By Paul Kirvan
Most of us probably think of disasters as external events. However, situations may exist within companies that could be equally destructive. Here are some common internal situations that, left unattended or unaddressed, could easily escalate into real disasters, and what you can do to prevent these disasters from occurring within your company.
From a security perspective, many options exist for skilled and motivated people to steal valuable company information, damage systems and applications, and violate physical and information security provisions. Despite the use of passwords, biometrics and other security devices, it is still possible to damage information systems.
Physical security systems, such as proximity cards, scanners, video cameras, motion detectors and other devices, can also be compromised. Even techniques like social engineering, in which clever individuals can obtain valuable information from unsuspecting colleagues, can create potential disasters.
Editor's Tip: It's also important to know how to communicate with employees during a disaster. Read this article to learn how you can effectively communicate with other staff members during a disaster.
In a typical office, the building infrastructure and its supporting components (e.g., HVAC, commercial power, communications, fire protection, air quality management and security) can be compromised. Despite the use of automated monitoring systems for power and HVAC, for example, it is still possible for a system failure to result in an unplanned building evacuation or other disruption. And if a fire occurs while detection and suppression systems are unavailable due to a malfunction, the result could be a serious disaster.
Editor's Tip: Are you operationally ready to recover from this type of disaster? Read this article to learn how you can have your data center ready to recover from a "nondisaster."
The ability to prevent disasters from occurring within a business depends on operational procedures that address potential situations before they occur and that provide for a quick response to minimize the impact if an incident does occur. Risk assessments can identify potential threats to the building or company, as well as vulnerabilities that could facilitate an incident. The key is to address those risks and vulnerabilities with the greatest potential to cause a business disruption.
Editor's Tip: Risk management is a multifaceted discipline and covers a broad area ranging from business and operational risk to the more focused IT risk. Here's how to understand your data storage risk.
Preventing disasters is just as important as responding to them. Here's a checklist of information security prevention activities.
- Conduct risk assessments to identify potential threats
- Conduct vulnerability assessments to identify potential system weaknesses
- Address key threats and vulnerabilities and enact continuous monitoring to ensure proper operation of remedies
- Establish information security policies, disseminate them to all staff and enforce them vigorously
- Implement multiple system security access strategies to thwart potential inside criminals
- Use biometric access to further increase security
- Consider using video cameras to record staff activity
- Require password resets every 30 days
- Be aware of potential social engineering by staff
- Consider implementing keystroke monitoring
Editor's Tip: Having a disaster recovery plan is just the first step in DR planning. It's important to test your plan on a regular basis and learn from your mistakes. Here's an article about 10 things you must have in your DR plan.
Here's a list of facilities and operational activities to get you organized.
- Conduct risk assessments of internal systems (e.g., security, access control, HVAC, air handling, power, communications) to identify potential threats
- Conduct vulnerability assessments to identify potential infrastructure weaknesses
- Update infrastructure systems to address identified threats and vulnerabilities
- Provide continuous monitoring of critical systems
- Regularly test fire detection and suppression systems to ensure they operate properly; install fire extinguishers wherever possible
- Ensure that primary and backup power supplies are operating properly; test them regularly
- Provide lightning arresting equipment, and ensure that electrical systems are properly grounded
- Use video cameras to monitor areas, employee safety and after-hours safety (e.g., for multiple shift situations)
- Minimize potential for static electricity from carpeting
- In regions where severe storms and high winds occur, install plastic film in building windows to minimize the potential for windows to shatter
- Conduct assessments to identify potential operational risks and vulnerabilities
- Develop and disseminate operational policies that address disaster situations
- Ensure that businesses have disaster recovery plans for technology, and test them periodically
- Ensure that building infrastructure systems have emergency procedures to address incidents when they occur
- Ensure that evacuation instructions for staff are on display for all occupants (e.g., at elevator banks), and distributed to all building occupants
- Contact neighboring buildings to arrange for temporary relocation of staff if necessary
- Identify assembly areas for staff to meet in a building evacuation
- Provide employees with cards that list emergency procedures, phone numbers to contact, assembly areas, etc.
- Conduct periodic training programs to ensure that employees are aware of potential disaster situations and can be alert to them
- Conduct periodic training programs to ensure that employees are aware of company security policies, ways that systems can be compromised, and how they can help prevent future incidents
Careful assessment of risks and ongoing diligence in maintaining system and operational security will help minimize the chance of an internal disaster. Employees must also be mindful of their role in protecting the company and keeping the office a safe environment.
About this author: Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.