
5 Actions of a Computer Incident Response Team

IT departments should have a process in place for managing a computer incident, meaning any activity outside normal operations. Incidents can escalate and require decisive action, and in such cases a Computer Incident Response Team (CIRT) should take over. The CIRT is responsible for five major actions:

  1. Monitor – Every network must be monitored for events such as failures, unusual network traffic, excessive login attempts, etc. Monitoring is only useful if someone acts on its output, so alert thresholds and on-call ownership should be defined as part of this step.
  2. Alert and Mobilize – When an unusual or suspicious event has occurred, a CIRT member alerts the appropriate team members and mobilizes them for action. This may involve shutting down servers, firewalls, or other services to stop the immediate threat. Decide in advance who is authorized to take such steps, because shutting a system down also destroys volatile evidence (memory contents, active connections) that the later assessment may need.
  3. Assess and Stabilize – Once the immediate threat has been stopped, the CIRT assesses the situation and works to stabilize it.
  4. Resolve – After the nature and extent of the incident have been determined, resolution may involve restoring from backups, updating operating systems, or changing settings on servers.
  5. Review – Once the incident has been resolved, go over the case to determine how it occurred, how to avoid similar problems in the future, and how the recovery process can be improved.

Most CIRT members also have day-to-day responsibilities as part of standard IT operations. It is very important that the Computer Incident Response Team's responsibilities are integrated into the company's Business Continuity and Disaster Recovery plan.

Posted in Business Continuity Planning, Business Recovery Planning, Crisis Management, Disaster Recovery Planning

Four Types of Risk Mitigation

Risk mitigation means taking steps to reduce adverse effects. Four risk mitigation strategies apply in Business Continuity and Disaster Recovery planning. It's important to develop a strategy that matches your company's profile.

Risk Acceptance: Risk acceptance does not reduce any effects, but it is still a strategy. It is the common choice when the cost of other options, such as avoidance or limitation, would outweigh the cost of the risk itself. A company that does not want to spend heavily on avoiding risks with a low probability of occurring will use risk acceptance. Acceptance should be explicit: record the risk, the reasoning, and the manager who signed off on it, so that the decision can be revisited when the threat or the business changes.

Risk Avoidance: Risk avoidance is the opposite of risk acceptance. It removes all exposure to the risk, usually by not undertaking the activity or not running the system that carries it. Risk avoidance is usually the most expensive of the four options.

Risk Limitation: Risk limitation is the most common strategy used by businesses. It limits a company's exposure by taking some action, combining a degree of acceptance with a degree of avoidance. An example would be a company accepting that a disk drive may fail while avoiding a long outage by keeping backups.

Risk Transference: Risk transference hands the risk off to a willing third party. Insurance is the classic example; another is outsourcing operations such as customer service or payroll. This can be beneficial when the transferred risk is not a core competency of the company, and it lets the company focus on what is. Note that only the operational or financial exposure transfers: accountability to customers and regulators for a lost or breached payroll file, for example, stays with the company, so the contract should spell out the provider's recovery and security obligations.

Posted in Business Continuity Planning, Business Recovery Planning, Disaster Recovery Planning, Threat & Risk Assessment

IT Risk Mitigation

Risks to data include not only natural disasters but also disruptions and outages caused by data center failures, hardware or software faults, network security breaches, etc. For every such scenario it is critical to have a risk mitigation strategy for your IT systems.

Critical data and records: After reviewing your Maximum Tolerable Downtime (MTD) and the cost of disruptions, you should have a solid understanding of the impact a loss of critical data would have on the organization. In addition, assess the legal and regulatory requirements attached to critical data (medical data, personal financial data, etc.). Then review your proposed recovery plan against those requirements, since gaps are common: for example, data that is backed up but not often enough to meet the required recovery point, or copies kept at a site exposed to the same disaster as the primary.

Critical Systems and Infrastructure: Once you understand your data management and protection needs within the Disaster Recovery Planning process, you can evaluate hardware/software solutions, vendors, and costs. If you can identify solutions that meet your needs for the next three to five years, you are doing well on the planning horizon.

Posted in Business Continuity Planning, Business Recovery Planning, Threat & Risk Assessment

12 Areas to Look at When Determining the Impact of a Disaster

The impact of a business disruption may be felt in any of the following 12 areas:

  1. Financial – Loss of revenues, higher costs, etc.
  2. Customers & Suppliers – Customers and/or suppliers can be lost because of the company's problems, or they may suffer a business disruption of their own.
  3. Employees & Staff – Staff members can be lost to injury or stress, or in the aftermath of a business disruption.
  4. Public Relations & Credibility – PR challenges arise with any business disruption, including those caused by IT failures. A well-thought-out PR plan is key to preserving business credibility.
  5. Legal – Assess the regulations covering worker health and safety, data privacy and security, etc.
  6. Regulatory Requirements – During some business disruptions a company may be unable to meet minimum regulatory requirements.
  7. Environmental – In some companies, the failure of certain systems can cause environmental harm.
  8. Operational – Every business disruption affects operations. Identify the affected operations and rank them by criticality.
  9. Human Resources – How staff will be affected by minor and major business disruptions.
  10. Loss Exposure – The overall losses a company may face, including property loss, revenue loss, fines, cash flow, etc.
  11. Social and Corporate Image – How employees, customers, suppliers, and partners will view your company after a business disruption. Will your company's image be altered?
  12. Financial Community Credibility – How will banks, investors, or other creditors respond to a minor or major business disruption?

Although not all of these areas may pertain to your business, it is very important to analyze all potential impact points for the Disaster Recovery Plan.

Posted in Business Continuity Planning, Business Impact Analysis, Uncategorized

Recovery Options

Each critical business function or process has a level of impact on the organization and dependencies on other functions. Based on the data and recovery requirements of each function, as captured in the company's Business Impact Analysis, a viable recovery option must be chosen. There are three basic recovery options to consider:

As Needed: As-needed options are arranged only after a business disruption occurs. They take longer to implement and usually cost more at the time, but because nothing is paid in advance, the total cost can still end up lower than the other options if disruptions are rare.

Prearranged: The prearranged option involves making arrangements in advance, usually an agreement with a vendor to supply the required systems, products, or services within an agreed timeframe after a business disruption.

Pre-established: Pre-established options are purchased, configured, and administered before a disruption occurs. Each critical business function may use a different recovery option. Once the list of recovery requirements and options has been developed, the recovery time of each option can be determined and compared with the function's requirement.

Posted in Business Continuity Planning, Business Impact Analysis, Business Recovery Planning, Disaster Recovery Planning

Assessing the Risk Management Process

The key to a successful risk management plan is assessing trade-offs and understanding the opportunity costs of making, or excluding, certain choices before a disaster occurs. The risk assessment process has three phases.

Threat Assessment: Identifying the threats, that is, the possible sources of harm or uncertainty to a business or system, is the first step in the Risk Management Process.

Vulnerability Assessment: This assessment analyzes how vulnerable, susceptible, and exposed a business or system is to a particular threat.

Impact Assessment: The Impact Assessment analyzes how small or large the impact of a threat occurrence would be on a business or system.

Overall, we can view risk as the following relationship:

Risk = Likelihood of Threat × Vulnerability × Impact

The factors multiply rather than add: a threat with no vulnerability to exploit, or one whose occurrence would have no impact, carries no risk, whereas an additive form would still assign it a score.

It is important to weigh the opportunity costs and risk mitigation options within a business or system, because in many cases it is more expensive to avoid a risk than to take steps to reduce its impact.

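A worked scoring of the three assessment phases, added here as an example and not part of the original post. It scores a small risk register with the product form Risk = Likelihood × Vulnerability × Impact, ranks the scenarios for treatment, and contrasts the result with an additive score. The 0..5 scale, the register entries and the acceptance threshold are constructed assumptions, not data from any real assessment.

```python
"""Risk scoring with the product form (added example, not from the original
post). Likelihood, vulnerability and impact are ordinal 0..5 scores; the
scale, register and acceptance threshold are assumptions."""

# Constructed risk register: (scenario, likelihood, vulnerability, impact)
REGISTER = [
    ("ransomware on file servers",       4, 4, 5),
    ("regional flood at primary site",   1, 3, 5),
    ("disk failure on replicated array", 5, 0, 5),  # vulnerability 0: fully mitigated
    ("phishing of payroll staff",        3, 3, 3),
]


def risk_score(likelihood, vulnerability, impact):
    """Risk = Likelihood x Vulnerability x Impact. Any factor at zero yields
    zero risk: a threat with nothing to exploit, or with no consequence,
    needs no treatment."""
    for v in (likelihood, vulnerability, impact):
        if not 0 <= v <= 5:
            raise ValueError("scores must be in 0..5")
    return likelihood * vulnerability * impact


def additive_score(likelihood, vulnerability, impact):
    """The additive form, kept only to show how it mis-ranks."""
    return likelihood + vulnerability + impact


def rank(register, scorer=risk_score):
    """Scenario names from highest to lowest score (ties keep register order)."""
    ordered = sorted(register, key=lambda r: scorer(*r[1:]), reverse=True)
    return [name for name, *_ in ordered]


def needs_treatment(register, accept_below=20):
    """Scenarios whose product score reaches the acceptance line and so
    call for limitation, avoidance or transfer rather than acceptance.
    The threshold is an assumption; the post leaves it to the company."""
    return [name for name, *scores in register if risk_score(*scores) >= accept_below]


if __name__ == "__main__":
    print("product ranking: ", rank(REGISTER))
    print("additive ranking:", rank(REGISTER, additive_score))
    print("treat:           ", needs_treatment(REGISTER))
```

With the product form the fully mitigated disk-failure scenario drops to the bottom, where it belongs; the additive form places it second, above the flood scenario, purely because its likelihood is high. That is the practical reason to multiply.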
 

Posted in Business Continuity Planning, Business Recovery Planning, Threat & Risk Assessment

BCM Metrics, Best Practices and Standards

There is no shortage of industry best practices and standards against which to benchmark Business Continuity Management programs. They include ISO 22301 from the International Organization for Standardization, NFPA 1600 from the National Fire Protection Association, the Disaster Recovery Institute International Professional Practices (DRII PP) and the Business Continuity Institute Good Practice Guidelines (BCI GP), to name a few. But what we have found is that very few, if any, of today's companies know which standard to use, or are using one of the standards to benchmark their program against.

Additionally, many of our clients frequently deal with customer audits that reference these standards in their questionnaires. So why aren't planners benchmarking their programs against one of today's accepted industry standards? There are a number of reasons, including but not limited to:

  • Not knowing which standard to use
  • Too many questions
  • Lack of management reporting
  • Questions often difficult to understand
  • No automated way to perform these assessments
  • Interpreting the results

Additionally, many BCM planners are concerned that this due diligence will expose the gaps and exposures in their program in a negative light versus as a positive form of benchmarking to guide future improvement.

So, what has MHA done? As a BCM consultancy, we developed a Current State Assessment (CSA) tool to quickly and easily benchmark where a program and its key dimensions (e.g., Program Administration, Crisis Management, Business Recovery, etc.) comply with industry best practices and standards. This tool is evolving into a secure, cloud-based self-assessment tool called BCMMETRICS. The tool references today's relevant industry standards and best practices to measure the compliance of a BCM program across four (4) key dimensions:

  • Program Administration
  • Crisis Management
  • Business Recovery
  • Disaster Recovery

The question sets used by the tool represent the relevant industry standards and best practices, providing the BCM Planner with a comprehensive assessment of the program and its four dimensions. We take a set of the most relevant questions from the myriad standards to assess the BCM program. Each question is weighted according to its importance to the success of the program, highlighting the aspects most critical to compliance and to your program's ability to recover.

A sample management report from BCMMETRICS for Program Administration is shown below:

[Image not reproduced: sample BCMMETRICS management report for Program Administration. Copyright BCMMetrics 2013]

These management-level reports permit planners and others to quickly identify areas of success and areas for improvement based on the results. A detailed report for each dimension, listing the results for the individual questions, is also available.

The tool will permit enterprise-level assessments of multiple programs, whether domestic or across the globe, as well as "read only" access for auditors.

We will be piloting the tool with a small set of MHA customers in early June and hope to have it available for public consumption by early fourth quarter of this year. Initial reviews of the tool from MHA customers and others have been very favorable.

If you would like more information on BCMMETRICS and how it can be used for your organization, contact Brandon Magestro, MHA Director of Operations, at magestro@mha-it.com.

Posted in BCM Metrics, Business Continuity Planning, Business Recovery Planning, Crisis Management, Disaster Recovery Planning, MHA Consulting, Threat & Risk Assessment

When is the Best Time to Establish a Training & Awareness Program?

The best time to establish a Training and Awareness Program is at the beginning of the BCP lifecycle. There are many benefits to starting this part of the program early:

  1. Training can communicate best practices and policies from the start
  2. Training results can be tracked to quantify progress
  3. Communication is unified, which better solidifies key concepts
  4. Awareness of the program reaches a wider audience, which can result in increased support
  5. Information gathered from training helps redefine and develop the program as it progresses
  6. Training can be tailored to the specific needs of participants and updated as those needs change, resulting in increased program quality and efficiency

Posted in Business Continuity Planning, Business Recovery Planning, Disaster Recovery Planning

The Five Levels of BCP Exercising

There are many types of plan exercises. Different exercises serve different purposes and should match the maturity of the plan and the experience of the teams. Each of the following five exercises builds on the results of the previous one:

Plan walk-through: A walk-through of a plan is an excellent way of explaining its format and content. A plan walk-through is a low-pressure exercise that uses presentation techniques including videos, slides and handouts, so that participants fully understand their plans.

Facilitated discussion: Facilitated discussions can be delivered in a number of ways, but usually begin with the presentation of a hypothetical scenario. Potential issues and problems are then extracted from the scenario and given to the participants to solve through brainstorming and group discussion.

Single-team simulation: This simple form of simulation brings participants together in order to examine both the plan and how the team works together under limited pressure. The team will be expected to manage a fictional incident, manage information flows, make decisions, log activities, handle dilemmas and work together as an effective team.

Multi-team simulation: The multi-team simulation extends the single-team version by providing the added dynamic of team interaction. The focus is on coordination, communication and control. Such exercises often highlight elements of the overall plan that have either not been assigned or have been given to more than one team.

Full-scale exercise: Full-scale exercises involve all teams. They should not be attempted until the other forms of exercise have been conducted and all teams have a high degree of experience, competence and confidence.

Posted in Business Continuity Planning, Business Recovery Planning, Disaster Recovery Planning

10 Considerations When Developing Recovery Strategies and Plans

In developing both the recovery strategies and the recovery plan, the planners should consider 10 basic rules:

  1. Don’t confine yourself to traditional ways
  2. Maintain Risk Management, conduct Risk Assessments, and develop a Risk Management culture
  3. Consider whether workarounds used for operational incidents can be adapted to disaster situations
  4. Be adventurous in your thinking – use creativity and common sense
  5. Use group thinking to develop and review strategies
  6. Infrastructure, support functions and interdependencies are major considerations
  7. Mitigation is an important recovery strategy
  8. Strategize, but don't become committed to any one recovery strategy
  9. In recovery mode, you can't do anything until you know the type and extent of the damage and the affected environment
  10. Educate, train, exercise

Posted in Business Continuity Planning, Business Recovery Planning, Disaster Recovery Planning
  • About Michael

    Michael Herrera is CEO of MHA Consulting Inc., a boutique Business Continuity, Disaster Recovery and IT Optimization consulting firm.