3820 W Happy Valley Rd, Glendale, AZ 85310
(888) 689-2290

MHA Consulting



Do You Know the Current Business Climate?

By No Comments

Understanding how the business climate is changing  will allow to you start looking at how you may need to change your recovery and resiliency strategies.

I was recently talking with my father who was in the convenience store and gasoline distribution business his entire career. We were talking about planning and how the business climate changes over time. He mentioned that when pay-at-the-pump devices first came to stations, his company resisted implementing them. Their convenience store model was to get customers to walk into the store to pay so they would purchase additional items. Their money was not made on gas sales, but on the sale of store items (beverages, candy, etc.). My father was an advocate of putting the new pumps in. He saw it as being more important than just having customers walk into the store, but instead making sure that customers were comfortable using the store for both gas purchases and quick stops for other items. If they got in the habit of using a different store to get gas because of pay-at-the-pump, they would likely stop at that store for drinks and other items as well. The result: a lost customer.

Do you know how your business climate may be evolving? Do your current processes or paradigms still meet customer needs and desires? In previous blogs and presentations, we have encouraged those in continuity planning to learn about their business processes. Understanding how the business climate is changing – and how business processes and functions may be changing along with that – will allow to you start looking at how you may need to change your recovery and resiliency strategies.

Consider the items below as you identify how your business may be changing.


As your technology strategy evolves to meet the needs of the business climate, you need to re-assess the impacts of an event on IT recovery. What is the network impact? Network traffic, availability, and additional devices need to be addressed. Will the need for increased bandwidth impact other areas? What about change in the number of transactions? How might that impact data requirements? Will you need to look at a more resilient architecture rather than a recovery architecture?

How has data changed? What are the HIPAA or PII impacts? How will you ensure that this information is protected during an emergency event or when processing at a recovery location? Will there be changes to your online or social presence; has that changed the recovery/availability requirement?


People’s roles and responsibilities may have changed over time. Have these changes created a need for a different maintenance schedule or cycle? How will that impact staffing and shifts? What about potential natural events that may impact personnel availability or access? Will your staffing strategies during events need to change?


With the change in business processes, does the importance of the physical location change? Are people in the locations at different hours? Will security have to change? While the risks to the locations may remain constant, the impact of any given event may evolve over time.


You should also consider how you may need to adjust your recovery plans over time. Will you need to readjust the relocation strategy or workaround procedures to address the changing environment? Will the dependencies between departments impact the continuity strategy? Contact lists and notification processes may have to be modified.

Unsure of where to start? Understanding your current business climate should be an important factor in all your planning efforts. A good place to start your assessment is with a current BIA (Business impact analysis). You can use the BIA information to see how changes may impact the entire organization and what business units may need to be addressed.

by Richard Long, Senior Advisory Consultant, MHA Consulting

Are You Improving and Evolving?

By No Comments

Richard Long, Senior Advisory Consultant, MHA Consulting

Our most recent blogs have been on how to improve your organization. But what about self-improvement? People are often the most important resource to an organization, though it is rare that a single individual will make or break the organization or is so important that the organization will fail without them. As an important resource to the organization you work for, what are you doing to improve yourself, whether personally or professionally? In today’s budget conscious environment, often training or personal development dollars are limited, or time is simply not available. As with many things in our lives, individuals should take ownership of this and not rely on others. Even if your organization does not provide development opportunities, this quote from Jeff Bezos, CEO of Amazon, is appropriate – “What’s dangerous is not to evolve.”

How might we go about our own personal evolution? Here are several ideas. None of them are directly related to our work, but by improving other areas of our lives, we will be more effective as employees or resources for the organization.


Choose one or two goals outside of your work. Make the goals a challenge, but not impossible. Do not make too many goals or you will not meet any of them. I am a member of an organization that provides 10+ goals each year to its members. During the year, any one of these may get priority and see progress, but then another gets priority and the first stops progressing. We don’t have time to put appropriate effort into 10 goals along with all our other responsibilities.


Our physical health should also be a primary focus. Without good health we cannot work effectively or support our family and friends. It is a critical dependency, using BCP language. Identify a way to improve your eating or exercise habits. Use a calorie counting app to help or just identify what is important for your diet; maybe increase your water intake by decreasing or eliminating soft drinks. Increase your physical activity. Make the time to take a 10 – 15 minute walk each day or use a 7-minute exercise program (there are multiple apps). The 7-minute exercise program is 14 exercises done for 20 seconds each, with 10 seconds rest between. Get your family or friends involved.


