THANK YOU FOR SUBSCRIBING
Gov CIO Outlook Weekly Brief
Be first to read the latest tech news, Industry Leader's Insights, and CIO interviews of medium and large enterprises exclusively from Gov CIO Outlook
Joe Moudy, Director, Office of Emergency Management, City of LubbockMost public organizations and businesses utilize exercises to evaluate the effectiveness of plans, policies, and procedures. Those exercises allow an organization to identify areas for improvement in our mitigation, response, and recovery to disasters. Each department or organization has different requirements as to the type and quantity of exercises such as statutory, certification or insurance requirements.
It is very easy for a department to conduct individual or internal exercises to meet those requirements. However, organizations are not as separated and fragmented as they once were. As we further implement and integrate new technologies, we continue to develop interconnections between variousfunctionsand departments in the organization. This creates interdependencies that may not be visible or well known.
However, when an organization adopts an organization-wide approach to exercises, the organization will identify multiple departments that have similar requirements. One mechanism to coordinate exercises across an organization is to conduct an Integrated Preparedness Planning Workshop. This workshop allows an organization to identify an exercise schedule and to include meeting the requirements of each department.However, it is often identified that there were exercise requirements that are not communicated in the Integrated Preparedness Planning Workshop. This occurs for a variety of reasons such as the representatives in the workshop were not aware of the requirements, the requirements are implemented after the workshop, etc.
In order to accomplish an organization-wide approach to exercises, an organization may require a single department to coordinate all facets of the exercises. For public organizations, this is typically handled by emergency management staff. In organizations that do not have a dedicated emergency management staff, it is recommended that a single department or specific staff be identified to coordinate exercises.
“In order to accomplish an organization-wide approach to exercises, an organization may require a single department to coordinate the schedule, design and facilitation of the exercises.”
As cyber incidents become more prevalent, organizations are being required to conduct cyber exercises. These requirements occur across the entire organization but are specific to departments such as electric utilities, public water systems, airports, information technology, etc. A coordinated cyber exercise can meet each individual department need while providing other departments an opportunity to evaluate how they would be impacted by a cyber incident. The exercises can be designed to challenge individual departments, such as information technology, while creating challenges for departments as various components of the information technology infrastructure become unavailable.
Through fully integrated exercises, the organization canevaluate information sharing across all departments, continuity plans, and recovery plans. Organizations can answer questions such as:
• Are all departments receiving the information they need to adequately respond to the incident?
• Do your continuity plans identify single points of failure?
• Do your continuity plans identify interdependencies such as which components or servers are required to continue mission essential functions?
• Do your backup systems work?
• How are your backup locations impacted?
• How far can a cyber incident reach across your organization?
• What does your recovery look like?
• What are your recovery priorities?
When departments conduct internal or individual exercises, the organization loses visibility on the impacts of the hazard.However, when those exercises are coordinated across the entire organization, each department gains knowledge about how they can be impacted and how they impact other departments.
Read Also
