February 23, 2012

Posts Comments

You are here: Home / Archives for Information / Risk Management

Business Continuity Awareness Week 2012 — Reminder — March 19-23

February 21, 2012 By Leave a Comment

 

Photo courtesy of blog.clearrisk.com

Business Continuity Awareness Week (“BCAW”)  2012 is fast approaching and with this year’s BCAW 2012 theme about time, we should all be aware of the fact the time is not usually on your side in a crisis — therefore our staff recommends participation in BCAW 2012 for all business continuity planners.

First a few general reminders:

  1. the Business Continuity Awareness Week (BCAW) is the global educational event for people to learn more about Business Continuity Management (BCM).
  2. BCAW is facilitated by the Business Continuity Institute (BCI), the prestigious international membership body for BCM — approaching 7,000 members in some 100 countries.
  3. In a crisis, people are making decisions under pressure, options are reduced and media scrutiny may be at its greatest.  Indeed, how well or badly a crisis is managed may have greater consequences for the organization than the original incident.  Whether a small business or a major multi-national, the challenges are the same, it’s just that some have further to fall!

Our staff supports the premise of BCAW 2012 – i.e. …dealing effectively with an incident on any scale requires Business Continuity Management (BCM) – a set of practices and capabilities, which have been crafted into a tried and tested framework to help you identify and manage the consequences of disruption to your organization regardless of cause.

BCAW 2012 will provide the opportunity for disaster preparedness and risk management teams to;

  1. engage with business continuity professionals from around the world,
  2. learn about the importance of dealing effectively with incidents on varying scales, and,
  3. develop methodologies and strategies on how to make an organization more resilient.

Some of the highlights of BCAW 2012 will include: (a) New research: The BCI and its partners will be publishing new research and papers throughout the week, (b) BC24: the ground breaking, multi-role, online incident simulation game to test your organization’s crisis management skills, and informally benchmark with organizations across the world, (c) New webcasts: A multiple free offering of webcast presentations which will run throughout the week, (d) BCAW 2012 Forum: a LinkedIn Forum for newcomers to ask questions of the BC community and for more experienced practitioners to debate the hot topics in the industry, and, (e) In-house Awareness Opportunities – This will be an opportunity for existing BCM practitioners who are looking to run awareness raising activities within their own organizations.

If you are interested in participating, sponsoring or just being an active listen to these valuable opportunities, or, if you have any questions about BCAW 2012CLICK HERE.

If applicable, please pass this information along to those business continuity or crisis management planning groups in your organization, and, to those PS-Prep strategy planning teams in private sector companies.

Filed Under: Business Continuity Info, Corner Office Viewpoint, Organizational Resiliency, PS-Prep Program, Risk Management Tagged With: , , , , , , , , , , , , , , , , , , , , ,

Threats for 2012 Global Business Continuity — New Survey Results Released

February 17, 2012 By Leave a Comment

Photo courtesy of gpnetnow.com

Business continuity and risk management planning groups would benefit from reviewing the results of a new survey report recently released by the Business Continuity Institute and given the title “Horizon Scan 2012”.

In this report, four hundred and fifty eight (458) organizations — reporting from the U.K., USA, Australia, Canada and South Africa — during the period of 5-20 December, 2011, have indicated that business continuity practitioners are applying business continuity management to a wider range of threat categories than those with which the BC discipline is more traditionally associated, and, perhaps, equally important, it raises the question as to the extent that individual organizations can deal with these challenges by themselves.

A short list of the threats identified by survey participants in this report would include: unplanned IT/Telecom outage(s), adverse weather, cyber-attack, acts of terrorism, utility interruption(s), availability of workforce(s), new laws and/or regulations, social/civil unrest, major customer/supplier disruption(s), or the availability/cost of credit/finance.

Of particular importance and/or interest is the section dealing with the evaluation of threats as perceived by the primary activities of operational groups within an organization — e.g. the top three threats as seen by the information and communications group are stated as: (1) unplanned IT / Telecom outage, (2) Data breach and (3) Cyber-attack …..While the top three evaluated threats as seen by the manufacturing group are: (1) Supply chain disruption, (2) Unplanned IT/Telecom outage, and (3) Product safety incident.

Our staff recommends that this report be added to the reading resource libraries of those disaster preparedness, crisis management and/or risk management planning teams in your enterprise level organizations.  And, if you are a private sector smaller company, please share this information with your PS-Prep strategy planning groups.

Click here to read more, and to download and view the full report.

Again, we thank the Business Continuity Institute for making this resource available to all BC/DR planning teams.

