February 5, 2012

New Personal Information Security Regulations Take Effect on March 1st in Massachusetts

Just a reminder that under new rules taking effect this coming Monday, March 1, 2010, any institution that holds personal data about residents of Massachusetts must create a written policy for protecting the data, and must train employees to follow the rules.

In addition, this rule also requires that organizations must encrypt any personal information – scrambling files to conceal their content – when it is transmitted over the Internet or a wireless data network. Data must also be encrypted when it’s stored on portable devices like laptops or thumb drives, to protect against identity theft if the devices are lost or stolen.

If you or your company is affected by this new rule, hopefully your information security management system already includes an implemented plan to comply with these new requirements.

If not, then an information security specialist from your risk management team should read a recent article published in the Boston Globe and written by Hiawatha Bray.

CLICK HERE to read the entire article, and if you prefer, there is also a good summary article on the Homeland Security Newswire that you can view here.

Reporting on DRI International Upcoming Election

DRI International is an organization that was founded in 1988 as the Disaster Recovery Institute in order to develop a base of knowledge in contingency planning and the management of risk, a rapidly growing profession. Since then, this organization has played a consistent role as a member in the larger business continuity community.

DRI International administers one of the industry’s premier educational and certification programs for those engaged in the practice of business continuity planning and management, and has more than 3,500 individuals throughout the world who maintain professional certification through DRI International.

This website believes that news about this organization can be important to our readers. And, with this point in mind, we have requested that Don Byrne, a contributing editor and reporter for this website, present some additional information about this organization to our readers.

Mr. Byrne has agreed and has offered his comments in the story below concerning an upcoming first membership-wide election to the organization’s Board of Directors. It is important to also note that Mr. Byrne himself is an eligible voting member of DRI International.

An In-depth Look at Some of the Candidates for Election to the Board of DRI Int’l

by Donald Byrne, CBCP and contributing editor and reporter

Recent events in Iraq, the Ukraine, and my own country, have reshaped the image of elections. The word “voting” conjures images of courageous Iraqis holding up ink-stained fingers and the excitement and controversy of the last U.S. presidential election where more newly registered/ first-time votes were cast than in any previous election.

The opportunity to vote for Board of Director members of DRI International, while not in the same league as these other election breakthroughs, is still a noteworthy event in the sense that this election represents the first time that the members of DRII are participating in the voting process. Thus, those with an ongoing commitment to, and reliance on, DRI International will now have a direct influence on this organization’s leadership, who in turn will have an effect upon the future policies of this institution.

As part of an effort to help promote good governance, and present a fair reporting effort to the readers of continuitycompliance.org, I set out to gather more information on the people who are standing for this important position and bring that information to all of the eligible voting members of the DRII association.

As part of the interview process, each candidate was approached and offered an opportunity to speak “on the record” with us.

Some indicated that they were traveling or otherwise engaged and could not participate. This is understandable and the editorial team at CC.ORG agreed to extend the comment period from Monday (22 February) until the mid-day Wednesday 24 February, 2010. Unfortunately, this extension did not result in any additional opportunities for discussion.

Others were told by their firms to refrain from making public statements that might reflect back on the company.

Still others failed to respond to the invitation at all.

I should also note that some candidates submitted written comments. And, after much discussion amongst our staff of contributing writers over whether it might be unfair to let candidates present a crafted and polished written response over others who were more limited to extemporaneous responses in a conversation, the decision was made to let our readers have both methods of response and then allow them to make the final determination of that decision.

We have gathered what information we could in the short time allowed and hope that this is of interest to not only the eligible voters in this election, but, also to the general readership of the CC.org website. Most importantly, if you are eligible PLEASE VOTE!

In addition and as part of this process, we invite our readers to give us and the candidates, constructive feedback on information presented in the responses to our questions.

So please share your thoughts and questions with us.

We have suggested that the candidates track this site for comments and have promised to post any responses they care to make to questions or inquiries.

As always, I welcome your comments, suggestions, and recommendations for improvement!

You can contact me at Don@continuitycompliance.org.

Enjoy ... and VOTE!

Please note that the candidates are presented below in the same order they appear on the DRI International web site and the questions each candidate was asked were as follows:

  • Please tell us a bit about your experience in the BCP area and your current responsibilities.
  • How would you define your role if elected a member of the DRII BOD?
  • What other experiences do you have that are relevant to this type of position?
  • What do you see as the key challenges facing the DRII community?
  • What are the key controversies facing DRII over the next few years?
  • How do you see DRII relating to BCI?
  • What are your priorities if elected?
  • What else would you like the DRII community to know about you?

