PREPARATION
Contents
CRISIS MANAGEMENT
Preparing for a crisis before it happens is fine but when the disaster occurs, you have to be well-rehearsed and have knowledgeable people in charge. If you're unsure of what to do next, your staff will sense it, and so will the media.
The basic elements of a crisis communications plan will include the following. Many of these will already be in your company's disaster plan.
- Develop a call list of executives/personnel who must act as a team to see the organization through the crisis. Include name, department, office telephone number, and home telephone number. No exceptions.
- Designate a spokesperson to whom all immediate inquiries should be directed. As the situation unfolds, you may decide a medical expert or hospital administrator can best speak for the organization in a specific situation, but the first calls (from media or other sources) need to be fielded while the team is assessing the situation and developing a plan.
The designated spokesperson doesn't have to be a public speaker or media whiz, but consideration should be given to the person's "level-headedness," poise under pressure, ability to articulate complex ideas, and perhaps most importantly, knowing when to stop talking.
- Decide beforehand who has the authority to initiate an evacuation of the premises.
- Make sure your fire-fighting plan is up to date, and that rehearsals are held regularly.
- Have back-up communications in case the telephones fail.
- When the media call, direct inquiries to a specific person. Make arrangements for visiting media, including a designated area for the media pool, adequate telephone facilities for the media, and refreshments if it looks like they'll be with you for a while.
VULNERABILITY ASSESSMENT
The objective of a vulnerability assessment is to examine systems for weaknesses that could be exploited, and to determine the chances of someone attacking any of those weaknesses.
Numerous types of vulnerabilities, both physical and electronic, are possible. Each should be examined and documented; controlling all the risks associated with electronic access to systems is moot if someone could physically tamper with them and modify or walk away with data.
Many tools exist for evaluating electronic vulnerabilities. The primary value of these tools is in automation and detection. The tool is used to scan systems for configurations and services, compare the results with a database of known exploits, and produce a report. This prevents the laborious task of examining systems manually and researching the latest exploits. It also provides a method of easily obtaining consistent data on system vulnerabilities.
A list of vulnerabilities starts with host-and network-level exploits that could have an impact on your systems. Although the tools are confined to the electronic environment, be sure to examine exploits that could occur with physical access as well as electronically. Finally for completeness, examine scripts and applications on systems for potential vulnerabilities. This ensures that all vectors for attack are included in the assessment, so that efforts at reducing risk are based on real threats, not just those that are technical or well advertised.
Once a list of vulnerabilities per system is compiled, each vulnerability should be classified according to the probability that it could be exploited. This probability is the threat associated with vulnerability, and methods for determining this threat level are likely. They can be as complicated as completing a tree analysis, which documents the different series of conditions that could lead to exploitation of a vulnerability, or a simple as relying on reports about the frequency of exploits in the wild. CERT (Computer Emergency Response Team), the SANS (System Administration, Networking, and Security) Institute and other such groups routinely publish listings of exploits that are being seen frequently and thus are high-threat areas.
The combination of vulnerabilities and threats provides a measure of where exposures are, and what the chance is that a motivated attacker might exploit them. This is the level of inherent risk, or the risk that exists in the absence of any control measures.
FIRE PROTECTION
Fire is still the single most serious threat faced by any industry. The source of fire might be arson attacks, electrical components overheating or air-conditioning overheating. In order to combat the threat of fire, three essential areas must be addressed:
Fire prevention, which is often neglected, with reliance placed on detection and extinguishing systems to deal with the fire once it has broken out. By this time, considerable damage may already been inflicted.
Fire prevention initially involves staff awareness and housekeeping procedures but is also influenced by management. Induction training should familiarize employee with preventive measures such as:
- the control of flammable materials;
- the clearing of rubbish and unwanted materials;
- the control of smoking;
- the restriction of hazardous processes to certain areas;
- full enforcement of fire prevention requirements; and,
- quality installation and maintenance of air-conditioners.
