Compliance audit
Audit undertaken to confirm whether a firm is following the terms of an agreement (such as a bond indenture), or the rules and regulations applicable to an activity or practice prescribed by an external agency or authority.

Compliance test
Audit undertaken to confirm whether a firm is following the rules and regulations (prescribed by its internal authority or control system) applicable to an activity or practice. See also substantive test.

Conformance
Certification or confirmation that a good, service, or conduct meets the requirements of legislation, accepted practices, prescribed rules and regulations, specified standards, or terms of a contract.

Supplier quality assurance
Confidence in a supplier’s ability to deliver a good or service that will satisfy the customer’s needs. Achievable through interactive relationship between the customer and the supplier, it aims at ensuring the product’s ‘fit’ to the customer’s requirements with little or no adjustment or inspection. The US quality guru Joseph Moses Juran (born 1904 in Romania ) divides the supplier quality assurance process into nine steps: (1) definition of the product’s quality requirements, (2) evaluation of alternative suppliers. (3) selection of the most appropriate supplier, (4) conduction of joint quality planning, (5) cooperation during relationship period, (6) validation of conformance to requirements, (7) certification of qualified suppliers, (8) conduction of quality improvement plans, (9) creation and use of supplier ratings.

Conflict resolution
Intervention aimed at alleviating or eliminating discord through conciliation.

Chronological division of work to be performed under a contract or subcontract in the completion of a project. Also called work scope.

Work scope
Alternative term for scope of work.

Information security
Safe-guarding an organization’s data from unauthorized access or modification to ensure its availability, confidentiality, and integrity.

Inherent risk
Probability of loss arising out of circumstances or existing in an environment.

Risk mitigation
Systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence. Also called risk reduction.

Business continuity
Ability of the key operations of a firm to continue without stoppage, irrespective of the adverse circumstances or events.

Business continuity planning (BCP)
Task of identifying, developing, acquiring, documenting, and testing procedures and resources that will ensure continuity of a firm’s key operations in the event of an accident, disaster, emergency, and/or threat. It involves (1) risk mitigation planning (reducing possibility of the occurrence of adverse events), and (2) business recovery planning (i.e. ensuring continued operation in the aftermath of a disaster).

Business continuity program
Ongoing management-level process to ensure that necessary steps are regularly taken to identify probable accidents, disasters, emergencies, and/or threats. It also involves (1) assessment of the probable effect of such events, (2) development of recovery strategies and plans, and (3) maintenance of their readiness through personnel training and plan testing. See also business impact analysis.

Business risk
Probability of loss inherent in a firm’s operations and environment (such as competition and adverse economic conditions) that may impair its ability to provide returns on investment. Business risk plus the financial risk arising from use of debt (borrowed capital and/or trade credit) equal total corporate risk.

Disaster recovery
Process of returning an organization, society, or system to a state of normality after the occurrence of a disastrous event.

Operational risk
Probability of loss occurring from the internal inadequacies of a firm or a breakdown in its controls, operations, or procedures.

System testing
The process of performing a variety of tests on a system to explore functionality or to identify problems. System testing is usually required before and after a system is put in place. A series of systematic procedures are referred to while testing is being performed. These procedures tell the tester how the system should perform and where common mistakes may be found. Testers usually try to “break the system” by entering data that may cause the system to malfunction or return incorrect information. For example, a tester may put in a city in a search engine designed to only accept states, to see how the system will respond to the incorrect input.

System analysis
Use of experimental approach (simulation) in understanding the behavior of an economy, market, or other complex phenomenon where mathematical analysis techniques are inadequate or unfeasible. See also system dynamics and systems analysis.

System dependability
Probability that a computer or other system will perform its intended functions in its specified environment without significant degradation.

Quality management system (QMS)
Collective policies, plans, practices, and the supporting infrastructure by which an organization aims to reduce and eventually eliminate non-conformance to specifications, standards, and customer expectations in the most cost effective and efficient manner.