Filed Under: Business Continuity Info, Organizational Resiliency, PS-Prep Program, Risk Management Tagged With: , , , , , , , , , , , , , ,

Risk Management and Crisis Response Traits

February 7, 2012 By Leave a Comment

In a recent article written by Kevin M. Quinley, entitled “Avoid These Seven Traits that Will Sink Your Risk Management Program!”, the topic of organizational crisis management in the context of product liability is addressed from an interesting adaption of consultant Jim Lukaszewski’s presentation identifying seven behaviors that spell trouble when it comes to how an organization will act when faced with an unexpected crisis or disruptive event.

Quinley’s article should focus our readers’ attention on several perceived typical reactions by organizations when faced with a disruptive event — like a product liability claim or law suit.  And, by learning from this information, it could be a first important step for an organization to take toward building a strong corporate risk management and mitigation plan against these potential threats.

A quick summary of those typical reactions expressed by both Llukaszewski and Quinley are:

  1. Denial
  2. Victim Confusion
  3. “Testosterosis”
  4. Arrogance
  5. Scapegoating
  6. Media-Phobia
  7. Whining Parties

Click here to read Quinley’s full article.

If applicable, please pass this information along to those risk management team members in your organization.  And, in some cases for smaller companies in the private sector, PS-Prep strategy and business continuity planning groups could add this content to their library of available reference materials as well.

Filed Under: Business Continuity Info, Corner Office Viewpoint, Organizational Resiliency, PS-Prep Program, Risk Management Tagged With: , , , , , , , , , , ,

Black Swans in the Boardroom

February 7, 2012 By Leave a Comment

Photo courtesy of ashfordbirder.blogspot.com

Judging from recent comments and inputs from our readers, many business continuity planning teams fully realize that the risk landscape facing their organizations is changing, and, while they and their upper management teams can see that a new risk landscape is emerging, it remains difficult to define what is behind those changes or how their risk management strategies should respond to them.

Trying to keep this awareness out of a negative light, Armoghan Mohammed and Richard Sykes (both part of the PricewaterhouseCoopers International Limited group) have written and recently released a report entitled “Black Swans Turn Grey: The Transformation of Risk”.

Our staff agrees with Mohammed and Sykes’s belief that through a better understanding and management of risk strategy, organizations will be more resilient and better positioned to pursue their corporate objectives.

First a little background on the concept of risk and a “black swan event”.  In 2007, the Nassim Nicholas Talleb wrote about “The Black Swan: The Impact of the Highly Improbable”, and, the term “black swan” was quickly adopted and became one of the three (3) major types of risks now recognized by risk management methodologies – the other two are “known risks” and “emerging risks”.

Mohammed and Sykes argue and suggest that recent experience(s) indicate that events that fit the description of “black swans” are happening more and more frequently –therefore they ask the question, “Are black swans actually turning grey?”

Exploring this approach and tying it, as well, to a real need to map out the new risk landscape, align it with the requirement for board members to better understand this reality, and integrate this reality into the management leadership so that organizations develop a risk aware culture with explicit focus on the risk appetite of the organization and then align that risk appetite with the objective marketing and growth strategies for that organization.  In other words, the board has the responsibility — building on an enterprise risk management methodology – to: (1) fuse strategy more closely with risk, (2) articulate a more explicit and holistic risk appetite and (3) promote and support more active collaboration within their organizations to build stronger resilience levels across total business management systems.

Click here to read Mohammed and Sykes’ full whitepaper.

If applicable, please pass this information along to those risk management and business continuity planning teams in your organization, and, where needed, introduce these thoughts to PS-Prep strategy planning teams, as well.

Filed Under: Business Continuity Info, Corner Office Viewpoint, Organizational Resiliency, Risk Management Tagged With: , , , , , , , , , , , , , ,

Risk Awareness Concerns and Organizational Risk Management System Potential Integration(s)

February 5, 2012 By Leave a Comment

Photo courtesy of meship.com

By: Lisa DuBrock, CPA, CBCP, MBCI

Recently in an article written by Subrata Guha entitled “New ISO IEC 20000-1: Alignment with ISO 27001”, Guha makes the point that, “…. since ISO 20000-1 and ISO 27001 are so closely linked, there is a strong argument that these two standards should be implemented as a single management system – and, that the new release of ISO 20000-1 makes this process easier than ever before.

I contend that the melding of those 2 standards is certainly an excellent idea —especially since some well-defined areas such as incident management, change management, and security management link up so well. And, I believe that many companies have done just that; whether they implement the standards together or individually and then knit the individual management systems and overlapping control structures together.

What I’d like to propose today is — depending on your own corporate and organizational culture — to consider a coupling of two other standards that have a natural affinity to work together.  Those standards are ISO/IEC 27001:2005 Information Security Management System and ASIS SPC.1 Organizational Resilience:  Security, Preparedness and Continuity Management System.

