviewing the reports of machines with infected files, spotted what appeared to be a very suspicious file with a “.mov” extension.

This particular employee had an MOV file on his G drive with a name that indicated the video potentially involved child pornography. The file was found to be on a device of an employee located in Europe.

Thurman posed the question whether an MOV file with a highly suggestive name is enough to kick off an investigation into what is on an employee’s PC. He went on to discuss the various legalities and issues that would surround such an investigation.

This all-too-real scenario is out there, lurking, waiting to strike any organization that is dependent upon technology or that allows its employees access to this technology. In essence, any company which desires to remain competitive in today’s global marketplace. Every organization, regardless of its size, is prone to be a victim of illegal, unauthorized use of its IT infrastructure.

Thurman’s comments are very timely and should be required reading and posted to every IT executive/manager/department head, HR director, information security manager, auditor, and legal counsel with an organization. That goes as well for those professionals responsible for business continuity planning. The illegal use of an organization’s IT infrastructure, if unchecked, could result in a significant disruption of organizational services, legal and financial exposure, as well as loss of company goodwill and customer base.

If not addressed properly, legal ramifications brought by wrongfully accused, emotionally scarred, or professionally injured employees will compound the situation, exposing the organization to additional legal and financial liabilities and possibly unflattering public exposure and legislative scrutiny.

Currently, this is not primarily a technical issue but, strategically right now, it is a procedural issue.

As Thurman aptly states, there are plenty of repulsive people out there tramping about in many unsavory and illegal areas. In today’s technology-rich workplace, it is not a matter of “if” but “when.” When your organization faces these same issues, how will you respond? Are you prepared to respond? Can you respond?

When, an organization is required (certainly by law, or through enforcement of its internal policies), to address the possibility of inappropriate or illegal employee activity conducted with, on, by, or through the use of the organization’s IT infrastructure, will your organization be prepared to legally conduct an appropriate investigation, in order to acquire the evidence necessary to evaluate guilt or innocence? Respond to a request for such data from external legal or law enforcement authorities?

Given the ever increasing individual and organizational dependency on technology and devices that store, process and transmit billions upon billions of bits of data per day, organizations must begin to immediately investigate, organize, staff , train, and formulate an internal, cyber forensic response strategy along with a comparable, well-trained, cyber forensic investigation team.

Child pornography is certainly repulsive, and any indication that organizational infrastructure is being utilized to support this activity would require swift and decisive action on the part of any organization to identify and stop it immediately.

Child pornography, however, is not the only violation that would activate the organization’s cyber forensic response team. Theft of intellectual property, violation of company policy, cyber espionage, fraud, non-compliance issues, threat of cyber extortion, etc., would be reason enough to have a pro-active cyber forensic response capability. In fact, any event that by its very nature elevates data to the status of digital evidence, will require specifically trained and skilled cyber forensic response professionals to follow documentable and strict investigatory procedures and processes, to identify, recover, extract and analyze these potentially evidentiary data.

For most organizations, these professionals won’t just be sitting around waiting for the call to action. They will be trained to perform a variety of anti-fraud, compliance, and security responsibilities as well. Teams will consist of properly-trained cyber forensic investigators, ready to respond globally to an organizational need to secure, identify, extract, and analyze potential digital evidence, all in a manner legally acceptable in a court of law.

The court of law and the rules which must be followed for attaining legally acceptable digital evidence, differs here in the U.S. verses in global destinations where the organization may be located, have employees or agents conducting company business, or have their data “parked” via a third-party cloud provider.

Even if the investigation is performed only to enforce compliance with internal company policy, conducting the investigation as if the results are to be used in court, makes those data collected admissible as evidence should things turn nasty and heading into court becomes an unforeseen necessity.

On an international scale, the ability to access these data and to perform a cyber forensic investigation may be hampered by conflicting privacy laws, data security legislation, and to a greater extent, the lack of country-specific data security and privacy legislation addressing the scope and limitation of conducting a cyber forensic investigation by a U.S. company on foreign soil.