Niche marketing

This is the practice of concentrating all marketing efforts on a small but specific and well defined segment of the population. Niches do not ‘exist’ but are ‘created’ by identifying needs, wants, and requirements that are being addressed poorly or not at all by other firms, and developing and delivering goods or services to satisfy them. As a strategy, niche marketing is aimed at being a big fish in a small pond instead of being a small fish in a big pond.

Regulations

A type of “delegated legislation” promulgated by a state, federal or local administrative agency given authority to do so by the appropriate legislature. Regulations generally are very specific in nature; they are also referred to as “rules” or simply “administrative law.”

Source: Georgetown Law School

Best Practices

Methods and techniques that have consistently shown results more superior than those achieved with other means, and which are used as benchmarks to strive for.

Source: Business Dictionary, COM

Standards

Documented agreements containing technical specifications or other precise criteria to be used consistently as rules, guidelines or definitions of characteristics, to ensure that materials, products, processes and services are fit for their purpose.

Source: International Standards Organization – ISO

Spoliation

Spoliation, in a legal context, is any act that renders potential evidence invalid, either intentionally or through negligence. In the case of a document, for example, destroying, altering or hiding it would all be considered spoliation if the document were relevant to current litigation.

Spoliation is illegal in many countries, including the United States, and is punishable by fine and/or incarceration. Furthermore, the legal system has established through case law that when spoliation has occurred it may be inferred that the evidence was unfavorable to the responsible party. As a result, that inference may be factored into the decision of the case.

Spoliation comes from the Latin spoliare, meaning to plunder. The use of the word in its current legal context dates back to a Roman rule of conduct, Omnia praesumuntur contra spoliatorem, which translates, roughly, as “Let everything be presumed against the spoiler of evidence.”

SearchCIO.com Definitions (Powered by WhatIs.com)

Cold site

In business continuity planning, empty building equipped with electric power, air conditioning, telephone connections, water, etc., but without computers, office equipment, and furniture. A cold site provides a less timely response to a disaster because it must be converted into a hot-site for use.

Source: Business Dictionary, COM

Hot site

Fully-equipped alternative computer center, office, work space or industrial facility that can be made immediately available to continue critical business functions affected by a disaster at the primary location. See also cold site and warm site.

Source: Business Dictionary, COM

Internal Audit

An audit conducted by, or on behalf of, the organization itself for management review and other internal purposes, and which might form the basis for an organization’s self-declaration of conformity.

Source: International Standards Organization – ISO

Organization

A group of people and facilities with an arrangement of responsibilities, authorities and relationships. An organization can be public or private.

Source: International Standards Organization – ISO

Process

A set of interrelated or interacting activities which transforms inputs into outputs.

Source: International Standards Organization – ISO

Recovery time objective (RTO)

A target time set for resumption of product, service or activity delivery after an incident.

Source: International Standards Organization – ISO

Resiliency

The ability of an organization to resist being affected by an incident.

Source: International Standards Organization – ISO

System

A set of interrelated or interacting elements.

Source: International Standards Organization – ISO

Incident

A situation that might be, or could lead to, a business disruption, loss, emergency or crisis.

Source: International Standards Organization – ISO

Critical activities

Those activities which have to be performed in order to deliver the key products and services which enable an organization to meet its most important and time-sensitive objectives.

Source: International Standards Organization – ISO

Consequence

The outcome of an incident that will have an impact on an organization’s objectives. There can be a range of consequences from one incident. A consequence can be certain or uncertain and can have positive or negative impact on objectives.

Source: International Standards Organization – ISO

Cost-benefit analysis

A financial technique that measures the cost of implementing a particular solution and compares this with the benefit delivered by that solution. The benefit may be defined in financial, reputational, service delivery, regulatory or other terms appropriate to the organization.