The Candidates

AnneMarie Staley, CBCP, NYSE Euronext

AnneMarie has not responded to our request as of our release time.

Tom Clark, Liberty Mutual

Tom is a member of the Liberty Mutual Insurance Company management team and provides D/R and BCM support for their Information Technology infrastructure.

Tom has over 35 years of experience in this field including a stint in law enforcement. Having lived and worked in 40 countries spread over six continents, he feels he has an international perspective on our profession.

In answer to questions about the major challenges he sees ahead for DRI International, Tom said the organization was losing ground to other credentialing organizations. He believes that by ignoring its core business and executing poorly against the core mission, DRI International has created a void in the marketplace that others are now beginning to fill. Developing a re-energized strategic vision is at the core of his program and, like the others interviewed on this assignment, he sees international expansion as a key area of opportunity.

When asked about the relationship between DRI International and the Business Continuity Institute (BCI), Tom believes that there should be one credentialing program and looks to open discussions with BCI about this initiative.

Tom points out that to be relevant the members of the BOD should have both theoretical and practical knowledge of our profession. He points to the key roles he has played in numerous wide-scale disasters such as Hurricane Ike, the 1993 World Trade Center bombing, and many others as examples of experiences that qualify him for a Board position.

Tom also admits that DRI International needs to do much more for the membership including helping to make the business case for continuity planning and emergency management.

Daniel Mikulsky, MBCP, CSC

Daniel has not responded to our request as of our release time.

Kelley Okolita, MBCP

A former member of the DRI International Board of Directors, Kelley Okolita is a Master Business Continuity Professional. In addition to her work experience as a continuity professional she has served on several internal DRI International committees, including the Finance and Credentialing Committees, and claims responsibility for some of the automation that has moved the application process from a manual to an automated system. She clearly articulates the challenges she feels are facing the organization.

Top of her list of priorities would be the recruitment of volunteers with keen business skills. Kelley believes some previous Board members struggled with business issues as simple as how to read and interpret a financial statement. She spoke at length of her commitment to the organization and pointed to her years of volunteer service to DRI International.

As with the other candidates, Kelley highlights the organization’s current weak position internationally. She supports the idea of actively recruiting volunteers from outside the U.S. to staff key committees.

Kelley notes the success that competing credentialing organizations are having both in the U.S. and internationally and feels that DRI International has done little for the membership or to make the case for contingency planning as a process that should be core to every business.

Kelley presented herself as a very direct and transparent individual. “Ask me a question and I’ll give you a straight answer,” she promises. “I have the maturity, experience and dedication to help make DRII a better organization.”

Brian P. Miller, CBCP, Partner in Vanguard

Brian did contact us and explained that he was traveling and unavailable.

Jason Herrington, MBCP

Unfortunately, Jason is traveling and not available for an interview, but he did go to the trouble of sending us his comments in writing. Those are as follows:

Q. Please tell us a bit about your experiences in the BCP area and your current responsibilities.

A. I have over ten years of experience in the business continuity and disaster recovery field. Like most people in the profession, I didn’t start out as a business continuity planner. I started out documenting processes that my team performed, which ended up being the documentation for my team in the business continuity plan. Eventually, I was asked to be a part of the mainframe recovery team to document a mainframe recovery plan. Once that had been completed, I was pulled in to a team to document processes for business continuity planning purposes. Like they say, the third time is a charm; and I started to pursue business continuity as a career.

Since those early days of documenting plans, I have held various roles in business continuity. These roles have included IT continuity, functional continuity, and corporate continuity. I have experience building business continuity programs where none have existed, and experience reworking or retooling business continuity programs already in existence to gain maturity in the business continuity programs.

Q. What do you see as your role as a member of the DRII Board of Directors?

A. I would like to be considered “the voice of the people”. I am passionate about my work in business continuity. Over the years, I have heard many gripes and complaints about this or that. I would pass these comments along to anyone I knew within the DRII organization, but I would not hear if anything had been done about it. Going forward, I would like to bring those concerns to the attention of the Board of Directors for discussion and resolution where possible.

Q. What other experience do you have that is relevant to this type of position?

A. I have held leadership positions in business continuity and I come from an educational background. I feel that this has helped me to be able to communicate and explain issues or concerns in a manner that can be understood by people from a variety of backgrounds.

