February 5, 2012

World Conference on Disaster Management Calls for Papers

The 20th World Conference on Disaster Management (WCDM) will be held in Toronto, Canada from June 20-23, 2010.  This event is regarded as the premier annual conference to attend if you want to hear all of the major global issues common to every aspect of disaster and/or emergency management.  Currently the management of this WCDM Summit Series Conference is soliciting writers and abstracts for consideration to be presented and discussed at this conference.

This call for papers requires that all abstracts be submitted by December 6, 2009 and should fit into one of the following six (6) main topic areas:  (1) Real Events / Lessons Learned, (2) Emerging Trends in Disaster Management, (3) The Human Element in Disaster Management, (4) Technical Issues/Threats, (5) Disaster Management Principles & Practices and (6) Research and Development.

Perhaps there are individuals within your organization, who are charged with responsibilities regarding disaster management, and, who would like to submit their thoughts in writing  regarding related subjects such as:  Community Emergency Response Programs, Emergency Risk Management, Crisis Communications, Emergency Site Management, Evacuation Planning, Trauma Risk Management, Organizational and Community Resilience, Exercise and Training Programs, Personal Preparedness & Pandemic Planning, Cyber & Electronic Data Security, or Virtualization and Cloud Computing as related to your company’s Disaster Recovery capabilities.

To get more information and details about this important conference and to view all of the abstract submission requirements, click here.

GAO Report Stresses Need to Address Flu Related Network Congestion Fears

Officials at the U.S. Government Accountability Office (GAO) recently released a report entitled, “Influenza Pandemic: Key Securities Market Participants are Making Progress, but Agencies Could Do More to Address Potential Internet Congestion and Encourage Readiness“. (Read this Report)

The Department of Homeland Security (DHS) responded to this report by stating, “An expectation of unlimited Internet access during a pandemic is not realistic — any more so than an expectation that traffic congestion on hurricane evacuation routes can be completely avoided.  All users which rely on the Internet, including the financial sectors, should not expect that Internet congestion problems will be easily solved ….”

If your business continuity planning committee is planning for having employees work from home, or, if students are also doing their assignments from home, then the findings and recommendations from this report are a must read for members of those committees and school boards.

Security consultants, enterprise risk management teams, information system security leaders, continuity management members, and disaster recovery and business continuity specialists will benefit also from reading this report.

Information Security Management Trends Predicted for 2010

Ian Kilpatrick has recently posted an article on the Continuity Central blog website that identifies growth areas that he believes we should be aware of in 2010.

In his article, Mr. Kilpatrick lists the following growth trends for 2010:

1. eXtensible Threat Management Systems (XTMs)
2. Two Factor Authentication
3. Encryption
4. Hosted Security
5. Internet Filtering
6. Endpoint Security
7. Low Footprint Anti-Virus
8. VoIP Security
9. Compliance
10. Convergence of Voice and Data

Since security management is always a topic for your compliance management team meetings, and since information security risk will continue to be a challenge for all organizations to meet, these information security management (ISM) trends for 2010 are well worth reading.

Click here to read more details about these trends as predicted by Mr. Kilpatrick.

From ITIL Maturity to ISO 20000

When people hear IT Service Management, most associate the acronym ITIL with it.  ITIL (Information Technology Infrastructure Library) is a set of best practices to manage IT Services.  Enterprise organizations have spent many years striving to achieve ITIL success.  ITIL provides its guidance in a set of 5 books:

  • Service Strategy
  • Service Design
  • Service Transition
  • Service Operation
  • Continual Service Improvement

Through the guidance of ITIL, most organizations have been able to achieve a level of mature process for the delivery of critical IT Services, whether to their internal customers or external customers.  From a competitive standpoint, though, for both large and small organizations there is no way for an organization to prove ITIL competence beyond the confidence of existing customers.

There are personal certifications for individuals to show ITIL competencies, but within ITIL, there is no “stamp of approval” for organizations.

There is, however, an ISO (International Organization of Standards) certification for IT Service Management with ISO/IEC 20000-1:2005.  This standard provides an ITIL-lite set of requirements along with the common Management System structure of Plan, Do, Check, Act (PDCA).

ISO 20000 – IT Service Management is a set of auditable requirements which ensure management participation and customer feedback.  The standard incorporates an overall compliance management framework and includes such critical areas as information systems security and looks at overall compliance risks to the delivery of the IT Services.

Following best practice (ITIL) and conforming to a recognized standard (ISO 20000) provides the evidence that IT services are meeting the highest standard of best practices and that mechanisms are in place to keep it that way.  Through the certification by a third party registrar, an organization is able to prove or certify their IT Service Management commitment.   

ISO/IEC 20000-1:2005 is to the organization what ITIL is to the operations. In today’s business climate, more than ever, suppliers of IT Services are being required to certify to ISO 20000 to keep existing clients or as a cost of entry to respond to new Requests for Proposals (RFPs).  This ITSM standard is a way to get the best of both best practice and continuous improvement and meet the certification requirements.

Operational Risk Management Report Issued by Senior Supervisors Group

The Senior Supervisors Group (SSG) is an advisory group comprised of senior financial supervisors from seven (7) countries — United States, Canada, France, Germany, Japan, Switzerland, and the United Kingdom.  This group released and issued a report on October 21, 2009 titled “Risk Management Lessons from the Global Banking Crisis of 2008“.

The initiatives behind the issuance of this report are to support the priorities of the Financial Stability Board whose mission is to address vulnerabilities affecting the financial system and to promote global financial stability.

This report basically states that weaknesses in risk management and internal controls contributed to industry distress during the financial crisis period starting in 2008.

The report concludes that substantial work is still necessary to improve risk management practices and to address underlying weaknesses in governance controls, incentive structures, information technology infrastructure and internal controls within the organization.

To read this report in its entirety and to determine where your own organization can benefit from its findings in such critical areas as security risk management, information technology security and management, information security risk assessment and general business risk assessment,  go to the following link:

http://www.sec.gov/news/press/2009/report102109.pdf

NASA IT Security Posture Found to be "High Risk"

The U.S. Government Accountability Office (GAO) has issued a report this month that has painted a bleak picture of NASA’s IT security posture.

Between 2007 and 2008, the space agency (NASA) reported 1,120 security incidents that resulted in the installation of malicious software on its systems along with unauthorized access to sensitive information.  And this recent report continues the warning that highly sensitive personal, scientific, and other data was found to be at an “increased risk” of unauthorized use, modification, or disclosure.

There are potential lessons to be learned in this report and it is suggested reading for members of your organization’s business continuity management team(s).  This report addresses questions of security software effectiveness, network security risks and weaknesses, information management and security management guidelines and ultimately potential ideas to increase the effectiveness of your enterprise security programs.

Click here to read this report.

ITSM — IT Service Management

With the business demand to lower costs and improve delivery of IT services, focus on IT Service Management has been at the forefront this year.

The management for the delivery of IT Services includes those organizations that want to manage their internal IT services, manage the external delivery to their customers and in many cases, both.

IT Service Management combines a set of inter-related processes to manage the level of service, quality of service and cost of the service.  IT Service Management also relies heavily on the customer’s input and requirements.

There are a number of “best practice” frameworks available within ITSM.  The most common is ITIL: Information Technology Infrastructure Library.  ITIL is a set of 5 books and has a number of supporting organizations that provide guidance and forums.  ISO/IEC 20000-1:2005 IT Service Management, by contrast, is an ISO standard that can “certify” an organization against specific ITIL-lite requirements.  This standard is gaining momentum due to the mandates within certain agencies of the Federal Government that now require ISO 20000 certification as a requirement to respond to a proposal.  Additional guidance is gained through CMMI and Six Sigma methodologies.  Whichever one or many you choose, the ultimate goal is to be able to successfully deliver IT Services.

Service Management extends well beyond IT and should be looked at more holistically.  As stated before, ITSM uses a set of inter-related processes.  It also includes requirements for supplier management, especially those vendors in the critical path of service delivery.  Additionally, you and/or your customers might be subject to compliance auditing and need proper controls for third party audits.  Using ISO 20000 as a baseline can help achieve process compliance across many regulatory and customer audit requirements.  The inter-relationship of the processes of ITSM ensures that any critical service component is managed within a lifecycle and that all critical inputs and outputs are considered when creating, changing or removing any service.

High level views of a few critical components are:

  • Management responsibility
  • Change Management
  • Information Security Risk Management
  • Continuity and Availability
  • Release Management

Whether you are an Internal IT department or a Managed Services firm, embracing some form of IT Service Management has now become a critical business requirement.

Security Policy — Components of a Good Policy

By:  Lisa DuBrock, CPA, CBC

Whether you are tasked with writing your organization’s Information Security Policies or updating an existing security policy or security policies, knowing what is in a well crafted policy is important.  Below are details of many of the areas you should include:

Security Definition – All security policies should include a well-defined security vision for the organization.  The security vision should be clear and concise and convey to readers the intent of the policy.  Also included in this section should be details of what if any security standards your organization is following.  Examples of which are ISO 27001 Information Security Management System (sometimes still referred to as ISO 17799), NIST Standard (National Institute of Standards and Technology) or any of the other standards available to you.

Enforcement – This section should clearly identify how the policy will be enforced and how security breaches and/or misconduct will be handled.  Whatever enforcement actions you enact should be cohesive with the enforcement actions that you already have in place for any enterprise security breaches.

User Access to Computer Resources – This section should identify the roles and responsibilities of users accessing resources on the organization’s network.  Procedures should be included such as but not necessarily limited to:

  • Obtaining Network Access and Application permissions
  • Prohibiting personal use of organizational computer systems
  • Use of portable media devices
  • Applicable e-mail standards of conduct
  • Specifications for both acceptable and prohibited internet usage
  • Account termination process
  • Threat notification procedures

Security Profiles – This section should include information that identifies how security profiles will be applied uniformly across common devices (e.g. servers, workstations, routers, switches, firewalls, proxy servers, etc.)

Passwords – This section should state clearly the requirements imposed on users for passwords: length, character set, the number of times an incorrect password can be entered before the account is disabled, the number of days a password is valid for, and the number of unique passwords required before one can be reused.
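As an added illustration (not from the original article), the following Python sketch turns the five password parameters listed above into enforceable checks. The policy values, the account record and the PBKDF2-based history comparison are all assumptions chosen for the example; a real deployment would take them from the organization's own policy and identity system.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class PasswordPolicy:
    """Hypothetical values for the five parameters the policy section names."""
    min_length: int = 12          # minimum length
    required_classes: int = 3     # character set: how many of lower/upper/digit/symbol
    max_failed_attempts: int = 5  # wrong entries before the account is disabled
    max_age_days: int = 90        # days a password stays valid
    history_size: int = 10        # unique passwords required before reuse


@dataclass
class AccountState:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)  # salted hashes, oldest first
    set_on: date = field(default_factory=date.today)
    failed_attempts: int = 0
    disabled: bool = False


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def _digest(pw: str, salt: bytes) -> bytes:
    # Slow salted hash so the history never stores plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def set_password(pw: str, acct: AccountState, pol: PasswordPolicy, today: date) -> list:
    """Apply length, character-set and reuse rules; return violations (empty = accepted)."""
    problems = []
    if len(pw) < pol.min_length:
        problems.append(f"shorter than {pol.min_length} characters")
    if character_classes(pw) < pol.required_classes:
        problems.append(f"uses fewer than {pol.required_classes} character classes")
    new = _digest(pw, acct.salt)
    if any(hmac.compare_digest(new, old) for old in acct.history[-pol.history_size:]):
        problems.append(f"reused within the last {pol.history_size} passwords")
    if not problems:
        acct.history.append(new)
        acct.set_on = today
    return problems


def password_expired(acct: AccountState, pol: PasswordPolicy, today: date) -> bool:
    return today - acct.set_on > timedelta(days=pol.max_age_days)


def record_login_attempt(acct: AccountState, pol: PasswordPolicy, success: bool) -> bool:
    """Update the lockout counter; return True when the account is disabled."""
    if not acct.disabled:
        acct.failed_attempts = 0 if success else acct.failed_attempts + 1
        acct.disabled = acct.failed_attempts >= pol.max_failed_attempts
    return acct.disabled
```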

E-Mail – This section includes how attachments are handled (through filtering), personal use of the e-mail system, language restrictions, and archival requirements.

Internet – This section is about usage and what content filtering is in place.

Anti-Virus – This section identifies the frequency of updating the file definitions as well as how removable media, e-mail attachments and other files are scanned.

Back-up and Recovery – A comprehensive back-up and recovery plan is included here.  This section may be separated from the policy as a whole and included in a comprehensive Business Continuity Plan Template for your organization.

Intrusion Detection – This section discusses what if any Network Security Intrusion Detection or Prevention System is used and how it is implemented.

Remote Access – This section should identify all the ways that the system can be remotely accessed and what is in place to ensure that access is only from authorized individuals.

Information Security Auditing – How all the security programs are reviewed and how frequently.

Information Security Training – Training comes in many different flavors.  One of the types of training required in an organization is Awareness Training.  The policy should document what sort of awareness program is in place and how it is communicated on a regular basis.

"Red Flag Rules": Exemption Ruling Announced

By an overwhelming vote of 400-0, the U.S. House approved legislation on October 20, 2009, that exempts certain businesses from the Federal Trade Commission’s Red Flag Rules.  As part of that legislation, the FTC is also required to issue new regulation setting out the exemption processes that allow any business to apply for an exemption.

With November 1, 2009 as an announced Red Flag Rule compliance deadline, it is very likely that this new ruling will cause the FTC to at least consider the announcement of another delay for this compliance deadline.

Under the current ruling, health care, accounting, and legal practices with 20 or fewer employees will be excluded from the definition of “creditor”.  You can view this ruling by clicking the following link:  H.R. 3763

For more information, you may also want to follow the Mintz Levin Privacy Matters Blawg.  Cynthia Larose is a member in Mintz Levin’s Corporate Group and leads its Privacy and Security practice.  She has posted an informative update on this current ruling and you can read her blog entry by clicking on the following link:

http://privacyandsecuritymatters.blogspot.com/2009/10/changes-to-red-flag-rules-may-be-coming.html

ISO 28002 – What's The Buzz About?

Never heard of ISO 28002?  A lot of people haven’t.  But it seems like every security and continuity conference lately has a session or two on what it is and why it’s important.  Is this just hype, or the foundation of new requirements for companies that exist within the global and/or domestic supply chain?

Although it isn’t yet published, it has the potential to cause you to sit up and take notice if your company is part of a supply chain.  ‘ISO 28002 – Resilience in the Supply Chain’ is currently being developed.  Significant input to the standard is being provided by the Supply Chain Risk Leadership Council.  This council is made up of many corporate household names such as CISCO, Boeing, GE and others.  The draft is currently being reviewed by ISO Technical Committee 8, where it is represented by ASIS International, which is not only a leader in the world of security but also a standards-writing body that recently released, through ANSI, the ASIS SPC.1 Organizational Resiliency Management Systems Standard.

Why is this standard being developed?  Nobody argues that the threat of a disruption occurring in the supply chain is anything but a rising one.  Just-in-time manufacturing, outsourcing and global sourcing, as well as specialized factories and materials requirements, increase the volatility of supply and demand in the marketplace.  Companies, especially those at the top of the supply chain, are looking for ways to standardize an approach with their suppliers.  They want to take the ambiguity out of what it takes for a company to be resilient, and also to provide the companies in their supply chain with a standard framework from which to comply with best practices.

Below are a couple of links which offer valuable insight on ISO 28002 and what it might mean to your organization.

http://www.scrlc.com/newsletter-readMore.php?aID=212

http://www.dtic.mil/ndia/2009DIBCIP/SiegelSupplyChainPanel.pdf