Open Forum
November 2004
Vol. 18 No. 2
Innovations in information resource management to support government
FROM THE EDITOR
Dear Colleague:
With the confirmation of Leigh Favita of the NYS Dormitory Authority as The Forum's Secretary/Treasurer, the slate of new officers formally took office at the Executive Committee meeting held on October 8th. Joanne Riddett of the NYS Thruway Authority and Cecelia Hamblin of the Department of Labor became Chair and Co-Chair respectively. At that same meeting, Victor Stucchi of the Higher Education Services Corporation joined the Executive Committee as the newly elected member. The committee co-chairs were also confirmed and are listed on page 6. We have seen significant growth of our IT Corporate Roundtable. The leadership and corporate members of that Forum group are also listed on page 6. We very much look forward to another productive year with The Forum's new leadership team now in place.
Upcoming Executive Committee meetings are open to the public sector and members of The Forum's IT Corporate Roundtable. We encourage everyone to attend. At the November 19th meeting of the Executive Committee (note this is a week later than our usual 2nd Friday of the month due to the Veterans Day holiday on Thursday, November 11th), Mike McCormack will provide his annual update on NYS Office for Technology initiatives. NYS CIO, Jim Dillon, will present to the Executive Committee at the December 10th meeting and Will Pelgrin, Director of the NYS Office of Cyber Security and Critical Infrastructure Coordination, will provide an overview of his initiatives at the meeting on January 14th.
This year, in an effort to share information and encourage collaboration aligned with the NYS IT Strategic Plan, the Executive Committee meetings will also feature a brief presentation by leadership of the various NYS CIO Council Committees. The first of those was made at the October 8th meeting with a brief presentation by Barry Russell of OGS, who co-chairs the NYS CIO Council's Fiscal/Procurement Committee. Also on November 19th, Gene Pezdek of the NYS Department of Environmental Conservation will provide a briefing on the initiatives of the Council's Human Resources Committee. This effort to provide broadened policy level briefings by key IT working groups is a continuation of The Forum's deliberate effort to stimulate new ideas and alliances in order to further the state's IT agenda.
The broader the representation at The Forum's monthly meetings and within our committees, the more likely it is that creative new ideas will surface of benefit to all members and services to New York's constituents. We urge you to attend and to become active in these proceedings.
Sincerely
Greg Benson
Moving Business Continuity Planning to the Front Burner: An Interview with Larry Kalmis, FBCI, Chair of the Business Continuity Institute Board of Directors and Project Executive, Virtual Corporation
Over the last three years, The Forum has pursued a number of initiatives to enhance the understanding of and ability to develop business continuity plans (BCP) within New York's public sector IT community. At the most recent Forum Strategic Planning Session held on July 16th, business continuity was again raised as a key concern and target for new initiatives in the coming year. At that session, suggestions to conduct a "BCP Day" and the creation of a repository of BCP tools, solutions and corporate providers were both ranked as highest priority for The Forum's Business Continuity Planning/Security Committee to consider (the work and related documents produced by that committee are available at www.nysfirm.org/committees/bcps/).
Given the continuing high degree of interest in BCP, The Forum is pleased to have had the opportunity to interview Larry Kalmis, FBCI, Chair of the Business Continuity Institute Board of Directors.
The Forum: Larry, we very much appreciate your taking the time to share some thoughts and insights with us today. Before we get started, can you tell us a little about the Business Continuity Institute (BCI)?
Larry Kalmis: The mission of the BCI is to promote the art and science of business continuity management on an international scale. It provides an internationally recognized certification of business continuity professionals worldwide and has over 1,100 members in 31 countries. The wider role of the BCI is to develop and promulgate the highest standards of professional competence and commercial ethics in the provision and maintenance of business continuity management and services.
The Forum: When you approach business continuity, are there specific elements of business continuity practice that you address and are those elements reflected in any "model" for business continuity that you employ?
Larry Kalmis: Virtual Corporation, working with an international team of business continuity professionals, has spent a five-year period developing the Business Continuity Maturity Model℠ (BCMM℠) that is central to how I and other business continuity practitioners approach BCP. That model is now in the public domain and is shown in the graphic below.
