Your Solution for SMART Response Plans

Concepts of Secured and Redundant Response Plan Accessibility

Posted on Thu, Apr 24, 2014

In preparedness and emergency management, the concept of risk and hazard identification is fundamental. However, the potential inability to access important documents, particularly during an emergency scenario, is often overlooked. If you experienced a catastrophic loss and could not access response plan documents, would you be able to conduct an effective response?

Companies must mitigate the risk that an incident may incapacitate access to response plansIn order to manage risks and build resilience, Traditional risk-management tools must be incorporated with new technology-based concepts. With more people owning multiple computing devices such as laptops, tablets and smart phones, the idea of data being restricted to a single desktop computer or binder without adequate redundancies is antiquated. Cloud and web-based technology offer enterprise-wide, up-to-date redundancies that traditional record keeping methods cannot provide.

Response Team and Stakehold Accessibilty

To counteract potential incidents, fallout vulnerabilities, and regulatory noncompliance, response plans should be securely shared with and accessible to regulators, auditors, inspectors, and responders. Having up-to-date information readily available to trained responders has been proven to limit the duration of the emergency.  The faster responders can locate, assess, access, and mitigate the emergency, the sooner an incident can be contained. However, in order to minimize additional vulnerabilities, applicable data and confidential information must be secured.

A recent survey conducted by IT industry association CompTIA, found that more than 90% of companies use or have transitioned to some form of cloud technology in order to increase flexibility and reduce costs. However, the report revealed that only 48% of those surveyed utilize cloud-based methodology for business continuity/disaster recovery processes. When authorized users can access response plans information from any location, response expertise can be maximized and maintenance efforts can be shared.

Response_Plan_Accessibility.jpg

In the event of an emergency, up-to-date paper plans may not be available from other locations. Although some companies post electronic plans to their intranet that can be accessed remotely, the process of updating these plans is time-consuming and inefficient. In addition, if a catastrophic event occurs, there is the possibility that the main data source or server will be inaccessible.

When an incident is isolated to a particular location, cloud or web-based response plans can enable response measures on a company-wide scale. Cloud or web-based plans can also provide hyperlinks, forms libraries, simplified interfaces, and other tools designed to improve functionality for plan users.

Cyber-Security and Response Plan Redundancy

But with any data system cyber-security and back up efforts are essential. In the event Internet connectivity is terminated or inaccessible, emergency managers must have alternative means to access plans. Redundant data centers, scheduled download, and security measures must be a part of any web or cloud based emergency management program

When first responders can exercise approved response processes and procedures, responses can become second nature. Plan accessibility allows appointed responders to clarify critical contact information and responses to altered site circumstances, operations, or materials. Inaccessible response plan can facilitate confusion, inconsistency, and potentially accelerate impacts and financial loss.

As technology dependencies become more ingrained in company operations and emergency management programs, it is essential to institute company-wide best practices for computer security, downloads, and backups in order to secure necessary technologies and communications networks.

Cyber exercises allow stakeholders to simulate real-world situations, to improve communications and coordination, and to increase the effectiveness of broad-based critical infrastructure protection capabilities without the consequences of real cyber event.  These specific exercises educate employees on technological policies and provide a means to evaluate cyber incident preparedness, mitigation, response, and recovery capabilities.

Be prepared for your next incident! Click the image below to receive your free guide.

Preparedness and Emergency Management - TRP Corp

Tags: Data Recovery, Response Plans, Redundant Systems, Training and Exercises, Cyber-Security, Data Backup

Top Five Reasons to Utilize Emergency Management Software

Posted on Thu, Aug 15, 2013

Companies need an enterprise-wide, universally accessible emergency response planning system capable of adapting to every site, regulatory requirement, and plan type. Incorporating a definitive company emergency management system across an enterprise allows for a streamlined and familiar response process. Whether plans are mandated by corporate policy or regulatory agencies, an effectively exercised and accessible emergency response plan can minimize impacts of an emergency on employees, the environment, and infrastructure. The benefits of web-based emergency management systems are:

1. Efficiency:  Effective response plans require cyclical maintenance. As a result of changing personnel, fluctuating external response contacts, and revolving equipment availability and inventory levels, maintaining up-to-date and actionable response plans can be administratively time consuming. Emergency management software should eliminate the need for duplicate updates. The most advanced web-based software programs utilize a database, allowing for specific repetitive information to be duplicated in the various necessary plan types across an entire enterprise. By minimizing administratively tasking duties, plan changes are more likely to be transferred into the system, optimizing the accuracy of the plans.