Consider meditation or just ponder a specific topic each day – maybe five minutes before going to work or before going to bed. There are multiple free sites on the Internet on meditation or concentration exercises. Taking a few minutes of time alone to just relax, breath and decompress can reduce stress and lower blood pressure. Talk to a friend or loved one (I mean talk with your voice – face to face or by phone, not through written messages exchanged on social media). Again these conversations do not have to be long or occur every day.


Learn a new skill or just learn a new word. Remember learning vocabulary in school? Why not try it again? Maybe choose a language from a culture you want to know more about or from the home country of one of your clients. Learn some of the vocabulary using a word of the day approach. Take an online course (I plan on taking an online history class). Often there are free courses – and they are much more productive than spending time on social media reading about kittens, political diatribes, or just insignificant life actions. That being said, there are wonderful topics to discuss over social media and opportunities for learning, so SM can be used as well.

As you improve different aspects of your life, just a little at a time, you will also become a better employee. You may be able to use the new experiences in relation to your job. More importantly, you will become the example Dr. Seuss wrote about – “Will you succeed? Yes, you will indeed! Nine-eight and three-quarters percent guaranteed.”

Understanding Actual Risks to Your Organization

By No Comments


Richard Long, Senior Advisory Consultant, MHA Consulting

There is an ongoing national conversation around the relationship between law enforcement and various civilian populations. In talking to friends of diverse ethnic backgrounds, it has become clear to me that my perceptions and how I go about my daily activities are different from some of my friends and acquaintances. This blog is not to comment on that, but rather to relate it to our business risk assessment.

There is not a single risk profile. Depending on the type of business, facility location, public perceptions, etc., the same event may be more or less likely to occur or may have a different impact. This may be an obvious statement, but how many of us in the risk or business continuity area evaluate the actual risks to our organization rather than looking at risk in the same old way or with the same bias? The following are items or areas to consider. While not necessarily complete, this list may prompt thoughts specific to your organization.

When I work with clients, I find that they almost always use natural events for disaster scenarios. Interestingly, those are typically the areas for which preparations are more mature and mitigations are in place – at least from a technology or facilities perspective. Data centers are hardened and relocation and evacuation plans are in place. However, the impact to people has often not been evaluated. Will employees’ homes be impacted? What if employees are unavailable? Is remote access sufficient? Remote access may be available, but that may not be the issue. I know of a company that was dealing with flooding in the area. The data center and business location were not impacted, but a significant number of peoples’ homes were flooded – those people were either not available to work or had to drop off unexpectedly during calls because their sump pumps could not keep up with the flow of water into their homes.

Staffing. What is the nature of your organization’s staffing? Are there multiple areas with only one person responsible for tasks? As an example: an organization has dual coverage for a certain function. This is a specialized function that would require resources from other locations to assist if needed. Each person takes their 6 – 8 weeks of vacation annually, often in a single vacation. So, for up to 16 weeks a year, there is only 1 person available to perform the functions, often for weeks at a time.

Risk Profile. It is not enough to simply know what your unmitigated risks are, or to know when your risk mitigation is not sufficient. A risk that most companies acknowledge, but for which they may or may not be prepared, is the potential for security breaches. Unfortunately, what we hear is true: it is not if, but when a breach will occur. Organizations must have a well thought out, tested, and comprehensive plan. You must recognize the risk of a data breach to your organization. Identify any proprietary, personal, or sensitive data. What would the impact be if any or all of these data stores were compromised?

Organization Profile. Has your organization grown, decreased or changed its product or service suite? How have acquisitions impacted your risk profile?

Physical security. How much of a risk is there? Is the show of security enough – think of a security sign outside a house, but no actual security system? Criminals may not take the chance. What are the security issues? Should you place more emphasis on keeping your employees safe or on the risk of theft (internal or external)? Is your organization in a location that could have collateral damage due to protests (even though your business is exceedingly innocuous)? Has the neighborhood changed over the years? Is there a need for different security from years past?

Insurance. We often hear “insurance will cover any losses.” There are typically specific notification and documentation requirements, along with preventative measures that are part of the insurance policy. Have those clauses been reviewed? Are you in compliance, or are you prepared to comply during an event? Are the notification and documentation requirements included in the appropriate crisis and recovery plans? As part of the risk review and mitigation process, you should review and update your insurance needs as well.

