Technology Consulting to Get It Done

Disaster Recovery Board Game

without comments

If you would like to perform your own disaster recovery table top exercise, we have a tool that you can use with your IT staff and user base to help facilitate the meeting: the Disaster Recovery Board Game.  You can download the game board materials we have prepared here (a single, zip file that contains the instructions and parts): DRGameContents, or you can contact us if you would like to pre-order a printed version of the game and instructions.

Written by tfaith

June 3rd, 2011 at 10:33 am

Posted in Technology

Performing a Table Top Exercise

without comments

Disaster Recovery: The Board Game

Objective

The object of the game is to review potential disaster scenarios, identify the impact of each scenario on information systems, and identify potential preparedness problems with existing recovery plans, such as lack of equipment, staffing, expertise, or recovery options for particular scenarios.

Setup

The game works best if ahead of time a network diagram is created that provides the following details for the existing information system:

  • Local network geographic locations
  • Workstations, network switches, routers, servers, phone systems, and related equipment
  • Local and Wide area network connections, speeds, and carriers
  • Existing contracts for business continuity services
  • Matrix of existing IT staff and areas of expertise

Where possible, the network diagram should identify the high level systems in place in the organization, and degree of criticality of each system to continued business operations in the event of a disaster. The criticality of a system determines its priority in a recovery effort.

In addition, if the organization has a policy on systems availability or the operations of the organization during particular disasters, this policy should be available to staff in the meeting. This policy may identify disasters where the organization will continue to operate, the chain of command to respond to system disasters, and organizational expectations for recovery time objectives.

With the network diagram, the IT/IS department should meet with its leadership and senior staff, and some representatives from the business units served by the information systems for approximately two hours. A member of the meeting should be designated to take notes on the course of the meeting, and a different member should be designated as moderator. Notes taken should be organized by disaster, and should identify which staff resources were available during each scenario, potential issues with recovery that were identified during the discussion, and open questions about configuration or recoverability.

Game Play

1. The game board provides spaces for up to eight physical locations. If the organization has more than eight physical locations, locations can be grouped into logical parts, perhaps by geographic or by business unit. Equipment available in each location should be placed from the resource cards deck into each location on the board, with the largest location should be placed in location A. Disaster scenarios may make one or more locations unavailable, including the resources within that location.

2. Gameplay begins by a member of the meeting drawing a disaster scenario card from the disaster scenario deck. Each scenario provides a designation of the likelihood that staff will be unavailable to help in the recovery effort according to the following:

a. 10% chance of unavailability corresponds to rolling the following numbers of the dice: 3 or 11

b. 50% chance of unavailability corresponds to rolling the following numbers of the dice: 5 or 6 or 8 or 9

c. 80% chance of unavailability corresponds to rolling the following numbers of the dice: 3 or 5 or 6 or 7 or 8 or 9 or 11

3. Each IT/IS staff member should roll the dice, and depending on the combination, be identified as available or unavailable to respond to the disaster. Unavailable staff can still participate in the discussion of the game, but their knowledge and skills will not be available if needed for the systemÕs recovery.

4. Once all staff have rolled to determine availability, the designated moderator of the meeting should solicit discussion from the members of the meeting for the topics drawn from the Discussion Topic cards.

5. The designated note taker from the meeting should endeavor to fill out the forms provided, with particular emphasis on single points of failure, issues that would prevent a recovery of a failed system, and other problems identified during the exercise. These issues can be used to develop a plan to address shortfalls in the present disaster recovery plan, and for budgeting for new staffing, capital items, or other resources required to recover from a particular scenario.

Interested in discussing or scheduling a table top exercise? Contact us for more information. Want to read more about NIST’s recommendations for table top exercises? Click here to download the NIST publication 800-84.

