Emergency Communications Systems — Will They Evolve into a Managed Systems Model?
January 30, 2010
Most business continuity planners and disaster recovery teams agree that the right technology mix can greatly affect the effectiveness and success of emergency communications regarding an incident management activity. They also agree that well constructed plans and highly capable individuals on those teams are doubly effective when given the correct tools to utilize during an emergency.
Berkly Trumbo, a mass notification systems (MNS) specialist, has recently written an article about how he sees recent developments and emerging thinking on this topic — emergency communication systems. We believe the information he provides is valuable input to the decisions of your organization’s internal BC/DR planning teams.
In his article, Mr. Trumbo offers the premise that a managed systems approach to emergency communications systems is becoming a popular topic among IT, facilities, and public safety stakeholders. After offering many examples to support his reasoning, he concludes that emergency communications systems are evolving towards a managed system model rather than remaining a collection of disjointed, boutique applications.
Click here to read the complete article as posted on the continuitycentral.com website for more details.
CyberSecurity Preparedness Resource in ChicagoFIRST
January 29, 2010
ChicagoFIRST is a non-profit association of private firms in the Chicagoland area that collaborates with one another and with government at all levels to promote the resilience of its members and the Chicago business community.
The ChicagoFIRST mission is to –
- Increase the resilience of the Chicagoland private sector in the event of an emergency, natural disaster, or terrorist event, in collaboration with the City of Chicago; the State of Illinois; and federal agencies, including the U.S. Departments of Treasury and Homeland Security, FEMA, FBI and Secret Service.
- Improve the overall preparedness of employers and employees in the Chicagoland area.
- Address the interdependencies among critical infrastructure within the Chicagoland area, such as finance, insurance, banking, telecommunications, power, commercial facilities and water systems.
ChicagoFIRST has been addressing cyber security issues locally and nationally with recently completed exercises exploring these threats, as well as the private sector’s potential response to an attack.
As private sector business continuity and security programs continue to expand their focus on preparedness for and response to a cyber attack, ChicagoFIRST has been working with local and federal government officials to link the public and private sectors’ activities.
If your organization is in the Chicagoland area, we recommend that your business continuity, disaster recovery and risk managers make note of this available resource for their crisis management and general preparedness requirements.
Click here to go to the ChicagoFIRST website.
Benchmarking a Better Business Continuity Planning Guide
January 29, 2010
Benchmarking is an often overlooked activity, and certainly a topic about which we receive email requests from our readership.
In particular, we recommend that your internal business continuity planning teams use a benchmarking methodology as they prepare your organization’s BC/DR plans, so that the organization reaches a state of readiness and preparedness that lets it survive not only a disruptive incident but also any anticipated potential business interruption(s).
Even if your risk management teams already have a policy or guideline document in place to address these issues, it is still good practice to compare your current BC/DR plans or guidelines with the business continuity or disaster recovery plans of other companies.
With that intent in mind, we like to bring your attention to a “Crisis Management and Business Continuity Planning Guide” recently published by Business Link.
We believe that this guide can not only assist your own BC/DR Planning teams to identify potential risks, make preparations for emergencies and test how your own business is likely to cope in a disaster, but, it can also be used as a benchmark against which you can compare your own company’s existing BC/DR Planning Guide.
We hope this information and this exercise will give your teams more than just another business continuity template guide, so we ask that you don’t simply view and print out copies of this guide to put in your file cabinets.
Our real intention is to have this kind of information motivate and encourage a continuous improvement approach to your BC/DR planning teams and have those teams deliver the best levels of preparedness and readiness capabilities to your organization.
As always, we encourage and welcome our readers to share their own experiences, inputs and reactions to the advice we attempt to pass along in this website.
Click here to read this guide.
Effective Crisis Leadership Requires Resilient Attitude
January 28, 2010
While business continuity, information security and risk management planning groups in organizations evaluate, implement and review crisis management plans regularly (some more effectively and successfully than others), the fact remains that when your organization is faced with an actual crisis, strong resilient leadership is what will help those teams deliver the objectives of your emergency management plans, compliance policies and procedures.
That topic was recently addressed very effectively in an article written by Leonard Kloeber and posted on http://ezinearticles.com/.
Mr. Kloeber states that “…whatever challenges faced in striving for success, you need to be able to deal with setbacks and difficulties when they arise. This ability to overcome obstacles is called resilience. And whenever your organization runs into trouble, the rest of the team looks to the leader.”
When faced with a crisis, this leadership resiliency is critical and necessary. Mr. Kloeber offers the following tips for crisis management team leaders: (1) change your thinking; (2) prepare for the unexpected; and (3) practice for the unexpected.
