Thoughts on business continuity exercises


Rob Davis provides some pointers for successful exercises.

It is well recognised by exponents of our art that effective evaluation of emergency or business continuity plans by exercise is invaluable. As contributors to the Continuity Central site we are all of like mind. The common thread in previous articles identifying senior management as an obstacle is not easily overcome. Our message needs to get out from this ‘congregation of the converted’ - out to those senior managers who are an essential component in a successful evaluation formula.

See Thoughts on business continuity exercises

=================================================================
An unexercised contingency plan could be worse than no plan at all!

Be sure to read Disaster Recovery Testing: Exercising Your Contingency Plan (Philip Jan Rothstein, FBCI, Editor) for valuable tips, techniques and insights.

Study: Cybercrime Emerges as a Major Business Risk


Finjan Inc. recently announced the findings of its Web security survey of 1387 IT/security professionals conducted during July 2008.  The results reveal that an overwhelming number of respondents perceive cybercrime as a major business risk, specifically the possibility of their sensitive information such as customer, patient, and employee data being stolen by crimeware.

Following its Q2 Trend Report findings about today’s cybercrime economy and its modus operandi, Finjan conducted an online survey to determine the current perception of cybercrime and Web 2.0 risks to organizations. Respondents were asked about business risks resulting from crimeware attacks, the potential damage that successful attacks might inflict, their knowledge of being breached, their main concern with respect to data theft and loss of productivity, and about security solutions and Web 2.0 policies.

Key findings from the survey:

  • 91 percent of all respondents stated that they perceive cybercrime as a major business risk (e.g., loss of customers, brand name damage, lawsuits, etc.)
  • 73 percent of all responding CIOs and CSOs were more concerned about data theft (crimeware stealing their business data) than about downtime and loss of productivity due to virus infections
  • The majority of the respondents (68 percent) indicated that their corporate intellectual property and sensitive information is at risk of data theft
  • More than half of the respondents (54 percent) worry about their corporate employee information being stolen
  • 47 percent of all respondents listed theft of their corporate customer information as a major business concern
  • 25 percent of the respondents reported that their data had been breached, with a further 42 percent of respondents stating that they could not exclude the possibility of a breach
  • 67 percent of respondents knowledgeable about web security listed real-time content inspection technology as the preferred web security solution

For details on the survey click here.

======================================================

Strong, comprehensive Infosec policies and procedures are essential to avert these and other cybercrime vulnerabilities.

Information Security Policies Made Easy is the definitive tool.

Is Post-Pandemic Recovery Planning Being Ignored?


A paper which was published in the September issue of the Business Continuity Journal highlighted a significant gap in current pandemic planning guidance. Preparedness For A Flu Pandemic In Europe: Gaps In Advice by Alexandra Conseil and Dr. Richard Coker, of the Department of Public Health Policy, London School of Hygiene and Tropical Medicine, presented a gap analysis of European pandemic planning guidance. It concluded, among other things, that post-pandemic recovery planning is an area which almost all pandemic planning guidance has failed to address.

DRP Awareness Training - Always a Good Idea


The planning process for developing a data center disaster recovery plan is often viewed as a daunting task.  Much of the time the people who start the project - or new people added to assist - lack a good overview of the development components and process.  This leads to frustration, incomplete data collection, and missed deadlines.

Microsoft & Acronis Unveil New Product for Exchange Recovery


Microsoft recently announced Acronis® Recovery™ for Microsoft Exchange as its latest solution for backup and restoration of its popular email product.

Top 10 NetSec Threats to SMBs


Unlike large enterprise organizations, small-to-medium-sized businesses (SMBs) face multiple security threats with often limited resources to protect assets, data and customer information. New research from WatchGuard Technologies has identified the ten leading security threats to SMBs.

World Conference 2009 Announces Call for Papers


The Canadian Centre for Emergency Preparedness (CCEP) is calling for presentations for the 19th World Conference on Disaster Management (WCDM).  The Conference will be held at the Metro Toronto Convention Centre, Toronto, Canada from June 21-24, 2009.

The Conference theme will be A Climate for Change - Communication, Collaboration and Cooperation. A major goal of the 19th WCDM is to offer a program that challenges delegates by examining traditional concepts and methods, and provides:
- New ideas and approaches to problem solving
- Both leading edge and topical presentations
- Opportunities to network with key individuals and organizations

Presentations should fall into one or more of the following categories:
- Real Events/Lessons Learned
- Emerging Trends in Disaster Management
- The Human Element in Disaster Management
- Technical Issues/Threats
- Disaster Management Principles & Practices
- Academic/Research and Development

Presentation abstracts must be submitted by December 5, 2008.  To submit an abstract, click here.

