Are You Ready for the Next Disaster?


By Eric Klinenberg, New York Times

“Mother Nature goes to extremes in the summer, spoiling the gift of good weather with hurricanes, heat waves, fires and floods. This year she started early. On May 2, Cyclone Nargis laid waste to large parts of Myanmar. According to the latest counts, the disaster left 2.4 million people destitute, more than 50,000 missing and at least 84,000 dead. On May 12, China’s Sichuan Province suffered an earthquake measuring 7.9 on the Richter scale. China’s state media reported that more than five million people lost their homes; an estimated 80,000 people, many of them children, were killed.

“Is there anything we can do to avert such dangers? These days, of course, extreme weather is only one of the many perils we face. Terrorist attacks or technological accidents involving nuclear weapons; pandemic diseases that cannot be cured; comets and asteroids that could wipe out the human race. We live in an age of risk assessment and risk analysis, when doomsday scenarios have become daily anxieties, and planning for improbable but world-changing events has become a focus of disaster policy.”

Survey: 53% of Small Firms in U.S. Don’t Archive E-Mail


A recently published survey of 421 IT executives at small- and medium-sized businesses (SMBs) in the U.S. found that 53 percent of those surveyed have not implemented an e-mail archiving system within their organizations. The research was carried out by eMediaUSA on behalf of GFI Software, a developer of e-mail archiving software.

The survey also found that, among those companies currently using an e-mail archiving solution, 35 percent are relying on end users to manage their own e-mail archives, 35 percent use an in-house solution to archive e-mails, and 33 percent use tape backups.

Top reasons given for retaining e-mails included:

  • internal inquiries and investigations (39 percent);
  • backup (31 percent);
  • compliance (28 percent); and,
  • reducing the load of mail quotas on Exchange Server (27 percent).

Reasons given by SMBs that are not using an e-mail archiving solution included: the company is too small to need an archiving product (26 percent); they are not impacted by compliance regulations (21 percent); no budget (26 percent); and e-mails are stored on the mail server (23 percent).

Other key findings from the survey include:

  • 5 percent archive e-mails indefinitely, while 21 percent keep them six months to a year
  • 47 percent have had to search for old or deleted e-mails because of compliance requirements
  • 29 percent say it typically takes less than an hour to find an e-mail from 15 months ago or longer
  • 40 percent do not feel they are sufficiently informed about compliance and e-mail archiving issues

On a positive note, the survey found that 36 percent of respondents consider e-mail archiving important, and 23 percent found it very important. Further, more than half of those that use an e-mail archiving solution have had a positive experience using it.

DHS, HHS Release Pandemic Influenza Vaccine Guidance


The Departments of Health and Human Services (HHS) and Homeland Security (DHS) recently released guidance on allocating and targeting pandemic influenza vaccine. The guidance provides a planning framework to help state, tribal, local and community leaders ensure that vaccine allocation and use will reduce the impact of a pandemic on public health and minimize disruption to society and the economy.

“This guidance is the result of a deliberative democratic process,” HHS Secretary Mike Leavitt said. “All interested parties took part in the dialogue; we are confident that this document represents the best of shared responsibility and decision-making.”

“A severe pandemic has the potential to disrupt our everyday way of life,” said DHS Assistant Secretary for Health Affairs and Chief Medical Officer Dr. Jeffrey Runge. “This guidance was developed to ensure that our nation’s critical infrastructure remains up and running and we address the needs of all of our citizens, enabling the country to recover from a pandemic more quickly.”

As part of developing the guidance, HHS held day-long public engagement and stakeholder meetings throughout the country and received more than 200 written public comments on the goals and objectives of pandemic vaccination. In all the meetings, stakeholders and the public identified the same four vaccination program objectives as the most important:

  • Protect persons critical to the pandemic response and who provide care for persons with pandemic illness
  • Protect persons who provide essential community services
  • Protect persons who are at high risk of infection because of their occupation
  • Protect children

The guidance is also firmly rooted in the most up-to-date scientific information available and directly considers the societal values and ethical issues involved in planning a phased approach to pandemic vaccination.