As is evident, the maturity of a business continuity initiative is in large part reflected by the depth of its integration and commitment to it across all aspects of the enterprise. The BCMM℠ is unique in that its focus in developing leadership and enterprise capacity to pursue BCP is focused on an array of core competencies. In short, achieving higher levels of BCP maturity requires skill sets across a broader spectrum of the enterprise workforce so the focus is on creating those skill sets. The BCI has a self-assessment guide that is useful with what might be termed as developing an enterprise BCP "gap analysis."
The Forum: Your model indicates that enterprise leadership involvement and commitment is key to success. Finding ways to secure that involvement and commitment has become a major challenge for our members. Do you have suggestions related to techniques and practices that have shown success in achieving the level of understanding and commitment required for reaching a high level of maturation?
Larry Kalmis: Clearly there is a difference between the perceived priorities of BCP in the private vs. the public sector and making the case in the public sector is surely a tougher argument to win. Efforts should focus enterprise leadership on what the core public products and services are and what the impact would be if they were not provided for hours, days, weeks or months. This exercise can be structured to address the essential questions that ultimately become very specific and require broad enterprise involvement to even come up with reasonable answers.
For example, were there to be a serious, widespread power failure, perhaps affecting all or nearly all of New York state, what implications would that hold for our ability to get our products and services to our constituents or for maintaining core, internal state functions? If non-deliverable for extended periods of time, which products and services cause significant negative impact on our constituents or on the state itself? These questions of impact seem to be far more pertinent and likely to attract the interest and commitment of enterprise leadership than are questions of risk assessment. Impact in the public sector has far-reaching implications as it does in the private sector but in the public sector there is the added dimension of significant political liabilities associated with "impact" and sometimes consideration of those can make all the difference in the government environment.
The Forum: Other than a direct and internal approach to enterprise leadership, have you seen techniques that involve external organizations that have provided an appropriate "wake-up call?"
Larry Kalmis: Using "other voices" to garner interest and support of enterprise leadership can be a very productive technique. For example, at a local level, key, probing questions of disaster readiness and impact put to fire and police officials by large, resident corporations can be very "motivational" since that corporation may well represent the source of employment and tax revenue upon which most of the town depends. Obviously, this technique is scalable to county, state and even the national level.
The Forum: Government organizations at all levels are suffering under very difficult fiscal pressures. With little resource to devote to BCP and the inherent mitigating practices, what advice do you have for how government approaches BCP?
Larry Kalmis: First and foremost the enterprise should have a basic understanding of what the process is, how it is best undertaken and the realization that it requires an ongoing, iterative process - the BCMM℠ is a good place to start. Beyond that, making a commitment to a deliberate, incremental approach, taking into account the fact that the enterprise business model will not remain static, is the most realistic way to begin. Oftentimes there is "low hanging fruit" but unless the commitment is made to an enterprise-engaging, deliberate BCP process, those low cost solutions may be totally missed or misinterpreted. In short, without everyone clearly thinking about "impact" and how to mitigate its effects, the obvious and sometimes very cost-effective initiatives will be missed.
The Forum: Addressing BCP, adequate cyber security measures, and even responsive customer support is particularly difficult for small and medium size government agencies with precious few resources. In some agencies an IT shop is but one or two persons. Are there techniques that these small agencies might pursue that have shown to be successful elsewhere?
Larry Kalmis: On the "supply" side, there are commercial services that offer shared "hot sites" that are far more realistic for smaller organizations to consider. This corporate offering of shared solutions extends beyond just alternate sites, so looking to what is available on state contracts is one place to start. On what might be characterized as the "demand" side, developing reciprocal agreements with other state or local government organizations is another way smaller agencies might address back-up storage and operations. For example, I believe that many of New York's state agencies have facilities across the state, some urban; some rural. This dispersion of New York's operational enterprise provides a rich array of options for development of reciprocal agreement across agencies or even within agencies. Back-up of Albany office data/operations at a Buffalo office or vice versa would seem to me to be an excellent opportunity for using the state's own facilities as a key component of a BCP and one that would save precious public funds.