2. Accessibility of plans: In the event of an emergency, updated paper plans are typically not available from all company locations. Additionally, accessing plans housed on a company intranet may be dubious if an incident renders company servers inaccessible.  Although the intranet approach has improved overall plan accessibility, a number of significant difficulties remain. With an intranet approach, plan maintenance, version control, and consistency across multiple plans remain challenging and time consuming.

Web-based planning system software offers every option of instant accessibility: viewed via the Internet from any location, downloaded, or printed. Increasing accessibility options while improving efficiency, functionality, and effectiveness can bolster an entire emergency management program.

3. Instantaneous updates: With web-based technology and an Internet connection, revised information is immediately available to all approved stakeholders. Both paper-based plans and those housed on a company intranet are often out of date with multiple versions in various locations, potentially misinforming the response team.  Microsoft Word or PDF documents, often the format used in response plans, are cumbersome to revise for various plan types and locations. Web based software eliminates” version confusion” and allows responders to apply the most up-to-date and tested processes to a response.

4. Superior functionality: Web-based plans can provide hyperlinks, forms libraries, simplified interfaces, and other tools designed to improve functionality for plan users. Simplifying documentation during an incident enables prompt response progress, improved regulatory compliance, and a more accurate account of the response. Easy to follow response plans allow responders to carry out specified industry and company procedures in accordance with proven best practices responses.

5. Multi-purpose data: Typically, response plans share common data with a variety of additional plan types including business continuity, pre-fire plans, hurricane plans, and others. Web-based, database driven plans utilize one database to manage this information, effectively leveraging plan content and revision efforts to all plans and locations that utilize that data.

If best practices are implemented, and training and exercises confirm effective response processes and procedures are in place, response plans can be an effective tool for responders. However utilizing web-based, database software allows registered users to swiftly and accurately identify confirmed response contacts, response procedures, and available resources, expediting the response and minimizing impacts.

Resource management is a key practice in the National Incident Management System (NIMS). Web-based software streamlines the resource data incorporated into a response plan allowing NIMS components to be utilized more effectively. NIMS resource management includes:

  • Resource identification: Integrated data allows for all resources to be quantified.
  • Procurement: Through automated contact verification systems, the process of procuring resources is simplified. Accurate contacts, contact numbers, and resource lead times have already been confirmed.
  • Mobilization:  Plan transportation and logistics needs easily identified based on response priorities
  • Track and report:  Web-base response software’s links and forms database allows for easy resource reporting and documentation. Real-time incident management systems can ensure efficient use, coordination, and movement of equipment.
  • Recover and demobilize: Accurate data allocation ensures timely demobilization of equipment, including decontamination, disposal, repair, and restocking activities, as required.
  • Reimburse:  Web-based software contains documentation measures that assisting in tracking costs. This allows for accurate allocations of incident expenses, including contractors, equipment, transportation services, and other costs.
  • Inventory and replenishments: Resource data contained within the web-based software can be utilized to inventory response requirements or site equipment. This feature streamlines the ability to assess the availability of on-site equipment and supplies and determine external resource levels.
For an introduction to web-based planning click HERE:

 

Tags: Data Recovery, Redundant Systems, Cloud Computing, Emergency Response Planning, Data Backup, Safety

How to Maintain Business Continuity throughout Disaster Recovery

Posted on Thu, Jun 20, 2013

The goal of business continuity planning is to restore operations efficiently through a systematic approach. In the event of a disaster, many companies lack adequate recovery planning and backup capabilities to restore critical information, essential processes, and normal business operations within an acceptable recovery time frame. The lack of recovery preparedness can adversely affect corporate reputation, financial stability, and overall resilience.

