Archive for the ‘Business Continuity’ Category


There has been a large amount of security information and news of recent attacks posted in the media. We have Mandiant's report on China as well as several issues concerning Java. The sheer volume of information over the past year has made it difficult to keep up without a combination of sources. As a result, InfoSecAlways has made a few modifications to the site. Please check out the new "Security Feeds" in the right column (4th block down). This is a combination of about 20 different security RSS feeds now piping into the blog. You can check the site daily to get the latest news and updates in the industry.

Also, check out the links page as there are several new Threat and Vulnerability links added.  These are great if you are looking for specific attacks, breaches, or threats.


Almost one week after the Hurricane Sandy disaster, this is the scene within at least a 50 mile radius north of Manhattan. New Jersey, which was hit harder, is probably much worse considering gas rationing is now in effect.

December 2007 Posting

On December 19th, 2007, InfoSecAlways posted a blog article on Disaster Recovery Alternate Site Distances. That posting cited the recommended distance when preparing for a hurricane. The external study suggested an 85 mile radius; InfoSecAlways suggested increasing that distance to 210 miles. If Sandy was only a category 1 hurricane and the Tri-state area is affected as far north as Bridgeport, CT, then 85 miles is absolutely not acceptable. Even gas is hard to get within that 85 mile radius.

One item that was not discussed in the previous blog article was gasoline. For the past 4 days now this has been the same picture everywhere at least 50 miles north of Manhattan. This station in particular has had a gas tank delivery every day for the past 3 days, and each night the station runs out of gas late in the evening. In New Jersey and Staten Island there are stories about gas being siphoned from tanks and generators being stolen. The situation appears to get worse daily and the lines even longer.

A gasoline crisis affects both individuals and corporations. Employees will not show up to work out of fear of theft or of running out of gas. This is especially true if they have power issues that require a generator. Individuals will be forced to deal with personal matters, and work becomes secondary. If a business operates as a supply chain, taxi, or delivery organization that depends on transportation, it may be very difficult to operate due to lack of gas or increased traffic caused by the lines.

What to do?

Unfortunately, gas is an absolute requirement for both individuals and corporations to operate effectively. Individuals should know several things that can help in the event of a disaster.

Siphoning gas is difficult on most new cars. These cars contain a siphon screen that prevents hoses from going into the tank. In dire situations removing the fuel filter allows access to the gas. Remember that lawn mowers and other household items may have gas if needed.

Generators and gas tanks will get stolen. Staying in a disaster zone is not recommended, even within a few days after the disaster. Wait at the alternate location for several days until power is restored, supply chains can provide food, and any other immediate crisis has been resolved.

On the other hand, corporations will need to provide an alternate means of connectivity for office and technology based jobs. Use a good mobile provider that can bring a generator to the corporate office or enable the business to connect at a remote location. Organizations like Agility Recovery are experts at providing these services and other mobile solutions.

Corporations that require gasoline to operate the business should have conducted the proper analysis and considered the supply of gasoline a mission critical process. As a result, these businesses must purchase a series of large tanks and should consider owning their own gas stations with backup supply chains in place. These gas supply tanks and stations must be protected with the proper physical security mechanisms, such as anti-siphon devices on tanks and secure fencing perimeters around the gas stations.

Recommended Distance

Gas is a critical resource, and the effects during a hurricane can be substantial since it is required for heat, food, transportation, and much more. Based on Hurricane Sandy, the distance required to provide a solid gasoline supply chain is around a 100 mile radius from the center point of the storm. Both employees and corporations need to consider the type of disaster and its radius. The radius should be considered for all resources and for the supply chain of those resources. Otherwise things may come to a halt when there is no gas left to buy at the station.


This document is written with the assumption that the organization follows ISO and has implemented many of the controls (including Disaster Recovery), but may be lacking in the area of business continuity management. This document aims to consolidate and leverage the work already done for other ISO controls to jumpstart the BCP compliance effort.

 

The first step in compliance is to develop and implement a BCP management process. The process needs to identify the critical business processes within the organization and incorporate management requirements.

 

Process:

  1. Identify critical business processes and associated assets.  Create a template or leverage the disaster recovery (DR) documentation (Note: the DR information may not be complete enough, as it usually only covers recovery of technology functions and may exclude important business functions or processes that do not rely on technology) and send it to managers, requiring them to document their critical business processes by location.
  2. Identify the consequences in the event of a disaster.  Again, most of this should already be in a DR plan.
  3. Identify controls to reduce risk.
  4. Ensure information for business operations is available.
  5. Ensure BCP is integrated within business processes and includes security.
  6. Ensure that plans are updated and tested on a regular basis.