Risk management and mitigation are an important part of our role in continuity planning, but we must understand the actual risks, especially those that will have the largest impact and those with the highest probability of occurring. It is critical to put the appropriate mitigation strategies in place. Possibly the most important aspect of Risk Management is bringing the risk and impacts to light; ignore them at your own peril.

Internet of Things or Pervasive Connectivity

By No Comments

Richard Long, Senior Advisory Consultant, MHA Consulting

The Internet of Things (IoT) gets a lot of attention in blogs and podcasts. Tracking our fitness with an app is convenient; connecting our refrigerators to the Internet so we can access it with our smart phones seems exciting; and “answering” the doorbell while on vacation gives us an increased feeling of security. But how might the increase in devices connected to the Internet or within our networks affect us as planning professionals?

I recently heard an interesting term that gives a better idea of what IoT is: Pervasive Connectivity. We are getting to a stage where “everything” will be connected in some form or fashion. Devices may not be connected to the Internet directly, but over our home or corporate networks instead.

Here a few items to consider:

  • Security
  • Long-term viability
  • Unintended consequences
  • Interpersonal interactions
  • Supportability
  • Number of applications now critical to an organization
  • Configuration management

Security: While you may not have any IoT devices in your organization, how many employees are using them at home? How secure are the applications on their phones that are connected to your network? Can you segregate access from handheld devices? If you have IoT devices in your organization, how secure is that connectivity? Remember, the least secure portion of your network will be where malicious attacks occur. Would it not be ironic to have your Internet-connected refrigerator be the conduit for losing personally identifiable or proprietary information?

Long-Term Viability: Many pervasive connected devices rely on SaaS/PaaS/IaaS providers. What happens if those providers decide to stop the service? This has just occurred, impacting consumers of the Revolv smart-home hub. Google announced the shutdown of the Revolv service; after May 15 the smart-home hub will no longer work as the service will be shutdown. This is a concern for all *aaS offerings, and is something that should be considered.

Unintended Consequences: What are the power/battery needs of the devices? Items that were not a concern previously now must be considered. What are the access requirements – both onsite and remote? Will your organization need the development of new manual processes? How will the functions being supported by the IoT devices be performed if connectivity is lost? Are there legal/regulatory impacts that did not exist before?

Interpersonal interactions: A recent study suggests that people’s feeling of being ignored given the use of handheld devices has decreased. However, the question in my mind is – is that because the use of handheld devices has decreased during interpersonal interactions or are people just becoming conditioned to being ignored? With the increase of pervasive connected devices, will the need, or feeling of need, increase because there is now more information flowing to smart devices (alerts, monitoring, etc.)?

Take time to consider how your organization is being impacted by IoT devices; what you should be prepared to consider as they are introduced to your organization; and how your BCP program may be impacted.

BC Program Capability – Objective or Not?

By No Comments

Richard Long, Senior Advisory Consultant, MHA Consulting

We may not want to admit it, but we are a biased species – whether in the positive or negative. I know some beautiful young people who only see their faults and some mature adults who can’t see their faults at all. We become accustomed to the current state. I live in the Phoenix metro area. What friends and family in other parts of the country think is hot is a nice day to me. Temps in the 100s are normal and expected for us in the summer months – we are used to it. Last week it was hot – and not just hot through my Phoenix filter (it was in the 110s, with a high of 117). But, no matter what I am accustomed to, I recognize that a temperature in the 100s is hot, even though those of us in Phoenix look at the low 100s as a cooling trend in June and July.

When it comes to our business continuity programs, we can often get used to the current state and lose our objectivity. When you look at the current state of your business continuity program, are you, your auditors and your management looking at it objectively or with a filter or bias?

Possibly the best tool to use is a set of objective metrics. Identifying and using the proper metrics will assist in keeping the assessment of the BC program in your organization valid. There are commercial tools for doing this – MHA has one that we think is easy and useful (see www.mha-it.com/bcmmetrics). Even basic self-generated spreadsheets can be helpful. The question is, what are the correct metrics to use? Here are a few we think are important.

