Kim presents at IFSEC “Security & Business Continuity Working Together”
Kim this morning presented on operational resilience as part of the Security Management Education Programme at IFSEC 2012. She was speaking on Security and Business Continuity Working Together.
The security manager and business continuity manager often sit in different departments within large organisations and perhaps do not work together as well as they could. She explained the role of a business continuity manager, the standards he or she is working to and some of the ‘black arts’ of BC such as the Business Impact Analysis (BIA). In addition, she identified the questions to ask a business continuity manager and how to use the information collated to help the security manager focus on the most vulnerable parts of the organisation, thus ensuring the best value from security spending.
Kim also explained what resilience is, what it consists of and how it contributes to making an organisation more robust. To conclude, she gave a breakdown of how the two professions can work together to achieve mutual benefit, develop a greater understanding of the organisation they work for and ensure that the security budget is correctly spent on areas posing the greatest risk.
A copy of the slides is available here
Underpants Bomber
I heard in the news this week that the CIA had foiled an ‘underpants’ bomb plot which aimed to bring down an aeroplane. In the piece they were also talking about how Al-Qaeda in Yemen were getting more sophisticated in their bomb making, and that the Al-Qaeda as a whole appeared to be refocusing on attacking Western targets. The report claimed that Al-Qaeda felt that they had been distracted by the conflict in Iraq and Afghanistan, and had lost a lot of their support due to their involvement in local conflicts which were to blame for the deaths of many local people who Al-Qaeda were looking for support from. As a result, they were going to refocus their attacks on Western targets rather than being involved in local conflicts.
What does this mean for us?
This is likely to mean that in the future there will be more attacks, and although the security forces worldwide have been quite successful in foiling numerous attacks, I am always reminded of the IRA statement after the Brighton bombing when they failed to kill Margaret Thatcher “Today we were unlucky, but remember we only have to be lucky once. You will have to be lucky always.”
We therefore have to accept that there will be a successful attack sooner or later. One of the tasks of the business continuity manager is accounting for staff after a terrorist attack. This means that if there is a terrorist attack in a city that your staff members are visiting, you should be able to account for all your staff and make sure that they have not been caught up or injured in the attack. To do this I believe some preparation is required on the part of the business continuity manager.
- Do you have protocols in place for knowing where your staff members are at any time? For instance, if there is a terrorist attack in Paris would you know whether you have staff in the city at the time? This may be easy if you book your international flights through a central travel agency, but it is more difficult if this is internal travel within your country as staff may travel by car or train where bookings are not centralised.
- Do you have procedures in place for ensuring that if an incident occurs, staff members who may be nearby are able to phone in and say they are safe? This prevents lots of time wasted searching for them, but it is worthwhile remembering that when incidents occur, often the mobile phone system becomes overloaded and unusable so you may be unable to ring them on their mobile.
- Do you have crisis plans in place for dealing with an incident if your staff are caught up in it, especially if they are traumatised, injured or killed? Organisations have a duty of care to their staff and so should have plans in place for dealing with overseas incidents. If you are looking for training on crisis and incident management you may want to attend the Level 2 course, which has two days of training on the subject.
For me the 2008 Mumbai attacks (11 coordinated shooting and bombing attacks across Mumbai, India’s largest city, by terrorists who allegedly came from Pakistan) brought home how easy it is to be caught up in an ongoing terrorist attack. If you received an email from an employee caught up in a terrorist attack on their hotel, would your organisation know what to do?
Kim involved in developing ISO 22313
Kim last week spent two days working with the BSI as part of the BCM/1 committee which is developing ISO 22313, the guidance to accompany ISO 22301. She commented that some 450 UK comments were discussed, with 150 going through as recommended changes to the ISO 223 committee meeting in Bogota at the end of June. Whether ISO 22301 will replace BS 25999 is still up for discussion, but she could confirm that ISO 22301 is going to be published any day now.
Details on how PlanB can help you develop business continuity standards within your organisation are available here
Mail terrorism
Over the last few days a total of 10 envelopes containing white powder have been sent to Michael R. Bloomberg and six banks in Manhattan. Following the anthrax attacks in the USA in 2001, any envelope containing white powder causes mass disruption until the police can prove that it is not anthrax, as in this case where the powder turned out to be corn flour.
In business continuity terms a white powder incident is something we should prepare for, and staff should know what to do if they open an envelope containing it. The business continuity manager should also look at where their mail is opened to ensure that, in the event that anything suspicious is found in the post, the area can be cordoned off so that it does not cause wide-scale disruption to the organisation. I was looking at some of the details of the 2001 anthrax attack and was reminded that it killed 5 people and infected 17 others, and I was surprised how large the clean-up bill was. According to Wikipedia: “Dozens of buildings were contaminated with anthrax as a result of the mailings. The decontamination of the Brentwood postal facility took 26 months and cost $130 million. The Hamilton, New Jersey postal facility remained closed until March 2005, costing $65 million to clean up, and the United States Environmental Protection Agency spent $41.7 million to clean up government buildings in Washington D.C. One FBI document said the total damage exceeded $1 billion.”
Since the anthrax attacks the police have invested in equipment which can quickly identify whether the powder is anthrax or a harmless substance like flour or talcum powder. The police will still take some time to arrive and will have to ensure they are fully protected before moving into the area of the powder and making their assessment, so there will be some delay before hopefully the powder is declared a hoax.
For business continuity people there are some lessons to be learned from this. This is an incident which has happened before, and so we should be prepared for it. Many real attacks or hoaxes which make it into the media are followed by a whole load of copycat incidents, so do not be surprised if there are several more incidents in the foreseeable future. Staff need to be briefed on what to do if they find white powder, and perhaps where mail is opened should be reviewed to make sure that any such incident does not cause major disruption to the organisation. It might also be worth asking your local police about their capability, response times and the instructions they will give you if you have an incident. This is yet one more incident for us to prepare for, but as it is in the news there is a high chance of further copycat incidents, and you never know, they may be aimed at your organisation.