Protecting your Organization against "Acts of God"

By Rollins Orlu on Mar 13, 2013 in Security

Several factors conspire to threaten the security of information systems within an organization, including deliberate attacks such as theft, sabotage, vandalism and hacking, and accidental events such as software and hardware failures. Another category of threats results from forces of nature such as fires, floods, earthquakes, and lightning -- commonly referred to as "Acts of God."

Many organizations quickly recognize and acknowledge the potential risks resulting from deliberate attacks and accidental events, but typically don't appreciate the danger posed by "Acts of God", mainly because these seem less immediate. However, it is very unwise to ignore the dangers posed by Acts of God, or to downplay the likelihood of these events, because Acts of God do happen, and can have disastrous effects on an organization's information systems -- they can even result in loss of life, assets, equipment, and/or facilities.

Yesterday, there was a fire at the Kwame Nkrumah Circle branch of Computer Training Institute, NIIT. As unfortunate as this event is, it serves as a very good example of the disastrous effects such "Acts of God" can have on an organization.

Planning for contingencies

Due to the catastrophic nature of such events, adequate steps must be taken to prepare the organization for unexpected events, and also to ensure that normal modes of operation can be restored with minimal cost and disruption to normal business activities after an unexpected event.

Contingency planning is very important in making sure that if and when such events do occur, things get back to the way they were within a reasonable period of time. A Contingency Plan (CP) should ensure the continuous availability of information systems to the organization even in the face of the unexpected, and typically entails:

  • Business impact analysis (BIA) -- this provides the organization with detailed information on the systems within the organization and the threats they face, and presents a potential damage assessment that outlines detailed scenarios of the effects that each potential attack could have on the organization.
  • Incident response plan (IR plan) -- this details the steps to be taken in preparing for and "responding" to a disastrous event. The incident response plan outlines a set of processes and procedures that help relevant staff anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets.
  • Disaster recovery planning (DRP) -- this entails preparing for, and recovering from, a disaster, whether natural or human-made.
  • Business continuity planning (BCP) -- this ensures that critical business functions can continue if a disaster occurs. A business continuity plan is critical in making sure that the organization can "bounce back" after such an incident.

Responding to disruptive events

An incident response plan typically tells us what to do before, during, and after an attack. For instance, in responding to a fire outbreak, policy could state that the first person who notices the fire should immediately alert security.

However, it simply isn't enough to have a plan. The organization must make it a practice to regularly test the incident response plan. In the case of an "Act of God" such as a fire, for instance, it is important to perform regular drills to ensure that employees are familiar with the steps to be taken in such an event, and that the organization has the capacity to handle such an incident.

Again, regarding the NIIT fire earlier today, the information available seems to suggest that though staff may have followed laid-down procedure, a failure to test plans could have been instrumental in the severity of the damage caused. According to a news report, although the staff member who first noticed the fire alerted security personnel, the fire at the facility might have escalated because "fire extinguishers also failed to function when the security men she alerted tried to quench the fire."

I hate to be presumptuous here, but one would imagine that this might not have been the case if incident response plans were tested and regular fire drills were carried out by the company.

An organization's assets are crucial to its business functions, and as such, proper contingency planning must be enforced as a matter of priority.