Fire detection, which requires sensors linked to a central system that sounds an alarm and activates the extinguishing system. The control system may be programmed to assume one sensor signal acting in isolation is a faulty device and will not be activated until confirmation is received from an additional detector. The type of sensors which are available are:
- smoke detection by optical light scattering;
- smoke detection by ionization;
- heat detection by semiconductor, thermocouple or bimetallic switch;
- flame detection by photodiode devices; and
- VESDA (Very Early Smoke Detection Apparatus).
Fire extinguishment through the use of the following systems:
- Halon 1301 for data centers which is being replaced by other safer gas (e.g. intergen and NAFS-III);
- carbon dioxide system;
- water sprinkler system;
- individual, hand operated extinguishers of several types; and
- fire hoses located on each floor.
Training in the appropriate use of all these systems is mandatory to ensure the safety of those employees using the equipment.
ELECTRICAL SYSTEMS
The interruption of the power supply can be devastating to any company. Affected areas include not only the computer facility, but all manufacturing areas and all office areas. Without power, the modern company cannot continue to carry on business.
Common power disturbances include:
- under and over voltages;
- surges;
- sags;
- brownouts; and
- blackouts.
Some of the equipment which may be available to protect the facility against such disturbances include:
- ultra-isolation transformers;
- line voltage regulators;
- power line conditioners;
- flywheel;
- uninterruptible power supply (UPS); and
- emergency power generation.
EXISTING DISASTER PREVENTION MEASURES
Measures
Shown below is an example of what the author should put in this section
The following disaster prevention measures are currently in place at (Company): (to be edited below)
- Fire Extinguishers are in place throughout the facility. Also, heat/smoke detectors, bells that can be activated in an emergency, and a combination lock on the door.
- Security alarms are connected to the police departments.
- All computer equipment (PC network) and the telephone system are attached to a UPS (Uninterrupted Power Supply), which will allow the organization to perform an orderly shutdown of the equipment, in the event of an extended power outage.
- A Core Director System Backup is done daily. The organization has 3 rotations of System Save backups. .
- A Pre-Processing Save of the core data files is performed daily. The backup is kept in fireproof storage in the Computer Room on the day it is created, then taken to an offsite location the next day.
- A Post-Processing Save of the core End of Day data files is performed daily. This backup is taken off-site the next day.
- The network server and SWIFT systems are backed up weekly.The Bank owns a diesel generator that can (and has been used to) power the facility in the event of an extended power outage.
SECURITY
Physical Security
Physical security protects people, buildings, equipment and computer systems from intrusion, fire and other natural and environmental hazards, and include such things as:
- a Facility Security Plan
- The movement of equipment and data media in and out of site
- procedures for verifying authorization to access secured areas
- procedures for signing in and escorting of visitors
Safeguards should be installed to provide defense for the most sensitive operations, data, equipment and personnel. This security is achieved through:
- physical barriers to deter intrusion or theft such as perimeter barriers, clear areas, lighting; and locking devices.
- detection systems to make intrusion or theft as difficult as possible
- access control may be used by using systems that use conventional lock and key, manual card identification, card/token identification, or biometric devices (fingerprint pattern, hand geometry, retinal scan, voice pattern, signature dynamics, keystroke dynamics), and make significant response in making the detection of the attempt and apprehension of those responsible.
Computers also need to be secured physically to prevent theft and unauthorized access. It is possible that a thief could steal a hard disk containing sensitive information and access that information, even if the computer from which the disk was stolen is password-protected. For this and other obvious reasons, steps should be taken to physically secure computer equipment.
Lockdowns:
In general, computer equipment should be kept in locked offices with very few authorized key-holders. Where this is not possible, such as in a shared office or semipublic facility, lockdowns should be used.
Laptops:
Given their relative expense and ease of transportation, laptops are extremely vulnerable to theft. Even if you lock your office door, you should still keep your laptop in a locked desk or file cabinet, or take it with you when you leave. Leaving your laptop out on your desk, even in a locked office, invites theft.
It will also be important to quickly put security in place once a disaster occurs. This is the time when security can often be breached because attention is on the developing disaster and not on protection of assets.