This website recommends that you read this article for more details and suggested ways to help guarantee that your organization will have the resilient leadership to address and resolve any potential crisis to your organization.
As always, we welcome your comments and additional input to help our readers gain maximum benefit from this information.
A Renewed & Reinvigorated Association of Contingency Planners (ACP)!
January 27, 2010
Dateline: San Antonio, Texas – 16 and 17 January 2010
Byline: Don Byrne, CBCP, CDCP, CBRO-M, Lead Auditor, Adjunct Professor, Boston University
The rain and cool temperatures of San Antonio, Texas, did nothing to dampen the enthusiasm of the newly elected slate of chapter officers and national board members of the Association of Contingency Planners (ACP). A group of about 50 ACP leaders met in the home town of the Alamo to discuss the future and fate of the largest professional group of contingency planners and emergency management professionals in the world. Numbering about 3,000 members in 42 chapters across North America, the association saw its annual leadership meeting attract a representative mix of members from across the continent.
Much of the group’s time was spent discussing ways to increase ACP’s visibility and impact on topics of national interest such as the PS-Prep program, educational community outreach initiatives, and ways to promote professional development among the members.
Newly appointed president Mike Thomson of ImpactWeather challenged the group to find new and better ways of being “relevant and engaged.” Describing the organization as the “largest unknown group of contingency professionals in the world,” he urged the chapter leaders to focus on building partnerships with other organizations and strengthening their ties with the local business community.
A key area of focus for the meeting was the PS-Prep program, which was described as “the most significant bit of legislation to impact the contingency planning and emergency management industry in over thirty years.” Sensitive to the importance of this and other aspects of preparedness planning, the association is currently developing plans to make knowledgeable speakers available to businesses and civic organizations on a variety of resiliency planning topics.
The meeting ended with all members feeling reinvigorated and purposeful having developed practical plans that will benefit their chapters, their businesses and their community.
New PS-Prep Overview Added to ContinuityCompliance Website
January 27, 2010
In response to email requests received from our readers, this website has recently introduced a new “PS-Prep Overview” section on our “Home” page. Our readers have indicated a desire to get more in touch with the PS-Prep Program, and we are eager to comply with that request.
Be sure to check it out — but — more importantly, please add your comments, additional information and inputs to help us keep this kind of informative service improving in its ability to satisfy the requirements of our contingency planning and voluntary preparedness focused readership.
PS-Prep Program Proposed Standards – Apples and Oranges
January 26, 2010
Dateline: New Hampshire
Byline: Don Byrne, CBCP, CDCP, CBRO-M, Lead Auditor
With the selection of three standards for the PS-Prep program by the Department of Homeland Security (DHS), many people are struggling to understand the similarities and differences between these offerings.
The report entitled Framework for Voluntary Preparedness, funded by the Alfred P. Sloan Foundation, provides the most comprehensive comparison of the chosen standards and some others that were not selected. However, for many this is a “data rich but information poor” document. Much of the document’s emphasis is on showing how the various standards align as opposed to providing guidance on which one is appropriate for various businesses. In contrast, the following chart was developed to highlight some of the differences between the various standards. While not completely scientific, this chart does attempt to represent the conventional wisdom on this issue.
| Key Issue | NFPA 1600:2007 | BS 25999 Pt.2 | ASIS SPC.1: 2009 |
|---|---|---|---|
| Major Focus | Emergency Management and Tactical Activities | Business Continuity and Operations | Organizational Resiliency and Operations |
| National Standard | Yes – ANSI Standard (U.S.) | Yes – BSI Standard (U.K.) | Yes – ANSI Standard (U.S.) |
| International Perspective | Viewed as an American Standard | Viewed as an International Standard | Unknown – too new for opinions |
| General Acceptance | Popular – primarily in North America | Popular – outside the U.S. with good penetration in Asia/Pacific | Very New Standard – little market penetration |
| ISO Alignment | No – Element-based model. Does not use a Management System. | Yes – Process Model. Uses a Management System (PDCA) | Yes – Process Model. Uses a Management System (PDCA) |
| Supporting Methodology | DRI International: 10 Professional Practices | Business Continuity Institute Professional Practices | No specific methodology alignment |
| Unique Elements | Addresses NIMS and ICS Models for Emergency Planning | Introduces concept of MTPOS and drops RPO metric | Safety Act Approved; Contemplates 1st and 2nd party reviews; Some accommodation for Chain of Custody issues |
| Certification Available | No | Yes, through UKAS accredited CBR’s | No |
Making a Selection
A quick review of the above chart might lead to some of the following conclusions:
| Pick NFPA 1600 if: | Pick BS 25999 if: | Pick SPC.1:2009 if: |
|---|---|---|
| Emergency Management is your concern | Business Continuity is your major focus | Operational resiliency and business continuity are major concerns |
| Your business and extended supply chain is primarily U.S.-based | Your business and extended supply chain is a mix of U.S. and International businesses | Your business and extended supply chain is a mix of U.S. and International businesses |
| You are not already supporting another ISO Standard (e.g. ISO 9001, 14001, 27001, etc.) | You are already ISO certified | Supply chain concerns are important including 1st and 2nd party declarations and reviews |
| Your staff is unfamiliar with the PDCA methodology or is largely DRII certified. | Your staff is familiar with the PDCA or revised BCI methodology | Chain of Custody issues are important to your business |
| Cost is a major consideration – certification to an element-based model should be a less complicated matter and therefore less costly. | Cost is a consideration but not the driving force for a decision. | Cost is a consideration but not the driving force for a decision. |
In conclusion, the decision of which standard to choose requires some thoughtful analysis. The problem is that all of these standards are so new that few individuals are in a position to act as knowledgeable consultants on this issue. And, as reported elsewhere on this site, other standards are under consideration for ISO status that might provide even more choices in the near future, which may complicate things further.
