February 5, 2012

ENISA Offers Free IT Security Awareness Training Videos in All 23 Official EU Languages

Does your organization struggle to train a workforce that speaks a foreign language on the policies, procedures and strategies that support its information security compliance efforts?

The European Network and Information Security Agency (ENISA) has launched a series of free videos in all 23 official EU languages. Designed to raise awareness of information security risks and encourage secure handling of electronic data, the 13 video clips cover topics ranging from using strong passwords and protecting sensitive data to locking and securing your computer.

This awareness training material can now be downloaded from the ENISA website and should be suitable for use in your organization's information security training program(s), alongside any other awareness initiatives your company has launched to support its information security risk management strategy.

Click here to view and download some of these awareness training videos.

If applicable, please pass this information along to the risk management and ISO 27001 compliance team members in your organization.

Risk Management, Global Supply Chain Management and the Languages of Bribery

One of the more unusual risk components in global supply chain management is the language of bribery. With fines and penalties for violations of anticorruption laws skyrocketing, our staff has found, from readers' comments and from following this topic on Google global alerts, that multinational companies are devoting substantial resources to anticorruption compliance.

An article by James G. Tillen and Sonia M. Delman, posted on the Forbes website and entitled "A Bribe by Any Other Name", explains both of these dynamics in very accessible terms, with many examples to clarify the message. As such, it may be a valuable reading resource for global supply chain risk managers.

Although the Tillen and Delman article is somewhat dated, our staff believes it remains relevant today and should encourage multinational companies to review this area of supply chain risk on a regular basis.

Below is a short summary of the article's list of common bribery jargon by country or language. Be sure to review the complete list when reading the full article:

Country/Language: Bribery Jargon
Argentina: cohecho; soborno; coima; cometa
Angola: gaseoso
Brazil: propina; jeito; jeitinho; caixinha; graxa; troco; nota; acerto
Bulgaria: rusvet
Cambodia: tea money
China: huilu; chaqian
Croatia: mito; podmititi (v.)
East Africa: chai
Egypt: baksheesh; shay
France: pot-de-vin; arroser (v.); graisser (v.)
Gambia: maslaha
Germany: Schmiergeld
Greece: bakssissi
Hausa (West Africa): toshiyar-baki
Honduras: pajada
Hong Kong: hactzien
Hungary: megvesztegetés; kezet fogni (v.); kenőpénz; csúszópénz; lekenyerezni; lefizetni
India: rishwat; baksheesh; ghoos; hafta; chai-pani
Indonesia: suap; pungli; uang sogok
Iran: roshveh
Italy: tangente; omaggi; spintarella; bustarella
Japan: on; wairo; kuroi kiri
Click here to read the full article by Tillen and Delman.

If applicable, please pass this information along to the business continuity, PS-Prep strategy planning and global supply chain team members in your organization.

Photo courtesy of gpnetnow.com

ISO 28002 Resilience in the Supply Chain Standard Approved

Contributed by: Lisa DuBrock

ISO seems to approve new standards every day. However, the approval of ISO 28002 (Resilience in the Supply Chain) is one to watch in this space. Technical Committee ISO/TC 8 of the International Organization for Standardization (ISO) has worked hard to get this standard adopted. It is based on ASIS SPC.1 (Organizational Resilience Management System), one of the PS-Prep standards, and provides true linkage to a number of other standards, including ISO 28000 (Security in the Supply Chain) and ISO 31000 (Risk Management: Principles and Guidelines).

No discussion of ISO 28002 would be complete without mention of ASIS and its unwavering support of the 28000 series of standards. ASIS is also at the forefront of creating a Lead Auditor curriculum that is in the final stages of certification by RABQSA, a leader in ISO Lead Auditor training and certification.

What will this certification mean? Only time will tell; however, with the adoption of the standard as a full ISO management system standard, many hurdles have already been cleared.

The ContinuityCompliance.org team wishes to congratulate all involved in this process.

Click here to read the ASIS announcement on ISO's approval of this supply chain resilience standard.

If applicable, please pass this information along to the risk management or PS-Prep compliance strategy planning teams in your organization.

Photo courtesy of blog.to-increase.com

Firm is Fined for Not Having Adequate Business Continuity and Disaster Recovery Plans

An article recently posted on the ContinuityCentral website reports that the U.S. National Futures Association (NFA) has imposed a $75,000 monetary sanction on Capital Market Services, LLC (CMS), a Futures Commission Merchant located in New York.

Organizations that have not yet fully addressed the business continuity requirements imposed by the regulations that apply to them should read about this recent case.

