Sessions

“The quality of the speakers was extremely high.”

- Senior facility manager of an operations and maintenance solutions company

Wednesday, November 12

9:45 AM - 5:00 PM
BC1: Tutorial: Business Continuity 101 (100/L)
Kelley Okolita, Hanover Insurance

This popular all-day session provides a solid foundation for understanding business continuity principles and processes. The course is a starting point for all new planners and, when combined with other sessions at the conference, builds a framework for developing and implementing a business recovery plan. Learn all about safety, incident response, risk analysis, recovery strategies, plan development, plan testing and maintenance and awareness programs. This is also a terrific refresher course for more experienced planners. Participants receive a manual and sample recovery plan.

9:45 AM - 11:00 AM
BC2: Creating a Comprehensive Program for a Medium Size Business (200/C)
Doug Cassell, CBCP, Mutual of Enumclaw

Mutual of Enumclaw (MoE) is a regional property and casualty insurance company located in a rural area near Seattle, WA, at the foot of Mt. Rainier, an active volcano. MoE was aware of the need to have a solid business continuity program not only due to location, but to provide for customer claims needs in the event of a catastrophe. They created a plan using personnel from various parts of the company, managed by an IT employee with other duties. They found this plan difficult to exercise, fragmented, and unlikely to be workable in a disaster, so they hired a full-time BC/DR professional. This presentation will describe the actions taken by the new BC Program Manager, what was learned in the process, and how a comprehensive program, including integration with government emergency management agencies was created. Learn the ongoing process of keeping the plan living and current.

9:45 AM - 11:00 AM
BC3: Industrial Hygiene: 5 Key Points Every Continuity Planner Should Consider (300/L)
Ellen P. Clas, MS, CIH, CSP, Clas Consulting LLC

Industrial Hygiene consists of the science and art devoted to the anticipation, recognition, evaluation and control of those environmental factors or stresses, arising in or from the workplace, which may cause sickness, impaired health and well being, or significant discomfort and inefficiency among workers or among citizens of the community. Emergency situations can present unique exposures for your employees and/or citizens in your community. This session, presented by a Certified Industrial Hygienist active in emergency management, will provide an overview of five key industrial hygiene considerations that every continuity planner should embrace.

9:45 AM - 11:00 AM
EM4: Controlled Escalation: A Proactive Approach to Emergency Preparedness (500/L)
Todd A. Osborn, Osborn Survival Solutions LLC

A lot of expense and effort goes into building effective organizational emergency management plans, yet the focus remains centered on responding to crisis events. Controlled escalation is a methodology that facilitates an effective crisis response by increasing your preparedness posture in accordance with the developing threat. Accomplished properly, this approach facilitates a proactive, cost-effective response.

9:45 AM - 11:00 AM
S5: The Insider Threat to Critical Systems (300/L)
Jim Kennedy, PhD, MBCI, MRP, CBRM, CHS-IV, Alcatel-Lucent

This session identifies threats to critical data and systems from within an organization. Learn to recognize the types of insider threats and hear ways to protect against them.

9:45 AM - 11:00 AM
L6: Putting the "M" Back in Business Continuity (400/L)
Kathleen Lucey, FBCI, Montague Risk Management

In our rush to stay current with the latest technology and resilience strategies, it is easy to forget that we are managing a business function. We need to manage people, budgets, objectives, and expectations. Our task is complicated by the always-precarious nature of the BC function. This presentation talks about the management skills that we must acquire and perfect in order to assure the smooth functioning and continuing existence of the BC function in the enterprise.

11:15 AM - 12:30 PM
BC7: Pandemic Planning: Lessons Learned from a Contagious Incident (200/C)
Jim Baird, U.S. Central FCU

Much has been done to research and prepare for a possible pandemic to the point where "pandemic fatigue" has set in at many organizations. But your efforts don't have to be limited to a pandemic response, and instead can be used for more likely health contingencies. Further, your planning efforts may gain more companywide buy-in when senior management understands other ways the plan development can be utilized beyond a pandemic response. In this session you will get a brief overview of relevant information on the H5N1 influenza to help sort through the "hype," followed by lessons-learned from an outbreak of a contagious disease. Attendees will come away with an understanding of key elements in planning for an illness-related contingency, including discussion on working with public emergency management, healthcare providers, communications issues and employee privacy concerns.