The recovery process is a sequence of interdependent and often concurrent activities that allow for measured advances toward a successful recovery. The time frame between temporary relocation and securing permanent facilities (either at the original or alternate facility) describe the recovery phase. Decisions and priorities set early in the recovery process often have a cascading effect on the evolution and speed of the recovery progress and business continuity efforts. Business unit management and staff must be familiar with and trained in the recovery procedures in order to effectively implement directives and maintain minimal business continuity.

Establishing plans that include comprehensive recovery processes and protocols prior to a disaster is essential. A fully coordinated post-disaster recovery plan should be implemented with internal and external stakeholders. Developing relationships and common understandings of roles and responsibilities prior to a disaster increases post-disaster collaboration and unified decision-making, streamlining the recovery process.

After the initial response and relocation of operations and personnel, the recovery phase includes, but is not limited to:

  • Damage assessments of primary facilities
  • Mobilization of tactical recovery teams
  • Recovery debriefings
  • Identification of recovery objectives
  • Initiation of restoration activities

The restoration phase addresses return of personnel to restored facilities, or permanent alternate facilities, and restoration of operations, and  includes:

  • Confirmation of the restoration of primary facilities and infrastructure
  • Confirmation of staff relocation schedules
  • Relocation to permanent facility
  • Consolidation and archiving incident documentation
  • Review and updating Business Continuity Plan based on lessons learned
  • Return to business as usual

Recovery outcomes vary based on incident circumstances, challenges,  and priorities. In the corporate world, a successful disaster recovery is typically characterized as the return of operations to pre-disaster conditions. FEMA’s National Disaster Recovery Framework provides key factors that contribute to a successful recovery.  These factors include:

1. Effective Decision making and Coordination:

    • Confirm roles and responsibilities of recovery team and stakeholders
    • Examine recovery alternatives, address conflicts and make informed and timely decisions that best achieve recovery
    • Establish metrics for tracking progress, ensuring accountability and reinforcing realistic expectations among stakeholders
    • Track progress, ensure accountability, and make procedural adjustments as necessary

2. Integration of Community Recovery Planning Processes:

    • Engage all stakeholders in pre-disaster business continuity and recovery planning, training, and exercises
    • Establish processes and criteria for identifying and prioritizing key recovery actions and projects

3. Well-managed Recovery:

    • Leverage and coordinate recovery teams, local response groups, government liaisons, and non-governmental organizations to accelerate the recovery process and avoid duplication of efforts
    • Surge staffing and management structures as necessary to support the workload during recovery
    • Establish leadership guidance, including the shift of roles and responsibilities, for the transition from response operations to recovery, and eventually a return to a normal (or new normal) operational state
    • Ensure regulatory compliance throughout recovery process

4. Proactive Community Engagement, Public Participation, and Public Awareness:

    • Ensure transparency and accountability
    • Communicate recovery objectives (short, intermediate and long-term) and applicable detailed information to employees, stakeholders, and community members

5. Well-administered Financials:

    • Clearly identify funding sources and financial recovery processes
    • Evaluate and present external programs that can provide financial assistance to aid in the recovery progress
    • Allow for budgetary flexibility, yet maintain adequate financial monitoring and accounting systems
    • Implement processes and systems that detect and deter fraud, waste, and abuse.

6. Organizational Flexibility:

    • Institute scalable and flexible processes that can align with recovery operations objectives
    • Institute business processes that can evolve and adapt to address the changing landscape of post-disaster environments

7. Resilient Rebuilding:

    • Invoke “Lessons Learned” in the restoration phase to minimize risks and threats, and improve response, recovery and restoration efforts.

For tips and best practices on designing a crisis management program, download Tips for  Effective Exercises.