Source: International Standards Organization – ISO

Disruption

An event, whether anticipated or unanticipated, which causes an unplanned, negative deviation from the expected delivery of products or services according to the organization’s objectives.

Source: International Standards Organization – ISO

Exercise

An activity in which the business continuity plan(s) is rehearsed in part or in whole to ensure that the plan(s) contains the appropriate information and produces the desired results when put into effect. An exercise can involve invoking business continuity procedures, but is more likely to involve the simulation of a business continuity incident, announced or unannounced, in which participants role-play in order to assess what issues might arise, prior to a real invocation.

Source: International Standards Organization – ISO

Invocation

An act of declaring that an organization’s business continuity plan needs to be put into effect in order to continue delivery of key products or services.

Source: International Standards Organization – ISO

>Maximum Tolerable Period of Disruption

The duration after which an organization’s viability will be irrevocably threatened if product and service delivery cannot be resumed.

Source: International Standards Organization – ISO

Nonconformity

The non-fulfillment of a requirement. A nonconformity can be any deviation from relevant work standards, practices, procedures, legal requirements, etc.

Source: International Standards Organization – ISO

Emergency planning

The development and maintenance of agreed procedures to prevent, reduce, control, mitigate and take other actions in the event of a civil emergency.

Source: International Standards Organization – ISO

Likelihood

The chance of something happening, whether defined, measured or estimated objectively or subjectively, or in terms of general descriptors (such as rare, unlikely, likely, almost certain), frequencies or mathematical probabilities. Likelihood can be expressed qualitatively or quantitatively. The word “probability” can be used instead of “likelihood” in some non-English languages that have no direct equivalent.

Source: International Standards Organization – ISO

Share and Enjoy:

Posted by Continuity_Compliance | Filed Under Community Projects, Glossary, Tools & Resources | Leave a Comment

Data Loss – The 2 Headed Dilemma

August 25, 2009

The loss of data in your corporate environment, can be like flipping a 2 headed coin and calling ‘Tails’. No matter which ‘Head’ comes up….you lose. Data loss for the purpose of this article is defined as the permanent unforeseen loss of data or information. The definition of the 2 heads of the coin can be viewed as– loss due to unforeseen destruction of the data, or – loss of data due to a security breach.

Data Loss The two headed dilemma

Unforeseen destruction of Data –

There are 3 reasons where your organization has unforeseen destruction of data;

poor handling of the data
defects in the manufacture of the data storage device, or
a disaster type incident (fire, flood, etc).

Poor handling can be linked to everything from accumulated dirt within the device that stores the data, to electro-static discharge, to the failure of an HVAC system to maintain a constant cool temperature. No matter what the reason, important data that was there a minute ago is now gone. If no copy of the lost data exists, the loss of the data can be devastating to your business.

Security Data Breach –

The other reason for data loss, which unfortunately is occurring with increased frequency, is categorized as a breach of security. The loss of a laptop, thumb drive, or other media is considered a security breach data loss. Also include in this category is the introduction of a virus into your system or worse, an attack by a hacker where data to diverted away from your environment a security breach, even a disgruntled employee gaining access to confidential information and selling it or using it against the organization

Consequences

The loss of business due to an unforeseen data loss or a security breach can be permanent. The publicity alone can have a devastating aftershock. Data that is destroyed AND then unrecoverable is seen within any industry as poor business process. Loss of supplier contracts and consumer confidence is most likely evident.

Now consider that while you may have the same devastating business loss as you suffered above, with a data breach, you may now have additional, and expensive responsibilities. If the data that was lost is considered confidential and consumer related, it is considered a Security Data Breach which may require your organization to conform to any number of Data Breach Notification Laws or risk federal or state penalties. The notification process is very expensive; current estimates are over $200.00 per account lost, and penalties and fines are starting to increase to unrecoverable amounts.