Both the ISO 27001 and the ASIS SPC.1 standards build their foundation on the concept that management identifies, adopts, implements, monitors, updates and, most importantly, manages their related management system(s) based on that particular organization’s appetite for risk – i.e. Risk Appetite.

As with any organization’s business management system (BMS), the process of implementing that BMS to a standard (i.e. ISO 27001 or ASIS SPC.1) begins with and is based on the scope that the organization sets for its BMS.

In this instance, both ISO 27001 and ASIS SPC.1 adhere to the management system requirements of: Management Commitment (including resourcing, training and awareness, and approval of the system), Internal Audit, Management Review and Continual Improvement.

Both of these standards also require a statement of applicability (SOA).  However they differ in how the SOA is defined.  In SPC.1 the SOA documents the strategic weighting of security management, preparedness, emergency management, disaster management, crisis management and business continuity management.   In ISO 27001 the SOA is a documented statement describing the control objectives and controls that are relevant and applicable to the organizations ISMS.

What really differs between these standards, however, is the context of the risk process.  For ISO 27001, the context is based on the information assets identified within the scope of the management system.  Within SPC.1 the Organizational Resiliency Management System is based on legal and other requirements, information about significant hazards and threats and protection of critical not just information assets (physical, intangible, environmental and human).

By having an organization integrate the implementations of both ISO 27001 and ASIS SPC.1 standards simultaneously, it would almost be a certainty that a stronger and more clear understanding of risk and what is needed for that organization’s mitigation of those risks (i.e. to be more secure) would be achieved.

If you agree or not with this opinion, please share your comments and inputs regarding this potential integrated approach.

Filed Under: Business Continuity Info, Corner Office Viewpoint, Information Security, Organizational Resiliency, Risk Management Tagged With: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

PRIVATE SECTOR UPDATE — DHS Presents State of America’s Homeland Security

January 29, 2012 By Leave a Comment

Photo courtesy of DHS

PS-Prep strategy planning groups, along with all business continuity and risk management members of teams in organizations of all sizes should be interested in listening to Janet Napolitano, Department of Homeland Security Secretary (DHS), as she delivers the second annual State of America’s Homeland Security address, on Monday, January 30 2012 at 1:00 PM EST.

Increasing our nation’s security and resilience remains a goal achieved through strong connections between DHS and our nation’s private sector.

Click here to watch Janet Napolitano’s presentation LIVE on Monday, January 30 2012 at 1:00 PM EST.

Filed Under: Business Continuity Info, Homeland Security Dpt, Organizational Resiliency, PS-Prep Program, Risk Management Tagged With: , , , , , , , ,

Business Continuity and Emergency Management Plan Testing — Need Help Pitching the Need?

January 28, 2012 By Leave a Comment

Photo courtesy of blog.abn.org.au

Many of the readers of this website belong to emergency management and business continuity planning teams.  And, hopefully, those disaster preparedness focused teams are testing their emergency, continuity and disaster recovery plans regularly.

But if not, or if those risk management centered groups are looking for some useful information to assist the testing of those BC/DR plans, then, an article written by Jim Satterfield is a valuable resource to turn to when you need content and reasons to convince your fellow BC/DR team members – or even upper management — that funding and support is justified to test your plans.

As Satterfield says, “Everyone has a role in a crisis. Some are strategic, some are tactical. How decisions are made in a crisis is critical to the outcome. Because of this, the following holds true:

  1. Practicing emergency response helps assure that the response can proceed predictably during a crisis or disaster;
  2. Participation in exercises familiarizes everyone with the vulnerabilities, impacts, plans, mitigation strategies, incident management and crisis communications;
  3. Testing allows problems or weaknesses to be identified and used to stimulate necessary and appropriate changes; and
  4. Errors committed and experience gained during testing will provide valuable insights and lessons learned that can be factored into the planning/updating process.”

The full posting by Satterfield is in two parts, so be sure to read the entire posting, and, if applicable, pass this info on to those associates in your organization or even those disaster recovery and first responder teams in your community’s Emergency and Crisis Management Response areas.  And if your organization is in the private sector, please get this info to in-house team members of the PS-Prep strategy planning leaders.

Click here to read Part 1 and Click here  to read Part 2 of Satterfield’s postings.

Filed Under: Business Continuity Info, Homeland Security Dpt, Organizational Resiliency, PS-Prep Program, Risk Management Tagged With: , , , , , , , , , , , , , , , , , ,

Google Plans to Alter Privacy Policy and Terms of Service

January 25, 2012 By Leave a Comment

Photo courtesy of blog.mclane.com

The actions and decisions of Google can potentially affect many information security teams in organizations across the globe.  With that thought in mind, a recent announcement by Google to alter its privacy policy and terms of service to reflect the fact that it is now going to combine data from its various services into a single user profile may well be an event that requires close study, review and evaluation regarding an organization’s own existing privacy policy – i.e. particularly where services such as Google are involved.