Logical Security
Logical security is the protection of such things as intellectual property (inventions, patents, programs, etc.), and passwords.
It is important that to develop and maintain a program of logical security to control access to company protected material.
Access Security
Desktop administrators should ensure that workstations are configured consistent with the job function of the computer user. This may include, but is not limited to:
- Limiting programs or utilities available to only those needed by the position.
- Increasing controls on key system directories.
- Increased levels of auditing.
- Limiting use of removable media, such as floppy disks.
Firewalls
Firewalls are hardware devices or software that protect a system or systems from access or intrusion by outside or untrusted systems or users, especially malicious hackers. A firewall should also keep a log of any such attempts. Much of the functionality of a firewall can be implemented through the enabling and disabling of selected system services, Operating System auditing and control of Access Control Lists (ACLs). However, for greater security and more detailed reporting, a personal firewall or a system-based intrusion-detection agent should be installed.
Viruses
Computer viruses are self-propagating programs that infect other programs. Viruses and worms may destroy programs and data as well as using the computer's memory and processing power. Viruses, worms, and Trojan horses are of particular concern in networked and shared resource environments because the possible damage they can cause is greatly increased. Some of these cause damage by exploiting holes in system software. Fixes to infected software should be made as soon as a problem is found.
To decrease the risk of viruses and limit their spread:
- Check all software before installing it.
- Use virus-scanning software to detect and remove viruses.
- Ensure that virus definitions for the virus-scanning software is kept updated, preferably automated.
- Immediately isolate any contaminated system.
Password guidelines
Password-protection of PCs. Many PCs can be password-protected in their Basic Input/Output System (BIOS). This is the base level at which the computer operates, regardless of operating system, and enabling this feature greatly enhances the security of a PC. Once the PC is protected by password, only authorized users should be given the password, and it should not be written down anywhere.
Password-protection of Macintoshes:
Macintosh PowerBooks running Mac OS 7.5 or better can be password-protected using the operating system control panels. Desktops, on the other hand, require the use of a commercial product such as At Ease or After Dark to restrict access.
Password-protection of shared accounts:
If you cannot password-protect your desktop computer, you should store sensitive files on a server, and all accounts on the server should be password-protected. This applies to Unix, Macintosh, Windows NT, and Novell servers.
- Passwords are to be assigned to the individual employee or issued on an individual employee basis if computerized records are being accessed as part of their responsibility.
- Distribution of passwords should be handled with the strictest confidentiality.
- Passwords shall be changed on a regular basis (at least once every 60 days).
- Passwords that are obvious, such as nicknames and dates of birth, should not be allowable.
- Passwords should never be shared with another user. Employees are formally notified as to their role in protecting the security of the user ID and password. Counter accounts, for view only, are an exception to this rule.
- Passwords should have a minimum length of five characters.
- Passwords stored on a computer should be encrypted in storage.
- System software should enforce the changing of passwords and the minimum length and format.
- The non-printing, password-suppression feature should be used on all terminals to prevent the display of a user ID or password at log-on.
- System software should disable the user identification code if more than three consecutive invalid passwords are given.
- System software should maintain a history of at least two previous passwords and prevent their reuse.
- Procedures for forgotten passwords should require that Support Services personally identify the user.
Data and Software Availability
- Back up and store important records and programs on a regular schedule.
- Check data and software integrity against original files.
- Use the latest version of specific software when possible.
- Ensure that software patches and updates are applied in a timely fashion.
Confidential Information
- Encrypt sensitive and confidential information where appropriate.
- Monitor printers used to produce sensitive and confidential information.
- When deleting sensitive files on fixed disks, floppy disks, or cartridges, over-write the remaining space with software that writes a random bit-pattern.
Encryption
Much of the data sent over the network is transmitted in clear text. Moreover since most networks are shared among hundreds of computers, anyone on the network can eavesdrop on the data being transmitted over that network. This requires only the installation of one of many freely-available software tools. Passwords are particularly vulnerable to capture over the network. You should verify that passwords and other sensitive information are encrypted to prevent eavesdropping.
