Our mission is to safeguard people, protect property, minimize business interruption, and protect reputations.

Our vision is to thoroughly understand each client’s business and become a long-term trusted adviser.

https://preparednessllc.com
info@preparednessllc.com

781.784.0672

Wednesday, January 23, 2019

NFPA 1600 2019 Edition Published


The 2019 edition of NFPA 1600 “Standard on Continuity, Emergency, and Crisis Management” has been published by the National Fire Protection Association. This international standard is the most mature standard of its kind in the world. Originally published in 1995, the 2019 edition is the 7th edition. It addresses the inter-connected elements of a preparedness program including program management, risk assessment, business impact analysis, prevention/mitigation, emergency management, business continuity, crisis management, and crisis communications.
First off, the title has changed to emphasize “crisis” management content that has been introduced over the past three editions. A crisis is defined as “an issue, event, or series of events with potential for strategic implications” including impacts on brand, image, reputation, and more. A new section “crisis management” has been added to chapter 6, Implementation. This section defines a “crisis management capability,” with senior leadership involvement, signals detection, identification of issues, strategy development, and more.
Another notable change is the addition of a new chapter 7 titled “Execution.” It defines what should be obvious but is often overlooked, that is, how a program should be executed. Incident recognition, reporting and notification, activation and planning, incident management, documentation, and resource management are included in the new chapter. The chapter extracts the important elements of alerting, notification, and warning with activation of an incident management system.
The annexes, which are a treasure trove of valuable information, continue to expand. Annex J, “Social Media in Emergency Management” has been added. When an incident occurs, social media is alive before emergency, continuity, and crisis management responders are fully engaged. Therefore, integrating social media into all program activities—preparedness for a forecast event to communicating with stakeholders regarding continuity and recovery information after—is a must.
Other new annexes include Annex K Emergency Communications: Public Alerts and Warnings in Disaster Response and Annex L Emergency Management, Continuity, and Crisis Management Data Interoperability.
NFPA 1600 can be downloaded for free from the NFPA website http://bit.ly/2AOTiFF
Check out a historical review of NFPA 1600 on the Preparedness, LLC website. http://bit.ly/2UcLzt9. Be sure to download the 2019 edition of Preparedness, LLC’s program self-assessment checklist, which is based on NFPA 1600. http://bit.ly/2uUz7ma

Monday, December 31, 2018

Happy New Year

The New Year, A Time of Reflection and Anticipation


https://files.constantcontact.com/a962cc5b001/48124bb5-d7e5-4373-85ea-1709e54c1b28.jpg
The early Roman calendar was created in the 8th century B.C. by Romulus, founder of Rome, consisting of 10 months and 304 days. Each New Year began at the vernal equinox as was tradition. 

Later, King Numa Pomlpilius added the months of Januarius and Februarious. Over the years the calendar fell out of synch with the sun.

In 46 BC, emperor Julius Caesar consulted with prominent astronomers and mathematicians to solve this problem. The Julian calendar, which closely resembles the more modern Gregorian calendar used today, was introduced.

Caesar instituted January 1st as the start of the New Year, honoring the month's namesake: Janus, the Roman God of beginnings and endings. The fitting significance of Janus' two faces allowed him to look back into the past and forward into the future.
_________________________________________

Looking back, here are events that occurred in 2018 causing widespread and significant impact:
  • Hurricanes Florence and Michael
  • Over-pressurized gas lines in Massachusetts that caused explosions, more than 60 fires, and months-long service interruption to 8,000 customers including many businesses
  • Data breaches of Facebook, Marriott/Starwood, and many others
  • Historic wildland fires in California
  • Reputations tarnished by product liability suits (Bayer/Monsanto) and privacy concerns (Facebook and others)
  • Geopolitical events including trade wars affecting the global supply chain and disinformation campaigns inciting the public discourse


https://files.constantcontact.com/a962cc5b001/fd9095db-a7dc-4a79-8450-d969f342e4c1.jpgEvents thought to be "unexpected" are now clearly foreseeable. Preparing for events that threaten life, property (real, digital, and intellectual), business operations, reputations, and relationships with stakeholders is a New Year's resolution for every organization.

We continue to monitor events as they unfold and work towards building better international standards and practices for preparedness and resilience. 

Our goal has always been to help others understand the hazard, operational, and reputational risks that surround them and to implement plans and strategies.

We wish you all the best in 2019.