Ways to Prevent Data Loss

The most economical way to prevent the permanent loss of data is to have a back-up of that data. This can be accomplished not only easily, but relatively inexpensively. Newer technologies have made not just the creation, but also the storage of duplicate data cheaper than it’s ever been. Although many organizations continue to create back-up tapes every day and move those tapes off-site, the electronic vaulting of data or even full replication of the data is now easier than its ever been. It is also proving to be a more reliable recovery method.

Another way to help prevent data loss is by maintaining a clean environment for your corporate servers, disk arrays, and other storage devices. The accumulation of particles on your storage devices never has a good outcome. So similar to how you make sure your kitchen counter clean before you prepare food, always make sure the area where you store your data is clean and secure

To help prevent a security breach, various appliances and software solutions are available, everything from encryption to biometics may be used. The trick here is to make sure that the end user is comfortable using the solution and can easily adapt to it.

Having reliable security controls in place will also help reduce the risk of sensitive data being removed without your knowledge. Creating corporate policies and communicating them to your customers and employees will assist in the education of how important your organization takes the securing of it critical data.

For more information on data loss please visit us at www.continuitycompliance.org

Written by Lisa

Share and Enjoy:

Posted by Continuity_Compliance | Filed Under Business Continuity Info | Leave a Comment

Shelter in Place (SIP): Toward Developing a Decision Matrix

August 25, 2009

Dealing with an airborne toxin

Immediate evacuation is not always a best practice response to accidental chemical plumes or other non-nuclear airborne hazard releases. Not only is it challenging to initially notify and direct the potentially affected populations, but issues such as the safest direction to evacuate (if any), population density, and type of toxic agent are situation-specific and in some cases require minute to minute meteorological information to be valid. Follow-up instructions for these populations are as important as the initial notification, but are frequently taken for granted or omitted in Emergency Response Plans.

Oak Ridge National Laboratory has defined four levels of sheltering: Normal, Expedient, Enhanced, and Pressurized.[1]

Only the first two levels are commonly available. The above study states that the effectiveness of sheltering in place is subject to

the behavior of the public;
the characteristics of the structure and its immediate environment; and
the characteristics of the toxin. NRS concludes that there are a number of other critical elements to be considered, as well.

Guidelines for SIP must be specifically drawn for each threat. A weighted multi-dimensional Decision Matrix can be developed using event-specific parameters. Visually, this matrix would resemble the famous Rubix cube. Some of the parameters that would be included in such a decision process would be:

I. Effectiveness of Notification and Update Methods

How much lead time is needed to reach populations?
How much lead time is needed to allow populations to follow emergency measures?
How to will notification of SIP and of the All Clear or Continued Caution be delivered?
How and how often should updates be made – minutes, hours, days?
U.S. populations are diverse and should be warned in different ways and languages.
Information must be communicated in a convincing and directed manner.
Overuse of almost every form of communication can cause outages.

II. Education of Population and Media

FAQs sheets are effective if read prior to an event.[2]
Simple signage is helpful.[3]
What percentage of the population is prepared with Go-Kits?[4]

Does the at-risk population have duct tape, towels to wet, and plastic sheeting?[5]

Video instruction is available.[6]
Experience from past disasters can educate.[7]
Some people will not remember siren patterns and certain individuals will be prone to panic.
Some people are motivated by fears and distrust of authority and will not voluntarily follow direction.
Dispersed families will respond differently from united families.[8]
Parents rushing to schools to retrieve children rarely obey instructions, as was seen in the 1999 Chevron refinery explosion.
Media reporters often mistake emergency terms. SIP has been confused by the media with the opening of community shelters, resulting in dangerous circumstances and wasted time.

III. Education of Emergency Response teams

People will respond to family before job obligations.
If response teams’ families are unprotected, team effectiveness will be reduced.
Handicapped or incapacitated individuals may require direct intervention.
Risks are more severe for the sick, elderly, and very young.

