May 17, 2012

Cyber-Shredding — Possible Related Issue Over Murdoch’s News Corp Closure

As we have seen in prior postings on this website, a growing area of organizational risk management and mitigation involves potential threats surrounding legal actions related to e-discovery regulatory requirements – e.g. legal holds, data recovery, evidence spoliation, etc.

Could e-Discovery requirements be the next issue we read about concerning Rupert Murdoch’s News Corp. decision to close the newspaper?

For those business continuity and risk management teams looking for real-life examples of the consequences of risk-taking decisions and e-Discovery, a recent article posted on the iSightBlog website offers some interesting e-discovery related reading material.

This story even goes so far as to suggest that Rupert Murdoch’s reason for shutting down the paper was to allow him to get rid of electronic evidence.

Time will tell if this story leads to the next major MBA business case study involving “How Not to Deal with E-Discovery Risk Management”.

Hopefully, your company will never face the situation surrounding the recent closure of Rupert Murdoch’s News Corp. newspaper. However, e-Discovery remains an area of potential risk for nearly all organizations, and you cannot deny the fact that regulatory requirements related to privacy and e-discovery continue to be one of the more important agenda items for consideration in every organization’s business impact analysis project.

Read more of this “E-Discovery and Cyber-Shredding at News of the World” posting….

PS-Prep Standards — How Do they Compare?

As many of our readers know, the PS-Prep program is a topic often posted on this website.

Our staff provides access to many postings on the internet related to PS-Prep, and, recently, a posting available on the SearchDisasterRecovery.com website came to our attention as something to be shared with our readership.

The SearchDisasterRecovery.com staff of writers organized a concise chart comparing ASIS/BSI BCM.01-2010 with ISO 22301 and the existing PS-Prep recognized standards (ASIS SPC.1:2009, BS 25999-2 and NFPA 1600:2010).

This information would be a great additional reading resource for the business continuity, risk management or PS-Prep strategy planning team members in your organization.

Click here to download this chart (pdf format) for your library.

Again, we thank the SearchDisasterRecovery.com staff for making this available.

Photo courtesy of tutor2u.net

Emergency Action Plans and OSHA 29 CFR 1910.38

Personal preparedness is an integral component of any emergency action or business continuity plan.

And for employers with more than ten (10) employees, training, education, and written plans to support the personal preparedness of all of their employees regarding emergency action plans are required by law under OSHA 29 CFR 1910.38. It is important for those organizations to comply with those regulatory requirements.

Compliance with OSHA 29 CFR 1910.38 More Important Now than Ever

Being prepared is one of the most important defenses against disasters, and, given the recent increase in weather-related disasters, perhaps now is the time to confirm the status and condition of your company’s existing written emergency action plans. And, if no such plan exists, then volunteer to help initiate and integrate such a plan into your workplace environment.

To assist that process, our staff suggests the use of some of the information provided in the links below:

OSHA Instruction Guide for Emergency Action Plans

OSHA Principal Emergency Response and Preparedness Requirements and Guidance

Checklist – Emergency Action Plan – OSHA 29 CFR 1910.38

To download a Word document sample emergency action plan, for guidance purposes only, click the link below:

www.tdi.state.tx.us/pubs/videoresource/emergencyact.doc

For those companies needing assistance in meeting the education and training requirements under OSHA 29 CFR 1910.38, FEMA offers a great independent study program that can be extended to the members of your business continuity, risk and crisis management or disaster preparedness team.

Emergency Management Institute (Independent Study Programs)

If applicable, please pass this information on to other disaster preparedness or PS-Prep strategy planning teams.

Photo courtesy of blog.liveprocess.com

Development of Corporate Code of Conduct Promoted by WMACCA

The Washington Metropolitan Area Corporate Counsel Association (WMACCA) serves the professional needs of in-house counsel in Washington, D.C., the Commonwealth of Virginia, and suburban Maryland, and on May 19th is hosting a May Signature Luncheon.

The presenters are Amy E. Hutchens, CCEP, General Counsel and Vice President, Compliance and Ethics Services, Watermark Risk Management International, who is also a contributing writer for this website, along with Karen M. Litsinger, General Counsel, Mirixa Corporation, Jason L. Lunday, Director, Values and Compliance, Verisign, Inc., and Bonnie Green of Sodexo.

The title of that presentation is “Good Behavior – The Ins and Outs of Developing a Corporate Code of Conduct”.

Given the strong influence that executive management has on the culture and support needed to establish and maintain an effective internal business continuity or risk management plan or policy, attendance at this presentation would be time well spent for in-house counsel or business continuity planning team members.

If applicable, click here to read more about and register for this WMACCA event.

