Broken Links

If at any time while browsing this blog you notice a link is not working, please leave a comment or send an email. Yesterday I noticed the policy whitepaper link is not working at Foundstone. I am currently working with McAfee to try to figure out where the document moved or to get it uploaded back on the site. My apologies, but in the future if you notice a problem with a link, please point it out and I will update the site ASAP. There is nothing more frustrating than broken links on a user’s website or blog.

MTA NYC Explosion: Poor Business Continuity

It’s amazing that after so many disasters and crises in NYC, the MTA (Metropolitan Transportation Authority) still can’t seem to get it right. The link below has a summary of the disaster scenario:

NYC Steam Blast Explosion  

Anyway, so NYC is falling apart and all the people that live in Connecticut and upstate New York require transportation out of the city.  Usually the commuters take the Metro North trains.  Unfortunately the explosion is located outside of Grand Central Station where the Metro North trains depart NYC, so access to trains is limited.


More than 45 minutes after the disaster occurred, MTA still did not have its continuity plan in full action. If you dialed the MTA-Info number listed on their website, you would be out of luck. Response: "All lines are busy." The website did not have a service alert message for commuters.

OK, phones being out of service is expected, except that only MTA’s phones were the issue. Next step: call 311 (the NYC information hotline); maybe the main NYC government information center can help figure out how to get out of the city. 311 staff didn’t know the status of the MTA trains. 311 staff also couldn’t contact MTA because phones were still out of service at MTA. Out on the street it was worse. The police were controlling the area, so they were the only government staff that a person could ask a question. The answer the police responded with was “you have to wait around”.

I can’t recall if it was the news or 311 that mentioned going to 125th Street, which is one of the locations that the Metro North trains pass while going north. The only problem is that train stops were not modified, so, sad to say, many commuters watched trains drive right past.


This is basic, but many companies fail at crisis management, business continuity, and disaster recovery on some of the simplest items, like phone hotlines. MTA needs to update their current plan to include:

  • A phone hotline that gets immediately updated with current crisis status and directions for customers. This should not be the normal MTA line; it should be a crisis information hotline, or MTA should utilize the current 311 system more effectively.

  • Faster updates of the website in emergency situations.

  • Identified key contacts to improve downstream communications to the police on the street.

  • Re-evaluation of train stops by communicating with employees in the field to identify over-capacity issues at particular stops, such as the 125th Street location.

Good Practice

What did MTA do right?  They finally got the information out to the news channels and on the website, but I’m sure it was hard for people standing on the street to get the information.

More on Emergency Management and Business Continuity

FEMA has a great deal of information on emergency management.

DRJ has a good deal of information on business continuity and disaster recovery.

Security Threat Statistics – Resources

Where do you get statistics and probabilities on threats? It seems organizations always ask for hard facts on threat statistics, but the research doesn’t appear to be very mature. Creating a good threat library and making a best-guess effort seems to be common practice among others in the security industry. A few good sources for this information exist, such as:

  • CERTs Ecrime Surveys

  • The National Counter Terrorism Center

  • FEMA

  • Workshare Reports

Then there are all kinds of other sites that can help you build a threat library but lack statistics, such as:

  • Georgia Institute of Technology

Some of these sources were used to start the ISM’s list, but my involvement has slipped. However, time and time again there is a need for this information. If anyone has other good resources, let me know and I will add them to the links page and see about getting some of this information into the ISM community threat library.