2009: 220,000,000 Personal Records Exposed So Far

November 30, 2009

In a recent article by Andy Greenberg, published on the Forbes.com website, the author points out that although fewer data breaches had been reported as of November 17, 2009 than in the same period of the prior year, those fewer breaches exposed more personal information than ever before.

In fact, the article cites the Identity Theft Resource Center for stating that hackers exposed nearly 220,000,000 records so far this year, compared with 35,000,000 in 2008.

Read this article for more details, links and facts about this information security risk to you, personally, and to your organization’s information security plan and policy.


“2012” — the Movie and Business Continuity or Contingency Planning

November 29, 2009

Is the moon really the ultimate disaster recovery site? What is the RTO for civilization, anyway?

If these questions seem strange to you, then you probably have not seen the recent disaster movie “2012”. Nor have you read a recent article written by Nathaniel Forbes, from Forbes Calamity Prevention Pte. Ltd. in Singapore.

With all of the pressure on keeping the doors of your business open and finding ways to survive the next potential disaster, your business continuity and contingency planning members may need to take a break. To do that, we suggest that they read this article by Mr. Forbes, and then maybe even take the time to see the recent disaster movie “2012”.

When is the last time you thought of earth as “…one, tiny single-point-of-failure”? If it fails in any way, as far as we know, there are no replacement parts or similar models anywhere. In the event of a failure, would the moon be a good recovery site? Or, perhaps, would the moon make a great off-site storage site?

Once you get questions like this in your mind, and you start thinking like a contingency planner, then watching this movie might begin to take on the aspects of researching for and writing a business continuity or contingency plan.

In the end, however, we do sadly agree with Mr. Forbes’ conclusion that you won’t be able to write off the cost of your tickets to this movie as a professional BC or DR development expense.


New DHS Resource Announced for Business Continuity Planning Groups

November 24, 2009

The Department of Homeland Security (DHS) recently launched a website that should be listed as a go-to source for all business continuity and disaster recovery planning groups.

This new site gives the public easily accessible information on securing the nation’s critical infrastructure and key resources (CIKR), plus links to tools and best practices for digital and physical infrastructure protection.

CIKR is comprised of eighteen (18) sectors including at least the following areas: food, water, manufacturing, energy, communications and transportation systems and emergency services.

This information should be available to, and included as part of, all BC and DR organizational plans. This unified federal approach, coordinated by DHS, is intended to ensure the protection and resiliency of CIKR through partnerships with thousands of public and private members.

Click here to go to this new site. Establish this link within your own company’s process compliance methodology and make it part of the input requirements for the compliance controls of your BC and DR plans.


Tips for Building an Executive Protection Program

November 23, 2009

For many years, one of the most referenced articles on the topic of executive protection has been the one written by Daintry Duffy in CSO magazine.

Originally compiled in 2005 from discussions with security executives and protection specialists, we believe you will find that this article remains fully relevant today. The tips it presents apply whether you are spending millions to protect all of your top executives or only hiring the occasional security provider when your CEO travels.

A summary of the tips presented in this article is as follows:

     1.  Conduct a thorough risk analysis to identify critical individuals in your organization, assess the impact to the company if they were lost and examine the risks that each of those people face.

     2.  An effective executive protection program has to be based on research and preparation rather than sheer muscle.

     3.  Make protection feel like a perk.

     4.  CSOs have to educate the executive about security recommendations while still arguing for that executive’s buy-in.

     5.  Good information (and plenty of it) is the lifeblood of a successful executive protection program.

     6.  Don’t forget the family of the executive.

A theme that runs throughout the steps suggested above is that sometimes the simplest steps can make a big difference to an executive’s security and safety.

If your organization has gathered a safety compliance team that includes executive protection in its charter, or perhaps your company has hired a security consultant to provide those services, then we would suggest that they read this article for more details and information regarding this most important topic.


New Concepts of Business Continuity and Disaster Prevention Changing Established Disaster Recovery Thinking

November 23, 2009

In a recent article written by John Brandon and published in an October issue of Processor magazine, the idea that disaster prevention is challenging much of the conventional, established thinking about disaster recovery is discussed from a variety of viewpoints.

We think this topic, and this article in particular, is a timely resource for all business continuity and disaster recovery planning groups. In it you will find a good representation of the recent and developing components that our writing teams believe support the paradigm shift now under way in the business continuity and disaster planning community.

