Saturday 29 September 2012

Conference "CONTINUIDAD DE NEGOCIO 2012"


Contribution by Daniel Blanco, Business Continuity Consultancy Solutions Coordinator at Grupo SIA.

On 26 September I was pleased to attend the conference "CONTINUIDAD DE NEGOCIO 2012" (Business Continuity 2012) in Madrid, organized by Fundación DINTEL in collaboration with Continuam and INTECO.
Speakers from organizations such as BBVA, Banesto, Acciona, the Ministry of Defence, Adif, Aena, Bankinter and EMT were invited. The schedule can be seen at the following link at Fundación DINTEL:
http://www.dintel.org/index.php?option=com_content&view=article&id=216&Itemid=312

The lectures were divided into two blocks with different formats. In the morning, speakers presented success stories and experiences of Security and Business Continuity Management in their organizations; in the evening there was a colloquium in which the speakers answered questions put by a moderator.
Rather than describing each lecture in depth, I'd like to highlight some relevant messages and topics that came up repeatedly during the day:
  1. Although there are still points of view in which business continuity is treated as a part of information security, this time it was presented as an independent discipline that complements information security and that, together with risk management, delivers resilience to organizations.
  2. Awareness and management commitment are important points that have not yet been achieved in Spain, and they are necessary and essential. Business continuity plan and crisis management training and drills were presented as one of the most important ways to reach this objective.
  3. Having a business continuity plan or a crisis management plan that defines the recovery of the organization's critical business processes is not enough: other actors such as the police, emergency services, government and critical providers have to be taken into account in order to reach the minimum level of operation after a disruption. Without internal and external support, no organization can recover its business.
  4. The Spanish Critical Infrastructure Protection Law was presented as an inflection point that can drive the development of an industry collaborative framework and allow Spain to have sectorial strategic plans. Moreover, it can be an energizer of the three points described above.
As a conclusion, from my point of view, the different lectures of the conference were on the right track: defining business continuity issues, resilience and economic sustainability, and not only IT or information security. Nevertheless, we still have a long way to go to achieve what was defined in the second point: management has to commit to and promote business continuity activities. As a sign of this, I can point out that most of the people attending the conference were heads of IT or were part of the IT structures of their companies.

Tuesday 25 September 2012

Sabotage

Yesterday, talking with the head of Business Continuity consultancy at one of the main companies of the industry in Spain, we had doubts about whether the sabotage of the power infrastructure at Rayo Vallecano's stadium should be considered as a scenario in Business Continuity plans.

The power outage forced the postponement of the match between Rayo Vallecano and Real Madrid.

On the one hand, it seems clear that a scenario of power loss, whatever its origin, must be included in BC plans. Measures to assure the power supply are very common: generators, two power providers, etc.

On the other hand, the sabotage of the football match between Rayo Vallecano and Real Madrid has two special considerations:
  • The stadium must be available at a specific time and for a relatively short period (2 hours). There is no possibility of playing the match in another stadium (it would be impossible to move 15,000 people), and it is not possible to play at another time, since the main business to be continued is the television broadcast.
  • The internal electrical infrastructure was damaged, so there is no way to use an alternative infrastructure. It has to be repaired.
Since Business Continuity has to focus on the moments after an event occurs, and the plans cover the actions to be taken at those moments, it seems difficult for the staff of Rayo Vallecano to have done anything different even if they had had a Business Continuity plan. Traditional measures would not have been effective in this scenario because it was the internal infrastructure itself that was damaged. So this scenario is only useful for analyzing risks and defining mitigation measures.

In general terms, when a business depends on somebody doing something at a certain location, business continuity plans don't help much: it's not possible to change the actors, the location or the time, so we can only make a good risk analysis and try to mitigate the risk as far as we can.

Friday 7 September 2012

BYOD and Business Continuity

BYOD can be considered a trend in IT and is set to develop over the coming years, since it has a lot to do with mobility and telework. It was users themselves, mainly top management, who introduced smartphones and tablets into the offices when they realized that they were using their shabby professional mobiles more regularly than their brand new iPhone; they began to invert this trend, forcing their CIOs to allow access to their email, calendar and other applications. This means that, instead of being the product of a marketing strategy or the conclusion of a trends report by a high-level consultancy company (surely they are going to include it from now on), it is the result of an increasingly widespread practice.

From a technical point of view, BYOD is going to be a revolution in the workstation world that will require updated procedures, new tools to manage the devices and new security policies. Security and legal issues will probably be the most affected by this trend, with a lot of voices from security experts rising against it because of the violation of traditional security dogmas of access control and data loss prevention. That's why there are a lot of comments in forums and a rising market for device protection tools to avoid situations like the one that affected the Spanish Homeland Security Department Minister, who lost his iPad. Most of these tools were available before and have been renamed with the fashionable acronym (BYOD compliance…).
From a Business Continuity perspective, BYOD doesn't bring a great change, since it will be very similar to remote access policies, in which users usually bear the expenses of the Internet connection or even the computer they use to access the company's intranet. In the same way as for remote access, the BC manager, usually together with the Human Resources department, should ensure the following:
  • Employees give consent to use their own resources for professional purposes.
  • Employees own the resources required to carry out the activities they have to do in a crisis or contingency situation. The best way to do this is to involve the user in periodically taking inventory of their own resources.
  • Employee resources comply with the company's security and feature policies and procedures.
Apart from that, as with every BC resource, the BC manager should ensure that the information in the inventory is updated continuously. The best option is to automate the process with tools like Workforce Assessment by SunGard AS, in which the inventory and update process are done through a web form and stored in a relational database. This allows the information to be used later, when defining BC strategies and procedures. And of course these resources have to be included in the exercising program.