I just finished completing the 3rd National Incident Management System (NIMS) compliance course required of me by my organization, and it got me thinking about planning in general. There are a lot of planning processes for which we are responsible or participate in: Disaster Recovery, Continuity of Operations, Accountability Frameworks, Standard Operating Procedures, and NIMS to name a few.
There are templates and software, courseware and consulting for all of this planning that is supposed to allow us to be “ready” or to be able to justify and measure our work product. We are repeatedly told how important it is to “have a plan.”
Yet no matter how important it is, how much time is given to you and your staff for planning purposes? I believe it is in this area that “lip service” plays a significant role in many organizations.
The trend over the years has been to trim “excess” employees in the name of being lean and mean. After all, look at how “productive” we as a nation have become. How “profitable” our companies are, and how “cheaply” we can run our government (“Look Ma! No employees! Wait, don’t dig to deep to find that army of consultants that has replaced our “cheaper” employees--it’s the number on the payroll the voters look at).
We have created a situation in which a ton of planning occurs (and no real work gets done) or employees are scrambling to get the real work done and planning is haphazard at best. We have “trimmed” away our capacity for planning in the process of removing our fat.
Real preparedness is more than sitting down, creating required document/s and filing them away-- confident in the fact that if an “event” happens, we will just whip out those documents and everything will be hunky-dory. Real preparedness means bringing those documents to life, testing them frequently, updating them regularly, and living your SOP.
Our emergency responders tend to be the experts in these areas because they live their plans out of necessity on a regular, if not day-to-day basis. Dealing with full-fledged incidents/crises is usually not part of our daily IT activities.
Having said all that, the plans we do come up with are worth more than the paper they are written on, and their worth goes up with the practice and commitment that is applied to them. Even if they are stale and in a drawer somewhere, they are a starting point from which to begin your response. Yes I realize that a stale plan can cause more harm than good depending on the situation – but it is hard to argue that having no plan is better than not having one at all.
That is why I like the idea of NIMS. It gives us a framework to respond to an incident/event of any size, whether it is planned or unplanned, and which can scale from a single organization to a national response. A great deal of thought has gone into NIMS, and while none of it is IT-specific, if you go through the training, you will repeatedly find yourself thinking about your COOPs and disaster recovery plans and ways to improve them. In fact, it is highly recommended that organizations update their COOPS in order to reflect NIMS concepts. Federal agencies are already required to do so.
So what is NIMS exactly and where do you find out more?
NIMS is the National Incident Management System. It was created per President Bush’s Homeland Security Presidential Directive – which instructed the Secretary of Homeland Security to develop and administer a National Incident Management System.
Why is NIMS important to you as an IT professional? NIMS provides a set of standardized organizational structures, as well as requirements for processes, procedures and systems for interoperability as well as a management system known as the Incident Command System (ICS). It is during the learning of the ICS that I believe you will have many of those moments in which you will think of ways to tweak your IT disaster response plans.
You can find out everything you wanted to know about NIMS here:
http://www.nimsonline.com or here: http://www.training.fema.gov/emiweb/is/is700.asp
and get online training here: http://training.fema.gov/emiweb/IS/crslist.asp
I suggest the following courses to IT professionals:
IS-1 Emergency Manager: An Orientation to the Position
IS-100 Introduction to Incident Command System, I-100
IS-200 ICS for Single Resources and Initial Action Incidents
IS-700 National Incident Management System (NIMS), An Introduction
It will take approximately 2-3 hours of your time for each, but I think you will find the courses well worth the effort.