 

Below is a sample that can be put together quickly to help meet some of this compliance.  Use Excel and list the critical business processes in a matrix associated with each geographic location, as shown below.

 

[image: bcp-iso1 - critical business process matrix by location]

 

The next step is to identify the results of different events by doing a business impact analysis.  Continuity plans have to be developed for quick restoration of operations and should be integrated with information security and other key management processes.  Controls that can be put in place to reduce risk should be identified.

 

The Threat should define "Who".

The Event should define "What, Where, and When".

 

[image: bcp-iso21 - threat and event table]

 

The table below is an expansion of the one above (threats are repeated for consistency).

 

[image: bcp-iso31 - expanded threat and event table]

 

After the assessment the following must be done:

  • Continuity plan(s) must be created.
  • Roles and responsibilities must be documented.  Most of this should already have been done for other ISO controls, but a few short statements may need to be added to reflect business continuity compliance.
  • Procedures and processes must be documented.  Many of these should already have been documented as part of incident response, disaster recovery, change control, and other standard operations.  A few additional procedures may need to be created, such as the process for documenting and updating plans.

 

Plans must share the same framework.  This means all departmental plans must be on a standard template.  A centralized escalation and evacuation plan should be developed.  Evacuation plans can simply state "follow building evacuation procedures".  Escalation plans in most cases can follow standard disaster, emergency services, or incident response plans.

 

Plans need to address:

  • Roles and responsibilities of key staff (i.e. BCP coordinator, executive management, and users)
  • Summary pointing to the documents that contain recovery procedures for operations.  In many cases these procedures are in the disaster recovery area or part of the standard operating function.
  • Testing of plans.  This needs to track and schedule each element and when it is tested.
  • Storage of plans at alternate locations
  • Ownership of plans
  • Fallback procedures
  • Resumption procedures
  • Awareness and Training
  • Review of plan(s)

 

Putting everything important together is the key to the business continuity plan.  Many of the items above exist within most organizations, but they have not been organized or consolidated in one area.  A document detailing each of these items and consolidating them all in one location is the key to passing the assessment.  If you are already working towards ISO compliance, then Business Continuity Management is just one more minor component that can be accomplished quickly by consolidating a large amount of information in one place and creating a document (plan) that organizes and explains everything that needs to be done with these documents if there is a disruption to business operations.  In some cases there may need to be department level plans that closely mirror the main plan but focus more on departmental operations.  Some assessments will look for both centralized and departmental plans.

 

For more information you can also review the actual ISO/IEC 17799/27001 documentation and the BS 25999-2 Specification.


An article was recently published about the Army adding Macs to improve security.  Although diversifying vendors will usually make you more secure when done in support of a defense-in-depth strategy, the content of the article suggests a lack of knowledge or evidence behind the statements made on the Army's part.

Article in Full:

http://news.yahoo.com/s/nf/20071224/bs_nf/57382;_ylt=AtIAHN4BI3dTDzpNM.n7xA8E1vAI

 

There is one particular statement that is worrisome, where the Army security spokesperson is quoted as saying "Apple's version of Unix is inherently more secure than Windows".  Now, I don't claim to know all the facts, but if you look at the links provided below, Mac OS X falls behind in 2007, and in 2004 it has fewer advisories but remains roughly comparable percentage-wise in the number of critical vulnerabilities.

 

2007 Stats:

http://blogs.zdnet.com/security/?p=758

2004 Stats:

http://www.techworld.com/security/news/index.cfm?newsid=1798

 

Fortunately the article has a counter argument by Charlie Miller at the end, supporting the point that the Army needs to step it up with more than Macs when it comes to security strategy.  He comments that the Mac is "behind the curve in security".  He also has a great reference: "In the story of the three little pigs, did diversifying their defenses help? Not for the pig in the straw house."  On the other hand, diversifying is good if you use one product to back up the function of another product in the event one fails.  So even though the pigs' straw house was destroyed, if that third pig could get to the brick house it would still survive.


There is an article that came out earlier from DRJ (Thomas L. Weems), based on a study, that provides guidelines on the required geographical distance for alternate site locations.  This is good news for those performing risk assessments where this is considered a vulnerability, because as far as I know FEMA has provided no specific guidelines.

http://www.drj.com/articles/spr03/1602-02.html (registration required to view)

Ideally, 105 miles point to point is the key number covering all the threats listed below.  For those who don't have access to the article, below is a breakdown of the recommended geographical distances based on the threat.

NOTE: The article provides a graph, so the numbers below are based on my interpretation of the graph.

