Continuity Compliance» Regulatory Compliance

ENISA Offers Free IT Security Awareness Training Videos in All 23 Official EU Languages

Continuity_Compliance — Wed, 23 Nov 2011 06:05:39 +0000

Does your organization struggle and need help training its workforce(s) in a foreign language regarding policies, procedures and strategies supporting their organization’s information security compliance efforts?

The European Network and Information Security Agency (ENISA) has launched a series of free videos in all 23 official EU languages. Designed to help raise awareness of information security risks and encourage secure handling of electronic data, the 13 video clips range from how to use strong passwords and protect sensitive data to locking down and securing your computer.

This awareness training information can now be downloaded from the ENISA website, and, should be suitable for use in your organization’s information security training program(s) along with any other awareness initiatives your company has launched to support its information security risk management strategies.

Click here to view and download some of these awareness training videos.

If applicable, please pass this information along to those risk management and ISO 27001 compliance team members in your organization.

Risk Management, Global Supply Chain Management and the Languages of Bribery

Continuity_Compliance — Fri, 04 Nov 2011 16:50:12 +0000

One of the more unusual risk components in global supply chain management involves the language of bribery. And, with fines and penalties for violations of anticorruption laws skyrocketing, feedback from our reader’s comments and following this topic on Google global alerts, our staff has found that multinational companies are applying many of their resources into the pursuit of anticorruption compliance.

In a recent article written by James G. Tillen and Sonia M. Delman, posted on the Forbes website, and entitled “A Bribe by Any Other Name”, we find the two dynamics mentioned above explained in a very easy to understand way with many examples offered to clarify their message, and as such, may be a valuable reading resource for global supply chain risk managers.

Although the article written by Tillen and Delman is somewhat dated in time, our staff believes it remains relevant today and should be an incentive for multinational companies to review this area of supply chain management risk on a regular basis.

Below you will find a short summary of a list of common bribery jargon used in certain countries. Be sure to review the complete list when reading this full article:

Country/Language	Bribery Jargon
Argentina	cohecho; soborno; coima; cometa
Angola	gaseoso
Brazil	propina; jetto; jetinho; caixinha; graxa; troco; nota; acerto
Bulgaria	rusvet
Cambodia	tea money
China	huilu; chaqian
Croatia	mitto; podmititi (v.)
East Africa	chai
Egypt	baksheesh; shay
France	pot-de-vin; arroser (v.); graisser (v.)
Gambia	maslaha
Germany	shmiergeld
Greece	bakssissi
Hausa (spoken in West Africa)	toshiyar-baki
Honduras	pajada
Hong Kong	hactzien
Hungary	megvesztegetes; kezet fogni (v.); keno penz; csuszo penz; lekenyerezni; lefizetni
India	rishwat; baksheesh; ghoos; hafta; chai-pani
Indonesia	suap; pungli; uang sogok
Iran	roshveh
Italy	tangento; omaggi; spintarella; bustarella
Japan	on; wairo; kuroi kiri

Click here to read the full article by Tillen and Delman.

If applicable, please pass this information along to those business continuity and PS-Prep strategy planning global supply chain team members in your organization.

Photo courtesy of gpnetnow.com

ISO 28002 Resilience in the Supply Chain Standard Approved

Continuity_Compliance — Fri, 05 Aug 2011 22:14:32 +0000

Contributed by: Lisa DuBrock

It seems every day ISO approves new standards. However, the approval of ISO 28002 (Resilience in the Supply Chain) is a standard to be watched in this space. The Technical Committee ISO/TC 8 of the International Organization of Standards (ISO) has worked hard to get this standard adopted. It is based on SPC.1 (Organizational Resilience Management System), one of the PS-Prep standards, and provides true linkage to a number of other Standards, including ISO 28000 Security in the Supply Chain and ISO 31000 Principles and Guidelines of Risk Management.

No discussion on ISO 28002 can go without mention of ASIS and their unwavering support of the 28000 series of standards. ASIS is also in the forefront of creating Lead Auditor curriculum that is in the final process of being certified by RABQSA, a leader in the world of ISO Lead Auditor Training and Certification.

What does this certification mean? Only time will tell, however, with the adoption of the standard as a Full ISO Management System Standard, many hurdles have already been cleared.

The ContinuityCompliance.org team wishes to congratulate all involved in this process.

Click here to read more about the ASIS announcement about this standard for resilience in the supply chain approval by ISO.

If applicable, please pass this information along to those risk management or PS-Prep compliance strategy planning teams in your organization.

Photo courtesy of blog.to-increase.com

Firm is Fined for Not Having Adequate Business Continuity and Disaster Recovery Plans

Continuity_Compliance — Mon, 01 Aug 2011 20:24:06 +0000

An article was recently posted on the ContinuityCentral website stating that the U.S. National Futures Association (NFA) has imposed a monetary sanction of $75,000 against Capital Market Services, LLC (CMS), a Futures Commission Merchant located in New York.

