May 17, 2012

Business Continuity Plans and Planning Priority of Reported Incidents

Nearly every member of an organization’s business continuity or disaster recovery team recognizes the cold hard truth that not every incident can or should be regarded as critical status. However, those same members also face constant challenges to develop and implement a methodology of setting priorities for incident reporting policies and procedures to support their business continuity and disaster recovery plans.

In an article written by Hank Marquis and posted in a past DITY Newsletter, many strategies and suggestions are offered for dealing with the “we need it now” incidents while still balancing your internal team’s response resources so that critical assistance reaches the proper incidents on a timely basis.

From recent comments received on this topic, we believe that there is both a strong reason to re-read this past article and a consensus of opinion that our teams should always work on those things that are of a critical nature first, and not on those things people want done right away. 

If you agree, then we believe that you will want to read this article by Hank Marquis.

As always, we welcome your thoughts and additional comments on this important issue.

Disaster Recovery Suggested Next Steps for Companies and Employees in Haiti

Joan Goodchild, a writer for Computerworld, offers available information and advice for companies in Haiti that are trying to survive the aftermath of the devastating earthquake there.

Joan Goodchild’s article features an interview with Eddie Everett, senior vice president and national director for Global Services North America with security firm Control Risks, who is in charge of coordinating the firm’s global crisis efforts in Haiti.

In his interview excerpt from the article, Mr. Everett states that “…The best course of action at this time for those who are in country is to remain unless they have exit routes in place, because of the lack of logistics to get them out of country. So the first thing we do is gather information and assess what is the situation right now: Who is in the country? How they might be impacted? And then we assess what we need to do in the immediate instance.”

The article also confirms the fact that a lot of companies in manufacturing, distribution and telecommunications, as well as some financial organizations, have a presence in Haiti. The safety and security of all individuals must remain the ultimate short-term goal for every organization facing this disaster in Haiti; hopefully some of the information in this article will help achieve that goal as quickly as possible.

If your organization is one of those companies, click here to read more…

Haitian Disaster Recovery Relief Request

Like the rest of the world, the editorial staff of Continuity Compliance is saddened by the earthquake tragedy in Haiti that occurred on Tuesday, January 12, 2010. We understand that humanitarian aid is critically needed to support not only the current relief efforts, but eventually the rebuilding efforts in Haiti. Therefore, we are providing you, our reader, with a link to the CNN site listing the organizations that are specifically accepting donations to aid the relief effort in Haiti.

Unfortunately, numerous scams occur during periods of great need. Please remember to make any donation only to qualified, legitimate organizations.

Security Weakness Found in Encrypted Flash Drives

This important discovery was revealed in an article recently written by Lucas Mearian, a writer for ComputerWorld’s Security division.

SanDisk Corp. and Verbatim Corp. have joined Kingston Technology Inc. in warning customers about a potential security threat posed by a flaw in the hardware-based AES 256-bit encryption on their USB flash drives.

Please pass this information along to your information security managers and your organization’s business continuity planning teams in order to update their current security policies and procedures and close this potential area of risk for their organization.

While this may appear to be only a technical compliance risk in the implementation of your security policy, there is also an operational compliance aspect that should be recognized and certainly not overlooked.

Please CLICK HERE to read this article for more details.

PS-Prep Program: What's Left To Do?

As of today, with the comment period winding down for the Federal Register notice on the three standards selected for PS-Prep (National Fire Protection Association 1600:2007, British Standard 25999-2:2007 and ASIS SPC.1-2009), there is still much to do.

This update will focus specifically on the ANSI-ASQ National Accreditation Board (ANAB) and what we see as the tasks at hand.

From earlier web postings, we have been able to gather and summarize, in our own words, the following list of ANAB items, requirements and “to-do’s” needed to complete and support the PS-Prep program going forward. If you have additional information, please comment so we can keep the community as up to date as possible.

1. The Accreditation Rule is still in draft status. The Committee of Experts needs to confirm the updated Accreditation Rule based on the final decision from DHS. This Accreditation Rule is to inform certification bodies (CBs) of ANAB requirements for becoming accredited to offer certification for one or more of the selected standards under PS-Prep.

2. Accreditation Council approval is still needed to distribute the draft Accreditation Rule for public comment.

3. A training program for the certification bodies and auditors needs to be created. The normal process is for ANAB to release a formal Request for Proposal (RFP) to training providers. An early RFP was released before the comment period had ended and has since been retracted. It is our hope that ANAB revises this new RFP to match existing training requirements and takes into account many of the recommendations made to them by training providers.

4. Create a certifying body application format and have it approved through an ANAB-certified assessor review. Then, once this application is approved into the document control system, have it released.

These are some of the critical “to-do’s” on the timeline for the PS-Prep program to become fully functional.

The accreditation rule is the driver for certifying bodies, auditors and assessors to know what the Program requirements will be to support PS-Prep.

Coming Soon: End of Comment Period – What’s Next?

This article was written by Sally A. Smoczynski, a contributing writer to this website.

ISO 20000 Implementation: Benefits Gained

Following some recent ISO implementation projects completed by Sally A. Smoczynski, Managing Director of Radian Compliance, LLC, and a contributing writer for articles on this site, Ms. Smoczynski wanted to share some of the benefits stemming from those implementations with others who might be considering an ISO/IEC 20000-1:2005 implementation for their organization(s).