A short list of the points discussed in this article can be summarized as follows:

DISASTER RECOVERY:

     Restores data to its original state

     Can include collocation of data center(s)

     Critical to business continuity

     SMEs must do DR because prevention is not a given

     Expensive for a comprehensive DR plan

DISASTER PREVENTION:

     Alerts staff about data center problem(s)

     Offers minor data center problem(s)

     Easier to predict and control

     Less costly than disaster recovery

     Encourages management and backup

Whether or not you agree with the positions Mr. Brandon presents in this article, two constant themes emerge: (1) disaster recovery and prevention plans alike should always evolve and align with ongoing changes in technology, and (2) business continuity planning will always be a complex process involving not just disaster recovery and prevention, but also security, government compliance and business process.

Click here to read this article.


Red Cross Offers An Emergency Preparedness Process for Businesses and Organizations

November 20, 2009

The American Red Cross is now offering a new, first-of-its-kind emergency readiness program. The Red Cross Ready Rating Program is designed to help your business or organization become better prepared for emergencies, and to help reaffirm that your business continuity team is ready to: (1) ensure employees, clients and members are safe during emergencies, (2) minimize losses during an emergency, (3) maintain – and perhaps even improve – your company’s brand and reputation, and (4) better the overall community.

The ContinuityCompliance team of writers all agree that the information provided at redcrossreadyrating.org will help your organization’s compliance and disaster recovery teams better answer the questions “What is business continuity?” and “Why is business continuity important to my organization?”

As comments received from our readers indicate, the “what if” is hard to think about and often is not enough to win upper management’s support for allocating limited resources to the business continuity planning process. Introduce this new Red Cross program to your BC or DR planning team now, and we think you may have that additional reason to gain the backing of your company’s executive management group.

We suggest that business continuity consultants, who may be working for your organization, also visit this Red Cross website.


Report on 1st DHS and FEMA PS-Prep Outreach Meeting

November 19, 2009

On November 17, 2009, a group of contributing editors of www.continuitycompliance.org had a chance to sit in on the first scheduled Outreach Meeting of the PS-Prep Program. We would like to share our observations with our business continuity and compliance community.

On the panel for the meeting were senior employees of both FEMA and DHS. Don Grant, Director of the Incident Management Systems Integration Division, FEMA, kicked off the session with a brief presentation on what PS-Prep is, its requirements and challenges, and a brief history of the program. The floor was then opened for questions, which the panel sought to keep aligned with and focused on the seven (7) questions documented in the recent Federal Register notice (Section VII of the Federal Register Notice dated 10-09-09).

In attendance were approximately 50 people from the Chicago area, representing private companies and financial institutions as well as not-for-profit firms, utilities and consultants. The Association of Continuity Planners – Northern Illinois had a number of officers and members present in the room.

As the afternoon progressed, a few central themes emerged:

     1.  Additional training and educational programs need to be developed and provided, covering the Standards themselves, the PS-Prep Program as a whole, and finally, for a company that decides to pursue certification, an explanation of that certification process.

     2.  Where certification is chosen by a small business, the question of economic burden and resource capability was discussed and left as an ongoing concern for the Program.

     3.  A suggestion to incorporate a Maturity Model into the certification process was also presented. However, this suggestion was not widely supported by the audience in general. Specifically, Dan Dec, from Fusion Risk Management, Inc., presented the position that a Maturity Model is an excellent tool for an organization to use internally to map out an organizational approach to creating a Business Continuity Plan – i.e. to understand where corporate funds and research should be allocated to move that program along effectively and efficiently. However, Mr. Dec did not feel that the Maturity Model should necessarily be used in the certification process. The reason for that opinion was that, depending upon how the Maturity Model was structured, achievement of the highest level of maturity could become cost prohibitive for any but the largest companies. This was a concern because, in that situation, it would give the largest companies an advantage in the supply chain over their smaller competitors.

The final theme to emerge was that DHS and FEMA want to encourage everyone to formally comment in the Federal Register on their thoughts regarding the PS-Prep Program. Specifically, DHS and FEMA are looking for answers to the seven (7) questions referenced above. The comment period has been extended to January 15, 2010. The notice regarding that extension can be found by clicking here.

We at ContinuityCompliance.org support the request by DHS and FEMA to provide those comments, and we also encourage attendance at any of the remaining scheduled Outreach Meetings. Notice, locations and information regarding those meetings can be found at PS-Prep Outreach Meeting Information.


Peer-to-Peer Software Ban Proposed for U.S. House Members

November 18, 2009

Peer-to-peer software has been on the agenda of security consulting presentations for some time. In a recent article by Richard Lardner, a writer for the Associated Press (AP), the topic of peer-to-peer software is presented again as a risk management area of ongoing concern.

Stung by an embarrassing electronic leak last month that revealed ethics investigations into dozens of lawmakers, House lawmakers moved to prohibit federal employees from using peer-to-peer file-sharing software that was blamed for the disclosure.

