Thursday, April 10, 2008

Security Incident Management - Event Notification

Deep in policy land of late, finishing off a BITS compliant set of Infosec polices, I noticed a service which may prove useful in Information Security Incident management (or any other incident management scenario for that matter) from Grasswhispers (

The user controlled web portal allows you to upload your staff mobile phone database then categorise them accordingly. When an incident occurs they will receive a pre-recorded message. Of considerable further use is the ability to record update messages on the move from a mobile phone. It's a slightly better alternative that SMS (see below.)

In times of crisis

Only fly in the ointment is what happens if they switch the mobile phone networks off? This happened during 7/7 for whatever reason - presumably in an attempt to block a control route to a yet unexploded devices. Perhaps this is something that needs to be taken into consideration in any emergency scenario? However, I'm surprised that so many organisations seem to devolve the responsibility for DR/BCP to the least able of the IT groups and usually to their least able members i.e. Infrastructure.

SMS comes with no quality of service guarantees - in fact it's store and forward at its worst. As an example, people frequently encounter difficulties with SMS traffic each New Year or in crowded venues. Occasionally, you'll get an SMS message that has been significantly delayed too.