60 2.5 Emergency Incident Assessment
cannot be measured in specific units but can be qualified or described in terms of high, medium, and low impacts.
Because of the generic nature of this discussion, this book describes only the qualitative categories: high, medium, and low impact. High impact is when exercise of the vulnerability may result in the costly loss of major tangible assets or resources; or may significantly violate, harm, or impede an organization's mission, reputation, or interest; or may result in human death or serious injury. Medium impact is when exercise of the vulnerability may result in the loss of tangible assets or resources; or may violate, harm, or impede an organization's mission, reputation, or interest; or may result in human injury. Finally, low impact is when exercise of the vulnerability may result in the loss of some tangible assets or resources or may noticeably affect an organization's mission, reputation, or interest. In the following sections, we list some potential emergencies that you should evaluate for business disruption as a serious information security incident.
2.5.5.1 Cybercrime
Cybercrime is a major area of information security risk. It includes attacks by hackers, denial-of-service attacks, virus attacks, hoax virus warnings, and premeditated internal attacks. All cybercrime attacks can have an immediate and devastating effect on the organization's normal business processes. The average cost of an information security incident has been estimated at US$30,000, and more than 60% of organizations are reported to experience one or more incidents every year.
2.5.5.2 Loss of Records or Data
The loss of records or data can be particularly disruptive where poor backup and recovery procedures result in the need to reinput and recompile the records. This is normally a slow process and is particularly labor-intensive, which can result in an increase in costs through additional working hours and a great deal of embarrassment when information is unexpectedly not available.
2.5.5.3 Disclosure of Sensitive Information
This is a serious information security incident, which can result in severe embarrassment, financial loss, and even litigation where damage has been caused to someone's reputation or financial standing. Further types of serious disclosure involve secret patent information, plans and strategic directions, secret recipes or ingredients, information disclosed to legal representatives, and so on. Deliberate, unauthorized disclosure of sensitive information is also referred to as espionage.
2.5.5.4 IT System Failure
With the almost total level of dependence on IT systems within the vast majority of businesses, a failure of these systems can be particularly devastating. The types of threats to computer systems are many and varied, including hardware failure, damage to cables, water leaks and fires, air-conditioning system failures, network failures, application system failures, telecommunications equipment failures, and so on. Each of the above scenarios needs to be developed and examined in detail and an analysis prepared of the consequences of each potential scenario. Each scenario should also be assessed for possibility of occurrence (probability rating) and possible impact (impact rating) using the worksheet provided in Figure 2.7.
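The probability-and-impact assessment described above can be kept as a small scoring table rather than a paper worksheet. The following Python script is an added example, not the book's Figure 2.7 worksheet and not code from the book: it uses the book's three qualitative bands (high, medium, low) for both ratings, but the numeric values assigned to each band, the rule for combining them (product), the thresholds that map the combined score back to a band, and the sample scenarios are all assumptions made here for illustration.

```python
"""Probability/impact worksheet for emergency-scenario assessment.

Added example, not from the book. The ordinal values, the combination rule
and the band thresholds below are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed ordinal mapping for the book's qualitative ratings.
RATING_LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Scenario:
    """One emergency scenario with its two qualitative ratings."""
    name: str
    probability: str  # "low" | "medium" | "high"
    impact: str       # "low" | "medium" | "high"


def validate_rating(rating: str) -> int:
    """Return the ordinal value for a rating, rejecting anything outside the three bands."""
    key = rating.strip().lower()
    if key not in RATING_LEVELS:
        raise ValueError(
            f"unknown rating {rating!r}; expected one of {sorted(RATING_LEVELS)}"
        )
    return RATING_LEVELS[key]


def risk_score(scenario: Scenario) -> int:
    """Combine probability and impact into a score from 1 to 9 (assumed rule: product)."""
    return validate_rating(scenario.probability) * validate_rating(scenario.impact)


def risk_band(score: int) -> str:
    """Map a combined score back onto the three bands.

    Thresholds are an assumption: 6-9 high, 3-4 medium, 1-2 low.
    """
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize(scenarios: list[Scenario]) -> list[tuple[str, int, str]]:
    """Return (name, score, band) rows, highest risk first; ties keep input order."""
    rows = [(s.name, risk_score(s), risk_band(risk_score(s))) for s in scenarios]
    return sorted(rows, key=lambda row: row[1], reverse=True)  # sorted() is stable


def render_worksheet(scenarios: list[Scenario]) -> str:
    """Render the prioritized rows as a plain-text worksheet."""
    header = f"{'Scenario':<42}{'Score':>6}  Band"
    lines = [header, "-" * len(header)]
    for name, score, band in prioritize(scenarios):
        lines.append(f"{name:<42}{score:>6}  {band}")
    return "\n".join(lines)


# Constructed sample scenarios drawn from the categories the text discusses.
SAMPLE_SCENARIOS = [
    Scenario("Denial-of-service attack", "high", "high"),
    Scenario("Loss of records (poor backups)", "medium", "high"),
    Scenario("Disclosure of sensitive information", "low", "high"),
    Scenario("Air-conditioning failure in server room", "medium", "medium"),
    Scenario("Hoax virus warning", "high", "low"),
]

if __name__ == "__main__":
    print(render_worksheet(SAMPLE_SCENARIOS))
```

Because `validate_rating` rejects any value outside the three bands, a typo such as "critical" on a worksheet row fails loudly instead of silently scoring as zero; the stable sort keeps scenarios with equal scores in the order they were entered, so a reviewer can still see which of two "medium" rows was raised first.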
2.5.6 Other Emergency Situations
You will need to examine each potential disaster or emergency situation. The focus should be on the level of business disruption likely from other emergency situations not already covered above. Potential emergencies include business disruption caused by one or more of the following incidents.
2.5.6.1 Contamination and Environmental Hazards
Contamination and environmental hazards include polluted air, polluted water, chemicals, radiation, asbestos, smoke, dampness and mildew, toxic waste, and oil pollution. Many of these conditions can disrupt business processes directly and, in addition, cause sickness among employees. This can result in prosecution or litigation if more permanent damage to employees' health occurs. Hazardous materials are substances that are either flammable or combustible, explosive, toxic, noxious, corrosive, oxidizable, an irritant, or radioactive. A hazardous material spill or release can pose a risk to life, health, or property. An incident can result in the evacuation of a few people, a section of a facility, or an entire neighborhood. There are a number of federal laws that regulate hazardous materials, including:
[Figure 2.7: Information security incident probability and impact assessment worksheet.]
The Superfund Amendments and Re-authorization Act of 1986 (SARA)
The Resource Conservation and Recovery Act of 1976 (RCRA)
The Hazardous Materials Transportation Act (HMTA)
The Occupational Safety and Health Act (OSHA)
The Toxic Substances Control Act (TSCA)
The Clean Air Act
Title III of SARA regulates the packaging, labeling, handling, storage, and transportation of hazardous materials. The law requires facilities to furnish information about the quantities and health effects of materials used at the facility, and to promptly notify local and state officials whenever a significant release of hazardous materials occurs.
In addition to onsite hazards, you should be aware of the potential for an offsite incident affecting your operations. You should also be aware of hazardous materials used in facility processes and in the construction of the physical plant. Detailed definitions, as well as lists of hazardous materials, can be obtained from the Environmental Protection Agency (EPA) and the Occupational Safety and Health Administration (OSHA).
2.5.6.2 Epidemic
An epidemic can occur when a contagious illness affects a large number of persons within a country or region. This can have a particularly devastating short-term impact on business through a large number of persons being absent from work at the same time. Certain illnesses can have a longer-term effect on the business, when long-term illness or death results. An example of this extreme situation is occurring in certain third world countries, where the AIDS virus is considered to be of epidemic proportions.
2.5.6.3 Workplace Violence
Acts of violence in the workplace can affect morale, encourage absenteeism, create fear and uncertainty, and increase the employee turnover rate. This can have a significant effect on productivity and could also result in claims for workers' compensation, harassment claims, and a need for increased security measures. Statistically, this type of incident is especially prevalent at organizations that have recently merged or are being resized or restructured, where there are regular threats of industrial action, or where permanent employees have been replaced with temporary employees.
2.5.6.4 Public Transportation Disruption
Disruption to public transportation has a major effect on businesses through the inability of employees to get to their normal place of work. This disruption can be caused through major accidents, industrial action, equipment failure, bad weather conditions, and major preventative repairs. Difficult traveling conditions increase absenteeism, as well as lower morale and productivity.
2.5.6.5 Neighborhood Hazard
A neighborhood hazard is defined as a disruptive event in the close vicinity that directly or indirectly affects your own premises and employees. An example would be the seepage of hazardous waste from a neighboring factory, or the escape of toxic gases from a local chemical plant. Health and safety regulations require that the organization take suitable action to protect its employees. This may have severe disruptive implications for the business, particularly when it can take some time to clear the hazard.
2.5.7 Nonemergency Factors
Several nonemergency factors can have a negative impact on your ability to resume business operations after an emergency or disaster. We have highlighted a few of the most important factors in the following paragraphs. It is important that these areas be addressed as part of the BCP so that none of these becomes a disaster unto itself. It will be much more cost-effective and efficient, and less distracting to your limited resources, to plan ahead for these potential issues than to try to address them on the fly during an emergency and during recovery.
2.5.7.1 Health and Safety Regulations
For organizations that do not properly and fully observe all the necessary health and safety regulations, a complaint or an inspection can result in the operation being completely closed down until the situation is corrected. This could result in substantial delays on major projects with significant financial implications. Organizations should ensure that they meet the necessary regulations and requirements at all times.
2.5.7.2 Employee Morale
A large number of internal or external factors can have a direct impact on the level of employee morale. This can often arise where there is a combination of poor management, uncertainty, and difficult working conditions. Productivity will be affected and employee turnover is likely to rise.
2.5.7.3 Mergers and Acquisitions
Mergers and acquisitions can be extremely destabilizing on the employees of both businesses involved. Employees may be uncertain about how they will be affected, or even whether they are about to lose their jobs. Unless the merger/acquisition is managed well, the effect on the staff could be considerable, with a dramatic lowering of morale and productivity.
2.5.7.4 Negative Publicity
Unfavorable press comments can result in a lowering of employee morale or a loss of customers. Any company can suffer from negative publicity, and an internal crisis is best resolved from within, before the media feed on the uncertainties and disputes. Reports may also be inaccurate, particularly where reliable information is not available, and therefore well-worded press statements may be issued to counter adverse reports. Information can be leaked to the press by disgruntled employees and industry competitors.
2.5.7.5 Legal Problems
Legal problems are both time-consuming and expensive. Organizations can experience a wide range of legal issues, including sexual harassment, contract disputes, copyright disputes, health and safety regulations, and discrimination. It is important that organizations are fully aware of their legal duties and of the rights of their employees.