An Exercise in Business Continuity
In a conversation with a senior officer of a large university we discussed operational continuity and what is important. It gave me a lot to think about: what does a major university face for operational continuity?
Events we know about from other locations…
Bombs, guns, knives, etc. This is law enforcement, and they will run the show.
Fire, accidents, injuries, poisonings: these will be run by Fire and Police.
How those events unfurl leads to the next section…
Building collapse, burn down, rendered unoccupiable – all you need to know is what critical functions are housed in that building that need to be backed up elsewhere. Those functions not deemed critical but darn necessary, such as relocating students and faculty to another location, are a bother and must be dealt with – like relocating the NYSE to New Jersey after 9/11.
Yet all of these are known perils with solutions – in many cases ones that can be borrowed from other institutions and adopted…
The two that stick out in my mind are …
A football coach is a pedophile, gang rapes in dorms, professor sleeps with all girls in a class – even the smelly ones, a prominent professor is found to be fabricating research, coach in Las Vegas placing bets when a player was throwing games, virus leaks from the biology department – these are the ones that bite you by the butt, as you never thought any of this could ever have occurred. These RFMs (Red Faced Moments), handled poorly, can damage reputation, affect enrollment and seriously affect donations.
RFM responses need to be run by a two-person team: a good lawyer and a good problem solver that can take action and make things occur. The worst is to let the lawyers run it; they are just there to protect the university from more liability. An example of how lawyers can screw it up – Martha Stewart – her lawyers ticked off the government so much she went to jail when in reality no one had ever gone to jail for small insider trading – it was her lawyers encouraging her not to talk that got her to lie… lie through omission and commission when an immediate mea culpa would have been the best choice.
It is a matter of time before the University is hacked and exposed to the core, or some knucklehead has stolen data and either wants to sell it back to the University or wishes to be part of the information freedom liberation movement.
I have personally seen several massive data breaches that have altered the history of businesses. The entire client list of a Luxembourg bank stolen and then sold to the different governments’ taxing authorities. The ICIJ getting a hold of 2.5 million client records from lawyers’ offices in the British Virgin Islands. All of the designs and fabrication details for 111,000 dies and the customer lists of a company stolen by a Chinese exchange student working as a paid intern. The intern took all of the info back to China and made knockoffs that he sold to my client’s customers.
The leak may be in total or it may be specific such as the records of one professor’s research.
Model responses to all scenario categories could be developed and then adapted to develop a specific response to the individual fact pattern(s).
Also, testing of the system needs to be done; friendly hackers should always be at work trying to compromise the system and develop countermeasures… Also run RFMs to see what you can come up with and how you might respond. At the university this must all be an imponderable nightmare, as anyone, faculty or student, can just plug and play with the school’s network. So how many levels do you need to be ready for? Gad: hardware, software, communication, CD, DVD, thumb drives etc… Yikes. I am truly glad this is someone else’s problem.
I am also just a big enough pain to hold each department by the data breaches and fire people who fail any and all standards they jointly set.
It was a good mental exercise that was needed and it should be repeated at any and all levels of all entities, not just universities but aerospace to zoos.