<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>BS25999.COM</title>
	<atom:link href="http://www.bs25999.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.bs25999.com</link>
	<description></description>
	<lastBuildDate>Tue, 02 Mar 2010 23:20:02 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Working with Time Zones</title>
		<link>http://www.bs25999.com/2010/03/working-with-time-zones/</link>
		<comments>http://www.bs25999.com/2010/03/working-with-time-zones/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 23:18:51 +0000</pubDate>
		<dc:creator>harveyf</dc:creator>
				<category><![CDATA[BCM]]></category>
		<category><![CDATA[GMT]]></category>
		<category><![CDATA[ISO Time Format]]></category>
		<category><![CDATA[Time Zones]]></category>

		<guid isPermaLink="false">http://www.bs25999.com/?p=76</guid>
		<description><![CDATA[Issues regarding daylight saving have highlighted the need for more understanding of time and how it affects business continuity and emergency planning managers.
This is a short tutorial covering the basics of time zones, ISO Time Format and daylight saving. As can be appreciated it is a very complex subject and there are further reading links [...]]]></description>
			<content:encoded><![CDATA[<p>Issues regarding daylight saving have highlighted the need for more understanding of time and how it affects business continuity and emergency planning managers.</p>
<p>This is a short tutorial covering the basics of time zones, ISO Time Format and daylight saving. As can be appreciated it is a very complex subject and there are further reading links at the end of the document.</p>
<h3>Time Zones</h3>
<p>A time zone is a region of the Earth that keeps the same standard time. Nominally the Earth is divided into 24 zones, numbered from -12 through 0 to +12. Each one spans 15 degrees of longitude measured East or West from the Prime Meridian, which is 0 degrees longitude, and each is an hour apart because the Earth rotates through 15 degrees per hour.</p>
<p>The Prime Meridian runs through the Royal Observatory in Greenwich, England. The Royal Observatory was established in 1675, amongst other things, to perfect the art of navigation.</p>
<p>The measurement of time is fundamental to the functioning of modern society and in particular navigation and technology.</p>
<p>Variations in time zone do exist to take into account geographical boundaries as can be seen from the time zone map below.</p>
<p>There are both civilian and military designations for time zones.</p>
<p>The civilian ones typically use three-letter abbreviations, for example EST. Military/aviation designations use single letters of the alphabet (except J, which is reserved to mean the observer's local time) and are known by their phonetic names. A to M are for zones East of Greenwich and N to Y for zones West of Greenwich. Z is GMT.</p>
<p>Each letter corresponds to a numeric offset from GMT; the zero offset is written as</p>
<p>GMT = Greenwich Mean Time (civilian)</p>
<p>Z = Zulu (military)</p>
<p>The most commonly known means of defining time is GMT or Greenwich Mean Time, which is the mean solar time at 0 degrees longitude. For most purposes GMT is the same as Universal Time (UT).</p>
<p>Because the Earth's rotation is not perfectly uniform, GMT cannot be used when very high accuracy is needed.</p>
<p>Coordinated Universal Time or UTC is a highly precise time scale based on atomic clocks and has uniform seconds. The abbreviation UTC is a compromise between the English (CUT) and French (TUC) orderings of the term and does not stand for "universal time code" as is sometimes thought.</p>
<p>So in summary GMT is based on the Earth's rotation and UTC is based on uniform seconds as measured on highly accurate atomic clocks maintained by a number of organisations.</p>
<p>Whilst the difference between the two is minor for all but the most technically demanding applications (UTC is kept within 0.9 seconds of the Earth's rotation by inserting the occasional leap second), UTC should be used as the standard for time.</p>
<p>Network Time Protocol or NTP, which is used to synchronise clocks over the internet, uses UTC. NTP is a protocol designed to synchronize the clocks of computers over a network. NTP version 3 is an internet draft standard, formalized in RFC 1305. NTP version 4 is a significant revision of the NTP standard and, at the time of writing, had not been formalized in an RFC (it was later published as RFC 5905). Simple NTP (SNTP) version 4 is described in RFC 2030, since superseded by RFC 4330. The practical consequence for incident investigation is that every system whose logs may need to be correlated should be synchronised to UTC by NTP and should record either UTC or an explicit offset in each timestamp.</p>
<h3>Daylight Saving Time</h3>
<p>Daylight Saving Time or Summer Time is a system of advancing clocks in spring and putting them back in autumn so that waking hours have more daylight. Details vary by location. Many reasons are given for daylight saving, from energy efficiency to people's desire for longer summer evenings and even better voter turnout, but there seem to be as many arguments against as for.</p>
<p>There is also a great deal of variation in how daylight saving is implemented. The rules of DST also change, which can cause problems for electronic or automated systems; the US Energy Policy Act of 2005, for example, moved the start of DST roughly three weeks earlier (and its end a week later) with effect from 2007, and any system still carrying the old rules applied the wrong offset for those weeks.</p>
<h3>ISO Time Format</h3>
<p>The International Organization for Standardization is a worldwide federation of national standards bodies from some 130 countries, one from each country.</p>
<p>Date and time format is defined by ISO 8601:2000 (since superseded by the 2004 edition), Data elements and interchange formats — Information interchange — Representation of dates and times.</p>
<p>The standard defines formats for numerical representation of dates, times and date/time combinations. Local time and Coordinated Universal Time (UTC) are supported.</p>
<p>Dates are for the Gregorian calendar (introduced in 1582), and can be given in year-month-day, year-week-day or year-day formats.</p>
<p>Times are given in 24-hour format. All date and time formats are represented with the largest units given first, i.e., from left to right the ranking is year, month, week, day, hour, minute, second.</p>
<p>For example, 6.36pm would be written as 18:36.</p>
<p>Having a standardised notation system is essential for software and scientific applications.</p>
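<p>As an added worked example (not part of the original tutorial), the following Python script applies the points above to a job a continuity or incident-response team actually faces: timestamps from several systems, written in different conventions, have to be put into true order. It parses ISO 8601 timestamps, treats a trailing Z or an explicit offset as authoritative, converts naive local times from a US clock to UTC under both the pre-2007 and post-2007 DST rules described above, and refuses a wall-clock time that never existed. The source names, offsets and log timestamps are constructed for the example; the US DST rules are coded by hand rather than read from a time zone database so that the script runs anywhere.</p>

```python
# Added example (not from the original post): normalise timestamps written in
# different conventions to UTC, including naive local times from a clock that
# observes US daylight saving under both the pre-2007 and post-2007 rules.
from __future__ import annotations

from datetime import date, datetime, time, timedelta, timezone

SUNDAY = 6  # datetime.weekday(): Monday=0 ... Sunday=6


def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """n-th occurrence of `weekday` in the month (n=-1 means the last one)."""
    if n > 0:
        first = date(year, month, 1)
        return first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))
    next_month = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last = next_month - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - weekday) % 7)


def us_dst_window(year: int) -> tuple[datetime, datetime]:
    """Wall-clock start and end of US daylight saving time (rules valid from 1987).

    The Energy Policy Act of 2005 changed the dates with effect from 2007.
    """
    if year >= 2007:
        start = nth_weekday(year, 3, SUNDAY, 2)   # second Sunday in March
        end = nth_weekday(year, 11, SUNDAY, 1)    # first Sunday in November
    else:
        start = nth_weekday(year, 4, SUNDAY, 1)   # first Sunday in April
        end = nth_weekday(year, 10, SUNDAY, -1)   # last Sunday in October
    # Clocks change at 02:00 local wall-clock time in both directions.
    return datetime.combine(start, time(2)), datetime.combine(end, time(2))


def local_to_utc(wall: datetime, std_offset_hours: int, observes_us_dst: bool) -> datetime:
    """Convert a naive local wall-clock time to an aware UTC datetime.

    Raises ValueError for the hour that never exists when clocks spring forward.
    A time in the repeated hour when clocks fall back is taken as the first
    (daylight-time) occurrence; a real system should log the offset explicitly
    rather than leave the reader to guess.
    """
    offset = timedelta(hours=std_offset_hours)
    if observes_us_dst:
        start, end = us_dst_window(wall.year)
        if start <= wall < start + timedelta(hours=1):
            raise ValueError(f"{wall.isoformat()} never occurred: clocks jumped from 02:00 to 03:00")
        if start <= wall < end:
            offset += timedelta(hours=1)
    return (wall - offset).replace(tzinfo=timezone.utc)


def normalise(ts: str, std_offset_hours: int = 0, observes_us_dst: bool = False) -> datetime:
    """Parse an ISO 8601 timestamp to UTC.

    A trailing 'Z' or an explicit offset wins; a timestamp with no offset is
    treated as local time of the source described by the other two arguments.
    """
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is not None:
        return dt.astimezone(timezone.utc)
    return local_to_utc(dt, std_offset_hours, observes_us_dst)


# Constructed sample events (not real logs): source name, timestamp as written
# by that source, its standard-time offset from UTC, whether it observes US DST.
SAMPLE_EVENTS = [
    ("ny-firewall", "2008-03-10T01:30:00", -5, True),       # local wall clock, New York
    ("lon-proxy", "2008-03-10T06:15:00Z", 0, False),        # already UTC
    ("ber-server", "2008-03-10T07:10:00+01:00", 0, False),  # explicit offset
]


def order_events(events=SAMPLE_EVENTS) -> list[tuple[datetime, str]]:
    """Return the events in true chronological order, keyed on UTC."""
    return sorted((normalise(ts, off, dst), name) for name, ts, off, dst in events)


if __name__ == "__main__":
    for when, who in order_events():
        print(when.isoformat(), who)
```

<p>Sorting the raw strings would put the London proxy event before the Berlin one; keyed on UTC the Berlin event comes first, and the New York firewall entry, which looks like the earliest of the three, is only 05:30Z because 10 March 2008 already fell inside the post-2007 DST window (under the old rules the same wall-clock time would have been 06:30Z).</p>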
]]></content:encoded>
			<wfw:commentRss>http://www.bs25999.com/2010/03/working-with-time-zones/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Imperva Releases Detailed Analysis of 32 Million Breached Consumer Passwords</title>
		<link>http://www.bs25999.com/2010/01/imperva-releases-detailed-analysis-of-32-million-breached-consumer-passwords/</link>
		<comments>http://www.bs25999.com/2010/01/imperva-releases-detailed-analysis-of-32-million-breached-consumer-passwords/#comments</comments>
		<pubDate>Thu, 21 Jan 2010 14:40:27 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.bs25999.com/?p=73</guid>
		<description><![CDATA[London, 21st January,  2010—Imperva, the leader in  Data Security, announced today the release of study analyzing 32 million  passwords recently exposed in the Rockyou.com breach.  Imperva’s Application  Defense Center (ADC) analyzed the strength of the passwords in a report,  Consumer Password Worst Practices, that analyzes 32 million passwords to  [...]]]></description>
			<content:encoded><![CDATA[<p><strong>London, 21<sup>st</sup> January,  2010</strong>—Imperva, the leader in  Data Security, announced today the release of study analyzing 32 million  passwords recently exposed in the Rockyou.com breach.  Imperva’s Application  Defense Center (ADC) analyzed the strength of the passwords in a report,  <em>Consumer Password Worst Practices</em>, that analyzes 32 million passwords to  help consumers and website administrators identify the most commonly used  passwords they should avoid when using social networking or e-commerce sites.</p>
<p>The report can be downloaded at:  <a title="http://www.imperva.com/ld/password_report.asp" href="http://www.imperva.com/ld/password_report.asp">http://www.imperva.com/ld/password_report.asp</a> (registration  not required).</p>
<p>The report identifies the most commonly used  passwords:</p>
<ul>
<li>123456</li>
<li>12345</li>
<li>123456789</li>
<li>Password</li>
<li>iloveyou</li>
<li>princess</li>
<li>rockyou</li>
<li>1234567</li>
<li>12345678</li>
<li>abc123</li>
</ul>
<p>“Everyone needs to understand what the combination of poor passwords  means in today’s world of automated cyber attacks: with only minimal effort, a  hacker can gain access to one new account every second—or 1000 accounts every 17  minutes,” explained Imperva’s CTO Amichai Shulman.  “The data provides a unique  glimpse into the way that users select passwords and an opportunity to evaluate  the true strength of passwords as a security mechanism.  Never before has there  been such a high volume of real-world passwords to examine.”</p>
<p>Some key findings of the study  include:</p>
<ul>
<li>The shortness and  simplicity of passwords means many users select credentials that will make them  susceptible to basic forms of cyber attacks known as “brute force  attacks.”</li>
<li>Nearly 50% of  users used names, slang words, dictionary words or trivial passwords  (consecutive digits, adjacent keyboard keys, and so on). The most common  password is “123456”.</li>
<li>Recommendations  for users and administrators for choosing strong  passwords.</li>
</ul>
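<p>The patterns the report flags (common passwords, consecutive digits, adjacent keyboard keys) can be screened for at account creation or password change. The following Python check is an added example and is not code from Imperva or from the report. It uses only the ten passwords listed above as its denylist; a real deployment would load a far larger breach-derived list. The US keyboard-row layout, the four-character run length and the 12-character minimum are assumptions chosen for illustration.</p>

```python
# Added example (not from the Imperva report or the original post): a
# server-side screen that rejects the password patterns the study found most
# often. The denylist here is just the ten passwords quoted on the page.
from __future__ import annotations

import re

COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123",
}

# Physical rows of a US QWERTY keyboard (assumed layout), used to spot
# "adjacent key" passwords such as qwerty or asdfgh.
KEYBOARD_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` or more consecutive characters step by exactly +1 or -1
    in code point, e.g. '1234', '4321', 'abcd'."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def has_keyboard_walk(pw: str, run: int = 4) -> bool:
    """True if `run` or more consecutive characters sit next to each other on
    one keyboard row, in either direction, e.g. 'qwer', 'lkjh'."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(low) - run + 1):
            chunk = low[i:i + run]
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def check_password(pw: str, min_len: int = 12) -> list[str]:
    """Return the reasons a password should be rejected (empty list = accept).

    The denylist match is made after lowercasing and stripping leading and
    trailing digits and punctuation, so 'Password1!' is still caught as
    'password'. Check order: denylist, length, sequential run, keyboard walk.
    """
    problems = []
    low = pw.lower()
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", low)
    if low in COMMON_PASSWORDS or (core and core in COMMON_PASSWORDS):
        problems.append("on the common-password list")
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if has_sequence(pw):
        problems.append("contains a sequential run")
    if has_keyboard_walk(pw):
        problems.append("contains a keyboard walk")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "Password1!", "qwerty2010!", "blue-tractor-moon-kettle"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

<p>The stripping step matters more than the list itself: most of the variants users produce when a site rejects "password" are "Password1", "password!" or "password123", and all three reduce to the same denylisted core. Run the check on the server, never only in the browser, and return the whole list of problems so the user can fix them in one attempt.</p>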
<p>For enterprises, password insecurity can have serious consequences.   “Employees using the same passwords on Facebook that  they use in the workplace bring the possibility of compromising enterprise  systems with insecure passwords, especially if they are using easy to crack  passwords like ‘123456’,” said Shulman.</p>
<p>“The problem has changed very little over the past 20 years,”  explained Shulman, referring to a 1990 Unix password study that showed a  password selection pattern similar to what consumers select today.  “It’s time  for everyone to take password security seriously; it’s an important first step  in data security.”</p>
<p>Imperva will host a webinar detailing the study’s findings.  To  register, please sign up here: <a title="https://imperva.webex.com/imperva/onstage/g.php?d=792179849&amp;t=a&amp;SourceID=004" href="https://imperva.webex.com/imperva/onstage/g.php?d=792179849&amp;t=a&amp;SourceID=004">https://imperva.webex.com/imperva/onstage/g.php?d=792179849&amp;t=a&amp;SourceID=004</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.bs25999.com/2010/01/imperva-releases-detailed-analysis-of-32-million-breached-consumer-passwords/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is BS25999?</title>
		<link>http://www.bs25999.com/2010/01/what-is-bs25999/</link>
		<comments>http://www.bs25999.com/2010/01/what-is-bs25999/#comments</comments>
		<pubDate>Sun, 10 Jan 2010 19:06:16 +0000</pubDate>
		<dc:creator>harveyf</dc:creator>
				<category><![CDATA[BS25999]]></category>

		<guid isPermaLink="false">http://www.bs25999.com/?p=69</guid>
		<description><![CDATA[BS25999 is a standard that establishes the process, principles and terminology of business continuity management.The standard deals with broad goals and is therefore non prescriptive so as to make it applicable to small and large business and local or global organisations.
The standard aims to achieve the following

Provides a basis for understanding business continuity management
Provides a [...]]]></description>
			<content:encoded><![CDATA[<p>BS25999 is a standard that establishes the process, principles and terminology of business continuity management.The standard deals with broad goals and is therefore non prescriptive so as to make it applicable to small and large business and local or global organisations.</p>
<p>The standard aims to achieve the following</p>
<ul>
<li>Provides a basis for understanding business continuity management</li>
<li>Provides a means of measurement that is consistent and recognised</li>
<li>Provides a system based on established good practice</li>
</ul>
<p>It does not deal in general with emergency planning and management except in the context of an organisations role within a larger civil emergency.</p>
<ul>
<li>Is the standard for me?</li>
<li>If I have a business continuity management plan already in place, why should I use this standard?</li>
<li>Is it just for large organisations?</li>
<li>Is it complicated and going to tie me up in red tape?</li>
<li>Is it just a British Standard, not relevant if I live in the USA?</li>
</ul>
<p>The standard was prepared by BSI Technical Committee BCM/1 whose membership included representatives from the financial services industry, government, academia, the emergency services, business organisations and a number of specialist practitioners from around the world.</p>
<p>It has been designed to be applicable to all sizes and types of organisation, as the broad principles and practices described can be adapted to suit each individual organisation; considerable flexibility exists in how the standard is implemented. Although many industry sectors have a mature business continuity capability, many do not, particularly small to medium businesses.</p>
<p>Having a non prescriptive, moderately easy to understand and consistent set of principles will enable business continuity to mature in a greater number of businesses.</p>
<p>BSI have delivered a standard for the needs of the British market, but it is just as applicable in New York or Munich as it is in London.</p>
<p>Of course, complying with the standard does not confer any immunity from problems, and this must be understood clearly by any organisation looking to use it, but it lays down a common framework that will ultimately enable measurement, benchmarking and certification.</p>
<p>Measurement, benchmarking and certification will provide market assurance that the organisation is well prepared to meet a range of events that may threaten its sustainability and existence.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bs25999.com/2010/01/what-is-bs25999/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Department of Homeland Security and BS25999</title>
		<link>http://www.bs25999.com/2010/01/department-of-homeland-security-and-bs25999/</link>
		<comments>http://www.bs25999.com/2010/01/department-of-homeland-security-and-bs25999/#comments</comments>
		<pubDate>Sun, 10 Jan 2010 19:02:27 +0000</pubDate>
		<dc:creator>harveyf</dc:creator>
				<category><![CDATA[BS25999]]></category>
		<category><![CDATA[DHS]]></category>

		<guid isPermaLink="false">http://www.bs25999.com/?p=67</guid>
		<description><![CDATA[BS 25999 is a business continuity management standard developed by BSI and is used by businesses globally. The Department of Homeland Security (DHS) has announced its intent to adopt BS 25999 (which comes in two parts) on a trial basis as one of three standards for use in the Voluntary Private Sector Preparedness Accreditation and [...]]]></description>
			<content:encoded><![CDATA[<p>BS 25999 is a business continuity management standard developed by BSI and is used by businesses globally. The Department of Homeland Security (DHS) has announced its intent to adopt BS 25999 (which comes in two parts) on a trial basis as one of three standards for use in the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep). PS-Prep is directed by Title IX of the Implementing the Recommendations of the 9/11 Commission Act of 2007.</p>
<p>PS-Prep sets out to enhance nationwide resilience by improving private sector preparedness to establish a common set of criteria for private sector preparedness, including disaster management, emergency management and business continuity programs. Certification to BS 25999 US Edition will be used to confirm compliance with the voluntary preparedness scheme.</p>
<p>Todd VanderVen, President of BSI Americas, said:</p>
<p>“We are delighted to support the PS-Prep with the provision of BS 25999 US Edition. The standard has been used successfully by private businesses around the world assisting organizations of all types and size determine and invest in critical areas of the organization, protect reputation and enhance stakeholder confidence. It will now play a key role for private sector organizations in the USA wishing to demonstrate compliance with the voluntary preparedness scheme.”</p>
<p>Every year thousands of businesses face the risk of a disruption to their business operations, ranging from the effects of everyday disruption such as power failure, to adverse weather conditions to full scale terrorist attacks. Business interruptions can create a chain of ‘knock-on’ effects stretching as far as damaging national and international infrastructure. The need for good guidance in this field has never been stronger.</p>
<p>BS 25999 US Edition sets out the requirements for establishing and maintaining an effective BCM system, effectively enabling an organization to anticipate and prepare for disruption. This might mean being able to rapidly recruit temporary staff or moving premises at very short notice: risks are different for every organization but BS 25999 US Edition helps the organization to determine what they are and make the necessary arrangements. Independent certification to this standard enables an organization to demonstrate to customers, stakeholders and legislators its proactive approach to achieving best practice in the area of BCM.</p>
<p>BS 25999 US Edition is initially available to private businesses in the US for a one month period. At the end of this, all public comments on the standard will be examined and the DHS will evaluate the standard for permanent use in the program.</p>
<p>Selection of the BSI Standard does not imply DHS endorsement of BSI or any of its products or services other than the particular standard to be used for limited purposes.</p>
<p>For more information on BS 25999 US Edition, visit the BSI website.</p>
<p><a title="www.bsiamerica.com" href="www.bsiamerica.com">www.bsiamerica.com</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.bs25999.com/2010/01/department-of-homeland-security-and-bs25999/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>5 Security Truths</title>
		<link>http://www.bs25999.com/2010/01/5-security-truths/</link>
		<comments>http://www.bs25999.com/2010/01/5-security-truths/#comments</comments>
		<pubDate>Sun, 10 Jan 2010 18:52:08 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.bs25999.com/?p=60</guid>
		<description><![CDATA[Anyone who tells you that your IT network is “100% secure” is either a fool, or greatly mistaken. Security is a moving target, and unfortunately, this target is being manipulated by the bad guys.

Forget the rearview mirror: The bad guys are ahead of you
Leave the lights on — always
Don’t forget the boiling oil! Your mom [...]]]></description>
			<content:encoded><![CDATA[<p>Anyone who tells you that your IT network is “100% secure” is either a fool, or greatly mistaken. Security is a moving target, and unfortunately, this target is being manipulated by the bad guys.</p>
<ul>
<li>Forget the rearview mirror: the bad guys are ahead of you</li>
<li>Leave the lights on — always</li>
<li>Don’t forget the boiling oil!</li>
<li>Your mom was right: change your underwear, often</li>
<li>Don’t let vendors put you in their box</li>
</ul>
<h3>Forget the Rear View Mirror</h3>
<p>You may not know the intent of those attacking your systems; however what you should know is that they probably know more than you. The security industry does not innovate; we simply chase behind the true innovators and try to keep up.</p>
<p>Zero-day attacks and unknown vulnerabilities. Malware and botnets. There is no magic crystal ball to tell you what’s coming next, but you need to be looking to secure your future.</p>
<p>Looking in the rearview mirror you will see investment in network controls that stop simple mass attacks. But the attackers have evolved and “moved up the stack”, going after applications and host systems with targeted attacks. The commercial and custom software that runs on these hosts contains thousands of vulnerabilities. Using simple, widely-known techniques, hackers can exploit these vulnerabilities and easily gain complete access to the hosts.</p>
<p>It always will be important to keep current with the latest patches to remediate vulnerabilities. However, the lag time between discovery of a vulnerability and an exploit is rapidly dwindling.</p>
<p>Zero-day (and zero-hour!) attacks are a reality: you are hit before you even know there is a problem. This renders traditional signature-based, reactive protection inadequate. A proactive protection stance is now necessary. What I mean by this: you need to find ways to apply compensating measures to shield vulnerabilities immediately. This will buy your organization the time needed to wait to receive, test and soak the patch appropriately before deploying.</p>
<p>As the threats continue to evolve, we need to evolve our controls, and the mindsets behind them.</p>
<h3>Leave the lights on — always</h3>
<p>TJX has become a household brand, for all the wrong reasons. The UK Foreign and Commonwealth Office was just slapped for endangering the privacy and identities of people applying for visas to enter the UK.</p>
<p>Security is about vigilance. You need to leave the lights on, or in other words, do everything you can to dissuade attackers by making it difficult for them to attain their goal. You don’t have to be perfect; you just have to be a little bit more secure than the neighbour, as attackers will go after easier targets first.</p>
<p>You need to recognize that the new age of information technology tools means that the average security level of software is going down. It was hard enough to find application developers who understood security, but now we see web applications built by amateurs using scripting languages, and you can appreciate the problem. In the web 2.0 world these applications execute across firewall boundaries, opening more seams for clever attackers to exploit.</p>
<p>A mistake made by one, has consequences for all.</p>
<h3>Don’t forget the boiling oil!</h3>
<p>Defence-in-depth works. Castles historically had strong perimeter defences, but the buckets of boiling oil were on standby to discourage attackers that got past the moat and drawbridge.</p>
<p>Traditional perimeter defences for our networks are necessary, but no longer sufficient. There are so many ways to get through the perimeter. An attack might originate from an end user lured to a malicious site, or to a legitimate site compromised by malware. The resulting downloaded malware tunnels in through the HTTP session, ready to launch exploits from within your network perimeter. More frequent use of encryption is problematic, as it can blind network scanning tools and provide a convenient tunnel for malware to enter the enterprise.</p>
<p>Security professionals, and indeed most business executives, fundamentally accept the basic premise that it takes multiple layers of defence to protect against the wide variety of attacks and threats. A single product or security layer is not sufficient. A layered, defence-in-depth approach gives multiple lines of defence that will allow one product to catch things that may have slipped past the outer defences.</p>
<p>Learn from the past to secure the future.</p>
<h3>Your mom was right: change your underwear, often</h3>
<p>Let’s talk about what “vigilance” in security really means. Regulations are popping up in every industry and country or region around the world. When it comes to security, much of these regulations, in particular prescriptive regulations such as PCI, are advancing security in leaps and bounds.</p>
<p>The problem with these regulations is how we (organizations collectively) are dealing with them. Official audits cause mad panic as we rush to apply all security patches and controls to comply with regulations. Shortly thereafter, complacency and forgetfulness allow controls to lapse and patches to be avoided.</p>
<p>Compliance is more than just for the auditors; it will help protect your business. But, compliance does not equal security. Only you can be responsible to keep your house in check.</p>
<h3>Don’t let vendors put you in their box</h3>
<p>This is not about thinking “outside the box” unless of course you use these as code words for saying “works with more than just Microsoft.” One of the most common complaints that we have heard from CIOs and CISOs around the world is the prevalence of Microsoft-fanatical vendors — even worse, those that support singular versions of Microsoft products.</p>
<p>Look for security vendors and products that work (well) across the broadest range of platforms. There are extremely varied opinions on the security of open source operating systems and applications, but regardless, you should not let a vendor tell you how to run your business when you are asking them how to secure your business.</p>
<p>You need to be wary of vendors that claim to provide a “one-stop shop” for all things security. There is significant value in a diversity of security approaches to match the diversity of approaches to malware and other forms of attacks.</p>
<p>Security needs to be able to be deployed where and when you need it. As embarrassing as it sounds, this fundamental fact seems to have been forgotten by the majority of security vendors around the world. The forklift approach to security installation does not work when you are protecting mission critical systems. Security mechanisms need to complement existing systems and should not disrupt your business.</p>
<p>Great security + poor deployment = bad security</p>
<p>Good security + good deployment = great security</p>
<h3>Looking to the future</h3>
<p>From London, to Frankfurt, or even Beijing, the security game being played has new players and new purpose. Today’s cybercriminals are organized, ruthless, and financially or politically motivated. Your best line of defence is a defence-in-depth approach to security.</p>
<p>Make sure you choose vendors (not vendor) that are willing to chase your attackers as much as they chased you for your business.</p>
<p><strong>Brian O’Higgins</strong>, CTO for leading intrusion defence firm, Third Brigade, is best known for his role introducing PKI products to the security landscape. <a title="http://www.thirdbrigade.com/" href="http://www.thirdbrigade.com/">http://www.thirdbrigade.com/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.bs25999.com/2010/01/5-security-truths/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BS25999 BCMS Summary</title>
		<link>http://www.bs25999.com/2009/12/bs25999-bcms-summary/</link>
		<comments>http://www.bs25999.com/2009/12/bs25999-bcms-summary/#comments</comments>
		<pubDate>Tue, 22 Dec 2009 22:50:18 +0000</pubDate>
		<dc:creator>harveyf</dc:creator>
				<category><![CDATA[BS25999]]></category>
		<category><![CDATA[Act]]></category>
		<category><![CDATA[BCMS]]></category>
		<category><![CDATA[BS25999-2:2007]]></category>
		<category><![CDATA[Check]]></category>
		<category><![CDATA[Do]]></category>
		<category><![CDATA[Plan]]></category>

		<guid isPermaLink="false">http://www.bs25999.com/?p=46</guid>
		<description><![CDATA[BS25999-2:2007 requires a Business Continuity Management System (BCMS) be implemented, maintained and improved.
An organisations business continuity programme is defined in a management system, termed the Business Continuity Management System or shortened to BCMS (sorry, another acronym to learn)
The general requirement of the standard is that the organisation, fairly obviously, develops, implements, maintains and improves a [...]]]></description>
			<content:encoded><![CDATA[<p>BS25999-2:2007 requires a Business Continuity Management System (BCMS) be implemented, maintained and improved.</p>
<p>An organisations business continuity programme is defined in a management system, termed the Business Continuity Management System or shortened to BCMS (sorry, another acronym to learn)</p>
<p>The general requirement of the standard is that the organisation, fairly obviously, develops, implements, maintains and improves a business continuity management system in line with the familiar PLAN-DO-CHECK-ACT model.</p>
<p><div id="attachment_51" class="wp-caption alignnone" style="width: 570px"><a rel="attachment wp-att-51" href="http://www.bs25999.com/2009/12/bs25999-bcms-summary/bs25999_plan_do_check_act-2/"><img class="size-full wp-image-51" title="BS25999_Plan_Do_Check_Act" src="http://www.bs25999.com/wp-content/uploads/2009/12/BS25999_Plan_Do_Check_Act1.png" alt="BS25999 Plan Do Check Act1 BS25999 BCMS Summary " width="560" height="301" /></a><p class="wp-caption-text">BS25999 — Plan Do Check Act</p></div><br />
<strong>PLAN:</strong> Establish business continuity policy, objectives, targets, controls, processes and procedures.<br />
<strong>DO: </strong>Actually get on and implement one's plans<br />
<strong>CHECK: </strong>Monitor and review performance against objectives and policy<br />
<strong>ACT:</strong> Take preventative and corrective actions to ensure continuous improvement</p>
<h3>Establish and Manage the BCMS [PLAN]</h3>
<p>This section requires that the organisation defines its business continuity requirements in terms of its overall objectives and that the scope of the BCMS is clearly defined, for example is it just for the London office or the whole organisation.</p>
<p>In what is a potentially large task it also requires that the organisation assures itself, by whatever demonstrable method, that its key suppliers and outsourced agencies also have effective BCM in place. Probably the easiest way to demonstrate that suppliers have effective business continuity is to require them to hold BS25999 certification, admittedly a somewhat difficult thing to achieve. Other means might include inspections, questionnaires etc.</p>
<p>The BCMS must as a minimum contain;</p>
<p>* A business continuity policy<br />
* Responsibilities<br />
* Management Processes<br />
* Topic Specific Processes<br />
* Documentation</p>
<p>A BCM policy is required that demonstrates commitment and details the scope and objectives of the BCMS. This policy also has to be regularly reviewed and made available to all relevant parties. Very similar to a quality policy or security policy this forms the foundation of the BCMS because it demonstrates clear management commitment and sets out responsibilities.</p>
<p>The organisation has to demonstrate that an appropriate level of resources is allocated, that a person is nominated to be accountable for the BCMS, and that a person is responsible for its implementation and maintenance. These do not have to be the same person; in larger organisations it means that a senior manager, perhaps a Board member, is accountable but a Business Continuity Manager is responsible for implementation and maintenance.</p>
<p>Any person who is assigned responsibilities in the BCMS also has to have appropriate competency. There also has to be documented evidence to support this. How organisations choose to demonstrate competence is up to them and might include interview notes, professional qualifications, references, training records, tests, copies of published work or a mix of various items. Of course with a nod to the various professional organisations out there one of the quickest ways to demonstrate competence would be to have copies of their professional qualifications on file.</p>
<p>Training and competency management for those involved in the BCMS either by virtue of their day to day role or involvement in a recovery or incident is required.</p>
<p><em>Embedding Business Continuity Management in the Organisations Culture</em><br />
BCM has to become a central part of its management outlook and an ongoing BCM education and information programme must be in place.</p>
<p><em>Business Continuity Management Systems Documentation and Records</em><br />
The documentation that forms part of the BCMS has to be fully controlled and protected by document release and authorisation processes.</p>
<p>As a minimum the BCMS must contain the following documentation:</p>
<p>* Scope<br />
* Policy<br />
* Resource provision<br />
* Staff competency and records<br />
* BIA, risk assessment and BC strategy<br />
* Incident response structure, incident response plan and business continuity plan<br />
* Exercise arrangements<br />
* Maintenance, review and audit procedures<br />
* Preventative and corrective actions<br />
* Management reviews and evidence of continual improvement</p>
<p>Records management, which supports the Plan-Do-Check-Act model, forms a key part of the standard and covers, for example, retention, location, authorisation and issue status.</p>
<p>The BCMS documentation may be maintained in hard copy or soft copy formats.</p>
<h3>Implement and Operate BCMS [DO]</h3>
<p>Get out there and put those plans into action.</p>
<p><em>Understand the Organisation</em><br />
This section essentially formalises what is in Part 1; that is, carry out a BIA in a structured and documented manner and record the results. Using a documented risk assessment process the organisation shall analyse the threats it faces and its vulnerabilities to those threats, measured against its critical activities and resources. Then decide how the organisation is going to address those risks. One of the key elements of this section is that the risk assessment process must be documented, so again organisations can simply document how they do it or use a recognised method and refer to that in their BCMS. Once the organisation is understood in terms of impacts, risks and likelihoods a reasonable strategy can be decided upon.</p>
<p><em>Develop and Implement a BCM Response</em><br />
Once a strategy has been decided upon, implement it. This also includes the incident response structure.</p>
<p><em>Exercising and Maintaining BCM Arrangements</em><br />
When the BCM response has been implemented it has to be tested with an exercise programme that is appropriate for the organisation.</p>
<h3>Monitor and Review the BCMS [CHECK]</h3>
<p>To ensure that the BCMS is effective a monitoring and review process shall be implemented.</p>
<p>This is broadly split into two elements:</p>
<p><em>Internal Audit</em><br />
If the organisation already has an internal audit function it may make sense to utilise the processes and procedures already being used. Personnel not specifically trained in business continuity may also be used, since internal audit should be an objective process.</p>
<p><em>Management Review</em><br />
Management review would ordinarily be an annual exercise involving review of internal and external audit activity, resources and other inputs and outputs. The overall objective of the management review is to determine whether the BCMS continues to meet the organisation's needs. A management review may also take place in light of significant organisational change.</p>
<h3>Maintain and Improve the BCMS [ACT]</h3>
<p>One of the goals of any management standard is that of continuous improvement.</p>
<p>The standard requires that organisations continually improve the general effectiveness of the BCMS with a mixture of both preventative and corrective actions. Preventative and corrective actions are identified by a range of activities such as audits, event analysis or management reviews. They have to be formally recorded and acted upon and these records held for inspection.</p>
<p>The management review will determine a range of actions that need to be taken.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bs25999.com/2009/12/bs25999-bcms-summary/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Achieving BS25999 Certification</title>
		<link>http://www.bs25999.com/2009/12/achieving-bs25999-certification/</link>
		<comments>http://www.bs25999.com/2009/12/achieving-bs25999-certification/#comments</comments>
		<pubDate>Tue, 22 Dec 2009 22:22:12 +0000</pubDate>
		<dc:creator>harveyf</dc:creator>
				<category><![CDATA[BS25999]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[Certification]]></category>
		<category><![CDATA[Compliance]]></category>

		<guid isPermaLink="false">http://www.bs25999.com/?p=44</guid>
		<description><![CDATA[BS25999 Part 2 is a Specification, not a Code of Practice like Part 1. So what is the difference? Part 2 is a Specification and deals with ‘Shall’ rather than ‘Should’ as the Part 1 Code of Practice does.
Titled BS 25999–2:2007 Specification for business continuity management and includes…
* Documentation Requirements
* Management responsibility
* Internal BCMS Audit
* [...]]]></description>
			<content:encoded><![CDATA[<p>BS25999 Part 2 is a Specification, not a Code of Practice like Part 1. So what is the difference? Part 2 is a Specification and deals with ‘Shall’ rather than ‘Should’ as the Part 1 Code of Practice does.</p>
<p>It is titled BS 25999-2:2007 Specification for business continuity management and includes:</p>
<p>* Documentation Requirements<br />
* Management responsibility<br />
* Internal BCMS Audit<br />
* Management review of BCMS<br />
* BCMS Improvement</p>
<p>The standard was published on November 20th 2007.</p>
<p><em>How does an organisation seek compliance with the standard?</em></p>
<p>As with most management standards the process is relatively standardised, following the guidelines in ISO/IEC 17021.</p>
<h3>STEP 1 — Application</h3>
<p>Apply to a certification body. Certification bodies are organisations accredited to certify other organisations, for example BSI or LRQA (these two are not the only ones). The scope of the BCMS will need to be agreed. The certification body will then create a proposal detailing the number of assessment days required, costs and so on. If the organisation chooses to proceed, the assessment is scheduled.</p>
<h3>STEP 2 — Pre Assessment</h3>
<p>A pre-assessment may be used to provide a snapshot of readiness for the full assessment. Sampling and other techniques may be used in this pre-assessment. Any areas of omission will be raised and an estimate of remedial work, should any be needed, will be made. The formal assessment may be delayed if it is thought unlikely that the organisation would pass.</p>
<h3>STEP 3 — Assessment</h3>
<p>The formal assessment is then made, during which all areas of the Part 2 Specification will be covered. In line with ISO/IEC 17021, and in a similar way to other management standards, the formal assessment is done in two parts.</p>
<p><strong>Stage 1:</strong> This stage will cover the Business Continuity Management System and will examine BCMS documentation, the management review/audit system and evaluation of readiness for stage 2. Planning for Stage 2 will also take place.</p>
<p><strong>Stage 2:</strong> This stage examines the implementation of the BCMS i.e. objective evidence. It may involve inspection of records, interviews of personnel and physical inspections.</p>
<p>Any observations or non conformities will be formally recorded and a recommendation for certification or not made.</p>
<h3>STEP 4 - Recommendation and Award</h3>
<p>If the assessor recommends the client for certification, the recommendation is forwarded to the certification body's BS25999 certification manager for final review and issue of the certificate. If the client fails the audit a corrective action plan is usually agreed and a second audit arranged.</p>
<h3>STEP 5 — Continued Assessment</h3>
<p>When the certificate has been awarded surveillance audits will be planned, typically at yearly intervals. These surveillance visits will examine the effectiveness of the BCMS, management reviews/audit, progress of continual improvement actions, change review and possibly the use of the registration marks in publicity materials etc. A full reassessment will also be carried out at longer intervals, usually 3 years although this will depend on both the organisation and the certification body.</p>
<p><em>What are the benefits of certification?</em></p>
<p>As mentioned, the standard comes in two parts. Splitting them is designed to make it easier to understand and deploy. Part 2, the Specification, sets out the minimum that an organisation shall do in order that its business continuity arrangements are effective.</p>
<p>Implementing BS25999 Part 1, the Code of Practice, will undoubtedly provide many benefits to an organisation, but there is no doubt that achieving certification will require significant extra work. So what are the benefits?</p>
<p>In a word, demonstrability.</p>
<p>Holding certification to a known and accepted management standard such as BS25999 Part 2 avoids having to say to stakeholders ‘Trust me’.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bs25999.com/2009/12/achieving-bs25999-certification/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Create and Test Effective Disaster Recovery Plans</title>
		<link>http://www.bs25999.com/2009/12/how-to-create-and-test-effective-disaster-recovery-plans/</link>
		<comments>http://www.bs25999.com/2009/12/how-to-create-and-test-effective-disaster-recovery-plans/#comments</comments>
		<pubDate>Tue, 22 Dec 2009 21:55:43 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[ICT Resilience]]></category>
		<category><![CDATA[DR]]></category>
		<category><![CDATA[Testing]]></category>

		<guid isPermaLink="false">http://www.bs25999.com/?p=42</guid>
		<description><![CDATA[Writing and testing a disaster recovery plan is one of the key elements of business continuity management. Traditionally business continuity and disaster recovery (DR) planning have always been separated between the business and the information technology (IT) department.
It has long been recognised that this “divide” creates more problems than it solves, after all most businesses [...]]]></description>
			<content:encoded><![CDATA[<p>Writing and testing a disaster recovery plan is one of the key elements of business continuity management. Traditionally business continuity and disaster recovery (DR) planning have always been separated between the business and the information technology (IT) department.</p>
<p>It has long been recognised that this “divide” creates more problems than it solves. After all, most businesses could not continue to operate successfully if their IT services were unavailable for a period of time; depending on the nature of your business this may range from a few hours to several days.</p>
<p>The launch of BS 25999 has established a Business Continuity Management (BCM) standard which intrinsically links BCM, Incident Management and IT DR. Essentially the key message is that to have true business continuity you must also have a strong IT DR capability. A disaster recovery plan should interface with the overall business continuity management plan, be clear and concise, focus on the key activities required to recover the critical IT services, be tested, reviewed and updated on a regular basis, have an owner, and enable the recovery objectives to be met.</p>
<h3>Recovery Objectives</h3>
<p>The two key recovery objectives which many people are familiar with are the recovery time objective (RTO): how long can my business continue to function without the critical IT services, i.e. how quickly must I recover the service from the “decision to invoke”; and the recovery point objective (RPO): from what point in my processing cycle am I going to recover my data, i.e. how much data am I prepared to lose or have to re-enter from an alternate source.</p>
<p>There are several options, these are:</p>
<p>* Zero data loss, recovery to the point of failure<br />
* Start of the current business day (SoD)<br />
* End of the previous business day (EoD)<br />
* Intraday</p>
<p>Intraday is a point between the last available backup (SoD or EoD) and the failure, for argument's sake midday. Period end, such as the weekly or monthly backup, is a further possible recovery point.</p>
<p>There is also a further measure, the Maximum Tolerable Outage (MTO): the maximum time that my business will survive from the initial service interruption.</p>
<p>The recovery objectives must be based upon solid business requirements identified by the Business Impact Analysis (BIA) process.</p>
<p>The figure referred to above demonstrates the correlation between the incident starting, the reporting process, the investigation process, the decision making process and the recovery process. If the MTO is 12 hours and the IT DR process takes 8 hours to perform from the invocation point, then the decision to invoke has to be made within 4 hours of the initial incident.</p>
<p>Knowing this “lead time” is crucial to implementing an effective incident management and escalation process. The recovery time objective is where most misunderstanding occurs between the Business and IT Department.</p>
<p>The message from IT to the Business is “of course we can recover services within your required recovery time”.</p>
<p>The hidden assumption is that recovery starts the moment the incident is detected. Generally speaking, many organisations recover from minor incidents or service interruptions well within their MTO, which masks how little lead time is left for a real invocation decision.</p>
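<p>The lead-time arithmetic above is easy to get wrong once several services with different MTOs and recovery dependencies are involved, so here is an added worked example (not code from the original article or from any vendor named on this page) that computes it from a BIA-style service list. It goes slightly beyond the text: it sequences recovery in dependency order, the way the "pre-requisites and dependencies" section of a DR plan describes, and derives the latest moment at which the decision to invoke can still be taken. The services, MTOs, recovery durations and backup times are constructed sample values; the model assumes that independent services are recovered in parallel by separate teams and that a dependent service cannot start until everything it depends on is restored.</p>

```python
"""Recovery timeline check for an IT DR plan.

Added illustration; not code from the original article. All service names,
MTOs, durations and timestamps below are constructed sample values that stand
in for the output of a Business Impact Analysis.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Service:
    name: str
    mto_hours: float        # Maximum Tolerable Outage, measured from the initial interruption
    recovery_hours: float   # hands-on recovery time once every prerequisite is available
    depends_on: list = field(default_factory=list)


def recovery_schedule(services):
    """Earliest (start, finish), in hours after the decision to invoke, for each service.

    Assumption: independent services are recovered in parallel; a service starts only
    when every service it depends on has finished. An unknown dependency or a
    dependency cycle raises ValueError, since both are plan defects that should be
    caught in a test rather than during a live invocation.
    """
    by_name = {s.name: s for s in services}
    schedule = {}
    in_progress = set()

    def finish_time(name):
        if name in schedule:
            return schedule[name][1]
        if name not in by_name:
            raise ValueError(f"unknown dependency: {name}")
        if name in in_progress:
            raise ValueError(f"dependency cycle at: {name}")
        in_progress.add(name)
        svc = by_name[name]
        start = max((finish_time(d) for d in svc.depends_on), default=0.0)
        schedule[name] = (start, start + svc.recovery_hours)
        in_progress.remove(name)
        return schedule[name][1]

    for svc in services:
        finish_time(svc.name)
    return schedule


def invocation_deadline(services, schedule):
    """Latest hour after the initial interruption at which the decision to invoke can
    still be taken so that every service is restored within its MTO.

    This is the lead time available for reporting, investigation and decision making.
    A negative result means at least one MTO cannot be met even with instant invocation.
    """
    return min(s.mto_hours - schedule[s.name][1] for s in services)


def data_loss_window(rpo_hours, last_backup, failure):
    """Hours of data lost when recovering to `last_backup`, and whether that is within the RPO."""
    lost = (failure - last_backup).total_seconds() / 3600.0
    return lost, lost <= rpo_hours


# Constructed sample BIA output. The critical path network -> database -> order-app
# takes 8h against a 12h MTO, reproducing the article's 4h decision window.
SAMPLE_SERVICES = [
    Service("network", mto_hours=12, recovery_hours=2),
    Service("database", mto_hours=12, recovery_hours=4, depends_on=["network"]),
    Service("order-app", mto_hours=12, recovery_hours=2, depends_on=["database"]),
    Service("email", mto_hours=24, recovery_hours=3, depends_on=["network"]),
]


def sample_rpo_check():
    """Constructed scenario: end-of-day backup at 18:00, failure at 11:00 next morning, 24h RPO."""
    return data_loss_window(24, datetime(2010, 3, 1, 18), datetime(2010, 3, 2, 11))


def main():
    schedule = recovery_schedule(SAMPLE_SERVICES)
    for name, (start, finish) in schedule.items():
        print(f"{name:10s} starts +{start:4.1f}h  restored +{finish:4.1f}h after invocation")
    print(f"decision to invoke needed within {invocation_deadline(SAMPLE_SERVICES, schedule):.1f}h")
    lost, ok = sample_rpo_check()
    print(f"recovering to the EoD backup loses {lost:.0f}h of data; within RPO: {ok}")


if __name__ == "__main__":
    main()
```

<p>Run it and the order-app service is restored 8 hours after invocation, so with a 12 hour MTO the invocation decision must be taken within 4 hours of the incident starting; lengthen the database restore by a single hour and that window shrinks to 3. Feeding the real BIA figures through the same check is a cheap way to find out whether the incident management escalation process actually leaves enough lead time before a plan is exercised.</p>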
<p>The following diagram gives a high level incident management and DR invocation flow:</p>
<h3>Disaster Recovery Plan Objectives</h3>
<p>The key objective of a disaster recovery plan is to detail the key activities required to reinstate the critical IT services within the agreed recovery objectives. The most effective starting point for any DR plan is the “Declaration of a Disaster”: the point at which an incident has been deemed serious enough that “forward fixing” at the primary location is impractical or is likely to result in an outage extending beyond the Maximum Tolerable Outage.</p>
<p>There are a number of common mistakes which organisations make when creating a DR plan; these relate to the level of detail the plans contain and the “standalone” nature of their construction.</p>
<h3>So what level of detail should the plan contain?</h3>
<p>The answer will depend on who you ask; the more people you ask, the more varied the replies you will receive. It is advisable to keep the IT DR plan as concise as possible and focus only on the key information required at the time of a disaster.</p>
<h3>So what information should the DR plan contain?</h3>
<p>As a minimum the plan should contain the following information:</p>
<p>A statement detailing the scope and capability of the DR Plan, exactly when should this plan be used and what “consequences” are covered. It is advisable to focus on the consequences of an incident rather than the cause.</p>
<h3>Why focus on consequences rather than the cause?</h3>
<p>Is it really important why the data centre is destroyed? As far as the DR Plan is concerned the answer is no. The same process and recovery stages will be followed regardless of the cause; fire, flood, terrorist incident or the proverbial aircraft impact will all result in the partial or total destruction of the data centre.</p>
<p>The only relevant question is what the impact is and whether I can realistically continue to host services from my primary site or should invoke and recover/resume the critical services at my secondary site.</p>
<p>A description of the key roles and responsibilities, so that anyone assigned to a particular role in the recovery team understands what is required of them. Should you name individuals in the plan? Ideally individuals who are expected to perform a particular role should already be aware that they are likely to be called upon and should have received the relevant training. It is advisable to record the names and contact details of individuals in the relevant section of the overall BCM plan rather than the DR Plan. There is no reason why the names of the individuals on duty at the time can’t be entered into the recovery log as the “designated recovery manager” or other predefined role.</p>
<p>A summary of the critical services, their recovery objectives and recovery priorities. This information may be lifted from the Business Impact Analysis (BIA) performed as part of the overall BCM process. Summarising it in the invocation plan removes the inevitable discussions at the time of the incident and provides a reference point for the recovery teams.</p>
<p>Third party contact details, particularly for those that may be required to assist in the recovery effort or that provide recovery services, for example:</p>
<p style="padding-left: 30px;">The secondary (DR) data centre service provider. You will need contact details, address, maps and of course the invocation process and codes. It is advisable to invoke as soon as it becomes clear the incident is likely to become a disaster recovery situation. You can always “stand down” if the incident can be forward fixed (some service providers may levy a charge for this).</p>
<p style="padding-left: 30px;">Your media handling company. Are your disaster recovery tapes removed from your data centre and vaulted off-site? If so you will want to arrange for them to be retrieved and sent to your recovery centre at the earliest opportunity.</p>
<p>Mobilisation of the recovery teams. Which teams and individuals need to be contacted to recover the services? At this stage of the recovery the incident management team will already know the extent of the incident and should have placed the recovery teams on standby (if not, make sure this is done at the earliest opportunity).</p>
<p>The plan should list the teams and skills required, not individuals. Individual contact details have to be recorded somewhere; it is normal practice, as part of the overall business continuity management programme, to maintain “contact lists”. Rather than repeat the detailed contact information, the DR Plan should reference the relevant sections of the BCM plan.</p>
<p>Detailed recovery activities and sequence of events, including pre-requisites, dependencies and responsibilities.</p>
<h3>What level of detail should you include in this section of the DR Plan?</h3>
<p>This is very much down to personal choice, however, as a minimum you should include:</p>
<p>The recovery process and flow of activities; the high level activities, for example load operating systems, install application software, restore data, synchronise databases, make configuration changes, post-recovery checks, open the service to users; the pre-requisites and dependencies for each activity; and responsibilities, i.e. who will perform each activity.</p>
<p>Should you include the detailed activities for installing an operating system or restoring a database? The detailed recovery procedures should be held locally by the team responsible for performing them. There are several reasons for this: the “how do I install Windows” instructions will be used for business as usual activities, minor incidents and disaster recovery alike, and they change far more often than the plan. The DR Plan only needs to reference these documents. If you find it an absolute necessity to include them in your DR Plan then do so as appendices and not in the main body of the document; don’t allow the key purpose of the DR Plan to be lost in unnecessary or duplicated detail.</p>
<h3>Testing the Disaster Recovery Plan</h3>
<p>IT DR testing should be performed on a regular basis; the exact frequency very much depends on your own organisational needs. However, it is usual for “full deployment” tests to be performed, as a minimum, on an annual basis. There are of course other “trigger points”, for example a change in your infrastructure that affects your disaster recovery strategy, such as moving from an active/contingency recovery model to an active/passive recovery model.</p>
<p>What do I test?</p>
<p>This question is probably the most common question asked, and the answer is simple: you test the plans, the process, the people and the infrastructure, in fact every component required to recover and resume your critical IT services.</p>
<p>What are the key objectives of a DR test? There are several key objectives of a test, the main ones are:</p>
<p>Exercise the recovery processes and procedures; familiarise staff with the recovery process and documentation; verify the effectiveness of the recovery documentation; verify the effectiveness of the recovery site; establish whether the recovery objectives are achievable; identify improvements required to the DR strategy, infrastructure and recovery processes.</p>
<p>What is the scope of a DR test?</p>
<p>The scope will very much depend on the maturity of your DR strategy and capability, it is important to scope the test to stretch the objectives and success criteria of the previous test, for example, if this is your first test, you may not want to have the entire user community scheduled to come in and perform lots of testing, you may wish to limit the scope to just IT staff and maybe a couple of “friendly users” to test functionality. Depending on the complexity of your environment it may take several tests to build confidence and perform a “full deployment” test.</p>
<p>Common DR testing mistakes are:</p>
<p style="padding-left: 30px;">Operating within your comfort zone, for example recovering the servers you know you can recover whilst avoiding the more difficult components.</p>
<p style="padding-left: 30px;">Not testing the recovery of a service but focusing on the hardware, systems and applications. Remember, a particular service may require several servers to be recovered; it may also require data held on local drives and network attached devices, and network connectivity from the data centre to the user.</p>
<p style="padding-left: 30px;">Trying to achieve too much too soon and overstating your DR capability and readiness.</p>
<p style="padding-left: 30px;">Not planning appropriately. Testing and live invocation are very different: in a live invocation you do not have a live environment to protect. Consider the impact that testing may have on your live services.</p>
<p>Engage with the appropriate people at an early stage, a “full deployment” test may take several weeks to plan.</p>
<h6>Siemens Enterprise Communications Limited</h6>
]]></content:encoded>
			<wfw:commentRss>http://www.bs25999.com/2009/12/how-to-create-and-test-effective-disaster-recovery-plans/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Eversheds Issues Guidance on HR Pandemic Issues</title>
		<link>http://www.bs25999.com/2009/12/eversheds-issues-guidance-on-hr-pandemic-issues/</link>
		<comments>http://www.bs25999.com/2009/12/eversheds-issues-guidance-on-hr-pandemic-issues/#comments</comments>
		<pubDate>Tue, 22 Dec 2009 21:44:18 +0000</pubDate>
		<dc:creator>harveyf</dc:creator>
				<category><![CDATA[Pandemic]]></category>
		<category><![CDATA[HR]]></category>

		<guid isPermaLink="false">http://www.bs25999.com/?p=39</guid>
		<description><![CDATA[Eversheds have published a guidance document on the Human Resources implications for pandemic planning.
While the recent media reporting of swine flu has dwelt on the obvious health and safety issues, the threat of a pandemic, whether now or in the next few months, also raises some practical challenges for HR departments across the country.
Necessary action [...]]]></description>
			<content:encoded><![CDATA[<p>Eversheds have published a guidance document on the Human Resources implications for pandemic planning.</p>
<p>While the recent media reporting of swine flu has dwelt on the obvious health and safety issues, the threat of a pandemic, whether now or in the next few months, also raises some practical challenges for HR departments across the country.</p>
<p><em>Necessary action steps?</em></p>
<p>From a health and safety perspective, employers are legally required to provide a safe working environment, and this includes protecting employees from outbreaks of contagious diseases in the workplace. However, how that protection might be afforded is likely to give rise to many and diverse issues for employers and that is assuming employees can make it in to work. What if public transport is affected and schools closed, preventing attendance at work?</p>
<p>The key message is to be prepared, to take sensible precautions now and to have a contingency plan in place in case the situation deteriorates. Such a plan should reflect a balanced and informed risk assessment.</p>
<p>Some initial sensible precautions include:</p>
<p style="padding-left: 30px;">Providing employees with access to the latest government information and advice via emails, posters and the like</p>
<p style="padding-left: 30px;">Advising unwell employees to seek medical advice and to stay away from work</p>
<p style="padding-left: 30px;">Restating absence reporting procedures to ensure that employees report their illness at the earliest opportunity</p>
<p style="padding-left: 30px;">Postponing face to face meetings and training courses or replacing them with teleconferencing; cancelling unnecessary travel and social events.</p>
<h3>Contingency Planning</h3>
<p>A contingency plan will address the more difficult HR and legal issues. For example, it should anticipate the following:</p>
<p style="padding-left: 30px;">How the organisation could continue to function with a skeleton staff, for example, dividing work between multiple sites in case one location is affected</p>
<p style="padding-left: 30px;">Whether and how to train more employees in essential business-critical knowledge and skills, to ensure the organisation can continue to operate</p>
<p style="padding-left: 30px;">How to manage working hours and overtime where employees agree to cover absent employees</p>
<p style="padding-left: 30px;">How to deal with employees who are required to go on business-critical foreign travel, but who refuse to go for fear of getting infected</p>
<p style="padding-left: 30px;">Whether essential foreign business travel can be tracked to allow employees to be located and repatriated if necessary</p>
<p style="padding-left: 30px;">How to deal with foreign-posted employees who want to come home</p>
<p style="padding-left: 30px;">How and when employees will be permitted to work from home to avoid workplace infection</p>
<p style="padding-left: 30px;">Where home-working is not an option, how the organisation will deal with employees being excluded from an infected workplace. Is there a contractual right to lay-off employees, or to require them to attend a different workplace or take holiday in such circumstances?</p>
<p style="padding-left: 30px;">Whether the employer has the right to require employees to submit to a medical examination</p>
<p style="padding-left: 30px;">How to deal with employees who are well but who are refusing to attend work to avoid the risk of general infection</p>
<p style="padding-left: 30px;">Whether the employer has the right to require an employee to submit to a vaccination against swine flu (if one is developed)</p>
<p style="padding-left: 30px;">Whether and how normal absence recording will include quarantine time, working from home to avoid infection and falling ill with swine flu (one risk being that employees are ‘penalised’ for reporting symptoms)</p>
<p style="padding-left: 30px;">How to deal with employees whose dependants fall ill with swine flu or where their children’s school is closed to contain an infection.</p>
<p>Many of these issues represent organisational and staffing issues for the employer. Others, such as how to address lack of attendance, workplace closures and what, if any, payments absent employees should receive can be legally complex.</p>
<p>How an employer should respond will vary according to the particular issue and, unfortunately, there is no one-size-fits-all answer. A starting point will be the contract of employment.</p>
<p>For example, if a workplace is required to close temporarily, the contract may provide for enforced holiday or lay-offs. If employees cannot attend work because of their personal circumstances or travel facilities, there is unlikely to be a specific contractual term addressing this.</p>
<p>Consideration will then need to be given to issues such as the employee’s right to stay at home to undertake emergency childcare, flexible working and home-working policies and any custom and practice within the organisation.</p>
<p>Likewise, consider custom and practice in the context of occupational sick pay; the risk being that this has become a contractual right for employees.</p>
<p>Where employers have no contractual terms addressing potential pandemic issues, the employee may agree to unpaid leave and other changes to their contract. Seeking employee consent to short-term changes in terms and conditions to deal with an emergency is a potential option worth exploring.</p>
<p>Contingency planning requires the employer to act reasonably, weighing up the needs of both the employer and employee and consulting with trade unions or employees representatives, if appropriate, before deciding on policy.</p>
<p>In so doing, employers must treat employees even-handedly, for example, not making unfounded assumptions around pregnant, older or disabled employees. Employers should also be aware of privacy and data protection issues when dealing with the details of employees’ illnesses or other sensitive personal information.</p>
<p><em>Contact us</em></p>
<p>To find out more about the Eversheds training courses and other human resources issues, please e-mail hrgroup@eversheds.com. You can also visit our training pages for details of in-house and public courses.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bs25999.com/2009/12/eversheds-issues-guidance-on-hr-pandemic-issues/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Reducing Energy Consumption in Data Centres</title>
		<link>http://www.bs25999.com/2009/12/reducing-energy-consumption-in-data-centres/</link>
		<comments>http://www.bs25999.com/2009/12/reducing-energy-consumption-in-data-centres/#comments</comments>
		<pubDate>Tue, 22 Dec 2009 21:34:02 +0000</pubDate>
		<dc:creator>harveyf</dc:creator>
				<category><![CDATA[Facilities]]></category>
		<category><![CDATA[cooling]]></category>
		<category><![CDATA[data centre]]></category>
		<category><![CDATA[efficiency]]></category>

		<guid isPermaLink="false">http://www.bs25999.com/?p=37</guid>
		<description><![CDATA[As power costs soar and the demand for power in data centres grows saving energy is always going to be high on the to do list for managers, users and owners. Gartner have release an in depth report showing how to save up to 1 million kilowatt hours per year.
The main areas for best practice [...]]]></description>
			<content:encoded><![CDATA[<p>As power costs soar and the demand for power in data centres grows saving energy is always going to be high on the to do list for managers, users and owners. Gartner have release an in depth report showing how to save up to 1 million kilowatt hours per year.</p>
<p>The main areas for best practice improvements are;</p>
<p><strong>Plug holes in the raised floor</strong>: Most raised-floor environments exhibit cable holes, conduit holes and other breaches that allow cold air to escape and mix with hot air. This single low-tech retrofit can save as much as 10 percent of the energy used for data centre cooling.</p>
<p><strong>Install blanking panels</strong>: Any unused position in a rack needs to be covered with a blanking panel so that the hot exhaust leaving one piece of equipment cannot recirculate into the cold-air intake of other equipment in the same rack. When the panels are used effectively, air temperatures at equipment intakes are lowered by as much as 22 degrees Fahrenheit, greatly reducing the electricity consumed by fans in the IT equipment and potentially alleviating hot spots in the data centre.</p>
<p><strong>Coordinate CRAC units</strong>: Older CRAC (computer room air-conditioning) units operate independently with respect to cooling and dehumidifying the air, so one unit can end up humidifying while its neighbour dehumidifies. These units should be tied together with newer control technology so that their efforts are coordinated, or managers should remove humidification responsibilities from them altogether and place those responsibilities on a newer, dedicated piece of equipment.</p>
<p><strong>Improve underfloor airflow</strong>: Older data centres typically have constrained space underneath the raised floor that is used not only for the distribution of cold air but also as a route for data and power cables. Many old data centres have accumulated such a tangle of these cables that airflow is restricted, so the underfloor space should be cleaned out to improve airflow.</p>
<p><strong>Implement hot aisles and cold aisles</strong>: In traditional data centres, racks were set up in what is sometimes referred to as “classroom style,” where all the intakes face in a single direction. This arrangement causes the hot air exhausted from one row to mix with the cold air being drawn into the adjacent row, thereby increasing the cold-air-supply temperature in uneven and sometimes unpredictable ways. Newer rack layout practices instituted in the past 10 years demonstrate that organizing rows into hot aisles and cold aisles is better for controlling the flow of air in the data centre.</p>
<p><strong>Install sensors</strong>: A small number of individual sensors can be placed in areas where temperature problems are suspected. Simple sensors store temperature data that can be manually collected and transferred into a spreadsheet, where it can be further analysed. Even this minimal investment in instrumentation can provide great insight into the dynamics of possible data centre temperature problems and provides a method for measuring the results of improvements made to data centre cooling.</p>
<p><strong>Implement cold-aisle or hot-aisle containment</strong>: Once a data centre has been organized around hot aisles and cold aisles, dramatically improved separation of cold supply air and hot exhaust air through containment becomes an option. For most users, hot-aisle containment or cold-aisle containment will have the single largest payback of any of these energy efficiency best practices.</p>
<p><strong>Raise the temperature in the data centre</strong>: Many data centres are run colder than necessary. ASHRAE (the American Society of Heating, Refrigerating, and Air-Conditioning Engineers) has increased the top end of allowable supply-side air temperatures from 77 to 80 degrees Fahrenheit. Not all data centres should be run at the top end of this temperature range, but a step-by-step increase, even to the 75 to 76 F range, would have a beneficial effect on data centre electrical use.</p>
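<p>The sensor and temperature items above come together in practice as a small analysis of the collected readings: which cold-aisle intakes are already above the ASHRAE ceiling (those are the hot spots to fix first), and how much headroom remains before the supply temperature can be stepped up. The script below is an added example written for this page, not code from the original post or the Gartner report. The CSV columns and every reading in it are constructed for illustration; only the 80 F limit is taken from the text.</p>
<pre>
```python
"""Analyse hand-collected rack temperature readings for hot spots and setpoint headroom.

Added example, not part of the original post or the Gartner report. The CSV
layout and the readings are constructed; the 80 F ceiling is the ASHRAE
allowable supply-side maximum quoted in the text.
"""
import csv
import io
from collections import defaultdict
from statistics import mean

# Top of the ASHRAE allowable supply-side range quoted in the post, in F.
ASHRAE_MAX_SUPPLY_F = 80.0

# Constructed sample of a sensor log after it has been typed into a
# spreadsheet and exported as CSV (assumed column names).
SAMPLE_CSV = """\
timestamp,aisle,rack,position,temp_f
2009-12-01T09:00,cold-A,A03,bottom,64.0
2009-12-01T09:00,cold-A,A03,top,71.5
2009-12-01T09:00,cold-A,A07,bottom,65.0
2009-12-01T09:00,cold-A,A07,top,83.5
2009-12-01T09:00,hot-A,A03,top,96.0
2009-12-01T13:00,cold-A,A03,bottom,65.0
2009-12-01T13:00,cold-A,A03,top,72.0
2009-12-01T13:00,cold-A,A07,bottom,66.0
2009-12-01T13:00,cold-A,A07,top,84.0
2009-12-01T13:00,hot-A,A03,top,97.0
"""


def load_readings(text):
    """Parse CSV rows into dicts, converting the temperature column to float."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["temp_f"] = float(row["temp_f"])
        rows.append(row)
    return rows


def cold_aisle_summary(rows):
    """Mean and max temperature per (rack, position) on cold aisles only.

    Hot-aisle readings are exhaust air and are excluded: the ASHRAE limit
    applies to the air the equipment draws in, not to what it blows out.
    """
    groups = defaultdict(list)
    for r in rows:
        if r["aisle"].startswith("cold"):
            groups[(r["rack"], r["position"])].append(r["temp_f"])
    return {k: {"mean": mean(v), "max": max(v)} for k, v in groups.items()}


def hot_spots(rows, limit_f=ASHRAE_MAX_SUPPLY_F):
    """Cold-aisle sensor locations whose max reading exceeds limit_f.

    These are the places to check for bypass air (missing blanking panels,
    unplugged floor holes) before raising the room setpoint.
    """
    summary = cold_aisle_summary(rows)
    return sorted(k for k, s in summary.items() if s["max"] > limit_f)


def setpoint_headroom_f(rows, limit_f=ASHRAE_MAX_SUPPLY_F):
    """Degrees F the supply temperature could rise before the hottest
    cold-aisle intake reaches limit_f. Negative means an intake already
    exceeds it and the setpoint should not be raised yet."""
    summary = cold_aisle_summary(rows)
    hottest = max(s["max"] for s in summary.values())
    return limit_f - hottest


if __name__ == "__main__":
    readings = load_readings(SAMPLE_CSV)
    for loc, s in sorted(cold_aisle_summary(readings).items()):
        print(f"{loc[0]} {loc[1]:6s} mean={s['mean']:.1f}F max={s['max']:.1f}F")
    print("hot spots:", hot_spots(readings))
    print(f"setpoint headroom: {setpoint_headroom_f(readings):+.1f} F")
```
</pre>
<p>With the constructed readings the top of rack A07 is already over the limit, so the headroom comes out negative: the blanking panel or floor hole near A07 gets fixed first, the sensors are read again, and only then is the setpoint stepped up.</p>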
<p><strong>Install variable-speed fans and pumps</strong>: Traditional CRAC and CRAH (computer room air handler) units contain fans that run at a single speed. Emerging best practices suggest that variable-speed fans be used whenever possible. Because fan power scales roughly with the cube of fan speed, a reduction of 10 percent in fan speed yields an approximately 27 percent reduction in the fan’s electrical use, and a 20 percent reduction in speed yields electrical savings of approximately 49 percent.</p>
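<p>The two savings figures above are what the fan affinity laws predict, and it is worth being able to reproduce them for other speed reductions and for a whole fleet of units. The functions below are an added example written for this page, not code from the original post or the Gartner report; the fleet size, fan rating and running hours in the usage section are constructed assumptions.</p>
<pre>
```python
"""Fan affinity (cube) law behind the variable-speed fan savings figures.

Added example, not from the original post or the Gartner report. The 10% and
20% speed reductions come from the text; the fleet figures in __main__ are
constructed for illustration.
"""


def fan_power_fraction(speed_fraction):
    """Fraction of full-speed electrical power drawn at a given speed fraction.

    Affinity laws for a fan on a fixed duct system: airflow scales with
    speed, static pressure with speed squared, shaft power with speed cubed.
    """
    if not 0.0 <= speed_fraction <= 1.0:
        raise ValueError("speed_fraction must be between 0 and 1")
    return speed_fraction ** 3


def power_saving_percent(speed_reduction_percent):
    """Percentage electrical saving for a given percentage speed reduction."""
    speed = 1.0 - speed_reduction_percent / 100.0
    return round((1.0 - fan_power_fraction(speed)) * 100.0, 1)


def annual_kwh_saved(fan_count, rated_kw, speed_reduction_percent,
                     hours_per_year=8760):
    """Annual kWh saved across a fleet of identical fans that run continuously
    at the reduced speed instead of full speed."""
    saving = power_saving_percent(speed_reduction_percent) / 100.0
    return fan_count * rated_kw * hours_per_year * saving


def speed_reduction_for_saving(target_saving_percent):
    """Inverse problem: the speed reduction needed for a target saving."""
    if not 0.0 <= target_saving_percent < 100.0:
        raise ValueError("target_saving_percent must be in [0, 100)")
    remaining = 1.0 - target_saving_percent / 100.0
    return round((1.0 - remaining ** (1.0 / 3.0)) * 100.0, 1)


if __name__ == "__main__":
    for reduction in (10, 20, 30):
        print(f"{reduction}% slower fan -> "
              f"{power_saving_percent(reduction)}% less electricity")
    # Constructed fleet: 12 CRAH units with 7.5 kW fans, trimmed by 20%.
    print(f"fleet saving: {annual_kwh_saved(12, 7.5, 20):,.0f} kWh/year")
    print(f"to halve fan power, slow fans by {speed_reduction_for_saving(50)}%")
```
</pre>
<p>The cube law is the ideal case for a fixed system resistance; motor and drive losses at part load mean a real installation recovers a little less than the model predicts, so treat the figures as an upper bound when building the business case.</p>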
<p><strong>Exploit “free cooling”</strong>: Free cooling is the general term for any technique that cools air without the use of chillers or refrigeration units. The two most common forms of free cooling are air-side economization and water-side economization. The amount of free cooling available depends on the local climate, and ranges from approximately 100 hours per year to more than 8,000 hours per year.</p>
<p><strong>Design new data centres using modular cooling</strong>: Traditional raised-floor perimeter air distribution systems have long been the method used to cool data centres. However, mounting evidence strongly points to modular cooling (in-row or in-rack) as a more energy-efficient data centre cooling strategy.</p>
<p>The entire report ($195) can be found on the Gartner Web site: “How to Save a Million Kilowatt Hours in Your Data Center.”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bs25999.com/2009/12/reducing-energy-consumption-in-data-centres/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
