FFIEC Update: Cybersecurity Assessment Tool

Cybersecurity is a growing concern, particularly among highly regulated industries such as finance. In February, the Federal Financial Institutions Examination Council (FFIEC) urged financial organizations to prepare for cyber risks in an appendix to its IT Examination Handbook. The FFIEC is continuing its push for better cybersecurity practices through the release of its new Cybersecurity Assessment Tool.

The tool walks organizations through completing a risk assessment, which involves determining an organization’s inherent risk profile and cybersecurity maturity levels within five domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

As threats, vulnerabilities and operational environments evolve, FFIEC members plan to update the tool as necessary. To access the tool and related documents, visit ffiec.gov/cyberassessmenttool.htm.

[Webinar Recap] DRaaS 101: What You Need to Know About Managing Your DR in the Cloud

Disaster recovery as a service (DRaaS) is a hot topic in the DR world right now. But is DRaaS just another buzzword, or is it a better way of doing DR?

In a recent webinar with the Disaster Recovery Journal, Brandon Tanner, senior manager for Rentsys, talked about how DRaaS got its start, how businesses are using it and how to select a DRaaS provider.

If you missed the live presentation, you can access the recording here.

Freight Trains and Chemical Spills: How to Prepare Your Business

At the beginning of this month, a train carrying the flammable, toxic chemical acrylonitrile partly derailed and caught fire near Knoxville, TN, forcing 5,000 people to vacate the area.

A few days later, July 6, marked the two-year anniversary of the oil train derailment and subsequent explosions in Lac-Mégantic, QC, which killed 47 and forced 2,000 people to evacuate their homes.

While some business continuity planners focus their risk assessments on natural disasters such as hurricanes, tornadoes and earthquakes, man-made disasters such as train derailments and chemical spills can’t be ignored.

The Risks of Transporting Chemicals by Rail


Unfortunately, the risks of rail-transported hazardous materials are prevalent in certain areas of the U.S. and Canada. In Washington state, for example, up to 17 trains carry nearly 1 million gallons of crude oil through Spokane and other counties. 

While en route to oil refineries, one or two trains pass daily through Seattle’s antiquated downtown rail tunnel. If a spill or explosion were to occur, the city’s emergency managers warned that such an event would have a catastrophic effect on the city’s citizens, buildings and environment. 

This threat has become even more pronounced in recent years, with federal data revealing that more oil was spilled during U.S. rail incidents in 2013 than was spilled in nearly four decades.

Preparing for a Hazmat Catastrophe


Though the U.S. government recently coordinated with Canada to pass a rule for improving the safe transport of flammable liquids by rail, it’s still important that you take the following steps to protect your business and employees if you’re located near an industrial freight line.

Plan for an Alternate Facility

If a spill or explosion occurs in your region, you need to have a plan for alternate work arrangements. Even if your facility is left untouched, city evacuations can prevent you from accessing your building.

Some common backup facility options are Business Recovery Centers (BRCs), Mobile Recovery Centers (MRCs), modular buildings or rented office space. Because hazmat disasters happen with no notice and will likely affect other businesses in your region, you should consider contracting space ahead of time rather than relying on a first-come, first-served solution.

To minimize downtime, the facility should ideally be equipped with voice and data connectivity infrastructure and office technology preconfigured to your specifications. Also make sure the space can be available within your recovery time objectives. BRCs, for example, can be available in mere hours after a disaster declaration, and MRCs can be delivered within 24-48 hours. The availability of modular buildings and office space will vary.

Location is another key factor in selecting a facility. Choose a facility too far away, and your employees might not be able to travel to that location. Opt for a facility too close, and you run the risk of the building being affected by the same disaster that shuts your facility’s doors. The benefit of an MRC-based mobile recovery solution is that the unit can be deployed in a location of your choice without having to obtain permits from the city, as you would with a modular building.

Prepare for Loss of Data and Hardware


In the aftermath of a spill or explosion, your business could face restricted access to or even a total loss of critical IT infrastructure components. These assets could include servers and hard drives; on-premise traditional data repositories, such as tape; and end-user laptops and desktop computers. To continue business operations, you need access to your entire IT environment, including data, applications, operating systems and configurations.