Written by tfaith

June 3rd, 2011 at 10:24 am

Posted in Technology

Risk Assessments under HIPAA Security Regulations

without comments

The Health Insurance Portability and Accountability Act (HIPAA) granted the Secretary of Health and Human Services the power to establish regulations for covered entities, including the information security policies of the entity. An important aspect of the security regulations is regularly assessing risks to the entity’s information systems and infrastructure under section 164.308(a)(ii)(1) of the security regulations. If you are a health care provider, clearinghouse, or insurance company (and under ARRA, if you are a business associate of one of these covered entities), you are required to conduct risk assessments of your information systems on a regular basis. In addition, if you are a qualifying health care provider under the Medicaid or Medicare program, using a certified electronic health record and you wish to qualify for the meaningful use incentive payments, one of the core requirements of meaningful use is that you are conducting a risk assessment of your information systems.

The security regulation specifically requires a covered entity to “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” Id. This analytical process is helpful to the organization for several reasons. First, doing an inventory of the information systems in use in the organization helps to categorize the extent of exposure of the organization to security threats. Second, spending time on identifying known problems or vulnerabilities helps to clarify what should be budgeted for mitigating these problems. Third, all risk assessment methodologies require an organization to balance the potential impact of the risk against available mitigations, and to choose a reasonable mitigation (one which costs less than the adjusted risk to the organization of loss).

The following is an overview of the Risk Assessment Process:

Want to learn more or need help performing a risk assessment? Contact us for help by phone or email.

There are a wide variety of analytical tools available today to help a provider assess risk to his business organization. For example, the Centers for Medicaid and Medicare (CMS) has developed a risk assessment system that aids a provider in categorizing existing information systems, evaluating what risks exist to those systems, what mitigations are in place to reduce risk, and what risks remain that are sufficiently great that either additional mitigations are required or the business owner must accept them in order to continue to operate the system. See Centers for Medicare & Medicaid Services (CMS) Information Security Business Risk Assessment Methodology, version 2.1 (May 11, 2005).

Written by tfaith

June 3rd, 2011 at 10:19 am

Posted in Tech Law,Technology

Disaster Recovery Preparedness

without comments

The ability of a business to recover from a systems failure is generally measured by the amount and quality of preparation of the organization for a disaster. A solid disaster recovery plan is made up of several components: (a) a risk assessment of existing information systems identifying the unmitigated or insufficiently mitigated risks along with a plan for reducing or accepting those risks, (b) a disaster recovery methodology and policy that documents expected system availability, acceptable data loss, anticipated recovery time objectives, and a more detailed procedure that can be followed to achieve the policy objectives, and (c) regular testing of the existing disaster recovery plan along with updating of the plan as systems and objectives change.

A part of the planning and testing process includes a table top exercise with IT and business leaders. The objective of the table top exercise is to discuss current readiness for a disaster based on a variety of scenarios, to ensure regular communication between leaders of the business and IT staff to properly manage expectations about current preparedness and recoverability, and to help identify issues that require planning or additional effort (such as non-IT issues like where are staff going to physically work during an emergency, will the business be able to operate, who will be responsible for declaring a disaster and coordinating the organization’s response in concert with IT, and what will happen once the emergency situation is over).

Interested in discussing or scheduling a table top exercise? Contact us for more information. Want to read more about NIST’s recommendations for table top exercises? Click here to download the NIST publication 800-84.

Written by tfaith

June 3rd, 2011 at 10:16 am

Posted in Technology

HIPAA and Disaster Recovery

without comments

Here is a presentation on the security regulations in the Health Insurance Portability and Accountability Act and disaster recovery.  This presentation also discusses how virtualization technology can help to improve or enhance the functionality of a disaster recovery system.

