Security Board Initiative Discussion

Major corporations, especially in the financial and securities industries, have long been aware of the business impact of an unplanned interruption to business operations, most probably including an outage to computer and communications based systems.  The events of September 11th raised those concerns to a fever pitch, and highlighted a number of previously under-considered aspects of contingency planning, including:

• The impact of a loss of personnel
• The potential for a loss of paper records and the need to rely solely on the inventory of an offsite storage facility
• The realization that the company’s primary workplace could be permanently destroyed, requiring the acquisition of, and outfitting of a new base of operations

In addition to the above, many organizations now realize that an event like 9-11 requires that companies not only focus on their own individual recovery plans, but that they must also consider how the recovery efforts of other companies in their industry, or supporting industries must be coordinated so that normal, or near normal operations could resume.

First and foremost, there is a need for cross-industry government regulation that requires companies to have an auditable and testable continuity plan that matches either industry or individual company recovery time (the elapsed time between the event and resumption of business operations) and recovery point (how current the computerized data is when recovery commences) objectives.  Currently, only the financial industry has had this regulation via the Office of the Comptroller of the Currency’s Banking Circular.

Second, the events of 9-11 are bringing about a clear need for a business continuity blueprint that firms can follow to ensure that, not only is their plan adequate, but that it fits into an industry recovery framework that ensures all like, and dependent / complimentary firms can recover with similar recovery points and recovery times.  That framework also needs to address the non-information technology requirements of companies, such as facilities issues, personnel loss, paper records protection and communications / public relations requirements.

The Business Continuity Industry Today

The past history of the industry, primarily since 1979, and carried on even today, is one where all of the current vendors focus on discrete contracts for individual companies that are not synchronized, in almost any way, with those of other firms that could be required in order for an industry segment to recover.  Essentially, the industry leaders offer services that provide recovery facilities, network connectivity and equipment for individual companies to use, assuming no conflict with another customer that prohibits use (use is not guaranteed, available on a first come – first served basis only).  9-11 has renewed a focus on this industries’ solutions and the need for complimentary, dedicated solutions in many cases.

Mission and Objectives of the Security Board

The overall mission of the Security Board is to ensure that, in the event of an unanticipated interruption to corporate and governmental business operations, due to a terrorist, natural disaster or localized infrastructure interruption, that critical business operations, most probably dependent on computers and telecommunications, can resume in a timely manner, supporting not only the individual organizations, but industry-wide and cross-industry relationships to ensure that national and local interests  and security are safeguarded.

To support the overall mission, a number of key objectives have been defined:

• To work with government agencies and private industry to ensure that businesses and critical governmental agencies can recover from a security breach or an interruption to business operations in a rapid and coordinated manner.
• To work with governmental agencies in order to establish auditable regulation governing information protection, security and business continuity for individual companies, government agencies and selected industries.
• To manage a crisis communications database that government and private industry can utilize at the time of a crisis situation.  Also to be a clearinghouse for products and services that organizations can utilize in putting a program together to meet regulatory requirements.
• To ensure that industry-wide research and development is done so that the Security and Continuity / Availability vendors understand the needs of government and private industry which can influence product and service offering development.
• To support the continued growth of the industry and to act as a facilitator in certain cases to bring interested parties together to develop and implement a solution.