Thursday, December 27, 2018

Tips to Enhance Survival During an Active Shooter Incident


"Active Shooter" actor from a full-scale exercise
(photo by Preparedness, LLC)
Lieutenant Colonel (ret.) Mike Wood’s article “What cops need to tell their families about active shooters,” (PoliceOne.com) should be read by everyone venturing out into public.
  • Maintain situational awareness
  • Know where the exits are
  • Get off the floor.
  • Don’t volunteer to be deaf and blind
  • Limit alcohol consumption in public
  • Have a plan
  • Be careful with your communication devices
  • Know how to act when the police arrive
  • Learn first aid basics.
  • Be prepared

Personal preparedness is essential. When a hostile event unfolds, no one is going to direct you to exits, concealment, or cover. It’s up to you.

Organizations have a lot of work to do, too. Human resource practices, effective physical and operational security, threat detection, warning and communication systems, and many more elements of a preparedness program should be implemented. Read the Preparedness BulletinActs of Violence” for detailed guidance.

Wednesday, November 28, 2018

Resilience

Resilience

November is National Critical Infrastructure Security and Resilience Month. Critical infrastructure is the physical and cyber systems and assets that are so vital that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.

There are 16 critical infrastructure sectors including commercial facilities, manufacturing, financial services, food and agriculture, healthcare, information technology, transportation, communications, energy, emergency services, and more. Every organization depends on critical infrastructure and many are a part of, or support, the critical infrastructure sectors.

What is resilience?

You hear the word resilience more and more—often after a major disaster or utility outage. Merriam-Webster defines resilience as the “ability to recover from or adjust easily to misfortune or change.” Resilience is not a finish line, rather it is a continuous process that engages safety, security, human resources, operations, engineering, supply chain, IT, risk management, and others. It begins with identifying assets that are critical to the success of the organization—people, operations, facilities, supporting infrastructure and technologies, machinery and equipment, supply chain, and more. Resilience should also encompass reputation and relationships with stakeholders.

Resilience is a continuous process to gain and maintain a current understanding of:
  • threats, hazards, and perils that could impact life and physical, digital, intellectual, operational, and reputational assets
  • operational criticalities (production or service delivery priorities),
  • vulnerabilities of assets and resources (weaknesses) that would make them more susceptible to damage or loss, and
  • potential impacts to life, property, operations, the environment, and the organization’s reputation and relationships with stakeholders.
Resilience also includes the development of strategies to manage risk and capabilities to promptly respond to and recover from whatever has happened.

What does it take to achieve resilience?

Since the risk environment is not static, continuous gathering of information and the development of actionable intelligence about credible threats, foreseeable hazards, and potential impacts to critical assets is essential. THIRA (threat and hazard identification and risk assessment) and BIA (business impact analysis) are the processes that engage internal and external experts to identify hazards, their probabilities of occurrence, and assets at risk; to evaluate the adequacy of prevention and mitigation capabilities; and to develop strategies for risk management.

Strategies for loss prevention, deterrence, and hazard mitigation should begin even before a building is built. By selecting a geographic site that has limited exposure to natural hazards and crime and one with reliable infrastructure and public safety services, the need and costs for building design, construction, redundant utilities, and on-site response capabilities may be reduced. Design and construction that is compliant with building codes and standards and industry best practices also can enhance resiliency. Periodic inspection, testing, and maintenance of protection systems and equipment are essential to ensure reliability.

Ongoing programs to manage risk are essential. Internal professionals including human resources manage employee risks through pre-employment screening, onboarding processes, threat assessment, critical employee backups, training, employee communications, and wellness programs.

Environmental, health and safety (EH&S) professionals partnering with human resources, operations, engineering, and others play an instrumental role with job hazard analysis, process safety, fire prevention, accident prevention, and environmental protection.
Security professionals and facilities management staff implement CPTED (crime prevention through environmental design) practices, surveillance and detection technologies, and operational security practices to deter, detect, and respond to potential threats. Communication and coordination with law enforcement is needed to promptly learn about developing threats and to increase security commensurate with the threat level.

EH&S professionals along with security, facilities, human resources and other staff must work together to develop and implement emergency response capabilities to safeguard employees, protect facilities, and prevent environmental contamination from the threats and hazard identified during the risk assessment.

Information Technology must manage the technology environment balancing access, efficiency, reliability, information security, and costs. Connectivity between internet service providers, worksites, networks, servers, and users must be reliable and have sufficient bandwidth to meet business needs. Digital information must be protected and promptly recoverable along with user applications to minimize production and service delays and unacceptable customer impacts. Information security laws require compliance. Conformity to standards and best practices for the protection of data centers and supporting infrastructure reduces exposure to loss and interruption. IT disaster recovery plans must be developed and tested to validate the ability to meet recovery time objectives.

