Your Solution for SMART Response Plans

Securely Share Response Plans with Inspectors, Responders, and Auditors

Posted on Mon, Mar 10, 2014

Industrial facilities are vulnerable to innate risks, targeted threats, and security breaches. These vulnerabilities vary according to the location, site characteristics, operations, and hazards. Site-specific response plans are often required by regulatory agencies to address these vulnerabilities. To counteract potential incidents relating to vulnerabilities and comply with government mandates, response plans are shared with regulators, auditors, inspectors, and responders. However, in order to minimize additional vulnerabilities, applicable confidential information should be secured from unauthorized individuals.

Response Plans must be shared, but information security must be a priority. There are generally three basic means to share response plans with recipients.

1) Paper plans

Long before tablet computers and smart phones, companies composed and shared binder-bound response plans. These plans, which are still used in large numbers today, were/are mailed to agencies, printed for auditors and inspectors, and reproduced for response stakeholders. Paper plan accessibility is limited to physical distribution tactics. This traditional concept may not provide the security measures necessary for the modern world. Paper plans share the following common pitfalls, possibly resulting in non-compliance and an ineffective response.

Paper plans are often:

  • Inaccessible: Most plan users will only have a paper copy and will not carry it wherever they go. Because of the lack of accessibility, it is often difficult for a program manager to know when plans were last updated or approved by regulatory agencies.
  • Inefficient: Repeated information updates, especially in multiple plans, are time-consuming. There are often duplicate or overlapping information requirements from one plan type to another, and for multiple facilities.
  • Out of date: Having multiple versions of plans in various locations leads to version confusion. It is often difficult to determine and document when company, site, or personnel information has changed. Example: Corporate emergency manager's contact information may reside in many plans. If/when that person's contact information changes, it has to be physically changed in each plan.
  • Inconsistent: Plan formats usually vary from one facility to another, making it difficult to manage training and compliance efforts.
  • Cumbersome: A company may have multiple plan types, documents, and records for various regulatory agencies. During an audit, inspection, or response, the pure physicality of paper plans can be hindering.

2) Intranet-based plans

Some companies host response plans on their local intranet, or company network. These plans can often be accessed remotely through a Virtual Private Network (VPN). In order to establish a VPN connection with a company's server, the endpoints are typically authenticated to secure access. Plans can be shared through a VPN connection, potentially expanding the accessibility to approved viewers.

Secured access has historically been accomplished through passwords, personal data, advanced biometrics, or a combination of security means. Once the connection is made, authorized individuals should be able to securely access a company's network. However, as recent headlines have revealed, company networks are often vulnerable to hackers, data breaches, and network attacks, potentially exposing private company information and broadening vulnerabilities. Companies must prioritize network security, especially when response plans are hosted within this critical business function.

In a variety of scenarios or in the event of an emergency, company servers may be inaccessible, leaving responders ill-informed when response information is needed most. It is imperative to regularly back up response data and establish an alternate means to retrieve necessary response information in the event that the site and/or company network is involved in the incident.

Although plan accessibility may be improved with an intranet system, the plans may still be subject to some of the same pitfalls as paper plans:

  • Inaccessible
  • Inefficient
  • Inconsistent

Efficiency and consistency across multiple plans remain challenging and time-consuming when documents utilize separate static word-based files.

3) Web-based plans

As mobile technology advances and becomes more commonplace, many companies are beginning to realize the benefits of web-based emergency response planning systems. Web-based emergency response planning systems offer secured, immediate, and direct access to your emergency response plans from any computer. Since company response plans are no longer stored in a single, centralized location, the risk of inaccessibility, loss, or damage of these critical records in an emergency situation is minimized. More importantly, since every member of your team can easily locate and navigate your emergency response plans at a moment’s notice through a password protected website, your incident response time and management capabilities improve dramatically.

For organizations with multiple facilities and locations, web-based response planning provides site-specific emergency response plans that integrate seamlessly with your organization-wide procedures and policies. This optimizes the opportunity for every location to remain in compliance with state, federal and municipal regulations.

When response plans utilize an informational database, plans securely open to the latest plan version, providing the ability for plans to be shared or printed for auditor analysis and inspectors’ review.

Some benefits of a web-based business continuity system include:

  • Instantaneous Accessibility: Web-based planning system software offers every option of instant accessibility:
    • Viewed via the Internet from any location
    • Downloaded
    • Printed.

Web-based response plans increase accessibility options while improving efficiency, functionality, and effectiveness.

  • Efficiency: The most advanced web-based software programs utilize a database, allowing for repetitive information to be duplicated in all plan types across an entire enterprise. By minimizing administratively tasking duties, plan changes are more likely to be performed, thereby improving accuracy of the plans. Web-based plans can provide hyperlinks, forms libraries, simplified interfaces, and other tools designed to improve functionality for plan users.
  • Instantaneous Updates: Revised information is immediately available to all stakeholders. Web-based, database driven plans utilize one database to manage this information, effectively leveraging plan revision efforts to all plans that utilize that data.

Web-based response plans offer the greatest secured accessibility option for stakeholders, auditors, and inspectors while bolstering an entire emergency management program.