In this case, and as stated in the article, “…the complaint alleged that CMS failed to implement adequate business continuity and disaster recovery plans and that CMS failed to report all system outages experienced by the firm to its customers and NFA. These outages left customers unable to enter new orders or manage their existing orders. In addition, the Complaint charged CMS with failing to adequately supervise the use of its electronic trading platforms.”

Be sure to also view the referenced case report to see more details and information surrounding this NFA Business Conduct Committee decision.

Is your organization potentially bound by similar or other industry-related compliance requirements (e.g. those applying to U.S. critical infrastructure) to have an adequate business continuity plan in place, tested, and improved upon to reflect the changing environment in which the company operates?

Click here to read this short article.

If applicable, please pass this information along to your executive risk management team or committee for their review. 

Cyber-Shredding — Possible Related Issue Over Murdoch’s News of the World Closure

As we have seen in prior postings on this website, a growing area of organizational risk management and mitigation involves the potential threat of legal action arising from e-discovery regulatory requirements, e.g. legal holds, data recovery and evidence spoliation.

Could e-discovery requirements be the next issue we read about concerning Rupert Murdoch’s News Corp. decision to close the newspaper?

For business continuity and risk management teams looking for real-life examples of the consequences of risk-taking decisions and e-discovery, a recent article posted on the iSightBlog website offers some interesting e-discovery related reading.

The story even goes so far as to suggest that Rupert Murdoch’s reason for shutting down the paper was to get rid of electronic evidence.

Time will tell if this story leads to the next major MBA business case study involving “How Not to Deal with E-Discovery Risk Management”.

Hopefully, your company will never face the situation surrounding the recent closure of Rupert Murdoch’s News of the World. However, e-discovery remains an area of potential risk for nearly all organizations, and regulatory requirements related to privacy and e-discovery continue to be among the more important agenda items for every organization’s business impact analysis project.

Read more of this “E-Discovery and Cyber-Shredding at News of the World” posting…

PS-Prep Standards — How Do they Compare?

As many of our readers know, the PS-Prep program is a topic often posted on this website.

Our staff provides access to many postings on the internet related to PS-Prep, and recently a posting on the SearchDisasterRecovery.com website came to our attention as something to share with our readership.

The SearchDisasterRecovery.com writers have organized a concise chart comparing ASIS/BSI BCM.01-2010 with ISO 22301 and the existing PS-Prep recognized standards (ASIS SPC.1-2009, BS 25999-2 and NFPA 1600:2010).

This information would be a great additional reading resource for the business continuity, risk management or PS-Prep strategy planning team members in your organization.

Click here to download this chart (pdf format) for your library.

Again, we thank the SearchDisasterRecovery.com staff for making this available.

Photo courtesy of tutor2u.net

Emergency Action Plans and OSHA 29 CFR 1910.38

Personal preparedness is an integral component of any emergency action or business continuity plan.

For employers with more than ten (10) employees, training, education and written plans to support the personal preparedness of all employees regarding emergency action plans are required by law under OSHA 29 CFR 1910.38. It is important for those organizations to comply with these regulatory requirements.

Compliance with OSHA 29 CFR 1910.38 More Important Now Than Ever

Being prepared is one of the most important defenses against disasters, and, given the recent increase in weather-related disasters, now may be the time to confirm the status and condition of your company’s existing written emergency action plans. If no such plan exists, volunteer to help initiate and integrate one into your workplace.

To assist with that process, our staff suggests using some of the information provided in the links below:

OSHA Instruction Guide for Emergency Action Plans

OSHA Principal Emergency Response and Preparedness Requirements and Guidance

Checklist – Emergency Action Plan – OSHA 29 CFR 1910.38

To download a Word document sample emergency action plan, for guidance purposes only, click the link below:

www.tdi.state.tx.us/pubs/videoresource/emergencyact.doc

For companies needing assistance in meeting the education and training requirements under OSHA 29 CFR 1910.38, FEMA offers a great independent study program that can be extended to the members of your business continuity, risk and crisis management or disaster preparedness team.

Emergency Management Institute (Independent Study Programs)

If applicable, please pass this information on to the disaster preparedness or PS-Prep strategy planning teams in your organization.

Photo courtesy of blog.liveprocess.com

Development of Corporate Code of Conduct Promoted by WMACCA

The Washington Metropolitan Area Corporate Counsel Association (WMACCA) serves the professional needs of in-house counsel in Washington, D.C., the Commonwealth of Virginia and suburban Maryland, and on May 19th it is hosting its May Signature Luncheon.