11:15 AM - 12:30 PM
BC8: Five Steps to Risk Management Maturity (300/L)
David Nolan, Fusion Risk Management

Risk management programs rarely leave senior executives confident that they have reduced business risk or created business value. As enterprises spend more to mitigate risk, the pressure is mounting to organize, measure and manage risk with more discipline and greater accountability. While the concepts of enterprise risk management and IT risk management focus these issues, most programs remain immature, ineffective, inefficient and costly. Risk management today is often the repetitive process of identify-and-mitigate. The absence of organization and measurement serves to disable the management process. The result is wasted effort and/or gaps of unaddressed risk. By applying the "Five Step Program" (Identify, Organize, Measure, Mitigate and Manage), underutilized resources can be redeployed, dangerous gaps can be prioritized, and the risk management process can become effective, efficient and economical. This presentation will outline that process.

11:15 AM - 12:30 PM
EM9: Solving the Emergency Notification Conundrum at Blue Cross and Blue Shield of Florida (300/C)
Chris Gay, CBCP, CBRA, and Joni Gulley, Blue Cross Blue Shield of Florida

A beginning-to-end look at the decision-making process that Blue Cross and Blue Shield of Florida (BCBSFL) went through in choosing and implementing an emergency notification system (ENS). Learn about the key product assessment criteria, business case definition, and vendor selection process that BCBSFL used to ensure a successful ENS implementation. Lessons learned as well as critical implementation success factors will be reviewed and discussed.

11:15 AM - 12:30 PM
EM10: Special Needs: A New Definition for Emergency Preparedness (300/L)
Barbara Citarella, RBC Limited

This session focuses on the Department of Homeland Security's new definition of special needs populations as they relate to disaster preparedness. This new definition will not only impact local emergency planners but businesses as well. The definition is broad in scope and requires significant planning. Understand the rationale behind the new definition and some key actions that need to be undertaken.

11:15 AM - 12:30 PM
S11: Unsafe at Any Speed: 7 Dirty Secrets of the Security Industry (300/L)
Joshua Corman, IBM

Do you ever feel security providers aren't telling you the whole truth? Wonder what they aren't telling you? We entrust the security industry to protect us from unacceptable risk. However, competing vendor priorities often prevent sharing and open discussion of security truths. Some 'lies by omission' merely delay countermeasures. More serious 'dirty secrets' have created and perpetuated unacceptable blind spots and exposures. This session exposes the 7 dirty secrets of the security industry. Learn key security trends deserving your attention and hear practical ways to command intellectual honesty from your trusted security providers.

2:15 PM - 3:15 PM
BC13: The Economic Measurement of Operational Risk (300/L)
Dennis Wenk, Hitachi Data Systems

Our intense dependence on technology has created competitive advantages for many organizations but it has also introduced new risks that have large financial consequences. The only rational reason for a business to spend money to manage operational risk is the expectation that the benefits outweigh the costs. This presentation will describe a comprehensive process for economically measuring operational risk which will provide a cause-effect link that is missing from the dysfunctional BIA-method.

2:15 PM - 3:15 PM
BC14: Organize Your BC Documentation for Better Results (300/L)
Kathleen Lucey, FBCI, Montague Risk Management

Organize your BC documentation to optimize your interruption response! This session is an in-depth analysis of the various kinds of documentation that must be created, distributed, stored, and maintained in order to ensure an effective business continuity capability. Each type of documentation has specific characteristics that dictate its storage medium, distribution, and maintenance. Together all of this documentation makes up your organization's BC plan.

2:15 PM - 3:15 PM
EM15: Building Hospital Resiliency: Utilizing a Holistic Approach to Respond and Recover from a Disruption (300/L)
James Paturas, Yale New Haven Center for Emergency Preparedness and Disaster Response

Today, more than ever before, hospitals and healthcare facilities need to have emergency preparedness plans that encompass a broad spectrum of potential threats. These can range from natural, environmental, technical or intentional situations. One of the best ways to mitigate your exposure and ensure business continuity is to develop a holistic contingency planning process that includes ongoing communication, collaborative multi-agency planning and an evaluation process based on pre-defined indicators. There are many questions on the minds of administrators, risk managers and disaster/contingency planners every day regarding their organization's ability to recover from an event. This session will review the key points for developing a comprehensive contingency planning process. It will also review what support you can expect, and identify potential weaknesses in the planning and execution of a response to a real-time or staged exercise.