The ultimate goal of the pandemic vaccination program is to vaccinate every person in the United States who wants to be vaccinated. Because pandemic vaccine cannot be made fast enough for everyone to be vaccinated at once, federal, state, local and tribal governments, communities, and the private sector can use the guidance to decide who should be vaccinated during this early stage to best protect people and communities.

The guidance’s vaccination structure defines four broad target groups, people who:

  1. maintain homeland and national security,
  2. provide health care and community support services,
  3. maintain critical infrastructure, and
  4. are in the general population.

Everyone in the United States is included in at least one vaccination target group. People who are not included in any occupational group would be vaccinated as part of the general population based on their age and health status.

While vaccines are an important resource in a pandemic, vaccination will only be one of several tools to fight the spread of influenza if and when a pandemic emerges. Other tools include community public health measures, antiviral medications, facemasks and respirators, washing hands and covering coughs and sneezes.

===============================================================

A Pandemic Preparation and Response Plan should be an essential component of any Business Continuity Management Program.

You Manage What You Measure


A key part of disaster recovery planning involves measuring how things are going. This is usually referred to as “metrics.” Usually, we think of metrics as they relate to data center issues like up time, response time, number of network outages, etc. But there are more important issues to address using metrics.

When it comes to disaster recovery, metrics are often scarce or not maintained at all. This doesn’t need to be the case. Just to get started, consider the following five sample metrics for keeping track of how DRP is going:

  1. Total number of applications supported from the computer facility - This sets the scope for the potential for DRP requirements
  2. % of total applications covered by a DR strategy - Could include hot sites, high availability systems, quick ship requirements, etc.
  3. # of DR test hours scheduled each year - This is the total scheduled test time in a one-year period
  4. % of total DR scheduled test time actually used each year - Could be under or over 100%, and can be reported as a cumulative metric throughout the year
  5. # of months since the last DR Plan “Maintenance Cycle” - Ideally, this should not exceed 6 months

Just by starting with these five metrics you’ll begin to keep track of how your firm’s disaster recovery capability is progressing. It also is an easy way to report to management on progress and issues identified. Metrics will relate to these kinds of issues very well.

For a more detailed discussion of disaster recovery metrics, see the Disaster Recovery Journal Winter 2005 issue, Volume 18, Number 1, The Time Has Come for DRP Metrics, by Jan Persson.

————————————————————

A sound Disaster Recovery Plan is essential for any data center. Jan Persson’s GO.RECOVER-Data Center Template is a powerful yet easy-to-use tool for under $100.

NEW BOOK - Pandemic Influenza: Emergency Planning, Community Preparedness


New book by Jeffrey R. Ryan - available August, 2008:

Pandemic Influenza: Emergency Planning and Community Preparedness

  • Analyze the threat of pandemics in general, and influenza specifically
  • Identify principles associated with the National Strategy for Pandemic Influenza
  • Assess factors leading to an outbreak of the highly pathogenic avian influenza, including its potential effect on the economy
  • Evaluate the use of pharmaceutical and nonpharmaceutical measures
  • Determine response actions of various emergency services disciplines as they relate to communications, travel, and quarantine
  • Examine the components of service continuation essential for the private sector to remain intact during a severe pandemic

“… an amazing resource … Dr. Ryan has assembled some of the best experts in the field to guide you in understanding the threat of pandemic influenza and how it can affect you and the people you are responsible for. …” - From the foreword by Lynn A. Slepski, Captain, United States Public Health Service

No one is immune to the potential devastation of a mass pandemic influenza outbreak. Yet despite recent small-scale outbreaks and dire warnings from the World Health Organization that such an event is imminent and overdue, our preparedness continues to lag. Part of the problem is that while a national plan is important, all the real action must occur at the local level. Triage, care, and containment, along with maintenance of the infrastructure, are functions that must be carried out by local planners and responders.

Pandemic Influenza: Emergency Planning and Community Preparedness introduces readers to the critical global and domestic issues regarding a potential pandemic. Featuring the contributions of leading experts, this volume arms planners and responders with an understanding of outbreak containment and response planning and provides an analysis of our present capabilities and potential weaknesses.

The first section reviews the history of pandemics and discusses the deadly 1918 Spanish flu. The middle chapters examine the biology of the virus and the clinical aspects of influenza, with special attention given to Avian Influenza. The final chapters examine international and federal programs and discuss response at the local level, including service continuation planning and fatality management.