TRP Corp Emergency Response Planning Exercises

Tags: Data Recovery, Resiliency, Business Continuity Plan, Disaster Recovery, Business Disruption

Spike in Cyber Attacks Requires Specific Business Continuity Efforts

Posted on Mon, Jun 03, 2013

“According to recent estimates, this global network of networks encompasses more than two billion people with at least 12 billion computers and devices, including global positioning systems, mobile phones, satellites, data routers, ordinary desktop computers, and industrial control computers that run power plants, water systems, and more. While this increased connectivity has led to significant transformations and advances across our country – and around the world – it also has increased complexity of our shared risk.” - Department of Homeland Security

Based on statistics from the Department of Homeland Security (DHS), it is critical for companies to establish business continuity plans associated with technology, and related applications. As technology dependencies become more ingrained in company operations, it is essential to institute company-wide best practices for computer security, downloads, and backups in order to secure necessary technologies and communications networks.

A company’s business continuity plan (BCP) should include processes related to critical technologies that may be lost or suspended due to an incident or cyber attack. A BCP is a vital tool that companies can use to plan for the restoration of normal operations after a business-disrupting incident. Incidents can create a temporary or permanent loss of infrastructure, critical staff, software, and/or vital records. According to the DHS, the increasing number of cyber attacks elevates the potential for critical data lapses or loss. Recent cyber statistics include:

  • 68% increase in cyber incidents between 2009 and 2011 (Subcommittee on Cyber Security, Infrastructure Protection, and Security Technologies)
  • Confirmation of cyber intrusion campaign targeting oil and pipeline companies (Janet Napolitano, DHS Secretary)
  • Confirmation that the majority of companies in the energy sector had experienced cyber attacks, and approximately 55% of those attacks targeted control systems (Charles Edwards, DHS Deputy Inspector General)
  • In 2012, DHS responded to 177 cyber control systems incidents, up from 9 in 2012

To counteract the increasing threat on critical technology infrastructure, DHS has developed CSET, Cyber Security Evaluation Tool. “CSET is a desktop software tool that guides users through a step-by-step process to assess their control system and information technology network security practices against recognized industry standards.” After a thorough evaluation, CSET then produces a prioritized list of recommendations for improving the cyber security and industrial control cyber systems. Each recommendation is linked to a set of actions that can be applied to enhance cyber security controls.

In 2012, over 1,000 companies utilized CSET to evaluate cyber security measures. Sectors with the highest number of self-assessments include: water and water treatment, energy, transportation, commercial and government facilities, and public health or health care. By leveraging the CSET application and Control System Security Program onsite consultation opportunities, companies can mitigate cyber security issues and increase the potential for business continuity. Some key business continuity benefits of the programs include:

  • Highlighting vulnerabilities in a company’s system(s) and providing recommendations of mitigation efforts
  • Identifying areas of strength and recommended practices being followed in the organization
  • Providing a method to systematically compare and monitor cyber systems improvement
  • Informing a risk management and decision-making process
  • Raising awareness and facilitating discussion on cyber-security within the organization.

According to the Business Continuity Institute online survey conducted in December 2011, the top identified threat from conducting a thorough risk assessment was an unplanned IT or telecommunication outage. However, the top three identified threats were all related to the viability of technology, highlighting the need for technology-associated business continuity efforts.

Here are the top three threats from Business Continuity Insight survey:

1. 74% - Unplanned IT and telecommunications outages
  • Departments or business units should define workaround procedures, or alternate processes, to support critical process recovery until key systems and applications have been restored.
  • Ensure all business documentation, records, and files necessary for resumption and recovery purposes are backed up and stored/located safely away from the primary office facility to minimize data loss.
  • Identify alternate methods of communication: landlines, cell phones, satellite phones.

2. 68% - Data breach (i.e. loss or theft of confidential information):  Organizations need site specific data security solutions that can detect, prevent, and continually audit interactions with sensitive data. Through continual monitoring of file and application access, organizations can minimize theft of confidential information.

3. 65% - Cyber attack (e.g. malware, denial of service): Companies should follow security best practices and implement practical and effective safeguards to mitigate internal and external attacks.