Production managers and engineers must identify vulnerabilities in production methods, machinery and equipment, supporting infrastructure and technologies and develop strategies to overcome loss scenarios. Supply chain managers must continually assess the ability of suppliers to meet demand and logistics capabilities to deliver supplies where and when needed. Strategies for loss or damage to equipment, unavailability of essential personnel, and supply chain interruption must be developed.

Operations personnel working together with managers, supervisors, and others within the organization that possess the institutional knowledge of operations and resources must work together to complete the business impact analysis and develop business continuity strategies and documented plans for use when critical processes are interrupted or required resources are unavailable.

Role of Leadership

Resilience is elusive because of the broad spectrum of hazard, operational, financial, and strategic risks. It can be fleeting because of the short duration of institutional memory and human nature that “it can’t happen to us” or “it will never happen again.” A concerted, ongoing effort is required to understand and manage risk. Ultimately, senior management must embrace resilience as a core value of the organization and strive to embed risk management within its culture.

Reaching a threshold of “resilience” means that the organization has a clear understanding of risk and has implemented controls to manage operational, financial, and reputational risk to an acceptable level. Compliance with laws and regulations is the minimum. Meeting customer requirements is essential. Protecting the business, its employees and facilities by implementing and maintaining a mature preparedness program is no longer a luxury. There is no finish line.



Tuesday, November 27, 2018

From the National Cyber Awareness System: Major Online Ad Fraud Operation

https://www.us-cert.gov/ncas/alerts/TA18-331A



Overview

This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). DHS and FBI are releasing this TA to provide information about a major online ad fraud operation—referred to by the U.S. Government as "3ve"—involving the control of over 1.7 million unique Internet Protocol (IP) addresses globally, when sampled over a 10-day window.

Online advertisers desire premium websites on which to publish their ads and large numbers of visitors to view those ads. 3ve created fake versions of both (websites and visitors), and funneled the advertising revenue to cyber criminals. 3ve obtained control over 1.7 million unique IPs by leveraging victim computers infected with Boaxxe/Miuref and Kovter malware, as well as Border Gateway Patrol-hijacked IP addresses.

Malware

Boaxxe malware is spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Boaxxe botnet is primarily located in a data center. Hundreds of machines in this data center are browsing to counterfeit websites. When these counterfeit webpages are loaded into a browser, requests are made for ads to be placed on these pages. The machines in the data center use the Boaxxe botnet as a proxy to make requests for these ads. A command and control (C2) server sends instructions to the infected botnet computers to make the ad requests in an effort to hide their true data center IPs.

Kovter malware is also spread through email attachments and drive-by downloads. The ad fraud scheme that utilizes the Kovter botnet runs a hidden Chromium Embedded Framework (CEF) browser on the infected machine that the user cannot see. A C2 server tells the infected machine to visit counterfeit websites. When the counterfeit webpage is loaded in the hidden browser, requests are made for ads to be placed on these counterfeit pages. The infected machine receives the ads and loads them into the hidden browser.

Solution

DHS and FBI advise users to take the following actions to remediate malware infections associated with Boaxxe/Miuref or Kovter:
  • Use and maintain antivirus software. Antivirus software recognizes and protects your computer against most known viruses. Security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your antivirus software up-to-date. If you suspect you may be a victim of malware, update your antivirus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
  • Avoid clicking links in email. Attackers have become very skilled at making phishing emails look legitimate. Users should ensure the link is legitimate by typing the link into a new browser. (See Avoiding Social Engineering and Phishing Attacks.)
  • Change your passwords. Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords.)
  • Keep your operating system and application software up-to-date. Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches and Software Updates for more information.)
  • Use anti-malware tools. Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool. A non-exhaustive list of examples is provided below. The U.S. Government does not endorse or support any particular product or vendor.


Monday, November 19, 2018

Practical Tips for Continuity Planning

Don Schmidt presented “Practical Tips for Continuity Planning: From Impact Analysis to Executable Strategies and Plans” to the Safe+Ready Institute’s 2018 Virtual Summit.


