Rothstein Associates Inc. Business Survival ™ Weblog

NIST Announces Two New Guidelines


NIST Announces SP 800-41 Rev.1 and SP 800-124

The National Institute of Standards and Technology (NIST, based in Gaithersburg, Maryland), recently announced two Special Publications (SPs) of interest to business continuity professionals. First is SP 800-41 Revision 1, Draft Guidelines on Firewalls and Firewall Policy, which provides recommendations on developing firewall policies and on selecting, configuring, testing, deploying, and managing firewalls.

Second is SP 800-124, Draft Guidelines on Cell Phone and PDA Security. This guideline provides an overview of cell phone and personal digital assistant (PDA) devices in use today and offers insights for making informed information technology security decisions regarding their treatment.

ISACA Survey Results


ISACA Survey Addresses BC/DR Issues

ISACA, the Information Security and Audit Association, recently published the results of its 2008 Top Business/Technology Issues Survey. ISACA conducted the survey to validate and prioritize the findings of ISACA’s Business/Technology Issues Task Force, which conducts surveys and produces survey reports.

The task force identified 21 current business issues facing IT managers and executives. The list consisted of global issues that the task force felt were already affecting ISACA members and constituents, or would be in the next 12 to 18 months. The survey participants were then asked to rank the 21 business issues.


CAP 1.1 - Another Issue in Data Center Compliance


Alerts and communications issues have always been a part of data center disaster recovery plans. Who calls the fire department? Are the alarms set up to automatically go to the security desk? When do I get the message to evacuate? If the heat in the data center rises beyond a threshold, does an alarm call a cell phone? When the fire department arrives, does everyone understand that they own the building at that point? What if a regional disaster or terrorist attack is about to happen? And on and on. These are communications and compliance issues that will increasingly need to be fully integrated into the DRP.

A recent Disaster Resource Guide article clearly indicates that CAP 1.1 is coming and will be required. CAP stands for Common Alerting Protocol. It is billed as a national emergency warning and alert system.

At first glance, it may seem that this is outside what typical companies need to consider. But, on second thought, it might be a good idea to at least be familiar with CAP 1.1 content and procedures. For example, what if an alert was issued for a biological attack and evacuation was required? Would you get the message with your current DRP procedures in place? With today’s data center schedules, many are staffed 12×7 and not 24×7. Would someone be in danger?

Not that we need another compliance requirement to follow. We already have NIMS, NFPA 1600 and many others. But it would be a good idea to at least see how the alerts would be issued using CAP 1.1 and what expectation FEMA has in terms of company participation. If you are not familiar with NIMS, NFPA 1600 and CAP 1.1, just use a search engine. See how they may or may not fit in your DRP. The job of DRP/BCP professionals is to stay abreast of what is coming.

————————————————————

A sound Disaster Recovery Plan is essential for any data center. Jan Persson’s GO.RECOVER-Data Center Template is a powerful yet easy-to-use tool for under $100.

Singapore’s TR19 Business Continuity Standard


Singapore’s TR19 BCM standard: in intensive care, prognosis dire

Posted in BCP Confidential by Nathaniel Forbes on 2008/07/17 11:42:53

“In the Alfred P. Sloan Foundation’s Framework for Voluntary Preparedness report of January 2008, the authors refer to Singapore’s Technical Reference for Business Continuity Management (TR19) as an “authoritative source” for “best practices” (see page 4).

“That’s ironic, because among professionals here in Singapore, TR19 has been mostly a source of derision since its release in 2005.”

DHS Private Sector Preparedness Certification


The US Department of Homeland Security (DHS) recently announced it had signed an agreement with the ANSI-ASQ National Accreditation Board (ANAB) to establish and oversee the development and implementation of the accreditation and certification requirements for the Voluntary Private Sector Preparedness Accreditation and Certification Program. This program is directed by Public Law 110-53, Implementing the Recommendations of the 9/11 Commission Act of 2007, requiring the department to establish a common set of criteria for private sector preparedness in disaster management, emergency management and business continuity.

Under Title IX of the Act, the department is charged with a number of core tasks to establish the voluntary program, to include the designation of an organization to act as an accrediting body. In this role, ANAB will be responsible for overseeing the certification process, managing the accreditation, and accrediting qualified third parties to carry out certifications of private sector entities. ANAB was selected based on its experience and expertise in managing and implementing accreditation programs.

As required by the Act, Homeland Security Secretary Michael Chertoff previously designated an officer within the department to be responsible for the accreditation and certification program. R. David Paulison, Administrator of the Federal Emergency Management Agency, serves as the designated officer and will chair an internal Private Sector Preparedness Council comprised of department leadership from the Science & Technology Directorate, Private Sector Office and the Office of Infrastructure Protection.

The Private Sector Preparedness Council will focus on the remaining requirements of the Act. This includes selecting program standards, defining and promoting the business case for private sector entities to work toward voluntary certification, overseeing the program’s progress, and providing regular updates to Congress.

The ANSI-ASQ National Accreditation Board (ANAB) is the U.S. accreditation body for management systems. ANAB accredits certification bodies (CBs) for ISO 9001 quality management systems (QMS), ISO 14001 environmental management systems (EMS), ISO 27001 information security management systems, ISO 22000 food safety management systems, ANSI/AIHA Z10 occupational health and safety management systems, and numerous industry-specific requirements.