Each department should be responsible for assessing computer and software needs when developing critical process recovery strategies, and obtaining the review and input of the IT Department in support of any identified computer and software recovery time objectives.

TRP Corp - Emergency Response Planning Crisis Management

Tags: Data Recovery, Computer Security, Data Loss, Cyber-Security, Data Backup, Business Continuity Plan, Terrorism Threat Management

Cyber Security is Essential for Business Continuity

Posted on Thu, Mar 21, 2013

Media organizations, multinational companies, and government agencies have all been victims of recent cyber attacks. February’s highly publicized 60-page Mandiant report entitled APT1: Exposing One of China's Cyber Espionage Units, revealed evidence of cyber data theft of nearly 141 organizations. It was “beyond a shadow of a doubt” that the Chinese government and military is behind growing cyber attacks against the United States, said House Intelligence Committee Chair Mike Roger.

The 2013 Global Risk Report ranks cyber attacks in the “Top Five” of highly probability occurring incidents within the next ten years. According to the report, cyber attacks and critical system failures are considerable technological risks to companies and organizations across the globe.

As technology dependencies become more ingrained in company operations, it is essential to institute company-wide best practices for computer security, downloads, and backups in order to secure necessary technologies and communications networks.  A company’s business continuity plan (BCP) should include processes related to critical technologies that may be lost or suspended during an incident. A BCP is a vital tool that companies can use to plan for the restoration of normal operations after a business-disrupting incident. Incidents can create a temporary or permanent loss of infrastructure, critical staff, software, and/or vital records.

Identifying the procedural details of computer backups, data restoration methods, and minimum software requirements are crucial to re-establish technology related critical business processes.  The Department of Homeland Security’s Cyber Exercise Program (CEP) can assist companies in developing protocols to evaluate their cyber incident preparation, mitigation, response, and recovery capabilities.

Companies should address the following DHS cyber security points to ensure business continuity:

  • Is cyber preparedness integrated with your current all hazards preparedness efforts?
  • Who are your cyber preparedness stakeholders (public, private, non-profit, other)?
  • Are cyber security risk-based policies established in your organization?
  • Does your organization ensure that service providers and vendors that have access to your systems are following appropriate personnel security procedures and/or practices?
  • Does your organization integrate cyber security into the life cycle system (i.e., design, procurement, installation, operation and disposal)?
  • Are audits conducted on cyber security systems?
  • Are cyber  security plan requirement in place and are they being adhered to?
  • Are all systems compliant to company and/or cyber  security plan requirements?
  • Does your organization have an asset inventory of all critical IT systems and a cohesive set of network/system architecture diagrams or other documentation (e.g. nodes, interfaces, and information flows)?
  • Upon being notified of a compromise/breach of security regarding an employee:
    • Who is notified?
    • What steps are followed to ensure this individual’s access to facility and/or equipment has been terminated?
    • What steps are followed?
    • Should legal representation be sought and at what point?
    • Who determines if the employee should be held criminally responsible?
  • Are there policies (formal and informal) pertaining to removable storage devices?
  • What is the priority of cyber preparedness, including cyber security, in your organization?
  • What level of funding and/or resources is devoted to cyber preparedness?
  • What are your estimated losses if a cyber attack were to terminate system functionality?
  • What are your critical business unit software requirements?
  • What are the procedures for backing up and restoring data?
  • How often are security patches updated?

Cyber exercises are an essential tool for organizations to evaluate their cyber incident preparation, mitigation, response, and recovery capabilities. The exercise environment allows stakeholders to simulate real-world situations, to improve communications and coordination, and to increase the effectiveness of broad-based critical infrastructure protection capabilities without the consequences of real cyber event. These types of exercises can also be used to educate employees on technological policies and procedures used to offset cyber attack strategies. DHS identifies two types of exercises that can aid in the advancement of cyber security. 

