May 17, 2012

Social Impact Planning

A wide scale, long-duration business interruption will force many changes in the way your organization operates. Social Impact Planning is the discipline that deals with this area of Operational Resiliency. Are your policies and procedures up to the challenge? Now is the time to think about this issue, not when you are in the middle of an emotionally charged situation suffering from poor communications and unreliable information.

Priority Analysis Chart G3

The Issues

People are an organization’s most important asset. During a crisis, some employees may be asked to make sacrifices on behalf of the firm. Handled correctly, a crisis is an opportunity to build long-term loyalty and goodwill with these employees. The key is to follow clear, respectful, and considerate policies that show a concern for the individual, their extended family, and their financial situation.

Organized into six areas, these are a few of the policy questions that you may have to face in the event of a disaster. How prepared is your firm to answer these questions?

Employee Relations and Communications

  • In the event of a disaster, who is responsible for communicating with the employees?
  • Are they the same individuals who will communicate an “all-clear” message?
  • If a disaster is declared, how will employees be notified?
  • Have employees been briefed on this disaster recovery procedure within the past year?
  • Has this procedure been tested for compliance with organization policies within the past 12 months?
  • Do employees know how to respond to crisis communication inquiries from the media?
  • How will employees communicate with the firm during a crisis?

Employee Compensation Policies

  • In the event of a widespread disaster, how will payroll be handled?
  • If banks are closed, will the organization provide payroll-cashing services?
  • What is the firm’s business continuity policy on cash advances, check cashing, and employee loans?
  • If relocated to remote location(s), will employees be given a stipend?
  • During a shutdown, can employees draw on their sick and vacation time without restriction?
  • Will employees continue to earn vacation and sick time during a crisis?

Employment Continuity Policies

  • If the firm is forced to shut down temporarily, will employees continue to be paid?
  • How will contractors be treated if there is a shutdown?

Work Requirements

  • Will “essential workers” be expected to work overtime during the crisis?
  • How would a long-term crisis affect scheduled vacations, sick leave, maternity leave, and sabbaticals?
  • Will “exempt” employees be compensated for overtime during a prolonged crisis?

Employee Relocation Policies

  • If employees are asked to commute to a different location, will they be reimbursed for out-of-pocket expenses?
  • If employees are asked to relocate to a remote location, who is responsible for making travel and lodging arrangements?

Employee Support Programs

  • Will the firm provide dependent care support if schools and other institutions are shut down?
  • If relocated, may employees bring their families?
  • If relocated, will any non-work-related expenses for families be covered?
  • Is the firm prepared to provide healthcare coverage in remote locations?
  • If some employees are not immediately available to move, will they continue to be paid?
  • Are arrangements in place to deal with a reduction in public services and security?

Recommendations

Now is the time to establish a reputation as a concerned organization interested in the welfare of its employees. By publishing the firm’s disaster recovery plans and business continuity policies and openly discussing the topic, management gives employees confidence in the ability of the organization to respond decisively to a disaster.

Letting everyone know what is expected of them and what they can expect of the organization helps employees prepare psychologically for the pressures they will face when dealing with a crisis. Clear, concise, and consistently applied governance and human resource policies are one of the keys to successfully recovering from any disaster.

Several professional associations provide information and conduct research on the topic of social impact planning. We urge our clients to join one or more of these professional societies and to invest time in learning about this important area of Operational Resiliency Planning.

For more information on this subject, other business continuity topics or business continuity policies please write to:

Info@ContinuityCompliance.org

A Short History of BCP

Management often expects a short briefing on the background of a subject that is being presented to them for the first time. The purpose of this chapter is to provide you with some interesting and amusing historic material that you can use if asked to give an historical context to the practice of business continuity planning.

Business continuity concepts, such as preparing for a crisis and protecting vital records, are as old as life itself. The idea of protecting ourselves when confronted by a crisis is a deeply ingrained biological imperative. Reflexes help us cope with unexpected threats while our brain lays down new neural pathways based on past experience that help us anticipate and avoid future dangers. This is called learning[1].

Our immune system marshals the body’s resources and uses complex chemistry to defend against threatening infections. In a confrontational situation, our hearts pump faster, delivering greater amounts of nutrient-rich, oxygenated blood to our muscles. We begin to draw on our stored energy pools[2] and all of our senses enter a heightened state of awareness. When threatened, we automatically release adrenaline and other stimulants that help us deal with the emergency. Face it, the “fight or flight” response of all higher animals is an instinctive “emergency response system.”

With the development of language came some of the first storage techniques and data protection strategies. In the pre-writing era, a key way of accurately passing information from one generation to the next was through the repetitive telling of epic tales and poems. Songs and ballads were also widely used as memory devices[3]. These songs were regularly and repetitively taught to children as a way of passing on important information such as tribal history, religious traditions, and other moral or philosophical beliefs. While there was always the possibility that a single re-teller would change or modify one or more parts of the message, the fact that others had a “copy” of the original message stored in memory (literally!) provided a useful error correction mechanism. Using a bit of imagination we can even view initiation and puberty rites as the forerunners of testing and auditing practices.

Writing developed in Mesopotamia and Egypt over 6,000 years ago. What started out as pictograms representing a specific object evolved into hieroglyphics which associated images with sounds[4]. This in turn led to the development of alphabets which are the basis of all written European languages. A modern form of these word pictures has survived in the puzzle style known as a rebus[5]. Modern Asian languages such as Japanese and Chinese remain highly pictorial and use different symbols to represent sounds[6].

Example of Early Writing

There is much speculation as to why written language developed. One theory is that the need for record keeping at trading centers drove the creation of writing. This is supported, at least anecdotally, by the large number of accounting records that have survived. The number of bills of lading and shipment inventories in our possession from these early times far exceeds the quantity of religious, historic or other types of texts that have been preserved. Initially, these documents were recorded on very durable materials such as stone or, in the case of cuneiform, on clay tablets. The use of these materials speaks to the importance placed on these earliest of written vital records. Some of these symbols are still in use today, as with the symbol that the medical community recognizes as standing for the concept of a recipe.[7]

Around 5,000 years ago, the Egyptians invented papyrus – a paper-like substance that served as the primary recording medium for almost 3,000 years. Then, in 104 AD, Ts’ai Lun of China learned to crush the bark of the mulberry tree, mix it with water, and perfected a drying technique that resulted in the creation of the first paper.

A Notable Disaster

Jumping forward in time, the burning of the great library of Alexandria is an early example of how a fire led to the catastrophic loss of data because the information was stored on papyrus, and not something more durable.

Most scholars attribute the founding of this library to Ptolemy I Soter of Egypt at the beginning of the 3rd century BC[8]. At its peak, the library was reputed to have contained between 400,000 and 700,000 scrolls, each of which held the equivalent of approximately twenty-five of today’s typed pages[9].

The library was truly a world repository of knowledge. One theory holds that the library was founded when a student of Aristotle by the name of Demetrius Phalereus asked Ptolemy II for a safe place to store his teacher’s private writings. From this beginning, the library continued to grow until the reign of Ptolemy III when, by law, anyone entering the city of Alexandria was required to turn over any books or scrolls to the library scribes, where they were quickly copied; the duplicates were returned to the owners while the originals were retained by the library staff.

Tragedy struck sometime in October of 48 BC when Julius Caesar ordered the burning of the Egyptian fleet; in the ensuing conflagration, the library is reported to have caught fire and been destroyed[10].

Interestingly, recent archeological discoveries indicate that a second “branch” of the library operated beneath the Temple of Serapis in the same city[11]. Perhaps this represents one of the earliest examples of what computer technologies of today would call a “mirrored site.”

Manuscript Copying, Data Integrity and Technology

While the copying of material (an early form of data replication) can be traced to the time of the Alexandrian library, in Western Europe this practice came into widespread use during the “Middle Ages.” Monastic clerks undertook the task of copying a wide variety of materials including histories, philosophical writing and scientific studies. Unfortunately, since manuscript copying was performed by individuals with little or no supervision focused on the faithfulness of the copying process, this growth in data replication led to a corresponding increase in information corruption. History shows that many monks decided to insert their own views into some of the material they were copying, which led to the first cases of widespread data integrity problems.

Eventually, technology came to the rescue. Block printing techniques in both the Far East and in Europe eliminated the constant morphing of information and with the introduction of Gutenberg’s moveable type printing press in 1436, record and document protection took a giant leap forward.

The Beginning of the Computer Age

Computing devices have been around longer than most people think, especially when you realize that early structures such as Stonehenge in the UK were astronomical calculators. One of the earliest hand-held devices is the “Antikythera Mechanism,” found in the wreck of a ship off the Greek islands around 1900. This device dates back to around 87 BC and was also a calculator, used to predict the movement of the stars and the Zodiac. Equally old is the abacus, and there is evidence that “tally sticks” were used by the Mesopotamians thousands of years ago.

A rash of calculating devices emerged in Europe in the 17th and 18th centuries, but they were not programmable and thus are considered calculating devices, not computers. In 1801, Joseph Marie Jacquard used punched paper cards to “program” his textile loom to produce a repetitive pattern, but no calculations were involved.

A giant leap forward in technology occurred when, in 1833, Charles Babbage began work on what is now recognized as the world’s first computer. Known as the “Analytical Engine,” he demonstrated that the unit could be programmed and could answer mathematical calculations submitted to it on punched cards. Lacking funds, his invention was never commercialized. It wasn’t until 1890, when the U.S. Census Bureau contracted with Herman Hollerith of the Computing Tabulating Recording Corporation (CTR Corp.), that computers were seen as a commercial success[12].

The use by Babbage of punch cards revealed a weakness in the design of the process. Punched cards were rather fragile and easily damaged. Babbage and his colleague Ada Byron, Countess of Lovelace, began to research strategies for easily, accurately, and quickly duplicating their card decks. Many historians mark this effort at data protection through replication as the beginning of modern day disaster recovery techniques and the origin of our current business continuity industry.

Electronic calculating devices were in use during the 1930s and 1940s, but the first electronic computers made their appearance in the early 1940s in Europe and the U.S.[13] Then, in the 1950s, International Business Machines began using magnetic tape as a storage medium[14]. Descendants of this technology are still in wide use today and represent the dominant medium used in backup applications.

By the 1970s it was common to keep information in electronic form on magnetic tapes which were far more compact and easier to handle than paper-based storage media, thus simplifying the task of data protection. Magnetic tapes were classified by the density per inch of information stored on them and also by how the information was distributed across the storage medium. For example, recording techniques were developed that tightly packed information on magnetic tapes by creating side-by-side tracks.

Some of the tape technologies that found widespread commercial use in the computer industry were the 7-track and 9-track tape formats. The 9-track format in particular gained acceptance as, in parallel, engineers found ways to increase the amount of information stored in each of these tracks per inch of material. 9-track tapes evolved from packing densities of 800 bits per inch (bpi) to 1600 bpi and eventually to 6250 bpi formats. Over time other tape formats came into common use, including 4 mm and 8 mm tape and DLT (digital linear tape), all three of which are still in use today.

Cross Over Technology

Advances in tape formatting technology provide an excellent example of the technical crossover that often takes place between the computer industry and other marketplaces. Many of the same advancements in tape technology that benefited the computer business found their way into the music industry. Commercial recording companies were anxious to find a lower cost and more easily handled medium for music and voice capture than vinyl records and seized the opportunity that tape advances offered. One example of this crossover of technology is the popular 8-track music tapes of the late 1970s. With the introduction of compact tape cassettes, sound recording moved into a new era. Music pirating came into vogue as people made copies (backups in computer parlance) of their originally purchased cassettes (the source code in this case) and exchanged them with friends. Some rock bands such as the Grateful Dead even encouraged fans to duplicate recordings and share them freely. This practice of copying digitally recorded music was the precursor to today’s online music craze, which has led to the widely successful Apple iPod and helped promote the creation of the MP3 data recording standard.

The introduction of inexpensive but reliable recording devices allowed some businesses such as brokerage firms to inexpensively record conversations between their employees and clients as a way of mitigating the risk of lawsuits for inappropriate or incorrect stock trades. At about the same time, home voicemail entered the consumer market. Originally based on tape technology (in a variety of formats), eventually alternative storage media such as “solid state disks” (which aren’t really circular in construction!) replaced the wide range of tape cassettes that were used in home recording devices while leaving the core concepts the same. Today, with the increased capacity and access speed offered by various storage products, several industries are moving to require the long term archiving of phone conversations and other customer interactions as part of a company’s business record[15].

The storing of information on magnetic media such as tape dramatically simplified the disaster/recovery process. Tape technology was a more compact medium of storage and the retrieval time was vastly shorter since information could be “streamed”[16] back into computer memory at a much higher speed than with paper tape or punched cards. Also, magnetic tape took up less space and proved to be a more durable and easily handled medium than its paper predecessors. Today, magnetic tape is viewed to be a low cost but “delicate” medium (relative to other more rugged technologies such as solid state “jump drives”) that requires care and attention. The widespread use of tape and other removable storage technologies[17] has given rise to an entire sub-specialty of the backup and recovery industry known as “media management” which is concerned with tracking both the physical location and technical characteristics of these various storage media.

With the introduction in 1956 of the first magnetic disk drive (the IBM RAMAC[18]), the storage segment of the computer business took off and remains one of the most robust areas of technology. Computer technology continued to improve as did the associated storage technologies. Operating systems began to reside in the computer’s magnetic “core” memory. This computer memory technology was followed in rapid succession by a number of silicon-based memory technologies. In parallel, the first random-access[19] rotating memory storage devices (magnetic disks and drums) were brought to market. All the while the volume of data being digitally stored on devices was growing at a phenomenal pace as was the problem of how to protect against loss, damage or destruction.

Just as processing technology advanced at an accelerating pace, so did the associated technologies of information protection. Ever more sophisticated technologies were developed that allowed the manipulation of data in ways that began to also provide increased levels of data protection. Various algorithms were introduced that not only could detect when data copied from one memory location to another was incorrect, but also could do much to automatically correct the detected errors[20]. Soon these advances found their way into mass storage devices[21] which brought on an important advance in the integrity of stored digital information.

In parallel, speed and quantitative advances in computer processing systems, sub-systems and their components were matched by a qualitative improvement in the reliability of these manufactured devices. Together, these advances made possible entirely new approaches to the challenge of data integrity and reliable, long-term storage.

With the steep decline in the cost of rotating mass storage devices, RAID[22] technology – a storage-integrity technique that could be embedded in the disk drive’s controller[23] – became available. This data integrity technology allowed magnetic disk drives[24] to offer the same class of error detection and correction capabilities that the earlier block parity techniques had brought to computer system random access memory. Software versions of this same RAID technology came into general use, as did low-cost dedicated RAID storage units. Today, RAID is a common and very affordable technology that provides a dramatic increase in storage reliability, even for home personal computers.
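The two techniques described in the preceding paragraphs, single-bit error correction for memory words and parity-protected striping across disks, are easy to see in miniature. The following Python is an added example written for this page, not code from the page or from any memory or RAID vendor: it implements a Hamming(7,4) code (the classic single-error-correcting block code, assumed here as a stand-in for the memory ECC described above) and the byte-wise XOR parity that a single-parity RAID stripe uses to rebuild a lost block. The block names, sizes and contents are constructed for the demonstration.

```python
"""Added example: memory-style single-bit error correction beside RAID-style XOR parity."""
from functools import reduce


def hamming74_encode(nibble: int) -> int:
    """Encode 4 data bits as a 7-bit Hamming codeword.

    Codeword positions 1..7 are laid out as p1 p2 d1 p4 d2 d3 d4; each parity
    bit covers every position whose 1-based index has that bit set.
    """
    d1, d2, d3, d4 = (nibble >> 3) & 1, (nibble >> 2) & 1, (nibble >> 1) & 1, nibble & 1
    p1 = d1 ^ d2 ^ d4  # covers positions 1, 3, 5, 7
    p2 = d1 ^ d3 ^ d4  # covers positions 2, 3, 6, 7
    p4 = d2 ^ d3 ^ d4  # covers positions 4, 5, 6, 7
    return reduce(lambda acc, b: (acc << 1) | b, [p1, p2, d1, p4, d2, d3, d4], 0)


def hamming74_decode(codeword: int):
    """Return (nibble, syndrome).

    A non-zero syndrome is the 1-based position of a single flipped bit; the
    bit is corrected before the data nibble is returned. A zero syndrome means
    no error was detected.
    """
    bits = [(codeword >> (6 - i)) & 1 for i in range(7)]  # bits[0] is position 1
    p1, p2, d1, p4, d2, d3, d4 = bits
    syndrome = (p1 ^ d1 ^ d2 ^ d4) | ((p2 ^ d1 ^ d3 ^ d4) << 1) | ((p4 ^ d2 ^ d3 ^ d4) << 2)
    if syndrome:
        bits[syndrome - 1] ^= 1  # flip the offending bit back
    _, _, d1, _, d2, d3, d4 = bits
    return (d1 << 3) | (d2 << 2) | (d3 << 1) | d4, syndrome


def xor_parity(blocks):
    """Parity block of equal-length data blocks: the byte-wise XOR of all of them."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def rebuild_block(surviving, parity):
    """Recover the one missing block: XOR of every surviving block and the parity block."""
    return xor_parity(list(surviving) + [parity])


def stripe_consistent(blocks, parity):
    """True if the stripe's data still matches its parity (detects damage, cannot locate it)."""
    return xor_parity(blocks) == parity


# Constructed sample stripe: three "disks" of 8 bytes each plus one parity disk.
STRIPE = [b"block-00", b"block-01", b"block-02"]
PARITY = xor_parity(STRIPE)

if __name__ == "__main__":
    word = hamming74_encode(0b1011)
    # Flip codeword position 5 (shift 2 from the right); decoder reports and fixes it.
    print(hamming74_decode(word ^ (1 << 2)))
    # Simulate losing the middle disk and rebuilding it from the survivors plus parity.
    print(rebuild_block([STRIPE[0], STRIPE[2]], PARITY) == STRIPE[1])
```

The syndrome from the Hamming decoder tells the memory controller which bit to flip, so a single-bit memory error is corrected silently. A single XOR parity block, by contrast, can rebuild a block whose identity is already known (a failed disk) and can report that a stripe no longer matches its parity, but it cannot say which block was silently altered; that gap is why production storage pairs parity with per-block checksums or a second, independently computed parity.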

And, in another example of how technology can be re-purposed, Apple’s iPod family has spurred on the wide-scale use of very small form-factor disks and a related technology – memory sticks – known collectively as MP3 players in recognition of the dominant music recording format used to store songs and other audio-oriented products such as podcasts[25].

Early computing facilities were highly specialized affairs which grew out of the use of sensitive mechanical tabulation equipment in the 1920s, 1930s and 1940s. Government and businesses alike quickly realized that special environmental conditions and highly trained technicians were a requirement for successful computer operations. Since efficiency was the goal of computing[26] it was significantly more cost effective to centrally locate the computer and all of its associated subsystems in one location, leading to the birth of the computer center. Early cost justification arguments for investment in computing equipment emphasized the labor saving benefits of automation over manual processes[27] and assumed the presence of computing experts who would manage the operation. This effort gave birth to the Information Systems (IS) group. Early political infighting at many companies eventually led to the creation of the Information Technology department model which combines several technologies including telecommunications and computing.

Driven to show a better return on the investment in equipment, computer designers made increased performance speed their primary goal. The strategy, still followed in some ways today, was to build larger and larger machines[28] which could “crunch” numbers much faster. This initiative gave rise to the mainframe and eventually, the supercomputer[29]. Unfortunately, usability never became a mainstream goal of any major computing powerhouse[30].

Other Advances

Another commonly used technology in the 1960s, 1970s and even through the 1980s, was a photographic medium known as microfiche.

The copying of information to microfiche was known as COM (computer output to microfiche) and it was often used in conjunction with so-called mainframe[31] computers. Today’s equivalent is called COLD (computer output to laser disk and DVDs). Just as with magnetic media, the focus of this technology was data protection.

In parallel other aspects of a computer’s overall architecture and supporting sub-systems were being improved. Some of the more significant advances included:

  • Uninterruptible Power Supplies (UPSs). Specially configured battery systems that, in the event of a loss of primary electrical power, deliver a continuous supply of energy for a specified period of time (generally measured in minutes). This technology allows many processes either to shut down with a minimum of data corruption or to keep operating while a secondary source of electrical power is engaged (often a backup electrical generator).
  • Computer Clusters[32]. An array of multiple computer systems under the direction of a common set of software applications which share the computational workload and can even automatically reconfigure themselves to continue operating in the event of a loss of one or more members of the cluster.
  • Non-Stop and High Availability Computers. These are sophisticated computers constructed with redundant subsystems (both N+1 and 2N architectures) so that in the event of a component failure, the computer can continue to operate in a nearly seamless manner. These same techniques can even be applied to sophisticated software programs such as databases and e-mail systems.
  • Network Attached Storage (NAS) units[33]. Dedicated storage systems, complete with their own operating systems, software applications and computer processor for management of the storage assets, network connections and computational activities. These devices were a direct outgrowth of the file server concept first introduced by companies such as Sun Microsystems and Apollo computers.
  • Storage Area Networks (SANs). The creation of these massive shared storage resource devices was made possible by parallel advances in networking and backplane technology as well as distributed file system software.

Software advances in the fields of synchronous and asynchronous data replication were made and brought to market. Today it is possible and affordable for even a small firm with little or no Information Technology (IT) staff to safely store multiple copies of all of its current data and have the information ready for quick retrieval in the event of a failure of one of the primary computing resources.

Other developments in the field of electronic archiving, e-vaulting and document management followed a similar evolution. These technologies concern themselves with the long-term storage of specific files, records and documents. This is in contrast to backup and data replication technologies, both of which are concerned with creating an exact copy of all the information present in a computer system at a specific point in time, regardless of the importance or transitory nature of the information.

Document management and related “information life cycle management” (ILCM) technologies continue to attract investment attention as various industry and government regulations begin to call for the long-term retention of records, files and documents. A closely related field is that of “compliance management[34],” which deals with fulfilling the requirements of various statutes and regulations. Importantly, compliance management deals not just with securely storing these documents but also requires that protections and tracking systems be established that ensure:

  • the records are preserved in their original form (un-tampered with),
  • access and authorship are traceable,
  • and the documents can be keyword-searched and retrieved in short periods of time[35].
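The three requirements above map onto concrete controls: an integrity check that exposes any alteration of a stored record, a log of who wrote and who read each record, and an index that makes retrieval fast. The following Python is an added example written for this page, not part of the text or of any compliance product: it keeps records in a hash chain (each record’s SHA-256 digest covers the previous record’s digest, so editing or removing any record breaks every later link), records every read and write against a named principal, and maintains a simple keyword index. The record contents, authors and principals are constructed sample data.

```python
"""Added example: a minimal tamper-evident, access-logged, searchable record store."""
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Entry:
    seq: int          # position in the chain
    author: str       # who wrote the record
    content: str      # the record itself
    prev_hash: str    # digest of the previous entry (zeros for the first)
    digest: str       # SHA-256 over (seq, author, content, prev_hash)


class RecordStore:
    """Append-only store whose entries are hash-chained and whose reads are logged."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self.access_log = []  # (seq, principal, action) tuples, oldest first
        self.index = {}       # keyword -> set of seq numbers

    @staticmethod
    def _digest(seq, author, content, prev_hash):
        payload = json.dumps([seq, author, content, prev_hash], separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def append(self, author, content):
        """Add a record, link it to its predecessor, index it, and log the write."""
        seq = len(self.entries)
        prev = self.entries[-1].digest if self.entries else self.GENESIS
        self.entries.append(Entry(seq, author, content, prev, self._digest(seq, author, content, prev)))
        for word in content.lower().split():
            self.index.setdefault(word.strip(".,:;"), set()).add(seq)
        self.access_log.append((seq, author, "write"))
        return seq

    def read(self, seq, principal):
        """Return a record's content and log who retrieved it."""
        self.access_log.append((seq, principal, "read"))
        return self.entries[seq].content

    def search(self, keyword):
        """Sequence numbers of every record containing the keyword."""
        return sorted(self.index.get(keyword.lower(), set()))

    def verify(self):
        """Return the seq of the first entry whose chain link or digest is wrong, else None."""
        prev = self.GENESIS
        for e in self.entries:
            if e.prev_hash != prev or e.digest != self._digest(e.seq, e.author, e.content, e.prev_hash):
                return e.seq
            prev = e.digest
        return None


def build_sample_store():
    """Populate a store with constructed sample records (not real business data)."""
    store = RecordStore()
    store.append("alice", "Trade confirmation for account 1234.")
    store.append("bob", "Client instruction: sell 100 shares of ACME.")
    store.append("alice", "Trade confirmation for account 5678.")
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print("intact:", store.verify() is None)          # True
    print("matches:", store.search("confirmation"))    # [0, 2]
    store.read(1, "auditor")
    # Simulate an in-place edit of the stored copy; the chain breaks at that record.
    store.entries[1].content = "Client instruction: sell 1000 shares of ACME."
    print("first broken link:", store.verify())        # 1
```

verify() reports the first record at which the chain no longer matches. The chain is tamper-evident only while the latest digest is anchored somewhere the writer cannot rewrite (a signed log, a separate system, or a periodically published value); anyone able to replace the whole chain could simply recompute it from scratch, which is why the access log and the anchored head digest belong under different custody than the records themselves.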

Compliance management is a very storage intensive area and one that is projected to undergo explosive growth through the end of the first decade of the twenty-first century.

Technical Advances and Language

So profound is the impact of computer technology on our daily lives that it has affected our ways of thinking and speaking. New words have entered our language and older ones have taken on new meanings. The information stored in this new digital medium became known by the vernacular “data”[36]. The coding of information into a digital format was called “inputting,” while reporting of results was called “outputting”[37]. Computer instructions initially had to be converted into binary code, which gave rise to the term “coding,” and the sequential ordering of these coded instructions was associated with the word “programming.” The original collection of programmed instructions used to achieve a process was called “source code,” and a failure of any type meant that the system was “down”[38]. An early error with one of the first computer systems was eventually traced to the fact that insects had gotten into the circuitry, an event that gave rise to the wide-scale application of the word “bugs” as a reference for a range of problems[39]. Over time computer circuitry became much more reliable and people came to realize that errors were less likely to be due to a processing error than to the input of incorrect or damaged information. This realization gave birth to the concept of “GIGO”[40].

At this same time the practice of making one or more duplicate copies of data was seen as an important operational strategy and the process of “backing up” data became commonplace. Eventually, someone got the idea that it would be better if this copied information was taken to a second location away from the central computer site (hence the term “offsite”) in an effort to reduce the risk of damage or loss (an early form of risk assessment and mitigation)[41]. Many of these techniques and terms are still in use today, but some terms – like “offsite” – have taken on a more general meaning than just digital data. For example, people who work from home or while traveling are said to be working “offsite.”

Some records and classes of information were considered to have an ongoing value and the age-old concept of archiving was applied to computer information. As more of our economy became dependent on intangible assets, archived digital information was used as a form of collateral in various business transactions. This practice led to the adoption of the concept of “escrowing” source code – a term adopted by the computer industry that had previously been reserved for financial assets or real property.[42]

Other Concerns

While the computer industry pushed the frontiers of technology ahead, businesses began to understand that data backup was only one facet of disaster planning. Other issues, such as alternative sites and replacement staffing, began to attract attention. Many of the larger companies also understood that having backup tapes was little consolation if a disaster prevented access to their data center.

In an effort to address these issues, the Sun Oil Company in 1978 initiated an arrangement with twenty other Philadelphia-based organizations to act as a backup site for each other and to share resources among the group. The group signed a lease for property at 401 Broad Street in Philadelphia and, with this step, another aspect of the modern disaster recovery business was born. Some five years later, Sun Oil spun out the division of its data processing group that was managing this resource, and the SunGard company was born[43].

An Ever Changing World

The September 11, 2001 destruction of the World Trade Center in New York City and the destruction of part of the Pentagon Building in Washington DC put a number of business continuity plans to the test, but also sparked the attention of management teams all around the world that instantly understood that disasters can strike anyone, anywhere without warning.

On a local level, hundreds of businesses located in downtown Manhattan simultaneously faced a catastrophic loss of people, facilities, infrastructure and data. Many business continuity plans, which had been developed in the few years since the first attack on the NYC World Trade Center, were activated. The fact that so many businesses were able to survive and eventually return to normal operations is a testament to the excellent planning and professional execution of these plans by the continuity professionals at these firms.

Today, business continuity planning is no longer viewed as an arcane discipline. The Internet has become a major marketplace for millions of businesses, institutions and government agencies that find that they must now operate twenty-four hours a day, seven days a week as the world enters the 21st Century and the next phase of business evolution – a true information-age economy.

Longer term, commerce and communications will become even more entangled and traditional businesses will continue to change. In a world economy where it is becoming ever more difficult to differentiate between an organization and its supply chain, service level agreements (SLAs) will increasingly be used to manage the interaction between vendors and clients. Being able to confidently operate a business under the terms of an SLA will become a major secondary mission of business continuity planners, and the need for consultants to facilitate this transformation is expected to grow exponentially over the next few years.

And to think it all began with teaching children songs around campfires thousands of years ago!


[1] The process of natural selection should also be viewed as a species-wide coping strategy that applies to all forms of life from viruses on up.

[2] These are also known as fat deposits.

[3] Think of them as “verbal storage units.” Some of these tales were also associated with various ceremonies and dances – both of which are memory enhancing techniques and can also be used to convey information as in the Hula dance of the natives of Hawaii and the rain ceremonies of the indigenous natives of America.

[4] Katie Harrow: “A Brief Guide to the History of the Written Word”, www.newarchaeology.com/articles

[5] An image that represents the word or phrase phonetically. Example:  translates, “I love you.”

[6] For example: Hiragana and Katakana versus Kanji.

[7] The exact origin of this term is a matter of debate with some claiming that the symbol is an abbreviation for the Latin words: “recipere” or “recipe,” which means “take, thou.” Others claim it had its origin in an invocation to the Roman god Jupiter while another theory claims it is derived from the ancient Egyptian hieroglyph for the god Horus.

[8] From Wikipedia: The Free Encyclopedia. at http://en.wikipedia.org/wiki/Alexandria.

[9] Which would put the combined page total at between 10,000,000 and 17,500,000 pages of information.

[10] In fairness, it must be noted that other sources attribute the destruction of the library to at least two other culprits: the Orthodox Patriarch Theophilus of Alexandria and Caliph Omar of Damascus.

[11] From the Egyptian Weekly, Al Ahram, at http://weekly.ahram.org.eg/2003/668/he1.htm

[12] CTR Corp. became IBM

[13] For example, the Zuse Z3 was publicly shown in May of 1941 in Germany.

[14] IBM commercialized this technology which was first used on the UNIVAC 1 in 1951.

[15] Guidelines already exist that encourage U.S. brokerage firms to archive “instant message” discussions.

[16] That is – sequentially transmitted to the computer system. The term is a reference to the speed with which water or another object moves and is derived from a design term such as streamlining.

[17] For example, optical disk-based products like CDs and DVDs.

[18] 5 MB for $50,000. Adjusted for inflation, we have seen an improvement in commodity disk drive price/performance of around 70 million!

[19] As opposed to tape technology which, because of its physical layout, was more of a sequential access medium.

[20] For example: Hamming Codes which offer block parity and forward error correction.

[21] For example, the use of cyclic redundancy checks (CRCs) and longitudinal redundancy checks (LRCs).
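To make notes [20] and [21] concrete, here is an added example in Python (not material from the book): a Hamming(7,4) code, which corrects any single flipped bit in a 7-bit block, beside a longitudinal redundancy check (byte-wise XOR) and a CRC-8 (polynomial 0x07, the CRC-8/SMBUS variant), which only detect corruption. The sample record and the corruption scenarios are constructed for the demonstration; the byte-swap case shows why an LRC is the weaker check, since XOR does not change when two bytes trade places.

```python
"""Error detection vs. forward error correction, as used on storage media.

Added example: LRC and CRC-8 detect corruption; Hamming(7,4) corrects a
single flipped bit. All sample data below is constructed for illustration.
"""


def lrc(data: bytes) -> int:
    """Longitudinal redundancy check: XOR of every byte in the record."""
    result = 0
    for byte in data:
        result ^= byte
    return result


def crc8(data: bytes, poly: int = 0x07) -> int:
    """CRC-8, polynomial x^8 + x^2 + x + 1 (0x07), init 0, no reflection.

    The standard check value for the ASCII string '123456789' is 0xF4.
    """
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x80:
                crc = ((crc << 1) ^ poly) & 0xFF
            else:
                crc = (crc << 1) & 0xFF
    return crc


def hamming74_encode(nibble: int) -> list:
    """Encode a 4-bit value into a 7-bit Hamming codeword.

    Positions are 1-based: parity bits sit at 1, 2 and 4, data bits at
    3, 5, 6 and 7. Parity bit p covers every position whose index has bit p set.
    """
    if not 0 <= nibble < 16:
        raise ValueError("nibble must be 0..15")
    code = [0] * 8                      # index 0 is unused padding
    code[3] = (nibble >> 3) & 1
    code[5] = (nibble >> 2) & 1
    code[6] = (nibble >> 1) & 1
    code[7] = nibble & 1
    for p in (1, 2, 4):
        for i in range(1, 8):
            if i != p and i & p:
                code[p] ^= code[i]
    return code[1:]


def hamming74_decode(bits) -> tuple:
    """Return (nibble, corrected_position).

    corrected_position is 0 when the syndrome is clean, otherwise the 1-based
    index of the single bit that was flipped and has now been corrected.
    """
    code = [0] + list(bits)
    syndrome = 0
    for p in (1, 2, 4):
        parity = 0
        for i in range(1, 8):
            if i & p:
                parity ^= code[i]
        if parity:
            syndrome |= p
    if syndrome:
        code[syndrome] ^= 1             # forward error correction
    nibble = (code[3] << 3) | (code[5] << 2) | (code[6] << 1) | code[7]
    return nibble, syndrome


def verify_record(payload: bytes, stored_lrc: int, stored_crc: int) -> dict:
    """Recompute both checks on a stored record and report which still match."""
    return {"lrc_ok": lrc(payload) == stored_lrc,
            "crc_ok": crc8(payload) == stored_crc}


def demo() -> dict:
    """Constructed scenarios: a flipped bit, a swapped byte pair, a corrected nibble."""
    original = b"BACKUP-2012"            # constructed sample record
    l, c = lrc(original), crc8(original)

    flipped = bytearray(original)
    flipped[4] ^= 0x10                   # single-bit corruption in byte 4
    swapped = bytes([original[1], original[0]]) + original[2:]  # 'BA' -> 'AB'

    codeword = hamming74_encode(0b1011)
    damaged = list(codeword)
    damaged[4] ^= 1                      # flip position 5 (1-based)
    nibble, pos = hamming74_decode(damaged)

    return {
        "bit_flip": verify_record(bytes(flipped), l, c),
        "byte_swap": verify_record(swapped, l, c),
        "hamming_recovered": nibble,
        "hamming_corrected_position": pos,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the bit flip caught by both checks, the byte swap caught only by the CRC, and the damaged Hamming codeword decoding back to the original value with position 5 reported as corrected.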

[22] Originally an acronym for “redundant arrays of inexpensive disks,” this term has been redefined because of the general price decrease of disk drive technology to mean redundant arrays of independent disks.

[23] More precisely, in the commands that were programmed into the drive controller known as “firmware.”

[24] This same technology could be applied equally well to magnetic tapes. During his time at Data General Corporation, the author was involved in just such an engineering initiative that applied RAID techniques to magnetic tapes. For economic and performance reasons, this product line was not commercially released.

[25] Memory sticks are used in some very small MP3 players as well as in so-called “jump drives” or “thumb drives,” and can be found dangling on key chains around the world.

[26] Early attempts to cost justify investment in computing equipment emphasized the efficiency of automation over manual processes. Computer architecture was initially focused on increasing speed by creating larger and larger machines. The economic goal behind this strategy was the achievement of “economies of scale.”

[27] This is a cost displacement argument that states that the same or less money can be spent to gain better performance.

[28] This approach to computer design is best described as “brute force” computing.

[29] And today, massive parallel computers and the field of grid-based computing.

[30] Except perhaps Apple Computer, which has a market share measured in the low single digits.

[31] This term arises from the fact that in the construction of early computers, the electronics used for the central processing unit made up the primary or “main” part of the device. These electronic boards were physically put into a metallic frame – thus the term “mainframe.”

[32] The author was involved in the introduction and marketing of the first computer clusters by Digital Equipment Corporation in the early 1980s.

[33] Here again, the author was involved in the creation and launch of what is widely regarded as the first NAS system – the Epoch-1 from Epoch Systems, Inc.

[34] This topic is dealt with in detail in another section of this book.

[35] This retrieval time is usually measured in days.

[36] As in data center or data processing.

[37] The “put” in these words is widely acknowledged to refer to the “put” in computing.

[38] There is some evidence that the term “down” came from the observation that during the repair process technicians took the damaged component circuit boards down from the mounting cage holding the rest of the computer system in place while they repaired it.

[39] People often talk about “buggy” software or applications and its use is not limited to the computer business since it is not unusual to hear statements like: “I’m still working the bugs out of this car’s engine.”

[40] An acronym for the phrase: garbage in, garbage out.

[41] Spawning a number of other companies that catered to this need, including Iron Mountain.

[42] Escrowing was generally reserved for the source code of various application programs.

[43] From Sungard Magazine at http://www.sungard.com/magazine/sungard3235annhistory.pdf

Business Continuity FAQs

Within a Business Continuity Assessment process, are there any special considerations that should be factored into the Emergency Response Plan?

By law, organizations must take into consideration the safety needs and requirements of all employees. This includes preparations for the health and safety of individuals who may require special assistance during a crisis. The Chief Compliance Officer recommends that the question of special assistance be included as part of new employee orientation. In this way, those who may require additional assistance can voluntarily identify themselves. Each time the ERP is reviewed and updated, this issue should be readdressed and incorporated into the business continuity disaster recovery plan(s).

Is it important to assign responsibility for the Emergency Response Plan (ERP) to a specific individual?

A Business Continuity Risk Program along with its Emergency Response Plan component cannot succeed without responsibilities being clearly defined. This is particularly true when it comes to management of the ERP. For this reason it is critical to identify one or more individuals who, at the time of a crisis, could fulfill this role. Because of the seriousness of this responsibility it is best to recruit volunteers willing to deal with uncomfortable situations and disturbing sights. In addition, the Chief Compliance Officer recommends that this role be empowered with emergency authority to assign critical sub-tasks to others outside the team. Examples might include purchasing of replacement items or issues related to human resources.

What considerations go into the use and management of a crisis communication system?

Even if a fully functioning ERP is not in place, establishing some type of communications system that can work during an emergency should be an early ERP business compliance priority. Intercoms, pre-programmed cell phone numbers, inexpensive walkie-talkies, even fog horns can provide some rudimentary communications capability.

What is the best technique for reducing confusion during a crisis?

Confusion in crisis situations is to be expected, and the best way to reduce it is through training and practical exercises. However, awareness of the need for business continuity training for your employees before a crisis, along with regularly scheduled compliance audits that verify against a compliance checklist that this training is being implemented, will also greatly reduce the level of confusion in these crisis situations.

Are there other, often overlooked areas of the crisis communications plan to which an organization should be sensitive?

A crisis communications plan is a complex and important element of a business continuity plan. Compliance monitoring, along with the compliance procedures most applicable to crisis management requirements, is often overlooked when preparing a business continuity template for that plan. For example, determining the organization’s requirements as they apply to individuals with special needs is vitally important and may be a legal requirement of that plan. The same is true regarding communications with non-English speakers.

What is a Key Control System and how does it factor into a Security Analysis Process in a Business Continuity Plan?

Key control is an organized and formal security system that addresses control of master keys within a building or facility. It prevents unauthorized access to the facility. Through the use of documentation and status reporting, critical elements in the master key system can be controlled. Gather answers to questions such as: What are your keying systems? What keys do you have? What keys have you issued? What keys are not accounted for? Where are the keys? Who has them now? Can you account for all keys? Controlling access to facilities requires understanding who has access, when, and under what conditions. This is an even greater problem when employees leave. For example, electronic security systems can be hacked if improperly secured.

It is a good practice to have an individual assigned to this task.
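A minimal version of the bookkeeping the answer above describes, as an added example in Python (not the book’s own material): it reconciles a constructed key inventory, issuance log, key-cabinet count and staff roster, and surfaces the cases that matter most at separation time, namely keys still held by former staff, a master key outside the organization’s control (which calls for rekeying), a key signed out to two people at once, and keys that are neither on hand nor signed out. Key identifiers, names and dates are all constructed.

```python
"""Key-control reconciliation: added example, not from the book.

Answers the FAQ's questions from four constructed data sets: the keys that
exist, the issuance log, the keys physically counted in the cabinet, and the
current staff roster.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Issue:
    key_id: str
    holder: str
    issued_on: str                      # ISO date, constructed
    returned_on: Optional[str] = None   # None means still outstanding


# Constructed sample data. "master" keys open every door on the system.
KEY_INVENTORY = {
    "M-001": "master", "M-002": "master",
    "D-101": "door", "D-102": "door", "D-103": "door", "D-104": "door",
}
ISSUE_LOG = [
    Issue("M-001", "facilities.lead", "2011-03-01"),
    Issue("M-002", "j.smith", "2011-06-15"),            # j.smith has since left
    Issue("D-101", "a.jones", "2012-01-10"),
    Issue("D-102", "a.jones", "2012-01-10", returned_on="2012-04-30"),
    Issue("D-103", "b.lee", "2012-02-02"),
    Issue("D-103", "c.wong", "2012-03-03"),             # same key issued twice, never returned
]
CABINET_COUNT = {"D-102"}                               # keys physically on hand today
ACTIVE_STAFF = {"facilities.lead", "a.jones", "b.lee", "c.wong"}


def reconcile(inventory, log, cabinet, active_staff):
    """Return the findings a key-control custodian should act on."""
    outstanding = defaultdict(list)     # key_id -> holders who never returned it
    for entry in log:
        if entry.returned_on is None:
            outstanding[entry.key_id].append(entry.holder)

    findings = {
        "outstanding_by_holder": defaultdict(list),  # "who has them now?"
        "held_by_former_staff": [],                  # the separation problem
        "double_issued": [],                         # log inconsistency
        "unaccounted": [],                           # neither on hand nor signed out
        "unknown_keys": [],                          # signed out but not in inventory
        "rekey_required": False,                     # a master key left with a leaver
    }
    for key_id, holders in outstanding.items():
        if key_id not in inventory:
            findings["unknown_keys"].append(key_id)
        if len(holders) > 1:
            findings["double_issued"].append(key_id)
        for holder in holders:
            findings["outstanding_by_holder"][holder].append(key_id)
            if holder not in active_staff:
                findings["held_by_former_staff"].append((key_id, holder))
                if inventory.get(key_id) == "master":
                    findings["rekey_required"] = True
    for key_id in inventory:
        if key_id not in cabinet and key_id not in outstanding:
            findings["unaccounted"].append(key_id)

    findings["outstanding_by_holder"] = dict(findings["outstanding_by_holder"])
    for name in ("held_by_former_staff", "double_issued", "unaccounted", "unknown_keys"):
        findings[name].sort()
    return findings


if __name__ == "__main__":
    for name, value in reconcile(KEY_INVENTORY, ISSUE_LOG,
                                 CABINET_COUNT, ACTIVE_STAFF).items():
        print(f"{name}: {value}")
```

On the constructed data the report flags D-104 as unaccounted for, D-103 as signed out to two people, and master key M-002 as still held by a former employee, which sets `rekey_required`; the same run answers “who has them now?” through `outstanding_by_holder`.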

Are there other commonly overlooked security issues that a security risk assessment process should address in the security compliance sections of a business continuity plan?

A common risk overlooked in security training and security audits but still allowed in many organizations both large and small, is permitting delivery staff to enter and then move around the facility with little or no monitoring of their activities. Everyone in a UPS brown coverall carrying a box is not necessarily a safe individual and may not even be a UPS employee. However, once inside a facility, the image of a uniform of some type will tend to discourage further attention or scrutiny. This sense of trust may allow certain individuals access to areas when normally they should be challenged.

A risk management plan including specific security audit functions, policies and procedures should also be in place to track when and where employees and contractors are working at any specific time.

Is the risk of workplace violence increasing?

The short answer to this question is “Yes!” The increase in workplace violence suggests that every organization should have a clearly defined policy stating that no violence, of any type, is tolerated. Risk from violence comes not only from outside the organization but also from threatening behavior among employees or from supervisors. Escalation of violence from verbal to physical is well documented. These increased levels of risk should be matched with stronger compliance risk management and compliance risk assessment policies and procedures within an organization. Maintaining a corporate security awareness attitude among all employees is a necessary defense against this risk as well.

Name some other “best practices” associated with a compliance methodology to support proper levels of security within an organization.

  • Keep a record of visitors to the facility
  • Issue security badges to all employees and contractors
  • Issue visitor badges to all others
  • Conduct a background check on independent contractors
  • Instruct employees to “challenge” anyone not displaying a badge of some type
  • Conduct an annual inspection of all locks
  • Conduct an annual security inspection with the help of an outside party.

Is having a relationship with one’s neighbors considered part of the business continuity or general security plan?

Having cordial relations with neighbors is always desirable. One way of establishing this type of relationship is by setting up a mutual aid agreement built around evacuation plans. This will improve your organization’s potential to survive a crisis situation. Having a reciprocal agreement that allows the sheltering of employees at an adjacent facility in an emergency promotes both better Life Safety and a close working relationship. Such arrangements also lead to the development of a more resilient community. However, such mutual agreements also bring additional security considerations, since your facility may become inundated with non-employees in times of emergency; a security assessment and evaluation procedure should therefore always be at the ready to signal cause for alarm if necessary.

Information Security Tools

Computer Room G2

For most members of a business continuity team facing potential security threats, the successful use of information security tools is often assumed to fully correct those potential risks. However, that assumption may leave you and your organization still at risk. The reason you may be at more risk than you realize has to do with understanding what it means to be secure. That understanding gets confused because security is not a binary value, where something is simply assumed to be secure or not. Your ability to maintain a secure status depends on constant monitoring of threats to that security. In fact, without active integration and review, the security level of an organization will degrade over time simply because the threats to that security are constantly changing. Conclusion: be careful how much confidence you put in information security tools being able to solve your security problems over time.

Information security checklists, and the development of those lists, should be thought of as an ongoing activity for every organization. All too often organizations do not fully realize the importance of keeping that checklist relevant to their own unique requirements. While there surely are components of that list that are common to many organizations, the real effectiveness of the checklist depends on including the vital elements of control and monitoring that will produce the most effective levels of security for that organization. A continuous improvement approach to keeping the information security checklist relevant and effective must be constantly supported, monitored and measured by management.

Too often people confuse business continuity with disaster recovery. While the differences are well documented by subject experts, very often a company’s first exposure to an evaluation of its business continuity capabilities happens when it is asked to complete a business continuity questionnaire. By the end of that process, it becomes very evident that a disaster recovery plan is but one component (albeit an important one) of a total business continuity plan.

Information security reporting is a controversial component, and yet often a critical element, of an organization’s security control plan. The reason it is controversial often comes down to the fact that the information security event reported is not regarded as important enough to be given full management support and/or funding. Then too, failing to relate that event in a measurable way to its impact on the organization diminishes the importance of that event. For example, when evaluating the effectiveness of a spam filter on an organization’s email inboxes, the organization may overlook the additional value created by that security control: it also lowers the time employees waste on spam email and thereby increases their productivity.

Congressional Voting Record for Public Law 110-53

Implementing Recommendations of the 9/11 Commission Act of 2007


Introduction

On August 3, 2007, President George Bush signed legislation that has profound implications for all private sector business in the United States. Entitled “Implementing Recommendations of the 9/11 Commission Act of 2007” (a.k.a. PL 110-53), this newly enacted law provides up to $21 billion in grants and other forms of funding over the next five fiscal years (ending September 30, 2012) to improve the responsiveness of many “Critical Infrastructure Sectors” and specifies new initiatives in security.

As defined in this Act, the following are considered Critical Infrastructure Sectors:

  • Agriculture and Food Resources
  • Banking and Finance Industry
  • Chemical Industries
  • Commercial Nuclear Reactors, Materials and Waste
  • Dams and Other Flood Control Systems
  • The Defense Industry Base
  • Energy Services and Transmission
  • Emergency Services
  • Government Facilities
  • Information Technology
  • National Monuments and Icons
  • Postal and Shipping Facilities
  • Public Health and Healthcare
  • Telecommunications
  • Transportation Systems
  • Water Resources

Scope of PL 110-53

The Act consists of twenty-four Titles, each of which either modifies an existing Statute or addresses other aspects of the recommendations of the 9/11 commission.

  • TITLE I—HOMELAND SECURITY GRANTS
  • TITLE II—EMERGENCY MANAGEMENT PERFORMANCE GRANTS
  • TITLE III—ENSURING COMMUNICATIONS INTEROPERABILITY FOR FIRST RESPONDERS
  • TITLE IV—STRENGTHENING USE OF THE INCIDENT COMMAND SYSTEM
  • TITLE V—IMPROVING INTELLIGENCE AND INFORMATION SHARING WITHIN THE FEDERAL GOVERNMENT AND WITH STATE, LOCAL, AND TRIBAL GOVERNMENTS
  • TITLE VI—CONGRESSIONAL OVERSIGHT OF INTELLIGENCE
  • TITLE VII—STRENGTHENING EFFORTS TO PREVENT TERRORIST TRAVEL
  • TITLE VIII—PRIVACY AND CIVIL LIBERTIES
  • TITLE IX—PRIVATE SECTOR PREPAREDNESS
  • TITLE X—IMPROVING CRITICAL INFRASTRUCTURE SECURITY
  • TITLE XI—ENHANCED DEFENSES AGAINST WEAPONS OF MASS DESTRUCTION
  • TITLE XII—TRANSPORTATION SECURITY PLANNING AND INFORMATION SHARING
  • TITLE XIII—TRANSPORTATION SECURITY ENHANCEMENTS
  • TITLE XIV—PUBLIC TRANSPORTATION SECURITY
  • TITLE XV—SURFACE TRANSPORTATION SECURITY
  • TITLE XVI—AVIATION
  • TITLE XVII—MARITIME CARGO
  • TITLE XVIII—PREVENTING WEAPONS OF MASS DESTRUCTION PROLIFERATION AND TERRORISM
  • TITLE XIX—INTERNATIONAL COOPERATION ON ANTITERRORISM TECHNOLOGIES
  • TITLE XX—9/11 COMMISSION INTERNATIONAL IMPLEMENTATION
  • TITLE XXI—ADVANCING DEMOCRATIC VALUES
  • TITLE XXII—INTEROPERABLE EMERGENCY COMMUNICATIONS
  • TITLE XXIII—EMERGENCY COMMUNICATIONS MODERNIZATION
  • TITLE XXIV—MISCELLANEOUS PROVISIONS

Background

The bill was sponsored by Representative Bennie Thompson of Mississippi. Two hundred and five others signed on to the bill as co-sponsors, indicating strong support for the proposed measures. With the support of Majority Leader Nancy Pelosi, this Act was designated as House Bill #1 and passed a roll call vote of the House of Representatives on January 9, 2007. The vote was 299 in favor, 128 against and 8 Not Voting.

On July 9th, a version of the bill passed the Senate by Unanimous Consent. A detailed record of those voting was not kept.

On July 26, 2007, the Bill passed a joint conference committee of the House and Senate by a vote of 85 to 8 with 7 Not Voting.

A final vote was put to the entire Congress. The Bill passed with a vote of 371 in favor, 40 against and 22 recorded as Not Voting.

From a geographical standpoint, the Senate vote, which reflects the various House votes, can be represented graphically as follows:


The Bill enjoyed bi-partisan support, as indicated by the final vote:

                      Total Votes        Democrats   Republicans   Independents
  For the Bill        371    (86%)       221         150           0
  Against the Bill     40    ( 9%)         1          39           0
  Not Voting           22    ( 5%)         9          13           0

On August 3, 2007 President Bush signed the Bill into law.

The Congressional Budget Office estimates that this measure will cost the average American family $212.60 over the course of the next five years.

For more information on this important legislation, please visit www.NorthRiverSolutions.com. Please direct specific questions to PL110@NorthRiverSolutions.com.

In an effort to provide interested parties with a better understanding of this important legislation, North River Solutions has assembled this summary of the Act. Much of the information contained in this report is taken from a summary analysis prepared by the Congressional Research Service.

Title I – Risk-Based Allocation of Homeland Security Grants

Section 101 –

Amends the Homeland Security Act of 2002 (HSA) to set forth provisions governing Department of Homeland Security (DHS) grants for first responders pursuant to the State Homeland Security Grant Program, Urban Area Security Initiative, and Law Enforcement Terrorism Prevention Program to prevent, prepare for, respond to, mitigate against, or recover from terrorist attacks. Directs the Secretary of Homeland Security (the Secretary) to: (1) evaluate and prioritize applications based on the degree to which applicants would lessen the threat to persons and critical infrastructure; and (2) ensure that each state receives no less than .25% of grant funds available in a fiscal year (.45% for international border states). Lists: (1) critical infrastructure sectors and types of threats that the Secretary shall specifically consider; and (2) minimum allocation amounts for states, territories, and directly eligible tribes.

Specifies authorized uses of covered grants. Prohibits the use of grant funds to supplant state or local funds, to construct physical facilities, to acquire land, or for any state or local government cost sharing contribution. Establishes requirements for intelligence analysts. Authorizes covered grant applicants to petition the Secretary for reimbursement of the costs of any activity relating to terrorism prevention, preparedness, response, or recovery that is a federal duty being performed by a state or local government under agreement with a federal agency. Sets the federal share of the costs of activities carried out under covered grants at 100% for the two-year period following enactment of this Act and at 75% thereafter. Requires each covered grant recipient to submit annual reports on homeland security spending. Establishes penalties for states that fail to pass through funds or resources to local governments, first responders, and other local groups, as required by this Act.

Requires the Secretary to report to Congress on grant program activities annually.

Title II – Ensuring Communications Interoperability for First Responders

Section 201 –

Amends HSA to direct the Secretary, acting through the Director of the Office of Grants and Training in coordination with the Director for Emergency Communications, to establish the Improve Communications for Emergency Response Grant Program to make grants to states and regions to carry out initiatives to improve interoperable emergency communications.

Title III – Strengthening Use of a Unified Incident Command During Emergencies

Section 301 –

Amends the Department of Homeland Security Appropriations Act, 2007 to require that the national exercise program (to test and evaluate the national preparedness goal, National Incident Management System, National Response Plan, and other related plans and strategies): (1) be designed to provide for systematic evaluation of readiness and enhance operational understanding of the Incident Command System and relevant mutual aid agreements, address the unique requirements of special needs populations, and include the prompt development of after-action reports and plans for quickly incorporating lessons learned into future operations; and (2) provide assistance that includes a selection of model exercises that state, local, and tribal governments can readily adapt. Includes among the responsibilities of the Regional Administrators of the Federal Emergency Management Agency (FEMA) assisting state, local, or tribal governments to pre-identify and evaluate suitable sites where a multi-jurisdictional unified command system can be quickly established if the need arises.

Title IV – Strengthening Aviation Security

Section 401 –

Directs the Secretary to submit to Congress a cost sharing study regarding installation of in-line baggage screening equipment, together with the Secretary’s analysis, a list of provisions of the study the Secretary intends to implement, and a plan and schedule for implementation.

Section 402 –

Extends the authorization for the Aviation Security Capital Fund.

Section 403 –

Establishes in DHS the Checkpoint Screening Security Fund. Directs the Secretary to impose a uniform fee on air passengers for deposit into the Fund, from which amounts shall be available for research, development, purchase, deployment, and installation of equipment to improve the ability of security screening personnel at screening checkpoints to detect explosives.

Section 404 –

Directs the Assistant Secretary for Homeland Security (TSA) to submit to Congress the strategic plan for deployment and use of explosive detection equipment at airport screening checkpoints.

Section 405 –

Extends the authorization for aviation security funding.

Section 406 –

Requires the Secretary to: (1) establish a system to inspect 100% of cargo transported on passenger aircraft, phased in over a three-year period, and report to Congress; and (2) submit to Congress and the Comptroller General a report regarding an assessment of each exemption granted and an analysis to assess the risk of maintaining such exemption. Directs the Comptroller General to review the report and provide to Congress an assessment of the methodology of determinations made by the Secretary for maintaining, changing, or eliminating an exemption.

Section 407 –

Directs the Secretary to establish: (1) a timely and fair process for individuals who believe they have been delayed or prohibited from boarding a commercial aircraft because they were wrongly identified as a threat; and (2) an Office of Appeals and Redress to oversee the process. Provides for recordkeeping and information sharing to allow the Transportation Security Administration (TSA) or other agencies to assist air carriers in improving their administration of the advanced passenger prescreening system and reducing the number of false positives. Requires the Office to establish at each airport at which DHS has a significant presence a process to allow air carrier passengers to begin the appeals process.

Section 408 –

Repeals certain personnel management authorities, including a provision authorizing the Under Secretary of Transportation for Security to employ and fix the compensation, terms, and conditions of employment for screeners. Directs: (1) the Secretary to take any measures necessary to provide for the uniform treatment of all TSA employees; and (2) the Government Accountability Office (GAO) to report to the House and Senate homeland security committees on the pay system that applies to TSA employees.

Section 409 –

Directs the Secretary to submit to Congress a plan that: (1) describes the system to be used by DHS to compare passenger information to the automatic selectee and no fly lists, utilizing the consolidated and integrated terrorist watchlist; (2) provides a projected timeline for testing and implementing the system; (3) explains how the system will be integrated with the prescreening system for passengers on international flights; and (4) describes how the system complies with the Privacy Act of 1974.

Title V – Strengthening the Security of Cargo Containers

Section 501 –

Permits a container to enter the United States, either directly or via a foreign port, only if the container is: (1) scanned with equipment that meets standards established by the Secretary, including for the use of technology to scan for radiation, density, and atomic elements; and (2) secured with a seal that meets standards established by the Secretary, including for the use of technology to detect and identify the time of any container breach. Authorizes appropriations. Phases in application of this requirement. Encourages the Secretary to promote and establish international standards for container security with foreign governments and international organizations.

Title VI – Strengthening Efforts to Prevent Terrorist Travel

Subtitle A – Human Smuggling and Trafficking Center Improvements

Section 601 –

Directs the Secretary, acting through the Assistant Secretary of Homeland Security for Immigration and Customs Enforcement (ICE), to: (1) provide specified administrative support and funding to the Human Smuggling and Trafficking Center; (2) develop a plan; and (3) execute, with the Attorney General, a Memorandum of Understanding to clarify cooperation and coordination between ICE and the Federal Bureau of Investigation (FBI) regarding issues related to human smuggling, human trafficking, and terrorist travel. Requires the Office of Intelligence and Analysis (renamed under section 741), in coordination with the Center, to submit to law enforcement and relevant agencies periodic reports regarding terrorist threats related to such smuggling, trafficking, and travel.

Subtitle B – International Collaboration to Prevent Terrorist Travel

Section 611 –

Directs the Secretary of State and the Secretary, in conjunction with the Director of National Intelligence and other federal agency heads, to report to Congress on U.S. efforts to collaborate with international partners and allies to increase border security, enhance global document security, and exchange terrorist information.

Subtitle C – Biometric Border Entry and Exit System

Section 621 –

Directs the Secretary to report to the House and Senate homeland security committees on the plan to accelerate implementation of an automated biometric entry and exit data system.

Title VII – Improving Intelligence and Information Sharing with Local Law Enforcement and First Responders

Subtitle A – Fusion and Law Enforcement Education and Teaming (FLEET) Grant Program

Section 702 –

Directs the Secretary to carry out a Fusion and Law Enforcement Education and Teaming (FLEET) Grant Program for local and tribal law enforcement agencies to detail law enforcement personnel to participate in a fusion center that serves such agency’s geographic area. Authorizes grants to: (1) hire or pay personnel to perform the duties of eligible law enforcement personnel who are detailed to a fusion center; (2) provide training; and (3) establish communications connectivity between detailed law enforcement personnel and the home agency.

Requires the Secretary to submit a FLEET Grant Program implementation plan to Congress and encourage the participation of fusion centers and local and tribal law enforcement in developing such plan. Requires all detailed personnel to undergo privacy and civil liberties training. Sets forth requirements regarding applications, grant distribution, priorities, matching funds, grant renewal, revocation or suspension of funding, and reports to the Secretary and to Congress. Directs the Secretary to: (1) create a mechanism for participating state, local, and tribal law enforcement officers and intelligence analysts to fill out an electronic customer satisfaction survey and to periodically assess program effectiveness; and (2) submit a continuation assessment to Congress five years after program implementation.

Subtitle B – Border Intelligence Fusion Center Program

Section 712 –

Establishes in DHS the Border Intelligence Fusion Center Program to station Customs and Border Protection (CBP) and ICE officers or intelligence analysts in the fusion centers of participating border states. Makes funding available to hire new CBP and ICE officers or intelligence analysts to replace those stationed at such centers. Authorizes the Secretary to develop qualifying criteria for a center’s participation in the Program. Provides for stationing at least one CBP and one ICE officer or analyst at each participating center. Sets forth provisions regarding prerequisites for participation and expedited security clearance processing.

Directs CBP officers and analysts assigned to centers to: (1) help law enforcement in jurisdictions along the northern and southern borders and center staff to overlay threat and suspicious activity with federal homeland security information to develop a more comprehensive and accurate threat picture; and (2) review border security-relevant information from law enforcement sources, create border intelligence products, and disseminate such products to border law enforcement, as well as to DHS’s Office of Intelligence and Analysis. Grants them direct access to relevant databases. Directs the Secretary to create a customer satisfaction survey, develop an implementation plan, and submit various reports and a continuation assessment to Congress.

Subtitle C – Homeland Security Information Sharing Enhancement

Homeland Security Information Sharing Enhancement Act of 2007

Section 722 –

Directs the Under Secretary for Intelligence and Analysis (as renamed in section 741) to implement a Homeland Security Advisory System to provide public advisories and alerts regarding threats to homeland security, including national, regional, local, and economic sector advisories and alerts.

Section 723 –

Directs the Secretary to: (1) integrate and standardize the information of DHS intelligence components into an information sharing environment, to be administered by the Under Secretary; and (2) designate an information sharing and knowledge management officer for each component who shall report to the Under Secretary regarding coordinating the different systems used in DHS to gather and disseminate homeland security information.

Directs the Under Secretary to: (1) establish a DHS-wide procedure for the review and analysis of information gathered from state, local, tribal, and private sector sources and integrate such information with federal agency information; (2) provide training and educational opportunities to DHS employees; and (3) evaluate how employees of the Office and DHS intelligence components are utilizing homeland security information and participating in the information sharing environment.

Directs the Secretary to: (1) establish a comprehensive information technology network architecture for the Office; and (2) report to Congress.

Subtitle D – Homeland Security Information Sharing Partnerships

Homeland Security Information Sharing Partnerships Act of 2007 –

Section 732 –

Directs the Secretary to: (1) establish a State, Local, and Regional Fusion Center Initiative to establish partnerships with such centers; and (2) establish a Homeland Security Information Sharing Fellows Program. Sets forth reporting and privacy impact requirements.

Subtitle E – Homeland Security Intelligence Offices Reorganization

Section 741 –

Renames: (1) the Directorate for Information Analysis and Infrastructure Protection as the Office of Intelligence and Analysis; and (2) the Under Secretary for such Directorate as the Under Secretary for Intelligence and Analysis. Expands the intelligence-related duties of the Under Secretary. Establishes within the Office an Internal Continuity of Operations Plan to assure the continuation of intelligence operations during emergencies.

Section 742 –

Specifies the responsibilities of each DHS intelligence component. Directs the Secretary to provide training for employees.

Section 743 –

Establishes within DHS an Office of Infrastructure Protection, headed by an Assistant Secretary. Delineates the Assistant Secretary’s responsibilities, including carrying out comprehensive assessments of the vulnerabilities of, and recommending measures to protect, key resources and critical infrastructure.

Title VIII – Protecting Privacy and Civil Liberties While Effectively Fighting Terrorism

Subtitle A – Privacy and Civil Liberties Oversight Boards

Protection of Civil Liberties Act –

Section 803 –

Amends the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) to make the Privacy and Civil Liberties Oversight Board an independent agency within the executive branch to be composed of a full-time chairman and four additional members. Requires the Board to: (1) receive and review reports from privacy and civil liberties officers; and (2) report at least semiannually to specified congressional committees on Board activities and specified other matters.

Requires the Attorney General, the Secretaries of Defense, State, Treasury, Health and Human Services, and Homeland Security, the National Intelligence Director, the Director of the Central Intelligence Agency (CIA), any other intelligence community entity, and any other executive branch element designated by the Board to designate a senior officer to: (1) assist in considering privacy and civil liberties concerns when proposing, developing, or implementing efforts to protect the nation against terrorism; (2) periodically investigate and review actions, procedures, guidelines, and related laws and their implementation to ensure adequate consideration of privacy and civil liberties; (3) ensure adequate complaint procedures; and (4) consider whether proposals to retain or enhance a particular governmental power actually enhance security and whether there is adequate supervision to protect privacy and civil liberties and adequate guidelines and oversight.

Makes exceptions where there is a statutorily created privacy or civil liberties officer. Prohibits reprisals for making complaints, with exceptions. Requires: (1) periodic reports; (2) privacy and civil liberties officers to keep the public informed, consistent with the protection of classified information and applicable law; and (3) the Secretary to ensure that DHS complies with protections for human research subjects.

Subtitle B – Enhancement of Privacy Officer Authorities

Privacy Officer With Enhanced Rights Act of 2007 or the POWER Act –

Section 812 –

Amends HSA with respect to the authorities of the DHS privacy officer. Authorizes such officer to: (1) have access to all records and other materials available to the DHS relating to programs and operations for which the privacy officer has responsibilities; (2) make necessary or desirable investigations and reports on the administration of DHS programs and operations; (3) subpoena necessary data and documentary evidence; and (4) take any other action that may be taken by the Inspector General of DHS to require DHS employees to produce documents and answer questions relevant to performance of the privacy officer’s functions. Requires the officer to report to Congress regarding such officer’s performance, without comment or amendment by any officer or employee of DHS or the Office of Management and Budget (OMB).

Title IX – Improving Critical Infrastructure Security

Section 901 –

Directs the Secretary, acting through the Assistant Secretary for Infrastructure Protection, to prepare and report annually to Congress on a vulnerability assessment of the critical infrastructure information available to the Secretary for a fiscal year.

Section 902 –

Directs the Secretary to: (1) establish, maintain, and annually update a National Asset Database to identify and prioritize critical infrastructure and key resources and protect them from terrorist attack; (2) establish within that Database a National At-Risk Database identifying the infrastructure most at risk; (3) establish a National Asset Database Consortium to advise the Secretary on the best way to identify, generate, organize, and maintain such databases; (4) remove from the databases assets determined to be unverifiable; (5) classify assets in the Database according to the 17 sectors listed in the National Infrastructure Protection Plan; (6) identify and evaluate key milestones for the databases and issue guidelines for states to submit uniform information for possible inclusion and for review of submissions by DHS; and (7) report annually to the homeland security committees.

Title X – Transportation Security Planning and Information Sharing

Section 1001 –

Directs the Secretary to: (1) establish a Strategic Transportation Security Information Sharing Plan to ensure the robust development of tactical and strategic intelligence products for disseminating to public and private stakeholders security information relating to threats to and vulnerabilities of transportation modes; (2) report to Congress, including updates on implementation and an annual report; (3) conduct an annual survey of satisfaction of each of the recipients of transportation intelligence reports disseminated under the plan and include the results in the annual report; (4) ensure that public and private stakeholders have security clearances needed to receive classified information if information contained in transportation intelligence reports cannot be disseminated in an unclassified format; and (5) provide stakeholders with specific and actionable information in an unclassified format.

Section 1002 –

Requires transportation modal security plans to address risks, threats, and vulnerabilities for specified public transportation infrastructure assets. Modifies provisions regarding the National Strategy for Transportation Security to require: (1) risk-based priorities to be based on vulnerability assessments conducted by DHS; (2) the strategic plan to include the roles and missions of local and tribal authorities and the establishment of mechanisms for encouraging cooperation and participation by nonprofit employee labor organizations; (3) delineation of prevention responsibilities and issues regarding threatened and executed acts of terrorism within the United States; and (4) DHS research and development projects to be based on the prioritization of research and development objectives that support transportation security needs.

Requires periodic reports to include an assessment of progress on implementing transportation modal security plans, an accounting of all funds expended by DHS on transportation security, and information on the number of DHS employees working on transportation security issues and on employee turnover in the previous year. Requires the Secretary, before carrying out a transportation security activity that is not clearly delineated in the Strategy, to submit to appropriate committees a written explanation of the activity, including the amount to be expended. Directs the Secretary to provide an unclassified version of the Strategy to federal, state, and local agencies, tribal governments, private sector entities (including nonprofit employee labor organizations), and institutions of higher learning.

Title XI – Private Sector Preparedness

Section 1101 –

Amends HSA to direct the Secretary to: (1) develop and implement a program to enhance private sector preparedness for acts of terrorism and other emergencies and disasters through the promotion of the use of voluntary consensus standards; (2) develop guidance and identify best practices to assist action by the private sector in identifying hazards, assessing risks and impacts, and developing mutual aid agreements; and (3) support the development of, promulgate, and regularly update national voluntary consensus standards that will enable private sector organizations to achieve optimal levels of emergency preparedness as soon as practicable.

Title XII – Preventing Weapons of Mass Destruction Proliferation and Terrorism

Subtitle A – Repeal and Modification of Limitations on Assistance for Prevention of WMD Proliferation and Terrorism

Section 1211 –

Repeals limitations on assistance for prevention of weapons of mass destruction (WMD) proliferation and terrorism under the Soviet Nuclear Threat Reduction Act of 1991, the Cooperative Threat Reduction Act of 1993, and the National Defense Authorization Act for Fiscal Year 2000 (regarding Russian chemical weapons destruction facilities).

Modifies the National Defense Authorization Act for Fiscal Year 2004 regarding authority to use Cooperative Threat Reduction funds outside the former Soviet Union. Authorizes the Secretary of Defense (currently, the President) to obligate and expend such funds. Substitutes the Secretary for the President in other actions required, allowed, or prohibited. Repeals a $50 million cap on the amount obligated in a fiscal year. Requires congressional notification 15 days (currently, 10 days) after obligation of funds, except in the case of a situation that threatens human life or safety or where a delay would severely undermine national security. Makes similar changes to provisions of that Act regarding authority to use international nuclear materials protection and cooperation program funds outside the former Soviet Union.

Subtitle B – Proliferation Security Initiative

Section 1221 –

Expresses the sense of Congress that the President should strive to expand and strengthen the Proliferation Security Initiative (PSI) announced on May 31, 2003. Directs: (1) the Secretaries of State and Defense to submit a defined budget for PSI beginning with budget submissions for FY2009; (2) the President to transmit an implementation report to specified committees; and (3) GAO to submit to Congress an annual report with its assessment of the progress and effectiveness of PSI.

Section 1222 –

Authorizes the President to provide specified assistance under the Arms Export Control Act and the Foreign Assistance Act of 1961 to any country that cooperates with the United States and its allies to prevent the transport and transshipment of items of proliferation concern, subject to restrictions involving congressional notification, a three fiscal year limit, and uses of assistance.

Subtitle C – Assistance to Accelerate Programs to Prevent Weapons of Mass Destruction Proliferation and Terrorism

Section 1231 –

Declares that it is U.S. policy to eliminate obstacles to the timely obligation and execution of the full amount of appropriated funds for threat reduction and nonproliferation programs with concrete measures to accelerate and strengthen progress on preventing WMD proliferation and terrorism.

Section 1232 –

Authorizes appropriations to: (1) the Department of Defense (DOD) Cooperative Threat Reduction Program for specified purposes, including chemical weapons destruction in Russia; and (2) the Department of Energy (DOE) National Nuclear Security Administration for programs to prevent WMD proliferation and terrorism, to accelerate, expand, and strengthen the Global Threat Reduction Initiative, the Nonproliferation and International Security Program, the International Materials Protection, Control and Accounting Program, and the Research and Development Program.

Subtitle D – Office of the United States Coordinator for the Prevention of Weapons of Mass Destruction Proliferation and Terrorism

Section 1241 –

Establishes within the Executive Office of the President the Office of the United States Coordinator for the Prevention of Weapons of Mass Destruction Proliferation and Terrorism, who shall: (1) serve as the advisor to the President on all matters relating to the prevention of WMD proliferation and terrorism; (2) formulate a U.S. strategy for preventing WMD proliferation and terrorism; (3) lead interagency coordination of U.S. efforts to implement the strategy and policies; (4) conduct oversight and evaluation of accelerated and strengthened implementation of initiatives and programs to prevent WMD proliferation and terrorism by government agencies; and (5) oversee the development of a comprehensive and coordinated budget for programs and initiatives to prevent WMD proliferation and terrorism. Directs the Coordinator to report annually on strategy and policies.

Section 1242 –

Expresses the sense of Congress that the President should personally request the President of the Russian Federation to designate an official with the same responsibilities with whom the Coordinator should coordinate planning and implementation of activities in the Russian Federation to prevent WMD proliferation and terrorism.

Subtitle E – Commission on the Prevention of Weapons of Mass Destruction Proliferation and Terrorism

Section 1251 –

Establishes the Commission on the Prevention of Weapons of Mass Destruction Proliferation and Terrorism to: (1) assess current prevention activities, initiatives, and programs; and (2) provide a clear and comprehensive strategy and concrete recommendations for such activities, initiatives, and programs.

Directs the Commission to: (1) give particular attention to activities, initiatives, and programs to secure all nuclear weapons-usable material around the world; (2) significantly accelerate, expand, and strengthen U.S. and international efforts to prevent, stop, and counter the spread of nuclear weapons capabilities and related equipment, material, and technology to terrorists and states of concern; (3) address the roles, mission, and structure of all relevant government agencies and other actors, interagency coordination, U.S. commitments to international regimes and cooperation with other countries, and the threat of WMD proliferation and terrorism to the United States and its interests and allies; (4) reassess, update, and expand on the conclusions and recommendations of the Baker-Cutler Report; and (5) submit a final report on corrective measures to the President and Congress.

Title XIII – Nuclear Black Market Counter-Terrorism Act

Nuclear Black Market Counter-Terrorism Act of 2007 –

Subtitle A – Sanctions for Transfers of Nuclear Enrichment, Reprocessing, and Weapons Technology, Equipment, and Materials Involving Foreign Persons and Terrorists

Section 1311 –

Directs the President to impose sanctions for specified transfers of nuclear enrichment, reprocessing, and weapons technology, equipment, and materials involving foreign persons and terrorists, subject to a waiver.

Section 1312 –

Directs the President to submit annual reports to the appropriate committees on any activity by a foreign person involving such transfers and any sanctions imposed.

Subtitle B – Further Actions Against Corporations Associated with Sanctioned Foreign Persons

Section 1322 –

Directs the President to instruct all U.S. government agencies to try to persuade foreign governments and relevant corporations not to engage in any business transaction with a sanctioned foreign person or any parent or subsidiary of such person. Directs the Secretary of State to: (1) coordinate U.S. government actions; and (2) report annually to the appropriate committees.

Subtitle C – Rollback of Nuclear Proliferation Networks

Section 1331 –

Declares that U.S. foreign assistance should only be provided to countries that: (1) are not cooperating with any non-nuclear-weapon state or any foreign group or individual who may be engaging in, planning, or assisting any international terrorist group in the development of a nuclear explosive device or its means of delivery and are taking all necessary measures to prevent their nationals from participating in such cooperation; and (2) are fully cooperating with U.S. efforts to eliminate nuclear black-market networks or activities.

Section 1322 –

Requires the President to: (1) report to Congress identifying nuclear proliferation network host countries; and (2) suspend arms sales licenses and deliveries to such countries, subject to a national security waiver.

Title XIV – 9/11 Commission International Implementation

9/11 Commission International Implementation Act of 2007 –

Subtitle A – Quality Educational Opportunities in Arab and Predominantly Muslim Countries

Section 1411 –

Declares that it is U.S. policy to: (1) work and provide incentives to increase the availability of modern basic education through public schools in Arab and predominantly Muslim countries; (2) join other countries in supporting the International Arab and Muslim Youth Opportunity Fund; and (3) work to prevent financing of educational institutions that support radical Islamic fundamentalism.

Section 1412 –

Amends IRTPA to authorize the President to establish an International Arab and Muslim Youth Opportunity Fund as a separate fund in the Treasury or through an international organization or financial institution, to support programs to improve the educational environment in Arab and predominantly Muslim countries. Includes among such programs the provision of assistance: (1) to enhance modern educational programs; (2) for training and exchange programs for teachers, administrators, and students; (3) targeting primary and secondary students; and (4) for development of youth professionals. Authorizes appropriations. Requires the President to report to appropriate committees on U.S. efforts to assist in the improvement of educational opportunities for Arab and predominantly Muslim children and youths, including progress made toward establishing the Fund.

Section 1413 –

Requires the Secretary of State to report annually on efforts of Arab and predominantly Muslim countries to increase the availability of modern basic education and to close educational institutions that promote religious extremism and terrorism.

Section 1414 –

Makes permanent the pilot program under IRTPA to provide grants to American-sponsored schools in Arab and predominantly Muslim countries.

Subtitle B – Democracy and Development in Arab and Predominantly Muslim Countries

Section 1421 –

Declares that it is U.S. policy to: (1) promote specified objectives, including democracy, the rule of law, sustainable development, independent media, and women’s rights, in the countries of the Middle East, Central Asia, South Asia, and Southeast Asia; (2) provide assistance and resources to, and design strategies for, individuals and organizations in those countries that are committed to promoting such objectives; and (3) work with other countries and international organizations to increase the resources devoted to promoting such objectives. Directs the Secretary of State to submit to appropriate committees a report with a country-by-country five-year strategy to promote this policy.

Section 1422 –

Authorizes the Secretary of State to: (1) designate a private, nonprofit organization as the Middle East Foundation; (2) provide funding to it through the Department of State’s Middle East Partnership Initiative; and (3) require it to use such funds for grants to persons or non-governmental entities located or working in the Middle East to carry out projects that support such objectives. Sets forth provisions regarding grant applications, the private character of the Foundation, financial accountability, and annual reports.

Subtitle C – Restoring United States Moral Leadership

Section 1431 –

Expresses the sense of Congress that: (1) the United States needs to improve its communication of information and ideas to people in foreign countries, particularly those with significant Muslim populations; (2) public diplomacy should reaffirm the U.S. commitment to democratic principles; and (3) expansion of U.S. international broadcasting would provide a cost-effective means of improving communication with countries with significant Muslim populations.

Amends the United States International Broadcasting Act of 1994 to grant the President special surge capacity for international broadcasting to support U.S. foreign policy objectives during a crisis abroad. Authorizes appropriations to a United States International Broadcasting Surge Capacity Fund. Requires the Broadcasting Board of Governors’ annual report to the President and Congress to describe activities carried out under this section. Authorizes appropriations for U.S. international broadcasting activities.

Section 1432 –

Directs the Secretary of State to submit to the appropriate committees a report on the recommendations of the National Commission on Terrorist Attacks Upon the United States and policy goals described in IRTPA for expanding U.S. scholarship, exchange, and library programs in Arab and predominantly Muslim countries, including certification requirements that recommendations have been implemented and goals achieved.

Section 1433 –

Directs the Secretary of State to submit to the relevant committees a report on any progress toward implementing the recommendations of the 9/11 Commission for engaging U.S. allies to develop a common coalition approach toward the detention and humane treatment of individuals detained during Operation Iraqi Freedom, Operation Enduring Freedom, or in connection with U.S. counterterrorist operations.

Subtitle D – Strategy for the United States Relationship with Afghanistan, Pakistan, and Saudi Arabia

Section 1441 –

Declares that it is U.S. policy that: (1) the United States shall vigorously support the Afghan government; and (2) the President shall engage with that government and NATO partners to assess the success of the Afghan counter-narcotics strategy and explore all additional options.

Urges the reauthorization and updating of the Afghanistan Freedom Support Act of 2002.

Directs the President to increase the number of U.S. police personnel operating with Afghanistan civil security forces and increase efforts to assist the Afghan government in fighting corruption. Sets forth reporting requirements. Authorizes the President to provide assistance for the acquisition of emergency energy resources to secure the delivery of electricity to Kabul and other major Afghan cities and provinces. Authorizes appropriations.

Section 1442 –

Declares that it is U.S. policy to: (1) work with the Pakistani government to combat international terrorism; (2) establish a long-term strategic partnership with that government in addressing specified critical issues, including curbing the proliferation of nuclear weapons technology, combating poverty and corruption, and promoting democracy; (3) increase the funding for programs of the Agency for International Development (AID) and the State Department that assist that government in addressing such issues if that government demonstrates a commitment to building a moderate, democratic state; and (4) work with the international community to secure additional financial and political support to implement policies set forth in this section and to resolve the dispute between the Pakistani and Indian governments over Kashmir.

Directs the President to report to the appropriate committees on long-term U.S. strategy relating to Pakistan. Prohibits specified military assistance under the Arms Export Control Act and the Foreign Assistance Act of 1961 to Pakistan until 15 days after the President certifies that the Pakistani government is making all possible efforts to prevent the Taliban from operating in areas under its sovereign control, subject to a national security waiver.

Expresses the sense of Congress that the U.S. national security interest will best be served if the United States implements a long-term strategy to improve the U.S. relationship with Pakistan and works with its government to stop nuclear proliferation. Authorizes appropriations for a variety of other assistance for Pakistan for FY2008. Extends presidential authority to waive foreign assistance restrictions regarding Pakistan for FY2007-FY2008. Expresses the sense of Congress that determinations to provide such extensions beyond that period should be informed by the pace of democratic reform, extension of the rule of law, and the conduct of parliamentary elections scheduled for 2007.

Section 1443 –

Declares that it is U.S. policy to: (1) engage with the Saudi government to openly confront the issue of terrorism and other problematic issues, such as the lack of political freedoms; (2) enhance counterterrorism cooperation with that government if its leaders are committed to making a serious, sustained effort to combat terrorism; and (3) support efforts of that government to make political, economic, and social reforms.

Directs the President to report to the appropriate committees on progress on the Strategic Dialogue between the United States and Saudi Arabia, including progress toward implementing long-term U.S. strategy to: (1) engage with that government to facilitate such reforms; and (2) work with that government to combat terrorism.

Sources and Citations

The information contained in this report was drawn from a variety of sources including:

http://www.govtrack.us/congress/bill.xpd?bill=h110-1

http://www.washingtonwatch.com/bills/show/110_PL_110-53.html

http://www.cbo.gov/ftpdocs/85xx/doc8590/hr1pgo.pdf

Please visit www.NorthRiverSolutions.com for additional information on this and related topics.

Government Position on Business Continuity Concept

This is a useful link to get a feeling for the government’s position on the “business continuity” concept…

http://www.direct.gov.uk/en/Governmentcitizensandrights/Dealingwithemergencies/Preparingforemergencies/DG_175927

Facility Compliance

Facility compliance can mean a lot of different things depending on the industry and occupancy of the premises, but in most cases it means compliance with federal, state and local regulations pertaining to environment, health and safety. Healthcare and nursing facilities have different facility compliance issues than manufacturing facilities, for instance, due to specific regulations for the healthcare industry. It is difficult to outline all of the regulations that may impact facility compliance, but an overview of some of the general environmental, health and safety considerations will bring to light areas of concern.

Environmental

Federal and state governments regulate the environment primarily through environmental protection agencies. These agencies are for the most part concerned with land, air and water safety, which also impacts human life. Typically, the regulations regarding facility compliance pertain to:

  • Hazardous material identification, use, handling and storage
  • Hazardous waste generation, handling and disposal
  • Air quality and the emission of hazardous pollutants
  • Waste water and the control of pollutants entering surface waters
  • Recordkeeping on the facility’s activities involving all of the above environmental regulations

Health and Safety

Health and safety from a facilities perspective are regulated by various federal, state and local regulations and codes. A building’s construction and occupancy are subject to building, fire and health codes, to name a few. Worker health and safety is regulated by the Occupational Safety and Health Administration (OSHA). Some of the areas regulated by OSHA are:

  • Material storage
  • Means of egress
  • Occupational health and environment controls
  • Hazardous materials
  • Confined space
  • Fire protection
  • Machinery and machine guarding

While this is not an all-encompassing list of regulations to consider when assessing facility compliance, it does give an overview of some of the areas that should be included in a facility compliance review or facility compliance audit.

Family Emergency Supply Checklist


The Department of Homeland Security (DHS), the Red Cross and others have developed guidelines for family preparedness. The list shown below represents a consensus of opinion on this important issue.

This checklist is divided into eight sections. Continuity Compliance suggests that you verify the completeness of this list quarterly. A similar business continuity list is also available on this site.

Water

1 gallon per person per day (2 quarts for drinking, 2 quarts for food preparation and sanitation)

Recommendation: Keep a 3 – 5 day supply for each person in the household

Food

Select food that requires no refrigeration, no cooking, and little water

Ready-to-eat canned meats, fruits and vegetables

Canned juices, milk, soup (if powdered, store extra water)

Staples – sugar, salt, pepper

High energy foods – peanut butter, jelly, crackers, granola bars, trail mix

Vitamins

Foods for infants, elderly persons (be aware of special diet needs)

Comfort/stress foods, (candy), sweetened cereals, instant coffee, tea bags

Medication and Health

Bandages of various sizes

Half-dozen 2” sterile gauze pads

Half-dozen 4” sterile gauze pads

Adhesive hospital tape

Triangular bandages

2” sterile roller bandages (3 rolls)

3” Sterile roller bandages (3 rolls)

Hospital Scissors

Tweezers

A Needle

Moist towelettes

Antiseptic

Thermometer

Tongue blades

Petroleum jelly or equivalent

Safety pins of assorted sizes

Cleansing agent and soap

Latex gloves

Sunscreen

Aspirin or non-aspirin pain reliever

Anti-diarrhea medication

Antacid

Syrup of Ipecac

Laxative

Activated charcoal

Any special medications or prescriptions

Tools and Supplies

Mess kits, disposable cups, plates and utensils

Battery operated radio w/ fresh batteries

Flashlight with fresh batteries

Candles and lighter/matches (water proof)

$100 in cash or traveler’s checks

Non-electric can opener

Fire extinguisher (ABC)

Tube tent

Pliers

Tape

Compass

Aluminum foil

Plastic Storage Containers

Signal Flare

Paper and Pencil

Needles, thread

Medicine dropper

Shut off wrench

Whistle

Plastic sheeting

Local map

Toilet paper

Soap, liquid detergent

Feminine supplies

Personal hygiene items

Plastic garbage bag

Plastic bucket with tight lid

Disinfectant

Household chlorine bleach

Duct tape

Cloth hand towels

Clothing and Bedding

Work shoes or boots

Rain gear

Blankets or sleeping bags

Pillows

Hat and gloves

Thermal underwear

Sunglasses

Special Items

Baby supplies

Denture needs

Contact lenses and supplies

Entertainment items (games/ books)

Important Family Documents

Wills, insurance policies, contracts, deeds, stocks and bonds

Passports, social security cards, immunization records

Bank account numbers

Credit card account numbers

Inventory of valuable household goods

Telephone numbers

Family records

Family Disaster Plan

Designate a sheltered position a safe distance away from home

Designate a place outside of your neighborhood as a secondary site

Designate an out-of-state contact friend or family member as a contact point

Emergency numbers (including poison control) located at every phone

Periodically test smoke detectors

Consider a CO2 detector

For more information on this subject, other business continuity topics or business continuity policies please write to:

Info@ContinuityCompliance.org

Elements of a Business Continuity Plan

No one argues with the value of having a continuity plan. Considered a core discipline of business resiliency, the Continuity Plan (CP) deals with the actions organizations take before, during and after a crisis to ensure minimal disruption and loss.

The studies are in, the facts are verified, and the arguments are compelling! In the event of a catastrophe, having a comprehensive CP reduces business losses by up to 90% and helps maintain stakeholder confidence in the organization. However, despite universal acceptance of the value of planning, surprisingly few organizations have an ongoing program that promotes business continuity through planning, testing, and other forms of continual improvement. While some organizations shy away from developing a plan because they are intimidated by what may seem to be a significant commitment of time and resources to such a project, others just are not sure of how to proceed.

Below is a sample outline of a business continuity plan.

1.0 Cover Memorandum from Management
2.0 Signature Page of Program Team
3.0 Table of Contents
4.0 Memorandum to the Reader
5.0 Program Mission Statement & Glossary
6.0 Section 1 – General Policies
  6.1 Introduction
  6.2 Command and Control Center(s)
  6.3 Emergency Teams & Key Personnel
  6.4 Team Responsibility
  6.5 Coordination with Public Agencies
  6.6 Risk Analysis Results
  6.7 Disaster Scenarios Defined
  6.8 Business Impact Assessment
  6.9 Security and Disaster Prevention
  6.10 Awareness and Training Activities
  6.11 Response/Recovery/Restoration Goals
  6.12 Alternative Sites & Infrastructure
  6.13 Essential Services and Finance
  6.14 Plan Documentation
  6.15 Plan Distribution
  6.16 Plan Testing
  6.17 Plan Maintenance
  6.18 Inventory of Critical Assets
  6.19 IT & Telecom Recovery Considerations
7.0 Timetables, Strategies and Exhibits
  7.1 Introduction and Expectation
  7.2 Emergency Team(s) Activation and Role
  7.3 Initial Response & Recovery Actions
  7.4 Emergency Declaration Guidelines
  7.5 Detailed Life Safety Plans
  7.6 Detailed Employee Assistance Plans
  7.7 Detailed Facility & Security Plans
  7.8 Detailed IT & Telecom Plans
8.0 Crisis Communication Strategies
  8.1 Management Update Strategy
  8.2 Employee-oriented Communications
  8.3 Customer-oriented Communication
  8.4 Value Chain Communications
  8.5 Alternative Sourcing & Services
  8.6 Media Communications
  8.7 Other Stakeholder Communications
  8.8 “All Clear” Declaration
9.0 Damage Assessment
  9.1 Disaster Assessment Guidelines
10.0 Vital Function Recovery Timeframes
  10.1 RTO and RPO Guidelines
  10.2 Priority Restoration Plans
11.0 Human Resource Policy Issues
12.0 Facility and Security Considerations
13.0 Legal and Regulatory Concerns
14.0 Financial Management Issues
15.0 Organizational Considerations
16.0 Supply Chain and Logistics
17.0 Resumption of Normal Operations
18.0 Future Plan Testing Schedule
19.0 Post Event Analysis
20.0 Supporting Appendices

Plans come in many sizes and formats, and a plan’s organization reflects its purpose. Various industry and governmental groups have agreed on a common format, which has gained international acceptance. In the United States, this format finds expression in the publication NFPA 1600, while internationally a nearly identical structure is promoted by British Standard 25999. These methodologies form the core of the business continuity training and credentialing offered by the three most widely recognized organizations in this field: the Disaster Recovery Institute International (DRII), the Business Continuity Institute (BCI) and the International Consortium for Operational Resiliency (ICOR).

Openly discussing your business continuity plan with employees, vendors, and clients promotes development of a culture of safety and resiliency in the community.

Regardless of how well designed your plan is, it has little value if it is untested and unused. The best way to ensure its relevance is through regularly scheduled exercises and reviews. While some may view quarterly or semi-annual testing as an unnecessary expense, when a disaster strikes, these experiences can mean the difference between life and death. Several professional associations provide information and conduct research on the topic of business continuity planning.

We recommend that interested parties join one or more of these professional societies and invest time in learning about this important area of business continuity planning.