Tips (and lessons learned) from decades of business continuity planning were shared including:
  • Importance of management support and Identifying who needs to be involved in the planning process
  • Planning Scope, Assumptions, Limitations, and Scenarios
  • Tools & Techniques for Business Impact Analysis (BIA)
  • Risk Assessment: It’s not just for emergency planning
  • Continuity Strategies: Focus on Priorities
  • Resources, Resources, Resources
  • Continuity Plan: Putting it all together
  • Incident Management: Concept of Operations
  • Training, Testing & Exercises
  • Program Development Resources

The presentation can be viewed here, and the recorded webinar can be viewed on the Safe+Ready Institute’s website here. While you’re visiting the Preparedness, LLC website, be sure to check out the program development resources and Preparedness Bulletins.

Thursday, November 1, 2018

Suspicious Packages

Suspicious Packages

Over the past week, U.S. politicians, high profile individuals, and CNN were targeted with suspicious packages/letters at their homes or places of business.  These packages, each appearing to contain a bomb, were a coordinated attempt to spread fear, injure the intended recipients, and cause destruction. Since the days of the "Unabomber" in 1978 and the anthrax containing letters sent to members of Congress in 2001, the potential dangers of threats perpetrated by mail have been realized.

What is a suspicious item? 

https://imgssl.constantcontact.com/letters/images/1101116784221/T.pngA suspicious item is any article (e.g. package, envelope, bag, vehicle, etc.) that is reasonably believed to contain explosives, an improvised explosive device (IED), or other hazardous material that requires a bomb technician and/or specialized equipment to further evaluate it. Examples that could indicate a bomb include unexplainable wires or electronics, other visible bomb-like components and unusual sounds, vapors, mists or odors.  

Anything that is HiddenObviously suspicious, and not Typical (HOT) should be deemed suspicious. In addition, potential indicators for a bomb are threats, placement, and proximity of the item to people and valuable assets.

The term Improvised Explosive Device (IED) has long been associated with war, but easy access to instructions and ingredients has resulted in numerous incidents involving the use of IEDs in the United States. IED attacks remain the primary tactic for terrorists seeking a relatively uncomplicated, inexpensive means for inflicting mass casualties and maximum damage. A series of bombings in Seaside Park, NJ and New York City in September, 2016 targeted a charity race and a Manhattan neighborhood. Unexploded devices including a pressure cooker were found at both the New Jersey and New York City bombing sites.

Differentiating Between Unattended and Suspicious

Not all unattended items are suspicious. An unattended item is an item of unknown origin and content where there are no obvious signs of being suspicious.  If not suspicious, there is no need for facility search or evacuation.
Evaluate the item using the U.S. Postal Service "Suspicious Mail" poster (below) to determine if it meets "suspicious" criteria. Consider the placement of the package and its proximity to people and valuable assets and the current threat environment. Consider the following factors:
  • Was any suspicious activity reported when the package was left or discovered?
  • Have any threats to the receiving organization or similar organizations been reported?
  • Is the unattended package or bag consistent with those normally expected to be found in the building?
  • Does the unattended package or bag have any external indicators consistent with a suspicious package?
If package is not considered an immediate threat to health or safety, record the name and address of the addressee and sender; post office codes, stamps, and cancellation date; and any other markings or labels. Contact the addressee to determine if the package was expected.


Figure 1. Suspicious Mail Poster 84 (U.S. Postal Service)

Emergency Response to Suspicious Packages

If a package is deemed "suspicious," the following action should be taken:
  • Notify security that a suspicious package has been detected. Alert everyone in adjacent areas that a suspicious letter or package has been found and direct them to clear the area. 
  • If the suspicious item is believed to be a bomb, evacuate the building. 
  • Anyone in contact with any powder or substance believed to have been released from the package should seek decontamination immediately and should segregate from others not exposed. Shut down the building's ventilation system if shutdown can be done safely.
If package is not deemed an immediate threat to health or safety, document the reasons for identifying the package as suspicious. Without making direct contact with the suspicious item, record all available information from all sides including name and address of addressee and sender, post office codes, stamps, and cancellation date, any other markings or labels found on the item, any other peculiarities (stains, tears, tape, flaps not glued). If possible, photograph from all sides without moving. Contact the addressee to determine if package was expected.

If the package cannot be verified as legitimate within a reasonable period, notify police.


Emergency operations plans should include instructions for employees as well as those responsible for managing emergencies. Procedures should be clear and concise and align with your organization's incident management system. Figure 2 is an example from Preparedness, LLC's flowchart-based emergency operations plans. Flowcharts, hazard precautions, and defined roles and responsibilities are compiled in hard-copy and digital format with hyperlinks for quick navigation to all related guidance.


Figure 2. Emergency procedures flowchart from Preparedness, LLC's emergency operations plan.