  • What percentage of BC and DR plans have been updated in the past year?
  • Do you have a Crisis Management Plan?
  • Do you have an identified Crisis Management Team?
    • Are they trained?
  • When was your last DR exercise?
    • Did it demonstrate actual functional recovery?
    • Were the DR Plans used?
  • When was your last Crisis Management exercise?
    • Did you perform tasks from the plan or just talk about performing tasks?
  • Have you performed a BIA in the past two years?
  • Have you performed a Threat and Risk Assessment in the past two years?
    • What is the state of the findings?
    • If you perform another TRA, will the findings be the same?
  • Do you have a process for updating/reviewing documentation and strategies to ensure they are current?
  • Is there a formal Program Oversight Committee or Program Steering Committee with Management representation?

These metrics can be given values that provide an overall readiness or functional score. With metrics like these, you can generate reports that quickly show the state of the various components of your program.

Screen Shot 2016-06-28 at 2.10.37 PM

Good and objective information will:

  • Help you identify both the areas that are working well and those which need more attention
  • Help management make appropriate risk and funding decisions
  • Assist auditors in their assessment

The reason for business continuity is to reduce risk to the organization. It is wonderful if the program is mature and running optimally. However, if there are issues, it is important to remember that “bad news does not get better with age.” You must have some understanding of what will happen if you actually have to use the plans and strategies during a crisis or emergency event. Metrics allow you to be confident when communicating the state of your program and to make appropriate plans. For more information and examples of metrics and the use of them in your organization, see visit mha-it.com/bcmmetrics.



How Secure is your Facility?

By No Comments

Richard Long, Senior Advisory Consultant, MHA Consulting

On a walk with my toddler grandson the other day we waved to everyone (and every animal, including the birds) we came across. Like many young children, he is oblivious to the dangers of taking a walk around the neighborhood. He will take off across the street, run up to any dog or person, run out in the street when he sees a vehicle. I feel bad pulling him back, making sure all is safe as he looks up at me questioning, “Why are you taking this joy away?” As the adult, wanting to keep him safe, it is necessary for me to restrict some of his actions to ensure he stays safe. Now, I do let him fall, play in the dirt, walk through the water and plants. What is life without some dirt and scars? But it is my job to make sure he is not seriously harmed (along with making sure he has ice cream for breakfast).

For most of us, we go about our lives like my grandson, not worrying about our safety (other than the normal precautions we take each day, like looking both ways when crossing the street and making sure we don’t run into the person texting while walking). What a blessing that is. So how does this relate to the title of this blog?

Most of us recognize the various security precautions or technologies present at our place of business, such as badges to gain access to the building, access restricted by need to some areas, parking barriers, security guards at entrances, sign in sheets, etc.

In a recent blog we discussed weapons and facilities. That includes some items that are pertinent to consider here.

  • What barriers are in place in your facilities that prevent unauthorized access to critical equipment or areas?
  • What measures are in place in your facilities to keep people safe?
  • What are your evacuation procedures for a workplace violence situation? Are they the same as those for a fire? Should they be different? For example, in a workplace violence incident you may want to use both the elevators and the stairs.
  • Do all staff members understand and follow the procedures for visitor access?
  • Have you ever seen someone who does not belong in your building? What did you do?
  • What is your weapons policy? Does that include knives? Should it?
  • Is workplace violence prevention/reaction part of your overall training for all employees?
  • Do you have plans for uncontrolled person(s)?

We recommend that you look at the various measures in place at your facility and determine any weaknesses. For example, you may have access barriers in place or require that a badge be displayed upon entering the building. Can those measures stop anyone who wants to get in? Are they intended to do so?

Do you have any ingresses/egresses that allow entry outside of policy or design? For example, at Company A, there was a gate that did not close without manual effort. This gate was often left open and was accessible from the sidewalk of a main thoroughfare. Anyone could gain access to a courtyard and wait for a door to open to have access to a secure area.

What is your visitor policy and how easy is it to get beyond the main entrance? One of the most important aspects of safety is understanding what is a normal state and what is not. Training staff to be alert to surroundings and what may be out of place will allow individuals to raise potential issues or risks. As someone who visits many client sites and often is allowed to move about with some independence, I am actually comfortable when individuals ask if I need help when they do not recognize me. Far from being offended, it puts me at ease knowing there are some who recognize when there are people or conditions that may not belong.

Reviewing and identifying the policies, procedures and physical/technology items will make your facility more functionally secure without the feel of overbearing security.