2:15 PM - 3:15 PM
S16: Security Implications of Virtualization (300/L)
Joshua Corman, IBM

Virtualization is rapidly gaining acceptance due to its consolidation and green IT benefits. But when implementing virtualized data centers, businesses need to put strategic plans in place for the new attack surfaces and availability risks virtualization brings. This session covers the virtualization market and adoption rates; the virtualized threat landscape, including VM theft, replay attacks and compliance; one of the most worrisome concerns, hypervisor vulnerabilities, with a review of Vitriol and BluePill attacks; and protection strategy recommendations.

2:15 PM - 3:15 PM
L17: Situational Awareness: Preparing for the Next Disaster, Not the Last One (500/P)
Moderator: Ronald Thomas, EdD, Embry-Riddle Aeronautical University

Invited panelists will discuss how to move beyond emergency planning for the most recent notable disaster (Oklahoma City, World Trade Center, Hurricane Katrina) and begin looking to the horizon. The three parts of situational awareness (anticipation, analysis, and action) will provide the framework of the discussion.

3:45 PM - 5:00 PM
BC18: The Utility of Failure: The Integral Role of Mistakes in Process Improvement (300/L)
Scott A. Watson, CPP, CFE, S.A. Watson and Associates LLC

We all know the phrase "Failure is not an option." While such statements may play well in a sound-bite-laden society, the reality is that failure is not only an option, it is inevitable! Every person, program and organization eventually experiences a significant failure of some kind. How we decide to respond to the failures of today not only impacts the present but sets a precedent for the future. This session uses case studies to examine how failures and our response to them can be used to strengthen ourselves, our programs and our organizations.

3:45 PM - 5:00 PM
BC19: Resiliency Finally Defined! (300/L)
Douglas Weldon, FBCI, Thomson Reuters and Lisa Young, CISA, CISSP, CERT/SEI, Carnegie Mellon University

The term "resiliency" has been used often in recent times to refer to an advanced achievement in business continuity planning. But each reference seems to be at least a little different than the last in terms of what "resiliency" specifically means. So what does "resiliency" mean? The SEI (Software Engineering Institute) has provided a detailed answer! The SEI Computer Emergency Response Team, of Carnegie Mellon University, has developed extensive guidance through their "Resiliency Engineering Framework," which puts a definitive and specific foundation on the meaning of "resiliency" for both IT and business processes. This session will provide a walkthrough of this important guidance.

3:45 PM - 5:00 PM
EM20: Human Response in the Workplace (400/L)
Kristen Deuel, S1 Corporation

Large concentrations of people who gather on a fairly routine and predictable basis can logically become not only targets of terrorism and victims of human aggression but also potential casualties of pandemic outbreaks and natural disasters. A single office structure today can host thousands of employees from diverse locations; when disasters impact such an environment the effects can have widespread social, economic and psychological impact. Effective disaster preparedness and planning within the private organization can not only mitigate disaster risk but can also offer a considerably positive effect on employees. In order to implement the most effective disaster plan, it is imperative that disaster planners understand the human side of disaster. This paper discusses the human element of the private organization in relation to disasters, and outlines key information for planners when developing and implementing preparedness, response and recovery plans for the workplace.

3:45 PM - 5:00 PM
EM21: Protecting Against the Collapse of Critical Infrastructure (400/L)
Richard Penland, U.S. Army, Europe

Every corporation, every army and every country has critical infrastructure: the things which, if removed, would cause the collapse of the entity. It is imperative for every corporation, army, or country to define, plan for and protect its critical infrastructure against destruction by its enemy or competition. This is a fictitious yet plausible story of a plot to collapse the critical infrastructure of a country. The plot exploits vulnerabilities in the country's policies and procedures during certain environmental conditions that are favorable to its enemy, causing a partial collapse of its critical infrastructure that has a domino effect on the rest of that infrastructure and results in the catastrophic loss of life and property. The awareness gained by the audience in planning and defining their critical infrastructure will help them understand the threats and provide the ability to protect against or decrease the risk of such a collapse.

3:45 PM - 5:00 PM
S22: Consolidating Security Policies and Standards Under One Governance Body (200/L)
Ellen Jackson, Key Bank

Attendees will be introduced to the concept of, the approach to, and the benefits of having one set of security policies and standards that cover all aspects of corporate security, including, but not limited to, information security, physical security, corporate continuity and recovery, incident management, and privacy. As part of the approach, attendees will be provided with a method which includes reviewing current policies and standards, broadening the scope in these standards, when feasible, identifying gaps and creating policies and standards to fill them, and reviewing for continual improvement to ensure they remain current and effective. The benefits to this concept and approach include more effective and easier to understand security content, reduction in redundancy, consistent delivery of security requirements, and easier enforcement efforts. Real-life examples will be provided.

