From: InfoSec News (alerts at infosecnews.org)
Date: Fri Jan 18 2008 - 01:03:59 CST
http://www.forbes.com/opinions/2008/01/16/disaster-preparedness-companies-oped-cx_slw_0117disaster.html
By Scott Louis Weber
Forbes.com
01.17.08
The private sector owns 85% of this country's critical infrastructure,
and the government simply cannot protect it all, nor should it be
expected to. So this year, the most important resolution any corporate
executive can make is to develop, maintain and test its own business
continuity program, or "BCP."
A well-designed BCP will enhance internal credibility (with employees)
and external credibility and goodwill (with regulators, stockholders,
customers, suppliers and the community at large). In today's legal
landscape, it is clear that senior managers, officers and directors have
an affirmative obligation to take a substantive role in a company's BCP
planning and actively participate in the frequent and regular testing
and exercising of a company's plan.
A business continuity program helps an organization prepare for future
incidents that could disrupt the organization's core mission and
critical functions and, thereby, jeopardize the long-term health of the
organization.
The program consists of several components, including written plans,
physical security, mission critical systems redundancy, identification
of key employees, succession rules, reliable emergency communications,
alternative secure locations and regular tests and exercises. A robust
BCP will help ensure the continuity of a company's operations regardless
of the hazard. It is not optional. Rather, the responsibilities of a
company--and the duties of a company's senior managers, officers and
directors--are often heightened and tested during times of crisis. If
you are just starting to figure things out at that point, then it's too
late.
Traditionally, neither the CEO nor the board of directors had
participated in BCP planning. However, the Sept. 11, 2001, terrorist
attacks elevated crisis planning to the CEO level. Accordingly,
corporate leaders must now plan for disruptions and crises resulting
from events that may be construed by courts as "foreseeable." And
unfortunately, in a post-Sept. 11, post-Hurricane Katrina and avian
influenza-threatened world, this category of unforeseeable events
becomes narrower every day. Guess what? If Jack Bauer on 24 has to deal
with it, it's foreseeable!
Thanks to a number of organizations and the U.S. federal government, the
Internet is host to a collection of helpful resources.
The National Fire Protection Association (NFPA) is a nonprofit
organization established in 1896, with more than 81,000 members
representing some 100 nations. Among other things, it develops consensus
codes and standards that address hazard reductions and that are
developed through an extensive peer-review process involving
representatives from the public and private sectors. The NFPA 1600
standards encompass disaster/emergency management and business
continuity programs. These standards were endorsed by the American
National Standards Institute and the U.S. Department of Homeland
Security.
The NFPA 1600 standards define business continuity as "an ongoing
process supported by senior management and funded to ensure that the
necessary steps are taken to identify the impact of potential losses,
maintain viable recovery strategies and recovery plans, and ensure
continuity of services through personnel training, plan testing and
maintenance." It provides an "all hazards" approach (identifying over 45
categories of hazards like pandemic disease, cyber-attack, flood and
biological agent attack) and establishes a common set of criteria for
disaster management, emergency management and business continuity. The
standards provide the criteria to assess current programs and to
develop, implement and maintain a program to mitigate, prepare for,
respond to and recover from disasters.
Though these standards are voluntary "best practices," they may
ultimately spark creation of a regulatory scheme, which could have
significant impact on the private sector. Indeed, the importance of BCP
was acknowledged in new federal law. Last August, H.R.1, Implementing
Recommendations of the 9/11 Commission Act of 2007 was signed into law
by the president, and one subsection on Private Sector Preparedness
encourages the use of business continuity and disaster recovery
standards. This new law specifically cites the NFPA's code and calls for
the development of a private sector preparedness accreditation and
certification program, which would be used to certify the preparedness
of private sector organizations.
In September 2004, the U.S. Department of Homeland Security launched its
Ready Campaign. This includes Ready Business, which outlines common
sense measures that business owners and managers can implement and
provides practical steps and templates to help companies plan for the
future.
Using the 2008 new year as a springboard, the department is renewing its
efforts for readiness. During a speech in December 2007, Homeland
Security Secretary Michael Chertoff offered the following advice:
"Having a plan can make all the difference. ... The time for
individuals, families and businesses to plan is now, and to resolve to
make readiness a priority for 2008."
Senior management's involvement is critical. Senior managers have the
required level of expertise, knowledge of the company and ability to
identify resources from all of its key functional areas. Still,
third-party advice and validation is essential to ensure compliance with
standards and keep the company ahead of the regulatory curve.
Internal BCP compliance reviews that are supported by outside experts
are just as important as internal reviews to ensure compliance with the
Sarbanes-Oxley Act and the Foreign Corrupt Practices Act. BCP compliance
reviews that involve third-party validation will help senior management
satisfy its duty of care to plan appropriately for business continuity,
and thereby shield officers and directors from personal liability and
enhance a company's ability to mitigate, regardless of the hazard.
It is only a matter of time before Washington legislates how BCP is
done. Don't become a test case by failing to get ahead of the curve.
Corporate America should heed Chertoff's advice that "having a plan can
make all the difference." Maintaining your company's preparedness is not
something that can fall by the wayside, and your senior managers,
officers and directors must take an active and substantive role in BCP
to ensure the long-term health of your organization.
-=-
Scott Louis Weber is a partner in the law firm of Patton Boggs and is a
former senior counselor to the secretary in the Department of Homeland
Security.
___________________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn