When an event like this occurs in an organization, the first question asked post mortem is how we can prevent this from happening again. From iPremier’s perspective there are a few steps that can be taken. First, an overall evaluation of their security infrastructure and the individuals that support the structure is needed. iPremier used a third-party vendor to handle IT systems and support. This may be an area of weakness, and the service that is provided by Qdata should be looked at closely.
Although it may be cost effective to use a third-party vendor for this service, it is important to constantly evaluate their service and infrastructure compliance. Second, although Qdata manages iPremier’s IT systems, it is important for iPremier to have standard operating procedures and compliance standards. The period right after an outage is the perfect time to prepare such documentation, because a lot of what went wrong is still fresh in people's minds and helps provide some ground-level requirements.
Once iPremier establishes their processes and procedures, they should periodically “test” the process in a live drill. At my company we run several maintenance processes every month as well as disaster recovery testing once a year with some in-between quarterly testing. It’s important to put the process, procedure and plan together, but equally important to test it in order to identify gaps. This process also needs to be written and locatable in the event it is needed for reference. Establishing a location for the process both in paper form and electronically is key.
Lastly, communication from leadership to staff and to the clients that iPremier supports must be immediate. It is extremely important that staff be informed in a timely manner when information may have been compromised. There is also a legal obligation on iPremier’s part to notify clients that their information may have been compromised. iPremier may be on some level required to compensate clients or identify ways for them to mitigate the risk of their information being compromised.
Overall, at the time of a service interruption, a post mortem evaluation will always find ways in which the interruption could have been prevented. Unfortunately, organizations learn from disaster, and it is the primary way in which we learn our weaknesses. Going forward, if iPremier establishes the needed processes and procedures and takes the time to test their plan, they will prevent this specific issue from happening again, but there are always other issues that will come up. Then it is time to re-evaluate your plan, processes, and procedures.