Right now, before the alarm to action sounds, companies should be addressing a host of preparatory questions to assess their readiness to respond to the need to conduct a cyber forensic investigation.

Questions such as …

Exactly what is unacceptable material? Is this defined by the organization? By legal doctrine? By both? Is this simply left up to the individual discretion of the employee?

Are those items, data, etc., deemed unacceptable by definition, clearly communicated to all company personnel? External vendors with access to company-owned technology? Guests? Visitors? Anyone with access privileges to company-owned technology?

Do all employees know what to do and whom to call, should they accidentally access or encounter unacceptable material?

Do we have …

1. a proactive cyber forensic investigation (CFI) policy in place?

2. properly-trained cyber forensic investigators on staff that can respond in a proper and legally defensible manner, to the need for a CFI? If not, have we pre-assessed and pre-qualified a third-party cyber forensic investigation organization that can respond and perform the required cyber forensic investigation processes, in an authorized, legally defensible, and timely manner?

3. a current, up-to-date inventory registry of all company provided technology assigned to an individual employee? Can we “tie” an individual piece of company owned and distributed technology back to an individual employee, via an employee signature attesting to the receipt of these technologies?

Have we …

1. defined and communicated to all employees what constitutes unacceptable use of company IT infrastructure and data, both from an organizational policy perspective as well as legally defined?

2. discussed an appropriate protocol with third-party service vendors, should these vendors encounter unacceptable materials (read images) on company-owned hardware during servicing operations?

3. instructed all employees not to probe or to take any further actions, which may potentially alter or destroy data, upon discovering questionable (unacceptable) material on any company-owned technology?

Based upon an evolving business impact analysis (BIA) and risk assessment process, do we …

1. conduct proactive cyber forensic investigations at all levels of the organization?

2. as part of an employee exit interview process, secure and forensically acquire (following strict chain of custody processes and procedures) any hard drive technology accessible by the employee, thus preserving these original data, should these data be required to be forensically analyzed at a future date?

Note … this acquisition process would not be performed on every employee leaving the organization, only those employees whose job responsibilities have been identified as having access to sensitive, critical, essential data, based upon the BIA and risk assessment.

Does every employee know that the organization has a cyber forensic response team? That this team should be called first prior to any action on the part of an employee to assess or analyze any suspicious and/or company defined unacceptable data? How do we intend (or can we) enforce this policy?

Does the organization’s acceptable use policy extend to all external vendors connecting to the organization’s IT infrastructure? Have these external vendors/contractors agreed to submit any connected device for forensic examination, upon request by the organization’s legal counsel?

For each foreign operation, where company data is processed and held (backed up on site or “parked” by a cloud service provider), do you have specific knowledge of the country’s cyber-crime laws (if they exist) and how these laws will affect your abilities to perform a cyber forensic investigation of a suspected employee, who may be a foreign national? How about a U.S. citizen working in a foreign country?

These preparatory questions can go on for many pages. The point is that now is the time to assess the organization’s preparedness and ability to successfully perform a legally defensible, valid, accurate and thorough cyber forensic investigation.

It is not solely a technical question or response. Preparedness will require the intimate involvement of and between IT, business continuity planning, HR, legal, and executive management.

The time to act is now. Act or accept!

Albert J. Marcella Jr., Ph.D., CISA, CISM is president of Business Automation Consultants, LLC. He is an internationally recognized public speaker, researcher, and seminar leader with 35 years of experience in IT audit, security and assessing internal controls. He is an author of numerous articles and 26 books on various IT, audit, and security-related subjects. Marcella’s most recent book, “Cyber Forensics: From Data to Digital Evidence,” was released in May 2012. For more information, contact him at This email address is being protected from spambots. You need JavaScript enabled to view it. or visit www.businessautomationconsultants.com.