How are Organizations Managing Policies Ongoing?

Posted In Business Continuity, Financial, Information Privacy, Validations on May 3rd, 2011

OCEG recently announced poll results from a One Minute Poll about Policy Management.  In their poll, 429 members replied to the following question:

How do you primarily manage lifecycle of internal policies, procedures and guidelines?

  • 32% use an internally developed database or intranet system
  • 24% have no formal structure
  • 18% use file folders or centralized network drive
  • 14% use document or policy management software
  •  8% track changes in Word
  •  4% use other methods


Lessons learned:  Bad guys already know what the results from this poll clearly reveal: people are an organization’s weakest link.  As long as 86% or more of organizations continue to use status quo methods that provide little or no accountability and little or no auditability to ensure situational awareness at the individual level, organizations will be vulnerable to attacks, mistakes, lawsuits, fines and disconnects that have a negative (potentially significant) effect on their bottom line.


‘Tricked’ RSA Worker Opened Backdoor to APT Attack

Posted In Business Continuity, Information Privacy, Information Security on May 3rd, 2011

A targeted phishing e-mail with the subject line “2011 Recruitment Plan” tricked an RSA employee into opening a document attached to the e-mail.  The document contained a virus that led to a sophisticated attack on RSA’s information systems.

Lessons Learned:  Are your employees aware of changing and more sophisticated risks?  Does your organization update employees with situational awareness as more and more attacks target your employees?  All employees must understand their individual roles and responsibilities for protecting sensitive information.  Organizations need to implement comprehensive and ongoing awareness programs to ensure all individuals understand changing risks, threats, best practices, etc.


Measuring Risk and Measuring Cake

Posted In Business Continuity, Regulatory Compliance, Risk Management on January 10th, 2011


Is Measuring Risk Possible?

I saw a discussion question recently asking how to measure risk.

My first reaction was…do you measure risk?  I say no.

Do you measure security?  Do you measure prevention?   I would say no and no.

Do you measure cake?

Not usually, unless you are paying for cake by the pound, but measuring the cake does not guarantee the cake is any good.

Determining if the cake is any good depends on how the cake looks and how the cake tastes.  To make a good cake, you need to measure each of the ingredients for the cake (internal) and you need to measure the temperature and how long you bake the cake (external).

Risk is similar and organizations must determine if their risk management is good (or not good) based on the results.  Like a good cake, good risk management* depends on the “internal ingredients” and the “external factors”.

Research from hundreds and hundreds of lessons learned clearly reveals that better risk management results are needed and that organizations:

  • Need better awareness/management of their internal ingredients
  • Need better awareness/management of external elements that can affect their organization
  • Need better tools for measuring their internal ingredients and external elements


Measuring risk is an interesting topic of discussion, but your organization’s bottom line results and winning the “best cake award” with your employees and clients is far more important.

*In addition to risk management, numerous other management efforts (security, safety, prevention, intervention, reputation, documentation, etc.) depend on measuring internal and external elements.


Does Information Equal Awareness?

Posted In Business Continuity, Emergency Management, Human Resources, Incident Reporting, Information Security, Regulatory Compliance on November 18th, 2010


General Information
Personally Identifiable Information
Intelligence Information
Industry Information
Regulatory Information
Legal Information
Risk Information
Customer Information
Emergency Information
Competitive Information
Etc….

Most people and their organizations would agree they are overwhelmed by information that is spread all over in e-mails, web sites, binders, intranets, etc.

BUT, most people and their organizations would also agree they are not overwhelmed by awareness, and more specifically they are not overwhelmed by Situational Awareness.

Lessons learned continue to reveal that just having information is not enough.  Most of the highly publicized tragedies and incidents reveal that information in the form of red flags or intelligence or risk assessments actually existed BEFORE the incident occurred.

And many incidents could have been prevented had the information been translated into Situational Awareness and shared with the right individuals in the right place at the right time so they could have taken appropriate actions to prevent or intervene or respond more proactively.