IV. Meteorological Data

Is it raining? Phosphorus chloride and rain can create a hydrochloric acid cloud.
Is it snowing? Visibility of warning signs may be limited.
Is it icy? Sirens may be muffled or non-operational.
Which direction will the wind carry a hazardous cloud?

V. Presence of Additional Threats

Frequently more than one chemical or hazard will be present during an event.
Some airborne hazards are the result of a fire, an explosion, or an accident.
The progress of firefighting may be impeded by airborne hazards, allowing residents who are sheltering in place to be at an increased fire risk.

VI. Population Density

How many people are present in a building during an SIP event?
Are there hospitals, schools, corrections facilities, half-way houses, homeless shelters, hotels, or large businesses in the path of the airborne hazard?
Was a large outside meeting, such as a baseball or football game in progress before the event?
Where do people gather who learn of the event while outside?

VII. Road Conditions and Transportation issues

Traffic volume and the presence of emergency vehicles in the case of an accident may alter expected traffic patterns.
Transported hazardous materials in a truck or train accident may result in fleeing residents facing chemical exposure in a traffic jam.
What are the safest ways to shelter-in-place in a vehicle?
Is mass transport present?
Are people riding mass transport during the event?
How should traffic behave in departing the area of an event?
Where should people trapped in rush hour traffic shelter in place?
Are roads clearly marked?

VIII. Time (Season, Daylight) of Event

Are people sleeping?
Will notification reach them if they are asleep?
Are homes and other buildings closed up for cold weather or generally open for warm weather?

IX. Shelter-in-place locations and characteristics

If SIP will occur in the path of shifting winds, how long will exposure last?
If exposure is lengthy, how will residents be advised when or if to move?
Older buildings will allow greater exposure rates.
Is the building tall? Plumes will rise and collect on upper floors.[9]
Are valuable pets or livestock present?
Are animals permitted where people shelter?
Was the toxin release indoors?[10]

X. Presence of Symptomatic People or Animals

What guidelines should be followed by affected people or their co-workers and family?
In the absence of medical experts, what should be done?

XI. Medical Surveillance and Oversight

Are medical professionals involved in the recommendation to SIP?
Are medical professionals involved in the All Clear decision?

XII. Toxin concentration and health effects

Which is more dangerous, the duration of exposure or the concentration of toxin?
How was the toxin released and how long is it expected to linger?
Does the toxin have a “shelf-life”?

Often forgotten is the question “At what point is it more dangerous to remain sheltering in place?” Argonne National Laboratory (ANL) has studied this issue[11] and suggested steps toward building a decision-tree or matrix for instituting and terminating SIP under very controlled circumstances at or near Army chemical stockpile sites. This document contains a useful bibliography. It concluded that there are no “off-the-shelf” methods available to institute, manage, or terminate SIP.

Based on multiple studies and methodologies, a general timeframe for particle infiltration was sought for unpressurized structures, leading to a determination of when the shelter would become more contaminated than the outside air. Options for dealing with this included ventilating the shelter while occupied or exiting the shelter and relocating. The ANL study concluded that further development was needed. As part of that development, they have designed Sync Matrix planning software.[12] Homeland Security also has begun using the Sync Matrix Planning Process to study the “disaster dimensions of time, space, and hazard characteristics.”[13]

Other study groups have asked similar questions, including queries about how to handle populations emerging from an SIP episode.[14]

Others have approached single issues through a Decision Matrix. An example is the Agency for Healthcare Research and Quality study of Call Centers for Crisis Support, performed as part of the U.S. Dept. of Health and Human Services.[15] An example of a simple ranked Decision Matrix is described by the Hancock County [Maine] Hazard Mitigation Plan.[16]

Continuity Compliance continues to monitor these complex response issues and to support the development of a Decision Matrix to aid clients in designing their own specifically tailored education and response plans.