The Forum: Are the development of standards and/or national level initiatives beginning to lend support for and acceleration of BCP initiatives?
Larry Kalmis: As I indicated earlier, both the BCI and Virtual Corporation approach BCP from the perspective of developing sustainable process and building appropriate competencies. In light of that, BCI has developed a set of ten certification standards for business continuity professionals. Those standards along with planning, training resources and links to related websites are available at the BCI website at www.thebci.org. In fact, in light of the outcome that suggested the need for a repository of BCP resources that came of your recent Strategic Planning Session, I would encourage your membership to visit that website as an extremely good place to start. It is very much a repository as was suggested by your membership. Other encouraging developments have come of legislation addressing BCP requirements in the UK and emerging legislation in the US coming from our Homeland Security initiatives. Within the context of legislation and/or regulation, I feel it is important that there be standards but not dictated BCP methodologies. The diversity of public and private organizations, their operations, products and services requires flexibility of approaches within the parameters of appropriate standards.
The Forum: Are there true BCP "exemplars" that come to mind that government organizations might look to as best practices?
Larry Kalmis: The financial industry has long been acutely aware of, and addressed, the need to have comprehensive BCPs. The Health Insurance Portability and Accountability Act (HIPAA) has provided the healthcare industry with new BCP incentives. Also driving the increased focus on comprehensive business continuity planning is the Sarbanes-Oxley Act of 2002 that requires every public company to establish and maintain adequate internal control structures and procedures for financial reporting, and management's assessment of the effectiveness of the company's internal control structures and procedures. One example worth mentioning is Kaiser Permanente, the largest health maintenance organization (HMO) in the US with approximately 137,000 employees, over 17,000 physicians and 30 medical centers. Starting from scratch, Kaiser Permanente and Virtual Corporation implemented a sustainable business continuity program and created over 6,000 business continuity plans in under two years. In March of this year, that Virtual Corporation initiative won the New Jersey Project Management Institute's 2004 Project of the Year Award for its management of the Kaiser Permanente project. That effort is one worth exploring as a best practice. More information about that award-winning initiative can be found at www.virtual-corp.net.
The Forum: In the wake of 9/11 the nation, and particularly here in New York, both public and private sectors were focused on the realization that the parameters of disaster, and therefore the considerations for being prepared for one, had dramatically and permanently changed. In that period of time we saw and, indeed, were part of significant efforts to raise the level of awareness related to BCP and to offer education and training to assist state and local governments. Has that high degree of interest and commitment been sustained?
Larry Kalmis: There was a great flurry of BCP activity following 9/11, although there seemed initially to be a lack of cohesiveness of approach at almost all levels that was worrisome because it did not point to the development of sustainable processes. However, we have begun to see new emphasis on standardization and building sustainable processes. I would hope that the gradual decline in BCP commitment that occurred in the years following the 1993 Trade Center and Oklahoma City bombing will not happen again. I look forward to new and expanded Public Sector/Private Sector initiatives that will lead to significantly improved resilience to both natural and man-made disruptions.
The Forum: You and the BCI obviously represent an enormously valuable knowledge and experience base. As this organization, particularly our Business Continuity Planning/Security Committee, moves forward with planning initiatives here in New York, may we call on you and other members of the BCI for assistance with developing education and training opportunities and/or a BCP Day?
Larry Kalmis: I would be happy to work with your committee as it develops plans for the coming year. Although I cannot speak for other BCI members, I'm sure that the potential exists for involving others in developing your state initiatives. I would be glad to serve as the liaison between the NYS Forum and BCI to navigate that relationship.
The Forum: Larry, thank you for your time and we look forward to continuing this conversation within the context of planning our BCP initiatives for 2004-2005.
About Larry Kalmis
Larry Kalmis, FBCI, Chair of the BCI Board of Directors and Project Executive, Virtual Corporation, has received the US-based Contingency Planning and Management magazine's 2003 Hall of Fame Award. Larry has over 25 years' experience in business continuity and was a key player in the recoveries of both the 1993 World Trade Center bombing and the downtown Chicago flood.