Alternate Site Distance Recommendations (miles)

Hurricane: 105
Volcano: 75
Snow/Sleet/Ice: 70
Earthquake: 60
Tsunami: 52
Flood: 48
Military Installation: 45
Forest Fire: 42
Power Grid: 36
Tornado: 35
Central Office: 29
Civilian Airport: 28
None of the Above: 21

Off Site Storage Facility Distance Recommendations (miles)

Hurricane: 85
Volcano: 64
Snow/Sleet/Ice: 56
Tsunami: 45
Earthquake: 43
Flood: 43
Military Installation: 41
Forest Fire: 38
Power Grid: 36
Central Office: 25
Tornado: 24
None of the Above: 24
Civilian Airport: 22

Also, the key here is to remember that the off site storage facility should be accessible from the alternate site facility, which is a mistake many organizations make.

Problems and Revisions

Based on some quick research there are a few problems with the distances above.  I took three common disasters and did a quick analysis; here are the results along with some suggested changes.

Hurricane – Katrina spanned a much larger distance than 105 miles, proving that this distance is not adequate in a very large hurricane.  The article below explains that Katrina extended over 780 miles, although the outer regions were probably only affected by rain.  However, from my research, severe damage covered roughly a 200 mile radius.  Therefore, I would suggest doubling the current metric to 210 miles.

http://earthobservatory.nasa.gov/NaturalHazards/shownh.php3?img_id=13083

Volcanoes – Although the current figure will probably be fine in most cases, there is information to support that volcanoes can spread ash up to 100 miles, as described in the article below.  Therefore, this number should be revised to 105 miles depending on the type of volcano.

http://pubs.usgs.gov/gip/volc/types.html

Earthquake – Similar to the volcano, this distance will probably be sufficient, but why take the chance when there is evidence that a 7.8 earthquake ruptured 220 miles of a fault?  Therefore, this number and its definition should be clarified to mean at least 60 miles from a major fault line.

http://www.earthquakecountry.info/roots/shaking.html


The BS 25999-2 Specification for business continuity management is out in draft form, free to download and review.  My apologies for sitting on this so long and not getting it out earlier, because the deadline for review is today.  Anyway, it's still good to download while you can.

http://www.bsi-global.com/en/Standards-and-Publications/Industry-Sectors/All-Standards/BS/BS-25999-2-Draft-for-Public-Comment-DPC-/


It's amazing that after so many disasters and crises in NYC, the MTA (Metropolitan Transportation Authority) still can't seem to get it right.  The link below has a summary of the disaster scenario.

NYC Steam Blast Explosion  

Anyway, so NYC is falling apart and all the people who live in Connecticut and upstate New York require transportation out of the city.  Usually the commuters take the Metro North trains.  Unfortunately the explosion is located outside Grand Central Station, where the Metro North trains depart NYC, so access to trains is limited.

Problem

More than 45 minutes after the disaster occurred, the MTA still did not have its continuity plan in full action.  If you dialed the MTA-Info number listed on their web site you would be out of luck: the response was "All lines are busy."  The website did not have a service alert message for commuters.

http://www.mta.info/ 

OK, phones being out of service is expected, except that only the MTA's phones were the issue.  Next step: call 311 (the NYC information hotline); maybe the NYC main government information center can help figure out how to get out of the city.  311 staff didn't know the status of the MTA trains.  311 staff also couldn't contact the MTA because the phones were still out of service at the MTA.  Out on the street it was worse.  The police were controlling the area, so they were the only government staff a person could ask a question.  The answer the police gave was "you have to wait around".

I can't recall if it was the news or 311 that mentioned going to 125th Street, which is one of the stations the Metro North trains pass while going north.  The only problem is that train stops were not modified, so sadly many commuters watched trains drive right past.

Improvement

This is basic, but many companies fail at crisis management, business continuity, and disaster recovery on some of the simplest items, like phone hotlines.  The MTA needs to update its current plan to include:

  • A phone hotline that gets immediately updated with current crisis status and directions for customers (this should not be the normal MTA line; it should be a crisis information hotline, or the current 311 system should be utilized more effectively).
  • Faster updating of the website in emergency situations.
  • Identified key contacts to improve downstream communications to the police on the street.
  • Re-evaluation of train stops by communicating with employees in the field to identify over-capacity issues at particular stops, such as the 125th Street location.

Good Practice

What did the MTA do right?  They finally got the information out to the news channels and onto the website, but I'm sure it was hard for people standing on the street to get that information.

More on Emergency Management and Business Continuity

FEMA has a great deal of information on Emergency Management:

http://www.training.fema.gov/EMICourses/EMICourse.asp

DRJ has a good deal of information on business continuity and disaster recovery:

http://www.drj.com/new2dr/model/bcmodel.htm