Photo courtesy of xzbackup.com

Risk Management, Social Networks and Potential Risks of Hiring Discrimination Claims

In a recent staff discussion reviewing several reader comments on potential corporate risk management issues concerning social networking, and on how social media is being brought into business processes such as recruiting and other hiring-related activities, many areas of potential privacy violation risk were identified. In fact, much of our research indicated that using social media in the recruiting and hiring process has the potential to create hiring discrimination claims and even possible lawsuits, all of which have the potential to create large economic penalties in both time and money for organizations. An example of this might be where, depending on how a candidate restricts and controls their privacy on sites like Facebook, a recruiter or manager is able to learn a great deal of information that, legally, should not factor into the decision to interview or hire a potential employee.

Supporting a disaster preparedness position and mindset on this issue, our staff recommends an article entitled “The Era of Corporate Social Media Discrimination”, written in four parts by Jessica Miller-Merrell, SPHR, as great reading on this topic.

The links to that information are as follows:

  1. Part 1 – types of protected classes of privacy are outlined along with real-world possible scenarios to consider,
  2. Part 2 – points out potential liabilities and governmental agencies that are now just learning about social media,
  3. Part 3 – discusses disparate and adverse impacts, and
  4. Part 4 – raises the concern for potential liabilities from online unconscious bias, which is the foundation of the pending Wal-Mart class action suit.

Hopefully, with the information and recommendations provided by Jessica Miller-Merrell, your organization will be able to use social media to recruit and hire individuals safely and effectively, and thus avoid the need for business continuity planners to develop a disaster recovery or crisis management strategy to address such a potential violation of an individual’s right to privacy.

If applicable, please pass this information on to those HR professionals in your organization.

Photo courtesy of newscollective.com

ISO/IEC 20000-1:2011 Standard Formally Released

by: Sally Smoczynski, Contributing Writer

I just wanted to let you know that ISO has just issued a new update to the ISO/IEC 20000-1:2005 standard. There is now a revised standard, ISO/IEC 20000-1:2011. It is available for purchase at http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=51986

What does this mean for you?

At this time, if you have already been certified to the old version of the standard, your Service Management System is still valid! In the near future, the Registrars will issue a transition plan that will require certified organizations to transition to the new requirements of the standard. It is usually an 18-month transition period.

I have highlighted a few of the changes for you to consider:

  1. The updated standard refers to a Service Management System instead of an IT Service Management System.
  2. Clauses 3 and 4 have been collapsed into one clause and have been aligned with ISO 9001 and ISO 27001 requirement statements.
  3. There are additional definitions in the glossary.
  4. There is more clarification in most sections.
Summary of clause changes, ISO/IEC 20000-1:2005 compared with ISO/IEC 20000-1:2011:

  Clauses 3 & 4 have been merged into one clause
    2005: Clause 3 Management Responsibility; Clause 4 PDCA Service Management
    2011: Clause 4 Service Management Responsibility

  Clause 5 has been expanded to a more ITIL-based Service Design and Transition process
    2005: Clause 5 New or Changed Services
    2011: Clause 5 Design and Transition of New or Changed Services

  Clause 6 has added more clarification and expansion on requirements for each sub-clause

  Clause 7 has added additional guidance on supplier management

  Clause 8 has included service request in incident management
    2005: Clause 8.2 Incident Management
    2011: Clause 8.2 Incident and Service Request Management

  Clause 9 has included Release and Deployment Management; Clause 10 is removed
    2005: Clause 10 Release Management
    2011: Clause 9.3 Release and Deployment Management

I am certain that more will be written about these changes and their effects on organizations already certified to ISO/IEC 20000-1:2005 or those considering becoming either compliant with or certified to the new standard ISO/IEC 20000-1:2011, so be watchful for those notices on this website or other websites dealing with this standard.

Photo courtesy of samanage.com

Compensation Laws and Risk Management

Few business continuity planning teams would think to consider labor laws in the business impact analysis exercises that prepare their organization to avoid or survive an unexpected disruptive event. Yet, as Amy Hutchens JD, CCEP, a contributing writer for this website, has pointed out to readers in the past, it is important to realize that many organizations have been and will continue to be challenged to double-check their wage and hour practices and ensure their compliance with compensation laws. If found to be non-compliant with compensation laws, many organizations might find themselves facing a serious economic disruptive event that could well qualify as a serious threat to keeping their doors “open for business”.

If you believe your organization needs to be kept abreast of the DOL’s tightening enforcement campaigns, their requirements, and their implications for your organization’s compensation program, then register for a free webinar entitled “Wage and Hour Law: Update and Outlook”.

This free webinar will be held on May 4, 2011 from 2:00-3:00PM EST, as part of a DuPont Sustainable Solutions offering, and will include a presentation by Ms. Hutchens.

If applicable, please click here for more details.

Photo courtesy of examiner.com

E-Discovery Reaches Historic Milestone

The Association of Certified E-Discovery Specialists (ACEDS) announced that “…a new day in e-discovery dawned from coast to coast in the United States and other countries this week as practitioners in law, litigation support, information technology, records management and other fields of endeavor learned they are members of the inaugural class of professionals who earned the Certified E-Discovery Specialist (CEDS) designation.”

