December 01, 2004
—
CSO
—
Q: I must prepare my first structured walk-through exercise of the emergency management and disaster recovery plan. I want to incorporate both plans into the exercise. Please give me suggestions to make the exercise powerful, motivating and informative. Can you ever give too much information?
A: It is an aggressive endeavor to incorporate both emergency management and disaster recovery into one exercise, but there are great benefits. By bringing these players together, I believe that you will uncover challenges and benefits while determining if you have the buy-in required for success. The key to these exercises is preparation. Define what you are trying to accomplish. The focus of the exercise is planning, but there are indirect benefits, including driving the importance of these plans at the executive level, educating the participants about the benefits and generating excitement. The scripting is very important to make sure that the trigger points, handoffs and overall interaction are covered. Make sure your handouts are professional and focused. I would also suggest that if you are running the exercise, there should be another person focused on keeping the minutes, questions and action items. These planning sessions and exercises are the most beneficial when they identify areas for improvement. If you are directing the exercise, have additional resources to assist you. The comments, questions and assignments need to be accurate and recorded.
I believe that giving participants too much information can distract from the agenda and the purpose of the meeting. Have enough information to deliver your message, but keep the group, and the exercise, focused.
Q: You're in a market that saw three hurricanes in six weeks. In terms of ROI, did your company and the clients you serve generally see a greater risk-reward benefit from a disaster recovery strategy or from a business continuity strategy?
A: I believe that the overall return on investment was directly proportional to the investment and preparation. As Florida was hit by back-to-back storms for two months, we saw that companies that had focused solely on disaster recovery planning, without including a plan for full business continuity, were affected more. What was clear was the fact that the unfortunate repetition increased the focus on plans for disaster recovery and business continuity. The storms also gave teams practice that is generally not available.
Q: How large and diverse should a continuity crisis management team be? What are the key roles?
A: The crisis management team should encompass all areas within the enterprise: C-level management, IT, operations, HR, legal, contracts, shipping and others. There should be leaders within each of these areas and clearly defined alternates. The crisis management team should consist of individuals who are best suited for the job, not the highest-level managers within each area. The important roles are these: Who handles the communication internally and externally? Who can handle budget issues quickly and efficiently during a crisis? Who covers IT and data? And, of course, the CEO.
Q: When deciding how to centralize security into an organization led by a security-dedicated officer, what do you think is the single best argument for including traditional IT-business continuity in this consolidation?
A: By "security-dedicated officer" I would assume a CSO or equivalent sits in that leadership position.
The CSO should be focused on all aspects of the protection and ongoing availability of data. The processes that are involved in security bridge the gap between IT-related functions such as traditional authentication, intrusion detection and recovery activities from all types of security incidents. Business continuity's foundation can be found in the day-to-day focus of the CSO. Business continuity management requires leadership, budgeting and business activities that engage all aspects of the company. If the CSO has been given the ability and authority to oversee the corporate protection of data, he can champion traditional IT-business continuity with the support of the other business unit executives.