NOAA Confident of Above-Normal Atlantic Hurricane Season


In NOAA’s (National Oceanic and Atmospheric Administration) August 2008 update regarding the Atlantic hurricane season outlook, its Climate Prediction Center has increased the likelihood of an above-normal hurricane season and has raised the total number of named storms and hurricanes that may form. Forecasters attribute this adjustment to atmospheric and oceanic conditions across the Atlantic Basin that favor storm development, combined with the strong early season activity.

NOAA now projects an 85 percent probability of an above-normal season – up from 65 percent in May. The updated outlook includes a 67 percent chance of 14 to 18 named storms, of which seven to 10 are expected to become hurricanes, including three to six major hurricanes of Category 3 strength or higher on the Saffir-Simpson Scale. These ranges encompass the entire season, which ends November 30, and include the five storms that have formed thus far.

In May, the outlook called for 12 to 16 named storms, including six to nine hurricanes and two to five major hurricanes. An average Atlantic hurricane season has 11 named storms, including six hurricanes and two major hurricanes.

“Leading indicators for an above-normal season during 2008 include the continuing multi-decadal signal – atmospheric and oceanic conditions that have spawned increased hurricane activity since 1995 – and the lingering effects of La Niña,” said Gerry Bell, Ph.D., lead seasonal hurricane forecaster at NOAA’s Climate Prediction Center. “Some of these conditions include reduced wind shear, weaker trade winds, an active West African monsoon system, the winds coming off of Africa and warmer-than-average water in the Atlantic Ocean.”

Another indicator favoring an above-normal hurricane season is a very active July, the third most active since 1886. Even so, there is still a 10 percent chance of a near-normal season and a five percent chance of a below-normal season.

Being prepared for hurricanes sure beats floundering around (pun intended) when one hits. Complete Hurricane & Flood Plan for Business: A Disaster Prevention and Recovery Template is an easy-to-use yet powerful template to build your own hurricane plan.


ASIS Announces Draft Guideline for Facilities Physical Security


The ASIS International Commission on Standards and Guidelines has released a draft of the Facilities Physical Security Measures Guideline. The purpose of this new guideline is to describe the main types of physical security measures that can be applied to minimize the security risks at a facility.

The Facilities Physical Security Measures Guideline assists in the identification of physical security measures that can be applied at facilities to safeguard or protect an organization’s assets—people, property and information. It is not aimed at a specific occupancy, but facilities and buildings in general.

The guideline is available for a 45-day public review and comment period (through Sept. 15). To view it, go to http://www.asisonline.org/guidelines/guidelines_fpsm_draft.pdf. To submit comments, go to http://www.asisonline.org/guidelines/comment_fpsm_draft.doc. Comments will be reviewed and considered before publication of this guideline.

For more on facilities management and physical security read Facility Manager’s Guide to Security: Protecting Your Assets.

BSI Announces New BCM White Paper, Exercise Book


British Standards Institution has announced a new white paper entitled Business Continuity Management and Risk - The Role of Standards, and a new book called Exercising for Excellence: Delivering a Successful Business Continuity Management Exercise.

The white paper addresses the rise of risk management up the corporate agenda and reflects an increased understanding by organizations of their risk profiles and the need to effectively manage exposures. High-profile examples such as Enron, 9/11, Hurricane Katrina, and the summer floods in the United Kingdom have served to shape attitudes to risk management and achieve greater boardroom awareness. The paper will provide insights on how standards can assist organizations in being more proactive with their risk strategy. Case studies are included.

The exercise book provides a practical guide for anyone with responsibility for the planning and delivery of business continuity management (BCM) exercises. It’s considered a “how-to” guide to conducting successful business continuity exercises. According to the BSI, it will help practitioners test and evaluate the effectiveness of their incident management capabilities and business recovery plans. It is also consistent with guidelines established in BS 25999, the British standard for business continuity.

Download the BSI white paper

Purchase the BSI exercise book

Another valuable book on exercising contingency plans is Disaster Recovery Testing: Exercising Your Contingency Plan, Philip Jan Rothstein, FBCI, Editor.

Trend Micro Survey Points to Threats of Social Networking


Social Networking in the Workplace Could Put Corporate Networks in Danger

Just when you thought your business continuity program was doing a great job… a recent Trend Micro survey of corporate end users found that more and more employees are visiting Web 2.0 social networking sites while on the corporate network. The company reported an increase, compared with its earlier surveys, in the number of employees who admit to visiting social networking sites on the Internet while connected to the corporate network.


2008 Business Continuity Trends Survey


Have you taken The Disaster Resource Guide and Varolii Corporation 2008 Survey on Business Continuity and Crisis Communications? Click on the link above to take the survey. The survey closes on September 5, 2008, and examines a variety of issues of relevance to business continuity and crisis communications practitioners.

2008 Business Continuity and Crisis Communications Trends Survey

You can find lots of Business Continuity statistics and survey results at http://www.rothstein.com/links/rothstein_recommended32.html.

Include Data Center Risk Assessments in Your BCPs


Include Data Center Risk Assessments in Your Business Continuity Program

Risk assessments have been performed for many years, and they are a regular part of business continuity projects today. Often the task falls on the risk management or insurance departments. However, a good risk assessment can be a valuable tool in a data center’s disaster recovery plan. Normally the risk assessment (RA) covers the usual list of potential risks: natural events (e.g., fires, thunderstorms, tornadoes), security (e.g., locked facility, badge access) and procedures (e.g., evacuation, backups).

The current thinking is that as data centers become more critical (e.g., 24 X 7 X 365 operations), a proper risk assessment should go beyond the normal list of risks. In short, it should address what you can do to limit downtime and/or reduce recovery time.
