Business Continuity & Disaster Recovery Planning · 2014-05-13 · Business Continuity (BC) Plan...


Page 1: Business Continuity & Disaster Recovery Planning · 2014-05-13 · Business Continuity (BC) Plan – a plan for performing your business/organization’s critical business processes

Business Continuity & Disaster Recovery Planning

Presented by Ed Goldberg, DM, CBCP

Manager, BC & DR Programs

5/22/2014

CBIA's Safety & Health Conference

Crowne Plaza Hotel, Cromwell, CT.

Disaster Planning for Small and Mid-sized Businesses

Page 2:

Hurricane Katrina – Simple case study & timeline

Landfall in southeast Louisiana as a category 3 hurricane 8/29/2005.

Entergy New Orleans filed for bankruptcy 9/23/2005.

Page 3:

Don't utilities plan and prepare for such things?

A tale of a power company tells an underlying story…

• When a system is damaged extensively, there's insurance, loans, recovery of prudent costs, etc.

• If the COMMUNITY is gone, there is no current or future source of revenue, therefore no loans and no resources

• The COMMUNITY is reliant on its businesses for its very existence

• There are ~350,000 small businesses in Connecticut (SBA).

• How many would survive a disaster?

• How many have continuity plans?

What went wrong? Why bankruptcy?

Page 4:

For those of you with a quantitative leaning…

9 out of 10 companies (90%) unable to resume business operations within 5 days of a disaster are out of business within 1 year

Nearly 4 out of 5 (78%) businesses faced with a catastrophe without a contingency plan are out of business within 2 years

(Original source unknown; cited in innumerable reports – AT&T, Agility, SBA, etc.)

Page 5:

(What smart looks like)

Let's proceed as if you're convinced of the need for contingency plans …because…

a) You came here today already convinced and I've been preaching to the choir (so, Ed, stop it and move on!)

b) These last few slides and discussion have been SO enlightening and now you're eager to start planning

c) You're a little curious and willing to listen politely

To make you really smart, we'll cover:

• What are the buzzwords? So many new, similar terms…

• What kind of plan(s) do I need? What are the risks?

• How much work is it?

• How do I begin?

• Where is Jimmy Hoffa buried?

• What planning help is available?

• Will having a plan lower my insurance rates?

• How do I get my electricity for free?

• How does preparing myself and my family contribute to preparing my business/organization?

• And we'll answer your questions, address concerns, give you some good resources, etc.

Page 6:

What are the buzzwords?

Business Continuity (BC) Plan – a plan for performing your business/organization's critical business processes during and after a disaster

Disaster – some event or condition/environment that challenges your business/organization's ability to perform its critical business processes

Disaster Recovery (DR) Plan – the IT (Information Technology) piece of your BC plan

Continuity of Operations (COOP) plans, Business Resumption Plans, Business Resiliency Plans, etc. – are often interchangeable, often used by vendors or large organizations to indicate some "next step" above and beyond basic BC/DR plans.

Business Impact Analysis (BIA) – what large companies do to gather the necessary information about their business processes to begin evaluating what they need in their BC and DR plans

Page 7:

Risk! What are the risks that would preclude your performing crucial business processes?

• First, define what processes NEED to continue

• Then evaluate threats/risks

What keeps you up at night? Create the BIA (Business Impact Analysis) and get some sleep!

Risks can include…

Fire, flood, etc.

Violence

Unknown substance

Data breach & other IT attacks

Weather events & solar storms

Crime & terrorism

Regulations/compliance

Social media

Economy and other environments

Loss of personnel

Pandemic

Supply chain disruption

Chemical or nuclear accident

Sabotage, etc.

Page 8:

What kind of plan do I need?

How can one plan deal with hurricanes, pandemics, fire, flooding, workplace violence, unknown substances, etc.?

All-hazards approach:

• Loss of facility

• Loss of people

• Loss of systems

• Sometimes intangibles such as reputation

For the vast majority and for those just getting started, you need the basics – a business continuity plan and a disaster recovery plan.

Old paradigm: DR plan only

What we've learned: Business Continuity Plan…

• Loss of facility: alternate worksite, supplies, communications, etc.

• Loss of people: source for skilled workers, help from others including competition, HR help

• Loss of systems: computers, media, services

Page 9:

How much work is it?

A decent BCP is probably just a couple of hours of work up front, and then an hour once or twice a year to keep it fresh. Obviously, there can be more to the plan, but that's a starting point.

Business Continuity Plans – BCPs – are living documents. They require a little care and feeding or they won't be very useful when needed.

One piece of care and feeding is to exercise the plan(s) at least once per year. A tabletop exercise – an hour or so with everyone involved with the plan – should be adequate.

Page 10:

How do you get started?

Coming here was a great first step

We can discuss what goes into a BC plan – and we will – but let's make it really easy and quick… with a free (really) template.

Want it electronically? http://ofb.ibhs.org/content/data/file/OpenForBusiness_new.pdf

Or type in ibhs.org and click on the Open For Business link, then on the picture of the cover (same as ).

Page 11:

What's in a BC plan?

• Contact info for employees (either a list or a call tree)

• Key vendors & suppliers info – contact info, perhaps some procurement info (contracts, PO numbers, etc.)

• Other key contacts such as investors and other stakeholders

• A list of critical business functions & processes

• Alternate work location, recovery location or plans to work from home, etc.

• Supplies

• Systems, machines, vehicles – depends on what you need

• Communications "stuff"

• What IT systems you need – and this becomes your IT DR plan, either in house or 3rd party, etc.

• Backup data/systems and instructions on how to use it

Page 12:

What's not in your plan?

TRIBAL KNOWLEDGE aka tacit knowledge, intuition, closely held trade secrets, etc.

Why is this mentioned? If a reasonably competent person with the necessary basic skills can't perform a task or otherwise engage in the work needed to continue a process, the plan(s) will fail. Remember to plan for Loss of People!

You need to somehow provide for the continuance of business processes, including passing on the recipes or other trade secrets.

It's not likely that you would put such detail into your BC plan, but it needs to exist somewhere, even if only in the heads of more than one person.

Page 13:

What planning help is available?

There are lots of options to get this done, daunting as it may seem…

• Do it yourself and have it reviewed by an expert volunteer

• Become a bit of an expert or have someone in your organization do so

• Hire a consultant or otherwise outsource it

Big organizations/businesses have people on staff who are expert at BC/DR planning. Those people are often willing to help through their professional organizations. No organizations compete on the basis of preparedness, and so they tend to share best practices. It's in all of our best interests to be prepared – companies are only as resilient as their host communities.

Where can one get educated on BC/DR, network and learn from others, and meet others who do this professionally?

Page 14:

The Association of Contingency Planners (ACP)

• Not-for-profit 501(c)(6)

• Connecticut chapter provides educational programs monthly October – June, plus a ¾-day conference in September (9/23/2014 – topic "Supply Chain Resiliency")

• CL&P hosts most of ACP's programs in Berlin

• Members share ideas, best practices, etc., freely. Take advantage of that.

• The best all-around BC/DR/EM organization, including thousands of members in 42 chapters across the US

http://ct.acp-international.com

www.acp-international.com

Page 15:

What good is all this if no one comes to work post-disaster?

Preparedness begins at home – each of us, our coworkers and employees need…

… a kit

… a plan

… a way to get information (http://www.ct.gov/ctalert/site/default.asp)

www.ready.gov

Lots of resources available, and it doesn't cost much to make a kit. Can any of us afford not to be prepared?

Page 16:

Active Shooter – Guidance from DHS

Plans should be all-hazard, but there are specific threats for which additional guidance is warranted…

• Active shooter

• Pandemic

• Data Breach

• What threatens YOUR business processes?

Page 17:

What Is A Data Breach?

• Many definitions:

• The exposure of data outside of its intended audience.

• The misappropriation of data.

So what?…….

• If it was exposed, does it matter whether it’s known what was done with it?

• Does it matter what the data was? Confidential, sensitive, protected, important, personal….

• Does it matter who had access to it?

• Does it matter if it was actually accessed or simply could have been?

• Does intent matter?

• Does it matter how many were affected or what the cost was?

• Regulatory definitions? HIPAA, PII, CIP, etc.

Organizations need to define “data breach” for their own purposes.

Page 18:

How do data breaches occur?

Unauthorized access from outside the network (hacking)

Unauthorized access from inside the network (someone with network access, physical or virtual)

Loss of physical media with embedded data (a stolen laptop, PC, cell phone, tablet, etc.; lost tapes, disks, memory devices, etc.)

Accidental or intentional release of otherwise secure data (programming error, database access control miscue, publication in error, mischief and malicious intent, social engineering, etc.)

Page 19:

How do we prevent data breaches?

Implementing best practices in IT security can reduce the likelihood of data breaches and reduce their adverse effects

IT Security is a great topic for another presentation on another day

The real answer, especially for the purposes of contingency planning, is that we can’t prevent data breaches.

Page 20:

Create guidance from a business continuity perspective

• How does the new risk challenge existing BC/DR plans?

• All-hazards approach: people, facilities, systems, intangibles (e.g., reputation)

• Crisis management for a data breach will require a wide variety of the organization’s resources

• Constituency of Incident Response Team will differ for a data breach

• Timelines and roles need to reflect heavy involvement of IT, Legal and Communications (possibly HR)

Page 21:

Detecting that a breach has occurred

• No guarantee that detection will occur in a timely manner

• Detection is usually funneled through or directly detected by IT

• Intake protocols – client calls to an IT support desk, web tickets, etc. – need to consider signs that a breach has occurred

• Internal monitoring – routine activities that might detect log irregularities, unusual movement of data, intrusion detection (routine activities given some sensitivity to what a breach might look like)

• Performance, bandwidth, database management alarms

• Keeping up with security patches and notices

• Determine what was taken (yes, it matters)
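The "internal monitoring" bullet above talks about spotting log irregularities and unusual movement of data. The Python script below is an added example, not part of the presentation: it runs three simple indicators over a few constructed application log lines (a burst of failed logins followed by a success, a single export far above a fixed row threshold, and export activity outside business hours). The log format, the field names, the thresholds and the business-hours window are all assumptions made for the example.

```python
"""Added example: three simple breach indicators over application log lines.

  1. password guessing: >= FAIL_THRESHOLD failed logins for one account
     followed by a successful login within FAIL_WINDOW
  2. unusual data movement: a single export larger than EXPORT_ROW_LIMIT rows
  3. off-hours activity: an export outside BUSINESS_HOURS
The log format, field names and all thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=5)
EXPORT_ROW_LIMIT = 10_000
BUSINESS_HOURS = range(7, 20)      # 07:00 to 19:59, assumed local time

# Constructed log excerpt: one account is brute-forced at 2 a.m. and then
# pulls the whole customer table; a second account behaves normally.
SAMPLE_LOG = """\
2014-05-12T02:13:44 user=jsmith src=10.0.1.25 action=login result=fail
2014-05-12T02:13:50 user=jsmith src=10.0.1.25 action=login result=fail
2014-05-12T02:13:57 user=jsmith src=10.0.1.25 action=login result=fail
2014-05-12T02:14:10 user=jsmith src=10.0.1.25 action=login result=ok
2014-05-12T02:20:00 user=jsmith src=10.0.1.25 action=export table=customers rows=250000
2014-05-12T09:05:00 user=amiller src=10.0.2.7 action=login result=ok
2014-05-12T09:06:12 user=amiller src=10.0.2.7 action=export table=customers rows=120
2014-05-12T09:30:00 user=amiller src=10.0.2.7 action=login result=fail
"""


def parse_line(line: str) -> dict:
    """'<iso timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events: list) -> list:
    """Return (indicator, user, timestamp) tuples; events must be time-ordered."""
    alerts = []
    recent_fails = defaultdict(list)   # user -> timestamps of failed logins
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["action"] == "login":
            if e["result"] == "fail":
                recent_fails[user].append(ts)
                continue
            in_window = [t for t in recent_fails[user] if ts - t <= FAIL_WINDOW]
            if len(in_window) >= FAIL_THRESHOLD:
                alerts.append(("password_guessing", user, ts))
            recent_fails[user].clear()   # a success resets the counter
        elif e["action"] == "export":
            if int(e["rows"]) > EXPORT_ROW_LIMIT:
                alerts.append(("bulk_export", user, ts))
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(("off_hours_export", user, ts))
    return alerts


if __name__ == "__main__":
    for indicator, user, ts in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()}  {indicator:18} {user}")
```

On the constructed sample the script raises three alerts, all for the jsmith account, and none for amiller's normal daytime activity. The point for a small business is not the specific rules but that the intake and monitoring the slide describes needs some concrete notion of what "irregular" means before the incident, so that an export of 250,000 rows at 2 a.m. is noticed rather than discovered months later.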

Page 22:

Identifying what was taken

Personal Information – can be associated with an individual, such as…

• Social Security number

• Driver’s license number

• State i.d. card number

• Financial account (bank, credit union, brokerage, credit or debit card) or other PCI numbers

• Passport number

• Alien registration number

• Health insurance i.d. number or other personal health information

• Critical infrastructure information

• Proprietary and business sensitive information
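As an added example (not from the presentation), the Python script below triages a constructed data dump to identify which of the identifier types listed above it contains, which is what "determine what was taken" means in practice. It pattern-matches the two types with a checkable structure: Social Security numbers (excluding the area, group and serial values the SSA never assigns) and payment card numbers (validated with the Luhn check digit), and counts distinct values so the team can size the incident. The sample records, the regular expressions and the field layout are assumptions; driver's-license, passport and insurance ID formats vary by issuer and are not matched here.

```python
"""Added example: triage an exposed file to classify what was taken.

Matches the two identifier types from the slide that have a checkable
structure (SSNs and payment card numbers) and counts distinct values per
class. Sample records, field layout and regexes are assumptions.
"""
import re

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA assignment rules)
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional single space/dash separators; Luhn-checked below
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Constructed sample of an exposed export. 4111... is the well-known Visa
# test number; 000-12-3456 is an invalid SSN; 1234567890123456 is an order
# number that looks like a card number but fails the Luhn check.
SAMPLE_RECORDS = """\
name,ssn,card,notes
Jane Doe,123-45-6789,4111 1111 1111 1111,order 1234567890123456
John Roe,078-05-1120,,
Test Account,000-12-3456,4111-1111-1111-1111,duplicate card with dashes
"""


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def classify(text: str) -> dict:
    """Return the distinct identifiers found, grouped by data class."""
    found = {"ssn": set(), "payment_card": set()}
    for m in SSN_RE.finditer(text):
        found["ssn"].add(m.group())
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())   # normalise separators
        if luhn_ok(digits):
            found["payment_card"].add(digits)
    return found


def summarize(found: dict) -> dict:
    """Count of distinct values per class: the 'how many were affected' number."""
    return {cls: len(values) for cls, values in found.items()}


if __name__ == "__main__":
    for cls, count in summarize(classify(SAMPLE_RECORDS)).items():
        print(f"{cls}: {count} distinct value(s)")
```

On the constructed sample the script reports two SSNs and one payment card: the invalid SSN is dropped, the order number is dropped because it fails the Luhn check, and the same card written with spaces and with dashes is counted once. Those counts are what drive the notification decisions on the later slides, and they are only as good as the inventory of what the exposed system held, so the real work is knowing, before the incident, which fields in which systems carry which class of data.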

Page 23:

Initial Response to a breach

• IT’s best people need to be involved and managing the response, not managing anything that can be deferred to others (Incident Response Team, for example)

• Activate Incident Response Team(s) to get necessary help

• IT and Information Security; HR, Health, Payroll, Customer Service/Experience, Risk Management, Insurance, Investor Relations, the internal owner of the data affected, Communications, Legal, senior management, etc.

• Contain the breach – empower IT to act a.s.a.p., including “opening the breaker”

• Escalate to the extent appropriate for what is known and what is possible

• Bring in expertise as needed – law enforcement, 3rd party experts, etc.

Page 24:

What needs to be communicated

• The nature and extent of the breach

• What happened; when it happened and when it was discovered; why it took so long to find out about it; where it happened; why it happened, etc.

• What’s been done to contain the breach, manage the incident

• Who’s been notified including regulators and authorities

• Point of contact for additional information


Page 26:

Breach legal guidance

• Fulfill notification requirements, as appropriate, to:

• Affected people

• Law enforcement

• Attorneys General

• Regulators

• Third parties

• Insurance carriers

Page 27:

Key points to preparing for a data breach

• Define data breach for your organization

• Be specific about the conditions for declaring a breach

• Adjust the response for the level of breach – not all breaches are the same

• Being prepared allows for the swift response that is necessary

• Identify causes, contain the incident by securing data, prevent recurrence

• As for any contingency plan, don’t “hard-wire” decisions and actions

• Predefine and involve all key players to optimize your response

• Document incident, people involved, developments and actions taken

• Predetermine all potential actions to preserve rights, protect stakeholders, satisfy regulators.

Page 28:

How do I get my electricity for free?

You can't. I just wanted you to stay until the end of the presentation.

Page 29:

Questions?

Page 30:

Thank you…

… for helping to make our communities resilient and prepared

… for your time and interest

… for your gracious hospitality and for inviting me here today

*** Thank you! ***

(Photos captioned "Resilient" and "Not so resilient")

Dr. Ed Goldberg, CBCP

[email protected]

860-665-5422

The Connecticut Light & Power Company

Berlin, Connecticut