Disaster Recovery Journal Winter 2023



Winter 2023 | Volume 36, Number 4

Cover: Prep Your Business for Winter Road Hazards

INSIDE ... Getting The Boss on Board | Disaster Disinformation | Rounding Up a Backup | BC Software Directory



Disaster Recovery Journal
1862 Old Lemay Ferry, Arnold, MO 63010
(636) 282-5800; Fax: (636) 282-5802
Internet: www.drj.com  E-mail: drj@drj.com

EXECUTIVE PUBLISHER Bob Arnold bob@drj.com
EDITOR IN CHIEF Jon Seals jon@drj.com
ASSOCIATE EDITOR Pam Clifton
PRESIDENT Bob Arnold bob@drj.com
DIRECTOR OF EVENTS Lesley Vinyard lesley@drj.com
REGISTRATION MANAGER Rose Chotrow rose@drj.com
SENIOR WEB DESIGNER Amy Faulkner amy@drj.com
EVENT MARKETING Sonal Patel sonal@drj.com

EXECUTIVE COUNCIL Dan Bailey, Jeff Dato, John Jackson, Peter Laz, Frank Perlmutter, Ann Pickren, Steve Piggott, Tracey Rice, Randy Till, Damian Walch, Belinda Wilson

EDITORIAL ADVISORY BOARD Erick Anez, Rich Cocchiara, Ashley Goosman, James Green, David Halford, John Hill, Ray Holloman, Colleen Huber, Cary Jasgur, Lisa Jones, Joan Landry, Melanie Lucht, Melissa Muñiz, Nicole Scott

SOUTH AMERICA: DRJ en Espanol, Ruth Rocha, Directora Comercial; +(51) 1 436 6456 fijo Perú; +1 (786) 600 1864 USA; ruth.rocha@drjenespanol.com; www.drjenespanol.com

ASIA: Business Continuity Planning Asia Pte Ltd (BCP Asia), Henry Ee; 1 Commonwealth Lane #08-27, One Commonwealth, Singapore 149544; Phone: (65) 6325 2080; Fax: (65) 6223 5363; General: enquiry@bcpasia.com; Events: conference@bcpasia.com; Direct: henry@bcpasia.com; www.bcpasia.com

UNITED ARAB EMIRATES: Continuity and Resilience, a division of Core Management Consulting; Dhiraj Lal, Executive Director; P.O. Box 127557, Abu Dhabi, United Arab Emirates; Tel: +971 2 8152831; Fax: +971 2 8152888; dhiraj@continuityandresilience.com; www.continuityandresilience.com

TABLE OF CONTENTS

8  COVER: Prep Your Business for Winter Road Hazards, By SHANNON COPELAND
10 Getting The Boss on Board, By ASHLEY GOOSMAN
14 The Role the NIST Framework Should Play in Creating a Cyber Secure DR Infrastructure, By JEROME WENDT
20 A Business Impact Analysis Checklist, By MICHAEL HERRERA
24 Disaster Disinformation, By BILL MELLANDER
28 From Reactive to Proactive: Crafting a Future-Proof Disaster Recovery Strategy, By ERIN STEINMETZ
32 Rounding Up a Backup: Five Reliable Methods to Verify Your Backup's Integrity, By FLETUS POSTON III
36 Creating Value During Adverse Conditions with a Robust Plan, By SUMINDA JAYASUNDERA
40 Preparing for Disasters to Ensure Continuity in a Data-Driven World, By RON KLINK
42 Career Spotlight: Cheryl Griffith, By LISA JONES
49 BC Software Directory

DISASTER RECOVERY JOURNAL (ISSN 1079-736X; USPS 013-076; Publication Agreement No. 40679000) is published quarterly by Systems Support, Inc., 1862 Old Lemay Ferry, Arnold, MO 63010. Subscriptions are free to all qualified personnel in the U.S. and Canada involved in managing, preparing, or supervising business continuity planning. Rate for all others in the U.S. is $10, Canada and Mexico $24, all other countries $47. For renewals or change of address, please include current mailing label. Periodical Postage Paid at Arnold, MO and additional offices at St. Louis, MO. POSTMASTER: Send address changes to DISASTER RECOVERY JOURNAL, 1862 Old Lemay Ferry, Arnold, MO 63010. Canada Post Publication Agreement No. 40686534. Return undeliverable Canadian addresses to: DISASTER RECOVERY JOURNAL, PO Box 456, Niagara Falls, ON L2E 6V2. DISASTER RECOVERY JOURNAL is copyrighted 1987-2023, by Systems Support, Inc., all rights reserved. DISASTER RECOVERY JOURNAL is a registered trademark of Systems Support, Inc. Reproduction in whole or part is prohibited without express written permission. Articles submitted by readers do not represent the views or opinions of DISASTER RECOVERY JOURNAL and are published for their informational content only.

DISASTER RECOVERY JOURNAL | WINTER 2023 5

FROM THE PRESIDENT’S DESK

Nurturing Organizational Resilience: Balancing Innovation with Stability

BOB ARNOLD, MBCI Hon.

In the ever-evolving landscape of business, the pursuit of innovation and staying ahead of trends like artificial intelligence (AI) can be exhilarating. However, it is crucial not to overlook the foundational pillar of organizational resilience. While embracing new technologies is important, striking a balance between innovation and stability is imperative for long-term success. In this column, I'll explore strategies to ensure your organization prioritizes resilience without neglecting emerging trends like AI.

Cultivate a Long-Term Vision

A clear and comprehensive vision is the cornerstone of organizational resilience. It provides a roadmap which guides decision making, helping leaders distinguish between fleeting trends and enduring strategies. When formulating this vision, consider the core values and strengths of your organization. While AI may be part of the journey, it shouldn't overshadow your organization's unique identity and strengths.

Thorough Risk Assessment

Robust risk assessment is essential for building resilience. This involves identifying potential threats and vulnerabilities in the organization. While focusing on new technologies like AI is important, it should not divert attention from established procedures like business impact analysis. By prioritizing risks such as supply chain disruptions, regulatory changes, or economic downturns, organizations can create a solid foundation for resilience.

Adaptive Leadership

Leaders play a pivotal role in maintaining the delicate balance between innovation and stability. Getting executive support is vital to your resilience program. Encourage leaders to foster a culture of learning, adaptability, and continuous training. This will ensure the organization remains open to emerging technologies like AI without neglecting inherent risk or existing strengths.

Invest in Employee Development

An empowered workforce is an invaluable asset in ensuring organizational resilience. Participating in training and development programs like DRJ Spring 2024, DRJ Academy, and the DRJ Mentor Program is essential for keeping employees adaptable and capable of embracing new technologies. The "shiny, new toy" shouldn't overshadow crucial skills like communication, problem-solving, and leadership.

Build a Diverse Knowledge Base

Diversity of knowledge is a powerful tool in navigating the complexities of the modern business world. Encourage employees to explore a wide range of subjects beyond new technology. This diversity can offer fresh perspectives and innovative solutions to challenges. It also ensures the organization doesn't become overly fixated on one area at the expense of others. Networking with peers is fundamental to the strength of your organization.

Establish Clear Priorities

Setting clear priorities is essential in avoiding the trap of chasing every new trend, including AI. Evaluate which products and services best align with your organization's long-term goals. By focusing on a few key areas, you can allocate resources effectively and avoid spreading efforts too thin.

Foster a Culture of Resilience

Resilience should be woven into the fabric of the organization's culture by exercising your plan and testing software regularly. Encourage open communication, adaptability, and a willingness to learn from victories, failures, and setbacks. This culture will ensure the organization remains steadfast in the face of any type of challenge.

Leverage Technology Wisely

While AI is a powerful tool, it's essential to integrate it judiciously. Consider how it aligns with your organization's unique needs and capabilities. Avoid adopting technology for its own sake, and instead focus on how it can enhance existing processes and drive sustainable growth.

Embrace Incremental Change

Organizational resilience doesn't demand radical transformations overnight. Small, incremental changes can often have a more profound and lasting impact. This approach allows the organization to adapt to new technologies like AI at a manageable pace, without sacrificing stability.

Conclusion

In the dynamic world of business, finding the right balance between innovation and stability is a delicate but essential task. While emerging technologies like AI hold great promise, it's crucial not to lose sight of the enduring value of certified standards and practices to achieve organizational resilience. By cultivating a clear vision, prioritizing risk assessment, and nurturing a culture of adaptability, organizations can thrive in the face of change while remaining grounded in their core strengths. Remember, it's not about avoiding new trends, but about integrating them thoughtfully into a broader strategy of resilience and growth.

PRESIDENT bob@drj.com



Prep Your Business for Winter Road Hazards

By SHANNON COPELAND


Each season brings new challenges for businesses, and this winter will be no exception. Safety risks for employees and assets can range from structural damage to slippery walkways, with one of the most challenging being road safety. As winter approaches, it is important that businesses receive education on the different types of road hazards and take proper precautions to mitigate them as effectively as possible.

Freezing Rain vs. Sleet

Weather forecasts often refer to icy conditions as freezing rain or sleet, but is there a difference between the two? The quick answer is yes. Freezing rain occurs when the layer of sub-freezing air right above the surface is so thin that rain does not have time to freeze before it lands. If the surface itself is below freezing, the supercooled raindrops freeze when they hit the ground, powerlines, trees, and just about anything else. In sleeting conditions, that sub-freezing layer of air above the surface is deeper, giving the raindrops time to freeze before hitting the surface as ice pellets.

Both freezing rain and sleet are incredibly dangerous for drivers and can create black ice. The shape of the ice pellets in sleet makes it difficult to drive over and decreases the friction between vehicle tires and the road. Each time the sleet pellets are driven over, the tires compress the sleet into the road. This compression leads to slight melting and refreezing, leaving black ice in its wake. Understanding the difference between freezing rain and sleet can help in making the safest decisions: whether employees should use specialized tires, stay off the road completely, or find alternative routes.

Flash Freeze

Flash freezing is a new term coined by meteorologists to describe when the ambient temperature drops several degrees over a few hours to sub-freezing temperatures, causing any fallen precipitation to freeze rapidly. This weather phenomenon becomes especially important when it impacts roadways and powerlines. Business decisions regarding flash freezing must be made quickly and confidently given the rapid deterioration of conditions.

Now that the weather terms have been clarified, what precautions should a business take?

Weather Monitoring

The most obvious and necessary precaution is to monitor the weather for any possible changes or impending hazards. While this sounds like a simple task, it can quickly become complex when you have drivers in multiple cities or states. There are several ways to address weather monitoring among many different areas. The first solution is to make monitoring part of daily tasks assigned to employees on a regional or local level. This ensures monitoring gets done every day, and the employees tasked are knowledgeable about the area and can determine alternate routes if necessary. For longer routes which cross multiple regions or states, keeping drivers in contact with local team members along the way can help guide them throughout their journey. An alternative to local or regional help is to assign the monitoring tasks to specific business units.

Weather Checklists

As the winter season inches closer, it is important to check inventory and maintain necessary equipment and material. Inspecting all work vehicles to ensure they have proper tires, windshield wipers, and deicing devices is vital to decrease risks on the road. For employees who commute to work in personal vehicles, an email reminder about winter road safety and company policies regarding weather is helpful. Businesses in the northern areas of the U.S. are also offering employee bonuses or stipends to help cover these costs as an added benefit.

Make the Call

Business interruptions are never easy, but when winter weather is involved, it can become a matter of life or death for those on the road. Making a timely delivery is not worth risking employee or public safety. Follow guidelines set forth in weather safety plans and ensure drivers know when to stop and call for further advisement. Winter weather can change quickly; knowledge of winter weather terminology and a set response plan can help lessen the risks of the road.

Shannon Copeland is an industry manager for StormGeo and a graduate of the University of Oklahoma's School of Meteorology. During her tenure, she supported numerous research initiatives focused on severe weather, emergency management, and disaster preparedness and recovery. As an industry manager, Copeland supports StormGeo's outreach strategy and aids in identifying weather-related risks to businesses and their employees.


Getting The Boss on Board
Securing Leadership Sponsorship for Your Business Continuity, Disaster Recovery, or Operational Resilience Program

By ASHLEY GOOSMAN

In today's rapidly evolving business landscape, the importance of business continuity, disaster recovery, and operational resilience programs cannot be overstated. These programs are critical for ensuring organizations can thrive and withstand unexpected disruptions. However, securing leadership sponsorship for these initiatives can be a challenging task. This article will explore strategies for getting a seat at the table with leadership sponsorship for your program.

Clearly Define the Value Proposition

The first step in securing leadership sponsorship is articulating a compelling value proposition. Leadership needs to understand how your program aligns with the organization's strategic goals and contributes to its success. To do this, clearly define your program's benefits, such as reducing downtime, protecting revenue, and enhancing customer trust. Use concrete examples and data to illustrate the potential impact on the bottom line.

Build Relationships and Communicate Effectively

Building solid relationships with key decision-makers is essential. Seek opportunities to engage with leadership in a meaningful way. Attend leadership meetings, workshops, and conferences to establish a presence and demonstrate your commitment to the organization's success. When communicating the importance of your program, tailor your message to resonate with each leader's specific concerns and priorities. It's also helpful to understand the goals and concerns of leadership. That comes from opportunities to understand what keeps them up at night and develops the ability to look at the organization from their perspective.

Develop a Compelling Business Case

A well-structured business case can be a game-changer in securing leadership sponsorship. Outline the financial implications of not having a robust continuity and recovery plan, including potential losses and recovery costs. In today's environment, providing a roadmap to detail how your program will mitigate these risks and deliver a positive return on investment is also helpful.

Leverage Industry Benchmarks and Best Practices

Leadership often looks to industry benchmarks and best practices for guidance. Demonstrate your program aligns with recognized standards and frameworks such as ISO 22301 for business continuity management. Highlight success stories from other organizations that have benefited from similar programs, showcasing the competitive advantage of investing in resilience.

Align with Regulatory and Compliance Requirements

Many industries are subject to regulatory and compliance requirements related to business continuity and disaster recovery. Show leadership how your program meets these obligations and goes beyond to ensure comprehensive resilience. Compliance-driven arguments can be persuasive, as non-compliance can result in fines and reputational damage. Even if regulatory requirements do not govern your industry, it is a compelling argument to align with existing best practices.

Showcase Quick Wins and Milestones

Aim for quick wins and tangible milestones early in your program's implementation to gain leadership trust and support. These successes demonstrate progress and the potential for larger-scale benefits. Celebrate achievements and use them as proof of concept to build momentum and support from leadership.

Involve Leadership in the Planning Process

Involve leadership directly in the planning process. Get their input in risk assessments, tabletop exercises, and scenario planning sessions. Their active participation can lead to a deeper understanding of the program's importance and foster a sense of ownership. Ask for their honest feedback and make changes accordingly.

Demonstrate Continual Improvement

Resilience is an ongoing journey. Continually monitor and evaluate your program's performance and use the data to drive improvements. Share these insights with leadership to illustrate your commitment to adapting and evolving in response to changing threats and opportunities.

Ask

This can be one of the most challenging aspects, regardless of your relationship with leadership. Sometimes it can be difficult to ask for this level of leadership commitment. It's always a gamble and depends on various factors, many of which are out of your control. However, your ability to advance your program and professional life is predicated on the sponsorship you receive from management. Ideally, the champion is the direct manager or leader you report to. You want to know your sponsor will advocate for you continuously. They should be someone who believes in your program and you. That level of support is invaluable in today's evolving business world.

Conclusion

Securing leadership sponsorship for your business continuity, disaster recovery, or operational resilience program requires a strategic approach which emphasizes the alignment of your program with the organization's goals and values. By clearly defining the value proposition, building relationships, and communicating effectively, you can make a compelling case which positions your program as a critical asset to the organization's long-term success. Remember, resilience is not just a program but a mindset leadership can embrace to navigate the complexities of the modern business environment.

Ashley Goosman is a seasoned professional with two decades of experience spanning the public and private sectors. In 2019, she embarked on a mission to educate and engage fellow practitioners by founding the Disaster Empire blog. Eager to amplify her impact, she introduced a podcast in 2022 dedicated to showcasing the brightest thought leaders and innovators in her industry. Her journey is marked by a remarkable ability to navigate and lead in the face of high-profile crises, from pandemics to natural disasters, and other business disruptions. Goosman's career began as a member of the American Red Cross's September 11 Recovery Program in the heart of New York City. She later assumed the role of director of emergency services for the Massachusetts Department of Mental Health. Goosman's passion for sharing knowledge led her to serve as an adjunct senior instructor specializing in disaster and terrorism. Her expertise revolves around crisis management, business continuity, and operational resilience, a niche where she's made a significant impact within a Fortune 100 company.


EDITOR’S NOTE : DCIG empowers the IT industry with actionable analysis that equips individuals within organizations to do supplier and product evaluations. DCIG delivers informed, insightful, third-party analysis, and commentary on IT technology. As industry experts, DCIG provides comprehensive, in-depth analysis, and recommendations of various enterprise data storage and data protection technologies. The views, thoughts, and opinions expressed in all Disaster Recovery Journal articles belong solely to the author. The information, product recommendations, and opinions in this article are based upon public information and from sources DCIG, LLC. believes to be accurate and reliable.

situation becomes particu larly problematic if an indi vidual inside the organization unknowingly helps facilitate the attack. Consider the recent attack on the MGM Resorts. Using a technique referred to as vish ing, a hacker called into the MGM Resorts support desk. This individual presented themself as an internal IT administrator who needed help remotely logging into its net work. Once the individual obtained login privileges, he or she had the necessary creden tials to perform administrative tasks. In doing so, they could bypass MGM Resorts’ cyber security perimeter defenses and render them partially or wholly ineffective. This instance represents only one example of an attack where a hacker may bypass existing cybersecurity perim eter defenses. Further, other such attack vectors exist. These show the danger of solely rely ing upon one’s cybersecurity perimeter for IT defenses. It also helps illustrate why organizations should create a cyber-secure DR infrastructure for their IT infrastructure.

this objective. It provides high-level guidance on how organizations may create such a cyber-secure DR infrastruc ture. However, organizations still must identify and map products and product features to this NIST Framework to successfully implement it. Assuming one’s organiza tion will eventually experience a cybersecurity attack seems almost fatalistic. An organiza tion may presume creating a cybersecurity perimeter around its production IT infrastructure will provide sufficient protec tion. Firewalls, anti-virus soft ware, and rigid security proto cols serve to limit and restrict access to production IT envi ronments. These techniques help to reduce the likelihood of a cybersecurity attack occur ring or succeeding if they do occur. However, recent attacks illustrate individuals outside or inside of the organization may participate in an attack. In worst-case scenarios, indi viduals both inside and outside the organization may work in concert with one another. This The Inevitability of a Cybersecurity Attack

Photo by J. Stoughton/NIST

The Role the NIST Framework Should Play in Creating a Cyber Secure DR Infrastructure By JEROME WENDT A ny organi zation irre spective of its size must acknowledge the reality of cybersecu rity threats. Further, no organization can or should assume it can completely secure its production environ ment against a cybersecurity attack. This puts the onus on organizations to create a cyber secure disaster recovery (DR) infrastructure so they can respond. The National Institute of Science and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity can help organizations achieve

14 DISASTER RECOVERY JOURNAL | WINTER 2023

�gility Recovery )�6-rreparis

Recovery Services Prepare for, respond to, and recover from any interruption Agility is North America's leading provider of business continuity solutions. Build, test, and execute your business continuity plan with our expert support, resources, and turnkey recovery services. Agility Recovery has over 30 years of experience providing solutions to help businesses recover faster.

Confidence Comes from Being Prepared with Agility • Power & Fuel • Communications & Technology • Workspace • Data Backup & Recovery

The only integrated business continuity solution in the market that helps you Plan, Train, Test, Alert, and Recover-all in one.

With an end-to-end solution, such as Agility Recovery, businesses can recover 4x faster than with no BCM solution.

,_.,,,._.,,, �. , The Preparis Platform Organizations face continuous threats that

can disrupt operations. Unfortunately, implementing an incident manager program that fits your organization's specific needs is challenging. The Preparis Platform makes preparedness easy so your organization is ready to respond to any disruption or critical event with emergency notifications, business continuity planning, and incident management.

Form o plan that makes sense for you.

��reparis Continuity,

simplified.

>[s>'

,_,.___,,

Alerts

Streamline emergency notifications.

Exercise, test, and mobilize your plan.

866-364-9696Icontactus@preparis.comIwww.preparis.com Copyright 2023 - Preparis. All Rights Reserved

The NIST Framework’s subjective nature highlights why IT solutions do not need to possess every cybersecurity feature. Organizations will likely need to construct a cyber-secure DR solution from multiple offerings, potentially from different providers. This inability to buy a “NIST-certified” solution, the lack of NIST feature check list, and the unlikelihood any such options will emerge dic tates organizations take owner ship of this task. This requires identifying the core capa bilities their cyber-secure DR infrastructure should possess and the products they need to deliver them. Five Cybersecurity Features Available Now The products which offer these features and the role they play in a cyber secure DR infrastructure will vary. However, backup and recovery products already exist which offer five core features organi zations may use to secure their DR infrastructure. These fea tures include: 1. Air-gapped backups . Using this feature organizations may store and manage copies of data in a physical location separate from their primary production location. This feature helps ensure no one can logically or virtually access backups through the organization’s production environment. As the MGM Resorts incident illustrated,

necessary if administrative credentials in the production IT environment become compromised. The media (cloud, disk, tape, or optical) on which backups get stored in another location also matters. It affects the backup data’s availability and integrity as well as an organization’s storage costs and data recoverability. 2. Encrypted backups . More outside the organization to a site they own and control. Known as data exfiltration, this practice has become more common. Once hackers create an offsite copy, they may threaten to release the data unless organizations pay a ransom. Even should organizations pay the ransom, they have few assurances the hackers will destroy the data. Alternatively, hackers may never even tell the organization they stole the data. They may simply exfiltrate the data and use it for their own purposes. Backups often contain much or all organizational data. Further, organizations may not carefully monitor access to their backup. This makes them a prime target for hackers to access and copy offsite in an attack. Encrypting backups mitigates the possibility hackers can read or use the backups, even if they do copy them offsite. Organizations may encrypt their backups using a variety of products. Available on hackers, as part of their attack, first copy organizational data

their journey toward creating a cyber-secure DR infrastructure. However, the NIST Framework only provides organizations with high-level guidance and direction. It does not spell out the specific features or products they need or how to best imple ment them. This creates the following three-fold challenge for orga nizations: 1. The mapping of specific product features to specific NIST Framework boxes is a subjective exercise . NIST leaves it to organizations to map specific product features to the cybersecurity categories in its Framework. Adding to the difficulty, organizations may interpret and understand the components in each category of the NIST Framework differently. This makes mapping specific product features to specific NIST Framework components both a difficult and subjective exercise. 2. No universal, objective NIST Framework feature checklist exists . Organizations cannot acquire a cyber secure DR solution that checks all the boxes in the NIST Framework. They cannot do so because no formal objective checklist exists either in general or for specific products. Adding to the difficulty, a specific feature may map to one, two, or multiple components of different NIST Framework categories. 3. A cyber-secure DR solution may not, and probably does not, need to possess all NIST Framework features .

The NIST Framework for Improving Cybersecurity Infrastructure A cyber-secure DR infra structure requires each tech nology used in creating it to satisfy defined cybersecu rity standards. The National Institute of Science and Technology (NIST) provides organizations with perhaps the best cybersecurity framework for them to reference. The cur rent version 1.1 of the NIST Framework for Improving Critical Infrastructure Cybersecurity has the follow ing five categories: 4. Respond 5. Recover Its next draft, version 2.0, already scheduled for release in early 2024, introduces a new govern category. This category underlies these existing five categories. Each of these Framework categories also contains spe cific components. For instance, the protect category includes identity management and access control; awareness and training; data security; infor mation protection processes; maintenance; and protective technology. Organizations may use these various NIST catego ries and their respective ele ments to aid them in creating a cyber-secure DR infrastruc ture. The Three-fold Challenge This NIST Framework can certainly help organizations in 1. Identify 2. Protect 3. Detect

storing data physically elsewhere may become

16 DISASTER RECOVERY JOURNAL | WINTER 2023

Protecting Performance

75% of organizations have recovery plans. Most prove inadequate. Siloed recovery and resiliency capabilities are now obsolete.

Protect business continuity and performance across your IT ecosystem with technology and experts you can rely on. Trust the predictive and proactive model led by automated insights into potential attacks continuously analyzed, tested, and executed by recovery specialists.

Vendor Agnostic

Expert Recovery

Holistic Strategy

Gartner Leader

877.445.4333

RECOVERYPOINT.COM

backup software, backup targets, third-party encryption software, and from cloud providers, organizations have plenty of options from which to choose. In doing so, they should give more thought to the solution they use to generate and manage the keys used to encrypt and decrypt the backups. Organizations should also note that this step of encrypting backups does nothing to protect production data from being copied or read. Organizations should employ separate cybersecurity measures to monitor and protect against access to and copying of their production data.

3. Store backups in an immutable format. Storing backups in an immutable format prevents hackers from deleting, compromising, or encrypting backups as part of an attack. More ransomware attacks now begin with the ransomware seeking out backup repositories. If ransomware finds and destroys or compromises backups, it undermines the ability of organizations to recover. Organizations have multiple immutable format options from which to choose. Most cloud storage providers and many disk, SSD, and tape storage systems offer this feature as an option. In selecting this option, organizations should verify how the cloud provider or storage solution implements its data immutability feature. A few provide an option for administrators to override the data immutability feature. Not all organizations may want this override option available: an attacker holding a compromised administrator credential can use the same override to strip the protection before encrypting production systems.

4. Instant restores. Every organization wants viable backups. However, organizations need backups stored in a format which positions them to recover quickly. While many backup solutions offer instant restore capabilities, providers define and implement "instant restore" differently. The amount of data they can restore, and where they can restore it, will vary significantly between solutions. Organizations should implement solutions which position them to restore in a manner which meets their service level agreements (SLAs).

5. Multiple user logins and roles, with logins secured by multi-factor authentication (MFA). Because hackers more frequently first attack backup and DR solutions, organizations need to better secure them. Organizations can do so by giving preference to those offerings which support multiple user roles. Historically, these systems offered "superuser" roles which possessed all security permissions. While still desirable since they simplify administration, such roles can expose organizations to undue risk if compromised.

Using solutions which offer multiple user roles and require MFA when individuals log in helps ensure only the right individuals access the system. Further, if a login does become compromised, having different roles limits the amount of damage the user can potentially inflict. Backup solutions vary significantly in their ability to deliver this functionality. Many rely upon user roles and permissions created in Active Directory (AD) to deliver these capabilities. While that may work fine for organizations connecting their backup solutions to AD, not every organization can or wants to pursue that option. If they cannot connect to or use AD, organizations will need to carefully examine the types of user roles a backup solution independently supports. Organizations that do integrate with AD should also remember that an attacker who compromises AD, as ransomware operators routinely attempt, inherits whatever backup privileges AD grants; backup administrator accounts and recovery credentials are better kept separate from the production directory.

A Cyber Secure DR Infrastructure has Become an IT Necessity

Organizations first and foremost need to create a secure perimeter around their production IT environment. However, they cannot and should not assume the perimeter alone protects them against all cyberattacks. The MGM Resorts cybersecurity attack helped to illustrate that point and why a cyber-secure DR infrastructure has become an IT necessity. This DR infrastructure will need to both secure backups and position organizations to recover.

The NIST Framework can help organizations ask the right questions to identify the features they need to create such a DR infrastructure. While it remains incumbent upon organizations to ask and answer these questions, the five features listed here provide organizations with a good starting point. Yet organizations should treat these five features as just that: a good starting point and not a complete list. Further, organizations will likely need to implement multiple features to secure their DR infrastructure. As the recent attack on MGM Resorts highlighted, organizations should be careful not to just cherry-pick certain features. If they simply select the ones they like or find most cost-effective or easiest to implement, hackers may find a way to compromise them. Organizations should work under the assumption a hacker may compromise one or more of these features. However, DCIG has yet to hear of an instance where a hacker has successfully compromised two or more of these features. By implementing multiple features, organizations can have a high degree of confidence they always have a path forward to performing restores and recoveries.
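The verification step under feature 3 above (check how a provider implements immutability and whether an administrator can override it) can be automated for one common implementation, Amazon S3 Object Lock. The following Python is an added example, not code from the article or from DCIG. It classifies a bucket's Object Lock configuration using the documented behaviour of the two retention modes (GOVERNANCE can be bypassed by a principal holding s3:BypassGovernanceRetention; COMPLIANCE cannot be shortened by any identity, root included, until retention expires). The configuration dicts are constructed to mirror the shape boto3's `get_object_lock_configuration` returns, so the script runs offline; feeding it a live response is left to the reader.

```python
"""Assess whether a bucket's Object Lock configuration gives backups
immutability that an administrator cannot override.

Added example, not code from the article or from DCIG. The configuration
dicts below are constructed to mirror the shape returned by boto3's
s3.get_object_lock_configuration(); no AWS call is made.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ImmutabilityAssessment:
    enabled: bool               # Object Lock switched on for the bucket
    mode: Optional[str]         # "GOVERNANCE", "COMPLIANCE", or None
    retention_days: int         # default retention window, in days
    admin_override: bool        # can a privileged identity shorten/remove it?
    note: str                   # plain-language finding for the report


def assess_object_lock(config: dict, min_retention_days: int) -> ImmutabilityAssessment:
    """Classify an Object Lock configuration.

    Facts relied on (AWS documentation): in GOVERNANCE mode a principal
    holding s3:BypassGovernanceRetention can delete or shorten retention;
    in COMPLIANCE mode no identity, including the root user, can shorten
    or remove retention before it expires.
    """
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return ImmutabilityAssessment(False, None, 0, True,
                                      "Object Lock is not enabled; backups are deletable")

    retention = lock.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)

    if mode is None:
        # Lock enabled but no default rule: objects are protected only if
        # each write sets retention explicitly, which backup jobs may not do.
        return ImmutabilityAssessment(True, None, 0, True,
                                      "Object Lock enabled but no default retention rule")

    overridable = mode == "GOVERNANCE"
    if overridable:
        note = "GOVERNANCE mode: an identity with s3:BypassGovernanceRetention can override"
    elif days < min_retention_days:
        note = f"COMPLIANCE mode but retention {days}d is below required {min_retention_days}d"
    else:
        note = "COMPLIANCE mode with adequate retention; no administrator override"
    return ImmutabilityAssessment(True, mode, days, overridable, note)


def meets_policy(a: ImmutabilityAssessment, min_retention_days: int) -> bool:
    """True only when no override exists and the window covers the policy."""
    return a.enabled and not a.admin_override and a.retention_days >= min_retention_days


# Constructed sample configurations (not captured from any real account).
SAMPLE_CONFIGS = {
    "no-lock": {},
    "governance": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}},
    "compliance-short": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 7}}}},
    "compliance": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}},
}

if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        a = assess_object_lock(cfg, min_retention_days=30)
        print(f"{name:17} ok={meets_policy(a, 30)!s:5} {a.note}")
```

Only the "compliance" sample passes a 30-day policy. The "governance" sample fails even though its window is long enough, which is the point the article makes: an immutability feature that an administrator can switch off is only as strong as that administrator's credential. Other providers' immutability options (WORM tape, immutable snapshots on disk and SSD arrays) need the same question asked of them.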

Jerome Wendt, an AWS Certified Solutions Architect, is the president and founder of DCIG, LLC, a technology analyst firm. DCIG, LLC, focuses on providing competitive intelligence for the enterprise data protection, data storage, disaster recovery, and cloud technology markets.


A Leader in Business Continuity for Now 25 Years

3 solutions

Premier Continuum has been helping worldwide organizations manage the unpredictable for 25 years. Whether you need to implement your business continuity program, strengthen it or automate it, you can count on us. Work with a well-rounded BC partner, with a collaborative and holistic approach that supports your teams at every step of your BCM program.

Automation software

Certified training

World-class consulting

LET'S BUILD SMART RESILIENCE

6 fields of expertise We've been in the business for 25 years. Talk about resilience.

BUSINESS CONTINUITY

OPERATIONAL RESILIENCE

IT/DR

CRISIS MANAGEMENT

RISK MANAGEMENT

EMERGENCY RESPONSE

A Business Impact Analysis Checklist

By MICHAEL HERRERA

A well-conducted BIA provides a solid foundation for your future efforts to design a good business continuity plan. A bad BIA can provide false reassurance, leave critical gaps undiscovered, or prompt unneeded expenditures. How do you make sure your BIA is thorough and well-organized? Over the years, we have developed a checklist for use in conducting BIAs for our clients. We find the checklist invaluable in making sure the BIAs we conduct are focused, comprehensive, and well grounded. Below is a version of our checklist you are welcome to use in conducting your own BIAs (explanations have been added to increase its usefulness to you). The list could be leveraged in many ways. You could transfer the steps to a blank document to make a kind of BIA template, consult them as a reference, or use them in some other way, whatever works for you.

The items are divided among the four phases of the BIA: information gathering and BIA validation, conducting BIA interviews, validating the interview data, and presenting your findings.

A Step-By-Step Business Impact Analysis Checklist

Phase 1: Information Gathering and BIA Validation

o Identify the scope of your BIA. How many business units will you be evaluating? If you're just starting out, keep it small. Do what you think might be the most critical units, and if need be you can do additional units later.
o Develop a good BIA questionnaire. Your questionnaire needs to cover two areas: the dollar impact on each individual business unit should a disruption occur (e.g., what would the loss of revenue be?) and the non-dollar impact (e.g., how would it affect our reputation and image?).
o Identify and collect key information about the processes associated with the business unit, including legal/regulatory requirements, computer systems, special equipment, vital records, interdependencies, etc. Note that the BIA questionnaire should also align with authoritative standards such as NFPA 1600.
o Meet with senior management. You'll need them on board if you want the process to be successful. Explain the BIA's purpose to them, share your plan and questionnaire, and ask for their help and support to unite the relevant parties.
o Ask IT for a complete list of systems and applications used company-wide. Such a list will be helpful as you're conducting the BIA interviews.
o Identify subject matter experts (SMEs) from the business units you selected. Your SMEs should be people who actually work with the processes.
o Identify an IT representative for each BIA interview. It's helpful to have someone from IT present during interviews to help clarify the names of computer processes and applications, in case your SMEs don't know.
o Schedule the BIA interviews. Work with your business unit and IT SMEs to coordinate timeframes and schedules.
o Finalize the interview logistics. This may include arranging access to a conference room and/or online meeting software.
o Schedule and conduct a kickoff meeting. This step is optional, though in some cases it's useful to gather the team in advance, to give your interviewees a preview of what to expect.

Phase 2: Conducting BIA Interviews

o Conduct the BIA interviews. These will be based on your questionnaires. In-person interviews are preferable to virtual ones because they are more likely to encourage discussion and careful consideration of answers. Each business-unit interview should take 2.5 hours or less and be led by an experienced facilitator. First, identify all departmental business processes. Then, for each process, identify:
  • Recovery time objectives (RTOs).
  • Recovery point objectives (RPOs).
  • Supporting computer systems, applications, and equipment.
  • Legal and regulatory requirements.
  • External and internal dependencies.
  • Vital records.
  • Manual workarounds.
  • Service level agreements, and legal and contractual requirements.

Phase 3: Validating the Interview Data

o Review all business-unit interview results for anomalies and missing data. If a particular business-unit criticality ranking or RTO doesn't seem to make sense, review the results with the group and reassess. Be stringent! This is important if you expect management to take the results seriously.
o Send each completed BIA questionnaire back to the business units for validation. Ask the relevant parties to review and return it with their approval. Discuss any questions or concerns with them and make adjustments as necessary.

Phase 4: Presenting Your Findings

o Document the BIA process and results in a management report. Although some senior management teams may ask only for the less detailed presentation document (see the next step), it's important to have a document which includes the results of your BIA in full, along with supporting details and additional findings.
o Create an accompanying management presentation. This downsized version of the report succinctly conveys what the BIA was about, the results you found, and your recommendations on what to do next.
o Get management approval. Gather and incorporate any final revisions to the report based on management's review and get approval on the results of the BIA via email or a handwritten note.

One Final Step

If you've reached this stage, your BIA is complete. One final step not included in this checklist is to use the BIA to implement targeted recovery strategies which will ensure the survival of your critical business units in the event of a disruption. Once that is accomplished, you will have succeeded in your mission of providing the best possible protection for your enterprise.

Takeaways

• Use a checklist to make sure your BIAs are focused, comprehensive, and well grounded.
• A checklist can be leveraged in many ways.
• Your checklist should cover all four phases of the BIA: information gathering and BIA validation, conducting BIA interviews, validating the interview data, and presenting your findings.

Michael Herrera is the CEO of MHA Consulting, a leading business continuity planning and information technology consulting firm. Herrera is the founder of BCMMetrics, which specializes in business continuity software designed to aid organizations in developing and executing business continuity programs.

Are you prepared for a cyber attack? Don't pay the price.

THE 11:11 DIFFERENCE

CUSTOMER HIGHLIGHT Modern Business Continuity

"You hear about ransomware and other kinds of attacks, and we wanted to put something in place that was going to make us feel safer. Working with 11:11 felt like a true partnership. They understood where we wanted our business continuity strategy to be and helped us get there."

Neil O'Connor, IT Operations and Engineering Supervisor, City of Encinitas, California

Ransomware is on the rise.

A multi-layered, comprehensive approach to defend, protect, and recover your data will keep your organization from being vulnerable to cyber attacks. 11:11 Systems provides solutions that meet the highest standards for security, compliance, and performance with global availability and unparalleled flexibility.

11:11 Systems, the 11:11 Systems logo, and all other 11:11 Systems product or service names are registered trademarks or trademarks of 11:11 Systems, Inc. All other registered trademarks or trademarks belong to their respective owners. ©2023 11:11 Systems. All rights reserved. 1111systems.com


Could your third-party suppliers take you down?

Vendors and other third-party suppliers are critical to the success of most organizations – but they also pose considerable risk. Riskonnect’s business continuity software helps you prepare for threats and minimize disruption from anywhere. • Instantly access dynamic business continuity plans. • Identify hidden vulnerabilities that could derail your business. • Effectively respond to a disruption .

Riskonnect.com

Disaster Disinformation

By BILL MELLANDER

Social media is rife with allegations the government is keeping recovery supplies away from recent catastrophe victims. Complaints are common after catastrophes. Survivors want help faster, and responders want to provide it faster. Every natural disaster recovery is fraught with logistical difficulty. Frustrations are expected. What's different now is the growth of social media-driven disinformation.

I have been working and studying catastrophe communication for 25 years. The cloud of disinformation seen recently in Maui is an example of why disaster communicators are now being forced to pay more and more attention to the negative aspects of social media, a vehicle mostly seen by emergency managers as a critical platform allowing direct outreach to the public. Catastrophe communicators seek to empower with information to help people help themselves. The communicative landscape after a disaster is dictated by the environment of the event. That environment is already uniquely difficult and filled with life-threatening distractions from the message.

Disinformation was abundant after wildfires tore across the island of Maui in August. It was more apparent because the usual logistical complexities of recovery were magnified exponentially in Hawaii simply because it is Hawaii, the most isolated large population center on earth, 2,400 miles from the nearest mainland.

Disinformation feeds off of real news, events, and actions. The logistical troubles of a Hawaiian recovery operation provided plenty of fuel for the not-so-proverbial fire. Post-disaster disinformation can be placed into three buckets: causal, manipulative, and incidental.

Causal disinformation is speculative, often focusing on events and actions leading up to the event. It is sometimes purposeful and sometimes not.

Manipulative disinformation is intentional, purposefully planted to influence recovery decisions or to use the event to influence outside theaters.

Incidental disinformation often has the best of intentions but is not always aligned with real needs or the recovery supply chain.

Disinformation can be costly. A survey of aid organizations estimated 60% of supplies donated by individuals after natural disasters are lost to landfills through spoilage or because the items were simply not needed.

In Maui, one picture of people delivering supplies via jet skis was shared more than 70,000 times. The original post was unintentional. It was uploaded by a Maui resident watching what was a real event. The social media tree which grew from that seed made the image an illustration of failing recovery efforts.

Social media works much like a tree. There is a seed, a source. From that seed grows a tree with countless branches as the post is shared multitudes of times. The historic Lahaina Banyan Tree in Maui is, ironically, a manifestation of what a viral social media post would look like if it were physical: countless branches twisting and spreading in different directions, all searching for light to provide nourishment.

Common strategies to combat disinformation won't work in a disaster. The situation is too fast-paced and continually changing. Disaster recovery strategies need to be more aggressive and prepared to address images and statements in real time. Managers need to incorporate conscious monitoring for disinformation or misinformation as part of their communication plan.