It goes without saying that this privacy change by Google needs to also be closely reviewed where individual use of Google is employed as well.

In a recent article written by Thomas Claburn, Claburn is quick to point out that critics of the change have been quick to question Google’s decision.

This article also references Sen. Richard Blumenthal (D-Conn.) who said in a reaction blog posting that he’s troubled by the lack of an opt-out mechanism, and, David Jacobs, consumer protection fellow at the Electronic Privacy Information Center (EPIC), expressed concerns that Google’s changes decrease the ability of users to control how their personal information is being used.

Click here to read Claburn’s full article, and, be sure to utilize the useful links in that article to dig more deeply into the reference documents and related postings to this potential privacy risks.

Additional stories about this controversial decision by Google are also listed below:

Google Says Privacy Change Won’t Affect Government Users” by Jaikumar Vijayan

Google Stirs Up Privacy Hornet’s Nest” by Sharon Gaudin

Google Privacy Policy: Who Will be Affected and How You Can Choose What Information Gets Shared” by Cecilia Kang

Google Seeks to Clarify New Privacy Policy” by Doug Gross

Lawmakers Press Google on Privacy Policy Changes” (Reuters)

If applicable, please pass this information along to those information security and risk management team members in your organization, those members of privacy rights protection groups in your community and to members of your family who use Google on a daily basis.

Filed Under: Cybersecurity, Information Security, Risk Management Tagged With: , , , , , , , , , ,

Business Continuity Planners May Face “Frictionless Sharing” Risks from New Facebook Apps

January 19, 2012 By Leave a Comment

Photo courtesy facebook.com

While information security and privacy rights protection teams within organizations continue to monitor the potential privacy risks that Facebook may be presenting to their employees, a new announcement was made today indicating that Facebook is now adding over 60+ new applications within their auto-share technology.

Click here to read a Facebook company blog covering this news as released by Facebook’s director of platform Cal Sjogreen.

As you will read, Facebook users can now immediately begin adding these new apps to their timelines.

As Sjogreen states, “…the apps are all set up to use the “frictionless sharing” function on the social network, meaning that users only have to give an app permission to share information once. After that, the app updates automatically to a user’s profile, letting their friends know instantly what they may be eating, studying or listening to at any given moment.”

While it may be too early to accurately assess any additional risks these apps may present to existing business continuity plans, it may be a good idea to inform information security specialists, risk managers and HR privacy managers of this event.

PS-Prep strategy planning teams in the private sector, in local community disaster preparedness groups and even risk mitigation discussions among family and friends may warrant a close watching of this recent announcement.

Filed Under: Business Continuity Info, Information Security, Organizational Resiliency, PS-Prep Program, Risk Management Tagged With: , , , , , , , , , , , , , , , ,

E-Discovery No Stranger on Campus

January 18, 2012 By Leave a Comment

Photo courtesy of sonian.com

In response to a few recent inquiries and comments from readers working in the educational field, and, in particular for those readers working in a university campus information security department, who requested that more discussions and information be presented on the topic of e-discovery relevant to a university campus environment, our staff would like to present a listing of recent postings and articles addressing this growing dynamic within the “discovery” process itself.

Dian Schaffhauser, a writer who covers technology and business related topics for a number of various publications, has recently written and posted an article entitled “An e-Discovery Primer”  — and, this information may be a great reference resource to offer anyone who wants to learn the basics of e-Discovery.

To this point, it is also important to realize that the “discovery” process is neither something new nor is this process limited to the digital era.  As Seth Gilbertson, associate counsel for the State University of New York states, “…discovery is the process of saving and producing records and other evidence pertaining to an activity that may be the subject of litigation.”

If applicable, or even if you are new to the discussions and risk mitigation potentials embedded in the e-discovery process, click here  to read Schaffhauser’s full article.

E-Discovery Guideline and Toolkit offering posted on the EDUCAUSE website presents e-discovery issues for universities to consider.

E-Discovery Trends: Potential ESI Sources Abound in Penn State Case” by Doug Austin

E-Discovering Reference” article by Spolanka

School districts wrestling with ABCs of electronic discovery, compliance” by Beth Pariseau, Senior News Writer

“Hey @wfryer looking for the 411 on eDiscovery: http://bit.ly/9hcxe9 (your wiki) Bottom line: do schools have to archive STUDENT email?”

The E-Discovery Question   – Don’t panic over the new regulations, but make sure your school’s policy is clear.

If applicable, please add your inputs, comments and experiences of e-discovery challenges you might have had to face in your university campus environment.

Filed Under: Cybersecurity, Information Security, Risk Management Tagged With: , , , , , , , , , ,
« Older Posts