Tuesday, February 5, 2013

ERM-BC-COOP:

It can't happen, but . . .




Because, like Popeye the Sailorman, I am who I am, I always play the "What if" game.

Today the game revolves around "emergency notification," the notification needed when something goes bump in the night.


There are a number of vendors offering emergency notification services.


They can contact anyone via


  • landline (subscriber or business line)
  • cell phone (voice and data)
  • computers with internet connectivity



All the customer has to do is contact the vendor and tell the vendor what to broadcast and to whom. Most offer multiple message options: Message A for Group 1, Message B for Group 2, etc.


Sounds great.


So where is the inevitable "gotcha"?


What are you going to do if the event is widespread?


  • A tornado
  • An earthquake
  • A hurricane
  • A flood


and you cannot communicate with the outside world.


Telco lines get ripped down. Underground cables get water logged or cut. (This also can happen due to traffic accidents or backhoes gone berserk.)


Dishes get blown off, or simply blow to a new direction.


Those things can happen at any "end."


Basically, the Enterprise Risk Management practitioner needs to find ways (plural) to work around any "disconnect."


There ARE alternatives, albeit some are expensive.


Two-way radio is one of my favorites.


VHF for "around town" communications. Shortwave (HF) for long-distance chats.


Commercial TV and radio also are good, IF someone can get to the station and IF the station is on the air (does it have a generator? is the broadcast tower still standing?).


Of course, this "assumes" that the person you need to contact has power, has the radio or TV turned on, and is tuned to the station used for the announcement.


With the overwhelming popularity of cell phones, pagers are archaic, but they can prove valuable, providing the pager company's staff is at work and the pager tower is up.


True story. A hurricane is coming to south Florida. My client had a contract with a local pager company (interestingly, a company I wrote about when working for a PBX manufacturer). The client called the pager company to page its staff. No one answered the pager company's phone. Why? Being a good boss, the company manager sent all his staff home to ride out the storm. My client's pager plans were for naught.


Thinking about using the smart phone's Push-To-Talk (PTT) feature? Keep in mind that while this is basically two-way radio, it usually goes through a repeater tower, a tower that may not be available.


While it is neither high-tech nor instantaneous, ongoing communications with personnel can be via bulletin boards. Many supermarkets and laundromats have notice boards. The communications can be "semi"-cryptic, providing the reader is trained to "translate" the message.


Calling up soldiers without alerting "the world" used to be, and in some places still is, done via coded messages such as "Bill Jones call home" or "Frank Smith, your wife just went into the delivery room." Of course, when more than a few people got up to leave, those not in the know could figure out something was up.


Again, personnel must know where to look, and how often. The problem may be in getting the message to the bulletin board (again, think flood and earthquake), and in assuring the building hosting the bulletin board is still standing (think tornado and hurricane).


When thinking about emergency communications, think beyond high tech. Some of the old fashioned ways just might be the most efficient, effective, and economical.

Flying the (US) flag upside down still is a sign of distress. Not fancy, but it does convey the message.


At one time in my life, while working for a manufacturer of mil-spec two-way radios (HF to GHz) I facetiously wrote a document that described dual-mode media. One mode was a flashlight; the other was a semaphore mounted on an antenna (we had lots of those). At night, the flashlight sent dots and dashes; during daylight hours, the message was wig-wagged. It was humor, but thinking back . . .


Monday, February 4, 2013

ERM-BC-COOP:

Standards with holes


The Disaster Recovery Journal (DRJ) issue for Winter 2013 has an advertisement in it from MIR3. MIR3 bills itself as "intelligent notification." Having never used or even evaluated the product, I have no idea if it's good or not.

The advertisement caught my eye because it asked, in about 48-point type:

Confused by standards?

with the sub-head that read: We can cut through the confusion.

Since I have some strong opinions about "standards," I read on.

At the bottom of the full page advertisement MIR3 invited me to download The Concise Guide to Business Continuity Standards: www.mir3.com/bc-standards

(The page I read was hard copy, i.e., paper; the page also is accessible on DRJ's Web site via Journal > Digital Edition. The advertisement is on Page 23.)

I followed the link to the MIR3 PDF document and downloaded the file.

The MIR3 effort, put together by Ann Pickren, Vice President, Solutions, addressed three and a half "standards":

  • National Fire Protection Association's NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs; this document, due to its non-US variations is an "international" standard

  • American National Standard for Security's ASIS SPC-1: Organizational Resilience: Security, Preparedness, and Continuity Management Systems-Requirements with Guidance for Use

  • British Standard BS 25999: Business continuity

  • International Organization for Standardization's ISO 22301: Societal security -- Business continuity management systems -- Requirements

The first three standards are approved for use under the US Department of Homeland Security's PS-Prep program (Public Law 110-53, Private Sector Preparedness). The last "standard" is, I am given to believe, the ISO version of BS 25999 and is slated to be added to, or to replace, BS 25999 as a PS-Prep acceptable "standard."

According to the MIR3 article,

The MIR3 article includes a table attempting to list each "standard's" contents vis-a-vis Business Continuity requirements.

Unfortunately, the table is less than accurate.

For example, the table shows BS 25999 as aligning with US NIMS and ICS; it is NFPA 1600 that aligns with NIMS/ICS (as the article's own text states).

I won't categorically state that BS 25999 and, by extension, ISO 22301 lack mention of avoidance and mitigation, but I do know the draft BS 25999 lacked this topic. I found that strange then, especially when BS 25999 was supposed to have been the result of work by business continuity (vs. IT DR) professionals.

One reason I am less than enthusiastic about BS 25999/ISO 22301 is that they are documents you must purchase.

Mind, the people who provided input to BS 25999/ISO 22301 received zero compensation.

If someone wants their "product" to be a voluntarily-adhered-to standard, it MUST be free, gratis, no charge, he'nam.

All-in-all, save for the "chart (that) shows a graphical overview of the standards," the MIR3 article is worth the time to download and read.

There are no surprises, and it is geared to people who need PS-Prep certification. For what it is worth, I think the idea of PS-Prep is worthwhile since, in theory, it can give vendor managers a "warm, fuzzy" feeling that the vendor has a viable plan. (As for this practitioner, I will continue to insist on seeing some hard evidence of a vendor risk management, or at least business continuity, plan; in the end, the buck stops with me if the vendor fails to meet its contract requirements.)