What mental image does "computer security"
conjure up? Some people picture locked doors, guarded offices, maybe
even "geeks with guns." You might imagine knitted brows on
concerned faces, lit by the glow of computer monitors as elusive hackers
are tracked across the global Internet. But just as police work is seldom
about shoot-outs and car chases, computer security is often about boring
stuff like policies and reports. And security can be as much about preparing
to recover from problems as preventing them.
Over the years, many companies have developed plans to
deal with a variety of different incidents, from computer failures to
natural disasters, power outages to adverse publicity. Unfortunately,
we have observed that these plans are often created by different departments,
and different incidents are addressed in different plans. In other words,
they are not coordinated, which can lead to costly duplication of both
time and expenditure.
Few people know more about this than our good friend
Michael Miora, who specializes in incident management planning. Michael
defines incident management planning as "the critical process of
recognizing events that will adversely affect your business, reacting
appropriately to those events, and then responding to quickly resume
normal operations."
The idea is that when something goes wrong, people need
to know what to do about it in order to minimize the impact. Incident
management addresses the problem of disparate contingency plans by making
sure all such efforts are coordinated, bringing together the different
elements in one overriding project plan that not only enhances protection,
but also increases cost-effectiveness and provides a much better Return
on Investment (ROI) than a compartmentalized and uncoordinated, piecemeal
approach.
Take a simple example like an unexpected power outage
at an office or factory. What happens if nobody knows whose job it is
to call the power company? Here are two possible outcomes:
* Everyone makes the assumption that somebody else is
making the call, so no call is made; or,
* A lot of people use their initiative and make the call
themselves, jamming the phone lines so none of the calls get through.
In both scenarios, a lack of clear understanding about
who is supposed to do what means that the recovery process is unnecessarily
delayed. If proper procedures had been clearly established, the power
company would be contacted as soon as possible, minimizing the length
of time the office or factory is without power, thereby reducing the
incident's financial impact on the company.
This is true regardless of the type of incident. Consider
an unannounced raid on your office by an FBI anti-terrorism squad--less
likely than a power outage perhaps, but not impossible to imagine these
days. If the local press turns up and starts asking questions, you will
fare much better if employees know that the only person allowed to speak
to reporters is the CEO. A good Incident Management Plan enables your
company to respond efficiently to a wide range of events that have the
potential to harm the organization, even those that are unexpected.
But where do you get such a plan? One approach is to
hire an expert. However, that can be expensive, particularly for smaller
companies. Or what if you are a branch office of a larger company? Your
Incident Management Plan needs to be specific to your office, your staff,
and your systems; it is not something that head office can easily cook
up and send you via Federal Express. Contemplating this problem led
Michael Miora to come up with a product called IMCD, literally a CD
that contains everything you need to create a comprehensive Incident
Management Plan (you can check out a demonstration version at http://www.contingenz.com/imcd.htm).
The CD contains three parts. First is a basic course
in incident management, complete with narration and suitable for all
employees. There are also narrated instructions on how to prepare for
the second part, which is the inputting of information about your organization,
its business functions, employees, clients, systems, backup procedures,
and so forth. Included in part two is a calculation of the relative
criticality of different business functions so that, in the third part
of IMCD, where you print out your customized Incident Management Plan,
you get an expert analysis of which systems and functions need to be
given priority during an incident.
The value of such a plan is not just the money it can
save your company should an incident occur. Computer security has moved
up the corporate agenda to the point where companies are now demanding
assurances from their suppliers that they have all the bases covered.
The very first sale of IMCD was to a small company about to land a contract
to supply services to a much larger company, a company that, as a matter
of policy, requires all suppliers to provide a copy of their incident
management plans before they do business.
In all likelihood, every company, large and small, will
face a significant incident of some sort within the next three years.
Sensible incident management planning will lessen the impact of that
incident on the corporate brand, image and revenues. With IMCD, even
small companies, or the branch offices of large companies, can apply
the knowledge and skills of incident management experts without the
cost of hiring one.