Public health and emergency preparedness professionals, as well as policy makers at all levels will find a wealth of information to help them create a plan and allocate the proper resources to mitigate the devastation of a pandemic influenza.

Special Offer!

Be prepared! Purchase Pandemic Influenza, along with the Pandemic Preparation and Response Plan Template for Business on CD-ROM for $119.90.

Survey: U.S. Small Businesses Not Prepared for Power Outages


If the power goes out, will America’s small businesses be prepared? Not really, according to the results of a recent survey commissioned by Emerson Network Power, a business of Emerson.

The survey results indicate that the issue is not really “if” the power will go out but “when.” Consider these statistics:

  • 79 percent of the small business decision makers surveyed experienced at least one power outage in 2007.
  • 67 percent of respondents anticipate experiencing outages again in the next 12 months.

Even more alarming is that of the small businesses that experienced outages in 2007, 42 percent had to close their businesses during the longest outages.

And while small-business decision-makers ranked outages above fire, government regulation, weather damage, theft, and employee turnover as threats to their businesses, only 39 percent of them have back-up power systems, leaving 61 percent vulnerable to the negative business impacts of outages.

In a tight economy, a plunge into darkness could put a small business in the red. On average, power outages cost about $80 billion each year, with most losses — 98 percent — borne by businesses, according to the Department of Energy.

“Emerson’s survey findings are alarming considering that more than 99 percent of all American businesses are small businesses, with these companies generating 45 percent of the total U.S. payroll,” said Steve Strauss, nationally syndicated business columnist and author of “The Small Business Bible.” “It is critical that small enterprises have a business continuity plan that includes backup power systems to keep the business running when the main power source goes down.”

To help small businesses understand the impacts of power outages, Emerson Network Power has launched a backup power information resource at www.emerson.com/smallbusiness. It includes an online tool small companies can use to measure their vulnerability to the impacts of outages.

Emerson Network Power released the findings of the survey in conjunction with the fifth anniversary of the Great Blackout of 2003, which began on Aug. 14, 2003, when an overgrown tree tangled with sagging power lines in Ohio and triggered a series of human and technology gaffes that resulted in the largest power outage in North American history. The blackout left 50 million people in the northeastern U.S. and Canada in the dark - some for days - and cost the economy an estimated $6 billion in productivity.

For additional reading on emergency power systems, see Power Systems in Emergencies: from Contingency Planning to Crisis Management, by U.G. Knight.

DRII Calls for Halt to ASIS BC Standard


The Disaster Recovery Institute International (DRII) has issued a call to its membership and others in the profession to stop the development of a new ASIS business continuity standard (see blog entry dated August 6). Calling for BC professionals to, in effect, “stop the madness” with the continued development of new BC standards, DRII asked people to write to ASIS and even offered several possible messages to send ASIS. Following are excerpts from the message.

“Last October, Disaster Recovery Institute International (DRII) issued a position statement regarding the establishment of a standard for Business Continuity Planning. This was in response to the American Society for Industrial Security (ASIS) attempting to push through an unproved and ill-considered standard with the American National Standards Institute (ANSI). We believed that our statement had settled the matter.”

“However, ASIS has filed two notices with the ANSI called “PINS Forms: Standards Action Public Review Requests.” One of these is “BSR/ASIS BCM.01-200x, Business Continuity Management: Preparedness, Crisis Management, and Disaster Recovery”. This proposed standard is being drafted “to include auditable criteria for preparedness, crisis management, business/operational continuity and disaster management using a process approach with the Plan-Do-Check-Act model, as required by Title IX of H.R. 1 and Public Law 110-53 ‘Implementing Recommendations of the 9/11 Commission Act of 2007’”.”

“DRI International strongly opposes this filing. We are asking our colleagues and certified professionals in the field to oppose this effort to create a “Business Continuity Management” standard in an industry already beset with multiple and often confusing standards. The comment period for this “PINS” phase of “BSR/ASIS BCM.01-200x” closes on August 30, 2008.”

