Security

In the event: Planning in the real world

I just finished completing the 3rd National Incident Management System (NIMS) compliance course required of me by my organization, and it got me to thinking about planning in general. There are a lot of planning processes for which we are responsible or participate in: Disaster Recovery, Continuity of Operations, Accountability Frameworks, Standard Operating Procedures, and NIMS to name a few.

There are templates and software, courseware and consulting for all of this planning that is supposed to allow us to be “ready” or to be able to justify and measure our work product. We are repeatedly told how important it is to “have a plan.”

Yet, no matter how important it is, how much time is given to you and your staff for planning purposes? I believe it is in this area that “lip service” plays a significant role in many organizations.

The trend over the years has been to trim “excess” employees in the name of being lean and mean. After all, look at how “productive” we as a nation have become. How “profitable” our companies are, and how “cheaply” we can run our government (“Look Ma! No employees!” Wait, don’t dig too deep to find that army of consultants that has replaced our “cheaper” employees—it’s the number on the payroll the voters look at).

We have created a situation in which a ton of planning occurs (and no real work gets done) or employees are scrambling to get the real work done and planning is haphazard at best. We have “trimmed” away our capacity for planning in the process of removing our fat.

Real preparedness is more than sitting down, creating the required document(s) and filing them away—confident in the fact that if an “event” happens, we will just whip out those documents and everything will be hunky-dory. Real preparedness means bringing those documents to life, testing them frequently, updating them regularly, and living your SOP.

Our emergency responders tend to be the experts in these areas because they live their plans out of necessity on a regular, if not day-to-day, basis. Dealing with full-fledged incidents/crises is usually not part of our daily IT activities.

Having said all that, the plans we do come up with are worth more than the paper they are written on, and their worth goes up with the practice and commitment that is applied to them. Even if they are stale and in a drawer somewhere, they are a starting point from which to begin your response. Yes, I realize that a stale plan can cause more harm than good depending on the situation – but it is hard to argue that having no plan is better than having one at all.

That is why I like the idea of NIMS. NIMS gives us a framework to respond to an incident/event of any size, whether it is planned or unplanned, and which can scale from a single organization to a national response. There has been a great deal of thought that has gone into NIMS and while none of it is IT-specific, if you go through the training, you will repeatedly find yourself thinking about your COOPs and disaster recovery plans and ways to improve them. In fact, it is highly recommended that organizations update their COOPs in order to reflect NIMS concepts. If you are a Federal Agency, you are already required to do so.

So what is NIMS exactly, other than what I have described, and where do you find out more?

NIMS is the National Incident Management System. It was created per President Bush’s Homeland Security Presidential Directive – 5 which instructed the Secretary of Homeland Security to develop and administer a National Incident Management System.

Why is NIMS important to you as an IT professional? NIMS provides a set of standardized organizational structures, requirements for processes, procedures and systems for interoperability, and a management system known as the Incident Command System (ICS). It is during the learning of the ICS that I believe you will have many of those moments in which you will think of ways to tweak your IT disaster response plans.

You can find out everything you wanted to know about NIMS here: http://www.nimsonline.com

or here: http://www.training.fema.gov/emiweb/is/is700.asp

and get online training here: http://training.fema.gov/emiweb/IS/crslist.asp

I suggest the following courses to IT professionals:

IS-1 - Emergency Manager: An Orientation to the Position

IS-100 - Introduction to Incident Command System, I-100

IS-200 - ICS for Single Resources and Initial Action Incidents

IS-700 - National Incident Management System (NIMS), An Introduction

It will take approximately 2-3 hours of your time for each, but I think you will find the courses well worth the effort.