Thursday, November 13

9:15 AM - 12:00 PM
BC25: Disaster Simulation Exercise (300/W)
Jimmy Stanford and Chas Walts, MTSS

Don't be caught unprepared. Find out how you would perform in an actual disaster. This popular workshop at CPM is an attendee favorite and fills up quickly. Sign up early to reserve your seat and be a part of the action.

9:15 AM - 10:30 AM
BC26: Evaluation Plans for Financial Institutions (200/C)
Alan Salkowitz, CBCP, Commerce Bank

This session will focus on how to evaluate your business resumption and disaster recovery plans for financial institutions. The attendee will learn how to set numeric criteria for plan components and use these criteria to score their plans. Learn how to present the information to the regulatory agencies and senior management. Further discussion will include how to evaluate the data collected from the plan evaluation and tier the supporting applications to the business processes. Find out how to evaluate which applications will require testing when competing priorities and resources are an issue in today's competitive climate.

9:15 AM - 10:30 AM
BC27: Workplace Violence Tabletop Exercise (400/W)
Ted Brown, CBCP, KETCHConsulting and Felix Nater, CSC, Nater Associates, Ltd.

This interactive presentation and workshop on workplace violence prevention includes a desktop simulation exercise. Learn what constitutes workplace violence, contributing behaviors and indicators, roles, responsibilities and recommendations. A simulation exercise teaches workplace violence prevention planning using a panel of volunteers to role-play various parts during which they will interact and make business and security decisions for the benefit of the audience.

9:15 AM - 10:30 AM
EM28: Accurate Emergency Information Exchange (300/C)
Brian Shanks, NB Power Nuclear

This case study examines the deployment of a redundant emergency system at a major power utility in Canada. Learn how contact is made with Provincial, Federal and other stakeholders. Lessons learned over a one-year development and deployment program prove that communications must take place before command and control is established.

9:15 AM - 10:30 AM
S29: Developing and Auditing Loss Prevention Policies and Procedures (300/L)
David Patterson, CPP, PSP, CFE, CHS-III, Patterson and Associates

This session provides attendees with an in-depth look at the essential elements of a loss prevention program, such as corporate mission, values, rules of conduct and mandatory policies and procedures. Attendees will learn techniques for developing loss prevention operational concepts for various threat levels. Receive guidance on developing policies and procedures that are essential to an effective loss prevention program. Auditing policies and procedures and considerations for maintenance and training will also be discussed.

10:45 AM - 12:00 PM
BC30: New Practice Standards for Data Center Professionals (300/L)
Jim Nelson, ICOR

With few exceptions, enterprises rely on the IT department for the delivery of many services that support the business mission and objectives. It is logical, then, to anticipate that the data center is designed, maintained, and operated with high availability, efficiency and environmental concerns in mind. Many data centers do not meet this expectation. Changing technologies put even more pressure on data center managers. This presentation focuses on mission-critical facility design, operation and maintenance. Learn valuable lessons and insights for high-availability, tier 3 and tier 4 mission-critical data center environments for both new and existing sites.

10:45 AM - 12:00 PM
BC31: Financial Institutions: Your IT Disaster Recovery Plan Isn't a Business Continuity Plan (400/L)
Greg Livingston, RSM McGladrey

The most common pitfall financial institutions make in the area of business continuity planning is substituting an IT DR plan for a business continuity plan. With the new FFIEC guidelines for BCP (March 2008) there has been added emphasis to evaluating business process, not just systems and applications. This session will outline the new FFIEC guidelines for BCP, discuss what a BIA should include, and discuss what banking examiners are looking for in a financial institution's BC program.

10:45 AM - 12:00 PM
EM32: Miracle at Greensburg (200/C)
Steve Barkley, Union Pacific and Michael R. Smith, C.C.M., WeatherData

The town of Greensburg, Kansas, was destroyed by a tornado May 4, 2007. The fierce storm struck in darkness. In the hours after the tornado, officials put out a call for three refrigerated trucks to store the "hundreds" of bodies they expected to find. When the sun rose the next morning, a miracle was revealed. This is the story of how the science of meteorology saved more than 200 lives that night.