HIPAA And Disaster Recovery: Regulations and Solutions

Written by tfaith

August 27th, 2010 at 8:27 am

Posted in Tech Law,Technology

Disaster Recovery Table Top Exercises

without comments

Being able to recover from a major system failure is essential for most businesses today.  The key to recovery, beyond implementing technology that supports disaster recovery, is to practice for disasters.  That means periodically meeting with members of the organization to review the process an IT department will go through in order to, step by step, bring critical systems back from an uncontrolled virus attack, hurricane, or major hardware failure.  The table top exercise described below is a relatively inexpensive way for an organization to discuss scenarios for systems recovery and identify issues in the current disaster recovery plan.

(To read the remainder of this posting, check it out here, courtesy Tim Faith and Faith at Law, LLC).

Written by admin

August 25th, 2010 at 12:21 pm

Posted in Technology

Disaster Recovery Consulting

without comments

Are you a covered entity or business associate and are obligated to design and test a disaster recovery system for your systems that contain protected health information?  Do you need help assessing your current technology risk and identifying changes or capital expenditures that can help contain existing risks to your data or systems?  We can help.

Risk Assessments. Our consultants can help you to complete a risk assessment using a standardized methodology, and help you to design a budget around the identified unmitigated (or insufficiently mitigated) risks to your systems and infrastructure.

Implementation.  We can also help you if you wish to establish a remote site for hosting a mirrored or replicated disaster recovery system, including helping to implement a virtual environment from which you can operate in the event that your production environment suffers a partial or complete, extended failure.

Testing.  We also provide help in performing backup and system testing so that you can ensure that your backup and DR systems are performing normally, and we can work with you to design a testing procedure that will fit your resources and will help your staff to practice in preparation for the real thing.

Table Top Exercises. We can also help you to conduct a disaster recovery table top exercise to help you and your staff walk through various disaster scenarios and think through the recovery process.  Table top exercises can be helpful in identifying missed issues or risks (sometimes the most basic kinds of issues that we tend to take for granted when preparing for a system failure or disaster), and also to identify work yet to be done to prepare for a disaster.

Written by admin

August 25th, 2010 at 12:14 pm

Posted in Technology

Infrastructure Consulting

without comments

Considering a change in your server room or need help securing your existing network?  We can provide help to you in designing a server or network operations center to make sure that your equipment has sufficient power, backup power, cooling and space.  We can also help to assess your existing network’s security configuration or design and help you to implement changes so that your network is less vulnerable to security issues and viruses.  We can also help you to document your existing network infrastructure.

Written by admin

August 25th, 2010 at 12:02 pm

Posted in Technology

Remote Technical Support

with 2 comments

Tech Two can provide remote technical management and support to your organization, if you have a broadband internet connection and a local area network. Need help implement your LAN? Contact Us to schedule an assessment. Using Virtual Private Networking (VPN), we can securely connect to your network, inventory your workstations, servers, and peripherals, remotely ensure that your network is protected from viruses, securely backup your critical data to our servers, and provide “remote control” support for application and specific operating system problems.

Our flat annual rate contracts ensure that you don’t have unexpected technical support expenses. In addition, you can get the most out of your technology investment without having to read the manual.

Written by admin

August 25th, 2010 at 11:43 am

Posted in Technology

Local and Wide Area Networking

without comments

Tech Two has several years of experience in designing and implementing local and wide area networks for a number of organizations.  We can cable or install 802.11x local area networks, and ensure that these networks are appropriately secure.  In addition, we are able to implement application, authentication, file, and database servers as required by the organization.  We can also help you to implement appropriate server technology, or help you to virtualize your existing server fleet.  We build custom servers for our clients, or we recommend pre-built/configured servers.  We also are able to provide your organization with workstations, printers, and other peripherals.

Are you a non-profit? You may qualify for significant discounts on software products from companies like Microsoft ©, Symantec ©, and others. We can help you to get the best price on software licensing for your servers or workstations.

We also offer technical support for your networks, and can provide you with a support contract or hourly support as needed. Need help sharing internet access, files, printers, or data with members of your organization? We can implement a network that will serve your needs.

Written by admin

August 25th, 2010 at 11:43 am

Posted in Technology