Q. What do you see as the key challenges facing the DRII-certified community?

A. I think some of the key challenges we may face as certified professionals are to keep up with the ever changing landscape of regulations and standards. I feel that DRII can be and will be the leader in tracking these changes and distributing key knowledge to all certified professionals.

Q. What are your priorities if elected?

A. I would like to have the education and certification process reviewed. One of the biggest gripes I have heard is that certification takes too long. I know there have been changes for the better over the past few years, but I would like to review and see if there is anything else that can be done to simplify or speed up the process of education and certification.

Q. What else would you like the DRII-certified community to know about you?

A. Like many people, I would like to see some things changed in DRII, to continue to make DRII the premier body of knowledge and certification authority in business continuity, and I would like your vote so that I can work to better the DRII organization for certified professionals. Thank you for taking the time to read this.

Jerome Ryan, CBCP, Pfizer

Jerome is a senior member of the Pfizer BC Management Group. In this capacity he helps support Pfizer’s business around the world, giving him a distinctly worldwide perspective. Rounding out his international credentials are his experiences living, working, and attending school outside of the US.

Prior to joining Pfizer, Jerome worked for both PWC and Marsh Risk Consulting.

Jerome feels his experiences will guide his decisions as a DRI International board member. He believes DRI International should be a voice for both the industry and certified professionals around the world. Jerome believes that much of DRI International’s growth will come from Asia and the developing countries, and if the organization doesn’t actively market itself in these areas, its relevancy will be diminished. Jerome has three projects in mind which he believes will allow DRI International to flourish outside the U.S. First, he wants to see the appointment of an international member to the BOD. When asked if this would be an elected or appointed position, he admits he must check to see what the bylaws would allow. However, he made it clear he feels having some non-U.S. citizens on the Board is important.

Next, he wants to work harder to support the growth of the Global Affiliate Program. This is an outgrowth of his experience as a member of the DRII International Development Committee. By working with local organizations that have relationships in the local communities around the world, he feels that DRI International’s relevancy to these markets will be improved.

Third, he is interested in expanding collaboration between DRI International and the Business Continuity Institute (BCI).

At the end of the discussion Jerome reinforced his interest in and commitment to the profession and DRI International.

Vincent Orrico, CBCP, CGEIT, CISA, CISSP, PMP, Director of Business Continuity and Information Security

Vince indicated that he was traveling and would not be available for the interview.

Gary G. Wyne, CBCP, BCP Coordinator

I would like to take this opportunity to apologize to Gary Wyne. He made every effort to be available for an interview. Unfortunately, my schedule prevented us from connecting. I appreciate his willingness to speak to us and take it as a sign of his openness and sincerity.

Robert Goldhammer, CEM, CBCP, EMA Director

Robert has not responded to our request as of our release time.

Rootkit Malware Attacks and Smart Phones

In a recent article published by the Homeland Security Newswire, it was brought to our attention how a familiar type of personal computer security threat (“rootkits”) can now attack new generations of smart mobile phones.

For many readers of this website who are also active members of, or consultants to, an organization’s information security and risk management team(s), we believe this topic is one that should be addressed in their next network security assessment meeting. And, if found to be a medium to high risk level, then, more importantly, this particular risk should become part of the company’s network security policy as well.

This article states that, unlike viruses, this type of malware known as “rootkits” attacks the heart of a computer’s software, i.e. its operating system. Unfortunately, this article also claims that this malware can only be detected from outside of a corrupted operating system with a specialized tool known as a virtual machine monitor. This tool does exist for desktop computers, but, because of its current lack of processing resources, a portable smart phone cannot support this tool.

Another claim from this article involves results of recent research demonstrating how under such a malware attack, an individual’s smart phone could be used to eavesdrop on a meeting or rapidly drain its battery so as to render the phone useless.

With so many companies now integrating, or planning to integrate, new smart phones into their internal sales, distribution and administrative processes, we believe that this malware risk needs to become a consideration for inclusion in many information security plans.

CLICK HERE to read the full article.

Are You Ready for E-Discovery Litigation Hold Notices to Include Social Networking Pages?

The topic of e-Discovery has been a growing area of inquiry coming from readers of this website for some time now, and with so many social networking technologies now being integrated into so many of our private and public life activities, we would like to point your attention to an interesting article written by Clifford F. Shnier and published in a recent edition of InsideCounsel. The title of this article is “Friend or Foe? Social Networking and E-Discovery”.