Forum Leadership Makes "IT" Happen
In addition to the Executive Committee members listed at the end of the newsletter, we rely heavily on the volunteer efforts of our committee co-chairs and the membership of the IT Corporate Roundtable.
Forum Committees
Forum Committees are open to government employees and your participation in those meetings is most welcome. Each committee has a public sector and corporate/private sector co-chair. Visit our website at www.nysfirm.org and click on the committee(s) of interest to you to learn about their mission, review minutes from previous meetings, and find notification of future meetings. Please feel free to contact any of the committee co-chairs (contact information is included on the respective page of our website) or Forum staff, if you would like additional information. Registration is not required to attend committee meetings.
Committees and their Co-Chairs:
IT Corporate Roundtable
The IT Corporate Roundtable is a membership organization of the Forum designed to provide meaningful interaction in a neutral setting between New York state and local CIO's, IT directors and their staffs, and members of the IT corporate community. One of the benefits of IT Corporate Roundtable membership is the opportunity to co-chair a Forum committee. To learn more about the IT Corporate Roundtable visit our website and click on IT Corporate Roundtable or contact The Forum at (518) 443-5001 to request an information packet. Corporate members currently include:
Committee co-chairs will be meeting in November to begin working on our 2004-2005 program year. Watch www.nysfirm.org for program announcements and committee updates.
IRM Calendar of Events
Deadline for calendar submissions is the first week of the month prior to the month of publication. You may contact us by phone at (518) 443-5001, fax (518) 443-5006, or e-mail info@nysfirm.org. View the complete Calendar online at www.nysfirm.org.
November
November 3
The Forum ICEDP Committee - 2:15 pm the first Wednesday of each month at Civil Service, State Office Campus, Bldg. 1, Rm. 2, Albany, NY. Contact Larry Tompkins at larry.tompkins@dcjs.state.ny.us or (518) 457-3745.
November 4
Local Government Records Management Improvement Fund - Grant Application Information Session - in Ballston Spa and Baldwinsville. Only local governments are eligible to apply for these grants. To register, visit www.archives.nysed.gov click on "Services" then "Training" then "Subject" then "Grants" or contact Carol Gallacchi at cgallacc@mail.nysed.gov or (518) 474-0670.
November 5
The Forum Webmasters Guild - 9:00 am - noon the first Friday of each month. Empire State Plaza Convention Center, MR 2 & 3, Albany, NY. No registration required. Contact info@nysfirm.org or call (518) 443-5001.
November 5
Local Government Records Management Improvement Fund - Grant Application Information Session - in Cortland. Only local governments are eligible to apply for these grants. To register, visit www.archives.nysed.gov click on "Services" then "Training" then "Subject" then "Grants" or contact Carol Gallacchi at cgallacc@mail.nysed.gov or (518) 474-0670.
November 16
The Forum ICEDP Program Committee - 1:00 - 2:00 pm at DCJS, Executive Park South, Stuyvesant Plaza, Albany, NY. Take part in shaping programs for the coming year. Due to security at DCJS, registration is required. Contact Jim Blake at jim.blake@dcjs.state.ny.us or The Forum at (518) 443-5001.
November 18
The Forum IT Accessibility Committee - 2:30 - 4:00 pm at Rockefeller Institute of Government, 411 State St., Albany, NY. No registration required. Contact info@nysfirm.org or (518) 443-5001.
November 19
The Forum Executive Committee - 8:30 - 10:00 am the second Friday of each month at Rockefeller Institute of Government, 411 State St., Albany, NY. Contact info@nysfirm.org or call (518) 443-5001.
December
December 1
The Forum ICEDP Committee - 2:15 pm the first Wednesday of each month at Civil Service, State Office Campus, Bldg. 1, Rm. 2, Albany, NY. Contact Larry Tompkins at larry.tompkins@dcjs.state.ny.us or (518) 457-3745.
