You have to bend but not break when it comes to business resilience.
All organizations face a certain amount of uncertainty and risk. In order to ensure sustainability of operations and maintain resilience, security, competitiveness and performance, you must have a system to manage risks.
The challenge is to determine how much risk and uncertainty is acceptable and how to cost effectively manage the risk and uncertainty while meeting strategic and operational objectives. Specific to this important mission, there are overall needs for resilience and continuity as well as subset needs specific to disaster planning, management and recovery.
According to Robert Messemer, chief security officer for The Nielsen Company, the marketing and media information company, “Business continuity and disaster recovery planning are essential to an effective corporate security program and a robust enterprise-wide risk management program.”
No One Template
“In today’s complex corporate environment, it is simply unwise to provide a ‘one size fits all’ template and ask someone to fill in the blanks. The effective security leader seeks first to understand the business, its unique characteristics, its competitive and regulatory environments as well as understanding its clients’ expectations and its contractual obligations,” says Messemer.
For some facilities, the unique characteristics have daily, community-wide importance.
Guy Grace, director of security and emergency planning for Littleton (Colo.) Public Schools, points out that business continuity planning in a school district setting is important not only for the school district but the community as a whole. “Schools are expected to be the educational foundation of the community but additionally, in many cases, the community center of the neighborhood that the school serves. It is a logical expectation.”
Still, whatever the type of operation, community involvement is essential.
“In Nielsen security, we engage with the business stakeholders to identify the unique characteristics of our business operations and its revenue streams to better prioritize our recovery efforts,” says Messemer. “There is no short-cut here. The time invested at the front end can save money over the long term. Its financial impact is measurable and inspires confidence within the organization.”
Saving Insurance Dollars
“Effective business continuity and disaster recovery planning can translate directly into cost savings with your insurance underwriters,” adds Messemer.
“Not all planning should be centered solely on disasters. There should also be contingency plans for special events that involve executives and clients. For example, recently we commissioned a board-certified emergency room physician to conduct an independent review of available medical care well in advance of a special event. We actually developed and executed our plan at a substantial cost savings compared to similarly situated corporations,” he explains. “When one of our clients experienced an unforeseeable medical emergency, we simply executed our plan that included the physician’s recommendations. Our swift execution delighted our client and the other clients who witnessed first-hand the foresight of our plans. Our client said they’ll be a Nielsen client for life.”
Business continuity and disaster recovery planning should also focus on providing guiding principles of crisis response, Messemer says. “Not all disasters can be predicted. However, if you provide your business leaders with principle-based guidelines, they can adapt your guidelines to respond to any unforeseen contingency. This not only reduces confusion but also helps prevent a bad situation from becoming worse. The days of ‘F-U-D’ (fear – uncertainty – doubt) are over. Being practical and emphasizing return on investment are keys to selling your ideas in the boardroom.”
Continuity planning also goes beyond an individual site to a broader base for the district as a whole, Grace says. Each school site has an individual emergency action plan that is updated every year. This plan is also recorded and compiled into what Grace calls the school emergency management planning software program or SEMPS. Data includes the emergency plans as well as other critical data such as complete virtual tours of the inside and outside of the school building, aerial photography and other important data. This data is placed on a USB drive that is then provided to all the police, fire and other emergency responders within the community.
There are other groups involved in Grace’s continuity planning. One he recommends to other security leaders is the FBI InfraGard program (www.infragard.net). Grace says the program exposes members to a broad range of critical infrastructure issues across the country, and has opened his eyes to the bigger picture of the global need for continuity planning.
Exercise the Plan
Walter Chan, supervisor, corporate security, facilities and real estate for the city of Toronto, has written extensively on resilience and enterprise security management. He says it is generally accepted that enterprise structures qualify as complex systems. “They evolve, struggle, thrive and die or transform,” he says. “A number of the infrastructures and conveniences we enjoy today are the result of very complex endeavors such as air traffic, power grid, food supply, and others.” All of these and more are vulnerable to disruptions, otherwise known as low-probability/high-impact events, according to Chan.
When resilience is introduced as a desirable goal, expertise should trump rank. “We would rather be operated on by a qualified surgeon, not a hospital administrator,” points out Chan. “Disruptive events will cause sudden changes whether we are adaptive and resilient or not. But our ability to bounce back will improve us.”
Chan shares a vision with others that standards will play a continuity role.
Professional associations and standards groups are helping put resilience tools in the hands of security executives. In October, DHS selected the ANSI/ASIS Organizational Resilience American National Standard as one of three sets of standards to be adopted as a national preparedness standard for private-sector entities as part of the DHS PS-Prep program.
PS-Prep seeks to raise the level of private sector preparedness through DHS adoption and promotion of preparedness standards and provides a mechanism for a private sector entity to receive certification that it is in conformity with one or more of the adopted standards.
The standard takes an enterprise-wide view of risk management, enabling an organization to develop a comprehensive strategy to prevent when possible, prepare for, mitigate, respond to and recover from a disruptive incident.
Marc Siegel, a commissioner with the ASIS Global Standards Initiative, says that the three sets of standards (the ASIS standard, British Standards Institution 25999 "Business Continuity Management" and the National Fire Protection Association 1600:2007 Standard on Disaster/Emergency Management and Business Continuity Programs) “are all very different. However, ours is ISO compatible.” That is an advantage for companies already familiar with ISO’s two decades of work on quality and environmental management, since they can stick to that model.
Single Sign on Approach
Within enterprise networks, and especially when it comes to access control continuity, organizations such as healthcare facilities are embracing single sign-on and provisioning. For example, Texas Children's Hospital in Houston is adding Sentillion's provisioning manager to its existing deployment of the company's single sign-on and single patient selection solutions. Currently in the midst of an enormous $1.5 billion hospital expansion, the hospital will use provisioning manager to create and manage user accounts throughout their life cycle.
Provisioning manager will expedite the process for adding new Microsoft Active Directory and Microsoft Exchange accounts as well as accounts for accessing an electronic medical record and PeopleSoft applications. The technology will also keep track of each transaction whenever application access is granted, modified, suspended or removed as well as details of all privileges granted.
Rene Fonseca, manager, business systems and solutions, and John Espinosa, applications technical advisor, both of Texas Children’s Hospital, believe that staff have a hard time remembering all the different sign-ons. “Coordinating and controlling is now transparent to the users,” says Fonseca. In regard to resiliency, “Patient coordination is a must in a healthcare environment. Tap-and-go, for example, allows proximity card access for a certain period of time,” adds Espinosa.
Disaster planning and recovery, especially in a difficult economic climate, creates an interesting infrastructure and perimeter dilemma that must be handled with both skill and smarts. Low-tech tools can help, too.
Sage Realty Corp., which manages New York City’s 777 Third Avenue building among other high rises, and Christina Bates, president of SPC Services, answered the call.
Solutions include a security officer on a Segway as well as its recently created centralized offsite “bunker” emergency response and command center. Bates believes that her operation is one of the only properties using the transporter inside a high-rise building. The offsite command center arose after a steam pipe explosion in a New York street, which threatened building perimeters and scared tenants and visitors. Sage has five buildings, and the emergency response bunker can coordinate security, life safety and communications if any facility experiences an incident.
Business Resilience: Six Actions to Take Now
According to Firooz Ghanbarzadeh, director, technology services and solutions for CDW Corp., “Despite the compelling imperative ‘protect your IT, or be prepared to suffer devastating business interruptions,’ the majority of businesses under-invest in business continuity and disaster recovery planning. As a result, they tend to defer business continuity into the ‘solve tomorrow’ column until right before (or right after) an incident.”
The link between business continuity and disaster survivability is significant, observes Ghanbarzadeh, who recommends six steps that can apply to physical and IT security operations.
- Conduct a business impact assessment. Convene a cross-functional team to evaluate the business requirements and tier data based on its importance to operations.
- Establish a downtime threshold. When building a disaster recovery plan, the first objective should be to decide the recovery point objective (RPO) and recovery time objective (RTO). The RPO dictates the allowable data loss, while the RTO is the amount of time applications can afford to be down – the maximum tolerable outage. These provide critical context for the remaining steps of the process.
- Take steps to protect data. Back up data frequently to ensure records are kept, and consider upgrading to a faster version of backup equipment to reduce the time it takes to complete a backup cycle.
- Review power options. Add uninterrupted power supplies for critical servers, network connections and selected personal computers to keep the most essential applications running.
- Consider telecommunications alternatives. Telecommunications backup must involve both redundancy and alternatives. In the case of spot outages, redundancy may be enough. For larger outages, alternative communications vehicles, including wireless phones, wireless data cards and satellite phones, should be considered.
- Form tight relationships with vendors that can help expedite recovery and ensure priority replacement of critical telecommunications equipment, personal computers, servers and network hardware in the event of a disaster.
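The "Establish a downtime threshold" step above sets an RPO and an RTO per data tier; the following added example (not from the article or from CDW) shows one way to check a tiered backup plan, and an actual incident, against those objectives. The tiers, backup intervals, restore times and incident timestamps are constructed for illustration.

```python
# Added example, not from the article: tiers, intervals and timestamps are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Tier:
    name: str
    rpo: timedelta               # allowable data loss (recovery point objective)
    rto: timedelta               # maximum tolerable outage (recovery time objective)
    backup_interval: timedelta   # time between completed backup cycles
    detection_delay: timedelta   # time from failure until recovery starts
    restore_duration: timedelta  # measured time to restore from the last backup

def plan_gaps(tier: Tier) -> list[str]:
    """Reasons the plan cannot meet the tier's objectives (empty if it can).
    Worst-case data loss is one full backup interval (failure just before the
    next backup completes); worst-case outage is detection delay plus restore."""
    gaps = []
    if tier.backup_interval > tier.rpo:
        gaps.append(f"{tier.name}: backup interval {tier.backup_interval} exceeds RPO {tier.rpo}")
    worst_outage = tier.detection_delay + tier.restore_duration
    if worst_outage > tier.rto:
        gaps.append(f"{tier.name}: worst-case outage {worst_outage} exceeds RTO {tier.rto}")
    return gaps

def incident_outcome(tier: Tier, last_backup: datetime, failure: datetime,
                     restored: datetime) -> dict:
    """Measure an actual incident against the tier's objectives."""
    data_loss = failure - last_backup   # records written after the last good backup
    downtime = restored - failure       # time the application was unavailable
    return {"data_loss": data_loss, "downtime": downtime,
            "rpo_met": data_loss <= tier.rpo, "rto_met": downtime <= tier.rto}

# Constructed tiers: clinical records first, HR second, archives last.
TIERS = [
    Tier("tier1-clinical", timedelta(minutes=15), timedelta(hours=1),
         timedelta(minutes=5), timedelta(minutes=10), timedelta(minutes=30)),
    Tier("tier2-hr", timedelta(hours=4), timedelta(hours=8),
         timedelta(hours=24), timedelta(hours=1), timedelta(hours=6)),
    Tier("tier3-archive", timedelta(hours=24), timedelta(hours=72),
         timedelta(hours=24), timedelta(hours=4), timedelta(hours=96)),
]

def sample_incident() -> dict:
    """Constructed incident: failure 12 minutes after the last backup, restored 78 minutes later."""
    return incident_outcome(TIERS[0], datetime(2024, 3, 1, 8, 0),
                            datetime(2024, 3, 1, 8, 12), datetime(2024, 3, 1, 9, 30))
```

Calling plan_gaps on each tier flags the daily HR backup (RPO of four hours cannot be met) and the archive restore (100 hours against a 72-hour RTO); sample_incident shows a case that meets RPO but misses RTO.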
The Smart Grid: The Ultimate Disaster to Come?
It may be that America can live without the Internet, cable and satellite TV, at least for a while. But electricity?
In the 2009 economic stimulus package, for example, the U.S. allocated $4.5 billion to develop technologies for the "smart grid," what utility experts describe as a revamped digital delivery system for electricity and that can make energy-saving adjustments to power flow.
There are two resiliency concerns, however. There is the domestic and international terrorism threat that may make attacks “easier” because of the digital backbone. And there is a threat to individual privacy as more personal information on and about customers is housed in databases and files.
There is also the potential for more local attacks that can do some damage through illegal access to digital meters. According to recent literature, one way to hack into a smart meter is through its wireless networking device. An attacker can use a software radio, mirroring diverse communications devices, to listen in on wireless communications along the network and discover over time how to communicate with one or more meters.
Susan Lyon, counsel in the law firm Perkins Coie's privacy and security practice, sees problems along the smart wires. As two-way flows of information emerge in the development of smart grid, the energy industry will face similar privacy concerns as those that have emerged recently in the online industry. “It’s not necessarily a matter of information ownership but data control and choice,” she commented.
There are a lot of pie-in-the-sky benefits. “It’s cool to think that, one day, your refrigerator will be plugged into the Internet and give you a mobile phone message that you should buy eggs when you come near a supermarket.” But, Lyon warns enterprises and security executives, “This vision of the smart grid as an information conduit multiplies the vulnerabilities and possibilities that these organizations have not had to face before.”
Resilience in the new world of the smart grid means that “everyone involved must anticipate the changes and be proactive. Trust among all those involved is the best continuity plan. And communications will be more tricky” as it relates to energy identity theft, stealing service from others and illegal brokering of customer information, to name a few.