In this article, Cliff Shnier, who is an attorney and an electronic discovery consultant, discusses just a few of the concerns that social networking presents to the electronic discovery process.

With the growing number of e-discovery requests now being part of the litigation process facing organizations, and given predictions that it won’t be too long before litigation hold notices will include social networking pages, it may be time for your organization’s risk management and information security teams to pay more attention to the information presented by Mr. Shnier. You can read his full article here.

DoD Issues New Information Security Policy Directive to Their Supply Chain

In a recent article written by Jason Miller, Executive Editor for Federal News Radio, we are told that the Department of Defense (DoD) has recently issued a new policy to protect military information stored on, or moving between, unclassified networks run by contractors and the government.

We believe that this new policy may be a good benchmark for our readers to use in writing their own organization’s information security policies for vendors and contractors in their supply chain(s).

As part of this new policy’s requirements, the DoD and the Defense Industrial Base (DIB) are to create an information sharing environment for threat information, develop best practices, create a standard for reporting of and responding to cyber attacks or threats, and develop an approach for vendors to do self-assessments of the security of their networks.

It may be too early to see all of the potential applications that this new policy may have to your own organization’s efforts in this area; however, it certainly is a good grounding in some of the basic concerns and challenges that organizations face in managing information security risks in their own supply chains.

Click here to read Jason Miller’s article on this topic.

Click here to read the recently released DoD policy directive.

Need Help with Your Business Case for Preparedness Presentation to Management?

One of the primary benefits of this website is to bring developing information, ongoing research data and business continuity community input into a single resource for its readership.

With PS-Prep now becoming more and more of an important part of the preparedness and resilience elements in an organization’s business continuity philosophy, methodology and/or plan, we turn to one of our favorite sources on the topic of PS-Prep to assist those efforts.

That source is the International Center for Enterprise Preparedness (InterCEP) at New York University.

In this particular posting, however, we are going to concentrate on InterCEP’s resource offering regarding building a business case to include Preparedness and Resilience in the strategic planning and organizational goals of your organization.

One of the ways InterCEP can help your team build that business case is by sharing the business cases of others trying to achieve that same goal for their own organizations. As an added benefit, InterCEP then encourages those readers to comment upon and contribute their feedback to the continual improvement and effectiveness of those business case presentations.

We believe that this is a good way to assist the planning and preparation efforts of your internal teams, as they not only develop and make their own business case presentations to upper management, but also capitalize on the best practices of others discovered in this classic benchmarking activity.

If you would like to quickly review an annotated bibliography that InterCEP offers to help you build your business case for preparedness, CLICK HERE.

Good reading and good luck to your efforts in this exercise.

European Network and Information Security Agency Releases New White Paper on Social Networking

When discussing the topic of business continuity, the risks associated with maintaining acceptable levels of information security within an organization often involve debate and concern over the growing threats of mobile social networking services and the risks they present to organizations around the world.

If you are an information security manager in your organization and social networking and/or mobile communication is now becoming more integrated with your company’s internal processes, and, this risk topic is becoming a regular item on the agenda of your risk management team meetings, then we suggest that you read a recently released report published by the European Network and Information Security Agency (ENISA).

The title of this report is “Instantly Online - 17 Golden Rules to Combat Online Risks and Provide Safer Surfing Mobile Social Networks”, and we highly recommend it as required reading for the members of your information security management team.

This report points out many of the risks and threats of mobile social networking services, e.g. identity theft, corporate data leakage and reputation risks of mobile social networks, and also provides 17 ‘golden rules’ on how to combat these threats against your organization and the associates within your organization.

This report also offers a viewpoint on this topic that comes from a study of best practices outside of the United States for dealing with this area of concern. If nothing else, you should have this report in your library of information security reading references.

To read this full report, please CLICK HERE.

International Center for Enterprise Preparedness Offers PS-Prep Working Group Report Drafts

This website receives many inquiries asking for more information regarding the ongoing developments in the Department of Homeland Security’s PS-Prep program, and we would like to respond to that request.

To that point, one of the resources that we have overlooked in the past, and would like to make available to our business continuity, crisis and risk management team members and readership is the International Center for Enterprise Preparedness (InterCEP).

InterCEP is the world’s first major academic center (New York University) dedicated to private sector crisis management and business continuity.

At InterCEP, businesses and other private sector organizations set the initial mission of the Center and remain engaged on an ongoing basis in its evolution. The U.S. Department of Homeland Security (DHS) provided the core funding for this initiative to create a truly international resource for education and research in this vital area.