Today, there are several available cloud solutions that give you the flexibility to recover your environment from anywhere with an Internet connection. For example, by using a secure cloud-based vaulting and recovery solution in conjunction with infrastructure as a service, you can spin up your environment at time of disaster without having to reconfigure your servers, PCs and other hardware.

To offset the loss of office technology, desktop as a service (DaaS) can give users access to their desktop configurations from any device. Some DaaS providers can supply backup technology as well.

You might also choose to use a colocation solution to protect your environment — particularly if you contract a BRC that offers on-site rack space. If you go this route, make sure the hosting facility is located close enough to your primary facility to address cost and latency concerns, but far enough away to ensure there’s not a common risk between geographies.

Conduct BC/DR Testing and Employee Safety Drills

Once you have a plan in place, it’s important to test it to identify interdependencies among your systems and processes, reveal differences between production and recovered environments, and make sure your staff members know what’s expected of them.


You should also conduct routine safety drills so your employees will know what to do in case a spill or explosion occurs during business hours.

Is your company susceptible to the risks of hazardous materials transported by rail? If so, what steps are you taking to prepare?

What Shark Week Can Teach Us About BC/DR

Roy Scheider's character in Jaws captured the essence of Shark Week in a single line of dialogue more than 10 years before Discovery Channel started its annual block of shark-focused programming. After Jaws pokes his head above the surface of the water in one scene, a stunned Scheider slowly walks backward to the boat's cabin and tells Robert Shaw's character, "You're going to need a bigger boat."

You might find yourself uttering Scheider's famous line while preparing your company for a disaster. Whether you're planning for natural disasters such as hurricanes, earthquakes or tornadoes, or backing up crucial data from your business's servers, there will probably come a time when you think you're going to need a bigger boat.

With Shark Week coming to a close, here are a few things you can learn about business continuity and disaster preparedness from some of the interesting shark news over the last week.

Get Educated


Discovery Channel's Shark Week has caught some criticism over the years for becoming more entertainment-focused than educational, but one Illinois girl is thankful she tuned in before taking a trip to Florida. Ashlyn Gilpin, a high school freshman, was attacked by a shark in May at Cocoa Beach and credited Shark Week with teaching her how to react during the attack and not make it worse.

Knowing what to expect in a disaster is crucial to preparing your business to make it through a bad situation. Just as Gilpin benefited from watching Shark Week, you can benefit from participating in educational programs such as webinars, reading trade publications or learning from other professionals in your industry, so you know how to prepare for and react to a disaster.

Be Protected


Drought conditions and high salt levels in coastal waters have contributed to an increase in shark attacks along the Eastern coast of the United States, so what's a water lover to do when their local beach is being stalked by Jaws? An Australian company designed shark-repellent wet suits that camouflage swimmers from a shark's limited vision capabilities.

While they don't offer the same protection as swimming in a shark-proof cage, the innovative wet suits are a means of protecting yourself while still enjoying shark-haunted waters. Just as the wet suits let swimmers carry on as usual, your company's data needs to be protected in a manner that doesn't disrupt daily business. Backing up data to a secure, private cloud is an easy way to ensure critical information stays secure and also offers a way to quickly rebound if a system goes down.

Get a Bigger Boat


Scheider was on to something when he suggested getting a bigger boat all those years ago. In June, U.S. Coast Guard captain Ben Chancey was fishing for grouper in Florida when a shark knocked him from his kayak and sent him quickly swimming for a nearby support boat. Once the shark stopped attacking the kayak, Chancey was able to return to his undersized ship and reel in the shark for a big catch.

While Chancey was able to finish landing the shark back aboard his kayak, he was still at a disadvantage in the small boat. Had the much bigger support boats not been nearby, Chancey would have been in a much more perilous situation, stranded in the water with several sharks. When a disaster strikes your business, you can recover quickly with the help of a backup facility such as a Mobile Recovery Center or a Business Recovery Center. Having access to an alternate facility can help you rebound and reel in the biggest fish.

Need some more tips for how to keep your company prepared? Read our post "Most Commonly Forgotten BC/DR Items."

11 Questions to Include in Your IT Vendor Due Diligence


Outsourced IT is nothing new, but as Verizon Wireless’s recent report "Better Outcomes for IT Outsourcing" points out, digital transformation is changing the face of outsourcing. Customers want flexible service delivery models, ways to improve inefficient processes and spending models based on opex versus capex.