Stay tuned, the PS-Prep program is still evolving!
NEDRIX and MEMA Offer Crisis Management Assistance
January 26, 2010
Over the last few months, our website has received email requests for crisis management information available on a geographical and regional basis. Those requests have come from business continuity and risk managers who are members of their company’s enterprise risk management teams and whose companies are located in the northeast sector of the United States. These requests have centered mostly on how to contact, evaluate and implement policies and procedures in their business continuity and crisis management plans for real-time access to governmental agencies in their areas for information needed during a crisis or event.
For those requesting companies in the northeast United States, we recommend contacting both the Northeast Disaster Recovery Information X-Change (NEDRIX) website and the Massachusetts Emergency Management Agency (MEMA) website.
NEDRIX is a non-profit organization, formed in 1991, that provides continuity and crisis management professionals with real-time access to governmental agency information during a crisis or event. This is accomplished through our Public / Private Sector (PPS) Directive and our automated notification tool, NEDRIX Notify. Through NEDRIX Notify this team has the ability to coordinate bi-directional communications, bringing the latest incident assessment to our members and providing any business impact back to the governmental agencies.
NEDRIX has PPS teams throughout the Northeast that are led by the Board Director of the PPS initiative. There are Team Leaders identified for each State along with Team Members who work with their State and local government to act as a liaison between the public and private sectors. NEDRIX also provides industry best practices and an opportunity to meet and share ideas and experiences with peers through conferences and symposiums held throughout the year. Our members receive continuing education points for all our conferences and events, which they need to maintain their business continuity professional certification.
The Massachusetts Emergency Management Agency (MEMA) is the state agency responsible for coordinating federal, state, local, voluntary and private resources during emergencies and disasters in the Commonwealth of Massachusetts. MEMA provides leadership to: develop plans for effective response to all hazards, disasters or threats; train emergency personnel to protect the public; provide information to the citizenry; and assist individuals, families, businesses and communities to mitigate against, prepare for, and respond to and recover from emergencies, both natural and man-made.
We welcome your comments and ask for your assistance in listing additional, similar resources that might help with these requests.
PS-Prep — A Fourth Standard?
January 26, 2010
Dateline: Washington, DC – 20 January 2010
Byline: Don Byrne, CBCP CDCP CBRO-M Lead Auditor
With the closing of the comment period for the PS-Prep program, the Department of Homeland Security (DHS) is poised to declare that, for general business, the three standards nominated in the Federal Register of 16 October 2009 will officially be part of the PS-Prep program.
These three join a number of other standards and mandatory procedures that are part of the regulatory framework of the eighteen Critical Infrastructure, Key Resource (CIKR) sectors. Because of their importance to the country, these industry sectors will be allowed to follow the preparedness practices overseen by non-governmental groups such as the Joint Commission on Accreditation (hospitals), the North American Electric Reliability Corporation (electrical transmission grids), and the Nuclear Regulatory Commission (nuclear power production plants and facilities). You can find more information on these sectors at http://www.dhs.gov/files/programs/gc_1189168948944.shtm.
The Question Is Settled, or Not!
With this announcement by DHS, one would assume that the question of which standards will form the basis of the PS-Prep program has been settled – but that would be wrong!
There are a number of PS-Prep issues that remain open. For example, what requirements will be placed on Small Businesses, and what other standards might be added to the current mix?