Post September 11th, businesses and other private sector organizations have increasingly acknowledged the need for organization-wide emergency management and business continuity programs. In the United States alone, this need has been validated well beyond the terrorist threat by recent events including devastating hurricanes in America’s southeast, the blackout of the Northeast, tornadoes throughout the Midwest and wildfires in the Southwest.

All of these potential and real disasters support the need for an “all hazards” approach to emergency management and business continuity. Clearly, corporate preparedness can mitigate the impact of emergencies on both people and property, and, ultimately, preparedness, or the lack of it, can determine the ongoing viability of a firm.

Building on and incorporating InterCEP’s ongoing research on the business case for both resilience and enterprise risk management, five Working Groups of stakeholders were convened to each focus on a particular area of business benefit that could potentially be enhanced by the PS-Prep Certification Program.

The purpose of the proceedings conducted by these Working Groups was to inform stakeholders in general and, in particular, the two parties with responsibility for the design, development and implementation of the PS-Prep Program: the U.S. Department of Homeland Security (DHS) and the designated accreditation body, ANAB.

At this point in time, both DHS and ANAB have participated as observers in these Working Groups so that the insights from the Working Groups could inform actions on an ongoing basis.

The Working Groups focused their efforts on the following areas: Supply Chain Resilience, Legal Liability Mitigation, Rationalized Business Reporting of Preparedness, Insurance Acknowledgement and Rating Agency Acknowledgement.

CLICK HERE to read the full report and findings from the Working Group for Supply Chain Resilience.

CLICK HERE to read the full report and findings from the Working Group for Legal Liability Mitigation and Resilience.

CLICK HERE to read the full report and findings from the Working Group for Rationalized Business Reporting of Preparedness and Resilience.

CLICK HERE to read the full report and findings from the Working Group on Corporate Ratings and Resilience.

CLICK HERE to read the full report and findings from the Working Group on Insurance and Resilience.

We recommend that both the InterCEP website and any or all of the chosen report(s) found to be most applicable to your business and organizational goals be added to your list of educational resources on the topic of PS-Prep.

Please direct any comments regarding these reports to http://www.nyu.edu/intercep/about/

Disaster Recovery Planning Cannot Be Left on the Back Burner in 2010

In a recent article written by Pierre Dorion and posted on the SearchDisasterRecovery.com website, Mr. Dorion makes a strong argument against repeating 2009, when, with the slow economy, shrinking IT budgets and staff cuts, disaster recovery (DR) planning was all too often pushed to the back burner. He then goes on to state, “With outsourcing strategies, virtualization technologies, more communication and certifications, no disaster recovery plan should be left sitting on the back burner in 2010.”

To support his position, Mr. Dorion outlines some of the DR trends for the IT industry in 2010 and how these trends can help your business continuity and disaster recovery planning teams develop, evaluate, and implement effective disaster recovery strategies into their 2010 business continuity plans for their companies.

Some of the major trends outlined in this article are as follows:

  1. Disaster recovery outsourcing
  2. Cloud computing and disaster recovery strategies
  3. Server virtualization
  4. Desktop virtualization
  5. Unified communication
  6. Standards compliance

If any or all of these trends take off in 2010, then most certainly they will be technology trends to incorporate into your disaster recovery plans.

Click here to read the full article.

Preparedness and Situational Awareness: The New Culture of Corporate Security Plans

In a recent article written by Leischen Stelter and posted on the Security Director News website, a strong case was made that detecting terrorism activity is everyone’s responsibility. This is a message that our business continuity and preparedness teams need to stress and convey within the business continuity plans of their organizations and, more importantly, to train employees and associates on how to look for and recognize suspicious persons and behaviors.

In this article, Larry Barrett, member of the DHS Office of Bombing Prevention, estimated that “…85% of the U.S. nation’s critical infrastructure is controlled by private corporations.”

Much of the message of this article also comes from the information provided in a recent workshop titled “The Private Sector Counterterrorism Awareness”, sponsored by the Department of Homeland Security (DHS) and hosted by the Maine Emergency Management Agency (MEMA).

Since it has been found that most private companies do not include the potential for terrorist attacks, secondary hazards, and entrapment devices in their business continuity and security risk management plans, we recommend reading this article to better understand if and how your organization should consider these risks before completing its plans.

CLICK HERE to read this article.