May 17, 2012

Supply Chain Risk Leadership Council – What Is It and Why Should I Know About It?

The Supply Chain Risk Leadership Council is a group of companies that meet four times a year to discuss how to incorporate standardized best practices into their supply chains. Some of the companies that sit on the council are industry heavyweights, such as Cisco, GE, Boeing, Coca-Cola, Merck and FedEx.

Their mission, as stated on their website (http://www.scrlc.com/), is to: “Work together to create best-practice supply chain risk management standards, processes, capabilities and metrics to be adopted within our respective organizations. Leverage this best practices effort to proactively initiate consistency across industries and their related organizations / councils. Enable standardizations across industries where applicable and become “industry integrators” for the betterment of a more efficient and consistent risk management environment.”

In order to accomplish this effort, many of the member organizations are embracing the ISO 28000 family of standards. This group of standards specifically revolves around the supply chain; ISO 28001 deals with security in the supply chain.

They have a newsletter that anyone can subscribe to, which keeps you abreast of what they are discussing.

You may ask, ‘Why do I need to know about this ongoing effort?’ 

If your company is part of any of the large enterprise corporate supply chains, then you need to keep abreast of developments with this group. They will be setting the standards that you will eventually need to follow to remain a trusted supplier to these organizations. Whether or not you will be required to become compliant or certify to additional standards, knowing what they are and how this group is implementing them may be your next competitive advantage.

H1N1 Influenza and Your Insurance Coverage

An important element of an organization’s ability to keep its doors “open for business” is to be on constant lookout for the internal and external risks that might disrupt its daily “business-as-usual” capabilities.

And, while much has been written concerning the impact that the pandemic H1N1 influenza might have on an organization’s workforce, we would like to point our readers to an area that we believe is often overlooked: knowing the level of insurance coverage your organization has in place to offset the potential economic loss it may incur because of H1N1-related and unexpected levels of absenteeism in its workforce.

The bottom line is that you need a clear understanding of your organization’s health insurance policy protection limits as they apply to the H1N1 influenza. Just as important, with the potential for an increased demand for health care services caused by the Swine Flu this fall, you now need to be more aware of the specific details within your plan than ever before.

Standards Announced for PS-Prep by DHS

On October 15, 2009, Janet Napolitano, Secretary of the Department of Homeland Security (DHS), identified three standards to be included in PS-Prep, the Private Sector Preparedness Program. The PS-Prep program was created under Title IX of Public Law 110-53: Recommendations from the 9/11 Commission, and is a partnership between DHS and the private sector that enables private entities (including businesses, non-profit organizations and universities) to receive emergency preparedness certification from a DHS accreditation system created in coordination with the private sector.

The three standards recommended for inclusion in the Program, and for which public comment is requested, are: NFPA 1600 (National Fire Protection Association), BS 25999-2 (British Standards Institution) and ASIS SPC.1 Organizational Resilience (ASIS International). The details are in the press release from Janet Napolitano.

The recommendation of this selection of standards is significant because each of these standards requires not only support but, more importantly, a leadership role from the highest levels of management. A formal Management System (MS) is required in two of the three standards.

DHS has set up a Resource Center with all information related to the PS-Prep Program.

This recommendation will also be posted in the Federal Register under Docket ID FEMA-2008-0017.

Information Security Management

A recurring theme on the Continuity Compliance website is the need to determine your critical processes. In most cases, discovering which of the organization’s processes are critical takes some work; some processes, however, are obviously critical and don’t take much thought. The protection of information assets, such as data stored on your local hard drive, encrypted data stored in a remote e-vault, or even the documents from the last major acquisition in 1984 stuffed in a white banker’s box in a warehouse in Ohio, is definitely a critical component of the major process of Information Security Management.

Information Security Management is the overall process for protecting the “information assets” that are essential to your business, such as HR files, customer data and mailing lists. In the BS ISO/IEC 27001-1:2005 Terms and Definitions section, Information Security is defined as

“Preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved”.

The further definition of an Information Security Management System states:

“the part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security”.

Based on the above definitions and general experience, it is apparent that Information Security requires the management of processes to succeed. Key words such as risk, confidentiality and availability are everyday requirements in the world of IT departments. How organizations go about their specific business of information security varies to some degree. There are a number of general frameworks and a few standards that an organization can use to ensure that its critical processes for managing information security are working.

Frameworks help us to define, build and communicate ideas and requirements, but they tend to lack guidance. This may leave an organization with a large, costly implementation project with slow ROI, or failed sub-projects that cannot see light at the end of the tunnel. Standards, by contrast, require the organization to implement specific controls. They can leverage the beneficial elements of frameworks to ensure compliance with the standard while remaining flexible to the requirements of the business. Some standards can be audited by a third party, such as BS ISO/IEC 27001-1:2005 Information technology – Security techniques – Information security management systems – Requirements. Others, such as NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, have become widely adopted by non-government businesses as guidance for managing their IT business.

Information assets come in many shapes and sizes, and can be found throughout the organization. Both the NIST 800-53 publication and the ISO 27001-1 Requirements document list families or domains of areas in which to apply controls.

In a generalized view, Information Security Management should look at the following areas to ensure protection:

  • Risk Assessment
  • Physical and Environmental Protection
  • Security Planning
  • Contingency Planning and Operations
  • Management System and Services Acquisition
  • Configuration Management
  • Management Security Control Review
  • Hardware and Software Maintenance
  • Processing Authorization
  • System and Information Integrity
  • Personnel Security
  • Media Protection
  • Incident Response
  • Security Awareness and Training
  • Identification and Authentication
  • Logical Access Control


Every day, sensitive data is being compromised, and it is under the auspices of Information Security Management that a company ensures a correct and timely response can mitigate the costly and sometimes devastating effects of a security breach. Whichever combination or set of controls an organization adopts, the important rule is to be able to manage the confidentiality, integrity and availability of these critical information assets.