Organizations who have not fully signed up to address the compliancy issues stemming from the regulatory related business continuity requirements which may affect those organizations, need to read about this recent case.

In this case, and as stated in the article, “…the complaint alleged that CMS failed to implement adequate business continuity and disaster recovery plans and that CMS failed to report all system outages experienced by the firm to its customers and NFA. These outages left customers unable to enter new orders or manage their existing orders. In addition, the Complaint charged CMS with failing to adequately supervise the use of its electronic trading platforms.”

Be sure to also view the referenced case report to see more details and information surrounding this NFA Business Conduct Committee decision.

Is your organization potentially bound by similar or other industry related compliance requirements (e.g. U.S. critical infrastructure ranked concerns) regarding your company having an adequate business continuity plan in place, tested and improved upon to reflect the changing environment in which the company operates?

Click here to read this short article.

If applicable, please pass this information along to your executive risk management team or committee for their review.

Cyber-Shredding — Possible Related Issue Over Murdoch’s News Corp Closure

Continuity_Compliance — Mon, 25 Jul 2011 22:19:19 +0000

As we have seen in prior postings on this website, a growing area of organizational risk management and mitigation involves potential threats surrounding legal actions related to e-discovery regulatory requirements – e.g. legal holds, data recovery, evidence spoliation, etc.

Could e-Discovery requirements be the next issue we read about concerning Rupert Murdoch’s News Corp. decision to close the newspaper?

For those business continuity and risk management teams looking for real life examples of consequences of risk taking decisions and e-Discovery, a recent article posted on the iSightBlog website offers some interesting e-discovery related reading resource content.

This story even goes so far as to suggest that Rupert Murdoch’s reason for shutting down the paper was to allow him to get rid of electronic evidence.

Time will tell if this story leads to the next major MBA business case study involving “How Not to Deal with E-Discovery Risk Management”.

Hopefully, your company will never be facing the situation surrounding the recent closure of Rupert Murdoch’s News Corp. However, e-Discovery remains an area of potential risk for nearly all organizations and you cannot deny the fact that regulatory requirements related to privacy and e-discovery continue to be one of the more important agenda items for consideration in every organization’s business impact analysis project.

Read more of this “E-Discovery and Cyber-Shredding at News of the World” posting….

PS-Prep Standards — How Do they Compare?

Continuity_Compliance — Thu, 26 May 2011 06:47:23 +0000

As many of our readers know, the PS-Prep program is a topic often posted on this website.

Our staff provides access to many postings on the internet related to PS-Prep, and, recently, a posting available on the SearchDisasterRecovery.com website came to our attention as something to be shared with our readership.

The SearchDisasterRecovery.com staff of writers organized a concise comparative chart between ASIS/BSI BCM.01-2010 with ISO 22301 and the existing PS-Prep recognized Standards (ASIS SPC.1:2009, BS 25999:2 and NFPA 1600:2010).

This information would be a great additional reading resource for the business continuity, risk management or PS-Prep strategy planning team members in your organization.

Click here to download this chart (pdf format) for your library.

Again, we thank the SearchDisasterRecovery.com staff for making this available.

Photo courtesy of tutor2u.net

Emergency Action Plans and OSHA 29 CFR 1910.38

Continuity_Compliance — Tue, 24 May 2011 20:48:20 +0000

Personal preparedness is an integral component of any emergency action or business continuity plan.

And for employers with more than ten (10) employees, training, education, and written plans to support personal preparedness levels of all of its employees regarding emergency action plans is a requirement by law under OSHA 29 CFR 1910.38. It is important for those organizations to comply with those requlatory requirements.

Compliance with OSHA 29CFR 1910.38 More Important Now the Ever

Being prepared is one of the most important defenses against disasters, and, given the recent increase of weather related disasters, perhaps, now is the time to confirm the status and condition of your company’s existing written emergency action plans. And, if no such plan exists, then, volunteer to help initiate and integrate such a plan into your workplace environment.

To assist that process, our staff suggests the use ofsome of the information provided in the links below:

OSHA Instruction Guide for Emergency Action Plans

OSHA Principal Emergency Response and Preparedness Requirements and Guidance

Checklist – Emergency Action Plan- OSHA 29CFR 1910.38

To download a word document sample emergency action plan for guidance purposes only, click the link below:

www.tdi.state.tx.us/pubs/videoresource/emergencyact.doc

For those companies needing assistance in meeting the education and training requirements under OSHA 29 CFR 1910.38, FEMA offers a great independent study program that can be extended to those members of your business continuity, risk and crisis management or disaster preparedness team .

Emergency Management Institute (Independent Study Programs)

If applicable, please pass this information on to other disaster preparedness or PS-Prep strategy planning teams.