For more information on this subject, other business continuity topics or business continuity policies please write to:

Info@ContinuityCompliance.org

Written by Don

[1] Sheltering_In_Place_As_A_Public_Action.doc.

[2] Actions_To_Take_When_Ending_Shelter_In_Place.doc

[3] Shelter_In_Place_It_Works_With_You.doc

[4] Shelter_In-Place_In_The_Work_Environment.doc or Shelter_In_Place.doc

[5] Issues_Related_to_Expedient_Shelter_In_Place.doc; see also EXPED.doc and Expedient_Respiratory_And_Physical_Protection.doc

[6] Residential_Shelter_In_Place.doc

[7] NICs_SIP_brief-examples.doc

[8] Family.doc

[9] Protecting_Building_Hazardous.doc

[10] Protecting_Buildings_From_A_Biological_Or_Chemical_Attack.doc

[11] Temporary_Shelter_In_Place.doc

[12] http://www.dis.anl.gov/projects/sync_matrix_planning.html

[13] http://www.globalsecurity.org/security/systems/synchronization-matrix.htm

[14] http://emc.ornl.gov/CSEPPweb/data/Reports/Workgroup_IPT%20Reports/Final_SIP WG_report_12_3_01%20copy.pdf

[15] http://www.ahrq.gov/prep/callcenters/callapp1.htm

[16] http://www.co/hancock.me/us/pdfs/Mitigation%20Plan%20-%20Strategy%205.pdf

Share and Enjoy:

Posted by Continuity_Compliance | Filed Under Business Continuity Info | 2 Comments

Selecting an Alternative Worksite

August 25, 2009

Events of recent years have demonstrated that having an alternative worksite is not only prudent, but an essential precaution. Considered an element of Business Continuity, in some industries the decision to maintain an alternative worksite is not a choice but a matter of regulatory compliance.

Tracking Map G3

Sungard, Hewlett Packard, International Business Machines, and large numbers of regional vendors offer various shared facility programs. In some cases, the vendor supplies a fully equipped infrastructure complete with computers, telecommunication equipment, printers, high volume mailing systems, and high speed Internet access – all for a fixed monthly charge. In other cases, the offering consists of little more than an empty warehouse or ready-to-move-in office. There are even mobile options consisting of specially equipped trailers that can be driven to your facility and used as temporary office space for weeks at a time.

Choosing from these alternatives can be an overwhelming undertaking, especially for managers who are unfamiliar with this area of Business Continuity Planning. The following “checklist” is designed to help our clients perform a self-assessment and make an informed decision.

While important, the selection of an alternative work site involves more than a decision about a site’s location. The following list provides a few of the business continuity policy issues, grouped into seven categories that should be discussed before choosing an alternative worksite.

Organizational Preparedness

Is an alternative site plan part of your business continuity plan?
Does the plan provide for emergency notification of employees, clients, vendors and other stakeholders?
Has the plan been tested?
Do you have a business interruption insurance that pays the cost of using an alternative site?

Business Continuity Policies

How much seating capacity is allocated to your firm and is it in a private (walled off) setting?
Is the space shared among several clients who, in a wide-scale crisis would be competing with you for access to the space?
Does the vendor offer a program that would guarantees you a minimum number of “seats?”

Facility Infrastructure

Does the infrastructure of the alternative facility meet your needs in terms of electrical and HVAC capacity?
Have the security systems been through an audit?
Is the information technology including the telecommunications infrastructure redundant, diverse (uses multiple vendors), and have unused capacity?
Does the site have its own water supply or does it rely on city/town water systems?
Are there shipping and receiving areas?
Are there meeting areas where you can entertain clients, vendors or regulators?
What are the telephony, voicemail, email, and fax capabilities of the site?
Are there volume mail and print services onsite?
Are supplies stored on site?
Does the facility have a cafeteria or kitchen?
Are the sanitation facilities adequate to support the site when fully staffed?
Is there a secure space for storage of vital records (locked room, caged-in area, etc.)?