December 3
The Forum Webmasters Guild - 9:00 am - noon the first Friday of each month. Empire State Plaza Convention Center, MR 2 & 3, Albany, NY. No registration required. Contact info@nysfirm.org or call (518) 443-5001.
December 9
The Forum IT Accessibility Committee - 2:30 - 4:00 pm at Rockefeller Institute of Government, 411 State St., Albany, NY. No registration required. Contact info@nysfirm.org or (518) 443-5001.
December 10
The Forum Executive Committee - 8:30 - 10:00 am the second Friday of each month at Rockefeller Institute of Government, 411 State St., Albany, NY. Contact info@nysfirm.org or call (518) 443-5001.
December 17
CTG Advisory Committee - 9:00 am on the third Friday of each month at the Center for Technology in Government, 187 Wolf Rd., Suite 302, Albany, NY. Contact Linda Keane at lkeane@ctg.albany.edu or call (518) 442-3892.
December 21
The Forum ICEDP Program Committee - 1:00 - 2:00 pm at DCJS, Executive Park South, Stuyvesant Plaza, Albany, NY. Take part in shaping programs for the coming year. Due to security at DCJS, registration is required. Contact Jim Blake at jim.blake@dcjs.state.ny.us or The Forum at (518) 443-5001.
Forum co-hosts 4th National Cyber Security Webcast
On October 19th over 1,400 professionals from 49 states and 10 countries participated in the webcast entitled Are YOU the Weakest Link? (What to Look For and What To Do). This one hour webcast was the fourth in a series being coordinated by the New York State Office of Cyber Security and Critical Infrastructure Coordination and the New York State Forum for Information Resource Management and produced on behalf of the US Department of Homeland Security US-CERT and the Multi-State Information Sharing and Analysis Center (MS-ISAC). Embracing the concept that security is everyone's responsibility, these webcasts are being made available to raise levels of awareness and knowledge.
Are YOU the Weakest Link? focused on what each of us should do on a daily basis to be more secure and placed particular emphasis on the human elements of cyber security, which are just as important, if not more so, than the technical elements. Only by ensuring that users understand their importance in the cyber security chain, and assume the responsibility for using computing technology wisely and securely, can we help to keep all of us secure. PowerPoint presentations made as part of this webcast are available at: www.cscic.state.ny.us and www.nysfirm.org.
This cyber security webcast is part of an ongoing series that will produce one-hour webcasts on a monthly basis.
Executive Committee
Officers
Chair, Joanne Riddett, Thruway Authority
Vice-Chair, Cecelia Hamblin, Dept. of Labor
Sec./Treas. Leigh Favitta, Dormitory Authority
Members
James Bell, NYS Senate
Walter Bikowitz, OGS
Thomas R. Bodden, Assoc. of Towns of NYS
JoAnn P. Bomeisl, Insurance Dept.
Terri Daly, OFT
Sharon Dawes, CTG
Michael Donovan, OFT
Stanley France, Schoharie County
Robert Freeman, Dept. of State
Jeffrey S. Grunfeld, OSC
Christine Haile, SUNY at Albany
Roman Hedges, NYS Assembly
Karl Kelly, DMNA
Robert G. Kelly, DHCR
Kim S. McKinney, NYSLGITDA
Michael Mittleman, CIO
Janice Morris, Dept. of Civil Service
Nancy Mulholland, Workers' Comp. Board
Eugene Pezdek, DEC
Franklin Slade, Dept. of Civil Service
Timothy Spencer, DOB
Victor Stucchi, HESC
David Walsh, SED
Staff
Editor
Gregory M. Benson, Executive Director
Design & Production
Rebecca J. Buchner, Executive Assistant
Milena Ivanova, Technical Coordinator
Editorial Office
NYS Forum
Rockefeller Institute of Government
411 State Street
Albany, NY 12203
Phone (518) 443-5001
Fax (518) 443-5006
Visit our Web Site www.nysfirm.org
E-mail info@nysfirm.org
Open Forum is a regular publication of the NYS Forum. We welcome editorial proposals and submissions.