“Please send a clear message to ANSI through its designated point of contact, Susan Carioti at scarioti@asisonline.org. We are making every attempt to coordinate this effort and track the comments, which we believe will help in making presentations to ANSI and other appropriate agencies. When you send your e-mail to Ms. Carioti, please send a bcc to standards@drii.org. Your efforts are greatly appreciated.”

Commentary: While it’s true that there are over two dozen standards that address business continuity in one way or another, and it’s true that NFPA 1600 (National Fire Protection Association) is the American national standard, few professionals in this country are actually using the standards. Previously conducted surveys by such firms as Deloitte and Touche showed that less than one-quarter of the respondents knew about NFPA 1600, much less used it. More attention is being focused on the British Standard, BS 25999, than NFPA 1600. Further, it is likely that within the coming year the International Organization for Standardization (ISO) will issue a global standard for business continuity. What happens then? Hopefully most of the standards commotion will cease, and we can move forward with our profession, knowing that it has a global set of guidelines on how to perform this vital service.

Disaster-proofing the Supply Chain


Using Supply Chain Solutions to Prepare for the Next Disaster

by Andrew K. Reese, Supply & Demand Chain

Devastating terrorist attacks. Cataclysmic tsunamis. Catastrophic hurricanes. If these disastrous events in recent years have taught Dana Mathes anything, it’s that in this day and age, you really just don’t know what manmade or natural calamity might threaten to wreak havoc upon your supply chain next. “It’s very hard to understand or quantify what the threats are these days,” says Mathes, who is global supply chain director of logistics operations at Dow Chemical, the $49 billion producer of plastics, chemical and agricultural products.

“But as hard as it may be, thinking about the unthinkable has become an integral part of the job for Mathes, as it has for supply chain executives at many other enterprises. Because, for better or worse, in this age of lean, extended and outsourced operations, “disaster-proofing” your supply chain isn’t an option, it’s an obligation.”

See Best Practices for Disaster-proofing the Supply Chain.

===============================================================

Business Continuity Planning and Management for Manufacturing and Distribution businesses are a lot easier with this new CD-based tool.

Business Continuity Program for Manufacturing and Distribution on CD-ROM

Challenges and Opportunities for Business Continuity


Challenges and Opportunities for Business Continuity Within 21st-century Business Models

by David Kaye

First published: Journal of Business Continuity and Emergency Planning; September 2006 Henry Stewart Publications

This paper sets out to explore the new challenges and opportunities for business continuity within 21st-century business models. It illustrates why and how businesses are changing, demanding that traditional silos of risk thinking be broken down, and business continuity management (BCM) become a central and crucial tool for the board and its risk management team. The paper also sets out to explain an important need for traditional organisational barriers to be lowered among the risk community. As in all business change, there are drivers for that change. By exploring and understanding these drivers, it will be possible to fully appreciate why business continuity itself is changing, and why it must change further if it is to satisfy the needs and trust of its own stakeholders. That understanding will also help to forecast the challenges and opportunities for risk and continuity professionals that will evolve in years to come. It will also encourage some organisations to rethink how BCM is best skilled and positioned within their management structures.

NIST Announces Two New Guidelines


NIST Announces SP 800-41 Rev.1 and SP 800-124

The National Institute of Standards and Technology (NIST, based in Gaithersburg, Maryland), recently announced two Special Publications (SPs) of interest to business continuity professionals. First is SP 800-41 Revision 1, Draft Guidelines on Firewalls and Firewall Policy, which provides recommendations on developing firewall policies and on selecting, configuring, testing, deploying, and managing firewalls.

Second is SP 800-124, Draft Guidelines on Cell Phone and PDA Security. This guideline provides an overview of cell phone and personal digital assistant (PDA) devices in use today and offers insights for making informed information technology security decisions regarding their treatment.

ISACA Survey Results


ISACA Survey Addresses BC/DR Issues

ISACA, the Information Security and Audit Association, recently published the results of its 2008 Top Business/Technology Issues Survey. ISACA conducted the survey to validate and prioritize the findings of ISACA’s Business/Technology Issues Task Force, which conducts surveys and produces survey reports.

The task force identified 21 current business issues facing IT managers and executives. The list consisted of global issues that the task force felt were already affecting ISACA members and constituents, or would be in the next 12 to 18 months. The survey participants were then asked to rank the 21 business issues.
