Back in Business

Security Training Videos:

“Back in Business”

by M. E. Kabay, PhD, CISSP-ISSMPAssociate Professor, Information Assurance
Dept. of Computer Information Systems
Norwich University, Northfield, VT 05663-1035 USA

This series of short reviews is intended to help security-awareness officers evaluate training videos for their training programs. The author and his employer have no financial interest in or involvement with the companies whose products are reviewed.

* * *

The training video “Back in Business” from Commonwealth Films < http://www.commonwealthfilms.com > is subtitled, “Disaster Recovery / Business Resumption.” I have used this title for many years in various courses and it has to be one of the best training video ever made. It has recently been superseded by a newer video, “Ready for Anything,” which uses some of the same situations (and even some of the same dialog) in a more modern context. Nonetheless, “Back in Business” remains a superb training tool.

The video starts with pictures of devastated business sites and a voiceover that emphasizes how important business resumption planning is for the continued survival of a firm after a disaster.

“Atwell Corporation” experiences a power outage on December 18^th, during a company Christmas party on Friday afternoon. Through a series of plausible accidents, the power failure and subsequent voltage surge causes a fire in a storage closet as well as damaging many PCs. The sprinklers go off and soak unprotected electronic equipment; and paper records are ruined. By the next morning, the company began to realize that they had no idea what to do to get recovery going. Naïve managers thought that the small fire would be a minor inconvenience; instead the situation escalates into a disaster. The two-year old disaster recovery plan dealt only with the data center but the master copy is– naturally – locked in the building, which is contaminated with PCBs from burst fluorescent light ballast. Even the fragments of the plan that are available have out-of-date phone numbers for employees; many of the employees do not wish to participate in recovery. The managers scramble to use a car phone and the Yellow Pages to try to find the firms they need to get recovery going.

By start of business on Monday, the company is ensconced in a bingo hall and the bad news is that no one realized how long it would take to install software and restore backup data onto the recovery system. Trying to run production software on a different division’s computers does not work well, with untrained staff working without documentation on other people’s programs. By mid-week, it becomes clear that the priorities established in theory do not reflect the critical path; and people who do unofficial end-runs around the official sequence just as often create new bottlenecks.

Because of the lack of training and forethought, much of the wet paper rots and disintegrates; maverick employees discard valuable records thoughtlessly, causing serious problems later. Inadequate security allows Dumpster-divers to search through discarded files and retrieve confidential data.

Employees chat casually with news reporters; their off-the-cuff jokes make the newspapers, much to the embarrassment of the company. Inadequate communications with customers leads to lost sales. Eight weeks after the disaster, the company’s operational recovery looks good; however, six months later, the lost sales and more important, lost clients leads to massive employee layoffs.

The rest of the film looks in detail at the steps in establishing a sound disaster recovery and business resumption plan for all kinds of problems. They integrate the knowledge of all kinds of people within the organization; use expert guidance; think about the critical path for recovery of each department and unit; coordinate priorities. The I.T. department look in detail at how to get going faster and more efficiently at the recovery site. Document retention policies now include backups and offsite storage of critical paper documents as well as magnetic media. The Public Relations department assigns a chief spokesperson for media communications; the Customer Service department ensures that customers will continue to have their needs met with a minimum of disruption.

The video moves fast, has plenty of practical information, and really motivates employees to pay attention to disaster recovery and business resumption planning. As usual with Commonwealth Films’ productions, the video is convincing and interesting. The CD-ROM includes an information-packed one-page summary with the key points from the video laid out for easy reference.

The video was written and directed by Webster Lithgow and produced by Jennifer Wry. The technical advisors were Edward S. Devlin, Thomas R. Peltier and James M. St. Germain. Several government and industry experts reviewed the script for accuracy. Good job, everyone!

Commonwealth Films are in Boston; phone 617-262-5634.

* * *

Information about M. E. Kabay, PhD, CISSP-ISSMP< mailto:mekabay@gmail.com > is available at < http://www.mekabay.com/ >.