I just finished completing the 3rd National
Incident Management System (NIMS) compliance course required of me by my
organization, and it got me to thinking about planning in general. There are a
lot of planning processes for which we are responsible or participate in:
Disaster Recovery, Continuity of Operations, Accountability Frameworks,
Standard Operating Procedures, and NIMS to name a few.
There are templates and software, courseware and consulting
for all of this planning that is supposed to allow us to be ready or to be
able to justify and measure our work product. We are repeatedly told how important
it is to have a plan.
Yet, no matter how important it is, how much time is given
to you and your staff for planning purposes? I believe it is in this area that
lip service plays a significant role in many organizations.
The trend over the years has been to trim excess employees
in the name of being lean and mean. After all, look at how productive we as a
nation have become. How profitable our companies are, and how cheaply we
can run our government (Look Ma! No employees! Wait, dont dig to deep to find
that army of consultants that has replaced our cheaper employees--its the
number on the payroll the voters look at).
We have created a situation in which a ton of planning
occurs (and no real work gets done) or employees are scrambling to get the real
work done and planning is haphazard at best. We have trimmed away our
capacity for planning in the process of removing our fat.
Real preparedness is more than sitting down, creating required
document/s and filing them away-- confident in the fact that if an event
happens, we will just whip out those documents and everything will be hunky
dory. Real preparedness means bringing those documents to life, testing them
frequently, updating them regularly, and living your SOP.
Our emergency responders tend to be the experts in these
areas because they live their plans out of necessity on a regular, if not day-to-day
basis. Dealing with full-fledged incidents/crises is usually not part of our
daily IT activities.
Having said all that, the plans we do come up with are worth
more than the paper they are written on, and their worth goes up with the
practice and commitment that is applied to them. Even if they are stale and in
a drawer somewhere, they are a starting point from which to begin your
response. Yes I realize that a stale plan
can cause more harm than good depending on the situation but it is hard to
argue that having no plan is better than not having one at all.
That is why I like the idea of NIMS. NIMS gives us a
framework to respond to an incident/event of any size, whether it is planned or
unplanned, and which can scale from a single organization to a national
response. There has been a great deal of thought that has gone into NIMS and
while none of it is IT-specific, if you go through the training, you will
repeatedly find yourself thinking about your COOPs and disaster recovery plans
and ways to improve them. In fact, it is highly recommended that organizations
update their COOPS in order to reflect NIMS concepts. If you are a Federal
Agency, you are already required to do so.
So what is NIMS exactly, other than what I have described,
and where do you find out more?
NIMS is the National Incident Management System. It was
created per President Bushs Homeland Security Presidential Directive 5 which
instructed the Secretary of Homeland Security to develop and administer a
National Incident Management System.
Why is NIMS important to you as an IT professional? NIMS
provides a set of standardized organizational structures, as well as
requirements for processes, procedures and systems for interoperability as well
as a management system known as the Incident Command System (ICS). It is during
the learning of the ICS that I believe you will have many of those moments in
which you will think of ways to tweak your IT disaster response plans.
You can find out everything you wanted to know about NIMS
and get online training here: http://training.fema.gov/emiweb/IS/crslist.asp
I suggest the following courses to IT professionals:
Emergency Manager: An Orientation to the Position
Introduction to Incident Command System, I-100
ICS for Single Resources and Initial Action Incidents
National Incident Management System (NIMS), An Introduction
It will take approximately 2-3 hours of your time for each,
but I think you will find the courses well worth the effort.