The landmark CEDS exam, which the CEDS candidates took at more than 40 secure testing centers worldwide, is the first legally defensible, scientifically verifiable e-discovery competency examination. Neither ACEDS nor the CEDS examinations have any ties or links to a software product or outside organization.

This website has consistently included e-discovery as an important part of the potential threat that organizations need to be aware of as part of their regulatory requirements applied to their internal records management and information security functions.

More succinctly, the potential risk management issue to consider here can be better understood when a definition of the term e-discovery is reviewed. Per the ACEDS website, e-discovery is defined as “… the major new legal and technological specialty area focused on the complex obligations of private sector and government organizations and individuals, to retain, organize, retrieve and disclose electronically stored information in civil and criminal litigation, governmental and internal investigations, arbitration, and other types of dispute resolution”.

From a business continuity or regulatory audit perspective, non-compliance with any of these requirements could present an economic risk and/or penalty cost beyond the resources available to most small or mid-size companies. The milestone now reached could offer a risk mitigation resource for those organizations facing e-discovery litigation or requirement challenges.

World now has independent uniform standards, verifiable competency level

“This is a milestone in the e-discovery field,” said ACEDS president and founder Charles A. Intriago, a former Assistant US Attorney and litigator at a large international law firm, who also founded the now 10,000-member Association of Certified Anti-Money Laundering Specialists (ACAMS). “For the first time the world has an independent, authoritative, scientifically verifiable mechanism to set uniform standards and establish a base level of competency, knowledge and skill for e-discovery practitioners wherever they do business,” he added.

“For the successful candidates, the CEDS designation will be powerful evidence of highly specialized expertise that will be recognized and welcomed by law firms, corporations, courts, peers, government agencies, and clients,” said William Hamilton, a partner at the law firm of Quarles & Brady, who chairs the ACEDS Advisory Board.

This should be good news for all organizations now facing the challenge of complying with the many new and developing regulatory requirements in the field of e-discovery.

Read more about this e-discovery announcement….

If applicable, please pass this information along to those information security and/or records management team members in your organization.

HIPAA Privacy Violation Fines: A Potential Factor for Risk Management Strategy Planning

In an effort to not lose focus on the seriousness of HIPAA compliance requirements, we point our readers to a recent article written by Howard Anderson, Executive Editor, and posted on the HealthcareInfoSecurity.com website. In this posting we are told that, for the first time, federal officials have fined a healthcare organization for violations of the HIPAA privacy rule. Cignet Health of Prince George’s County, Md., was fined $4.3 million for violations that involved failing to provide 41 patients with access to their medical records and then failing to cooperate with federal investigators.

Cignet Health, a Christian-influenced medical service, operates four clinics in southern Maryland. The HITECH ACT created higher fines for HIPAA violations, which were issued in this case.

The reason we want to inform you about these fines imposed by federal officials is to respond to the many comments received by this website indicating that less than serious attention is being paid to the reality that these fines do exist and are often heavy economic burdens for organizations, and that there appears to be a trend toward continued investigations and enforcement actions for proven violations of these important HIPAA-related regulations.

If applicable, is your organization taking these HIPAA privacy rules seriously? If not, that organization may be subject to a potentially costly investigative process which could ultimately lead to a final economic penalty that even the best business continuity plan or risk management strategy could not survive.

Click here to read the full article concerning this potential threat to “keeping the doors open”, especially for any small or mid-sized entity or enterprise.

E-Discovery Issues to Follow in 2011

While issues surrounding E-Discovery continue to become more critical components of how organizations and their legal counsel teams prepare for and conduct litigation, e-discovery seems to be perceived as more of a concern for large enterprises and less so for small businesses. Unfortunately, the emerging regulations and laws surrounding this topic do not follow this logic, and, given the recent increase in economic penalties for non-compliance, e-discovery matters could quickly become enough of an economic burden to small and mid-sized companies to also threaten “keeping the doors open” for that company.

Therefore, it is with this logic in mind that we point our readers to a recent posting about e-discovery by the Huron Consulting Group. The posting is entitled “Ten Key E-Discovery Issues to Watch in 2011”.

James G. Mitchell, Managing Director and Head of Discovery Services for Huron Legal, describes this posting by stating, “In the following article, David J. Lender, Partner, Weil Gotshal & Manges LLP; and Andrew J. Peck, Magistrate Judge, United States District Court for the Southern District of New York, assess the most important court rulings in 2010 and their impact on process and procedure in 2011. They also describe practical strategies to meet the challenges today and devise approaches that will be beneficial in the year ahead. Their commentary offers a blueprint for proactive ways to deal with 10 key issues they identify as important to all those working on e-discovery matters.”

Click here to read their full listing of important issues surrounding e-discovery to watch in 2011.

If applicable, please pass this information along to those information security, privacy rights strategy, business risk and business continuity planning team members in your organization.