For the next week or month or longer, when you become aware of an incident or a mistake in your organization or another organization ask yourself these questions:

  • Did information exist that could have helped prevent the incident or mistake?
  • Does my organization have a good way to turn information into situational awareness?
  • Do all appropriate individuals have the ability to access confidential situational awareness?
  • Does our incident reporting system just pass along information?
  • Do our threat assessment and security teams have access to situational awareness?
  • Do our decision makers and leaders have on-demand access to updated situational awareness?


If I Knew Then What I Know Now…

Posted In Business Continuity, Emergency Management, Legal, Pandemic Flu, Regulatory Compliance on September 15th, 2010

Most everyone has heard or muttered these words at some time or another:

If I Knew Then What I Know Now…

The saying is most often used when we look back at our life and we realize that if I knew then (when I was younger) what I know now (with more experience and wisdom), I may have made some different decisions.

The saying also came to mind recently as we were reminded of the 9-year anniversary of September 11th and the 5-year anniversary of Katrina, and numerous other incidents that have provided experience and wisdom that we could have used before these events took place.

As I was reflecting on these and numerous other events, I started thinking about how so many of the incidents and unwanted results could have been prevented from ever happening had certain people known what others knew…and perhaps how this saying should be updated to:

If I knew now what you know now.

We now know that there were multiple people who noticed red flags or knew about 9-11 before the attack. We now know that multiple people at Virginia Tech and Columbine noticed red flags or knew about these attacks before the attacks were launched.  In numerous other incidents, we now know other people besides the aggressor(s) knew about red flags, suspicious actions and misguided plans before the tragic incidents actually occurred.

Unfortunately these other people who noticed red flags or knew about what was coming did not provide their information to people who could have intervened and prevented the incidents and could have saved millions of dollars and saved the lives of many.

How are you getting people to report red flags or suspicious behavior or ethics violations or safety improvements?

Lessons learned clearly show that lack of awareness and not connecting the dots will lead to gaps and disconnects that lead to expensive, embarrassing and tragic incidents.

So if you are responsible or accountable for security, safety, preparedness, compliance, legal due diligence, finances, customers, patients, etc….do you know now what others know now?


Blueprints Do Not Build Skyscrapers

Posted In Business Continuity, Human Resources, Risk Management, School Safety, Workplace Violence on August 11th, 2010

In my previous blog I suggested that building a successful preparedness campaign is like building a skyscraper…and in some cases it seems like building a skyscraper may actually be easier than building a successful campus-wide or organization-wide preparedness effort.

I mentioned that building a skyscraper and building a campus-wide or organization-wide preparedness effort have a lot in common and one of those common items is blueprints.

Blueprints can be a technical drawing, a mechanical drawing, an architectural plan, a model, a prototype, a detailed plan of action, etc.  Blueprints can also include programs, policies, procedures, processes, guidelines, checklists, etc.

But blueprints are not skyscrapers.

Lessons learned continue to reveal that many organizations are extremely vulnerable because they purchase blueprints (emergency plans, anti-bullying programs, checklists, etc.), schedule a meeting or training session, post their blueprints on an intranet/portal and think they have built their “skyscraper”.

More and more organizations are learning the hard way that having blueprints is not enough.

Even though financial organizations have policies, government entities have plans, schools have procedures, healthcare organizations have checklists and organizations have been offering general training on an annual basis for years… tragedies, failures, bullying and lawsuits continue to escalate.

Do your organization’s leaders understand that building organization-wide preparedness efforts or a culture of safety or an anti-bullying environment requires more than disseminating blueprints?


Building A Preparedness Program…like Building a Skyscraper?

Posted In Business Continuity, Emergency Management, Risk Management, School Safety, Workplace Violence on August 9th, 2010

I attended the Virginia Governor’s Campus Preparedness conference last week and had an interesting discussion with one of the attendees.  We were talking about how building preparedness across an organization or an entire campus is becoming more complex and more difficult due to escalating challenges, regulations, obligations, liabilities and much more.