Discussion based exercises:

  • Familiarize participants with current agreements and procedures or assist in the development of new plans, agreements, and procedures
  • An effective method for bringing together key response team leaders common in mid- to large-scale cyber events
  • Easier to conduct, especially when multiple response team leaders participate using a variety of collaboration and video teleconferencing technologies

Operations based exercises:

  • Validate agreements and procedures, clarify roles and responsibilities, and identify resource gaps in an operational environment
  • May include the use of simulated network environments, “live-fire” events, and active adversary forces to produce realistic scenario inputs and effects
  • Generally involve mobilization and response as opposed to policies and procedures

By exercising key areas of conjunction between IT and other corporate response elements, company cyber security and incident response operations gaps and shortfalls can be identified. In order for business continuity, there must be a mutual understanding between IT personnel and crisis managers regarding their respective roles, available resources, and response measure during events caused by cyber disruption.

For tips and best practices on designing a crisis management program, download Tips for Effective Exercises.

Exercises - TRP Corp

Tags: Data Recovery, Computer Security, Business Continuity, Department of Homeland Security, Data Loss, Cyber-Security, Data Backup

Protect Critical Systems from Cyber Disaster for Business Continuity

Posted on Thu, Aug 23, 2012

In July, General Keith Alexander, head of the National Security Agency and U.S. Cyber Command chief warned that the changing nature of dangerous cyber attacks is taking a toll on American business. A Department of Homeland Security report on cyber security revealed 198 cyber attack incidents were reported to DHS in 2011. This is a sharp contrast to the nine incidents reported in 2009. The report noted that companies who control critical infrastructure reported higher numbers of attacks on their systems over the past three years.

With cyber threats to these computer systems on the rise, the U.S. Department of Homeland Security (DHS) is working to better protect control systems of critical infrastructure. DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provides operational capabilities for defense of control system environments against emerging cyber threats. ICS-CERTs were deployed to investigate and analyze threats in 17 of the 198 cases in 2011. By understanding the threats and effectively managing the risks, actions can be taken to reduce the occurrences and sustain critical systems. Specific company names were not released in order to maintain a level of confidentiality and encourage reporting of other cyber attack incidents. Alexander said that for every intrusion detected by the FBI, there are 100 others that remain undetected.

DHS admits that the number of incidents reported to DHS's ICS-CERT has increased partly due to this increased communication between ICS-CERT and the private sector. However, through proper mitigation and business continuity measures companies will be prepared to combat their current lapses in technology.

According to the EPA, “Technological emergencies include any interruption or loss of a utility service, power source, life support system, information system or equipment needed to keep the business in operation.”  Identifying all critical technology related operations is the first step in mitigating and combating threats. Possible critical technologies involved in business operations include, but are not limited to:

  • Utilities including electric power, gas, water, hydraulics, compressed air, municipal and internal sewer systems, wastewater treatment services
  • Security and alarm systems, elevators, lighting, life support systems, heating, ventilation and air conditioning systems, electrical distribution system.
  • Manufacturing equipment, pollution control equipment
  • Communication systems, both data and voice computer networks
  • Transportation systems including air, highway, railroad and waterway

Once technology systems are identified, the following planning considerations should be taken into account in order to safeguard critical systems and develop an effective business continuity plan:

  • Determine the impact of technology service disruptions.
  • Ensure that key safety and maintenance personnel are thoroughly familiar with all building systems, such as alarms, utility shutoffs, elevators, etc.
  • Establish company-wide computer security practices, such as password-protected information, in order to secure technologies. (See CSET Assessment to determine system vulnerabilities)
  • Establish procedures for restoring systems. Determine the need for backup systems.
  • Establish preventive maintenance schedules for all systems and equipment.

ICS-CERT encourages companies to report suspicious cyber activity, incidents and vulnerabilities affecting critical infrastructure control systems. Online reporting forms are available at https://forms.us-cert.gov/report/.

For a sample Emergency Response Checklist, download our helpful and informative guide.

Tags: Data Recovery, Cloud Computing, Data Loss, Cyber-Security, Business Continuity Plan, Business Disruption, Information Security