Information Technology Support Services

Are backup copies of your files maintained at the site for quick setup and access (disaster recovery)?
Do you have personnel on staff who can rebuild your Information Technology systems from the “ground up?”
Has the facility’s infrastructure undergone a recent network security audit?
Has the facility’s infrastructure undergone a recent physical security audit?
Does the vendor have staff that can perform this task should your people be unavailable?

Local Support Services

Is there adequate parking, lodging and food service facilitates in the immediate area?
What other services are in the area (banks, food stores, pharmacies, etc.)?

Accessibility

Is the site accessible by public transportation?
Does it have facilities for the physically challenged?

Security

Is the neighborhood safe and suitable for long-term occupation of the recovery center?
Is security provided by the vendor?
Does the site offer an information security monitoring system?
Has the site been through a security audit?
Is the site secure, monitored, and available 24 hours a day?

For more information on this subject, other business continuity topics or business continuity policies please write to:

Info@ContinuityCompliance.org

Share and Enjoy:

Posted by Continuity_Compliance | Filed Under Business Continuity Info, Information | Leave a Comment

Physical Information Security

August 25, 2009

Physical information security, although vital to information security strategy, does not garner as much attention as more technologically sophisticated security techniques. This inattention to physical information security exposes an organization to a host of threats, both natural and man-made, that can cause serious damage to infrastructure and assets, as well as disruption of operations. Mitigation of physical information security risks like fire, theft, vandalism, terrorism or natural disaster can be achieved through prevention, detection and planning.

Vocalno Erupting G4

Prevention measures usually incorporate barriers that deter would be attackers and features that “harden” a facility against natural disasters or accidents. Deterrents can include door locks, biometrics, man-traps, fences, moats, file cabinet locks, shred bin locks, laptop/desktop computer locks, and clean desk policies. Features that may harden a facility in the event of a natural disaster or accident include earthquake resistant construction, fire suppression systems, redundant power supply to data centers, redundant cooling in data centers, multiple telco feeds, raised floors, and data center design that minimizes the need to access the server area.

Detection can be achieved through various notification systems and surveillance methods. Building automation systems and data center monitoring devices can be used to alert of temperature deviations, humidity levels, water detection, intrusion detection, smoke detection, heat detection and equipment function. The automation systems and monitoring devices allow remote management of the facilities. Surveillance can incorporate on-site physical monitoring using security guards, as well as cameras and video/digital recording equipment.

The last mitigation technique, planning, can be implemented as a preventive measure, but can also be used as a recovery method after a physical information security breach. Organizations need to develop plans for how to recover from flood, earthquake, fire or power loss, as well as theft, burglary or vandalism. Planning helps an organization assess vulnerabilities, measure probability of occurrences, and create processes and procedures for mitigating damage and interruption of operations. Successful planning will enable the organization to recover effectively and efficiently, thereby preserving the organization’s reputation and standing.

Organizations need to be sure they have strong physical information security measures in place at their premises and should also review prevention measures of vendors who may be providing information or data center services, in order to ensure information is adequately protected from physical threats.

Share and Enjoy:

Posted by Continuity_Compliance | Filed Under Physical Security | 1 Comment

Making Sense of the Alphabet Soup – Business Continuity Certifications

August 25, 2009

When I was a kid my favorite cereal was Post’s Alpha-Bits. I spent hours trying to find all the little cereal letters to spell my name in the bowl on the breakfast table. Some days I had success and others were dismal failures with nothing but vowels, P’s, Q’s and X’s. These days when looking at the business cards of business continuity professionals, I revert back to that alphabet soup that was in my cereal bowl.