L33: Taking BCP to BCM (400/L)
John Beattie, SunGard

This discussion takes 'check off the audit box' BCP to implementing BCM enterprise wide. Step out of 'BCP on the shelf' and into managing the resiliency of an organization on an enterprise scale by the organization's executive management team. It includes how program managers go to the next level in gaining business ownership of BCM and defining the strategic process to implement.

2:45 PM - 4:00 PM
BC35: Governance, Risk and Compliance Process Management (300/L)
Brian Barnier, IBM

Organization, culture, collaboration and ethics are paramount to creating a governance process that is healthy and efficient, rather than one that simply adds a new layer of bureaucracy. It is imperative that you design a governance process that is healthy for your organization by designing tools that help streamline decision-making and outcomes evaluation processes. In this session, you will learn how to align business and IT goals to increase value from IT investment; better measure performance; improve regulatory compliance with more effective procedures and controls; use compliance cost to achieve other strategic objectives and assess risk on an enterprise-wide basis.

2:45 PM - 4:00 PM
BC36: Bringing Pandemic Plans to the Next Level (400/C)
Suzanne Bernier, Workplace Safety & Insurance Board of Ontario

In this session, attendees will learn how to take their current pandemic plans to the next level. While many organizations have started pandemic planning, this session will demonstrate how Ontario's Workplace Safety & Insurance Board has gone the next step to ensure continuity of operations during a possible pandemic. This includes sharing detailed plans the WSIB has prepared to ensure it can support the mental health of its employees, as well as ensuring adequate staff coverage, particularly with senior management and key decision makers within the organisation. The study will also review what the WSIB has already done to educate employees on pandemic illness and prepare them in a positive and practical manner.

2:45 PM - 4:00 PM
EM37: OEP: Protecting Those with Disabilities (300/L)
Zelda Carter-Umana and Jerry Stanphill, U.S. Securities and Exchange Commission

The U.S. Securities and Exchange Commission emergency preparedness staff will guide participants through a multi-story building from the perspective of emergency managers forecasting the challenges and solutions of protecting the workforce to include employees and visitors with temporary or permanent mobility impairments, respiratory conditions and cognitive delays. Participants will gain a better understanding of the proactive initiatives to introduce new employees to occupant emergency plans (OEP), getting employees involved in the program and OEP volunteer retention. Participants will be briefed on the OEP headquarters and regional offices best practices and areas of needed improvement.

2:45 PM - 4:00 PM
S34: Detection K-9s and Their Increased Deployment in Emergencies (200/W)
Hank Nolin, CPP, CAS, CHS III, Sun State Specialty K-9s, Inc.

This session will allow attendees to come up to speed on the increased demand for, and deployment of, explosive detection K-9 teams. From transportation security to NBA games, many previously undisturbed entities are now putting these highly trained teams to the test. Learn how these K-9s are trained and observe up close how they do their work. In addition, other industries have employed newly developed detection K-9 teams, many working in the aftermath of Hurricane Katrina.

2:45 PM - 4:00 PM
S38: Security Incident Response vs Security Emergency Preparedness (300/C)
Martin Waterhouse, Chevron

For many companies and organizations, achieving the "perfect" security incident response and continuity planning process will likely prove to be extremely cost prohibitive. This study will investigate the challenge of establishing and maintaining an effective level of expertise and coverage for security incident response/continuity while working within a cost-constrained environment. Areas of discussion include essential elements such as: education, internal marketing, communications, peer assistance, effective risk/threat assessments, external security services, automated tools, incident avoidance/interference, creative funding and additional best practices such as financial or other incentives to participate.

4:15 PM - 5:30 PM
BC39: Ensuring a Successful BIA (300/L)
Ted Brown, CBCP, and Morris Davis, CBCP, KETCHConsulting

Need a review of the "critical success factors" that lead to a quality BIA? Look no further. Participants in this session will discuss common pitfalls that usually end in failure. Other discussions will include the project plan, surveys, goals, output, sponsors, management buy-in, necessary resources and more.

4:15 PM - 5:30 PM
BC40: Most Critical Element and Most Forgotten in Business Continuity Planning (500/L)
Diane F. Fojt, Corporate Crisis Management

This presentation will feature the complexities of managing the unexpected and will outline steps a company can take to prepare for and respond to life altering events. Undoubtedly, at some point, every executive will play a critical role in managing crises for the organization and be expected to make all the right decisions. When managing a crisis two words come to mind: accountability and liability. Learn the secrets of how to increase accountability while decreasing liability. A well developed business continuity plan should include a heavy emphasis on human continuity. Learn how to analyze the top 10 reasons why a crisis grows larger over time, avoid the 5 most common mistakes when dealing with a traumatic event, and how to strategize 3 key methods to contain chaos.