Servers
Administrators of all types of servers should also periodically check the CERT http://www.cert.org/ security websites.
Steps To Better Logical Security
- Remove active accounts, such as phone, e-mail, Internet and voicemail, belonging to former employees.
- Establish a protocol so human resources personnel can notify system administrators when employees leave.
- Review data coming through each network connection. Shut down any where you can't determine remote origin.
- Examine how remote and external users are authenticated; use token-based or similar authentication when possible.
Personnel Security
The first key element in your personnel security must be to take all reasonable measures to protect your employees against harm on the job. This means that you must safeguard them from hazards and risks and prepare them for any potentially harmful situations that may occur on the job. This will includes training to respond appropriately to a disaster.
A second key element in personnel security is the overall policy which outlines a clear definition of the structure of the organization interlinked with job descriptions, which reflect the following activities:
Selection of the right employees is a critical protection measure in any organization. In security screening for sensitive positions, the key element to address is the trait of honesty to determine a person's reaction to various environmental, social and personal situations.
There is also a need for a general procedure for dismissal including immediate removal from the premises.
Comprehensive Terms and Condition of Service should be in place to ensure that every employee:
- has the knowledge and applies the appropriate corporate policies and procedures dealing with the protection of company information;
- follows the appropriate procedures for the storage, reproduction, distribution and disposal of corporate information;
- shares corporate information only when authorized and only with those who have a clear business 'need to know' in order to support the company business;
- who is the owner or originator of corporate information, has the responsibility to classify the information according to its level of sensitivity and can authorize access to the information;
- provides the appropriate level of protection based on the sensitivity of the information; and
- notifies the Security department when it is believed that corporate information has been compromised in any manner.
The key ingredient to the success of any personnel protection program is the level of employee awareness in disaster avoidance and recovery steps. There is the need to develop and conduct, at regular intervals, a Security Awareness Program to make the employees think about things in a way that they have not before, realize that it can happen here and that this is a people/management problem, not a technology problem.
Travel Security
Travel security is the protection that must be put into place to safeguard (Company) personnel while in travel status. This includes airports and hotels.
These are the most vulnerable places in airports:
- Check-in Counter: your attention is focused on the ticket agent and not your baggage.
- Security Checkpoint: watch for a team of thieves & always have a large I.D. tag on your laptop.
- Internet Connection Businesses: too much exposure & not enough attention to your baggage.
- Waiting Areas: when you reach the gate, you relax and become less vigilant.
- Luggage Pick-up Areas: Keep all of your luggage touching your legs.
INSURANCE
Recovery planning is one form of insurance. A comprehensive program of business insurance which includes recovery planning and more traditional forms of insurance is important when you are developing a complete protection package.
Be sure that you have recovery insurance and business interruption insurance. This is an area that your Risk Manager should review with your insurance company.
Business Interruption Insurance
Business Interruption Insurance covers an organization's loss in net profit due to a disaster. It also covers continuing expenses (e.g. rent and loan payments) that the organization is obligated to pay during the time that it is unable to operate.
It is important to note that business income insurance is a contingent coverage. That is, it covers consequential loss resulting from a direct loss to property. Thus an organization's property (e.g. building) must suffer a direct loss (e.g. fire) which is covered under it's property policy. The consequential loss in profit and/or continuing expenses would be covered by business income insurance. If there is no direct loss to property, or that loss is not covered by the insured's property policy, then the business income insurance would not respond.
The application of business income insurance is obvious. It reimburses the organization for the revenue it normally generates while it is unable to do so. This increases the chance of quick successful recovery and retention of customers. A question that should be asked when purchasing this policy is whether there is a time frame during which the policy will respond. For example, some policies will pay for losses up to only one year after the date of the disaster. Some policies will pay indefinitely, up to the purchased limit. This is an important consideration, as a company's full recovery to the level of operation before it suffered the disaster could take several years.