E-Discovery: The Cost of Preparedness

Organizations have always been aware of the risk of being sued as part of simply being in business. And, if a lawsuit was filed against an organization, it would likely also be aware of “discovery” as an important early stage of the litigation process.

Today that term “discovery” has been extended to include an “e-discovery” element.

The fact is that awareness of the importance (and risks) of electronic documents has spread down to records managers and up to corporate offices. The notion that all paper documents in a company might become evidence in a trial was daunting enough. Extending the liability posed by all things electronic — yes, including and often especially emails — has given records departments increased stature and legal departments more to worry about.

When weighing the cost of deploying e-discovery tools to mitigate those risks and costs, organizations appear to be taking two separate approaches. First, they’re looking to extend investments already made in content management software, policies and procedures. Second, they measure these investments not only by what they cost to acquire, but also by how much they save by not having to pay lawyers.

A recent Gartner report, E-Discovery: Project Planning and Budgeting 2008-2011, determined that one gigabyte of data can result in $18,750 in legal review costs. The report also implied that a company facing litigation expenses, if it practices good records management policies and has strong content management and document classification and retrieval systems, can conduct much of this work internally.

Because the risks of litigation are closely related to the rising number of data breaches suffered by both public and private enterprises, and because the costs of legal discovery are forecast only to increase, many organizations are awakening to the realization that now is the time to investigate, evaluate and consider those potential litigation costs more closely. In addition, organizations are beginning to realize that whether they win or lose in such litigation, those costs are likely to remain their responsibility.

The result of this logic is that many organizations are asking, “Can I bring some of these costs in-house, and thus potentially avoid having to pay a $200+/hr rate to a legal reviewer?”

Dan Bolita discusses this topic further in an article in a recent issue of Integrated Solutions Magazine.

October: National Cybersecurity Month

Ranking high on any company’s risk management agenda, you will likely see a direct or indirect reference to cybersecurity and the growing role that the internet plays in nearly every function of an organization. With increasing numbers of data breach incidents, and the costs to an organization that result from them, every company should make every effort to learn more about cybersecurity: not only how it relates to the organization, but also how each member of the organization faces cybersecurity risk in both the business and personal areas of their lives.

The National Cyber Security Alliance is a place to learn more about those risks and what you can do about them. More importantly, with October being National Cybersecurity Awareness Month, now is a great time to find out about the events taking place and the ways in which that information is made available to you.

Frequently Asked Questions:

Q. What is the idea behind the Continuity Compliance website?

A. Continuity Compliance is an expert or “authority” site dedicated to the areas of security, regulatory compliance and business continuity. Various professionals periodically contribute new material, not found elsewhere, to the site. The ambition of the site is to be the first place you go when you have a question about a variety of security, compliance or business continuity topics.

As a community-driven website, the people behind Continuity Compliance are very interested in hearing from you on ways it could be improved.

**********

Q. What topics are addressed on the website?

Continuity Compliance spends a tremendous amount of energy updating and maintaining its content. On the site you will find articles, white papers, presentations and a vast array of reference links and tools. The following is a partial list of the topics currently receiving attention at www.ContinuityCompliance.org.

  • Business Continuity Management
  • Risk Management
  • Organizational Resilience
  • Physical Security
  • Information Security Plans
  • Security Risk Management
  • Regulatory Compliance
  • Compliance Risk Assessment
  • Business Continuity Guidelines
  • Certification Audits
  • Information Security
  • Business Impact Analysis
  • Disaster Recovery Planning
  • Table Top Plan Testing
  • Environmental Security

**********

Q. Who contributes to the site?

This is an all-volunteer site. No one receives a salary for contributing information or helping to maintain the site. The cost of keeping the site current is covered by advertising.

**********

Q. Is there a membership charge?

There is no membership fee to use the site or its resources. This said, we do ask that you respect the copyrights of our contributors where they exist.

**********

Organizational Resilience – Are You Ready?

On March 12, 2009, the American National Standards Institute (ANSI) approved ASIS SPC.1-2009 as an American National Standard. This standard is titled Organizational Resilience: Security, Preparedness, and Continuity Management Systems – Requirements with Guidance for Use.

The adoption of this standard by ANSI is significant in the world of business continuity and security for multiple reasons:

  • The standard very clearly incorporates the Management System Model found in ISO 9001:2008 (Plan, Do, Check, Act) into the joint disciplines of Security and Preparedness.
  • It begins the process of convergence between Security and Preparedness. This is significant because in years past the two disciplines were seen not as complementary, but as competing for scarce resources in most organizations.
  • It highlights the need for risk identification and the development of corresponding risk prevention, reduction and mitigation strategies that enhance an organization’s sustainability and resiliency.
  • The American Society for Industrial Security (ASIS) is also developing a standard for Business Continuity Management Systems that will use BS 25999-1 as a starting point. This standard will fall under the umbrella of, and complement, ASIS SPC.1 Organizational Resilience.

The abstract of the standard sums it up as “A comprehensive management systems approach for security, preparedness, response, mitigation, business/operational continuity, and recovery for disruptive incidents resulting in an emergency, crisis, or disaster.”

Follow the link below to read the standard for yourself:

http://www.asisonline.org/guidelines/ASIS_SPC.1-2009_Item_No._1842.pdf