Compliance Insight with David Schneier

Business Continuity/Disaster Recovery Part I: The Aftermath of Natural Disaster

Last fall I was conducting a risk assessment, and one of the people I interviewed shared his experience of having survived Hurricane Katrina in a previous job. His company's infrastructure had been located on the third floor of the building they occupied, and so as a result, when the water levels started rising, they avoided a complete loss. He regaled me with his tales of being lowered from a helicopter onto the roof, grabbing what amounted to the company's network infrastructure and having to rebuild at a remote location about 30 miles outside of the flood zone.

Within the details of the story, I discovered some amazing facts. That the server room was on the third floor was pure, dumb luck. There was a need for additional office space on the first floor, where it had been located until just a few months before the disaster struck. This forced the IT team to find a suitable alternate location, and thus their move to higher ground. One of the first things he needed to do when he was lowered from the helicopter and accessed the IT department was to secure a hardcopy of their disaster recovery plan -- the only current and functional copy available to use.

Let me restate that fact: the only usable copy of their DR plan was located tap-dead center in a locked cabinet in the heart of the disaster zone.

Beyond the James Bond 007 rescue effort and being able to overcome some remarkably poor planning, the rest of the story was somewhat mundane. The end result was that within days from the disaster scenario being declared, his company was back up and running to a point sufficient to resume basic business activities. But it weighed heavy on his mind that his company's most valuable asset during the ordeal was being lucky. And I don't blame him.

So, when I found myself last week traveling through the Midwest region on business, I continually encountered rivers swollen with unprecedented water levels, forcing many of the bridges to which my GPS device kept sending me to be blocked off. Everywhere I looked there were things under water that weren't supposed to be: riverside parks and paths, baseball fields, parking lots and streets. What shocked me the most was how high and fast the water was running. Despite there being many bridges available for crossing, I kept wondering how they were going to hold up under such extraordinary conditions. Many of these structures had rushing water pushing up against their underbellies, and I'm fairly certain they weren't designed to handle that.

Here's what kept coming to mind:

There were several buildings where there was either standing or moving water making contact with their foundations;
The bridges were being exposed to forces not typical for their usual wear and tear design;
Houses were flooded;
Streets were blocked off and in many cases likely closed for months until repairs can be made.

Even when the waters recede and things start drying out there are going to be businesses that cannot resume normal operations due to structural or equipment damage. For those that need to relocate critical infrastructure, where do they move them to, and how long until cabling and power supplies can be established? What if many of these bridges are declared damaged and can't be used until repaired? What about key staff that because of flooded homes or damaged streets now need to drive an additional 10, 20 or maybe even 30 miles to get to work?

For those financial institutions that needed to implement some or all of their Business Continuity Plan, I wonder how well they performed in real-time. For those that avoided any real impact, I wonder how many are reviewing their current BCP to see how well it might have held up under such conditions. And perhaps of even greater interest is how will the examiners factor all of this into the work they're doing in the affected regions?

I'll have more to post on this in a few days, as details make themselves available.



About the Author

David Schneier

David Schneier

Director of Professional Services

David Schneier is Director of Professional Services for Icons Inc., an information security consultancy focused on helping financial institutions meet regulatory compliance with respect to GLBA 501(b) and NCUA Part 748 A and B. He has over 20 years' experience in Information Technology, including application development, infrastructure management, software quality assurance and IT audit and compliance.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.