But with the rise of cybersecurity issues, tightly wound supply chains and customer expectations for always-on service, you need to make sure that any vendor with access to your data and systems is fully vetted.

Before you involve any third party in your IT processes, make sure you know the answers to these questions:

  • Has the vendor undergone a compliance audit such as the SOC 2 Type II? How often are audits performed?
  • Do the vendor's services and certifications align with your organization's service level agreements (SLAs), business impact analysis recovery objectives and industry-specific compliance requirements?
  • What performance objectives, remediation procedures and exit provisions are included in the vendor's SLAs?
  • What is the vendor's business continuity and disaster recovery (BC/DR) strategy?
  • What BC/DR test practices does the vendor follow? When was the last test?
  • What tools and industries do the vendor's staff members have experience with?
  • Where is data stored and how long is it retained?
  • Are data center engineers certified and experienced?
  • Do employees receive routine background checks?
  • What access control methods does the vendor use?
  • Has the vendor ever experienced a data breach? If so, how did the company handle it?

Depending on your industry and the type of solution you’re looking for, you’ll likely have a few questions to add to this list. But by being informed about these 11 key areas and making sure the vendor’s answers align with your business’s needs, you can help ensure a better outcome for your outsourced IT functions.

For examples of vendor evaluation guidelines specific to a unique industry or technology service, check out our post "FFIEC Update: Ensuring Resiliency of Outsourced Technology Services" and download our vendor evaluation guide.

The Fourth of July: Fireworks and Fire Danger

On June 11, 1776, the Continental Congress gave the Committee of Five, which included Thomas Jefferson and John Adams among others, three weeks to draft a document that made a case for the colonies' independence from Great Britain. The American Revolution had already begun on April 19, 1775, but this document was meant to declare absolute independence from the crown.

Though the Declaration of Independence wasn't signed until much later, July 4 marks the day we remember our nation's independence. Every year since then, many celebrate the holiday with fireworks, barbecues and fellowship.

But the Fourth of July festivities can also bring about certain dangers caused by fireworks, bonfires and grilling. For instance, in 2011, fireworks caused 17,800 fires that resulted in eight civilian deaths and $32 million in property damage. Take these steps to help mitigate the possibility of your becoming a statistic:

  • If you’re burning anything, make sure all fires are being watched closely.
  • When cooking or burning, stay upwind to avoid smoke inhalation.
  • Avoid grilling near buildings or other structures, as well as low branches.
  • Keep children away from fires, grills, matches and lighters.
  • Use fireworks away from residences.
  • Have fire extinguishers readily available in case a fire flares up.
  • Do not burn or use fireworks if there is a burn ban in effect.
  • Do not become negligent or reckless while using potentially dangerous items.
  • If there is an emergency, do not hesitate to call 911.

These tips can help you avoid unexpected fire-related disaster, but unfortunately problems do arise despite our best efforts. When the time came for the colonists to gain independence from the British, the Committee of Five was ready. If it becomes necessary for you to respond to an emergency this Fourth of July, will you be ready?

[Webinar Recap] Getting the Most Value From Your Business Continuity and Disaster Recovery Plan

A water main break wreaks havoc on a business’s facility. Civil rioting forces employees to steer clear of their main facility. A fire reduces a building to a gutted, ashy shell. A mass software update requires all hands on deck. Heavy rains and flash flooding make a downtown commute out of the question. A booming business requires a new facility faster than it can expand.

You might place some of these events on opposite ends of the disaster spectrum, but they all have one thing in common: They’re all real-life examples of situations that had the potential to cause significant business interruptions.

[Photo: a mobile bank branch open for business. Photo courtesy of Service Credit Union.]
During a recent Association of Contingency Planners webinar, Rentsys National Sales Manager David Tedford and one of our clients, Service Credit Union CIO Bill Arnold, spoke about how businesses can gain the most value from their contracted business continuity and disaster recovery (BC/DR) solutions by implementing them for both disaster- and non-disaster-related scenarios.

Service Credit Union, for example, has used a mobile bank branch to recover from a fire and to accommodate customers during a branch expansion project.

The webinar is over, but to hear more about Service Credit Union’s experiences, you can access the recorded presentation here.