What security issues surfaced once your team was displaced by Katrina?
Creger: Anytime an office is moved or converted into a temporary facility, there are going to be security issues. We followed our 100+ page disaster recovery plan that we activated the Friday before Katrina made landfall (on Monday). Twenty-four of our 226 employees are part of the recovery team that immediately moved to Baton Rouge, LA and setup shop. As time passed, more employees arrived at the temporary office in Baton Rouge. We had real challenges providing security of information systems access in light of the fact that we had many more employees than our 10 computers in the office.
While our employees maintained their job responsibilities, everyone pitched in to help in other areas. HR kept IT informed of those additional duties, so that IT could make the appropriate security system access adjustments.
Sounds like you trust your staff and other bank employees more in a crisis situation?
Creger: You have to make some adjustments to the (security) program because the top priority is customer care and recovery, and you do that within good security practices.
At first, we were in close quarters. Branch personnel, bookkeepers, human resources, lending and other functions were all handled within one office.
The IT department was definitely on top of security issues -- not to mention trouble-shooting. We had a database of system access privileges that we kept intact, but we created new groups for Katrina-response employees. They were given greater authority, for the storm response, but we know where we were pre-storm and we will be able to get back to that.
As an information security officer, how involved were you in the development and implementation of OmniBank's disaster recovery and continuity plan?
Creger: I'm on the 24-member team, and our physical security officer is on the team along with others from our IT staff. We certainly considered security. We have an audit trail for all our manual entries while systems were temporarily unavailable due to power outages.
What contingency plans worked best?
Creger: Having a plan is essential. The ability to call upon alternative resources in a crunch situation like a hurricane is impossible without advanced planning Within 24 hours of Katrina making landfall, we were able to serve our customers.
Telecommunications were, and continue to be, our biggest obstacle. Knowing our critical applications and systems was a key to success. Again, the reason we were able to respond so quickly was our advanced planning.
About the author
Michael S. Mimoso is Senior Editor of Information Security magazine.