At this time of the year, when many companies are reviewing or continuously improving their compliance plans and re-confirming their ability to maintain business information security levels compliant with customer and regulatory requirements, we also believe that such an offering of material pertinent to the ISO 20000 standard can benefit those organization(s).

Not wanting to bore everyone with too many details of the implementation process, Sally has summarized her findings in a recent publication released by the Radian Compliance team and offered freely to our community of readers.

Click here (ISO 20000 Implementation Benefits) to view a PDF file with a snapshot of the benefits of implementing ISO 20000. Although not all-inclusive, it provides talking points to build interest in and commitment to an ISO 20000 implementation.

(You may want to utilize the magnification features of this *.pdf file to make your reading a little easier.)

Measuring Business Continuity Management Performance Required

For many organizations that supported the initiation of a business continuity plan, and the internal business continuity and risk management teams that implement and maintain those plans, in 2009 (or earlier), an important follow-up question may now need to be asked: how well did those plans and teams perform in 2009, and what level of support might they need to both continue and improve those plans in 2010?

This question addresses one of the key activities around which a successful business continuity (“BC”) plan revolves: a methodology for measuring the performance of that BC plan, with particular focus on how the business processes within the plan are being managed to achieve the stated objectives of the organization.

If your company is now doing such a management review and assessment, then we would like to suggest a reading assignment to help you in that process.

Paul Kirvan, FBCI, CBCP, CISSP, wrote an article in 2009 that presents a metrics approach and outlines a two-tier model that can be used to measure business continuity management performance.

Most performance metrics are subject to a variety of conditions, requirements and even limitations depending on the objectives of any particular organization. In fact, once you understand the two-tier model presented, you may want to expand upon that model to suit the needs and objectives of your own organization. However, you cannot deny the need, if not the necessity, to formulate and implement such an annual performance review process for your BC plans.

This website has recommended articles written by Paul Kirvan in the past, and we continue to monitor his writings for addition to our database of business continuity content resources.

CLICK HERE to read this article posted on the SearchDisasterRecovery.com website.

Better Business Bureau Offers Great Security & Privacy Guidelines Document – FREE

As we move into 2010, our group would like to point out a useful resource that should be added to your organization’s security and privacy resource reading list. 

As your risk management and information security planning teams get ready for 2010, we suggest using this resource as a reference base and tool to quickly raise their awareness of the current critical security and privacy issues affecting business in general. From that awareness, the team will be better able to evaluate and prioritize the risks identified for their organization into mitigation tasks to address over time.

Some examples of the security and privacy challenges that businesses must address are stated in this document as follows:

      Customer and business ID theft
      Noncompliance with federal and state data protection laws
      Employee fraud and theft
      Loss of trust and customers
      Costly lawsuits stemming from sloppy security practices
      Computer and hardware damage from viruses

The Better Business Bureau (BBB) offers such a resource in a guideline titled “Security & Privacy – Made Simpler” — and, best of all, it is a free offering available to all businesses.

You can download this resource by either viewing the BBB website directly or viewing the actual guideline document itself (CLICK HERE).

Please let our community know if this document is a valuable resource for your information security and risk management teams.

Illinois Launches Preparedness Campaign

As we begin 2010, and as management commissions reviews, updates and continuous improvement in their organizational business continuity plans, you may want to recommend that your risk management and information security team leaders look to their local state agencies for ideas to improve their own organization’s preparedness capabilities.

If your organization is located in or does business in Illinois, then you may want to stay in touch with a recently launched campaign designed to focus on different aspects of preparedness during 2010. This year-long preparedness campaign is called the “12-Month Preparedness Campaign”.

Illinois Emergency Management Agency (IEMA) Director Andrew Velasquez III states that IEMA will focus on a different preparedness topic each month in 2010. Directions on assembling a disaster supply kit and information about family emergency plans are two of the subjects that will be featured during January.

Other topics to be addressed during the year-long campaign include home preparedness, workplace preparedness, earthquake preparedness, children and preparedness, weather-related preparedness, cyber security, and preparedness for people with functional needs.

For more details, check out the ready.illinois.gov website.

Information Security Issues in 2009 Tell a Story

The Symantec Security Response Team findings for 2009 were reported recently in an article written by Kevin Haley.

In this report, the top security trends of 2009 were determined from inputs received from the Global Intelligence Network and the experiences of the thousands of analysts and security experts at Symantec.

While none of the findings may be a total surprise, it is the numbers that really bring out the scale of the problem.

Some of the findings for 2009 were stated as:

      In May 2009, 95% of all email was spam
      403 data breaches in 2009 resulted in 220 million exposed records
      There were more than 43 million rogue security software installations
      14.4 million drive-by download attempts occurred in one two-month period
      All major news events are used for social engineering
      Major brands are being appropriated by cybercriminals to lure online victims

CLICK HERE to read more about this Symantec report.

Please pass this link along to your security management team members who are now developing their internal risk analysis reports and writing their 2010 business continuity plan templates and trying to meet their 2010 security compliance objectives.