Foreword
Foreword by Mr. Paul Kurtz
Paul B. Kurtz is currently the executive director of the Cyber Security Industry Alliance. Most recently, Paul was special assistant to the President and senior director for critical infrastructure protection on the White House’s Homeland Security Council (HSC), where he was responsible for both physical and cyberspace security. Before joining HSC in 2003, Kurtz served on the White House’s National Security Council (NSC) as senior director for national security of the Office of Cyberspace Security and a member of the President’s Critical Infrastructure Protection Board, where he developed the international component of the National Strategy to Secure Cyberspace. Previously, he was a director for counter-terrorism in the NSC’s Office of Transnational Threats from 1999 to 2001. Prior to his White House work, Kurtz served in several bureaus in the State Department, specializing in weapons of mass destruction non-proliferation policy and strategic arms control. He also served as political advisor to Operation Provide Comfort in Incirlik, Turkey, and as science attaché in Vienna, Austria. He participated in several arms control inspection teams, traveling to Iraq and North Korea. Kurtz received his Bachelor’s degree from Holy Cross College and his Master’s degree in International Public Policy from Johns Hopkins University’s School of Advanced International Studies.
Planning for recovery from a disaster is now commonly recognized as an essential component in the management of risk. Businesses today have become accustomed to planning for commercial risks, such as the sudden failure of a critical parts supplier, an unexpected debt or liability, labor strikes, or the discovery of a serious fault in a retail product. Planning for a terrorist incident is, in many ways, very similar. Nearly one in five businesses suffer a major disruption every year. Business continuity planning is a means of ensuring that essential functions of your business survive a terrorist incident, natural disaster, or other disruption. It is crucial for any business or organization to plan its survival following the loss or denial of access to buildings, a significant number of staff, their IT systems, important records and information, or myriad other assets they depend upon to operate successfully.
I have learned in my career that one can never plan enough to mitigate all of the effects of a disaster. I have been privileged to participate in strategic planning for many unforeseen events; such experiences expose the magnitude and scope of devastation and destruction with which people close to the event must contend. In the middle of such unforeseen events, there is little one can do to stop an explosion, a volcano, flood, fire, or myriad other things that we see happen every day in our instant-news environment. What one must realize is that the distinguishing factor between coping successfully with such events or being totally overwhelmed and unable to cope at all is the amount of planning and preparation that takes place before the event occurs. This, of course, does not mean preparation and planning will insulate those who take such steps from the explosion’s effects, or from the waters of a flood, but it does mean that their likelihood of preventing greater damage or of lessening the effects of damage is greater than that of someone who did nothing. While no amount of planning can magically defray the effects of a disaster, planning and preparation can help reduce the after-effects and aid in recovery after such events.
In Business Continuity and Disaster Recovery for InfoSec Managers, Drs.
Rittinghouse and Ransome present a thorough, well-structured explanation
of the need for taking such preventative measures. They have carefully
crafted a presentation of the material that is crucial to help any organization
develop a set of contingency plans that will assist in the recovery process.
The book is clearly business oriented, and from the very first page, the
authors emphasize the need to understand what can happen and why the
organizations that survive such events are the ones that have prepared for
their mitigation and recovery. They candidly point out that organizations
that fail to do so generally do not survive the effects of an event.
In Chapter 1, they present the issue of planning, distinguishing between the contingency and continuity planning processes and explaining each facet of planning that an organization must undertake to create a successful Business Continuity Plan. They even cover the steps necessary to organize a project team to build the plan. In Chapter 2, the process of risk assessment is covered thoroughly. It is impossible to cover every conceivable aspect of business risk assessment in any book, but the authors have presented a cogent approach for businesses that allows planning teams to look at what is possible for them and perform an impact analysis from that perspective. A very complete coverage of business impact analysis is presented.
I am reminded of the old adage that “an ounce of prevention is worth a pound of cure” when I think of the things that could have been done in nearly any circumstance you read or hear about today. The focus of Chapter 3 in this book is ways to develop strategies that mitigate the effects of an unforeseen event. This section covers preventative measures that can be taken and preventative controls that can be implemented to reduce the impact of an incident on an organization. Having the foresight to prepare for such unforeseen events is not just good business practice these days; it is often required by law.
Chapter 4 of this book shows how to prepare for emergencies and what steps must be taken to facilitate a recovery process. In any event, there are really two stages of recovery that take place. First, when the event occurs, an organization must recover from the immediate threat of that event. Second, after the event, an organization must recover business operations. Chapters 5 and 6 deal precisely with those two stages of recovery and provide the reader with an insightful look at how organizations should be prepared to respond.
There is no amount of contingency planning in any organization that will be effective without proper training and periodic testing. Drs. Rittinghouse and Ransome provide a complete and concise approach organizations can leverage to develop testing, auditing, and training programs in Chapter 7. Strategic audits and recurring training often differentiate organizations that recover successfully from organizations that never quite seem to get back on their feet. Even those organizations that do manage to stand up operations again have often suffered great losses in the process, and can never really regain momentum in the marketplace or leadership in the industry after they suffer a catastrophe. This drives home the need for continuing maintenance of the strategic plans an organization invests its money to build. Business Continuity Planning should be considered a strategic investment in any organization, and I think Business Continuity and Disaster Recovery for InfoSec Managers is an investment every organization should make to learn how to properly prepare and plan for disaster.
Paul B. Kurtz
Executive Director of the Cyber Security Industry Alliance
7/20/05