4:15 PM - 5:30 PM
EM41: Pfizer Headquarters Recovery from Manhattan Steam Pipe Explosion (300/C)
Paul Katzer, Pfizer, Inc.

On July 14th, 2007 a steam pipe in mid-town Manhattan exploded, sending a 400-degree Fahrenheit jet of steam into the air and causing minor damage to the surrounding buildings. However, because the burst pipe had been insulated with asbestos, the area was immediately presumed to be unsafe, and New York City officials quickly restricted access to the area. One of Pfizer's headquarters buildings was adjacent to the blast site and was closed to Pfizer colleagues until the Department of Health deemed the building safe to re-occupy. In this talk, Pfizer's Headquarters BCM Leader describes the company's emergency response, business recovery and facility restoration and how Pfizer ensured the confidence of the colleagues working in the affected building.

4:15 PM - 5:30 PM
S42: PCI DSS: Do I Need to Be Concerned? (300/L)
Peter Gallinari

The Payment Card Industry Data Security Standard (PCI DSS) applies to every organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data. Even vendors who process your work must be PCI compliant, and you as the data owner are responsible to comply. This review will help ease the mind of corporate leaders on what is a must have and what can wait, along with answering the questions: do I need to worry about PCI; what is a QSA; and what are compensating controls.

4:15 PM - 5:30 PM
L43: Strategic Crisis Leadership (400/L)
Bruce T. Blythe, Crisis Management International

At the heart of any crisis response are strategic decisions that serve as defining moments. These decisions can bring you and your organization toward successful resolution or they can spiral you deeper into the damage. Most crisis preparedness is focused at the tactical level, i.e., evacuation, emergency response, notifications, communications, accommodating media, etc. Beyond tactics, the attention here will be on strategic crisis management, which by definition is making the right decisions and doing the right things during high consequence crises. Leadership in unexpected crises with high visibility, inadequate time and information, personal stress, and high velocity developments requires skills and capabilities beyond daily leadership. This presentation answers, “how can you optimize your personal and team effectiveness when an unexpected crisis hits?” Take-and-use guidelines will be provided to increase the likelihood that, when needed, you will become a crisis champion.

Friday, November 14

10:00 AM - 12:00 PM
EM45: Staff Evacuation Procedures for Hurricane Preparedness (400/L)
Daniel Baigne, GSR Consulting, Kevin Doherty and Herve Riou, SBCI, Montague Risk Management

In this 2-hour workshop, learn with three experts how civil authorities decide to issue evacuation decisions, how you can plan for a smooth and effective staff evacuation, and how you can track your staff members in the immediate hours and days following a severe interruption. This information will allow you to prepare your company to shut down and effectively weather the storm. Learn how to plan a pre-deployment to an alternate location, including moving your key staff ahead of the event, as well as designing and implementing a customer communications plan so that they know how to reach critical support staff. Hear how you can implement a set of tools and procedures that will allow you to communicate with your staff prior to the storm making landfall and after the storm has passed, and support both your staff and recovery of company operations from a remote EOC.

10:00 AM - 11:15 AM
BC46: Applications Impacts Analysis: Cornerstone of the BIA (300/L)
Larry Marler, CFCP, Southern Farm Bureau Casualty Insurance Company

Gathering data for a BIA can sometimes be difficult even with C-level support. Traditional data gathering methods don't work in every venue. Don't despair; there is an easier way! Use IT to gather basic BIA data and, in the process, fine-tune the technical recovery program. The applications impacts analysis provides supporting functional data for the BIA. It helps determine technical and functional interdependencies, inventories, and key personnel, and provides useful data for determining RTOs, RPOs, and other supporting data required for the BIA. This presentation will provide you with the knowledge you need to implement an applications impacts analysis. Use this knowledge to enhance your BIA efforts and IT disaster recovery program, and bring added value to your business continuity program.

