All-Hazards Planning Approach | Pandemic Preparedness

April 25th, 2026 by

It is likely that on September 11th, 2001, most organizations did not have a recovery strategy or specific procedures for large commercial aircraft crashing into their facilities. Similarly, many organizations likely did not have a plan for the hazard of a worldwide COVID-19 pandemic, which has shut down the economies and disrupted the supply chains of nearly every country on the globe. Nothing like this has happened before. Who knows what the next unknown hazard will look like?

Many experts recommend that organizations adopt an “all-hazards” planning approach. This involves performing a detailed risk assessment of all potential hazards that can affect the organization, and then developing mitigations and planning strategies and performing testing exercises based on these prioritized hazards. Potential hazards are grouped into categories such as Natural Disasters, Human-caused Events, or Technical Disruptions. Each potential hazard should be rated on the following risk factors:

  • Probability of Occurrence (Likelihood the threat will materialize)
  • Loss Impact (Direct impact due to the loss of the function)
  • Consequence (Downstream losses as a result of the realized threat)
  • Exposure (the passive, inherent factors contributing to vulnerability)
  • Level of Control (the active, controllable variables to offset vulnerability, e.g. the Fire Suppression system)

To be complete in this assessment, it is also important to consider the other side of the all-hazards planning approach, which is to identify and address all the “asset types” of the organization that can be impacted by these potential hazards. What are the key assets of the organization, and how can the potential hazards affect these different asset types? In many cases, organizational assets can include: Facilities, Personnel, IT/Infrastructure, and Data/Records. So now, as an example, you can develop planning strategies to account for all the “loss of facility” scenarios, whether the cause is fire, flooding, tornado, earthquake, train derailment, or something else.

Another often-missed element is the asset of Image/Reputation: certain hazards can affect the organization's Brand value in the marketplace. Consider that a single Asset can have one or many identified threats, and likewise multiple asset types can be affected by a single common threat.

In summary, a comprehensive Enterprise Risk Management strategy will identify all the potential Hazards that can affect the organization, then rank and prioritize these for the different Asset Types that are identified for the organization, and finally employ mitigation strategies, effective planning approaches and testing/exercising to bring the organization into even greater resilience.

For more detailed information about how to better prepare your organization with an All Hazards Risk Assessment, effective BC/DR Planning tools, or to schedule a tabletop exercise with our Certified Business Continuity Professionals, please contact us via:

  • The contact form using the link at the top of this page
  • Email at PSISales@ParadigmSI.com
  • For more information, call us at 800-558-9568 ext. 300
  • To speak with a Sales Representative about Business Continuity Planning Consulting or Business Continuity Software, please call:814-330-2560

 

ref: https://www.ready.gov/planning

 

5G, Edge Computing and BC/DR

March 1st, 2026 by

5G is the next generation of mobile broadband service, and it will bring an exponential leap in capability, much more than in previous generations.  Ultra-reliable and extreme real-time communications will help to support the growth of the Internet of Things (IoT) down to wearable devices and a massive distribution of sensor networks that will impact the efficiency of our everyday lives.

Currently, the first 5G services are available to about 12% of the mobile broadband users in the US. Within 3 years, 5G coverage availability is expected to be at 25% or greater.  100% coverage availability is expected within four to five years.

The success of 5G will require caching and storing massive amounts of data to support applications and other functions that run on these devices.  The advent of smart homes, smart industry and smart cities will require moving a large portion of the computing power down from the cloud to the device level, or closer to the device level.

Edge computing and near-edge computing will be the architecture required to support the new mobile broadband ecosystem. Street-level IoT devices and connections, along with micro data centers, will fuel the throughput and capacity required to enable the middle layer: low-latency fiber and wireless connections between the core systems that remain in the centralized cloud and the edge-level computing performed by devices within industry, homes and cities.

5G and Edge computing infrastructure will bring with it many advancements, but also many challenges. Protection of user data and privacy will be paramount. The end user and business consumers will demand increasing capability, capacity, storage and uncompromised security.

While 5G and Edge computing may not dramatically affect your day-to-day consumer functions and business operations today, they most certainly will within a few years.

Businesses should be prepared to assess their existing critical functions, data flows, dependencies, and technologies with a view towards the ever-evolving use cases for how users and consumers will interface with the organization, and how internal BC/DR plans will need to be proactively managed and transformed to meet the needs of the new 5G/Edge computing universe.

Is your Business Impact Analysis (BIA) up to date? Does your latest threat assessment include technology and data security hazards? Are your data center and cloud services infrastructure and your Disaster Recovery Plan ready to handle the challenges of 5G and Edge computing?


Importance of Crisis Communication

February 5th, 2026 by

Communications can be one of the first readiness conditions that become degraded during a crisis event. Organizational resilience demands effective crisis communications strategies.

The manner and reach of communications have been dramatically altered in this post-pandemic world. Furthermore, increased vulnerabilities to cyberattack and weaknesses in the infrastructure grid require quick and effective solutions for early notification alerting.

What is your level of confidence that your organization can reach out to important stakeholders during a crisis situation?

OpsPlanner can provide your organization with the ability to perform robust emergency notification alerting directly from your activated plan. Since your contact information and lists are already available on your plan, with just a few clicks you can send emergency alerts to all your plan-based Contact lists. You can create pre-defined messages and send alerts to various email, voice or text based recipients using the latest in text-to-speech technology.

With OpsPlanner, having a comprehensive Emergency Notification Solution (ENS) is easy. There are no third-party contracts required, and no need to maintain and share contact information with another third-party database.

For a limited time, Paradigm Solutions International is offering a free 60-day trial of the OpsPlanner Emergency Notification Solution.

For more information about how to better prepare your organization with an effective Emergency Notification Solution, or to sign up for this free 60 day Notification trial, please contact us via:

  • The contact form using the link at the top of this page
  • Email at PSISales@ParadigmSI.com
  • Call us at 800-558-9568 ext. 300

Ransomware and DR Strategies

December 15th, 2025 by

By now, most of us are aware of the rising occurrence of ransomware-style cyber attacks. Malicious code is introduced into the enterprise through phishing or some other means, and propagates quickly to infect networks, servers, PCs, laptops and other devices.

No organization is immune, and the threat is increasing each year. Large and small commercial companies, as well as state, local and federal governments, have all fallen victim to attack. With ransomware, the goal of the cyber criminal is typically financial gain, but an attack can also serve any other aim for which hijacked data and systems provide leverage.

As in any other type of attack scenario, the ideal victims are those organizations that have left themselves vulnerable as easy prey. Loss of access to IT systems and data can be devastating to the under-prepared. Intentional planning, preparedness and prevention are key to thwarting and mitigating these types of attacks.

For the enterprise organization, Disaster Recovery strategies need to be reviewed and updated as necessary to ensure full resiliency.  Prevention techniques can begin with an assessment and review of Information Policies and Procedures.   A posture review of the IT Systems and controls can be helpful, including timely server patching to stay current with security updates, implementation of proactive antivirus programs, as well as continuous monitoring and intrusion detection solutions.

Within the overall Business Continuity Management Strategy (BCMS) for the organization, it is imperative to identify the resiliency approach for all critical areas or asset classes. Typical assets to be managed for the organization include (but are not limited to): Facilities, Personnel, IT/Systems, Data/Records, Supply chain, and Image/Reputation. The BCMS will need to address the “loss of asset” contingency for each of these areas.

In reality, ransomware can potentially affect all these areas, such as access to the Facility, ability for personnel to perform essential functions, management of the supply chain, and certainly loss of image and reputation.  When it comes specifically to ransomware and DR strategies, IT/Systems and Data/Records are two of the key asset classifications that can be directly affected by such an attack.

In the case of critical Data/Records, if the primary site becomes infected with malware and you are locked out of these systems, does the organization have redundancy in place, in addition to failover strategies, in order to be able to retrieve and operationalize this data? Does this include managed backups and offsite storage? Are these encrypted, full or incremental, and scheduled hourly, daily or weekly? Are these aligned to the appropriate Recovery Point Objectives (RPOs) for the organization’s critical processes?

For IT/Systems, if the primary site becomes infected with malware and you are locked out of these systems, does the organization have redundancy and failover strategies in place that may include a geographically dispersed cold site, warm site or hot site? Are these aligned to the appropriate Recovery Time Objectives (RTOs) for the organization’s critical processes that depend on these systems? Depending on the RTO requirements and maximum tolerable downtime for critical processes in the organization, you may require an ‘Active-Active’ level of resiliency for a near-real-time failover capability, as compared to an ‘Active-Passive’ DR strategy.

Because this is sometimes overlooked, be sure to also consider the backup and offsite storage of what is required to run these systems, such as employee PC image profiles, server images, configuration files and copies of the required software programs with valid license keys.

Once all this is in place, how can you verify the effectiveness of your DR strategy, to include a possible ransomware attack?   Many organizations will from time to time facilitate a tabletop exercise to simulate the response procedures for a disruption to the organization.  This can be a good start, but be sure to simulate cascading failure scenarios that affect both operational processes as well as related IT/Systems and Data/Records, since most real life disruptions go beyond a single failure point.

Sometimes, instead of a simulated disruption, a planned and scheduled outage that actually shuts down the primary IT systems and brings them back online in an organized manner can reveal the true Disaster Recovery readiness of the organization. It will reveal potential gaps that may exist in a ransomware scenario, when you have been shut out of all your primary IT Systems, programs and data.

The DR strategies required to mitigate ransomware or any other type of disruption rely on having valid RTOs and RPOs for all the IT/Systems that support the organization. The Business Impact Analysis (BIA) will help you to identify the critical processes, resource and technology requirements, dependencies and operational RTOs and RPOs that will feed into the DR requirements. BC and DR plans can then be developed and documented, including the DR procedures for failover, recovery and restoration that may be needed during a malware or ransomware attack.
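The alignment questions raised above (backup schedule against RPO, recovery capability against RTO, offsite copies) can be checked mechanically once BIA rows and a DR inventory exist. The following is an added example, not part of the original article and not OpsPlanner code; the field names and sample rows are constructed for illustration. It assumes worst-case data loss equals the backup interval and that recovery time is whatever the last DR test measured.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:                 # one BIA row (hypothetical layout)
    name: str
    rto_h: float               # Recovery Time Objective, hours
    rpo_h: float               # Recovery Point Objective, hours
    depends_on: tuple          # names of the IT systems the process needs

@dataclass(frozen=True)
class System:                  # one DR inventory row (hypothetical layout)
    name: str
    backup_interval_h: float   # hours between backups = worst-case data loss
    tested_recovery_h: float   # recovery time measured in the last DR test
    offsite_copy: bool         # a backup copy exists away from the primary site

def binding_objectives(processes):
    """For each system, the tightest RTO and RPO among the processes using it."""
    need = {}
    for p in processes:
        for dep in p.depends_on:
            cur = need.setdefault(
                dep, {"rto": (p.rto_h, p.name), "rpo": (p.rpo_h, p.name)})
            cur["rto"] = min(cur["rto"], (p.rto_h, p.name))
            cur["rpo"] = min(cur["rpo"], (p.rpo_h, p.name))
    return need

def dr_gaps(processes, systems):
    """Return (system, finding, driving process) for every unmet objective."""
    inventory = {s.name: s for s in systems}
    findings = []
    for name, need in sorted(binding_objectives(processes).items()):
        system = inventory.get(name)
        (rto, rto_proc), (rpo, rpo_proc) = need["rto"], need["rpo"]
        if system is None:     # the BIA names a dependency that DR never planned for
            findings.append((name, "NOT_IN_DR_INVENTORY", rto_proc))
            continue
        if system.backup_interval_h > rpo:
            findings.append((name, "RPO_GAP", rpo_proc))
        if system.tested_recovery_h > rto:
            findings.append((name, "RTO_GAP", rto_proc))
        if not system.offsite_copy:  # a locked-out primary site takes the backup with it
            findings.append((name, "NO_OFFSITE_COPY", rto_proc))
    return findings

# Constructed sample data, not taken from any real organization.
PROCESSES = [
    Process("Order Entry", 2, 1, ("ERP",)),
    Process("Payroll", 24, 4, ("HR-DB", "FileShare", "Timeclock")),
    Process("Claims Archive", 72, 24, ("FileShare",)),
]
SYSTEMS = [
    System("ERP", 0.25, 1, True),
    System("HR-DB", 24, 8, True),
    System("FileShare", 24, 48, False),
]

if __name__ == "__main__":
    for system, finding, process in dr_gaps(PROCESSES, SYSTEMS):
        print(f"{system:10} {finding:20} driven by {process}")
```

A shared system inherits the tightest objective of any process that depends on it: FileShare would satisfy Claims Archive alone, but Payroll's 4-hour RPO and 24-hour RTO make it a gap.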

What is your level of confidence that you could successfully recover from a test of a primary systems shutdown, or from an actual malware attack?    BC/DR planning tools like OpsPlanner™ can assist you and provide an effective foundation to build, plan, document, test, train, mature and continuously improve your organizational resiliency.


Implementing a BCM Program (Part 5)

March 1st, 2025 by

Implementing a Business Continuity Management Program

1. Establish the BCM Ownership.

2. Align BCM Program to organizational Strategic Goals.

3. Develop the BCM Policy.

4. Determine the BCM Strategy.

5. Determine the BCM Implementation Approach

The first step is to meet with decision-makers to understand and review the program approach, requirements and scope relative to implementation of the Business Continuity Management program.

The key focus is directed at identifying and then supporting the critical business functions.

Meet with decision-makers to understand and review the program approach, requirements and scope relative to OpsPlanner implementation for BCM/COOP.

Who? Decision-makers regarding the implementation factors for the continuity program (e.g. IT representation for technology considerations; Agency-level BCM owners, etc.)

What is expected to be accomplished? Level-set on expectations and strategize operational decisions regarding specific implementation topics.

(e.g. – Who is required to approve a plan before it can be published?)

What distinct operational segments are covered in this program?

  • Operational Groups:
  • Lines of Business:
  • Organizational Units:
  • Locations: (Site -> Location)
  • (named facilities: cold/hot sites? non-US sites? IS/failover locations? ancillary/support sites?)

Define Critical Success Factors / Project Goals

For example:

  1. Identify gaps in RTO between business units and IT
  2. Accurately integrate information about people, contact information, locations, equipment and systems in a timely manner
  3. Allow business units to declare an event scenario and record the activities that occur for evaluation and improvement
  4. Document and test all BCP test plans
  5. Document and test all DR processes

Discuss desired implementation method:

  1. “Big Bang” approach: All Agencies brought online at one time, or
  2. Staged implementation, with lessons learned after initial deployment and period of operation.

Discuss desired training approach:

  1. “Train the trainer”: individual focus sessions by user function? (e.g. Admins, etc.)

Use internal or external staffing? 

The first step in determining the BCM implementation approach is to decide whether the BCM program will be implemented using internal/hired staff or external BCM consultants. Either approach can be valid, depending on the resource capabilities and budget that are available. Outsourcing the BCM program implementation to BCM Consultants can certainly streamline the process. If internal staff can lead and manage the BCM implementation, this can minimize third-party expenses, but it increases the amount of effort and expertise required from existing FTEs.

Manual, document-driven BCMP or software-based BCMP solutions?

In many cases the size of the organization and complexity of the BCM requirements will drive this decision.  For other than very small organizations with minimal requirements, a software-based BCMP solution can be a great investment with positive return-on-investment.

There are many great BCM tools available in the marketplace.  Certain features and capabilities can be tailored to certain industries and BCM requirements.  It will be important to determine your key requirements and then review and assess which BCM tools best fit those organizational needs and requirements.

The OpsPlanner Business Continuity Planning Software solution can provide your organization with enterprise capabilities for Business Impact Analysis, Risk Assessment, Incident Management, and Automated Notification for a comprehensive Business Continuity Management program.

In addition, our Certified Business Continuity Planning Consulting professionals work shoulder-to-shoulder with you to facilitate enterprise-wide business continuity planning and participation, training, and support.


Next up in Part 6:  Initiate the BCM Program

Implementing a BCM Program (Part 7)

March 1st, 2025 by

Implementing a Business Continuity Management Program

1. Establish the BCM Ownership.

2. Align BCM Program to organizational Strategic Goals.

3. Develop the BCM Policy.

4. Determine the BCM Strategy.

5. Determine the BCM Implementation Approach.

6. Initiate the BCM Program

7. Business Impact Analysis

 

BIA Purpose 

The Business Impact Analysis (BIA) is the critical first step in the conceptual transition from recovery to continuity. It is designed to establish a common understanding, for endorsement by senior management, of what the enterprise sees as its key processes. It is the most important element, as well as the most complex component, of the Business Continuity Planning (BCP) or Continuity Of Operations (COOP) program.

An effective BIA will:

  • Identify the processes or functions performed by an organization and the criticality of each process
  • Identify the resources required to support each process performed
  • Demonstrate interdependencies between processes and/or departments
  • Allow understanding of the impact of failing to perform a key process
  • Assign a Recovery Time Objective (RTO) for each process and a Recovery Point Objective (RPO)
  • Identify Recovery Requirements
  • Prioritize the order in which the business units will recover

The BIA will assign priorities to those processes, quantify the impact on the organization should the processes be disrupted, help determine vulnerabilities based on the failure of critical functions, and ascertain which functions are mission-critical, critical, essential, or non(less)-essential.

To begin the BIA Process:

  • Develop detailed project plans for implementation of the BIA
  • Form a BIA Steering Committee
  • Identify the BIA Administrator Team
  • Conduct a Project Kickoff Session and invite Project Stakeholders

For more detailed information about how to perform a Business Impact Analysis, better prepare your organization with effective BC/DR Planning tools, or to schedule a tabletop exercise with our Certified Business Continuity Professionals, please contact us via:

  • The contact form using the link at the top of this page
  • Email at info@ParadigmSI.com
  • For more information, call us at 800-558-9568 ext. 300
  • To speak with a Sales Representative about Business Continuity Planning Consulting or Business Continuity Software, please call: 814-330-2560

Next up in Part 8:  Risk Analysis