As our discussion continued, we started talking about how important tools can be when building campus-wide preparedness programs.   In reference to whether tools can make a difference, I offered the following analogy:

Could a skyscraper be built using a hammer, a saw and some nails?

The attendee responded quickly: yes, the skyscraper could be built, but she wouldn’t go inside it!

Next we discussed how building a skyscraper and building a campus-wide or organization-wide preparedness program have a lot in common:

  • Both require blueprints
  • Both are complex and require planning
  • Both require specialized tools to build
  • Both have a lot of parts or “dots to connect”
  • Both require specialized tools to maintain
  • People will not trust poorly built skyscrapers or preparedness programs


Are you building your __________ program [preparedness, compliance, business continuity, safety, security, ethics, etc.] with old outdated tools such as binders, intranets, shared drives and general training?


CFOs Have Responsibility To Break Down Risk Management Silos

Posted In Business Continuity, Information Privacy, Information Security, Regulatory Compliance on July 12th, 2010

Last week financial executives received some valuable advice on ways to significantly reduce costs associated with an expensive non-budgeted item – cybercrime.

Greg Schaffer heads up DHS’s Office of Cybersecurity and Communications and his comments on cybercrime included:

“Cybercrime is not a problem that is growing, or coming, or off in the future.  This is a problem right now.”

Mr. Schaffer also cited some statistics from reports and surveys:

  • A single cyber breach costs companies an average of $6.75 million
  • 27 countries have claimed to have experienced financial losses related to cybercrime
  • In 2009, 30 million examples of new malicious software were released


Mr. Schaffer shared that there is a “disconnect” between corporate risk managers and information technology professionals.  Mr. Schaffer also pointed out that most companies have kept risk management related to cybercrime in “a silo” within the IT department, rather than treating cybercrime as a risk the entire organization must address.

Mr. Schaffer also offered this advice: because CFOs play an important role in enterprise risk management, CFOs have a responsibility to break down “silos” within an organization.

Do you have “silos” in your organization?

Of course you do!  CFOs (along with CEOs, COOs, CROs, etc.) must become more proactive and prevention focused.  CFOs must find better ways to break down silos and connect the dots before a cybercrime incident creates a huge hit on their bottom line.


SEC Provides Lessons Learned on Policies and Porn

Posted In Business Continuity, Human Resources, Incident Reporting, Information Privacy, Risk Management on July 7th, 2010

A recent follow-up article in Federal Computer Week (FCW) highlighted the porn scandal at the Securities and Exchange Commission (SEC) and suggested this was a dramatic wake-up call for any government agency that doubted the need for and importance of an airtight security policy.

Good for Teri Robinson… who wrote the article!!

However…the steps Teri laid out that an agency should take to build and enforce a security policy are missing a couple of critical steps based on lessons learned and legal defensibility.  Teri suggested the following steps:

  • Review existing policy
  • Social media guidelines should be included and should be specific
  • Assign responsibility because policies are more easily adopted if someone is in charge
  • Train, train, train: as threats change, so do policies, so regular training is needed
  • Enforce the rules
  • Ramp up resources with technology and staffing


I agree with Reviewing Existing Policy, Including Social Media and Enforcing the Rules.

I sort of agree with Assigning Responsibility and Train, Train, Train…

I disagree with Ramping Up Resources and Staffing Up.

Based on lessons learned, the following steps are also needed:

  • Accountability at the Individual Level
  • Documentation of Individual Acknowledgements
  • Situational Awareness and Case Studies that relate to organization specific policies
  • Incident Reporting and Incident Management Tools for Assessment/Prevention Teams


And based on lessons learned, more staff for enforcement and training is probably not necessary if you implement the right tools for current personnel to utilize.

Now if we could just get federal agencies to start using “tractors” instead of “old horses”…