10:00 AM - 11:15 AM
BC47: Disaster Recovery: When Time Is Of the Essence, Do You Know What Time It Is? (400/C)
Telva Chase, MBCI, CFCP, Thomson Reuters and Jerry Varney, FBCI, Vigilant Services Group

This case study outlines how the Healthcare & Scientific businesses of Thomson Reuters are developing end-to-end recovery timelines (project schedules) for their data centers, for all production systems/applications. When recovery priorities, procedures, dependencies, resources and timings are added to a project schedule, it very quickly shows if recovery is viable within the prescribed RTOs and/or already signed customer SLAs. This session will review all the challenges, opportunities and necessary components to outline detailed recovery timelines by data center. The recovery timeline approach has worked well where the IT staff is a shared resource and recovery sites are geographically dispersed. The approach is also integrated with our incident management and emergency response plans providing Thomson with a well-understood, feasible recovery solution for its people, assets, systems and applications.

10:00 AM - 11:15 AM
EM48: Essential Function Identification and Submission Process (500/L)
Mark Spreitzer, CBCP, CGI Federal

The ultimate goal of continuity is the continuation of Essential Functions. In order to achieve that goal, the objective for departments and organizations is to identify their Mission Essential Functions (MEFs) and the Primary Mission Essential Functions (PMEFs) that support the organization and ensure that those functions can be continued throughout, or resumed rapidly after, a disruption of normal activities. The continuous performance of essential functions must be guaranteed with the right people, resources and planning. Continuity cannot occur without the commitment and dedication of many partners. This session will describe the process for identifying essential functions and mapping the associated value chains (business process analysis) as input to the business impact analysis. The framework for this session will follow the recent Federal Continuity Directives 1 and 2.

10:00 AM - 11:15 AM
S49: Evaluating Your Physical Security Program (300/L)
Scott A. Watson, CPP, CFE, S.A.Watson & Associates L.L.C.

Utilizing numerous case studies, this session will provide a step-by-step introduction to evaluating your organization's physical security needs in the context of an overall enterprise protection program. Specific topics addressed in this session will include comparative organizational structures of security departments, risk analysis methodology, characteristics of a well-protected facility, security technologies and the acquisition, deployment and management of security personnel.

11:30 AM - 12:45 PM
BC50: BS 25999: The New Generation of Business Continuity (400/L)
John DiMaria, BSI Management

The purpose of the BS 25999 standard is to provide a basis for understanding, developing and implementing business continuity within an organization and to provide confidence in business-to-business and business-to-customer dealings. It also enables the organization to measure its BCM capability in a consistent, recognized and auditable manner that is recognized globally. Attendees will get an understanding of BS 25999 business continuity management versus business continuity planning, learn the structure and content of the BS 25999 business continuity standard, compare BS 25999 with other frameworks, and understand the BS 25999 certification process.

11:30 AM - 12:45 PM
S51: Beyond Resilience (500/L)
Maitland Hyslop, Onyx Group

There is a disconnect between events in the Middle East and events at home related to information security. This lecture suggests that we need to wake up to the impact of information technology, organized crime and the reactions to globalization, the export of democracy, and effects-based operations on organizations. An effective counter-measure is the hardened organization. Creating one is subtler than you might think. Learn of the new threats, and the counter-measures, to organizations and the steps needed to create an effective hardened organization. The hardened organization is a step beyond resilience.

11:30 AM - 12:45 PM
S52: Reliable Security in Times of Crisis: The Proper Assessment of Security Vendors (300/L)
Edward Sorrells, DSI Security Services

Security services can be one of the most vital components in a business continuity plan. It is imperative that security functions are well defined, rehearsed, and ready to be performed when a disaster strikes. The proper selection of an outside security vendor can in some cases be the difference between the success and failure of a plan. This session will explore some of the most vital security measures that should be taken to ensure business continuity, and most importantly, how to select the vendor that will be best equipped to meet the challenge. Learn proven and practical steps that can be taken to properly screen and assess potential vendors to ensure that they are capable of providing service in times of crisis.

11:30 AM - 12:45 PM
L53: Buzzworthy 2009 (400/P)
Moderator: John Taylor, HS Leader

Buzzworthy 2009 is a power-packed session where the panelists will review emerging trends and technologies in homeland security. The session will include a panel of homeland security leaders who detail technologies from a variety of sectors including emergency management, intelligence, cyber security, biometrics and corporate security. The fun and interactive panel discussion will cover a wide spectrum and allow for audience participation and recommendations. The panel participants attend dozens of technology tradeshows per year and review hundreds of emerging technologies. This session will allow attendees to get an inside track on the technologies of tomorrow.