After the Data Center DR Plan, Business Units are Next


Many companies focus their disaster recovery efforts on the data center first.  This is as it should be since it is usually on the critical path for most business units in a recovery effort.  Without availability of major systems and applications not much happens in today’s world.

However, disasters don’t occur only in the data center.  Frequently, disasters (fire, flood, hurricane, etc.) affect a business location without any impact on the data center.  It may be up and running while the business unit (e.g., a department) has nowhere to work.  In the end, that situation often terminates the processing of activity within a critical business unit.

While data center plan components are well known (backups, hot site, alternate network, etc.) there are components associated with recovering a business unit that aren’t accounted for in a traditional data center DR plan.

For example, here are a few business unit components to consider:

  1. Special equipment needs such as scanners or imaging equipment that resides within the business unit location.  If these specialized devices are gone, can the business unit continue operations?
  2. An approach to interim processing procedures. During Y2K we referred to these as workarounds.  Can some business functions resume immediately without computer support?
  3. Alternate site work space requirements.  How many printers, fax machines, PCs, phones, etc. are needed by the business unit?
  4. Facility requirements at the alternate work site.  These can include parking spots, rest rooms, reception requirements, etc. to name a few.  Without adequate facilities can the business unit be expected to function?

These are just examples of what needs to be evaluated when developing a business unit disaster recovery plan.  As you can see, for the most part these are not covered in a typical data-center-only disaster recovery plan document.

========================================================

Jan Persson is the author of the GO.RECOVER-Data Center Disaster Recovery Template - a powerful yet easy-to-use tool for under $100

GAO Report: Lessons from Hurricanes, Natural Disasters


The US Government Accountability Office (GAO) recently published a new report entitled Disaster Recovery: Past Experiences Offer Insights for Recovering from Hurricanes Ike and Gustav and Other Recent Natural Disasters.

The report seeks to capture some of the main disaster recovery lessons that have emerged from six major disasters that occurred from 1989 to 2005.

Among other things GAO found the following insights:

  • Create a clear, implementable, and timely recovery plan. Effective plans provide a road map for recovery.
  • Build state and local capacity for recovery. State and local governments need certain capacities to effectively make use of federal assistance, including having sufficient financial resources and technical know-how.
  • Implement strategies for business recovery. Business recovery is a key element of a community’s recovery. Small businesses can be especially vulnerable to major disasters because they often lack resources to sustain financial losses.
  • Adopt a comprehensive approach toward combating fraud, waste, and abuse. The influx of financial assistance after a major disaster provides increased opportunities for these things. Looking for ways to combat such activities before, during, and after a disaster can help states and localities protect residents from contractor fraud as well as safeguard the financial assistance they allocate to victims.

To download a copy of the report, click here.

Your Tax Dollars at Work: New DHS Study Outdated at Release


The Department of Homeland Security paid an independent organization $450,000 to make recommendations on a classified terrorism program. The study took two years to complete, and was released at the end of September 2008. So why is the report already outdated?

DHS asked the National Academies to review its Bioterrorism Risk Assessment tool in 2006. The tool is a presidentially mandated program that assesses millions of potential bioterrorist attack scenarios, such as anthrax that is widely dispersed in a major city. For each scenario, it defines the likelihood of the attack happening and what the consequences would be.

According to the committee that wrote the report, the review took two years to complete because it took one year to hold five meetings on it, six months to do an internal review process with 10 separate reviewers, and six months for the Homeland Security Department to review it.

In its report, the National Academies recommended that DHS simplify the formula, create a standard lexicon, and think of terrorists as ‘intelligent adversaries’ who know about US defenses.

But the DHS had already updated its program to include several of these points. A DHS spokesperson said that in other instances, the Academies’ recommendations were contrary to what the department and other leading academics consider to be the best methods.

To review the report, click here.

Evaluating Business Continuity/Disaster Recovery Consultants


How to Evaluate BC/DR Consultants

Five questions to help weed out the posers from the real deal. Plus: a checklist of topics a BC/DR consultant should know.

By Stacy Collett, CSO Online, July 11, 2008

See How to Evaluate BC/DR Consultants