The Small Business Challenge
DHS has given little in the way of useful guidance on the question of how small businesses will participate in the PS-Prep program. There is much discussion around using first and second party declarations as a low cost option for these organizations, but nothing has been decided. ANAB, which is chartered with developing and monitoring the audit certification process, has set a goal of addressing this issue within six months, but that is a goal, not a commitment.
Update or Replacement?
The issue of adding or replacing standards is one that has not been widely discussed, yet this is a very likely development of the program. For instance, the National Fire Protection Association (NFPA) has already indicated that it will lobby to have the 2010 version of NFPA 1600 replace the currently selected 2007 version.
Also, the British Standards Institute is collaborating with ASIS on development of a fourth document which they have agreed to promote to the International Organization for Standardization (ISO) as the primary business continuity standard.
BCM.1 – a New PS-Prep Option?
Known as BCM.1, this proposed standard is about to be released for public comment. If BCM.1 is successful in attaining ISO standing, then it is almost unthinkable that DHS wouldn’t add it to the list of approved standards. Does this mean that a fourth standard will be selected? Would one of the others be “retired?” Time will tell, but there remains one last twist to this story.
The ASIS sponsored BCM.1 standard is not the only contender being positioned as the ISO standard. At least one other already developed standard is under consideration.
Enter ISO/PAS 223XX
ISO/PAS 22399: 2007, Societal Security – Guideline for Incident Preparedness and Operational Continuity Management, is an existing specification that has been languishing for quite a while. Considered to be rather general in its tone, it has raised questions as to its value as an auditable standard. DHS has publicly announced that, before selection of the three current standards, “approximately twenty-five candidate standards” were reviewed. Given the thorough job performed by the Homeland Security Institute, the “think tank” that actually advised DHS on standard selection, it is clear that ISO/PAS 22399 and its related document in this series, ISO/PAS 22301 Societal Security – Preparedness and Continuity Management Systems – Requirements, were part of the review process. However, with pressure mounting to converge on a single ISO standard in this area, the stage is set for a competition.
How Will It End?
Will the ultimate victor be the new BCM.1 specification or the more developed but less comprehensive ISO/PAS 223XX standard? And, regardless of which of these emerges as the designated international standard for business continuity and preparedness, will DHS add a fourth standard to the mix or replace one or more of the already announced specifications? Remember that in 2008, DHS published a list of what it considered to be the target criteria for any comprehensive standard for the PS-Prep program (Federal Register Vol. 73, No. 248, pages 79146 and 79147). To date, none of the proposed standards meets all of the target criteria. So the search goes on, and while businesses wait for decisions to be announced, it seems we all just keep getting more choices.
2010 Suggested Audit Guidelines for Internal Control Committees
January 25, 2010
As many companies finalize their 2009 fiscal year-end reports, and set their budgets, policies and procedures in place for 2010, we would like to focus your attention on a set of suggested guidelines for both internal and external audit committees to review and implement in 2010. While we can make the assumption that lessons will have been learned from the past year — it may still be necessary to integrate some of these listed guidelines into your organization’s 2010 strategic goal setting procedures.
For 2010, business risk assessment remains high on any organization’s planning agenda – as does compliance assessment and compliance risk management. Security risk assessment and security risk management of both financial and operational issues closely follow ….
The following highlights of issues — which should be at the top of every audit and/or control committee’s agenda in the coming year — are summarized from a report recently issued by KPMG U.K.:
- Regain control of the committee agenda and focus an eye on the company’s current and future key areas of risk.
- Understand the risks imposed by and stemming from the dramatic cost reductions from the prior year.
- Focus closely on all current and proposed financial and other narrative disclosure and communication requirements.
- Pay particular attention to specific current and new financial reporting developments impacting the company.
- Rethink the internal audit committee’s role in risk oversight and be ready to make changes when and wherever necessary.
- Focus internal audit’s activities only on key areas of risk and risk management.
- Prepare for the potential impact of key 2010 public policy initiatives on compliance, risk, and governance processes and how they impact the organization.
- Be extra vigilant since an economic crisis continues to put pressure on the funding and implementation of necessary compliance and anti-fraud programs.
- Allow upper management support of these committees to reduce the risk of misalignment between the organization’s strategic goals and daily operational achievements.
- Take a hard look at the committee’s composition, independence and leadership capabilities and make adjustments or changes to deliver a maximum level performance from that committee.
You can find more information on the issues raised above in either a summary article on the continuitycentral.com website or the full report on the KPMG U.K. website. Registration is required on the KPMG U.K. website.