Other Coverage
There are other coverages, not usually included in the standard business income form, that can be purchased. One is extra expense coverage. This pays any expense an organizaton incurs in an attempt to continue operations, over and above normal operational expenses. The obvious application would be to pay for implementation of a disaster plan: hot site fees, transportation and hotel costs for employees, purchase of cellular phones, use of subcontractors, etc..
Another coverage that may be purchased is ordinary payroll. This covers ordinary payroll expenses during the time a company is unable to operate. Thus if a company suffers a major disaster, they at least won't have to worry about where the money will come from to pay their employees.
The above information details only time element coverages. Obviously an organization needs to purchase the basic property coverages such as fire, flood, earthquake, etc., to properly protect their operation. Should they need to file a claim, what are some of the questions their insurance company's claims representative will ask? What are some of the documentation the claims representative will need? The following is meant to give a "feel" for the types of questions that can be expected from a claims representative regarding a large loss claim.
Claims Matters
Cause:
A claims representative will be interested as to the cause of the loss (unless it is a catastrophic type loss such as flood or earthquake). If the reported loss were fire, some questions would be: Where did it start? Who discovered it; can claims speak to that person? What Fire Dept. was called? What was the Fire Dept.'s opinion of the cause? If the cause was undetermined, an independent cause and origin investigation would be initiated, and the insured would be asked to leave the premises. The insured could be asked to secure the premises (e.g. board it up and/or hire security guards), pending the investigation.
Alternate Location:
If the damaged premises is not tenantable, claims would ask the following: Can a temporary location be used to set up temporary operations? Is there a current list of available properties; when was it last updated? Where can supplies be quickly obtained to continue manufacturing? Can temporary office equipment/machinery be rented? Have computer records been backed up and where are those records? Are vendors (telephone, computer, etc.,) available who can provide services quickly? If equipment is damaged, are there repair facilities available which can expedite repair/replacement. One can see from that most, if not all, of these questions should already have been addressed in a company's disaster recovery plan. Thus a company with such a plan would be better prepared when filing an insurance claim.
Building Damage:
Is the building repairable? If so, is there a contractor with whom the insured prefers to work? Does the insured own the building? Is there a mortgagee; if so, who is it? What is the outstanding loan balance? Is a copy of the loan papers available? If the building is leased, who is the owner? Is there a copy of the lease which details the insured's responsibilities? If the building is a total loss, and the insured owns it, what is their intent to rebuild at the same location with the same kind of building?
Personal Property/Inventory:
Is there a current list of all personal property, and can the articles damaged/lost be identified? What are the values of the damaged articles? Can the articles be repaired? Can accounting books be reviewed to verify the values being claimed? What other supporting documentation is available to substantiate the articles being claimed? When was the last inventory completed, and is a copy available? Does any other party have an interest in any of the insured's personal property? If so, who is that party, what is their interest, and a can a copy of the agreement be obtained?
If a large loss is suffered with five million dollars of property coverage, an unspecific claim for the entire five million dollars is not sufficient. Documentation will be required to substantiate the values of what are being claimed to be lost.
Business Income/Extra Expense:
Can operations be resumed on a temporary basis? What are an insured's continuing vs. non-continuing expenses? (Recall from above that continuing expenses are normally covered by business income insurance. Rent payments may or may not continue. Loan payments on the building generally continue as do all other "contract" type expenses. Electric, gas, phone, and ordinary payroll can be suspended until operations are resumed.) Are copies of the Profit and Loss Statements from the past 2-3 years available? (This allows the insurance company to determine the profit that is lost due to the disaster.)
An independent CPA may be hired to assist in the analysis of the insured's financial status, and their projected loss earnings.) How long does the insured anticipate being out of business, and how long does the insured estimate it will take to resume operations? What processes, if any, can be subcontracted out at an extra expense to meet sales obligations to the insured's customers? What outstanding committments are not going to be met by the insured as a result of the disaster?
Conclusion
Being prepared when filing a claim can greatly facilitate the claims process and increase the insurance company's ability to assist at the insured's time of need. Business income coverage can be an invaluable contribution to the recovery after a disaster. The above information is meant to be a general guide regarding business income insurance.