Credentialing Organizations

Today business continuity professionals have several options when looking to obtain business continuity certifications. There are many credentialing organizations with various training and testing programs, each with their own experience requirements and continuing education point systems. In alphabetic order, the major credentialing organizations are:

BCI – The Business Continuity Institute
BRCCI – Business Resilience Certification Consortium International
DRII – DRI International
ICOR – International Consortium for Organizational Resilience

The Business Continuity Institute (http://www.thebcicertificate.org/index.html)

The Business Continuity Institute was founded in 1994 and is headquartered in the United Kingdom. They have a membership scheme of credentialing for their association. You can pass the BCI certification exam or you can pass with merit. The level of passing the exam and your experience in the business continuity field will determine the level at which you can be a member of the professional association. Please see their website for specific requirements for each level. The BCI certification levels are:

AMBCI – Associate Member BCI
SBCI – Specialist Member BCI
MBCI – Member BCI
FBCI – Fellowship Member BCI

Business Resilience Certification Consortium International (http://www.brcci.org/)

BRCCI is an open non-profit international business resilience certification body and association that emphasizes business continuity and enterprise risk management to develop business resiliency. They have varying levels of membership and certification. Anyone who is interested in business resiliency is able to join the association at an associate level without taking an exam. The BRCCI certification levels are:

Associate of BRCCI
CBRS – Certified Business Resiliency Specialist
CBRM – Certified Business Resiliency Manager
CBRA - Certified Business Resiliency Auditor
MABR – Masters Achievement in Business Resiliency

DRI International (https://www.drii.org/)

DRI International was founded in 1988 and is headquartered in Conway, Arkansas. They provide business continuity training and certification. Their certification levels require an exam, experience levels, and references. The certifications available are:

ABCP – Associate Business Continuity Professional
CBCV – Certified Business Continuity Vendor
CFCP – Certified Functional Continuity Professional
CBCP – Certified Business Continuity Professional
MBCP – Master Business Continuity Professional

International Consortium for Organizational Resilience (http://www.theicor.org)

International Consortium for Organization Resilience (ICOR) is a not-for-profit education and credentialing organization. They have several levels of membership in the organization and many different certification programs all relating to organizational resilience. The credentialing is based on education, experience, continuing education, certifications, authoring and public speaking. Their credentialing levels are as follows:

CORA – Certified Organizational Resilience Associate
CORS – Certified Organizational Resilience Specialist
CORM – Certified Organizational Resilience Manager
CORP – Certified Organizational Resilience Professional
CORE – Certified Organizational Resilience Executive

There are many options for business continuity certifications being offered to professionals today. We have listed just a few of the major providers of credentialing and certification. Please refer to the organization websites for all the details regarding the certification programs.

Share and Enjoy:

Posted by Continuity_Compliance | Filed Under Information, Standards & Best Practices | Leave a Comment

Information Security Risks

August 25, 2009

Hurricane Satellite Shot G3

Information security risks abound in today’s information age. How many risks below can you correctly match with their definitions?

1. Virus	A. Deliberate malicious damage or destruction of property.
2. Worm	B. Illegally implanted non-replicating computer code that does damage to local computer when launched.
3. Malware	C. Hidden method for bypassing computer’s authentication system.
4. Botnet	D. A process or state of combustion in which fuel is ignited and combined with oxygen to produce light, heat and flame
5. Theft	E. Computer program that captures or records keystrokes to illegally obtain passwords or encryption keys.
6. Rootkit	F. Any type of software that has a malicious intent.
7. Backdoor	G. Illegally implanted computer code that destroys data when the program is downloaded.
8. Spyware	H. Army of infected computers formed by a virus that orders the infected machines to follow instructions from attacker.
9. Keylogger	I. Illegally implanted computer code that intends to take control of the computer operating system without the owner’s consent
10. Fire	J. An attempt to make computer resources unavailable to intended users.
11. Trojan Horse	K. A segment of self-replicating, illegally implanted computer code that is intended to damage or shut-down a computer or network.
12. Vandalism	L. Software that secretly records information about a person or organization.
13. Distributed Denial of Access	M. The wrongful taking of property of another.