Photo courtesy of blog.liveprocess.com

Development of Corporate Code of Conduct Promoted by WMACCA

Continuity_Compliance — Tue, 10 May 2011 03:49:33 +0000

The Washington Metropolitan Area Corporate Counsel Association (WMACCA) serves the professional needs of in-house counsel in Washington, D.C., the Commonwealth of Virginia, and suburban Maryland, and on May 19^th is hosting a May Signature Luncheon.

Amy E. Hutchens, CCEP, General Counsel and Vice President, Compliance and Ethics Services, Watermark Risk Management International, who is also a contributing writer for this website, along with Karen M. Litsinger, General Counsel, Mirixa Corporation, and Jason L. Lunday, Director, Values and Compliance, Verisign, Inc.n and Bonnie Green of Sodexo.

The title of that presentation is “Good Behavior – The Ins and Outs of Developing a Corporate Code of Conduct”.

Given the strong impact that executive management has on the culture and support needed to have and maintain an effective internal business continuity or risk management plan or policy, attendance at this presentation could and would be time well spent for in-house counsel or business continuity planning team members.

If applicable, Click here to read more about and register for this WMACCA event.

Photo courtesy of xzbackup.com

Risk Management, Social Networks and Potential Risks of Hiring Discrimination Claims

Continuity_Compliance — Fri, 29 Apr 2011 03:22:39 +0000

In a recent staff discussion reviewing several reader comments on the topic of potential corporate risk management issues concerning social networking and how this recent use of social media is being brought into business processes such as recruiting and other hiring related activities, many areas of potential privacy violation risks were discovered. In fact, much of our research indicated that using social media in the recruiting and hiring process has the potential to create hiring discrimination claims and even possible law suits – all of which have then the potential to create large economic penalties in both time and money for organizations. An example of this, might be where, depending on how a candidate restricts and controls their privacy on sites like Facebook, a recruiter or manager is capable of learning a great deal of information that legally, should not be included in their decision to interview or even a hire a potential employee.

Supporting a disaster preparedness position and mindset on this issue, our staff recommends an article entitled ”The Era of Corporate Social Media Discrimination” , written in four parts by Jessica Miller-Merrell, SPHR, as great reading on this topic.

The links to that information are as follows:

Part 1 – types of protected classes of privacy are outlined along with real world possible scenarios to consider,
Part 2 - points out potential liabilities and governmental agencies that are now just learning about social media,
Part 3 - discusses disparate and adverse impacts, and
Part 4 - raises the concern for potential liabilities from online unconscious bias which is the foundation of the pending Wal-Mart class action suit.

Hopefully, from the information and recommendations provided by Jessica Miller-Merrell, your organization will be able to use social media to recruit and hire individuals safely and effectively, and thus, totally avoid the need for business continuity planners to develop a disaster recovery or crisis management strategy to address such a potential violation of an individual’s rights to privacy.

If applicable, please pass this information on to those HR professionals in your organization.

Photo courtesy of newscollective.com

ISO/IEC 20000-1:2011 Standard Formally Released

Continuity_Compliance — Fri, 15 Apr 2011 15:40:45 +0000

by: Sally Smoczynski, Contributing Writer

I just wanted to let you know that ISO has just issued a new update to the ISO/IEC 20000-1:2005 standard. There is now a revised standard, ISO/IEC 20000-1:2011. It is available for purchase at http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=51986

What does this mean for you???

At this time, and if you have been already certified to the old version of the standard, your Service Management System is still valid! In the near future, the Registrars will issue a transition plan that will require certified organizations to transition to the new requirements of the standard. It is usually an 18 months transition period.

I have highlighted a few of the changes for you to consider:

The updated standard refers to a Service Management System instead of an IT Service Management System.
Clauses 3 and 4 have been collapsed in to one clause and have been aligned with ISO 9001 and ISO 27001 requirement statements.
There are additional definitions in the glossary.
There is more clarification in most sections

ISO/IEC 20000-1:2005	ISO/IEC 20000-1:2011
Clauses 3 & 4 have been merged into one Clause
Clause 3 Management Responsibility	Clause 4 Service Management Responsibility
Clause 4 PDCA Service Management
Clause 5 has been expanded to a more ITIL based Service Design and Transition process
Clause 5 New or Changed Services	Clause 5 Design and Transition of New or Changed Services
Clause 6 has added more clarification and expansion on requirements for each sub clause
Clause 7 has added additional guidance on supplier management
Clause 8 has included service request to incident management
Clause 8.2 Incident Management	Clause 8.2 Incident and Service Request Management
Clause 9 has included Release and Deployment Management, Clause 10 is removed
Clause 10 Release Management	Clause 9.3 Release and Deployment Management

I am certain that more will be written about these changes and their effects on organizations already certified to ISO.IEC 20000-1:2005 or those considering to become either in compliance with or certified to the new standard ISO/IEC 20000-2011 — so be watchful for those notices on this website or other websites dealing with this standard.

Photo courtesy of samanage.com