So You Think You Can Communicate During an Event

By No Comments

Richard Long, Senior Advisory Consultant, MHA Consulting

We spend hours developing plans and strategies – preparing for possible emergency events that we hope will never happen. Many of our colleagues, and let’s be honest, even some of our management team, believe this planning is of little value. They feel that we only need the documentation to “check the box” for an audit. The implied desire is to get it done as quickly and with as little use of resources as possible. We may fall into the trap of being influenced by those feelings, generating what seems like good documentation that, when looking deeper and more objectively, is really just a lot of words that may not be usable.

For this week’s blog, the functional item we are considering is communication. We all know that during an emergency event communication will be critical, and we understand the basic groups and type of information we must communicate. Though the items below may seem obvious, many do not take the time to ensure that the appropriate planning is in place – it is assumed that everything will work when needed.

  • Information or status updates to internal groups to make decisions
  • Information or status updates to internal groups to implement emergency plans or resume/continue business activities
  • Information to media outlets
  • Information or status updates to external groups to protect your brand
  • Information or status updates to customers

When done effectively, this communication will help keep your business working as normally as possible, will limit the ability of others to control the narrative, and will prevent the dissemination of incorrect information.

Have you looked at your various communication strategies – internal, external, and crisis management – and identified the risks or potential gaps? In general, the technologies or methods you plan to use will be those used on a day-to-day basis: Phone (VOIP or LAN), cell, email, SMS, social media, etc.

If your technologies are cloud-based, housed in a different location, or highly available, then they are assumed to be available during an emergency event. Any of those solutions are acceptable. If they do not meet this criteria, it is a major risk to your communication capability.

Typical Gaps:

  • Do you have templates to use for the various forms of communication that may need to be provided?
    • Developing these will take time and important items could be overlooked. It is better to remove items than it is to risk forgetting important items.
  • Do you have recommended timing for communications or a checklist of items to determine appropriate timing?
    • In the middle of events, time can go by quickly. Before even recognizing it, hours may have passed since the event started or since the last communication was sent. Remember, without information, individuals will make assumptions or develop their own conclusions with potentially limited information.
  • Do you have a social media strategy or plan?
    • In today’s world of instant communication, if you do not provide information, something you have no control over will show up on social media whether you want it or not.
  • Do you have a policy for external communication by staff that includes social media? Is there a plan to remind staff of this policy?
    • Most organizations have polices around external communication to vendors or media. People may not think that these policies apply to communicating over social media.
  • Have you reviewed the implications for staff or emergency team members who may be remote or traveling? Will your plans/strategies allow for their effective participation?

Communication during an event is difficult to anticipate, train for, and exercise, but with some objective review of plans and strategies, you can minimize the impact of an emergency situation on your communication strategy.

Is your DR/BC Implementation Functional?

By No Comments

Richard Long, Senior Advisory Consultant, MHA Consulting

I have been thinking quite a bit about things in my life being usable and functional vs. being “pretty” and just “there.” It’s not that I don’t like or want nice clothes or that I don’t enjoy the colors in the backyard, but what is in my life that is taking up time and effort that really does not push me to be a better person and world citizen? This blog is not about how to improve our lives, but rather, what is in our BC program that is “pretty” or “there” and is not really making our business more resilient or functional?

Here is a DR example. The IT team says they have a DR strategy in place and are able to recover servers. Everything has been tested. But after looking a little closer, it is clear that only the test environment for an application was included, and that not all of the necessary production servers are being replicated to the DR site. The basic functionality will be available, but not the middleware servers or external facing (public) servers. If this were an order entry system, the only way to get information or make changes on self-service would be to call or physically go to the support center. Also, passing information to suppliers would not occur. Orders can be processed, but the actual functionality is severely limited.

The technology has been tested and the strategy works, but both are far from functional. In today’s environments, the technology itself is often the least concern. More important is ensuring that all the necessary dependencies are in place to guarantee equal (or at least sufficient) functionality is in place. This is much more than verifying that “the servers are up.”

How about a BC example? The company has a work from home strategy and IT has put in place the capability to access systems remotely via web access or VPN. It is assumed and verified that everyone has a company issued laptop. The BC analyst stays late one night and notices that at least half of the laptops are still on the docking stations after the office is vacated for the night. Corporate policy and security do not allow non-corporate devices through VPN. In the event of relocation, how many people would actually be able to work? Again, strategies are in place and verified, but in actuality those strategies are not functional.