Tags: Resiliency, Response Plans, Incident Management, Redundant Systems, Regulatory Compliance, Emergency Response Planning, Information Security

Protect Critical Systems from Cyber Disaster for Business Continuity

Posted on Thu, Aug 23, 2012

In July, General Keith Alexander, head of the National Security Agency and U.S. Cyber Command chief, warned that the changing nature of dangerous cyber attacks is taking a toll on American business. A Department of Homeland Security report on cyber security revealed 198 cyber attack incidents were reported to DHS in 2011. This is a sharp contrast to the nine incidents reported in 2009. The report noted that companies that control critical infrastructure reported higher numbers of attacks on their systems over the past three years.

With cyber threats to these computer systems on the rise, the U.S. Department of Homeland Security (DHS) is working to better protect control systems of critical infrastructure. DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provides operational capabilities for defense of control system environments against emerging cyber threats. ICS-CERTs were deployed to investigate and analyze threats in 17 of the 198 cases in 2011. By understanding the threats and effectively managing the risks, actions can be taken to reduce the occurrences and sustain critical systems. Specific company names were not released in order to maintain a level of confidentiality and encourage reporting of other cyber attack incidents. Alexander said that for every intrusion detected by the FBI, there are 100 others that remain undetected.

DHS admits that the number of incidents reported to DHS's ICS-CERT has increased partly due to this increased communication between ICS-CERT and the private sector. However, through proper mitigation and business continuity measures companies will be prepared to combat their current lapses in technology.

According to the EPA, “Technological emergencies include any interruption or loss of a utility service, power source, life support system, information system or equipment needed to keep the business in operation.” Identifying all critical technology-related operations is the first step in mitigating and combating threats. Possible critical technologies involved in business operations include, but are not limited to:

  • Utilities including electric power, gas, water, hydraulics, compressed air, municipal and internal sewer systems, wastewater treatment services
  • Security and alarm systems, elevators, lighting, life support systems, heating, ventilation and air conditioning systems, electrical distribution system
  • Manufacturing equipment, pollution control equipment
  • Communication systems, both data and voice computer networks
  • Transportation systems including air, highway, railroad and waterway

Once technology systems are identified, the following planning considerations should be taken into account in order to safeguard critical systems and develop an effective business continuity plan:

  • Determine the impact of technology service disruptions.
  • Ensure that key safety and maintenance personnel are thoroughly familiar with all building systems, such as alarms, utility shutoffs, elevators, etc.
  • Establish company-wide computer security practices, such as password-protected information, in order to secure technologies. (See CSET Assessment to determine system vulnerabilities)
  • Establish procedures for restoring systems. Determine the need for backup systems.
  • Establish preventive maintenance schedules for all systems and equipment.

ICS-CERT encourages companies to report suspicious cyber activity, incidents and vulnerabilities affecting critical infrastructure control systems. Online reporting forms are available at https://forms.us-cert.gov/report/.

For a sample Emergency Response Checklist, download our helpful and informative guide.

Tags: Data Recovery, Cloud Computing, Data Loss, Cyber-Security, Business Continuity Plan, Business Disruption, Information Security

Top Five Reasons to Use Web-Based Business Continuity Plans

Posted on Mon, Jan 09, 2012

In business continuity, the concept of identification of critical business processes and equipment is often discussed. However, the ability to access important documents is often overlooked. Some companies even choose to store emergency response plans in binders. What would you do if you experienced a catastrophic loss and could not access these important documents?

Numerous companies that have business continuity plans are evolving from paper-based plans to web-based planning systems to ensure access to critical information during an emergency. Disasters and emergencies can instantly eliminate any trace of hard copy plans that are not properly backed up and accessible off-site. Companies could lose access to the necessary information and tools that enable recovery of critical business processes.

A business continuity plan identifies the critical processes and how to recover these processes following loss of infrastructure. Some of these critical processes rely on specific data. By transitioning from paper-based business continuity plans to a web-based approach, companies have the ability to make the plans more accessible to both internal and external stakeholders.

Some benefits of a web-based business continuity system include:

1. Efficiency: Eliminates repetitive updates of duplicate information within multiple plans.

2. Instantaneous Updates: Revised information is immediately available to all stakeholders.

3. Accessibility of plans: In the event of an emergency, updated paper plans are typically not available from other locations. Although some companies post electronic plans to their intranet, which can be accessed remotely, the process of updating these plans is time-consuming and inefficient. In addition, a catastrophic event may render company servers inaccessible.

4. Superior functionality: Web-based plans can provide hyperlinks, forms libraries, simplified interfaces, and other tools designed to improve functionality for plan users.

5. Multi-purpose data: Typically, business continuity plans share common data with emergency response and other plan types. Web-based, database driven plans utilize one database to manage this information, effectively leveraging plan revision efforts to all plans that utilize that data.

For tips and best practices on designing a crisis management program, download Best Practices for Crisis Management.


Tags: Power Failure, Business Continuity key points, Business Continuity, Facility Management, Emergency Management Program, Notification Systems, Information Security