Businesses, whether large or small, often operate as if they will never be subjected to a major disaster. While these businesses may have plans in place, they often do not have adequate planning policies and practices developed from scenarios that are based on their operational practices, business models, and social impact on the community. Consider the Citibank incident in 2005, in which the personal financial information of more than 3.9 million customers disappeared during shipment from its Weehawken, NY facility.
Was this an unpreventable incident, or did Citibank fail to implement enough safeguards to minimize the chance of this incident occurring? Could Citibank’s corporate culture have played a part in the incident occurring? Which aspect of the contingency planning process came up short: the IR, BP, CP, or a combination of a few? What benefits, if any, would have been gained if Citibank had developed a plan such as the one you have proposed? If you were Citibank’s CSO, what would you have done differently? What practices and procedures would you have put in place? How should the media have been secured, transmitted, and stored? How would you have guided the efforts of the CSIRT, or were they not needed for this type of incident? Why do you believe that your direction would have worked?