We encourage you to look closely at your program and identify areas that may look good, but actually have significant functionality gaps. They may be easily fixed, or they may be more complicated. At least you will know and can then put together a plan.

Let’s start looking at how functional we are and not just what boxes are checked.

Do you need a document retention schedule?

By No Comments

Katherine Jonelis, Consultant, MHA Consulting

Do you need to develop document retention standards and procedures for your Business Continuity Program? If you want to ensure compliance with standards and best practices, yes, you do.

Generally speaking, if there is a standard that requires the creation of a certain type of documentation, there will be some corresponding requirement to retain those records for a period of time, even if that requirement is not expressly stated.

The standards require recordkeeping to provide evidence of the effective operation and implementation of your program, the competency of your personnel, and audit requirements and results. Documentation should cover these aspects of your program:

  • The scope and objectives of the program and procedures
  • The BCM policy
  • The provision of resources
  • The competency of BCM personnel and associated training records
  • The business impact analysis
  • The risk assessment
  • The business continuity strategy
  • The incident response structure
  • Business continuity plans and incident management plans
  • BCM exercising
  • The maintenance and review of BCM arrangements
  • Internal audit
  • Management review of the program
  • Preventive and corrective actions
  • Continual improvement

So where do you start? First, determine if your organization has a records and information management program and/or a records retention schedule. If so, you must work with your company’s records professional to determine what records you have and how long you should retain those records. It is not unusual to find that a company has little to no reference to business continuity documentation in the schedule. But you can use what the schedule says about other documents (like risk assessments, other company policies/procedures, audit or other assessment reports, etc.) as a guideline to develop retention periods.

Regardless of whether you are working with a records professional, use the list above as a starting point and determine:

  • What specific documentation do you keep in each category?
  • What does your maintenance schedule say about the documentation? How often is it created/superseded (quarterly, annually)?
  • Is there a legal or compliance based rationale to retain the documentation once it is no longer active or in use (e.g., to prove that training or testing took place and what the results were)?
  • Is there a legal or compliance requirement to retain the document for a specified period of time?
  • Is there lasting value in old versions of the document?

Using this information, you might use the following sample guidelines:

  • Plans: retain for one year after superseded (replaced).
  • Governance related documents (e.g., Policy, Standards, Charter): retain based upon the maintenance schedule.
    • If the Standards are updated annually, keep them on file for one year after they are updated.
  • Retention schedules should take into consideration what we would consider “exception” documentation – when documents need to be kept for a longer period of time in response to an item from an exercise, the Steering Committee, and/or an Auditor.
  • Retention schedules should take into consideration that a legal/litigation hold issued in response to actual or pending litigation may suspend destruction of certain information until that hold is released.

Cyber Event Planning – Hope is not a Strategy

By No Comments

Richard Long, Senior Advisory Consultant, MHA Consulting

For Business Continuity planners, data security has become a high priority element of the program. Audits have pushed this to the top of the priority list for many organizations. Even with all the data breaches over the past several years, many organizations are not prepared to react to a data breach. We have seen the entire continuum – from highly prepared for a breach (with formal plans, regular exercises, and technologies in place to prevent breaches) to a strategy of hope – we hope it does not occur.

Every security expert with whom we have worked says it is not if, but when, an organization will have some type of data exposure or cyber event. The cost of these breaches has grown year over year. A 2015 study by IBM and the Ponemon Institute calculated the average cost to organizations (350 companies in the survey) to be 3.79 million dollars. This is an average of $154 per record lost or stolen. Depending on the industry the cost can vary, with the public sector at $68 and retail at $165.

Organizations must make planning for and preventing data breaches an ongoing activity. It should be noted that a basic security penetrating code can be purchased for a little as 10–15 dollars on the web. These codes are not sophisticated, but the ease of access should cause everyone to pause.

Your planning should include the following:

  • Does your organization have or need cyber insurance?
  • What is your response plan in the event of a cyber event?
  • What is your communication plan?
    • Media
    • Social Media
    • Internal
  • Can you afford to shut down your online presence, your online commerce, or access?
    • For how long?
    • Are there portions that can be shutdown, still allowing critical or limited access?
    • Is there a decision point for shutting down access?

These should be identified in advance to allow the Crisis Management Team to make decisions quickly.

Cyber event planning is both a business and IT endeavor. As it relates to data breach or cyber event planning, hope is not a strategy.