Data Center Hub

Internet Data Center and Hosting News and Views

Assessing your risks for storm related power failures

Filed under: Security — Bill Laakkonen at 1:03 pm on Friday, June 1, 2007

Every one of us is at risk for extended power outages after storms, tornadoes, or hurricanes. If you do experience a power outage, how long it lasts will depend on the severity of the storm as well as where you are in relation to the grid itself. When your local area is experiencing widespread power outages, there are certain steps that are taken to restore power, beginning with facilities which provide critical services.

As a general rule, power plants and the power lines from the plants are going to be restored first. It should be obvious that without power to the main power lines, power cannot be restored elsewhere.

The second group to have power restored are those which provide critical services such as hospitals, fire stations, and public safety such as police. Next after this group are grocery stores and gas stations as well as traffic control systems.

Next on the list are the major power lines that serve large numbers of customers, followed by smaller power lines that provide power to individual streets, and last among the groups to be restored are individual homes and businesses without power.

So where does your home or business fit in relation to the grid? If your business is located in a residential area, you can expect that your business will be a low priority for restoration. If, however, your business is located directly next to your local hospital, it is very likely your business will be among the first to have power restored.

How do you begin to assess the risk? The first thing you should do is take a look at how power is fed to your building. If you have above-ground wiring, you can simply follow the wiring with your eye up to your power pole. What kind of power pole do you have? Is it wood or steel? If the pole is wooden, you should take a look at its physical condition: is it rotted or damaged? If the pole is made of steel, you should check it for rust and for proper fastening at the ground. Take a look around the wires on your pole: are there any tree limbs resting on the wiring? If so, you should inform your power company to have the trees trimmed back before they cause an issue.

It’s important to note that even if you are located directly next to a hospital, you can still have a situation where the last mile to your home or business is fed via one of these old wooden power poles, in which case power would be restored very quickly to the grid, but should the line into your home be damaged you can still be without power for an extended period of time. Homes and businesses with underground power feeds are obviously going to be at the least risk for extended power outages.

Keep all these factors in mind when assessing your risk for extended power outages, along with the need for your home or business to have power during these times. The size of the generator system you purchase, the capacity for fuel storage, the type of fuel your system is powered by, along with aspects such as automatic power switching, will all affect your choice of emergency power and UPS systems.

One way to assess the risk of being without power is to simply take your annual revenue and divide it by the number of hours in the year to come up with an average value for each hour that you may be without power. For example, should your business have annual revenues of $1.5 million, you can divide that by 8760, the number of hours in the year. This would give you a value for each hour you are without service of roughly $171 in revenue. Of course, this assumes you’re working 24 hours a day, which you’re not, so the real figure of lost revenue would likely be much higher. A more realistic figure would be closer to three times your revenue divided by the number of hours in the year.

Given the above figures, one can estimate the average revenue to be in the neighborhood of $4000 for each 8-hour day, so a five-day power outage could cost you $20,000 in revenue. These rule-of-thumb figures should help you put your budgeting in perspective.
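The rule of thumb above, written out as a small Python calculator. This is an added example, not code from the original post; it reproduces the post’s $1.5 million figures and also lets you plug in your actual operating schedule (hours per day, days per week) instead of the fixed “three times” multiplier, which turns out to correspond to running 8 hours a day, every day of the year.

```python
"""Rule-of-thumb outage cost estimate (constructed example, not from the post)."""

HOURS_PER_YEAR = 24 * 365  # 8760, the figure used in the post


def naive_hourly_revenue(annual_revenue):
    """Annual revenue spread over every hour of the year (the post's first cut)."""
    return annual_revenue / HOURS_PER_YEAR


def operating_hours_per_year(hours_per_day=8, days_per_week=7):
    """Hours per year during which revenue is actually being earned."""
    return hours_per_day * 365 * days_per_week / 7


def hourly_revenue_at_risk(annual_revenue, hours_per_day=8, days_per_week=7):
    """Revenue lost for each outage hour that falls inside operating hours.

    With the defaults (8 hours a day, 7 days a week) this equals the post's
    'three times revenue divided by hours in the year' rule of thumb, since
    8760 / 3 == 8 * 365 operating hours.
    """
    return annual_revenue / operating_hours_per_year(hours_per_day, days_per_week)


def outage_cost(annual_revenue, outage_days, hours_per_day=8, days_per_week=7):
    """Estimated lost revenue for an outage lasting `outage_days` calendar days.

    Operating days inside the outage are pro-rated from days_per_week (an
    outage that happens to start on a weekend is not modelled separately).
    """
    operating_days = outage_days * days_per_week / 7
    hourly = hourly_revenue_at_risk(annual_revenue, hours_per_day, days_per_week)
    return operating_days * hours_per_day * hourly


if __name__ == "__main__":
    revenue = 1_500_000  # the post's worked figure
    print(f"naive hourly:    ${naive_hourly_revenue(revenue):,.0f}")
    print(f"adjusted hourly: ${hourly_revenue_at_risk(revenue):,.0f}")
    print(f"one 8-hour day:  ${outage_cost(revenue, 1):,.0f}")
    print(f"five-day outage: ${outage_cost(revenue, 5):,.0f}")
```

Change `hours_per_day` and `days_per_week` to your own schedule: a five-day-a-week business has fewer revenue hours, so each lost operating hour costs proportionally more.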

Other items to consider:

  1. Take steps to minimize impact if suppliers upon which you depend for products or services are disrupted during weather-related events.
  2. Plan for alternate communication, transportation, and courier services.
  3. Create a plan for your employees to follow in the event of severe weather, a tornado, or a hurricane.
  4. Create a plan to restore your business operations after the storm has cleared.
  5. Take a look at your current insurance policies and assess the sufficiency of coverage.
  6. Determine in advance methods for assessing and reporting storm damages.


Even if you are not located in an area likely to be affected by severe weather it is still possible for your business to be impacted by it. In our office we waited one year to get a new door. Why? The factory which made all the doors in our building is located in New Orleans; well, they were in New Orleans.

.bank domains, DNS, and Phishing

Filed under: Hosting, Security — Bill Laakkonen at 10:50 pm on Sunday, May 27, 2007

Mikko Hyppönen of F-secure has suggested that a new top level domain such as .bank or similar would help alleviate problems of phishing attacks against financial institutions.

Unfortunately, the suggestion is a solution which does not cure the actual problem: DNS is insecure. This new top-level domain has been the subject of much heated debate, and of course much criticism. I believe I have to count myself on the criticism side of the debate at the moment. After reviewing some of F-Secure’s rebuttals of the criticisms, here are some issues I have with the suggestion which F-Secure has not yet addressed. Some of the following are quoted from the F-Secure web log and followed with my own comments.

A new top-level domain will not solve the phishing problem once and for all, so it’s not even worth considering.

This is not a silver bullet. A new top-level-domain (TLD) would not be the end of the phishing problem. But it would be a helpful top-level domain and it would stop a particular subset of phishing completely.

    While it is true that some domains are more trustworthy than others (for example, .info domains appear to have the highest proportion of phishing sites on them), creating a new top-level domain does not actually solve the problem of phishing; it merely creates yet another domain and as such it is dependent upon a weak DNS system. In fact, DNS shows up in the list of the top 20 Internet security attack targets for 2006.

This initiative won’t move further until we find a sponsoring organization that starts to push it and proposes it officially to ICANN. This sponsoring organization is what we are trying to find at the moment.

    Of course the sponsoring organization could officially propose this to ICANN; however, ICANN is not a regulatory agency or governing body. Even though there is presently a .pro domain for doctors and other professionals, creating a .bank domain or another authenticated top-level domain does not correct the problem of phishing any more than a new coat of paint will make a house hurricane resistant.

I do believe the suggestion for a new .bank domain is well intentioned and I don’t question the motives behind it; however, any new solution which doesn’t correct the actual problem it attempts to solve is not a move in the right direction in my opinion. I believe the move of requesting ICANN to expand its authority is one of the main reasons not to ask ICANN to create a .bank TLD. Given the present state of the domain registration business, there’s no way that a .bank top-level domain could be sufficiently authenticated, given that there will likely be registrars issuing the domains and not ICANN itself. It is not possible for a TLD such as .bank to be run in the same manner as the .gov domain. There’s not a governing body for domain registration yet. Perhaps the banks themselves can create a group and petition for the TLD, but this involves investing money on speculation, something most banks are loath to do.

ISO 17799/27001 BS7799 IT Security policy resources

Filed under: Security — Bill Laakkonen at 9:29 am on Thursday, May 10, 2007

Who needs IT security policies and what types of organizations must comply?
Regardless of the size of your company, you should have an IT security policy in place. Even if you’ve not put one in writing yet, you have a policy already. In most small companies the policy is an island approach where every individual is left to his or her own devices and while this has worked well in the past, it must change in the future. In the past, with the exception of burning down your offices, damage from a single employee’s actions would usually be limited to their own files and sphere of influence. Today, the actions of one can affect your entire IT structure and wreak havoc and even destruction or disclosure of your data. Running your business without a policy in place is akin to setting sail in a boat with no rudder. The winds may carry you safely somewhere, or smash you into the rocks at any time. At a minimum the security policy should act as a guide for your business. If you have more than one employee, you should have a policy in place. For companies with up to 200 employees, the ISO 17799 standards allow management to have a better awareness of IT security and for larger organizations, the standards should allow the creation of a mature and compatible IT security culture within the company.

What organizations are required by US law to have IT security policies? The short answer is all public companies and virtually all companies in the health care business who handle electronic patient data.
The Sarbanes-Oxley Act (SOx) section 404 requires public companies to document their IT and financial controls and to issue an annual statement on the effectiveness of those controls. Whether your company is large or small, if you make periodic filings under section 13(a) or 15(d) of the Exchange Act, you’ll need to comply with SOx.

HIPAA Subpart C Section 164.306 (c) requires covered entities to apply specific security standards regarding all protected health information.

How does one implement a policy and what standards are involved?

Of course, you can go to the ISO web site, purchase a copy of the ISO 17799:2005 standard in PDF, and write your own policies from scratch. Or you can start from templates created by others.

One of the simplest ways to get started is by evaluating a sample policy based on ISO 17799. There are two easy ways to do this. One is to purchase a commercially available template system, and the other is by using Open Source documents as a starting point for your policies. The Lazarus Alliance started a wiki for this purpose about a year ago and while it’s a work in progress, reviewing the ISO 17799 documentation in the wiki should give you a good start towards ISO 17799. Bear in mind that the wiki is a work in progress and may not offer a policy as comprehensive as a commercially offered set of templates.

For commercial templates, quite a few are revealed with a simple search on Google. The majority of those in the top results appear to be from the same creator, with similar descriptions and pricing. The hype from this creator leads me to view the product with a jaundiced eye (for example, they claim Patriot Act compliance; unless you are an ISP, you need not worry about this act. Having said this, please note I am not an attorney). I personally would demand a review period to evaluate the quality prior to committing money to the e-janco templates. Another sample template system is available for free review in PDF format from RUSECURE. Having reviewed this template, I can opine on the quality and thoroughness of the policies in their templates. At half the price of the Janco templates and with a seven-day money-back guarantee, it would be hard to go wrong with this template set.

You may also consider buying a software solution to generate your security policies. One such solution is produced by Callio though you will find many others on the market for a DIY approach.

Another option is to hire a consultant to do all the steps for you. In most cases, the consultant will likely start with a software toolkit or templates and customize them as needed for your business. This is by far the easiest way to get a policy in place, but do remember to do your due diligence on the consultant and inquire as to his background, qualifications, and real-world experience prior to hiring. A good consultant should also be able to provide a clear, detailed proposal covering costs and milestones prior to beginning work. One last bit of advice: never pay the full consultant fee in advance. My experience from both sides of the table indicates that structured payments based on milestones, with a final payment upon full delivery, work best for all concerned.