The White House Office of Management and Budget advised federal agencies in 2004 of these kinds of risks related to the use of peer-to-peer software.  Rep. Edolphus Towns, D-N.Y., the new bill’s sponsor, said putting the prohibition into federal law gives it much greater weight.

We hope that similar actions or discussions are present in your organization’s information security guidelines and information security processes. If not, then you may want to read this article for additional details and information on this highly relevant corporate information security issue.


Small Companies Becoming More Popular Targets of Hacker Attacks

November 17, 2009

Think your business is too small to be a target of hackers? Logic seems to say, “Why would anyone bother to attack a tiny company with only a couple of servers and a handful of employees?” Think again.

In an article written by Minda Zetlin and posted recently on Inc. Technology, you can read all about the growing trend of hackers attacking small businesses, which have smaller security budgets and weaker security in general than larger companies, and that makes them attractive targets.

In this article, you can read about “root kits”, “zero-day attacks” and “botnet attacks”. All of these present serious threats to small businesses and individuals.

Because of the higher success rate of attacks on smaller businesses, Ms. Zetlin also reports that organized crime is beginning to take advantage of these security vulnerabilities, coordinating and managing cyber-attacks and tracking which campaigns are most effective.

Especially if your company is a smaller business, you should read this article for more details and information that can be passed along to your information security manager and become part of your security assessments process, network security policy and your IT security policy.


Impact of U.S. Regulations on the World

November 12, 2009

Written by Don H. Byrne, CBCP, CDCP, CBROI, Lead Auditor, Senior Writer and Contributing Editor.

While the media has spent many hours discussing the waning importance of the U.S. economy, the facts seem to indicate the opposite. The U.S. economy remains very influential, and the regulations that attempt to control business transactions are affecting all of the economies connected to the U.S.

Certainly, other economies are on the rise, most significantly those in Asia and around the Indian subcontinent. But the full impact and reach of the U.S. economy, and the associated business continuity, security management (especially information security) and compliance reporting demands placed on the non-U.S. vendors to whom business is outsourced, must be taken into consideration when gauging the true significance of the U.S. economy on the world stage. This article explores the impact and influence that U.S. regulations, especially information security regulations, have on business operations outside of the United States.

U.S. laws and regulations are designed so that compliance with established requirements flows through any U.S. company and imposes a responsibility on all of its business partners and outsourced vendors. Take HIPAA compliance as an example. Many insurance companies now outsource the data entry associated with claims processing to organizations located outside the U.S. The reason for this movement of labor offshore is quite simple: the cost of labor in these locations is low. However, even though these offshore companies operate as independent companies, which one would otherwise assume to be outside the jurisdiction of U.S. regulators, the need to provide compliance reporting and the requirement to follow HIPAA security procedures remain.

Clever U.S. companies make compliance with U.S. regulations part of their outsourcing contracts and insist on reviewing the vendor’s compliance systems that monitor and track adherence to those regulations. Some firms even engage in sample compliance studies in an effort to gain credibility with U.S. regulators by showing that the rules are being followed.

Given the rash of data breaches reported in the past few years, many U.S. companies are now insisting on a formal review of the outsourced vendor’s information security strategy and a detailed description of the information security procedures in place. While there is an effort to sanitize records as much as possible, some personal information must be included in order to properly identify the patient or insured person. This requirement will contribute to the ongoing demand for risk management and security management personnel to oversee these operations.

Associated with the growth of this profession will be an insistence that the outsourced vendor develop an information security framework. The information security procedures associated with control of identity information, which can in turn better control or eliminate the risk of identity theft, will obviously receive ongoing attention.

In closing, while the checking of physical compliance with various U.S. regulations, such as the proper storage of records covered by HIPAA, will continue, this is only part of the impact that U.S. regulations will have on businesses outside of the U.S. The same or a greater level of attention will be paid to information security controls, especially as they relate to information that poses a danger to individuals or to the disclosure of sensitive financial information. The information security industry is aware of this opportunity and is gearing up for it.

Even organizations such as SUNGARD, IBM and other regional vendors that have traditionally been associated with disaster recovery software and recovery sites are beginning to expand their consulting practices and product offerings to capitalize on the need for an information security plan that, without consulting help, will not exist in most small to mid-sized U.S. companies. Similarly, vendors of business continuity software are adding a compliance template to their products and re-branding these offerings as a new product category called “business continuity security products”.

As the regulatory environment in the U.S. becomes more complex and each major industry sector establishes its own business continuity standard, the ripple effect of these decisions will be felt around the world. In the future, as the concept of the extended enterprise becomes commonplace, an information security audit will have to account not only for operations conducted in the U.S., but also for those at the offices of trading partners and outsourced vendors around the world.