The presenters are Amy E. Hutchens, CCEP, General Counsel and Vice President, Compliance and Ethics Services, Watermark Risk Management International, who is also a contributing writer for this website; Karen M. Litsinger, General Counsel, Mirixa Corporation; Jason L. Lunday, Director, Values and Compliance, Verisign, Inc.; and Bonnie Green of Sodexo.

The title of that presentation is “Good Behavior – The Ins and Outs of Developing a Corporate Code of Conduct”.

Given the strong influence that executive management has on the culture and support needed to establish and maintain an effective internal business continuity or risk management plan or policy, attending this presentation would be time well spent for in-house counsel or business continuity planning team members.

If applicable, click here to read more about and register for this WMACCA event.

Photo courtesy of xzbackup.com

Risk Management, Social Networks and Potential Risks of Hiring Discrimination Claims

In a recent staff discussion reviewing several reader comments on the potential corporate risk management issues raised by social networking, and by the growing use of social media in business processes such as recruiting and hiring, many areas of potential privacy violation risk were identified. In fact, much of our research indicated that using social media in the recruiting and hiring process has the potential to create hiring discrimination claims and even lawsuits, all of which can carry large penalties in both time and money for organizations. For example, depending on how a candidate restricts and controls their privacy settings on sites like Facebook, a recruiter or manager may learn a great deal of information that legally should play no part in the decision to interview or hire a potential employee.

In support of a disaster preparedness mindset on this issue, our staff recommends the four-part article entitled “The Era of Corporate Social Media Discrimination”, written by Jessica Miller-Merrell, SPHR, as great reading on this topic.

The links to that information are as follows:

  1. Part 1 – outlines the types of protected classes and privacy concerns, along with real-world scenarios to consider,
  2. Part 2 – points out potential liabilities and the governmental agencies that are only now learning about social media,
  3. Part 3 – discusses disparate and adverse impacts, and
  4. Part 4 – raises the concern of potential liability from unconscious online bias, which is the foundation of the pending Wal-Mart class action suit.

Hopefully, with the information and recommendations provided by Jessica Miller-Merrell, your organization will be able to use social media to recruit and hire safely and effectively, and so avoid the need for business continuity planners to develop a disaster recovery or crisis management strategy for a violation of an individual’s privacy rights.

If applicable, please pass this information on to the HR professionals in your organization.

Photo courtesy of newscollective.com

ISO/IEC 20000-1:2011 Standard Formally Released

by: Sally Smoczynski, Contributing Writer

I just wanted to let you know that ISO has just issued a new update to the ISO/IEC 20000-1:2005 standard. There is now a revised standard, ISO/IEC 20000-1:2011. It is available for purchase at http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=51986

What does this mean for you?

At this time, if you have already been certified to the old version of the standard, your Service Management System is still valid! In the near future, the Registrars will issue a transition plan that will require certified organizations to transition to the new requirements of the standard. It is usually an 18-month transition period.

I have highlighted a few of the changes for you to consider:

  1. The updated standard refers to a Service Management System instead of an IT Service Management System.
  2. Clauses 3 and 4 have been collapsed into one clause and have been aligned with the ISO 9001 and ISO 27001 requirement statements.
  3. There are additional definitions in the glossary.
  4. There is more clarification in most sections.
Summary of clause changes (ISO/IEC 20000-1:2005 vs. ISO/IEC 20000-1:2011):

Clauses 3 and 4 have been merged into one clause
  2005: Clause 3 Management Responsibility; Clause 4 PDCA Service Management
  2011: Clause 4 Service Management Responsibility

Clause 5 has been expanded into a more ITIL-based Service Design and Transition process
  2005: Clause 5 New or Changed Services
  2011: Clause 5 Design and Transition of New or Changed Services

Clause 6 has added more clarification and expansion of the requirements for each sub-clause

Clause 7 has added additional guidance on supplier management

Clause 8 now includes service requests in incident management
  2005: Clause 8.2 Incident Management
  2011: Clause 8.2 Incident and Service Request Management

Clause 9 now includes Release and Deployment Management; Clause 10 is removed
  2005: Clause 10 Release Management
  2011: Clause 9.3 Release and Deployment Management
I am certain that more will be written about these changes and their effects on organizations already certified to ISO/IEC 20000-1:2005, or those considering becoming either compliant with or certified to the new standard ISO/IEC 20000-1:2011 — so be watchful for those notices on this website or other websites dealing with this standard.

Photo courtesy of samanage.com